Define a New VLAN
Before you create a new VLAN, make sure you understand all the VLAN concepts and restrictions described in About Virtual Local Area Networks (VLANs).
This topic explains how to:
- Configure a VLAN
- Use DHCP on a VLAN
- Configure DHCP Relay on a VLAN
- Apply Firewall Policies to Intra-VLAN Traffic
- Configure Network Settings for a VLAN on the External Interface
- Enable IPv6 on a VLAN
- Configure VLAN Secondary IP Addresses
- Enable Spanning Tree Protocol
- Enable 802.1p Marking for VLAN Interfaces
Configure a VLAN in Fireware Web UI
When you configure a VLAN in Fireware Web UI, you must select a VLAN tag setting for at least one VLAN interface. Before you create the VLAN, you must configure at least one interface as a VLAN interface.
- Select Network > Interfaces.
- Select the interface that is connected to your VLAN switch. Click Edit.
- From the Interface Type drop-down list, select VLAN.
- Click Save.
- Select Network > VLAN.
The VLAN page appears with a list of existing user-defined VLANs and their settings.
You can also configure network interfaces from the Interfaces list.
- Click Add.
The VLAN Settings page appears.
- In the Name text box, type a name for the VLAN. The name cannot contain spaces.
- (Optional) In the Description text box, type a description of the VLAN.
- In the VLAN ID text box, type or select a value for the VLAN.
- In the Security Zone text box, select Trusted, Optional, Custom, or External.
Security zones correspond to aliases for interface security zones. For example, VLANs of type Trusted are handled by policies that use the alias Any-Trusted as a source or destination.
- In the IP Address text box, type the address of the VLAN gateway.
Any computer in this new VLAN must use this IP address as its default gateway.
- In the Select a VLAN tag setting for each interface list, select one or more interfaces.
- From the Select Traffic drop-down list, select an option to apply to the selected interfaces:
- Tagged traffic — The interface sends and receives tagged traffic.
- Untagged traffic — The interface sends and receives untagged traffic.
- No traffic — Remove the interface from this VLAN configuration.
- Click Save.
For information about the intra-VLAN traffic setting, go to the Apply Firewall Policies to Intra-VLAN Traffic section on this page.
Configure a VLAN in Policy Manager
In Policy Manager, you must create the VLAN before you can configure interfaces as a member of that VLAN. The VLAN configuration settings in Policy Manager do not include the list of interfaces that are members of the VLAN.
- Select Network > Configuration.
The Network Configuration dialog box appears.
- Select the VLAN tab.
A table of existing user-defined VLANs and their settings appears.
- Click Add.
The New VLAN Configuration dialog box appears.
- In the Name (Alias) text box, type a name for the VLAN.
- (Optional) In the Description text box, type a description of the VLAN.
- In the VLAN ID text box, type or select a value for the VLAN.
- In the Security Zone text box, select Trusted, Optional, Custom, or External.
Security zones correspond to aliases for interface security zones. For example, VLANs of type Trusted are handled by policies that use the alias Any-Trusted as a source or destination.
- In the IP Address text box, type the address of the VLAN gateway.
Any computer in this new VLAN must use this IP address as its default gateway.
For information about the intra-VLAN traffic setting, go to the Apply Firewall Policies to Intra-VLAN Traffic section on this page.
After you create the VLAN, you can configure interfaces as members of the VLAN. For more information, go to Assign Interfaces to a VLAN.
See which interfaces are members of the VLAN
On the VLAN tab, you can see a summary of the VLAN configuration, and a list of interfaces that are members of the VLAN.
On the VLAN tab, the numbers in the Interfaces column show the physical interfaces that are members of this VLAN. The interface number in bold is the interface that sends untagged data to that VLAN.
Use DHCP on a VLAN
For a VLAN in the Trusted, Optional, or Custom security zone, you can configure the Firebox as a DHCP server for the computers on your VLAN network.
In Fireware Web UI:
- In the VLAN settings, select the Network tab.
- From the DHCP Mode drop-down list, select DHCP Server.
- (Optional) Type your Domain Name to supply it to the DHCP clients.
- To change the default lease time, type or select a number in the Lease Time text box and specify a unit of measurement in the drop-down list.
This is the time interval that a DHCP client can use an IP address that it receives from the DHCP server. When the lease time is about to expire, the client sends a request to the DHCP server to get a new lease.
- To add an IP address pool, in the Address Pool section, click Add.
- In the Starting IP and Ending IP text boxes, type the first and last IP addresses in the pool.
You can configure a maximum of six address pools.
- To reserve a specific IP address for a client, in the Reserved Address section, click Add.
- Type the IP address, Reservation Name, and MAC Address for the device. Click OK.
- To add DNS or WINS servers to your DHCP configuration, type the server address in the text box adjacent to the list. Click Add.
- To delete a server from the list, select the server from the list and click Remove.
- To configure DHCP options, click DHCP Options.
- (Fireware v12.1.1 and higher) By default, the Firebox IP address is the default gateway. To specify a different IP address as the default gateway, select Specify and type an IP address.
In Policy Manager:
- In the New VLAN Configuration dialog box, select Use DHCP Server.
- To add an IP address pool, in the Address Pool section, click Add and type the first and last IP addresses assigned for distribution. Click OK.
You can configure a maximum of six address pools.
- To reserve a specific IP address for a client, in the Reserved Addresses section, click Add. Type a Reservation Name for the reservation, the IP address you want to reserve, and the MAC address of the client's network card. Click OK.
- To change the default lease time, from the Leasing Time drop-down list, select a different time interval.
This is the time interval that a DHCP client can use an IP address that it receives from the DHCP server. When the lease time is about to expire, the client sends a request to the DHCP server to get a new lease.
- To add DNS or WINS servers to your DHCP configuration, click Configure DNS/WINS Servers.
- (Optional) In the DNS/WINS settings, type your Domain Name to supply it to the DHCP clients.
- To configure DHCP options, click DHCP Options.
- (Fireware v12.1.1 and higher) By default, the Firebox IP address is the default gateway. To specify a different IP address as the default gateway, select Specify and type an IP address.
For more information about per-interface DNS/WINS and DHCP options, go to Configure an IPv4 DHCP Server.
Use DHCP Relay on a VLAN
In Fireware Web UI:
- On the Network tab, from the DHCP Mode drop-down list, select DHCP Relay.
- Add the IP addresses of up to three DHCP servers.
In Policy Manager:
- In the New VLAN Configuration dialog box, select Use DHCP Relay.
- Add the IP addresses of up to three DHCP servers.
Make sure to add a route to the DHCP server if necessary.
For more information about DHCP relay, go to Configure DHCP Relay.
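The pool, reservation, and relay-server limits from the two DHCP procedures above, as an added example that is not Firebox code: a Python pre-check that catches the mistakes a validator would flag (overlapping pools, a pool outside the VLAN subnet, the gateway address inside a pool, both modes set at once) before they are typed into the VLAN settings. The dict keys and the sample addresses are constructed for this example, not Fireware configuration keys.

```python
import ipaddress

MAX_DHCP_POOLS = 6      # limit stated on this page
MAX_RELAY_SERVERS = 3   # limit stated on this page


def check_vlan_dhcp(vlan):
    """Return a list of problems found in a VLAN's DHCP settings.

    The dict keys (gateway, pools, reservations, relay_servers) are
    assumptions for this example, not Firebox configuration keys.
    """
    problems = []
    gw = ipaddress.ip_interface(vlan["gateway"])  # VLAN gateway in slash notation
    net = gw.network
    pools = [(ipaddress.ip_address(a), ipaddress.ip_address(b))
             for a, b in vlan.get("pools", [])]
    relays = vlan.get("relay_servers", [])

    # DHCP Mode is a single choice: server (pools) or relay, never both.
    if pools and relays:
        problems.append("DHCP Server and DHCP Relay are mutually exclusive modes")
    if len(pools) > MAX_DHCP_POOLS:
        problems.append(f"{len(pools)} pools exceeds the maximum of {MAX_DHCP_POOLS}")
    if len(relays) > MAX_RELAY_SERVERS:
        problems.append(f"{len(relays)} relay servers exceeds the maximum of {MAX_RELAY_SERVERS}")

    for start, end in pools:
        if start > end:
            problems.append(f"pool {start}-{end}: start is after end")
        # General DHCP sanity checks: a pool must lie inside the VLAN subnet
        # and must not hand out the gateway address itself.
        if start not in net or end not in net:
            problems.append(f"pool {start}-{end} is outside the VLAN subnet {net}")
        elif start <= gw.ip <= end:
            problems.append(f"pool {start}-{end} contains the VLAN gateway {gw.ip}")
    ordered = sorted(pools)
    for (s1, e1), (s2, e2) in zip(ordered, ordered[1:]):
        if s2 <= e1:
            problems.append(f"pools {s1}-{e1} and {s2}-{e2} overlap")

    for res in vlan.get("reservations", []):
        if ipaddress.ip_address(res["ip"]) not in net:
            problems.append(f"reservation {res['name']} ({res['ip']}) is outside {net}")
    return problems


# Constructed sample: two overlapping pools plus one pool from the wrong subnet.
SAMPLE_VLAN = {
    "gateway": "10.0.10.1/24",
    "pools": [("10.0.10.100", "10.0.10.150"), ("10.0.10.140", "10.0.10.200"),
              ("10.0.11.10", "10.0.11.20")],
    "reservations": [{"name": "printer", "ip": "10.0.10.20", "mac": "00:11:22:33:44:55"}],
    "relay_servers": [],
}
```

Running check_vlan_dhcp(SAMPLE_VLAN) reports the overlap and the out-of-subnet pool; a clean configuration returns an empty list.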
Apply Firewall Policies to Intra-VLAN Traffic
You can configure more than one Firebox interface as a member of the same VLAN. For an example of this type of configuration, go to Configure One VLAN Bridged Across Two Interfaces.
To apply firewall policies to VLAN traffic between local interfaces, select the Apply firewall policies to intra-VLAN traffic check box.
Intra-VLAN traffic is traffic from a VLAN that is destined for the same VLAN. When you enable this feature, the Firebox applies policies to traffic that passes through the firewall between hosts that are on the same VLAN. If you want to apply policies to intra-VLAN traffic, make sure that no alternate path exists between the source and destination. The VLAN traffic must go through the Firebox in order for firewall policies to apply.
On an external VLAN interface, you must enable this setting so that the Firebox can:
- Apply policy based routing and VPN tunnel routes to traffic received and sent by the same external VLAN interface
- Apply firewall policies and NAT to traffic received and sent by the same external VLAN interface
Intra-VLAN policies are applied by IP address, user, or alias. If the intra-VLAN traffic does not match any defined policy, the traffic is denied as unhandled packets. Intra-VLAN non-IP packets are allowed.
In Fireware v12.1.1 and higher, this setting is enabled by default for new external VLAN interfaces.
Configure Network Settings for a VLAN on the External Interface
When you configure a VLAN on the external interface, you must configure how the VLAN gets the external IP address.
In Fireware Web UI:
- On the VLAN Settings tab, from the Security Zone drop-down list, select External.
- Select the Network tab.
- From the Configuration Mode drop-down list, select Static IP, DHCP, or PPPoE.
- Configure the network settings with the same method you use for other external interfaces.
For more information, go to Configure an External Interface.
In Policy Manager:
- From the Security Zone drop-down list, select External.
- Select an option: Use Static IP, Use DHCP Client, or Use PPPoE.
- Configure the network settings with the same method you use for other external interfaces.
For more information, go to Configure an External Interface.
Enable IPv6 on a VLAN
To enable IPv6 on a VLAN interface:
- Select the IPv6 tab.
- Select the Enable IPv6 check box.
- Configure the IPv6 network settings the same as you would for any other interface.
For information about how to configure the IPv6 settings, go to:
Configure VLAN Secondary IP Addresses
In Fireware Web UI:
- Select the Secondary tab.
- Type an unassigned host IP address in slash notation from the secondary network.
- Click Add.
In Policy Manager:
- Select the Secondary tab.
- Click Add.
- Type an unassigned host IP address from the secondary network.
- Click OK.
For more information about secondary interface IP addresses, go to Add a Secondary Network IP Address.
Enable Spanning Tree Protocol
You can enable Spanning Tree Protocol for some VLAN configurations. Not all VLAN configurations are supported. For more information about Spanning Tree Protocol, go to About Spanning Tree Protocol.
To change the default Spanning Tree Protocol settings, you must use the Fireware command line interface (CLI). For more information about the default Spanning Tree Protocol settings, go to Configure Spanning Tree Protocol Settings in the CLI.
To enable Spanning Tree Protocol from the Web UI:
- Click the Bridge Protocols tab.
- Select Enable Spanning Tree Protocol.
- Click Save.
To enable Spanning Tree Protocol in Policy Manager:
- Click the Bridge Protocols tab.
- Select Enable Spanning Tree Protocol.
- Click Save.
Enable 802.1p Marking for VLAN Interfaces
In Fireware v12.7 or higher, you can enable 802.1p priority marking (tagging) for VLAN interfaces on your Firebox.
802.1p is a quality of service (QoS)/class of service (CoS) method that operates at the MAC layer (Layer 2). Equipment that supports 802.1p can add and recognize a value that indicates the priority level of the Ethernet frame. You can enable 802.1p to help ensure a high level of quality for latency-sensitive real-time communications, such as VoIP.
For detailed information about 802.1p marking, go to About 802.1p Marking for VLAN Interfaces.
To enable 802.1p marking, in Fireware Web UI:
- Select Network > VLAN.
- Select an existing VLAN interface and click Edit.
- Select the Bridge Protocols tab.
- Select the Enable 802.1p priority tagging for Layer 2 frames check box.
To enable 802.1p marking, in Policy Manager:
- Select Network > Configuration > VLAN.
- Select an existing VLAN interface and click Edit.
- Select the Bridge Protocols tab.
- Select the Enable 802.1p priority tagging for Layer 2 frames check box.
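As an added example that is not part of this page or of Fireware, the Python code below builds and decodes the 802.1Q tag that carries the 802.1p priority, so you can see on the wire what the Tagged traffic and Untagged traffic interface settings in Configure a VLAN and the priority marking enabled here refer to. The MAC addresses and payload are constructed; frames are shown without padding or FCS.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0, dei=0):
    """Build an Ethernet frame; when vid is given, insert an 802.1Q tag that
    carries the 802.1p priority (PCP). dst/src are 6-byte MAC addresses.
    Constructed helper for this example, not a Firebox API."""
    if vid is None:                      # untagged frame: no 802.1Q header at all
        return dst + src + struct.pack("!H", ethertype) + payload
    if not 0 <= pcp <= 7:
        raise ValueError("PCP (802.1p priority) is a 3-bit field: 0-7")
    if not 0 <= vid <= 4094:             # 4095 is reserved; 0 means priority-tagged only
        raise ValueError("VID must be 0-4094")
    tci = (pcp << 13) | (dei << 12) | vid  # Tag Control Information: PCP(3) DEI(1) VID(12)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(frame):
    """Decode the Ethernet header and report whether the frame carries a tag."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return {"tagged": False, "pcp": None, "dei": None, "vid": None,
                "ethertype": ethertype, "payload": frame[14:]}
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return {"tagged": True, "pcp": tci >> 13, "dei": (tci >> 12) & 1,
            "vid": tci & 0x0FFF, "ethertype": inner_type, "payload": frame[18:]}


# Constructed sample MACs and payload (not captured traffic).
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
IPV4 = 0x0800

# A frame on VLAN 10 marked with PCP 5, as an 802.1p-aware device would send it.
VOIP_FRAME = build_frame(DST, SRC, IPV4, b"rtp-payload", vid=10, pcp=5)
# The same payload sent untagged, as a host on an "Untagged traffic" interface would.
PLAIN_FRAME = build_frame(DST, SRC, IPV4, b"rtp-payload")
```

The tagged frame carries 81 00 A0 0A after the source MAC: the TPID, then PCP 5 in the top three bits and VID 10 in the low twelve.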
Next Steps
Before you can save this VLAN, you must Assign Interfaces to a VLAN.