About Virtual Local Area Networks (VLANs)
An 802.1Q VLAN (virtual local area network) is a collection of computers on a LAN or LANs that are grouped together in a single broadcast domain, independent of their physical location. This enables you to group devices according to traffic patterns, instead of physical proximity. Members of a VLAN can share resources as if they were connected to the same LAN. You can also use VLANs to split a switch into multiple segments. For example, suppose your company has full-time employees and contract workers on the same LAN. If you want to restrict contract employees to a subset of the resources used by full-time employees, and use a stricter security policy for the contract workers, you can split the interface into two VLANs.
VLANs enable you to divide your network into groups with a logical, hierarchical structure or grouping instead of a physical one. This helps free IT staff from the restrictions of their existing network design and cable infrastructure. VLANs make it easier to design, implement, and manage your network. Because VLANs are software-based, you can quickly and easily adapt your network to additions, relocations, and reorganizations.
VLANs use bridges and switches, so broadcasts are more efficient because they go only to people in the VLAN, not everyone on the wire. Consequently, traffic across your routers is reduced, which means a reduction in router latency. You can configure your Firebox to act as a DHCP server for devices on the VLAN, or use DHCP relay with a separate DHCP server.
You assign a VLAN to the Trusted, Optional, or External security zone. VLAN security zones correspond to aliases for interface security zones. For example, VLANs of type Trusted are managed by policies that use the alias Any-Trusted as a source or destination. VLANs of type External appear in the list of external interfaces when you configure SD-WAN.
VLAN Requirements and Restrictions
- If your Firebox is configured in drop-in mode, you cannot use VLANs.
For example, if a VLAN interface is configured to send and receive untagged traffic for VLAN-10, it cannot also send and receive untagged VLAN traffic for any other VLAN at the same time. - Multi-WAN configuration settings are applied to VLAN traffic, however, it can be easier to manage bandwidth when you use only physical interfaces in a multi-WAN configuration.
- The maximum number of VLANs you can create is specified in your Firebox feature key in the Total number of VLAN interfaces value.
- We recommend that you do not create more than 10 VLANs that operate on external interfaces. Too many VLANs on external interfaces affect performance.
- All network segments that you add to a VLAN must have IP addresses on the VLAN network.
- To use multiple VLANs on a single interface on a FireboxV device in an ESXi environment, configure the VSwitch for the VLAN interface to use VLAN ID 4095 (All).
- Spanning Tree Protocol is supported for some VLAN configurations.
For more information about Spanning Tree Protocol support for VLANs, go to About Spanning Tree Protocol.
External VLAN Interfaces
In Fireware v12.8 or higher:
- An external VLAN can have more than one physical interface member, and the physical members can be tagged or untagged.
- A VLAN interface can send and receive untagged traffic for an external VLAN.
- An interface can simultaneously belong to both an External and Internal (Trusted, Optional, or Custom) VLAN.
You can bridge a VLAN between external interfaces and create policies that apply to traffic between the interfaces. This is also known as a bridged WAN configuration.
In Fireware v12.7.2 or lower, external VLANs have these restrictions:
- Each external VLAN can only have one physical member, and the physical member can only be a tagged member.
- A VLAN interface cannot send and receive untagged traffic for an external VLAN.
- A VLAN interface can send and receive untagged traffic for only one trusted, optional, or custom VLAN.
- A VLAN interface configured to send and receive tagged traffic for an external VLAN cannot also send and receive traffic for a trusted, optional, or custom VLAN.
About Tagging
To enable VLANs, you must deploy VLAN-capable switches in each site. The switch interfaces insert tags at layer 2 of the data frame that identify a network packet as part of a specified VLAN. These tags, which add an extra four bytes to the Ethernet header, identify that the frame belongs to a specific VLAN. Tags are specified by the IEEE 802.1Q standard.
The VLAN definition includes the disposition of tagged and untagged data frames. You must specify whether the VLAN receives tagged, untagged, or no data from each interface that is enabled. Your Firebox can insert tags for packets that are sent to a VLAN-capable switch. Your device can also remove tags from packets that are sent to a network segment that belongs to a VLAN that does not have a switch.
A Firebox interface can manage traffic for multiple tagged VLANs. This allows the interface to function as a VLAN trunk. The Firebox supports the 802.1Q standard.
About VLAN ID Numbers
By default, on most new switches that are not configured, each interface belongs to VLAN 1. Because this VLAN exists on every interface of most switches by default, the possibility exists that this VLAN can accidentally span the entire network, or at least very large portions of it.
We recommend you use a VLAN ID number that is not 1 for any VLAN that passes traffic to the Firebox.