Network and Traffic Management v11!9!3

Date post: 02-Jun-2018
Upload: dandygarcia
8/10/2019 Network and Traffic Management v11!9!3

TRAINING
www.watchguard.com/training
[email protected]

SUPPORT
www.watchguard.com/support
[email protected]
U.S. and Canada +877.232.3531
All Other Countries +1.206.613.0456

ii WatchGuard Fireware Training

Disclaimer

Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.

Copyright and Patent Information

Copyright 2014 WatchGuard Technologies, Inc. All rights reserved.

WatchGuard, Firebox, Fireware, LiveSecurity, and spamBlocker are either registered trademarks or trademarks of WatchGuard Technologies, Inc. in the United States and other countries. This product is covered by one or more pending patent applications.

All other trademarks and tradenames are the property of their respective owners.

Printed in the United States.

Contents

    Network Topology .... 27
    Configure the Device .... 28
    Configure the Switch .... 30
    Physically Connect All Devices .... 30
    Test the Configuration .... 30
  Using VLANs in Device Policies .... 31
    Apply Firewall Policies to Intra-VLAN Traffic .... 31
    Aliases .... 31
  Exercise 5: Configure VLANs for Wireless Access Points .... 33
    When to Use This Configuration .... 33
    Network Topology .... 33
  Frequently Asked Questions .... 38
  What You Have Learned .... 38

Traffic Management .... 39
  What You Will Learn .... 39
  Control Bandwidth Use with Traffic Management Actions .... 39
    Traffic Management Action Types .... 40
    Traffic Management in Policies .... 40
    Traffic Management in Application Control .... 40
    Traffic Management Action Precedence .... 40
    Monitoring Bandwidth Statistics .... 41
  Control Traffic Priority with QoS .... 41
    About Interface QoS Settings .... 41
    About Policy QoS Settings .... 41
    About Traffic Priority .... 41
    About Outgoing Interface Bandwidth .... 42
  Exercise 1: Use a Traffic Management Action to Guarantee Bandwidth .... 43
    Enable Traffic Management and QoS .... 43
    Verify the OS Compatibility Setting .... 43
    Define Outgoing Interface Bandwidth .... 43
    Create a Traffic Management Action .... 44
    Modify Policy Configuration .... 45
    Set Up Service Watch .... 46
    See the Results of the Configuration .... 47
  Exercise 2: Use a Traffic Management Action to Limit Bandwidth .... 50
    Re-Define Outgoing Interface Bandwidth .... 50
    Create a Traffic Management Action .... 51
    Modify Policy Configuration .... 51
    See the Results of the Configuration .... 52
  Exercise 3: Use Traffic Management with Application Control .... 55
    Create two Traffic Management Actions .... 55
    Configure Application Control .... 56
    Configure Application Control in Policies .... 58
    Monitor the Traffic Management Actions in Firebox System Manager .... 59
  Exercise 4: Use QoS to Mark and Prioritize Traffic .... 61
    Before You Begin .... 61
    Enable Prioritization by QoS Marking on Interfaces .... 61
    Prioritize Traffic by Policy .... 63
    See the Results of the Configuration .... 64
  What You Have Learned .... 65

Link Aggregation .... 67
  Introduction .... 67

    What You Will Learn .... 67
    Course Outline .... 67
  Terms and Concepts You Should Know .... 67
    Link Aggregation .... 67
    Link Aggregation Group (LAG) .... 68
    Link Aggregation Interface .... 68
    Link Aggregation Member Interface .... 68
    Link Aggregation Modes .... 69
    Link Aggregation Interface Identifiers .... 69
  Link Aggregation with Other Networking Features .... 70
  Exercise 1: Configure Active-Backup Link Aggregation .... 71
    Network Topology .... 71
    Before You Begin .... 72
    Add the Link Aggregation Interface .... 72
    Add Member Interfaces .... 74
    Connect the Switches .... 75
    Monitor the Link Aggregation Interface .... 76
  Exercise 2: Static and Dynamic Link Aggregation .... 78
    Topology .... 78
    Before You Begin .... 78
    Add the Link Aggregation Interface .... 79
    Add Member Interfaces .... 80
    Configure the Switch and Connect the Device to the Switch .... 81
    Connect the Device to the Switch .... 81
    Monitor the Link Aggregation Interface .... 82
    Use Dynamic Mode .... 82
  Exercise 3: Use Link Aggregation with a VLAN .... 83
    Network Topology .... 83
    Before You Begin .... 83
    Configure the Device .... 84
    Configure the Switch .... 86
    Physically Connect all Devices .... 86
  What You Have Learned .... 87

Multi-WAN Methods .... 89
  Introduction .... 89
    What You Will Learn .... 89
    Exercises .... 89
    What Multi-WAN Can Do For You .... 89
  Terms and Concepts You Should Know .... 90
    Outgoing Traffic and Multi-WAN .... 90
    Incoming Traffic .... 90
    IPSec VPN Traffic .... 90
    Equal-Cost Multi-Path Routing (ECMP) .... 90
    Sticky Connections .... 91
    Load Balancing Interface Group (LBIG) .... 91
    Policy-Based Routing .... 92
    Link Monitor Settings .... 92
    Failover/Failback .... 93
  The Round-Robin Multi-WAN Method .... 94
    When to Use It .... 94
    How It Works .... 94
    Calculate Weights for Round-robin .... 95
    How to Configure It .... 96

    When an External Interface Fails .... 97
  The Failover Multi-WAN Method .... 98
    When to Use It .... 98
    How It Works .... 98
    How to Configure It .... 98
    When an External Interface Fails .... 98
  The Interface Overflow Multi-WAN Method .... 99
    When to Use It .... 99
    How It Works .... 99
    How to Configure It .... 99
    When an External Interface Fails .... 99
  The Routing Table Multi-WAN Method .... 100
    When to Use It .... 100
    How It Works .... 100
    How to Configure It .... 100
    When an External Interface Fails .... 100
  Before You Begin .... 101
    Necessary Equipment and Services .... 101
    Management Computer Configuration .... 101
    Firewall Configuration .... 102
    Bandwidth Available at Each External Interface .... 102
    Physically Connecting your Devices .... 102
  Exercise 1: Demonstrate the Interface Overflow Multi-WAN Method and Sticky Connections .... 103
    When to Use the Interface Overflow Method .... 103
    Network Topology .... 103
    Configure the Device .... 104
    Demonstrate It .... 108
  Exercise 2: Demonstrate the Failover Multi-WAN Method and Policy-Based Routing .... 112
    When to Use the Failover Method .... 112
    Network Topology .... 112
    Configure the Device .... 113
    Demonstrate It .... 117
  Exercise 3: Demonstrate Load Balancing with the Round Robin Multi-WAN Method .... 118
    Configure the Device .... 118
    Demonstrate It .... 119
  Frequently Asked Questions .... 120
  Appendix .... 121
    How Fireware XTM Makes Multi-WAN Routing Decisions For Outbound Traffic .... 121
    Multi-WAN Routing Decision Flow Chart .... 122
  What You Have Learned .... 124

Routing .... 125
  Introduction .... 125
    What You Will Learn .... 125
  Terms and Concepts You Should Know .... 126
    Route .... 126
    Router .... 126
    Routing Table .... 126
    Route Metric .... 126
    Routing Protocol .... 126

    Convergence Time .... 127
  Decide Which Type of Routing to Use .... 128
    Static vs. Dynamic Routing .... 128
    Supported Dynamic Routing Protocols .... 128
  Dynamic Routing Policies .... 130
  Network Link Types .... 131
    A Common Cause of Routing Inconsistency .... 133
  Routing and Branch Office VPNs .... 134
    BOVPN Virtual Interface Routing Scenarios .... 135
    Failover from a Dynamic Route to a VPN that is not a BOVPN Virtual Interface .... 136
  Monitoring Tools .... 137
    The Status Report .... 137
    Diagnostic Logging .... 138
  Exercise 1: Configure Static Routing Over a Point-to-Point Link .... 139
    Add a Static Route to the Site A Device .... 140
    Add a Static Route to the Site B Device .... 141
    Review the Routing Tables .... 142
    Test the Static Route .... 143
    The Disadvantage of Using Only Static Routes .... 144
  Exercise 2: Configure Dynamic Routing over a Point-to-Point Link .... 145
    Network Topology .... 145
    Remove the Static Routes .... 145
    Configure Dynamic Routing with OSPF .... 146
    Review the Routing Table .... 147
    Add a New Network at Site B .... 148
  Exercise 3: Configure Static Routing Over a Multi-Hop Link .... 150
    Network Topology .... 150
    Before You Begin .... 150
    Configure the Peer Interfaces .... 151
    Configure Static Routes Between the Trusted Networks at Each Site .... 151
    Test the Static Route .... 153
  Exercise 4: Dynamic Routing Over a Multi-Hop Link .... 154
    Before You Begin .... 154
    Configure Static Routes Between the Peer Interfaces .... 155
    Configure Dynamic Routing with BGP .... 158
    Review the Routing Table .... 159
    Test the Static Route .... 159
  What You Have Learned .... 159

FireCluster .... 161
  Introduction .... 161
    What You Will Learn .... 161
  About FireCluster .... 161
  Terms and Concepts You Should Know .... 162
    Cluster Member .... 162
    Active/Active Cluster .... 162
    Active/Passive Cluster .... 162
    Load Balance Methods .... 162
    Cluster ID .... 163
    Cluster Interface .... 163
    Cluster Interface IP Address .... 163
    Management Interface .... 164
  About Failover .... 164

    Causes of FireCluster Failover .... 164
    What Happens During a Failover .... 166
  Monitoring Tools .... 167
    Firebox System Manager .... 167
    Diagnostic Logging .... 168
  FireCluster Requirements .... 169
    Hardware Requirements .... 169
    License Requirements .... 169
    Network Configuration Requirements .... 169
    Switch and Router Requirements .... 170
    FireCluster Pre-Configuration Checklist .... 171
  Exercise 1: Set Up an Active/Passive Cluster .... 172
    Configure the External Interface to Use a Static IP Address .... 172
    Configure the Trusted Interface .... 173
    Disable Unused Network Interfaces .... 174
    Decide Which Interfaces and Interface Address to Use .... 175
    Connect the Cables .... 176
    Run the FireCluster Setup Wizard .... 177
    Discover the Second Cluster Member .... 186
  Exercise 2: Monitor Cluster Status .... 187
    Monitor the Cluster .... 187
    Monitor a Cluster Member .... 188
  Exercise 3: Test FireCluster Failover .... 189
    Force a Failover from Firebox System Manager .... 189
    Trigger a Failover Due to Link Status .... 189
    Use the Backup Cluster Interface .... 189
    Trigger a Failover Due to Power Failure .... 190
    Test Failover with Network Traffic .... 190
    Use Leave/Join in Firebox System Manager .... 190
  What You Have Learned .... 190


    Fireware Training

    Course Introduction

    Network and Traffic Management with Fireware

    This training is for:

    * The exercises in this course require Fireware with a Pro upgrade, which is included with most device models. For some 5 Series models (505, 510, 520, 530), you can purchase the Fireware XTM Pro upgrade for your device.

    Training Overview

    About Side Notes

    Side notes are extra information that is not necessary to understand the training. They might be configuration or troubleshooting tips, or extra technical information.

    The WatchGuard Fireware XTM Network and Traffic Management with Fireware course covers these topics:

    VLAN

    Traffic Management and QoS

    Link Aggregation

    Multi-WAN

    Routing

    FireCluster

    This course assumes that you have completed the Fireware Essentials course and that you know how to set up and configure basic networking features. This Course Introduction describes the software, hardware, and network environment required to complete the exercises in this training courseware.

    Necessary Equipment and Software

    Because this course includes networking exercises, the training environment must include the

    following network equipment in order to support all of the exercises in this course.

    One WatchGuard XTM 33 or higher device for each student

    One WatchGuard Firebox or XTM device configured by the instructor as the default gateway

    Fireware XTM v11.9 or higher installed on each Firebox or XTM device

    One Windows computer per student, with WatchGuard System Manager v11.9 or later installed

    Three network hubs or switches, each with enough interfaces for the instructor and all of the student Firebox or XTM devices to connect.

    - One switch is the primary external network for the student devices

    - One switch is the secondary external network (WAN2) for the student devices in the

    Multi-WAN exercises

    - One switch is used for the multi-hop link in the Routing exercises

    Two managed switches with 802.1Q and 802.3ad support per student, for VLAN and Link

    Aggregation exercises. Or students can pair up for these exercises.

    Devices: WatchGuard XTM 330 or higher

    Device OS versions: Fireware XTM v11.9.x*

    Management software versions: WatchGuard System Manager v11.9.x

    FTP Server (optional for some exercises)

    Classroom Network Configuration

    The exercises in this course are designed using RFC 5737 documentation IP addresses to represent

    public network IP addresses. The exercises in this training assume the following classroom network

    configuration:

    Figure 1: Training network configuration

    Student Device IP Addresses

    Students may be assigned a number (10, 20, 30, etc.) to identify the last IP address octet for their external addresses, or the third octet for the internal addresses on their devices. This allows for similar configuration among devices and prevents IP address conflicts and subnet overlap.

    The student devices are configured with these addresses, where X is the student number:

    Eth0 - External (WAN1) - 203.0.113.X/24, default gateway 203.0.113.1

    Eth1 - Trusted - 10.0.X.1/24

    Eth2 - Optional - 172.16.X.1/24

    Eth3 - External or VLAN - Configuration varies by exercise

    Eth4, Eth5 - Link Aggregation - Configured in Link Aggregation exercises only

    The student number is also used in the FireCluster exercises as the cluster ID. We recommend that you

    assign student numbers in increments of at least 10, so the cluster ID does not create a virtual MAC

    address conflict between multiple FireClusters.

    In the exercises, your external interface and trusted interface IP addresses are determined by your

    student number. Replace the X in the exercises with your student number.

    Instructor Device Network Configuration

    Several interfaces on the instructor Firebox or XTM device must be configured to support the exercises in this course. The instructor device acts as the default gateway for the primary student external network, 203.0.113.0/24. For the Multi-WAN exercises that require a second external network, we use 198.51.100.1/24. The instructor device acts as the default gateway for both of these networks.

    You must also configure a DNS server, in the Network > Configuration > WINS/DNS tab, to allow DNS to operate from the training environment. For DNS to function for students, the student Firebox or XTM devices and computers must also be configured to use the DNS server.

    The instructor Firebox or XTM device is configured with these addresses:

    Eth0 (External) - Use appropriate addressing for a training environment with an Internet connection.

    Eth1 (Trusted) - 203.0.113.1/24. The default gateway for the primary external interface on student devices.

    Eth2 (VLAN) - Send and receive untagged traffic for VLAN10. Also used as the default gateway for the secondary external interface on student devices when a second WAN interface is configured.

    Eth3 (VLAN) - Send and receive tagged traffic for VLAN10 and VLAN20. Used when students configure a VLAN with an external interface.

    Eth4 (Trusted) - 172.16.10.1/30 as the primary IP address, and 172.16.X.1/30 as secondary addresses for the optional networks on each student device. Used to simulate a multi-hop link for some dynamic routing exercises.

    Figure 2: Instructor Firebox or XTM device network interfaces configuration


    The instructor device must have 2 VLANs configured:

    VLAN10 - Trusted - 198.51.100.1/24, ID 10 - Untagged on eth2, tagged on eth3

    VLAN20 - Trusted - 192.0.2.1/24, ID 20 - Tagged on eth3

    Figure 3: Instructor Firebox or XTM device VLAN configuration

    The instructor device must have addresses defined on eth4 for the optional networks for all student

    devices. These are used for the multi-hop dynamic routing exercises.

    Primary (for the Optional network of student 10) - 172.16.10.1/30

    Secondary (for the Optional network of students 20 and higher) - 172.16.X.1/30

    Figure 4: Secondary IP addresses for Eth4 on the instructor device, for a total of 8 students


    Configuration Changes for the Instructor Device

    To make the training network functional for these exercises, the instructor must make three more

    configuration changes to the instructor Firebox or XTM device.

    1. Create an Any policy to allow traffic between the trusted interfaces.

    Figure 5: Any policy configuration for the instructor Firebox or XTM device

    2. To enable access to the Internet, update the settings in Network > NAT > Dynamic NAT to add a dynamic entry for Any-Trusted - Any-External.

    Or, you can add dynamic NAT rules from RFC 5737 addresses to Any-External (for example, add a dynamic NAT rule for 203.0.113.0/24 - Any-External).

    Figure 6: NAT configuration for the instructor Firebox or XTM device


    3. To configure the instructor Firebox or XTM device to simulate a multi-hop link for the routing exercises, you must add static routes to route traffic to the trusted network on each student device. The next hop for each route is the IP address of the optional interface on that student device. The gateway corresponds to the primary and secondary networks defined for Eth4 on the instructor device.

    Figure 7: Static route configuration for the instructor Firebox or XTM device for a class with 8 students.

    (Optional) Set Up a Server to Host FTP and HTTP Downloads

    Several of the exercises in this courseware require that the students download a file from an FTP server

    or browse to a web site to observe the results of a configuration change. If your training environment

    does not have Internet access, you can use the subsequent steps to help you build an FTP server and a

    Web server on an existing Windows 2003 Server on your network, that students can use for the

    exercises.

    1. Connect the server's network card to the same hub or switch that connects the device external interface to the Internet router.

    Usually, you would connect your device directly to the LAN interface of your Internet router. For

    this exercise, you must use a hub or switch to connect the Windows 2003 Server to the external

    network of the device.

    2. Set up the FTP server.

    For more information, see this Microsoft article: http://support.microsoft.com/kb/323384.

    3. Create a 350 MB text file named 350mbfile.txt and save it in the ftproot folder. The default location for this folder is c:\inetpub\ftproot.

    To create the file in Windows, at the Command Prompt, type this fsutil command:

        fsutil file createnew c:\inetpub\ftproot\350mbfile.txt 358400000

    4. Set up the web server on your Windows 2003 Server.

    For more information, see this Microsoft article: http://support.microsoft.com/kb/324742

    5. Copy the 350mbfile.txt file from the C:\inetpub\ftproot directory to the C:\inetpub\wwwroot directory.


    Fireware Training

    VLANs in Fireware XTM

    Four Ways to Configure a Device for VLANs

    Introduction

    A virtual local area network (VLAN) is a collection of computers on a LAN or LANs that are grouped

    together in a single broadcast domain independent of their physical location. A VLAN allows you to

    group devices according to function or traffic patterns instead of location or IP address. Members of a

    VLAN can share resources as if they were connected to the same LAN.

    What You Will Learn

    This course explains the concept of a VLAN and describes several different VLAN technologies that are in use today. You will learn everything necessary to successfully deploy VLANs with your Firebox or XTM device. We will present four typical use cases with VLANs, and you will configure the Firebox or XTM device for each of these situations.

    Exercises

    The exercises demonstrate situations in which you would use different VLAN configurations, a

    simplified view of the network topology for each setup, and step-by-step procedures for how to

    configure each setup. The exercises include:

    You can also use VLANs with link aggregation. An exercise for that configuration is included in the link aggregation section of this training.

    Two VLANs on the same Firebox or XTM device interface

    One VLAN bridged across two Firebox or XTM device interfaces

    One VLAN bridged across two Firebox or XTM device interfaces (alternate configuration)

    Two VLANs as External Interfaces on the same Firebox or XTM device

    Three VLANs for two SSIDs on an AP device

    The course concludes with frequently asked questions about how to configure firewall policies to

    restrict incoming and outgoing access on VLAN interfaces, or to allow or deny traffic between different

    VLANs.

    What VLANs Can Do For You

    VLANs provide three main benefits:

    Increased performance by confining broadcasts.

    Each computer you add to a LAN increases the amount of background (broadcast) traffic, which can reduce performance. With VLANs, you can restrict this traffic and reduce the amount of bandwidth used by your network.

    Improved manageability and simplified network tuning.

    When you consolidate common resources into a VLAN, you reduce the number of routing hops

    needed for those devices to communicate. You can also manage traffic from each functional group

    more easily when each group uses a different VLAN.


    Increased security options.

    By default, members of one VLAN cannot see the traffic from another VLAN. You can apply separate

    security policies to VLANs. By contrast, a secondary network on a Firebox or XTM device interface

    gives no additional security because there is no separation of traffic. The Firebox or XTM device

    does not filter traffic between the primary network of an interface and a secondary network on

    that interface. It automatically routes traffic between primary and secondary networks on the same

    physical interface with no access restrictions.

    Terms and Concepts You Should Know

    VLAN trunk interface

    The physical interface (switch interface or device interface) that connects a VLAN device to another

    VLAN device. Some vendors use this term only for a switch interface that carries traffic for more than

    one VLAN. We use this as a general term to indicate an Ethernet interface on a VLAN-capable device

    that connects the device to another VLAN-capable device.

    VLAN ID (VID)

    A number from 1 to 4094 associated with the VLAN. Every VLAN you use has a unique number.

    Tag

    This term has two meanings: one for the verb usage, and one for the noun usage.

    [noun] Information that is added to the header of an Ethernet frame. The format of the tag is defined by the IEEE 802.1Q standard.

    [verb] To add a VLAN tag to a data frame's Ethernet header. The tag is added by an 802.1Q-compliant device such as an 802.1Q switch or router, or the Firebox or XTM device.

    Because the physical segment between two 802.1Q devices normally carries only tagged data

    packets, we call it the tagged data segment.

    Untag

    To remove a VLAN tag from a frame's Ethernet header. When an 802.1Q device sends data to a

    network device that cannot understand 802.1Q VLAN tags, the device untags the data frames.

    Because the physical segment between a VLAN device and a device that cannot understand VLAN

    tags normally carries only untagged data packets, we call it the untagged data segment.

    Tagging and untagging per interface

    When you assign VLAN membership for an Ethernet interface on an 802.1Q device, you also tell the

    interface whether to send and accept tagged or untagged data frames. Some VLAN devices allow

    one Ethernet interface to accept both tagged and untagged frames. This depends on which VLANs

    the interface is a member of.

    When you configure a Firebox or XTM device Ethernet interface for VLAN, the interface will accept

    both tagged and untagged data frames, but only for VLANs in the trusted, optional, and custom

    security zones. For an external VLAN a device VLAN interface will accept only tagged data frames.

    Use these two rules to decide whether to configure a switch interface for Tag or Untag:

    - If the interface connects to a device that can receive and understand 802.1Q VLAN tags, configure the switch interface for Tag. Devices you connect to this interface are usually VLAN switches (managed switches) or routers.

    - If the interface connects to a device that cannot receive and understand 802.1Q VLAN tags, configure the switch interface for Untag. (Such devices will likely strip the VLAN tag from the Ethernet header, or drop the frame altogether.) Devices you connect to this interface are usually computers or printers.


    Switches

    When you configure a Firebox or XTM device Ethernet interface for VLAN, the switches that you

    connect to the device interface must be able to use VLAN tags as defined in IEEE 802.1Q. A switch of

    this type is commonly called a managed switch or an 802.1Q switch.

    Types of VLANs

    VLANs can use different parameters to assign membership:

    - 802.1Q VLANs (used by the Firebox or XTM device)

    The Institute of Electrical and Electronic Engineers (IEEE) publishes the 802.1Q standard to

    define the format of VLAN tags. This standard lets you use VLANs with any vendor's

    equipment that conforms to 802.1Q standards.

    - MAC address-based VLANs use the physical address on a computer's network interface card to put it in the correct logical group.

    - VLANs based on multicast groups put computers into VLANs based on whether the

    computer has subscribed to a particular multicast group.

    - Protocol-based VLANs put computers into VLANs based on the communication protocol

    each uses (such as IP, IPX, DECnet, or AppleTalk).

    VLAN Requirements and Recommendations

    To use a VLAN with a Firebox or XTM device:

    If your Firebox or XTM device is configured in drop-in mode, you cannot use VLANs.

    If your Firebox or XTM device is configured in bridged mode you cannot configure VLANs on the

    device.

    - The device in bridge mode can pass VLAN tagged traffic between 802.1Q bridges or

    switches.

    - You can configure a device in bridge mode to be managed from a VLAN that has a specified

    VLAN tag.

    Each VLAN interface can send and receive untagged traffic for only one trusted or optional VLAN. For example, if a VLAN interface is configured to send and receive untagged traffic for VLAN-10, it cannot also send and receive untagged traffic for any other VLAN at the same time. Also, a VLAN interface cannot be configured to send and receive untagged traffic for an external VLAN.

    Multi-WAN configuration settings are applied to VLAN traffic. However, it can be easier to manage

    bandwidth when you use only physical interfaces in a multi-WAN configuration.

    Your device model and license control the number of VLANs you can create. To see the number of VLANs you can add to your Firebox or XTM device, open Policy Manager and select Setup > Feature Keys. Find the row labeled Total number of VLAN interfaces.

    We recommend that you do not create more than 10 VLANs that operate on external interfaces.

    Too many VLANs on external interfaces affect performance.

    All network segments you want to add to a VLAN must have IP addresses on the VLAN network.


    Before You Begin

    Before you begin the exercises, you must:

    1. Make sure the switches that connect to the Firebox or XTM device do not use Spanning Tree Protocol. Disable this protocol for any switch interface that connects to a device Ethernet interface.

    2. Know how to configure your VLAN switch. Consult the documentation from the device manufacturer for help.

    Firewall Configuration

    If your Firebox or XTM device is not yet configured, run the Quick Setup Wizard first to configure it.

    Use the Routed mode for the Quick Setup Wizard. (You cannot use VLANs with Drop-in mode or

    Bridge mode.) The Quick Setup Wizard with Routed mode has these defaults:

    - The external Interface 0 is configured and enabled with static IP address 203.0.113.X/24. Replace X in the external IP address with the student number your instructor gives you.

    - The trusted Interface 1 is configured and enabled with IP address 10.0.X.1/24. Replace X in the trusted IP address with the student number your instructor gives you.

    - All of the other interfaces are set to Disabled.

    - There are five policies in Policy Manager: FTP, Ping, WatchGuard WebUI, WatchGuard, and

    Outgoing.

    The trusted interface (Interface 1) is not a member of any VLAN in any of the exercises.

    The management computer is connected directly to the trusted interface with an Ethernet cable.

    Make sure your management computer has an IP address in the same subnet as the trusted

    interface, with the correct subnet mask. Make sure the default gateway for the computer is the

    trusted interface IP address.

    Necessary Equipment and Services

    Management computer

    Use a computer with WSM version 11.9 or higher software installed to configure the Firebox or

    XTM device. This computer is connected to the device trusted interface in all exercises.

    Two additional computers

    To test traffic flow with the VLANs you send traffic between two computers. Each computer is

    connected to a VLAN switch or to the Firebox or XTM device itself, depending on the exercise.

    You can also use the management computer for one of the two computers to test traffic flow

    between VLANs.

    WatchGuard Firebox or XTM device with Fireware XTM OS v11.9 or higher

    In the exercises, we assume that you ran the Quick Setup Wizard to configure the Firebox or XTM

    device and you selected Routed mode (not Drop-in or Bridge mode).

    802.1Q VLAN switches

    - One switch for Exercises 1 and 2

    - Two switches for Exercises 3 and 4

    - One switch for Exercise 5

    Ethernet cables

    At a minimum, to complete all the exercises you must have:

    - Six Ethernet cables, to interconnect all of the devices.


    Configuring the VLAN Switch

    Each physical interface on a VLAN switch is generally classified as one of two types:

    VLAN Access port

    A switch interface of this type removes VLAN tags from data frames before it sends them to the

    device attached to it. The interface also adds a VLAN tag to untagged frames it gets from the

    connected device.

    You connect computers, printers, and other networked devices to this type of interface.

    Configure this type of switch interface for untag mode.

    VLAN Trunk port

    A switch interface of this type preserves any VLAN tags in the data frames it receives. It also

    preserves VLAN tags when it sends tagged data frames to the device attached to it.

    You connect other VLAN-capable devices such as VLAN switches and routers to this type of

    interface. You also connect this type of interface to a Firebox or XTM device interface configured to

    accept tagged data frames.

    Configure this type of switch interface for tag mode.

    Select the VLAN ID Numbers

    By default, each interface on most new, unconfigured switches belongs to VLAN number 1. Because

    this VLAN exists on every interface of most switches by default, the possibility exists that this VLAN can

    accidentally span the entire network, or at least very large portions of it.

    We recommend you use a VLAN ID number other than 1 for any VLAN that passes traffic to the Firebox

    or XTM device.

    About the PVID

    Some switch manufacturers require you to assign a Port VLAN ID (PVID) to each interface. The PVID

    number determines the VLAN ID number that the switch adds to the untagged packets it gets from

    devices connected to the interface. If you do not configure a PVID for an interface, it is possible that the switch can tag the data packets it gets on that interface with the default VLAN ID of 1. This is the case even if you configure the interface to untag for a different VLAN ID number.

    When you change the PVID setting on a switch interface to a PVID number that matches a VLAN

    number, the switch adds a VLAN tag for that VLAN to untagged packets it receives on this interface. If

    your switch uses PVID numbers, be sure to configure each switch interface that connects a computer to

    use the correct PVID number.


    Exercise 1: Two VLANs on the Same Device Interface

    When to Use this Configuration

    A Firebox or XTM device interface is a member of more than one VLAN when the switch that connects

    to that interface carries traffic from more than one VLAN.

    You use multiple VLANs on one Firebox or XTM device interface when you want to split a device interface into multiple broadcast domains or multiple security zones. When you separate the traffic from different functional groups before it enters the device interface, you get two major benefits:

    Broadcast traffic is confined within each VLAN, which reduces congestion.

    You can make access policies to allow limited traffic or no traffic between the VLANs. You also

    control access from each VLAN to other parts of your network and to the Internet.

    Compare the second benefit to the situation when you configure a Firebox or XTM device interface as a

    physical interface (instead of as a VLAN) with a secondary network also configured on the interface: The

    device does not filter traffic between the primary network of an interface and a secondary network on

    that interface. The primary network is not protected from a secondary network on that interface.

    Network Topology

    This exercise shows how to connect one switch that carries traffic from two different VLANs to one

    Firebox or XTM device interface. In the subsequent diagram, the computers are connected to the

    802.1Q switch, and the switch is connected to Firebox or XTM device interface 3. The switch carries

    traffic from two different VLANs.

    Figure 1: Network topology for Exercise 1


    Configure the Device

    1. From Policy Manager, select Network > Configuration.
    The Network Configuration dialog box appears.

    2. Select the VLAN tab.

    Figure 2: VLAN tab of the Network Configuration dialog box

    3. Click Add and create a new VLAN.

    4. In the Name (Alias) text box, type a name for the VLAN. The name cannot contain spaces.
    For this example, type VLAN10.

    5. (Optional) In the Description text box, type a description.
    For this example, type Accounting.

    6. In the VLAN ID text box, type or select a number for the VLAN.
    For this example, select 10.

    Security zones correspond to aliases for interface security zones. For example, VLANs of type Trusted are handled by policies that use the alias Any-Trusted as a source or destination. VLANs can be defined as Trusted, Optional, or Custom.

    7. From the Security Zone drop-down list, select the security zone for the VLAN.
    For this example, select Trusted.

    8. In the IP Address text box, type the IP address of the VLAN gateway.
    For this example, type 192.168.10.1/24. Any computer in this new VLAN must use this IP address as its default gateway.

    9. (Optional) Configure DHCP for the new VLAN.
    a. Select Use DHCP Server.
    b. In the Address Pool section, click Add.
    c. Type or select the Starting Address and the Ending Address.
    For this example, type 192.168.10.10 for the Starting Address and 192.168.10.20 for the Ending Address.
    d. Click OK.
    The new address pool appears in the Address Pool list.

    10. Click OK.
    The new VLAN appears.

    Figure 3: VLAN tab with new VLAN10

    11. Click Add and create another new VLAN.

    12. In the Name (Alias) text box, type a name for the VLAN. The name cannot contain spaces.
    For this example, type VLAN20.


    13. (Optional) In the Description text box, type a description.
    For this example, type Sales.

    14. In the VLAN ID text box, type or select a number for the VLAN.
    For this example, select 20.

    15. From the Security Zone drop-down list, select the security zone for the VLAN.
    For this example, select Optional.

    16. In the IP Address text box, type the IP address of the VLAN gateway.
    For this example, type 192.168.20.1/24. Any computer in this new VLAN must use this IP address as its default gateway.

    17. (Optional) Configure DHCP for the new VLAN.
    a. Select Use DHCP Server.
    b. In the Address Pool section, click Add.
    c. Type or select the Starting Address and the Ending Address.
    For this example, type 192.168.20.10 for the Starting Address and 192.168.20.20 for the Ending Address.
    d. Click OK.
    The new address pool appears in the Address Pool box.

    18. Click OK.
    Both VLANs now appear.

    Figure 4: Two new VLANs: VLAN10 and VLAN20

    19. Select the Interfaces tab.

    20. Select Interface 3 and click Configure.

    21. From the Interface Type drop-down list, select VLAN.

    Because you cannot add a secondary network to a VLAN interface, the Secondary tab remains unavailable here. With Fireware XTM v11.8.1 or higher, you can add secondary networks to each of the VLAN members. To do this, edit the VLAN members in the VLAN tab.

    The Interface Type Configuration section appears on the IPv4 tab. Both new VLANs appear in the list.

    22. Select Send and receive tagged traffic for selected VLANs.

    23. In the Member column, select the check boxes for VLAN10 and VLAN20.

    Figure 5: The Member column shows which VLANs the interface is a member of.

    24. Click OK.
    This interface now appears as type VLAN in the list of interfaces.


    25. Check your work.
    The Interfaces tab should look like this.

    Figure 6: Firebox or XTM device Interface 3 is now type VLAN

    The VLAN tab should look like this.

    Figure 7: VLAN tab after the VLANs are defined

    26. Click the save icon, or select File > Save > To Firebox, to save this configuration to the device.
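    As an added check (example code, not WatchGuard's), the Python below applies the rules from VLAN Requirements and Recommendations and the no-spaces naming rule from step 4 to the two-VLAN configuration you just built, and to a constructed configuration that breaks several of them. The dictionary layout and the feature-key limit are assumptions for the illustration, not the Firebox configuration format.

```python
"""Added example: validate a Firebox VLAN plan against the rules in the
VLAN Requirements and Recommendations section. Not WatchGuard code; the
dictionary layout is an assumption for this illustration."""
import ipaddress

# Placeholder: take the real value from Setup > Feature Keys,
# row "Total number of VLAN interfaces".
FEATURE_KEY_VLAN_LIMIT = 25
MAX_RECOMMENDED_EXTERNAL_VLANS = 10

# Constructed to mirror Exercise 1: VLAN10 (Trusted) and VLAN20 (Optional),
# both tagged on interface 3; interface 1 stays a plain trusted interface.
EXERCISE1 = {
    "vlans": [
        {"name": "VLAN10", "id": 10, "zone": "Trusted", "ip": "192.168.10.1/24",
         "dhcp": ("192.168.10.10", "192.168.10.20")},
        {"name": "VLAN20", "id": 20, "zone": "Optional", "ip": "192.168.20.1/24",
         "dhcp": ("192.168.20.10", "192.168.20.20")},
    ],
    "interfaces": {3: {"type": "VLAN", "tagged": [10, 20], "untagged": []}},
}


def check_vlan_config(cfg, vlan_limit=FEATURE_KEY_VLAN_LIMIT):
    """Return a list of problems; an empty list means the plan passes."""
    problems = []
    vlans = cfg["vlans"]
    by_id = {}
    for v in vlans:
        if " " in v["name"]:
            problems.append(f"{v['name']!r}: name cannot contain spaces")
        if not 1 <= v["id"] <= 4094:
            problems.append(f"{v['name']}: VLAN ID {v['id']} outside 1..4094")
        if v["id"] == 1:
            problems.append(f"{v['name']}: VLAN ID 1 is the switch default; pick another")
        if v["id"] in by_id:
            problems.append(f"{v['name']}: VLAN ID {v['id']} already used by {by_id[v['id']]}")
        by_id[v["id"]] = v["name"]
        net = ipaddress.ip_interface(v["ip"]).network
        if "dhcp" in v:
            # The DHCP pool must lie inside the VLAN's own subnet.
            start, end = (ipaddress.ip_address(a) for a in v["dhcp"])
            if not (start in net and end in net and start <= end):
                problems.append(f"{v['name']}: DHCP pool {v['dhcp']} not inside {net}")
    if len(vlans) > vlan_limit:
        problems.append(f"{len(vlans)} VLANs exceeds feature key limit {vlan_limit}")
    externals = sum(1 for v in vlans if v["zone"] == "External")
    if externals > MAX_RECOMMENDED_EXTERNAL_VLANS:
        problems.append(f"{externals} external VLANs; more than 10 affects performance")
    for num, iface in cfg["interfaces"].items():
        if iface["type"] != "VLAN":
            continue
        for vid in iface["tagged"] + iface["untagged"]:
            if vid not in by_id:
                problems.append(f"interface {num}: member of undefined VLAN {vid}")
        untagged = iface["untagged"]
        # Only one trusted/optional VLAN may be untagged per interface,
        # and an external VLAN may never be untagged.
        if len(untagged) > 1:
            problems.append(f"interface {num}: untagged traffic for more than one VLAN")
        for vid in untagged:
            zone = next((v["zone"] for v in vlans if v["id"] == vid), None)
            if zone == "External":
                problems.append(f"interface {num}: external VLAN {vid} cannot be untagged")
    return problems


def broken_variant():
    """Constructed mistakes: space in a name, duplicate ID, DHCP pool outside
    the subnet, two untagged VLANs on one interface, untagged external VLAN."""
    cfg = {
        "vlans": [
            {"name": "VLAN10", "id": 10, "zone": "Trusted", "ip": "192.168.10.1/24"},
            {"name": "Guest WiFi", "id": 10, "zone": "Optional", "ip": "192.168.30.1/24",
             "dhcp": ("192.168.30.10", "192.168.31.20")},
            {"name": "WAN2", "id": 30, "zone": "External", "ip": "203.0.113.50/24"},
        ],
        "interfaces": {3: {"type": "VLAN", "tagged": [], "untagged": [10, 30]}},
    }
    return check_vlan_config(cfg)


if __name__ == "__main__":
    print("Exercise 1 problems:", check_vlan_config(EXERCISE1))   # []
    for p in broken_variant():
        print("broken:", p)
```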

    Configure the Switch

    Refer to the instructions from your switch manufacturer to configure your switch.

    As a general rule, remember that the physical segment between this switch interface and the Firebox or XTM device is a tagged data segment. Traffic that flows over this segment must use 802.1Q VLAN tagging.

    Some switch manufacturers refer to a switch interface that is configured as in Step 2 as a trunk port or trunk interface.

    1. Add two VLANs to the 802.1Q switch configuration.Set the VLAN ID numbers for these VLANs to 10 and 20.

    2. Configure the switch interface that connects the switch to the device interface 3.

    a. Disable Spanning Tree Protocol on any switch interface that connects to the device.

    b. Configure this interface on the switch to be a member of both VLANs 10 and 20.

    c. Configure this interface to tag for both VLANs.

    d. If necessary for your switch operating system, configure the switch mode to trunk.

    e. If necessary for your switch operating system, set encapsulation mode to 802.1Q.

    3. Configure the switch interfaces that connect computers in VLAN10 to the switch.

    a. Configure each switch interface that will connect a computer in VLAN10 to be a member of VLAN10.

    b. Configure these interfaces to untag for VLAN10.

    4. Configure the switch interfaces that connect computers in VLAN20 to the switch.

    a. Any switch interface that will connect a computer in VLAN20 must be a member of VLAN20.

    b. Configure these interfaces to untag for VLAN20.


    As a general rule, remember that the physical segment between a switch interface and a computer (or other networked device) that connects to it is an untagged data segment. Traffic that flows over this segment does not have VLAN tags.

    Most switches sold today have interfaces that can auto-sense MDI/MDI-X for the Ethernet connection. When the interface senses a physical link, it automatically configures itself to be a normal or uplink interface. If you do not get link lights on the Ethernet interfaces with one type of Ethernet cable (straight-through or crossover), try the other type of Ethernet cable.

    Physically Connect all Devices

    1. Connect one end of an Ethernet cable to the device interface 3.

    2. Connect the other end of the Ethernet cable to the interface on the switch that you configured to tag for VLANs 10 and 20 (to the VLAN trunk interface of the switch).

    3. Connect a computer to the interfaces on the switch that you configured to untag for VLAN10.

    4. If you configured VLAN10 to use the DHCP server, configure the computer's network card to use DHCP to get an IP address automatically. For more information, see Step 9 on page 13.

    5. If you did not configure the VLAN to use the DHCP server, configure the computer's network card with an IP address in the VLAN subnet 192.168.10.x. Use subnet mask 255.255.255.0 and set the computer's default gateway to the device VLAN IP address, 192.168.10.1.

    6. Repeat Steps 1-3 to connect a computer to a switch interface that you configured to untag for VLAN20.

    Test the Configuration

    From the computer in VLAN10, you should be able to ping the computer in VLAN20, as well as ping the VLAN10 computer from the VLAN20 computer. The two computers can ping each other because the default settings of the Ping policy allow Any-Trusted and Any-Optional to send ICMP echo requests to Any.

    No other traffic is allowed between the two VLANs unless there is a policy that specifically allows it. The basic configuration loaded by the Quick Setup Wizard does not allow any other traffic between the VLANs.


    Exercise 2: One VLAN Bridged Across Two Device Interfaces

    When to Use this Configuration

    The primary benefit of this configuration is the ability to bridge a VLAN between computers connected to a VLAN switch and computers directly connected to the Firebox or XTM device. A typical network topology is this:

    - You have a relatively large number of computers connected by way of a VLAN switch to one device interface.

    - You have a single computer (or a small group of computers) that must share the same resources as the first group, but it is physically separated from the first group.

    - It is more convenient or cost-effective to connect the smaller group directly to the device.

    To solve the challenge of putting all these computers into one logical group, you configure the Firebox or XTM device with a VLAN that bridges two device interfaces:

    - One device interface tags for the VLAN. This interface connects, by way of an Ethernet cable, to the VLAN switch that links the majority of the computers in this logical group.

    - The other device interface untags for the VLAN. This interface has a direct Ethernet connection to one computer (or a small group of computers) in the logical group. This second connection can be a shared media connection such as a hub connected to the interface, or a single computer connected to the interface with a crossover Ethernet cable.

    With this configuration, all the computers can easily share resources, and their broadcasts are confined to the VLAN.


    Network Topology

    The untagged Firebox or XTM device interface in Figure 8 (Interface 4, with one computer connected) operates in much the same way as an untagged switch port on a VLAN switch.

    This exercise shows how to connect a switch to one Firebox or XTM device interface, and computers to another Firebox or XTM device interface. Figure 8 shows that the computers connected to the switch and to device interface 4 are in the same VLAN.

    Figure 8: Network topology for Exercise 2

    Note

    If you have already completed the previous exercise, remove the VLANs and disable the VLAN interface you configured in that exercise before you begin this one.

    Configure the Device

    1. From Policy Manager, select Network > Configuration.

    2. Select the VLAN tab.

    3. Click Add and create a new VLAN. The New VLAN Configuration dialog box appears.

    4. In the Name (Alias) text box, type a name for the VLAN. The name cannot contain spaces. For this example, type VLAN10.

    5. (Optional) In the Description text box, type a description of the VLAN. For this example, type Accounting.

    6. In the VLAN ID text box, select a number for the VLAN. For this example, type 10.

    7. From the Security Zone drop-down list, select the security zone for the VLAN. For this example, select Trusted.


    8. In the IP Address text box, type the IP address of the VLAN gateway. For this example, type 192.168.10.1/24. Any computer in this new VLAN must use this IP address as its default gateway.

    9. (Optional) Configure DHCP for the new VLAN.

    a. Select Use DHCP Server.

    b. In the Address Pool section, click Add.

    c. Type or select the Starting Address and the Ending Address.

    For this example, type 192.168.10.10 for the Starting Address and 192.168.10.20 for the Ending Address.

    d. Click OK.

    The new address pool appears in the Address Pool list.

    The Interfaces column is blank for a new VLAN because no Firebox or XTM device interfaces have been assigned to it yet. You assign the VLAN to Firebox or XTM device interfaces in the next steps.

    10. Click OK. The new VLAN is added.

    Figure 9: VLAN10 on the VLAN tab

    11. To make device Interfaces 3 and 4 members of the new VLAN, select the Interfaces tab.

    12. Select Interface 3 and click Configure.

    13. From the Interface Type drop-down list, select VLAN.

    You configure interface 3 to handle tagged VLAN traffic, because it connects to a VLAN switch that sends it traffic with VLAN tags.

    14. Select Send and receive tagged traffic for selected VLANs.

    15. In the Member column, select the check box for VLAN10.

    Figure 10: Select the check box to make the interface a member of the VLAN

    16. Click OK. This interface now appears as type VLAN in the list of interfaces.

    17. Double-click Interface 4 and configure it to untag for VLAN10.

    18. From the Interface Type drop-down list, select VLAN.


    You can only select one VLAN for untagged traffic. This option is not available if you choose a VLAN that has External specified as the zone. You cannot configure an interface to send and receive both tagged and untagged traffic when a VLAN is configured as an External zone.

    If you do not want computers connected to a Firebox or XTM device interface to be part of a VLAN, then do not configure the interface to be of type VLAN. Instead, configure the interface to be of type Trusted or Optional.

    19. At the bottom of the dialog box, select the Send and receive untagged traffic for selected VLAN check box. From the adjacent drop-down list, select VLAN10 (192.168.10.1/24).

    Figure 11: Make Interface 4 an untagged switch port

    20. Click OK and check your work.

    The Interfaces tab should now look like this.

    Figure 12: Firebox or XTM device interfaces 3 and 4 now appear as type VLAN

    The VLAN tab should look like this.

    Figure 13: The VLAN interface used by interfaces 3 and 4

    The VLAN settings list includes information about which interface tags and which interface untags for a particular VLAN. It uses either boldface type or normal type for the numbers in the Interfaces column:

    - boldface type entries are Untag

    - normal type entries are Tag.

    21. Save this configuration to the Firebox or XTM device.


    Configure the Switch

    Refer to the instructions from your switch manufacturer to configure your switch.

    1. Configure the switch interface that connects the switch to the Firebox or XTM device interface 3.

    a. Disable Spanning Tree Protocol on any switch interface that connects to the device.

    b. Configure this interface on Switch A to be a member of VLAN10.

    c. Configure this interface to tag for VLAN10.

    d. If necessary for your switch operating system, configure the switch mode to trunk.

    e. If necessary for your switch operating system, set encapsulation mode to 802.1Q.

    Some switch manufacturers call an interface configured this way either a trunk port or a trunk interface.

    2. Configure the switch interfaces that connect computers to the switch.

    3. Configure the other switch interfaces to be members of VLAN10 and to untag for VLAN10.

    As a general rule, remember that the physical segment between this switch interface and the device is a tagged data segment. Traffic that flows over this segment must use 802.1Q VLAN tagging.

    As a general rule, remember that the physical segments between each of the other switch interfaces and the computers (or other networked devices) that connect to them are untagged data segments. Traffic that flows over these segments does not have VLAN tags.
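    The tagged and untagged segments described in the switch notes for Exercise 1 and Exercise 2 can be modelled in a few lines. The following is an added example, not WatchGuard's code: the frame layout follows 802.1Q, while the port names and MAC addresses are constructed for the demonstration.

```python
"""Model of the tagged and untagged segments in the VLAN exercises.

Added example, not WatchGuard code: it builds and parses Ethernet frames
with an 802.1Q tag (TPID 0x8100, then a 16-bit TCI whose low 12 bits hold
the VLAN ID) and applies the port rules the exercises configure. Port
names and MAC addresses below are constructed.
"""
import struct

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800  # payload type used for the sample frames


def build_frame(dst, src, payload, vid=None):
    """Build an Ethernet II frame; insert an 802.1Q tag (PCP 0) when vid is given."""
    if vid is None:
        return dst + src + struct.pack("!H", ETHERTYPE_IPV4) + payload
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    tci = vid & 0x0FFF  # PCP and DEI bits left at 0
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ETHERTYPE_IPV4) + payload


def parse_frame(frame):
    """Return dst, src, vid (None when untagged), ethertype and payload."""
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return {"dst": dst, "src": src, "vid": None,
                "ethertype": ethertype, "payload": frame[14:]}
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    return {"dst": dst, "src": src, "vid": tci & 0x0FFF,
            "ethertype": ethertype, "payload": frame[18:]}


class Port:
    """A switch or device interface: tag_vids are the VLANs it tags for
    (trunk; "Send and receive tagged traffic for selected VLANs"), untag_vid
    is the one VLAN it untags for (access port; "Send and receive untagged
    traffic for selected VLAN")."""

    def __init__(self, name, tag_vids=(), untag_vid=None):
        self.name = name
        self.tag_vids = set(tag_vids)
        self.untag_vid = untag_vid

    def ingress(self, frame):
        """Place an arriving frame in a VLAN: (vid, parsed) or None if dropped."""
        p = parse_frame(frame)
        if p["vid"] is None:
            # Untagged frame: only a port that untags for a VLAN accepts it.
            return (self.untag_vid, p) if self.untag_vid is not None else None
        # Tagged frame: accepted only if this port tags for that VLAN.
        return (p["vid"], p) if p["vid"] in self.tag_vids else None

    def egress(self, vid, p):
        """Re-emit a frame of VLAN vid, tagged or untagged as configured."""
        if vid in self.tag_vids:
            return build_frame(p["dst"], p["src"], p["payload"], vid=vid)
        if vid == self.untag_vid:
            return build_frame(p["dst"], p["src"], p["payload"])
        return None  # this port is not a member of that VLAN


def forward(in_port, frame, out_port):
    """Carry one frame from in_port to out_port within its VLAN; None if blocked."""
    classified = in_port.ingress(frame)
    if classified is None:
        return None
    vid, p = classified
    return out_port.egress(vid, p)


if __name__ == "__main__":
    # Exercise 2 layout: device interface 3 tags for VLAN10 (trunk from the
    # switch), interface 4 untags for VLAN10 with one computer attached.
    eth3, eth4 = Port("eth3", tag_vids={10}), Port("eth4", untag_vid=10)
    dst, src = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    print(parse_frame(forward(eth3, build_frame(dst, src, b"ping", vid=10), eth4)))
    print(forward(eth3, build_frame(dst, src, b"x", vid=30), eth4))  # None: VLAN 30 not a member
```

    A frame tagged for a VLAN the port does not tag for is dropped at ingress, which is why the switch steps make the trunk a member of exactly the VLANs it must carry.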

    Physically Connect all Devices

    1. Connect one end of an Ethernet cable to the Firebox or XTM device interface 3.

    2. Connect the other end of the Ethernet cable to the interface on the switch that you configured to tag for VLAN10 (to the VLAN trunk interface of the switch).

    3. Connect a computer to one of the interfaces on the switch that you configured to untag for VLAN10.

    4. If you configured VLAN10 to use the DHCP server, configure the computer's network card to use DHCP to get an IP address automatically. See Step 9 on page 19.

    5. If you did not configure the VLAN to use the DHCP server, configure the computer's network card with an IP address in the VLAN subnet 192.168.10.x. Use subnet mask 255.255.255.0 and set the computer's default gateway to the device VLAN IP address 192.168.10.1.

    6. Repeat these steps to connect a computer to device interface 4.

    Test the Configuration

    You should be able to send a ping from the computer connected to the switch to the computer connected to device interface 4, and from the computer connected to device interface 4 to the computer connected to the switch. The two computers can communicate as though they were connected to the same physical LAN.


    Exercise 3: One VLAN Bridged Across Two Device Interfaces (Alternate Configuration)

    When to Use This Configuration

    You might use a configuration like this if your organization is spread across multiple locations. For example, suppose your network is on the first and second floors in the same building. Some of the computers on the first floor are in the same functional group as some of the computers on the second floor. You want to group these computers into one broadcast domain so that they can easily share resources, such as a dedicated file server for their LAN, host-based shared files, printers, and other network accessories.

    You connect the computers on one floor to one VLAN switch, and connect that switch to a Firebox or XTM device interface. You connect the computers on the other floor to one VLAN switch, and connect that switch to another Firebox or XTM device interface. This puts all of the computers into one LAN.

    One of the main benefits in this setup is cost savings: it is not necessary to connect another device to combine the traffic from the two switches before it enters the device. The device combines the traffic, and lets you apply strict security policies between the VLANs, the rest of your network, and untrusted segments such as the Internet. This saves you the cost of a different device, such as a router or a layer 3 switch.

    Network Topology

    This exercise shows how to connect two 802.1Q switches, both of which send traffic from the same VLAN, to two different Firebox or XTM device interfaces. The subsequent diagram shows how computers are connected to 802.1Q switches, and how the switches are connected to the device. Two 802.1Q switches connected to device interfaces 3 and 4 carry traffic from the same VLAN.

    Figure 14: Network topology for Exercise 3


    Note

    If you have already completed the previous exercise, remove the VLANs and disable the VLAN interface you configured in that exercise before you begin this one.

    Configure the Device

    1. From Policy Manager, select Network > Configuration.

    2. Select the VLAN tab. The VLAN settings list is empty because you have not defined any VLANs.

    3. Click Add and create a new VLAN. The New VLAN Configuration dialog box appears.

    4. In the Name (Alias) text box, type a name for the VLAN. The name cannot contain spaces. For this example, type VLAN10.

    5. (Optional) In the Description text box, type a description of the VLAN. For this example, type Accounting.

    6. In the VLAN ID text box, select a number for the VLAN. For this example, type 10.

    7. From the Security Zone drop-down list, select the security zone for the VLAN. For this example, select Trusted.

    8. In the IP Address text box, type the IP address of the VLAN gateway. For this example, type 192.168.10.1/24. Any computer in this new VLAN must use this IP address as its default gateway.

    9. (Optional) Configure DHCP for the new VLAN.

    a. Select Use DHCP Server.

    b. In the Address Pool section, click Add.

    c. Type or select the Starting Address and the Ending Address.

    For this example, type 192.168.10.10 for the Starting Address and 192.168.10.20 for the Ending Address.

    d. Click OK.

    The new address pool appears in the Address Pool list.

    10. Click OK. The new VLAN appears.

    Figure 15: The VLAN tab with new VLAN10

    11. To make device Interfaces 3 and 4 members of the new VLAN, select the Interfaces tab.

    12. Select Interface 3 and click Configure. Or, double-click the interface.

    13. From the Interface Type drop-down list, select VLAN.


    Interface 3 will be a tagged VLAN interface because it connects to a VLAN switch that sends it traffic with VLAN tags.

    14. Select Send and receive tagged traffic for selected VLANs.

    15. In the Member column, select the check box for VLAN10.

    Figure 16: Select the check box to make the interface a member of the VLAN

    16. Click OK. This interface now appears as type VLAN in the list of interfaces.

    17. Repeat Steps 11-16 for Interface 4 to make that interface a member of VLAN10.

    18. Check your work.

    The Interfaces tab should look like this:

    Figure 17: Interfaces 3 and 4 are both type VLAN

    The numbers in the Interfaces column use normal type to indicate that these are tagged interfaces. If the interfaces are configured as untagged switch ports, the entry appears in bold type.

    The VLAN tab should look like this:

    Figure 18: The VLAN tab shows that interfaces 3 and 4 are members of VLAN10

    19. Click and save this configuration to the device. Or, select File > Save > To Firebox.


    6. If you configured VLAN10 to use the DHCP server, configure the computer's network card to use DHCP to get an IP address automatically. See Step 9 on page 23.

    7. If you did not configure the VLAN to use the DHCP server, configure the computer's network card with an IP address in the VLAN subnet 192.168.10.x. Use subnet mask 255.255.255.0 and set the computer's default gateway to the device VLAN IP address 192.168.10.1.

    8. Repeat these steps to connect a computer to Switch B.

    Testing the Connection

    You should be able to ping from a computer connected to Switch A to a computer connected to Switch B, and from a computer connected to Switch B to a computer connected to Switch A. Because they are in the same VLAN, the two computers can communicate as if they were connected to the same physical LAN.


    Exercise 4: Two VLANs as External Interfaces on the Same Device

    When to Use this Configuration

    Fireware XTM OS versions prior to v11.7 had a hard limit of four WAN interfaces. You can use VLANs as External interfaces when you need more than four WAN interfaces. You can configure up to ten External VLANs in addition to the four physical External interfaces.

    You use VLANs as External interfaces when your service provider gives you Internet and MPLS connections on a single Ethernet cable, logically separated by VLANs. Rather than connecting the cable to a managed switch, then to separate physical interfaces on your Firebox or XTM device, you can connect the cable directly to a single physical interface configured as a trunk on your device.

    Network Topology

    This exercise simulates two service provider connections, ISP-1 (VLAN 10) and ISP-2 (VLAN 20), carried by a single trunk port of the switch to one Firebox or XTM device interface. In the subsequent diagram, the WAN connection is connected to the 802.1Q switch, and the trunk port of the switch (Switch A) is connected to device interface 3.

    Figure 19: Network topology for Exercise 4

    Note

    If you have already completed the previous exercise, remove the VLANs and disable the VLAN interface you configured in that exercise before you begin this one.


    Configure the Device

    1. From Policy Manager, select Network > Configuration. The Network Configuration dialog box appears.

    2. Select the VLAN tab.

    3. Click Add to create a new VLAN. The New VLAN Configuration dialog box appears.

    4. In the Name (Alias) text box, type a name for the VLAN. The name cannot contain spaces. For this example, type External-VLAN10.

    5. (Optional) In the Description text box, type a description. For this example, type ISP-1.

    6. In the VLAN ID text box, type or select a number for the VLAN. For this example, select 10.

    Security zones correspond to aliases for interface security zones. For example, VLANs of type External are handled by policies that use the alias Any-External as a source or destination.

    7. From the Security Zone drop-down list, select the security zone for the VLAN. For this example, select External.

    8. Select Use Static IP.

    9. In the IP Address text box, type the IP address. For this exercise, type 198.51.100.X/24. Replace the X in the IP address with the student number your instructor gives you. For example, if your student number is 10, type 198.51.100.10/24.

    10. In the Default Gateway text box, type the gateway address. For this exercise, type 198.51.100.1.

    This configuration must have a corresponding upstream connection that is the default gateway (198.51.100.1).

    11. Click OK.

    12. Click Add and create another new VLAN. The New VLAN Configuration dialog box appears.

    13. In the Name (Alias) text box, type a name for the VLAN. The name cannot contain spaces. For this example, type External-VLAN20.

    14. (Optional) In the Description text box, type a description. For this exercise, type ISP-2.

    15. In the VLAN ID text box, type or select a number for the VLAN. For this example, select 20.

    16. From the Security Zone drop-down list, select the security zone for the VLAN. For this example, select External.

    17. Select Use Static IP.

    18. In the IP Address text box, type the IP address. For this example, type 198.0.2.X/24. Replace the X in the IP address with the student number your instructor gives you. For example, if your student number is 10, type 198.0.2.10/24.

    19. In the Default Gateway text box, type the gateway address. For this exercise, type 198.0.2.1. This configuration must have a corresponding upstream connection that is the default gateway (198.0.2.1).

    20. Click OK. The new VLANs appear.

    Figure 20: VLAN tab with new External-VLAN10 and External-VLAN20

    21. Select the Interfaces tab.


    22. Select Interface 3. Click Configure.

    23. From the Interface Type drop-down list, select VLAN. The Interface Type Configuration section appears on the IPv4 tab. Both new VLANs appear in the list.

    24. Select Send and receive tagged traffic for selected VLANs.

    25. In the Member column, select the check boxes for External-VLAN10 and External-VLAN20.

    Figure 21: The Member column shows which VLANs this interface is a member of.

    26. Click OK.

    27. Check your work.

    The Interfaces tab should look like this.

    Figure 22: Interface 3 is now type VLAN

    The VLAN tab should look like this.

    Figure 23: VLAN tab after the VLANs are defined

    28. Save this configuration to the device.


    Configure the Switch

    Add VLANS to the switch that connects to your ISP. In the diagram, this is labeled Switch A.

    Refer to the instructions from your switch manufacturer to configure VLAN tagging on

