Port Based VLANs. Secure Computing SG570, SG300, SG560, SG565, SG550, SG530, SG580, SG575

Port Based VLANs

Note

SG560, SG565 and SG580 only.

The SG560, SG565 and SG580 have a VLAN-capable switch built in. This gives you the flexibility to either use it as a simple switch that allows access between all ports (this is the default), or use port based VLANs to control access between each individual port in the switch.

This port based VLAN configuration makes it possible to assign each of the four ports its own subnet address, declare it to be a LAN, WAN or DMZ independent of the other ports and generally treat it as if it was a completely separate physical port.

The SnapGear unit may also participate on an existing VLAN. When you add a VLAN interface to connect to the existing VLAN, you may associate it with one or more of the SnapGear unit's ports.

Tagged and untagged VLANs

When using port based VLANs, it is important to understand the differences between tagged and untagged VLANs.

Tagged VLAN interfaces add a VLAN header (see the VLAN Overview section earlier in this chapter) to outgoing network packets, and only accept incoming network packets that contain a VLAN header carrying the interface's VLAN ID. Untagged VLAN interfaces do not add a VLAN header to outgoing network packets, and do not accept incoming packets that contain a VLAN header.

A port may be a member of either a single untagged VLAN, or one or more tagged VLANs. A port may not be a member of both tagged and untagged VLANs.

Once switch A has had port based VLANs enabled, ports that have not been explicitly assigned to one or more VLANs are assigned to the default VLAN. The default VLAN is untagged.

Typically, a tagged VLAN interface is used when you want to join an existing VLAN on the network, and an untagged VLAN interface is used when you are using the port based VLAN feature to isolate the ports so that you can configure each of them individually.

Network Setup

97

Limitations of port based VLANs

There are a few further limitations to keep in mind when using port based VLANs:

The total bandwidth from the switch into the CPU is 100 Mbit/s, which is shared between the 4 ports. This may limit the bandwidth available to a single port while the unit is performing general routing, packet filtering and other activities.

Port based VLANs can only be enabled if there are fewer than 16 VLANs in total.

Switch A can only have one default VLAN, and any ports that are not explicitly assigned to another VLAN are automatically placed on the default VLAN. The default VLAN is untagged.

You cannot add tagged VLANs to port A1; it is a member of the default VLAN only.

Enabling port based VLANs

Note

If you previously selected 1 LAN Port, 3 Isolated Ports in the Switch Configuration step of the Quick Setup Wizard, port based VLANs are already enabled.

Select Network Setup from the Networking menu. Next to the port based VLAN capable interface (Switch A on the SG560, SG565 and SG580), click the Edit icon then the Ethernet Configuration tab.


The following settings pertain to port based VLANs:

Enable port based VLANs: Check to enable port based VLANs.

Default port based VLAN ID: The default VLAN is always untagged, so you typically only need to change this from its default setting of 2 if VLAN ID 2 is already in use on your network as a tagged VLAN that another port needs to join.

Adding port based VLANs

Note

If you previously selected 1 LAN Port, 3 Isolated Ports in the Switch Configuration step of the Quick Setup Wizard, a single isolated VLAN for each port has already been added.

Select Network Setup from the Networking menu. Under the Connection table, select VLAN and click Add.


The following settings are displayed:

Interface: The port based VLAN capable interface on which to add the VLAN.

VLAN ID: If you are adding a VLAN interface to participate on an existing VLAN, enter its ID number here. Otherwise enter the next available VLAN ID; if the Default port based VLAN ID has been left at its default setting of 2, Port A2 uses VLAN ID 3, Port A3 uses VLAN ID 4, and so on.

Note

Some Cisco equipment uses tagged VLAN 1 for its own purposes. We therefore recommend setting the default VLAN ID to 2 or greater for tagged VLANs, unless you intend for the SnapGear unit and Cisco equipment to interact over tagged VLAN 1.

Mode: This is where you associate one or more of switch A's ports with this VLAN interface. Select Disabled for the ports to exclude from this VLAN. If you are configuring a port or ports to participate on an existing tagged VLAN, set them to Tagged. Otherwise, to isolate a single port so that it may be configured individually, set the port to Untagged.

Refer to the section entitled Tagged and untagged VLANs earlier in this chapter for further discussion of these settings.

Click Update. This VLAN interface now appears in the Connections table, and you may configure it as you would any other network interface.
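The rules in the Tagged and untagged VLANs section, the limitations listed above, and the VLAN ID allocation used by the 1 LAN Port, 3 Isolated Ports wizard choice (A2 on VLAN 3, A3 on VLAN 4, A4 on VLAN 5 when the default is 2) can be checked against a small model before you commit a configuration. The following Python is an added example written for this page; it is not SnapGear firmware code and does not appear in the original manual. The sample frames are constructed inline, the function names (`parse_vlan_tag`, `ingress_accept`, `isolated_ports_plan`, `effective_membership`) are the example's own, and the 16-VLAN limit is assumed to count the default VLAN.

```python
"""Model of the SG560/SG565/SG580 port based VLAN rules described above.
Added example for this page, not SnapGear firmware code. Function names,
the sample frames and the treatment of the 16-VLAN limit are assumptions."""
import struct

TPID_8021Q = 0x8100            # EtherType value that announces an 802.1Q tag
PORTS = ("A1", "A2", "A3", "A4")
MAX_VLANS = 16                 # "fewer than 16 VLANs in total"; assumed to include the default VLAN


def build_frame(vid=None, ethertype=0x0800):
    """Constructed sample Ethernet frame: broadcast dst, fixed src, 46 zero payload bytes.
    With vid set, an 802.1Q header (TPID, TCI with PCP=0) is inserted before the EtherType."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("0200deadbeef")
    if vid is None:
        return dst + src + struct.pack("!H", ethertype) + bytes(46)
    return dst + src + struct.pack("!HHH", TPID_8021Q, vid & 0x0FFF, ethertype) + bytes(46)


def parse_vlan_tag(frame):
    """Return (vlan_id, ethertype); vlan_id is None when the frame carries no 802.1Q header."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return None, ethertype
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, inner         # low 12 bits of the TCI are the VLAN ID


def ingress_accept(port_vlans, frame):
    """port_vlans maps vlan_id -> 'tagged' | 'untagged' for one switch port.
    Returns the VLAN the frame is placed in, or None if the port drops it."""
    vid, _ = parse_vlan_tag(frame)
    untagged = [v for v, m in port_vlans.items() if m == "untagged"]
    tagged = {v for v, m in port_vlans.items() if m == "tagged"}
    if vid is None:
        # untagged frames are only accepted on an untagged VLAN interface
        return untagged[0] if untagged else None
    # tagged frames are only accepted on a tagged interface with that exact VLAN ID
    return vid if vid in tagged else None


def isolated_ports_plan(default_vid=2):
    """VLAN table the '1 LAN Port, 3 Isolated Ports' choice produces: A1 stays on the
    default VLAN, A2..A4 each get the next free ID as a single untagged VLAN."""
    return {default_vid + i: {port: "untagged"} for i, port in enumerate(PORTS[1:], start=1)}


def effective_membership(default_vid, vlans):
    """vlans: {vlan_id: {port: 'tagged' | 'untagged'}} as added under Network Setup > VLAN.
    Applies the page's constraints and returns {port: {vlan_id: mode}} including the
    implicit default-VLAN membership, or raises ValueError for an invalid configuration."""
    if len(set(vlans) | {default_vid}) >= MAX_VLANS:
        raise ValueError("port based VLANs need fewer than 16 VLANs in total")
    per_port = {p: {} for p in PORTS}
    for vid, ports in vlans.items():
        if not 1 <= vid <= 4094:               # 802.1Q reserves VID 0 and 4095
            raise ValueError(f"VLAN ID {vid} is outside 1..4094")
        for port, mode in ports.items():
            if port not in PORTS or mode not in ("tagged", "untagged"):
                raise ValueError(f"bad entry {port}={mode} in VLAN {vid}")
            if port == "A1":
                raise ValueError("port A1 is a member of the default VLAN only")
            if vid == default_vid and mode != "untagged":
                raise ValueError("the default VLAN is always untagged")
            per_port[port][vid] = mode
    for port, modes in per_port.items():
        kinds = list(modes.values())
        if "tagged" in kinds and "untagged" in kinds:
            raise ValueError(f"{port} cannot be in both tagged and untagged VLANs")
        if kinds.count("untagged") > 1:
            raise ValueError(f"{port} may be a member of only one untagged VLAN")
        if not modes:
            modes[default_vid] = "untagged"    # unassigned ports land on the default VLAN
    return per_port


if __name__ == "__main__":
    # Isolated ports: an untagged port drops any tagged frame, even one carrying its own VLAN ID.
    table = effective_membership(2, isolated_ports_plan(2))
    print(table["A2"], ingress_accept(table["A2"], build_frame()), ingress_accept(table["A2"], build_frame(3)))
    # A4 joined to existing tagged VLANs 10 and 20: only frames tagged 10 or 20 are accepted.
    trunk = effective_membership(2, {10: {"A4": "tagged"}, 20: {"A4": "tagged"}})
    print(trunk["A4"], ingress_accept(trunk["A4"], build_frame(20)), ingress_accept(trunk["A4"], build_frame()))
```

The model makes the isolation property explicit: an untagged port never accepts a tagged frame, so a host on an isolated port cannot hop into another VLAN by sending 802.1Q-tagged traffic, and a tagged port only accepts the VLAN IDs it was explicitly made a member of. The validator mirrors the unit's own rules, so a plan that passes here should also be accepted on the Network Setup page.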
