Define a New VLAN

Before you create a new VLAN, make sure you understand all the VLAN concepts and restrictions, as described in About Virtual Local Area Networks (VLANs).

Configure a VLAN in Fireware Web UI

When you configure a VLAN in Fireware Web UI, you must select a VLAN tag setting for at least one VLAN interface. Before you create the VLAN, you must configure at least one interface as a VLAN interface.

Configure a VLAN in Policy Manager

In Policy Manager, you must create the VLAN before you can configure interfaces as a member of that VLAN. The VLAN configuration settings in Policy Manager do not include the list of interfaces that are members of the VLAN.

After you create the VLAN, you can configure interfaces as a member of the VLAN. For more information, see Assign Interfaces to a VLAN.

See which interfaces are members of the VLAN

On the VLAN tab, you can see a summary of the VLAN configuration, and a list of interfaces that are members of the VLAN.

On the VLAN tab, the numbers in the Interfaces column show the physical interfaces that are members of this VLAN. The interface number in bold is the interface that sends untagged data to that VLAN.

Use DHCP on a VLAN 

For a VLAN in the Trusted, Optional, or Custom security zone, you can configure the Firebox as a DHCP server for the computers on your VLAN network.

For more information about per-interface DNS/WINS and DHCP options, see Configure an IPv4 DHCP Server.

Use DHCP Relay on a VLAN 

Make sure to add a route to the DHCP server, if necessary.

Apply Firewall Policies to Intra-VLAN Traffic

You can configure more than one Firebox interface as a member of the same VLAN. For an example of this type of configuration, see Configure One VLAN Bridged Across Two Interfaces.

To apply firewall policies to VLAN traffic between local interfaces, select the Apply firewall policies to intra-VLAN traffic check box.

Screen shot of Apply firewall policies to intra-VLAN traffic check box

Intra-VLAN traffic is traffic from a VLAN that is destined for the same VLAN. When you enable this feature, the Firebox applies policies to traffic that passes through the firewall between hosts that are on the same VLAN. If you want to apply policies to intra-VLAN traffic, make sure that no alternate path exists between the source and destination. The VLAN traffic must go through the Firebox in order for firewall policies to apply.

On an external VLAN interface, you must enable this setting so that the Firebox can:

  • Apply policy-based routing and VPN tunnel routes to traffic received and sent by the same external VLAN interface
  • Apply firewall policies and NAT to traffic received and sent by the same external VLAN interface

Intra-VLAN policies are applied by IP address, user, or alias. If the intra-VLAN traffic does not match any defined policy, the traffic is denied as unhandled packets. Intra-VLAN non-IP packets are allowed.

Configure Network Settings for a VLAN on the External Interface

When you configure a VLAN on the external interface, you must configure how the VLAN gets the external IP address.

Enable IPv6 on a VLAN

To enable IPv6 on a VLAN interface:

  1. Select the IPv6 tab.
  2. Select the Enable IPv6 check box.
  3. Configure the IPv6 network settings the same as you would for any other interface.
    For information about how to configure the IPv6 settings, see

Configure VLAN Secondary IP Addresses

For more information about secondary interface IP addresses, see Add a Secondary Network IP Address.

Enable Spanning Tree Protocol

In Fireware v11.12.2 and higher, you can enable Spanning Tree Protocol for some VLAN configurations. Not all VLAN configurations are supported. For more information about Spanning Tree Protocol, see About Spanning Tree Protocol.

To change the default Spanning Tree Protocol settings, you must use the Fireware command line interface (CLI). For more information about the default Spanning Tree Protocol settings, see Configure Spanning Tree Protocol Settings in the CLI.

To enable Spanning Tree Protocol from the Web UI:

  1. Click the Bridge Protocols tab.
  2. Select Enable Spanning Tree Protocol.

Screen shot of Spanning Tree setting for a VLAN

  3. Click Save.

To enable Spanning Tree Protocol in Policy Manager:

  1. Click the Bridge Protocols tab.
  2. Select Enable Spanning Tree Protocol.

Screen shot of Spanning Tree settings in Policy Manager

  3. Click Save.

In Policy Manager, you can now take the next step and Assign Interfaces to a VLAN.

In Fireware Web UI, before you can save this VLAN, you must Assign Interfaces to a VLAN.

See Also

About Virtual Local Area Networks (VLANs)

Common Interface Settings

About Network Modes and Interfaces
