About Virtual Local Area Networks (VLANs)
An 802.1Q VLAN (virtual local area network) is a collection of computers on a LAN or LANs that are grouped together in a single broadcast domain, independent of their physical location. This enables you to group devices according to traffic patterns, instead of physical proximity. Members of a VLAN can share resources as if they were connected to the same LAN. You can also use VLANs to split a switch into multiple segments. For example, suppose your company has full-time employees and contract workers on the same LAN. If you want to restrict contract employees to a subset of the resources used by full-time employees, and use a stricter security policy for the contract workers, you can split the interface into two VLANs.
VLANs enable you to divide your network into groups with a logical, hierarchical structure instead of a physical one. This helps free IT staff from the restrictions of their existing network design and cable infrastructure. VLANs make it easier to design, implement, and manage your network. Because VLANs are software-based, you can quickly and easily adapt your network to additions, relocations, and reorganizations.
VLANs use bridges and switches, so broadcasts are more efficient because they go only to people in the VLAN, not everyone on the wire. Consequently, traffic across your routers is reduced, which means a reduction in router latency. You can configure your Firebox to act as a DHCP server for devices on the VLAN, or use DHCP relay with a separate DHCP server.
You assign a VLAN to the Trusted, Optional, or External security zone. VLAN security zones correspond to aliases for interface security zones. For example, VLANs of type Trusted are managed by policies that use the alias Any-Trusted as a source or destination. VLANs of type External appear in the list of external interfaces when you configure policy-based routing.
VLAN Requirements and Restrictions
In Fireware v11.12.2 and higher, Spanning Tree Protocol is supported for some VLAN configurations.
For more information about Spanning Tree Protocol support for VLANs, see About Spanning Tree Protocol.
- If your Firebox is configured in drop-in mode, you cannot use VLANs.
- A VLAN interface can send and receive untagged traffic for only one trusted or optional VLAN.
For example, if a VLAN interface is configured to send and receive untagged traffic for VLAN-10, it cannot also send and receive untagged traffic for any other VLAN at the same time.
- A VLAN interface cannot send and receive untagged traffic for an external VLAN.
- A VLAN interface configured to send and receive tagged traffic for an external VLAN cannot also send and receive traffic for a trusted, optional, or custom VLAN.
- Multi-WAN configuration settings are applied to VLAN traffic. However, it can be easier to manage bandwidth when you use only physical interfaces in a multi-WAN configuration.
- The maximum number of VLANs you can create is specified in your Firebox feature key in the Total number of VLAN interfaces value.
- We recommend that you do not create more than 10 VLANs that operate on external interfaces. Too many VLANs on external interfaces affect performance.
- All network segments that you add to a VLAN must have IP addresses on the VLAN network.
- To use multiple VLANs on a single interface on a FireboxV or XTMv device in an ESXi environment, configure the VSwitch for the VLAN interface to use VLAN ID 4095 (All).
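The restrictions in the list above are easy to get wrong once several VLANs share a physical interface, so it helps to check a planned configuration before you apply it. The following Python script is an added example, not WatchGuard code or a Fireware API: it models VLANs and per-interface bindings with a hypothetical data structure (the Vlan, Binding and Interface classes are assumptions) and reports every binding that violates the one-untagged-VLAN rule, the no-untagged-external rule, the tagged-external-excludes-others rule, the segment-address rule, and the feature-key and external-VLAN count limits. The sample configuration at the bottom is constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Hypothetical data model (assumption, not a Fireware structure): one record per
# VLAN, plus per-interface bindings that say whether the interface carries the
# VLAN tagged or untagged and, optionally, the address of an attached segment.
@dataclass
class Vlan:
    vlan_id: int
    zone: str            # "trusted", "optional", "external" or "custom"
    network: str         # the VLAN's own IP network, e.g. "10.0.10.0/24"

@dataclass
class Binding:
    vlan_id: int
    mode: str            # "tagged" or "untagged"
    segment_ip: str = "" # IP of a segment attached through this interface, if any

@dataclass
class Interface:
    name: str
    bindings: list = field(default_factory=list)

MAX_EXTERNAL_VLANS_RECOMMENDED = 10   # the page's recommendation for external VLANs

def check_interface(iface, vlans):
    """Apply the per-interface restrictions; returns a list of error strings."""
    errors = []
    untagged = [b for b in iface.bindings if b.mode == "untagged"]
    # Only one untagged trusted/optional VLAN per interface
    untagged_internal = [b for b in untagged
                         if vlans[b.vlan_id].zone in ("trusted", "optional")]
    if len(untagged_internal) > 1:
        ids = [b.vlan_id for b in untagged_internal]
        errors.append(f"{iface.name}: untagged traffic for more than one VLAN {ids}")
    # An external VLAN can never be carried untagged
    for b in untagged:
        if vlans[b.vlan_id].zone == "external":
            errors.append(f"{iface.name}: external VLAN {b.vlan_id} cannot be untagged")
    # A tagged external VLAN excludes trusted/optional/custom VLANs on the same interface
    zones = {vlans[b.vlan_id].zone for b in iface.bindings}
    tagged_external = any(b.mode == "tagged" and vlans[b.vlan_id].zone == "external"
                          for b in iface.bindings)
    if tagged_external and zones - {"external"}:
        errors.append(f"{iface.name}: tagged external VLAN cannot share the interface "
                      f"with {sorted(zones - {'external'})} VLANs")
    # Every attached segment must have an address inside the VLAN's network
    for b in iface.bindings:
        if b.segment_ip:
            net = ipaddress.ip_network(vlans[b.vlan_id].network, strict=False)
            if ipaddress.ip_address(b.segment_ip) not in net:
                errors.append(f"{iface.name}: segment {b.segment_ip} is outside "
                              f"VLAN {b.vlan_id} network {net}")
    return errors

def check_config(vlans, interfaces, licensed_vlans):
    """licensed_vlans is the 'Total number of VLAN interfaces' value from the feature key."""
    errors, warnings = [], []
    if len(vlans) > licensed_vlans:
        errors.append(f"{len(vlans)} VLANs defined but the feature key allows {licensed_vlans}")
    external = [v for v in vlans.values() if v.zone == "external"]
    if len(external) > MAX_EXTERNAL_VLANS_RECOMMENDED:
        warnings.append(f"{len(external)} external VLANs; more than "
                        f"{MAX_EXTERNAL_VLANS_RECOMMENDED} affects performance")
    for iface in interfaces:
        errors.extend(check_interface(iface, vlans))
    return errors, warnings

# Constructed sample configuration (not from the page): two interfaces, four VLANs
SAMPLE_VLANS = {v.vlan_id: v for v in [
    Vlan(10, "trusted", "10.0.10.0/24"),
    Vlan(20, "optional", "10.0.20.0/24"),
    Vlan(30, "custom", "10.0.30.0/24"),
    Vlan(100, "external", "203.0.113.0/24"),
]}
SAMPLE_INTERFACES = [
    # eth1: two untagged internal VLANs plus a mis-addressed segment -> two errors
    Interface("eth1", [Binding(10, "untagged", "10.0.10.5"),
                       Binding(20, "untagged"),
                       Binding(30, "tagged", "10.0.99.7")]),
    # eth2: a tagged external VLAN mixed with a trusted VLAN -> one error
    Interface("eth2", [Binding(100, "tagged"), Binding(10, "tagged")]),
]

def sample_report():
    """Run the checks over the constructed sample; returns (errors, warnings)."""
    return check_config(SAMPLE_VLANS, SAMPLE_INTERFACES, licensed_vlans=8)

if __name__ == "__main__":
    errs, warns = sample_report()
    print("\n".join(errs + warns))
```

Running the script prints three errors for the sample and no warnings; to check a real plan, replace SAMPLE_VLANS and SAMPLE_INTERFACES with your own definitions and the licensed count from your feature key.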
If you define VLANs in Fireware v11.12.1 or lower, you can ignore messages that include 802.1d unknown version. These messages occur because the WatchGuard VLAN implementation in Fireware v11.12.1 and lower does not support Spanning Tree Protocol. You might also see this message if you enable Spanning Tree Protocol for an unsupported VLAN configuration in Fireware v11.12.2 or higher.
To enable VLANs, you must deploy VLAN-capable switches in each site. The switch interfaces insert a tag into the layer 2 header of each data frame to identify the frame as part of a specified VLAN. The tag, which adds four bytes to the Ethernet header, is defined by the IEEE 802.1Q standard.
The VLAN definition includes the disposition of tagged and untagged data frames. You must specify whether the VLAN receives tagged, untagged, or no data from each interface that is enabled. Your Firebox can insert tags for packets that are sent to a VLAN-capable switch. Your device can also remove tags from packets that are sent to a network segment that belongs to a VLAN that does not have a switch.
A Firebox interface can manage traffic for multiple tagged VLANs. This allows the interface to function as a VLAN trunk. The Firebox supports the 802.1Q standard.
About VLAN ID Numbers
By default, on most new switches that are not configured, each interface belongs to VLAN 1. Because this VLAN exists on every interface of most switches by default, it can accidentally span the entire network, or at least very large portions of it.
We recommend that you use a VLAN ID other than 1 for any VLAN that passes traffic to the Firebox.
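To make the tag insertion and removal described above concrete, and to show where the VLAN ID that this section warns about actually lives, here is an added Python example (not WatchGuard code): it builds a constructed untagged Ethernet frame, inserts an 802.1Q tag the way a switch or the Firebox does before sending to a trunk, parses the four extra bytes back out (TPID, priority, DEI and the 12-bit VLAN ID), strips the tag again for a segment without a switch, and flags frames that arrive on the default VLAN 1. The function names and the sample frame are assumptions made for this example.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag
ETH_HDR_LEN = 14      # dst MAC (6) + src MAC (6) + EtherType (2)
TAG_LEN = 4           # TPID (2) + TCI (2): the four bytes the tag adds

def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet frame into header fields; VLAN fields are None when untagged."""
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    info = {"dst": dst.hex(":"), "src": src.hex(":"),
            "vlan_id": None, "pcp": None, "dei": None}
    offset = ETH_HDR_LEN
    if ethertype == TPID_8021Q:
        if len(frame) < ETH_HDR_LEN + TAG_LEN:
            raise ValueError("truncated 802.1Q tag")
        # TCI layout: 3-bit priority (PCP), 1-bit drop eligible (DEI), 12-bit VLAN ID
        tci, ethertype = struct.unpack("!HH", frame[ETH_HDR_LEN:ETH_HDR_LEN + TAG_LEN])
        info["pcp"] = tci >> 13
        info["dei"] = (tci >> 12) & 1
        info["vlan_id"] = tci & 0x0FFF
        offset = ETH_HDR_LEN + TAG_LEN
    info["ethertype"] = ethertype   # the real EtherType that follows the tag
    info["payload"] = frame[offset:]
    return info

def add_tag(frame: bytes, vlan_id: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert an 802.1Q tag after the source MAC, as done before sending to a trunk."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094 (0 and 4095 are reserved by 802.1Q)")
    if parse_frame(frame)["vlan_id"] is not None:
        raise ValueError("frame is already tagged")
    tci = (pcp << 13) | (dei << 12) | vlan_id
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def strip_tag(frame: bytes) -> bytes:
    """Remove the tag, as done for a segment that has no VLAN-capable switch."""
    if parse_frame(frame)["vlan_id"] is None:
        return frame
    return frame[:12] + frame[12 + TAG_LEN:]

def default_vlan_warning(info: dict):
    """Return a warning string when a frame carries VLAN ID 1, the switch default."""
    if info["vlan_id"] == 1:
        return "frame is on VLAN 1, the unconfigured-switch default that may span the network"
    return None

def build_sample_frame() -> bytes:
    """Constructed untagged broadcast frame (not captured traffic): ARP EtherType, dummy body."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("020000000001")
    return dst + src + struct.pack("!H", 0x0806) + b"\x00" * 28

if __name__ == "__main__":
    raw = build_sample_frame()
    tagged = add_tag(raw, 10, pcp=3)
    print(len(raw), "->", len(tagged), "bytes after tagging")
    print(parse_frame(tagged))
    print(strip_tag(tagged) == raw)
    print(default_vlan_warning(parse_frame(add_tag(raw, 1))))
```

Parsing the tag rather than trusting the ingress port is what lets a capture tool or IDS attribute a frame to its VLAN; a frame whose parsed ID is 1 is worth investigating because, as noted above, that VLAN may extend far beyond the segment you intended.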