Define a New VLAN
Before you create a new VLAN, make sure you understand all the VLAN concepts and restrictions, as described in About Virtual Local Area Networks (VLANs).
Before you can create a VLAN configuration, you must change at least one interface to be of type VLAN.
- Select Network > Interfaces.
- Select the interface that is connected to your VLAN switch. Click Edit.
- From the Interface Type drop-down list, select VLAN.
- Click Save.
When you define a new VLAN, you add an entry in the VLAN Settings table. To change the view of this table:
- Click a column header to sort the table based on the values in that column.
- Sort the table in descending or ascending order.
The values in the Interfaces column show the physical interfaces that are members of this VLAN.
The interface number in bold is the interface that sends untagged data to that VLAN.
To create a new VLAN:
- Select Network > VLAN.
The VLAN page appears, with a list of existing user-defined VLANs and their settings.
You can also configure network interfaces from the Interfaces list.
- Click Add.
The VLAN Settings page appears.
- In the Name text box, type a name for the VLAN.
The name cannot contain spaces.
- (Optional) In the Description text box, type a description of the VLAN.
- In the VLAN ID text box, type or select a value for the VLAN.
- From the Security Zone drop-down list, select Trusted, Optional, Custom, or External.
Security zones correspond to aliases for interface security zones. For example, VLANs of type Trusted are handled by policies that use the alias Any-Trusted as a source or destination.
- In the IP Address text box, type the address of the VLAN gateway.
Any computer in this new VLAN must use this IP address as its default gateway.
- In the Select a VLAN tag setting for each interface list, select one or more interfaces.
- From the Select Traffic drop-down list, select an option to apply to the selected interfaces:
- Tagged traffic — The interface sends and receives tagged traffic.
- Untagged traffic — The interface sends and receives untagged traffic.
- No traffic — Remove the interface from this VLAN configuration.
Use DHCP on a VLAN
For a VLAN in the Trusted, Optional, or Custom security zone, you can configure the XTM device as a DHCP server for the computers on your VLAN network.
- Select the Network tab.
From the DHCP Mode drop-down list, select DHCP Server. If necessary, type your domain name to supply it to the DHCP clients.
- To add an IP address pool, type the first and last IP addresses in the pool. Click Add.
You can configure a maximum of six address pools.
- To reserve a specific IP address for a client, type the IP address, reservation name, and MAC address for the device. Click Add.
- To change the default lease time, from the drop-down list at the top of the page, select a different time interval.
This is the time interval that a DHCP client can use an IP address that it receives from the DHCP server. When the lease time is about to expire, the client sends a request to the DHCP server to get a new lease.
- To add DNS or WINS servers to your DHCP configuration, type the server address in the text box adjacent to the list. Click Add.
- To delete a server from the list, select the server from the list and click Remove.
For more information about per-interface DNS/WINS and DHCP options, see Configure IPv4 DHCP in Mixed Routing Mode.
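As an added example (not WatchGuard code), the script below sanity-checks a VLAN DHCP server configuration before it is typed into the Network tab. The six-pool limit comes from this page; the other checks (pools inside the VLAN gateway network, no overlap, gateway and network/broadcast addresses excluded, well-formed and unique reservation MACs) are general DHCP hygiene assumptions, and the sample values are constructed.

```python
import ipaddress
import re

MAX_POOLS = 6  # page: a maximum of six address pools per VLAN
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def check_vlan_dhcp(gateway_cidr, pools, reservations):
    """Return a list of problems; an empty list means the configuration is sane.

    gateway_cidr: VLAN gateway address in slash notation, e.g. "10.0.20.1/24"
    pools:        list of (first_ip, last_ip) strings
    reservations: list of (ip, reservation_name, mac) tuples
    """
    problems = []
    iface = ipaddress.ip_interface(gateway_cidr)
    net, gw = iface.network, iface.ip
    if len(pools) > MAX_POOLS:
        problems.append(f"{len(pools)} pools configured; the maximum is {MAX_POOLS}")
    ranges = []
    for first, last in pools:
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if lo > hi:
            problems.append(f"pool {first}-{last}: first address is after last")
            continue
        if lo not in net or hi not in net:
            problems.append(f"pool {first}-{last}: not inside VLAN network {net}")
        elif lo == net.network_address or hi == net.broadcast_address:
            problems.append(f"pool {first}-{last}: includes network/broadcast address")
        if lo <= gw <= hi:
            problems.append(f"pool {first}-{last}: includes the VLAN gateway {gw}")
        for plo, phi in ranges:  # assumption: pools must not overlap
            if lo <= phi and plo <= hi:
                problems.append(f"pool {first}-{last}: overlaps pool {plo}-{phi}")
        ranges.append((lo, hi))
    seen = set()
    for ip, name, mac in reservations:
        if ipaddress.ip_address(ip) not in net:
            problems.append(f"reservation {name}: {ip} not inside {net}")
        if not MAC_RE.match(mac):
            problems.append(f"reservation {name}: malformed MAC {mac}")
        elif mac.lower() in seen:
            problems.append(f"reservation {name}: MAC {mac} reserved twice")
        seen.add(mac.lower())
    return problems


if __name__ == "__main__":
    # Constructed sample: VLAN gateway 10.0.20.1/24, one good pool, one pool
    # that swallows the gateway, and one printer reservation.
    for p in check_vlan_dhcp("10.0.20.1/24",
                             [("10.0.20.100", "10.0.20.199"), ("10.0.20.1", "10.0.20.50")],
                             [("10.0.20.10", "printer", "00:11:22:33:44:55")]):
        print(p)
```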
Use DHCP Relay on a VLAN
- On the Network tab, from the DHCP Mode drop-down list, select DHCP Relay.
- Type the IP address of the DHCP server. Make sure to add a route to the DHCP server, if necessary.
Apply Firewall Policies to Intra-VLAN Traffic
You can configure more than one XTM device interface as a member of the same VLAN. To apply firewall policies to VLAN traffic between local interfaces, select the Apply firewall policies to intra-VLAN traffic check box.
Intra-VLAN traffic is traffic from a VLAN that is destined for the same VLAN. When you enable this feature, the XTM device applies policies to traffic that passes through the firewall between hosts that are on the same VLAN. If you want to apply policies to intra-VLAN traffic, make sure that no alternate path exists between the source and destination. The VLAN traffic must go through the XTM device in order for firewall policies to apply.
For an external VLAN interface, this setting also applies to traffic from mobile VPN clients that connect through that interface. You must enable this setting on an external VLAN interface if you want firewall policies and NAT to function for users who use a mobile VPN client to connect to the external VLAN interface.
Intra-VLAN policies are applied by IP address, user, or alias. If the intra-VLAN traffic does not match any defined policy, the traffic is denied as unhandled packets. Intra-VLAN non-IP packets are allowed.
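The following added example (not WatchGuard code) models the rules in this section for a packet that actually reaches the XTM device: same-VLAN traffic is only policed when the check box is selected, policies match by IP address or by zone alias such as Any-Trusted, IP traffic that matches no policy is denied as unhandled, and intra-VLAN non-IP traffic is allowed. The VLAN table, policies and the treatment of non-IP frames between different VLANs are constructed assumptions; traffic that bypasses the device over an alternate path never enters this function.

```python
import ipaddress

# Constructed VLAN table: name -> (security zone, gateway in slash notation)
VLANS = {
    "vlan10": ("Trusted", "10.0.10.1/24"),
    "vlan20": ("Trusted", "10.0.20.1/24"),
    "vlan30": ("Optional", "10.0.30.1/24"),
}
# Zone aliases as the page describes them (Any-Trusted = every Trusted VLAN/interface)
ZONE_ALIAS = {"Any-Trusted": "Trusted", "Any-Optional": "Optional"}


def vlan_of(ip):
    """Return the name of the VLAN whose gateway network contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, (_zone, gw) in VLANS.items():
        if addr in ipaddress.ip_interface(gw).network:
            return name
    return None


def matches(selector, ip):
    """A policy selector is a zone alias, a VLAN name, or an IP address / CIDR."""
    vlan = vlan_of(ip)
    if selector in ZONE_ALIAS:
        return vlan is not None and VLANS[vlan][0] == ZONE_ALIAS[selector]
    if selector in VLANS:
        return vlan == selector
    return ipaddress.ip_address(ip) in ipaddress.ip_network(selector, strict=False)


def decide(pkt, policies, intra_vlan_policies):
    """Return 'allow' or 'deny' for a packet that passes through the device.

    pkt: {"proto": "ip" or "non-ip", "src": ip, "dst": ip}
    policies: ordered (from_selector, to_selector, action) tuples
    intra_vlan_policies: True when the intra-VLAN check box is selected
    """
    src_vlan, dst_vlan = vlan_of(pkt["src"]), vlan_of(pkt["dst"])
    intra = src_vlan is not None and src_vlan == dst_vlan
    if pkt["proto"] != "ip":
        # Page: intra-VLAN non-IP packets are allowed. Assumption: the device
        # does not forward non-IP frames between different VLANs.
        return "allow" if intra else "deny"
    if intra and not intra_vlan_policies:
        return "allow"  # check box clear: same-VLAN traffic is not policed
    for frm, to, action in policies:
        if matches(frm, pkt["src"]) and matches(to, pkt["dst"]):
            return action
    return "deny"  # no policy matched: dropped as an unhandled packet
```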
Configure Network Settings for a VLAN on the External Interface
When you configure a VLAN on the external interface, you must configure how the VLAN gets the external IP address.
- On the VLAN Settings tab, from the Security Zone drop-down list, select External.
- Select the Network tab.
From the Configuration Mode drop-down list, select Static IP, DHCP, or PPPoE.
- Configure the network settings with the same method you use for other external interfaces.
For more information, see Configure an External Interface.
If you configure an external VLAN interface to get an IP address through DHCP, you can release or renew the VLAN interface IP address in Fireware XTM Web UI on the System Status > Interfaces page. For more information, see Interfaces.
Enable IPv6 on a VLAN
IPv6 addresses for a VLAN interface are supported in Fireware XTM v11.9 and higher.
To enable IPv6 on a VLAN interface:
- Select the IPv6 tab.
- Select the Enable IPv6 check box.
- Configure the IPv6 network settings the same as you would for any other interface.
For information about how to configure the IPv6 settings, see
Configure VLAN Secondary IP Addresses
Secondary IP addresses for a VLAN interface are supported in Fireware XTM v11.8.1 and higher.
To configure a secondary IPv4 network for a VLAN interface:
- Select the Secondary tab.
- Type an unassigned host IP address in slash notation from the secondary network.
- Click Add.
For more information about secondary interface IP addresses, see Add a Secondary Network IP Address.
Before you can save this VLAN, you must Assign Interfaces to a VLAN.