VLAN, Section 3.4.4, "VLAN" – Amer Networks E5Web GUI User Manual
Page 168

4. Repeat the previous step to add the If2 interface.
5. Click OK.
3.4.4. VLAN
Overview
Virtual LAN (VLAN) support in cOS Core allows the definition of one or more Virtual LAN interfaces
which are associated with a particular physical interface. These are then considered to be logical
interfaces by cOS Core and can be treated like any other interfaces in cOS Core rule sets and
routing tables.
VLANs are useful in several different scenarios. A typical application is to allow one Ethernet
interface to appear as many separate interfaces. This means that the number of physical Ethernet
interfaces on a Clavister Security Gateway need not limit how many totally separated external
networks can be connected.
Another typical usage of VLANs is to group together clients in an organization so that the traffic
belonging to different groups is kept completely separate in different VLANs. Traffic can then
only flow between the different VLANs under the control of cOS Core and is filtered using the
security policies described by the cOS Core rule sets.
As explained in more detail below, VLAN configuration with cOS Core involves a combination of
VLAN trunks from the Clavister Security Gateway to switches, with these switches configured
with port-based VLANs on their interfaces. Any physical security gateway interface can, at the
same time, carry both non-VLAN traffic as well as VLAN trunk traffic for one or multiple VLANs.
VLAN Processing
cOS Core follows the IEEE 802.1Q specification. This specifies how VLANs function by adding a
Virtual LAN Identifier (VLAN ID) to the headers of Ethernet frames that are part of a VLAN's traffic.
The VLAN ID is a number between 0 and 4095 which is used to identify the specific Virtual LAN to
which each frame belongs. With this mechanism, Ethernet frames can belong to different Virtual
LANs but can still share the same physical Ethernet link.
The following principles are followed when cOS Core processes VLAN tagged Ethernet frames at
a physical interface:
• Ethernet frames received on a physical interface by cOS Core are examined for a VLAN ID. If a
VLAN ID is found and a matching VLAN interface has been defined for that interface, cOS
Core will use the VLAN interface as the logical source interface for further rule set processing.
• If there is no VLAN ID attached to an Ethernet frame received on an interface, then the source
of the frame is considered to be the physical interface and not a VLAN.
• If VLAN tagged traffic is received on a physical interface and there is no VLAN defined for that
interface in the cOS Core configuration with a corresponding VLAN ID, then that traffic is
dropped by cOS Core and an unknown_vlanid log message is generated.
• The VLAN ID must be unique for a single cOS Core physical interface, but the same VLAN ID
can be used on more than one physical interface. In other words, the same VLAN can span
many physical interfaces.
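The four processing principles above, as an added illustration that is not part of the manual or of cOS Core itself: a small Python model that parses the 802.1Q tag from a raw Ethernet frame and resolves the logical source interface against a constructed table of VLAN interfaces (the interface names, VLAN IDs and log line format are assumptions made for the example).

```python
import struct

# Constructed configuration (not from the manual): VLAN interfaces keyed by
# (physical interface, VLAN ID). A VLAN ID appears at most once per physical
# interface, but the same ID may be reused on another physical interface.
VLAN_INTERFACES = {
    ("if1", 10): "vlan10_if1",
    ("if1", 20): "vlan20_if1",
    ("if2", 10): "vlan10_if2",   # VLAN 10 spans if1 and if2
}

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag


def parse_vlan_id(frame):
    """Return the 802.1Q VLAN ID of an Ethernet frame, or None if untagged."""
    if len(frame) < 16:          # need dst MAC + src MAC + TPID + TCI
        return None
    tpid, tci = struct.unpack_from("!HH", frame, 12)
    if tpid != TPID_8021Q:
        return None              # no tag: the field is the ordinary EtherType
    return tci & 0x0FFF          # low 12 bits of the TCI carry the VLAN ID


def classify_frame(phys_if, frame, log):
    """Resolve the logical source interface for a frame received on phys_if.

    Returns the interface name, or None when the frame is dropped."""
    vlan_id = parse_vlan_id(frame)
    if vlan_id is None:
        return phys_if           # untagged: the physical interface is the source
    vif = VLAN_INTERFACES.get((phys_if, vlan_id))
    if vif is None:
        # tagged, but no VLAN interface configured for this ID on this port
        log.append(f"unknown_vlanid iface={phys_if} vlanid={vlan_id}")
        return None
    return vif


def build_frame(vlan_id=None):
    """Constructed sample frame: MACs, optional 802.1Q tag, IPv4 EtherType, padding."""
    hdr = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if vlan_id is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vlan_id & 0x0FFF)
    return hdr + struct.pack("!H", 0x0800) + b"\x00" * 46


if __name__ == "__main__":
    log = []
    for phys, vid in [("if1", None), ("if1", 10), ("if2", 10), ("if2", 20)]:
        print(phys, vid, "->", classify_frame(phys, build_frame(vid), log))
    print(log)
```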
Chapter 3: Fundamentals