Alcatel-Lucent Security Products Configuration Example Series Configuring VLAN’s Alcatel-Lucent Security Products Configuration Example Series

What is a VLAN? A VLAN is a collection of hosts on different physical segments of a switched network that communicate with each other as if they were on the same segment. VLAN’s allow network administrators to define multiple LAN’s on a single collection of switches. One useful way to think of VLAN’s is that the combination of the VLAN and the physical port form a virtual port. From this point of view, a trunk port is simply a collection of many virtual ports.

Examples of VLAN’s

What is the purpose of VLAN’s? There are many reasons to use VLAN’s. The most common reason is to segregate your broadcast domain keeping individual groups in their own broadcast domains, or on their own networks. An example of a VLAN application would be if you have multiple departments in one location. You would put your Accounting Department on one VLAN and your Engineering Department on another. You might have a case where you have part of both departments in two separate buildings or locations. You could then still keep them on their own network (broadcast domain) by assigning VLAN tags to their traffic. So for instance even though there are two locations you could have all of your accountants on VLAN 101 and all of your engineers on VLAN 102. VLAN tags are generally assigned at Ethernet switches, though they can also be assigned at routers or firewalls.

VLAN Features on a Brick Bricks can serve many functions when working with VLAN’s: They can respect existing tags applied by another device. They can strip tags They can strip tags and reassign different tags They can firewall different VLAN’s differently by applying different rule sets to different VLAN’s on the same interface. They can also firewall different VLAN’s differently in the same rule set by applying only certain rules to certain VLAN’s The most common use is to respect existing tags set by a switch and to assign one firewall to each VLAN. This configuration example assumes that your switches are assigning the tags and that you are already familiar with the concepts of VLAN’s.

Configuring VLAN’s Internet Buffalo engineers VLAN 101 NJ engineers This diagrams assumes that there are routers and NAT is running on the routers In this example we will essentially configure a Brick for this network Our goal is to connect the Buffalo Engineers to the NJ Engineers as if they are on the same physical network The same will need to be done on both Bricks We can do this in just a few steps

Configuring VLAN’s Open your ALSMS Navigator and choose the Brick that will be handling the VLAN’s Click on Always Show VLAN Information. This will add two additional tabs at the top of the screen. Once saved this information will permanently be displayed for this Brick

Configuring VLAN’s Next click on the Physical Ports Tab and double click on the port where you want to pass VLAN traffic. Here you will see 5 new fields related to VLAN’s as shown on the following slide. VLAN Domain leave this field blank unless the Brick is positioned between two switches with different numbering schemes. If it is, refer to the manual. Default VLAN ID leave this at 1. This is to handle any data that is untagged. VLAN Membership This is where you fill in the VLAN tag that you want to pass and filter. This can be individual tags, tags separated by comma’s or a range of tags separated by a dash. Receive Format the frame format allowed into this port. Set at either 802.1Q or Any.

Configuring VLAN’s Transmit Format Set this to Preserve This means that the packet is sent in the same format as it was received, no change to the tag. For more detail on these 5 fields see chapter six in the Administrative Guide. Click OK. Next you will either create the rule set that you want to apply to VLAN 101 or use an existing rule set. Create it just as you would any other rule set.

Configuring VLAN’s Your rule set may be just as simple as this one where you are passing everything between those two groups of engineers. Don’t worry about the VLAN Match here. You would use that if you had multiple VLAN’s going through one rule set, yet wanted to assign certain rules only to one VLAN. Leave that field with the wild card for now.

Configuring VLAN’s Next go back to your Brick Editor and select the Policy Assignment tab. Assign your new rule set to the physical port that the VLAN is connected to. Note when you assign it you will change the Zone VLAN ID’s field to Port Default. Remember that under the Physical ports tab on slide number 9 you set your VLAN Membership to 101. That is the default that you are matching here.

Configuring VLAN’s Once you save your work and do a save and apply to the Brick your engineers in Buffalo and NJ should be able to pass data to each other as if they are on the same LAN. This is only one simple example. You can get a lot fancier than this. The VLAN features of the Brick are rich and leave room for great creativity. If you now want to add another VLAN to your physical port one you would basically just go through the steps again. All you would need to do is modify the firewall. By adding a rule for all of the accountants, for example, to communicate you would just add a second rule to your rule set and add VLAN 102 to your VLAN Membership on Port 1. This is a fairly simple example. Much more detail can be found in the Administrative Guide.

AALSMS Upgrade Configuration Example For more detailed information on configuring VLAN’s go to chapter 6 in the Administrative Guide “Configuring VLAN’s on Bricks”. From the AALSMS you can access the manuals by clicking- Help>On Line Product Manuals>(choose manual)