8/16/2019 Network and Traffic Management v11!10!1
1/202
WatchGuard Certified Training
Network and Traffic Management
with Fireware
Fireware and WatchGuard System Manager v11.10
Revised: September 2015
Updated for: Fireware v11.10.1
TRAINING
www.watchguard.com/training
SUPPORT
www.watchguard.com/support
U.S. and Canada +877.232.3531
All Other Countries +1.206.613.0456
ii WatchGuard Fireware Training
Disclaimer
Information in this guide is subject to change without notice. Companies, names, and data used in
examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or
transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express
written permission of WatchGuard Technologies, Inc.
Copyright and Patent Information
Copyright© 2015 WatchGuard Technologies, Inc. All rights reserved.
WatchGuard, Firebox, Fireware, LiveSecurity, and spamBlocker are either registered trademarks or
trademarks of WatchGuard Technologies, Inc. in the United States and other countries. This product is
covered by one or more pending patent applications.
All other trademarks and tradenames are the property of their respective owners.
Printed in the United States.
Table of Contents
Course Introduction ................................................................................................................ 1
Training Overview .......................................................................................................... 1
Necessary Equipment and Software ............................................................................ 1
Classroom Network Configuration ................................................................................ 2
Student Device IP Addresses ....................................................................................................... 2
Instructor Device Network Configuration .................................................................................... 3
Configuration Changes for the Instructor Device ....................................................................... 5
(Optional) Set Up a Server to Host FTP and HTTP Downloads ................................................... 6
VLANs ....................................................................................................................................... 7
Introduction .................................................................................................................... 7
What You Will Learn ...................................................................................................................... 7
Exercises ....................................................................................................................................... 7
What VLANs Can Do For You ........................................................................................................ 7
Terms and Concepts You Should Know ....................................................................... 8
VLAN Requirements and Recommendations .............................................................. 9
Before You Begin ......................................................................................................... 10
Firewall Configuration ................................................................................................................. 10
Necessary Equipment and Services ......................................................................................... 10
Configuring the VLAN Switch .................................................................................................... 11
Exercise 1: Two VLANs on the Same Device Interface ................................................ 12
When to Use this Configuration ................................................................................................ 12
Network Topology ....................................................................................................................... 12
Configure the Device ................................................................................................................. 13
Configure the Switch ................................................................................................................. 15
Physically Connect all Devices ................................................................................................... 16
Test the Configuration ................................................................................................................ 16
Exercise 2: One VLAN Bridged Across Two Device Interfaces .................................... 17
When to Use this Configuration ................................................................................................. 17
Network Topology ....................................................................................................................... 18
Configure the Device ................................................................................................................. 18
Configure the Switch ................................................................................................................. 21
Physically Connect all Devices .................................................................................................. 21
Test the Configuration ............................................................................................................... 21
Exercise 3: One VLAN Bridged Across Two Device Interfaces (Alternate Configuration) ........ 22
When to Use This Configuration ............................................................................................... 22
Network Topology ....................................................................................................................... 22
Configure the Device ................................................................................................................. 23
Configure the Switches ............................................................................................................. 25
Physically Connect All Devices .................................................................................................. 25
Exercise 4: Two VLANs as External Interfaces on the Same Device .......................... 27
When to Use this Configuration ................................................................................................. 27
Network Topology ....................................................................................................................... 27
Configure the Device ................................................................................................................. 28
Configure the Switch ................................................................................................................. 30
Physically Connect All Devices .................................................................................................. 30
Test the Configuration ............................................................................................................... 30
Using VLANs in Device Policies ................................................................................... 31
Apply Firewall Policies to Intra-VLAN Traffic ............................................................................. 31
Aliases ........................................................................................................................................ 31
Exercise 5: Configure VLANs for Wireless Access Points ............................................ 33
When to Use This Configuration ............................................................................................... 33
Network Topology ....................................................................................................................... 33
Frequently Asked Questions ....................................................................................... 38
What You Have Learned .............................................................................................. 38
Traffic Management ............................................................................................................. 39
What You Will Learn ..................................................................................................... 39
Control Bandwidth Use with Traffic Management Actions ........................................ 39
Traffic Management Action Types ............................................................................................ 40
Traffic Management in Policies ................................................................................................ 40
Traffic Management in Application Control ............................................................................. 40
Traffic Management Action Precedence .................................................................................. 40
Monitoring Bandwidth Statistics ................................................................................................ 41
Control Traffic Priority with QoS .................................................................................. 41
About Interface QoS Settings ..................................................................................................... 41
About Policy QoS Settings .......................................................................................................... 41
About Traffic Priority ................................................................................................................... 41
About Outgoing Interface Bandwidth ....................................................................................... 42
Exercise 1: Use a Traffic Management Action to Guarantee Bandwidth ................... 43
Enable Traffic Management and QoS ...................................................................................... 43
Verify the OS Compatibility Setting ........................................................................................... 43
Define Outgoing Interface Bandwidth ...................................................................................... 43
Create a Traffic Management Action ....................................................................................... 44
Modify Policy Configuration ....................................................................................................... 45
Set Up Service Watch ................................................................................................................ 46
See the Results of the Configuration ........................................................................................ 47
Exercise 2: Use a Traffic Management Action to Limit Bandwidth ............................. 50
Re-Define Outgoing Interface Bandwidth ................................................................................ 50
Create a Traffic Management Action ....................................................................................... 51
Modify Policy Configuration ....................................................................................................... 51
See the Results of the Configuration ....................................................................................... 52
Exercise 3: Use Traffic Management with Application Control ................................... 55
Create two Traffic Management Actions .................................................................................. 55
Configure Application Control ................................................................................................... 56
Configure Application Control in Policies ................................................................................. 58
Monitor the Traffic Management Actions in Firebox System Manager .................................. 59
Exercise 4: Use QoS to Mark and Prioritize Traffic ...................................................... 61
Before You Begin ....................................................................................................................... 61
Enable Prioritization by QoS Marking on Interfaces ................................................................ 61
Prioritize Traffic by Policy ........................................................................................................... 63
See the Results of the Configuration ....................................................................................... 64
What You Have Learned .............................................................................................. 65
Link Aggregation ................................................................................................................... 67
Introduction .................................................................................................................. 67
What You Will Learn ................................................................................................................... 67
Course Outline ........................................................................................................................... 67
Terms and Concepts You Should Know ..................................................................... 67
Link Aggregation ........................................................................................................................ 67
Link Aggregation Group (LAG) .................................................................................................. 68
Link Aggregation Interface ........................................................................................................ 68
Link Aggregation Member Interface ........................................................................................ 68
Link Aggregation Modes ........................................................................................................... 69
Link Aggregation Interface Identifiers ...................................................................................... 69
Link Aggregation with Other Networking Features .................................................... 70
Exercise 1: Configure Active-Backup Link Aggregation ............................................... 71
Network Topology ........................................................................................................................ 71
Before You Begin ....................................................................................................................... 72
Add the Link Aggregation Interface .......................................................................................... 72
Add Member Interfaces .............................................................................................................. 74
Connect the Switches ................................................................................................................ 75
Monitor the Link Aggregation Interface .................................................................................... 76
Exercise 2: Static and Dynamic Link Aggregation ....................................................... 78
Topology ...................................................................................................................................... 78
Before You Begin ....................................................................................................................... 78
Add the Link Aggregation Interface .......................................................................................... 79
Add Member Interfaces ............................................................................................................. 80
Configure the Switch and Connect the Device to the Switch .................................................. 81
Connect the Device to the Switch .............................................................................................. 81
Monitor the Link Aggregation Interface ................................................................................... 82
Use Dynamic Mode .................................................................................................................... 82
Exercise 3: Use Link Aggregation with a VLAN ............................................................. 83
Network Topology ....................................................................................................................... 83
Before You Begin ....................................................................................................................... 83
Configure the Device ................................................................................................................. 84
Configure the Switch ................................................................................................................. 86
Physically Connect all Devices .................................................................................................. 86
What You Have Learned .............................................................................................. 87
Multi-WAN Methods ............................................................................................................. 89
Introduction .................................................................................................................. 89
What You Will Learn ................................................................................................................... 89
Exercises .................................................................................................................................... 89
What Multi-WAN Can Do For You .............................................................................................. 89
Terms and Concepts You Should Know ..................................................................... 90
Outgoing Traffic and Multi-WAN ................................................................................................ 90
Incoming Traffic ......................................................................................................................... 90
IPSec VPN Traffic ....................................................................................................................... 90
Equal-Cost Multi-Path Routing (ECMP) ..................................................................................... 90
Sticky Connections ..................................................................................................................... 91
Load Balancing Interface Group (LBIG) ................................................................................... 92
Policy-Based Routing ................................................................................................................. 93
Link Monitor Settings ................................................................................................................ 93
Failover/Failback ....................................................................................................................... 94
Fireware Multi-WAN Methods ..................................................................................... 96
The Round-Robin Multi-WAN Method ......................................................................... 96
When to Use It ............................................................................................................................ 96
How It Works .............................................................................................................................. 96
Calculate Weights for Round-robin ............................................................................................ 97
How to Configure It .................................................................................................................... 98
When an External Interface Fails .............................................................................................. 99
The Failover Multi-WAN Method ............................................................................... 100
When to Use It .......................................................................................................................... 100
How It Works ............................................................................................................................ 100
How to Configure It .................................................................................................................. 100
When an External Interface Fails ............................................................................................ 100
The Interface Overflow Multi-WAN Method .............................................................. 101
When to Use It .......................................................................................................................... 101
How It Works ............................................................................................................................ 101
How to Configure It .................................................................................................................. 101
When an External Interface Fails ............................................................................................ 101
The Routing Table Multi-WAN Method ...................................................................... 102
When to Use It .......................................................................................................................... 102
How It Works ............................................................................................................................ 102
How to Configure It .................................................................................................................. 102
When an External Interface Fails ............................................................................................ 102
Exercises — Before You Begin ................................................................................... 103
Necessary Equipment and Services ....................................................................................... 103
Management Computer Configuration ................................................................................... 103
Firewall Configuration .............................................................................................................. 104
Bandwidth Available at Each External Interface ................................................................... 104
Physically Connecting your Devices ........................................................................................ 104
Exercise 1: Demonstrate the Interface Overflow Multi-WAN Method and Sticky Connections ...... 105
When to Use the Interface Overflow Method ......................................................................... 105
Network Topology ..................................................................................................................... 105
Configure the Device ............................................................................................................... 106
Demonstrate It ......................................................................................................................... 110
Exercise 2: Demonstrate the Failover Multi-WAN Method and Policy-Based Routing ............ 114
When to Use the Failover Method ........................................................................................... 114
Network Topology ..................................................................................................................... 114
Configure the Device ............................................................................................................... 115
Demonstrate It ......................................................................................................................... 119
Exercise 3: Demonstrate Load Balancing with the Round Robin Multi-WAN Method ............. 120
Configure the Device ............................................................................................................... 120
Demonstrate It ......................................................................................................................... 121
Appendix ..................................................................................................................... 122
How Fireware Makes Multi-WAN Routing Decisions For Outbound Traffic .......................... 122
Multi-WAN Routing Decision Flow Chart ................................................................................ 123
What You Have Learned ............................................................................................ 125
Routing ................................................................................................................................ 127
Introduction ................................................................................................................ 127
What You Will Learn ................................................................................................................. 127
Terms and Concepts .................................................................................................. 128
Route ........................................................................................................................................ 128
Router ....................................................................................................................................... 128
Route Table ............................................................................................................................... 128
Route Metric ............................................................................................................................. 128
Routing Protocol ....................................................................................................................... 129
Convergence Time ................................................................................................................... 129
Routing Types and Protocols ..................................................................................... 130
Static vs. Dynamic Routing ..................................................................................................... 130
Supported Dynamic Routing Protocols .................................................................................. 130
Dynamic Routing Policies .......................................................................................... 132
Network Link Types .................................................................................................... 133
Asymmetrical Routes Cause Routing Inconsistency ............................................................. 135
Routing and Branch Office VPNs .............................................................................. 136
BOVPN Virtual Interface Routing Scenarios .......................................................................... 137
Failover from a Dynamic Route to a Branch Office VPN ....................................................... 138
Monitoring Tools ........................................................................................................ 139
The Status Report .................................................................................................................... 139
Set the Diagnostic Log Level ................................................................................................... 140
Exercise 1: Configure Static Routing Over a Point-to-Point Link ............................... 142
Add a Static Route to the Site A Device ................................................................................. 143
Add a Static Route to the Site B Device ................................................................................. 144
Review the Route Table ........................................................................................................... 145
Test the Static Route ............................................................................................................... 146
The Disadvantage of Using Only Static Routes ..................................................................... 147
Exercise 2: Configure Dynamic Routing over a Point-to-Point Link .......................... 148
Network Topology ..................................................................................................................... 148
Remove the Static Routes ....................................................................................................... 148
Configure Dynamic Routing with OSPF .................................................................................. 149
Review the Route Table ........................................................................................................... 150
Add a New Network at Site B .................................................................................................. 151
Exercise 3: Configure Static Routing Over a Multi-Hop Link ..................................... 153
Network Topology ..................................................................................................................... 153
Before You Begin ..................................................................................................................... 153
Configure the Peer Interfaces ................................................................................................. 154
Configure Static Routes Between the Trusted Networks at Each Site ................................. 154
Test the Static Route ............................................................................................................... 156
Exercise 4: Dynamic Routing Over a Multi-Hop Link ................................................. 157
Before You Begin ..................................................................................................................... 157
Configure Static Routes Between the Peer Interfaces .......................................................... 158
Configure Dynamic Routing with BGP .................................................................................... 161
Review the Route Table ........................................................................................................... 162
Test the Static Route ............................................................................................................... 162
Troubleshooting ....................................................................................................................... 162
What You Have Learned ............................................................................................ 163
FireCluster .......................................................................................................................... 165
Introduction ................................................................................................................ 165
What You Will Learn ................................................................................................................. 165
About FireCluster ....................................................................................................... 165
Terms and Concepts You Should Know ................................................................... 166
Cluster Member ....................................................................................................................... 166
Active/Active Cluster ................................................................................................................ 166
Active/Passive Cluster ............................................................................................................. 166
Load Balance Methods ........................................................................................................... 166
Cluster ID .................................................................................................................................. 167
Cluster Interface ...................................................................................................................... 167
Cluster Interface IP Address .................................................................................................... 167
Management Interface ............................................................................................................ 168
About Failover ............................................................................................................ 168
Causes of FireCluster Failover ................................................................................................. 168
What Happens During a Failover ............................................................................................ 170
Monitoring Tools ........................................................................................................ 171
Firebox System Manager ......................................................................................................... 171
Diagnostic Logging .................................................................................................................. 172
FireCluster Requirements ......................................................................................... 173
Hardware Requirements ......................................................................................................... 173
License Requirements ............................................................................................................. 173
Network Configuration Requirements .................................................................................... 173
Switch and Router Requirements ............................................................................................ 174
FireCluster Pre-Configuration Checklist .................................................................................. 175
Exercise 1: Set Up an Active/Passive Cluster ............................................................ 176
Configure the External Interface to Use a Static IP Address ................................................ 176
Configure the Trusted Interface .............................................................................................. 177
Disable Unused Network Interfaces ....................................................................................... 178
Decide Which Interfaces and Interface Address to Use ....................................................... 179
Connect the Cables .................................................................................................................. 179
Run the FireCluster Setup Wizard ........................................................................................... 180
Reset the Second Device to Factory-Default Settings ........................................................... 188
Discover the Second Cluster Member .................................................................................... 189
Exercise 2: Monitor Cluster Status ............................................................................. 190
Monitor the Cluster .................................................................................................................. 190
Monitor a Cluster Member ...................................................................................................... 191
Exercise 3: Test FireCluster Failover .......................................................................... 192
Force a Failover from Firebox System Manager .................................................................... 192
Trigger a Failover Due to Link Status ...................................................................................... 192
Use the Backup Cluster Interface ........................................................................................... 193
Trigger a Failover Due to Power Failure .................................................................................. 193
Test Failover with Network Traffic ........................................................................................... 193
Use Leave/Join in Firebox System Manager .......................................................................... 193
What You Have Learned ............................................................................................ 193
Course Introduction
Network and Traffic Management with Fireware
This training is for:
* The exercises in this course require Fireware with a Pro upgrade, which is included with most device models. For some 5 Series models (505, 510, 520, 530), you can purchase the Fireware Pro upgrade for your device.
Training Overview
About Side Notes
Side notes are extra information that is not necessary to understand the training. They might be configuration or troubleshooting tips, or extra technical information.
The WatchGuard Network and Traffic Management with Fireware course covers these topics:
• VLANs
• Traffic Management and QoS
• Link Aggregation
• Multi-WAN
• Routing
• FireCluster
This course assumes that you have completed the Fireware Essentials course and that you know how to
set up and configure basic networking features. This Course Introduction describes the software,
hardware, and network environment required to complete the exercises in this training courseware.
Necessary Equipment and Software
Because this course includes networking exercises, the training environment must include the
following network equipment in order to support all of the exercises in this course.
• One Firebox for each student (do not use Firebox T10 and XTM 2 Series models)
• One WatchGuard Firebox configured by the instructor as the default gateway
• Fireware v11.10 or higher installed on each Firebox
• One Windows computer per student, with WatchGuard System Manager v11.10 or later installed
• Three network hubs or switches, each with enough interfaces for the instructor and all of the student Firebox devices to connect.
- One switch is the primary external network for the student devices
- One switch is the secondary external network (WAN2) for the student devices in the
Multi-WAN exercises
- One switch is used for the multi-hop link in the Routing exercises
• Two managed switches with 802.1Q and 802.3ad support per student, for VLAN and Link
Aggregation exercises. Or students can pair up for these exercises.
• FTP Server (optional for some exercises)
Devices                         WatchGuard XTM 330 or higher
Device OS versions              Fireware® v11.10*
Management software versions    WatchGuard® System Manager v11.10
Classroom Network Configuration
The exercises in this course are designed using RFC 5737 documentation IP addresses to represent
public network IP addresses. The exercises in this training assume the following network configuration:
Figure 1: Training network configuration
Student Device IP Addresses
Students may be assigned a number (10, 20, 30, etc.) to identify the last IP address octet for their external
addresses, or their third octet for internal addresses in relation to their devices. This allows for similar
configuration among devices and prevents IP address conflicts and subnet overlap.
The student devices are configured with these addresses, where X is the student number:
• Eth0 – External (WAN1) — 203.0.113.X/24, Default Gateway 203.0.113.1
• Eth1 – Trusted — 10.0.X.1/24
• Eth2 – Optional — 172.16.X.1/24
• Eth3 – External or VLAN — Configuration varies by exercise
• Eth4, Eth5 – Link Aggregation — Configured in Link Aggregation exercises only
The student number is also used in the FireCluster exercises as the cluster ID. We recommend that you
assign student numbers in increments of at least 10, so the cluster ID does not create a virtual MAC
address conflict between multiple FireClusters.
In the exercises, your external interface and trusted interface IP addresses are determined by your
student number. Replace the X in the exercises with your student number.
Instructor Device Network Configuration
Several interfaces on the instructor Firebox must be configured to support the exercises in this course.
The instructor device acts as the default gateway for the primary student external network,
203.0.113.0/24. For the Multi-WAN exercises that require a second external network, we use
192.51.100.1/24. The instructor device acts as the default gateway for both of these networks.
You must also configure a DNS server, in the Network > Configuration > WINS/DNS tab, to allow DNS to operate from the training environment. For DNS to function for students, the student Firebox devices and computers must also be configured to use the DNS server.
The instructor Firebox is configured with these addresses:
• Eth0 (External) — Use appropriate addressing for a training environment with an Internet connection.
• Eth1 (Trusted) — 203.0.113.1/24 — The default gateway for the primary external interface on student devices.
• Eth2 (VLAN) — Send and receive untagged traffic for VLAN10. Also used as the default gateway for the secondary external interface on student devices when a second WAN interface is configured.
• Eth3 (VLAN) — Send and receive tagged traffic for VLAN10 and VLAN20. Used when students configure a VLAN with an external interface.
• Eth4 (Trusted) — 172.16.10.1/30 as the primary IP address, and 172.16.X.1/30 as secondary addresses for the optional networks on each student device. Used to simulate a multi-hop link for some dynamic routing exercises.
Figure 2: Instructor Firebox network interfaces configuration
The instructor device must have 2 VLANs configured:
• VLAN10 – Trusted — 198.51.100.1/24, ID:10 — Untagged eth2, tagged eth3
• VLAN20 – Trusted — 192.0.2.1/24, ID:20 — Tagged eth3
Figure 3: Instructor Firebox VLAN configuration
The instructor device must have addresses defined on eth4 for the optional networks for all student
devices. These are used for the multi-hop dynamic routing exercises.
• Primary (for the Optional network of student 10) — 172.16.10.1/30
• Secondary (for the Optional network of students 20 and higher) — 172.16.X.1/30
Figure 4: Secondary IP addresses for Eth4 on the instructor device, for a total of 8 students
Configuration Changes for the Instructor Device
To make the training network functional for these exercises, the instructor must make three more
configuration changes to the instructor Firebox.
1. Create an Any policy to allow traffic between the trusted interfaces.
Figure 5: Any policy configuration for the instructor Firebox
2. To enable access to the Internet, update the settings in Network > NAT > Dynamic NAT to add a dynamic entry for Any-Trusted - Any-External.
Or, you can add dynamic NAT rules from RFC 5737 addresses to Any-External (for example, add a dynamic NAT rule for 203.0.113.0/24 – Any-External).
Figure 6: NAT configuration for the instructor Firebox
3. To configure the instructor Firebox to simulate a multi-hop link for the routing exercises, you must add static routes to route traffic to the trusted network on each student device. The next hop for each is the IP address of the optional interface on each student device. The gateway corresponds to the primary and secondary networks defined for Eth4 on the instructor device.
Figure 7: Static route configuration for the instructor Firebox for a class with 8 students.
(Optional) Set Up a Server to Host FTP and HTTP Downloads
Several of the exercises in this courseware require that the students download a file from an FTP server
or browse to a web site to observe the results of a configuration change. If your training environment
does not have Internet access, you can use the subsequent steps to help you build an FTP server and a
Web server on an existing Windows 2003 Server on your network, that students can use for the
exercises.
1. Connect the server’s network card to the same hub or switch that connects the device external interface to the Internet router.
Usually, you would connect your device directly to the LAN interface of your Internet router. For
this exercise, you must use a hub or switch to connect the Windows 2003 Server to the external
network of the device.
2. Set up the FTP server.
For more information, see this Microsoft article: http://support.microsoft.com/kb/323384.
3. Create a 350 MB text file named 350mbfile.txt and save it in the ftproot folder. The default location for this folder is c:\inetpub\ftproot.
To create the file in Windows, at the Command Prompt, type the fsutil command:
    fsutil file createnew c:\inetpub\ftproot\350mbfile.txt 358400000
4. Set up the web server on your Windows 2003 Server.
For more information, see this Microsoft article: http://support.microsoft.com/kb/324742
5. Copy the 350mbfile.txt file from the C:\inetpub\ftproot to the C:\inetpub\wwwroot
directory.
VLANs
Four Ways to Configure VLANs on a Firebox
Introduction
A virtual local area network (VLAN) is a collection of computers on a LAN or LANs that are grouped
together in a single broadcast domain independent of their physical location. A VLAN allows you to
group devices according to function or traffic patterns instead of location or IP address. Members of a
VLAN can share resources as if they were connected to the same LAN.
What You Will Learn
This course explains the concept of a VLAN and describes several different VLAN technologies that are in use today. You will learn everything necessary to successfully deploy VLANs with your Firebox. We
will present four typical use cases with VLANs, and you will configure the Firebox for each of these
situations.
Exercises
The exercises demonstrate situations in which you would use different VLAN configurations, a
simplified view of the network topology for each setup, and step-by-step procedures for how to
configure each setup. The exercises include:
You can also use VLANs with link aggregation. An exercise for that configuration is included in the link aggregation section of this training.
• Two VLANs on the same Firebox interface
• One VLAN bridged across two Firebox interfaces
• One VLAN bridged across two Firebox interfaces (alternate configuration)
• Two VLANs as External Interfaces on the same Firebox
• Three VLANs for two SSIDs on an AP device
The course concludes with frequently asked questions about how to configure firewall policies to
restrict incoming and outgoing access on VLAN interfaces, or to allow or deny traffic between different
VLANs.
What VLANs Can Do For You
VLANs provide three main benefits:
• Increased performance by confining broadcasts.
Each computer you add to a LAN increases the amount of background (broadcast) traffic, which can reduce performance. With VLANs, you can restrict this traffic and reduce the amount of
bandwidth used by your network.
• Improved manageability and simplified network tuning.
When you consolidate common resources into a VLAN, you reduce the number of routing hops
needed for those devices to communicate. You can also manage traffic from each functional group
more easily when each group uses a different VLAN.
• Increased security options.
By default, members of one VLAN cannot see the traffic from another VLAN. You can apply separate
security policies to VLANs. By contrast, a secondary network on a Firebox interface gives no
additional security because there is no separation of traffic. The Firebox does not filter traffic
between the primary network of an interface and a secondary network on that interface. It
automatically routes traffic between primary and secondary networks on the same physical
interface with no access restrictions.
Terms and Concepts You Should Know
VLAN trunk interface
The physical interface (switch interface or device interface) that connects a VLAN device to another
VLAN device. Some vendors use this term only for a switch interface that carries traffic for more than
one VLAN. We use this as a general term to indicate an Ethernet interface on a VLAN-capable device
that connects the device to another VLAN-capable device.
VLAN ID (VID)
A number from 1 to 4094 associated with the VLAN. Every VLAN you use has a unique number.
Tag
This term has two meanings: one for the verb usage, and one for the noun usage.
[noun] Information that is added to the header of an Ethernet frame. The format of the tag is defined
by the IEEE 802.1Q standard.
[verb] To add a VLAN tag to a data frame’s Ethernet header. The tag is added by an 802.1Q-compliant
device such as an 802.1Q switch or router, or the Firebox.
Because the physical segment between two 802.1Q devices normally carries only tagged data
packets, we call it the tagged data segment.
Untag
To remove a VLAN tag from a frame’s Ethernet header. When an 802.1Q device sends data to a
network device that cannot understand 802.1Q VLAN tags, the device untags the data frames.
Because the physical segment between a VLAN device and a device that cannot understand VLAN
tags normally carries only untagged data packets, we call it the untagged data segment.
Tagging and untagging per interface
When you assign VLAN membership for an Ethernet interface on an 802.1Q device, you also tell the
interface whether to send and accept tagged or untagged data frames. Some VLAN devices allow
one Ethernet interface to accept both tagged and untagged frames. This depends on which VLANs
the interface is a member of.
When you configure a Firebox Ethernet interface for VLAN, the interface will accept both tagged
and untagged data frames, but only for VLANs in the trusted, optional, and custom security zones.
For an external VLAN, a VLAN interface accepts only tagged data frames.
Use these two rules to decide whether to configure a switch interface for Tag or Untag:
- If the interface connects to a device that can receive and understand 802.1Q VLAN tags, configure the switch interface for Tag. Devices you connect to this interface are usually VLAN switches (managed switches) or routers.
- If the interface connects to a device that cannot receive and understand 802.1Q VLAN tags,
configure the switch interface for Untag. (Such devices will likely strip the VLAN tag from the
Ethernet header, or drop the frame altogether.) Devices you connect to this interface are
usually computers or printers.
Switches
When you configure a Firebox Ethernet interface for VLAN, the switches that you connect to the
device interface must be able to use VLAN tags as defined in IEEE 802.1Q. A switch of this type is
commonly called a managed switch or an 802.1Q switch.
Types of VLANs
VLANs can use different parameters to assign membership:
- 802.1Q VLANs (used by the Firebox)
The Institute of Electrical and Electronic Engineers (IEEE) publishes the 802.1Q standard to
define the format of VLAN tags. This standard lets you use VLANs with any vendors’
equipment that conforms to 802.1Q standards.
- MAC address-based VLANs use the physical address on a computer’s network interface card
to put it in the correct logical group.
- VLANs based on multicast groups put computers into VLANs based on whether the
computer has subscribed to a particular multicast group.
- Protocol-based VLANs put computers into VLANs based on the communication protocol
each uses (such as IP, IPX, DECnet, or AppleTalk).
VLAN Requirements and Recommendations
To use a VLAN with a Firebox:
• If your Firebox is configured in drop-in mode, you cannot use VLANs.
• If your Firebox is configured in bridge mode, you cannot configure VLANs on the device.
- The device in bridge mode can pass VLAN tagged traffic between 802.1Q bridges or
switches.
- You can configure a device in bridge mode to be managed from a VLAN that has a specified
VLAN tag.
• Each VLAN interface can send and receive untagged traffic for only one trusted or optional VLAN.
For example, if a VLAN interface is configured to send and receive untagged traffic for VLAN-10, it
cannot also send and receive untagged traffic for any other VLAN at the same time. Also, a VLAN interface cannot be configured to send and receive untagged traffic for an external VLAN.
• Multi-WAN configuration settings are applied to VLAN traffic. However, it can be easier to manage
bandwidth when you use only physical interfaces in a multi-WAN configuration.
• Your device model and license controls the number of VLANs you can create. To see the number of
VLANs you can add to your Firebox, open Policy Manager and select Setup > Feature Keys. Find
the row labeled Total number of VLAN interfaces.
• We recommend that you do not create more than 10 VLANs that operate on external interfaces.
Too many VLANs on external interfaces affect performance.
• All network segments you want to add to a VLAN must have IP addresses on the VLAN network.
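To check a planned VLAN layout against the rules in this list before you change the device, here is a small validator written for this page (an added example, not WatchGuard code). It models each VLAN interface as the set of VLANs carried tagged plus the single VLAN carried untagged; the exercise1_plan and bad_plan layouts and the feature key limit of 8 are constructed.

```python
"""Pre-flight check of a planned Firebox VLAN layout against the rules listed on this
page (constructed example, not WatchGuard code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Vlan:
    name: str
    vid: int
    zone: str  # "trusted", "optional", "custom" or "external"


@dataclass
class VlanInterface:
    number: int
    tagged: Set[str] = field(default_factory=set)    # VLANs carried with 802.1Q tags
    untagged: Set[str] = field(default_factory=set)  # VLAN carried untagged (at most one)


@dataclass
class FireboxPlan:
    mode: str            # "routed", "drop-in" or "bridge"
    vlan_limit: int      # "Total number of VLAN interfaces" row of the feature key
    vlans: Dict[str, Vlan]
    interfaces: List[VlanInterface]


def check_plan(plan: FireboxPlan) -> List[str]:
    """Return the problems found; an empty list means the plan satisfies the page's rules."""
    problems: List[str] = []
    if plan.mode != "routed":
        problems.append(f"VLANs cannot be used in {plan.mode} mode; use routed mode")
    seen: Dict[int, str] = {}
    for v in plan.vlans.values():
        if not 1 <= v.vid <= 4094:
            problems.append(f"{v.name}: VLAN ID {v.vid} is outside 1-4094")
        elif v.vid in seen:
            problems.append(f"{v.name}: VLAN ID {v.vid} is already used by {seen[v.vid]}")
        else:
            seen[v.vid] = v.name
    if len(plan.vlans) > plan.vlan_limit:
        problems.append(f"{len(plan.vlans)} VLANs exceed the feature key limit of {plan.vlan_limit}")
    for iface in plan.interfaces:
        for name in iface.tagged | iface.untagged:
            if name not in plan.vlans:
                problems.append(f"eth{iface.number}: unknown VLAN {name}")
        if len(iface.untagged) > 1:
            problems.append(f"eth{iface.number}: untagged traffic for more than one VLAN")
        for name in iface.untagged:
            if name in plan.vlans and plan.vlans[name].zone == "external":
                problems.append(f"eth{iface.number}: external VLAN {name} must be carried tagged")
    external = [v for v in plan.vlans.values() if v.zone == "external"]
    if len(external) > 10:  # recommendation from the page, reported as a warning
        problems.append(f"warning: {len(external)} external VLANs; more than 10 affects performance")
    return problems


def exercise1_plan() -> FireboxPlan:
    """The layout built in Exercise 1: VLAN10 and VLAN20 tagged on interface 3."""
    return FireboxPlan(
        mode="routed", vlan_limit=8,  # constructed limit; read yours from Setup > Feature Keys
        vlans={"VLAN10": Vlan("VLAN10", 10, "trusted"), "VLAN20": Vlan("VLAN20", 20, "optional")},
        interfaces=[VlanInterface(3, tagged={"VLAN10", "VLAN20"})],
    )


def bad_plan() -> FireboxPlan:
    """A constructed layout that breaks three of the rules at once."""
    return FireboxPlan(
        mode="routed", vlan_limit=8,
        vlans={
            "VLAN10": Vlan("VLAN10", 10, "trusted"),
            "VLAN20": Vlan("VLAN20", 20, "optional"),
            "WAN-VLAN": Vlan("WAN-VLAN", 4095, "external"),  # ID out of range
        },
        interfaces=[
            VlanInterface(3, untagged={"VLAN10", "VLAN20"}),  # two untagged VLANs
            VlanInterface(4, untagged={"WAN-VLAN"}),          # external VLAN untagged
        ],
    )


if __name__ == "__main__":
    for p in check_plan(bad_plan()):
        print(p)
```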
Before You Begin
Before you begin the exercises, you must:
1. Make sure the switches that connect to the Firebox do not use Spanning Tree Protocol. Disable this protocol for any switch interface that connects to a device Ethernet interface.
2. Know how to configure your VLAN switch. Consult the documentation from the device manufacturer for help.
Firewall Configuration
If your Firebox is not yet configured, run the Quick Setup Wizard first to configure it.
• Use the Routed mode for the Quick Setup Wizard. (You cannot use VLANs with Drop-in mode or
Bridge mode.) The Quick Setup Wizard with Routed mode has these defaults:
- The external Interface 0 is configured and enabled with static IP address 203.0.113.X/24. Replace X in the external IP address with the student number your instructor gives you.
- The trusted Interface 1 is configured and enabled with IP address 10.0.X.1/24. Replace X in the trusted IP address with the student number your instructor gives you.
- All of the other interfaces are set to Disabled.
- There are five policies in Policy Manager: FTP, Ping, WatchGuard WebUI, WatchGuard, and
Outgoing.
• The trusted interface (Interface 1) is not a member of any VLAN in any of the exercises.
• The management computer is connected directly to the trusted interface with an Ethernet cable.
Make sure your management computer has an IP address in the same subnet as the trusted
interface, with the correct subnet mask. Make sure the default gateway for the computer is the
trusted interface IP address.
Necessary Equipment and Services
• Management computer
Use a computer with WSM version 11.9 or higher software installed to configure the Firebox. This
computer is connected to the device trusted interface in all exercises.
• Two additional computers
To test traffic flow with the VLANs you send traffic between two computers. Each computer is
connected to a VLAN switch or to the Firebox itself, depending on the exercise.
You can also use the management computer for one of the two computers to test traffic flow
between VLANs.
• WatchGuard Firebox with Fireware v11.10 or higher
In the exercises, we assume that you ran the Quick Setup Wizard to configure the Firebox and you
selected Routed mode (not Drop-in or Bridge mode).
• 802.1Q VLAN switches
- One switch for Exercises 1 and 2
- Two switches for Exercises 3 and 4
- One switch for Exercise 5
• Ethernet cables
At a minimum, to complete all the exercises you must have:
- Six Ethernet cables — To interconnect all of the devices.
Configuring the VLAN Switch
Each physical interface on a VLAN switch is generally classified as one of two types:
• VLAN Access port
A switch interface of this type removes VLAN tags from data frames before it sends them to the
device attached to it. The interface also adds a VLAN tag to untagged frames it gets from the
connected device.
You connect computers, printers, and other networked devices to this type of interface.
Configure this type of switch interface for untag mode.
• VLAN Trunk port
A switch interface of this type preserves any VLAN tags in the data frames it receives. It also
preserves VLAN tags when it sends tagged data frames to the device attached to it.
You connect other VLAN-capable devices such as VLAN switches and routers to this type of
interface. You also connect this type of interface to a Firebox interface configured to accept tagged
data frames.
Configure this type of switch interface for tag mode.
Select the VLAN ID Numbers
By default, each interface on most new, unconfigured switches belongs to VLAN number 1. Because
this VLAN exists on every interface of most switches by default, the possibility exists that this VLAN can
accidentally span the entire network, or at least very large portions of it.
We recommend you use a VLAN ID number other than 1 for any VLAN that passes traffic to the Firebox.
About the PVID
Some switch manufacturers require you to assign a Port VLAN ID (PVID) to each interface. The PVID
number determines the VLAN ID number that the switch adds to the untagged packets it gets from
devices connected to the interface. If you do not configure a PVID for an interface, it is possible that the
switch can tag the data packets it gets on that interface with the default VLAN ID of 1. This is the case even if you configure the interface to untag for a different VLAN ID number.
When you change the PVID setting on a switch interface to a PVID number that matches a VLAN
number, the switch adds a VLAN tag for that VLAN to untagged packets it receives on this interface. If
your switch uses PVID numbers, be sure to configure each switch interface that connects a computer to
use the correct PVID number.
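The tag, untag, access port, trunk port, and PVID behavior described in Terms and Concepts You Should Know and in this Configuring the VLAN Switch section, worked through on raw Ethernet frames (an added example, not WatchGuard or switch vendor code). The MAC addresses and frame bytes are constructed, and the Firebox VLAN interface model follows only the membership rules stated on this page.

```python
"""802.1Q tag and untag on raw Ethernet frames, plus the access/trunk port and PVID
rules from this page (constructed example, not WatchGuard or switch-vendor code)."""
import struct
from typing import Dict, Optional, Set, Tuple

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag
DEFAULT_VID = 1      # most unconfigured switches put every port in VLAN 1


def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Assemble a minimal untagged Ethernet II frame (FCS omitted)."""
    macs = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    return macs + struct.pack("!H", ethertype) + payload


def parse_vlan_tag(frame: bytes) -> Optional[Tuple[int, int]]:
    """Return (vid, pcp) if an 802.1Q tag follows the MAC addresses, else None."""
    if len(frame) < 16:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None
    return tci & 0x0FFF, tci >> 13  # VID is the low 12 bits, PCP the top 3


def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert a 4-byte 802.1Q tag (TPID + TCI) after the source MAC address."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1-4094")
    if parse_vlan_tag(frame) is not None:
        raise ValueError("frame already carries an 802.1Q tag")
    tci = (pcp << 13) | vid  # DEI bit left at 0
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def untag_frame(frame: bytes) -> bytes:
    """Remove the 802.1Q tag; an untagged frame is returned unchanged."""
    if parse_vlan_tag(frame) is None:
        return frame
    return frame[:12] + frame[16:]


def access_port_ingress(frame: bytes, pvid: Optional[int]) -> bytes:
    """Untag-mode (access) port receiving from a computer: an untagged frame is tagged
    with the port's PVID, or with VLAN 1 when no PVID was configured."""
    if parse_vlan_tag(frame) is not None:
        return frame  # already tagged; this simple model leaves it alone
    return tag_frame(frame, pvid if pvid is not None else DEFAULT_VID)


def access_port_egress(frame: bytes) -> bytes:
    """Untag-mode port sending to a device that cannot read 802.1Q tags."""
    return untag_frame(frame)


def trunk_port(frame: bytes) -> bytes:
    """Tag-mode (trunk) port: tags are preserved in both directions."""
    return frame


def firebox_vlan_interface_accept(frame: bytes, tagged_vids: Set[int],
                                  untagged_vid: Optional[int]) -> Optional[int]:
    """VLAN a Firebox VLAN interface assigns a received frame to, or None if dropped.
    tagged_vids: VLANs the interface sends and receives tagged traffic for.
    untagged_vid: the single trusted/optional VLAN carried untagged, or None
    (an external VLAN is never carried untagged)."""
    tag = parse_vlan_tag(frame)
    if tag is None:
        return untagged_vid
    vid, _pcp = tag
    return vid if vid in tagged_vids else None


def walk_exercise1_frame() -> Dict[str, Optional[int]]:
    """Trace an untagged frame from a VLAN10 computer through an access port and the
    trunk to Firebox interface 3 (tagged member of VLAN10 and VLAN20), once with the
    access port PVID set to 10 and once with the PVID left unset."""
    frame = build_frame("00:1a:2b:3c:4d:5e", "00:aa:bb:cc:dd:ee", 0x0800, b"\x00" * 46)
    results: Dict[str, Optional[int]] = {}
    for label, pvid in (("with_pvid", 10), ("without_pvid", None)):
        on_wire = trunk_port(access_port_ingress(frame, pvid))
        results[label] = firebox_vlan_interface_accept(on_wire, {10, 20}, None)
    return results


if __name__ == "__main__":
    print(walk_exercise1_frame())  # {'with_pvid': 10, 'without_pvid': None}
```

With the PVID unset, the switch tags the computer's frames for VLAN 1, which the Firebox interface is not a member of, so the frames are dropped.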
Exercise 1: Two VLANs on the Same Device Interface
When to Use this Configuration
A Firebox interface is a member of more than one VLAN when the switch that connects to that
interface carries traffic from more than one VLAN.
You use multiple VLANs on one Firebox interface when you want to split a device interface into multiple broadcast domains or multiple security zones. When you separate the traffic from different
functional groups before it enters the device interface, you get two major benefits:
• Broadcast traffic is confined within each VLAN, which reduces congestion.
• You can make access policies to allow limited traffic or no traffic between the VLANs. You also
control access from each VLAN to other parts of your network and to the Internet.
Compare the second benefit to the situation when you configure a Firebox interface as a physical
interface (instead of as a VLAN) with a secondary network also configured on the interface: The device
does not filter traffic between the primary network of an interface and a secondary network on that
interface. The primary network is not protected from a secondary network on that interface.
Network Topology
This exercise shows how to connect one switch that carries traffic from two different VLANs to one
Firebox interface. In the subsequent diagram, the computers are connected to the 802.1Q switch, and
the switch is connected to Firebox interface 3. The switch carries traffic from two different VLANs.
Figure 1: Network topology for Exercise 1
Configure the Device
1. From Policy Manager, select Network > Configuration. The Network Configuration dialog box appears.
2. Select the VLAN tab.
Figure 2: VLAN tab of Network Configuration dialog box
3. Click Add and create a new VLAN.
4. In the Name (Alias) text box, type a name for the VLAN. The name cannot contain spaces. For this example, type VLAN10.
5. (Optional) In the Description text box, type a description. For this example, type Accounting.
6. In the VLAN ID text box, type or select a number for the VLAN. For this example, select 10.
Security zones correspond to aliases for interface security zones. For example, VLANs of type “Trusted” are handled by policies that use the alias “Any-Trusted” as a source or destination. VLANs can be defined as Trusted, Optional, or Custom.
7. From the Security Zone drop-down list, select the security zone for the VLAN. For this example, select Trusted.
8. In the IP Address text box, type the IP address of the VLAN gateway. For this example, type 192.168.10.1/24. Any computer in this new VLAN must use this IP address as its default gateway.
9. (Optional) Configure DHCP for the new VLAN.
a. Select Use DHCP Server.
b. In the Address Pool section, click Add.
c. Type or select the Starting Address and the Ending Address.
For this example, type 192.168.10.10 for the Starting Address and 192.168.10.20 for
the Ending Address.
d. Click OK.
The new address pool appears in the Address Pool list.
10. Click OK. The new VLAN appears.
Figure 3: VLAN tab with new VLAN10
11. Click Add and create another new VLAN.
12. In the Name (Alias) text box, type a name for the VLAN. The name cannot contain spaces. For this example, type VLAN20.
13. (Optional) In the Description text box, type a description. For this example, type Sales.
14. In the VLAN ID text box, type or select a number for the VLAN. For this example, select 20.
15. From the Security Zone drop-down list, select the security zone for the VLAN. For this example, select Optional.
16. In the IP Address text box, type the IP address of the VLAN gateway. For this example, type 192.168.20.1/24. Any computer in this new VLAN must use this IP address as its default gateway.
17. (Optional) Configure DHCP for the new VLAN.
a. Select Use DHCP Server.
b. In the Address Pool section, click Add.
c. Type or select the Starting Address and the Ending Address.
For this example, type 192.168.20.10 for the Starting Address and 192.168.20.20 for
the Ending Address.
d. Click OK.
The new address pool appears in the Address Pool box.
18. Click OK. Both VLANs now appear.
Figure 4: Two new VLANS: VLAN10 and VLAN20
19. Select the Interfaces tab.
20. Select Interface 3 and click Configure.
21. From the Interface Type drop-down list, select VLAN.
The Interface Type Configuration section appears on the IPv4 tab. Both new VLANs appear in the list.
Because you cannot add a secondary network to a VLAN interface, the Secondary tab remains unavailable here. You can add secondary networks to each of the VLAN members. To do this, edit the VLAN members in the VLAN tab.
22. Select Send and receive tagged traffic for selected VLANs.
23. In the Member column, select the check boxes for VLAN10 and VLAN20.
Figure 5: The Member column shows which VLANs the interface is a member of.
24. Click OK. This interface now appears as type VLAN in the list of interfaces.
25. Check your work.
The Interfaces tab should look like this.
Figure 6: Firebox Interface 3 is now type VLAN
The VLAN tab should look like this.
Figure 7: VLAN tab after the VLANs are defined
26. Click Save to save this configuration to the device. Or, select File > Save > To Firebox.
Configure the Switch
Refer to the instructions from your switch manufacturer to configure your switch.
Note
As a general rule, remember that the physical segment between this switch interface and the Firebox is a tagged data segment. Traffic that flows over this segment must use 802.1Q VLAN tagging.

Note
Some switch manufacturers refer to a switch interface that is configured like Step 2 as a trunk port or trunk interface.
1. Add two VLANs to the 802.1Q switch configuration. Set the VLAN ID numbers for these VLANs to 10 and 20.
2. Configure the switch interface that connects the switch to the device interface 3.
a. Disable Spanning Tree Protocol on any switch interface that connects to the device.
b. Configure this interface on the switch to be a member of both VLANs 10 and 20.
c. Configure this interface to tag for both VLANs.
d. If necessary for your switch operating system, configure the switch mode to trunk.
e. If necessary for your switch operating system, set encapsulation mode to 802.1Q.
3. Configure the switch interfaces that connect computers in VLAN10 to the switch.
a. Configure each switch interface that will connect a computer in VLAN10 to be a member of
VLAN10.
b. Configure these interfaces to untag for VLAN10.
4. Configure the switch interfaces that connect computers in VLAN20 to the switch.
a. Any switch interface that will connect a computer in VLAN20 must be a member of VLAN20.
b. Configure these interfaces to untag for VLAN20.
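The tag and untag rules in the switch steps above decide which frames each segment can carry; the same rules apply to the untagged Firebox interface used in Exercise 2, which the course says behaves like an untagged switch port. The following is an added example, not part of the training text and not any vendor's switch code: a small 802.1Q frame builder and parser plus a flooding switch model whose ports either tag for their member VLANs (the trunk to Firebox interface 3) or untag for one VLAN (the ports the computers plug into). The port names (g0/1 and so on), MAC addresses and payloads are constructed for the example. It also shows the caveat a practitioner should expect: because the trunk was configured to tag for both VLANs and has no untagged VLAN, an untagged frame arriving on it is dropped rather than silently placed in some VLAN.

```python
"""Model of the 802.1Q tag/untag rules behind the switch steps above.

Added example (not from the training text, not vendor switch code). The
port names, MAC addresses and payloads below are constructed.
"""
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Ethernet II frame; an 802.1Q tag is inserted after the MACs when vid is set."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is not None:
        if not 1 <= vid <= 4094:
            raise ValueError("802.1Q VID must be 1..4094")
        hdr += struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)  # DEI bit left clear
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, vid-or-None, ethertype, payload)."""
    dst, src = frame[0:6].hex(":"), frame[6:12].hex(":")
    etype, = struct.unpack("!H", frame[12:14])
    if etype != TPID_8021Q:
        return dst, src, None, etype, frame[14:]
    tci, etype = struct.unpack("!HH", frame[14:18])
    return dst, src, tci & 0x0FFF, etype, frame[18:]


class Port:
    """A switch interface: the VLANs it is a member of, and the one (if any) it untags for."""

    def __init__(self, name, members, untagged=None):
        self.name, self.members, self.untagged = name, set(members), untagged

    def ingress(self, frame):
        """Classify an arriving frame: (vid, frame_without_tag), or None to drop it."""
        dst, src, vid, etype, payload = parse_frame(frame)
        if vid is None:
            if self.untagged is None:
                return None          # untagged frame on a tag-only trunk: no PVID, drop
            vid = self.untagged      # untagged segment: the port's VLAN is implied
        elif vid not in self.members:
            return None              # tagged for a VLAN this port does not carry
        return vid, build_frame(dst, src, etype, payload)

    def egress(self, vid, frame):
        """Frame as it leaves this port for VLAN vid, or None if not delivered here."""
        if vid == self.untagged:
            return frame             # towards a computer: no tag on the wire
        if vid in self.members:
            dst, src, _, etype, payload = parse_frame(frame)
            return build_frame(dst, src, etype, payload, vid=vid)  # towards the Firebox: tagged
        return None


class Switch:
    """Floods every accepted frame to the other members of its VLAN (no MAC learning)."""

    def __init__(self, *ports):
        self.ports = {p.name: p for p in ports}

    def forward(self, in_port, frame):
        """Return {port_name: frame_as_sent} for a frame entering in_port."""
        accepted = self.ports[in_port].ingress(frame)
        if accepted is None:
            return {}
        vid, untagged = accepted
        out = {}
        for name, port in self.ports.items():
            if name != in_port:
                sent = port.egress(vid, untagged)
                if sent is not None:
                    out[name] = sent
        return out


def exercise1_switch():
    """Port roles from the Configure the Switch steps for Exercise 1 (names assumed)."""
    return Switch(
        Port("g0/1", members={10, 20}),           # trunk: tags for VLAN10 and VLAN20, to Firebox interface 3
        Port("g0/2", members={10}, untagged=10),  # access port for the VLAN10 computer
        Port("g0/3", members={20}, untagged=20),  # access port for the VLAN20 computer
    )


def vlan_on_wire(out, port):
    """VID carried on the given egress port, None if untagged, 'dropped' if not delivered."""
    if port not in out:
        return "dropped"
    return parse_frame(out[port])[2]


if __name__ == "__main__":
    sw = exercise1_switch()
    bcast = "ff:ff:ff:ff:ff:ff"
    from_pc10 = build_frame(bcast, "00:00:5e:00:53:10", ETHERTYPE_IPV4, b"constructed payload")
    out = sw.forward("g0/2", from_pc10)
    for name in ("g0/1", "g0/3"):
        print(name, vlan_on_wire(out, name))  # g0/1 carries VID 10, g0/3 gets nothing
```

A broadcast from the VLAN10 computer reaches only the trunk, tagged with VID 10, and never the VLAN20 port; a frame tagged 20 from the Firebox side leaves only the VLAN20 port, untagged. Anything arriving on the trunk without a tag, or tagged for a VLAN the trunk does not carry, is dropped.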
Note
As a general rule, remember that the physical segment between a switch interface and a computer (or other networked device) that connects to it is an untagged data segment. Traffic that flows over this segment does not have VLAN tags.

Note
Most switches sold today have interfaces that can auto-sense MDI/MDI-X for the Ethernet connection. When the interface senses a physical link, it automatically configures itself to be a normal or uplink interface. If you do not get link lights on the Ethernet interfaces with one type of Ethernet cable (straight-through or crossover), try the other type of Ethernet cable.
Physically Connect all Devices
1. Connect one end of an Ethernet cable to the device interface 3.
2. Connect the other end of the Ethernet cable to the interface on the switch that you configured to tag for VLANs 10 and 20 (to the VLAN trunk interface of the switch).
3. Connect a computer to the interfaces on the switch that you configured to untag for VLAN10.
4. If you configured VLAN10 to use the DHCP server, configure the computer’s network card to use
DHCP to get an IP address automatically. For more information, see Step 9 on page 13.
5. If you did not configure the VLAN to use the DHCP server, configure the computer’s network card with an IP address in the VLAN subnet 192.168.10.x. Use subnet mask 255.255.255.0 and set the computer’s default gateway to the device VLAN IP address, 192.168.10.1.
6. Repeat Steps 1–3 to connect a computer to a switch interface that you configured to untag for VLAN20.
Test the Configuration
From the computer in VLAN10, you should be able to ping the computer in VLAN20, as well as ping the
VLAN10 computer from the VLAN20 computer. The two computers can ping each other because the
default settings of the Ping policy allow Any-Trusted and Any-Optional to send ICMP echo requests to
Any.
No other traffic is allowed between the two VLANs unless there is a policy that specifically allows it. The
basic configuration loaded by the Quick Setup Wizard does not allow any other traffic between the
VLANs.
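The reason the two computers can ping each other, and do nothing else, is that the VLAN's security zone decides which policy aliases cover it: VLAN10 is in Trusted, so its hosts are Any-Trusted; VLAN20 is in Optional, so its hosts are Any-Optional; the default Ping policy lists both as sources and Any as the destination, and no other policy matches. The following is an added example, not from the training text and not Fireware's policy engine: a first-match evaluator that resolves addresses to zone aliases through the VLAN table from Exercise 1 and falls through to deny, then shows what changes when one explicit policy is added. The names VLANS, POLICIES and evaluate, the first-match ordering, and the rule that an address outside both VLAN subnets counts as External are this example's own assumptions.

```python
"""Why the Exercise 1 test allows ping and nothing else.

Added example, not the training text's or Fireware's code. The VLAN table
below is constructed from the Exercise 1 steps; first-match ordering and
the External fallback are assumptions of this model.
"""
import ipaddress

# Zones and subnets exactly as configured in Exercise 1 (constructed table).
VLANS = {
    "VLAN10": ("Trusted", ipaddress.ip_network("192.168.10.0/24")),
    "VLAN20": ("Optional", ipaddress.ip_network("192.168.20.0/24")),
}
ZONE_ALIAS = {"Trusted": "Any-Trusted", "Optional": "Any-Optional",
              "External": "Any-External"}

# The default Ping policy as the page describes it: ICMP from Any-Trusted
# and Any-Optional to Any. "from"/"to" may hold zone aliases, "Any", or
# literal IP addresses/networks.
DEFAULT_POLICIES = [
    {"name": "Ping", "proto": "icmp", "port": None,
     "from": {"Any-Trusted", "Any-Optional"}, "to": {"Any"}},
]


def zone_of(ip):
    """Map an address to a security zone via the VLAN subnet it belongs to."""
    addr = ipaddress.ip_address(ip)
    for zone, subnet in VLANS.values():
        if addr in subnet:
            return zone
    return "External"            # assumption: anything else is treated as external


def _matches(members, ip):
    """True if ip is covered by 'Any', its zone alias, or an IP/network literal."""
    addr = ipaddress.ip_address(ip)
    for m in members:
        if m == "Any" or m == ZONE_ALIAS[zone_of(ip)]:
            return True
        try:
            if addr in ipaddress.ip_network(m, strict=False):
                return True
        except ValueError:
            pass                 # an alias name, not an IP literal; no match
    return False


def evaluate(src_ip, dst_ip, proto, dport=None, policies=DEFAULT_POLICIES):
    """Return (action, policy_name): first matching policy wins, else implicit deny."""
    for p in policies:
        if p["proto"] != proto:
            continue
        if p["port"] is not None and p["port"] != dport:
            continue
        if _matches(p["from"], src_ip) and _matches(p["to"], dst_ip):
            return "allow", p["name"]
    return "deny", "implicit deny"


def exercise1_results():
    """The checks from Test the Configuration, plus the effect of one added
    policy (hypothetical: SMB from Any-Trusted to a single VLAN20 host)."""
    vlan10_pc, vlan20_pc = "192.168.10.10", "192.168.20.10"
    smb_policy = {"name": "SMB-to-VLAN20-host", "proto": "tcp", "port": 445,
                  "from": {"Any-Trusted"}, "to": {vlan20_pc}}
    with_smb = DEFAULT_POLICIES + [smb_policy]
    return {
        "ping 10->20": evaluate(vlan10_pc, vlan20_pc, "icmp"),
        "ping 20->10": evaluate(vlan20_pc, vlan10_pc, "icmp"),
        "smb 10->20": evaluate(vlan10_pc, vlan20_pc, "tcp", 445),
        "smb 10->20 with policy": evaluate(vlan10_pc, vlan20_pc, "tcp", 445, with_smb),
        "smb 20->10 with policy": evaluate(vlan20_pc, vlan10_pc, "tcp", 445, with_smb),
    }


if __name__ == "__main__":
    for check, (action, name) in exercise1_results().items():
        print(f"{check:24} {action:5} ({name})")
```

Ping is allowed in both directions because each VLAN's zone alias appears in the Ping policy's source list; TCP/445 is denied until a policy names it, and the added policy opens only the Trusted-to-Optional direction to the one host it lists, which is the behaviour the section describes.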
Exercise 2: One VLAN Bridged Across Two Device Interfaces
When to Use this Configuration
The primary benefit of this configuration is the ability to bridge a VLAN between computers connected
to a VLAN switch and computers directly connected to the Firebox. A typical network topology is this:
• You have a relatively large number of computers connected by way of a VLAN switch to one device interface.
• You have a single computer (or a small group of computers) that must share the same resources as
the first group, but it is physically separated from the first group.
• It is more convenient or cost-effective to connect the smaller group directly to the device.
To solve the challenge of putting all these computers into one logical group, you configure the Firebox
with a VLAN that bridges two device interfaces:
• One device interface tags for the VLAN.
This interface connects, by way of an Ethernet cable, to the VLAN switch that links the majority of
the computers in this logical group.
• The other device interface untags for the VLAN.
This interface has a direct Ethernet connection to one computer (or a small group of computers) in
the logical group. This second connection can be a shared media connection such as a hub
connected to the interface, or a single computer connected to the interface with a crossover
Ethernet cable.
With this configuration, all the computers can easily share resources, and their broadcasts are confined
to the VLAN.
Network Topology
Note
The untagged Firebox interface in Figure 8 (Interface 4, with one computer connected) operates in much the same way as an untagged switch port on a VLAN switch.
This exercise shows how to connect a switch to one Firebox interface, and computers to another
Firebox interface. Figure 8 shows that the computers connected to the switch and to device interface 4
are in the same VLAN.
Figure 8: Network topology for Exercise 2
Note
If you have already completed the previous exercise, remove the VLANs and disable the VLAN
interface you configured in that exercise before you begin this one.
Configure the Device
1. From Policy Manager, select Network > Configuration.
2. Select the VLAN tab.
3. Click Add and create a new VLAN. The New VLAN Configuration dialog box appears.
4. In the Name (Alias) text box, type a name for the VLAN. The name cannot contain spaces.
For this example, type VLAN10.
5. (Optional) In the Description text box, type a description of the VLAN.
For this example, type Accounting.
6. In the VLAN ID text box, select a number for the VLAN.
For this example, type 10.
7. From the Security Zone drop-down list, select the security zone for the VLAN.
For this example, select Trusted.
8. In the IP Address text box, type the IP address of the VLAN gateway.
For this example, type 192.168.10.1/24.
Any computer in this new VLAN must use this IP address as its default gateway.
9. (Optional) Configure DHCP for the new VLAN.
a. Select Use DHCP Server.
b. In the Address Pool section, click Add.
c. Type or select the Starting Address and the Ending Address.
For this example, type 192.168.10.10 for the Starting Address and 192.168.10.20 for the Ending Address.
d. Click OK.
The new address pool appears in the Address Pool list.
Note
The Interfaces column is blank for a new VLAN because no Firebox interfaces have been assigned to it yet. You assign the VLAN to Firebox interfaces in the next steps.
10. Click OK. The new VLAN is added.
Figure 9: VLAN10 on the VLAN tab
11. To make device Interfaces 3 and 4 members of the new VLAN, select the Interfaces tab.
12. Select Interface 3 and click Configure.
13. From the Interface Type drop-down list, select VLAN.

Note
You configure interface 3 to handle tagged VLAN traffic, because it connects to a VLAN switch that sends it traffic with VLAN tags.
14. Select Send and receive tagged traffic for selected VLANs.
15. In the Member column, select the check box for VLAN10.
Figure 10: Select the check box to make the interface a member of the VLAN
16. Click OK. This interface now appears as type VLAN in the list of interfaces.
17. Double-click Interface 4 and configure it to untag for VLAN10.
18. From the Interface Type drop-down list, select VLAN.
Note
You can only select one VLAN for untagged traffic. This option is not available if you choose a VLAN that has External specified as the zone. You cannot configure an interface to send and receive both tagged and untagged traffic when a VLAN is configured as an external zone.

Note
If you do not want computers connected to a Firebox interface to be part of a VLAN, then do not configure the interface to be of type VLAN. Instead, configure the interface to be of type Trusted or Optional.
19. At the bottom of the dialog box, select the Send and receive untagged traffic for selected VLAN check box. From the adjacent drop-down list, select VLAN10 (192.168.10.1/24).
Figure 11: Make Interface 4 an untagged switch port
20. Click OK and check your work.
The Interfaces tab should now look like this.
Figure 12: Firebox interfaces 3 and 4 now appear as type VLAN
The VLAN tab should look like this.
Figure 13: The VLAN interface used by interfaces 3 and 4
The VLAN settings list includes information about which interface tags and which interface untags
for a particular VLAN. It uses either boldface type or normal type for the numbers in the Interfaces
column:
- boldface type entries are Untag
- normal type entries are Tag.
21. Save this configuration to the Firebox.
Configure the Switch
Refer to the instructions from your switch manufacturer to configure your switch.
1. Configure the switch interface that connects the switch to the Firebox interface 3.
a. Disable Spanning Tree Protocol on any switch interface that connects to the device.
b. Configure this interface on Switch A to be a member of VLAN10.
c. Configure this interface to tag for VLAN10.
d. If necessary for your switch operating system, configure the switch mode to trunk.
e. If necessary for your switch operating system, set encapsulation mode to 802.1Q.

Note
Some switch manufacturers call an interface configured as in Step 1 either a trunk port or a trunk interface.

2. Configure the switch interfaces that connect computers to the switch.
3. Configure the other switch interfaces to be members of VLAN10 and to untag for VLAN10.
As a general rule, remember that the physical segment between this switch interface and the
device is a tagged data segment. Traffic that flows over this segment must use 802.1Q VLAN
tagging.
As a general rule, remember that the physical segments between each of the other switch
interfaces and the computers (or other networked devices) that connect to them are untagged
data segments. Traffic that flows over these segments does not have VLAN tags.
Physically Connect all Devices
1. Connect one end of an Ethernet cable to the Firebox interface 3.
2. Connect the other end of the Ethernet cable to the interface on the switch that you configured to tag for VLAN10 (to the VLAN trunk interface of the switch).
3. Connect a computer to one of the interfaces on the switch that you configured to untag for VLAN10.
4. If you configured VLAN10 to use the DHCP server, configure the computer’s network card to use DHCP to get an IP address automatically. See Step 9 on page 19.
5. If you did not configure the VLAN to use the DHCP server, configure the computer’s network card with an IP address in the VLAN subnet 192.168.10.x. Use subnet mask 255.255.255.0 and set the computer’s default gateway to the device VLAN IP address, 192.168.10.1.
6. Repeat these steps to connect a computer to device interface 4.
Test the Configuration
You should be able to send a ping from the computer connected to the switch to the computer
connected to device interface 4, and from the computer connected to device interface 4 to the
computer connected to the switch. The two computers can communicate as though they were
connected to the same physical LAN.
Exercise 3: One VLAN Bridged Across Two Device Interfaces (Alternate Configuration)
When to Use This Configuration
You might use a configuration like this if your organization is spread across multiple locations. For
example, suppose your network is on the first and second floors in the same building. Some of the
computers on the first floor are in the same functional group as some of the computers on the second
floor. You want to group these computers into one broadcast domain so that they can easily share
resources, such as a dedicated file server for their LAN, host-based shared files, printers, and other
network accessories.
You connect the computers on one floor to one VLAN switch, and connect that switch to a Firebox
interface. You connect the computers on the other floor to one VLAN switch, and connect that switch
to another Firebox interface. This puts all of the computers into one LAN.
One of the main benefits in this setup is cost savings: it is not necessary to connect another device to
combine the traffic from the two switches before it enters the device. The device combines the traffic,
and lets you apply strict security policies between the VLANs, the rest of your network, and untrusted
segments such as the Internet. This saves you the cost of a different device, such as a router or a layer 3 switch.
Network Topology
This exercise shows how to connect two 802.1Q switches, both of which send traffic from the same
VLAN, to two different Firebox interfaces. Figure 14 shows how computers are connected to
802.1Q switches, and how the switches are connected to the device. Two 802.1Q switches connected
to device interfaces 3 and 4 carry traffic from the same VLAN.
Figure 14: Network topology for Exercise 3
Note
If you have already completed the previous exercise, remove the VLANs and disable the VLAN
interface you configured in that exercise before you begin this one.
Configure the Device
1. From Policy Manager, select Network > Configuration.
2. Select the VLAN tab. The VLAN settings list is empty because you have not defined any VLANs.
3. Click Add and create a new VLAN. The New VLAN Configuration dialog box appears.
4. In the Name (Alias) text box, type a name for the VLAN. The name cannot contain spaces.
For this example, type VLAN10.
5. (Optional) In the Description text box, type a description of the VLAN.
For this example, type Accounting.
6. In the VLAN ID text box, select a number for the VLAN.
For this example, type 10.
7. From the Security Zone drop-down list, select the security zone for the VLAN.
For this example, select Trusted.
8. In the IP Address text box, type the IP address of the VLAN gateway.
For this example, type 192.168.10.1/24.
Any computer in this new VLAN must use this IP address as its default gateway.
9. (Optional) Configure DHCP for the new VLAN.
a. Select Use DHCP Server.
b. In the Address Pool section, click Add.
c. Type or select the Starting Address and the Ending Address.
For this example, type 192.168.10.10 for the Starting Address and 192.168.10.20 for the Ending Address.
d. Click OK.
The new address pool appears in the Address Pool list.
10. Click OK. The new VLAN appears.
Figure 15: The VLAN tab with new VLAN10
11. To make device Interfaces 3 and 4 members of the new VLAN, select the Interfaces tab.
12. Select Interface 3 and click Configure. Or, double-click the interface.
13. From the Interface Type drop-down list, select VLAN.
Note
Interface 3 will be a tagged VLAN interface because it connects to a VLAN switch that sends it traffic with VLAN tags.
14. Select Send and receive tagged traffic for selected VLANs.
15. In the Member column, select the check box for VLAN10.
Figure 16: Select the check box to make the interface a member of the VLAN
16. Click OK. This interface now appears as type VLAN in the list of interfaces.
17. Repeat Steps 11–16 for Interface 4 to make that interface a member of VLAN10.
18. Check your work.
The Interfaces tab should look like this:
Figure 17: Interfaces 3 and 4 are both type VLAN
Note
The numbers in the Interfaces column use normal type to indicate that these are tagged interfaces. If the interfaces are configured as untagged switch ports, the entry appears in bold type.
The VLAN tab should look like this:
Figure 18: The VLAN tab shows that interfaces 3 and 4 are members of VLAN10
19. Click Save to save this configuration to the device. Or, select File > Save > To Firebox.
Configure the Switches
Refer to the instructions from your switch manufacturer to configure your switch.
Switch A
1. Configure the switch interface that connects the switch to the Firebox interface 3.
a. Configure this interface on Switch A to be a member of VLAN10.
b. Configure this interface to send traffic with the VLAN10 tag.
c. If necessary, set the switch mode to trunk.
d. If necessary, set the encapsulation mode to 802.1Q.
Some switch