Network and Traffic Management v11.10.1


  • 8/16/2019 Network and Traffic Management v11!10!1

    1/202

    WatchGuard Certified Training

    Network and Traffic Management

    with Fireware

    Fireware and WatchGuard System Manager v11.10

    Revised: September 2015

    Updated for: Fireware v11.10.1


    TRAINING

    www.watchguard.com/training 

    [email protected]

    SUPPORT

    www.watchguard.com/support

    [email protected]

    U.S. and Canada +877.232.3531

    All Other Countries +1.206.613.0456

    ii WatchGuard Fireware Training

    Disclaimer

    Information in this guide is subject to change without notice. Companies, names, and data used in

    examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or

    transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express

    written permission of WatchGuard Technologies, Inc.

    Copyright and Patent Information

    Copyright© 2015 WatchGuard Technologies, Inc. All rights reserved.

    WatchGuard, Firebox, Fireware, LiveSecurity, and spamBlocker are either registered trademarks or

    trademarks of WatchGuard Technologies, Inc. in the United States and other countries. This product is

    covered by one or more pending patent applications.

    All other trademarks and tradenames are the property of their respective owners.

    Printed in the United States.


    Table of Contents

    Course Introduction ................................................................................................................ 1

    Training Overview .......................................................................................................... 1

    Necessary Equipment and Software ............................................................................ 1

    Classroom Network Configuration ................................................................................ 2

    Student Device IP Addresses ....................................................................................................... 2

    Instructor Device Network Configuration .................................................................................... 3

    Configuration Changes for the Instructor Device ....................................................................... 5

    (Optional) Set Up a Server to Host FTP and HTTP Downloads ................................................... 6

    VLANs ....................................................................................................................................... 7

    Introduction .................................................................................................................... 7

    What You Will Learn ...................................................................................................................... 7

    Exercises ....................................................................................................................................... 7

    What VLANs Can Do For You ........................................................................................................ 7

    Terms and Concepts You Should Know ....................................................................... 8

    VLAN Requirements and Recommendations .............................................................. 9

    Before You Begin ......................................................................................................... 10

    Firewall Configuration ................................................................................................................. 10

    Necessary Equipment and Services ......................................................................................... 10

    Configuring the VLAN Switch .................................................................................................... 11

    Exercise 1: Two VLANs on the Same Device Interface ................................................ 12

    When to Use this Configuration ................................................................................................ 12

    Network Topology ....................................................................................................................... 12

    Configure the Device ................................................................................................................. 13

    Configure the Switch ................................................................................................................. 15

    Physically Connect all Devices ................................................................................................... 16

    Test the Configuration ................................................................................................................ 16

    Exercise 2: One VLAN Bridged Across Two Device Interfaces .................................... 17

    When to Use this Configuration ................................................................................................. 17

    Network Topology ....................................................................................................................... 18

    Configure the Device ................................................................................................................. 18

    Configure the Switch ................................................................................................................. 21

    Physically Connect all Devices .................................................................................................. 21

    Test the Configuration ............................................................................................................... 21

    Exercise 3: One VLAN Bridged Across Two Device Interfaces (Alternate Configuration) ...... 22

    When to Use This Configuration ............................................................................................... 22

    Network Topology ....................................................................................................................... 22

    Configure the Device ................................................................................................................. 23

    Configure the Switches ............................................................................................................. 25

    Physically Connect All Devices .................................................................................................. 25

    Exercise 4: Two VLANs as External Interfaces on the Same Device .......................... 27

    When to Use this Configuration ................................................................................................. 27


    Network Topology ....................................................................................................................... 27

    Configure the Device ................................................................................................................. 28

    Configure the Switch ................................................................................................................. 30

    Physically Connect All Devices .................................................................................................. 30

    Test the Configuration ............................................................................................................... 30

    Using VLANs in Device Policies ................................................................................... 31

    Apply Firewall Policies to Intra-VLAN Traffic ............................................................................. 31

    Aliases ........................................................................................................................................ 31

    Exercise 5: Configure VLANs for Wireless Access Points ............................................ 33

    When to Use This Configuration ............................................................................................... 33

    Network Topology ....................................................................................................................... 33

    Frequently Asked Questions ....................................................................................... 38

    What You Have Learned .............................................................................................. 38

    Traffic Management ............................................................................................................. 39

    What You Will Learn ..................................................................................................... 39

    Control Bandwidth Use with Traffic Management Actions ........................................ 39

    Traffic Management Action Types ............................................................................................ 40

    Traffic Management in Policies ................................................................................................ 40

    Traffic Management in Application Control ............................................................................. 40

    Traffic Management Action Precedence .................................................................................. 40

    Monitoring Bandwidth Statistics ................................................................................................ 41

    Control Traffic Priority with QoS .................................................................................. 41

    About Interface QoS Settings ..................................................................................................... 41

     About Policy QoS Settings .......................................................................................................... 41

     About Traffic Priority ................................................................................................................... 41

     About Outgoing Interface Bandwidth ....................................................................................... 42

    Exercise 1: Use a Traffic Management Action to Guarantee Bandwidth ................... 43

    Enable Traffic Management and QoS ...................................................................................... 43

    Verify the OS Compatibility Setting ........................................................................................... 43

    Define Outgoing Interface Bandwidth ...................................................................................... 43

    Create a Traffic Management Action ....................................................................................... 44

    Modify Policy Configuration ....................................................................................................... 45

    Set Up Service Watch ................................................................................................................ 46

    See the Results of the Configuration ........................................................................................ 47

    Exercise 2: Use a Traffic Management Action to Limit Bandwidth ............................. 50

    Re-Define Outgoing Interface Bandwidth ................................................................................ 50

    Create a Traffic Management Action ....................................................................................... 51

    Modify Policy Configuration ....................................................................................................... 51

    See the Results of the Configuration ....................................................................................... 52

    Exercise 3: Use Traffic Management with Application Control ................................... 55

    Create two Traffic Management Actions .................................................................................. 55

    Configure Application Control ................................................................................................... 56

    Configure Application Control in Policies ................................................................................. 58

    Monitor the Traffic Management Actions in Firebox System Manager .................................. 59

    Exercise 4: Use QoS to Mark and Prioritize Traffic ...................................................... 61

    Before You Begin ....................................................................................................................... 61

    Enable Prioritization by QoS Marking on Interfaces ................................................................ 61

    Prioritize Traffic by Policy ........................................................................................................... 63

    See the Results of the Configuration ....................................................................................... 64

    What You Have Learned .............................................................................................. 65

    Link Aggregation ................................................................................................................... 67

    Introduction .................................................................................................................. 67


    What You Will Learn ................................................................................................................... 67

    Course Outline ........................................................................................................................... 67

    Terms and Concepts You Should Know ..................................................................... 67

    Link Aggregation ........................................................................................................................ 67

    Link Aggregation Group (LAG) .................................................................................................. 68

    Link Aggregation Interface ........................................................................................................ 68

    Link Aggregation Member Interface ........................................................................................ 68

    Link Aggregation Modes ........................................................................................................... 69

    Link Aggregation Interface Identifiers ...................................................................................... 69

    Link Aggregation with Other Networking Features .................................................... 70

    Exercise 1: Configure Active-Backup Link Aggregation ............................................... 71

    Network Topology ........................................................................................................................ 71

    Before You Begin ....................................................................................................................... 72

     Add the Link Aggregation Interface .......................................................................................... 72

     Add Member Interfaces .............................................................................................................. 74

    Connect the Switches ................................................................................................................ 75

    Monitor the Link Aggregation Interface .................................................................................... 76

    Exercise 2: Static and Dynamic Link Aggregation ....................................................... 78

    Topology ...................................................................................................................................... 78

    Before You Begin ....................................................................................................................... 78

    Add the Link Aggregation Interface .......................................................................................... 79

     Add Member Interfaces ............................................................................................................. 80

    Configure the Switch and Connect the Device to the Switch .................................................. 81

    Connect the Device to the Switch .............................................................................................. 81

    Monitor the Link Aggregation Interface ................................................................................... 82

    Use Dynamic Mode .................................................................................................................... 82

    Exercise 3: Use Link Aggregation with a VLAN ............................................................. 83

    Network Topology ....................................................................................................................... 83

    Before You Begin ....................................................................................................................... 83

    Configure the Device ................................................................................................................. 84

    Configure the Switch ................................................................................................................. 86

    Physically Connect all Devices .................................................................................................. 86

    What You Have Learned .............................................................................................. 87

    Multi-WAN Methods ............................................................................................................. 89

    Introduction .................................................................................................................. 89

    What You Will Learn ................................................................................................................... 89

    Exercises .................................................................................................................................... 89

    What Multi-WAN Can Do For You .............................................................................................. 89

    Terms and Concepts You Should Know ..................................................................... 90

    Outgoing Traffic and Multi-WAN ................................................................................................ 90

    Incoming Traffic ......................................................................................................................... 90

    IPSec VPN Traffic ....................................................................................................................... 90

    Equal-Cost Multi-Path Routing (ECMP) ..................................................................................... 90

    Sticky Connections ..................................................................................................................... 91

    Load Balancing Interface Group (LBIG) ................................................................................... 92

    Policy-Based Routing ................................................................................................................. 93

    Link Monitor Settings ................................................................................................................ 93

    Failover/Failback ....................................................................................................................... 94

    Fireware Multi-WAN Methods ..................................................................................... 96

    The Round-Robin Multi-WAN Method ......................................................................... 96

    When to Use It ............................................................................................................................ 96

    How It Works .............................................................................................................................. 96

    Calculate Weights for Round-robin ............................................................................................ 97


    How to Configure It .................................................................................................................... 98

    When an External Interface Fails .............................................................................................. 99

    The Failover Multi-WAN Method ............................................................................... 100

    When to Use It .......................................................................................................................... 100

    How It Works ............................................................................................................................ 100

    How to Configure It .................................................................................................................. 100

    When an External Interface Fails ............................................................................................ 100

    The Interface Overflow Multi-WAN Method .............................................................. 101

    When to Use It .......................................................................................................................... 101

    How It Works ............................................................................................................................ 101

    How to Configure It .................................................................................................................. 101

    When an External Interface Fails ............................................................................................ 101

    The Routing Table Multi-WAN Method ...................................................................... 102

    When to Use It .......................................................................................................................... 102

    How It Works ............................................................................................................................ 102

    How to Configure It .................................................................................................................. 102

    When an External Interface Fails ............................................................................................ 102

    Exercises — Before You Begin ................................................................................... 103

    Necessary Equipment and Services ....................................................................................... 103

    Management Computer Configuration ................................................................................... 103

    Firewall Configuration .............................................................................................................. 104

    Bandwidth Available at Each External Interface ................................................................... 104

    Physically Connecting your Devices ........................................................................................ 104

    Exercise 1: Demonstrate the Interface Overflow Multi-WAN Method and Sticky Connections ........ 105

    When to Use the Interface Overflow Method ......................................................................... 105

    Network Topology ..................................................................................................................... 105

    Configure the Device ............................................................................................................... 106

    Demonstrate It ......................................................................................................................... 110

    Exercise 2: Demonstrate the Failover Multi-WAN Method and Policy-Based Routing ........ 114

    When to Use the Failover Method ........................................................................................... 114

    Network Topology ..................................................................................................................... 114

    Configure the Device ............................................................................................................... 115

    Demonstrate It ......................................................................................................................... 119

    Exercise 3: Demonstrate Load Balancing with the Round Robin Multi-WAN Method ........ 120

    Configure the Device ............................................................................................................... 120

    Demonstrate It ......................................................................................................................... 121

    Appendix ..................................................................................................................... 122

    How Fireware Makes Multi-WAN Routing Decisions For Outbound Traffic .......................... 122

    Multi-WAN Routing Decision Flow Chart ................................................................................ 123

    What You Have Learned ............................................................................................ 125

    Routing ................................................................................................................................ 127

    Introduction ................................................................................................................ 127

    What You Will Learn ................................................................................................................. 127

    Terms and Concepts .................................................................................................. 128

    Route ........................................................................................................................................ 128

    Router ....................................................................................................................................... 128

    Route Table ................................................................................................................................ 128

    Route Metric ............................................................................................................................. 128

    Routing Protocol ....................................................................................................................... 129


    Convergence Time ................................................................................................................... 129

    Routing Types and Protocols ..................................................................................... 130

    Static vs. Dynamic Routing ..................................................................................................... 130

    Supported Dynamic Routing Protocols .................................................................................. 130

    Dynamic Routing Policies .......................................................................................... 132

    Network Link Types .................................................................................................... 133

    Asymmetrical Routes Cause Routing Inconsistency ............................................................. 135

    Routing and Branch Office VPNs .............................................................................. 136

    BOVPN Virtual Interface Routing Scenarios .......................................................................... 137

    Failover from a Dynamic Route to a Branch Office VPN ....................................................... 138

    Monitoring Tools ........................................................................................................ 139

    The Status Report .................................................................................................................... 139

    Set the Diagnostic Log Level ................................................................................................... 140

    Exercise 1: Configure Static Routing Over a Point-to-Point Link ............................... 142

     Add a Static Route to the Site A Device ................................................................................. 143

     Add a Static Route to the Site B Device ................................................................................. 144

    Review the Route Table ........................................................................................................... 145

    Test the Static Route ............................................................................................................... 146

    The Disadvantage of Using Only Static Routes ..................................................................... 147

    Exercise 2: Configure Dynamic Routing over a Point-to-Point Link .......................... 148

    Network Topology ..................................................................................................................... 148

    Remove the Static Routes ....................................................................................................... 148

    Configure Dynamic Routing with OSPF .................................................................................. 149

    Review the Route Table ........................................................................................................... 150

     Add a New Network at Site B .................................................................................................. 151

    Exercise 3: Configure Static Routing Over a Multi-Hop Link ..................................... 153

    Network Topology ..................................................................................................................... 153

    Before You Begin ..................................................................................................................... 153

    Configure the Peer Interfaces ................................................................................................. 154

    Configure Static Routes Between the Trusted Networks at Each Site ................................. 154

    Test the Static Route ............................................................................................................... 156

    Exercise 4: Dynamic Routing Over a Multi-Hop Link ................................................. 157

    Before You Begin ..................................................................................................................... 157

    Configure Static Routes Between the Peer Interfaces .......................................................... 158

    Configure Dynamic Routing with BGP .................................................................................... 161

    Review the Route Table ........................................................................................................... 162

    Test the Static Route ............................................................................................................... 162

    Troubleshooting ....................................................................................................................... 162

    What You Have Learned ............................................................................................ 163

    FireCluster .......................................................................................................................... 165

    Introduction ................................................................................................ 165

    What You Will Learn ................................................................................................. 165

    About FireCluster ....................................................................................................... 165

    Terms and Concepts You Should Know ................................................................... 166

    Cluster Member ....................................................................................................... 166

     Active/Active Cluster ................................................................................................................ 166

     Active/Passive Cluster ............................................................................................................. 166

    Load Balance Methods ........................................................................................................... 166

    Cluster ID .................................................................................................................................. 167

    Cluster Interface ...................................................................................................................... 167

    Cluster Interface IP Address .................................................................................................... 167

    Management Interface ............................................................................................................ 168


    About Failover ............................................................................................ 168

    Causes of FireCluster Failover ................................................................................. 168

    What Happens During a Failover ............................................................................................ 170

    Monitoring Tools ........................................................................................ 171

    Firebox System Manager ......................................................................................... 171

    Diagnostic Logging .................................................................................................................. 172

    FireCluster Requirements ......................................................................................... 173

    Hardware Requirements ......................................................................................... 173

    License Requirements ............................................................................................. 173

    Network Configuration Requirements .................................................................................... 173

    Switch and Router Requirements ............................................................................................ 174

    FireCluster Pre-Configuration Checklist .................................................................................. 175

    Exercise 1: Set Up an Active/Passive Cluster ............................................................ 176

    Configure the External Interface to Use a Static IP Address ................................................ 176

    Configure the Trusted Interface .............................................................................................. 177

    Disable Unused Network Interfaces ....................................................................................... 178

    Decide Which Interfaces and Interface Address to Use ....................................................... 179

    Connect the Cables .................................................................................................................. 179

    Run the FireCluster Setup Wizard ........................................................................................... 180

    Reset the Second Device to Factory-Default Settings ........................................................... 188

    Discover the Second Cluster Member .................................................................................... 189

    Exercise 2: Monitor Cluster Status ............................................................................. 190

    Monitor the Cluster .................................................................................................................. 190

    Monitor a Cluster Member ...................................................................................................... 191

    Exercise 3: Test FireCluster Failover .......................................................................... 192

    Force a Failover from Firebox System Manager .................................................................... 192

    Trigger a Failover Due to Link Status ...................................................................................... 192

    Use the Backup Cluster Interface ........................................................................................... 193

    Trigger a Failover Due to Power Failure .................................................................................. 193

    Test Failover with Network Traffic ........................................................................................... 193

    Use Leave/Join in Firebox System Manager .......................................................................... 193

    What You Have Learned ............................................................................................ 193


    Course Introduction

    Network and Traffic Management with Fireware

     This training is for:

    * The exercises in this course require Fireware with a Pro upgrade, which is included with most device models. For some 5 Series models (505, 510, 520, 530), you can purchase the Fireware Pro upgrade for your device.

    Training Overview

    About Side Notes

    Side notes are extra information that is not necessary to understand the training. They might be configuration or troubleshooting tips, or extra technical information.

    The Network and Traffic Management with Fireware course covers these topics:

    • VLANs

    • Traffic Management and QoS

    • Link Aggregation

    • Multi-WAN

    • Routing

    • FireCluster

     This course assumes that you have completed the Fireware Essentials course and that you know how to

    set up and configure basic networking features. This Course Introduction describes the software,

    hardware, and network environment required to complete the exercises in this training courseware.

    Necessary Equipment and Software

    Because this course includes networking exercises, the training environment must include the

    following network equipment in order to support all of the exercises in this course.

    • One Firebox for each student (do not use Firebox T10 and XTM 2 Series models)

    • One WatchGuard Firebox configured by the instructor as the default gateway

    • Fireware v11.10 or higher installed on each Firebox

    • One Windows computer per student, with WatchGuard System Manager v11.10 or later installed

    • Three network hubs or switches, each with enough interfaces for the instructor and all of the student Firebox devices to connect.

    - One switch is the primary external network for the student devices

    - One switch is the secondary external network (WAN2) for the student devices in the Multi-WAN exercises

    - One switch is used for the multi-hop link in the Routing exercises

    • Two managed switches with 802.1Q and 802.3ad support per student, for VLAN and Link

    Aggregation exercises. Or students can pair up for these exercises.

    • FTP Server (optional for some exercises)

    Devices: WatchGuard XTM 330 or higher

    Device OS versions: Fireware® v11.10*

    Management software versions: WatchGuard® System Manager v11.10


    Classroom Network Configuration

    The exercises in this course use RFC 5737 documentation IP addresses to represent public network IP addresses. The exercises in this training assume the following network configuration:

    Figure 1:  Training network configuration

    Student Device IP Addresses

    Students may be assigned a number (10,20,30,etc.) to identify the last IP address octet for their external

    addresses, or their third octet for internal addresses in relation to their devices. This allows for similar

    configuration among devices and prevents IP address conflicts and subnet overlap.

     The student devices are configured with these addresses, where X  is the student number:

    • Eth0 – External (WAN1) — 203.0.113.X/24, Default Gateway 203.0.113.1

    • Eth1 – Trusted — 10.0.X.1/24

    • Eth2 – Optional — 172.16.X.1/24

    • Eth3 – External or VLAN — Configuration varies by exercise

    • Eth4, Eth5 – Link Aggregation — Configured in Link Aggregation exercises only

     The student number is also used in the FireCluster exercises as the cluster ID. We recommend that you

    assign student numbers in increments of at least 10, so the cluster ID does not create a virtual MAC

    address conflict between multiple FireClusters.

    In the exercises, your external interface and trusted interface IP addresses are determined by your

    student number. Replace the X in the exercises with your student number.


    Instructor Device Network Configuration

    Several interfaces on the instructor Firebox must be configured to support the exercises in this course.

     The instructor device acts as the default gateway for the primary student external network,

    203.0.113.0/24. For the Multi-WAN exercises that require a second external network, we use

    198.51.100.0/24 (also an RFC 5737 range). The instructor device acts as the default gateway for both of these networks.

    You must also configure a DNS server, in the Network > Configuration > WINS/DNS tab, to allow DNS to operate from the training environment. For DNS to function for students, the student Firebox devices and computers must also be configured to use the DNS server.

     The instructor Firebox is configured with these addresses:

    • Eth0 (External) — Use appropriate addressing for a training environment with an Internet connection.

    • Eth1 (Trusted) — 203.0.113.1/24 — The default gateway for the primary external interface on student devices.

    • Eth2 (VLAN) — Send and receive untagged traffic for VLAN10. Also used as the default gateway for the secondary external interface on student devices when a second WAN interface is configured.

    • Eth3 (VLAN) — Send and receive tagged traffic for VLAN10 and VLAN20. Used when students configure a VLAN with an external interface.

    • Eth4 (Trusted) — 172.16.10.1/30 as the primary IP address, and 172.16.X.1/30 as secondary addresses for the optional networks on each student device. Used to simulate a multi-hop link for some dynamic routing exercises.

    Figure 2: Instructor Firebox network interfaces configuration


     The instructor device must have 2 VLANs configured:

    • VLAN10 – Trusted — 198.51.100.1/24, ID:10 — Untagged eth2, tagged eth3

    • VLAN20 – Trusted — 192.0.2.1/24, ID:20 — Tagged eth3

    Figure 3: Instructor Firebox VLAN configuration

     The instructor device must have addresses defined on eth4 for the optional networks for all student

    devices. These are used for the multi-hop dynamic routing exercises.

    • Primary (for the Optional network of student 10) — 172.16.10.1/30

    • Secondary (for the Optional networks of students 20 and higher) — 172.16.X.1/30

    Figure 4: Secondary IP addresses for Eth4 on the instructor device, for a total of 8 students


    Configuration Changes for the Instructor Device

     To make the training network functional for these exercises, the instructor must make three more

    configuration changes to the instructor Firebox.

    1. Create an Any policy to allow traffic between the trusted interfaces.

    Figure 5: Any policy configuration for the instructor Firebox

    2. To enable access to the Internet, update the settings in Network > NAT > Dynamic NAT to add a dynamic NAT entry for Any-Trusted – Any-External.

    Or, you can add dynamic NAT rules from RFC 5737 addresses to Any-External (for example, add a dynamic NAT rule for 203.0.113.0/24 – Any-External).

    Figure 6: NAT configuration for the instructor Firebox


    3. To configure the instructor Firebox to simulate a multi-hop link for the routing exercises, you must add a static route to the trusted network on each student device. The gateway (next hop) for each route is the IP address of the optional interface on that student device, which lies on the primary or secondary 172.16.X.0/30 network defined for Eth4 on the instructor device.

    Figure 7: Static route configuration for the instructor Firebox for a class with 8 students.
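    The route table that step 3 produces, as an added example in Python (not WatchGuard configuration) that generalizes the step to any set of student numbers: it builds one 10.0.X.0/24 route per student, resolves a destination with a longest-prefix match against the connected /30 peer links and the static routes, and checks that no two table entries overlap. It assumes the student side of each 172.16.X.0/30 peer link is .2; the page fixes only the instructor side at .1.

```python
"""Static routes for the simulated multi-hop link on the instructor Firebox.

Added example, not WatchGuard code. Assumption (not stated on the page):
the student's optional interface is .2 on its 172.16.X.0/30 peer link;
the instructor's Eth4 owns .1, as the page says.
"""
import ipaddress

INSTRUCTOR_HOST = 1   # instructor Eth4 is 172.16.X.1/30 for every student X (from the page)
STUDENT_HOST = 2      # assumption: the student optional interface is 172.16.X.2/30


def peer_link(x):
    """The /30 point-to-point network between the instructor and student X."""
    return ipaddress.ip_network(f"172.16.{x}.0/30")


def student_static_routes(student_numbers):
    """One (destination, next hop) pair per student: 10.0.X.0/24 via the student side of the /30."""
    routes = []
    for x in student_numbers:
        link = peer_link(x)
        gw = link[STUDENT_HOST]
        if gw == link[INSTRUCTOR_HOST]:
            raise ValueError("next hop must be the student's address, not the instructor's own")
        routes.append((ipaddress.ip_network(f"10.0.{x}.0/24"), gw))
    return routes


def route_table(student_numbers):
    """Connected /30 links plus the static /24 routes, most-specific prefix first."""
    table = [(peer_link(x), ("connected", peer_link(x)[INSTRUCTOR_HOST]))
             for x in student_numbers]
    table += [(dest, ("static", gw)) for dest, gw in student_static_routes(student_numbers)]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def lookup(table, destination):
    """Longest-prefix match: the first (most specific) entry containing the address wins."""
    addr = ipaddress.ip_address(destination)
    for network, action in table:
        if addr in network:
            return action
    return None   # no route: the instructor Firebox has nowhere to send the packet


def overlapping(table):
    """Pairs of table networks that overlap; the student-number scheme should give none."""
    nets = [net for net, _ in table]
    return [(a, b) for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]


if __name__ == "__main__":
    table = route_table([10, 20, 30])
    for dest, (kind, hop) in table:
        print(f"{str(dest):18} {kind:9} {hop}")
    print(lookup(table, "10.0.20.7"))      # ('static', IPv4Address('172.16.20.2'))
    print(overlapping(table))              # []
```

    Running it prints the table for three students; the check worth keeping is the overlap test, since a student number reused for two devices produces a duplicate /24 and /30 that the Firebox would accept as two routes to the same place.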

    (Optional) Set Up a Server to Host FTP and HTTP Downloads

    Several of the exercises in this courseware require that the students download a file from an FTP server

    or browse to a web site to observe the results of a configuration change. If your training environment

    does not have Internet access, you can use the subsequent steps to help you build an FTP server and a

    Web server on an existing Windows 2003 Server on your network, that students can use for the

    exercises.

    1. Connect the server's network card to the same hub or switch that connects the device external interface to the Internet router.

    Usually, you would connect your device directly to the LAN interface of your Internet router. For

    this exercise, you must use a hub or switch to connect the Windows 2003 Server to the external

    network of the device.

    2. Set up the FTP server.

    For more information, see this Microsoft article: http://support.microsoft.com/kb/323384.

    3. Create a 350 MB text file named 350mbfile.txt and save it in the ftproot folder. The default location for this folder is c:\inetpub\ftproot.

    To create a file in Windows, at the Command Prompt, type the fsutil command:

    fsutil file createnew c:\inetpub\ftproot\350mbfile.txt 358400000

    4. Set up the web server on your Windows 2003 Server.

    For more information, see this Microsoft article: http://support.microsoft.com/kb/324742

    5. Copy the 350mbfile.txt file from the C:\inetpub\ftproot to the C:\inetpub\wwwroot 

    directory.


    VLANs

    Four Ways to Configure VLANs on a Firebox

    Introduction

    A virtual local area network (VLAN) is a collection of computers on a LAN or LANs that are grouped

    together in a single broadcast domain independent of their physical location. A VLAN allows you to

    group devices according to function or traffic patterns instead of location or IP address. Members of a

    VLAN can share resources as if they were connected to the same LAN.

    What You Will Learn

    This course explains the concept of a VLAN and describes several different VLAN technologies that are in use today. You will learn everything necessary to successfully deploy VLANs with your Firebox. We will present four typical use cases with VLANs, and you will configure the Firebox for each of these situations.

    Exercises

     The exercises demonstrate situations in which you would use different VLAN configurations, a

    simplified view of the network topology for each setup, and step-by-step procedures for how to

    configure each setup. The exercises include:

    You can also use VLANs with link aggregation. An exercise for that configuration is included in the link aggregation section of this training.

    • Two VLANs on the same Firebox interface

    • One VLAN bridged across two Firebox interfaces

    • One VLAN bridged across two Firebox interfaces (alternate configuration)

    • Two VLANs as External Interfaces on the same Firebox

    • Three VLANs for two SSIDs on an AP device

     The course concludes with frequently asked questions about how to configure firewall policies to

    restrict incoming and outgoing access on VLAN interfaces, or to allow or deny traffic between different

    VLANs.

    What VLANs Can Do For You

    VLANs provide three main benefits:

    • Increased performance by confining broadcasts.

    Each computer you add to a LAN increases the amount of background (broadcast) traffic, which can reduce performance. With VLANs, you can restrict this traffic and reduce the amount of bandwidth used by your network.

    • Improved manageability and simplified network tuning.

    When you consolidate common resources into a VLAN, you reduce the number of routing hops

    needed for those devices to communicate. You can also manage traffic from each functional group

    more easily when each group uses a different VLAN.


    • Increased security options.

    By default, members of one VLAN cannot see the traffic from another VLAN. You can apply separate

    security policies to VLANs. By contrast, a secondary network on a Firebox interface gives no

    additional security because there is no separation of traffic. The Firebox does not filter traffic

    between the primary network of an interface and a secondary network on that interface. It

    automatically routes traffic between primary and secondary networks on the same physical

    interface with no access restrictions.

    Terms and Concepts You Should Know

    VLAN trunk interface

     The physical interface (switch interface or device interface) that connects a VLAN device to another

    VLAN device. Some vendors use this term only for a switch interface that carries traffic for more than

    one VLAN. We use this as a general term to indicate an Ethernet interface on a VLAN-capable device

    that connects the device to another VLAN-capable device.

    VLAN ID (VID)

    A number from 1 to 4094 associated with the VLAN. Every VLAN you use has a unique number.

    Tag

    This term has two meanings: one for the verb usage, and one for the noun usage.

    [noun] Information that is added to the header of an Ethernet frame. The format of the tag is defined

    by the IEEE 802.1Q standard.

    [verb] To add a VLAN tag to a data frame’s Ethernet header. The tag is added by an 802.1Q-compliant

    device such as an 802.1Q switch or router, or the Firebox.

    Because the physical segment between two 802.1Q devices normally carries only tagged data

    packets, we call it the tagged data segment .

    Untag

     To remove a VLAN tag from a frame’s Ethernet header. When an 802.1Q device sends data to a

    network device that cannot understand 802.1Q VLAN tags, the device untags the data frames.

    Because the physical segment between a VLAN device and a device that cannot understand VLAN

    tags normally carries only untagged data packets, we call it the untagged data segment .

    Tagging and untagging per interface

    When you assign VLAN membership for an Ethernet interface on an 802.1Q device, you also tell the

    interface whether to send and accept tagged or untagged data frames. Some VLAN devices allow

    one Ethernet interface to accept both tagged and untagged frames. This depends on which VLANs

    the interface is a member of.

    When you configure a Firebox Ethernet interface for VLAN, the interface will accept both tagged

    and untagged data frames, but only for VLANs in the trusted, optional, and custom security zones.

    For an external VLAN a device VLAN interface will accept only tagged data frames.

    Use these two rules to decide whether to configure a switch interface for Tag or Untag:

    - If the interface connects to a device that can receive and understand 802.1Q VLAN tags, configure the switch interface for Tag. Devices you connect to this interface are usually VLAN switches (managed switches) or routers.

    - If the interface connects to a device that cannot receive and understand 802.1Q VLAN tags, configure the switch interface for Untag. (Such devices will likely strip the VLAN tag from the Ethernet header, or drop the frame altogether.) Devices you connect to this interface are usually computers or printers.


    Switches

    When you configure a Firebox Ethernet interface for VLAN, the switches that you connect to the

    device interface must be able to use VLAN tags as defined in IEEE 802.1Q. A switch of this type is

    commonly called a managed switch or an 802.1Q switch.

    Types of VLANs

    VLANs can use different parameters to assign membership:

     - 802.1Q VLANs (used by the Firebox)

     The Institute of Electrical and Electronic Engineers (IEEE) publishes the 802.1Q standard to

    define the format of VLAN tags. This standard lets you use VLANs with any vendors’

    equipment that conforms to 802.1Q standards.

     - MAC address-based VLANs use the physical address on a computer’s network interface card

    to put it in the correct logical group.

     - VLANs based on multicast groups put computers into VLANs based on whether the

    computer has subscribed to a particular multicast group.

     - Protocol-based VLANs put computers into VLANs based on the communication protocol

    each uses (such as IP, IPX, DECnet, or AppleTalk).

    VLAN Requirements and Recommendations

     To use a VLAN with a Firebox:

    • If your Firebox is configured in drop-in mode, you cannot use VLANs.

    • If your Firebox is configured in bridged mode you cannot configure VLANs on the device.

    - The device in bridge mode can pass VLAN tagged traffic between 802.1Q bridges or

    switches.

    - You can configure a device in bridge mode to be managed from a VLAN that has a specified

    VLAN tag.

    • Each VLAN interface can send and receive untagged traffic for only one trusted or optional VLAN. For example, if a VLAN interface is configured to send and receive untagged traffic for VLAN-10, it cannot also send and receive untagged traffic for any other VLAN at the same time (it can still carry tagged traffic for other VLANs). Also, a VLAN interface cannot be configured to send and receive untagged traffic for an external VLAN.

    • Multi-WAN configuration settings are applied to VLAN traffic. However, it can be easier to manage

    bandwidth when you use only physical interfaces in a multi-WAN configuration.

    • Your device model and license control the number of VLANs you can create. To see the number of VLANs you can add to your Firebox, open Policy Manager and select Setup > Feature Keys. Find the row labeled Total number of VLAN interfaces.

    • We recommend that you do not create more than 10 VLANs that operate on external interfaces.

     Too many VLANs on external interfaces affect performance.

    • All network segments you want to add to a VLAN must have IP addresses on the VLAN network.


    Before You Begin

    Before you begin the exercises, you must:

    1. Make sure the switches that connect to the Firebox do not use Spanning Tree Protocol. Disable this protocol for any switch interface that connects to a device Ethernet interface.

    2. Know how to configure your VLAN switch. You should be familiar with how to configure your VLAN

    switch. Consult the documentation from the device manufacturer for help.

    Firewall Configuration

    If your Firebox is not yet configured, run the Quick Setup Wizard first to configure it.

    • Use the Routed mode for the Quick Setup Wizard. (You cannot use VLANs with Drop-in mode or

    Bridge mode.) The Quick Setup Wizard with Routed mode has these defaults:

    - The external Interface 0 is configured and enabled with static IP address 203.0.113.X/24. Replace X in the external IP address with the student number your instructor gives you.

    - The trusted Interface 1 is configured and enabled with IP address 10.0.X.1/24. Replace X in the trusted IP address with the student number your instructor gives you.

     - All of the other interfaces are set to Disabled.

     - There are five policies in Policy Manager: FTP, Ping, WatchGuard WebUI, WatchGuard, and

    Outgoing.

    • The trusted interface (Interface 1) is not a member of any VLAN in any of the exercises.

    • The management computer is connected directly to the trusted interface with an Ethernet cable.

    Make sure your management computer has an IP address in the same subnet as the trusted

    interface, with the correct subnet mask. Make sure the default gateway for the computer is the

    trusted interface IP address.

    Necessary Equipment and Services

    • Management computer 

    Use a computer with WSM version 11.10 or higher software installed to configure the Firebox. This

    computer is connected to the device trusted interface in all exercises.

    • Two additional computers 

     To test traffic flow with the VLANs you send traffic between two computers. Each computer is

    connected to a VLAN switch or to the Firebox itself, depending on the exercise.

    You can also use the management computer for one of the two computers to test traffic flow

    between VLANs.

    • WatchGuard Firebox with Fireware v11.10 or higher

    In the exercises, we assume that you ran the Quick Setup Wizard to configure the Firebox and you

    selected Routed mode (not Drop-in or Bridge mode).

    • 802.1Q VLAN switches

    - One switch for Exercises 1 and 2

    - Two switches for Exercises 3 and 4

    - One switch for Exercise 5

    • Ethernet cables 

    At a minimum, to complete all the exercises you must have:

     - Six Ethernet cables — To interconnect the devices altogether.


    Configuring the VLAN Switch

    Each physical interface on a VLAN switch is generally classified as one of two types:

    • VLAN Access port 

    A switch interface of this type removes VLAN tags from data frames before it sends them to the

    device attached to it. The interface also adds a VLAN tag to untagged frames it gets from the

    connected device.

    You connect computers, printers, and other networked devices to this type of interface.

    Configure this type of switch interface for untag mode.

    • VLAN Trunk port 

    A switch interface of this type preserves any VLAN tags in the data frames it receives. It also

    preserves VLAN tags when it sends tagged data frames to the device attached to it.

    You connect other VLAN-capable devices such as VLAN switches and routers to this type of

    interface. You also connect this type of interface to a Firebox interface configured to accept tagged

    data frames.

    Configure this type of switch interface for tag mode.

    Select the VLAN ID Numbers

    By default, each interface on most new, unconfigured switches belongs to VLAN number 1. Because

    this VLAN exists on every interface of most switches by default, the possibility exists that this VLAN can

    accidentally span the entire network, or at least very large portions of it.

    We recommend you use a VLAN ID number other than 1 for any VLAN that passes traffic to the Firebox.

    About the PVID

    Some switch manufacturers require you to assign a Port VLAN ID (PVID) to each interface. The PVID

    number determines the VLAN ID number that the switch adds to the untagged packets it gets from

    devices connected to the interface. If you do not configure a PVID for an interface, it is possible that the

    switch can tag the data packets it gets on that interface with the default VLAN ID of 1. This is the case even if you configure the interface to untag for a different VLAN ID number.

    When you change the PVID setting on a switch interface to a PVID number that matches a VLAN

    number, the switch adds a VLAN tag for that VLAN to untagged packets it receives on this interface. If

    your switch uses PVID numbers, be sure to configure each switch interface that connects a computer to

    use the correct PVID number.
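    The tag and untag operations from the Terms and Concepts section, and the access/trunk port and PVID behaviour described above, as an added example in Python (constructed frames; not WatchGuard code). tag() inserts an 802.1Q header after the source MAC and untag() removes it; SwitchPort models an access (untag) port that classifies untagged frames by PVID and strips tags on egress, and a trunk (tag) port that preserves them. The port names and MAC addresses are made up. The last case in the demo is the PVID problem from the paragraph above: a port set to untag for VLAN 10 but left at the default PVID of 1 puts the PC's frames into VLAN 1, so the trunk to the Firebox never carries them.

```python
"""802.1Q tag/untag and a minimal VLAN switch-port model.

Added example with constructed frames; not WatchGuard code.
"""
import struct

ETHERTYPE_8021Q = 0x8100   # TPID that marks an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def is_valid_vid(vid):
    """VIDs 0 and 4095 are reserved; a usable VLAN ID is 1..4094."""
    return 1 <= vid <= 4094


def parse_frame(frame):
    """Return (dst, src, vid, ethertype, payload); vid is None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype != ETHERTYPE_8021Q:
        return dst, src, None, etype, frame[14:]
    if len(frame) < 18:
        raise ValueError("802.1Q header truncated")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return dst, src, tci & 0x0FFF, inner, frame[18:]   # low 12 bits of TCI = VID


def tag(frame, vid, pcp=0):
    """Insert one 802.1Q tag after the source MAC (the [verb] sense of 'tag')."""
    if not is_valid_vid(vid):
        raise ValueError(f"VID {vid} is not in 1..4094")
    dst, src, cur, etype, payload = parse_frame(frame)
    if cur is not None:
        raise ValueError("frame already carries a tag")
    tci = ((pcp & 0x7) << 13) | vid   # 3-bit priority, DEI=0, 12-bit VID
    return dst + src + struct.pack("!HHH", ETHERTYPE_8021Q, tci, etype) + payload


def untag(frame):
    """Strip the 802.1Q tag; an untagged frame is returned unchanged."""
    dst, src, vid, etype, payload = parse_frame(frame)
    if vid is None:
        return frame
    return dst + src + struct.pack("!H", etype) + payload


class SwitchPort:
    """Access ports untag on the way out and classify by PVID on the way in;
    trunk ports preserve tags. PVID defaults to 1, as on most unconfigured switches."""

    def __init__(self, name, mode, vids, pvid=1):
        if mode not in ("access", "trunk"):
            raise ValueError("mode must be 'access' or 'trunk'")
        self.name, self.mode, self.vids, self.pvid = name, mode, set(vids), pvid

    def ingress(self, frame):
        """Frame from the attached device -> tagged frame inside the switch, or None if dropped."""
        vid = parse_frame(frame)[2]
        if vid is None:
            return tag(frame, self.pvid)        # untagged: the PVID decides the VLAN
        if self.mode == "access":
            return None                         # end-device ports do not accept tagged frames
        return frame if vid in self.vids else None

    def egress(self, frame):
        """Tagged frame inside the switch -> what the attached device receives, or None."""
        vid = parse_frame(frame)[2]
        if vid not in self.vids:
            return None                         # this port is not a member of that VLAN
        return untag(frame) if self.mode == "access" else frame


def forward(frame, in_port, out_port):
    """One hop through the switch: ingress classification, then egress membership check."""
    inner = in_port.ingress(frame)
    return None if inner is None else out_port.egress(inner)


# Constructed sample: a PC on VLAN 10 sends a plain (untagged) IPv4 frame.
PC_FRAME = (bytes.fromhex("020000000001") + bytes.fromhex("020000000002")
            + struct.pack("!H", ETHERTYPE_IPV4) + b"\x45\x00\x00\x14" + bytes(16))

if __name__ == "__main__":
    uplink = SwitchPort("g24", "trunk", {10, 20})        # to the Firebox, tag mode
    good = SwitchPort("g1", "access", {10}, pvid=10)    # untag for VLAN 10, PVID set
    unset = SwitchPort("g2", "access", {10})            # untag for VLAN 10, PVID left at 1
    print("correct PVID ->", parse_frame(forward(PC_FRAME, good, uplink))[2])   # 10
    print("PVID left at 1 ->", forward(PC_FRAME, unset, uplink))               # None
```

    The check this encodes for a real deployment: on the switch, confirm that the PVID of each access port equals the VLAN it untags for, and that the Firebox-facing port is a tagged member of every VLAN the Firebox must see; a frame that is classified into VLAN 1 is not dropped with an error, it is silently delivered to the wrong broadcast domain.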


    Exercise 1: Two VLANs on the Same Device Interface

    When to Use this Configuration

    A Firebox interface is a member of more than one VLAN when the switch that connects to that

    interface carries traffic from more than one VLAN.

    You use multiple VLANs on one Firebox interface when you want to split a device interface into multiple broadcast domains or multiple security zones. When you separate the traffic from different functional groups before it enters the device interface, you get two major benefits:

    • Broadcast traffic is confined within each VLAN, which reduces congestion.

    • You can make access policies to allow limited traffic or no traffic between the VLANs. You also

    control access from each VLAN to other parts of your network and to the Internet.

    Compare the second benefit to the situation when you configure a Firebox interface as a physical

    interface (instead of as a VLAN) with a secondary network also configured on the interface: The device

    does not filter traffic between the primary network of an interface and a secondary network on that

    interface. The primary network is not protected from a secondary network on that interface.

    Network Topology

     This exercise shows how to connect one switch that carries traffic from two different VLANs to one

    Firebox interface. In the subsequent diagram, the computers are connected to the 802.1Q switch, and

    the switch is connected to Firebox interface 3. The switch carries traffic from two different VLANs.

    Figure 1: Network topology for Exercise 1


    Configure the Device

    1. From Policy Manager, select Network > Configuration. The Network Configuration dialog box appears.

    2. Select the VLAN tab.

    Figure 2: VLAN tab of Network Configuration dialog box

    3. Click Add and create a new VLAN.

4. In the Name (Alias) text box, type a name for the VLAN. The name cannot contain spaces. For this example, type VLAN10.

5. (Optional) In the Description text box, type a description. For this example, type Accounting.

6. In the VLAN ID text box, type or select a number for the VLAN. For this example, select 10.

Security zones correspond to aliases for interface security zones. For example, VLANs of type "Trusted" are handled by policies that use the alias "Any-Trusted" as a source or destination. VLANs can be defined as Trusted, Optional, or Custom.

7. From the Security Zone drop-down list, select the security zone for the VLAN. For this example, select Trusted.

8. In the IP Address text box, type the IP address of the VLAN gateway. For this example, type 192.168.10.1/24. Any computer in this new VLAN must use this IP address as its default gateway.

9. (Optional) Configure DHCP for the new VLAN.

a. Select Use DHCP Server.

    b. In the Address Pool section, click Add.

    c. Type or select the Starting Address and the Ending Address.

    For this example, type 192.168.10.10 for the Starting Address and 192.168.10.20 for

    the Ending Address.

    d. Click OK.

     The new address pool appears in the Address Pool list.

    10. Click OK. The new VLAN appears.

    Figure 3: VLAN tab with new VLAN10

    11. Click Add and create another new VLAN.

12. In the Name (Alias) text box, type a name for the VLAN. The name cannot contain spaces. For this example, type VLAN20.


13. (Optional) In the Description text box, type a description. For this example, type Sales.

14. In the VLAN ID text box, type or select a number for the VLAN. For this example, select 20.

15. From the Security Zone drop-down list, select the security zone for the VLAN. For this example, select Optional.

16. In the IP Address text box, type the IP address of the VLAN gateway. For this example, type 192.168.20.1/24. Any computer in this new VLAN must use this IP address as its default gateway.

17. (Optional) Configure DHCP for the new VLAN.

a. Select Use DHCP Server.

    b. In the Address Pool section, click Add.

    c. Type or select the Starting Address and the Ending Address.

    For this example, type 192.168.20.10 for the Starting Address and 192.168.20.20 for

    the Ending Address.

    d. Click OK.

     The new address pool appears in the Address Pool box.

18. Click OK. Both VLANs now appear.

Figure 4: Two new VLANs: VLAN10 and VLAN20

19. Select the Interfaces tab.

20. Select Interface 3 and click Configure.

21. From the Interface Type drop-down list, select VLAN.

Because you cannot add a secondary network to a VLAN interface, the Secondary tab remains unavailable here. You can add secondary networks to each of the VLAN members. To do this, edit the VLAN members in the VLAN tab.

     The Interface Type Configuration section appears on the IPv4 tab. Both new VLANs appear in the list.

    22. Select Send and receive tagged traffic for selected VLANs.

    23. In the Member column, select the check boxes for VLAN10 and VLAN20.

    Figure 5:  The Member column shows which VLANs the interface is a member of.

    24. Click OK. This interface now appears as type VLAN in the list of interfaces.


    25. Check your work.

     The Interfaces tab should look like this.

    Figure 6: Firebox Interface 3 is now type VLAN

     The VLAN tab should look like this.

    Figure 7: VLAN tab after the VLANs are defined

26. Save this configuration to the device: click the Save icon, or select File > Save > To Firebox.

    Configure the Switch

    Refer to the instructions from your switch manufacturer to configure your switch.

As a general rule, remember that the physical segment between this switch interface and the Firebox is a tagged data segment. Traffic that flows over this segment must use 802.1Q VLAN tagging. Some switch manufacturers refer to a switch interface that is configured like Step 2 as a trunk port or trunk interface.

1. Add two VLANs to the 802.1Q switch configuration. Set the VLAN ID numbers for these VLANs to 10 and 20.

2. Configure the switch interface that connects the switch to the device interface 3.

a. Disable Spanning Tree Protocol on any switch interface that connects to the device.

b. Configure this interface on the switch to be a member of both VLANs 10 and 20.

c. Configure this interface to tag for both VLANs.

d. If necessary for your switch operating system, configure the switch mode to trunk.

e. If necessary for your switch operating system, set encapsulation mode to 802.1Q.

3. Configure the switch interfaces that connect computers in VLAN10 to the switch.

a. Configure each switch interface that will connect a computer in VLAN10 to be a member of VLAN10.

b. Configure these interfaces to untag for VLAN10.

4. Configure the switch interfaces that connect computers in VLAN20 to the switch.

a. Any switch interface that will connect a computer in VLAN20 must be a member of VLAN20.

b. Configure these interfaces to untag for VLAN20.


As a general rule, remember that the physical segment between a switch interface and a computer (or other networked device) that connects to it is an untagged data segment. Traffic that flows over this segment does not have VLAN tags.

Most switches sold today have interfaces that can auto-sense MDI/MDI-X for the Ethernet connection. When the interface senses a physical link, it automatically configures itself to be a normal or uplink interface. If you do not get link lights on the Ethernet interfaces with one type of Ethernet cable (straight-through or crossover), try the other type of Ethernet cable.

    Physically Connect all Devices

1. Connect one end of an Ethernet cable to the device interface 3.

2. Connect the other end of the Ethernet cable to the interface on the switch that you configured to tag for VLANs 10 and 20 (to the VLAN trunk interface of the switch).

3. Connect a computer to one of the interfaces on the switch that you configured to untag for VLAN10.

4. If you configured VLAN10 to use the DHCP server, configure the computer's network card to use DHCP to get an IP address automatically. For more information, see Step 9 under Configure the Device above.

5. If you did not configure the VLAN to use the DHCP server, configure the computer's network card with an IP address in the VLAN subnet 192.168.10.x. Use subnet mask 255.255.255.0 and set the computer's default gateway to the device VLAN IP address, 192.168.10.1.

6. Repeat Steps 3–5 to connect a computer to a switch interface that you configured to untag for VLAN20, using the VLAN20 subnet 192.168.20.x and gateway 192.168.20.1.

    Test the Configuration

    From the computer in VLAN10, you should be able to ping the computer in VLAN20, as well as ping the

    VLAN10 computer from the VLAN20 computer. The two computers can ping each other because the

    default settings of the Ping policy allow Any-Trusted and Any-Optional to send ICMP echo requests to

    Any.

    No other traffic is allowed between the two VLANs unless there is a policy that specifically allows it. The

    basic configuration loaded by the Quick Setup Wizard does not allow any other traffic between the

    VLANs.
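The policy behaviour this test relies on, and the secondary-network comparison made under When to Use this Configuration, as an added example that is not WatchGuard code: a first-match model of zone-alias policies. It shows why the ping crosses between VLAN10 and VLAN20 (the Ping policy's Any-Trusted and Any-Optional sources cover both VLANs) while any other VLAN-to-VLAN flow reaches the default deny, and contrasts that with a primary and secondary network on one plain physical interface, which the text says the device does not filter. The network table, the policy rows, the "Unhandled" catch-all standing in for the implicit default deny, and first-match evaluation are this example's simplification; Fireware's real policy precedence rules are more involved.

```python
"""First-match model of zone-alias policies between VLANs (added example, not Fireware code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed network model. The "vlan" entries are the Exercise 1 VLAN members of
# interface 3; the "primary"/"secondary" entries model a plain Trusted interface 5
# with a secondary network, the alternative the text compares against.
NETWORKS = {
    "VLAN10":   {"zone": "Trusted",  "interface": 3, "kind": "vlan"},
    "VLAN20":   {"zone": "Optional", "interface": 3, "kind": "vlan"},
    "eth5-pri": {"zone": "Trusted",  "interface": 5, "kind": "primary"},
    "eth5-sec": {"zone": "Trusted",  "interface": 5, "kind": "secondary"},
}

# Built-in aliases resolve to every network whose security zone matches.
ALIASES = {
    "Any":          lambda n: True,
    "Any-Trusted":  lambda n: n["zone"] == "Trusted",
    "Any-Optional": lambda n: n["zone"] == "Optional",
    "Any-External": lambda n: n["zone"] == "External",
}


@dataclass
class Policy:
    name: str
    src: List[str]          # aliases or explicit network names
    dst: List[str]
    proto: str              # "icmp", "tcp", "udp" or "any"
    ports: Optional[set]    # None = any port
    action: str             # "allow" or "deny"


# The default Ping policy as the exercise describes it, followed by an explicit
# catch-all that stands in for the implicit default deny.
DEFAULT_POLICIES = [
    Policy("Ping", ["Any-Trusted", "Any-Optional"], ["Any"], "icmp", None, "allow"),
    Policy("Unhandled", ["Any"], ["Any"], "any", None, "deny"),
]


def selects(selector: List[str], net_name: str) -> bool:
    """True if any alias or explicit name in the selector covers the network."""
    net = NETWORKS[net_name]
    return any(s == net_name or (s in ALIASES and ALIASES[s](net)) for s in selector)


def evaluate(src: str, dst: str, proto: str, port: Optional[int] = None,
             policies: List[Policy] = DEFAULT_POLICIES) -> Tuple[str, str]:
    """Return (policy name, action) for a flow from network src to network dst."""
    s, d = NETWORKS[src], NETWORKS[dst]
    # Primary and secondary network on the same physical, non-VLAN interface:
    # per the text, the device does not filter between them at all.
    if s["interface"] == d["interface"] and "vlan" not in (s["kind"], d["kind"]):
        return "same-interface", "unfiltered"
    for p in policies:
        if not (selects(p.src, src) and selects(p.dst, dst)):
            continue
        if p.proto != "any" and p.proto != proto:
            continue
        if p.ports is not None and port not in p.ports:
            continue
        return p.name, p.action
    return "default", "deny"


def allowed_flows(src: str, dst: str, flows, policies: List[Policy] = DEFAULT_POLICIES):
    """Reduce a list of (proto, port) flows to those some policy allows."""
    return [f for f in flows if evaluate(src, dst, f[0], f[1], policies)[1] == "allow"]
```

Prepending a narrower policy, for example `Policy("Accounting-to-Sales-SMB", ["VLAN10"], ["VLAN20"], "tcp", {445}, "allow")`, opens exactly that flow in one direction and leaves the reverse direction on the default deny, which is the per-VLAN control the exercise is setting up.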


    Exercise 2: One VLAN Bridged Across Two Device Interfaces

    When to Use this Configuration

     The primary benefit of this configuration is the ability to bridge a VLAN between computers connected

    to a VLAN switch and computers directly connected to the Firebox. A typical network topology is this:

• You have a relatively large number of computers connected by way of a VLAN switch to one device interface.

    • You have a single computer (or a small group of computers) that must share the same resources as

    the first group, but it is physically separated from the first group.

    • It is more convenient or cost-effective to connect the smaller group directly to the device.

     To solve the challenge of putting all these computers into one logical group, you configure the Firebox

    with a VLAN that bridges two device interfaces:

    • One device interface tags for the VLAN.

     This interface connects, by way of an Ethernet cable, to the VLAN switch that links the majority of

    the computers in this logical group.

• The other device interface untags for the VLAN.

This interface has a direct Ethernet connection to one computer (or a small group of computers) in

    the logical group. This second connection can be a shared media connection such as a hub

    connected to the interface, or a single computer connected to the interface with a crossover

    Ethernet cable.

    With this configuration, all the computers can easily share resources, and their broadcasts are confined

    to the VLAN.


    Network Topology

The untagged Firebox interface in Figure 8 (Interface 4, with one computer connected) operates in much the same way as an untagged switch port on a VLAN switch.

     This exercise shows how to connect a switch to one Firebox interface, and computers to another

    Firebox interface. Figure 8 shows that the computers connected to the switch and to device interface 4

    are in the same VLAN.

    Figure 8: Network topology for Exercise 2

    Note

    If you have already completed the previous exercise, remove the VLANs and disable the VLAN

    interface you configured in that exercise before you begin this one.

    Configure the Device

    1. From Policy Manager, select Network > Configuration.

    2. Select the VLAN tab.

    3. Click Add and create a new VLAN. The New VLAN Configuration dialog box appears.

4. In the Name (Alias) text box, type a name for the VLAN. The name cannot contain spaces. For this example, type VLAN10.

5. (Optional) In the Description text box, type a description of the VLAN. For this example, type Accounting.

6. In the VLAN ID text box, type or select a number for the VLAN. For this example, select 10.

7. From the Security Zone drop-down list, select the security zone for the VLAN. For this example, select Trusted.


8. In the IP Address text box, type the IP address of the VLAN gateway. For this example, type 192.168.10.1/24. Any computer in this new VLAN must use this IP address as its default gateway.

9. (Optional) Configure DHCP for the new VLAN.

a. Select Use DHCP Server.

    b. In the Address Pool section, click Add.

    c. Type or select the Starting Address and the Ending Address.

For this example, type 192.168.10.10 for the Starting Address and 192.168.10.20 for the Ending Address.

    d. Click OK.

     The new address pool appears in the Address Pool list.

The Interfaces column is blank for a new VLAN because no Firebox interfaces have been assigned to it yet. You assign the VLAN to Firebox interfaces in the next steps.

    10. Click OK. The new VLAN is added.

    Figure 9: VLAN10 on the VLAN tab

    11.  To make device Interfaces 3 and 4 members of the new VLAN, select the Interfaces tab.

    12. Select Interface 3 and click Configure.

13. From the Interface Type drop-down list, select VLAN.

You configure interface 3 to handle tagged VLAN traffic, because it connects to a VLAN switch that sends it traffic with VLAN tags.

    14. Select Send and receive tagged traffic for selected VLANs.

    15. In the Member column, select the check box for VLAN10.

    Figure 10: Select the check box to make the interface a member of the VLAN

    16. Click OK. This interface now appears as type VLAN in the list of interfaces.

    17. Double-click Interface 4 and configure it to untag for VLAN10.

    18. From the Interface Type drop-down list, select VLAN.


You can only select one VLAN for untagged traffic. This option is not available if you choose a VLAN that has External specified as the zone. You cannot configure an interface to send and receive both tagged and untagged traffic when a VLAN is configured as an external zone.

If you do not want computers connected to a Firebox interface to be part of a VLAN, then do not configure the interface to be of type VLAN. Instead, configure the interface to be of type Trusted or Optional.

19. At the bottom of the dialog box, select the Send and receive untagged traffic for selected VLAN check box. From the adjacent drop-down list, select VLAN10 (192.168.10.1/24).

Figure 11: Make Interface 4 an untagged switch port

20. Click OK and check your work.

     The Interfaces tab should now look like this.

    Figure 12: Firebox interfaces 3 and 4 now appear as type VLAN

     The VLAN tab should look like this.

    Figure 13:  The VLAN interface used by interfaces 3 and 4

     The VLAN settings list includes information about which interface tags and which interface untags

    for a particular VLAN. It uses either boldface type or normal type for the numbers in the Interfaces

    column:

    - boldface type entries are Untag

     - normal type entries are Tag.

    21. Save this configuration to the Firebox.
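A pre-save check for the VLAN settings entered in Exercise 1 (two VLANs tagged on interface 3) and here in Exercise 2 (VLAN10 tagged on interface 3 and untagged on interface 4), as an added example that is not WatchGuard code: a validator over a plain dictionary description of the configuration. It encodes the constraints the exercises state (alias without spaces, avoid VLAN ID 1, no secondary network on a VLAN interface, at most one untagged VLAN per interface, no untagged External VLAN, a VLAN that belongs to no interface) plus the obvious address sanity checks (gateway inside its own subnet, DHCP pool inside the gateway subnet and not covering the gateway). The dictionary layout, the `ZONES` set and the two sample configurations are this example's own constructions.

```python
"""Sanity checks for a Firebox-style VLAN configuration (added example, not WatchGuard code)."""
import ipaddress
from typing import Dict, List

ZONES = {"Trusted", "Optional", "External", "Custom"}  # assumed set of zone names


def check_vlan(v: dict) -> List[str]:
    """Return the problems found in one VLAN definition."""
    problems = []
    name, vid = v["name"], v["id"]
    if " " in name:
        problems.append(f"{name!r}: alias must not contain spaces")
    if not 1 <= vid <= 4094:
        problems.append(f"{name}: VLAN ID {vid} outside 1-4094")
    elif vid == 1:
        problems.append(f"{name}: VLAN ID 1 is the common switch default; "
                        "untagged ingress on a port without a PVID lands here")
    if v.get("zone") not in ZONES:
        problems.append(f"{name}: unknown security zone {v.get('zone')!r}")
    try:
        gw = ipaddress.ip_interface(v["gateway"])
    except ValueError:
        problems.append(f"{name}: gateway {v['gateway']!r} is not a valid address/prefix")
        return problems
    if gw.ip in (gw.network.network_address, gw.network.broadcast_address):
        problems.append(f"{name}: gateway {gw.ip} is the network or broadcast address")
    for start_s, end_s in v.get("dhcp_pools", []):
        start, end = ipaddress.ip_address(start_s), ipaddress.ip_address(end_s)
        if start > end:
            problems.append(f"{name}: DHCP pool {start_s}-{end_s} is reversed")
        if start not in gw.network or end not in gw.network:
            problems.append(f"{name}: DHCP pool {start_s}-{end_s} outside {gw.network}")
        elif start <= gw.ip <= end:
            problems.append(f"{name}: DHCP pool {start_s}-{end_s} includes the gateway")
    return problems


def check_interface(name: str, cfg: dict, vlans: Dict[str, dict]) -> List[str]:
    """Return the problems found in one interface of type VLAN."""
    problems = []
    tagged, untagged = list(cfg.get("tagged", [])), list(cfg.get("untagged", []))
    if len(untagged) > 1:
        problems.append(f"{name}: only one VLAN can be untagged, got {untagged}")
    for alias in untagged:
        if vlans.get(alias, {}).get("zone") == "External":
            problems.append(f"{name}: External VLAN {alias} cannot be untagged")
    for alias in tagged + untagged:
        if alias not in vlans:
            problems.append(f"{name}: references undefined VLAN {alias}")
    if cfg.get("secondary"):
        problems.append(f"{name}: secondary networks are not allowed on a VLAN interface")
    if not tagged and not untagged:
        problems.append(f"{name}: VLAN interface with no member VLANs")
    return problems


def validate(config: dict) -> List[str]:
    """Validate a whole configuration; an empty list means nothing was found."""
    vlans = {v["name"]: v for v in config["vlans"]}
    problems, seen_ids, assigned = [], {}, set()
    for v in config["vlans"]:
        problems += check_vlan(v)
        if v["id"] in seen_ids:
            problems.append(f"{v['name']}: VLAN ID {v['id']} already used by {seen_ids[v['id']]}")
        seen_ids.setdefault(v["id"], v["name"])
    for name, cfg in config["interfaces"].items():
        problems += check_interface(name, cfg, vlans)
        assigned |= set(cfg.get("tagged", [])) | set(cfg.get("untagged", []))
    for alias in vlans:
        if alias not in assigned:
            problems.append(f"{alias}: not assigned to any interface")
    return problems


# Constructed configuration matching Exercise 1: two VLANs tagged on interface 3.
EXERCISE1 = {
    "vlans": [
        {"name": "VLAN10", "id": 10, "zone": "Trusted", "gateway": "192.168.10.1/24",
         "dhcp_pools": [("192.168.10.10", "192.168.10.20")]},
        {"name": "VLAN20", "id": 20, "zone": "Optional", "gateway": "192.168.20.1/24",
         "dhcp_pools": [("192.168.20.10", "192.168.20.20")]},
    ],
    "interfaces": {"eth3": {"tagged": ["VLAN10", "VLAN20"]}},
}

# Constructed configuration matching Exercise 2: VLAN10 tagged on 3, untagged on 4.
EXERCISE2 = {
    "vlans": [EXERCISE1["vlans"][0]],
    "interfaces": {"eth3": {"tagged": ["VLAN10"]}, "eth4": {"untagged": ["VLAN10"]}},
}
```

`validate(EXERCISE1)` and `validate(EXERCISE2)` both return an empty list; feeding in a VLAN named with a space, ID 1, an External zone untagged on an interface, or a DHCP pool from another subnet returns one message per violation, so the check can run before the configuration is saved to the Firebox.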


    Configure the Switch

    Refer to the instructions from your switch manufacturer to configure your switch.

1. Configure the switch interface that connects the switch to the Firebox interface 3.

a. Disable Spanning Tree Protocol on any switch interface that connects to the device.

b. Configure this interface on Switch A to be a member of VLAN10.

c. Configure this interface to tag for VLAN10.

d. If necessary for your switch operating system, configure the switch mode to trunk.

e. If necessary for your switch operating system, set encapsulation mode to 802.1Q.

Some switch manufacturers call an interface configured this way either a trunk port or a trunk interface.

2. Configure the other switch interfaces, the ones that connect computers to the switch, to be members of VLAN10 and to untag for VLAN10.

    As a general rule, remember that the physical segment between this switch interface and the

    device is a tagged  data segment. Traffic that flows over this segment must use 802.1Q VLAN

    tagging.

    As a general rule, remember that the physical segments between each of the other switch

    interfaces and the computers (or other networked devices) that connect to them are untagged  

    data segments. Traffic that flows over these segments does not have VLAN tags.

    Physically Connect all Devices

1. Connect one end of an Ethernet cable to the Firebox interface 3.

2. Connect the other end of the Ethernet cable to the interface on the switch that you configured to tag for VLAN10 (to the VLAN trunk interface of the switch).

3. Connect a computer to one of the interfaces on the switch that you configured to untag for VLAN10.

4. If you configured VLAN10 to use the DHCP server, configure the computer's network card to use DHCP to get an IP address automatically. See Step 9 under Configure the Device above.

5. If you did not configure the VLAN to use the DHCP server, configure the computer's network card with an IP address in the VLAN subnet 192.168.10.x. Use subnet mask 255.255.255.0 and set the computer's default gateway to the device VLAN IP address 192.168.10.1.

6. Repeat Steps 4–5 for a computer connected directly to device interface 4.

    Test the Configuration

    You should be able to send a ping from the computer connected to the switch to the computer

    connected to device interface 4, and from the computer connected to device interface 4 to the

    computer connected to the switch. The two computers can communicate as though they were

    connected to the same physical LAN.


Exercise 3: One VLAN Bridged Across Two Device Interfaces (Alternate Configuration)

    When to Use This Configuration

    You might use a configuration like this if your organization is spread across multiple locations. For

    example, suppose your network is on the first and second floors in the same building. Some of the

    computers on the first floor are in the same functional group as some of the computers on the second

    floor. You want to group these computers into one broadcast domain so that they can easily share

    resources, such as a dedicated file server for their LAN, host-based shared files, printers, and other

    network accessories.

    You connect the computers on one floor to one VLAN switch, and connect that switch to a Firebox

    interface. You connect the computers on the other floor to one VLAN switch, and connect that switch

    to another Firebox interface. This puts all of the computers into one LAN.

    One of the main benefits in this setup is cost savings: it is not necessary to connect another device to

    combine the traffic from the two switches before it enters the device. The device combines the traffic,

    and lets you apply strict security policies between the VLANs, the rest of your network, and untrusted

segments such as the Internet. This saves you the cost of a different device, such as a router or a layer 3 switch.

    Network Topology

     This exercise shows how to connect two 802.1Q switches, both of which send traffic from the same

VLAN, to two different Firebox interfaces. The subsequent diagram shows how computers are connected to

    802.1Q switches, and how the switches are connected to the device. Two 802.1Q switches connected

    to device interfaces 3 and 4 carry traffic from the same VLAN.

    Figure 14: Network topology for Exercise 3


    Note

    If you have already completed the previous exercise, remove the VLANs and disable the VLAN

    interface you configured in that exercise before you begin this one.

    Configure the Device

    1. From Policy Manager, select Network > Configuration.

2. Select the VLAN tab. The VLAN settings list is empty because you have not defined any VLANs.

3. Click Add and create a new VLAN. The New VLAN Configuration dialog box appears.

4. In the Name (Alias) text box, type a name for the VLAN. The name cannot contain spaces. For this example, type VLAN10.

5. (Optional) In the Description text box, type a description of the VLAN. For this example, type Accounting.

6. In the VLAN ID text box, type or select a number for the VLAN. For this example, select 10.

7. From the Security Zone drop-down list, select the security zone for the VLAN. For this example, select Trusted.

8. In the IP Address text box, type the IP address of the VLAN gateway. For this example, type 192.168.10.1/24. Any computer in this new VLAN must use this IP address as its default gateway.

9. (Optional) Configure DHCP for the new VLAN.

a. Select Use DHCP Server.

    9. (Optional) Configure DHCP for the new VLAN.a. Select Use DHCP Server.

    b. In the Address Pool section, click Add.

    c. Type or select the Starting Address and the Ending Address.

For this example, type 192.168.10.10 for the Starting Address and 192.168.10.20 for the Ending Address.

    d. Click OK.

     The new address pool appears in the Address Pool list.

    10. Click OK. The new VLAN appears.

    Figure 15:  The VLAN tab with new VLAN10

    11.  To make device Interfaces 3 and 4 members of the new VLAN, select the Interfaces tab.

12. Select Interface 3 and click Configure. Or, double-click the interface.

    13. From the Interface Type drop-down list, select VLAN.


Interface 3 will be a tagged VLAN interface because it connects to a VLAN switch that sends it traffic with VLAN tags.

    14. Select Send and receive tagged traffic for selected VLANs.

    15. In the Member column, select the check box for VLAN10.

    Figure 16: Select the check box to make the interface a member of the VLAN

    16. Click OK. This interface now appears as type VLAN in the list of interfaces.

    17. Repeat Steps 11–16 for Interface 4 to make that interface a member of VLAN10.

    18. Check your work.

The Interfaces tab should look like this:

    Figure 17: Interfaces 3 and 4 are both type VLAN

The numbers in the Interfaces column use normal type to indicate that these are tagged interfaces. If the interfaces are configured as untagged switch ports, the entry appears in bold type.

The VLAN tab should look like this:

    Figure 18:  The VLAN tab shows that interfaces 3 and 4 are members of VLAN10

19. Save this configuration to the device: click the Save icon, or select File > Save > To Firebox.


    Configure the Switches

    Refer to the instructions from your switch manufacturer to configure your switch.

    Switch A

1. Configure the switch interface that connects the switch to the Firebox interface 3.

a. Configure this interface on Switch A to be a member of VLAN10.

b. Configure this interface to send traffic with the VLAN10 tag.

c. If necessary, set the switch mode to trunk.

d. If necessary, set the encapsulation mode to 802.1Q.

    Some switch