hit counter script

D-Link NetDefendOS User Manual page 196

Network security firewall
Hide thumbs Also See for NetDefendOS:
Table of Contents

Advertisement

VLANs are useful in several different scenarios. A typical application is to allow one Ethernet
interface to appear as many separate interfaces. This means that the number of physical Ethernet
interfaces on a NetDefend Firewall need not limit how many totally separated external networks
can be connected.
Another typical usage of VLANs is to group together clients in an organization so that the traffic
belonging to different groups is kept completely separate in different VLANs. Traffic can then
only flow between the different VLANs under the control of NetDefendOS and is filtered using
the security policies described by the NetDefendOS rule sets.
As explained in more detail below, VLAN configuration with NetDefendOS involves a
combination of VLAN trunks from the NetDefend Firewall to switches and these switches are
configured with port based VLANs on their interfaces. Any physical firewall interface can, at the
same time, carry both non-VLAN traffic as well VLAN trunk traffic for one or multiple VLANs.
VLAN Processing
NetDefendOS follows the IEEE 802.1Q specification. The specifies how VLAN functions by adding
a Virtual LAN Identifier (VLAN ID) to Ethernet frame headers which are part of a VLAN's traffic.
The VLAN ID is a number between 0 and 4095 which is used to identify the specific Virtual LAN to
which each frame belongs. With this mechanism, Ethernet frames can belong to different Virtual
LANs but can still share the same physical Ethernet link.
The following principles are followed when NetDefendOS processes VLAN tagged Ethernet
frames at a physical interface:
Ethernet frames received on a physical interface by NetDefendOS, are examined for a VLAN
ID. If a VLAN ID is found and a matching VLAN interface has been defined for that interface,
NetDefendOS will use the VLAN interface as the logical source interface for further rule set
processing.
If there is no VLAN ID attached to an Ethernet frame received on an interface then the source
of the frame is considered to be the physical interface and not a VLAN.
If VLAN tagged traffic is received on a physical interface and there is no VLAN defined for that
interface in the NetDefendOS configuration with a corresponding VLAN ID then that traffic is
dropped by NetDefendOS and an unknown_vlanid log message is generated.
The VLAN ID must be unique for a single NetDefendOS physical interface but the same VLAN
ID can be used on more than one physical interface. In other words, the same VLAN can span
many physical interfaces.
A physical interface does not need to be dedicated to VLANs and can carry a mixture of VLAN
and non-VLAN traffic.
Physical VLAN Connection with VLAN
The illustration below shows the connections for a typical NetDefendOS VLAN scenario.
196
Chapter 3: Fundamentals

Hide quick links:

Advertisement

Table of Contents
loading

Table of Contents