8/10/2019 Network and Traffic Management v11!9!3
1/198
TRAINING
www.watchguard.com/training
SUPPORT
www.watchguard.com/support
U.S. and Canada +877.232.3531
All Other Countries +1.206.613.0456
ii WatchGuard Fireware Training
Disclaimer
Information in this guide is subject to change without notice. Companies, names, and data used in
examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or
transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express
written permission of WatchGuard Technologies, Inc.
Copyright and Patent Information
Copyright 2014 WatchGuard Technologies, Inc. All rights reserved.
WatchGuard, Firebox, Fireware, LiveSecurity, and spamBlocker are either registered trademarks or
trademarks of WatchGuard Technologies, Inc. in the United States and other countries. This product is
covered by one or more pending patent applications.
All other trademarks and tradenames are the property of their respective owners.
Printed in the United States.
Network Topology ....................................................................................................................... 27
Configure the Device ................................................................................................................. 28
Configure the Switch ................................................................................................................. 30
Physically Connect All Devices .................................................................................................. 30
Test the Configuration ............................................................................................................... 30
Using VLANs in Device Policies ................................................................................... 31
Apply Firewall Policies to Intra-VLAN Traffic ............................................................................. 31
Aliases ........................................................................................................................................ 31
Exercise 5: Configure VLANs for Wireless Access Points ............................................ 33
When to Use This Configuration ............................................................................................... 33
Network Topology ....................................................................................................................... 33
Frequently Asked Questions ....................................................................................... 38
What You Have Learned .............................................................................................. 38
Traffic Management ............................................................................................................. 39
What You Will Learn ..................................................................................................... 39
Control Bandwidth Use with Traffic Management Actions ........................................ 39
Traffic Management Action Types ............................................................................................ 40
Traffic Management in Policies ................................................................................................ 40
Traffic Management in Application Control ............................................................................. 40
Traffic Management Action Precedence .................................................................................. 40
Monitoring Bandwidth Statistics ................................................................................................ 41
Control Traffic Priority with QoS .................................................................................. 41
About Interface QoS Settings ..................................................................................................... 41
About Policy QoS Settings .......................................................................................................... 41
About Traffic Priority ................................................................................................................... 41
About Outgoing Interface Bandwidth ....................................................................................... 42
Exercise 1: Use a Traffic Management Action to Guarantee Bandwidth ................... 43
Enable Traffic Management and QoS ...................................................................................... 43
Verify the OS Compatibility Setting ........................................................................................... 43
Define Outgoing Interface Bandwidth ...................................................................................... 43
Create a Traffic Management Action ....................................................................................... 44
Modify Policy Configuration ....................................................................................................... 45
Set Up Service Watch ................................................................................................................ 46
See the Results of the Configuration ........................................................................................ 47
Exercise 2: Use a Traffic Management Action to Limit Bandwidth ............................. 50
Re-Define Outgoing Interface Bandwidth ................................................................................ 50
Create a Traffic Management Action ....................................................................................... 51
Modify Policy Configuration ....................................................................................................... 51
See the Results of the Configuration ....................................................................................... 52
Exercise 3: Use Traffic Management with Application Control ................................... 55
Create two Traffic Management Actions .................................................................................. 55
Configure Application Control ................................................................................................... 56
Configure Application Control in Policies ................................................................................. 58
Monitor the Traffic Management Actions in Firebox System Manager .................................. 59
Exercise 4: Use QoS to Mark and Prioritize Traffic ...................................................... 61
Before You Begin ....................................................................................................................... 61
Enable Prioritization by QoS Marking on Interfaces ................................................................ 61
Prioritize Traffic by Policy ........................................................................................................... 63
See the Results of the Configuration ....................................................................................... 64
What You Have Learned .............................................................................................. 65
Link Aggregation ................................................................................................................... 67
Introduction .................................................................................................................. 67
What You Will Learn ................................................................................................................... 67
Course Outline ........................................................................................................................... 67
Terms and Concepts You Should Know ..................................................................... 67
Link Aggregation ........................................................................................................................ 67
Link Aggregation Group (LAG) .................................................................................................. 68
Link Aggregation Interface ........................................................................................................ 68
Link Aggregation Member Interface ........................................................................................ 68
Link Aggregation Modes ........................................................................................................... 69
Link Aggregation Interface Identifiers ...................................................................................... 69
Link Aggregation with Other Networking Features .................................................... 70
Exercise 1: Configure Active-Backup Link Aggregation ............................................... 71
Network Topology ........................................................................................................................ 71
Before You Begin ....................................................................................................................... 72
Add the Link Aggregation Interface .......................................................................................... 72
Add Member Interfaces .............................................................................................................. 74
Connect the Switches ................................................................................................................ 75
Monitor the Link Aggregation Interface .................................................................................... 76
Exercise 2: Static and Dynamic Link Aggregation ....................................................... 78
Topology ...................................................................................................................................... 78
Before You Begin ....................................................................................................................... 78
Add the Link Aggregation Interface .......................................................................................... 79
Add Member Interfaces ............................................................................................................. 80
Configure the Switch and Connect the Device to the Switch .................................................. 81
Connect the Device to the Switch .............................................................................................. 81
Monitor the Link Aggregation Interface ................................................................................... 82
Use Dynamic Mode .................................................................................................................... 82
Exercise 3: Use Link Aggregation with a VLAN ............................................................. 83
Network Topology ....................................................................................................................... 83
Before You Begin ....................................................................................................................... 83
Configure the Device ................................................................................................................. 84
Configure the Switch ................................................................................................................. 86
Physically Connect All Devices .................................................................................................. 86
What You Have Learned .............................................................................................. 87
Multi-WAN Methods ............................................................................................................. 89
Introduction .................................................................................................................. 89
What You Will Learn ................................................................................................................... 89
Exercises .................................................................................................................................... 89
What Multi-WAN Can Do For You .............................................................................................. 89
Terms and Concepts You Should Know ..................................................................... 90
Outgoing Traffic and Multi-WAN ................................................................................................ 90
Incoming Traffic ......................................................................................................................... 90
IPSec VPN Traffic ....................................................................................................................... 90
Equal-Cost Multi-Path Routing (ECMP) ..................................................................................... 90
Sticky Connections ..................................................................................................................... 91
Load Balancing Interface Group (LBIG) .................................................................................... 91
Policy-Based Routing ................................................................................................................. 92
Link Monitor Settings ................................................................................................................ 92
Failover/Failback ....................................................................................................................... 93
The Round-Robin Multi-WAN Method ......................................................................... 94
When to Use It ............................................................................................................................ 94
How It Works .............................................................................................................................. 94
Calculate Weights for Round-robin ........................................................................................... 95
How to Configure It .................................................................................................................... 96
When an External Interface Fails ............................................................................................... 97
The Failover Multi-WAN Method ................................................................................. 98
When to Use It ............................................................................................................................ 98
How It Works .............................................................................................................................. 98
How to Configure It .................................................................................................................... 98
When an External Interface Fails .............................................................................................. 98
The Interface Overflow Multi-WAN Method ................................................................ 99
When to Use It ............................................................................................................................ 99
How It Works .............................................................................................................................. 99
How to Configure It .................................................................................................................... 99
When an External Interface Fails .............................................................................................. 99
The Routing Table Multi-WAN Method ...................................................................... 100
When to Use It .......................................................................................................................... 100
How It Works ............................................................................................................................ 100
How to Configure It .................................................................................................................. 100
When an External Interface Fails ............................................................................................ 100
Before You Begin ....................................................................................................... 101
Necessary Equipment and Services ....................................................................................... 101
Management Computer Configuration ................................................................................... 101
Firewall Configuration .............................................................................................................. 102
Bandwidth Available at Each External Interface ................................................................... 102
Physically Connecting your Devices ........................................................................................ 102
Exercise 1: Demonstrate the Interface Overflow Multi-WAN Method and Sticky Connections .................................................................................................................. 103
When to Use the Interface Overflow Method ......................................................................... 103
Network Topology ..................................................................................................................... 103
Configure the Device ............................................................................................................... 104
Demonstrate It ......................................................................................................................... 108
Exercise 2: Demonstrate the Failover Multi-WAN Method and Policy-Based Routing ........ 112
When to Use the Failover Method ........................................................................................... 112
Network Topology ..................................................................................................................... 112
Configure the Device ............................................................................................................... 113
Demonstrate It ......................................................................................................................... 117
Exercise 3: Demonstrate Load Balancing with the Round Robin Multi-WAN Method ........ 118
Configure the Device ............................................................................................................... 118
Demonstrate It ......................................................................................................................... 119
Frequently Asked Questions ..................................................................................... 120
Appendix ..................................................................................................................... 121
How Fireware XTM Makes Multi-WAN Routing Decisions For Outbound Traffic ................. 121
Multi-WAN Routing Decision Flow Chart ................................................................................ 122
What You Have Learned ............................................................................................ 124
Routing ................................................................................................................................ 125
Introduction ................................................................................................................ 125
What You Will Learn ................................................................................................................. 125
Terms and Concepts You Should Know .................................................................... 126
Route ........................................................................................................................................ 126
Router ....................................................................................................................................... 126
Routing Table ........................................................................................................................... 126
Route Metric ............................................................................................................................. 126
Routing Protocol ....................................................................................................................... 126
Convergence Time ................................................................................................................... 127
Decide Which Type of Routing to Use ...................................................................... 128
Static vs. Dynamic Routing ..................................................................................................... 128
Supported Dynamic Routing Protocols .................................................................................. 128
Dynamic Routing Policies .......................................................................................... 130
Network Link Types .................................................................................................... 131
A Common Cause of Routing Inconsistency .......................................................................... 133
Routing and Branch Office VPNs .............................................................................. 134
BOVPN Virtual Interface Routing Scenarios .......................................................................... 135
Failover from a Dynamic Route to a VPN that is not a BOVPN Virtual Interface ................. 136
Monitoring Tools ........................................................................................................ 137
The Status Report .................................................................................................................... 137
Diagnostic Logging .................................................................................................................. 138
Exercise 1: Configure Static Routing Over a Point-to-Point Link ............................... 139
Add a Static Route to the Site A Device ................................................................................. 140
Add a Static Route to the Site B Device ................................................................................. 141
Review the Routing Tables ...................................................................................................... 142
Test the Static Route ............................................................................................................... 143
The Disadvantage of Using Only Static Routes ..................................................................... 144
Exercise 2: Configure Dynamic Routing over a Point-to-Point Link .......................... 145
Network Topology ..................................................................................................................... 145
Remove the Static Routes ....................................................................................................... 145
Configure Dynamic Routing with OSPF .................................................................................. 146
Review the Routing Table ........................................................................................................ 147
Add a New Network at Site B .................................................................................................. 148
Exercise 3: Configure Static Routing Over a Multi-Hop Link ..................................... 150
Network Topology ..................................................................................................................... 150
Before You Begin ..................................................................................................................... 150
Configure the Peer Interfaces ................................................................................................. 151
Configure Static Routes Between the Trusted Networks at Each Site ................................. 151
Test the Static Route ............................................................................................................... 153
Exercise 4: Dynamic Routing Over a Multi-Hop Link ................................................. 154
Before You Begin ..................................................................................................................... 154
Configure Static Routes Between the Peer Interfaces .......................................................... 155
Configure Dynamic Routing with BGP .................................................................................... 158
Review the Routing Table ........................................................................................................ 159
Test the Static Route ............................................................................................................... 159
What You Have Learned ............................................................................................ 159
FireCluster .......................................................................................................................... 161
Introduction ................................................................................................................ 161
What You Will Learn ................................................................................................................. 161
About FireCluster ....................................................................................................... 161
Terms and Concepts You Should Know ................................................................... 162
Cluster Member ....................................................................................................................... 162
Active/Active Cluster ................................................................................................................ 162
Active/Passive Cluster ............................................................................................................. 162
Load Balance Methods ........................................................................................................... 162
Cluster ID .................................................................................................................................. 163
Cluster Interface ...................................................................................................................... 163
Cluster Interface IP Address .................................................................................................... 163
Management Interface ............................................................................................................ 164
About Failover ............................................................................................................ 164
Causes of FireCluster Failover ................................................................................................. 164
What Happens During a Failover ............................................................................................ 166
Monitoring Tools ........................................................................................................ 167
Firebox System Manager ......................................................................................................... 167
Diagnostic Logging .................................................................................................................. 168
FireCluster Requirements ......................................................................................... 169
Hardware Requirements ......................................................................................................... 169
License Requirements ............................................................................................................. 169
Network Configuration Requirements .................................................................................... 169
Switch and Router Requirements ........................................................................................... 170
FireCluster Pre-Configuration Checklist .................................................................................. 171
Exercise 1: Set Up an Active/Passive Cluster ............................................................ 172
Configure the External Interface to Use a Static IP Address ................................................ 172
Configure the Trusted Interface .............................................................................................. 173
Disable Unused Network Interfaces ........................................................................................ 174
Decide Which Interfaces and Interface Address to Use ....................................................... 175
Connect the Cables .................................................................................................................. 176
Run the FireCluster Setup Wizard ........................................................................................... 177
Discover the Second Cluster Member .................................................................................... 186
Exercise 2: Monitor Cluster Status ............................................................................. 187
Monitor the Cluster .................................................................................................................. 187
Monitor a Cluster Member ...................................................................................................... 188
Exercise 3: Test FireCluster Failover .......................................................................... 189
Force a Failover from Firebox System Manager .................................................................... 189
Trigger a Failover Due to Link Status ...................................................................................... 189
Use the Backup Cluster Interface ........................................................................................... 189
Trigger a Failover Due to Power Failure .................................................................................. 190
Test Failover with Network Traffic ........................................................................................... 190
Use Leave/Join in Firebox System Manager .......................................................................... 190
What You Have Learned ............................................................................................ 190
Fireware Training
Course Introduction
Network and Traffic Management with Fireware
This training is for:
* The exercises in this course require Fireware with a Pro upgrade, which is included with most device models. For some 5 Series models (505, 510, 520, 530), you can purchase the Fireware XTM Pro upgrade for your device.
Training Overview
About Side Notes
Side notes are extra information that is not necessary to understand the training. They might be configuration or troubleshooting tips, or extra technical information.
The WatchGuard Fireware XTM Network and Traffic Management with Fireware course covers these topics:
VLAN
Traffic Management and QoS
Link Aggregation
Multi-WAN
Routing
FireCluster
This course assumes that you have completed the Fireware Essentials course and that you know how to
set up and configure basic networking features. This Course Introduction describes the software,
hardware, and network environment required to complete the exercises in this training courseware.
Necessary Equipment and Software
Because this course includes networking exercises, the training environment must include the
following network equipment in order to support all of the exercises in this course.
One WatchGuard XTM 33 or higher device for each student
One WatchGuard Firebox or XTM device configured by the instructor as the default gateway
Fireware XTM v11.9 or higher installed on each Firebox or XTM device
One Windows computer per student, with WatchGuard System Manager v11.9 or later installed
Three network hubs or switches, each with enough interfaces for the instructor and all of the
student Firebox or XTM devices to connect.
- One switch is the primary external network for the student devices
- One switch is the secondary external network (WAN2) for the student devices in the
Multi-WAN exercises
- One switch is used for the multi-hop link in the Routing exercises
Two managed switches with 802.1Q and 802.3ad support per student, for VLAN and Link
Aggregation exercises. Or students can pair up for these exercises.
Devices: WatchGuard XTM 330 or higher
Device OS versions: Fireware XTM v11.9.x*
Management software versions: WatchGuard System Manager v11.9.x
FTP Server (optional for some exercises)
Classroom Network Configuration
The exercises in this course are designed using RFC 5737 documentation IP addresses to represent
public network IP addresses. The exercises in this training assume the following classroom network
configuration:
Figure 1: Training network configuration
Student Device IP Addresses
Students may be assigned a number (10, 20, 30, etc.) to identify the last IP address octet for their external
addresses, or their third octet for internal addresses in relation to their devices. This allows for similar
configuration among devices and prevents IP address conflicts and subnet overlap.
The student devices are configured with these addresses, where X is the student number:
Eth0 - External (WAN1): 203.0.113.X/24, Default Gateway 203.0.113.1
Eth1 - Trusted: 10.0.X.1/24
Eth2 - Optional: 172.16.X.1/24
Eth3 - External or VLAN: Configuration varies by exercise
Eth4, Eth5 - Link Aggregation: Configured in Link Aggregation exercises only
The student number is also used in the FireCluster exercises as the cluster ID. We recommend that you
assign student numbers in increments of at least 10, so the cluster ID does not create a virtual MAC
address conflict between multiple FireClusters.
In the exercises, your external interface and trusted interface IP addresses are determined by your
student number. Replace the X in the exercises with your student number.
Instructor Device Network Configuration
Several interfaces on the instructor Firebox or XTM device must be configured to support the exercises
in this course. The instructor device acts as the default gateway for the primary student external
network, 203.0.113.0/24. For the Multi-WAN exercises that require a second external network, we use
198.51.100.1/24. The instructor device acts as the default gateway for both of these networks.
You must also configure a DNS server, in the Network > Configuration > WINS/DNS tab, to allow DNS to operate from the training environment. For DNS to function for students, the student Firebox or XTM devices and computers must also be configured to use the DNS server.
The instructor Firebox or XTM device is configured with these addresses:
Eth0 (External): Use appropriate addressing for a training environment with an Internet connection.
Eth1 (Trusted): 203.0.113.1/24. The default gateway for the primary external interface on student devices.
Eth2 (VLAN): Send and receive untagged traffic for VLAN10. Also used as the default gateway for the secondary external interface on student devices when a second WAN interface is configured.
Eth3 (VLAN): Send and receive tagged traffic for VLAN10 and VLAN20. Used when students configure a VLAN with an external interface.
Eth4 (Trusted): 172.16.10.1/30 as the primary IP address, and 172.16.X.1/30 as secondary addresses for the optional networks on each student device. Used to simulate a multi-hop link for some dynamic routing exercises.
Figure 2: Instructor Firebox or XTM device network interfaces configuration
The instructor device must have 2 VLANs configured:
VLAN10 - Trusted, 198.51.100.1/24, ID: 10, untagged on eth2, tagged on eth3
VLAN20 - Trusted, 192.0.2.1/24, ID: 20, tagged on eth3
Figure 3: Instructor Firebox or XTM device VLAN configuration
The instructor device must have addresses defined on eth4 for the optional networks for all student
devices. These are used for the multi-hop dynamic routing exercises.
Primary (for the Optional network of student 10): 172.16.10.1/30
Secondary (for the Optional network of students 20 and higher): 172.16.X.1/30
Figure 4: Secondary IP addresses for Eth4 on the instructor device, for a total of 8 students
Configuration Changes for the Instructor Device
To make the training network functional for these exercises, the instructor must make three more
configuration changes to the instructor Firebox or XTM device.
1. Create an Any policy to allow traffic between the trusted interfaces.
Figure 5: Any policy configuration for the instructor Firebox or XTM device
2. To enable access to the Internet, update the settings in Network > NAT > Dynamic NAT to add a dynamic entry from Any-Trusted to Any-External.
Or, you can add dynamic NAT rules from RFC 5737 addresses to Any-External (for example, add a
dynamic NAT rule from 203.0.113.0/24 to Any-External).
Figure 6: NAT configuration for the instructor Firebox or XTM device
3. To configure the instructor Firebox or XTM device to simulate a multi-hop link for the routing exercises, you must add static routes to route traffic to the trusted network on each student device.
The next hop for each is the IP address of the optional interface on each student device. The gateway corresponds to the primary and secondary networks defined for Eth4 on the instructor device.
Figure 7: Static route configuration for the instructor Firebox or XTM device for a class with 8 students.
(Optional) Set Up a Server to Host FTP and HTTP Downloads
Several of the exercises in this courseware require that the students download a file from an FTP server
or browse to a web site to observe the results of a configuration change. If your training environment
does not have Internet access, you can use the subsequent steps to help you build an FTP server and a
Web server on an existing Windows 2003 Server on your network, that students can use for the
exercises.
1. Connect the server's network card to the same hub or switch that connects the device external interface to the Internet router.
Usually, you would connect your device directly to the LAN interface of your Internet router. For
this exercise, you must use a hub or switch to connect the Windows 2003 Server to the external
network of the device.
2. Set up the FTP server.
For more information, see this Microsoft article: http://support.microsoft.com/kb/323384.
3. Create a 350 MB text file named 350mbfile.txt and save it in the ftproot folder. The default location for this folder is c:\inetpub\ftproot.
To create a file in Windows, at the Command Prompt, type the fsutil command:
fsutil file createnew c:\inetpub\ftproot\350mbfile.txt 358400000
4. Set up the web server on your Windows 2003 Server.
For more information, see this Microsoft article: http://support.microsoft.com/kb/324742
5. Copy the 350mbfile.txt file from the C:\inetpub\ftproot directory to the C:\inetpub\wwwroot
directory.
Fireware Training
VLANs in Fireware XTM
Four Ways to Configure a Device for VLANs
Introduction
A virtual local area network (VLAN) is a collection of computers on a LAN or LANs that are grouped
together in a single broadcast domain independent of their physical location. A VLAN allows you to
group devices according to function or traffic patterns instead of location or IP address. Members of a
VLAN can share resources as if they were connected to the same LAN.
What You Will Learn
This course explains the concept of a VLAN and describes several different VLAN technologies that are in use today. You will learn everything necessary to successfully deploy VLANs with your Firebox or XTM
device. We will present four typical use cases with VLANs, and you will configure the Firebox or XTM
device for each of these situations.
Exercises
The exercises demonstrate situations in which you would use different VLAN configurations, a
simplified view of the network topology for each setup, and step-by-step procedures for how to
configure each setup. The exercises include:
You can also use VLANs with link aggregation. An exercise for that configuration is included in the link aggregation section of this training.
Two VLANs on the same Firebox or XTM device interface
One VLAN bridged across two Firebox or XTM device interfaces
One VLAN bridged across two Firebox or XTM device interfaces (alternate configuration)
Two VLANs as External Interfaces on the same Firebox or XTM device
Three VLANs for two SSIDs on an AP device
The course concludes with frequently asked questions about how to configure firewall policies to
restrict incoming and outgoing access on VLAN interfaces, or to allow or deny traffic between different
VLANs.
What VLANs Can Do For You
VLANs provide three main benefits:
Increased performance by confining broadcasts.
Each computer you add to a LAN increases the amount of background (broadcast) traffic, which can reduce performance. With VLANs, you can restrict this traffic and reduce the amount of
bandwidth used by your network.
Improved manageability and simplified network tuning.
When you consolidate common resources into a VLAN, you reduce the number of routing hops
needed for those devices to communicate. You can also manage traffic from each functional group
more easily when each group uses a different VLAN.
Increased security options.
By default, members of one VLAN cannot see the traffic from another VLAN. You can apply separate
security policies to VLANs. By contrast, a secondary network on a Firebox or XTM device interface
gives no additional security because there is no separation of traffic. The Firebox or XTM device
does not filter traffic between the primary network of an interface and a secondary network on
that interface. It automatically routes traffic between primary and secondary networks on the same
physical interface with no access restrictions.
Terms and Concepts You Should Know
VLAN trunk interface
The physical interface (switch interface or device interface) that connects a VLAN device to another
VLAN device. Some vendors use this term only for a switch interface that carries traffic for more than
one VLAN. We use this as a general term to indicate an Ethernet interface on a VLAN-capable device
that connects the device to another VLAN-capable device.
VLAN ID (VID)
A number from 1 to 4094 associated with the VLAN. Every VLAN you use has a unique number.
Tag
This term has two meanings: one for the verb usage, and one for the noun usage.
[noun] Information that is added to the header of an Ethernet frame. The format of the tag is defined
by the IEEE 802.1Q standard.
[verb] To add a VLAN tag to a data frame's Ethernet header. The tag is added by an 802.1Q-compliant
device such as an 802.1Q switch or router, or the Firebox or XTM device.
Because the physical segment between two 802.1Q devices normally carries only tagged data
packets, we call it the tagged data segment.
Untag
To remove a VLAN tag from a frame's Ethernet header. When an 802.1Q device sends data to a
network device that cannot understand 802.1Q VLAN tags, the device untags the data frames.
Because the physical segment between a VLAN device and a device that cannot understand VLAN
tags normally carries only untagged data packets, we call it the untagged data segment.
Tagging and untagging per interface
When you assign VLAN membership for an Ethernet interface on an 802.1Q device, you also tell the
interface whether to send and accept tagged or untagged data frames. Some VLAN devices allow
one Ethernet interface to accept both tagged and untagged frames. This depends on which VLANs
the interface is a member of.
When you configure a Firebox or XTM device Ethernet interface for VLAN, the interface will accept
both tagged and untagged data frames, but only for VLANs in the trusted, optional, and custom
security zones. For an external VLAN a device VLAN interface will accept only tagged data frames.
Use these two rules to decide whether to configure a switch interface for Tag or Untag:
- If the interface connects to a device that can receive and understand 802.1Q VLAN tags,
configure the switch interface for Tag. Devices you connect to this interface are usually VLAN
switches (managed switches) or routers.
- If the interface connects to a device that cannot receive and understand 802.1Q VLAN tags,
configure the switch interface for Untag. (Such devices will likely strip the VLAN tag from the
Ethernet header, or drop the frame altogether.) Devices you connect to this interface are
usually computers or printers.
Switches
When you configure a Firebox or XTM device Ethernet interface for VLAN, the switches that you
connect to the device interface must be able to use VLAN tags as defined in IEEE 802.1Q. A switch of
this type is commonly called a managed switch or an 802.1Q switch.
Types of VLANs
VLANs can use different parameters to assign membership:
- 802.1Q VLANs (used by the Firebox or XTM device)
The Institute of Electrical and Electronics Engineers (IEEE) publishes the 802.1Q standard to
define the format of VLAN tags. This standard lets you use VLANs with any vendor's
equipment that conforms to 802.1Q standards.
- MAC address-based VLANs use the physical address on a computer's network interface card
to put it in the correct logical group.
- VLANs based on multicast groups put computers into VLANs based on whether the
computer has subscribed to a particular multicast group.
- Protocol-based VLANs put computers into VLANs based on the communication protocol
each uses (such as IP, IPX, DECnet, or AppleTalk).
VLAN Requirements and Recommendations
To use a VLAN with a Firebox or XTM device:
If your Firebox or XTM device is configured in drop-in mode, you cannot use VLANs.
If your Firebox or XTM device is configured in bridged mode, you cannot configure VLANs on the
device.
- The device in bridge mode can pass VLAN tagged traffic between 802.1Q bridges or
switches.
- You can configure a device in bridge mode to be managed from a VLAN that has a specified
VLAN tag.
Each VLAN interface can send and receive untagged traffic for only one trusted or optional VLAN.
For example, if a VLAN interface is configured to send and receive untagged traffic for VLAN-10, it
cannot also send and receive VLAN traffic for any other VLAN at the same time. Also, a VLAN
interface cannot be configured to send and receive untagged traffic for an external VLAN.
Multi-WAN configuration settings are applied to VLAN traffic. However, it can be easier to manage
bandwidth when you use only physical interfaces in a multi-WAN configuration.
Your device model and license control the number of VLANs you can create. To see the number of
VLANs you can add to your Firebox or XTM device, open Policy Manager and select Setup >
Feature Keys. Find the row labeled Total number of VLAN interfaces.
We recommend that you do not create more than 10 VLANs that operate on external interfaces.
Too many VLANs on external interfaces affect performance.
All network segments you want to add to a VLAN must have IP addresses on the VLAN network.
Before You Begin
Before you begin the exercises, you must:
1. Make sure the switches that connect to the Firebox or XTM device do not use Spanning Tree Protocol. Disable this protocol for any switch interface that connects to a device Ethernet interface.
2. Know how to configure your VLAN switch. Consult the documentation from the device manufacturer for help.
Firewall Configuration
If your Firebox or XTM device is not yet configured, run the Quick Setup Wizard first to configure it.
Use the Routed mode for the Quick Setup Wizard. (You cannot use VLANs with Drop-in mode or
Bridge mode.) The Quick Setup Wizard with Routed mode has these defaults:
- The external Interface 0 is configured and enabled with static IP address 203.0.113.X/24. Replace X in the external IP address with the student number your instructor gives you.
- The trusted Interface 1 is configured and enabled with IP address 10.0.X.1/24. Replace X in the trusted IP address with the student number your instructor gives you.
- All of the other interfaces are set to Disabled.
- There are five policies in Policy Manager: FTP, Ping, WatchGuard WebUI, WatchGuard, and
Outgoing.
The trusted interface (Interface 1) is not a member of any VLAN in any of the exercises.
The management computer is connected directly to the trusted interface with an Ethernet cable.
Make sure your management computer has an IP address in the same subnet as the trusted
interface, with the correct subnet mask. Make sure the default gateway for the computer is the
trusted interface IP address.
Necessary Equipment and Services
Management computer
Use a computer with WSM version 11.9 or higher software installed to configure the Firebox or
XTM device. This computer is connected to the device trusted interface in all exercises.
Two additional computers
To test traffic flow with the VLANs you send traffic between two computers. Each computer is
connected to a VLAN switch or to the Firebox or XTM device itself, depending on the exercise.
You can also use the management computer for one of the two computers to test traffic flow
between VLANs.
WatchGuard Firebox or XTM device with Fireware XTM OS v11.9 or higher
In the exercises, we assume that you ran the Quick Setup Wizard to configure the Firebox or XTM
device and you selected Routed mode (not Drop-in or Bridge mode).
802.1Q VLAN switches
- One switch for Exercises 1 and 2
- Two switches for Exercise 3 and 4
- One switch for Exercise 5
Ethernet cables
At a minimum, to complete all the exercises you must have:
- Six Ethernet cables, to interconnect all of the devices.
Configuring the VLAN Switch
Each physical interface on a VLAN switch is generally classified as one of two types:
VLAN Access port
A switch interface of this type removes VLAN tags from data frames before it sends them to the
device attached to it. The interface also adds a VLAN tag to untagged frames it gets from the
connected device.
You connect computers, printers, and other networked devices to this type of interface.
Configure this type of switch interface for untag mode.
VLAN Trunk port
A switch interface of this type preserves any VLAN tags in the data frames it receives. It also
preserves VLAN tags when it sends tagged data frames to the device attached to it.
You connect other VLAN-capable devices such as VLAN switches and routers to this type of
interface. You also connect this type of interface to a Firebox or XTM device interface configured to
accept tagged data frames.
Configure this type of switch interface for tag mode.
Select the VLAN ID Numbers
By default, each interface on most new, unconfigured switches belongs to VLAN number 1. Because
this VLAN exists on every interface of most switches by default, the possibility exists that this VLAN can
accidentally span the entire network, or at least very large portions of it.
We recommend you use a VLAN ID number other than 1 for any VLAN that passes traffic to the Firebox
or XTM device.
About the PVID
Some switch manufacturers require you to assign a Port VLAN ID (PVID) to each interface. The PVID
number determines the VLAN ID number that the switch adds to the untagged packets it gets from
devices connected to the interface. If you do not configure a PVID for an interface, it is possible that the
switch can tag the data packets it gets on that interface with the default VLAN ID of 1. This is the case
even if you configure the interface to untag for a different VLAN ID number.
When you change the PVID setting on a switch interface to a PVID number that matches a VLAN
number, the switch adds a VLAN tag for that VLAN to untagged packets it receives on this interface. If
your switch uses PVID numbers, be sure to configure each switch interface that connects a computer to
use the correct PVID number.
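The rules in this chapter (Tag and Untag in Terms and Concepts, the access and trunk port types in Configuring the VLAN Switch, and the PVID fallback just described) can be seen in a short model. The following Python is an added example, not code from the WatchGuard training guide or from Fireware; the SwitchPort class, its mode names, and the sample MAC addresses and payload are constructed for illustration, and the fallback to VLAN 1 when no PVID is set models the behavior this section warns about.

```python
"""802.1Q tag/untag model: tagged and untagged data segments (added example)."""
import struct

ETHERTYPE_8021Q = 0x8100   # TPID that marks an 802.1Q-tagged frame
ETHERTYPE_IPV4 = 0x0800
VLAN_ID_MIN, VLAN_ID_MAX = 1, 4094


def build_frame(dst_mac: bytes, src_mac: bytes, ethertype: int, payload: bytes) -> bytes:
    """Plain Ethernet II frame: dst(6) src(6) EtherType(2) payload."""
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def is_tagged(frame: bytes) -> bool:
    """True when the 2 bytes after the MAC addresses are the 802.1Q TPID."""
    return struct.unpack("!H", frame[12:14])[0] == ETHERTYPE_8021Q


def vlan_id(frame: bytes):
    """VID carried in the tag, or None for an untagged frame."""
    if not is_tagged(frame):
        return None
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF          # low 12 bits of the TCI are the VID


def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q tag (TPID + TCI) after the source MAC."""
    if not VLAN_ID_MIN <= vid <= VLAN_ID_MAX:
        raise ValueError(f"VLAN ID {vid} is outside 1..4094")
    if is_tagged(frame):
        raise ValueError("frame already carries an 802.1Q tag")
    tci = ((pcp & 0x7) << 13) | vid   # PCP(3) DEI(1, left 0) VID(12)
    return frame[:12] + struct.pack("!HH", ETHERTYPE_8021Q, tci) + frame[12:]


def untag_frame(frame: bytes) -> bytes:
    """Remove the 802.1Q tag, giving back a plain Ethernet II frame."""
    return frame[:12] + frame[16:] if is_tagged(frame) else frame


class SwitchPort:
    """Hypothetical switch interface in untag (access) or tag (trunk) mode."""

    def __init__(self, mode: str, vlans, pvid=None):
        if mode not in ("untag", "tag"):
            raise ValueError("mode must be 'untag' or 'tag'")
        self.mode, self.vlans, self.pvid = mode, set(vlans), pvid

    def ingress(self, frame: bytes):
        """Frame received from the attached device; returns the frame as it
        travels inside the switch (always tagged), or None if dropped."""
        if self.mode == "untag":
            if is_tagged(frame):
                return None           # attached device is not supposed to tag
            # With no PVID configured, fall back to the default VLAN 1 (the pitfall
            # described in the text): the frame ends up in the wrong VLAN.
            vid = self.pvid if self.pvid is not None else 1
            return tag_frame(frame, vid)
        # Tag mode keeps the tag and accepts only VLANs the port is a member of.
        return frame if vlan_id(frame) in self.vlans else None

    def egress(self, frame: bytes):
        """Frame sent toward the attached device: untag on access ports, keep
        the tag on trunk ports, drop VLANs the port does not belong to."""
        if vlan_id(frame) not in self.vlans:
            return None
        return untag_frame(frame) if self.mode == "untag" else frame


def demo():
    """Walk a frame from a VLAN10 PC across the switch to the tagged segment."""
    pc_a = bytes.fromhex("020000000001")   # constructed sample MACs
    pc_b = bytes.fromhex("020000000002")
    frame = build_frame(pc_b, pc_a, ETHERTYPE_IPV4, b"sample")

    access10 = SwitchPort("untag", {10}, pvid=10)   # PC port, untag for VLAN10
    trunk = SwitchPort("tag", {10, 20})             # port toward the firewall
    no_pvid = SwitchPort("untag", {10})             # untag for VLAN10, PVID unset

    inside = access10.ingress(frame)       # switch adds the VLAN10 tag
    to_firewall = trunk.egress(inside)     # tagged segment keeps the tag
    back_to_pc = access10.egress(inside)   # untagged segment strips it
    stray = no_pvid.ingress(frame)         # mis-tagged with the default VID 1

    return {
        "tagged_vid": vlan_id(inside),                          # 10
        "trunk_keeps_tag": is_tagged(to_firewall),              # True
        "untag_restores_frame": back_to_pc == frame,            # True
        "no_pvid_vid": vlan_id(stray),                          # 1
        "no_pvid_reaches_vlan10_pc": access10.egress(stray) is not None,  # False
        "trunk_drops_non_member": trunk.egress(tag_frame(frame, 30)) is None,  # True
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The no_pvid port shows why the text insists on setting the PVID: a frame from a PC on that port is tagged with VID 1 instead of 10, so it is never delivered to the VLAN10 hosts, even though the port was configured to untag for VLAN10.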
Exercise 1: Two VLANs on the Same Device Interface
When to Use this Configuration
A Firebox or XTM device interface is a member of more than one VLAN when the switch that connects
to that interface carries traffic from more than one VLAN.
You use multiple VLANs on one Firebox or XTM device interface when you want to split a device interface into multiple broadcast domains or multiple security zones. When you separate the traffic
from different functional groups before it enters the device interface, you get two major benefits:
Broadcast traffic is confined within each VLAN, which reduces congestion.
You can make access policies to allow limited traffic or no traffic between the VLANs. You also
control access from each VLAN to other parts of your network and to the Internet.
Compare the second benefit to the situation when you configure a Firebox or XTM device interface as a
physical interface (instead of as a VLAN) with a secondary network also configured on the interface: The
device does not filter traffic between the primary network of an interface and a secondary network on
that interface. The primary network is not protected from a secondary network on that interface.
Network Topology
This exercise shows how to connect one switch that carries traffic from two different VLANs to one
Firebox or XTM device interface. In the subsequent diagram, the computers are connected to the
802.1Q switch, and the switch is connected to Firebox or XTM device interface 3. The switch carries
traffic from two different VLANs.
Figure 1: Network topology for Exercise 1
Configure the Device
1. From Policy Manager, select Network > Configuration.
The Network Configuration dialog box appears.
2. Select the VLAN tab.
Figure 2: VLAN tab of the Network Configuration dialog box
3. Click Add and create a new VLAN.
4. In the Name (Alias) text box, type a name for the VLAN. The name cannot contain spaces.
For this example, type VLAN10.
5. (Optional) In the Description text box, type a description.
For this example, type Accounting.
6. In the VLAN ID text box, type or select a number for the VLAN.
For this example, select 10.
Security zones correspond to aliases for interface security zones. For example, VLANs of type Trusted are handled by policies that use the alias Any-Trusted as a source or destination. VLANs can be defined as Trusted, Optional, or Custom.
7. From the Security Zone drop-down list, select the security zone for the VLAN.
For this example, select Trusted.
8. In the IP Address text box, type the IP address of the VLAN gateway.
For this example, type 192.168.10.1/24. Any computer in this new VLAN must use this IP address as its default gateway.
9. (Optional) Configure DHCP for the new VLAN.
a. Select Use DHCP Server.
b. In the Address Pool section, click Add.
c. Type or select the Starting Address and the Ending Address.
For this example, type 192.168.10.10 for the Starting Address and 192.168.10.20 for
the Ending Address.
d. Click OK.
The new address pool appears in the Address Pool list.
10. Click OK.
The new VLAN appears.
Figure 3: VLAN tab with new VLAN10
11. Click Add and create another new VLAN.
12. In the Name (Alias) text box, type a name for the VLAN. The name cannot contain spaces. For this example, type VLAN20.
13. (Optional) In the Description text box, type a description.
For this example, type Sales.
14. In the VLAN ID text box, type or select a number for the VLAN.
For this example, select 20.
15. From the Security Zone drop-down list, select the security zone for the VLAN.
For this example, select Optional.
16. In the IP Address text box, type the IP address of the VLAN gateway.
For this example, type 192.168.20.1/24. Any computer in this new VLAN must use this IP address as its default gateway.
17. (Optional) Configure DHCP for the new VLAN.
a. Select Use DHCP Server.
b. In the Address Pool section, click Add.
c. Type or select the Starting Address and the Ending Address.
For this example, type 192.168.20.10 for the Starting Address and 192.168.20.20 for
the Ending Address.
d. Click OK.
The new address pool appears in the Address Pool box.
18. Click OK.
Both VLANs now appear.
Figure 4: Two new VLANs: VLAN10 and VLAN20
Because you cannot add a secondary network to a VLAN interface, the Secondary tab remains unavailable here. With Fireware XTM v11.8.1 or higher, you can add secondary networks to each of the VLAN members. To do this, edit the VLAN members in the VLAN tab.
19. Select the Interfaces tab.
20. Select Interface 3 and click Configure.
21. From the Interface Type drop-down list, select VLAN.
The Interface Type Configuration section appears on the IPv4 tab. Both new VLANs appear in the list.
22. Select Send and receive tagged traffic for selected VLANs.
23. In the Member column, select the check boxes for VLAN10 and VLAN20.
Figure 5: The Member column shows which VLANs the interface is a member of.
24. Click OK.
This interface now appears as type VLAN in the list of interfaces.
25. Check your work.
The Interfaces tab should look like this.
Figure 6: Firebox or XTM device Interface 3 is now type VLAN
The VLAN tab should look like this.
Figure 7: VLAN tab after the VLANs are defined
26. Click the Save icon and save this configuration to the device. Or, select File > Save > To Firebox.
Configure the Switch
Refer to the instructions from your switch manufacturer to configure your switch.
As a general rule, remember that the physical segment between this switch interface and the Firebox or XTM device is a tagged data segment. Traffic that flows over this segment must use 802.1Q VLAN tagging.
Some switch manufacturers refer to a switch interface that is configured like Step 2 as a trunk port or trunk interface.
1. Add two VLANs to the 802.1Q switch configuration.
Set the VLAN ID numbers for these VLANs to 10 and 20.
2. Configure the switch interface that connects the switch to the device interface 3.
a. Disable Spanning Tree Protocol on any switch interface that connects to the device.
b. Configure this interface on the switch to be a member of both VLANs 10 and 20.
c. Configure this interface to tag for both VLANs.
d. If necessary for your switch operating system, configure the switch mode to trunk.
e. If necessary for your switch operating system, set encapsulation mode to 802.1Q.
3. Configure the switch interfaces that connect computers in VLAN10 to the switch.
a. Configure each switch interface that will connect a computer in VLAN10 to be a member of
VLAN10.
b. Configure these interfaces to untag for VLAN10.
4. Configure the switch interfaces that connect computers in VLAN20 to the switch.
a. Any switch interface that will connect a computer in VLAN20 must be a member of VLAN20.
b. Configure these interfaces to untag for VLAN20.
As a general rule, remember that the physical segment between a switch interface and a computer (or other networked device) that connects to it is an untagged data segment. Traffic that flows over this segment does not have VLAN tags.
Most switches sold today have interfaces that can auto-sense MDI/MDI-X for the Ethernet connection. When the interface senses a physical link, it automatically configures itself to be a normal or uplink interface. If you do not get link lights on the Ethernet interfaces with one type of Ethernet cable (straight-through or crossover), try the other type of Ethernet cable.
Physically Connect All Devices
1. Connect one end of an Ethernet cable to the device interface 3.
2. Connect the other end of the Ethernet cable to the interface on the switch that you configured to tag for VLANs 10 and 20 (to the VLAN trunk interface of the switch).
3. Connect a computer to the interfaces on the switch that you configured to untag for VLAN10.
4. If you configured VLAN10 to use the DHCP server, configure the computer's network card to use DHCP to get an IP address automatically. For more information, see Step 9 on page 13.
5. If you did not configure the VLAN to use the DHCP server, configure the computer's network card with an IP address in the VLAN subnet 192.168.10.x. Use subnet mask 255.255.255.0 and set the computer's default gateway to the device VLAN IP address, 192.168.10.1.
6. Repeat Steps 1-3 to connect a computer to a switch interface that you configured to untag for VLAN20.
Test the Configuration
From the computer in VLAN10, you should be able to ping the computer in VLAN20, as well as ping the
VLAN10 computer from the VLAN20 computer. The two computers can ping each other because the
default settings of the Ping policy allow Any-Trusted and Any-Optional to send ICMP echo requests to
Any.
No other traffic is allowed between the two VLANs unless there is a policy that specifically allows it. The
basic configuration loaded by the Quick Setup Wizard does not allow any other traffic between the
VLANs.
Exercise 2: One VLAN Bridged Across Two Device Interfaces
When to Use this Configuration
The primary benefit of this configuration is the ability to bridge a VLAN between computers connected
to a VLAN switch and computers directly connected to the Firebox or XTM device. A typical network
topology is this:
You have a relatively large number of computers connected by way of a VLAN switch to one device
interface.
You have a single computer (or a small group of computers) that must share the same resources as
the first group, but it is physically separated from the first group.
It is more convenient or cost-effective to connect the smaller group directly to the device.
To solve the challenge of putting all these computers into one logical group, you configure the Firebox
or XTM device with a VLAN that bridges two device interfaces:
One device interface tags for the VLAN.
This interface connects, by way of an Ethernet cable, to the VLAN switch that links the majority of the computers in this logical group.
The other device interface untags for the VLAN.
This interface has a direct Ethernet connection to one computer (or a small group of computers) in the logical group. This second connection can be a shared media connection such as a hub connected to the interface, or a single computer connected to the interface with a crossover Ethernet cable.
With this configuration, all the computers can easily share resources, and their broadcasts are confined
to the VLAN.
Network Topology
This exercise shows how to connect a switch to one Firebox or XTM device interface, and computers to another Firebox or XTM device interface. Figure 8 shows that the computers connected to the switch and to device interface 4 are in the same VLAN.
Figure 8: Network topology for Exercise 2
The untagged Firebox or XTM device interface in Figure 8 (Interface 4, with one computer connected) operates in much the same way as an untagged switch port on a VLAN switch.
Note
If you have already completed the previous exercise, remove the VLANs and disable the VLAN
interface you configured in that exercise before you begin this one.
Configure the Device
1. From Policy Manager, select Network > Configuration.
2. Select the VLAN tab.
3. Click Add and create a new VLAN. The New VLAN Configuration dialog box appears.
4. In the Name (Alias) text box, type a name for the VLAN. The name cannot contain spaces. For this example, type VLAN10.
5. (Optional) In the Description text box, type a description of the VLAN. For this example, type Accounting.
6. In the VLAN ID text box, select a number for the VLAN. For this example, type 10.
7. From the Security Zone drop-down list, select the security zone for the VLAN. For this example, select Trusted.
8. In the IP Address text box, type the IP address of the VLAN gateway. For this example, type 192.168.10.1/24. Any computer in this new VLAN must use this IP address as its default gateway.
9. (Optional) Configure DHCP for the new VLAN.
a. Select Use DHCP Server.
b. In the Address Pool section, click Add.
c. Type or select the Starting Address and the Ending Address.
For this example, type 192.168.10.10 for the Starting Address and 192.168.10.20 for the Ending Address.
d. Click OK.
The new address pool appears in the Address Pool list.
10. Click OK. The new VLAN is added.
Figure 9: VLAN10 on the VLAN tab
The Interfaces column is blank for a new VLAN because no Firebox or XTM device interfaces have been assigned to it yet. You assign the VLAN to Firebox or XTM device interfaces in the next steps.
11. To make device Interfaces 3 and 4 members of the new VLAN, select the Interfaces tab.
12. Select Interface 3 and click Configure.
13. From the Interface Type drop-down list, select VLAN.
You configure interface 3 to handle tagged VLAN traffic, because it connects to a VLAN switch that sends it traffic with VLAN tags.
14. Select Send and receive tagged traffic for selected VLANs.
15. In the Member column, select the check box for VLAN10.
Figure 10: Select the check box to make the interface a member of the VLAN
16. Click OK. This interface now appears as type VLAN in the list of interfaces.
17. Double-click Interface 4 and configure it to untag for VLAN10.
18. From the Interface Type drop-down list, select VLAN.
You can only select one VLAN for untagged traffic. This option is not available if you choose a VLAN that has External specified as the zone. You cannot configure an interface to send and receive both tagged and untagged traffic when a VLAN is configured as an External zone.
If you do not want computers connected to a Firebox or XTM device interface to be part of a VLAN, then do not configure the interface to be of type VLAN. Instead, configure the interface to be of type Trusted or Optional.
19. At the bottom of the dialog box, select the Send and receive untagged traffic for selected VLAN check box. From the adjacent drop-down list, select VLAN10 (192.168.10.1/24).
Figure 11: Make Interface 4 an untagged switch port
20. Click OK and check your work.
The Interfaces tab should now look like this.
Figure 12: Firebox or XTM device interfaces 3 and 4 now appear as type VLAN
The VLAN tab should look like this.
Figure 13: The VLAN interface used by interfaces 3 and 4
The VLAN settings list includes information about which interface tags and which interface untags for a particular VLAN. It uses either boldface type or normal type for the numbers in the Interfaces column:
- boldface type entries are Untag
- normal type entries are Tag.
21. Save this configuration to the Firebox or XTM device.
Configure the Switch
Refer to the instructions from your switch manufacturer to configure your switch.
1. Configure the switch interface that connects the switch to the Firebox or XTM device interface 3.
a. Disable Spanning Tree Protocol on any switch interface that connects to the device.
b. Configure this interface on Switch A to be a member of VLAN10.
c. Configure this interface to tag for VLAN10.
d. If necessary for your switch operating system, configure the switch mode to trunk.
e. If necessary for your switch operating system, set encapsulation mode to 802.1Q.
Some switch manufacturers call an interface configured this way either a trunk port or a trunk interface.
2. Configure the switch interfaces that connect computers to the switch.
3. Configure the other switch interfaces to be members of VLAN10 and to untag for VLAN10.
As a general rule, remember that the physical segment between this switch interface and the
device is a tagged data segment. Traffic that flows over this segment must use 802.1Q VLAN
tagging.
As a general rule, remember that the physical segments between each of the other switch
interfaces and the computers (or other networked devices) that connect to them are untagged
data segments. Traffic that flows over these segments does not have VLAN tags.
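The two kinds of segment described above (the tagged 802.1Q segment between the switch trunk port and the device, and the untagged segments between access ports and computers) can be made concrete in a few lines of code. The following is an added example, not code from the WatchGuard guide or from Fireware: it builds a plain Ethernet frame from constructed sample MAC addresses, inserts and parses the 4-byte 802.1Q header (TPID 0x8100 followed by the tag control information), and models what an untagged port for VLAN10 (a switch access port here, or device Interface 4 in Exercise 2) does with frames arriving from the trunk. The function names are my own.

```python
"""Model of 802.1Q tagged and untagged segments (added example, constructed data)."""
import struct

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def mac(text: str) -> bytes:
    """Convert 'aa:bb:cc:dd:ee:ff' to its 6 raw bytes."""
    return bytes(int(octet, 16) for octet in text.split(":"))


def build_untagged(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Plain Ethernet II frame as seen on an untagged segment: dst(6) src(6) type(2) payload."""
    return dst + src + struct.pack("!H", ethertype) + payload


def parse_vid(frame: bytes):
    """Return the VLAN ID carried by a tagged frame, or None for an untagged frame."""
    if len(frame) < 16:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None
    return tci & 0x0FFF      # the low 12 bits of the TCI are the VID


def add_tag(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Access-port ingress: insert TPID + TCI after the source MAC.

    TCI = 3 bits priority (PCP) | 1 bit drop eligible (DEI) | 12 bits VID.
    """
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be in 1..4094")
    if parse_vid(frame) is not None:
        raise ValueError("frame is already tagged")
    tci = (pcp << 13) | (dei << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_tag(frame: bytes) -> bytes:
    """Access-port egress: remove the 4-byte 802.1Q header."""
    if parse_vid(frame) is None:
        raise ValueError("frame is not 802.1Q tagged")
    return frame[:12] + frame[16:]


def trunk_to_access(frame: bytes, access_vid: int):
    """Deliver a frame from the tagged segment to an untagged port for access_vid.

    Only frames carrying that VID leave the port, and they leave without the tag;
    anything else is dropped (None). This is the isolation the VLAN provides.
    """
    if parse_vid(frame) != access_vid:
        return None
    return strip_tag(frame)


def access_to_trunk(frame: bytes, access_vid: int) -> bytes:
    """Tag a plain frame received on an untagged port so it can cross the trunk."""
    return add_tag(frame, access_vid)


if __name__ == "__main__":
    pc_a = mac("00:11:22:33:44:55")  # constructed sample addresses
    pc_b = mac("66:77:88:99:aa:bb")
    plain = build_untagged(pc_b, pc_a, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)
    on_trunk = access_to_trunk(plain, 10)
    print("untagged header:", plain[:14].hex())
    print("tagged header:  ", on_trunk[:18].hex(), "VID", parse_vid(on_trunk))
    print("to VLAN10 port:", trunk_to_access(on_trunk, 10) == plain)
    print("to VLAN20 port:", trunk_to_access(on_trunk, 20))
```

Run it as a script to see the byte layout. The point to take away is that on the trunk segment the VLAN identity is carried in bytes 12 to 15 of every frame, while on an untagged segment it exists only as the port's configuration, which is why a computer on an access port can neither see nor choose its VLAN.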
Physically Connect all Devices
1. Connect one end of an Ethernet cable to the Firebox or XTM device interface 3.
2. Connect the other end of the Ethernet cable to the interface on the switch that you configured to tag for VLAN10 (to the VLAN trunk interface of the switch).
3. Connect a computer to one of the interfaces on the switch that you configured to untag for VLAN10.
4. If you configured VLAN10 to use the DHCP server, configure the computer's network card to use DHCP to get an IP address automatically. See Step 9 on page 19.
5. If you did not configure the VLAN to use the DHCP server, configure the computer's network card with an IP address in the VLAN subnet 192.168.10.x. Use subnet mask 255.255.255.0 and set the computer's default gateway to the device VLAN IP address 192.168.10.1.
6. Repeat these steps to connect a computer to device interface 4.
Test the Configuration
You should be able to send a ping from the computer connected to the switch to the computer
connected to device interface 4, and from the computer connected to device interface 4 to the
computer connected to the switch. The two computers can communicate as though they were
connected to the same physical LAN.
Exercise 3: One VLAN Bridged Across Two Device Interfaces (Alternate Configuration)
When to Use This Configuration
You might use a configuration like this if your organization is spread across multiple locations. For
example, suppose your network is on the first and second floors in the same building. Some of the
computers on the first floor are in the same functional group as some of the computers on the second
floor. You want to group these computers into one broadcast domain so that they can easily share
resources, such as a dedicated file server for their LAN, host-based shared files, printers, and other
network accessories.
You connect the computers on one floor to one VLAN switch, and connect that switch to a Firebox or
XTM device interface. You connect the computers on the other floor to one VLAN switch, and connect
that switch to another Firebox or XTM device interface. This puts all of the computers into one LAN.
One of the main benefits in this setup is cost savings: it is not necessary to connect another device to
combine the traffic from the two switches before it enters the device. The device combines the traffic,
and lets you apply strict security policies between the VLANs, the rest of your network, and untrusted
segments such as the Internet. This saves you the cost of a different device, such as a router or a layer 3 switch.
Network Topology
This exercise shows how to connect two 802.1Q switches, both of which send traffic from the same
VLAN, to two different Firebox or XTM device interfaces. The subsequent diagram shows how computers are
connected to 802.1Q switches, and how the switches are connected to the device. Two 802.1Q
switches connected to device interfaces 3 and 4 carry traffic from the same VLAN.
Figure 14: Network topology for Exercise 3
Note
If you have already completed the previous exercise, remove the VLANs and disable the VLAN
interface you configured in that exercise before you begin this one.
Configure the Device
1. From Policy Manager, select Network > Configuration.
2. Select the VLAN tab. The VLAN settings list is empty because you have not defined any VLANs.
3. Click Add and create a new VLAN. The New VLAN Configuration dialog box appears.
4. In the Name (Alias) text box, type a name for the VLAN. The name cannot contain spaces. For this example, type VLAN10.
5. (Optional) In the Description text box, type a description of the VLAN. For this example, type Accounting.
6. In the VLAN ID text box, select a number for the VLAN. For this example, type 10.
7. From the Security Zone drop-down list, select the security zone for the VLAN. For this example, select Trusted.
8. In the IP Address text box, type the IP address of the VLAN gateway. For this example, type 192.168.10.1/24. Any computer in this new VLAN must use this IP address as its default gateway.
9. (Optional) Configure DHCP for the new VLAN.
a. Select Use DHCP Server.
b. In the Address Pool section, click Add.
c. Type or select the Starting Address and the Ending Address.
For this example, type 192.168.10.10 for the Starting Address and 192.168.10.20 for the Ending Address.
d. Click OK.
The new address pool appears in the Address Pool list.
10. Click OK. The new VLAN appears.
Figure 15: The VLAN tab with new VLAN10
11. To make device Interfaces 3 and 4 members of the new VLAN, select the Interfaces tab.
12. Select Interface 3 and click Configure. Or, double-click the interface.
13. From the Interface Type drop-down list, select VLAN.
Interface 3 will be a tagged VLAN interface because it connects to a VLAN switch that sends it traffic with VLAN tags.
14. Select Send and receive tagged traffic for selected VLANs.
15. In the Membercolumn, select the check box for VLAN10.
Figure 16: Select the check box to make the interface a member of the VLAN
16. Click OK. This interface now appears as type VLAN in the list of interfaces.
17. Repeat Steps 11 to 16 for Interface 4 to make that interface a member of VLAN10.
18. Check your work.
The Interfaces tab should look like this:
Figure 17: Interfaces 3 and 4 are both type VLAN
The numbers in the Interfaces column use normal type to indicate that these are tagged interfaces. If the interfaces are configured as untagged switch ports, the entry appears in bold type.
The VLAN tab should look like this:
Figure 18: The VLAN tab shows that interfaces 3 and 4 are members of VLAN10
19. Save this configuration to the device (for example, select File > Save > To Firebox).
6. If you configured VLAN10 to use the DHCP server, configure the computer's network card to use DHCP to get an IP address automatically. See Step 9 on page 23.
7. If you did not configure the VLAN to use the DHCP server, configure the computer's network card with an IP address in the VLAN subnet 192.168.10.x. Use subnet mask 255.255.255.0 and set the computer's default gateway to the device VLAN IP address 192.168.10.1.
8. Repeat these steps to connect a computer to Switch B.
Testing the Connection
You should be able to ping from a computer connected to Switch A to a computer connected to Switch
B, and from a computer connected to Switch B to a computer connected to Switch A. Because they are
in the same VLAN, the two computers can communicate as if they were connected to the same physical
LAN.
Exercise 4: Two VLANs as External Interfaces on the Same Device
When to Use this Configuration
Fireware XTM OS versions prior to v11.7 had a hard limit of four WAN interfaces. You can use VLANs as External interfaces when you need more than four WAN interfaces. You can configure up to ten External VLANs in addition to the four physical External interfaces.
You use VLANs as External interfaces when your service provider gives you Internet and MPLS
connections on a single Ethernet cable, logically separated by VLANs. Rather than connecting the cable
to a managed switch, then to separate physical interfaces on your Firebox or XTM device, you can
connect the cable directly to a single physical interface configured as a trunk on your device.
Network Topology
This exercise simulates two service provider connections, ISP-1 (VLAN 10) and ISP-2 (VLAN 20), carried by a single trunk port of the switch to one Firebox or XTM device interface. In the subsequent diagram, the WAN connection is connected to the 802.1Q switch, and the trunk port of the switch (Switch A) is connected to device interface 3.
Figure 19: Network topology for Exercise 4
Note
If you have already completed the previous exercise, remove the VLANs and disable the VLAN
interface you configured in that exercise before you begin this one.
Configure the Device
1. From Policy Manager, select Network > Configuration. The Network Configuration dialog box appears.
2. Select the VLAN tab.
3. Click Add to create a new VLAN. The New VLAN Configuration dialog box appears.
4. In the Name (Alias) text box, type a name for the VLAN. The name cannot contain spaces. For this example, type External-VLAN10.
5. (Optional) In the Description text box, type a description. For this example, type ISP-1.
6. In the VLAN ID text box, type or select a number for the VLAN. For this example, select 10.
7. From the Security Zone drop-down list, select the security zone for the VLAN. For this example, select External.
Security zones correspond to aliases for interface security zones. For example, VLANs of type External are handled by policies that use the alias Any-External as a source or destination.
8. Select Use Static IP.
9. In the IP Address text box, type the IP address. For this exercise, type 198.51.100.X/24. Replace the X in the IP address with the student number your instructor gives you. For example, if your student number is 10, type 198.51.100.10/24.
10. In the Default Gateway text box, type the gateway address. For this exercise, type 198.51.100.1.
This configuration must have a corresponding upstream connection that is the default gateway (198.51.100.1).
11. Click OK.
12. Click Add and create another new VLAN. The New VLAN Configuration dialog box appears.
13. In the Name (Alias) text box, type a name for the VLAN. The name cannot contain spaces. For this example, type External-VLAN20.
14. (Optional) In the Description text box, type a description. For this exercise, type ISP-2.
15. In the VLAN ID text box, type or select a number for the VLAN. For this example, select 20.
16. From the Security Zone drop-down list, select the security zone for the VLAN. For this example, select External.
17. Select Use Static IP.
18. In the IP Address text box, type the IP address. For this example, type 198.0.2.X/24. Replace the X in the IP address with the student number your instructor gives you. For example, if your student number is 10, type 198.0.2.10/24.
19. In the Default Gateway text box, type the gateway address. For this exercise, type 198.0.2.1. This configuration must have a corresponding upstream connection that is the default gateway (198.0.2.1).
20. Click OK. The new VLANs appear.
Figure 20: VLANtab with new External-VLAN10 and External-VLAN20
21. Select the Interfacestab.
22. Select Interface 3. Click Configure.
23. From the Interface Type drop-down list, select VLAN. The Interface Type Configuration section appears on the IPv4 tab. Both new VLANs appear in the list.
24. Select Send and receive tagged traffic for selected VLANs.
25. In the Membercolumn, select the check boxes for External-VLAN10 and External-VLAN20.
Figure 21: The Member column shows which VLANs this interface is a member of.
26. Click OK.
27. Check your work.
The Interfaces tab should look like this.
Figure 22: Interface 3 is now type VLAN
The VLAN tab should look like this.
Figure 23: VLAN tab after the VLANs are defined
28. Save this configuration to the device.
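The membership rules that Exercises 2, 3 and 4 rely on (an interface may tag for many VLANs but untag for only one; the untagged option is not offered for a VLAN in the External zone, and tagged and untagged traffic cannot be mixed on an interface when an External VLAN is involved; an External VLAN with a static IP needs an upstream default gateway) can be written down as a small model. The following is an added example, not part of the WatchGuard guide and not Fireware code: the `Vlan`, `Interface`, `validate` and `render_vlan_tab` names are my own, and the sample configurations are the ones the three exercises build, with student number 10 as in the guide's own example. `render_vlan_tab` reproduces the Interfaces column of the VLAN tab; where the guide prints untagging interfaces in boldface, the model marks them "(U)".

```python
# Added example (not from the WatchGuard guide): model of Firebox VLAN membership rules.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_interface
from typing import Dict, List, Optional


@dataclass
class Vlan:
    name: str
    vid: int
    zone: str                      # "Trusted", "Optional" or "External"
    ip: str                        # VLAN interface address, e.g. "192.168.10.1/24"
    gateway: Optional[str] = None  # default gateway, needed for an External VLAN


@dataclass
class Interface:
    number: int
    tagged: List[str] = field(default_factory=list)  # VLANs this interface tags for
    untagged: Optional[str] = None                   # the single VLAN it untags for


def validate(vlans: Dict[str, Vlan], interfaces: List[Interface]) -> List[str]:
    """Return the list of problems; an empty list means the design is accepted."""
    problems: List[str] = []
    vid_owner: Dict[int, str] = {}
    for v in vlans.values():
        if " " in v.name:
            problems.append(f"{v.name!r}: the name cannot contain spaces")
        if v.vid in vid_owner:
            problems.append(f"{v.name}: VLAN ID {v.vid} is already used by {vid_owner[v.vid]}")
        vid_owner[v.vid] = v.name
        if v.zone == "External":
            net = ip_interface(v.ip).network
            if v.gateway is None:
                problems.append(f"{v.name}: an External VLAN needs a default gateway")
            elif ip_address(v.gateway) not in net:
                problems.append(f"{v.name}: gateway {v.gateway} is not in {net}")
    for i in interfaces:
        members = i.tagged + ([i.untagged] if i.untagged else [])
        for n in members:
            if n not in vlans:
                problems.append(f"Interface {i.number}: unknown VLAN {n}")
        if i.untagged in i.tagged:
            problems.append(f"Interface {i.number}: {i.untagged} cannot be both tagged and untagged")
        if i.untagged in vlans:
            # Untagging is not offered for an External VLAN, and an interface that
            # mixes tagged and untagged traffic cannot include an External VLAN.
            if vlans[i.untagged].zone == "External":
                problems.append(f"Interface {i.number}: cannot untag for External VLAN {i.untagged}")
            if any(vlans[n].zone == "External" for n in i.tagged if n in vlans):
                problems.append(f"Interface {i.number}: tagged and untagged traffic cannot be mixed with an External VLAN")
    return problems


def render_vlan_tab(vlans: Dict[str, Vlan], interfaces: List[Interface]) -> Dict[str, str]:
    """Interfaces column of the VLAN tab: tagging interfaces as plain numbers,
    untagging interfaces marked (U) where the guide uses boldface."""
    column = {}
    for name in vlans:
        cells = []
        for i in interfaces:
            if name in i.tagged:
                cells.append(str(i.number))
            if i.untagged == name:
                cells.append(f"{i.number}(U)")
        column[name] = ", ".join(cells)
    return column


def exercise2():
    """Interface 3 tags and Interface 4 untags for VLAN10."""
    vlans = {"VLAN10": Vlan("VLAN10", 10, "Trusted", "192.168.10.1/24")}
    return vlans, [Interface(3, tagged=["VLAN10"]), Interface(4, untagged="VLAN10")]


def exercise3():
    """Two switches: Interfaces 3 and 4 both tag for VLAN10."""
    vlans = {"VLAN10": Vlan("VLAN10", 10, "Trusted", "192.168.10.1/24")}
    return vlans, [Interface(3, tagged=["VLAN10"]), Interface(4, tagged=["VLAN10"])]


def exercise4(student: int = 10):
    """Two External VLANs carried on Interface 3 (student number 10 as in the guide)."""
    vlans = {
        "External-VLAN10": Vlan("External-VLAN10", 10, "External", f"198.51.100.{student}/24", "198.51.100.1"),
        "External-VLAN20": Vlan("External-VLAN20", 20, "External", f"198.0.2.{student}/24", "198.0.2.1"),
    }
    return vlans, [Interface(3, tagged=["External-VLAN10", "External-VLAN20"])]


def rejected_example():
    """A combination Policy Manager does not offer: untagging for an External VLAN."""
    vlans, _ = exercise4()
    return vlans, [Interface(3, tagged=["External-VLAN10"], untagged="External-VLAN20")]


if __name__ == "__main__":
    for label, build in [("Ex2", exercise2), ("Ex3", exercise3), ("Ex4", exercise4), ("rejected", rejected_example)]:
        v, i = build()
        print(label, render_vlan_tab(v, i), validate(v, i) or "OK")
```

The value of a model like this is in the rejected case: it shows, before anything is saved to the device, which combinations the interface dialog will refuse and why, and it makes the bold/normal convention of the VLAN tab explicit for anyone reviewing an exported configuration.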
Configure the Switch
Add VLANs to the switch that connects to your ISP. In the diagram, this is labeled Switch A.
Refer to the instructions from your switch manufacturer to configure VLAN tagging on