Virtual LAN

Configuration Guide

Version 9

Document version 96-1.0-12/05/2009

Elitecore has supplied this Information believing it to be accurate and reliable at the time of printing, but is presented
without warranty of any kind, expressed or implied. Users must take full responsibility for their application of any
products. Elitecore assumes no responsibility for any errors that may appear in this document. Elitecore reserves the
right, without notice to make changes in product design or specifications. Information is subject to change without notice.
The Appliance described in this document is furnished under the terms of Elitecore's End User license agreement.
Please read these terms and conditions carefully before using the Appliance. By using this Appliance, you agree to be
bound by the terms and conditions of this license. If you do not agree with the terms of this license, promptly return the
unused Appliance and manual (with proof of payment) to the place of purchase for a full refund.
Software: Elitecore warrants for a period of ninety (90) days from the date of shipment from Elitecore: (1) the media on
which the Software is furnished will be free of defects in materials and workmanship under normal use; and (2) the
Software substantially conforms to its published specifications. Except for the foregoing, the software is provided AS IS.
This limited warranty extends only to the customer as the original licensee. Customer's exclusive remedy and the entire
liability of Elitecore and its suppliers under this warranty will be, at Elitecore's or its service center's option, repair,
replacement, or refund of the software if reported (or, upon, request, returned) to the party supplying the software to the
customer. In no event does Elitecore warrant that the Software is error free, or that the customer will be able to operate
the software without problems or interruptions. Elitecore hereby declares that the anti virus and anti spam modules are
powered by Kaspersky Labs and Commtouch respectively and the performance thereof is under warranty provided by
Kaspersky Labs and by Commtouch. It is specified that Kaspersky Lab does not warrant that the Software identifies all
known viruses, nor that the Software will not occasionally erroneously report a virus in a title not infected by that virus.
Hardware: Elitecore warrants that the Hardware portion of the Elitecore Products excluding power supplies, fans and
electrical components will be free from material defects in workmanship and materials for a period of One (1) year.
Elitecore's sole obligation shall be to repair or replace the defective Hardware at no charge to the original owner. The
replacement Hardware need not be new or of an identical make, model or part; Elitecore may, in its discretion, replace
the defective Hardware (or any part thereof) with any reconditioned product that Elitecore reasonably determines is
substantially equivalent (or superior) in all material respects to the defective Hardware.
Except as specified in this warranty, all expressed or implied conditions, representations, and warranties including,
without limitation, any implied warranty of merchantability, fitness for a particular purpose, non-infringement or arising
from a course of dealing, usage, or trade practice, are hereby excluded to the extent allowed by applicable law.
In no event will Elitecore or its supplier be liable for any lost revenue, profit, or data, or for special, indirect,
consequential, incidental, or punitive damages however caused and regardless of the theory of liability arising out of the
use of or inability to use the product even if Elitecore or its suppliers have been advised of the possibility of such
damages. In no event shall Elitecore's or its suppliers' liability to the customer, whether in contract, tort (including
negligence) or otherwise, exceed the price paid by the customer. The foregoing limitations shall apply even if the above
stated warranty fails of its essential purpose.
In no event shall Elitecore or its supplier be liable for any indirect, special, consequential, or incidental damages,
including, without limitation, lost profits or loss or damage to data arising out of the use or inability to use this manual,
even if Elitecore or its suppliers have been advised of the possibility of such damages.
Copyright 1999-2009 Elitecore Technologies Ltd. All rights reserved. Cyberoam, Cyberoam logo are trademark of
Elitecore Technologies Ltd.
Elitecore Technologies Ltd.
904 Silicon Tower, Off. C.G. Road,
Ahmedabad 380015, INDIA
Phone: +91-79-66065606
Fax: +91-79-26407640

Technical Support
Typographic Conventions

Introduction
Cyberoam and VLAN support
VLAN Implementation Sample

Define Virtual Subinterface

VLAN Management

Technical Support
You may direct all questions, comments, or requests concerning the software you purchased, your
registration status, or similar issues to Customer care/service department at the following address:
Corporate Office
eLitecore Technologies Ltd.
904, Silicon Tower
Off C.G. Road
Ahmedabad 380015
Gujarat, India.
Phone: +91-79-66065606
Fax: +91-79-26407640
Cyberoam contact:
Technical support (Corporate Office): +91-79-26400707
Visit for the regional and latest contact information.

Typographic Conventions
Material in this manual is presented in text, screen displays, or command-line notation.

Machine where Cyberoam Software - Server component is
Machine where Cyberoam Software - Client component is
The end user
Username uniquely identifies the user of the system

Part titles: Bold and shaded font
Topic titles: Shaded font
Bold & Black
Navigation link: Bold typeface. Example: Group Management > Groups > Create. It means, to open the required page click on Group management, then on Groups, and finally click the Create tab.
Name of a parameter / field / command button text: italic type. Examples: Enter policy name, replace policy name with the specific name of a policy. Click Name to select, where Name denotes command button text which is to be clicked.
Hyperlink in different color. Example: refer to Customizing User database. Clicking on the link will open the particular topic.
Notes & points to remember: Bold typeface between the black borders
Bold typefaces between the black borders
Notation conventions
Prerequisite details

Introduction

A local area network (LAN) consists of the devices in the same broadcast domain. Routers stop
broadcasts, while switches just forward them.
A Virtual LAN (VLAN) is a broadcast domain configured on a switch on a port-by-port basis.
Generally, a router creates the broadcast domain, but with VLANs a switch can also create a
broadcast domain.
VLANs allow you to segment your switched network so that broadcast domains are smaller, leaving
more bandwidth for your end nodes. Devices that are in one VLAN can communicate with each
other but cannot communicate with the devices in another VLAN. The communication among
devices on a VLAN is independent of the physical network.
A VLAN segregates devices by adding 802.1Q VLAN tags to all of the packets sent and received
by the devices in the VLAN. VLAN ID/tags are 4-byte frame extensions that contain a VLAN
identifier as well as other information.
Increased Port density
Logical segmentation of Network irrespective of physical placement
Granular security on heterogeneous LANs
Improved Network throughput as VLAN confines broadcast domain

Cyberoam and VLAN support

Cyberoam supports VLANs for constructing VLAN trunks between an IEEE 802.1Q-compliant
switch or router and the Cyberoam Appliances. Normally, the Cyberoam Appliance internal
interface connects to a VLAN trunk on an internal switch, and the external interface connects to an
upstream Internet router. Cyberoam can then apply different policies for traffic on each VLAN that
connects to the internal interface.
In a typical VLAN configuration, 802.1Q-compliant VLAN layer-2 switches or layer-3 routers add
VLAN IDs to packets. Layer-2 switches can handle packets passing between devices in the same
VLAN. A layer-3 device such as a router or layer-3 switch must handle packets passing between
devices in different VLANs.
The Cyberoam appliance functions as a layer-3 device to control the flow of packets between VLANs.
Cyberoam can also remove VLAN IDs/tags from incoming VLAN packets and forward untagged
packets to other networks, such as the Internet.
VLAN support on Cyberoam is achieved by means of virtual interfaces, which are logical interfaces
nested beneath a physical interface/port. Every unique VLAN ID requires its own virtual interface.
You add virtual interfaces to the Cyberoam's internal interface that have VLAN IDs that match the
VLAN IDs of packets in the VLAN trunk. Cyberoam then directs packets with VLAN IDs to
interfaces with matching VLAN IDs.
You can also define virtual interfaces on all the Cyberoam interfaces except the external interface,
i.e. the interface for the WAN zone. Cyberoam can add VLAN IDs to packets leaving a VLAN interface,
or remove VLAN IDs from incoming packets and add different VLAN IDs to outgoing packets.
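
To make the 4-byte 802.1Q tag and the remove/replace operations described above concrete, here is an added Python example (not Cyberoam code and not part of the original guide). The function names are hypothetical and the sample frame is constructed.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

def parse_vlan_tag(frame: bytes):
    """Return (vlan_id, priority, dei, inner_ethertype), or None if untagged."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    (tpid,) = struct.unpack_from("!H", frame, 12)  # follows dst MAC + src MAC
    if tpid != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack_from("!HH", frame, 14)
    # TCI layout: 3-bit priority, 1-bit drop-eligible flag, 12-bit VLAN ID
    return tci & 0x0FFF, tci >> 13, (tci >> 12) & 1, inner

def strip_tag(frame: bytes) -> bytes:
    """Remove the tag, as when forwarding to an untagged network."""
    return frame if parse_vlan_tag(frame) is None else frame[:12] + frame[16:]

def add_tag(frame: bytes, vlan_id: int, priority: int = 0) -> bytes:
    """Insert a 4-byte tag after the source MAC of an untagged frame."""
    if not 0 <= vlan_id <= 0x0FFF or not 0 <= priority <= 7:
        raise ValueError("VLAN ID is 12 bits, priority is 3 bits")
    if parse_vlan_tag(frame) is not None:
        raise ValueError("frame is already tagged")
    tag = struct.pack("!HH", TPID_8021Q, (priority << 13) | vlan_id)
    return frame[:12] + tag + frame[12:]

def retag(frame: bytes, new_vlan_id: int) -> bytes:
    """Replace the VLAN ID of a tagged frame, keeping its priority bits."""
    parsed = parse_vlan_tag(frame)
    if parsed is None:
        raise ValueError("frame carries no VLAN tag")
    return add_tag(strip_tag(frame), new_vlan_id, parsed[1])

# Constructed sample: broadcast dst MAC, made-up src MAC, IPv4 EtherType, zero payload.
UNTAGGED = bytes.fromhex("ffffffffffff" "020000000001" "0800") + bytes(46)
TAGGED_100 = add_tag(UNTAGGED, 100)

if __name__ == "__main__":
    print(parse_vlan_tag(TAGGED_100))
    print(parse_vlan_tag(retag(TAGGED_100, 200)))
```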

A virtual interface has most of the capabilities and characteristics of a physical interface, including
zone membership, security services, routing, access rule controls, virus, and spam scanning.
Cyberoam supports up to 4093 interfaces.
Using VLANs, a single Cyberoam appliance can provide security services and control connections
between multiple domains. Configure different VLAN IDs for the traffic of each domain. Cyberoam
recognizes VLAN IDs and applies security policies to secure the network between domains. Cyberoam
also applies authentication, various policies, and firewall rule features for the network.

VLAN (Virtual LAN) tags will be preserved even when antivirus scanning, spam filtering and web
filtering using Internet Access Policy (IAP) are applied to VLAN tagged traffic in Bridge mode.

VLAN Implementation Sample

A VLAN is a switched network logically segmented by functions, project teams, or applications
without regard to the physical location of users. For example, several workstations can be grouped as a
department, such as engineering or accounting. When the workstations are physically located
close to one another, you can group them into a LAN segment. You can group workstations in a
VLAN without regard to the physical location of the workstations, e.g. group workstations on different
floors or buildings of an enterprise in a VLAN.
You can assign each switch port to a VLAN. Ports in a VLAN share broadcast traffic. Ports that do
not belong to that VLAN do not share the broadcast traffic.
The example below illustrates a typical deployment of a VLAN with an SME that spans
multiple floors.

In the example above, the network has Cyberoam and a VLAN switch; the Web server farm and mail
server (DMZ zone) are also located in the same room, while Management workstations and laptops
(LAN zone) are physically distributed.
The switch on the first floor provides connectivity to the Engineering department and all the ports of this
switch are assigned to VLAN 100.
The switch on the second floor provides connectivity to the Sales & Marketing department and all the ports
of this switch are assigned to VLAN 200.
The switch on the third floor provides connectivity to the HR & Admin department and all the ports of this
switch are assigned to VLAN 300.
Cyberoam internal interfaces connect to:
A VLAN switch using an 802.1Q trunk, configured with 3 Virtual Interfaces (VLAN 100,
VLAN 200, and VLAN 300).
Network in LAN zone
Network in DMZ
The external interface connects to the Internet and is not configured with virtual subinterfaces.
When the switch receives packets from VLAN 100, VLAN 200, and VLAN 300, it applies VLAN ID
tags and forwards the packets to local ports and across the trunk to the Cyberoam appliance. The
Cyberoam appliance has policies that allow traffic to flow between the VLANs and from the VLANs
to the external network as well as to and from the LAN zone.

Define Virtual Subinterface

Select System > Configure Network > Manage Interface and click the Add VLAN
Subinterface button to open the create page.

Screen - Add VLAN Subinterface screen elements

Screen Elements: Description

Add VLAN Subinterface

Physical Interface: Select the parent interface of the virtual subinterface. The virtual subinterface will be a member of the selected physical interface.

VLAN ID: Specify the VLAN ID. The interface VLAN ID can be any number between 2 and 4094. The VLAN ID of each virtual subinterface must match the VLAN ID of the packet. If the IDs do not match, the virtual subinterface will not receive the VLAN tagged traffic. Virtual interfaces added to the same physical interface cannot have the same VLAN ID. However, you can add virtual subinterfaces with the same VLAN ID to different physical interfaces.

IP address and Netmask: Specify the IP address and netmask for the interface. Only a static IP address can be assigned, and the subnet ID should be unique across all the physical/virtual subinterfaces.

Zone: Select a Zone to assign to the virtual subinterface. The virtual subinterface will be a member of the selected zone. A virtual subinterface remains unused until it is included in a zone. A virtual subinterface can be a member of the LAN, DMZ or a custom zone.
Please note:
1. Zone membership can be defined at the time of defining the virtual subinterface or later whenever required.
2. One can also create a custom zone for the virtual subinterface, and the virtual subinterface can be a member of this custom zone. Refer To create Zone on how to create a custom zone.
3. A virtual subinterface cannot be a member of the WAN zone.

Create button: Click to save the configuration and create the virtual subinterface. Interface details (System>Configuration Network>Manage Interface page) will display the newly defined virtual subinterface under the physical interface selected in step 1.

Table - Add VLAN Subinterface screen elements
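
The constraints in the table above (VLAN ID range, ID uniqueness per physical interface, unique subnets, no WAN zone membership) can be checked against a planned configuration before it is entered in the GUI. The following Python checker is an added example, not Cyberoam code; the `SubIf` type, the port names and all addresses are constructed, and it assumes that overlapping subnets count as non-unique.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class SubIf:
    parent: str     # physical interface name (hypothetical naming)
    vlan_id: int
    cidr: str       # static IP address with netmask, e.g. "10.0.100.1/24"
    zone_type: str  # "LAN", "DMZ", "WAN" or "CUSTOM"

def validate(plan, existing_subnets=()):
    """Return a list of rule violations for a planned set of subinterfaces."""
    errors, seen_ids = [], set()
    nets = [ipaddress.ip_network(n) for n in existing_subnets]
    for s in plan:
        name = f"{s.parent}.{s.vlan_id}"
        if not 2 <= s.vlan_id <= 4094:
            errors.append(f"{name}: VLAN ID outside 2-4094")
        # Same ID on a different physical interface is allowed, so key on both.
        if (s.parent, s.vlan_id) in seen_ids:
            errors.append(f"{name}: duplicate VLAN ID on {s.parent}")
        seen_ids.add((s.parent, s.vlan_id))
        if s.zone_type.upper() == "WAN":
            errors.append(f"{name}: cannot be a member of the WAN zone")
        try:
            net = ipaddress.ip_interface(s.cidr).network
        except ValueError:
            errors.append(f"{name}: invalid IP address/netmask {s.cidr!r}")
            continue
        # Assumption: any overlap with an already used subnet is a conflict.
        if any(net.overlaps(n) for n in nets):
            errors.append(f"{name}: subnet {net} is not unique")
        nets.append(net)
    return errors

# Constructed plan modelled on the three-floor sample; addresses are made up.
GOOD = [SubIf("PortA", 100, "10.0.100.1/24", "LAN"),
        SubIf("PortA", 200, "10.0.200.1/24", "LAN"),
        SubIf("PortA", 300, "10.0.30.1/24", "CUSTOM")]
BAD = GOOD + [SubIf("PortA", 100, "10.0.50.1/24", "LAN"),   # ID reused on PortA
              SubIf("PortC", 100, "10.0.200.9/24", "DMZ"),  # ID ok, subnet reused
              SubIf("PortC", 1, "10.0.60.1/24", "WAN")]     # bad ID and WAN zone

if __name__ == "__main__":
    for line in validate(BAD):
        print(line)
```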

If the custom zone is created for Virtual subinterface, two default firewall rules for the zone are
automatically created depending on zone type of the custom zone. For example, if the zone type
for the virtual interface is LAN, two default firewall rules under virtual subinterface to WAN zone
are automatically created based on the default LAN to WAN zone firewall rules.

To define Zone membership of Virtual Subinterface

1. Select System > Zone > Manage and click the Zone in which the virtual subinterface is
to be included.
2. Click the virtual subinterface to be included from the Available Port(s) list and click to move to
the Member Port(s) list.
3. Specify description
4. Click Save button
Once the virtual interface is defined and is included in a zone, it can be treated exactly the same as
the physical interface. Customization of firewall rules that govern the traffic between VLANs and
other interfaces, IDP policies and virus and spam scanning can be performed the same way as
done with the physical interface.


VLAN Management
Use to:
Update virtual subinterface details
Change Zone membership
Delete virtual subinterface

Update Virtual subinterface

1. Select System > Configure Network > Manage Interface and click the Edit icon
against the Interface whose details are to be updated
2. Displays Interface name which cannot be updated
3. Displays IP address and netmask assigned to the Interface. Modify, if required. Assign static
IP address only and subnet ID should be unique across all the physical/virtual subinterfaces.
4. Click Update button to save the changes.

Screen Edit Virtual subinterface


To change Zone membership of Virtual subinterface

To change the zone membership, first remove the membership of the Virtual subinterface from
the zone and then define the membership in the required zone.
To remove the membership, refer To remove Zone membership of Virtual subinterface.
To define the membership, refer To define Zone membership of Virtual subinterface.

Delete Virtual subinterface

Virtual subinterface should be the member of any zone
No firewall rule created for the virtual subinterface
Select System > Configure Network > Manage Interface and click the Delete icon
against the Interface to be deleted

Screen Delete Virtual subinterface