User manual

Network Setup
90
A guide to bridging across an IPSec tunnel using GRE is provided in the section entitled
GRE over IPSec in the Virtual Private Networking chapter.
VLANs
Note
VLANs are not supported by the SG300.
VLAN stands for virtual local area network. It is a method of creating multiple virtual
network interfaces using a single physical network interface.
Packets in a VLAN are ordinary Ethernet packets that carry an extra 4-byte tag, inserted
after the source MAC address and before the EtherType field. The format of the tag is
defined by the IEEE 802.1Q standard: a 2-byte tag protocol identifier (0x8100) that marks
the packet as tagged, followed by 2 bytes of tag control information holding a 3-bit
priority, a 1-bit drop-eligible flag and a 12-bit VLAN ID. The VLAN ID (1 to 4094; 0 and
4095 are reserved) is used to distinguish each VLAN. A packet containing a VLAN tag is
called a tagged packet.
When a packet is routed out a VLAN interface, the VLAN tag is inserted and the packet is
then sent out on the underlying physical interface. When a packet is received on the
physical interface, it is checked for a VLAN tag. If one is present, the router makes the
packet appear to have arrived on the VLAN interface whose VLAN ID matches the tag.
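The tag layout just described, as an added illustration that is not code from the SG manual or the SG firmware: a small Python builder and parser for 802.1Q frames. It inserts the tag on the egress path and strips it on the ingress path in the way the paragraph describes, rejects reserved VLAN IDs, and treats a frame whose EtherType is not 0x8100 as untagged. The MAC addresses, EtherType and payload used in the demo are constructed values.

```python
"""
Added example, not part of the SG manual: build and parse IEEE 802.1Q tagged
Ethernet frames. All addresses and payload bytes below are constructed.

Layout of a tagged frame:
  dst MAC (6) | src MAC (6) | TPID 0x8100 (2) | TCI (2) | EtherType (2) | payload
TCI = PCP (3 bits, priority) | DEI (1 bit, drop eligible) | VID (12 bits, VLAN ID)
"""
import struct

TPID_8021Q = 0x8100          # EtherType value that marks an 802.1Q tagged frame
MIN_VID, MAX_VID = 1, 4094   # VID 0 (priority-only tag) and 4095 are reserved


def build_untagged(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Plain Ethernet frame, as a host hands it to an untagged interface."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    return dst + src + struct.pack("!H", ethertype) + payload


def tag_frame(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert the 802.1Q tag after the source MAC: the egress step the router
    performs when a packet is routed out a VLAN interface."""
    if not MIN_VID <= vid <= MAX_VID:
        raise ValueError("VLAN ID must be 1..4094")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("PCP is 3 bits, DEI is 1 bit")
    if len(frame) < 14:
        raise ValueError("not an Ethernet frame")
    tci = (pcp << 13) | (dei << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_frame(frame: bytes) -> dict:
    """Split a frame into its fields; 'vlan' is None for an untagged frame.
    This is the ingress check: a tag present means the packet is treated as
    having arrived on the VLAN interface with the matching VLAN ID."""
    if len(frame) < 14:
        raise ValueError("truncated frame")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return {"dst": dst, "src": src, "vlan": None, "pcp": None, "dei": None,
                "ethertype": ethertype, "payload": frame[14:]}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    return {"dst": dst, "src": src,
            "vlan": tci & 0x0FFF, "pcp": tci >> 13, "dei": (tci >> 12) & 1,
            "ethertype": ethertype, "payload": frame[18:]}


def untag_frame(frame: bytes) -> tuple:
    """Remove the tag; returns (vid, untagged frame). Raises if there is no tag."""
    fields = parse_frame(frame)
    if fields["vlan"] is None:
        raise ValueError("frame carries no 802.1Q tag")
    return fields["vlan"], frame[:12] + frame[16:]


def demo() -> dict:
    """Round trip with constructed values: tag on egress, parse on ingress."""
    dst = bytes.fromhex("ffffffffffff")          # broadcast
    src = bytes.fromhex("020000000001")          # locally administered, constructed
    payload = bytes.fromhex("45") + bytes(19)    # stand-in IPv4 header bytes
    untagged = build_untagged(dst, src, 0x0800, payload)
    tagged = tag_frame(untagged, vid=100, pcp=5)
    return {"tagged_len": len(tagged), "parsed": parse_frame(tagged),
            "restored": untag_frame(tagged) == (100, untagged)}


if __name__ == "__main__":
    d = demo()
    print(d["tagged_len"], d["parsed"]["vlan"], d["parsed"]["pcp"], d["restored"])
```

Note that the whole tagging operation is a few bytes of in-memory manipulation with no hardware involvement, which is why a tag by itself does not separate devices that share a physical segment: any host on that segment can emit frames tagged with any VLAN ID.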
Once added, VLAN interfaces can be configured through the Network Setup ->
Connections table as if they were additional physical network interfaces.
Note
Since the addition and removal of the VLAN header are performed in software, any
network device can send and receive tagged packets. This also means that a VLAN tag by
itself provides no isolation: any device on the physical segment can tag its own packets
with any VLAN ID and so reach any VLAN interface on that port. VLANs should therefore
not be relied on for security unless you trust all the devices on the network segment.
A typical use of VLANs with the SG unit is to enforce access policies between ports on an
external switch that supports port-based VLANs.
In this scenario, only the switch and other trusted devices should be directly connected to
the LAN port of the SG unit. The SG unit and the switch are configured with a VLAN for
each port or group of ports on the switch. The switch is configured to map packets
between its ports and the VLANs: packets on the link to the SG unit are tagged, while the
switch ports themselves carry untagged packets, so a device plugged into a switch port
cannot choose its own VLAN. The SG unit can then be configured with firewall rules for
the VLAN interfaces, and these rules are effectively applied to the corresponding ports on
the switch.
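The scenario above, as an added example that is not the SG unit's own configuration (the SG unit is configured through its web interface): the equivalent on a generic Linux router, with one 802.1Q sub-interface per switch VLAN on the LAN port and forwarding rules written per sub-interface. The interface names (eth0 as the LAN port, eth1 as the WAN port), VLAN IDs 10 and 20, their roles and the addresses are assumptions. By default the script only prints the commands; set DRY_RUN=0 and run it as root to apply them.

```shell
#!/bin/sh
# Added example, not the SG unit's configuration: per-VLAN firewall policy on a
# generic Linux router. Assumed layout (not from the manual):
#   eth0    LAN port, connected only to the VLAN-capable switch (tagged link)
#   eth1    WAN port
#   VLAN 10 staff ports on the switch, router address 10.0.10.1/24
#   VLAN 20 guest ports on the switch, router address 10.0.20.1/24
LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-eth1}
DRY_RUN=${DRY_RUN:-1}   # 1 = print the commands only; 0 = execute them (needs root)

# run CMD...: print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# vlan_up VID ADDRESS/PREFIX: create LAN_IF.VID, the interface that receives
# packets tagged with VID, and give it an address.
vlan_up() {
    vid=$1
    addr=$2
    run ip link add link "$LAN_IF" name "$LAN_IF.$vid" type vlan id "$vid"
    run ip addr add "$addr" dev "$LAN_IF.$vid"
    run ip link set "$LAN_IF.$vid" up
}

# policy: forwarding rules per VLAN sub-interface. Because each VLAN maps to
# a switch port group, a rule on eth0.10 is effectively a rule on those ports.
policy() {
    # Default deny between all interfaces; allow replies for established flows.
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Staff ports (VLAN 10) may reach the WAN.
    run iptables -A FORWARD -i "$LAN_IF.10" -o "$WAN_IF" -j ACCEPT
    # Guest ports (VLAN 20) may reach the WAN only; guest-to-staff traffic and
    # anything arriving untagged on the bare LAN port fall through to the
    # default DROP, so no further rules are needed for them.
    run iptables -A FORWARD -i "$LAN_IF.20" -o "$WAN_IF" -j ACCEPT
}

main() {
    vlan_up 10 10.0.10.1/24
    vlan_up 20 10.0.20.1/24
    policy
}

main
```

The order matters on a real router: bring the sub-interfaces up and set the default DROP policy before adding the ACCEPT rules, so that no window exists in which inter-VLAN traffic is forwarded.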