How to configure a sub-interface for VLANs on an existing customer firewall
This guide will walk you through the steps to configure a sub-interface for VLANs.
Scenarios:
- Customer already has VLANs configured and is adding a new one
- Customer had an unmanaged switch and is adding a managed switch with VLANs
General Information:
You will need the following information to create a VLAN interface.
- VLAN ID / Tag
- Network ID
- Subnet mask
- Default Gateway (.1 or .254), e.g. 192.168.0.1/24 or 192.168.0.254/24
- VLAN purpose (Trust LAN, Wireless, Guest, Management, Etc.) for zone placement or creation.
We also like to know the make and model of the downstream switch for our interface comments.
Note: VLAN 1 (the default VLAN) is usually untagged. If VLAN 1 is in use, ask whether it is tagged or untagged. If they are unsure, leave it untagged and on the primary interface. If devices in VLAN 1 are not able to communicate, create a sub-interface for VLAN 1 with 1 as the VLAN ID/tag.
It is important to review the current firewall configurations to get an understanding of the client network and preferences. If there are already VLANs configured, you can review the default gateway IPs to see if .1 or .254 is being used. If there's a mix, it is best to check with the client on what they would like to use.
We reserve the following ports for standardization:
OCS Default Port Reservations:
eth1/1 - WAN - Primary
eth1/2 - WAN - Backup
eth1/3 - LAN (preferred 1)
eth1/4 - LAN
eth1/5 - LAN (preferred 2)
eth1/6 - LAN
eth1/7 - Mgmt loopback
eth1/8 - LAN
If eth1/3 is already being used, we prefer eth1/5 as the next port. After that, you can choose any available port.
Interface Management Profiles:
Ping Only - Allows devices connected to the subnet to ping the default gateway.
- Use on most interfaces such as Guest, Staff, Accounting, etc.
LAN Mgmt - Allows devices connected to the subnet to reach the management interface of the firewall.
- Use when the subnet is part of Management or IT, as these departments will help us in troubleshooting scenarios. This allows us to reach the firewall GUI from their respective LAN, if needed.
Lastly, we should check whether any additional security policies are needed to support these VLANs and their function. By default, we permit each VLAN to talk outbound to the internet, so we are mainly looking at how the subnets interact with each other: Which VLANs should be allowed to talk to each other? What type of traffic is expected to traverse between each VLAN?
Configuring the interface
Step 1.) Determine which interface will be connected to the downstream switch. Typically this will be eth1/3 if there is only one downlink connection to the LAN, but it can be any of the available LAN ports.
Step 2.) Configure the primary interface:
Comment: Make/Model of downstream switch and/or VLAN ID / Purpose
Type: layer 3
Netflow Profile: None
Virtual Router: Default
Security Zone: None or Zone of VLAN 1
IP Address: None or Default Gateway of VLAN1 (Default)
Note: the primary interface itself carries VLAN 1 (Default) if VLAN 1 is in use.
Step 3.) Configure the sub-interface(s) (default gateways for each VLAN)
Name: eth1/x.[vlanid], e.g. eth1/3.10
Comment: VLAN Purpose / ID
Tag: VLAN ID / Tag
Netflow: None
Virtual Router: Default
Security Zone: Refer to VLAN purpose, create a new zone if needed.
IPv4 > IP Address: Refer to Network ID + customer preference for default gateway IP(.1 or .254)
Advanced > Management Profile: Ping Only or LAN Mgmt
In addition to configuring the interfaces, the firewall will typically handle DHCP and NAT for these new networks. Configure these if applicable.
DHCP Server:
1. Ask the client for DHCP scope preferences. If they have no preference, use the following scope:
- Ping IP when allocating new IP: Yes
- Lease Setting: Timeout
- Duration: 8 hours (the default is 1 day)
- Interface: Ethernet1/x.[vlanid], e.g. ethernet1/3.10
- IP pool: x.x.x.50-x.x.x.254, e.g. 192.168.10.50-192.168.10.254
- Default Gateway: x.x.x.1 or x.x.x.254 (refer to the IPv4 address assigned to the sub-interface)
- Subnet mask: 255.255.255.0 (refer to the customer-provided information)
- Primary DNS: 8.8.8.8
- Secondary DNS: 1.1.1.1
Note: Starting the IP pool at .50 allows .2-.49 to be "held" in case the client wants to statically reserve IP addresses for network resources such as printers, phones, servers, etc.
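The inputs collected under General Information map directly onto the Step 3 sub-interface fields and the DHCP scope above, and most of the mistakes we see (gateway not in the subnet, a .254 gateway handed out by the pool, a mixed .1/.254 convention, a host address entered as the Network ID) are mechanical. The following Python helper is an added example, not part of this runbook and not a vendor tool: it takes the client-provided VLAN details, derives the sub-interface name, gateway, zone, management profile and DHCP pool using the conventions documented above, and refuses or warns on the edge cases. The VlanRequest fields, the function names and the sample VLAN data are constructed for illustration; the .1/.254 choice, the .50-.254 pool, the 8.8.8.8/1.1.1.1 DNS servers and the Ping Only / LAN Mgmt profiles come from this document.

```python
"""Derive and sanity-check sub-interface and DHCP values for a new VLAN.

Added example (not part of the runbook, not a vendor tool). The conventions
encoded here come from the runbook: eth1/x.[vlanid] naming, .1 or .254 gateway,
DHCP pool from .50 to the end of the subnet, 8.8.8.8 / 1.1.1.1 DNS, and the
"Ping Only" vs "LAN Mgmt" profile choice. Field names and sample data are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

MGMT_PURPOSES = {"management", "it"}   # subnets that get the LAN Mgmt profile
DNS_SERVERS = ("8.8.8.8", "1.1.1.1")
POOL_START_HOST = 50                   # .2-.49 are held for static assignments
LEASE = "8 hours"


@dataclass
class VlanRequest:
    """What the client hands us for one VLAN (constructed field names)."""
    vlan_id: int                        # 802.1Q tag
    network: str                        # Network ID with mask, e.g. "192.168.10.0/24"
    purpose: str                        # Guest, Wireless, Management, ... (becomes the zone)
    parent: str = "ethernet1/3"         # physical downlink to the managed switch
    gateway_host: Optional[int] = None  # 1 or 254; None = follow the existing convention


def gateway_convention(existing_gateways):
    """Return 1 or 254 if every existing VLAN gateway ends in that octet, else None."""
    last_octets = {ipaddress.ip_address(g).packed[-1] for g in existing_gateways}
    if last_octets == {1}:
        return 1
    if last_octets == {254}:
        return 254
    return None  # no VLANs yet, or a mix: ask the client


def plan_vlan(req, existing_gateways=()):
    """Return the interface and DHCP field values for req, or raise ValueError."""
    warnings = []
    if not 1 <= req.vlan_id <= 4094:
        raise ValueError(f"VLAN ID {req.vlan_id} is outside 1-4094")
    if req.vlan_id == 1:
        warnings.append("VLAN 1 is normally untagged on the primary interface; "
                        "only tag it if untagged devices cannot communicate")
    # strict=True rejects a host address such as 192.168.10.5/24:
    # the Network ID must be the network address itself
    net = ipaddress.ip_network(req.network, strict=True)

    convention = gateway_convention(existing_gateways)
    host = req.gateway_host or convention
    if host is None:
        raise ValueError("gateway convention is mixed or unknown; confirm .1 or .254 with the client")
    if host not in (1, 254):
        raise ValueError(f"gateway host .{host} is not one of the standard choices (.1 or .254)")
    if convention is not None and host != convention:
        warnings.append(f"existing VLANs use .{convention} but .{host} was requested; confirm with client")

    gateway = net.network_address + host
    # .254 is not a usable host in anything smaller than a /24
    if gateway not in net or gateway == net.broadcast_address:
        raise ValueError(f".{host} is not a usable host address in {net}")

    pool_start = net.network_address + POOL_START_HOST
    pool_end = net.broadcast_address - 1
    if pool_end == gateway:  # .254 gateway: never lease the gateway address
        pool_end -= 1
    if pool_start >= net.broadcast_address or pool_start > pool_end:
        raise ValueError(f"{net} is too small for a pool starting at .{POOL_START_HOST}")
    first_held = net.network_address + 1
    if first_held == gateway:
        first_held += 1

    iface = f"{req.parent}.{req.vlan_id}"
    return {
        "interface": iface,
        "tag": req.vlan_id,
        "comment": f"{req.purpose} / VLAN {req.vlan_id}",
        "zone": req.purpose,
        "ip": f"{gateway}/{net.prefixlen}",
        "management_profile": "LAN Mgmt" if req.purpose.lower() in MGMT_PURPOSES else "Ping Only",
        "dhcp": {
            "interface": iface,
            "ping_ip_when_allocating": True,
            "lease": LEASE,
            "ip_pool": f"{pool_start}-{pool_end}",
            "gateway": str(gateway),
            "subnet_mask": str(net.netmask),
            "dns": DNS_SERVERS,
            "held_for_static": f"{first_held}-{pool_start - 1}",
        },
        "warnings": warnings,
    }


if __name__ == "__main__":
    # Constructed sample: two existing VLANs already use .1, client adds Guest VLAN 10
    plan = plan_vlan(VlanRequest(10, "192.168.10.0/24", "Guest"),
                     existing_gateways=["192.168.1.1", "192.168.20.1"])
    for key, value in plan.items():
        print(f"{key}: {value}")
```

Run it with the existing VLAN gateways read off the current firewall configuration; a ValueError means the request needs a question back to the client before anything is configured, and the warnings list carries the VLAN 1 and convention caveats from the notes above.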
NAT Policies
Review default NAT policies and update to include new zones/source addresses, if necessary.
- ocs-outbound-isp (local egress)
- ocs-ipsec-dmz-out (tunnel egress)
Security Policies
Review default outbound security policies and update to include new zones/source addresses, if necessary.
- ocs-outbound-isp (local egress)
- ocs-ipsec-dmz-out (tunnel egress)
The client may need additional security policies for inter-VLAN communication.