Configuring a VLAN

Use the Networking > WAN > VLAN page to configure a Virtual LAN (VLAN). VLANs allow you to segregate and isolate traffic. A PC on one VLAN cannot access the network resources on other VLANs.

The security appliance predefines three VLANs:

 • A native VLAN (DEFAULT), with VLAN ID 1 and IP address 192.168.75.1. By default, this VLAN is in the LAN zone.

 • A guest VLAN (GUEST), with VLAN ID 2 and IP address 192.168.25.1. By default, this VLAN is in the GUEST zone.

 • A voice VLAN (VOICE), with VLAN ID 100 and IP address 10.1.1.2. By default, this VLAN is in the VOICE zone.

You can change the settings for predefined VLANs or add new VLANs to meet your business needs.

NOTE: Up to 16 VLANs can be configured on the security appliance.

 1. To add a new VLAN, click Add. To modify the settings for a VLAN, click the Edit (pencil) icon.

Other options: To delete a VLAN, click the Delete (x) icon. The default VLANs cannot be deleted.

 2. In the Basic Settings tab, enter the following information:

 • Name: Enter the name for the VLAN.

 • VLAN ID: Enter a unique identification number for the VLAN, which can be any number from 3 to 4089. The VLAN ID 1 is reserved for the DEFAULT VLAN and the VLAN ID 2 is reserved for the GUEST VLAN.

 • IP Address: Enter the subnet IP address for the VLAN.

 • Netmask: Enter the subnet mask for the VLAN.

 • Spanning Tree: Check this box to enable the Spanning Tree feature to determine if there are loops in the network topology. The Spanning Tree Protocol (STP) is a link layer network protocol that ensures a loop-free topology for any bridged LAN. STP is used to prevent bridge loops and the broadcast radiation that results from them.

 • Voice VLAN: Check the box if you want voice applications to use this VLAN.

 • Port: Assign the LAN ports to the VLAN. Traffic through the selected LAN ports is directed to the VLAN. All available ports including the dedicated LAN ports and the configurable ports appear in the Port list.

Choose the ports from the Port list and click Access to add them to the Member list and set the selected ports to Access mode. Alternatively, you can choose the ports from the Port list and click Trunk to add them to the Member list and set the selected ports to Trunk mode.

NOTE: This setting will change the port type and access mode of the selected physical ports. For example, if you choose a port that was set as a DMZ port and add it to the Member list, the DMZ port will be configured as a LAN port. Changing the port type will wipe out all configuration related to the physical port.

 • Zone: Choose the zone to which the VLAN is mapped. By default, the DEFAULT VLAN is mapped to the LAN zone, the GUEST VLAN is mapped to the GUEST zone, and the VOICE VLAN is mapped to the VOICE zone. You can click the Create Zone link to view, edit, or add the zones on the security appliance.

 3. In the DHCP Pool Settings tab, choose the DHCP mode from the DHCP Mode drop-down list.

 • Disable: Choose this option if the computers on the VLAN are configured with static IP addresses or are configured to use another DHCP server.

 • DHCP Server: Allows the security appliance to act as a DHCP server and assign IP addresses to all devices that are connected to the VLAN. Any new DHCP client joining the VLAN is assigned an IP address from the DHCP pool.

 • DHCP Relay: Allows the security appliance to use a DHCP Relay. If you choose DHCP Relay, enter the IP address of the remote DHCP server in the Relay IP field.

 4. If you choose DHCP Server as the DHCP mode, enter the following information:

 • Start IP: Enter the starting IP address of the DHCP pool.

 • End IP: Enter the ending IP address of the DHCP pool.

NOTE: The Start IP address and End IP address should be in the same subnet as the VLAN IP address.

 • Lease Time: Enter the maximum connection time that a dynamic IP address is “leased” to a network user. When the time elapses, the user's dynamic IP address is automatically renewed.

 • DNS1: Enter the IP address of the primary DNS server.

 • DNS2: Optionally, enter the IP address of the secondary DNS server.

 • WINS1: Optionally, enter the IP address of the primary WINS server.

 • WINS2: Optionally, enter the IP address of the secondary WINS server.

 • Domain Name: Optionally, enter the domain name for the VLAN.

 • Default Gateway: Enter the IP address for the default gateway.

 • Option 66: Provides provisioning server address information to hosts requesting this option. Only supports the IP address or host name of a single TFTP server. Enter the IP address of the single TFTP server for the VLAN.

 • Option 67: Provides a configuration/bootstrap file name to the hosts requesting this option. This is used in conjunction with the option 66 to allow the client to form an appropriate TFTP request for the file. Enter the configuration/bootstrap file name on the specified TFTP server.

 • Option 150: Supports a list of TFTP servers (2 TFTP servers). Enter the IP addresses of TFTP servers. Separate multiple entries with commas (,).

NOTE: Enterprises with small branch offices that implement a Cisco IP Telephony Voice over IP solution typically implement Cisco CallManager at a central office to control Cisco IP Phones at small branch offices. This implementation allows centralized call processing, reduces the equipment required, and eliminates the administration of additional Cisco CallManager and other servers at branch offices. Cisco IP Phones download their configuration from a TFTP server. When a Cisco IP Phone starts, if it does not have both the IP address and TFTP server IP address pre-configured, it sends a request with option 150 or 66 to the DHCP server to obtain this information.

 5. In the IPv6 Setting tab, specify IPv6 addressing for the VLAN if you enable the IPv4 or IPv6 mode.

 • IPv6 Address: Enter the IPv6 address based on your network requirements.

 • IPv6 Prefix Length: Enter the number of bits in the IPv6 prefix.

The IPv6 network (subnet) is identified by the prefix, which consists of the initial bits of the address. The default prefix length is 64 bits. All hosts in the network have the identical initial bits for the IPv6 address. The number of common initial bits in the addresses is set by the prefix length field.

 6. Click OK to save your settings and close the pop-up window.

 7. Click Save to apply your settings.

 8. If you want to reserve certain IP addresses for specified devices, go to the Networking > DHCP Reservations page. See Configuring DHCP Reserved IPs. You must enable the DHCP Server or DHCP Relay mode for this purpose.
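
The constraints given in the steps above (VLAN ID range and uniqueness, the 16-VLAN limit, a DHCP pool inside the VLAN subnet, at most two Option 150 servers) can be checked against a planned VLAN before it is entered on the VLAN page. The following Python is an added example, not Cisco code; the function name validate_vlan and the dict layout are assumptions made for illustration, and the sample plans are constructed.

```python
import ipaddress

MAX_VLANS = 16                                   # limit stated in the NOTE
PREDEFINED = {1: "DEFAULT", 2: "GUEST", 100: "VOICE"}

def validate_vlan(plan, existing_ids=frozenset(PREDEFINED)):
    """Return the problems found in one planned VLAN (empty list = OK).
    `plan` uses a hypothetical dict layout invented for this example."""
    problems = []
    vid = plan["vlan_id"]
    if not 3 <= vid <= 4089:
        problems.append(f"VLAN ID {vid} is outside 3-4089")
    if vid in existing_ids:
        problems.append(f"VLAN ID {vid} is already in use")
    if len(existing_ids) + 1 > MAX_VLANS:
        problems.append(f"adding this VLAN exceeds the limit of {MAX_VLANS}")
    # strict=False accepts a host address such as 192.168.75.1 with its netmask
    net = ipaddress.ip_network(f"{plan['ip']}/{plan['netmask']}", strict=False)
    dhcp = plan.get("dhcp")                      # present only in DHCP Server mode
    if dhcp:
        start = ipaddress.ip_address(dhcp["start"])
        end = ipaddress.ip_address(dhcp["end"])
        for label, addr in (("Start IP", start), ("End IP", end)):
            if addr not in net:
                problems.append(f"{label} {addr} is not in {net}")
        if start > end:
            problems.append("Start IP is higher than End IP")
        servers = [s.strip() for s in dhcp.get("option150", "").split(",") if s.strip()]
        if len(servers) > 2:
            problems.append("Option 150 accepts at most 2 TFTP servers")
        for s in servers:
            try:
                ipaddress.ip_address(s)
            except ValueError:
                problems.append(f"Option 150 entry {s!r} is not an IP address")
    return problems

# Constructed sample plans (not taken from any real network)
GOOD = {"vlan_id": 30, "ip": "192.168.30.1", "netmask": "255.255.255.0",
        "dhcp": {"start": "192.168.30.100", "end": "192.168.30.200",
                 "option150": "192.168.30.5, 192.168.30.6"}}
BAD = {"vlan_id": 2, "ip": "192.168.40.1", "netmask": "255.255.255.0",
       "dhcp": {"start": "192.168.40.100", "end": "192.168.41.10",
                "option150": "10.0.0.1,10.0.0.2,10.0.0.3"}}

if __name__ == "__main__":
    for name, plan in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, validate_vlan(plan) or "ok")
```

Pass the set of VLAN IDs already configured on the appliance as existing_ids so that the uniqueness and 16-VLAN checks reflect the real device state.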