
EdgeRouter - VLAN-Aware Switch

Overview

Readers will learn how to configure certain EdgeRouter models as a VLAN-Aware switch.

NOTES & REQUIREMENTS:

Configuring the VLAN-Aware Switch Setup


(Figure: topology.png, the example topology)

The VLAN-aware switch feature is used to place the traffic from wired hosts and wireless networks in different VLANs.

The VLAN-aware switch feature allows the EdgeRouter to tag and untag VLANs on different switch-ports. This is done by grouping the Ethernet ports under the switch0 interface and adding the VLAN values to the switch-ports.

The switch0 interface will be associated with multiple VLAN interfaces (VIFs) so that the EdgeRouter routes between the VLANs. Firewall policies are then applied to the VIFs to restrict that inter-VLAN traffic. The switch0 VIF interfaces and network ranges are:

  • switch0.10 Associated with VLAN10 and the 10.0.10.0/24 network.
  • switch0.20 Associated with VLAN20 and the 10.0.20.0/24 network.
ATTENTION:
  • If you are using VLAN1, then the associated VLAN interface is the switch0.1 VIF.
  • The base switch0 interface (without any VIF) is not associated with any VLANs.
  • It is not possible to add the 'LAN' (the network directly associated with the switch0 interface) to the VLAN-Aware switch. This is because this interface is not assigned a VLAN ID.

In this example, the eth3 interface will be Untagged (U) for VLAN10. The eth4 interface will be Tagged (T) for VLAN20 to carry the wireless guest clients, and Untagged (U) for VLAN10 to carry the access point's management traffic. Firewall policies will be used to limit the traffic of the VLAN20 guests:

  • Management access to the router is denied.
  • All traffic to VLAN10 is denied, with the exception of HTTPS traffic to the Webserver.
  • All other traffic is allowed (internet access).
GUI: Access the EdgeRouter Web UI.

1. Log in to the EdgeRouter on one of the unused Ethernet ports (one that is not a member of switch0), so that enabling the VLAN-aware switch on switch0 cannot cut off the management session.

2. Navigate to the Dashboard tab to define the VLAN IDs and associate the switch0 VIF interfaces with an IP address.

Dashboard > Add Interface > Add VLAN

VLAN ID: 10
Interface: switch0
Address: Manually define IP address > 10.0.10.1/24

VLAN ID: 20
Interface: switch0
Address: Manually define IP address > 10.0.20.1/24

3. Create the DHCP scopes for the relevant VLANs.

Services > DHCP Server > Add DHCP Server

DHCP Name: vlan10
Subnet: 10.0.10.0/24
Range Start: 10.0.10.11
Range Stop: 10.0.10.150
Router: 10.0.10.1
DNS 1: 10.0.10.1

DHCP Name: vlan20
Subnet: 10.0.20.0/24
Range Start: 10.0.20.11
Range Stop: 10.0.20.150
Router: 10.0.20.1
DNS 1: 10.0.20.1

4. Configure the switch0 interface to be VLAN-aware and tag/untag the VLANs on the ports.

Dashboard > switch0 > Actions > Config > VLAN

VLAN Aware: Enabled
eth3 pvid: 10
eth4 pvid: 10
vid: 20
NOTE: The pvid sets the untagged (native) VLAN of a port: untagged frames received on the port are placed in that VLAN, and frames for that VLAN leave the port untagged. A vid adds a tagged VLAN to the port. A port has exactly one pvid but can carry several vids.

5. Create the firewall ruleset that prevents the guests in VLAN20 from managing the EdgeRouter. Note that a Drop default action with no accept rules also drops the DHCP requests and DNS queries that the VLAN20 clients send to the router itself (the vlan20 scope in step 3 hands out 10.0.20.1 as both router and DNS server), so add accept rules for UDP port 67 and TCP/UDP port 53 ahead of the default action, or point the guests at an external DNS server, if they are to obtain addresses and resolve names.

Firewall/NAT > Firewall Policies > + Add Ruleset

Name: guest-local
Default action: Drop

6. Apply the ruleset to the VLAN20 VIF in the local direction (traffic destined to the router itself).

Firewall/NAT > Firewall Policies > guest-local > Actions > Interfaces

Interface: switch0.20
Direction: local

7. Create the firewall ruleset that denies all traffic from VLAN20 to VLAN10, with the exception of HTTPS traffic to the Webserver. Rules are evaluated in order and the first match wins, so the HTTPS accept rule must come before the drop rule.

Firewall/NAT > Firewall Policies > + Add Ruleset

Name: guest-in
Default action: Accept

Firewall/NAT > Firewall Policies > guest-in > Actions > Edit Ruleset > + Add New Rule

Description: https
Action: Accept
Protocol: TCP
Destination Address: 10.0.10.10
Destination Port: 443

Firewall/NAT > Firewall Policies > guest-in > Actions > Edit Ruleset > + Add New Rule

Description: other
Action: Drop
Protocol: All protocols
Destination Address: 10.0.10.0/24

8. Apply the ruleset to the VLAN20 VIF in the ingress/in direction (traffic entering the router on switch0.20 that is routed to another interface).

Firewall/NAT > Firewall Policies > guest-in > Actions > Interfaces

Interface: switch0.20
Direction: in

The above configuration can also be set using the CLI:

CLI: Access the EdgeRouter Command Line Interface.
configure

set interfaces switch switch0 vif 10 address 10.0.10.1/24
set interfaces switch switch0 vif 20 address 10.0.20.1/24

set service dhcp-server shared-network-name vlan10 subnet 10.0.10.0/24 start 10.0.10.11 stop 10.0.10.150
set service dhcp-server shared-network-name vlan10 subnet 10.0.10.0/24 default-router 10.0.10.1
set service dhcp-server shared-network-name vlan10 subnet 10.0.10.0/24 dns-server 10.0.10.1

set service dhcp-server shared-network-name vlan20 subnet 10.0.20.0/24 start 10.0.20.11 stop 10.0.20.150
set service dhcp-server shared-network-name vlan20 subnet 10.0.20.0/24 default-router 10.0.20.1
set service dhcp-server shared-network-name vlan20 subnet 10.0.20.0/24 dns-server 10.0.20.1

set interfaces switch switch0 switch-port vlan-aware enable
set interfaces switch switch0 switch-port interface eth3 vlan pvid 10
set interfaces switch switch0 switch-port interface eth4 vlan pvid 10
set interfaces switch switch0 switch-port interface eth4 vlan vid 20

set firewall name guest-local default-action drop

set firewall name guest-in default-action accept

set firewall name guest-in rule 10 action accept
set firewall name guest-in rule 10 description https
set firewall name guest-in rule 10 log disable
set firewall name guest-in rule 10 protocol tcp
set firewall name guest-in rule 10 destination port 443
set firewall name guest-in rule 10 destination address 10.0.10.10

set firewall name guest-in rule 20 action drop
set firewall name guest-in rule 20 description other
set firewall name guest-in rule 20 log disable
set firewall name guest-in rule 20 protocol all
set firewall name guest-in rule 20 destination address 10.0.10.0/24

set interfaces switch switch0 vif 20 firewall in name guest-in
set interfaces switch switch0 vif 20 firewall local name guest-local

commit ; save
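The guest-local ruleset above has a default action of drop and no rules, so a VLAN20 guest cannot reach the router's DHCP server or the DNS server at 10.0.20.1 that the vlan20 scope hands out. The following CLI fragment is an added example, not part of the original article, that opens only those two services to VLAN20, keeps everything else destined to the router (SSH, the Web UI, SNMP) dropped, and lists the operational-mode commands used to check the result. It assumes the router itself answers DNS for the guests through its DNS forwarder on switch0.20 (the listen-on line), which the article does not show; drop that line and the port 53 rule if the guests are given an external resolver instead.

```edgeos
configure

# Guest clients need DHCP (UDP/67) and DNS (TCP+UDP/53) from the router itself;
# everything else destined to the router (SSH, HTTPS Web UI, SNMP, ...) stays dropped
# by the ruleset's default action.
set firewall name guest-local rule 10 action accept
set firewall name guest-local rule 10 description dns
set firewall name guest-local rule 10 protocol tcp_udp
set firewall name guest-local rule 10 destination port 53

set firewall name guest-local rule 20 action accept
set firewall name guest-local rule 20 description dhcp
set firewall name guest-local rule 20 protocol udp
set firewall name guest-local rule 20 destination port 67

# Assumption: the router is the DNS server for VLAN20 (the vlan20 scope hands out 10.0.20.1).
set service dns forwarding listen-on switch0.20

commit ; save
exit

# Verification (operational mode)
show interfaces                            # switch0.10 and switch0.20 are up with their addresses
show dhcp leases                           # a VLAN20 client holds a 10.0.20.x lease
show firewall name guest-local statistics  # rules 10/20 count DNS and DHCP hits; default-action counts the rest
show firewall name guest-in statistics     # rule 10 (https) and rule 20 (other) counters move as expected
```

From a VLAN20 client, an HTTPS request to 10.0.10.10 should succeed while SSH or HTTPS to 10.0.20.1 and any connection to other 10.0.10.0/24 hosts should time out; the per-rule counters in the two statistics commands confirm which rule handled each attempt.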

Related Articles


EdgeRouter - Zone-Based Firewall

EdgeRouter - Router on a Stick
