EdgeRouter - VLAN-Aware Switch
Overview
Readers will learn how to configure certain EdgeRouter models as a VLAN-Aware switch.
- This article is applicable to the latest EdgeOS firmware on the following EdgeRouter models:
Configuring the VLAN-Aware Switch Setup
The VLAN-aware switch feature is used to place the traffic from hosts and wireless networks in different VLANs.
The VLAN-aware switch feature allows the EdgeRouter to tag and untag VLANs on different switch-ports. This is done by grouping the Ethernet ports under the switch0 interface and adding the VLAN values to the switch-ports.
The switch0 interface will be associated with multiple VLAN interfaces (VIFs) to allow the devices to communicate between VLANs. Afterwards, firewall policies can be applied to the VIFs to limit this traffic. The switch0 VIF interfaces and network ranges are:
- switch0.10: Associated with VLAN10 and the 10.0.10.0/24 network.
- switch0.20: Associated with VLAN20 and the 10.0.20.0/24 network.
- If you are using VLAN1, then the associated VLAN interface is the switch0.1 VIF.
- The base switch0 interface (without any VIF) is not associated with any VLANs.
- It is not possible to add the 'LAN' (the network directly associated with the switch0 interface) to the VLAN-Aware switch. This is because this interface is not assigned a VLAN ID.
In this example, the eth3 interface will be Untagged (U) for VLAN10. The eth4 interface will be Tagged (T) for VLAN20 for the wireless clients and Untagged (U) for VLAN10 for the access point's management traffic. Firewall policies will be used to limit the traffic of the VLAN20 guests:
- Management access to the router is denied.
- All traffic to VLAN10 is denied, with the exception of HTTPS traffic to the Webserver.
- All other traffic is allowed (internet access).
1. Log in to the EdgeRouter on one of the unused Ethernet ports.
2. Navigate to the Dashboard tab to define the VLAN IDs and associate the switch0 VIF interfaces with an IP address.
Dashboard > Add Interface > Add VLAN
VLAN ID: 10
Interface: switch0
Address: Manually define IP address > 10.0.10.1/24
VLAN ID: 20
Interface: switch0
Address: Manually define IP address > 10.0.20.1/24
3. Create the DHCP scopes for the relevant VLANs.
Services > DHCP Server > Add DHCP Server
DHCP Name: vlan10
Subnet: 10.0.10.0/24
Range Start: 10.0.10.11
Range Stop: 10.0.10.150
Router: 10.0.10.1
DNS 1: 10.0.10.1
DHCP Name: vlan20
Subnet: 10.0.20.0/24
Range Start: 10.0.20.11
Range Stop: 10.0.20.150
Router: 10.0.20.1
DNS 1: 10.0.20.1
4. Configure the switch0 interface to be VLAN-aware and tag/untag the VLANs on the ports.
Dashboard > switch0 > Actions > Config > VLAN
VLAN Aware: Enabled
eth3 pvid: 10
eth4 pvid: 10
vid: 20
5. Create the firewall ruleset that will prevent the guests in VLAN20 from managing the EdgeRouter.
Firewall/NAT > Firewall Policies > + Add Ruleset
Name: guest-local
Default action: Drop
6. Apply the firewall rule to the VLAN20 interface in the local direction.
Firewall/NAT > Firewall Policies > guest-local > Actions > Interfaces
Interface: switch0.20
Direction: local
7. Create the firewall rule that denies all traffic from VLAN20 to VLAN10, with the exception of HTTPS traffic to the Webserver.
Firewall/NAT > Firewall Policies > + Add Ruleset
Name: guest-in
Default action: Accept
Firewall/NAT > Firewall Policies > guest-in > Actions > Edit Ruleset > + Add New Rule
Description: https
Action: Accept
Protocol: TCP
Destination Address: 10.0.10.10
Destination Port: 443
Firewall/NAT > Firewall Policies > guest-in > Actions > Edit Ruleset > + Add New Rule
Description: other
Action: Drop
Protocol: All protocols
Destination Address: 10.0.10.0/24
8. Apply the firewall rule to the VLAN20 interface in the ingress/in direction.
Firewall/NAT > Firewall Policies > guest-in > Actions > Interfaces
Interface: switch0.20
Direction: in
The above configuration can also be set using the CLI:
configure
set interfaces switch switch0 vif 10 address 10.0.10.1/24
set interfaces switch switch0 vif 20 address 10.0.20.1/24
set service dhcp-server shared-network-name vlan10 subnet 10.0.10.0/24 start 10.0.10.11 stop 10.0.10.150
set service dhcp-server shared-network-name vlan10 subnet 10.0.10.0/24 default-router 10.0.10.1
set service dhcp-server shared-network-name vlan10 subnet 10.0.10.0/24 dns-server 10.0.10.1
set service dhcp-server shared-network-name vlan20 subnet 10.0.20.0/24 start 10.0.20.11 stop 10.0.20.150
set service dhcp-server shared-network-name vlan20 subnet 10.0.20.0/24 default-router 10.0.20.1
set service dhcp-server shared-network-name vlan20 subnet 10.0.20.0/24 dns-server 10.0.20.1
set interfaces switch switch0 switch-port vlan-aware enable
set interfaces switch switch0 switch-port interface eth3 vlan pvid 10
set interfaces switch switch0 switch-port interface eth4 vlan pvid 10
set interfaces switch switch0 switch-port interface eth4 vlan vid 20
set firewall name guest-local default-action drop
set firewall name guest-in default-action accept
set firewall name guest-in rule 10 action accept
set firewall name guest-in rule 10 description https
set firewall name guest-in rule 10 log disable
set firewall name guest-in rule 10 protocol tcp
set firewall name guest-in rule 10 destination port 443
set firewall name guest-in rule 10 destination address 10.0.10.10
set firewall name guest-in rule 20 action drop
set firewall name guest-in rule 20 description other
set firewall name guest-in rule 20 log disable
set firewall name guest-in rule 20 protocol all
set firewall name guest-in rule 20 destination address 10.0.10.0/24
set interfaces switch switch0 vif 20 firewall in name guest-in
set interfaces switch switch0 vif 20 firewall local name guest-local
commit ; save
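To check what the two rulesets above actually do to guest traffic before committing, the following added example (not part of the article or of EdgeOS) models the guest-in and guest-local rulesets as first-match lists and evaluates constructed sample flows from VLAN20 against them. The rule fields, addresses and default actions are taken from the configuration above; the sample flows and the helper names are assumptions made for the example.

```python
import ipaddress

# The two rulesets from the article, modelled as first-match lists: EdgeOS walks
# the rules in numeric order and falls through to the ruleset's default action.
GUEST_IN = {
    "default": "accept",
    "rules": [
        {"num": 10, "desc": "https", "action": "accept", "protocol": "tcp",
         "dst": "10.0.10.10/32", "dport": 443},
        {"num": 20, "desc": "other", "action": "drop", "protocol": "all",
         "dst": "10.0.10.0/24", "dport": None},
    ],
}
# guest-local has no rules, so everything addressed to the router itself is dropped.
GUEST_LOCAL = {"default": "drop", "rules": []}

# Addresses the router owns on its switch0 VIFs (from the article).
ROUTER_ADDRESSES = {"10.0.10.1", "10.0.20.1"}


def rule_matches(rule, proto, dst_ip, dport):
    """Match on the fields the article's rules use: protocol, destination address, destination port."""
    if rule["protocol"] != "all" and rule["protocol"] != proto:
        return False
    if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(rule["dst"]):
        return False
    if rule["dport"] is not None and rule["dport"] != dport:
        return False
    return True


def evaluate(ruleset, name, proto, dst_ip, dport):
    """First matching rule wins; otherwise the ruleset's default action applies."""
    for rule in ruleset["rules"]:
        if rule_matches(rule, proto, dst_ip, dport):
            return rule["action"], f"{name} rule {rule['num']} ({rule['desc']})"
    return ruleset["default"], f"{name} default"


def guest_verdict(proto, dst_ip, dport=None):
    """Verdict for a packet entering switch0.20 from a VLAN20 guest: traffic addressed
    to the router takes the 'local' ruleset, forwarded traffic takes the 'in' ruleset."""
    if dst_ip in ROUTER_ADDRESSES:
        return evaluate(GUEST_LOCAL, "guest-local", proto, dst_ip, dport)
    return evaluate(GUEST_IN, "guest-in", proto, dst_ip, dport)


if __name__ == "__main__":
    # Constructed sample flows (not from the article): webserver HTTPS, SSH to the
    # webserver, another VLAN10 host, an internet host, DNS to the router, router GUI.
    for flow in [("tcp", "10.0.10.10", 443), ("tcp", "10.0.10.10", 22),
                 ("tcp", "10.0.10.50", 443), ("tcp", "203.0.113.5", 443),
                 ("udp", "10.0.20.1", 53), ("tcp", "10.0.10.1", 443)]:
        print(flow, "->", guest_verdict(*flow))
```

The last two flows show that guest-local, having no rules, also drops DNS queries to 10.0.20.1, which is the address the vlan20 DHCP scope hands out as DNS 1; guests that should resolve names through the router need an explicit accept rule for that in guest-local.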