Home » D-Link Manuals » Networking » D-Link DFL-2500 » Manual Viewer

D-Link DFL-2500 User Guide - Page 75

Virtual LAN VLAN

Add to My Manuals
Save this manual to your list of manuals

Page 75 highlights

56 Chapter 9. Interfaces 9.2 Virtual LAN (VLAN) Virtual Networking is the ability of network appliances to manage the logical network topologies on top of the actual physical connections, allowing arbitrary segments within a network to be combined into a logical group. Since the flexibility and the ease of network control provided by the logical topologies, virtual networking has become one of the major areas in the internetworking. D-Link firewalls are fully compliant with IEEE 802.1Q specification for Virtual LANs, featured by defining virtual interfaces upon the physical Ethernet interface. Each virtual interface is interpreted as a logical interface by the firewall, with the same security policies control and configuration capabilities as regular interfaces. 9.2.1 VLAN Infrastructure A Local Area Network (LAN) is a broadcast domain, that is, a section of the network within whose boundaries any broadcast traffic is delivered to all end-nodes. When the LAN environment grows bigger, the support of broadcast or multicast applications that flood packets throughout the network costs considerable waste of bandwidth, since packets are often forwarded to nodes that do not require them. Virtual LAN (VLAN) allows a single physical LAN to be partitioned into several smaller logical LANs which are different broadcast domains. It limits the size of the broadcast domain for each logical LAN, saves the broadcast cost of the bandwidth to optimize the performance and resource allocation, and also divides larger LANs into several independent security zones to add security control points. Devices located in the same LAN can communicate without the awareness of the devices in other virtual LANs. This is ideal for separating industrial departments from physical topology to different function segments. A simple infrastructure of VLAN is shown in Figure 9.1. In this case, a D-Link firewall is configured to have 2 VLAN interfaces. Now, although the clients and servers are still sharing the same physical media, Client A can only communicate with Server D and the firewall since they are configured D-Link Firewalls User's Guide

Section	Page
I Preface	16
Document Version	18
Disclaimer	18
About this Document	18
Typographical Conventions	19
II Product Overview	20
1 Capabilities	22
1.1 Product Highlights	22
III Introduction to Networking	24
2 The OSI model	26
3 Firewall Principles	28
3.1 The Role of the Firewall	28
3.1.1 What is a Firewall?	28
3.1.2 How does a Firewall work?	28
3.2 What does a Firewall NOT protect against?	29
3.2.1 Attacks on Insecure pre-installed Components	30
3.2.2 Inexperienced Users on protected Networks	30
3.2.3 Data-Driven Network Attacks	30
3.2.4 Internal Attacks	32
3.2.5 Modems and VPN Connection	32
3.2.6 Holes between DMZs and Internal Networks	33
IV Administration	36
4 Configuration Platform	38
4.1 Configuring Via WebUI	38
4.1.1 Overview	38
4.1.2 Interface Layout	38
4.1.3 Configuration Operations	41
4.2 Monitoring Via CLI	42
5 Logging	44
5.1 Overview	44
5.1.1 Importance & Capability	44
5.1.2 Events	45
5.2 Log Receivers	47
5.2.1 Syslog Receiver	47
5.2.2 Memory Log Receiver	48
5.2.3 SMTP Event Receiver	48
6 Maintenance	50
6.1 Firmware Upgrades	50
6.2 Reset To Factory Defaults	51
6.3 Backup Configuration	53
7 Advanced Settings	54
7.1 Overview	54
V Fundamentals	56
8 Logical Objects	58
8.1 Address Book	58
8.1.1 IP address	58
8.1.2 Ethernet address	60
8.2 Services	60
8.2.1 Service Types	61
8.2.2 Error Report & Connection Protection	65
8.3 Schedules	67
8.4 X.509 Certificates	68
8.4.1 Introduction to Certificates	68
8.4.2 X.509 Certificates in D-Link Firewall	70
9 Interfaces	72
9.1 Ethernet	72
9.1.1 Ethernet Interfaces	72
9.1.2 Ethernet Interfaces in D-Link Firewalls	73
9.2 Virtual LAN (VLAN)	75
9.2.1 VLAN Infrastructure	75
9.2.2 802.1Q VLAN Standard	76
9.2.3 VLAN Implementation	77
9.2.4 Using Virtual LANs to Expand Firewall Interfaces	78
9.3 DHCP	79
9.3.1 DHCP Client	79
9.4 PPPoE	80
9.4.1 PPP	81
9.4.2 PPPoE Client Configuration	81
9.5 Interface Groups	84
9.6 ARP	85
9.6.1 ARP Table	85
10 Routing	88
10.1 Overview	88
10.2 Routing Hierarchy	89
10.3 Routing Algorithms	90
10.3.1 Static Routing	90
10.3.2 Dynamic Routing	91
10.3.3 OSPF	93
10.4 Route Failover	96
10.4.1 Scenario: Route Failover Configuration	97
10.5 Dynamic Routing Implementation	100
10.5.1 OSPF Process	100
10.5.2 Dynamic Routing Policy	100
10.5.3 Scenarios: Dynamic Routing Configuration	101
10.6 Scenario: Static Routing Configuration	106
10.7 Policy Based Routing(PBR)	107
10.7.1 Overview	107
10.7.2 Policy-based Routing Tables	108
10.7.3 Policy-based Routing Policy	108
10.7.4 PBR Execution	108
10.7.5 Scenario: PBR Configuration	110
10.8 Proxy ARP	113
11 Date & Time	114
11.1 Setting the Date and Time	115
11.1.1 Current Date and Time	115
11.1.2 Time Zone	115
11.1.3 Daylight Saving Time(DST)	116
11.2 Time Synchronization	117
11.2.1 Time Synchronization Protocols	117
11.2.2 Timeservers	117
11.2.3 Maximum Adjustment	118
11.2.4 Synchronization Interval	118
12 DNS	120
13 Log Settings	122
13.1 Implementation	122
13.1.1 Defining Syslog Receiver	122
13.1.2 Enabling Logging	123
VI Security Polices	126
14 IP Rules	128
14.1 Overview	128
14.1.1 Fields	129
14.1.2 Action types	130
14.2 Address Translation	131
14.2.1 Overview	131
14.2.2 NAT	131
14.2.3 Address translation in D-Link Firewall	133
14.3 Scenarios: IP Rules Configuration	135
15 Access (Anti-spoofing)	142
15.1 Overview	142
15.1.1 IP Spoofing	142
15.1.2 Anti-spoofing	143
15.2 Access Rule	143
15.2.1 Function	143
15.2.2 Settings	143
15.3 Scenario: Setting up Access Rule	145
16 DMZ & Port Forwarding	146
16.1 General	146
16.1.1 Concepts	146
16.1.2 DMZ Planning	148
16.1.3 Benefits	149
17 User Authentication	150
17.1 Authentication Overview	150
17.1.1 Authentication Methods	150
17.1.2 Password Criterion	151
17.1.3 User Types	152
17.2 Authentication Components	153
17.2.1 Local User Database(UserDB)	153
17.2.2 External Authentication Server	153
17.2.3 Authentication Agents	154
17.2.4 Authentication Rules	155
17.3 Authentication Process	156
17.4 Scenarios: User Authentication Configuration	156
VII Content Inspection	164
18 Application Layer Gateway (ALG)	166
18.1 Overview	166
18.2 FTP	167
18.2.1 FTP Connections	167
18.2.2 Scenarios: FTP ALG Configuration	169
18.3 HTTP	174
18.3.1 Components & Security Issues	174
18.3.2 Solution	175
18.4 H.323	177
18.4.1 H.323 Standard Overview	177
18.4.2 H.323 Components	177
18.4.3 H.323 Protocols	178
18.4.4 H.323 ALG Overview	179
18.4.5 Scenarios: H.323 ALG Configuration	180
19 Intrusion Detection System (IDS)	200
19.1 Overview	200
19.1.1 Intrusion Detection Rules	201
19.1.2 Pattern Matching	201
19.1.3 Action	201
19.2 Chain of Events	202
19.2.1 Scenario 1	202
19.2.2 Scenario 2	203
19.3 Signature Groups	205
19.4 Automatic Update of Signature Database	205
19.5 SMTP Log Receiver for IDS Events	206
19.6 Scenario: Setting up IDS	208
VIII Virtual Private Network (VPN)	210
20 VPN Basics	212
20.1 Introduction to VPN	212
20.1.1 VPNs vs Fixed Connections	212
20.2 Introduction to Cryptography	214
20.2.1 Encryption	214
20.2.2 Authentication & Integrity	217
20.3 Why VPN in Firewalls	219
20.3.1 VPN Deployment	220
21 VPN Planning	226
21.1 VPN Design Considerations	226
21.1.1 End Point Security	227
21.1.2 Key Distribution	229
22 VPN Protocols & Tunnels	232
22.1 IPsec	232
22.1.1 IPsec protocols	233
22.1.2 IPsec Modes	233
22.1.3 IKE	234
22.1.4 IKE Integrity & Authentication	238
22.1.5 Scenarios: IPSec Configuration	242
22.2 PPTP/ L2TP	247
22.2.1 PPTP	247
22.2.2 L2TP	253
22.3 SSL/TLS (HTTPS)	262
IX Traffic Management	264
23 Traffic Shaping	266
23.1 Overview	266
23.1.1 Functions	267
23.1.2 Features	268
23.2 Pipes	268
23.2.1 Precedences and Guarantees	269
23.2.2 Grouping Users of a Pipe	271
23.2.3 Dynamic Bandwidth Balancing	272
23.3 Pipe Rules	272
23.4 Scenarios: Setting up Traffic Shaping	272
24 Server Load Balancing (SLB)	280
24.1 Overview	280
24.1.1 The SLB Module	280
24.1.2 SLB Features	281
24.1.3 Benefits	282
24.2 SLB Implementation	283
24.2.1 Distribution Modes	283
24.2.2 Distribution Algorithms	283
24.2.3 Server Health Checks	284
24.2.4 Packets Flow by SAT	285
24.3 Scenario: Enabling SLB	285
X Misc. Features	288
25 Miscellaneous Clients	290
25.1 Overview	290
25.2 Dynamic DNS	290
25.3 Automatic Client Login	291
25.4 HTTP Poster	292
25.4.1 URL Format	292
26 DHCP Server & Relayer	294
26.1 DHCP Server	294
26.2 DHCP Relayer	296
XI Transparent Mode	298
27 Transparent Mode	300
27.1 Overview	300
27.2 Transparent Mode Implementation in D-Link Firewalls	301
27.3 Scenarios: Enabling Transparent Mode	303
XII Zone Defense	310
28 Zone Defense	312
28.1 Overview	312
28.2 Zone Defense Switches	312
28.2.1 SNMP	313
28.3 Threshold Rules	314
28.4 Manual Blocking & Exclude Lists	314
28.5 Limitations	315
28.6 Scenario: Setting Up Zone Defense	315
XIII High Availability	318
29 High Availability	320
29.1 High Availability Basics	320
29.1.1 What High Availability will do for you	320
29.1.2 What High Availability will NOT do for you	321
29.1.3 Example High Availability setup	322
29.2 How Rapid Failover is Accomplished	322
29.2.1 The shared IP address and the failover mechanism	323
29.2.2 Cluster heartbeats	324
29.2.3 The synchronization interface	325
29.3 Setting up a High Availability Cluster	325
29.3.1 Planning the High Availability cluster	326
29.3.2 Creating a High Availability cluster	326
29.4 Things to Keep in Mind	328
29.4.1 Statistics and Logging Issues	328
29.4.2 Configuration Issues	329
XIV Appendix	330
A Console Commands Reference	334
List of Commands	334
About	334
Access	335
ARP	335
ARPSnoop	336
Buffers	336
Certcache	337
CfgLog	338
Connections	338
Cpuid	339
DHCP	339
DHCPRelay	340
DHCPServer	340
DynRoute	340
Frags	341
HA	341
HTTPPoster	341
Ifacegroups	342
IfStat	342
Ikesnoop	343
Ipseckeepalive	344
IPSectunnels	344
IPSecstats	344
Killsa	345
License	345
Lockdown	346
Loghosts	346
Memory	346
Netcon	346
Netobjects	347
OSPF	347
Ping	348
Pipes	348
Proplists	349
ReConfigure	349
Remotes	350
Routes	350
Rules	351
Scrsave	351
Services	352
Shutdown	352
Sysmsgs	352
Settings	352
Stats	354
Time	355
Uarules	355
Userauth	355
Userdb	356
Vlan	357

Match case Limit results 1 per page

Chapter 9. Interfaces

9.2

Virtual LAN (VLAN)

Virtual Networking is the ability of network appliances to manage the

logical network topologies on top of the actual physical connections,

allowing arbitrary segments within a network to be combined into a logical

group. Since the ﬂexibility and the ease of network control provided by the

logical topologies, virtual networking has become one of the major areas in

the internetworking.

D-Link ﬁrewalls are fully compliant with IEEE 802.1Q speciﬁcation for

Virtual LANs, featured by deﬁning virtual interfaces upon the physical

Ethernet interface. Each virtual interface is interpreted as a logical

interface by the ﬁrewall, with the same security policies control and

conﬁguration capabilities as regular interfaces.

9.2.1

VLAN Infrastructure

A Local Area Network (LAN) is a broadcast domain, that is, a section of

the network within whose boundaries any broadcast traﬃc is delivered to

all end-nodes. When the LAN environment grows bigger, the support of

broadcast or multicast applications that ﬂood packets throughout the

network costs considerable waste of bandwidth, since packets are often

forwarded to nodes that do not require them.

Virtual LAN (VLAN) allows a single physical LAN to be partitioned into

several smaller logical LANs which are diﬀerent broadcast domains. It

limits the size of the broadcast domain for each logical LAN, saves the

broadcast cost of the bandwidth to optimize the performance and resource

allocation, and also divides larger LANs into several independent security

zones to add security control points. Devices located in the same LAN can

communicate without the awareness of the devices in other virtual LANs.

This is ideal for separating industrial departments from physical topology

to diﬀerent function segments.

A simple infrastructure of VLAN is shown in Figure

9.1

. In this case, a

D-Link ﬁrewall is conﬁgured to have 2 VLAN interfaces. Now, although the

clients and servers are still sharing the same physical media, Client A can

only communicate with Server D and the ﬁrewall since they are conﬁgured

D-Link Firewalls User’s Guide