This walkthrough will guide you through the setup process of a VLAN network using the command line interface (CLI).
Scenario
This walkthrough will go over a VLAN setup for a guest network. We will need to do the following:
- Create a DHCP Server pool – this will specify the IP network and IP addresses that will be distributed by the DHCP server. (ex: VLAN200_POOL)
- Create a VLAN. (ex: VLAN200)
- Create a ZONE for the vlan. (ex: Guest)
The guest network will use the IP subnet 10.192.168.0/24, and the ZLD appliance will carry the IP address 10.192.168.254 on this network. The DHCP server will hand out addresses starting at 10.192.168.11 and ending at 10.192.168.210 (200 available IPs). Because this is a guest network, users will be coming and going frequently, and those 200 addresses need to stay available for new clients. For this reason we will set the DHCP lease time to 30 minutes, so that addresses return to the available pool quickly.
Supported Devices
ZyWALL 110
ZyWALL 310
ZyWALL 1100
USG40
USG40W
USG60
USG60W
USG110
USG210
USG310
USG1100
USG1900
USG20-VPN
USG20W-VPN
USG2200-VPN
UAG2100
UAG4100
UAG5100
NXC2500
NXC5500
Accessing CLI
The ZLD appliance command line interface can be accessed via SSH, Telnet (disabled by default) or a console connection. Prefer SSH or the console: Telnet sends the login credentials and the whole session in clear text, so leave it disabled unless you have a specific need for it. Connect to the CLI using one of these methods and use the following commands to create a VLAN network on the ZLD appliance.
Create DHCP Server Pool
From the CLI prompt, type
configure terminal
This enters configuration mode, where changes to the device configuration are made.
Now that we are in configuration mode, let's create the DHCP server pool:
- To create the guest DHCP server pool, type "ip dhcp pool <profile_name>". (ex: Based on the described scenario, our entry should be "ip dhcp pool VLAN200_POOL")
- Provide the IP subnet of the network by typing "network <IP> /<1..32>". (ex: Based on the described scenario, our entry should be "network 10.192.168.0 /24")
- Specify the starting IP address and the pool size, "starting-address <IP> pool-size <1..65535>". Make sure the start address plus the pool size stays inside the subnet and does not overlap the appliance's own address. (ex: Based on the described scenario, our entry should be "starting-address 10.192.168.11 pool-size 200", which covers 10.192.168.11 through 10.192.168.210)
- Specify the DNS server entries provided by the DHCP server, "first-dns-server <IP>", "second-dns-server <IP>" and/or "third-dns-server <IP>". (ex: For our DHCP server we will configure two DNS server entries, "first-dns-server 8.8.8.8" and "second-dns-server 8.8.4.4") Guests must be able to reach whichever DNS servers you hand out: if the guest zone is later allowed to reach only the WAN, the DNS servers must be on the internet rather than on an internal network.
- Provide the lease time for the DHCP pool. This can be specified in days, hours and minutes, or as an infinite (forever) lease: "lease {<0..365> [<0..23>] [<0..59>] | infinite}". Because our network is meant for guest access and we need the IPs to become available again quickly, we will specify the lease time in minutes. (ex: For our lease time of 30 minutes, the command is entered as "lease 0 0 30")
- Specify the default gateway for the nodes connected to the guest network, "default-router <IP>". (ex: Our scenario is simple and uses the ZLD appliance as the gateway, "default-router 10.192.168.254")
- More can be configured on the DHCP server, such as a client name, the domain name for the network, MAC address bindings and additional DHCP options. For this scenario we will only configure what is necessary; if you wish to use other options, please review the CLI reference guide for your ZLD appliance, which can be downloaded from ftp.zyxel.com.
- Type "exit" to close the VLAN200_POOL configuration.
Create VLAN Interface
To create the VLAN interface:
- Create the VLAN interface by typing "interface <interface_name>". (ex: Based on our scenario, the VLAN200 interface is created by entering "interface vlan200")
- Specify the VLAN ID, "vlan-id <1..4094>". (ex: Based on our scenario the VLAN ID is 200, which is entered as "vlan-id 200")
- Specify the physical port the VLAN will be carried on, "port <interface>". (ex: For our example, the guest network VLAN200 is connected to the lan1 port, "port lan1")
- Provide the IP address for the VLAN interface, "ip address <IP> <mask>". The mask must match the subnet given in the DHCP pool. (ex: Per the described scenario, the ZLD appliance will have the IP 10.192.168.254 on the VLAN200 network, "ip address 10.192.168.254 255.255.255.0")
- Bind the DHCP server pool profile created above to the VLAN interface, "ip dhcp-pool <profile_name>". (ex: Per our example the DHCP server profile name is VLAN200_POOL, "ip dhcp-pool VLAN200_POOL")
- VLAN interfaces can be created on external or internal interfaces, so the interface type needs to be told to the ZLD appliance by entering "type <internal|external>". (ex: The guest VLAN is bound to the internal interface lan1, so the VLAN type should be set as internal, "type internal")
- There are other options which can be configured for the interface, such as MTU, upstream and downstream speeds, a description for the interface, etc. For this scenario we will only configure what is necessary; if you wish to use other options, please review the CLI reference guide for your ZLD appliance, which can be downloaded from ftp.zyxel.com.
- Type "exit" to close the interface configuration.
Add VLAN to ZONE
The last step is to add the VLAN interface that was just created to a ZONE. The interface can be added to an existing ZONE, or a new ZONE can be created for it. Creating a new ZONE keeps the guest network separated from the other networks, because security policies are written between zones and a new zone starts with no rules of its own. Creating a new ZONE therefore also requires creating new firewall rules or security policies (depending on the ZLD appliance) to provide access to resources (such as the internet).
For a list of all the ZONEs type the following command:
show zone
This will provide a list of the zone "Name" and "Member" interface(s).
Add to Default ZONE
To add the guest network (VLAN200) to one of the default ZONEs (LAN1, LAN2, DMZ, etc.) type the following commands:
- "zone <zone_profile>" (ex: "zone LAN1")
- "interface <interface_name>" (ex: "interface vlan200")
- Type "exit" to close the ZONE.
This will add the VLAN200 guest network to the LAN1 zone. Any firewall/policy control rules that have been created for the LAN1 zone will also apply to the VLAN200 guest network. Keep in mind that this gives guests exactly the same access as the hosts on LAN1, which is usually not what you want for a guest network; a dedicated ZONE, described next, is the safer choice.
Create New ZONE
To create a new zone for the guest network, type the following commands:
- "zone <name>" (ex: "zone GUEST")
- "interface <interface_name>" (ex: "interface vlan200")
- Type "exit" to close the ZONE.
This will create the GUEST zone and add VLAN200 to it. A firewall/policy control rule now needs to be added to give the GUEST zone access to resources. VLAN200 is a guest network and only internet access is needed; nodes on this network don't need access to anything else, so a single rule allowing VLAN200 (the GUEST zone) to reach the internet is all that is required.
- Insert a firewall/policy control rule at position 1, "secure-policy insert 1". Rules are evaluated from the top of the list, so this rule is checked before all existing ones. (Note: on ZLD firmware that still uses the older firewall command set the top-level command differs; check the CLI reference guide for your appliance.)
- Provide a name for the rule, "name GUEST-to-WAN" (Note: do not use spaces for the rule name)
- Optionally, a description of the rule can be added by typing, "description <description>" (Note: spaces are allowed for the description)
- Specify what zone traffic is originating, "from GUEST" (VLAN200)
- Specify what zone traffic is destined for, "to WAN" (internet connections)
- Provide an action for the rule to follow when traffic is matched, "action allow"
- Activate the rule by typing, "activate"
- Type "exit" to close the rule entry
With this rule created, any traffic from the GUEST zone (VLAN200) to the internet (WAN) will be allowed. Traffic from GUEST to any other zone (LAN1, DMZ and so on) is not covered by this rule and remains governed by the rest of the rule list and the default rule at the bottom, which is what keeps the guest network isolated.
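To tie the sections above together, here is an added example in Python; it is not code from the Zyxel article. It validates the scenario's addressing the way a practitioner would before typing anything (the pool start and size fit inside the subnet, the appliance address is not inside the pool, the interface mask and the pool subnet come from the same network definition) and then emits the complete ZLD CLI sequence from the DHCP pool through the zone and the security policy. The command syntax is the one the walkthrough shows; the GuestVlanPlan fields, validate(), lease_args() and render() are this example's own names, and the rule name is derived from the zone name as <zone>-to-WAN.

```python
# Added example (not from the Zyxel article): check the guest VLAN plan and
# emit the ZLD CLI lines the walkthrough types by hand. Command syntax is the
# article's; GuestVlanPlan, validate(), lease_args() and render() are our own names.
import ipaddress
from dataclasses import dataclass


@dataclass
class GuestVlanPlan:
    pool_name: str       # DHCP pool profile, e.g. VLAN200_POOL
    interface: str       # VLAN interface name, e.g. vlan200
    vlan_id: int         # 802.1Q tag, 1..4094
    port: str            # physical port the VLAN rides on, e.g. lan1
    network: str         # CIDR, e.g. 10.192.168.0/24
    gateway: str         # appliance address on the VLAN, also the default-router
    pool_start: str      # first address the DHCP server hands out
    pool_size: int       # number of addresses in the pool
    lease_minutes: int   # lease length, converted to "lease <days> <hours> <minutes>"
    dns: tuple           # one to three DNS servers handed to clients
    zone: str            # zone the interface is placed in
    create_zone: bool    # True: new zone plus <zone>-to-WAN rule; False: existing zone


def lease_args(minutes: int) -> str:
    """Encode a lease in minutes as the ZLD form 'lease <days> <hours> <minutes>'."""
    days, rem = divmod(minutes, 24 * 60)
    hours, mins = divmod(rem, 60)
    return f"lease {days} {hours} {mins}"


def validate(plan: GuestVlanPlan) -> list:
    """Return the list of problems found; an empty list means the plan is consistent."""
    problems = []
    net = ipaddress.ip_network(plan.network, strict=True)
    gw = ipaddress.ip_address(plan.gateway)
    start = ipaddress.ip_address(plan.pool_start)
    end = start + plan.pool_size - 1   # last address the pool can hand out
    if not 1 <= plan.vlan_id <= 4094:
        problems.append("vlan-id must be 1..4094")
    if gw not in net or gw in (net.network_address, net.broadcast_address):
        problems.append("gateway is not a usable host address in the network")
    if start not in net:
        problems.append("pool start is outside the network")
    if end >= net.broadcast_address:
        problems.append("pool runs past the last usable host address")
    if start <= gw <= end:
        problems.append("gateway address lies inside the DHCP pool")
    if plan.lease_minutes < 1 or not 1 <= plan.pool_size <= 65535:
        problems.append("lease must be at least 1 minute and pool-size 1..65535")
    if not 1 <= len(plan.dns) <= 3:
        problems.append("specify one to three DNS servers")
    return problems


def render(plan: GuestVlanPlan) -> list:
    """Emit the CLI lines in the order the walkthrough enters them."""
    problems = validate(plan)
    if problems:
        raise ValueError("; ".join(problems))
    net = ipaddress.ip_network(plan.network)
    dns_keys = ("first-dns-server", "second-dns-server", "third-dns-server")
    lines = ["configure terminal",
             f"ip dhcp pool {plan.pool_name}",
             f"network {net.network_address} /{net.prefixlen}",
             f"starting-address {plan.pool_start} pool-size {plan.pool_size}"]
    lines += [f"{key} {srv}" for key, srv in zip(dns_keys, plan.dns)]
    lines += [lease_args(plan.lease_minutes),
              f"default-router {plan.gateway}",
              "exit",
              f"interface {plan.interface}",
              f"vlan-id {plan.vlan_id}",
              f"port {plan.port}",
              f"ip address {plan.gateway} {net.netmask}",  # same mask as the pool
              f"ip dhcp-pool {plan.pool_name}",
              "type internal",
              "exit",
              f"zone {plan.zone}",
              f"interface {plan.interface}",
              "exit"]
    if plan.create_zone:
        # a new zone has no rules of its own: open only the guest-to-internet path
        lines += ["secure-policy insert 1",
                  f"name {plan.zone}-to-WAN",
                  f"from {plan.zone}",
                  "to WAN",
                  "action allow",
                  "activate",
                  "exit"]
    return lines


# The scenario from the article (VLAN200, 10.192.168.0/24, 200 leases of 30 minutes).
SCENARIO = GuestVlanPlan(
    pool_name="VLAN200_POOL", interface="vlan200", vlan_id=200, port="lan1",
    network="10.192.168.0/24", gateway="10.192.168.254",
    pool_start="10.192.168.11", pool_size=200, lease_minutes=30,
    dns=("8.8.8.8", "8.8.4.4"), zone="GUEST", create_zone=True)

if __name__ == "__main__":
    print("\n".join(render(SCENARIO)))
```

Running the script prints the same commands the walkthrough enters one section at a time; change pool_size to 250 or move the gateway to 10.192.168.100 and render() refuses with a message instead of producing a configuration that the appliance would accept but that hands out addresses it cannot route. Setting create_zone to False with zone="LAN1" reproduces the "Add to Default ZONE" variant, which emits no policy rule because the LAN1 rules already apply. Note that the walkthrough's sequence changes only the running configuration; save it with the ZLD "write" command once you have verified it.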