Cato Networks Knowledge Base

Connecting a Socket to a switch with VLANs (802.1q)

When VLANs are configured at the site level, the Socket sends 802.1Q-tagged frames, each carrying the VLAN ID (VID) of its VLAN.

On the switch, the configuration is straightforward: any layer 2 switch that supports VLAN tagging (802.1Q) can work with such a configuration. VLAN support does not require a layer 3 switch.

!! Pay attention to the following !! Native VLAN!

When configuring VLANs on the switch, the VIDs must match between the Socket and the switch.

In addition, the Native Range of LAN01 is treated as the native VLAN.

* Native VLAN - can also be referred to as the untagged VLAN. By design, every trunk/tagged port must have a default VLAN that is untagged (native). This means that frames in this VLAN carry no VID.

Most switches preconfigure a native VLAN on each trunk port, but some might not. In that case, make sure a native VLAN is configured on the trunk port.

** The Socket can provide a DHCP range to the native VLAN as well - this can be useful for providing an IP address to the switch itself on the native VLAN.
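As an added illustration (constructed for this page, not Cato's code), the following Python shows what the article describes at the frame level: it parses 802.1Q-tagged and untagged Ethernet frames, shows how a trunk port accepts an untagged frame only when it has a native VLAN, and audits that every VID the Socket is configured to send is allowed on the trunk. The `TrunkPort` and `audit_trunk` names, the sample MAC addresses, VIDs and trunk settings are all assumptions made up for the example.

```python
"""Constructed example: 802.1Q tag parsing and a Socket-to-trunk VID audit.

Models the two rules from the article: (1) the VIDs configured on the
Socket must match the VLANs allowed on the switch trunk, and (2) a trunk
port needs a native (untagged) VLAN, which is where LAN01's native range
lands, or untagged frames are dropped.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Set

ETHERTYPE_8021Q = 0x8100  # TPID that marks a VLAN-tagged frame


@dataclass
class ParsedFrame:
    dst: bytes
    src: bytes
    vid: Optional[int]  # None when the frame carries no 802.1Q tag
    pcp: int            # priority code point from the TCI (0 if untagged)
    ethertype: int      # EtherType of the encapsulated payload
    payload: bytes


@dataclass
class TrunkPort:
    allowed_vids: Set[int]      # VLANs permitted on the trunk (hypothetical model)
    native_vid: Optional[int]   # None models a trunk with no native VLAN configured


def build_frame(dst: bytes, src: bytes, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0,
                ethertype: int = 0x0800) -> bytes:
    """Build an Ethernet frame; insert an 802.1Q tag when vid is given."""
    header = dst + src
    if vid is None:
        header += struct.pack("!H", ethertype)
    else:
        tci = (pcp << 13) | (vid & 0x0FFF)  # PCP(3) | DEI(1)=0 | VID(12)
        header += struct.pack("!HHH", ETHERTYPE_8021Q, tci, ethertype)
    return header + payload


def parse_frame(frame: bytes) -> ParsedFrame:
    """Split dst/src, detect an 802.1Q tag and extract PCP and VID."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_8021Q:
        return ParsedFrame(dst, src, None, 0, ethertype, frame[14:])
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return ParsedFrame(dst, src, tci & 0x0FFF, tci >> 13, inner_type, frame[18:])


def classify(frame: ParsedFrame, trunk: TrunkPort) -> str:
    """Decide how a trunk port treats an ingress frame."""
    # Untagged frames, and priority-tagged frames (VID 0), belong to the
    # native VLAN; without a native VLAN the switch has nowhere to put them.
    if frame.vid is None or frame.vid == 0:
        if trunk.native_vid is None:
            return "dropped: untagged frame but trunk has no native VLAN"
        return f"accepted on native VLAN {trunk.native_vid}"
    if frame.vid not in trunk.allowed_vids:
        return f"dropped: VID {frame.vid} not allowed on trunk"
    return f"accepted on VLAN {frame.vid}"


def audit_trunk(socket_vids: List[int], trunk: TrunkPort) -> List[str]:
    """Return the mismatches between the Socket's VLAN config and the trunk."""
    problems = []
    for vid in sorted(set(socket_vids)):
        if vid not in trunk.allowed_vids:
            problems.append(f"VID {vid} configured on Socket but not allowed on trunk")
    if trunk.native_vid is None:
        problems.append("trunk has no native VLAN: LAN01 native range traffic would be dropped")
    return problems


if __name__ == "__main__":
    # Constructed sample values: a trunk allowing VLANs 10 and 20, native VLAN 1.
    trunk = TrunkPort(allowed_vids={10, 20}, native_vid=1)
    dst, src, payload = b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01", b"\x00" * 46
    for vid in (10, 30, None):
        parsed = parse_frame(build_frame(dst, src, payload, vid=vid))
        print(f"vid={parsed.vid}: {classify(parsed, trunk)}")
    print(audit_trunk([10, 20, 30], trunk))
```

Running it shows VID 10 accepted, VID 30 dropped as not allowed, the untagged frame landing on native VLAN 1, and the audit flagging VID 30 as configured on the Socket but missing from the trunk; swapping `native_vid=1` for `None` reproduces the failure the article warns about, where untagged traffic is dropped.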


Comments


  • Victor Garcia

    Do the VLANs on the Socket work by skipping the FW, or do they send the traffic straight to the cloud?
  • Miguel Minicz

    Hello Victor Garcia,

    The VLANs on the Socket can skip the Firewall or not, depending on how you configure your routing.

    Suppose you want strict control of the traffic between VLANs. Simply don't create a route for them and create a policy for this in the WAN Firewall. In that case, the traffic goes to the PoP to be inspected, and you can control which hosts of each VLAN will be able to communicate, or which service, or at what time of day.

    On the other hand, suppose you have a VLAN dedicated to printers or CCTV, for example, and in that case you want to allow other VLANs' hosts to access it and you trust that specific VLAN. You can create a local route on the Socket to help with that. No firewall rules are created and no traffic is sent to the PoP; it is routed at the site by the Socket, like a router-on-a-stick model.

    =========================

    The VLANs in the Socket may or may not jump the Firewall, depending on how you configure your routing.

    Let's suppose you want to have strict control of the traffic between VLANs. You simply don't create a route for them and create a policy for this in the WAN Firewall. In that case, the traffic goes to the PoP to be checked, and you can control which hosts of each VLAN will be able to establish communication.

    On the other hand, let's suppose you have a VLAN that is dedicated to printers, or CCTV, for example, and in that case, you want to allow some other VLAN's hosts to access it, and you trust that specific VLAN. You can create a local route in the Socket to help you with that. No Firewall Rules are created, and no traffic is sent to the PoP, being routed in the Site, by the Socket, such as a Router-on-a-stick design.
