LAN

VLANs

The VPN Gateway has an integrated 8-port intelligent switch that supports VLANs. If VLANs have been enabled, each port can be configured as a separate virtual LAN, or multiple ports can provide access to the same VLAN. VLAN trunking is also supported; this allows more than one VLAN to be mapped to a single port. When trunking, a maximum of 24 VLANs can be configured on a VPN Gateway or VPN Gateway 8300, while the VPN Gateway 8200 can have a maximum of 8 VLANs configured. VLAN configuration is defined in the AT&T Administration Server and can be viewed through the VPN Gateway web interface, which shows the mapping of ports to VLANs, the speed and duplex setting, and the IP/MAC addresses assigned to each port. If no VLANs are configured, all ports on the VPN Gateway are assigned to a default VLAN.

Each VLAN can be configured individually for tunnel mode (see the section on Tunnel Configuration Options for more information): VPN Only mode, split tunneling, Internet Only mode, or No-NAT mode. In this way one VLAN can carry secure private business traffic while another VLAN provides access only to the Internet.

By default, communication between devices on two VLANs is prohibited when one VLAN is configured as secure and the other for Internet access only. An optional inter-VLAN mode allows traffic between an Internet Only VLAN and secure VLANs. Even in this mode, devices on Internet Only VLANs cannot access any of the VPN tunnels available to the secure VLANs, and cascaded routes and LAN aliases associated with the Internet Only VLAN do not have access to the secure VLANs.

A VLAN can also be marked as no-NAT. Traffic from that VLAN leaving the VPN Gateway via a WAN interface, which would normally be NATed, is instead sent with its original source address. The VPN Gateway issues a proxy ARP on the WAN side for each IP address in the no-NAT VLAN, so that return traffic is delivered to the VPN Gateway and routed back to the originating host. The addresses in the no-NAT subnet must therefore be publicly registered IP addresses ordered from the ISP, so that they are routed correctly across the Internet and the ISP network.
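As an added example (not code from the VPN Gateway or from AT&T), the following Python shows the proxy ARP behaviour the no-NAT mode relies on: a request seen on the WAN segment for any address inside the no-NAT subnet is answered with the gateway's own WAN MAC, so the ISP router hands return traffic to the gateway. The MAC addresses, the no-NAT subnet and the ISP addresses are assumptions chosen for illustration, and the frames are constructed inline.

```python
"""Proxy ARP for a no-NAT VLAN subnet (added example, not VPN Gateway code).
Runs against frames received on the WAN interface only. Addresses and MACs
below are assumed values for illustration."""
import ipaddress
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def build_arp(oper, sha, spa, tha, tpa):
    """Ethernet + ARP (IPv4 over Ethernet) frame; oper 1 = request, 2 = reply."""
    eth_dst = b"\xff" * 6 if oper == ARP_REQUEST else tha   # requests are broadcast
    eth = eth_dst + sha + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)      # htype, ptype, hlen, plen, oper
    return (eth + arp + sha + ipaddress.IPv4Address(spa).packed
            + tha + ipaddress.IPv4Address(tpa).packed)


def parse_arp(raw):
    """Return (oper, sha, spa, tha, tpa), or None if not an Ethernet/IPv4 ARP frame."""
    if len(raw) < 42:                       # 14-byte Ethernet header + 28-byte ARP
        return None
    (ethertype,) = struct.unpack("!H", raw[12:14])
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", raw[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return (oper, raw[22:28], ipaddress.IPv4Address(raw[28:32]),
            raw[32:38], ipaddress.IPv4Address(raw[38:42]))


def proxy_arp_reply(raw, wan_mac, no_nat_subnets):
    """Decide whether a frame from the WAN segment gets a proxy ARP reply.
    Returns the reply frame to transmit, or None if the frame is ignored."""
    nets = [ipaddress.ip_network(n) if isinstance(n, str) else n for n in no_nat_subnets]
    arp = parse_arp(raw)
    if arp is None:
        return None
    oper, sha, spa, tha, tpa = arp
    if oper != ARP_REQUEST:                 # never react to replies or announcements
        return None
    # Answer only for the no-NAT range. Replying for any other address would
    # make the gateway hijack other hosts' traffic on the ISP segment.
    if not any(tpa in net for net in nets):
        return None
    # Reply: "tpa is at wan_mac", unicast back to the requester.
    return build_arp(ARP_REPLY, wan_mac, tpa, sha, spa)


if __name__ == "__main__":
    # Constructed scenario: ISP router asks for a no-NAT address and for an unrelated one.
    wan_mac = b"\x02\x00\x00\x00\x00\x01"
    isp_mac = b"\x02\x00\x00\x00\x00\xfe"
    no_nat = ["198.51.100.0/28"]
    for target in ("198.51.100.10", "203.0.113.7"):
        req = build_arp(ARP_REQUEST, isp_mac, "203.0.113.1", b"\x00" * 6, target)
        rep = proxy_arp_reply(req, wan_mac, no_nat)
        print(target, "->", "reply sent" if rep else "ignored")
```

The check on the target address is the important one: a gateway that answers ARP for addresses outside the no-NAT range is indistinguishable from an ARP-spoofing attacker on the ISP segment.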

Each VLAN can also be mapped to a specific VPN tunnel, allowing administrators to limit which VLANs have access to each VPN. When the VLAN-to-VPN mapping feature is enabled for a VPN, each VLAN maintains its own routing table. Cascaded networks attached to a specific VLAN and not marked as Internet Only follow the routing behavior defined for that VLAN. By default, VPN-enabled VLANs and cascaded networks are advertised down the VPN tunnel; a setting in the device's profile on the AT&T Administration Server can disable this advertisement.

VLAN Trunking

VLAN trunking is used when more than 8 ports are required and a separate VLAN switch is added to increase the number of available ports. A single interface on the VPN Gateway is set as a trunk port with VLANs 1, 2, 3 and 4 mapped to it. The result is a single connection to a VLAN switch behind the VPN Gateway, where ports can be mapped to VLANs as necessary on the VLAN switch.

In this configuration, the remaining Ethernet ports on the VPN Gateway can also be assigned to the same VLANs that are mapped to the trunk port, or to separate VLANs if desired, and devices can be attached to either the switch ports or the VPN Gateway LAN ports as appropriate. The two devices then function as a single VLAN switch. A maximum of 24 VLANs can be supported on the VPN Gateway and the VPN Gateway 8300; the VPN Gateway 8200 can have a maximum of 8 VLANs configured.

The VPN Gateway and VPN Gateway 8300 also support a native VLAN on a trunk port, so that tagged (trunked) and untagged traffic can be carried on a single port; untagged frames received on the trunk are assigned to the native VLAN.
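As an added example (not code from the VPN Gateway or from AT&T), the following Python shows what a trunk port with a native VLAN does with incoming frames, and applies the inter-VLAN rules from the VLANs section above (secure and Internet Only VLANs isolated by default, the optional inter-VLAN mode, and Internet Only VLANs never reaching a tunnel). The trunk's VLAN set (1 to 4, with 1 native), the per-VLAN roles and the MAC addresses are assumptions for illustration; in the product the mapping comes from the AT&T Administration Server.

```python
"""802.1Q trunk demultiplexing with a native VLAN, plus the inter-VLAN
forwarding rules described above (added example, not VPN Gateway code).
VLAN IDs, roles and MAC addresses are assumed values for illustration."""
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100      # EtherType that announces an 802.1Q tag
ETH_P_IP = 0x0800

TRUNK_VLANS = {1, 2, 3, 4}   # assumed: VLANs mapped to the trunk port
NATIVE_VLAN = 1              # assumed: untagged frames land here
# Assumed per-VLAN roles (the real mapping is defined centrally).
ROLE = {1: "secure", 2: "secure", 3: "internet-only", 4: "internet-only"}


@dataclass(frozen=True)
class Frame:
    dst: bytes
    src: bytes
    vlan_id: int      # VLAN the frame is assigned to on this port
    tagged: bool      # True if the frame carried an 802.1Q tag
    ethertype: int    # inner EtherType (after the tag, if any)
    payload: bytes


def build_frame(dst, src, ethertype, payload, vlan_id=None, pcp=0):
    """Construct an Ethernet frame, optionally with an 802.1Q tag (test input)."""
    if vlan_id is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    tci = (pcp << 13) | (vlan_id & 0x0FFF)          # PCP(3) | DEI(1) | VID(12)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def receive_on_trunk(raw, native_vlan=NATIVE_VLAN, allowed=TRUNK_VLANS):
    """Assign a frame received on the trunk port to a VLAN.
    Tagged frames use the VID from the tag; untagged frames and priority-tagged
    frames (VID 0) belong to the native VLAN. A VID not mapped to the trunk is
    dropped (ValueError)."""
    if len(raw) < 14:
        raise ValueError("runt frame")
    dst, src = raw[:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    if ethertype == TPID_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, inner = struct.unpack("!HH", raw[14:18])
        vid = tci & 0x0FFF
        frame = Frame(dst, src, vid if vid else native_vlan, True, inner, raw[18:])
    else:
        frame = Frame(dst, src, native_vlan, False, ethertype, raw[14:])
    if frame.vlan_id not in allowed:
        raise ValueError(f"VLAN {frame.vlan_id} is not mapped to this trunk port")
    return frame


def accepted_on_trunk(raw):
    """True if the frame would be admitted to some VLAN on the trunk."""
    try:
        receive_on_trunk(raw)
        return True
    except ValueError:
        return False


def forwarding_decision(src_vlan, dst, inter_vlan_mode=False, via_cascade=False):
    """Inter-VLAN rules from the text. dst is a VLAN ID or the string 'tunnel'.
    via_cascade marks traffic from a cascaded route or LAN alias behind src_vlan."""
    src_role = ROLE[src_vlan]
    if dst == "tunnel":
        # Internet-only VLANs never reach the VPN tunnels, in any mode.
        return "forward" if src_role == "secure" else "drop"
    if src_role == ROLE[dst]:
        return "forward"
    if not inter_vlan_mode:
        return "drop"     # default: secure and Internet-only VLANs are isolated
    if src_role == "internet-only" and via_cascade:
        return "drop"     # cascaded routes/aliases on the Internet-only VLAN stay isolated
    return "forward"


if __name__ == "__main__":
    # Constructed sample traffic on the trunk (assumed MAC addresses).
    a, b, bcast = b"\x02\x00\x00\x00\x00\x0a", b"\x02\x00\x00\x00\x00\x0b", b"\xff" * 6
    samples = [
        build_frame(b, a, ETH_P_IP, b"ip", vlan_id=2),    # tagged, secure VLAN 2
        build_frame(b, a, ETH_P_IP, b"ip", vlan_id=3),    # tagged, Internet-only VLAN 3
        build_frame(bcast, a, ETH_P_IP, b"ip"),           # untagged -> native VLAN 1
        build_frame(b, a, ETH_P_IP, b"ip", vlan_id=99),   # VID not on the trunk
    ]
    for raw in samples:
        try:
            f = receive_on_trunk(raw)
            print(f"VLAN {f.vlan_id} tagged={f.tagged} "
                  f"tunnel={forwarding_decision(f.vlan_id, 'tunnel')}")
        except ValueError as e:
            print("dropped:", e)
```

The native VLAN is the part worth checking in a real deployment: whatever is plugged into the switch and left untagged ends up in that VLAN, so the native VLAN on the trunk should be one whose role (secure or Internet Only) you actually intend for unknown devices.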

VLAN Tagging

VLAN tagging is supported on both the primary and secondary Ethernet interfaces. VLAN tagging on the primary Ethernet interface is configured exclusively through the VPN Gateway web interface, and changes to the VLAN tagging configuration on the primary Ethernet interface require a reboot. VLAN tagging on the secondary Ethernet interface is configured via the AT&T Administration Server.

Interface Speed Settings

As with the WAN interface, the LAN interface speed can either be left to auto-negotiate (the default) or set to a specific speed and duplex setting. The setting is made at the VLAN level if VLANs have been configured, and otherwise at the VPN Gateway level.

LAN Port Disabling

LAN ports that will not be used in the target environment can be disabled in the central configuration. Any port not specifically assigned to a VLAN is considered part of the default VLAN (ID=4069). Plugging devices into default VLAN ports can cause routing problems in the AT&T network if more than one VPN Gateway reports the same subnet. Ports can be centrally configured as 'disabled'; in that mode they do not hand out IP addresses and cannot route traffic through the VPN Gateway on either the LAN or WAN interfaces.

WiFi Extender

The Wi-Fi extender plugs into the local LAN side of the VPN Gateway over an Ethernet connection, allowing the Wi-Fi radio inside the extender to be placed further away from the VPN Gateway and so extending the reach of Wi-Fi. All IP services (routing, firewall, DHCP and so on) continue to run on the VPN Gateway; the Wi-Fi extender is purely a wireless access point that bridges wireless traffic directly onto the LAN interface of the VPN Gateway.

Accelerated Concepts provides the Wi-Fi extender as a supported managed extension of the VPN Gateway LAN interface. Accelerated Concepts can be contacted by e-mail or at http://accelerated.com/products.