Jump to content


Photo

WebFilter on VLAN Trunk


  • Please log in to reply
7 replies to this topic

#1 Björn Wolter

Björn Wolter
  • Members
  • 0 posts

Posted 09 May 2011 - 02:32 AM

Hello,

I have read on http://blog.barracud...rmware-release/ that the new 4.4 firmware can handle / filter WebTraffic on VLAN trunks.

I have upgraded our WebFilter 310 to the new firmware and created a new vlan on the switches and trunks the port to the gateway / firewall.
But i didnt work. i can ping intet host, connect to ftp etc... but webtraffic seems to be droped... (as in the past firmware). The firewall ist config. correctly, for testing purpose i have opened all ports.

what is wrong in our situation

our config is:

inet --> connected to --> webfilter --> connected to --> cisco asa --> connected to --> VLAN (company net - filtering is working) and VLAN 10 (pub net) on the same firewall port --> connected to switch where firewall port is trunking is allowed to vlan 1 and 10

kind regards

bjoern

#2 Michael Wilkinson

Michael Wilkinson
  • Members
  • 1 posts

Posted 13 July 2011 - 10:22 AM

Have the same problem, WebFilter 410, firmware 4.4.

Config is a VLAN trunk on a Cisco Catalyst 3750 through the web filter (transparent mode) then into a Cisco ASA 5520 (then on out to the Internet).

I'm going to bang at it some more and post if I have any success.

Also, it would be VERY helpful to be able to change the VLAN from the console.

#3 Michael Pellegrino

Michael Pellegrino
  • Members
  • 3 posts

Posted 06 September 2011 - 02:07 PM

I may not use the correct terminology here as it seems to differ between manufacturers.

I had the exact same issue when I first attempted to filter VLANs. Apparently, the web filter IP has to be in the default vlan (1?) and untagged.

#4 Noah Perlite

Noah Perlite
  • Moderators
  • 0 posts

Posted 19 September 2011 - 01:20 PM

The New Firmwares allow vlans to be configured with the Webfilter. With this feature we are simply making the Webfilter aware of the vlans. The Webfilter will not be responsible for managing vlans.

A best practice often used with Explicit VLANs is to have the default vlan be untagged while all other vlans will have Explicit tagging. The Barracuda Webfilter is expecting this default VLAN to be untagged. In some environments however the default vlan will be tagged. The Webfilter accommodates for these networks with the configuration of the system vlan on the advanced/advanced ip configuration page. *Note* VLAN ID 1 cannot be used as the default vlan on the barracuda. The default VLAN is often the problem most customers run into when attempting the configure the Webfilter with VLANs.

What is your networks default VLAN?

#5 Jean Carlos

Jean Carlos
  • Members
  • 9 posts

Posted 06 December 2011 - 07:15 AM

Hello, i have a similiar topology:

Router <--> Cisco ASA <--> WebFilter <--> Switch <--> EndUsers

My Cisco ASA is configured with your port connected on the WebFilter like as trunk, and the switch port connected on the WebFilter like as trunk too. It's necessary configure some thing on the webfilter, to pass the vlans?
Not yet implemented this topology because the network is on production, but i need to use various vlans in my network.

Sorry my english.

Thanks

#6 Brian Arthur

Brian Arthur
  • Members
  • 2 posts

Posted 06 December 2011 - 12:57 PM

In my config, I have 2 tagged VLANs between the Firewall and Internal Router. The web filter sits between these two devices. No untagged VLAN on this link.
Example:
VLAN 10 - the web filter is in this VLAN, default gateway is the FW
VLAN 20 - second vlan (you could have more, I think the Max is 50)

On the Adv IP page I have:
VLAN Interface = Bridge
Both VLANs defined with their VLAN ID
System VLAN is set to VLAN 10
VLAN 20 is defined asa virtual interface (VLAN 10 does not get a Virtual IP)

It took some trial and error to come up with a config that worked, the documentation wasn't helpful enough. I wasn't in production at the time.
If you lose contact with the device when setting the System VLAN, you can clear that setting via the Console. Make sure you have a backup config.
I recall something about when using the System VLAN, you can only manage the web filter from that VLAN, but that is not the case in my network.

#7 Jean Carlos

Jean Carlos
  • Members
  • 9 posts

Posted 08 December 2011 - 09:07 AM

Thank's Brian, why VLAN10 have not a Virtual IP?

#8 Brian Arthur

Brian Arthur
  • Members
  • 2 posts

Posted 30 August 2012 - 01:18 PM

VLAN 10 is the "System VLAN" and the 610's IP address is in this VLAN, hence no need to assign a Virtual IP, that would be like assigning a second IP in the same subnet to the device.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users