VLANs for Logical Segmentation of a Physical Port: A Use Case

Introduction

A Virtual Local Area Network (VLAN) enables the segmentation of a physical network into multiple logical networks, allowing for better traffic control, security, and resource optimization. On EVE-OS, the use of VLANs helps isolate the management traffic from application traffic or to split applications and their traffic into different logical network instances. This allows the external networks to give preferential treatment and apply different policies based on their requirements.

This use case demonstrates how to configure edge node adapter VLANs and also how to use the VLANs on network instance ports to isolate traffic. For further information about network instances in general, see Network Instance Overview.

Example Scenario

This traffic segmentation scenario includes the following: 

• Edge node with three physical ethernet ports: eth0, eth2, eth3
• Four VLANs: VLAN 10, VLAN 20, VLAN 30, VLAN 100
• Port eth2 used directly to access the untagged traffic
• Four Network Instances: NI1 Local, NI2 Local, NI3 Local, NI4 Switch
• Four Applications: Application 1, Application 2, Application 3, Application 4 

The following diagram shows an edge node with three physical edge node ports and multiple VLAN  subinterfaces. The eth0 port is segmented into VLAN 10 for isolating management traffic from VLAN 20 for Application 1 traffic. The eth2 port has a VLAN 30 sub-interface to isolate Application 2 traffic from untagged Application 3 traffic. The eth3 port is connected to a switch network instance with VLAN filtering enabled, and the interface from the network instance to Application4 is configured as an access port for VLAN 100.

Prerequisites

• You have the SysManager or SysAdmin role role in your ZEDEDA Cloud enterprise.
• You have onboarded an edge node with at least three physical ports.
• Your edge node is running EVE-OS version 14.5.0-LTS or greater.
• You have configured three local network instances and a switch network instance. 
• You have four applications. 
• You have a switch configured with three trunk ports to carry traffic for multiple VLANs. 

Configure the Edge Node VLANs

1. You have already onboarded an edge node in the prerequisites. 
2. Click Edge Nodes in the left panel. 
3. Click the Name of your edge node.
4. From the Adapters tab, click the pencil icon.
5. For each of the Network Adapters, revise the following items:
   (Note that Logical labels should not contain whitespace characters.)
   
   • eth0:  This interface is being used only for VLANs. Any other traffic, such as untagged, will be dropped.
     1. For Interface Usage select VLANs Only
     2. Click the Expand icon
     3. Click VLAN Details
     4. Enter a Logical Label for VLAN 10 (for example, eth0.10).
     5. Enter a VLAN ID of 10
     6. Select Interface Usage of Management
     7. Click Add another VLAN
     8. Enter a Logical Label for VLAN 20 (for example, eth0.20). 
     9. Enter a VLAN ID of 20
     10. Select Interface Usage of App Shared
     11. Click Save
     12. Click Save
   • eth2: This interface is App Shared because it’s being used for both VLAN and untagged traffic. 
     1. For Interface Usage select App Shared
     2. Click the Expand icon
     3. Click VLAN Details
     4. Enter a Logical Label for VLAN 30 (for example eth2.30).
     5. Enter a VLAN ID of 30
     6. Select Interface Usage of App Shared
     7. Click Save
     8. Click Save
   • eth3:
     1. This one is different because it’s a VLAN Switch Network Instance.
     2. For Interface Usage select App Shared
     3. The (Access) VLAN 100 is configured when deploying Application 4. See the  Configure the Network Instance Ports section. 

Configure the Network Instance Ports

• You have already configured three local network instances and a switch network instance in the prerequisites. 
• Hover over Library in the left panel.
• Click Network Instances.
• For each of the network instances, revise the following items: 
  • VLAN 10: This one doesn’t need a network instance.  
  • VLAN 20: This traffic will be using the corresponding sub-interface based on the VLAN for eth0.
    1. Click the Name of your local network instance that you want to use for VLAN 20 app shared traffic.
    2. From the Basic Info tab, click the pencil icon.
    3. In the Details section, from the Port drop-down, select eth0.20 (VLAN 20).
    4. Click Save.
  • VLAN 30: This traffic will be using the corresponding sub-interface based on the VLAN for eth2.  
    1. Click the Name of your local network instance that you want to use for VLAN 30 app shared traffic.
    2. From the Basic Info tab, click the pencil icon.
    3. In the Details section, from the Port drop-down, select eth0.30 (VLAN 30).
    4. Click Save.
  • Untagged: The untagged traffic will be using the IP address that’s assigned to the network interface for eth2. 
    1. Click the Name of your local network instance that you want to use for untagged traffic.
    2. From the Basic Info tab, click the pencil icon.
    3. In the Details section, from the Port drop-down, select eth2.
    4. Click Save.
  • VLAN 100: This one is different from the others, as you apply the VLAN to the switch network instance of the edge app instance interface: 
    1. Deploy your Edge Application Instance.
    2. In the Adapters & Networks tab, for eth3, select the Name of your switch network instance that you want to use for VLAN 100. 
    3. Click the Expand icon.
    4. For Access VLAN Id, enter 100.
    5. Continue to configure as you choose, clicking Next.
    6. Click Deploy.