Separate VLANs on a ZyWALL/USG


Guide:

1. Check if the VLANs are in the same zone

2. Creating VLANs

3. Set up the Policy Rule

4. Test the result


Scenario description:

When several VLANs all belong to the same zone (for example LAN1), the VLANs may be able to communicate with each other without any route being configured. Follow this step-by-step guide to prevent this.

Note:
The IP addresses used here are only examples; replace them with your own IP addresses.


  1. Check if the VLANs are in the same Zone

Go to Configuration > Object > Zone > System Default and check whether two or more VLANs are members of the same zone.


  2. Creating VLANs

Go to Configuration > Object > Address/Geo IP > Address and create an address object for every VLAN: click Add, give the object a name (in this example VLAN10), set Address Type to SUBNET and enter the VLAN's network address and subnet mask. Repeat this step for ALL your VLANs.


  3. Set up the Policy Rule

Go to Configuration > Security Policy > Policy Control > IPv4 Configuration. Click Add and give the rule a name such as VLAN_BLOCK.
As an example: to block the traffic between VLAN10 and VLAN20, set the source to the address object VLAN10 and the destination to VLAN20, and set the action of the rule to "deny".

  4. Test the result

When you now try to ping a device in VLAN20 from VLAN10, the Policy Control rejects it. Under Monitor > Log you can see that the access was blocked.
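The following Python model is an added example and is not part of the original article or of any Zyxel software. It walks through the four steps above in code: it flags VLANs that share a zone (step 1), keeps one SUBNET address object per VLAN (step 2), evaluates a VLAN_BLOCK deny rule top-down against a default allow that stands in for the intra-zone traffic the scenario describes (step 3), and reports which pings would be blocked (step 4). The VLAN names, zone name and subnets are constructed placeholders, as the article's note about IP addresses asks. It also shows two things worth checking on the real firewall: a deny rule only matches sessions initiated in the direction it names, so VLAN20 to VLAN10 still needs its own rule, and the deny rule must sit above any broader allow rule or it never matches.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed example: three VLAN interfaces, all members of zone LAN1
# (placeholder names and zone, not taken from a real device).
VLAN_ZONES = {"vlan10": "LAN1", "vlan20": "LAN1", "vlan30": "LAN1"}

# Step 2: one address object per VLAN, Address Type SUBNET (placeholder subnets).
ADDRESS_OBJECTS = {
    "VLAN10": ip_network("192.168.10.0/24"),
    "VLAN20": ip_network("192.168.20.0/24"),
    "VLAN30": ip_network("192.168.30.0/24"),
}


@dataclass
class PolicyRule:
    name: str
    source: Optional[str]       # address object name, None means any
    destination: Optional[str]  # address object name, None means any
    action: str                 # "allow" or "deny"


def vlans_sharing_a_zone(zone_map):
    """Step 1: return {zone: [vlans]} for every zone holding two or more VLANs."""
    by_zone = {}
    for vlan, zone in zone_map.items():
        by_zone.setdefault(zone, []).append(vlan)
    return {zone: vlans for zone, vlans in by_zone.items() if len(vlans) > 1}


def matches(rule, src, dst, objects):
    """A rule matches when both its source and destination objects contain the IPs."""
    src_ok = rule.source is None or src in objects[rule.source]
    dst_ok = rule.destination is None or dst in objects[rule.destination]
    return src_ok and dst_ok


def evaluate(rules, src_ip, dst_ip, objects=ADDRESS_OBJECTS, default="allow"):
    """Top-down, first match wins; the default models the intra-zone allow that
    lets VLANs in one zone talk to each other (assumption for this model)."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for rule in rules:
        if matches(rule, src, dst, objects):
            return rule.name, rule.action
    return "default", default


# Step 3: the deny rule from the article, placed at the top of the table.
VLAN_BLOCK = [PolicyRule("VLAN_BLOCK", "VLAN10", "VLAN20", "deny")]


def check_block(rules=VLAN_BLOCK):
    """Step 4: which sample pings would the policy let through or reject?"""
    return {
        "vlan10_to_vlan20": evaluate(rules, "192.168.10.5", "192.168.20.5")[1],
        "vlan20_to_vlan10": evaluate(rules, "192.168.20.5", "192.168.10.5")[1],
        "vlan10_to_vlan30": evaluate(rules, "192.168.10.5", "192.168.30.5")[1],
    }


if __name__ == "__main__":
    print("zones with several VLANs:", vlans_sharing_a_zone(VLAN_ZONES))
    print("deny rule on top:", check_block())
    # Misordered table: a catch-all allow above VLAN_BLOCK hides the deny rule.
    misordered = [PolicyRule("ALLOW_ALL", None, None, "allow")] + VLAN_BLOCK
    print("deny rule below an allow-all:", check_block(misordered))
```

Running the block prints that VLAN10 to VLAN20 is denied while the reverse direction and VLAN10 to VLAN30 remain allowed, and that the same deny rule placed below an allow-all rule has no effect; on the device, the equivalent checks are the ping test and the Monitor > Log entry described in step 4.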

