VLAN's and LLDP

Does the VLAN or DHCP forwarder on an M370 block or have any restrictions with LLDP or CDP? My VOIP phones are not getting any VLAN information form the DHCP scopes. If I turn off LLDP on the switches or bypass the WatchGuard everything works as intended. Just trying to track down if I missed anything when setting up the VLAN's on the M370 cluster.

This is for our remote office, and this is the first time we are using WatchGuard M370 instead of a Cisco ASA. This setup is working fine on our main site, but for some reason, it isn't in our branch.

Thanks for any advice

Comments

  • James_CarsonJames_Carson Moderator, WatchGuard Representative

    Hi @jjmac

    It depends.

    There's a checkbox on each interface that VLANs are enabled on that says "Apply firewall policies to intra-vlan traffic" -- if it's checked, they do.

    If the firewall is denying anything, you should see a red deny log for that traffic (dhcp is ports 67 and 68) inside the firebox's traffic monitor.

    -James Carson
    WatchGuard Customer Support

  • @James_Carson
    Doesn't "Apply firewall policies to intra-vlan traffic" only apply to VLANs which are defined on 2 different firewall interfaces ?
    Not sure how this option if selected would apply to the question asked.
    Please enlighten me. Thanks.

    Apply Firewall Policies to Intra-VLAN Traffic
    on this page:
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/networksetup/vlan_define_new_c.html

  • James_CarsonJames_Carson Moderator, WatchGuard Representative

    @Bruce_Briggs I'm assuming that we're spanning two interfaces -- you're correct -- if we're not it won't matter.

    If you're not spanning two interfaces, traffic on the same vlan won't traverse the firewall and we won't see any logs.

    -James Carson
    WatchGuard Customer Support

  • Thank you for your responses. I have 8 VLANs defined on one firewall interface. When I boot my Poly phone (VVX400) on VLAN A it should be checking for DHCP scope option 129 telling it to get an IP from VLAN B. Unfortunately, with LLDP enabled on the switch port it is getting an IP from VLAN A. It is the same setup and hardware that I am using at my main site, which is working. The only difference is that I'm using the WatchGuard for routing at the remote site as opposed to an HP/3Com in the primary site. I could just disable LLDP for the switches but would like that to be a last resort.

  • I tried enabling the "Apply firewall policies to intra-vlan traffic" to see if there would be any change or anything would show up on the traffic monitor. Sadly still no new information.

  • Consider opening a support incident on this.

Sign In to comment.