VLAN Fields

JSA retains Virtual Local Area Network (VLAN) information that is exported in external flow records.

VLAN information can be found in flows that are received from IPFIX, NetFlow V9, sFlow V5, or J-Flow V9. It can also be viewed in internal flows, such as those that are received by Network Interface Cards, or a dedicated QRadar Network Insights appliance.

You can use the VLAN information in searches, filters, and custom rules.

Supported VLAN fields

The following VLAN fields are supported for IPFIX, NetFlow version 9, and J-Flow flow records:

  • vlanId

  • postVlanId

  • dot1qVlanId

  • dot1qPriority

  • dot1qCustomerVlanId

  • dot1qCustomerPriority

  • postDot1qVlanId

  • postDot1qCustomerVlanId

The following VLAN fields are supported for raw packets and sFlow version 5. QRadar Network Insights also supports these fields.

  • dot1qVlanId

  • dot1qPriority

  • dot1qCustomerVlanId

  • dot1qCustomerPriority

  • dot1qDEI

  • dot1qCustomerDEI

VLAN separation

All flows that contain VLAN information are tagged with the following specific fields to ensure that the network traffic from different groups of users is kept separate:

  • Enterprise VLAN ID

  • Customer VLAN ID

The values that appear in either field depend on the VLAN configuration:

  • If the VLANs are stacked, both the Enterprise VLAN ID and Customer VLAN ID fields are populated with the relevant VLAN values.

  • If the VLANs are nonstacked, the Enterprise VLAN ID property is set to 0, and the Customer VLAN ID shows the relevant VLAN value.

  • If the inner VLAN is set to 0, the Enterprise VLAN ID shows the VLAN value and the Customer VLAN ID shows as 0.

Assign Domains and Tenants to Flows with VLAN Information

With domain management support for VLAN flows, you can define your domains in JSA based on the VLAN information in your network.

In JSA, you can assign domains to incoming flows based on the VLAN information that is contained in the flow. The incoming flows are mapped to domains that contain the same VLAN definition. You can also filter and query on the VLAN-based domains.

You can assign tenants to domain definitions to achieve multi-tenancy. The VLAN-based domain definitions enable multi-tenancy across different VLANs, if required.

For example, two domain definitions are created and mapped to two network tenants:

  • For tenant ABC, traffic is sent on Enterprise VLAN ID = 0, and Customer VLAN ID = 10.

  • For tenant DEF, traffic is sent on Enterprise VLAN ID = 0, and Customer VLAN ID = 20.

The first domain definition is created for tenant ABC, which contains a flow VLAN definition of Enterprise VLAN ID = 0 and Customer VLAN ID = 10.

A second domain definition is created for tenant DEF, which contains a flow VLAN definition of Enterprise VLAN ID = 0 and Customer VLAN ID = 20.

Incoming flows with Enterprise VLAN ID and Customer VLAN ID fields set to 0 and 10 are viewed only by tenant ABC. Similarly, incoming flows with Enterprise VLAN ID and Customer VLAN ID fields of 0 and 20 are only viewed by tenant DEF. This reflects the traffic ownership for each tenant in the network.
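The following Python sketch is an added illustration, not JSA code. It models the VLAN separation rules and the ABC/DEF domain definitions described above on raw Ethernet frames. The function names, the constructed test frames, and the exact-pair matching of a flow against a domain definition are assumptions made for the example.

```python
import struct

TPIDS = {0x8100, 0x88A8}  # 802.1Q C-tag and 802.1ad S-tag EtherTypes

def vlan_tags(frame: bytes):
    """Return the VLAN tags of an Ethernet frame, outermost first."""
    tags, off = [], 12                       # skip destination and source MAC
    while len(frame) >= off + 4:
        tpid, tci = struct.unpack_from("!HH", frame, off)
        if tpid not in TPIDS:
            break                            # reached the payload EtherType
        # TCI layout: 3-bit priority, 1-bit DEI, 12-bit VLAN ID
        tags.append({"priority": tci >> 13, "dei": (tci >> 12) & 1,
                     "vid": tci & 0x0FFF})
        off += 4
    return tags

def vlan_pair(tags):
    """Apply the three rules above; returns (enterprise_id, customer_id)."""
    if not tags:
        return None                          # untagged: no VLAN information
    if len(tags) == 1:
        return (0, tags[0]["vid"])           # nonstacked: Enterprise VLAN ID is 0
    return (tags[0]["vid"], tags[1]["vid"])  # stacked; inner 0 gives (vlan, 0)

# Domain definitions from the example above: (Enterprise, Customer) -> tenant
DOMAINS = {(0, 10): "ABC", (0, 20): "DEF"}

def tenant_for(frame: bytes):
    """Tenant whose VLAN definition matches the frame exactly, else None."""
    return DOMAINS.get(vlan_pair(vlan_tags(frame)))

def build_frame(*tags):
    """Build a constructed sample frame; each tag is (tpid, priority, dei, vid)."""
    hdr = bytes(6) + bytes.fromhex("020000000001")
    for tpid, pcp, dei, vid in tags:
        hdr += struct.pack("!HH", tpid, pcp << 13 | dei << 12 | vid)
    return hdr + struct.pack("!H", 0x0800) + bytes(20)

if __name__ == "__main__":
    samples = {
        "single tag, VLAN 10": build_frame((0x8100, 0, 0, 10)),
        "single tag, VLAN 20": build_frame((0x8100, 0, 0, 20)),
        "stacked 100/10": build_frame((0x88A8, 0, 0, 100), (0x8100, 0, 0, 10)),
        "untagged": build_frame(),
    }
    for name, f in samples.items():
        print(name, vlan_pair(vlan_tags(f)), tenant_for(f))
```

In this model a stacked frame with Enterprise VLAN ID 100 and Customer VLAN ID 10 does not fall into tenant ABC's domain, because the definition is matched on both values, not on the Customer VLAN ID alone.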