VLAN fields
QRadar retains Virtual Local Area Network (VLAN) information that is exported in external flow records.
VLAN information can be found in flows that are received from IPFIX, NetFlow V9, sFlow V5, or J-Flow V9. It can also be viewed in internal flows, such as those that are received by Napatech or Network Interface Cards, or a dedicated IBM QRadar Network Insights appliance.
You can use the VLAN information in searches, filters, and custom rules.
Supported VLAN fields
The following VLAN fields are supported for IPFIX, NetFlow version 9, and J-Flow flow records:
- vlanId
- postVlanId
- dot1qVlanId
- dot1qPriority
- dot1qCustomerVlanId
- dot1qCustomerPriority
- postDot1qVlanId
- postDot1qCustomerVlanId
The following VLAN fields are supported for raw packets and sFlow version 5. IBM QRadar Network Insights also supports these fields.
- dot1qVlanId
- dot1qPriority
- dot1qCustomerVlanId
- dot1qCustomerPriority
- dot1qDEI
- dot1qCustomerDEI
VLAN separation
All flows that contain VLAN information are tagged with the following IBM®-specific fields to ensure that the network traffic from different groups of users is kept separate:
- Enterprise VLAN ID
- Customer VLAN ID
The values that appear in either field depend on the VLAN configuration:
- If the VLANs are stacked, both the Enterprise VLAN ID and Customer VLAN ID fields are populated with the relevant VLAN values.
- If the VLANs are nonstacked, the Enterprise VLAN ID property is set to 0, and the Customer VLAN ID shows the relevant VLAN value.
- If the inner VLAN is set to 0, the Enterprise VLAN ID shows the VLAN value and the Customer VLAN ID shows as 0.
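The three rules above can be checked against raw frames with the following added example, which is not IBM or QRadar code. It reads the priority, DEI, and VLAN ID bits from each 802.1Q/802.1ad tag and then derives the two separation fields; the function names are hypothetical, the frames are constructed samples, and the mapping of outer tag to Enterprise VLAN ID and inner tag to Customer VLAN ID is an assumption inferred from the rule about the inner VLAN.

```python
import struct

# TPIDs that introduce a VLAN tag: 802.1Q C-tag and 802.1ad S-tag.
VLAN_TPIDS = {0x8100, 0x88A8}


def parse_vlan_tags(frame):
    """Return the VLAN tags of an Ethernet frame, outermost first."""
    tags, offset = [], 12                 # skip destination + source MAC
    while len(frame) >= offset + 4:
        tpid, tci = struct.unpack_from("!HH", frame, offset)
        if tpid not in VLAN_TPIDS:
            break                         # reached the payload EtherType
        tags.append({
            "priority": tci >> 13,        # PCP, 3 bits
            "dei": (tci >> 12) & 0x1,     # drop eligible indicator, 1 bit
            "vlan_id": tci & 0x0FFF,      # VID, 12 bits
        })
        offset += 4
    return tags


def vlan_separation(tags):
    """Apply the three rules from the text; None means the frame is untagged."""
    if not tags:
        return None
    if len(tags) == 1:                    # nonstacked: Enterprise VLAN ID is 0
        return {"enterprise_vlan_id": 0, "customer_vlan_id": tags[0]["vlan_id"]}
    # Stacked (assumption: outer tag -> Enterprise, inner tag -> Customer).
    # An inner VID of 0 passes through unchanged, so Customer shows as 0.
    return {"enterprise_vlan_id": tags[0]["vlan_id"],
            "customer_vlan_id": tags[1]["vlan_id"]}


def build_frame(*tags):
    """Build a constructed sample frame; each tag is (tpid, priority, dei, vlan_id)."""
    frame = bytes(12)                     # zeroed MAC addresses
    for tpid, pcp, dei, vid in tags:
        frame += struct.pack("!HH", tpid, (pcp << 13) | (dei << 12) | vid)
    return frame + struct.pack("!H", 0x0800) + bytes(20)  # IPv4 + dummy payload


if __name__ == "__main__":
    samples = {
        "nonstacked": build_frame((0x8100, 5, 0, 100)),
        "stacked": build_frame((0x88A8, 3, 1, 200), (0x8100, 0, 0, 30)),
        "inner VLAN 0": build_frame((0x88A8, 0, 0, 200), (0x8100, 0, 0, 0)),
    }
    for name, frame in samples.items():
        print(name, vlan_separation(parse_vlan_tags(frame)))
```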