VLAN Scanning Guide

Document created by Martin Walker Employee on Jun 18, 2018Last modified by Martin Walker Employee on Jun 18, 2018
Version 3Show Document
  • View in full screen mode

Introduction to VLAN Scanning

Qualys scanners support IEEE 802.1q VLAN tagging protocol. When connected to a suitably configured trunk port VLAN scanning allows the scanner to tag frames with the target VLAN ID, enabling your switching fabric to move scan traffic across your network, and allowing the scanner to participate in the VLAN and scan devices in the same VLAN directly as a “neighbor”. This eliminates dependencies on Layer 3 devices such as firewalls, load balancers, IDS/IPS and so forth.


Benefits to using VLAN scanning include:

  • A potential increase in overall scan performance by reducing the delays associated with transiting Layer 3 devices
  • Better OS and service fingerprinting since these Layer 3 devices often modify packet headers or change the handling of non-RFC compliant datagrams
  • Reduction of compute and other resources on Layer 3 devices particularly half open connection state tables
  • Reduction of “ghost host” issues due to inappropriate responses from Layer 3 devices to datagrams destined for unused NAT and VIP addresses

Use of VLAN tagging does not preclude the simultaneous use non-VLAN tagged scan traffic on the same interface. Neither does it require the use of a dual-NIC configuration on the scanner.



  • Your appliance must be configured with a static IP address, netmask, and default gateway address on the LAN interface as per normal.
  • Your appliance must be running Scanner Appliance software version 2.1 or later.
  • VLAN scanning must be enabled for your subscription. Please contact Support or your Technical Account Manager to enable this feature.
  • All virtual scanners support VLAN trunking except the public cloud provider distributions and offline scanner appliances.
  • The scanner must be connected to a trunk port.
  • The trunk port must be configured to present the necessary VLANs to the interface.



  • Hardware scanners - You can add up to 4094 VLANs, to devices with a serial number over 29000 and up to 99 VLANs to devices with a serial number under 29000.
  • Virtual scanners - You can add up to 4094 VLANs to each virtual scanner.


Required VLAN Information

The following information is required for each VLAN the scanner is configured to participate in:

  • Static IP Address
    • The IP address must be unique per appliance. This means the same IP address cannot be defined in another VLAN configuration for the same appliance. The IP address assigned to the VLAN interface on the scanner cannot be dynamically assigned
  • Netmask
    • A valid netmask defining the subnet. Example:
  • ID
    • A VLAN ID. You may specify a number between 0 and 4094, inclusive. The VLAN ID must be unique per appliance. This means the same VLAN ID cannot be defined in another VLANs configuration for the same appliance.
  • Name
    • A VLAN name to identify the VLAN configuration in the VLANs list.


Adding VLANs on the appliance console

It is possible to configure a single VLAN from the appliance console. This can be configure using the LCD panel (for a physical appliance) or virtual appliance console.


  • This VLAN cannot have static routes
  • This VLAN cannot be viewed or edited within the user interface
  • This VLAN takes precedence


How to Configure VLANs in the UI

The following step-by-step instructions describe how to configure VLANs via the Qualys UI. These steps assume you have already deployed, connected, and verified the scanner appliance is operational.


  1. Configure the trunk port on the switch to present the necessary VLANs
  2. Logged in to Qualys as a manager, go to Scans->Appliances, select the appliance, and choose Edit from the dropdown menu
  3. On the left hand side select the VLAN tab

   4.   Click “New” (or “Edit” to change existing VLAN information)

  1. Enter the IP address, subnet mask, ID, and a name for the new VLAN as shown below.
  2. When you have finished entering all the required VLAN information click Save.

Once configured the scanner will automatically use 802.1q VLAN tags for traffic matching a configured VLAN address and netmask. This will allow your switching fabric to move the traffic using Layer 2, enabling the scanner to scan targets in those subnets as a neighbor. Traffic for IPs not matching any of the configured VLANs will be sent via the default network interface and default gateway as per normal operations.

4 people found this helpful