Managing Sophos XG – Create VLANs

Pre-setup disclaimers:
– Some steps will vary depending on the exact deployment. For this particular lab, a single trunk port is used between the XG Port 2 and the Switch (SW) Port 1. To maximize network throughput, this setup could split trunk ports between multiple 1GbE ports on the XG and multiple 1GbE ports on the SW. But that’s a project for another day.
– The switch used is a now-deprecated Linksys switch, SGE-2000P. It’s a faithful old steed and provides good PoE to the devices still tolerant of -at standards in an -af world.

Create the Interfaces

The first step is to create the interfaces needed for each VLAN. You’ll need to know which port(s) you’re trunking from the XG.

XG> Configure> Network> Interfaces> Add New Interface> Add VLAN>
– Give it an appropriate name.
– Select the appropriate trunk port.
– Select the desired zone. For the scope of this walkthrough, all VLANs will be “LAN”.
– Set the desired VLAN ID. It’s personal preference, but I set the VLAN ID to the IP range of that VLAN. It helps keep my mind straight.
– Set the static IP range applicable to the VLAN, e.g. 10.10.160.1/24 for VLAN 160.
– Save the changes.

Setup DHCP

Each VLAN will need its own DHCP range to work properly.

XG> Configure> Network> DHCP> Server> Add>
– Give it a descriptive name. I tend to keep everything named with a convention similar to the VLAN itself.
– Select the interface for the VLAN.
– Set the dynamic IP lease range. I will typically set this smaller than the total to leave me some room for static assignments, e.g. 10.10.160.100 – 10.10.160.200.
– Set your static IP maps, if applicable. This is easy enough to do later, too.
– Leave “Use Interface IP as Gateway” checked.
– Leave all else default and Save changes.

XG Setup Complete!

That really is it – in the simplest sense. The default firewall rule will allow all traffic out so, unless otherwise specified, every VLAN should provide an IP via the DHCP server specified for that VLAN, provide DNS via the gateway IP for that VLAN, and allow all outbound.

Of course, this is useless without a properly configured switch. This is where things get tricky because unless you’re on the Cisco train, everything is done just a bit differently across all vendors. The next set of steps will apply to my switch as more of a “so I don’t forget” set of instructions to my future, post-annual-lab-nuke self but the overall concepts and lingo will hopefully help others conceptualize what they need to do in their labs.

Bring on the Switching

We first need to tell the switch what VLANs to expect from the XG.
VLAN Management> Properties> Add:
– Set the VLAN ID to a value set within the XG VLAN Interface.
– Give it a descriptive name.
– Do this for each VLAN set in the XG.

We then need to set the SW ports to the appropriate VLAN Mode.
VLAN Management> Interface Settings:
– Set Port 1 to Trunk (Access to XG)

Almost lastly, we need to tell the SW which VLANs to expect over the trunk Port 1.
VLAN Management> VLAN to Port> g1> Join VLAN:
– There will be one untagged VLAN and the rest tagged.
– The untagged VLAN will be the default VLAN assigned to non-VLAN-aware devices. This can be the admin VLAN (not recommended) or a guest VLAN or anything you choose.
– The tagged VLANs will be the remaining VLANs available to be assigned elsewhere in the switch. So we can tag VLAN 100 to Port 8 or VLAN 200 to Port 16.
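A consistency check for the plan laid out above, added here as an example and not part of the original post or of any Sophos or Linksys tooling. It encodes the rules the walkthrough relies on (the VLAN ID matching the third octet, the DHCP pool sitting inside the VLAN subnet and clear of the gateway, every XG VLAN joined to trunk g1 with exactly one untagged VLAN) and runs them over a constructed plan whose VLAN names, addresses and the deliberate VLAN 200 mistakes are assumptions, not values from the post.

```python
import ipaddress

# Constructed sample plan mirroring the walkthrough: VLAN ID equals the third octet,
# the XG holds .1 on each VLAN, and the DHCP pool leaves room for static assignments.
XG_VLANS = {
    160: {"name": "VLAN160", "interface": "10.10.160.1/24", "zone": "LAN",
          "dhcp": ("10.10.160.100", "10.10.160.200")},
    100: {"name": "VLAN100", "interface": "10.10.100.1/24", "zone": "LAN",
          "dhcp": ("10.10.100.100", "10.10.100.200")},
    200: {"name": "VLAN200", "interface": "10.10.200.1/24", "zone": "LAN",
          "dhcp": ("10.10.200.1", "10.10.200.254")},   # constructed mistake: pool covers the gateway
}

# Trunk membership on switch port g1: one untagged VLAN, the rest tagged.
# Constructed mistake: VLAN 200 exists on the XG but was never joined to the trunk.
SWITCH_TRUNK = {"untagged": 100, "tagged": {160}}


def check_plan(vlans, trunk):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    nets = {}
    for vid, v in vlans.items():
        iface = ipaddress.ip_interface(v["interface"])
        net = nets[vid] = iface.network
        if not 1 <= vid <= 4094:
            findings.append(f"VLAN {vid}: ID outside 1-4094")
        # Author's convention: the VLAN ID matches the third octet of the subnet.
        if net.network_address.packed[2] != vid:
            findings.append(f"VLAN {vid}: third octet of {net} does not match VLAN ID")
        lo, hi = (ipaddress.ip_address(a) for a in v["dhcp"])
        if lo > hi or lo not in net or hi not in net:
            findings.append(f"VLAN {vid}: DHCP range {lo}-{hi} not inside {net}")
        elif lo <= iface.ip <= hi:
            findings.append(f"VLAN {vid}: DHCP range includes gateway {iface.ip}")
    # Two VLANs sharing address space would break "interface IP as gateway" routing.
    for a in nets:
        for b in nets:
            if a < b and nets[a].overlaps(nets[b]):
                findings.append(f"VLAN {a} and VLAN {b}: subnets {nets[a]} and {nets[b]} overlap")
    # The trunk must carry every XG VLAN, and a VLAN cannot be both untagged and tagged.
    trunk_vlans = {trunk["untagged"]} | set(trunk["tagged"])
    for vid in sorted(set(vlans) - trunk_vlans):
        findings.append(f"VLAN {vid}: configured on XG but not joined to trunk g1")
    for vid in sorted(trunk_vlans - set(vlans)):
        findings.append(f"VLAN {vid}: on trunk g1 but has no XG VLAN interface")
    if trunk["untagged"] in trunk["tagged"]:
        findings.append(f"VLAN {trunk['untagged']}: both untagged and tagged on trunk g1")
    return findings
```

Fixing the VLAN 200 pool to start at .100 and adding 200 to the tagged set makes the check return an empty list.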

I still need to go over the difference between “General” and “Access” ports as they relate to my schema but that’ll be an update for another night. As will screenshots.
