Sophos AP/APX users may experience issues registering to Sophos Central. More info available here: Central Wireless
We'd love to hear about it! Click here to go to the product suggestion community
I'm not an expert with vlans so thx for any advice. We are getting voip phones to replace traditional phones, and a new secondary WAN (WAN2) for it, along with upgrading from XG105 to XG210 rev 3. We have 35 users now, and the XG105 is pretty overloaded anyways so the upgrade to 210 should be nice.
Problem is, it's not as straight forward as just plugging the phones into a specific switch port range because they are all over the place, and computers will connect into back of phones too.
We want to do this below, any known limitations in XG?
1. Phones will need to be on a new vlan, say 30. So I believe I should hardcode vlan 30 into each phone?
2. Computers (to be plugged into the back of the phones gigabit ports) will need another vlan, say 20 or leave on 1? How do ensure that the computers get onto vlan 20 or 1? I was thinking maybe they will receive it automatically if it's the native vlan on that XG port? But that begs the question, how would I then make a 3rd vlan for say, accounting computers and make those computers get vlan 40?
3. XG should route vlan 20 - voice, over WAN 2, and all other traffic over WAN 1. Is this possible using the tagged vlans mentioned above?
what you are asking about is possible, but will depend on whether the phones can act as managed switches to tag the PC port.
Your setup will depend on the type of switch you are using, is it managed with VLAN capabilities?
In reply to rfcat_vk:
Hey Ian, thanks a lot for your reply.
The phone vendor says the phones will have the feature on the switch port yes, and the switches are fully managed, with VLAN including 802.1q. They also have a feature called Voice VLAN which I think is a Cisco term, but I'm not entirely sure Sophos can do that, so I plan to stick to normal 802.1q.
I'll post results this week
In reply to apalm123:
for some odd reason I can't recall, I think the voice VLAN is VLAN2 and has inbuilt priority in the switch is you tick the VoIP box.
Thanks Ian. Project is completed, and I can say everything we needed to do, the XG let us. I'm satisfied with it. XG210 was the right size, it's even oversized for this task which I like. Hums at 2% a lot of the time, 40% memory with all the security settings I wanted to have. 4 VLANS, 4 DHCP scopes, 42 computers (hardwired and wireless), 10 external wifi guest type devices, about 30 ipsec vpn tunnels, 34 VOIP phones, 2 WAN circuits, good IPS on, and AV/web filtering.
1. Added the vlans created onto the main LAN interface. Added firewall rule to allow voip vlan to get out to wan just like the main network has one already. Note, not able to do vlans across bridged lan ports yet , not until v18 probably.
2. The phones/most VOIP phones in general I believe support 802.1q vlans, and they can literally request a vlan to be part of. Configured on the phones themselves or through management tool etc. And they can tag the PC port in the back with whatever you want too, which is necessary because PC's are generally not VLAN aware (unless you configure the NIC port on all of them, but lets face it that sounds like a bad idea in an enterprise but you could probably get away with it in small numbers.
3. The WAN part and having the voip lan go out wan2 was literally the easiest part of the whole project. Just needed to modify the default gateway on the firewall rule for voip to go out wan2. Made mistake of not modifying the main network wan setting on it's rule, and had a lot of our traffic doing load balancing out both circuits which caused some main services not work in the business that rely on having the specific WAN IP they originally did.
Overall, liking XG still, just looking forward to v18 to get some new needed features.
Some commands that were key to this project that we ran on XG: