How to manage CS 110-48P via a VLAN on a trunk port... is it possible?

I am having a real problem getting to the web management interface of our Sophos CS110-48P switch across a VLAN.

This is the topology:

[Desktop PC]---vlan 10--[(U)port--Netgear SWITCH--Port(T)]-----[(T)Port--Netgear SWITCH--Port(T)]-----[(T)Port CS110-48P Sophos Switch port(T)]-----[(VLAN 10) Sophos XGS136]

From Desktop PC I can Ping the XGS136 and access the web management UI.
From Desktop PC I can ping the CS110-48P Sophos Switch but I can't access the web management interface.

I have configured the Sophos CS110-48P to have a default IP address (192.168.1.1) on port 1 which is NOT used on any VLANs.
I.e. port 1 has the default PVID of 1 and is just an isolated port that I can use as a get-out-of-jail option when all else fails.
So I know the switch is OK and can get to the management UI that way.

It looks like there is an option to set up an IP address on a VLAN tagged port.
The Network options under the UI tab Configuration-System give the option to set up an IP address against each configured VLAN.

So for example the VLAN 10 ip address range is 192.168.10.0/255.255.255.0 and I have set the IP address on the CS110-48P for VLAN 10 to be 192.168.10.3

From my desktop PC (192.168.10.23) I can ping 192.168.10.3 but I can't access https://192.168.10.3.
If I change the Sophos port to type U I can access https://192.168.10.3, but then I cannot get access to the Sophos firewall, so the VLAN loses internet access.

What am I missing?

Any help gratefully received.



Added TAGs
[edited by: Erick Jan at 6:18 AM (GMT -8) on 11 Jan 2024]
  • I think I have a handle on this issue now. 

    Basically the "switch brain", the entity that provides the UI, is a client to the switch network. Thus the UI can only be connected to via a port of type U, i.e. an access port. So connect to a U type port on VLAN(1) and, with the appropriate IP network configuration between switch and PC, the UI can be accessed.

    The problem is when you are on a VLAN, e.g. VLAN(10), the only port connected with a PVID of 1 is the T port connecting to the firewall and this can't be used to access the "internal brain" of the switch. It seems you can ping the switch via the T port but not https through it to the "internal brain".

    I guess the configure->System Settings->IP address settings should allow you to move the "brain" from VLAN(1) to a VLAN of your choice... but be aware, if for whatever reason you can't get onto that VLAN you are up the creek without a paddle and have to factory reset and start again.

    A much better solution, if you have a spare port on the firewall, is to dedicate one port on the firewall to one port on the switch. E.g. firewall port with IP 192.168.110.2 and port 1 of the switch with IP 192.168.110.3 on default VLAN(1) type U. Create a host on the firewall, e.g. "sophos.switch", with that IP address and then you can make rules on the firewall to grant access in a very controlled way. Works perfectly...!

    Hope this is helpful to someone and might save a bit of time.

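The symptom in this thread ("I can ping it but I can't get to the web UI") is two different questions: is there an IP path, and is the management service reachable over that path? The script below is an added diagnostic example, not code from the thread or from Sophos. It pings each candidate management address and separately attempts a plain TCP connection to the HTTPS port, then classifies the pair of results; the `l3_only` verdict is exactly the case described above, where the management plane sits untagged on VLAN 1 and ICMP crosses the trunk while the UI does not. The function names (`icmp_reachable`, `tcp_reachable`, `diagnose`, `probe`) are my own; the two addresses in `CANDIDATES` are the ones given in the question and should be replaced with your own.

```python
"""Tell apart "I can ping it" from "I can reach the management UI on it".

Added example, not from the thread. Probes each candidate management
address with ICMP (the OS ping command) and with a plain TCP connect to
the HTTPS port, then classifies the pair of results.
"""
import platform
import socket
import subprocess

HTTPS_PORT = 443          # the CS110 web UI is served at https://<mgmt-ip>

# Addresses taken from the question: the VLAN 10 management IP and the
# isolated VLAN 1 default address on port 1. Adjust for your own network.
CANDIDATES = ["192.168.10.3", "192.168.1.1"]


def icmp_reachable(host: str, timeout_s: int = 2) -> bool:
    """One ICMP echo via the OS ping binary; False on timeout or missing binary."""
    if platform.system() == "Windows":
        args = ["ping", "-n", "1", "-w", str(timeout_s * 1000), host]
    else:
        args = ["ping", "-c", "1", "-W", str(timeout_s), host]
    try:
        done = subprocess.run(args, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout_s + 3)
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return False
    return done.returncode == 0


def tcp_reachable(host: str, port: int = HTTPS_PORT, timeout_s: float = 2.0) -> bool:
    """Plain TCP handshake to the management port; no TLS and no request sent."""
    try:
        with socket.create_connection((host, port), timeout=timeout_s):
            return True
    except OSError:
        return False


def diagnose(icmp_ok: bool, tcp_ok: bool) -> str:
    """Classify a (ping, tcp) result pair into one of four outcomes."""
    if icmp_ok and tcp_ok:
        return "ok"
    if icmp_ok:
        return "l3_only"
    if tcp_ok:
        return "service_only"
    return "unreachable"


ADVICE = {
    "ok": "management UI reachable from this VLAN",
    "l3_only": ("IP path exists but the management service is not reachable "
                "through it; expect this when the switch's management plane "
                "sits untagged on VLAN 1 and you arrive over a tagged (T) port. "
                "Use an access (U) port in the management VLAN, or move the "
                "management IP to the VLAN you are on."),
    "service_only": "service answers but ICMP is dropped; check ICMP filtering",
    "unreachable": "no IP path; check VLAN membership, PVID and addressing",
}


def probe(host: str, port: int = HTTPS_PORT) -> dict:
    """Run both checks against one host and attach the classification."""
    icmp_ok = icmp_reachable(host)
    tcp_ok = tcp_reachable(host, port)
    verdict = diagnose(icmp_ok, tcp_ok)
    return {"host": host, "port": port, "icmp": icmp_ok, "tcp": tcp_ok,
            "verdict": verdict, "advice": ADVICE[verdict]}


if __name__ == "__main__":
    for ip in CANDIDATES:
        r = probe(ip)
        print(f"{r['host']:16} icmp={r['icmp']!s:5} tcp/{r['port']}={r['tcp']!s:5} "
              f"-> {r['verdict']}: {r['advice']}")
```

Run it from the desktop PC on the VLAN you are troubleshooting. A TCP connect is used rather than a full HTTPS request so that a self-signed switch certificate cannot mask the reachability result; if the verdict is `ok` but the browser still fails, the problem is above layer 4 (certificate, browser policy), not the VLAN design.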
