Sophos Switch: VLAN Configuration

FormerMember

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


This Recommended Read aims to provide a complete guide to configuring VLANs, including both tagged and untagged ports, on a Sophos switch.

On Sophos switches, 'tagged ports' are the trunk ports, which carry traffic for multiple VLANs, and 'untagged ports' are the access ports, used for end devices that belong to a single VLAN.

We will explore the process step by step to help you effectively set up and manage VLANs on your Sophos switch.

Scenario:

In this example, we have 2 workstation members of 2 different VLANs.

Access Switch

Ports 2–4: untagged ports in VLAN 100

Ports 5–7: untagged ports in VLAN 200

Port 8:

  • Tagged Port VLANs 100 and 200
  • Connected to XGS firewall to carry traffic for VLANs 100 & 200.

PC 1 – SUPPORT VLAN

Member of VLAN SUPPORT-100 which resides in VLAN 100.

Connected to port 2 on the Sophos Access Switch

PC 2 – SALES VLAN

Member of VLAN SALES-200 which resides in VLAN 200.

Connected to port 5 on the Sophos Access Switch

Configurations

Log in to the Sophos Switch.

Add VLAN

To add a VLAN, navigate to Configure > VLAN settings > 802.1Q, then click “+Add”.

In the Add VLAN window, enter the details of your desired VLAN:

  1. Enter your desired VLAN ID. This must be a number from 2 to 4094.
  2. Enter the desired VLAN name.
  3. Then click ‘Apply.’

Tagged Ports (Trunk Port)

  1. To configure a tagged port, navigate to Configure > VLAN settings > 802.1Q, then click ‘Edit’ on the VLAN(s) created.
  2. Click the 'Tagged' box.
  3. Select your desired tagged port. In this example, choose Port 8.
  4. Click the 'checkmark' icon.
  5. Then click 'Apply'.

We have successfully created a Tagged Port (Trunk Port) for VLANs 100 and 200.

Untagged Port (Access Port)

  1. Click ‘Edit’ on your desired VLAN to create untagged ports. In this example we choose SUPPORT-100.
  2. Click the ‘Untagged’ box.
  3. Click your desired port(s). In this example, ports 2, 3 and 4.
  4. Click the 'checkmark' icon.
  5. Then click ‘Apply’.

Port VLAN ID (PVID)

The PVID is a per-port setting that specifies the VLAN ID assigned to untagged traffic arriving on that port.

In simpler terms, when an untagged frame arrives at a port, the switch places it in the VLAN given by that port's PVID. On Sophos switches, every port's PVID is 1 by default, so untagged incoming traffic initially lands in VLAN 1.

To ensure traffic is placed in the correct VLAN, you must set the PVID on your desired port(s) to the appropriate VLAN ID. Assigning a port as an untagged member of a VLAN does not change its PVID on its own.

More details can be found here for reference: Sophos Cloud Switch: PVID

PVID Configuration

In our example, we will be configuring PVIDs as follows:

  • PVID 100 on ports 2, 3 and 4.
  • PVID 200 on ports 5, 6 and 7.

To configure the PVID, navigate to:

  1. Configure
  2. VLAN settings
  3. PVID and Ingress filter
  4. Choose your required port(s). In this example, ports 2, 3 and 4.
  5. Then click ‘Edit’.

Once the PVID Window appears:

  1. Select your desired PVID, in this example 100 (SUPPORT-100).
  2. Click Apply.
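The tagged/untagged behaviour and the PVID rule described above, as a small Python model of the article's scenario (ports 2–4 untagged in VLAN 100, ports 5–7 untagged in VLAN 200, port 8 tagged for 100 and 200). This is an added example, not Sophos switch code; the frame bytes are constructed, and the model assumes a port only forwards within the VLANs listed for it and that a tagged frame for a VLAN the port is not a member of is dropped by the ingress filter.

```python
import struct
TPID = 0x8100  # IEEE 802.1Q Tag Protocol Identifier

def parse_vid(frame: bytes):
    """Return the VLAN ID in the frame's 802.1Q tag, or None if the frame is untagged."""
    if struct.unpack("!H", frame[12:14])[0] != TPID:
        return None
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF  # low 12 bits of the TCI

def add_tag(frame: bytes, vid: int) -> bytes:
    """Insert an 802.1Q tag (PCP 0, DEI 0) after the destination/source MACs."""
    return frame[:12] + struct.pack("!HH", TPID, vid & 0x0FFF) + frame[12:]

def strip_tag(frame: bytes) -> bytes:
    """Remove the 802.1Q tag, as a switch does before sending out an untagged port."""
    return frame[:12] + frame[16:] if parse_vid(frame) is not None else frame

def ingress_vlan(cfg: dict, port: int, frame: bytes):
    """Classify an arriving frame: tagged -> its VID (if the port is a tagged member), untagged -> PVID."""
    vid = parse_vid(frame)
    if vid is None:
        return cfg[port]["pvid"]
    return vid if vid in cfg[port]["tagged"] else None  # ingress filter drops foreign VIDs

def flood(cfg: dict, in_port: int, frame: bytes) -> dict:
    """Flood a frame to every other member port of its VLAN; returns {port: frame as sent}."""
    vid = ingress_vlan(cfg, in_port, frame)
    if vid is None:
        return {}
    out = {}
    for port, pc in cfg.items():
        if port == in_port:
            continue
        if vid in pc["untagged"]:
            out[port] = strip_tag(frame)          # access port: frame leaves untagged
        elif vid in pc["tagged"]:
            out[port] = add_tag(strip_tag(frame), vid)  # trunk port: frame leaves tagged
    return out

def article_config() -> dict:
    """Access-switch config from the article, with PVIDs set as the PVID section instructs."""
    cfg = {p: {"untagged": {100}, "tagged": set(), "pvid": 100} for p in (2, 3, 4)}
    cfg.update({p: {"untagged": {200}, "tagged": set(), "pvid": 200} for p in (5, 6, 7)})
    cfg[8] = {"untagged": set(), "tagged": {100, 200}, "pvid": 1}  # trunk to the XGS firewall
    return cfg

def pc1_frame() -> bytes:
    """Constructed untagged broadcast (ARP ethertype) as PC 1 would send into port 2."""
    return b"\xff" * 6 + bytes.fromhex("020000000001") + b"\x08\x06" + b"\x00" * 28
```

Setting `cfg[2]["pvid"] = 1` (the factory default left in place) makes `flood(cfg, 2, pc1_frame())` return nothing for VLAN 100: PC 1's frames land in VLAN 1 and never reach ports 3, 4 or the firewall trunk.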

Related Information

Techvids video: https://techvids.sophos.com/share/watch/fnLELAk4EchQoFRDepxJNA?

[edited by: Erick Jan at 12:00 AM (GMT -8) on 11 Jan 2024]
  • Thank you for posting this article. I don't know if this data was included in the initial info that was online after we purchased the switch. Information about PVID is essential for VLANs and Sophos switches. Sophos should not assume customers know what a PVID is, let alone how to use or configure it.

    I thought that the PVID was a single default VLAN for the entire switch, or what is referred to as the "Native" VLAN, or 1. - Wrong.

    Why must you set a PVID on ports after they have already been assigned to a VLAN (tagged or untagged)?

    It would seem logical for this to happen by default. Why would you want a port on VLAN 100 and the PVID to be 1? Is there a use case or reason?

    I started looking for a better explanation or details about PVID and this makes sense to me, maybe it will help others:  www.megajason.com/2018/04/30/what-is-pvid/ - Credit given to Jason Doolittle:

    "PVID is short for Port VLAN identifier.

    The PVID of a port is the VLAN id that will be assigned to any untagged frames entering the switch on that port (assuming the switch is using port-based VLAN classification). This is a concept that is defined in IEEE 802.1Q.

    For example, if you intend to connect a PC or a printer to a port, you would set the port as untagged in VLAN 10 and excluded from all other VLANs. The switch knows to only send VLAN 10 stuff to that port and to remove the VLAN tagging information before sending anything out.

    But, what about untagged frames entering the switch from the PC or printer (They’ll be untagged because the PC or printer doesn’t know about VLAN). This is where PVID comes in. PVID tells the switch what to do with those untagged incoming frames. In this example, if the PVID doesn’t match the VLAN id, the PC won’t be able to communicate with anybody because the frames it sends into the switch will end up on the wrong VLAN.

    On some switches, if you set a port as untagged on VLAN 10 and excluded from all others, the switch will automatically take care of tagging the untagged incoming frames with the same VLAN id (because what else would you want?) without requiring you to set the PVID. Other switches require you to manually set the PVID. - (SOPHOS)"

  • As far as I know, looking into this, most of the smaller switches (home setup switches) do the automatic setting of PVID to untagged, due to the nature of your post - they predict the configuration to be "easier" and not to worry about PVID at all.

    Other switches require the PVID to be manually set up.

    To quote ChatGPT here about manual setup of PVID:

    1. Flexibility and Control: By allowing administrators to explicitly configure the PVID on each port, switch manufacturers provide greater flexibility and control over VLAN assignments. This allows network administrators to have a more fine-grained control over the network configuration and ensures that untagged frames are consistently assigned to the desired VLAN.

    2. Consistency Across Different Switches: Different switch models and manufacturers may have different default behaviors or conventions. Allowing administrators to configure the PVID ensures consistency in VLAN assignments across various switches in a network.

    3. Avoiding Ambiguity: Automatic assignment of PVID may introduce ambiguity in cases where there are multiple VLANs on a network segment. Explicitly setting the PVID helps avoid any confusion about the VLAN to which untagged frames should be assigned.

    4. Security Considerations: Allowing automatic assignment of PVID to untagged frames might lead to unintentional misconfigurations or security vulnerabilities. Explicit configuration reduces the risk of misinterpretation or unintended VLAN assignments.

    5. Conforming to Standards: Some networking standards, such as IEEE 802.1Q, provide guidelines for VLAN implementation. Allowing manual configuration of PVID aligns with these standards and ensures that the switch behaves predictably according to industry norms.

    But there is potential to improve the switch handling here and I guess we are looking into this, to better align with the needs of an administrator.