Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Sophos Firewall

Discussions VLAN Trunk tagging or not?

Sophos Firewall requires membership for participation - click to join

Thread Info

State Suggested Answer
+1 person also asked this people also asked this
Locked Locked
Replies 5 replies
Answers 1 answer
Subscribers 42 subscribers
Views 12568 views
Users 0 members are here

Options

Suggested

This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

VLAN Trunk tagging or not?

Bernhard Lang over 6 years ago

Hi,

i have a new XG125 in my Office.

I want to seperate my Networks with VLANs:

VLAN-ID1 = Admin / System-Management

VLAN-ID2 = User

...

Config on Switch:

Port 1 (to XG):

* VLAN-ID 1 tagged

* VLAN-ID 2 tagged

Config on XG:
Port 1 (to Switch):

* Zone LAN

* IP in VLAN 1

Port 1.2

* Zone LAN

* IP in VLAN 2

Routes to the VLANs over the Interfaces, no Gateways

FW-Rule: LAN2LAN allow, all Networks

But from my Clients in VLAN2 i can't access the XG, either the VLAN2-IP nor the VLAN1-IP.

When i untag the Port on my Switch, i can Access the XG in one VLAN, but not in the other?

What am i doing wrong? Thanks for any help!

Regards,

Bernhard

This thread was automatically locked due to age.

Parents

0 rfcat_vk over 6 years ago

The key issue will be your use of VLAN 1, use any other VLAN.

The VLANs need to be created in the XG and the common interface on the switch needs to be tagged.

Ian

XG115W - v20.0.2 MR-2 - Home

XG on VM 8 - v21 GA

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 Bernhard Lang over 6 years ago in reply to rfcat_vk

Hi,

Thank you!

I cant assign a VLAN id on Port1 on the XG!?

So how is the Frame assigned to the physical Port 1, when it is tagged with id 5?

Thanks.
Cancel
Vote Up 0 Vote Down

Cancel
0 rfcat_vk over 6 years ago in reply to Bernhard Lang

In networks you add a VLAN. The new VLAN must have a seperate IP address range as to the physical port. It will be identified a 1.5 if you called it VLAN 5.

The physical port cannot be tagged in an XG.

Ian

XG115W - v20.0.2 MR-2 - Home

XG on VM 8 - v21 GA

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 rfcat_vk over 6 years ago in reply to Bernhard Lang

In networks you add a VLAN. The new VLAN must have a seperate IP address range as to the physical port. It will be identified a 1.5 if you called it VLAN 5.

The physical port cannot be tagged in an XG.

Ian

XG115W - v20.0.2 MR-2 - Home

XG on VM 8 - v21 GA

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Bernhard Lang over 6 years ago in reply to rfcat_vk

Hi and thanks.

Also this is not what i wanted, i used this hint ;-)

I used now VLAN1 untagged and as Port-VLAN-ID on the Switch. So all untagged Frames are assigned to VLAN1 on the physical Port of the XG. And when the XG sents an untagged Frame, the Switch assign this Frame to VLAN1.

So I can use the VLAN ID 1 as i wanted :)

All other VLANs are tagged on the Switch on the Trunk-Port and I configured a seperate VLAN-Interface on the XG for each other VLAN.
Cancel
Vote Up 0 Vote Down

Cancel
0 Kaloian Kirchev over 4 years ago in reply to Bernhard Lang

@Bernhard Lang

Hi,

Did you put VLAN1 IP address(GW) on physical port. And than every GW address from every vlan on subinterface.

For example :

Por1 - IP 10.1.1.1/24

Port1.10 - IP 10.1.1.11/24

Port1.20 - IP 10.1.1.21/24

And on switch every host in Vlan 1 should have 10.1.1.0/24 address.

This should work?

Also Can I enable DCHP on physical port(VLAN 1)? Or it would not work because of subinterfaces?
Cancel
Vote Up 0 Vote Down

Cancel