
Multiple VLAN on each port

On an XGS series firewall, how do I assign multiple VLANs on each port (ports 1-8), such that each port has a native VLAN and some allowed VLANs?

e.g.:

  • port 1, native VLAN 1, allowed VLAN 2,3,4
  • port 2, native VLAN 2, allowed VLAN 4,5,6
  • port 3, native VLAN 3, allowed VLAN 1,3,5

Thanks!



Added tags
[edited by: Raphael Alganes at 2:59 AM (GMT -7) on 18 Sep 2023]
  • Hi,

    The native VLAN is always 1 and you don't address it as a VLAN.

    Ian

    You can have up to 1023 VLANs per port.

    XG115W - v20 EAP 1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • My use case is I will have a few physical switches, and each switch's upstream port will connect to a port on the firewall.

    One switch for one team/department, but will for sure have some inter-department (VLAN) traffic.

    In Cisco or Unifi, this is pretty straightforward. Set native and allowed VLANs on each firewall eth port, and then on the switch's upstream trunk port, make changes accordingly.

    I have yet to find how to do that with Sophos.

  • >the native VLAN is always 1 and you don’t address it as a VLAN.

    Understood. But since each interface must have a unique IP, how is the native VLAN defined?

    e.g.: switch 1 connects to firewall port 1; switch 2 connects to firewall port 2

    Firewall port 1: 10.10.1.1

    Firewall port 2: 10.10.2.1

    What are native VLANs for switch 1 and 2 respectively?

    Shall I use 10.10.1.1 /27 for port 1 and 10.10.1.33 /27 for port 2?

  • You will have to create a Bridge between all 3 ports and then place the VLANs on the bridge.

    Then you won't have the "Permitted" stuff on a port level, but generally speaking this will work.

  • You don't need to provide an address for the native VLAN unless you are using that for traffic. This assumes you are setting up L2 type VLANs?

    Ian


  • I don't want to bridge ports.

    It appears Sophos doesn't support many-to-many interface-VLAN mapping. In Sophos, one interface can have multiple VLANs, but one VLAN can only exist on one interface. Is this about right?

    For example:

    • VLAN 10 and VLAN 20 can exist on port 1 (a physical interface).
    • VLAN 10 and VLAN 20 cannot exist on both port 1 and port 2.
    • In order to make VLAN 10 and VLAN 20 work on physical port 1 and 2, I must create a virtual bridge interface, and bridge port 1 and port 2 together
    • After bridging port 1 and 2, VLAN 10 and 20 exist on the bridge interface, and only exist on this newly created bridge interface
  • I am trying to understand your issue.

    You can have VLAN 20 on three different interfaces, e.g. 1.20, 2.20, 3.20, and they can be connected via a firewall rule, e.g. source LAN, VLAN1.20, destination LAN, VLAN2.20, allow all, for traffic to flow from VLAN1.20 to VLAN2.20. Each VLAN is unique because it has a different IP address range assigned to it.

    The only issue would be if you connected 1.20 and 2.20, etc. to the same switch.

    Ian

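To make the model in Ian's last reply concrete (the same VLAN ID on several ports, each a separate interface with its own subnet, joined only by a firewall rule) and to check the /27 split the original poster asked about, here is a small planner and validator. It is an added example written in Python, not Sophos configuration or code from this thread; interface names such as "Port1.20", the rule format and the sample subnets are assumptions for illustration.

```python
# Added example (not from the thread): plan per-port native + tagged VLAN
# sub-interfaces, verify their subnets do not overlap, and evaluate whether
# traffic between two addresses is switched locally, routed and allowed by a
# rule, or dropped. Names like "Port1.20" and the rule model are assumptions.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from itertools import combinations
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SubInterface:
    name: str                 # "Port1" (untagged) or "Port1.20" (VLAN 20 on Port1)
    port: str                 # physical port the sub-interface hangs off
    vlan_id: Optional[int]    # None = untagged/native traffic on that port
    network: IPv4Network      # subnet the firewall owns on this interface


@dataclass(frozen=True)
class Rule:
    src_iface: str
    dst_iface: str
    action: str               # "allow" or "drop"


def build_plan(ports: Dict[str, dict]) -> List[SubInterface]:
    """Expand {"Port1": {"native": "10.10.1.0/27", "tagged": {20: "10.20.1.0/24"}}}
    into one SubInterface per (port, VLAN). The same VLAN ID may appear on
    several ports; each occurrence is a distinct interface with its own subnet."""
    plan: List[SubInterface] = []
    for port, cfg in ports.items():
        if cfg.get("native"):
            plan.append(SubInterface(port, port, None, ip_network(cfg["native"])))
        for vid, net in cfg.get("tagged", {}).items():
            plan.append(SubInterface(f"{port}.{vid}", port, vid, ip_network(net)))
    return plan


def overlapping_subnets(plan: List[SubInterface]) -> List[Tuple[str, str]]:
    """Every interface needs a unique, non-overlapping subnet; return offenders."""
    return [(a.name, b.name) for a, b in combinations(plan, 2)
            if a.network.overlaps(b.network)]


def lookup_iface(plan: List[SubInterface], ip: str) -> Optional[SubInterface]:
    """Find the interface whose subnet contains ip (longest match not needed
    once overlapping_subnets() is empty)."""
    addr = ip_address(ip)
    for iface in plan:
        if addr in iface.network:
            return iface
    return None


def is_allowed(plan: List[SubInterface], rules: List[Rule],
               src_ip: str, dst_ip: str) -> bool:
    """Same interface = same L2 segment, switched without touching the
    firewall. Different interfaces are routed through the firewall: the
    first matching rule decides, and with no match the default is drop."""
    src, dst = lookup_iface(plan, src_ip), lookup_iface(plan, dst_ip)
    if src is None or dst is None:
        return False
    if src.name == dst.name:
        return True
    for rule in rules:
        if rule.src_iface == src.name and rule.dst_iface == dst.name:
            return rule.action == "allow"
    return False


# Constructed sample: two switches uplinked to Port1 and Port2, each carrying
# untagged traffic on a /27 carved from 10.10.1.0/24 plus VLAN 20, with a
# one-way allow rule between the two VLAN-20 segments.
SAMPLE_PORTS = {
    "Port1": {"native": "10.10.1.0/27", "tagged": {20: "10.20.1.0/24"}},
    "Port2": {"native": "10.10.1.32/27", "tagged": {20: "10.20.2.0/24"}},
}
SAMPLE_RULES = [Rule("Port1.20", "Port2.20", "allow")]

if __name__ == "__main__":
    plan = build_plan(SAMPLE_PORTS)
    print("interfaces:", [i.name for i in plan])
    print("overlaps:", overlapping_subnets(plan))
    print("Port1.20 -> Port2.20:",
          is_allowed(plan, SAMPLE_RULES, "10.20.1.10", "10.20.2.10"))
    print("Port2.20 -> Port1.20:",
          is_allowed(plan, SAMPLE_RULES, "10.20.2.10", "10.20.1.10"))
```

Running it shows the four interfaces (Port1, Port1.20, Port2, Port2.20) with no subnet overlap, the rule-permitted direction allowed and the reverse direction dropped by default. Giving Port1.20 and Port2.20 the same subnet, which is what the "one VLAN on two ports" picture implies, is reported by overlapping_subnets() as a planning error rather than silently accepted.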