
New AP6 Range - XGS and REDs

Hi all,

Early next year I've got to replace an aging UTM and 20 AP broadcasters for a customer, and I've seen the AP6 range is coming but it's Sophos Central managed only.

The customer has a star topology, so HQ will have an XGS and the other sites will have RED units. Every site will have three wifi networks: staff, personal and guest. Staff will access systems at HQ, personal is for personal phones needing internet only, and guest is for outsiders coming in and needing wifi for a guest period of time.

UTM was awesome because you booted up the AP, be it at HQ or behind a RED, it would appear on the UTM, you imported it, and setting up isolated wifi networks was super easy because you didn't have to worry about VLANs or having VLAN-enabled switches, etc. per site.

Questions - With AP6 being Central managed only, I guess you have to set up VLANs on Central for the broadcasters, then on the sites you'll need VLANs on the switches, REDs configured with VLANs and finally the XGS with VLANs too?

Or have I missed something or is my thought process overcomplicating the issue?

Many thanks for your time in advance



  • Hello,

    Thank you for reaching out to the community. For AP6 with Sophos Central wireless, the access point has to be able to communicate with Sophos Central. The domains/IPs for the Sophos Central connection are wifi.cloud.sophos.com, prod.hydra.sophos.com and amazonaws.com. Therefore, the following requirements have to be fulfilled:
    > DHCP and DNS servers are configured to provide an IP address to the access point and answer its DNS requests (IPv4 only).
    > The access point can reach Sophos Central without requiring a VLAN to be configured on the access point for this connection.
    > Communication on ports 443, 123 and 80 to any internet server is possible.
    > There is no HTTPS proxy on the communication path.
    > For VLANs: add the proper VLANs to the trunk port of the wired switch. The AP always communicates over the untagged VLAN, so make sure the native or management VLAN is untagged on the wired switch.

    Note: If the AP6 is unable to get an IP address from a DHCP server, it will use a default IP address 192.168.2.2/24.

    AP6 Series Technical Documentation: https://doc.sophos.com/nsg/wifi/help/en-us/index.html 

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Technical Support, Global Customer Experience

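The checklist in the reply above is something you would want to verify from the AP's switch port before racking twenty access points. The script below is an added example, not Sophos code: it resolves the two FQDNs named in the post (amazonaws.com is a whole domain rather than a single host, so it is not probed), tries TCP 443 and 80 against each resolved IPv4 address, sends a minimal NTP client request on UDP 123, and flags an explicit HTTPS proxy in the environment. The function names, the NTP target `pool.ntp.org` and the use of proxy environment variables as the "no HTTPS proxy" indicator are this example's assumptions; the network calls are injectable so the logic can be run against fakes.

```python
"""Pre-deployment check of the Sophos Central reachability requirements
listed in the reply above (DNS for the named hosts, TCP 443/80, NTP on
UDP 123, no HTTPS proxy). Added example, not Sophos code. The FQDNs and
ports come from the post; everything else is this example's choice."""
import os
import socket

CENTRAL_HOSTS = ["wifi.cloud.sophos.com", "prod.hydra.sophos.com"]
TCP_PORTS = [443, 80]
NTP_PORT = 123
NTP_SERVER = "pool.ntp.org"   # assumption: any reachable NTP server will do


def resolve_ipv4(host):
    """Return the A records for host (the AP6 uses IPv4 only)."""
    infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def tcp_open(ip, port, timeout=3.0):
    """True if a TCP handshake to ip:port completes."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def ntp_reachable(host, timeout=3.0):
    """Send a minimal NTPv3 client request (LI=0, VN=3, mode=3) and
    accept any 48-byte reply as proof that UDP 123 is open outbound."""
    pkt = b"\x1b" + 47 * b"\x00"
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(pkt, (host, NTP_PORT))
            data, _ = s.recvfrom(48)
            return len(data) >= 48
    except OSError:
        return False


def proxy_configured(env=os.environ):
    """An explicit HTTPS proxy in the environment is a hint that the path
    has an intercepting proxy, which the AP6 cannot use (assumption)."""
    return any(env.get(k) for k in ("HTTPS_PROXY", "https_proxy"))


def run_preflight(resolve=resolve_ipv4, tcp=tcp_open, ntp=ntp_reachable,
                  env=os.environ):
    """Return {check name: bool}. All True means the requirements in the
    post are met from this vantage point."""
    results = {}
    for host in CENTRAL_HOSTS:
        try:
            ips = resolve(host)
        except OSError:
            ips = []
        results[f"dns:{host}"] = bool(ips)
        for port in TCP_PORTS:
            results[f"tcp:{host}:{port}"] = bool(ips) and all(
                tcp(ip, port) for ip in ips)
    results["ntp:udp123"] = ntp(NTP_SERVER)
    results["no_https_proxy"] = not proxy_configured(env)
    return results


def failures(results):
    """Sorted names of the checks that did not pass."""
    return sorted(name for name, ok in results.items() if not ok)


if __name__ == "__main__":
    res = run_preflight()
    for name, ok in res.items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}")
    raise SystemExit(0 if not failures(res) else 1)
```

Run it from a laptop on the same untagged VLAN and switch port the AP6 will use; a proxy that is transparent rather than configured in the environment will only show up as the TCP 443 check succeeding while the AP still fails to register, so treat the proxy check as a hint, not proof.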

  • Hi,

Thanks for your detailed reply. Apologies for not making it clear: I mean AP6 broadcasters having multiple wifi networks and handling them differently behind REDs. For example, if I had three wifi networks, "staff", "personal" and "guest": staff has access to internal systems at HQ, personal is for personal devices that need just internet, and guest is a hotspot/voucher system, again isolated. On the UTM you didn't need to worry about VLANs or anything like that; you could create wifi networks, assign them to all broadcasters across the company, regardless of whether they were behind REDs or not, and it worked.

To me it seems that by going Central, VLANs are the only way to achieve this with AP6s mixed with Sophos Firewall.

  • Essentially you are talking about the Separate Zone approach of the firewalls. Both firewalls supported this VXLAN interface approach, which essentially did its job for customers without VLANs but had its "challenges".

    See UTM Online help: 

    Essentially the recommendation for bigger deployments was: use VLANs whenever possible to avoid this kind of problem.

    Central Wireless for Legacy AP and APX solved this with a new technology called "Guest Network". It essentially builds a firewall on the APX itself and blocks access to everything but the internet. This means a client logs into the SSID "Guest" and can only reach the internet, which is most likely the use case of a Separate Zone as well.

    Then the network gives the guest client an IP address from DHCP; on your firewall you only see WAN traffic, which you naturally allow, and that's it. Complete isolation on the AP itself.

    This feature is not available on AP6 yet, so AP6 only supports VLANs. VLANs are also supported on RED if you want to bridge it, but should not be used on multiple REDs at the same time. So as soon as we support the feature above with the AP's own firewall, you could implement it like on the firewall as well, just as an alternative approach.

    What kind of "deployment size" are we talking about? There are multiple approaches to get to the best-fitting solution. I am deploying right now multiple customers with 8-port switches on their sites because they need a PoE+ approach as well.

    __________________________________________________________________________________________________________________

  • Many thanks for your detailed reply.

    The deployment is not massive; it'll be HQ and 5, maybe 6, other sites, each with their own RED.

    I'm interested to know why VLANs shouldn't be used with multiple REDs.

    Look forward to your reply

  • SFOS, UTM and Central Wireless follow the 1:1 SSID-VLAN ID approach. So you can define an SSID called Sophos, use VLAN ID 10 and use it on all products.

    If you have multiple REDs, to get VLAN 10 with the same subnet to your firewall, you will have to build a network bridge on SFOS/UTM and bridge all REDs into it.

    This works for a handful of REDs, but more REDs will get problematic.

    TL;DR: 5-6 REDs in a bridge, with your VLANs on the bridge, is no problem.

    I have seen bridges with 100 REDs, which means basically every multicast/broadcast packet will be sent to all REDs, etc. It gets massively clunky.

    Another approach is to use a smaller desktop box instead of the RED. Then you could use VLAN 10, terminate it on the desktop appliance and do normal routing.

    __________________________________________________________________________________________________________________
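The post above gives the three rules that a VLAN plan for this topology has to satisfy: one VLAN ID per SSID reused at every site (the 1:1 SSID-VLAN approach), the AP itself talking to Central over the untagged VLAN, and every SSID VLAN carried tagged on each trunk from the AP's switch port through the RED into the firewall bridge. The script below is an added example, not Sophos code, that checks a written-down plan against those rules before anyone touches a switch; the site names, VLAN numbers, the `TrunkPort`/`Site` model and the threshold of six REDs per bridge (the post calls 5-6 fine and 100 clunky) are this example's assumptions. The check that no SSID shares the untagged VLAN matters for security: a guest SSID mapped to the native VLAN lands guest clients in the AP management network.

```python
"""Sanity-check a VLAN plan for an AP6 + RED star topology against the
rules stated in the thread. Added example, not Sophos code: site names,
VLAN numbers, the TrunkPort/Site model and the RED-per-bridge threshold
are this example's assumptions."""
from dataclasses import dataclass, field


@dataclass
class TrunkPort:
    name: str                  # e.g. "sw1:gi1 AP6-01"
    native_vlan: int           # carried untagged on this port
    tagged: set = field(default_factory=set)


@dataclass
class Site:
    name: str
    ap_ports: list             # switch ports the AP6s plug into
    uplink: TrunkPort          # port towards the RED (branch) or XGS (HQ)
    via_red: bool = True       # False at HQ, where the XGS sits locally


# Constructed plan for the three SSIDs in the thread.
SSID_VLANS = {"staff": 10, "personal": 20, "guest": 30}
MGMT_VLAN = 1   # assumption: the untagged VLAN the AP6 gets DHCP/DNS on


def check_site(site, ssid_vlans=SSID_VLANS, mgmt_vlan=MGMT_VLAN):
    """Return a list of plan violations for one site (empty = OK)."""
    problems = []
    for port in site.ap_ports + [site.uplink]:
        # The AP must sit on the untagged VLAN; a different native VLAN
        # either breaks AP management or leaks an SSID into that VLAN.
        if port.native_vlan != mgmt_vlan:
            problems.append(f"{site.name}/{port.name}: native VLAN is "
                            f"{port.native_vlan}, expected {mgmt_vlan} untagged")
        for ssid, vid in ssid_vlans.items():
            if vid not in port.tagged:
                problems.append(f"{site.name}/{port.name}: VLAN {vid} "
                                f"({ssid}) not tagged")
    return problems


def check_deployment(sites, ssid_vlans=SSID_VLANS, mgmt_vlan=MGMT_VLAN,
                     red_bridge_limit=6):
    """Whole-deployment checks: 1:1 SSID-VLAN plan, no SSID on the
    management VLAN, per-site trunks, and a cap on REDs in one bridge
    (6 is this example's pick, based on the 5-6 the post calls fine)."""
    problems = []
    if len(set(ssid_vlans.values())) != len(ssid_vlans):
        problems.append("plan is not 1:1: two SSIDs share a VLAN ID")
    for ssid, vid in ssid_vlans.items():
        if vid == mgmt_vlan:
            problems.append(f"SSID {ssid!r} would put clients on the "
                            f"management VLAN {vid}")
    for site in sites:
        problems.extend(check_site(site, ssid_vlans, mgmt_vlan))
    reds = sum(1 for s in sites if s.via_red)
    if reds > red_bridge_limit:
        problems.append(f"{reds} REDs bridged on the firewall exceeds "
                        f"{red_bridge_limit}; consider a routed desktop "
                        f"firewall per site instead")
    return problems


def sample_sites():
    """Constructed data: HQ is correct, Branch-A has two mistakes
    (AP port native VLAN set to the guest VLAN, guest VLAN missing on
    both trunks)."""
    hq = Site("HQ",
              ap_ports=[TrunkPort("sw1:gi1 AP6-01", 1, {10, 20, 30})],
              uplink=TrunkPort("sw1:gi24 to XGS", 1, {10, 20, 30}),
              via_red=False)
    branch = Site("Branch-A",
                  ap_ports=[TrunkPort("sw1:gi1 AP6-02", 30, {10, 20})],
                  uplink=TrunkPort("sw1:gi8 to RED", 1, {10, 20}))
    return [hq, branch]


if __name__ == "__main__":
    for p in check_deployment(sample_sites()):
        print("FAIL", p)
```

Feed it the real per-site port list from the switch configs; the output for the constructed sample is three findings for Branch-A and none for HQ. The same VLAN IDs are then what you create as VLAN subinterfaces on the RED bridge on the XGS, one per SSID, with the guest VLAN's firewall rule allowing only the WAN zone.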

  • Thank you again for your response. I just wanted to clarify the last paragraph: by a smaller desktop box, do you mean a small SFOS/UTM and a site-to-site VPN?

  • Essentially that does not matter. If you have a VLAN on a firewall, you can route the traffic without the VLAN tag through a VPN device. RED cannot do that.

    SFOS (and UTM) will remove the tag and route it.

    __________________________________________________________________________________________________________________