
Bridging for Vlans

Hi All,

I was hoping someone could shed some light on this. I have searched forums and user guides but I can't seem to find an answer.

Sorry for the long thread.

Maybe bridging is not what I need but let me explain.

We use Sophos SG 650s at work. I manage the networks but not the Sophos units; I know very little about the Sophos units, and our firewall admin knows very little about networking :)

Recently I have had several scenarios where I need some ports on the Sophos to behave like layer two ports in a vlan.

Is it possible to have, say for example, 2 or more ports on a Sophos device act similarly to 2 ports on a layer 2 switch in the same VLAN?

Let's say I had 2 ports in VLAN 10 on a switch; they will pass all broadcast traffic etc. between them for that VLAN. Can I do a similar setup on the UTM?

At a push, can I send BPDUs and link-local multicast (let's say for HSRP etc.) over these links?

If so, is it possible to also have other uses for these same physical ports? What I mean by this is that when I look at our current setup I see our Sophos admin has maybe a few different "sub interfaces" under some physical interfaces, for example a physical interface assigned different logical interfaces.

Do I need a whole physical interface dedicated to the specific VLAN/trunk, or could I use this "bridging" method if other logical interfaces are set up on the same physical interface?

Can these ports be set up similarly to switch trunk ports, and can they assign 802.1Q tags?

If I have 2 Sophos SG650s in active/active, can they forward this type of "layer 2" traffic between them? I.e. if I cabled the 2 active/active Sophos units together with something similar to a Cisco trunk port, or is there such a setup available? Could they behave like 2 switches: layer 2 traffic into one, across the "trunk link" into the other, and out a port in the same VLAN or a "trunk port allowing specified VLANs"?

Then do rules etc. also have to be applied?

Basically, what I'm trying to get at is that I'm looking for ways to run some ports on SG650s as switch ports that support VLANs and trunking.

Has anyone any experience with this? The Sophos guides I have looked at don't go into much detail on it.

Thanks in Advance.



  • "switch ports that support vlans and trunking" - Yes.

    In WebAdmin, bridging is done at the NIC level - more than one is assigned to an interface.  Link Aggregation allows you to create a true hardware bridge (a LAG) that can be used in multiple Interface definitions including VLAN Interface definitions.  Multiple VLANs can be defined on a NIC or LAG.

    Is that what you're looking for?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Many thanks for your help Bob, I really appreciate it.

    I'm just wondering: let's say I have 4 VLANs - 10, 20, 30, 40.

    I understand I can put all these on one physical Sophos port and just give each VLAN an IP address on that port.

    So let's say I assign these 4 VLANs to port 2 and give each of them an IP address on that interface.

    This is fine, but can I also assign these same 4 VLANs to another port on the same Sophos firewall, let's say port 6 for example, and just configure different IP addresses than those on port 2?

    What I mean is, is there any way for several VLANs to "traverse" the Sophos firewall, coming in one port and out another on the same firewall, all the while only using two physical ports?

    Or is the only way to do this that each single VLAN needs 2 physical ports?

    With regard to NIC teaming or LAG, do the same LAG rules apply to 2 Sophos UTMs in an active/active setup as to a single UTM on its own?

    Like, if I have 2 Sophos UTMs in active/active, can I use, let's say, port 3 on both of them to form one logical LAG, sort of like multi-chassis EtherChannel, or can each LAG only come from one physical Sophos even if there are 2 of them in active/active?

    Thanks in advance.

  • Interesting questions!  Although I've not heard of anyone trying the multi-chassis Etherchannel approach, I'm fairly confident that it can't work...

    You cannot configure the same subnet on two separate NICs.  This would cause WebAdmin and the config daemon to create routing problems in the code that actually runs on the Sophos while it's working.

    Each LAG can "only come from one physical Sophos even if there are 2 of them in active active."

    Cheers - Bob

     
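A small plan checker, added here as an example and not part of the thread or of Sophos's own tooling. It models logical interface definitions of the kind Bob describes (802.1Q tags on a NIC or LAG, each with its own subnet) and flags the two things the thread says WebAdmin will not accept or that make no sense on a router: the same subnet configured on two separate NICs, and the same VLAN tag defined twice on one NIC. The `Iface` class, the interface names, the NIC names `eth2`/`eth6` and all addresses are constructed for the example; the "good" plan is the layout from the second post (VLANs 10-40 on port 2 and again on port 6, with different subnets on each side).

```python
"""Sanity-check a planned set of UTM logical interfaces (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_interface
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Iface:
    name: str            # logical interface name (constructed label)
    nic: str             # physical NIC or LAG it sits on, e.g. "eth2" or "lag0"
    vlan: Optional[int]  # 802.1Q tag, or None for an untagged interface
    addr: str            # primary address in CIDR form, e.g. "10.0.10.1/24"


def check_plan(ifaces: List[Iface]) -> List[str]:
    """Return a list of problems; an empty list means the plan is consistent."""
    problems: List[str] = []

    # Rule 1: a given 802.1Q tag can only be defined once per NIC/LAG.
    seen: Dict[tuple, str] = {}
    for i in ifaces:
        key = (i.nic, i.vlan)
        if key in seen:
            problems.append(f"{i.name}: VLAN {i.vlan} already defined on {i.nic} by {seen[key]}")
        else:
            seen[key] = i.name

    # Rule 2: no two logical interfaces may share or overlap a subnet. The thread's
    # point is the cross-NIC case (same subnet on two separate NICs); two tags on
    # one NIC sharing a subnet is the same routing ambiguity, so both are reported.
    for n, a in enumerate(ifaces):
        net_a = ip_interface(a.addr).network
        for b in ifaces[n + 1:]:
            net_b = ip_interface(b.addr).network
            if net_a.overlaps(net_b):
                where = "separate NICs" if a.nic != b.nic else f"the same NIC {a.nic}"
                problems.append(f"{a.name} ({net_a}) and {b.name} ({net_b}) overlap on {where}")
    return problems


def tags_per_nic(ifaces: List[Iface]) -> Dict[str, List[int]]:
    """The trunk-style view asked for in the question: which tags each NIC/LAG carries."""
    out: Dict[str, set] = {}
    for i in ifaces:
        if i.vlan is not None:
            out.setdefault(i.nic, set()).add(i.vlan)
    return {nic: sorted(tags) for nic, tags in out.items()}


# Constructed plan matching the second post: VLANs 10-40 on port 2 (eth2)
# and the same four tags on port 6 (eth6), each side with its own subnet.
GOOD_PLAN = [
    Iface("v10_p2", "eth2", 10, "10.0.10.1/24"),
    Iface("v20_p2", "eth2", 20, "10.0.20.1/24"),
    Iface("v30_p2", "eth2", 30, "10.0.30.1/24"),
    Iface("v40_p2", "eth2", 40, "10.0.40.1/24"),
    Iface("v10_p6", "eth6", 10, "10.1.10.1/24"),
    Iface("v20_p6", "eth6", 20, "10.1.20.1/24"),
    Iface("v30_p6", "eth6", 30, "10.1.30.1/24"),
    Iface("v40_p6", "eth6", 40, "10.1.40.1/24"),
]

# The variant the thread warns against: VLAN 10's subnet repeated on a second NIC.
BAD_PLAN = GOOD_PLAN[:4] + [Iface("v10_p6", "eth6", 10, "10.0.10.2/24")]

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(label, tags_per_nic(plan), check_plan(plan) or "OK")
```

Running it prints the tag map for both plans, "OK" for the first and a single overlap finding for the second. The same tag reused on two NICs is fine (that is exactly what the question wants); it is the subnet, not the tag, that must be unique, which is the distinction Bob's answer draws.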