Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 9 replies
  • Subscribers 6 subscribers
  • Views 12852 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

UTM and VLAN routing

AZSysAdmin

Hello,

Hoping I can get some assistance with what I am missing on this UTM SG230 running 9.407-3. I have seen other questions on here, however could not find one with a...complete answer. As well, I know all configurations are different. So, even a push towards another question may help.

I have the following configuration on a L3 capable switch (CiscoNexus5548UP) it is the default gateway for the endpoints. However the VLANs I have configured are not understanding and seem to be dropping the VLAN traffic once the traffic gets to Sophos SG230.  

The Cisco has following VLANs with IP address assigned to vlan interface.

VLAN 1=101.1   *Default VLAN and EndPoint default GW
VLAN 102=102.1
VLAN 103=103.1  
VLAN 104=104.1

The UTM internal interface is 101.254 *eth0 of UTM
The UTM additional interfaces are 102.254, 103.254, and 104.254 *Interfaces & Routing tab, Interfaces, additional addresses tab

The Cisco routes  have been checked and double checked, all VLANs have route to firewall and 0.0.0.0 to firewall is primary route for VLAN1.
0.0.0.0/0, ubest/mbest: 1/0
    *via 192.168.101.254, Vlan1, [1/0], 1w4d, static
         recursive next hop: 192.168.101.254/32

I believe what is occurring is that the firewall does not recognize the traffic from the additional addresses or VLANs once it hits the firewall. So therefore does not reach a WWW address. The Cisco port is trunked to SG230. All VLAN traffic via trunk port to UTM, seems to not understand if a 102, 103, 104 subnet.

So, my question is and can provide more information. What do I need to enable/configure on the firewall to allow the UTM to recognize and route the VLAN endpoints through the firewall? Is there a interface setting I am missing to allow additional VLANs (102, 103, and 104) to use eth0 (Internal Interface) to route these to Internet?

I have tried configuring firewall rules, to troubleshoot and open traffic, example rule to allow Interface VLAN103-Any-Any rules and nothing. There are already many rules containing these VLANs or additional networks and UTM just doesn't seem to be configured to handle this.

I have been over the Cisco configuration with Cisco support three times now and configuration and L3 routing is configured properly. So, where and what can I do to allow more than the default VLAN to have traffic accepted and routed by SG230?

Thanks in advance,

Joel  



This thread was automatically locked due to age.
  • 0

    Hi Joel,

    Before reading through the complete question, you need to change the VLAN1 tag on this configuration as VLAN1 is reserved in UTM.

    Let me know if that change resolves the issue.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • 0 in reply to sachingurung

    sachingurung,

     

    Could you provide a little more detail? If I understand you're suggesting I associate the VLAN1 tagging on the interface or this post?

  • 0 in reply to sachingurung

    Sachingurung,

     

    Are you suggesting that I change the current internal interface to a VLAN interface?

     

    https://community.sophos.com/kb/en-us/118999

     

    This makes sense, however has not been needed until update to 9.407-3. It was all working fine before this update.

     

    The port to firewall/UTM is trunked and ALL traffic (VLAN102, 103, and 104 was) is being passed by VLAN 1 and was making it out to WWW. So, this is why I am asking for further details. Also, since it seems I can only make one VLAN per interface, this seems a bit...retarded for SG230. Thinking it should be able to route more than one VLAN on a interface. 

    So, any further information would be helpful.

    Thanks,

     

    Joel

  • 0 in reply to AZSysAdmin

    if i understand all correct you have to do following steps:

     

    1. define your lan interface as routing interface (eg. 192.168.200.0/24) and give your utm an ip (eg. 192.168.200.254)

    2. your vlans on l3 switch will have one default gateway, the ip of the routing lan (192.168.200.254) so your l3 switch will route all traffic he cant be handled to your utm.

    3. define on the utm the network definitions for your vlans (ega. vlan102 (IP subnet 192.168.10.0/24) vlan103 (IP Subnet 192.168.20.0/24) and create your rules (network, masquerades etc.)

    4. create a gateway route on the utm for each vlan you have and point it to the interface ips of your vlans on the l3 switch.

     

    now all have to work.

    Sophos Platinum Partner 
    Sophos Certified Architect
    (Ceritfied UTM Architect / Certified XG Architect)

  • 0 in reply to AZSysAdmin

    Joel, VLAN 1 is reserved in the UTM for Wireless Protection, so you may not use it at all.  As Sachin suggested, this may be the only problem you have.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Bob,

    Thank you for the further explanation. However, now I am very confused. Since VLAN1 is passing traffic to the UTM and was up until 11/24/2016. I need a way to get other VLANs through. If you have any other articles or solutions to UTM reserving VLAN1 for Wireless (even if not using this portion, yes?) could you please suggest how I overcome?

    VLAN1 traffic is passing, however nothing else. Does this VLAN1 reservation change in XG?

     

    Thanks in advance,

     

    Joel

  • +1 in reply to AZSysAdmin

    Hey joel, i dont find the information in your posts. Do you tag your vlan1? or is it untagged? if you have untagged its no problem.

    Sophos Platinum Partner 
    Sophos Certified Architect
    (Ceritfied UTM Architect / Certified XG Architect)

  • 0 in reply to x.cr3w

    x.cr3w,

     

    Yes the port off the Cisco to the UTM is trunked on VLAN1 and using dot1q tagging.

     

    All,

    I am feeling a bit frustrated with this post. The Cisco using same port (trunked to firewall default VLAN1) is working just fine before the 9.406-3 to 9.407-3 update and traffic was getting to Internet.

    However, after update to 9.407-3 the ONLY traffic being passed is the VLAN1 traffic. It gets to and through the firewall on VLAN1 without issue. If I understand the suggestions, VLAN1 will not work as this is reserved for Sophos Wireless Protection, then why does only VLAN1 work as expected and the others will not route to WWW?

    Thanks for patience with me,

     

    Joel

  • 0 in reply to x.cr3w

    All,

    The native VLAN on the Cisco Nexus 5548UP is untagged. So, the suggestion of removing the 802.1Q of VLAN1 would not be the issue.

    Result of query=vlan dot1q native tag is disabled

    So, I am still looking at what this could be.

Unfiltered HTML