
VLAN Interfaces

I am new to Sophos and I have the latest UTM home free edition. I have somewhat of a complex home network, and I want to set up VLAN control on the firewall. Below is a drawing of my Cisco switch (3950 Layer 3) and its associated vlans and connections. I am using trunking and allowing all vlans to pass through the two trunk ports (1 and 2), and ports 1 on both switches are connected with a standard ethernet cable. I have tried connecting the other trunk port (2) carrying all of the VLANS to "eth0" of my UTM and I lose all connectivity when I do so. I'm not sure what to do as I can't find much information on how to achieve this. I see where to add the subinterfaces to "eth0" of the type VLAN in the management gui, but I'm not sure what to do here. I'm also attaching my VLAN config on the router below. Any direction on how to achieve this would be awesome. 

Thanks,

FYI...The trunk ports are working properly between the switches, and I have connectivity between all vlans on both switches.


---------VLANS-------------------------------------------------------

VLAN1 Default (10.10.0.0/16)
VLAN2 DMZ (192.168.100.0/24)
VLAN50 Data ()
VLAN60 Subnet 1 (192.168.25.0/24)
VLAN99 Management (10.9.0.0/16) (Port 16 on both Switches)

----------------Cisco Configs------------------------------------------------------------

SW2#show vlan

VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa1/0/3, Fa1/0/4, Fa1/0/5, Fa1/0/6, Fa1/0/7, Fa1/0/8, Fa1/0/9, Fa1/0/10, Fa1/0/11, Fa1/0/12, Fa1/0/13, Fa1/0/14, Fa1/0/15, Gi1/0/1
Gi1/0/2, Gi1/0/3, Gi1/0/4
2 DMZ active Fa1/0/17, Fa1/0/18, Fa1/0/19, Fa1/0/20, Fa1/0/21, Fa1/0/22, Fa1/0/23, Fa1/0/24, Fa1/0/25, Fa1/0/26, Fa1/0/27, Fa1/0/28, Fa1/0/29
Fa1/0/30, Fa1/0/31, Fa1/0/32
50 Data active
60 Subnet1 active Fa1/0/33, Fa1/0/34, Fa1/0/35, Fa1/0/36, Fa1/0/37, Fa1/0/38, Fa1/0/39, Fa1/0/40, Fa1/0/41, Fa1/0/42, Fa1/0/43, Fa1/0/44, Fa1/0/45
Fa1/0/46, Fa1/0/47, Fa1/0/48
80 Native active
99 Management active Fa1/0/16
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup

------------------------------------------------------------------------------------

Show Interfaces Trunk

Port Mode Encapsulation Status Native vlan
Fa1/0/1 on 802.1q trunking 80
Fa1/0/2 on 802.1q trunking 80

Port Vlans allowed on trunk
Fa1/0/1 1-99
Fa1/0/2 1-99

Port Vlans allowed and active in management domain
Fa1/0/1 1-2,50,60,80,99
Fa1/0/2 1-2,50,60,80,99

Port Vlans in spanning tree forwarding state and not pruned
Fa1/0/1 none
Fa1/0/2 1-2,50,60,80,99

----------------------------------------------------------------------------------



  • VLAN1 is reserved in UTM for wireless access points; that may be part of your problem. You shouldn't be using VLAN1 on the UTM.

    Furthermore you will first need to configure your ETH0 with all the VLAN interfaces you would like the UTM to serve. So you need to make additional VLAN interfaces which all point to hardware eth0 port.

    All these VLANs will most likely need masquerading (when they need to access the internet other than by means of the webproxy).

    If you only have 2 physical interfaces on the UTM it's a little harder to configure a VLAN interface on the non-external interface, because I think you can only do so over the external interface without losing all connection once you hit save. Or you could make sure to reconnect through a VLAN access port from the switch after making the change.

    If this doesn't help you enough, then please add a screenshot of your interfaces from UTM (Interfaces and routing -> Interfaces).


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • If you use trunk ports on a Cisco, they must connect to a vlan enabled port on the UTM (not a standard ethernet)

    You need to specify each vlan ID on the UTM port that you need connected (the equivalent on the Cisco of "switchport trunk allowed vlan 20,30,40" etc) eg eth0.20, eth0.30, eth0.40

    If your Cisco switch is using access ports eg switchport access vlan 20, you just connect via ethernet on the UTM (as opposed to ethernet vlan).


    And yes, if you are using tagging, you should get off vlan 1.....
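As an added check, not code from the thread or from Sophos or Cisco, this script parses a "show interfaces trunk" listing in the shape shown above and works out which eth0.N VLAN interfaces the UTM still needs, treating the native VLAN as the untagged traffic on eth0 itself and flagging VLAN 1 per the advice in the replies. The sample output, the port name and the already-configured interface set are constructed for illustration.

```python
import re

# Constructed sample in the shape of the "show interfaces trunk" output in the thread
TRUNK_OUTPUT = """\
Port Mode Encapsulation Status Native vlan
Fa1/0/2 on 802.1q trunking 80

Port Vlans allowed on trunk
Fa1/0/2 1-99

Port Vlans allowed and active in management domain
Fa1/0/2 1-2,50,60,80,99
"""

def expand_vlan_list(spec):
    """Expand a Cisco VLAN list such as '1-2,50,60' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_trunk(output):
    """Return {port: {'native': int, 'active': set}} from the trunk listing."""
    ports, section = {}, None
    for line in output.splitlines():
        if line.startswith("Port "):          # section header decides how to read rows
            section = "native" if "Native vlan" in line else ("active" if "active" in line else None)
            continue
        m = re.match(r"(\S+)\s+(.*)", line)
        if not m or section is None:          # blank line or a section we do not need
            continue
        port, rest = m.groups()
        entry = ports.setdefault(port, {"native": None, "active": set()})
        if section == "native":
            entry["native"] = int(rest.split()[-1])
        else:
            entry["active"] = expand_vlan_list(rest.strip())
    return ports

def plan_utm_interfaces(ports, port, hw="eth0", configured=()):
    """List the UTM VLAN interfaces still missing for a trunk port, plus warnings."""
    native = ports[port]["native"]
    tagged = ports[port]["active"] - {native}   # native VLAN arrives untagged on hw
    warnings = [f"native VLAN {native} is untagged: it belongs to {hw} itself, not {hw}.{native}"]
    if 1 in tagged:                             # replies above: keep VLAN 1 off the UTM
        warnings.append("VLAN 1 is active on the trunk; do not create an interface for it on the UTM")
        tagged.discard(1)
    needed = [f"{hw}.{v}" for v in sorted(tagged) if f"{hw}.{v}" not in configured]
    return needed, warnings
```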

  • Thanks for your input. I will need to work with this more and do some testing. It's one of those things where it's alien until you know how to do it. :)


    Thanks,

  • Okay, so all vlans assigned to "access" on the Cisco trunk going to the UTM eth0 interface need a subinterface for each VLAN ID correct? My ESXi hosts are on the 10.10.0.0/16 network, and my eth0 ethernet interface is also on 10.10.0.0/16. It looks like I may have to move my ESXi servers over to another VLAN to make this work, that is kind of where I'm stuck at right now.

    Thanks,

  • Aha.... didn't know it was ESXi.

    To do ESXi, the Cisco trunk interfaces can go into a vswitch on the ESXi server. Set the vswitch to ALL Vlans (4095)

    Then let the UTM VM actually do the vlans eg WAN v100, LAN v200, DMZ v300