
VLANs on single LAN interface

Hello everybody and thank you for your support

I'm deploying a new pair of XG Firewalls in place of two old UTM9s, but I've run into many problems with the VLAN configuration.

This is my actual UTM9 configuration:

As you can see, I have ETH1 configured with 3 VLANs and everything works fine.

On the XG I'm trying to replicate my configuration by creating 3 VLANs on eth8.

My first question is: why do I have to configure an IP on the physical interface if I'm configuring VLANs on that interface?

And why is the only working VLAN the one on the same subnet as the physical interface?

If I connect something on the 172.16.100.X subnet everything works fine, but on 172.16.90.X it doesn't work.

The only firewall rule I've created is from (zone) LAN (host) VLAN100 network; VLAN90 network ---> WAN

My network topology is very simple, just 2 FWs and 2 managed switches.

On the switches the port connected to the XG is configured in trunk mode.

I have to use only one cable between the XG and the switches, as is.

The XG version is SFOS 17.0.6 MR-6

  • To start, if I'm wrong, show me official documentation that says otherwise but...

    No, just no.  VLANs happen on L2.  L3 information gets associated with the VLAN.  This is how, on every other device under the sun, you can have multiple physical interfaces with the same VLAN and not have to associate a special IP to every one separately.  The physical is just a way to get to that VLAN.  Furthermore, the same should go whether it's a tagged VLAN or an untagged VLAN.  If I want 8 physical interfaces with untagged VID1 and 2 of those same physical interfaces with tagged VID2 and tagged VID3, that should totally be possible.  If not, Sophos, you're doing it wrong.
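
The point raised in the original question (why an IP on the physical interface at all) and in the reply above (the VLAN tag is L2 data, the IP is associated with the VLAN afterwards) can be made concrete with a small frame inspector. The following is an added example, not code from the thread or from Sophos: it builds constructed 802.1Q-tagged frames, reads the VID straight out of the tag without needing any address on the parent interface, and then checks the IPv4 source against the subnet expected on that VLAN, which is the kind of check a switch or firewall log would surface when a host sits on the wrong VLAN. The MAC addresses are placeholders and the /24 masks for 172.16.100.0 and 172.16.90.0 are an assumption taken from the addresses in the post.

```python
"""Inspect 802.1Q-tagged Ethernet frames and check that the IPv4 source
address fits the subnet expected on that VLAN (constructed frames only)."""
import struct
import ipaddress

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

# Assumed VLAN-to-subnet plan based on the thread; the /24 masks are an assumption.
VLAN_PLAN = {
    100: ipaddress.ip_network("172.16.100.0/24"),
    90: ipaddress.ip_network("172.16.90.0/24"),
}


def build_ipv4_payload(src_ip, dst_ip):
    """Constructed minimal 20-byte IPv4 header with no transport payload."""
    src = ipaddress.ip_address(src_ip).packed
    dst = ipaddress.ip_address(dst_ip).packed
    # version 4, IHL 5, TOS 0, total length 20, id 0, flags/frag 0, TTL 64,
    # protocol 0xFD (experimental), checksum left at 0 for this illustration.
    header = struct.pack("!BBHHHBBH", 0x45, 0, 20, 0, 0, 64, 0xFD, 0)
    return header + src + dst


def build_frame(dst_mac, src_mac, payload, vid=None, pcp=0):
    """Build an Ethernet frame carrying IPv4; with vid set, insert an 802.1Q tag."""
    header = dst_mac + src_mac
    if vid is not None:
        if not 1 <= vid <= 4094:
            raise ValueError("VID must be 1..4094")
        tci = (pcp << 13) | vid          # PCP (3 bits), DEI (1 bit, 0), VID (12 bits)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_frame(frame):
    """Return (vid or None, inner ethertype, payload).

    The tag is pure L2 data: no IP address on the parent interface is needed
    to know which VLAN a frame belongs to."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vid, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid, offset = tci & 0x0FFF, 18
    return vid, ethertype, frame[offset:]


def check_frame(frame, plan=VLAN_PLAN):
    """Classify a frame against the VLAN plan.

    Returns 'untagged', 'unknown-vlan', 'non-ipv4', 'ok' or 'subnet-mismatch'.
    A 'subnet-mismatch' means a host is sending from a VLAN whose L3 plan does
    not contain its address, i.e. the VLAN-to-subnet association is wrong."""
    vid, ethertype, payload = parse_frame(frame)
    if vid is None:
        return "untagged"
    if vid not in plan:
        return "unknown-vlan"
    if ethertype != ETHERTYPE_IPV4 or len(payload) < 20:
        return "non-ipv4"
    src_ip = ipaddress.ip_address(payload[12:16])   # IPv4 source at header offset 12
    return "ok" if src_ip in plan[vid] else "subnet-mismatch"


# Constructed sample frames (MAC addresses are placeholders).
FW_MAC = bytes.fromhex("020000000001")
HOST_MAC = bytes.fromhex("020000000002")
good_90 = build_frame(FW_MAC, HOST_MAC,
                      build_ipv4_payload("172.16.90.25", "172.16.90.1"), vid=90)
wrong_90 = build_frame(FW_MAC, HOST_MAC,
                       build_ipv4_payload("172.16.100.25", "172.16.90.1"), vid=90)
untagged = build_frame(FW_MAC, HOST_MAC,
                       build_ipv4_payload("172.16.100.25", "172.16.100.1"))

if __name__ == "__main__":
    for name, frame in [("good_90", good_90), ("wrong_90", wrong_90), ("untagged", untagged)]:
        print(name, "vid=", parse_frame(frame)[0], "->", check_frame(frame))
```

Running the script prints one line per constructed frame: the VID recovered from the tag and the classification. Note that `parse_frame` never consults an IP address to identify the VLAN; the address only matters once the frame is matched against the per-VLAN subnet plan, which is exactly the L2-first, L3-attached-afterwards model the reply describes.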

  • You are correct, you do not need an IP address on the physical port, but you need the physical port to think it has an IP, e.g. use DHCP.

    On the XG, L2 VLANs do not work, e.g. you cannot configure them. You cannot use VLAN ID 1; these are all facts when using an XG.

    Perhaps if you search the KBA section you will find the documentation you are looking for. I found the article but it does not have much information.

    You can have almost as many VLANs on an interface as you wish, just not ID 1; I currently run 4 and they are connected to a Netgear switch.

    Ian