Sophos XG Isolating IOT's ZONE or VLAN

My new Sophos AP arrived and I'd like to isolate my IOTs.

Should they go on their own VLAN or Zone?

I believe, because the IOTs just need to be isolated but likely have the same LAN TO WAN rules as all the other wifi networks, that I should create a VLAN and then assign them to the WiFi Zone. Is this correct?

  • Hi,

    I have my IoTs set up on their own SSID and VLAN (separate DHCP address range) with specific rules for their internet access. I also have rules to allow remote management of the devices, which only works when they are fully configured. I also have them as clientless in their own IoT group so they appear in the daily reports.

    Ian

  • Hey Ian, 

    What's the difference between putting them on a VLAN vs creating a new Zone? Both allow for a separate DHCP address range. (When creating a new SSID, under Client Traffic you can choose Zone or VLAN. I'm trying to figure out the benefit/differences.)

  • Hi,

    I set up the VLANs as a test for someone who wanted to know how VLANs and APs were configured; I also wanted to experiment. Once you create the AP with bridge to LAN you cannot change the configuration.

    There isn't really any difference between using a zone or a VLAN, except VLANs isolate devices within the one interface, whereas zones require separate cabling and interfaces. Also most IoT devices will only work on 2.4 GHz.

    ian

  • So do Zones not provide isolation?

    To me, Zones almost seem easier to set up. For example, let's say I want to create two separate networks, one for Guests and one for IOTs. Both networks need to be isolated.

    If I create VLANs for both, they need to be assigned to a physical interface (the port the AP55 sits on, I suppose), and I still then have to go and create zones (different rules for guests vs IOTs).

    However, when creating a new SSID, there is the option to simply choose a Zone (Let's say one Zone called IOT and another called Guest). So I select IOT, fill out the configuration and save. It then redirects to the next page to setup DHCP. No VLAN/Physical interface assignment (or cables/interfaces as you mentioned).

    If both Zones and VLANs are essentially the same, then these options are redundant. There must be a reason the Sophos Development Team created both (and my guess is it's with much larger networks in mind). I just really don't understand the difference between the two. 

  • VLANs allow you to run multiple zones per interface, whereas a standard interface only has one zone.

    Using the WiFi zones in your example, both are on the same network interface.

    Ian

    Just did some configuration fiddling with separate zones and can see why I didn't go down that path, because some of my IoT devices require a physical connection.
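The distinction Ian draws above, one physical interface carrying several 802.1Q-tagged networks with each VLAN mapped to its own zone and zone-to-zone rules deciding what may talk to what, as an added example written for this page (not Sophos code and not from anyone in the thread). It parses the 802.1Q tag out of an Ethernet frame, maps the VLAN ID to a zone, and applies a default-deny zone policy that lets LAN manage the IoT zone while IoT cannot reach LAN, which is the remote-management arrangement Ian describes. The VLAN IDs, zone names, MAC addresses and policy pairs are assumed values chosen for illustration.

```python
"""Model of 802.1Q VLAN isolation on one trunk port with a zone-based policy.

Added example, not code from the original thread or from Sophos. The VLAN
IDs, zone names, MACs and policy pairs below are assumptions for illustration.
"""
import struct
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag follows

# One physical interface (e.g. the port the AP hangs off) carries several
# tagged networks; each VLAN ID maps to a firewall zone. Assumed values.
VLAN_TO_ZONE = {10: "LAN", 20: "IOT", 30: "Guest"}
UNTAGGED_ZONE = "LAN"  # frames with no tag land in the interface's own zone

# Zone-to-zone policy as (source, destination) pairs; anything absent is dropped.
# IOT and Guest may reach WAN only; LAN may manage IOT, but IOT cannot reach LAN.
POLICY = {
    ("LAN", "WAN"), ("LAN", "IOT"),
    ("IOT", "WAN"),
    ("Guest", "WAN"),
}


@dataclass
class Frame:
    dst_mac: str
    src_mac: str
    vlan_id: Optional[int]   # None when the frame is untagged
    ethertype: int
    payload: bytes


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(raw: bytes) -> Frame:
    """Parse an Ethernet II frame, extracting the VLAN ID from an 802.1Q tag if present."""
    if len(raw) < 14:
        raise ValueError("frame shorter than Ethernet header")
    dst, src = raw[0:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    vlan_id = None
    offset = 14
    if ethertype == TPID_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        vlan_id = tci & 0x0FFF   # low 12 bits of the TCI; PCP and DEI sit above
        offset = 18
    return Frame(_mac(dst), _mac(src), vlan_id, ethertype, raw[offset:])


def zone_for(frame: Frame) -> Optional[str]:
    """Map a frame to its ingress zone; a VLAN ID not configured on the port belongs to no zone."""
    if frame.vlan_id is None:
        return UNTAGGED_ZONE
    return VLAN_TO_ZONE.get(frame.vlan_id)


def decide(frame: Frame, dst_zone: str) -> str:
    """Default-deny zone policy: 'allow' only for explicitly listed zone pairs."""
    src_zone = zone_for(frame)
    if src_zone is None:
        return "drop"   # tagged for a VLAN this port does not carry
    return "allow" if (src_zone, dst_zone) in POLICY else "drop"


def build_frame(vlan_id: Optional[int], payload: bytes = b"\x45" + b"\x00" * 19) -> bytes:
    """Construct a sample frame (constructed data, not a capture); tagged when vlan_id is given."""
    dst = bytes.fromhex("001122334455")   # constructed MAC addresses
    src = bytes.fromhex("66778899aabb")
    ipv4 = 0x0800
    if vlan_id is None:
        return dst + src + struct.pack("!H", ipv4) + payload
    tci = (0 << 13) | (0 << 12) | (vlan_id & 0x0FFF)   # PCP 0, DEI 0, VID
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ipv4) + payload


if __name__ == "__main__":
    cases = [(20, "WAN"), (20, "LAN"), (10, "IOT"), (30, "LAN"), (None, "WAN"), (99, "WAN")]
    for vid, dst in cases:
        f = parse_frame(build_frame(vid))
        print(f"vlan={vid!s:>4} zone={zone_for(f)!s:<5} -> {dst}: {decide(f, dst)}")
```

The point of the model is that isolation comes from the tag plus the policy, not from the cabling: all of these frames arrive on the same port, yet a frame tagged for the IoT VLAN is only ever evaluated against IoT-zone rules, and a frame carrying a VLAN ID the port does not know is dropped rather than falling back into the untagged zone.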

  • Thanks, I appreciate the information. 

    Another question, under Network > Interfaces I see there is "GuestAP." I suspect Sophos puts this there to isolate guests from the rest of the network. What exactly is it? It doesn't show under zone (as it shares the Wifi zone). But it doesn't show under VLAN either.

  • Hi CMC,

    The GuestAP is a default created at install time and more than likely aimed at the XGxxxW series devices with the inbuilt APs.

    I delete it when I finish the configuration or it is automatically removed when restoring a config.

    Ian
