
Is it possible to configure Layer 2 sub-interfaces in Bridge mode?

I am looking to interpose two physical interfaces in the XG (VM on ESXi 6) on a trunk link between an edge router and an L3 core switch, the aim being to apply policy / monitor the various VLANs passing through the trunk without having the XG route anything - think VirtualWire on a Palo Alto.

It seems this isn't possible? Firstly, VLANs have to be assigned L3 IPs and secondly, physical interfaces forming part of a bridge cannot be further divided into sub-interfaces.

Would you be able to confirm, please?



  • This is exactly what I am trying to do too?! This is simple to configure on the Sophos UTM 9, which I want to replace with the XG, but it does not look like it is possible right now.
  • I have investigated a bit further and think this is looking to be a non-issue actually. Sophos and PA just seem to handle it differently - I've never used the UTM.

    I have the XG interposed between an L3 switch and a router, the LAN GW is at one end and the WAN GW at the other (single trunk link). I have the XG bridged interface IP'd on the default (untagged) VLAN. Adding a pass-all rule for testing, traces show traffic flow over the trunk with the bridge IP as a natural hop (I've not changed any routing in the existing infrastructure). Additionally, traffic on tagged VLANs over the trunk (where I would use a sub-interface on the PA) shows in the IPv4 logs automagically.

    My hope is that if the XG can identify the tagged traffic within the trunk link, managed objects (VLAN12 = subnet 192.168.12.0/24 etc, VLAN6 = subnet 192.168.6.0/24 etc. etc.) can be created and rules applied directly to those without the need for sub-interfaces.

    I'll let you know my findings before I close it off as answered.

  • Identified that "enable routing on this interface" was ticked on the br0 default (which would account for the natural hop noted in the traces above). Take that out and policy rules as described seem to work beautifully.

    Oddly enough my internet is actually down just now. Once I've verified all is well when functionality is restored I'll mark this as solved.
  • Important Update: Do make sure that the XG knows where your LAN-side GW is in this configuration. Add static routes for each internal VLAN on the XG.
  • Hi Daniel, did you install XG on a physical or virtual machine?

    I tried both of them... on physical it works as you wrote, but in virtual environment (esxi 6) I can see only default untagged vlan traffic. Of course I have configured esx vswitch to allow promiscuous mode.

    EDIT

    Ok, I got it! On ESXi it's necessary to tag both Sophos XG ports with VLAN ID: All (4095).


    Thanks

    ema

  • Hi Daniel,

    thanks for your post. One question: when you refer to "Add static routes for each internal VLAN on the XG", does that mean that all of the VLAN networks must be declared as IP static routes, and the gateway is the same for all of them?

    e.g.:

    192.168.8.x VLAN TAG 1
    192.168.1.x VLAN TAG 2
    192.168.2.x VLAN TAG 6
    192.168.9.2 VLAN TAG 9
    192.168.10.x VLAN TAG 10
    192.168.60.x VLAN TAG 60

    Sophos is in bridge mode, in 192.168.8.x. Its default GW is 192.168.8.1. Do I need to add the following static routes?

    192.168.1.0 GW 192.168.8.1

    192.168.2.0 GW 192.168.8.1

    192.168.9.0 GW 192.168.8.1

    192.168.10.0 GW 192.168.8.1

    192.168.60.0 GW 192.168.8.1

    ???

    Thanks for all your help,

    Jose

  • Hi Jose,

    Close but wrong end! The XG already knows about the default gateway so you don't need to add any static routing for that - you need to add the IP of the device it knows nothing about, i.e. the LAN side switch. This should be the same for each VLAN, so I'd expect it to be something like 192.168.8.254.

    Hope that helps

    Daniel

  • Thanks for the answer Daniel,

    so, if the gateway 192.168.8.1 (WAN side) is the router that has all the VLANs declared, I don't need to add any static route on the Sophos XG? Or should I add the IP of the core switch on the LAN side?

    e.g. if the IP of the core switch in the LAN Side is 192.168.8.254, the routes that I should add will be:

    192.168.1.0 to GW 192.168.8.254

    192.168.2.0 to GW 192.168.8.254 and so on...

    Sorry for the trouble...

    Regards,

    Jose

  • Yup, that's it. You should add static routes pointing to the LAN gateway of the core switch - just like your example
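A small added Python model (not from the thread, Sophos or Daniel) of the routing decision discussed above: the internal VLAN subnets get static routes towards the LAN-side core switch, while everything else follows the default route to the WAN router. It assumes /24 masks for Jose's subnets and 192.168.8.254 as the core switch address, both taken from the thread's guesses rather than confirmed values.

```python
import ipaddress

# Constructed from the addressing Jose described; /24 masks are an assumption.
VLAN_SUBNETS = {
    1: "192.168.8.0/24",   # bridge management VLAN, both gateways live here
    2: "192.168.1.0/24",
    6: "192.168.2.0/24",
    9: "192.168.9.0/24",
    10: "192.168.10.0/24",
    60: "192.168.60.0/24",
}
WAN_GW = ipaddress.ip_address("192.168.8.1")    # edge router, XG default route
LAN_GW = ipaddress.ip_address("192.168.8.254")  # core switch (assumed address)
BRIDGE_VLAN = 1


def static_routes(vlan_subnets, lan_gw, bridge_vlan):
    """Routes the XG needs: every internal VLAN subnet via the LAN-side gateway.
    The bridge's own VLAN is directly connected, so it gets no static route."""
    return {
        ipaddress.ip_network(net): lan_gw
        for vid, net in vlan_subnets.items()
        if vid != bridge_vlan
    }


def next_hop(dst, routes, wan_gw, connected):
    """Longest-prefix match over the static routes; on-link hosts are delivered
    directly and anything unmatched falls back to the default route (WAN GW)."""
    dst = ipaddress.ip_address(dst)
    if dst in connected:
        return dst
    best = None
    for net, gw in routes.items():
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else wan_gw


CONNECTED = ipaddress.ip_network(VLAN_SUBNETS[BRIDGE_VLAN])
ROUTES = static_routes(VLAN_SUBNETS, LAN_GW, BRIDGE_VLAN)

if __name__ == "__main__":
    for net, gw in sorted(ROUTES.items()):
        print(f"{net} via {gw}")
    # Without the static routes a packet for an internal host leaves via the
    # WAN router (the "wrong end"); with them it goes to the core switch.
    print(next_hop("192.168.1.10", {}, WAN_GW, CONNECTED))      # 192.168.8.1
    print(next_hop("192.168.1.10", ROUTES, WAN_GW, CONNECTED))  # 192.168.8.254
    print(next_hop("8.8.8.8", ROUTES, WAN_GW, CONNECTED))       # 192.168.8.1
```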
