Replace Cisco 1921 With Sophos?

Not sure where this question would go other than Initial Setup. It's more of a design question, but it's the closest group I could find.

Currently our main office has a Sophos XG310 and a Cisco 1921 used for a point-to-point connection with a branch office. The point-to-point carries tagged info for three VLANs and has voice priority for DSCP EF (46) QoS and also for one of the three VLANs (kind of a backup in case the traffic wasn't tagged). This works fine. However, we are adding another branch office and will have a Sophos XG125 in that office (for local internet). Can the Sophos do the routing in place of a Cisco 1921 with the QoS? In other words, can I forward traffic from the main office (10.10.*) to the suboffice (10.20.*) with those three VLANs and then give priority to the VLAN for voice traffic? It would be nice to not have to have the Cisco boxes in addition to the Sophos at each location.

-Allan



  • Allan,

    if you already have an XG in place, you can have a look at the Policy Route options under the Routing menu. As you can see, you can define routing source/destination, services and interface used, and apply DSCP marking.

    Please refer to XG Manual too:

    http://docs.sophos.com/nsg/sophos-firewall/v16050/Help/en-us/webhelp/onlinehelp/index.html#page/onlinehelp%2FPolicyRoutingEdit.html%23

    Regards

  • So looking at this I'm not sure if I understand correctly, but I also don't think I gave enough information in the first post.

    Currently we have a setup like this with a point-to-point T1 line (1.5 Mbps):

    The Cisco 1921s support VLAN encapsulation (http://www.cisco.com/web/techdoc/dc/reference/cli/nxos/commands/l2/encapsulation_dot1Q.html) so its internal Ethernet has the three VLANs on it. It then sends this between the offices. We then have QoS rules to guarantee bandwidth for both VLAN 20 and for DSCP 46. However, Ethernet Private Line just became available at both offices, which is faster (10 Mbps) and slightly cheaper than the T1 line. The way they described it, it's a purely layer 2 pipe between the offices and I would handle all layer 3 routing.

    Both Cisco 1921s have two Ethernet ports, so I could pretty simply change the configs and use the secondary Ethernet ports for the point-to-point, now over the EPL instead of the T1, and not have to change any QoS or routing. Or try to use the Sophos boxes at both ends and get rid of the Cisco boxes:

    So would that still fall under the policy route, and also can I set up an interface with the three VLANs, use the policy routing, and have it work exactly as it did with the Ciscos?

    Also, to add to this, we are adding a third office soon, so if I stick with the Cisco route I have to add two more. If I can get away with the Sophos boxes I'd only add one of those to the new office because the XG310 at the "main" office has ports available.

    -Allan

  • Seems to me like this "magic" VLAN encapsulation just means the LAN port has tagged VLANs on it, those VLANs.
    Besides that, it's just routing, since VLANs on the left...have different IPs than VLANs on the right.

    Of course Sophos can do this routing.....but the QoS part....
    imho, XG ain't a star in the QoS department, it sums up all traffic to a single internal interface, where you can do limited QoS on.

  • Hi AllanDynes,

    It is possible on XG.

    Configuration steps:

    1. Add a VLAN interface on the port on the LAN side at each location.

    2. Add the static route for the remote location and point it to the remote device's MPLS-connected interface address.

    3. If the XG is configured for inter-VLAN routing, then the process is automated; otherwise the L3 switch would do the same and a static route is necessary.

    As for the QoS: QoS is mainly used to prioritize traffic or to restrict the bandwidth of traffic. This is used if you do not wish your MPLS line to be fully utilized by your users.

  • sixteen again said:

    Seems to me like this "magic" VLAN encapsulation just means the LAN port has tagged VLANs on it, those VLANs.
    Besides that, it's just routing, since VLANs on the left...have different IPs than VLANs on the right.

    Yeah, I can agree with that.

    sixteen again said:

    Of course Sophos can do this routing.....but the QoS part....
    imho, XG ain't a star in the QoS department, it sums up all traffic to a single internal interface, where you can do limited QoS on.

    Yeah, that's what I'm worried about.

    Aditya Patel said:

    1. Add a VLAN interface on the port on the LAN side at each location.

    2. Add the static route for the remote location and point it to the remote device's MPLS-connected interface address.

    3. If the XG is configured for inter-VLAN routing, then the process is automated; otherwise the L3 switch would do the same and a static route is necessary.

    As for the QoS: QoS is mainly used to prioritize traffic or to restrict the bandwidth of traffic. This is used if you do not wish your MPLS line to be fully utilized by your users.

    The Sophos would be plugged into a trunk port on a Dell switch on each end, like the Cisco routers are currently. It handles inter-VLAN routing, so the XG would not be set up that way. The static routing rules on the current Cisco routers are pretty simplistic. There are two routes: a default (0.0.0.0) going to the local Dell switch, which handles most of the routing, and a second one telling it how to get to the other office. For example:
    Location A (10.10.0.0)
    0.0.0.0 - 10.10.10.1 (Dell Switch)
    10.2.0.0 - 192.168.250.2 (Location B Cisco)

    Location B (10.20.0.0)
    0.0.0.0 - 10.20.10.1 (Dell Switch)
    10.1.0.0 - 192.168.250.1 (Location A Cisco)

    So I should be able to set up the same routes on the XG and set one of the interfaces on both ends to the 192.168.250.* for the routing. I guess the problem in my head is that currently the internal interface of the Sophos is 10.10.30.254. Do I change that interface and add the three VLANs with addresses 10.10.10.254, 10.10.20.254, and 10.10.30.254?

    As for the QoS, this is not an MPLS line. It's an "Ethernet Private Line" and acts like an extremely long patch cable, purely layer 2. So I need QoS rules on the Sophos that always prioritize voice traffic. On the Cisco I can simply say DSCP 46 wins, so all traffic tagged with DSCP 46 will get priority. Can I do the same on the Sophos?

    -Allan
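The route lookup and the "DSCP 46 wins" classification from this post, as an added Python example that is not from the thread or from Sophos. It assumes 10.20.0.0/16 for the far office and 10.10.0.0/16 for the main office (the post's location labels), constructs the Ethernet frames inline, and also covers the untagged case raised in the later numbered questions, where only the DSCP field is left to classify on.

```python
import ipaddress
import struct

# Location A routes, mirroring the post's table; 10.20.0.0/16 for the far office is assumed.
ROUTES_A = [
    ("0.0.0.0/0", "10.10.10.1"),        # default -> local Dell core switch
    ("10.20.0.0/16", "192.168.250.2"),  # far office -> Location B router over the EPL
]

def next_hop(routes, dst):
    """Longest-prefix match: the /16 to the branch beats the default route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None

def build_frame(vlan, dscp, src, dst):
    """Constructed test frame: Ethernet [+ 802.1Q tag] + minimal IPv4 header."""
    eth = bytes(12)                              # placeholder dst/src MACs
    if vlan is not None:
        eth += struct.pack("!HH", 0x8100, vlan)  # TPID + TCI (PCP/DEI 0, VID=vlan)
    eth += b"\x08\x00"                           # EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20, 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return eth + ip

def parse_frame(frame):
    """Return (vlan_id, dscp, src, dst); vlan_id is None for untagged frames."""
    ethertype, off, vlan = struct.unpack("!H", frame[12:14])[0], 14, None
    if ethertype == 0x8100:
        vlan = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        ethertype, off = struct.unpack("!H", frame[16:18])[0], 18
    if ethertype != 0x0800:
        return vlan, None, None, None
    dscp = frame[off + 1] >> 2                   # top 6 bits of the TOS byte
    src = str(ipaddress.IPv4Address(frame[off + 12:off + 16]))
    dst = str(ipaddress.IPv4Address(frame[off + 16:off + 20]))
    return vlan, dscp, src, dst

def classify(vlan, dscp):
    """Strict priority as on the Cisco: EF (46) wins; VLAN 20 is the voice
    VLAN fallback for traffic that was never DSCP-marked."""
    return "voice" if dscp == 46 or vlan == 20 else "best-effort"
```

On an untagged 192.168.250.x hop, parse_frame returns vlan None, so only the DSCP check can still put a frame in the voice queue; that is the reason the VLAN-20 fallback disappears when the link is not a trunk.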
  • Routing can be done on XG. 

    Does the speed of this "Ethernet Private Line" match the speed of the interface circuit? For instance, if it's limited to 20 Mb/s and the Ethernet speed is 100 Mb/s, you need to do way more than prioritize dscp=46.

    If the link speed is pretty high, 100 Mb/s or up, consider connecting the XG to the MPLS using an external switch, and doing the QoS on the switch.

  • We'd be looking at an Ethernet Private Line (EPL) that's 25Mb x 25Mb while the interface on the Sophos is 1Gb. I know in the Sophos you can set the "Total Available WAN Bandwidth" but that doesn't help me in this situation, as I don't see where you can set it per interface.

    Could I make a firewall rule with a To/From Any/Any and under Advanced select DSCP Marking 46, then apply the Traffic Shaping "VoIP Guarantee" policy to it? Wouldn't that match any traffic with a DSCP 46 tag and make sure it wins, for lack of a better term? Or am I not understanding it correctly?

    I have a Dell N3048p layer three switch at the main location as the core switch and an N2048p Layer 3 "lite" switch at the branch locations for the core switch. They both do inter-VLAN routing (as mentioned). Would it make more sense to just connect a trunk port on each of those through the EPL? I know that I can make it work for routing, but I don't know if I trust the QoS on the Dell switches either. I mean they have an "Auto VoIP" setting which is enabled and I have them set to trust DSCP tagging, and so far they seem to work fine with this config (no dropped calls or issues). But my gut feeling about the Dell QoS is the same as the Sophos, while I'm 100% confident in the Cisco routers. They're just expensive for what they are doing ($1k a piece for simplistic routing and QoS) and if I can get away with not using them and simplifying my network layout I would like to. Also, from lots of reading, the 1900 might have a bandwidth bottleneck when it approaches 25Mbps through it, which means I'd have to upgrade the routers anyway to something like their 43xx series.

    -Allan

  • So our Ethernet Private Line should be finished with the install in two weeks. I'm going to attempt to have the Sophos do the routing in place of the Ciscos, well at least test it. Thanks to everyone for the info, but I'm still a bit confused.

    I have an XG310 in the "Main" office. I have an XG125w in the sub office. The Dell switches do inter-VLAN routing.

    1) Couldn't I assign a physical port on each Sophos box the 192.168.250.1 and .2 addresses and set up static routes on them? Would the VLANs even matter at this point? I mean something on 10.10.10.24 (VLAN 10) in the main office trying to get to 10.20.10.54 (VLAN 10) in the sub office should just "work", right? It would go from the client on VLAN 10 to the core switch, intra-VLAN routing would put it onto VLAN 30 to the Sophos, then untagged through the route to the other Sophos, to the core switch there as VLAN 30, then intra-VLAN routing back to VLAN 10.

    2) If the above is true, how do I set up the QoS since nothing would be tagged at this point? Is that what you meant by assigning the VLANs to the existing LAN port? I believe this is what the Cisco 1921s are doing. I have 4 VLANs in each office but only route 3 between offices. Won't this mess up my current config? Wouldn't I have to move the Sophos LAN port to a trunk port off my switch?

    3) The link is going to be a 50 x 50. We only have 16 total phones in that office and it's highly doubtful they would all be used, let alone connected between offices (each office has its own phone system too, although if this works I might get rid of the sub office system). So worst case 16 x 64k = 1 Mbps? I wanted to set it as WAN, but the traffic shaping takes into account all WAN bandwidth, so that won't work. So there isn't a good way to do QoS on this link, it sounds like, unless I do #2 above and all the traffic is already coming into the Sophos tagged. Then hopefully I can give higher priority to DSCP or even that VLAN completely. VLAN 20 is all voice/phone system traffic....I'm OK with it always having priority.

    Turns out the Cisco 1921s I have are kinda old and I've been told they will max out on bandwidth around 25 - 30 Mbps, so if I do have to go with Cisco I'm going to have to buy all new routers, which seems silly to me when I have these Sophos units. I also could try using the Dell switches, but that's a last resort if I can't get the Sophos to do what I want.

    -Allan

  • Allan,

    you can create VLAN on XG and do all the routing. Can you upload a better network diagram of what you would like to achieve?

    This will help us to understand better which are the current limitations.

    Regards

  • End result would be the one in the post above with the Sophos connecting the two offices.  I just don't know if it can do it for the reasons I stated.