Question regarding VLANs

Question

My limited experience with networking involves Cisco, so bare with me on this. 
 
 I'm not understanding why I need to IP an interface after I've created a VLAN on that same interface.The only way I can get this to work is if I put some bogus IP on the physical interface. 
 My actual DMZ network below is 10.0.41.0/24. What I'm used to is creating a subinterface, IPing that, and leaving nothing on the actual physical interface. I'm sure I'm missing something here but I'm not sure of what.

lferrara · Answer

Seth, 
 XG does not support VLAN layer 2. So for each VLAN, you need to assign an IP and so you have a layer 3 subinterface. 
 XG is not acting as a switch. 
 For those features, you still need a switch. 
 Regards

DaveHamer · Answer

Hi Seth, 
 What you are doing is the correct way to implement a VLAN on an interface that does not have a native VLAN (or isn't used) on a Sophos XG device. The 'primary/physical' interface must have an IP address set, however it does not need to be valid (or used). I believe we have used IPs in the 127.0.0.10-40 range before, or at least a range that is never used. Your example, including a 255.255.255.255 subnet mask is perfect. 
 I would also consider creating a separate zone for the physical interface for the ultimate security - no services bound under appliance access, and no rules created. 
 Kind Regards; 
 Dave