how to manage VLAN on sophos XG

Hi,

It depends on your core switch configuration.

if you would route your vlan/s via the traditional "router-on-a-stick" you could follow this KB: https://community.sophos.com/kb/en-us/123127

If you would use a routed vlan setup, you need to configure a static route on your core switch, routing each vlan network to XG's LAN IP as next hop.

vice versa you need to configure a static route back in XG firewall, defining the VLAN networks on your coreswitch and setting the coreswitch interface IP facing the XG as the next hop.

Let us know how it goes.

Regards,

Raphael

Hi Raphael !

Thanks very much for your ansewr.

the kb you sent me : https://community.sophos.com/kb/en-us/123127 , i think for creating vlan on XG, but what i need is to create it on switch core not on XG.

also the Inter-vlan routing must be configured on switch core, only if a the user from VLAN X want get internet then he can get out to internet from the XG, how i can do this ?

In brief : vlan created and communicate between them by the switch core, BUT , user10 from vlan10, when he try to get internet then this vlan10 will use xg to go internet

Plz help me what i must do in xg to let this working ?

Hi,

I'm not sure I got you right, but if you want to configure InterVLAN routing on your L3 switch, than you have to setup three L3 VLAN interfaces and one default route pointing to the firewall.

e.g.

ip routing

interface vlan 10

ip address 10.10.10.1 255.255.255.0

interface vlan 20

ip address 10.10.20.1 255.255.255.0

interface vlan 30

ip address 10.10.30.1 255.255.255.0

VLAN 30 is can be used as the transfer VLAN (network) to the firewall. Don't forget the default route ...

ip route 0.0.0.0 0.0.0.0 10.10.30.2

Find more details here .... https://www.cisco.com/c/en/us/support/docs/lan-switching/inter-vlan-routing/41860-howto-L3-intervlanrouting.html

That's it ... hope this helps you..

Thanks for replay brother.

ok in XG what i must to do ? i'll create the vlan with same ID already created in switch core ? if yes, this vlan i must give it an @IP in XG ?? i must create some static route from XG to switch core ??

Hi,

on the XG you would connect the XG to an untagged port on your switch in the same address range as your VLAN. On the L3 switch you would have routing enabled as suggested in previous posts on this thread. eg high priority to send vlan address range traffic within the switch and 0.0.0.0 traffic as second priority to the IP address of the XG interface.

Ian.

Thanks brother rfcat_vk for your ansewr.

after i connect the XG on untagged switch port, and enbaled the routing, the most important question is in XG configuration, how i can apply policy on the multiple Vlans coming from the switchCore, for exemple vlan10 can't see facebook, but vlan20 can get access to the facebook, meaning i must create the vlan and its zone by the same way in this article : https://community.sophos.com/kb/en-us/123127 ?? or what brothers !!

Thanks very much for your help

Hi,

looking at your post and the answer given above, I think you will need to two more routing rules in your switch, one for each clan pointing at the untagged port address.

Ian

Hi,

looking at your post and the answer given above, I think you will need to two more routing rules in your switch, one for each clan pointing at the untagged port address.

Ian