Sophos XG Firewall: How to configure VLAN Trunking

1. The purpose of the article

This article will guide you on how to configure VLAN Trunking on Sophos devices in combination with switches to suit systems running multiple VLANs.

2. Diagram

Details:

In the diagram, the Sophos firewall connects to the internet through Port 2 using PPPoE, with the public IP 14.169.x.x.

Next, Port 1 is connected to the Gi0/2 port of the Cisco 2960 switch; this link is the trunk between the Sophos firewall and the Cisco switch.

On the Cisco 2960 switch, port 3 belongs to VLAN 1, whose DHCP scope is 172.16.20.0/24, and is connected to PC 1.

Port 1 belongs to VLAN 30, whose DHCP scope is 172.16.30.0/24, and is connected to PC 2.

Port 2 belongs to VLAN 40, whose DHCP scope is 172.16.40.0/24, and is connected to PC 3.

3. Scenario

We will configure VLAN trunking on Port 1 of the Sophos device and on the Cisco switch, so that when PCs 1, 2 and 3 are connected to the ports shown in the diagram, each receives an IP address from the subnet of its VLAN.

4. What to do

  • Configure IP for port 1
  • Configure VLAN for port 1
  • Create DHCP for port 1 and VLANs
  • Configure VLAN on Cisco switch
  • Assign ports to VLAN
  • Configure Trunking
  • Result

5. Configuration

5.1. Configure IP for port 1

To configure the IP for Port 1, go to Network > Interfaces and click the port name.

A configuration form appears; fill it in with the following information.

  • Name: Port 1
  • Network zone: select LAN.
  • IP assignment: select Static.
  • IPv4/netmask*: 172.16.20.1/24 [255.255.255.0]
  • Click Save.

5.2. Configure VLAN for port 1

To configure VLANs go to Network > Interfaces.

Click Add interface > Add VLAN and configure VLAN 30 according to the following parameters:

  • Name: VLAN 30
  • Interface: select Port 1
  • Zone: select LAN
  • VLAN ID: 30
  • IP assignment: select Static
  • IPv4/netmask*: 172.16.30.1/24 [255.255.255.0]
  • Click Save.

Similarly, click Add interface > Add VLAN and configure VLAN 40 according to the following parameters:

  • Name: VLAN 40
  • Interface: select Port 1
  • Zone: select LAN
  • VLAN ID: 40
  • IP assignment: select Static
  • IPv4/netmask*: 172.16.40.1/24 [255.255.255.0]
  • Click Save.

5.3. Create DHCP for port 1 and VLANs

To create a DHCP server, go to Network > DHCP.

Click Add and configure DHCP for Port 1 according to the following parameters.

Tab General Settings:

  • Name: DHCP_Port1
  • Interface: select Port1 – 172.16.20.1
  • Dynamic IP lease: Start IP – 172.16.20.2, End IP – 172.16.20.100
  • Subnet Mask: select /24 [255.255.255.0]
  • Gateway: check the box Use interface IP as gateway.
  • Conflict detection: check the box Enable.

Tab DNS server:

  • Primary DNS: 172.16.20.1
  • Secondary DNS: 8.8.8.8

Click Save.

Similarly, create DHCP for VLAN 30 as follows.

Tab General Settings:

  • Name: DHCP_VLAN30
  • Interface: select VLAN 30 – 172.16.30.1
  • Dynamic IP lease: Start IP – 172.16.30.2, End IP – 172.16.30.100
  • Subnet Mask: select /24 [255.255.255.0]
  • Gateway: check the box Use interface IP as gateway.
  • Conflict detection: check the box Enable.

Tab DNS server:

  • Primary DNS: 172.16.30.1
  • Secondary DNS: 8.8.8.8

Click Save.

Create DHCP for VLAN 40 in the same way.

Tab General Settings:

  • Name: DHCP_VLAN40
  • Interface: select VLAN 40 – 172.16.40.1
  • Dynamic IP lease: Start IP – 172.16.40.2, End IP – 172.16.40.100
  • Subnet Mask: select /24 [255.255.255.0]
  • Gateway: check the box Use interface IP as gateway.
  • Conflict detection: check the box Enable.

Tab DNS server:

  • Primary DNS: 172.16.40.1
  • Secondary DNS: 8.8.8.8

Click Save.

5.4. Configure VLANs on the Cisco switch

First, note that all ports on the switch are currently in VLAN 1.

To configure VLANs on the Cisco switch, connect to the switch with a console cable and open the session with PuTTY.

Once connected, enter global configuration mode and type the following commands.

To create VLAN 30, type vlan 30 and press Enter; VLAN 30 is now created. Type exit, then type vlan 40 to create VLAN 40.

To check that the VLANs were created, type show vlan.

5.5. Assign ports to VLAN

To assign ports to VLANs, do the following.

According to the diagram, port 3 is already in VLAN 1, so it needs no configuration.

We will configure port 1 to vlan 30 and port 2 to vlan 40.

We will configure port 1 to vlan 30 using the following command:

  • Enter config mode and type interface FastEthernet0/1 to select this port.
  • Type switchport access vlan 30 to assign this port to VLAN 30.

Similar to port 1, we will configure port 2 as follows.

  • Enter config mode and type interface FastEthernet0/2 to select this port.
  • Type switchport access vlan 40 to assign this port to VLAN 40.

To check that the ports are assigned, enter show vlan.

5.6. Configure trunking

According to the diagram, port Gi0/2 is the trunk port.

To configure trunking, go to config mode and enter interface GigabitEthernet 0/2 to select this port.

Next, enter switchport mode trunk to make this port a trunk.

To confirm that the port is in trunking mode, enter show running-config.
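The following listing is an added example, not a configuration taken from the article or from Sophos: it collects the switch-side commands of sections 5.4 to 5.6 into one Cisco IOS session for the Catalyst 2960, and adds three trunk-hardening lines (an explicit allowed-VLAN list, disabling DTP negotiation, and explicit access mode on the PC ports) that the article does not use. The hostname SW-2960 and the port descriptions are placeholders. Note that the native VLAN is deliberately left at 1: the Sophos Port 1 address 172.16.20.1 is untagged, so untagged frames on this trunk must map to VLAN 1 for the 172.16.20.0/24 scope to work.

```cisco
! Added example (not from the article): full switch-side configuration
! for the VLAN trunk described in sections 5.4 - 5.6.
enable
configure terminal
hostname SW-2960
!
! VLANs matching the two tagged interfaces created on Sophos Port 1.
vlan 30
 name VLAN30_172_16_30
 exit
vlan 40
 name VLAN40_172_16_40
 exit
!
! Access ports. Fa0/3 is left in VLAN 1 (untagged Port 1 subnet
! 172.16.20.0/24), exactly as the article does.
interface FastEthernet0/1
 description PC - VLAN 30 (172.16.30.0/24)
 switchport mode access
 switchport access vlan 30
 exit
interface FastEthernet0/2
 description PC - VLAN 40 (172.16.40.0/24)
 switchport mode access
 switchport access vlan 40
 exit
!
! Trunk to the firewall. The 2960 is 802.1Q-only, so no encapsulation
! command is needed. Native VLAN stays 1 on purpose (see lead-in).
interface GigabitEthernet0/2
 description Trunk to Sophos XG Port 1
 switchport mode trunk
 ! Hardening not in the article: carry only the VLANs that exist on the
 ! firewall, and do not negotiate trunking with whatever is plugged in.
 switchport trunk allowed vlan 1,30,40
 switchport nonegotiate
 exit
end
!
! Verification: VLAN membership, trunk state and allowed list, saved config.
show vlan brief
show interfaces trunk
show running-config interface GigabitEthernet0/2
copy running-config startup-config
```

With this in place, show interfaces trunk should list Gi0/2 with mode "on", native VLAN 1 and VLANs 1,30,40 allowed; any frame tagged with a VLAN ID outside that list is dropped at the trunk instead of being forwarded to the firewall.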

5.7. Check the result

Finally, we connect PC 1, PC 2 and PC 3 to ports 1, 2 and 3 respectively.

PC 1, connected to port 1 in VLAN 30, receives an IP address in the 172.16.30.0/24 subnet from the Sophos device, exactly as configured in the VLAN settings earlier.

PC 2, connected to port 2 in VLAN 40, receives an IP address in the 172.16.40.0/24 subnet from the Sophos device.

Finally, PC 3, connected to port 3 in VLAN 1, receives an IP address in the 172.16.20.0/24 subnet from the Sophos device.
