How to configure the Inter-VLAN Routing model with Sophos Firewall and Cisco Switch

1.About Inter-VLAN

Inter-VLAN routing is the most efficient established method: a single trunk link between the switch and the router carries the traffic of multiple VLANs, and the router then routes that traffic between the VLANs.

With Inter-VLAN Routing, the router receives a frame from the switch that is tagged with the VLAN the packet came from. It associates the frame with the matching subinterface and then decodes the contents of the frame (the IP packet portion). The router then performs a Layer 3 lookup on the destination network address contained in the IP packet to determine the subinterface on which to forward the packet. The IP packet is re-encapsulated in a dot1Q (or ISL) frame tagged with the VLAN of the forwarding subinterface and travels over the trunk back to the switch.
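The forwarding sequence just described, as an added example that is not part of the original article: a small Python model of a router-on-a-stick that parses the 802.1Q tag, selects the subinterface, routes on the inner IPv4 destination address and re-tags the frame for the outgoing VLAN. The three subnets match this article's plan; the SUBINTERFACES table, the constructed frame bytes and the source-address sanity check are assumptions made for the demonstration.

```python
import ipaddress
import struct

ETHERTYPE_8021Q = 0x8100   # TPID that marks an 802.1Q-tagged frame
ETHERTYPE_IPV4 = 0x0800

# Subinterface table of the router-on-a-stick: VLAN ID -> connected subnet.
# Subnets follow the article's plan (VLAN 10/20/30); keeping them in a dict
# is an assumption about how the router holds its per-VLAN state.
SUBINTERFACES = {
    10: ipaddress.ip_network("10.145.41.0/24"),
    20: ipaddress.ip_network("10.145.42.0/24"),
    30: ipaddress.ip_network("10.145.43.0/24"),
}


def parse_tagged_frame(frame: bytes):
    """Return (vlan_id, ethertype, payload) for an 802.1Q-tagged Ethernet frame.

    Layout: dst MAC (6) | src MAC (6) | TPID 0x8100 (2) | TCI (2) | EtherType (2) | payload.
    The VLAN ID is the low 12 bits of the TCI; PCP and DEI occupy the top 4 bits.
    """
    if len(frame) < 18:
        raise ValueError("frame too short for an 802.1Q header")
    tpid, tci, ethertype = struct.unpack("!HHH", frame[12:18])
    if tpid != ETHERTYPE_8021Q:
        raise ValueError("frame is not 802.1Q tagged")
    return tci & 0x0FFF, ethertype, frame[18:]


def ipv4_addresses(payload: bytes):
    """Return (src, dst) addresses from an IPv4 header."""
    if len(payload) < 20 or payload[0] >> 4 != 4:
        raise ValueError("payload is not an IPv4 packet")
    return ipaddress.ip_address(payload[12:16]), ipaddress.ip_address(payload[16:20])


def route_frame(frame: bytes):
    """Return the VLAN ID the frame is forwarded on, or None if the router drops it."""
    in_vlan, ethertype, payload = parse_tagged_frame(frame)
    if in_vlan not in SUBINTERFACES or ethertype != ETHERTYPE_IPV4:
        return None  # unknown VLAN or non-IPv4 payload: nothing to route
    src, dst = ipv4_addresses(payload)
    if src not in SUBINTERFACES[in_vlan]:
        return None  # source address does not belong to the arrival VLAN's subnet
    for out_vlan, net in SUBINTERFACES.items():
        if dst in net:
            return out_vlan
    return None  # no connected subnet matches; a default route would be needed


def retag(frame: bytes, out_vlan: int) -> bytes:
    """Rewrite the TCI so the frame carries the VLAN of the forwarding subinterface."""
    _, _, payload = parse_tagged_frame(frame)
    tag = struct.pack("!HHH", ETHERTYPE_8021Q, out_vlan & 0x0FFF, ETHERTYPE_IPV4)
    return frame[:12] + tag + payload


def build_frame(vlan_id: int, src_ip: str, dst_ip: str) -> bytes:
    """Construct a tagged frame with a minimal IPv4 header (constructed test input only)."""
    dot1q = struct.pack("!HHH", ETHERTYPE_8021Q, vlan_id & 0x0FFF, ETHERTYPE_IPV4)
    # version/IHL, TOS, total length, ID, flags/fragment, TTL, protocol (ICMP), checksum
    ip_header = struct.pack("!BBHHHBBH", 0x45, 0, 20, 0, 0, 64, 1, 0)
    ip_header += ipaddress.ip_address(src_ip).packed + ipaddress.ip_address(dst_ip).packed
    return b"\x00" * 12 + dot1q + ip_header  # MAC addresses zeroed for the demo


if __name__ == "__main__":
    frame = build_frame(10, "10.145.41.1", "10.145.42.1")
    out = route_frame(frame)
    print(f"arrived on VLAN {parse_tagged_frame(frame)[0]}, forwarded on VLAN {out}")
    print(f"outgoing tag: VLAN {parse_tagged_frame(retag(frame, out))[0]}")
```

A frame from PC 1 (VLAN 10) addressed to PC 2 (VLAN 20) comes back out of the router tagged with VLAN 20; a frame whose inner source address does not belong to the VLAN it arrived on is dropped rather than routed.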

2.Diagram

Details:

We will have the following devices:

  • Sophos Firewall is a device used to set up access policy, allocate DHCP, VLAN.
  • Switch Core is a device used to distribute IPs and VLANs down to computers.
  • 3 devices named PC1, PC2, PC3 running Windows 7.

3.Scenario

We will configure the VLAN interfaces, DHCP and the policy that allows communication between VLANs on the Sophos Firewall and on the switch, so that the connected computers receive the correct IP from their VLAN according to the network diagram.

4.What to do

Sophos Firewall:

  • Create IP Host.
  • Create interface VLAN.
  • Create DHCP for each VLAN interface.
  • Create policies that allow VLANs to communicate with each other.

Switch:

  • Create VLANs and assign ports to VLANs.
  • Implement trunk port.

Result.

5.Configuration

5.1.Sophos Firewall

5.1.1.Create IP Host

We will define the subnet of each VLAN by creating an IP Host.

To create, go to Hosts and services > IP Host > click Add.

Create IP Host for subnet 10.145.41.0/24 of VLAN 10 with the following parameters:

  • Name: VLAN10
  • IP version: IPv4
  • Type: Network
  • IP address/Subnet: 10.145.41.0/24.
  • Click Save.

Similarly, we create IP Host for subnet 10.145.42.0/24 of VLAN 20 with the following parameters:

  • Name: VLAN20
  • IP version: IPv4
  • Type: Network
  • IP address/Subnet: 10.145.42.0/24.
  • Click Save.

Similarly, we create IP Host for subnet 10.145.43.0/24 of VLAN 30 with the following parameters:

  • Name: VLAN30
  • IP version: IPv4
  • Type: Network
  • IP address/Subnet: 10.145.43.0/24.
  • Click Save.

5.1.2.Create interface VLAN.

According to the network diagram we have three VLANs (10, 20, 30), so we need to create three VLAN interfaces and set their IP addresses according to the diagram.

To create a VLAN interface for VLAN 10 on PortA we go to Network > Interfaces > Add interface > Add VLAN and configure the following parameters:

  • Name: VLAN 10
  • Interface: PortA
  • Zone: LAN
  • VLAN ID : 10
  • IP assignment: Static
  • IPv4/netmask: 10.145.41.254/24
  • Click Save

Similarly, we also create VLAN interface for VLAN 20 with the following parameters:

  • Name: VLAN 20
  • Interface: PortA
  • Zone: LAN
  • VLAN ID : 20
  • IP assignment: Static
  • IPv4/netmask: 10.145.42.254/24
  • Click Save

Similarly, we also create a VLAN interface for VLAN 30 with the following parameters:

  • Name: VLAN 30
  • Interface: PortA
  • Zone: LAN
  • VLAN ID : 30
  • IP assignment: Static
  • IPv4/netmask: 10.145.43.254/24
  • Click Save

5.1.3.Create DHCP for each VLAN interface

Next we need to create DHCP so that when the computers connect to it, they will automatically receive the IP.

To create DHCP go to Network > DHCP > Add.

Create DHCP for interface VLAN 10 with the following parameters:

  • Name: DHCP_VLAN10
  • Interface: select VLAN10 – 10.145.41.254 from drop-down menu
  • Dynamic IP Lease: 10.145.41.1 – 10.145.41.10
  • Subnet mask: /24 [255.255.255.0]
  • Click Save.

Similarly, we create DHCP for interface VLAN 20 according to the following parameters:

  • Name: DHCP_VLAN20
  • Interface: select VLAN20 – 10.145.42.254 from drop-down menu
  • Dynamic IP Lease: 10.145.42.1 – 10.145.42.10
  • Subnet mask: /24 [255.255.255.0]
  • Click Save.

Similarly, we create DHCP for interface VLAN 30 according to the following parameters:

  • Name: DHCP_VLAN30
  • Interface: select VLAN30 – 10.145.43.254 from drop-down menu
  • Dynamic IP Lease: 10.145.43.1 – 10.145.43.10
  • Subnet mask: /24 [255.255.255.0]
  • Click Save.

5.1.4.Create policies that allow VLANs to communicate with each other

In order for computers belonging to different VLANs to communicate with each other, we need to create a firewall rule that allows this traffic.

To create it, go to Rules and policies > Firewall rules > click Add firewall rule > New firewall rule and create it with the following parameters.

5.2.Switch

5.2.1.Create VLANs and assign ports to VLANs

We will create VLAN 10, 20, 30 and assign the ports to the correct VLAN according to the network diagram.

Create VLAN 10 and assign port Gi0/1 with the following commands.

Switch(config)#vlan 10

Switch(config-vlan)#exit

Switch(config)#interface gigabitEthernet 0/1

Switch(config-if)#switchport mode access

Switch(config-if)#switchport access vlan 10

Switch(config-if)#no shutdown

Similarly, create VLAN 20 and assign port Gi0/2 with the following commands.

Switch(config)#vlan 20

Switch(config-vlan)#exit

Switch(config)#interface gigabitEthernet 0/2

Switch(config-if)#switchport mode access

Switch(config-if)#switchport access vlan 20

Switch(config-if)#no shutdown

Similarly, create VLAN 30 and assign port Gi0/3 with the following commands.

Switch(config)#vlan 30

Switch(config-vlan)#exit

Switch(config)#interface gigabitEthernet 0/3

Switch(config-if)#switchport mode access

Switch(config-if)#switchport access vlan 30

Switch(config-if)#no shutdown

5.2.2.Implement trunk port

We will configure the Gi0/0 port as a trunk with the following commands.

Switch(config)#interface gigabitEthernet 0/0

Switch(config-if)#switchport trunk encapsulation dot1Q

Switch(config-if)#switchport mode trunk

Switch(config-if)#no shutdown
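Added example, not from the article or from Sophos or Cisco: a Python script that keeps the values from sections 5.1.1 to 5.2.2 in one plan, checks that plan before anything is typed into either device (each gateway is a usable host in its subnet, each DHCP lease range lies inside its subnet and does not cover the gateway, no overlapping subnets or duplicate VLAN IDs) and renders the switch commands of section 5.2 from the same plan, so the firewall and switch sides cannot drift apart. Subnets, gateways, lease ranges and port names are the article's; the VlanPlan structure is an assumption, and the `switchport trunk allowed vlan` line is an addition that limits the trunk to the planned VLANs.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class VlanPlan:
    """One VLAN as configured on both devices (assumed structure; values from the article)."""
    vlan_id: int
    name: str          # Sophos IP Host name
    subnet: str        # IP Host network, e.g. 10.145.41.0/24
    gateway: str       # VLAN interface address on the firewall
    lease_start: str   # DHCP dynamic lease range, first address
    lease_end: str     # DHCP dynamic lease range, last address
    access_port: str   # switch port placed in this VLAN


PLAN = [
    VlanPlan(10, "VLAN10", "10.145.41.0/24", "10.145.41.254", "10.145.41.1", "10.145.41.10", "gigabitEthernet 0/1"),
    VlanPlan(20, "VLAN20", "10.145.42.0/24", "10.145.42.254", "10.145.42.1", "10.145.42.10", "gigabitEthernet 0/2"),
    VlanPlan(30, "VLAN30", "10.145.43.0/24", "10.145.43.254", "10.145.43.1", "10.145.43.10", "gigabitEthernet 0/3"),
]
TRUNK_PORT = "gigabitEthernet 0/0"


def _usable(addr, net):
    """True if addr is a host address in net (neither network nor broadcast address)."""
    return addr in net and addr not in (net.network_address, net.broadcast_address)


def validate_plan(plan):
    """Return a list of problems found in the plan; an empty list means it is consistent."""
    problems = []
    seen_ids = set()
    nets = []
    for v in plan:
        try:
            net = ipaddress.ip_network(v.subnet, strict=True)
        except ValueError:
            problems.append(f"{v.name}: {v.subnet} is not a network address")
            continue
        gw = ipaddress.ip_address(v.gateway)
        start, end = ipaddress.ip_address(v.lease_start), ipaddress.ip_address(v.lease_end)
        if not 1 <= v.vlan_id <= 4094:
            problems.append(f"{v.name}: VLAN ID {v.vlan_id} is outside the 802.1Q range")
        if v.vlan_id in seen_ids:
            problems.append(f"{v.name}: duplicate VLAN ID {v.vlan_id}")
        seen_ids.add(v.vlan_id)
        if not _usable(gw, net):
            problems.append(f"{v.name}: gateway {gw} is not a usable host in {net}")
        if start > end:
            problems.append(f"{v.name}: lease range {start}-{end} is reversed")
        if not (_usable(start, net) and _usable(end, net)):
            problems.append(f"{v.name}: lease range {start}-{end} leaves {net}")
        if start <= gw <= end:
            problems.append(f"{v.name}: gateway {gw} lies inside the DHCP lease range")
        for other_name, other in nets:
            if net.overlaps(other):
                problems.append(f"{v.name}: subnet {net} overlaps {other_name} ({other})")
        nets.append((v.name, net))
    return problems


def render_switch_config(plan, trunk_port=TRUNK_PORT):
    """Render the IOS commands of section 5.2 from the plan.

    The 'switchport trunk allowed vlan' line is not in the article's commands;
    it is added here so the trunk carries only the VLANs the plan defines.
    """
    lines = []
    for v in plan:
        lines += [
            f"vlan {v.vlan_id}",
            "exit",
            f"interface {v.access_port}",
            "switchport mode access",
            f"switchport access vlan {v.vlan_id}",
            "no shutdown",
            "exit",
        ]
    allowed = ",".join(str(v.vlan_id) for v in sorted(plan, key=lambda p: p.vlan_id))
    lines += [
        f"interface {trunk_port}",
        "switchport trunk encapsulation dot1q",
        "switchport mode trunk",
        f"switchport trunk allowed vlan {allowed}",
        "no shutdown",
        "exit",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    issues = validate_plan(PLAN)
    if issues:
        raise SystemExit("\n".join(issues))
    print(render_switch_config(PLAN))
```

Run the script before configuring the devices: it exits with the list of problems if the plan is inconsistent, and otherwise prints the switch commands to paste in global configuration mode. The same PLAN values are the ones entered by hand in the Sophos IP Host, VLAN interface and DHCP dialogs.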

5.3.Result.

PC 1 received the IP from the DHCP Pool of VLAN 10.

Similarly, PC 2 and PC 3 also receive IPs from the DHCP Pool of VLAN 20 and VLAN 30.

We will test the communication between VLANs by pinging between computers PC 1, PC 2 and PC 3.

Ping result from PC 3 to PC 2.

Ping result from PC 1 to PC 2.

Ping result from PC 1 to PC 3.

The results show that computers in different VLANs can communicate with each other.
