Sophos UTM with Wireless VLAN and Cisco Switch

That title is a mouthful. Since putting a layer 3 Cisco switch into my home, I’ve been slowly moving off the legacy default VLAN and segmenting the network. Clients, servers, cameras (with no external access), and VOIP phones all have their own VLAN. Until recently, the multiple WiFi networks were still on the legacy default VLAN. I could have gone a little crazy and put the wireless devices on their own VLAN, but then my various casting devices wouldn’t work correctly. At a minimum, I put the APs themselves on their own VLAN. I spent quite a bit of time and wanted to share my experience with others in case they are trying to do the same thing. I won’t turn this into much of a story, but just share some of the bits of configuration.

Cisco Switch Config:

interface GigabitEthernet1/0/20
 description Sophos AP10
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 15
 switchport mode trunk
 spanning-tree portfast

interface Vlan100
 ip address 10.0.100.1 255.255.255.0
 ip helper-address 10.0.0.1

The big part above that no one has mentioned on the Sophos forums is the native VLAN piece. They talk about setting them on the legacy VLAN, then moving them over, changing the VLAN tagging option, then waiting. If you do the native VLAN, you don’t need to worry about tagging before or after.
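To make the native VLAN point above something you can check rather than remember, here is an added Python example (not from the post) that parses an IOS-style running-config into per-interface blocks and flags AP trunk ports that are not trunks or that leave the native VLAN at the IOS default of 1. The sample config and the "Sophos AP" description pattern are constructed for the example.

```python
import re

# Constructed sample modelled on the switch config in the post; AP11 is
# deliberately missing the native VLAN command so the check has something to flag.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/20
 description Sophos AP10
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 15
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet1/0/21
 description Sophos AP11 (native VLAN left at default)
 switchport trunk encapsulation dot1q
 switchport mode trunk
"""

def parse_interfaces(config):
    """Split an IOS-style config into {interface name: [sub-commands]}."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a top-level command ends the block
    return interfaces

def check_ap_ports(config, pattern=r"Sophos AP"):
    """Return {interface: [findings]} for ports whose description matches pattern."""
    findings = {}
    for name, cmds in parse_interfaces(config).items():
        if not any(c.startswith("description") and re.search(pattern, c) for c in cmds):
            continue
        issues = []
        if "switchport mode trunk" not in cmds:
            issues.append("not a trunk port")
        # IOS uses VLAN 1 as the native VLAN when none is configured.
        native = next((c.rsplit(" ", 1)[1] for c in cmds
                       if c.startswith("switchport trunk native vlan ")), "1")
        if native == "1":
            issues.append("native VLAN left at default 1; set it explicitly on the trunk")
        findings[name] = issues
    return findings
```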

When it comes to your wireless networks, make sure you do the following in this general order (going from memory here):

  1. Remove all of your wireless networks from all of the APs so they aren’t being broadcast anymore.
  2. Change the networks to use Bridge to VLAN and set your VLANs as appropriate.
  3. Modify each access point and enable the VLAN tagging option. Set the AP VLAN to that of the VLAN you want the APs to operate on. In the example above, I used 100. I also turned on STP.
  4. Power-cycle the APs after changing the VLAN as above and wait for them to come back online (assuming you have DHCP on that VLAN).

I did use Sophos as the DHCP provider. I think there is some sort of hidden DHCP option that gets broadcast for the APs, so it’s best to use Sophos as the DHCP provider. If you know more about this, let me know.

Depending on your configuration between the UTM and the switch, you may need to add an allowed interface into the Global Settings for Wireless Protection. I am using my switch to do the IP routing internally, so everything goes over the primary “Internal” interface. If you need help configuring your Cisco switch as the layer 3 routing device and don’t want a new Interface for every VLAN, let me know. I’ll write another post for that. That one took me about two days to figure out.
