VLAN tagging requirements
You can assign an access point to a wireless network only if the endpoint computer traffic option of the wireless network and the VLAN tagging option of the access point are compatible.
To introduce the usage of VLAN for your access points in your network, do as follows:
- Connect the access point to Sophos Firewall using the standard LAN for at least a minute. The connection through the standard LAN ensures the access point gets its configuration. If you connect the access point through a VLAN from the beginning, it won't know it's in a VLAN and can't connect to Sophos Firewall to get its configuration.
- When the access point appears in the list of available access points, turn on VLAN tagging and enter the VLAN ID.
- Connect the access point to its intended VLAN.
- Make sure that the VLAN interface is added to the allowed zone under Wireless settings > Allowed zone.
When there is a switch between the access point and Sophos Firewall, you must connect the access point to a trunk port on the switch.
When VLAN tagging is configured, the access point tries DHCP on the configured VLAN for 60 seconds. If it doesn't receive an IP address during that time, the access point tries DHCP on the regular LAN as a fallback.
Wireless network configuration
- For wireless networks configured as a separate zone, VLAN tagging of the access point can be turned on or off.
- For wireless networks configured as a bridge to an access point VLAN, you must turn off the access point's VLAN tagging.
- For wireless networks configured as a bridge to a VLAN, you must turn on the access point's VLAN tagging. The wireless clients will use the bridge to VLAN ID specified for the wireless network, or receive their VLAN ID from the RADIUS server, if specified.
- When you create a bridge to VLAN network, the VLAN interface and corresponding firewall rules are created automatically and transparently.
Don't configure separate zone and VLAN wireless networks for the same access point. If you have a VLAN in place for your main network, use a VLAN for your guest network.
Each access point creates a separate interface for each zone. This creates many backend interfaces, which can cause problems in large scale deployments. For example, if you configure one hundred access points all with a separate zone and a VLAN, there will be two hundred interfaces created.
- When setting up VLANs in your environment, we recommend separating user and management traffic into different VLAN subnets.
- After Sophos Firewall accepts the access point, you must configure the access point to use the VLAN for management traffic.