Skip to content
The XG Series hardware appliances will reach end-of-life (EOL) on March 31, 2025. Click here to see the XG to XGS migration documentation.

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/nsg/sophos-firewall/21.5/Help/en-us/webhelp/onlinehelp/index.html?contextId=network-interfaces-VLANs-add

Configure a VLAN interface

Virtual LANs are isolated broadcast domains within a network. VLANs let you separate physical networks into multiple logical networks to add security and improve performance. You can create VLANs on physical, RED, or virtual interfaces, such as bridge or LAG, and configure the general, IPv4, IPv6, and advanced settings.

Restriction

After configuring a VLAN on a physical interface with IP assignment set to Static, you can't change the physical interface's IP assignment to PPPoE (DSL) or DHCP.

To create and edit VLANS, go to Network > Interfaces.

To create a new VLAN, click Add interface and select Add VLAN.

To edit an existing VLAN, click VLAN, click the menu button Menu button. for the VLAN you want to edit, and click Edit interface.

When you finish creating or editing a VLAN, click Save to save your changes.

Go to Network > Interfaces and click a port to see the VLAN interfaces for that port listed below the physical interface.

See the VLAN interface.

Tip

You can also go to Network > Interfaces > VLAN to see your VLAN interfaces.

To delete an existing VLAN, click VLAN, click the menu button Menu button. for the VLAN you want to delete, and click Delete interface.

General settings

You can configure the following general settings for your VLAN:

  • Name: Enter a name up to a maximum of 58 characters. You can change this later. This is the name shown in other settings.
  • Hardware: The firewall creates the hardware name automatically using the selected interface and the VLAN ID.
  • Interface: The interface on which you want to create the VLAN. You can select from physical, RED, bridge, and LAG interfaces. The VLAN becomes a member of the interface you select.
  • Zone: The zone assigned to the interface. The virtual interface becomes a member of the selected zone.
  • VLAN ID: Enter an identifier for the VLAN between 1 and 4094. The firewall tags all VLAN traffic with the VLAN ID. You can't add a VLAN ID more than once on a physical interface.

IPv4 configuration

Under IPv4 configuration, select the IP assignment method from the following options:

  • Static: Assign a static IP address and gateway to the interface.
  • PPPoE: Use the username and password provided by your ISP to obtain an IP address from a PPPoE server.
  • DHCP: Obtain an IP address from a DHCP server.

You can configure the following settings based on your IP assignment selection:

When you specify a static IP address for the VLAN, you must configure the following options:

  • IPv4/netmask: Enter an IPv4 address for the VLAN and select the subnet mask from the drop-down list.
  • Gateway name: Enter a gateway name when setting Zone to WAN.
  • Gateway IP address: Enter a gateway IP address when setting Zone to WAN.

You can use the username and password provided by your ISP to obtain an IP address from a PPPoE server. You can configure the following options:

  • IPv4/netmask: Shows the IPv4 address and subnet mask for the VLAN assigned by the ISP.

  • Preferred IP: Enter the preferred IP address for the PPPoE connection. Many internet service providers assign a static IP address to PPPoE connections, and the firewall allows you to bind the static IP address to the PPPoE connection.

    Note

    Depending on the PPPoE server configuration, an address other than the preferred IP address may be assigned to the PPPoE connection.

  • Gateway name: Enter a gateway name when setting Zone to WAN.

  • Gateway IP address: Shows the IP address of the configured gateway.
  • Username: Enter the PPPoE account's username.
  • Password: Enter the PPPoE account's password.
  • Access concentrator/service name: The firewall initiates only those sessions with the access concentrator that can provide the specified service.

  • LCP echo interval: The firewall sends echo requests at this interval to check if the link is live. Select this option only if you want to change the default value, then enter the value.

    Note

    Clearing the checkbox doesn't turn off LCP. It only resets the interval to the default value (20 seconds).

  • LCP failure: The PPPoE connection is disconnected if the firewall doesn't receive a reply after the specified number of requests. Select this option only if you want to change the default number of echo requests, then enter the value.

    Note

    Clearing the checkbox doesn't turn off LCP. It only resets the number of echo request attempts to the default value (3).

  • Schedule time for reconnect: The address assigned to a PPPoE connection, whether dynamic or static, can have a predefined validity period. Once the validity expires, the PPPoE connection is terminated and reconnected. To prevent reconnection during working hours, turn on the PPPoE reconnect schedule and set the days and time you want to reconnect.

    When the firewall reconnects, the PPPoE server may assign a dynamic address rather than the preferred IP address to the PPPoE connection.

You can obtain an IP address from a DHCP server. The DHCP settings are as follows:

  • IPv4/netmask: Shows the IPv4 address and subnet mask for the interface assigned by the DHCP server.
  • Gateway name: Enter a gateway name when setting Zone to WAN.
  • Gateway IP: Shows the IP address of the configured gateway.

IPv6 configuration

Select IPv6 configuration to configure the following IPv6 options:

Select the IP assignment method from the following options:

  • Static: Assign a static IP address to a VLAN interface.
  • DHCP: Obtain an IPv6 address from a DHCPv6 server.
  • Delegated: Assign an IPv6 address to VLAN interfaces using the prefix delegated by the ISP.

You can specify a static IP address for the VLAN interface. The static IPv6 settings are as follows:

  • IPv6/prefix: Enter an IPv4 address for the VLAN and enter the prefix.
  • Gateway name: Enter a gateway name when setting Zone to WAN.
  • Gateway IP address: Enter a gateway IP address when setting Zone to WAN.

You can obtain an IP address and other parameters from a DHCPv6 server. You can obtain an IPv6 prefix from the ISP and delegate it to internal VLAN interfaces using DHCP prefix delegation.

  • Mode: Select the mode to configure an IPv6 address using stateful or stateless methods. Select from the following options:

    • Auto: Automatically assigns an IPv6 address to the VLAN according to the configuration method you use. The method can be DHCP only or Stateless.

    • Manual: Select an option from the following based on your method (DHCPv6 or SLAAC) of assigning an IPv6 address to the VLAN:

      • DHCP only: The firewall assigns the address and other parameters provided by the DHCPv6 server to the VLAN.
      • Stateless: The firewall assigns the VLAN address using Stateless Address Auto-Configuration (SLAAC) according to the Managed (M) Address Configuration and Other (O) Configuration flags advertised in the Router Advertisement (RA) message. You can select Accept other configuration from DHCP to configure other parameters using the DHCPv6 server. See Add an IPv6 router advertisement.

  • DHCP prefix delegation: Use an IPv6 prefix delegated by your ISP. See DHCP prefix delegation.

  • Preferred delegated prefix: Specify the preferred prefix you want. The ISP may delegate the preferred prefix or a different one. You must enter a prefix length of 48, 52, 56, or 60. The prefix address is optional.

  • DHCP rapid commit: Use a two-message exchange (solicit and reply) rather than a four-message exchange (solicit, advertise, request, and reply). This option provides faster configuration.

    Note

    You must turn on rapid commit in the DHCPv6 server.

  • Gateway name: Enter a gateway name when setting Zone to WAN.

  • Gateway IP: Shows the IPv6 address of the configured gateway.

You can select Delegated to use the WAN interface's delegated IPv6 prefix to automatically assign IPv6 addresses to the VLAN interface and endpoint devices.

Note

You must set the WAN interface's IPv6 IP assignment to DHCP and turn on DHCP prefix delegation. See DHCP prefix delegation.

You can configure the following settings:

  • Upstream interface: Select the WAN interface you've configured with DHCP prefix delegation from the drop-down list. The firewall automatically delegates an IPv6 address and prefix that appears in the IPv6 address field.
  • IPv6 address: This field shows the IPv6 address assigned to the interface, including the delegated prefix, subnet ID, interface ID, and prefix length.
  • Router advertisement: The firewall acts as the RA server. See IPv6 router advertisement.
  • DHCPv6 server: Configures a DHCPv6 server to provide other DHCP parameters, such as DNS. This option doesn't provide IPv6 addresses.
  • Gateway name: Enter a gateway name when setting Zone to WAN.
  • Gateway IP: When setting Zone to WAN, enter a gateway IPv6 address.

Advanced settings

When you select DHCP for IPv6 configuration, you can configure the following advanced settings:

  • DAD attempts: The number of consecutive Neighbor Solicitation messages sent while performing Duplicate Address Detection (DAD) on a tentative address.
  • Allowed RA servers: List of MAC or IPv6 addresses of Router Advertisement (RA) servers from which you want the interface to accept the stateless configuration. Select a server from the list or click Add to create a new one.