Help Needed Segmenting Existing Network with Sophos UTM Cisco Catalyst switches and RHEL6 Hypervisors

Sina Owolabi at
Sat May 23 02:48:45 UTC 2015


I am in a bit of a planning and implementation quandary and I'm hoping
to solicit implementation assistance on an already existing network
which needs to have segmentation and security.

I have only remote access to the network which comprises a number of
Red Hat Linux 6-based hypervisor servers (hosting a multiplicity of
virtual machines in different networks), a Sophos UTM gateway device
(specifically ASG220) serving as a router, and two Cisco Catalyst 2960
switches (one on the internet side of the UTM gateway, and the other
allowing access to the UTM from the RHEL6 hypervisors).

There are a number of subnets defined on both the hypervisors and the
virtual machines, all using the Sophos UTM as their gateway to each
other, and to the internet. My task is to properly segregate access
and traffic between the devices, which do not have VLANs defined on
them. Remotely.

My question is, can I create VLANs, and their trunk ports on the 2960
switches (especially on the LAN switch) that will segregate traffic
between the networks defined on the UTM, the hypervisors and their
guest machines, without causing network downtime?

Is it best to attack the switches first, creating the VLANs there,
before implementing VLANs on the UTM and the hypervisors?

I would be grateful for any planning assistance. The data center is a
long way away, and any downtime will be catastrophic.

Thanks in advance!
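As an added example (not from the original post), here is the order of IOS commands on a Catalyst 2960 that keeps existing traffic flowing while VLANs are introduced: define the VLANs first (inert on their own), then convert the UTM-facing and hypervisor-facing ports to 802.1Q trunks whose native VLAN is the VLAN the untagged traffic already lives in (VLAN 1 by default), so nothing changes for current flows until tagged subinterfaces are brought up on the UTM and hypervisors. The VLAN numbers, names and port numbers below are assumptions; a scheduled reload is the usual safety net for remote work and is cancelled once connectivity is confirmed.

```cisco
! Safety net for remote work: if the session is lost, the switch
! reverts to the saved startup-config after 15 minutes.
reload in 15
!
configure terminal
! Step 1: create the VLANs. No traffic moves yet; ports are still
! untagged access ports in VLAN 1.
vlan 10
 name HV-MGMT
vlan 20
 name GUEST-NET-A
vlan 30
 name GUEST-NET-B
!
! Step 2: uplink to the Sophos UTM becomes a trunk. Native VLAN stays
! 1, so today's untagged UTM traffic keeps flowing; VLANs 10-30 are
! only carried, not yet used, until the UTM gets tagged interfaces.
interface GigabitEthernet0/1
 description Uplink to Sophos UTM ASG220
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,10,20,30
 switchport nonegotiate
 spanning-tree portfast trunk
!
! Step 3: same treatment for each RHEL6 hypervisor port (repeat per host).
interface GigabitEthernet0/2
 description RHEL6 hypervisor hv01
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,10,20,30
 switchport nonegotiate
 spanning-tree portfast trunk
end
!
! Step 4: verify before committing. Trunks should show VLAN 1 native and
! 10,20,30 allowed/active; then cancel the pending reload and save.
show interfaces trunk
show vlan brief
reload cancel
write memory
```

Only after the trunks are verified should tagged VLAN interfaces be created on the UTM (one per VLAN id, becoming the new gateways) and on the hypervisors (eth0.10 style subinterfaces bridged to the guests), so guests can be moved one network at a time and VLAN 1 retired from the allowed list last.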
