Help Needed Segmenting Existing Network with Sophos UTM Cisco Catalyst switches and RHEL6 Hypervisors

Sina Owolabi at
Sat May 23 17:36:18 UTC 2015

Diagramming is a little difficult right now, but think of the current
state as router-on-a-stick without VLANs, that needs to have VLANs setup.

On Sat, May 23, 2015, 6:57 AM olushile akintade <olushile at> wrote:

> Can you provide a quick diagram with the current subnet and traffic path?
> On Fri, May 22, 2015 at 7:51 PM Sina Owolabi < at>
> wrote:
>> Hi!
>> I am in a bit of a planning and implementation quandary and I'm hoping
>> to solicit implementation assistance on an already existing network
>> which needs to have segmentation and security.
>> I have only remote access to the network which comprises a number of
>> Red Hat Linux 6-based hypervisor servers (hosting a multiplicity of
>> virtual machines in different networks), a Sophos UTM gateway device
>> (specifically ASG220) serving as a router, and two Cisco Catalyst 2960
>> switches (one on the internet side of the UTM gateway, and the other
>> allowing access to the UTM from the RHEL6 hypervisors).
>> There are a number of subnets defined on both the hypervisors and the
>> virtual machines, all using the Sophos UTM as their gateway to each
>> other, and to the internet. My task is to properly segregate access
>> and traffic between the devices, which do not have VLANs defined on
>> them. Remotely.
>> My question is, can I create VLANs, and their trunk ports on the 2960
>> switches (especially on the LAN switch) that will segregate traffic
>> between the networks defined on the UTM, the hypervisors and their
>> guest machines, without causing network downtime?
>> Is it best to attack the switches first, creating the VLANs there,
>> before implementing VLANs on the UTM and the hypervisors?
>> I would be grateful for any planning assistance. The data center is a
>> long way away, and any downtime will be catastrophic.
>> Thanks in advance!
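As an added illustration, not from the thread or any of its replies, here is one way the LAN-side 2960 can be prepared for the segmentation asked about above without breaking the existing flat network: the current untagged traffic stays on the native VLAN of each trunk, so the UTM and hypervisors keep talking exactly as they do today, while the new tagged VLANs are added beside it and segments are moved one at a time. The interface names, VLAN numbers and segment names are assumptions.

```cisco
! LAN-side Catalyst 2960, added example config (not from the thread).
! Assumptions: Gi0/1 faces the Sophos UTM, Gi0/2-0/4 face the RHEL6
! hypervisors, the existing flat network lives in VLAN 1, and VLANs
! 10/20/30 are the new segments. All of these are placeholders.
!
! 1. Define the new VLANs. This alone changes nothing on the wire.
vlan 10
 name servers
vlan 20
 name guests
vlan 30
 name dmz
!
! 2. Make the UTM-facing port a trunk but keep VLAN 1 as the untagged
!    native VLAN: frames that flow today keep flowing untagged, so the
!    UTM's current interface keeps working until a tagged VLAN
!    interface has been added on the UTM for each new segment.
interface GigabitEthernet0/1
 description uplink to Sophos UTM (router-on-a-stick)
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,10,20,30
 switchport nonegotiate
 spanning-tree portfast trunk
!
! 3. Same approach towards each hypervisor: untagged traffic still
!    lands in VLAN 1; once the host has eth0.10 style VLAN interfaces
!    bridged to its guests, each guest network is moved over.
interface range GigabitEthernet0/2 - 4
 description uplink to RHEL6 hypervisor
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,10,20,30
 switchport nonegotiate
!
! 4. Every port that is not a deliberate trunk stays an access port in
!    an explicit VLAN, so a spare port cannot see all segments.
interface range GigabitEthernet0/5 - 24
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
! 5. Only after the last device has left the flat network, remove
!    VLAN 1 from the trunks and park the native VLAN on an unused id,
!    so no segment rides a trunk untagged:
!    switchport trunk allowed vlan remove 1
!    switchport trunk native vlan 999
```

Verify each step from the remote session with `show interfaces trunk` and `show vlan brief` before touching the next port, and keep the management address on a VLAN that is never pruned from the path back to the UTM.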

More information about the NANOG mailing list