Help Needed Segmenting Existing Network with Sophos UTM Cisco Catalyst switches and RHEL6 Hypervisors


I am in a bit of a planning and implementation quandary and I'm hoping
to solicit implementation assistance on an already existing network
which needs to have segmentation and security.

I have only remote access to the network which comprises a number of
Red Hat Linux 6-based hypervisor servers (hosting a multiplicity of
virtual machines in different networks), a Sophos UTM gateway device
(specifically ASG220) serving as a router, and two Cisco Catalyst 2960
switches (one on the internet side of the UTM gateway, and the other
allowing access to the UTM from the RHEL6 hypervisors).

There are a number of subnets defined on both the hypervisors and the
virtual machines, all using the Sophos UTM as their gateway to each
other, and to the internet. My task is to properly segregate access
and traffic between the devices, which do not have VLANs defined on
them. Remotely.

My question is: can I create VLANs and their trunk ports on the 2960
switches (especially on the LAN switch) that will segregate traffic
between the networks defined on the UTM, the hypervisors and their
guest machines, without causing network downtime?

Is it best to attack the switches first, creating the VLANs there,
before implementing VLANs on the UTM and the hypervisors?

I would be grateful for any planning assistance. The data center is a
long way away, and any downtime will be catastrophic.

Thanks in advance!
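An added illustration, not from any poster in this thread, of what the switch-side step on the LAN-facing Catalyst 2960 can look like for the router-on-a-stick layout described above: the port toward the UTM and a port toward one hypervisor become 802.1Q trunks while the existing untagged traffic stays in the native VLAN, so nothing changes for the hosts until tagged VLAN interfaces are later added on the UTM and the hypervisors. The interface names, VLAN IDs and VLAN names are assumptions.

```cisco
! Added example, not from the thread. Assumed: GigabitEthernet0/1 faces the
! Sophos UTM, GigabitEthernet0/2 faces one RHEL6 hypervisor, and VLAN 1 is
! the VLAN the current untagged traffic already uses (if the ports are in a
! different access VLAN today, use that ID as the native VLAN instead).
! VLAN IDs 10 and 20 are placeholders.
!
! Safety net for remote work: if a mistake cuts the session, the switch
! reloads its saved (unchanged) configuration after 10 minutes. Cancel the
! timer with "reload cancel" only after connectivity has been re-verified,
! then save with "write memory".
reload in 10
!
configure terminal
!
! 1. Define the new VLANs. This touches no port yet.
vlan 10
 name servers
vlan 20
 name mgmt
exit
!
! 2. Convert the UTM-facing port to a trunk. Untagged frames keep mapping to
!    native VLAN 1, so the UTM's existing traffic continues to flow; VLANs
!    10 and 20 carry nothing until the UTM gets VLAN interfaces on that port.
interface GigabitEthernet0/1
 description uplink to Sophos UTM (router-on-a-stick)
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,10,20
!
! 3. Same treatment for each hypervisor port: the hypervisor's untagged
!    frames stay in VLAN 1, and tagged frames from guests land in 10 or 20
!    once 8021q sub-interfaces exist on the RHEL6 host.
interface GigabitEthernet0/2
 description RHEL6 hypervisor 1
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,10,20
end
!
! Verify before cancelling the reload timer.
show interfaces trunk
show vlan brief
```

Repeat the trunk block for every hypervisor port, then move the guest networks one VLAN at a time on the UTM and hypervisors, checking `show interfaces trunk` after each step.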

Can you provide a quick diagram with the current subnet and traffic path?

Diagramming is a little difficult right now, but think of the current
state as router-on-a-stick without VLANs, that needs to have VLANs set up.

The answer to this one is easy. Yes, there is very likely a series of
steps that will achieve what you want remotely. But...

"The data center is a long way away, and any downtime will be catastrophic".

The slightest misstep and you will be down until you arrive at the site. So
do not even think about trying this. You go there and you do it at night,
when the impact of a mistake is less.
Thanks Baldur. I am definitely planning on doing that.

Eric, no the VMs are not all segregated, they are all blended
together. You can find a 192.168 sharing the same physical host as a
I've never played with OpenVSwitch before, though. Would introducing
it here lead to any further complexities?