Sophos XG DHCP Scope Not Working for VLAN

I have been fighting with implementing a voice VLAN on Sophos XG for months. We’d set the VLAN to ‘voice’ on the switch and the phones would go to the voice VLAN with no problem, but then some phones just would not get a DHCP address. I had been searching and searching, but somehow today I got lucky and found Sophos KB article 123952. The issue for me is that the phones had been on the LAN DHCP scope and so XG wouldn’t give them a new IP on the voice VLAN. I have no idea why some phones we could just bounce from VLAN to VLAN without issue and others we couldn’t, but the fix makes that a moot point. The key is to set STATIC ENTRY SCOPE to global. Issue this command from the Sophos CLI.

system dhcp static-entry-scope global

For me that was an instant fix. I rebooted the phones and everything worked as expected. And while I say this is the fix (and it is), the reason isn’t 100% clear. Today I had a phone that had no entry in DHCP on the LAN scope, but it would not get a Voice VLAN IP from DHCP. But as soon as I set the static-entry-scope to global, it immediately worked after a reboot. XG doesn’t give you a way to flush DHCP, which I really don’t like. As DHCP is one of the least developed areas of the XG GUI (seriously, we can’t set DHCP options in the web GUI!), my guess is that even though the MAC and IP aren’t showing up in the web GUI, somewhere in XG’s internal DHCP table the record is still there. That’s just a guess…and again…the key is this should fix your issue.