The MR4 release adds new features and fixes to the switch firmware.

Centralized Administrator Authentication using RADIUS or TACACS+

A Sophos switch can be configured to use RADIUS or TACACS+ for centralized authentication of all switch administrators who need access to the switch's local management interfaces. Using RADIUS or TACACS+ authentication adds security and improves change control management by tracking switch changes by administrator name.

802.1x Authentication using TACACS+

The Sophos switch now supports TACACS+ authentication as an alternative to RADIUS for 802.1x user authentication.

Spanning Tree Protocol (STP) Root Guard

The STP Root Guard feature protects switch ports from receiving higher priority STP Bridge Protocol Data Units (BPDUs). Any ports that receive higher priority STP BPDU packets could become the STP Root.


STP BPDU Guard

The STP BPDU Guard feature protects the switch ports from receiving STP BPDUs; however, the port can transmit STP BPDU packets.

STP BPDU Forward

The STP BPDU Forward feature enables the switch to forward BPDU packets. BPDU forwarding is used for loop detection and for electing the STP Root Bridge, so that traffic for all network devices flows without a loop.

Real-time Monitor for Switch Port Utilization

Adds a real-time monitor in the local GUI to display the port utilization by Tx and Rx rates for any actively used switch port.  

Bug Fixes:

| Issue Key | Summary | Workaround |
|---|---|---|
| NSW-5000 | In the local switch GUI on the Dashboard page, the Hardware Version field has been changed to Hardware ID. | |
| NSW-4960 | Syslog messages do not send the correct hostname value for the switch. | |
| NSW-4234 | Clients using a dynamic VLAN assignment lose connection when a static VLAN assignment is changed on the switch. | |
| NSW-3847 | LACP fails between a Sophos switch and a directly connected Windows 2019 server. | |
| NSW-3619 | An NTP sync issue causes the switch to lose its connection to Sophos Central. | |
| NSW-3710 | During a reset of the admin imported certificates, the reset button displays an ‘unknown error’ message instead of the correct message ‘Applied the configuration.’ | |

Higher than expected latency was observed when a user was sending ping packets between two different networks attached to the same Sophos Switch.


PoE-capable devices that are not AF or AT compliant and require non-standard PoE (Example: Polycom VVX310 IP phone) may not power up when connected to a Sophos Switch.

This issue affects the following switch models: CS110-24FP, CS110-48P, CS110-48FP, CS210-24FP, and CS210-48FP.

Workaround: Through the CLI, enable legacy power mode using the following command: ‘power legacy mode enable’.

Known Issues:

For a list of known issues, please visit https://doc.sophos.com/support/kil/index.html.