Reworked overview of my part - We have now been working for 2 weeks on the Sophos switch to get it configured for our customer's situation:
Still existing problems:
Turn On Serdes
Mac_Polling_PHY Config Enable PHY Polling
Misc PHY init (unit 0)
Mgmt_dev init (unit 0)
Enter Esc key to stop autoboot: 0
## Booting image from partition ... 1
Skipping bad block 0x06220000 <-------------------------------- ERROR ????
## Booting kernel from Legacy Image at 81000000 ...
Image Name: IMG-01.0.0754
Created: 2021-11-25 8:30:39 UTC
Image Type: MIPS Linux Kernel Image (lzma compressed)
Data Size: 20264466 Bytes = 19.3 MB

Model: CS110-24FP
Firmware Version : 01.0.0754
Logging Option : Console Logging
Login Authentication Mode : Local
Config Save Status : Successful
Remote Save Status : Not Initiated
Config Restore Status : Successful
Traffic Separation Control : none
Loader Version : 03.02.01
Protocol Version : 3.02.243a
Hardware Version : 1.0.0
Here is my sequence until I run into the error/problem - hopefully someone can give us a hint on it:
restore-defaults
Note: This also resets the password to the default (sticker on the back).
Script Block 1 - General system settings
conf t
system name "RT-DE010001"
system contact "Martin Mustermanr"
system location "Germany Aachen"
set system description "Sophos CS110-24FP"
set switch-name RT-DE010001
username admin password Passw0rd! confirm-password Passw0rd! privilege 15
Script Block 2 - Create the VLANs and assign the ports
vlan 1
ports name Management
exit
vlan 10
ports name Server
exit
vlan 11
ports name VoicePbx
exit
vlan 15
ports name WlcAccessPoints
exit
vlan 20
ports name Clients
ports add gigabitethernet 0/23 untagged gigabitethernet 0/23
exit
vlan 30
ports name Printer
exit
vlan 99
ports name TransferToFirewall
ports add gigabitethernet 0/1 untagged gigabitethernet 0/1
ports add gigabitethernet 0/7 untagged gigabitethernet 0/7
exit
vlan 998
ports name FirewallHa
ports add gigabitethernet 0/5 untagged gigabitethernet 0/5
ports add gigabitethernet 0/11 untagged gigabitethernet 0/11
exit
vlan 999
ports name WAN
ports add gigabitethernet 0/3 untagged gigabitethernet 0/3
ports add gigabitethernet 0/9 untagged gigabitethernet 0/9
ports add gigabitethernet 0/17 untagged gigabitethernet 0/17
exit
Script Block 3 - Set up the management VLAN with IP
int vlan 1
description "Management VLAN"
# to switch to a static IP, remove from the config file: ip address dhcp -> ERROR: % Address allocation method must be manual to configure IP Address
no ip address
ip address 10.30.0.1 255.255.255.0
exit
Note: If you do not stop here and wait, you will see errors like this:
#RT-DE010001(config)# int vlan 99
#RT-DE010001(config-if)# description "Transfer to Firewall VLAN"
#RT-DE010001(config-if)# ip address 10.99.30.1 255.255.255.0
#% Invalid SubnetMask For the Given Ipaddress
# after waiting, the same command suddenly works!
Script Block 4 - Add more L3 VLAN interfaces with IP
int vlan 99
description "Transfer to Firewall VLAN"
ip address 10.99.30.1 255.255.255.0
exit
int vlan 10
description "Server VLAN"
ip address 10.30.10.1 255.255.255.0
exit
int vlan 15
description "WiFi WLC and AP VLAN"
ip address 10.30.15.1 255.255.255.0
exit
int vlan 20
description "Clients VLAN"
ip address 10.30.20.1 255.255.255.0
ERROR --> % No free interfaces are available
After adding the 4th VLAN interface we always get this error message - same in the local Web UI!
Script planned to finish the configuration of the L3 interfaces, but impossible:
int vlan 20
description "Clients VLAN"
ip address 10.30.20.1 255.255.255.0
exit
int vlan 21
description "Clients VLAN"
ip address 10.30.21.1 255.255.255.0
exit
int vlan 22
description "Clients VLAN"
ip address 10.30.22.1 255.255.255.0
exit
int vlan 30
description "Printer VLAN"
ip address 10.30.30.1 255.255.255.0
exit
Script block to finish the port setup
int gigabitethernet 0/1
description "Sophos A Lan"
switchport pvid 99
switchport acceptable-frame-type all
switchport ingress-filter
exit
int gigabitethernet 0/7
description "Sophos B Lan"
switchport pvid 99
switchport acceptable-frame-type all
switchport ingress-filter
exit
int gigabitethernet 0/5
description "Sophos A HA"
switchport pvid 998
switchport acceptable-frame-type all
switchport ingress-filter
exit
int gigabitethernet 0/11
description "Sophos B HA"
switchport pvid 998
switchport acceptable-frame-type all
switchport ingress-filter
exit
int gigabitethernet 0/3
description "Sophos A WAN"
switchport pvid 999
switchport acceptable-frame-type all
switchport ingress-filter
exit
int gigabitethernet 0/9
description "Sophos B WAN"
switchport pvid 999
switchport acceptable-frame-type all
switchport ingress-filter
exit
int gigabitethernet 0/17
description "Router WAN"
switchport pvid 999
switchport acceptable-frame-type all
switchport ingress-filter
exit
int gigabitethernet 0/23
description "Laptop Client Network"
switchport pvid 20
switchport acceptable-frame-type all
switchport ingress-filter
exit
# Route to active Sophos HA LAN interface
ip route 0.0.0.0 0.0.0.0 10.99.30.254
exit
save
We have also opened a ticket and escalated it, but from Sophos until now only unqualified replies! I am wondering that in this switch section only people are reviewing, but it looks to me like most are also trying to understand the product! I also hope we can exchange more experience with the switches here.
Short update: The feature is now present, but with the known limitation of 3 IP VLAN interfaces! The 4th IP is reserved for the switch management - Central also supports this configuration now! PS: For myself and my customers this is definitely not enough, and we never configure routing on a firewall! So we still use another brand for L3 routing.
Expert-Zone.Net IT ConsultingNeuenhofer Weg 23 • D-52074 Aachen
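A small pre-flight checker for scripts like the one posted above, added here as an example; it is not Sophos code and not from the original post. It parses the plain-text CLI commands the post uses, counts the VLAN interfaces that receive an `ip address`, and reports any beyond the limit described in this thread (three routed VLANs plus the management VLAN, four in total) before the script is pasted into the switch, so the "% No free interfaces are available" error is caught on the desk rather than on the device. It also reports a port whose `switchport pvid` names a VLAN the port was never added to untagged, the kind of mismatch that silently drops traffic. The limit value, the script excerpt embedded as sample input and the port `0/18` entry in it are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Assumption taken from this thread, not an official Sophos figure: the switch
# accepted three routed VLAN interfaces plus the management VLAN (four
# "ip address" VLAN interfaces in total) before refusing the next one.
MAX_IP_VLAN_INTERFACES = 4

IFACE_RE = re.compile(r"^(?:int|interface)\s+(vlan|gigabitethernet)\s+(\S+)", re.I)


@dataclass
class SwitchConfig:
    vlans: set = field(default_factory=set)        # VLAN ids created with "vlan <id>"
    untagged: dict = field(default_factory=dict)   # vlan id -> ports added untagged
    ip_vlans: list = field(default_factory=list)   # VLAN ids given an IP, in script order
    pvid: dict = field(default_factory=dict)       # port -> configured PVID


def parse_script(text):
    """Walk the script line by line, tracking which config context we are in."""
    cfg = SwitchConfig()
    ctx = None  # ("vlan", id) | ("svi", id) | ("port", name) | None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop "#" comments like the ones in the post
        if not line:
            continue
        words = line.split()
        if words[0] == "exit":
            ctx = None
            continue
        if words[0] == "vlan" and len(words) == 2 and words[1].isdigit():
            ctx = ("vlan", int(words[1]))
            cfg.vlans.add(int(words[1]))
            continue
        m = IFACE_RE.match(line)
        if m:
            kind, ident = m.group(1).lower(), m.group(2)
            ctx = ("svi", int(ident)) if kind == "vlan" else ("port", ident)
            continue
        if ctx and ctx[0] == "vlan" and words[:2] == ["ports", "add"] and "untagged" in words:
            # "ports add gigabitethernet 0/23 untagged gigabitethernet 0/23"
            port = words[words.index("untagged") + 2]
            cfg.untagged.setdefault(ctx[1], set()).add(port)
            continue
        if ctx and ctx[0] == "svi" and words[:2] == ["ip", "address"] and len(words) >= 3:
            if words[2] != "dhcp" and ctx[1] not in cfg.ip_vlans:
                cfg.ip_vlans.append(ctx[1])
            continue
        if ctx and ctx[0] == "port" and words[:2] == ["switchport", "pvid"]:
            cfg.pvid[ctx[1]] = int(words[2])
    return cfg


def check_script(text, max_ip_vlans=MAX_IP_VLAN_INTERFACES):
    """Return a list of human-readable findings; an empty list means the script passes."""
    cfg = parse_script(text)
    findings = []
    for vid in cfg.ip_vlans[max_ip_vlans:]:
        findings.append(f"vlan {vid}: ip address would exceed the {max_ip_vlans} "
                        f"IP VLAN interfaces the switch accepts")
    for vid in cfg.ip_vlans:
        if vid not in cfg.vlans:
            findings.append(f"vlan {vid}: interface gets an IP but the VLAN is never created")
    for port, vid in sorted(cfg.pvid.items()):
        if port not in cfg.untagged.get(vid, set()):
            findings.append(f"{port}: pvid {vid} but the port was not added untagged to vlan {vid}")
    return findings


# Constructed excerpt in the style of the posted script, not a real device dump.
# Port 0/18 is added here deliberately with a PVID for a VLAN it was never put in.
SAMPLE_SCRIPT = """\
conf t
vlan 1
ports name Management
exit
vlan 10
ports name Server
exit
vlan 15
ports name WlcAccessPoints
exit
vlan 20
ports name Clients
ports add gigabitethernet 0/23 untagged gigabitethernet 0/23
exit
vlan 99
ports name TransferToFirewall
ports add gigabitethernet 0/1 untagged gigabitethernet 0/1
exit
int vlan 1
ip address 10.30.0.1 255.255.255.0
exit
int vlan 99
ip address 10.99.30.1 255.255.255.0
exit
int vlan 10
ip address 10.30.10.1 255.255.255.0
exit
int vlan 15
ip address 10.30.15.1 255.255.255.0
exit
int vlan 20
ip address 10.30.20.1 255.255.255.0
exit
int gigabitethernet 0/1
switchport pvid 99
exit
int gigabitethernet 0/23
switchport pvid 20
exit
int gigabitethernet 0/18
switchport pvid 30
exit
"""

if __name__ == "__main__":
    for finding in check_script(SAMPLE_SCRIPT):
        print(finding)
```

Run it against your own script file instead of `SAMPLE_SCRIPT` (read the file and pass its text to `check_script`), and raise `max_ip_vlans` if Sophos lifts the limit in a later firmware; the VLAN/PVID consistency check is useful independently of that limit.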
I would like to meet the guy who decided to have 3 VLANs with IP addresses. We got some switches and are returning them to Sophos, requesting a full refund as well as coverage of all the costs for shipping, returning, customs and VAT we have paid. They are doing false advertising. That's wrong and punishable by law.
With this info, we would actually purchase Fortinet firewalls and switches. We will return these devices and ask for a refund and the additional costs we have. And we will never purchase these devices anymore.
And really: how did you come up with this:
Yes - all models
(IPv4: 59 entries for static route, 4 entries for interface route and 1 entry for default route.)
(IPv6: 5 entries for static route, 16 entries for interface route and 1 entry for default route.)
What is the business and technical explanation for this setup? Because based on this, 8 switches will be returned and about 100 cancelled.
I am sorry if you were misled by the information. Sophos does not offer core switches.
But again: I would recommend looking into your network security and not relying on core switch routing anymore. It will not protect you against any kind of lateral movement.
And the technical explanation is easy: this is not the focus nor the application field of this switch. Access switches are not designed to do routing at all. They rely on a core switch // a firewall to do this job.
LuCar Toni said: It will not protect you against any kind of lateral movement.
Not even if we are running Intercept-X EDR, XDR, MDR?
You should always build up multiple layers of protection. The endpoint will do its best to protect the endpoint. But you will be completely open to network-based attacks.
For example: EternalBlue / WannaCry was a 0-day lateral movement attack. Therefore it could spread through the entire network if you rely solely on your core switch. Network segmentation will not stop it if you have nothing to filter.
You would need a firewall in between.
Something nice to read about the difference: https://www.reddit.com/r/HomeNetworking/comments/q8pypp/is_there_any_significant_difference_between_a/
Nowadays, core switches are moving more towards firewalls, simply because back in the day a firewall could not offer the needed backbone speed. But XGS hardware and other vendors can do this now. So if you have, for example, SFP+ in your network, SFOS can route this AND protect the network.
Sophos currently does not look into the core switch segment, as we can protect the network with access switch + firewall. There are still use cases for core switches to "connect to the firewall", but in the end the L3 routing is done by the firewall, as it can do more with the traffic than simply route it.
LuCar Toni said: Sophos does not offer core switches.
Looks like Sophos has a new definition of core switch.
LuCar Toni said: Access switches are not designed to do routing at all. They rely on a core switch // a firewall to do this job.
Why then are you bothering with those 4 routes you have?
LuCar Toni said: Access switches are not designed to do routing at all.
This is maybe the case with Sophos switches. Not with the rest of the vendors.
LuCar Toni said: They rely on a core switch // a firewall to do this job.
Routing on XGS is another game.
I will not do any kind of convincing toward your position. I just tried to explain the situation to you. If you want to discuss this further, please reach out to your sales rep.
You just need to have proper documents available and correct. People make decisions based on that information. That's all. Your sales reps are either gone or went to work for the competition.
We will update the docs shortly to reflect this in all documentations.
Thank you. Next time, try to do it correctly the first time.