CS110-24FP - max 4 VLAN interfaces can get an IP assigned and no static routing?

Reworked overview of my part - we have now been working for 2 weeks on the Sophos Switch to get it configured for our customer's situation:

Still existing problems:

  • Can only create 3 L3 VLAN interfaces with IP addresses; after that we see this error:
    RT-DE010001(config)# int vlan 20
    RT-DE010001(config-if)# ip add
    RT-DE010001(config-if)# ip address 10.30.20.1 255.255.255.0
    RT-DE010001(config)# int vlan 30
    % No free interfaces are available



  • We also cannot get the Switch enabled for routing traffic between the L3 interfaces

  • Bad Block error on switch startup

Turn On Serdes
Mac_Polling_PHY Config
Enable PHY Polling
Misc
PHY init (unit 0)
Mgmt_dev init (unit 0)
Enter Esc key to stop autoboot: 0
## Booting image from partition ... 1
Skipping bad block 0x06220000 <-------------------------------- ERROR ????
## Booting kernel from Legacy Image at 81000000 ...
Image Name: IMG-01.0.0754
Created: 2021-11-25 8:30:39 UTC
Image Type: MIPS Linux Kernel Image (lzma compressed)
Data Size: 20264466 Bytes = 19.3 MB

Current Switch:

Model: CS110-24FP
Firmware Version                  : 01.0.0754
Logging Option                    : Console Logging
Login Authentication Mode         : Local
Config Save Status                : Successful
Remote Save Status                : Not Initiated
Config Restore Status             : Successful
Traffic Separation Control        : none
Loader Version                    : 03.02.01
Protocol Version                  : 3.02.243a
Hardware Version                  : 1.0.0

Here is my sequence until I run into the error/problem - hopefully someone can give us a hint on it:

Reset Switch

restore-defaults
Note: This also resets the password to the default (sticker on the back)

Script Block 1 - General system settings

conf t
system name "RT-DE010001"
system contact "Martin Mustermanr"
system location "Germany Aachen"
set system description "Sophos CS110-24FP"
set switch-name RT-DE010001
username admin password Passw0rd! confirm-password Passw0rd! privilege 15

Script Block 2 - Create the Vlans and assign the Ports

vlan 1
ports name Management
exit
vlan 10
ports name Server
exit
vlan 11
ports name VoicePbx
exit
vlan 15
ports name WlcAccessPoints
exit
vlan 20
ports name Clients
ports add gigabitethernet 0/23 untagged gigabitethernet 0/23
exit
vlan 30
ports name Printer
exit
vlan 99
ports name TransferToFirewall
ports add gigabitethernet 0/1 untagged gigabitethernet 0/1
ports add gigabitethernet 0/7 untagged gigabitethernet 0/7
exit
vlan 998
ports name FirewallHa
ports add gigabitethernet 0/5 untagged gigabitethernet 0/5
ports add gigabitethernet 0/11 untagged gigabitethernet 0/11
exit
vlan 999
ports name WAN
ports add gigabitethernet 0/3 untagged gigabitethernet 0/3
ports add gigabitethernet 0/9 untagged gigabitethernet 0/9
ports add gigabitethernet 0/17 untagged gigabitethernet 0/17
exit

Script Block 3 - Setup Management VLAN with IP

int vlan 1
description "Management VLAN"
# To switch to a static IP, remove from the config file: ip address dhcp -> otherwise ERROR: % Address allocation method must be manual to configure IP Address
no ip address
ip address 10.30.0.1 255.255.255.0
exit

Note: If you do not stop here and wait, you will see errors like this:


#RT-DE010001(config)# int vlan 99
#RT-DE010001(config-if)# description "Transfer to Firewall VLAN"
#RT-DE010001(config-if)# ip address 10.99.30.1 255.255.255.0
#% Invalid SubnetMask For the Given Ipaddress
# after waiting, the same command suddenly works!

Script Block 4 - Add more L3 vlan interfaces with IP

int vlan 99
description "Transfer to Firewall VLAN"
ip address 10.99.30.1 255.255.255.0
exit

int vlan 10
description "Server VLAN"
ip address 10.30.10.1 255.255.255.0
exit

int vlan 15
description "WiFi WLC and AP VLAN"
ip address 10.30.15.1 255.255.255.0
exit


int vlan 20
description "Clients VLAN"
ip address 10.30.20.1 255.255.255.0

ERROR --> % No free interfaces are available

After adding the 4th VLAN interface we always get this error message - same in the local Web UI!

Script planned to finish the L3 interface configuration, but impossible:

int vlan 20
description "Clients VLAN"
ip address 10.30.20.1 255.255.255.0
exit

int vlan 21
description "Clients VLAN"
ip address 10.30.21.1 255.255.255.0
exit

int vlan 22
description "Clients VLAN"
ip address 10.30.22.1 255.255.255.0
exit

int vlan 30
description "Printer VLAN"
ip address 10.30.30.1 255.255.255.0
exit

Script Block 5 - Finish port setup

int gigabitethernet 0/1
description "Sophos A Lan"
switchport pvid 99
switchport acceptable-frame-type all
switchport ingress-filter
exit

int gigabitethernet 0/7
description "Sophos B Lan"
switchport pvid 99
switchport acceptable-frame-type all
switchport ingress-filter
exit

int gigabitethernet 0/5
description "Sophos A HA"
switchport pvid 998
switchport acceptable-frame-type all
switchport ingress-filter
exit

int gigabitethernet 0/11
description "Sophos B HA"
switchport pvid 998
switchport acceptable-frame-type all
switchport ingress-filter
exit

int gigabitethernet 0/3
description "Sophos A WAN"
switchport pvid 999
switchport acceptable-frame-type all
switchport ingress-filter
exit

int gigabitethernet 0/9
description "Sophos B WAN"
switchport pvid 999
switchport acceptable-frame-type all
switchport ingress-filter
exit

int gigabitethernet 0/17
description "Router WAN"
switchport pvid 999
switchport acceptable-frame-type all
switchport ingress-filter
exit

int gigabitethernet 0/23
description "Laptop Client Network"
switchport pvid 20
switchport acceptable-frame-type all
switchport ingress-filter
exit


# Route to active Sophos HA LAN interface
ip route 0.0.0.0 0.0.0.0 10.99.30.254
exit
save

We have also opened a ticket and escalated it, but from Sophos so far only unqualified replies!
I am wondering that in this Switch section people are only reviewing, but it looks to me like most are also still trying to understand the product!
I also hope we can exchange more experience with the switches here.
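The sequence in the post (VLANs, untagged members, L3 interfaces, PVIDs, default route) can be checked against the switch's route-table budget before it is typed in. The script below is an added example, not Sophos code and not part of the original post. It takes the IPv4 limits from the datasheet figures quoted later in this thread (59 static-route entries, 4 interface-route entries, 1 default route); treating the 4 interface-route entries as the cap on addressable VLAN interfaces is an assumption that matches the post, where the fifth `ip address` fails with "% No free interfaces are available". The CLI lines it emits mirror the commands used in the post, and the VLAN plan in `PLAN` is constructed sample data modelled on it.

```python
"""Plan check and config generator for the CS110-24FP L3 VLAN setup.

Added example, not Sophos code. Limits are the datasheet figures quoted in
the thread; the interface-route cap on L3 VLAN interfaces is an assumption.
"""
import ipaddress

MAX_INTERFACE_ROUTES = 4    # datasheet: "4 entries for interface route"
MAX_STATIC_ROUTES = 59      # datasheet: "59 entries for static route"
MAX_DEFAULT_ROUTES = 1      # datasheet: "1 entry for default route"

# Constructed plan: (vlan id, name, SVI address or None, untagged member ports)
PLAN = [
    (1,   "Management",         "10.30.0.1/24",  []),
    (10,  "Server",             "10.30.10.1/24", []),
    (15,  "WlcAccessPoints",    "10.30.15.1/24", []),
    (20,  "Clients",            "10.30.20.1/24", ["0/23"]),
    (30,  "Printer",            "10.30.30.1/24", []),
    (99,  "TransferToFirewall", "10.99.30.1/24", ["0/1", "0/7"]),
    (998, "FirewallHa",         None,            ["0/5", "0/11"]),
    (999, "WAN",                None,            ["0/3", "0/9", "0/17"]),
]
ROUTES = [("0.0.0.0/0", "10.99.30.254")]   # (destination, next hop)


def validate(plan, routes):
    """Return a list of problems; an empty list means the plan fits the switch."""
    problems = []
    svis = {vid: ipaddress.ip_interface(addr) for vid, _, addr, _ in plan if addr}

    # The post hit the interface limit on the 5th "ip address".
    if len(svis) > MAX_INTERFACE_ROUTES:
        problems.append(
            f"{len(svis)} L3 VLAN interfaces requested but only "
            f"{MAX_INTERFACE_ROUTES} interface routes exist; expect "
            f"'% No free interfaces are available' on number {MAX_INTERFACE_ROUTES + 1}")

    # An SVI needs a host address, not the network or broadcast address.
    for vid, iface in svis.items():
        net = iface.network
        if iface.ip in (net.network_address, net.broadcast_address):
            problems.append(f"vlan {vid}: {iface} is not a host address")

    # Untagged membership sets the PVID, so a port is untagged in one VLAN only.
    owner = {}
    for vid, _, _, ports in plan:
        for port in ports:
            if port in owner:
                problems.append(f"port {port}: untagged in vlan {vid} and vlan {owner[port]}")
            owner[port] = vid

    # Route-table budget and next-hop reachability through one of the SVIs.
    defaults = [r for r in routes if r[0] == "0.0.0.0/0"]
    statics = [r for r in routes if r[0] != "0.0.0.0/0"]
    if len(defaults) > MAX_DEFAULT_ROUTES:
        problems.append(f"{len(defaults)} default routes, limit {MAX_DEFAULT_ROUTES}")
    if len(statics) > MAX_STATIC_ROUTES:
        problems.append(f"{len(statics)} static routes, limit {MAX_STATIC_ROUTES}")
    for dst, nh in routes:
        nh_ip = ipaddress.ip_address(nh)
        if not any(nh_ip in iface.network for iface in svis.values()):
            problems.append(f"route {dst} via {nh}: next hop is on no L3 VLAN subnet")
    return problems


def render(plan, routes):
    """Emit the CLI blocks in the order the post uses them."""
    out = ["conf t"]
    for vid, name, _, ports in plan:                    # Block 2: VLANs and members
        out += [f"vlan {vid}", f"ports name {name}"]
        for port in ports:
            out.append(f"ports add gigabitethernet {port} untagged gigabitethernet {port}")
        out.append("exit")
    for vid, name, addr, _ in plan:                     # Blocks 3/4: L3 interfaces
        if not addr:
            continue
        iface = ipaddress.ip_interface(addr)
        out += [f"int vlan {vid}", f'description "{name} VLAN"']
        if vid == 1:
            out.append("no ip address")   # post: vlan 1 starts with "ip address dhcp"
        out += [f"ip address {iface.ip} {iface.network.netmask}", "exit"]
    for vid, _, _, ports in plan:                       # Port setup: PVID = untagged VLAN
        for port in ports:
            out += [f"int gigabitethernet {port}", f"switchport pvid {vid}",
                    "switchport acceptable-frame-type all",
                    "switchport ingress-filter", "exit"]
    for dst, nh in routes:
        net = ipaddress.ip_network(dst)
        out.append(f"ip route {net.network_address} {net.netmask} {nh}")
    out += ["exit", "save"]
    return "\n".join(out)


if __name__ == "__main__":
    for problem in validate(PLAN, ROUTES):
        print("PROBLEM:", problem)
    print(render(PLAN, ROUTES))
```

Run as-is it reports that the six addressed VLANs in the sample plan exceed the four interface routes, which is the situation in the post; drop the SVI address from two of them (leaving those VLANs as plain L2 segments routed elsewhere) and it validates clean and prints the full block sequence, with each port's `switchport pvid` derived from the same table as its untagged membership so the two cannot drift apart.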



Updated TAGs
[edited by: Erick Jan at 5:47 AM (GMT -8) on 11 Jan 2024]
  • https://www.sophos.com/en-us/medialibrary/pdfs/factsheets/sophos-switch-ds.pdf

    but your datasheet is still the same. You are sending mixed signals here

    Actually it is easy to answer: Use a Layer3 router feature on a firewall and not on the Switch.

    It is the year 2023 and we should consider "not using a Layer 3 router without anything for our internal network".

    Simply connect the VLAN to your firewall solution and do the routing there. 

    Sophos is not pointing out that the Switch is used for core switch business. It is an Access Layer switch. Who is routing L3 there?

    The Sophos Switch Series offers a range of 8-, 24-, and 48-port network access layer switches

    Why bother even with these:

    Static Routing 

    Yes - all models
    (IPv4: 59 entries for static route, 4 entries for interface route and 1 entry for default route.)
    (IPv6: 5 entries for static route, 16 entries for interface route and 1 entry for default route.)

    what is it:

    - access switch

    - it is year 2023

    - ...

    I am curious: Who is the genius who came up with this?

  • With this info, we would actually purchase Fortinet firewalls and switches. We will return these devices and ask for a refund and the additional costs we have had. And we will never purchase these devices again.

  • Why are you doing a network segmentation in the first place, if you route on a switch? 

    What would stop a lateral movement attack? 

    IF you want a core switch, then you should look into the core switch segment. If you want an access switch, you will not route on an access switch at all.

    Sophos switches also do not support other features which are standard for core business: stacking, power supply redundancy, etc.

    __________________________________________________________________________________________________________________

  • and really: Who came up with this:

    Static Routing 

    Yes - all models
    (IPv4: 59 entries for static route, 4 entries for interface route and 1 entry for default route.)
    (IPv6: 5 entries for static route, 16 entries for interface route and 1 entry for default route.)

    what is the business and technical explanation for this setup?

    Since, based on this, 8 switches will be returned and ca. 100 canceled.

  • I am sorry if you were misled by the information. Sophos does not offer Core Switches.

    But again: I would recommend looking into your network security and not relying on core switch routing anymore. It will not protect you against any kind of lateral movement.

    And the technical explanation is easy: This is not the focus nor the application field of this switch. Access Switches are not designed to do routing at all. They rely on a core switch // a firewall to do this job.

    __________________________________________________________________________________________________________________

  • It will not protect you against any kind of lateral movement. 

    Not even if we are running Intercept-X EDR, XDR, MDR? 

  • You should always build up multiple layers of protection. The endpoint will do its best to protect the endpoint. But you will be completely open to network-based attacks.

    For example: EternalBlue / WannaCry was a 0-day lateral movement attack. Therefore it could spread through the entire network if you rely solely on your core switch. Network segmentation will not stop it if you have nothing to filter.

    You would need a firewall in between. 

    Something nice to read about the difference: https://www.reddit.com/r/HomeNetworking/comments/q8pypp/is_there_any_significant_difference_between_a/

    Nowadays: Core switches are moving more towards firewalls. Simply because back in the day, a firewall could not offer the needed backbone speed. But XGS hardware and other vendors can do this now. So if you have, for example, SFP+ in your network, SFOS can route this AND protect the network.

    Sophos currently does not look into the core switch segment, as we can protect the network with an access switch + firewall. There are still use cases for core switches to "connect to the firewall", but in the end the firewall does the L3 routing, as it can do more with the traffic than simply route.

    __________________________________________________________________________________________________________________

  • Sophos does not offer Core Switches. 

    Looks like Sophos has a new definition of core switch.

    Access Switches are not designed to do routing at all. They rely on a core switch // a firewall to do this job. 

    why then are you bothering with those 4 routes you have?

    Access Switches are not designed to do routing at all.

    this is maybe the case with Sophos switches. Not with the rest of the vendors.

    They rely on a core switch // a firewall to do this job. 

    Routing on XGS is another game

  • I will not do any kind of convincing toward your position. I just tried to explain the situation to you. If you want to discuss this further, please reach out to your sales rep.

    __________________________________________________________________________________________________________________

  • You just need to have proper documents available and correct. People make decisions based on that information. That's all. Your sales reps have either gone or went to work for the competition.