We've had a core switch failure today. We used to have a Sophos UTM where it allowed us to configure LAN Aggregation. I can't seem to see this on the XG.
Is it possible, i really could do with connecting the XG to an additional core switch to protect against a failure such as what we've experienced.
Hello JohnHilton,Thank you for reaching out to the community, please refer the follow doc/kba below for configuring the Link aggregation on SFOS [Sophos XG] https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Network/Interfaces/NetworkLinkAggregationGroupAdd/index.html
Thanks & Regards,_______________________________________________________________
Vivek Jagad | Team Lead, Global Support & Services
Sophos Community | Product Documentation | Sophos Techvids | SMSIf a post solves your question please use the 'Verify Answer' button.
Thanks for the reply, thank you for this.
I wanted to add this to our currently active "lan" port (port1) and inactive unbound port5.
The documentation states:
"Only unbound static physical interfaces can be members of the LAG"
i assume because our port1 (lan) is currently active, i can't configure this to a lag without "downtime".
Yup, you'll need a down time.==========================Once configured you can verify with the following device console commands: > show network lag-interface> show network lag-interface < lag-interface> runconfig
When it says "unbound" does it mean removed from the "lan" zone or just disconnected? do i need to add a static IP address to each of the member ports + the lag group (3 static IPs in total) or just a single static IP on the LAG i've created?
Sorry for all the questions, i'll be doing this via the GUI.
Unbound Example can be seen below:
That's great thanks, i'll book some downtime in and give it a go and report back.
one more thing, if i unbind my LAN port, i won't be able to connect to the gui...... could i do this off site via central?
if you have another interface configured on the LAN zone and under the device access if you have allowed HTTPS access on LAN than you'll be able to access the appliance. But if non of the interface is active then you will not be able to. So better configure a temporary interface and connect a direct laptop/machine...
understood, but could i do this via central off site via WAN if i have enabled firewall management. I'll of course configure an additional port for LAN access outside of the LAG scope "just incase"
Yup, if sophos Central service is enabled for firewall management and as far as WAN connection is active. you are good to go and access the appliance via Sophos Central firewall management.