This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

LAN Link aggregation or LAN Failover

Hi All,

We've had a core switch failure today. We used to have a Sophos UTM where it allowed us to configure LAN Aggregation. I can't seem to see this on the XG.

Is it possible, i really could do with connecting the XG to an additional core switch to protect against a failure such as what we've experienced.

thanks



This thread was automatically locked due to age.
Parents Reply
  • Thanks for the reply, thank you for this. 

    I wanted to add this to our currently active "lan" port (port1) and inactive unbound port5.

    The documentation states:

    "Only unbound static physical interfaces can be members of the LAG"

    i assume because our port1 (lan) is currently active, i can't configure this to a lag without "downtime".

    Kind regards 

Children
  • Yup, you'll need a down time.
    ==========================
    Once configured you can verify with the following device console commands: 
    > show network lag-interface
    > show network lag-interface < lag-interface> runconfig

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Technical Account Manager 3 | Cyber Security Evolved


    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

  • Thanks again.

    When it says "unbound" does it mean removed from the "lan" zone or just disconnected? do i need to add a static IP address to each of the member ports + the lag group (3 static IPs in total) or just a single static IP on the LAG i've created?

    Sorry for all the questions, i'll be doing this via the GUI.

    Kind regards

  • Unbound Example can be seen below:

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Technical Account Manager 3 | Cyber Security Evolved


    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

  • That's great thanks, i'll book some downtime in and give it a go and report back.

    cheers

  • one more thing, if i unbind my LAN port, i won't be able to connect to the gui...... could i do this off site via central?

  • if you have another interface configured on the LAN zone and under the device access if you have allowed HTTPS access on LAN than you'll be able to access the appliance. But if non of the interface is active then you will not be able to. So better configure a temporary interface and connect a direct laptop/machine... 

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Technical Account Manager 3 | Cyber Security Evolved


    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

  • understood, but could i do this via central off site via WAN if i have enabled firewall management. I'll of course configure an additional port for LAN access outside of the LAG scope "just incase"

  • Yup, if sophos Central service is enabled for firewall management and as far as WAN connection is active. you are good to go and access the appliance via Sophos Central firewall management. 

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Technical Account Manager 3 | Cyber Security Evolved


    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

  • excellent thanks again. i'll report back tomorrow. Planning on doing this at home tonight out of hours.

  • This seems* to be ok after creating the new AGG group on ports 1 & 5. I did this remotely from Sophos Central via the firewall manager.

    Before i did this i connect to the site using Sophos connect and did a few things before hand (like doing a back up).

    I've rebooted the XG and reconnected via Central. I can ping internal (LAN) pcs via the new AGG interface so i assuming all is fine?

    *That being said. I don't seem to be able to VPN back into the site via Sophos connect, and all the sophos access points are showing as "inactive". I hoping this is a central bug? :s

    I'll be on site early tomorrow just in case. Anything that could have caused this?

    I connect to the firewall via central, unbound the single LAN port (port1) and noted it's settings. Created a new AGG interface with Port 1 & 5 (both unbound) and entered the address details noted above. 

    EDIT: looking at the VPN logs on the xg. i'm getting rejected because of wrong credentials. go figure ? 

    Regards