
Network switch configure for Sophos HA

Interested in what other people have done with network switch configurations when using Sophos HA.

Documentation on their website covers the Sophos configuration, but doesn't really talk about what to do on the switch side of things, although it does say to disable STP, which makes sense.

We've always used a single trunk (LAG) binding one port on each switch together and plugging one of the Sophos units into each one. Is this what most people do, or are other people simply using dumb ports and not worrying about creating a trunk/LAG?

docs.sophos.com/.../index.html



  • You could look into this and apply it to your switch: docs.sophos.com/.../index.html


  • Interesting. So instead of creating a LAG (trunk) which combines port 13 on both CS210 switches into one, same as the Sophos LAG, Sophos recommends leaving them as individual ports and disabling STP. Is there a reason behind this alternative configuration?

  • Why would you want to create a LAG in this scenario?

    Given you are using active/passive HA only one of the cluster nodes is actually passing traffic.
    The other one sits passive until its turn comes in.

    When the failover happens this side takes over the (virtual, HA) MAC.
    From the switch side it looks like the plug has been pulled at one side and inserted at the other.

    There is no scenario when both sides simultaneously transmit traffic (given the HA link is intact and you have no split-brain).
    Also STP should cope with this. The only thing I could imagine is to set the port to STP edge (or portfast as Cisco calls it).

    LAG would only make sense if the two blue switches in your graph are capable of forming a stack with distributed LAG/LACP interfaces (with Aruba the FlexFabric and OfficeConnect series supporting IRF does so) and the LAG is between ports going to the same XG cluster node.

  • Switches are in a stack with same devices connected to both. There would be no point in having two Sophos units in HA if the switches weren’t HA as well.

  • In this case LAG makes perfect sense. We do so using two HPE FlexFabric switches with distributed LACP in two locations and the Sophos units wired cross-over like in your diagram.
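For readers comparing the two designs discussed above (individual edge ports with STP tuned down, versus distributed LACP across a switch stack), here is an added configuration sketch. It is not from the thread, from Sophos, or from HPE; it uses Cisco IOS syntax as an assumption because the thread uses Cisco's "portfast" term, so the port names, VLAN 10 and stack member numbering are constructed placeholders. The key point it encodes is the one made above: a LAG is only bundled from ports that go to the same XG node, never from the two nodes' ports together, because only the active node passes traffic and the switch sees a failover as the HA MAC moving from one port to the other.

```text
! Added example, Cisco IOS syntax assumed. Stack member 1 = switch A, member 2 = switch B.
! Ports, VLAN and descriptions are constructed placeholders.
!
! ---- Design A: no LAG, one access port per switch to each XG node ----
! The passive node's link stays up but idle; on failover the HA MAC simply
! appears on the other port. Edge/portfast avoids the listening/learning delay,
! BPDU guard shuts the port if a loop ever presents BPDUs from the firewall side.
interface range GigabitEthernet1/0/13 , GigabitEthernet2/0/13
 description XG HA pair - node A on member 1, node B on member 2
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! ---- Design B: distributed LACP, switches stacked (alternative to A) ----
! Each port-channel bundles one port on EACH stack member going to the SAME node
! (node A: Gi1/0/13 + Gi2/0/13, node B: Gi1/0/14 + Gi2/0/14), matching a LAG
! configured on that node. Do not bundle node A and node B ports together.
interface Port-channel1
 description XG node A LAG
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface range GigabitEthernet1/0/13 , GigabitEthernet2/0/13
 description XG node A
 switchport mode access
 switchport access vlan 10
 channel-group 1 mode active
!
interface Port-channel2
 description XG node B LAG
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface range GigabitEthernet1/0/14 , GigabitEthernet2/0/14
 description XG node B
 switchport mode access
 switchport access vlan 10
 channel-group 2 mode active
```

Design A and Design B are alternatives, not layers of one configuration. Design B gives the active node two physical paths across the stack, so losing one switch member no longer forces an HA failover; Design A is the simpler choice when the switches are not stacked or the firewall side is not configured for LACP.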
