Best Way to Configure Uplinks for a Switch Block (Sophos XGS4500 + Unifi Pro Aggregation Switches)

Question

Hey everyone, 
 I&rsquo;m working on setting up the uplinks between a Sophos XGS4500 firewall and a switch block consisting of two Unifi Pro Aggregation switches. I&rsquo;d really appreciate advice on the best way to configure the interfaces for optimal performance and redundancy. 
 Current Setup & Goals 
 
 Firewall: Sophos XGS4500 with 4x 10Gbps SFP+ ports. 
 Switches: 2x Unifi Pro Aggregation Switches. 
 Uplink Plan: Each switch should have a 20Gbps connection to the firewall. 
 The Links MUST distribute the same VLANS to the 2 Aggregation Switch - STP should then be able to block one of the switch by my logic

What&rsquo;s the Best Way to Configure This on Sophos? 
 I see three possible approaches, but I&rsquo;m not sure which one is correct or best practice: 
 
 Single LAG (4x 10Gbps) &rarr; Both Switches
 
 Create one LAG on the XGS4500 using all four SFP+ interfaces. 
 Connect both Unifi switches to this single aggregated link. 
 Does this work efficiently with two separate switches?

Separate LAGs (2x 10Gbps per Switch)
 
 Create two separate LAGs (each with 2x 10Gbps links). 
 Connect one LAG to each Unifi switch.

Bridge with Two LAGs (More Complex Setup)
 
 Create two LAGs (like option 2), then bridge them together. 
 Theoretically allows cross-switch redundancy while keeping structured LAGs.

Questions I got: 
 
 Which of these options is the best practice for this setup? 
 How should I configure the LAG settings on Sophos (LACP, static, etc.)? 
 Any considerations for VLANs, STP, or failover handling? 
 
 I&rsquo;d really appreciate any guidance or best practices from those who have done similar setups. 
 Thanks in advance!

----------------------After testing 19.03.25---------------------------- 
 It is actually possible to coonfigure example nr.3 : 
 
 Thats how i did it:

Configure LAGs first as needed: 
 
 LAG1 (Ports F1 and F2) 
 LAG2 (Ports F3 and F4)

Configure the Bridge (Bridge1) : 
 
 Add LAG1 and LAG2 as members. 
 Enable STP if redundancy is required.

Assign VLANs to Bridge1 as needed.

On D1 (Distribution Switch) and D2 : 
 
 Configure LAG1 on D1 . 
 Configure LAG2 on D2 .

Configure STP : 
 
 Set Bridge1 as the STP root . 
 D1 STP Priority: 12288 
 D2 STP Priority: 16384

Configure Trunking on the Switch to ensure proper VLAN propagation.

Configure native VLANs on Access Ports where required.

Tomorrow i can give a more updates on traffic testting 
 
 Tomi from Vienna -------------------------- Follower of the Holy Firewall Scriptures, Prophet of Lucartoni Network & Security Enthusiast Here to learn, share, and help!

LuCar Toni · Answer

LAG is meant to be build between "a Switch and a firewall". It means, if the switches in your example are Independent, then the LAG will run into issues. 
 LAG is a way to bound a connection from A to B. B should be one logical unit (virtual switches or one single switch). 
 So i would go for the option 2 - Based on the fact, that your switches are not one logical unit

Best Way to Configure Uplinks for a Switch Block (Sophos XGS4500 + Unifi Pro Aggregation Switches)

What’s the Best Way to Configure This on Sophos?

Top Replies