
Sophos UTM HA failover and Stacked Cisco Switches | Cisco loses connection to Sophos after a failover

Hello Community,

I hope someone could point me to the right direction on this.

My setup:

Two Sophos UTM SG210 running HA active/passive
Two stacked Cisco switches doing inter-VLAN routing.
I have a LAG (two ports) on the UTM, and I have a LAG (4 ports) on the stacked Cisco switches.
I am routing all VLANs in the Cisco out of a layer 3 LAG interface (10.10.8.2) connected to the LAG interface (10.10.8.3) on the Sophos.

Problem:

Everything is working fine except when there's a failover on the Sophos: I lose the connection from the UTM to the Cisco, and I have to delete and re-create the LAG on the Cisco for the connection to be established again. I understand that in the post (referenced below) an engineer suggested creating two LAGs on the Cisco, but my question is: if I have two LAGs on the Cisco, how would I configure the IP address and routing on the second LAG to route traffic to the Sophos?

Here's the post with same issue as mine:

community.sophos.com/.../sophos-utm-sg450-cluster----link-aggregation-group-failed-after-switching-cluster-status

Thank you in advance for your help.

  • Hello,

    First, you need 2 LAG groups at the Cisco switches. Every LAG group may/should be distributed over the 2 switches within the stack.

    One UTM to one Cisco LAG group (so you have only one LAG configured at the SG).

    Both LAG groups have the same configuration at the Cisco switches.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Hi Dirk,

    In terms of configuration for each LAG group at the Cisco, how should they be configured? I prefer to do layer 3 (no switch port with an IP address, because I don't like to deal with spanning tree), but the problem with this is that I can't have the same IP subnet across two switch ports (LAG groups).

    So, does that mean I have to use an SVI and configure each LAG group as a trunk port?

    Thank you.

    "I can't have the same IP subnet across two switch ports (LAG groups)."

    Sure ... I do this every week. Both LAG interfaces can reside within the same VLAN / subnet...
    A LAG port works like a physical port.
    (It can contain different VLANs and these VLANs' IP interfaces.)
    And I don't configure L3 at the switch ... if possible.
    The design question is: should the switch be the router between your LAN segments (1), or the firewall (2)?
    (1) - You configure only one VLAN/interface at the firewall and use a transfer subnet to the switch, which takes care of the remaining routing tasks.
    (2) - The LAG contains all VLANs and there are no IP interfaces at the switch (except the management IP). All routing is done by the firewall.
    (1)-(2) It is possible to mix variants 1 and 2.

    PS: at the switch you don't configure IPs on top of physical interfaces (or LAGs) directly?


    Dirk


  • Hi Dirk,

    Thank you for your reply.

    My preferred design is [1] - the switch is the router between my LAN segments.

    Could you confirm if the below is correct?

    - At the Sophos, I configure an "Ethernet VLAN" interface (let's say 10.10.0.1, 255.255.255.252, Vlan 5)

    - At the Cisco, I configure a VLAN interface IP (or SVI) (let's say 10.10.0.2, 255.255.255.252, Vlan 5)

    - At the Cisco, I configure a default route to send all VLAN-segment traffic to the Sophos via the Sophos's "Ethernet VLAN" interface, 10.10.0.1

    Finally, do I need to worry about looping or spanning tree for the traffic going back and forth between the switch and the Sophos?

    Thank you.

    "Finally, do I need to worry about looping or spanning tree for the traffic going back and forth between the switch and the Sophos?"

    No, it is a point-to-point connection.

    "At the Cisco, I configure a VLAN interface IP (or SVI) (let's say 10.10.0.2, 255.255.255.252, Vlan 5)"

    - and you add the 2 LAG interfaces to this VLAN.

    "I configure a default route to send all VLAN-segment traffic to the Sophos via the Sophos's "Ethernet VLAN" interface, 10.10.0.1"

    - correct, and you configure one or some routes at the Sophos for the LAN segments to gateway 10.10.0.2 (Cisco).


    Dirk


  • Hi Dirk,

    For this design, is it a requirement (or best practice) that the Sophos' interface be an "Ethernet VLAN" interface? Would this work if I just create an "Ethernet" interface? My understanding is that I would only create an "Ethernet VLAN" interface at the Sophos if I want the Sophos to do the VLAN-segment routing (like a router-on-a-stick design).

    Thank you.

    Mostly I use VLAN interfaces because I am able to switch other VLANs to this interface too.

    So I am able to change the depth of network segmentation without big disruptions.


    Dirk

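The design Dirk confirms above (two Cisco port-channels in one transfer VLAN, an SVI on the Cisco, a tagged "Ethernet VLAN" interface on the UTM, a default route on the switch and static routes back on the firewall), written out as a Cisco IOS configuration for the stacked switch. This is an added example; it is not configuration posted in this thread or shipped by Sophos or Cisco. The addresses 10.10.0.1/10.10.0.2 in VLAN 5 are the ones used in the thread; the physical port numbers, the VLAN name, the LAN segment 10.10.20.0/24 used to illustrate the return route, and the LACP setting (`mode active`) are assumptions and must be matched to the real cabling and to whatever LAG mode the UTM is configured for.

```cisco
! Added example, not from the thread. Design (1): switch routes between LAN
! segments, firewall reached over a /30 transfer VLAN.
! Assumptions: Gi1/0/1 + Gi2/0/1 cable to UTM node A, Gi1/0/2 + Gi2/0/2 to
! UTM node B (one member port on each stack member, so each LAG survives the
! loss of one switch); LACP "mode active" is assumed, match it to the UTM LAG.
!
vlan 5
 name FW-TRANSFER
!
! Port-channel 1 terminates the LAG of UTM node A
interface Port-channel1
 description LAG to Sophos UTM node A
 switchport mode trunk
 switchport trunk allowed vlan 5
!
interface range GigabitEthernet1/0/1, GigabitEthernet2/0/1
 description member of Po1 (UTM node A)
 switchport mode trunk
 switchport trunk allowed vlan 5
 channel-group 1 mode active
!
! Port-channel 2 terminates the LAG of UTM node B, identical configuration
interface Port-channel2
 description LAG to Sophos UTM node B
 switchport mode trunk
 switchport trunk allowed vlan 5
!
interface range GigabitEthernet1/0/2, GigabitEthernet2/0/2
 description member of Po2 (UTM node B)
 switchport mode trunk
 switchport trunk allowed vlan 5
 channel-group 2 mode active
!
! One SVI in the transfer VLAN; both port-channels carry VLAN 5 to it, so the
! same 10.10.0.0/30 is reachable over whichever UTM node is currently active.
interface Vlan5
 description transfer net to Sophos UTM (10.10.0.1)
 ip address 10.10.0.2 255.255.255.252
!
ip routing
! All traffic the switch does not route between its own SVIs goes to the UTM
ip route 0.0.0.0 0.0.0.0 10.10.0.1
```

On older Catalyst platforms `switchport trunk encapsulation dot1q` must precede `switchport mode trunk`; newer ones reject the command. On the UTM side the single LAG from the original post stays as it is, with an "Ethernet VLAN" interface on top of it (VLAN tag 5, 10.10.0.1/30) and one static route per LAN segment, for example 10.10.20.0/24 via gateway 10.10.0.2 (that segment is an assumption). Because the HA pair synchronises interface configuration, node A's two ports land in Po1 and node B's two ports in Po2 with nothing extra to configure. After a failover, `show etherchannel summary` on the stack should show both port-channels still bundled and `show ip route` still pointing the default at 10.10.0.1, which is what removes the need to delete and re-create the LAG.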

  • Thanks. I will give this a try and let you know how it goes.

  • I want to report that it works great. Fail-over and fail-back now do not disconnect the switch's connection.

    Much thanks to Dirk. Appreciate your assistance, sir.

  • Thanks for your feedback.

    Please acknowledge the best answer(s).


    Dirk
