Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 6 replies
  • Subscribers 6 subscribers
  • Views 15198 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos bridged interface + Spanning tree protocol

CedricKessler

Hi,

Has anyone attempted to connect a 2 port bridged interface to 2 Cisco switches with STP enabled? I cannot get that to work like I would with a "normal" Cisco router.

I'm planning for the replacement of a non-redundant core switch with 2 Cisco 3650 (non-stacked). It's a fairly straightforward config on the switch - a few vlans and 2 trunks between the switches.

I would like to connect 1 port from each switch to the sophos appliance in the "Lan" network.

I am mostly concerned about the STP features on the Sophos appliances. I can't see any STP packets coming out with wireshark as opposed to my switches where I get all the STP packets. 

The result is pretty much a mess with all ports staying up, broadcast storms and well, it's not working - it looks like if you were to introduce a loop in your network with spanning tree disabled.

I tried to replace the sophos appliance with either an old ASA or another 3560 switch and as soon as I set up a similar config it works flawlessly. 

This is presently in my lab and the sophos appliance is a virtual machine in Hyper-V. I do not know if this could cause some issue but I don't believe so.

Is there something I am missing with bridged interfaces / STP on sophos appliances? Any help would be much appreciated!

Here's some information on the configuration;

----------------------Sophos appliance;

2 ports are members of a bridged interface

IP is let's say 192.168.0.1 /24 and STP is enabled

----------------------Switches;

Gig Ethernet Interfaces on the switches are as below at the moment (pretty basic);

switchport access vlan 1
switchport mode access

and there's a SVI on the switches (in HSRP), here's a part from the config;

interface VlanX
ip address 192.168.0.X 255.255.255.0
standby version 2
standby 1 ip 192.168.0.2
standby 1 preempt
standby 1 track 1 decrement 10

--------------



This thread was automatically locked due to age.
Parents
  • 0

    The only thing I see, Cedric, is that VLAN 1 is reserved in the UTM for Wireless Protection.  I don't know that that's your issue, but can you "hide" that from the UTM?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • 0

    The only thing I see, Cedric, is that VLAN 1 is reserved in the UTM for Wireless Protection.  I don't know that that's your issue, but can you "hide" that from the UTM?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
  • 0 in reply to BAlfson

    Hi,

    Thanks for the reply.

    Actually, I did not know that but I am not using vlan 1 on my actual config, I just wrote that for privacy reason so that is not the issue here.

    I have a spare physical sophos box somewhere so I'll try that but I really don't see why the Hyper-V switch would mess up with STP.

  • 0 in reply to CedricKessler

    Out of curiosity, could anyone check if their sophos box is sending any BPDU if you're using STP please? I haven't found a way to get my sophos VMs and Boxes to send any bpdu. That would be much appreciated !

    Thanks,

    C.

  • 0 in reply to CedricKessler

    Hello,

    I was wondering if you got this to work with your hardware appliance? I am planning on implementing a similar topology and I would like to have your feedback on how well it works.

     

    Thanks!

  • 0 in reply to Noct3

    Hi,

    I haven't been able to get this to work. I thought it could have been an issue with the virtual appliances/hyper-v but even with a single SG105 I had in spare, It never worked out. A simple bridged interface connected to the 2 switches with STP enabled (No HSRP) wasn't working. No matter what I did, I never saw a single BPDU / STP packet coming from the sophos appliance on Wireshark while the Cisco switches were operating normally.  Replacing the Sophos box with any other half decent HP / cisco router makes it work.

    We are planning to replace the sophos boxes with something else shortly so I think I've spent way too much time already trying to get this to work. I don't think something this simple should be this complicated - I even thought at first that I didn't need to go through an extensive pre-prod test with this since I was expecting it to just *work*.

  • 0 in reply to Noct3

    Hi, Anthony, and welcome to the UTM Community!

    Issues like these can be quickly and correctly answered by Sophos pre-sales engineers.  If you were already a UTM owner, you could have your reseller open a ticket with Sophos Support.

    I know that the UTM works with STP, but I have yet to work with this situation. 

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Unfiltered HTML