HA Interface on MGMT Port?

Hi,

We have 2 SG650s, and both machines are connected via port eth0 [MGMT1] for administration.

At the moment our active-passive cluster HA interface is on eth2 [A1].

Does anything speak against switching the HA interface to eth1 [MGMT2]? We want to use all 8 ports of the first additional card [A1-8] for other services.

 

Regards

Tobias



  • Tobias, since you can limit WebAdmin and Shell access to specific IPs, I never define a Management interface.  I would be hesitant to change the HA interface to a non-standard one as that might make replacing a failed node more difficult.  Please check with Sophos Support and let us know their recommendation.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    What do you mean by a non-standard port? -> all FleXi Port Modules?

    This is our planning / current configuration:
    Both SG650s have 2 "normal onboard" ports [MGMT1][MGMT2], one FleXi Port module with 8x 1G copper [A1..8] and one with 2x 10G SFP+ [B1][B2]

    Interface | Current                                          | Planning
    MGMT1     | Management Interface                             | -
    MGMT2     | empty                                            | HA Interface
    A1        | empty                                            | lag1
    A2        | HA Interface                                     | lag1
    A3        | empty                                            | lag1
    A4        | empty                                            | lag1
    A5        | (lag1) Ethernet VLAN - all VLANs from our WLAN   | -
    A6        | (lag1) Ethernet VLAN - all VLANs from our WLAN   | -
    A7        | (lag1) Ethernet VLAN - all VLANs from our WLAN   | -
    A8        | (lag1) Ethernet VLAN - all VLANs from our WLAN   | -
    B1        | (lag0) other routing stuff and default GW        | -
    B2        | (lag0) other routing stuff and default GW        | -

    Typical WLAN: many clients, many connections, but not that much traffic, because all our APs are "only" connected via PoE, so perfect for LACP :D

    Usually I would simply change the HA interface, but because the name is MGMT2 I'm a little bit confused.

  • Hi Logan,

    I don't think Bob has worked on a 450 or higher UTM like your 650, so he might be a bit confused.

    We have a 450. As you're not using the mgt interface I see no problem, but first see if it is selectable as an interface that can be used in the HA option. Sophos might exclude that interface from being used.

    You will have to clear any config (ips etc) off that interface if there is any before it could be selected too.

    Let us know how you go.

    @Bob the 450 and higher UTMs use full card modules and the only interface onboard is the mgt or management interface. In these UTMs you select any ports you want to be designated the HA port. He is asking if he can use the onboard management port so he doesn't use up a port on his modular card.

  • Yes, our 650 has only 2 onboard interfaces and 4 ports for FleXi Port modules (see my post above).

    The interface [MGMT2] is unused and I can select it as HA interface in the HA options, so maybe MGMT2 is only a label.

     

    We have planned to configure other network stuff on 27 August 2017.
    At the same time we want to upgrade the PostgreSQL DB from 32-bit to 64-bit, so I have to rebuild the cluster.
    In this step I will change the HA interface to eth1 [MGMT2] and see what happens. (I would say it works without problems.)

    Next time I contact our local support partner, I will ask this question by the way.

    I'll update this post after this date with our results, in case another person has the same question.

     

    Regards

  • In our 550 HA A/P cluster we first used the mgmt ports.

    Now we have moved the SGs to two different locations (400m) and we are using a 1 GbE SFP port of one of our FlexiPorts.

    As far as I can see, you are able to use any port.