
New Small Office Setup

We are looking to set up a new small office with 20 users, VoIP and 4 servers. I've used SG210s in the past for larger environments but wondered whether or not this was overkill for such a small environment. Can anyone give advice on a network design that would accommodate the SG210 with regard to L2 switching with VLANs, and in particular how these switches interface with the SG210? I'm keen to avoid a ROAS configuration and keep VLANs to a minimum. In addition we would like redundancy at least in the switching; we have a couple of 48-port PoE Cisco 2960s sitting in the cupboard that we would like to utilise.



  • I'm not sure whether I completely understand your question, but if you need the 8 ports, there are also the SG135 and SG125, which both have 8 ports and are less powerful in terms of CPU and memory, but they might be powerful enough for your environment.

    In fact the software for all UTMs is the same, so there shouldn't be a difference in what you can set up.

    If you want redundancy in switches you might also need to build an HA environment using 2 UTMs. Or you might just be able to configure the switches with LAGs consisting of 2 ports on separate switches and then connect the LAG to the UTM (of course you also need to configure the LAG on the UTM).


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • We want to utilise our existing SG210 UTMs and just wondered what the best and cheapest redundant switch design to sit underneath would be. I think what you're saying is: get two switches, configure a port from each switch into a LAG group (is this like an EtherChannel?), then interface each member of the LAG to each UTM configured in HA. Is this right?

    Then is it just a case of creating the necessary VLANs for users, VoIP, datacentre etc. on this switch and uplinking each VLAN to a separate physical port on the UTM (assuming there are not more VLANs than ports on the UTM)?

    Because it is such a small environment there is no real need for a 3-tier or even 2-tier switch deployment. Can I get away with a couple of switches configured in the way described above? They would act as Access, Distribution and Core switches (a collapsed core!). If one of the switches then fails, would the LAG use the path to the other UTM?

  • Yes, LAG = EtherChannel. If you configure the ports of the SG210 as VLAN ports, then you must connect them to tagged ports on your switch. You can of course also configure them as "normal" (non-VLAN) ports, and then your switchport can just be an access port in the right VLAN.

    I thought you only had 1 SG210 to use, hence the LAG; however, if you have 2 SG210s you can achieve the same without a LAG, but you need to connect every switch interface to both SG210s (in UTM HA, all ports on all nodes need to be connected to the "same" source).

    As you can see in the drawing, each switch needs to connect to each UTM with the same VLAN ports (so basically every VLAN needs a connection to both UTMs on the same UTM port). Usually eth3 is used for HA, so use that to interconnect the UTMs.

    You must also connect your WAN connection(s) to both UTMs.

    When making an HA connection, both UTMs must be identical (both hardware and software version). You can first configure 1 UTM and make sure to have the other UTM at factory default and off before connecting it to the HA port. If you've configured HA on the first UTM and you then switch on the second UTM, it should automatically start syncing. After it is synced, you can connect the ethernet cables to the second UTM.


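The switch side of the design in the reply above, as an added example that is not from the thread or from Sophos: a Cisco IOS configuration for one of the two Catalyst 2960s. It gives the switch one tagged trunk to the same port on each UTM node, an LACP EtherChannel to the second switch, and access ports for users, phones and servers. The VLAN IDs 10/20/30, the unused native VLAN 999, the interface names and the choice of eth1 as the UTM VLAN port are all assumptions; mirror the configuration on the second switch.

```ios
! Added example (not from the thread or from Sophos): one of the two
! Catalyst 2960 switches. VLAN IDs, interface names, the native VLAN 999
! and the use of UTM port eth1 as the 802.1Q trunk port are assumptions.
vlan 10
 name USERS
vlan 20
 name VOICE
vlan 30
 name SERVERS
vlan 999
 name NATIVE-UNUSED
!
! One tagged uplink to each UTM node. Both cables land on the same UTM
! port (eth1), which carries VLAN interfaces for 10, 20 and 30 on the UTM,
! so the two trunks must carry the identical VLAN list (HA requires both
! nodes to see the same networks on the same port).
interface range GigabitEthernet1/0/1 - 2
 description Trunk to UTM-A eth1 (1/0/1) and UTM-B eth1 (1/0/2)
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
!
! Inter-switch LAG (EtherChannel, LACP) to the second 2960. The UTMs are
! in HA, so no LAG towards the firewall is needed.
interface range GigabitEthernet1/0/3 - 4
 description EtherChannel to SW2
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 channel-group 1 mode active
!
interface Port-channel1
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
!
! User ports: the PC sits untagged in VLAN 10; the phone in front of it
! tags its own traffic into VLAN 20 (learned via CDP or LLDP-MED).
interface range GigabitEthernet1/0/5 - 44
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Server ports, untagged in VLAN 30.
interface range GigabitEthernet1/0/45 - 48
 switchport mode access
 switchport access vlan 30
 spanning-tree portfast
 spanning-tree bpduguard enable
```

Two of these lines are there for security rather than connectivity: `switchport nonegotiate` turns off DTP, so a host on an access port cannot negotiate itself into a trunk and reach every VLAN, and the dedicated unused native VLAN on the trunks means a double-tagged frame from an access port has nowhere useful to land. `bpduguard` shuts an edge port that starts sending STP BPDUs, which is what a rogue switch plugged into a desk port would do. Keep the allowed-VLAN list identical on both UTM uplinks and on both switches, otherwise an HA failover moves a VLAN onto a node that cannot see it.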

  • Hi, and welcome to the UTM Community!

    Here's an old diagram of a full mesh solution that does take advantage of the LAG capability.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA