Redundant uplink > same ip address > uplink balancing vs LAG

hello all

 we are installing a new uplink next week we have 2 x sophos utm sg 330 in a HA active/passive setup

previously we had 1 uplink router, so 1 cable into each sophos utm 330 but will now receive 2 routers  in a master slave set up using cisco HSRP, short for Hot Standby Router Protocol

what this means is if the first router goes down , the second one takes over with the same configuration , same ip address etc is it possible to add the interfaces on the backup router using additional ports on the sophos utm AND giving them the same interface IP address ?

i would then put the second uplink interface into the standby network in the uplink section , rather than as active

I have tried this on our spare sophos utm sg  and it does allow you to specify the same IP address on the secondary interface

I asked sophos support if this would work and they are pointing me in the direction of  LAG groups (funnily the next tab from uplink balancing) 

So my question is does anyone have experience of something similar and what would you recommend ?

many thanks

  • Hallo Neil,

    My visual-tactile learning style can't "see" what you are suggesting, so I'm not sure I've understood what you're asking...

    At my client sites with two UTMs in Hot Standby and two ISPs, we have a switch between the UTMs and the ISPs.  The UTMs are cabled identically with a cable connecting them directly on eth3.  No HSRP in use as all fail-over is handled by the UTM configuration.  Uplink Balancing with Multipath rules is used to distribute the traffic over the two ISPs.  No LAG is involved in this aspect of the configuration.  Did that help?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello Bob thanks for the reply. what i am talking about is the part in green 

    we have a secondary ISP as a backup link , this is simple , its a seperate ip address and was added to the utm in the standby interfaces 

    what i am talking about is a service from our main ISP , they give us 2 routers one connected with fiber and one with coax ,  in the even that the fiber line / master router goes down, the  secondary router kicks in using the SAME ip addressing 

    the whole aim of this is to try and provide redundancy, so i was hoping to avoid placing a switch inbetween the sophos and the ISP

    there is no requirement for multipath or aggregation as such, at anyone time the traffic would be going over 1 of the 3 lines


    1. adds more complexity

    2. single point of failure 

    3. adds an extra hop

    4. is outside the firewall so security concerns 

    My initial thought was i could use the standby interface feature as used for the secondary isp , the question being can you assign the SAME ip address to the secondary interface on another port.   We have a cold utm for disaster , so on this one i have tried assiging a second interface the same ip address and it doesnt complain.  I asked sophos if this was possible and they suggested LAG.   from the utm documentation "Link aggregation is useful to increase the link speed beyond the speed of any one single NIC or to provide basic failover and fault tolerance by redundancy". however  beyond making the LAG there is no other configuration.   i notice in the XG documentation that there is the option to specify  the LAG as active/backup

    I guess i will just have to suck it and see once its here, weekend testing incoming ;)    if it doesnt work then i can go the switch inbetween route or even just treat it as a cold standby manually change the cables if it goes down

  • Thanks for the great diagram, Neil - I see now!

    Not sure what you gain by having the same IP regardless of whether the connection is via fiber or cable.  In any case, you're right that you would need a switch or a LAG to get the connection to the same Interface definition.  No Multipath rules or Uplink Balancing involved.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • hello Bob

    thanks for the input, the only reason for trying to keep the same ip, was because of the SSL vpn connections and the IPSEC connections