
LAG uplinks from Sophos UTM (Active-Passive cluster) to stacked Netgear 4300 switches - Best practice

Hey guys,
I'd like to ask you for help regarding a redundant network uplink from our Sophos SG 230 A/P Cluster to two stacked Netgear M4300 Switches.

Here's our setup:

As you can see, we installed two Flexiport-modules with 10G Fibre Modules in our Sophos SG 230 Firewalls. We'd like to uplink those to our newly bought Netgear M4300 Switches, that are connected by a stacking cable (DAC). This uplink needs to be a redundant VLAN-Trunk.

In Sophos UTM, I created a Link aggregation group over both Fibre-Modules (eth6 and eth7 in our case).

Now, in the Netgear Switch, I have different possibilities to configure the uplink ports:
- keep them "stupid", just setup a VLAN-Trunk over all 4 ports individually
- configure 2 LAGs over interfaces 0/1 and 1/2 (top row) and 0/2 and 1/2 (bottom row) and use these LAGs for the VLAN trunks

If we'd go for the second option, there are some configuration options we have for our Netgear switches, as can be seen on the next image.

We tried the second option first (LAG on both sides with different options set in our Netgear Switches), which did not work very well. Currently we do some testing with the first option (normal VLAN trunks and no LAG on Netgear side), which seems to work better.

For testing, we ping the Management VLAN of our Netgear Switch and:
- disconnect the LWL cables from our Master Sophos UTM one after another - ping should continue --> works as expected
- power down one Netgear switch in our stack - ping should continue --> works for the Slave switch, not when we power down the master switch

Strange thing is: as soon as we power down the master switch, all ping packets are lost, however, the management interface is still available...

So, our config still does not seem "bulletproof", so I'd like to hear your opinion on our setup. Maybe, anyone in the Forum has a similar setup and can help us find the "best" setup.

Thanks a lot in advance!

Best regards
Sascha



  • Sascha, I've used the "stupid" solution with dumb switches, but I'm not familiar with your switches.  Can you make both switches "Master" at the same time?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hey Bob,

    thanks for looking into my issue. Having both switches act as master is not possible, only one switch can be the master switch.

    I was in contact yesterday with Netgear regarding my issue and was advised to change my stacking to "circle". Now it looks like the uplink / failover is working as intended, without having to configure a LAG on the Netgear side.

    However, as the stacking is different now, I'd like to give a LAG on the Netgear side another go and will report back, as soon as I had the chance to do so ;)

    Cheers
    Sascha

  • Hey Bob,
    here's the promised feedback regarding my issue. I did find some time to do some more testing, after changing the stack configuration.

    I created 2 LAGs on the Netgear switches, that are members of the stack. Interfaces 1/0/1 + 1/0/2 are LAG1 and uplink to the current Master-UTM. Interfaces 2/0/1 + 2/0/2 are LAG2 and connect to the current slave UTM, each with 10G fibre.

    I have a client in a VLAN, that needs routing through the UTM, connected to the Netgear switches for ping-testing.

    So, here are my results: no matter which hash mode I use on the Netgear (see screenshot further up), the result is the same all the time: it works;)

    When I pull the cord on one of the uplink connections to the active UTM, not a single ping is lost. When I unplug the power cable on one of the Netgear switches, I might lose some 3-4 pings, until the connection is reestablished.

    So, it looks like the hash-mode settings don't have any visible effect at all.

    Despite me not seeing any errors at all: is there a log or something on the Sophos UTM, where I might be able to track any errors / problems regarding LAG config, that I might overlook right now? I just wanna be 100% sure we chose the "perfect" config ;)

    Thanks again, cheers
    Sascha

  • I don't know, the "suspects" are Fallback, Kernel Messages, Middleware, Selfmonitoring, Service Monitor daemon and System Messages.  Please let us know where you see anything related.

    Cheers - Bob

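As a follow-up to the question of where LAG problems on the UTM could be tracked, here is an added example that is not from this thread or from Sophos: it assumes the UTM, being Linux-based, exposes the standard Linux bonding status text under /proc/net/bonding/, and the status text below (using the eth6/eth7 members named above) is constructed.

```python
# Added example (not from the thread or Sophos): parses the standard Linux
# bonding status format (/proc/net/bonding/<bond>) and flags LAG members that
# are down or have recorded link failures. The sample text is constructed.
import re
from typing import Dict, List

# Constructed sample using the member interfaces named in the thread (eth6/eth7).
SAMPLE_STATUS = """\
Bonding Mode: IEEE 802.3ad Dynamic link aggregation
Transmit Hash Policy: layer2 (0)
MII Status: up

Slave Interface: eth6
MII Status: up
Speed: 10000 Mbps
Link Failure Count: 0

Slave Interface: eth7
MII Status: down
Speed: Unknown
Link Failure Count: 3
"""


def parse_bonding_status(text: str) -> Dict[str, object]:
    """Return the bond mode and a per-member list of name/up/failures."""
    # Everything before the first "Slave Interface:" line describes the bond itself.
    head, *members = re.split(r"^Slave Interface: ", text, flags=re.M)
    mode = re.search(r"^Bonding Mode: (.+)$", head, re.M)
    result = {"mode": mode.group(1).strip() if mode else "unknown", "slaves": []}
    for block in members:
        name, _, body = block.partition("\n")
        status = re.search(r"^MII Status: (\w+)", body, re.M)
        failures = re.search(r"^Link Failure Count: (\d+)", body, re.M)
        result["slaves"].append({
            "name": name.strip(),
            "up": bool(status) and status.group(1) == "up",
            "failures": int(failures.group(1)) if failures else 0,
        })
    return result


def unhealthy_members(text: str) -> List[str]:
    """Names of members that are down or have a non-zero link failure count."""
    parsed = parse_bonding_status(text)
    return [s["name"] for s in parsed["slaves"] if not s["up"] or s["failures"] > 0]


if __name__ == "__main__":
    for member in unhealthy_members(SAMPLE_STATUS):
        print(f"LAG member needs attention: {member}")
```

On a live system, feed the function the contents of the bond's status file instead of SAMPLE_STATUS; a member that is up but shows a rising Link Failure Count points at a flapping link even when pings succeed.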