
LAG XG 330

Hi,

I have 1 Sophos XG330 and 2 Cisco 4500 with redundancy.

I created one LAG interface with 2 interfaces (one from switch A, one from switch B).

I set the 2 switch interfaces to trunk.

Sometimes the LAN doesn't get internet, but when I edit the LAG and save it again, the LAN gets internet again.

The same thing happened when I set it to LACP or Active-Backup.

I need help with that.



  • FormerMember
    0 FormerMember

    Hi cheikh ka,

    The LAG would need to be configured on both ends of the link, i.e. on both XG and Switch end.

    From the description, it sounds like the LAG is not configured on the switch end and the STP may have one of the links blocked. 

    Please refer to the below link for LAG on XG - 

    Sophos XG Firewall: How to Configure Link Aggregation (LAG)

  • Hi,

    This is exactly how I set the LAG on the Sophos, as in the link you sent me.

    The switch interfaces facing the Sophos interfaces are set to trunk, as you can see in the capture.

     

  • Hi,

    With the same architecture, I set sub-interfaces attached to the LAG I created before (a VLAN interface for each VLAN), which are the gateway for each VLAN.

    When I set an ACL (Add User/network rule) to allow traffic from one VLAN to another, it did not work (I unchecked ''Match known users'').

    Did someone meet this kind of issue?

    And solve it?

    I got this issue when the firmware version was SFOS 17.1.3 MR-3.

    I updated it today to SFOS 17.5.9 MR-9.

     

    I guess when I set sub-interfaces (a VLAN interface for each VLAN) which are the gateway for each VLAN, then I don't need to set routing on Sophos for inter-VLAN routing,

    as those sub-interfaces are connected to the LAG, but to make VLANs communicate between them we need a firewall rule set. Is this correct?

     

  • FormerMember
    0 FormerMember in reply to cheikh ka

    cheikh ka said:

    Hi,

    This is exactly how I set the LAG on the Sophos, as in the link you sent me.

    The switch interfaces facing the Sophos interfaces are set to trunk, as you can see in the capture.

     

     

    Hi cheikh ka, 

    Thanks for providing the screenshot of setup.

    The two trunk ports on the switch should be configured as a LAG group (Etherchannel on Cisco in LACP mode).

    You would need to check if your switches support Switch stack to have the Etherchannel on different switches.

    Note: the above advice on Cisco is from my personal experience/knowledge, and it might not be accurate in the terms used.

  • FormerMember
    0 FormerMember in reply to cheikh ka

    cheikh ka said:

    Hi,

    With the same architecture, I set sub-interfaces attached to the LAG I created before (a VLAN interface for each VLAN), which are the gateway for each VLAN.

    When I set an ACL (Add User/network rule) to allow traffic from one VLAN to another, it did not work (I unchecked ''Match known users'').

    Did someone meet this kind of issue?

    And solve it?

    I got this issue when the firmware version was SFOS 17.1.3 MR-3.

    I updated it today to SFOS 17.5.9 MR-9.

     

    I guess when I set sub-interfaces (a VLAN interface for each VLAN) which are the gateway for each VLAN, then I don't need to set routing on Sophos for inter-VLAN routing,

    as those sub-interfaces are connected to the LAG, but to make VLANs communicate between them we need a firewall rule set. Is this correct?

     

     

    I would suggest checking the Log Viewer to see if the traffic hits the correct firewall rule you created for VLAN-to-VLAN traffic -

  • Hi,

    ''The two trunk ports on switch should be configured as a LAG group (Etherchannel on Cisco in LACP mode)''. You mean the green ports? If yes, why? I have just 1 cable connected from switch A to Sophos and 1 cable connected from switch B to Sophos; we would use a LAG group (Etherchannel on Cisco) if we had to set 2 or more ports, which is not the case here.

     

    ''You would need to check if your switches support Switch stack to have the Etherchannel on different switches''.

    Stack is not used; I wanted to use VSS technology, but it seems the Cisco 4510 RE does not support it.

    I just configured them using a standby IP, which is the gateway for the access switch.

    Maybe for the access switch there is an inconsistent MAC to correctly do the ARP when the active switch changes.

     

     

    My problem: it works with one switch and not with the other.

  • FormerMember
    0 FormerMember in reply to cheikh ka

    Hi cheikh ka,

    Yes, the green links need to be configured as an Etherchannel (LACP) to operate properly with XG's LAG.

    Similar to the Etherchannel between the two switches, it needs to be configured on both ends. When LAG is configured on XG, the other end (Cisco switch ports) needs to be configured as LACP.

    Please refer to the below Community Page for the configuration - 

    https://community.sophos.com/products/unified-threat-management/f/management-networking-logging-and-reporting/33964/lag-with-cisco-switch 
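    The switch-side EtherChannel the reply above refers to, as an added example that is not part of this thread or of the linked Community page. Interface names, VLAN IDs, native VLAN and the channel-group number are assumed; the example also assumes both member ports sit on one logical switch (a single chassis, a stack or a VSS pair), because a standalone EtherChannel cannot span two independent switches.

```cisco
! Added example (not from the thread): Cisco IOS LACP EtherChannel
! facing the XG330 LAG. Port names, VLANs and channel-group number
! are assumed; adjust them to your topology.
!
! Both members must belong to the same logical switch (one chassis,
! a stack, or a VSS pair). Two standalone 4500s cannot share a single
! EtherChannel, so with one cable per switch and no stack/VSS the XG
! LAG only ever has a valid LACP partner on one side.
!
! Member ports: identical trunk settings, then bundle them with LACP.
! "mode active" sends LACPDUs; the XG LAG must be set to LACP as well.
interface range GigabitEthernet1/1 - 2
 description Member of Po1 (to Sophos XG330 LAG)
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 switchport trunk native vlan 999
 channel-group 1 mode active
 no shutdown
!
! The logical port-channel carries the same trunk settings; a mismatch
! between Po1 and its members suspends the member port.
interface Port-channel1
 description LAG to Sophos XG330
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 switchport trunk native vlan 999
!
! Verification once the XG side is set to LACP:
!   show etherchannel 1 summary
!     -> Po1 flagged (SU), each member flagged (P)
!   show lacp neighbor
!     -> the XG's LACP system ID appears on both members
!   show spanning-tree interface port-channel 1
!     -> FWD on the bundle, no member individually in BLK
```

    The XG's VLAN sub-interfaces on the LAG only work for VLAN IDs listed in the allowed list on both the members and the port-channel, so keep the two lists identical.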

  • Hi,

    I want to set the LAG to Active and Backup.

    But I want a particular port from them to be active and the other in backup.

     

    e.g. when I set ports 1 and 5 for the LAG,

    I want to force port 1 to be active and port 5 to be backup.

     

    Can someone help me with that please?