
XG Firewall HA configuration with switch layer 3 (inter vlan routing)

Hi All,

I currently have a single XG310 connecting to my L3 switch configured with inter-VLAN routing.

I'm looking to add another XG310 to my network in a High Availability setup.

From the L3 switch, I've assigned an IP for the port.

My question is: Do I configure the port on my L3 switch that connects to the 2nd XG310 with the same configuration as the port that connects to the 1st XG310?

Thanks.



  • Hi

    The simple answer is Yes. The ports connected to both firewalls must have the same configuration.

    In case you are using active/standby, there is no change in routing. The standby firewall remains passive as long as the active firewall is alive. If a failover happens, all IP addresses of the active firewall will fail over to the passive (Auxiliary).

    Keep in mind, if you are using a dynamic port channel, e.g. with LACP, you need separate port channels for each firewall; don't use the same port channel for both firewalls.

    If you are using L3 ports (e.g. Cisco "no switchport"), you need to reconfigure them to SVI-based ports, since you probably cannot have the same network on different switchports.

    Pay special attention to the HA link, in case the XGs are located in two different sites and the link is not connected directly from XG to XG. That link needs to come up quite fast, meaning you have to disable spanning-tree (e.g. with the portfast command on Cisco switches); otherwise the XG cluster will end up in an active/active boot loop.

    community.sophos.com/.../xg-ha-primary-device-boot-loop-after-failover-to-auxilary

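As an added illustration (not part of the original thread or of any Sophos/Cisco documentation), this is how the reply's points could look on a Cisco IOS L3 switch: the routed port used with the single XG310 is replaced by an SVI, each XG310 gets its own LACP port channel with identical switchport settings, and the ports carrying the HA link get portfast. Interface numbers, VLAN IDs and addresses are constructed values.

```cisco
! --- BEFORE: routed (L3) port to the single XG310 ---
interface GigabitEthernet1/0/1
 description to XG310-A
 no switchport
 ip address 192.0.2.1 255.255.255.248
!
! --- AFTER: one transit VLAN with an SVI, shared by both XG310 ports ---
vlan 10
 name XG-TRANSIT
!
vlan 99
 name XG-HA-LINK
!
interface Vlan10
 description transit network to the XG310 HA pair (same address as before)
 ip address 192.0.2.1 255.255.255.248
!
! one LACP port channel per firewall; never share a port channel across both
interface Port-channel1
 description LAG to XG310-A
 switchport mode access
 switchport access vlan 10
!
interface range GigabitEthernet1/0/1 - 2
 description member links to XG310-A
 switchport mode access
 switchport access vlan 10
 channel-group 1 mode active
!
interface Port-channel2
 description LAG to XG310-B (configuration identical to Po1)
 switchport mode access
 switchport access vlan 10
!
interface range GigabitEthernet1/0/3 - 4
 description member links to XG310-B
 switchport mode access
 switchport access vlan 10
 channel-group 2 mode active
!
! HA link carried through the switch: ports must start forwarding at once,
! otherwise the cluster can fall into the active/active boot loop described above
interface range GigabitEthernet1/0/5 - 6
 description HA link between XG310-A and XG310-B
 switchport mode access
 switchport access vlan 99
 spanning-tree portfast
!
```

After applying it, `show etherchannel summary` should list Po1 and Po2 as separate bundles and `show spanning-tree interface GigabitEthernet1/0/5` should report the HA ports as edge (portfast) ports.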