
HA setup with VLAN

Hi,

 

I have 2 XG210 boxes and I want to enable HA. The problem is that on 5 ports I am using VLANs and only the last port is without any VLAN. When I went through the HA configuration on the aux device, I selected the non-tagged port as the dedicated HA link, but on the primary device I have a problem because I cannot select a tagged port as the Peer Administration Port. So my question is: is there a way to set up HA on a device which has VLANs on 5 ports and only 1 port, dedicated for HA, with no VLAN?

 

Pawel



  • Contact, 

    can you share your interfaces configuration and the error you get?

    Thanks

  • Here is the definition of the interfaces

    And here is the problem - I am not getting any errors - in the dropdown field on the HA page I can only select physical interfaces and nothing else

  • Thanks Contact.

    This is not an issue. You cannot use ports that are already used for other VLANs or already used in general. On that interface XG has to have the maximum throughput in order to sync and talk with the peers. Any traffic can reduce the communication and introduce delay.

    You should plan to move VLANs to other interfaces or upgrade to a higher XG HW.

    Regards

  • Luk,

    Thanks for the info but to me it is strange. I understand that I need a dedicated port for HA sync, but having an additional dedicated port just for administration of the aux device is a little overkill. In the end it means I have to use 2 physical ports for HA. Do you know exactly what the Peer Administration Port is used for? Maybe I am missing something but my understanding was that it is only used for the UI so that I can log onto the aux machine.

    Pawel 

  • Hi Pawel, 

    You can check #7 in my guide here for HA prerequisites. The other articles on HA deployments are easily available online.

    Thanks

  • Sachin,

    Thanks for the links, but I think I read this and some other articles and they all refer to the HA sync port, which I fully understand must be a dedicated physical port. My question is related to the Peer Administration Port, which from my understanding is just used to connect through the webUI to the aux device, so I don't see a reason why it would need another dedicated physical port. Based on what I currently see, I need 2 dedicated ports to have HA - one for the HA Link and one as the Administration Port - and this is what no manual mentions :)

    Pawel 

  • Pawel,

    you cannot use a port where a VLAN exists, even for the Administration port. It is a good feature! Open it on ideas.sophos.com

    Thanks

  • Good idea Luk. In the meantime I did the following to solve my configuration problem (I used the fact that both Sophos XG and my switch support tagged and non-tagged traffic on the same port):

    - In my case port 5 had 3 VLANs and one of them was the management VLAN, which I wanted to use as the administration port

    - I removed the management VLAN from interface 5 and configured its IP directly on Port 5

    - On the switch to which Sophos Port 5 is connected, I configured that non-tagged traffic should go to the management VLAN

    - In the HA configuration I chose port 5 as the Administration port

    I need to test switch-over but for now HA is enabled and up and running :)

    Pawel

  • I was not aware you could not have a VLAN on the administration port. My admin port is on a LAG interface and has VLANs on it. Strange it let me do it that way.

  • Hello Michael

    We encounter a similar setup for our two-node XG210 FW cluster. Mng. IPs in LAG ports together with one VLAN on it. Did you notice any delay with communication as described above in the thread? Thanks.

     

    PM