
Configure access layer switches for XGS HA

The following network diagram shows the network configuration used as a reference in this guide.

High availability network diagram.

Connectivity details:

  • Port1 of the firewall is connected to Port14 of the CS210-48FP switch.
  • Port13 of the CS210-48FP switch is connected to the LAN network.
  • Port5 of the firewall is connected to Port26 of the CS210-48FP switch.
  • Port25 of the CS210-48FP switch is connected to the DMZ network.
  • Port4 of the firewall is connected to Port25 and Port27 of the CS110-24FP switch.
  • Port26 of the CS110-24FP switch is connected to the internet.
  • Port7 of both the firewall devices is a dedicated HA link port connected to each other directly.
  • Port52 of both CS210-48FP switches is connected directly as a redundant port.

To configure your switches, do as follows:

Configure the CS110-24FP switch using the local web UI

  1. Go to Configure > VLAN settings > 802.1Q.

    1. Click Add and create VLAN ID 300.
    2. Enter a name for the VLAN.
  2. Click Apply to save the changes.

    Here's an example:

    Add VLAN 300.

  3. Click Edit, select the Untagged text box, select ports 25, 26, and 27, and click the tick mark.

  4. Click Apply to save the changes.

    Assign untagged and tagged ports to VLAN 300.

  5. Go to PVID and ingress filter.

  6. Select ports 25, 26, and 27, and then click Edit.
  7. Select the following settings:

    1. PVID: 300 (WANHA).
    2. Ingress filtering: On.
    3. Accept type: All.
  8. Click Apply.

    Edit VLAN 300 port settings.

Configure the CS110-24FP switch using the CLI

  1. Sign in to the switch CLI and enter the configuration mode.

    configure terminal
    
  2. Create VLAN 300.

    vlan 300
    
  3. Name the VLAN WANHA.

    ports name WANHA
    
  4. Assign the tagged and untagged ports for the VLAN.

    ports add gigabitethernet 0/25-27 untagged gigabitethernet 0/25-27
    
  5. Exit the VLAN configuration.

    exit
    
  6. Select ports 25, 26, and 27.

    interface range gigabitethernet 0/25-27
    
  7. Assign PVID 300 to ports 25, 26, and 27.

    switchport pvid 300
    
  8. Set acceptable frame types for the ports.

    switchport acceptable-frame-type all
    
  9. Turn on the ingress filter.

    switchport ingress-filter
    
  10. Exit the interface configuration mode.

    exit
    
  11. Exit the configuration mode.

    exit
    
  12. Save the configuration.

    save
    

Configure both the CS210-48FP switches using the local web UI

  1. Go to Configure > VLAN settings > 802.1Q.

    1. Click Add, and create the VLAN IDs 100 and 200.
    2. Enter a name for the VLANs.
  2. Click Apply.

    Here's an example:

    Create VLANs 100 and 200.

  3. Click Edit for VLAN ID 100, select the Tagged text box and select Port 52. Select the Untagged text box, select ports 13 and 14, and click the tick mark.

  4. Click Apply to save the changes.

    Select tagged and untagged ports VLAN 100.

  5. Click Edit for VLAN ID 200, select the Tagged text box and select Port 52. Select the Untagged text box, select ports 25 and 26, and click the tick mark.

  6. Click Apply to save the changes.

    Select tagged and untagged ports VLAN 200.

  7. Go to PVID and ingress filter and select ports 13 and 14. Click Edit.

    Select PVIDs for ports 13 and 14.

  8. Select the following settings:

    1. PVID: LANHA (VLAN 100).
    2. Ingress filtering: On.
    3. Accept type: All.

    VLAN 100 settings.

  9. Click Apply.

  10. Select the ports 25 and 26 and click Edit.

    VLAN 200 settings.

  11. Select the following settings:

    1. PVID: DMZHA (VLAN 200).
    2. Ingress filtering: On.
    3. Accept type: All.

    VLAN 200 settings.

  12. Click Apply.

Configure both the CS210-48FP switches using the CLI

  1. Sign in to the switch CLI and enter the configuration mode.

    configure terminal
    
  2. Create VLAN 100.

    vlan 100
    
  3. Name the VLAN LANHA.

    ports name LANHA
    
  4. Assign the tagged and untagged ports for the VLAN.

    ports add gigabitethernet 0/13-14 untagged gigabitethernet 0/13-14
    
  5. Assign port 52 to the VLAN.

    ports add gigabit 0/52
    
  6. Exit the VLAN configuration mode.

    exit
    
  7. Select interfaces 13 and 14.

    interface range gigabitethernet 0/13-14
    
  8. Assign VLAN 100 to ports 13 and 14.

    switchport pvid 100
    
  9. Set the acceptable frame type for the ports.

    switchport acceptable-frame-type all
    
  10. Turn on the ingress filter for the ports.

    switchport ingress-filter
    
  11. Exit the interface configuration mode.

    exit
    
  12. Exit the configuration mode.

    exit
    
  13. Save the configuration.

    save
    
  14. Enter the configuration mode.

    configure terminal
    
  15. Create VLAN 200.

    vlan 200
    
  16. Name the VLAN DMZHA.

    ports name DMZHA
    
  17. Add the untagged and tagged ports to the VLAN.

    ports add gigabitethernet 0/25-26 untagged gigabitethernet 0/25-26
    
  18. Add port 52 to the VLAN.

    ports add gigabit 0/52
    
  19. Exit the VLAN configuration mode.

    exit
    
  20. Select ports 25 and 26.

    interface range gigabitethernet 0/25-26
    
  21. Assign VLAN 200 to the ports.

    switchport pvid 200
    
  22. Set the acceptable frame type for the ports.

    switchport acceptable-frame-type all
    
  23. Turn on the ingress filter for the ports.

    switchport ingress-filter
    
  24. Exit the interface configuration mode.

    exit
    
  25. Exit the configuration mode.

    exit
    
  26. Save the configuration.

    save
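
The web UI and CLI steps for both switch models set the same three things per port: VLAN membership (tagged or untagged), the PVID, and ingress filtering. With ingress filtering on, a port drops frames for VLANs it is not a member of, so a PVID that does not match an untagged membership silently blackholes untagged traffic from the firewall. The following added example, which is not part of the Sophos guide or its switch software, encodes the CS110-24FP and CS210-48FP configurations from the steps above as data and checks those invariants, plus the requirement that the redundant Port52 link carries every HA VLAN tagged on both CS210 switches. The dataclass names, the `misconfigured_cs210()` case and the `accept_type` values are assumptions made for the example.

```python
"""Consistency checker for the 802.1Q port settings used in the XGS HA guide.

Added example, not the guide's own code. It models the per-switch settings
that the web UI and CLI steps configure and flags the mistakes that would
break HA traffic flow.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class PortSettings:
    """Per-port values from the 'PVID and ingress filter' page."""
    pvid: Optional[int] = None
    ingress_filter: bool = False
    accept_type: str = "all"  # assumed values: "all" or "tagged-only"


@dataclass
class SwitchConfig:
    name: str
    vlans: Dict[int, str]                                          # VLAN ID -> name
    untagged: Dict[int, Set[int]] = field(default_factory=dict)    # VLAN ID -> ports
    tagged: Dict[int, Set[int]] = field(default_factory=dict)      # VLAN ID -> ports
    ports: Dict[int, PortSettings] = field(default_factory=dict)   # port -> settings

    def members(self, vid: int) -> Set[int]:
        return self.untagged.get(vid, set()) | self.tagged.get(vid, set())


def check_switch(sw: SwitchConfig) -> List[str]:
    """Return a list of problems; an empty list means the switch is consistent."""
    problems: List[str] = []

    # Every VLAN that has port members must have been created first.
    for vid in set(sw.untagged) | set(sw.tagged):
        if vid not in sw.vlans:
            problems.append(f"{sw.name}: VLAN {vid} has members but was never created")

    # A port may be an untagged member of at most one VLAN.
    untagged_in: Dict[int, Set[int]] = {}
    for vid, ports in sw.untagged.items():
        for p in ports:
            untagged_in.setdefault(p, set()).add(vid)
    for p, vids in untagged_in.items():
        if len(vids) > 1:
            problems.append(f"{sw.name} port {p}: untagged in more than one VLAN {sorted(vids)}")

    # PVID and ingress filtering must agree with the membership tables.
    for p, cfg in sw.ports.items():
        if cfg.pvid is None:
            continue
        if cfg.pvid not in sw.vlans:
            problems.append(f"{sw.name} port {p}: PVID {cfg.pvid} is not a created VLAN")
            continue
        if cfg.ingress_filter and p not in sw.members(cfg.pvid):
            problems.append(
                f"{sw.name} port {p}: ingress filtering is on but the port is not a member "
                f"of its PVID VLAN {cfg.pvid}; untagged frames from the firewall would be dropped")
        if cfg.accept_type == "tagged-only" and p in untagged_in:
            problems.append(f"{sw.name} port {p}: accepts tagged frames only but has untagged membership")
    return problems


def check_redundant_link(a: SwitchConfig, b: SwitchConfig, port: int) -> List[str]:
    """The inter-switch port must carry every HA VLAN tagged, on both switches."""
    problems: List[str] = []
    if set(a.vlans) != set(b.vlans):
        problems.append(f"{a.name} and {b.name} do not define the same VLANs")
    for sw in (a, b):
        for vid in sw.vlans:
            if port not in sw.tagged.get(vid, set()):
                problems.append(f"{sw.name} port {port}: VLAN {vid} is not tagged on the redundant link")
    return problems


def cs110_config() -> SwitchConfig:
    """VLAN 300 (WANHA) on ports 25-27, as in the CS110-24FP steps."""
    sw = SwitchConfig(name="CS110-24FP", vlans={300: "WANHA"}, untagged={300: {25, 26, 27}})
    for p in (25, 26, 27):
        sw.ports[p] = PortSettings(pvid=300, ingress_filter=True)
    return sw


def cs210_config(name: str) -> SwitchConfig:
    """VLANs 100 (LANHA) and 200 (DMZHA), port 52 tagged in both; same on both CS210-48FP switches."""
    sw = SwitchConfig(name=name, vlans={100: "LANHA", 200: "DMZHA"},
                      untagged={100: {13, 14}, 200: {25, 26}}, tagged={100: {52}, 200: {52}})
    for p in (13, 14):
        sw.ports[p] = PortSettings(pvid=100, ingress_filter=True)
    for p in (25, 26):
        sw.ports[p] = PortSettings(pvid=200, ingress_filter=True)
    return sw


def misconfigured_cs210() -> SwitchConfig:
    """Constructed mistake: port 14 given PVID 200 while it is untagged only in VLAN 100."""
    sw = cs210_config("CS210-48FP-bad")
    sw.ports[14] = PortSettings(pvid=200, ingress_filter=True)
    return sw


if __name__ == "__main__":
    for sw in (cs110_config(), cs210_config("CS210-48FP-1"), cs210_config("CS210-48FP-2")):
        print(sw.name, check_switch(sw) or "OK")
    print("Port52 link:", check_redundant_link(cs210_config("CS210-48FP-1"),
                                               cs210_config("CS210-48FP-2"), 52) or "OK")
    for line in check_switch(misconfigured_cs210()):
        print("PROBLEM:", line)
```

Running the script reports the guide's configuration as consistent and flags the constructed port 14 mistake; the same checks are worth running against the output of the switch's `show` commands after any change to a port that the firewall HA pair depends on.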
    

HA configuration on auxiliary Sophos Firewall (2)

  1. Go to System Services > High Availability and specify the settings as follows:

    1. Initial device role: Auxiliary.
    2. HA configuration mode: Interactive mode.
    3. Passphrase: Create your own passphrase.
    4. Dedicated HA Link Port: Port7. This must be the same port on both the firewall devices.
  2. Click Initiate HA.

    Sophos Firewall auxiliary configuration.

If these details aren't configured on the auxiliary device, the primary device won't be able to connect to the auxiliary device.

HA configuration on primary Sophos Firewall (1)

  1. Go to System Services > High Availability and specify the settings as follows:

    1. Initial device role: Primary (active-active) or Primary (active-passive).
    2. HA configuration mode: Interactive mode.
    3. Cluster ID: 10 (this could be any number from 0 to 63).
    4. Passphrase: Enter the same passphrase as the auxiliary device.
    5. Dedicated HA Link: Port7 (this must be the same port as the auxiliary device).
    6. Dedicated peer HA Link IPv4 address: Enter the HA link IPv4 address of the auxiliary device. It must be on the same network as the primary device's HA link address.
    7. Select ports to be monitored: Port1, Port5 (these ports are monitored for HA).
    8. Peer administration settings: Port1. Enter an IP address from that port's subnet. The web admin console of the auxiliary device can be accessed at this address.
    9. Keepalive request interval: 250 ms.
    10. Keepalive attempts: 16. This is the maximum number of keepalive attempts the firewall makes before declaring the peer auxiliary device unreachable.
    11. Fail back to primary device after it recovers: In the event of a failover, traffic is routed through the auxiliary. Select this option if you want to move back to the primary device automatically when it recovers.
  2. Click Initiate HA.

    Sophos Firewall primary configuration.

Verify HA status

To check the status of HA, go to Control Center and locate the HA details widget. It shows the configured HA mode.

Verify HA status.