Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2134
Views
10
Helpful
5
Replies

Cisco C3650 layer 3 - Sophos XG310 in HA mode

Go to solution
JackyHo
Level 1
Level 1

‎10-26-2020 08:26 PM

Hi All,

 

My current network is:

Firewall Sophos XG310 (IP: 10.10.80.250) <-> Switch C3650 Layer 3 (IP: 10.10.80.249) Inter-vlan routing <-> Layer 2 access switch <-> Users.

Currently, on the C3650 all the vlans are route through 10.10.80.250 to access internet by this command: ip route 0.0.0.0 0.0.0.0 10.10.80.250. 

I'm looking to put the 2nd firewall XG310 to establish HA mode. So how the configuration for the 2nd XG310 on the C3650? 

 

Thank you for reading my post.

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
ngkin2010
Level 7
Level 7
In response to JackyHo

‎10-26-2020 10:05 PM

Hi,

 

You need to change the routed port to SVI. It's require down time to reconfigure.

 

interface gi0/1   [connecting to node1]
  no ip address
  switchport
  switchport mode access
  switchport vlan [NEW-VLAN]
  spanning-tree portfast

interface gi0/X    [connecting to node2]
  no ip address
  switchport
  switchport mode access
  switchport vlan [NEW-VLAN]
  spanning-tree portfast

vlan [NEW-VLAN]
  name  [vlan-name for the Transit-VLAN]

interface [NEW-VLAN]
  no shutdown
  ip address 10.10.80.249 255.255.255.248

View solution in original post

0 Helpful
5 Replies 5

Go to solution
ngkin2010
Level 7
Level 7

‎10-26-2020 09:30 PM

Hi,

 

Assume that you are going to configure active-standby HA on XG310, then you don't need to change the routing on C3650. Because the 10.10.80.250 will belong to the HA cluster of XG310. Whenever active unit go down, the 10.10.80.250 will moved to secondary unit automatically.

 

The only configuration that you need to cater is the switch port's configuration. Make sure both XG310 connecting to C3650 with the identical port's setting on C3650. 

0 Helpful

Go to solution
JackyHo
Level 1
Level 1
In response to ngkin2010

‎10-26-2020 09:52 PM

Thank you for your reply @ngkin2010 

 

"The only configuration that you need to cater is the switch port's configuration. Make sure both XG310 connecting to C3650 with the identical port's setting on C3650. "

 

On port 1 of the C3650 connecting with the XG310 (let say it node1) the configure it is:

interface gi 0/1

no switchport

ip address 10.10.80.249 255.255.255.248

 

I've tried configure port 2 of the C3650 connecting with XG310 node 2 with the same config of port 1 but cannot, the C3650 said 10.10.80.248 overlaps with gi0/1

 

I'm stuck at that point.

0 Helpful

Go to solution
ngkin2010
Level 7
Level 7
In response to JackyHo

‎10-26-2020 10:05 PM

Hi,

 

You need to change the routed port to SVI. It's require down time to reconfigure.

 

interface gi0/1   [connecting to node1]
  no ip address
  switchport
  switchport mode access
  switchport vlan [NEW-VLAN]
  spanning-tree portfast

interface gi0/X    [connecting to node2]
  no ip address
  switchport
  switchport mode access
  switchport vlan [NEW-VLAN]
  spanning-tree portfast

vlan [NEW-VLAN]
  name  [vlan-name for the Transit-VLAN]

interface [NEW-VLAN]
  no shutdown
  ip address 10.10.80.249 255.255.255.248
0 Helpful

Go to solution
JackyHo
Level 1
Level 1
In response to ngkin2010

‎10-26-2020 11:12 PM

thank you for your quick reply.

 

After I configured the SVI. The HA on both XG can establish. I've tried to unplug the LAN cable connecting XG node1 <-> C3650, all system down ^^, it didn't auto switch to the XG node2. 

0 Helpful

Go to solution
JackyHo
Level 1
Level 1
In response to JackyHo

‎10-27-2020 12:01 AM

it's my fault on config on XG. Then it's ok now. Thank you @ngkin2010 for saving my life ^^

Customers Also Viewed These Support Documents