Vlans with a Sophos Firewall and two Cisco SG200 50P

VirtuOS
Level 1

Hello,

We installed a Sophos XGS116 and are trying to use the LAG configuration to connect it to the two Cisco SG200 50P switches.

The problem is that it's not working. When I connect the first switch, everything is fine but nothing works on the second. But when I connect only the second switch, it works correctly but nothing works on the first switch. Why? Do we have a misconfiguration?

Is there perhaps a problem with the default management VLAN on the Cisco? The Cisco has VLAN 1 as default VLAN but VLAN 200 as management VLAN. Does that play a role?

You will find the network topology in the attachment.

Any idea?

Best regards

15 Replies

marce1000
VIP


  >...when I connect only the second switch, it's working correctly but nothing on the first switch.

 Check the logs on the first SG (in fact better on both) when you are doing this. Better still, configure a common/central syslog server for the XGS and the Cisco devices and examine the received logs while the configuration is in progress or while production use is attempted; if needed, raise the logging level to debugging. For the XGS: https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/SystemServices/LogSettings/index.html#logs , for the SG200 devices: https://www.cisco.com/c/en/us/support/docs/smb/switches/cisco-small-business-200-series-managed-switches/smb104-manage-system-logs-on-the-200-300-series-managed-switches.html

 M.



-- 'Good body every evening' - this sentence was once spotted on a logo at the entrance of a Weight Watchers Club!

Hello,

I enabled remote syslog and tested the connectivity, but without result.

Here are the logs on the first switch:

Sep 27 07:55:53 192.168.10.2 LINK %LINK-I-Up: gi32
Sep 27 07:55:58 192.168.10.2 STP %STP-W-PORTSTATUS: gi32: STP status Forwarding
Sep 27 07:59:26 192.168.10.2 LINK %LINK-W-Down: gi37
Sep 27 07:59:29 192.168.10.2 LINK %LINK-I-Up: gi37
Sep 27 08:02:39 192.168.10.2 LINK %LINK-W-Down: gi37, aggregated (1)
Sep 27 08:02:39 192.168.10.2 LINK %LINK-I-Up: gi37, aggregated (1)
Sep 27 08:02:39 192.168.10.2 AAA %AAA-I-DISCONNECT: http connection for user cisco, source 192.168.10.73 destination 192.168.10.2 TERMINATED
Sep 27 08:04:37 192.168.10.2 LINK %LINK-W-Down: gi37, aggregated (1)
Sep 27 08:10:16 192.168.10.2 LINK %LINK-W-Down: gi28
Sep 27 08:40:06 192.168.10.2 LINK %LINK-W-Down: gi39
Sep 27 08:40:19 192.168.10.2 LINK %LINK-I-Up: gi39
Sep 27 08:40:23 192.168.10.2 STP %STP-W-PORTSTATUS: gi39: STP status Forwarding

And on the second switch : 

Sep 27 08:00:14 192.168.10.3 STP %STP-W-PORTSTATUS: gi3: STP status Forwarding
Sep 27 08:01:24 192.168.10.3 LINK %LINK-I-Up: gi18
Sep 27 08:01:29 192.168.10.3 STP %STP-W-PORTSTATUS: gi18: STP status Forwarding
Sep 27 08:01:42 192.168.10.3 LINK %LINK-W-Down: gi18
Sep 27 08:03:27 192.168.10.3 LINK %LINK-I-Up: gi18, aggregated (1)
Sep 27 08:03:27 192.168.10.3 STP %STP-W-PORTSTATUS: gi18: STP status Forwarding, aggregated (1)
Sep 27 08:03:27 192.168.10.3 LINK %LINK-W-Down: gi3
Sep 27 08:04:40 192.168.10.3 LINK %LINK-W-Down: Vlan 204, aggregated (1)
Sep 27 08:04:43 192.168.10.3 LINK %LINK-I-Up: gi3, aggregated (1)
Sep 27 08:04:43 192.168.10.3 LINK %LINK-I-Up: Vlan 204, aggregated (1)
Sep 27 08:05:13 192.168.10.3 STP %STP-W-PORTSTATUS: gi3: STP status Forwarding, aggregated (1)
Sep 27 08:21:05 192.168.10.3 LINK %LINK-W-Down: gi18

On the Sophos, I can see nothing :-(.

Just a question. The default VLAN is 1. The management VLAN on the SG200 is VLAN 200.
The only VLAN that works correctly is VLAN 200. Does that play a role? Do I need to have the same VLAN as management and default VLAN?

Thanks for your help
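The following is an added example, not code from the thread, from Cisco or from Sophos. It parses Cisco Small Business syslog lines of the format posted above into a per-port link/STP timeline and flags link flaps and any port that STP reports in a non-forwarding state, which is the kind of check the syslog advice above is aiming at. The regex, and my reading of the ", aggregated (n)" suffix as the switch's log-aggregation repeat counter, are assumptions. The sample lines are copied from the logs above, plus one constructed line (dated Oct 07, host 192.168.10.2) standing in for the gi44 Blocking event mentioned later in the thread, whose full syslog form was not posted.

```python
"""Per-port link/STP timeline from Cisco Small Business syslog lines.

Added example for this thread; the line format is inferred from the posted
logs and the 'aggregated (n)' meaning is an assumption.
"""
import re
from collections import defaultdict

# "Sep 27 08:02:39 192.168.10.2 LINK %LINK-W-Down: gi37, aggregated (1)"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<proc>\S+) "
    r"%(?P<facility>[A-Z]+)-(?P<sev>[A-Z])-(?P<mnemonic>\w+): (?P<msg>.*)$"
)
PORT_RE = re.compile(r"^(?P<port>gi\d+|Vlan \d+)(?::|,|$)")
# Assumed: the switch's log aggregation appends ", aggregated (n)" to repeats.
AGG_RE = re.compile(r", aggregated \((\d+)\)$")

# Lines copied from the posted logs; the last one is constructed.
SAMPLE = """\
Sep 27 07:55:53 192.168.10.2 LINK %LINK-I-Up: gi32
Sep 27 07:55:58 192.168.10.2 STP %STP-W-PORTSTATUS: gi32: STP status Forwarding
Sep 27 08:02:39 192.168.10.2 LINK %LINK-W-Down: gi37, aggregated (1)
Sep 27 08:02:39 192.168.10.2 LINK %LINK-I-Up: gi37, aggregated (1)
Sep 27 08:02:39 192.168.10.2 AAA %AAA-I-DISCONNECT: http connection for user cisco, source 192.168.10.73 destination 192.168.10.2 TERMINATED
Sep 27 08:04:40 192.168.10.3 LINK %LINK-W-Down: Vlan 204, aggregated (1)
Sep 27 08:04:43 192.168.10.3 LINK %LINK-I-Up: Vlan 204, aggregated (1)
Sep 27 08:05:13 192.168.10.3 STP %STP-W-PORTSTATUS: gi3: STP status Forwarding, aggregated (1)
Oct 07 09:00:00 192.168.10.2 STP %STP-W-PORTSTATUS: gi44: STP status Blocking
""".splitlines()


def parse_line(line):
    """Return a dict with ts/host/facility/sev/mnemonic/port/event/aggregated, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    msg = rec["msg"]
    agg = AGG_RE.search(msg)
    rec["aggregated"] = int(agg.group(1)) if agg else 0
    if agg:
        msg = msg[:agg.start()]          # strip the suffix before parsing the port
    pm = PORT_RE.match(msg)
    rec["port"] = pm.group("port") if pm else None
    rec["event"] = None
    if rec["facility"] == "LINK":
        rec["event"] = rec["mnemonic"].lower()            # "up" / "down"
    elif rec["facility"] == "STP" and "STP status " in msg:
        rec["event"] = "stp:" + msg.rsplit("STP status ", 1)[1].strip().lower()
    return rec


def port_timeline(lines):
    """{(host, port): [(ts, event), ...]} in log order; non-port lines are skipped."""
    tl = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["port"] and rec["event"]:
            tl[(rec["host"], rec["port"])].append((rec["ts"], rec["event"]))
    return tl


def findings(lines):
    """(host, port, ts, kind) for STP non-forwarding states and same-second down/up flaps."""
    out = []
    for (host, port), events in port_timeline(lines).items():
        for ts, ev in events:
            if ev.startswith("stp:") and ev != "stp:forwarding":
                out.append((host, port, ts, "stp-not-forwarding"))
        for (t1, e1), (t2, e2) in zip(events, events[1:]):
            if e1 == "down" and e2 == "up" and t1 == t2:
                out.append((host, port, t1, "flap"))
    return out


if __name__ == "__main__":
    for (host, port), events in sorted(port_timeline(SAMPLE).items()):
        print(host, port, events)
    for f in findings(SAMPLE):
        print("FINDING:", f)
```

Pointed at a file exported from the central syslog server, the same two functions give one timeline per switch and port, so a port that never reaches Forwarding, or that keeps flapping while the LAG is being set up, is visible without reading every line.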

VirtuOS
Level 1

Hello,

Does anyone have an idea for me?

Best regards 

Hello VirtuOS

Checking your network schema, it seems you have some LAGs on the Sophos, with one cable connected to one switch and the other to the other switch.

If this is right, you can do that only if the two switches are bonded together in a stacking configuration. Otherwise you have to remove the LAG and use a bridge on the Sophos.

Hello Matteo,

How are you ?

This morning I tried to use bridge mode on the Sophos, but STP on the Cisco blocks the port of one of the switches.
Warning %STP-W-PORTSTATUS: gi44: STP status Blocking

[attachment: VirtuOS_2-1665135072004.png]

The configuration:
Sophos:
Bridge port 1/6, VLAN 205, with routing on this bridge pair enabled

[attachment: VirtuOS_0-1665135010860.png]

Cisco 1 :
Port 44 trunk 200UP, 205T => P6 Sophos
STP 44 config : GE44 Enabled Disabled STP Alternate 20000 128 Discarding 32768-bc:67:1c:b6:ea:77 128-92
Port 45 trunk 205UP => Test Computer
Default Vlan : 1
Management Vlan : 200

[attachment: VirtuOS_1-1665135043237.png]

Cisco 2 :
Port 44 : trunk 200UP, 205T => P1 Sophos
STP 44 config : GE44 Enabled Enabled STP Designated 20000 128 Forwarding 32768-bc:67:1c:b6:ea:77 128-92
Port 43 : trunk 205UP => Test Computer
Default Vlan : 1
Management Vlan : 200


With this configuration it only works on the second switch, not on the first one.
Except if I disable port 44 on the switch :-).

Do you have any idea why ?

Thanks for your help :-).

Hello

You should create a bridge on the Sophos for every pair of links coming from both switches.

A VLAN present on one uplink must not be present on any other link.

If STP blocks one port, it means you have a loop in the network.

I'm assuming your network schema is correct, so I think the trunks on the Cisco switches are not configured the right way and the same VLANs are present on more than one uplink.

Please take care: trunks on Cisco switches permit all VLANs to pass by default. You should exclude the unneeded VLANs from the trunks or configure the ports in General mode.

Also note that VLAN 1 is always present and you have to forbid it.
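As an added example (not code from the thread, from Cisco or from Sophos) of why a Sophos bridge with one leg on each switch ends up with one switch port in Alternate/Discarding: the script below runs the 802.1D root election and port-role calculation for two switches. The bridge MACs, port numbers and the assumed direct inter-switch trunk are constructed, and modelling the Sophos bridge pair as a transparent segment that relays the switches' BPDUs (so both gi44 ports see each other) is an assumption about its behaviour. It also answers the separate question of whether the cabling alone contains a loop, which is what STP is reacting to.

```python
"""802.1D root election and port roles for the two-switch topology.

Added example for this thread. Bridge IDs, port numbers and the inter-switch
link are constructed; the Sophos bridge pair is assumed to relay BPDUs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Port:
    bridge: str
    num: int
    cost: int = 20000          # 802.1D-2004 default path cost for 1 Gbit/s


def port_id(p):
    return (128, p.num)        # default port priority 128, then port number


def compute_roles(bridge_ids, segments):
    """bridge_ids: {name: (priority, mac)}; segments: {name: {Port, ...}}.

    A segment is a set of ports that receive each other's BPDUs.
    Returns (root_bridge, {Port: 'root' | 'designated' | 'alternate'}).
    """
    root = min(bridge_ids, key=bridge_ids.get)           # lowest bridge ID wins
    rpc = {b: (0 if b == root else None) for b in bridge_ids}   # root path cost
    root_port = {b: None for b in bridge_ids}
    designated = {}
    for _ in range(len(bridge_ids) + 1):                 # converges in <= N passes
        changed = False
        # Designated port per segment: lowest (root path cost, bridge ID, port ID)
        for seg, ports in segments.items():
            cands = [p for p in ports if rpc[p.bridge] is not None]
            if cands:
                designated[seg] = min(
                    cands, key=lambda p: (rpc[p.bridge], bridge_ids[p.bridge], port_id(p)))
        # Root port per non-root bridge: best BPDU received from another bridge,
        # compared as (path cost, sender bridge ID, sender port ID, receiving port ID)
        for b in bridge_ids:
            if b == root:
                continue
            best = None
            for seg, ports in segments.items():
                d = designated.get(seg)
                if d is None or d.bridge == b:
                    continue
                for p in ports:
                    if p.bridge != b:
                        continue
                    vec = (rpc[d.bridge] + p.cost, bridge_ids[d.bridge],
                           port_id(d), port_id(p), p)
                    if best is None or vec[:4] < best[:4]:
                        best = vec
            if best is not None and (rpc[b], root_port[b]) != (best[0], best[4]):
                rpc[b], root_port[b] = best[0], best[4]
                changed = True
        if not changed:
            break
    roles = {}
    for seg, ports in segments.items():
        for p in ports:
            if p == root_port[p.bridge]:
                roles[p] = "root"
            elif designated.get(seg) == p:
                roles[p] = "designated"
            else:
                roles[p] = "alternate"     # RSTP Discarding / STP Blocking
    return root, roles


def physical_loop(bridge_ids, segments):
    """True if the cabling alone contains a cycle (union-find over bridges)."""
    parent = {b: b for b in bridge_ids}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for ports in segments.values():
        roots = []
        for p in ports:
            r = find(p.bridge)
            if r in roots:                 # segment joins already-connected bridges
                return True
            roots.append(r)
        for r in roots[1:]:
            parent[r] = roots[0]
    return False


# Constructed topology: two switches, an assumed direct trunk between them,
# and the Sophos bridge pair (P6 to cisco1 gi44, P1 to cisco2 gi44) relaying BPDUs.
BRIDGES = {
    "cisco1": (32768, "aa:aa:aa:00:00:01"),   # constructed MAC, lowest ID -> root
    "cisco2": (32768, "aa:aa:aa:00:00:02"),   # constructed MAC
}
SEGMENTS = {
    "inter_switch": {Port("cisco1", 1), Port("cisco2", 1)},
    "sophos_bridge": {Port("cisco1", 44), Port("cisco2", 44)},
}


def run():
    root, roles = compute_roles(BRIDGES, SEGMENTS)
    return root, roles, physical_loop(BRIDGES, SEGMENTS)


if __name__ == "__main__":
    root, roles, loop = run()
    print("root bridge:", root, "| physical loop:", loop)
    for p, r in sorted(roles.items(), key=lambda kv: (kv[0].bridge, kv[0].num)):
        print(f"{p.bridge} gi{p.num}: {r}")
```

With both segments present the cabling forms a loop, and the non-root switch's gi44 becomes Alternate (Discarding) while the root's gi44 stays Designated (Forwarding), which is the asymmetric picture reported in this thread; drop the "sophos_bridge" segment (one bridge per uplink pair, no shared VLANs) and no port is blocked.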

Hello Matteo,

Last Friday I tried your solution; all the criteria you wrote are okay, but after testing it still doesn't work.
The configuration is the same as before, but I removed VLAN 205 from the other ports where it isn't useful.
We don't see what else we can do.

But STP is still blocking the port. Why?
I searched on the internet and found something on the Sophos community, but without a response.
=> https://community.sophos.com/utm-firewall/f/hardware-installation-up2date-licensing/79687/sophos-bridged-interface-spanning-tree-protocol

Do you have any idea ?

Best regards

Hello
I repeat that Spanning Tree blocks the uplink when there is a loop in the network.
If you want to send me the two Cisco switch configs, I will check them.
Bye

Hi,

I know, but I didn't find it for VLAN 205...

Here in attachment are the two configs...

Thanks a lot for your help

Hi,

just to summarize

on the sophos:

P3-P4 > bridge

P5-P6 > bridge

P7-P8 > bridge

You must set a rule allowing traffic to pass among the zones. I.e. if both P7 and P8 belong to the LAN zone, there has to be a rule allowing zone LAN to talk to zone LAN. Even if they belong to the same zone, they are connected to different ports, so they need a rule allowing the traffic.

STP: looking at your log I don't see STP blocking the traffic: when you activate a switch port by connecting a cable, STP at once BLOCKS traffic, listens for whether a loop exists and, if not, changes the state of the port to FORWARD. This is the normal behaviour of STP; you can change it by setting Rapid STP, or disable it if it's not needed on that port.

CISCO: on the uplink port you set the trunk behaviour if the port is configured in trunk mode. Then you should set it to work in trunk mode with the command "switchport mode trunk".

I don't see it in your config and I don't think that on the SG200 the ports are trunks by default.

It is the correct config, but actually I'm experiencing some trouble just with Sophos and Cisco Small Business devices.

With other brands of switches this configuration works as expected; with Cisco SG it does not work, and it seems the Sophos does not understand the VLAN tagging coming from the Cisco.

I must investigate further because I must solve that, also with Sophos support in Eire.

In the meantime please check the Cisco config. I'm going to replicate your config (hopefully next week) and stay in touch.

Bye

VirtuOS
Level 1

Hi Matteo,

On the Sophos, all the VLANs are in the same zone (LAN).

[attachment: VirtuOS_0-1665644006660.png]

So I normally don't need to create rules to accept traffic between VLANs, I think. Or do you think the opposite?

I did some other tests. Here is the config:

Switch 1 (192.168.10.2): port 44 => Sophos P6

Switch 2 (192.168.10.3): port 44 => Sophos P1

When connecting to port 43 of switch 2, untagged on test VLAN 205, it works.

But when I put the cable on switch 1, on an untagged port on test VLAN 205, I receive nothing, and no errors in the Cisco RAM memory log or in the Sophos logs...

I honestly think the problem comes from an incompatibility between the devices... No?

I will wait for your tests before going further.

Best regards

You do need to create rules to allow traffic among different ports, even if they belong to the same zone

VirtuOS
Level 1

Hi,

Some more details.

If I disable the link between Sophos P1 and Cisco switch 2,

the link works with port 45 on switch 1... But still nothing in the logs :-(.
Thanks in advance for your help

VirtuOS
Level 1

Hi Matteo,

I can understand what you mean when you say:

You do need to create rules to allow traffic among different ports, even if they belong to the same zone

But the question is how? Below you can see the settings I can set for new rules:

[attachment: VirtuOS_0-1665668373752.png]

And there isn't any notion of a port allowing traffic to a zone or to other ports...

Otherwise, when I turn on port 44 on switch 1, I receive an error from STP:

[attachment: VirtuOS_1-1665668596547.png]

Spanning Tree is blocking the link port. Why? Do you have any idea?


Best regards 
