
RED50 VLAN Examples please!!

 Hello.

 

I have an SG330 at the main office connecting to a RED50 in the branch office (KG). Connected to that RED is a Cisco switch with VLANs. I want the VLANs from the main office to talk to the branch office VLANs.

 

So on the SG330

Internal on eth9 - 10.0.0.248/24 - Type:Ethernet

Vlan5 on eth9(VLAN 5) - 10.0.10.248/24 - Type:Ethernet VLAN

Vlan10 on eth9(VLAN 10) - 10.0.10.248/24 - Type:Ethernet VLAN

plus a bunch of others on eth9 (VLAN X), with my Cisco switch plugged into port 9 (VLAN 1 UP, VLAN 5,10,20,30 T)

 

KG RED50 VLAN 1 on red1 - 10.1.254.248 - Type:Ethernet

KG RED50 VLAN 1100 on red1 - 10.21.0.248 - Type:Ethernet VLAN

KG RED50 VLAN 1105 on red1 - 10.21.5.248 - Type:Ethernet VLAN

plus a bunch of others to add on red1 after I've got those to work.

I've allowed all these VLANs to all these VLANs in the firewall.

In the red1 switch port configuration I've tried a few things with port 1:

Untagged 1, or tagged (1,1100,1105), etc., and playing with split and unified.

RED50 port1 is connected to my Cisco switch port 1 (VLAN1 UP, VLAN 1100,1105 T)

On some random test, RED VLAN 1 was able to talk to all VLANs on the other side, but I never got the others to talk...

 

Any thoughts on how this could work?

Wondering if there is a proper guide for this?



  • Ok I'm getting there....

    My KG branch Cisco has port 2 VLAN 1105 UP and port 3 VLAN 1100, and with the red1 switch port configuration set to Tagged (1,1100,1105), VLAN 1100 and 1105 seem to be working well. VLAN 1 isn't, probably because "KG RED50 VLAN 1 on red1 - 10.1.254.248 - Type:Ethernet" is type Ethernet and not Ethernet VLAN. I can't make it VLAN 1 because I'm scared that will screw up the main office VLAN 1, which is technically "Internal on eth9 - 10.0.0.248/24 - Type:Ethernet".

    Maybe if I set my KG branch default VLAN to something like 1254 and then change "KG RED50 VLAN 1 on red1 - 10.1.254.248 - Type:Ethernet" to "KG RED50 VLAN 1254 on red1 - 10.1.254.248 - Type:Ethernet VLAN", all VLANs would go through... but in my case it's kind of pointless, because all I have in KG branch VLAN 1 are the RED50 and the switch. My servers are on 1100, workstations on 1110 and wireless devices on 1105. Even if the main office and VLAN 1 don't talk, it would only affect IT staff who couldn't connect to the L3 switches on the KG VLAN 1 IP, but we could still connect to their VLAN 1100 IP.

  • I feel like I'm talking to myself... :-P

     

    If you are putting multiple VLANs in the tagged RED switch port configuration, don't put spaces after the commas, e.g. 10,20,30,40, because something like 10,20,30, 40 will cause oddities.

  • Replying to myself again... Feels like I have no friends... :-P

    Anyway, to whoever this may help...

    I've tried making VLAN 1254 my default VLAN and then changing "KG RED50 VLAN 1 on red1 - 10.1.254.248 - Type:Ethernet" to type Ethernet VLAN with 1254 as its VLAN. It didn't work as expected.

    So what I've realized is that you have to burn a VLAN number on your switch to be the UNTAGGED VLAN on the port your RED50 is connected to. In my case all red1 interfaces are set to type Ethernet VLAN. The Switch Port Configuration of LAN1 is TAGGED, with LAN1 VIDs 1100,1105,1110,1254.

    Plug LAN1 into your switch port 1 (or any port you want, it doesn't matter). On switch port 1 put the burnt VLAN number as UP (the number doesn't matter), and all your good VLANs as T. In my case I've put all VLANs as tagged on port 1, so by default it puts VLAN 4095 as P and there is no U... so my port VLAN membership for port 1 looks like this: 1100T, 1105T, 1110T, 1254T, 4095P. It might do something else on your model.

    So now everyone talks to everyone and we are all a happy family

     

    Side note: even though I've set the Operation Mode to Standard/Split, it seems that the Internet traffic goes through the main office anyway... But it's Friday past 5pm here, I'm not going to worry about that now...

  • I'll be your friend! :)

    Just wanted to say this post really helped in getting VLANs working over a RED tunnel. We have a very similar setup and were struggling to get this to work. The main problem was that we had spaces between the VLANs in the VID field on the RED switch port configuration. As you mentioned, spaces can cause oddities; having now removed the spaces, all seems to be working fine. I'm surprised that this isn't documented anywhere; hopefully in a future version they will prevent the use of spaces in the VID field to avoid problems like this.

    Out of interest, did you manage to get VLAN 1 working?

  • Yes and no :-P

    What I did at the remote site was come in on a Saturday and change VLAN 1 on all the switches and devices to 1254, and make that the default VLAN on all those devices.

    What I've realized is that the RED doesn't create a tunnel between 2 networks like the good old VPN would do. Instead, it adds your remote site to the main local site. You can't have 2 subnets with the same VLAN ID on the same network, so this is the same: your remote site is now part of the main local network, therefore its VLAN IDs can't be the same as any of the main local ones.

    Yes, it's a bit of a pain, but then you can manage all your sites as 1 site, keeping your policies standard across all sites. It's all about your goals...
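The three findings in this thread (no spaces in the RED VID field, every red1 interface of type Ethernet VLAN with a spare "burnt" untagged VLAN on the switch port, and branch VLAN IDs that never collide with main-office ones because the RED bridges the branch into the main-office layer 2) can be checked before touching the RED. The plan checker below is an added example, not code from the original posts or from Sophos; the interface names, the helper functions and the sample VLAN numbers are taken from or modelled on the configuration the poster described, and the assumption that the untagged main-office "Internal" interface sits in VLAN 1 comes from the posted Cisco port membership (VLAN 1 UP).

```python
from __future__ import annotations
import re

VID_FIELD_RE = re.compile(r"^[0-9]+(,[0-9]+)*$")  # digits and commas only: no spaces
VID_MIN, VID_MAX = 1, 4094                        # usable 802.1Q VLAN ID range


def parse_vid_field(field: str) -> list[int]:
    """Parse a RED switch-port VID field strictly, e.g. "1100,1105,1110,1254".

    The thread found that a stray space ("10,20,30, 40") breaks the tagging, so
    anything other than comma-separated integers is rejected instead of being
    silently cleaned up.
    """
    if not VID_FIELD_RE.match(field):
        raise ValueError(f"malformed VID field {field!r}: use e.g. 10,20,30 with no spaces")
    vids = [int(v) for v in field.split(",")]
    out_of_range = [v for v in vids if not VID_MIN <= v <= VID_MAX]
    if out_of_range:
        raise ValueError(f"VLAN IDs outside {VID_MIN}-{VID_MAX}: {out_of_range}")
    if len(set(vids)) != len(vids):
        raise ValueError(f"duplicate VLAN IDs in {field!r}")
    return vids


def vid_field_is_valid(field: str) -> bool:
    """True if the VID field would be accepted by parse_vid_field()."""
    try:
        parse_vid_field(field)
        return True
    except ValueError:
        return False


def check_plan(main_vlan_ids: set[int],
               branch_ifaces: dict[str, int | None],
               red_vid_field: str,
               switch_tagged: set[int],
               switch_untagged: int | None) -> list[str]:
    """Return the list of problems with a RED-bridged VLAN plan (empty = consistent).

    main_vlan_ids:   every VLAN ID already in use at the main office, including
                     the untagged one (assumed VLAN 1, as on the posted Cisco trunk).
    branch_ifaces:   UTM interfaces on the RED, name -> VLAN ID, or None for a
                     plain "Ethernet" (untagged) interface.
    red_vid_field:   the Tagged VIDs string from the RED switch port configuration.
    switch_tagged:   VLANs tagged (T) on the switch port the RED plugs into.
    switch_untagged: the untagged/PVID VLAN on that port, or None if it has none.
    """
    problems: list[str] = []
    red_vids = set(parse_vid_field(red_vid_field))
    branch_vids = {v for v in branch_ifaces.values() if v is not None}

    # 1. Every RED-side interface must be an Ethernet VLAN interface: the thread
    #    found that a plain Ethernet interface (untagged on the RED port) never
    #    passed traffic once the port was set to tagged.
    for name, vid in branch_ifaces.items():
        if vid is None:
            problems.append(f"{name}: plain Ethernet interface; make it an Ethernet VLAN interface")

    # 2. The RED extends the main-office layer 2 to the branch, so a branch VLAN
    #    ID must not collide with one the main office already uses.
    for vid in sorted(branch_vids & main_vlan_ids):
        problems.append(f"VLAN {vid} is used at both sites; renumber the branch VLAN")

    # 3. The UTM interfaces, the RED port's tagged VIDs and the switch port's
    #    tagged VLANs must all name the same set.
    if branch_vids != red_vids:
        problems.append(f"UTM interfaces {sorted(branch_vids)} != RED tagged VIDs {sorted(red_vids)}")
    if red_vids != switch_tagged:
        problems.append(f"RED tagged VIDs {sorted(red_vids)} != switch tagged VLANs {sorted(switch_tagged)}")

    # 4. The untagged ("burnt") VLAN on the switch port must be a number nobody
    #    routes on; it may also be absent (the thread's 4095P case).
    if switch_untagged is not None and switch_untagged in (red_vids | main_vlan_ids):
        problems.append(f"untagged VLAN {switch_untagged} on the switch port is a routed VLAN; burn a spare ID instead")
    return problems


# Constructed sample data modelled on the thread's final, working configuration...
MAIN_OFFICE_VLANS = {1, 5, 10, 20, 30}
BRANCH_WORKING = {"red1 VLAN 1254": 1254, "red1 VLAN 1100": 1100,
                  "red1 VLAN 1105": 1105, "red1 VLAN 1110": 1110}
# ...and on the first attempt, with a plain Ethernet interface on red1.
BRANCH_FIRST_TRY = {"red1 VLAN 1": None, "red1 VLAN 1100": 1100, "red1 VLAN 1105": 1105}


def working_plan_problems() -> list[str]:
    return check_plan(MAIN_OFFICE_VLANS, BRANCH_WORKING, "1100,1105,1110,1254",
                      {1100, 1105, 1110, 1254}, None)


def first_try_problems() -> list[str]:
    return check_plan(MAIN_OFFICE_VLANS, BRANCH_FIRST_TRY, "1,1100,1105",
                      {1100, 1105}, 1)


if __name__ == "__main__":
    print("working plan:", working_plan_problems() or "OK")
    for p in first_try_problems():
        print("first try:", p)
```

Run against the poster's first attempt, the checker flags the plain Ethernet interface on red1, the mismatch between the UTM interfaces and the RED/switch tagged sets, and VLAN 1 being used as the untagged VLAN while it is also the main-office "Internal" VLAN; the final configuration from the thread passes with no problems. The VID parser is deliberately strict rather than forgiving, since the RED's own field silently misbehaves on a space instead of rejecting it.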

  • Eric, VLAN 1 is reserved in the UTM for Wireless Protection. I'm surprised it worked even a little bit. Probably not for any traffic transiting the UTM.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA