
Sophos SD-RED 20 and VLANs

Hello, I have the following scenario: I need to transport some VLANs that are on my core L3 switch to behind the RED (appliance). I have already tried tagging the firewall interface with the VLANs that I need, and in Sophos I grouped the VLANs in a bridge; the station behind the RED gets an IP from the guest VLAN but does not browse.

I know it's not a good practice, but I need the Hotspot of my guest network, also in the branches.



  • This kind of design can work in smaller setups, but is not recommended for larger setups (Multiple REDs).

    You need to bridge the LAN port with the RED. Then place the VLANs as you want on this bridge. 

    You need to have Standard/Unified on RED to get this working. 


  • But if I put the XG port that is connected to my core in a bridge with the RED, I will lose the other VLANs that are configured there.

  • You can place as many VLANs on the bridge as you want. 


  • Okay, I'll need to put two REDs in different locations, would it work the way you said?

  • Yeah, two REDs should not cause many issues. If you scale this scenario up to multiple locations, this can get complex, and a bridge with so many network interfaces is not recommended.


  • And what would be the ideal scenario? Of all the VLANs, the only one I need in branch offices is Guest.

  • From my point of view, expanding a VLAN is not a good idea. You should look at each of those locations as its own network and segment it there from a segmentation perspective. Expanding the same VLAN to all locations would mean you span the same network subnet to all locations, which means all broadcast packets will be transferred to all locations. By segmenting into their own VLANs with their own subnet ranges, you have a clean cut between those networks.
