
Sophos SD-RED 20 and VLANs

Hello, I have the following scenario: I need to transport some VLANs that are on my core L3 switch behind the RED (appliance). I have already tried to put the firewall interface marked with the VLANs that I need; in Sophos I grouped the VLANs in a bridge. A station behind the RED gets an IP from the guest VLAN but does not browse.

I know it's not a good practice, but I need the Hotspot of my guest network, also in the branches.



  • This kind of design can work in smaller setups, but is not recommended for larger setups (Multiple REDs).

    You need to bridge the LAN port with the RED. Then place the VLANs as you want on this bridge. 

    You need to have Standard/Unified on RED to get this working. 


  • I tried to configure a lab as you suggested: I used one firewall as a RED server and another as a RED client, I grouped the interfaces in a bridge at both ends, and I put a switch in place to mark the packets, but without success. Perhaps a firewall acting as the RED client works another way?

  • What did you place on the other end of the firewall? Because the firewall will not tag the traffic in that sense, like a PVID. Can you check the tcpdump/packet capture of the firewalls to see if the traffic is flowing?


  • Behind the RED Client I put a Switch to mark the packets.
    The router is configured to be the L3 of the headquarter VLANs. VLAN 150 is configured on it.

    My test topology:

  • If your topology really is like above, then you do not transport all VLANs to the Sophos PortA.

    You need a trunk port to transport all VLANs and the Sophos will pass them on unmodified.

    The only thing you configure a VLAN on a Sophos port is to become a member of that particular VLAN with that port.

    At least this is my observation and experience so far.

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Hello! That's right, my topology is like the one mentioned. So on my Switch I set the Sophos Uplink interface to Tagged?

  • Your image shows e0/0, which is going to Sophos PortA as a "tagged" VLAN on both sides. You did not show the VLAN ID ("number") of this.

    If you want to transport any other or all other VLAN IDs, you have to configure this interface e0/0 accordingly. Port e0/0 has to be a "trunk port" for this to transport more than one VLAN. If this is configured as "access port", which I suspect, then this transports ONLY your tagged VLAN and nothing else. I am talking Cisco configuration-wise here.

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner
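The access-port versus trunk-port distinction described in the post above, as an added configuration example that is not part of the thread and not Sophos documentation: it assumes Cisco IOS syntax, the interface name e0/0 and VLAN 150 from the posts, and an otherwise unused VLAN 999 as the trunk's native VLAN.

```cisco
! Added example, not from the thread. Cisco IOS syntax is assumed; e0/0 and
! VLAN 150 are taken from the posts above, VLAN 999 is an assumed unused ID.

! Variant 1 - access port: carries ONLY VLAN 150, untagged. Frames from any
! other VLAN never reach Sophos PortA, so only one network can cross the RED.
interface Ethernet0/0
 description Uplink to Sophos PortA (access port, single VLAN)
 switchport mode access
 switchport access vlan 150

! Variant 2 - trunk port: carries VLAN 150 plus every other VLAN listed,
! 802.1Q-tagged, so the Sophos bridge can pass them to the RED unmodified.
interface Ethernet0/0
 description Uplink to Sophos PortA (802.1Q trunk)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ! Allow only the VLANs that really need to cross the RED; extend with
 ! "switchport trunk allowed vlan add <id>" rather than allowing all.
 switchport trunk allowed vlan 150
 ! Keep the native (untagged) VLAN off the guest VLAN, so untagged frames
 ! are not silently placed into VLAN 150.
 switchport trunk native vlan 999

! Verify the operational mode and which VLANs the trunk actually carries:
! show interfaces Ethernet0/0 switchport
! show interfaces Ethernet0/0 trunk
```

The `switchport trunk encapsulation dot1q` line is only needed on platforms that also support ISL; newer switches reject it because dot1q is the only option.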

  • On my switch, the Sophos uplink port is already tagging the VLANs I need (in this case 150). Sophos RED Server and Sophos RED Client also have VLAN 150 on the bridge. I put a /32 IP because I can't create the VLAN without IP.
    Interface PortA, is where the Switch is connected, on both sides.

    RED-Client: 

    RED-Server:
