
Pros and cons in deploying a lot of REDs using bridging?

 Background: we are an electric company with hundreds of substations and a few crew offices that we are constantly adding to our internal WAN over microwave links. The WAN is handled by our Communications department which acts like an ISP for corporate IT. They've just moved from Metro Ethernet to MPLS on the WAN. Due to past network disruptions on the WAN, e.g., spanning tree or whatnots, management wanted us to eliminate all potential layer 2 issues on WAN by using layer 3 connections to these sites.

One of the design options I am considering is deploying a RED at each remote location and a big enough Sophos XG at the headquarters in a hub and spoke topology.

I know I can add a RED interface and subnet for each location, or bridge them together to share a big enough subnet. Can someone shed some light on the pros and cons of either setup?

I am thinking bridging will make network and firewall interface management quite a bit simpler but potentially dampen network performance by propagating broadcast packets everywhere. But the impact may not be that big since these substations only get visited briefly by patrolmen who do data entry with a tablet and occasionally by technicians with laptops.

Thanks!



  • Hi Daniel,


    A couple of months ago I asked myself the same question when I was preparing the installation of an XG210 with 6 REDs.
    At first I chose the bridge configuration because it would be easy to manage and to deploy: just add a new RED to the bridge, no need to add another firewall rule or modify the existing one.

    After a few days of getting the feel of the RED bridge, I decided not to use it and went for a RED interface and subnet for each location.
    My main reason was actually troubleshooting: based on the subnet I now know immediately which location has issues and I know what subnet to use when filtering the XG logs.
    In my case the REDs are located at Home Offices, connecting some devices (PC/laptop, printers, APs, ...) to a Main Office.

    The RED Bridge DHCP will hand out IPs from the same subnet to all locations. Asking a customer what's the IP of his PC, when he's reporting a problem, was going to be challenging! And I didn't want to start configuring static IP/MAC mapping in DHCP.

    In your case however you are talking about hundreds of locations with no permanent occupation (I suppose?) and a few crew stations (with a permanent occupation?).
    You could combine both possibilities: using a RED bridge for the substations and a RED interface with dedicated subnet and firewall rule for each crew station.

    Hope this helps.

  • I too have conceptualised this and demoed it with customers and, just like you, I came to the same conclusions.

    Subnetting and separation is absolutely the best way to go, yes there is a management overhead but you will be thanking past you for not doing bridging when dealing with issues.

    And if you're smart with your zoning and use of IP host groups, you can actually make the deployment of new sites quite simple and low overhead for rules. You can do this by putting all the REDs in a "RED" zone and your firewall rules are:

    Rule 1:
    - Source zone: RED
    - Source network: RED networks IP host group
    - Destination zone: WAN
    - Services: whatever

    Rule 2:
    - Source zone: RED
    - Source network: RED networks IP host group
    - Destination zone: LAN
    - Destination network: whatever subnets needed
    - Services: whatever

    To commission a RED site, just configure the RED and add its subnet to the host group and off you trot.

    And XG bridging?

    It honestly leaves a lot to be desired and I can only recommend it for doing fully transparent web filtering when unable to displace the firewall.

    Hope that helps.

    Emile
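As an added illustration (not code from any of the posters, and not the XG's own configuration syntax), the following Python models the scheme Emile describes and the troubleshooting point from the first reply: every RED sits in one "RED" zone, the two rules reference a single "RED networks" IP host group, and commissioning a site is one subnet added to that group with no rule change. The per-site subnet map also shows why a subnet per location lets you name the site straight from an IP in the logs. The zone names, rule names, subnets and site names are constructed for the example.

```python
"""Toy model of a zone + IP-host-group rule base with per-site subnets (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Rule:
    name: str
    src_zone: str
    src_group: str               # IP host group the source address must belong to
    dst_zone: str
    dst_networks: List[ipaddress.IPv4Network]   # empty list = any destination
    services: Set[str]           # {"any"} = any service
    action: str = "allow"


class Policy:
    """Hypothetical stand-in for the firewall rule base; anything unmatched is dropped."""

    def __init__(self) -> None:
        self.host_groups: Dict[str, List[ipaddress.IPv4Network]] = {}
        self.rules: List[Rule] = []
        # subnet -> site name; this is what a per-site subnet buys you in the logs
        self.sites: Dict[ipaddress.IPv4Network, str] = {}

    def add_to_group(self, group: str, cidr: str) -> None:
        self.host_groups.setdefault(group, []).append(ipaddress.ip_network(cidr))

    def commission_site(self, site: str, cidr: str, group: str = "RED networks") -> None:
        """Commissioning a RED site = one subnet added to the host group, no new rule."""
        net = ipaddress.ip_network(cidr)
        if any(net.overlaps(existing) for existing in self.sites):
            raise ValueError(f"{cidr} overlaps an already commissioned site subnet")
        self.sites[net] = site
        self.add_to_group(group, cidr)

    def _in_group(self, group: str, ip: ipaddress.IPv4Address) -> bool:
        return any(ip in net for net in self.host_groups.get(group, []))

    def evaluate(self, src_zone: str, src_ip: str, dst_zone: str,
                 dst_ip: str, service: str) -> Tuple[str, Optional[str]]:
        """First matching rule wins, as in an ordered rule base; default is drop."""
        src = ipaddress.ip_address(src_ip)
        dst = ipaddress.ip_address(dst_ip)
        for rule in self.rules:
            if rule.src_zone != src_zone or rule.dst_zone != dst_zone:
                continue
            if not self._in_group(rule.src_group, src):
                continue
            if rule.dst_networks and not any(dst in net for net in rule.dst_networks):
                continue
            if "any" not in rule.services and service not in rule.services:
                continue
            return rule.action, rule.name
        return "drop", None

    def locate(self, ip: str) -> Optional[str]:
        """Which site does this address belong to? Only answerable with a subnet per site."""
        addr = ipaddress.ip_address(ip)
        for net, site in self.sites.items():
            if addr in net:
                return site
        return None


def build_policy() -> Policy:
    """Constructed rule base: the two rules from the thread plus two commissioned sites."""
    policy = Policy()
    policy.rules.append(Rule("RED-to-WAN", "RED", "RED networks", "WAN", [], {"any"}))
    policy.rules.append(Rule("RED-to-LAN", "RED", "RED networks", "LAN",
                             [ipaddress.ip_network("10.0.1.0/24")], {"https", "dns"}))
    policy.commission_site("Substation 1", "10.50.1.0/24")
    policy.commission_site("Substation 2", "10.50.2.0/24")
    return policy


if __name__ == "__main__":
    policy = build_policy()
    print(policy.evaluate("RED", "10.50.3.10", "WAN", "203.0.113.5", "https"))  # dropped: not yet commissioned
    policy.commission_site("Substation 3", "10.50.3.0/24")
    print(policy.evaluate("RED", "10.50.3.10", "WAN", "203.0.113.5", "https"))  # allowed by RED-to-WAN
    print(policy.locate("10.50.3.10"))                                          # Substation 3
```

The overlap check in `commission_site` is the one thing worth keeping from this model: it refuses a new site whose subnet collides with an existing one, which is exactly the property the bridged design cannot give you because every site shares one subnet.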

  • Just came back from the Holiday. Thanks so much for the quick reply!

    Yes, there is no permanent occupation at all the substations and traffic is minimal 99% of the time when being used, and a few crew members are stationed at each crew office.

    I like your suggestion for a combination of both methods. I think it's a great idea. I think I can always change back to more subnetting if bridging the substations doesn't work well.

  • Emile,

    Thanks a lot for the insight and suggestions, which are very helpful!

    Can you elaborate a bit more on the issue with XG bridging? You said you would only "recommend it for doing fully transparent webfiltering when unable to displace the firewall". Can you give me a scenario?

    I am inclined to do a hybrid deployment as the other gentleman suggested but would love to hear more about your experience and concerns with bridging.