
Pros and cons in deploying a lot of REDs using bridging?

 Background: we are an electric company with hundreds of substations and a few crew offices that we are constantly adding to our internal WAN over microwave links. The WAN is handled by our Communications department, which acts like an ISP for corporate IT. They've just moved from Metro Ethernet to MPLS on the WAN. Due to past network disruptions on the WAN, e.g., spanning tree or whatnot, management wanted us to eliminate all potential layer 2 issues on the WAN by using layer 3 connections to these sites.

One of the design options I am considering is deploying a RED at each remote location and a big enough Sophos XG at the headquarters in a hub and spoke topology.

I know I can add a RED interface and subnet for each location, or bridge them together to share a big enough subnet. Can someone shed some light on the pros and cons of either setup?

I am thinking bridging will make network and firewall interface management quite a bit simpler but potentially dampen network performance by propagating broadcast packets everywhere. But the impact may not be that big since these substations only get visited briefly by patrolmen who do data entry with a tablet and occasionally by technicians with laptops.

Thanks!



  • Hi Daniel,


    A couple of months ago I asked myself the same question when I was preparing the installation of an XG210 with 6 REDs.
    At first I chose the bridge configuration because it would be easy to manage and to deploy: just add a new RED to the bridge, no need to add another firewall rule or modify the existing one.

    After a few days of getting the feel of the RED bridge, I decided not to use it and went for a RED interface and subnet for each location.
    My main reason was actually troubleshooting: based on the subnet I now know immediately which location has issues and I know what subnet to use when filtering the XG logs.
    In my case the REDs are located at home offices, connecting some devices (PC/laptop, printers, APs, ...) to a main office.

    The RED bridge DHCP will hand out IPs from the same subnet to all locations. Asking a customer what the IP of his PC is, when he's reporting a problem, was going to be challenging! And I didn't want to start configuring static IP-to-MAC mappings in DHCP.

    In your case however you are talking about hundreds of locations with no permanent occupation (I suppose?) and a few crew stations (with a permanent occupation?).
    You could combine both possibilities: using a RED bridge for the substations and a RED interface with dedicated subnet and firewall rule for each crew station.

    Hope this helps.

  • Just came back from the Holiday. Thanks so much for the quick reply!

    Yes, there is no permanent occupation at any of the substations, and traffic is minimal 99% of the time when they are in use; there are a few crew members stationed at each crew office.

    I like your suggestion for a combination of both methods. I think it's a great idea. I think I can always change back to more subnetting if bridging the substations doesn't work well.
