
Setup REDs on Bridge Mode

Hi Team,

Does anyone have some in-depth information on how a RED bridged network works? The current documentation seems a bit 'outdated'.

Also, I would like some clarification in regards to VPN traffic to and from REDs in a bridged setup and how routing is done.

Thanks

Chacha Kairu 



  • Chacha, 

    what do you mean bridged? Do you mean transparent mode?

    Thanks

  • lferrara said:

    Chacha, 

    what do you mean bridged? Do you mean transparent mode?

    Thanks

     

     

    I have 33 RED devices to deploy on multiple branches. I think I read somewhere that to ease deployment, one can create a bridge and attach REDs to the bridge.

    I need some more info on this, especially in cases where we need to have VPN traffic reaching the RED networks.

    Thanks

  • Bridging is used when the XG LAN and RED networks have the same IP/subnet addresses, or when you have more than one network with the same IP/mask. For example, two RED sites with the same addresses.

    community.sophos.com/.../red-on-same-subnet

    Regards

  • I would highly recommend not bridging the REDs into one big bridge.

    There are many issues in these deployments regarding handling.

    The interface on XG is the LAN port of the RED. A network bridge is like an Ethernet bridge and is built into the Linux kernel to bridge physical interfaces together.

    It will work, but now let's take a brief look at the real world.

    If one RED goes down, for whatever reason, the bridge would lose one interface (in kernel), which could lead to a reload of the whole bridge. So to speak, all other sites could go down for a couple of seconds.

    Some customers bridge one RED with their local network, yes, that's fine for me.

    But if you consider building a 33-interface bridge, I would assume that is not the best idea, considering the point I made earlier.

  • LuCar Toni said:

    I would highly recommend not bridging the REDs into one big bridge.

    There are many issues in these deployments regarding handling.

    The interface on XG is the LAN port of the RED. A network bridge is like an Ethernet bridge and is built into the Linux kernel to bridge physical interfaces together.

    It will work, but now let's take a brief look at the real world.

    If one RED goes down, for whatever reason, the bridge would lose one interface (in kernel), which could lead to a reload of the whole bridge. So to speak, all other sites could go down for a couple of seconds.

    Some customers bridge one RED with their local network, yes, that's fine for me.

    But if you consider building a 33-interface bridge, I would assume that is not the best idea, considering the point I made earlier.

     

    Toni,

    This is well noted, but my other issue would be the VPN traffic going to and from the REDs to the partner network. I will have to add each RED's network to the VPN and also create static routes for the same.

    In my opinion, this is a lot of work, especially in a scenario where I'm connecting to a partner's network which I have no control of. That's my dilemma.

     

     

  • Great @lferrara.

    I was looking for this. Unfortunately, I am not sure if this would work in my scenario if this is what bridge means.

     

    Thanks

    Chacha Kairu

  • Since you have a VPN on another end that you cannot control, bridging does not help. If you have multiple remote sites and the other end needs to access the RED networks, you need to collaborate with the other party. You cannot avoid that. If you know the network IP/mask you will assign to the RED networks, you can communicate them all at once and set up the RED networks one by one.

    Regards

  • You "could" talk to the other party and ask for 33 IPs in the SA to SNAT the traffic. It's not nice, but it could actually work.

    The point is, if you try to bridge everything together, this could work in the first place, but could lead to other issues.

    Why does your RED network actually need access to the IPsec site? Maybe you could work around this in another manner (DNAT/SNAT on XG v18 etc.).

  • NAT is always an option but...without a network diagram and project details, we cannot say "this is correct" or "this is not correct!"

  • I think the simplest way would be to assign all REDs to a single subnet, then allow traffic to and from the whole subnet through the VPN/tunnel.

    i.e. 192.168.0.0/16 (RED subnet). Any additional REDs will be assigned an IP within the range.

     

    Thanks Guys.

    Learning something new every day, and I really appreciate your input.
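The two approaches the thread converges on, one summary block for all RED sites versus per-site SNAT addresses in the partner's SA, are easy to sanity-check before anything is typed into the firewall or sent to the partner. The script below is an added example written for this page; it is not code from the thread, from Sophos, or from any poster. It uses only Python's standard-library ipaddress module, takes the poster's 192.168.0.0/16 as the summary block, and uses 203.0.113.0/26 (a documentation range chosen for the example) as a constructed SNAT pool. It carves 33 per-site /24s, checks them for overlap against ranges that are already in use (overlapping subnets are exactly what forces people into bridging), and then produces either the prefixes to hand the partner for the SA or a one-address-per-site SNAT mapping.

```python
"""Addressing plan for many RED branch networks behind one VPN (added example).

Constructed example, not code from the thread or from Sophos.  It checks the two
approaches discussed above with the standard-library ipaddress module:

  1. carve every RED site out of one summary block (the poster's 192.168.0.0/16)
     so the partner only needs that block in the IPsec SA, or
  2. keep per-site subnets and SNAT each site to one address from a small pool
     the partner agrees to (203.0.113.0/26 below is a constructed documentation
     range, not anything from the thread).
"""
from ipaddress import IPv4Network, ip_network, collapse_addresses
from typing import Dict, Iterable, List, Tuple


def carve_sites(summary: str, site_count: int, site_prefixlen: int = 24) -> List[IPv4Network]:
    """Split a summary block into equal per-site subnets and return the first site_count."""
    block = ip_network(summary)
    subnets = list(block.subnets(new_prefix=site_prefixlen))
    if len(subnets) < site_count:
        raise ValueError(f"{summary} only holds {len(subnets)} /{site_prefixlen} sites")
    return subnets[:site_count]


def find_overlaps(sites: Iterable[IPv4Network],
                  reserved: Iterable[str]) -> List[Tuple[IPv4Network, IPv4Network]]:
    """Return (site, reserved) pairs that overlap.

    Reserved ranges are HQ, partner or other branch networks already in use;
    a sound plan comes back with an empty list here.
    """
    reserved_nets = [ip_network(r) for r in reserved]
    return [(s, r) for s in sites for r in reserved_nets if s.overlaps(r)]


def exact_summary(sites: Iterable[IPv4Network]) -> List[IPv4Network]:
    """Minimal list of prefixes covering exactly the sites, with no unused space."""
    return list(collapse_addresses(sites))


def single_cover(sites: List[IPv4Network]) -> IPv4Network:
    """Smallest single prefix containing every site.

    This is the simplest thing to give a partner that accepts one network per SA,
    at the cost of announcing address space that is not in use yet (which also
    leaves room for future branches).
    """
    cover = sites[0]
    while not all(s.subnet_of(cover) for s in sites):
        cover = cover.supernet()  # widen by one bit until everything fits
    return cover


def snat_plan(sites: List[IPv4Network], pool: str) -> Dict[str, str]:
    """Map each site to one distinct SNAT address from the pool (approach 2)."""
    addresses = list(ip_network(pool).hosts())
    if len(addresses) < len(sites):
        raise ValueError(f"pool {pool} has {len(addresses)} usable addresses for {len(sites)} sites")
    return {str(site): str(addr) for site, addr in zip(sites, addresses)}


if __name__ == "__main__":
    sites = carve_sites("192.168.0.0/16", 33)
    # Constructed "already in use" ranges; replace with the real HQ/partner networks.
    print("conflicts:", find_overlaps(sites, ["10.0.0.0/8", "172.16.0.0/12"]))
    print("exact prefixes for the SA:", exact_summary(sites))
    print("single prefix for the SA:", single_cover(sites))
    for site, addr in list(snat_plan(sites, "203.0.113.0/26").items())[:3]:
        print(f"SNAT {site} -> {addr}")
```

Note that 33 contiguous /24s do not collapse to a single prefix: exact_summary returns a /19 plus one /24, while single_cover returns the /18 that contains all of them. Which one to hand the partner depends on whether their side accepts multiple networks per SA and whether announcing unused space is acceptable to them.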

  • If you are designing a new network, it is better to start with different IPs and subnets. Bridging is an option when you don't have another way to deal with the problem. Otherwise, use NAT as Luca suggested.