Skip to content

RED device requirements and traffic behavior

Learn about the RED device requirements and traffic behavior.

Warning

RED 15, 15 (w), and 50 are now end-of-life (EOL). We recommend you use SD-RED 20 or 60.

RED 50 vs. SD-RED 60 traffic behavior

The RED 50 and SD-RED 60 devices handle untagged VLAN (hybrid port) traffic differently.

The table below shows how all traffic is handled across all ports.

How the RED 50 and SD-RED 60 handle traffic

Modes VLAN traffic Non-VLAN traffic

Untagged (hybrid port)

(Only one VLAN configuration is allowed)

RED 50

Forwarded: Any VLAN traffic is forwarded using the specified VLAN.

SD-RED 60

Forwarded: Any VLAN traffic is forwarded without change.

Forwarded: Non-VLAN traffic is tagged using the specified VLAN.

Untagged, drop tagged (Access port)

(Only one VLAN configuration is allowed)

Dropped: All VLAN traffic is dropped. Forwarded: Non-VLAN traffic is tagged using specified VLAN.

Tagged (trunk port)

(Multiple VLAN ID configuration allowed)

Forwarded: Traffic matching configured VLANs is forwarded, and traffic that doesn't match is dropped. Dropped: Non-VLAN traffic is dropped.
Disabled Dropped Dropped

Warning

You can only tag VLAN traffic on the SD-RED 60 in standard/unified mode.

When you set the LAN switch port mode to VLAN, the SD-RED 60 encapsulates tagged and untagged traffic over the RED tunnel. This means that you can configure your remote switch port to replicate head office VLAN separation.

Tip

If you need the VLAN guest network behind the RED device to use the local gateway, you can route this traffic through an XGS series desktop model.

RED 15w requirements

The traffic is handled according to the mode and wireless traffic type. Before you set up a RED 15w (wireless), you must meet the requirements for the mode.

The RED 15w and REDs with the Wi-Fi expansion module use DHCP option 234 to communicate with Sophos Firewall or Sophos UTM, if you've configured them as wireless access points.

In standard/unified mode, all traffic from the RED is sent to the firewall.

In standard/split mode, all traffic from the split networks is sent to the firewall. All other traffic is sent to the default gateway specified by the remote DHCP server. This is usually the router to which the RED is connected at the remote site.

In transparent/split mode, only split networks are reachable through the firewall. All other networks are routed through the router at the remote site. The remote network also provides DHCP and DNS. In this case, the RED interface must obtain an IP address through the remote DHCP server.

The following requirements must be met for wireless traffic:

  • A RED interface must be available and must have an IP address.
  • DNS must be resolvable on the RED interface.
  • For standard/unified and standard/split modes, a DHCP server must be running on the RED interface.
  • For transparent/spilt mode, the remote DHCP server must provide DHCP option 234, which contains the IP address of the RED interface on the firewall site. (Otherwise, 1.2.3.4 is used.)

Here's the workflow for each wireless traffic type:

  • Separate zone: All traffic from a separate zone network is sent to Sophos Firewall using Virtual Extensible LAN (VXLAN) protocol. The packets are encrypted while crossing the RED tunnel. The separate zone networks are connected to each other in Sophos Firewall. You must configure Sophos Firewall to allow traffic for the Astaro Wireless Extension (AWE) client and VXLAN (RFC 7348) for the RED interface.

    The AWE client is a client daemon that runs on access points and REDs with wireless support. It registers access points on Sophos Firewall.

  • Bridge to AP LAN: The RED will bridge the SSID in the LAN network behind the RED. This includes LAN ports 1–4. Clients connected to this SSID are able to reach the RED tunnel endpoint interface on the firewall site if the firewall allows traffic from the RED network to the RED interface.

  • Bridge to VLAN (Standard/Unified): The RED will tag all traffic from clients connected to this SSID using the configured VLAN tag. Clients can reach all network devices with the same VLAN tag connected to LAN ports 1–4 and a VLAN-tagged interface on top of the tunnel endpoint interface on the firewall site.

  • Bridge to VLAN (Standard/Split): The clients can reach all hosts behind the RED that own the same VLAN tag. Also, the tunnel endpoint is reachable if a VLAN interface is configured on top of the RED interface on the firewall site. The split networks can't be reached as these are routed for untagged packets only.

  • Bridge to VLAN (Transparent/Split): The clients can reach all hosts behind the RED that own the same VLAN tag on LAN ports 1–4 and on the WAN port. The split networks can't be reached as these are routed for untagged packets only.