Sonicwall SONICOS 5.7 User Manual

Switching on the SonicWALL NSA 2400MX in SonicOS Enhanced 5.7

Document Scope
This solutions document describes how to configure and manage the Switching feature on a SonicWALL NSA 2400MX running SonicOS Enhanced 5.7.
This document contains the following sections:
“Configuring Switching” section on page 4
“Glossary” section on page 30

Feature Overview

This section provides an introduction to the Switching feature. This section contains the following subsections:
“What is Switching on the SonicWALL NSA 2400MX?” section on page 1
“Benefits of Switching” section on page 2
“How Does Switching Work on the SonicWALL NSA 2400MX?” section on page 3
“Supported Platforms” section on page 3

What is Switching on the SonicWALL NSA 2400MX?

SonicOS Enhanced 5.7 introduces Layer 2 (data link layer) switching functionality on the SonicWALL NSA 2400MX appliance.
The SonicWALL NSA 2400MX appliance is a Unified Threat Management (UTM) security appliance that integrates the WAN flexibility of a router with 24 built-in Ethernet switch ports. The appliance provides two expansion slots to allow modular card flexibility. Both 3G wireless cards and V.90 modem cards are supported.
The functionality supports the following switching features:
VLAN Trunking – Provides the ability to trunk different VLANs between multiple switches.
Rapid Spanning Tree Protocol – Prevents loops from being formed when switches or bridges are interconnected via multiple paths and provides for network convergence after a topology change.
Layer 2 Network Discovery – Uses IEEE 802.1AB (LLDP) and Microsoft LLTD protocols and the switch forwarding table to discover devices visible from a port.
Link Aggregation – Provides the ability to aggregate ports for increased performance and redundancy.
Port Mirroring – Allows the administrator to assign a mirror port to mirror ingress, egress or bidirectional packets coming from a group of ports.
Layer 2 Quality of Service – On a per port basis, allows configuration to trust Cost of Service (CoS) (802.1p) or trust DSCP marking and treat the frames appropriately.
Rate Control / Flow Control – On a per port basis, the bandwidth of ingress frames can be tuned in four modes by limiting all/flooded unicast/multicast/broadcast frames. Rate limiting for egress frames can be enabled or disabled.
Port Security – Provides the ability to bind a MAC address or multiple MAC addresses to a specific port interface.

Benefits of Switching

The SonicWALL NSA 2400MX provides a combined security and switching solution. Layer 2 switching features enhance the deployment and interoperability of SonicWall devices within existing Layer-2 networks.
The NSA 2400MX provides flexible, intelligent switching capabilities with its unique PortShield architecture, increased port density with 26 interfaces, and advanced switching features.
The advanced switching features on a network security appliance provide the following benefits:
Increased port density – With one appliance providing 26 interfaces, including 24 switch ports, you can decrease the number of devices on your internal network.
Increased security across multiple switch ports – The PortShield architecture provides the flexibility to configure all 26 LAN switch ports into separate security zones such as LANs, WLANs and DMZs, providing protection not only from the WAN and DMZ, but also between devices inside the LAN. Effectively, each security zone has its own wire-speed ‘mini-switch’ that benefits from the protection of a dedicated deep packet inspection firewall.
VLAN Trunking – Simplifies VLAN management and configuration by reducing the need to configure VLAN information on every switch.
Layer 2 Discovery – Provides Layer 2 network information for all devices attached to the NSA 2400MX.
Link Aggregation – Aggregated ports provide increased performance through load balancing when connected to a switch that supports aggregation, and provide redundancy when connected to a switch or server that supports aggregation.
Port Security – Allows administrators to bind a trusted MAC address or multiple MAC addresses to a specific port to decrease unauthorized access on that port.
Rapid Spanning Tree Protocol – Allows for redundancy in case a connection goes down, while preventing loops from being formed when switches or bridges are interconnected via multiple paths.
Layer 2 Quality of Service – Allows for traffic prioritization and bandwidth management to minimize network delay using Cost of Service (CoS) classification, and DSCP marking.
Port Mirroring – Allows the administrator to easily monitor and inspect network traffic on one or more ports.
Rate Control / Flow Control – Back-pressure flow control on half-duplex ports and pause frame-based flow control on full-duplex ports allow zero packet loss under temporary traffic congestion.
Port Security – Binding a MAC address or multiple MAC addresses to a specific port interface provides security, as frames whose source addresses are not contained in the table will be dropped.

How Does Switching Work on the SonicWALL NSA 2400MX?

The switching features have their own menu group in the left navigation pane of the SonicOS management interface.
Some switching features operate on PortShield Groups and require preliminary configuration on the Network > PortShield Groups page. Some operate on existing Network > Interface configurations. The Port Security feature uses MAC address objects. For more information about configuring these related features in SonicOS, see the SonicOS Enhanced 5.7 Administrator’s Guide.
For details about the operation of each switching feature, see the related section under the “Configuring Switching” section on page 4.

Supported Platforms

Switching is available on the SonicWALL NSA 2400MX running SonicOS Enhanced 5.7 and higher. Switching features are only available on ports X2 - X25, not on X0 (LAN) or X1 (WAN).
The hardware design of the SonicWALL NSA 2400MX includes the following elements:
Dual core 700 MHZ CPU
8 Gigabit Ethernet interfaces
16 10/100 Megabit Fast Ethernet interfaces
1 Gigabit Ethernet WAN port
1 Gigabit Ethernet LAN port
2 USB extension ports that support external 3G wireless cards or V.90 analog modem cards
2 Expansion Slots for future use

Configuring Switching
This section contains the following sections:
“Configuring VLAN Trunking” section on page 4
“Configuring Rapid Spanning Tree” section on page 11
“Configuring Layer 2 Discovery” section on page 14
“Configuring Link Aggregation” section on page 15
“Configuring Port Mirroring” section on page 19
“Configuring Layer 2 Quality of Service” section on page 20
“Configuring Rate Control” section on page 25
“Configuring Port Security” section on page 27

Configuring VLAN Trunking

Unassigned switch ports on the SonicWALL NSA 2400MX appliance can function as VLAN trunk ports.
You can enable or disable VLANs on the trunk ports, allowing the existing VLANs on the SonicWALL NSA 2400MX appliance to be bridged to respective VLANs on another switch connected via the trunk port. The SonicWALL NSA 2400MX appliance supports 802.1Q encapsulation on the trunk ports. A maximum of 32 VLANs can be enabled on each trunk port.
The VLAN trunking feature provides the following functions:
Change VLAN ID’s of existing PortShield groups
Add/delete VLAN trunk ports
Enable/disable VLANs on the trunk ports
The allowed VLAN ID range is 1-4094. Some VLAN IDs are reserved for PortShield use. The reserved range is displayed in the SonicOS management interface. You can mark certain PortShield groups as “Trunked”. Once the PortShield group is dismantled, the associated VLAN is automatically disabled on the trunk ports.
VLANs can exist locally in the form of PortShield groups or can be totally remote VLANs. Below, the Network > PortShield page shows a PortShield group with X14 as the PortShield interface and X15, X16, and X17 as members of the PortShield group. X20 and X21 are VLAN trunk ports.
You can change the VLAN ID of PortShield groups on the SonicWALL NSA 2400MX appliance. This allows easy integration with existing VLAN numbering.
Unlike traditional Layer 2 switches, the SonicWALL NSA 2400MX appliance does not allow changing port VLAN membership in an ad-hoc manner. VLAN membership of a port must be configured via PortShield configuration in the SonicOS management interface.
For more information about configuring PortShield groups, see the “Configuring PortShield Interfaces” chapter in the SonicOS Enhanced 5.7 Administrator’s Guide.
A virtual interface (called the VLAN Trunk Interface) is automatically created for remote VLANs. When the same remote VLAN is enabled on another trunk port, no new interface is created. All packets with the same VLAN tag ingressing on different trunk ports are handled by the same virtual interface. This is a key difference between VLAN sub-interfaces and VLAN trunk interfaces.
The Name column on the Network > Interfaces page displays the VLAN Trunk Interfaces for the VLAN trunks on which VLAN IDs 100 and 200 are enabled.
You can enable any VLAN, local or remote, on a VLAN trunk to allow bridging to respective VLANs on another switch. For example, local VLAN 3787, created from a PortShield group, can be enabled on the VLAN trunk for port X20, which also has two remote VLANs enabled on it.
The VLAN Table on the Switching > VLAN Trunking page displays the trunk port, X20, as a member of local VLAN 3787 after the VLAN is enabled on the VLAN trunk.
[Diagram: the NSA 2400MX Network Security Appliance, connected to the Internet, with two VLAN trunk ports, X20 and X21, each trunked to a downstream switch carrying the Sales, Engineering (Eng), QA, and Finance VLANs. Four VLANs: v100 - Sales, v200 - Engineering, v300 - QA, v400 - Finance. VLAN Trunk Interfaces: x20: v100, x20: v200, x20: v300, x20: v400.]
The diagram illustrates a VLAN trunk with two trunk ports, bridging the Sales, Engineering, QA, and Finance VLANs through the NSA 2400MX. Each remote VLAN was enabled on VLAN trunk port X20 initially, causing the creation of four virtual VLAN trunk interfaces. When these VLANs were also enabled on trunk port X21, no new virtual interfaces were created.
VLAN trunking interoperates with Rapid Spanning Tree Protocol (RSTP), Link Aggregation and Port Mirroring features. A VLAN trunk port can be mirrored, but cannot act as a mirror port itself. You cannot enable Static port security on the VLAN trunk port.
Ports configured as VLAN trunks cannot be used for any other function and are reserved for use in Layer 2 only. For example, you cannot configure an IP Address for the trunk ports.
When a Trunk VLAN interface has been configured on a particular trunk port, that trunk port cannot be deleted until the VLAN interface is removed, even though the VLAN is enabled on multiple trunk ports. This is an implementation limitation and will be addressed in a future release.
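The trunk rules above (VLAN ID range and reserved IDs, 32 VLANs per trunk port, one shared VLAN Trunk Interface per VLAN ID however many trunk ports carry it, and the trunk-port deletion limitation) can be checked offline with the following Python model. This is an added example, not SonicWALL code; the class and method names, the reserved-ID set passed in by the caller, and the constructed 802.1Q sample frame are assumptions, and the real reserved range is whatever the SonicOS management interface displays.

```python
import struct

VLAN_MIN, VLAN_MAX, MAX_VLANS_PER_TRUNK = 1, 4094, 32  # limits stated in the manual
TPID_8021Q = 0x8100                                    # 802.1Q tag protocol identifier

def vlan_id_of(frame: bytes):
    """VLAN ID from an 802.1Q-tagged Ethernet frame, or None if the frame is untagged."""
    if len(frame) < 16:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])  # tag follows the dst/src MACs
    return tci & 0x0FFF if tpid == TPID_8021Q else None

class VlanTrunks:
    def __init__(self, reserved_ids):
        self.reserved = set(reserved_ids)  # IDs reserved for PortShield (shown in the UI)
        self.ports = {}                    # trunk port -> enabled VLAN IDs
        self.interfaces = {}               # VLAN ID -> VLAN Trunk Interface name
    def add_trunk_port(self, port):
        self.ports.setdefault(port, set())
    def enable_vlan(self, port, vid):
        if not VLAN_MIN <= vid <= VLAN_MAX or vid in self.reserved:
            raise ValueError(f"VLAN {vid} is outside 1-4094 or reserved")
        enabled = self.ports[port]
        if vid not in enabled and len(enabled) >= MAX_VLANS_PER_TRUNK:
            raise ValueError(f"{port} already carries {MAX_VLANS_PER_TRUNK} VLANs")
        enabled.add(vid)
        # One virtual interface per VLAN ID: a second trunk port reuses it.
        return self.interfaces.setdefault(vid, f"VLAN Trunk Interface {vid}")
    def remove_interface(self, vid):
        self.interfaces.pop(vid, None)
        for enabled in self.ports.values():
            enabled.discard(vid)
    def delete_trunk_port(self, port):
        # Blocked while any VLAN enabled here still has its interface, even if other trunks carry it.
        blocking = self.ports[port] & set(self.interfaces)
        if blocking:
            raise RuntimeError(f"remove VLAN interface(s) {sorted(blocking)} first")
        del self.ports[port]
    def ingress(self, port, frame):
        """Interface that handles a frame arriving on a trunk port; None if it is not bridged."""
        vid = vlan_id_of(frame)
        if vid is None or vid not in self.ports.get(port, ()):
            return None
        return self.interfaces[vid]

def tagged_frame(vid, payload=b"\x00" * 46):
    """Constructed sample frame: broadcast dst, locally administered src, 802.1Q tag, IPv4."""
    dst, src = b"\xff" * 6, bytes.fromhex("020000000001")
    return dst + src + struct.pack("!HHH", TPID_8021Q, vid & 0x0FFF, 0x0800) + payload
```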
See the following procedures:
“Editing VLANs” on page 9
“Adding a VLAN Trunk Port” on page 9
“Deleting VLAN Trunk Ports” on page 10
“Enabling a VLAN on a Trunk Port” on page 10

Editing VLANs

To edit a VLAN, perform the following steps:
Step 1 On the Switching > VLAN Trunking page, click the Configure icon in the VLAN Table row for the VLAN ID you want to edit.
Step 2 In the Edit Vlan for PortShield window, do one of the following:
Type a different VLAN ID into the Vlan ID field. You can enter any VLAN ID except the original system-specified VLAN ID or any others in the Reserved VLAN IDs.
Use the VLAN ID number in the Vlan ID field, which matches the one for which you clicked the Configure icon.
Step 3 To enable trunking for this VLAN, select the Trunked checkbox. To disable trunking for this VLAN, clear the checkbox.
Step 4 Click OK.

Adding a VLAN Trunk Port

To add a VLAN trunk port, perform the following steps:
Step 1 On the Switching > VLAN Trunking page under VLAN Trunks, click the Add button.
Step 2 In the Add VLAN Trunk Port window, select the port to add from the Trunk Port drop-down list.
Step 3 Click OK.