SonicOS 5.9 Admin Guide

Switching
(NSA 2400MX only)

Configuring Switching

* NOTE: Switching is available on the NSA 2400MX only.

About Switching

This chapter describes how to configure and manage the Layer 2 (data link layer) switching functionality on the SonicWall NSA 2400MX appliance.

Switching Overview

What is Switching?

The SonicWall NSA 2400MX appliance is a firewall security appliance that integrates the WAN flexibility of a router with 24 built-in Ethernet switch ports. The appliance provides two expansion slots to allow modular card flexibility. Both 3G wireless cards and V.90 modem cards are supported.

The functionality supports the following switching features:

VLAN Trunking – Provides the ability to trunk different VLANs between multiple switches.
Layer 2 Network Discovery – Uses IEEE 802.1AB (LLDP) and Microsoft LLTD protocols and switch forwarding table to discover devices visible from a port.
Link Aggregation – Provides the ability to aggregate ports for increased performance and redundancy.
Port Mirroring – Allows the administrator to assign a mirror port to mirror ingress, egress or bidirectional packets coming from a group of ports.

Benefits of Switching

The SonicWall NSA 2400MX provides a combined security and switching solution. Layer 2 switching features enhance the deployment and interoperability of SonicWall devices within existing Layer-2 networks.

The NSA 2400MX provides flexible, intelligent switching capabilities with its unique PortShield architecture, increased port density with 26 interfaces, and advanced switching features.

The advanced switching features on a network security appliance provide the following benefits:

Increased port density – With one appliance providing 26 interfaces, including 24 switch ports, you can decrease the number of devices on your internal network.
Increased security across multiple switch ports – The PortShield architecture provides the flexibility to configure all 26 LAN switch ports into separate security zones such as LANs, WLANs and DMZs, providing protection not only from the WAN and DMZ, but also between devices inside the LAN. Effectively, each security zone has its own wire-speed ‘mini-switch’ that benefits from the protection of a dedicated deep packet inspection firewall.
VLAN Trunking – Simplifies VLAN management and configuration by reducing the need to configure VLAN information on every switch.
Layer 2 Discovery – Provides Layer 2 network information for all devices attached to the NSA 2400MX.
Link Aggregation – Aggregated ports provide increased performance through load balancing when connected to a switch that supports aggregation, and provide redundancy when connected to a switch or server that supports aggregation.
Port Mirroring – Allows the administrator to easily monitor and inspect network traffic on one or more ports.
Rate Control / Flow Control – Back-pressure flow control on half-duplex ports and pause frame-based flow control on full-duplex ports allow zero packet loss under temporary traffic congestion.

How Does Switching Work?

The switching features have their own menu group in the left navigation pane of the SonicOS management interface.

Some switching features operate on PortShield Groups and require preliminary configuration on the Network > PortShield Groups page. Others operate on existing Network > Interfaces configurations. The Port Security feature uses MAC address objects. For more information about configuring these related features in SonicOS, see the corresponding sections of this guide.

For details about the operation of each switching feature, see the related section, Configuring Switching.

Supported Platforms

Switching is available on the SonicWall NSA 2400MX running SonicOS Enhanced 5.7 and higher. Switching features are available only on ports X2 - X25, not on X0 (LAN) or X1 (WAN).

The hardware design of the SonicWall NSA 2400MX includes the following elements:

Dual core 700 MHz CPU
8 Gigabit Ethernet interfaces
16 10/100 Megabit Fast Ethernet interfaces
1 Gigabit Ethernet WAN port
1 Gigabit Ethernet LAN port
2 USB extension ports that support external 3G wireless cards or V.90 analog modem cards
2 Expansion Slots for future use

Switching Glossary

 

Switching Glossary Terms

BPDU

Bridge Protocol Data Unit – Used in RSTP, BPDUs are special data frames used to exchange information about bridge IDs and root path costs. BPDUs are exchanged every few seconds to allow switches to keep track of network topology and start or stop port forwarding.

CoS

Class of Service – CoS (IEEE 802.1p) defines eight different classes of service that are indicated in a 3-bit user_priority field in an IEEE 802.1Q header added to an Ethernet frame when using tagged frames on an 802.1 network.

DSCP

Differentiated Services Code Point – Also known as DiffServ, DSCP is a networking architecture that defines a simple, coarse-grained, class-based mechanism for classifying and managing network traffic and providing Quality of Service (QoS) guarantees on IP networks. RFC 2475, published in 1998 by the IETF, defines DSCP. DSCP operates by marking an 8-bit field in the IP packet header.

IETF

Internet Engineering Task Force – The IETF is an open standards organization that develops and promotes Internet standards.

L2

OSI Layer 2 (Ethernet) – Layer 2 of the seven layer OSI model is the Data Link Layer, on which the Ethernet protocol runs. Layer 2 is used to transfer data among network entities.

LACP

Link Aggregation Control Protocol – LACP is an IEEE specification that provides a way to combine multiple physical ports together to form a single logical channel. LACP allows load balancing by the connected devices.

LLDP

Link Layer Discovery Protocol (IEEE 802.1AB) – LLDP is a Layer 2 protocol used by network devices to communicate their identity, capabilities, and interconnections. This information is stored in a MIB database on each host, which can be queried with SNMP to determine the network topology. The information includes system name, port name, VLAN name, IP address, system capabilities (switching, routing), MAC address, link aggregation, and more.

LLTD

Link Layer Topology Discovery (Microsoft Standard) – LLTD is a Microsoft proprietary protocol with functionality similar to LLDP. It operates on wired or wireless networks (Ethernet 802.3 or wireless 802.11). LLTD is included on Windows Vista and Windows 7, and can be installed on Windows XP.

PDU

Protocol Data Unit – In the context of the Switching feature, the Layer 2 PDU is the frame. It contains the link layer header followed by the packet.

RSTP

Rapid Spanning Tree Protocol (IEEE 802.1D-2004) – RSTP was defined in 1998 as an improvement to Spanning Tree Protocol. It provides faster spanning tree convergence after a topology change.

Configuring Switching

How to configure switching is described in the following:

 

Configuring VLAN Trunking

 
* NOTE: Switching is available on the NSA 2400MX only.

Switching > VLAN Trunking

Unassigned switch ports on the SonicWall NSA 2400MX appliance can function as VLAN trunk ports.

You can enable or disable VLANs on the trunk ports, allowing the existing VLANs on the SonicWall NSA 2400MX appliance to be bridged to respective VLANs on another switch connected via the trunk port. The SonicWall NSA 2400MX appliance supports 802.1Q encapsulation on the trunk ports. A maximum of 25 VLANs can be enabled on each trunk port.

The VLAN trunking feature provides the following functions:

Change VLAN IDs of existing PortShield groups
Add/delete VLAN trunk ports
Enable/disable VLANs on the trunk ports

The allowed VLAN ID range is 1-4094. Some VLAN IDs are reserved for PortShield use. The reserved range is displayed in the Switching > VLAN Trunking page. You can mark certain PortShield groups as Trunked. When the PortShield group is dismantled, the associated VLAN is automatically disabled on the trunk ports.

VLANs can exist locally in the form of PortShield groups or can be entirely remote VLANs. For example, the Network > PortShield page might show a PortShield group with X14 as the PortShield interface and X15, X16, and X17 as members of the PortShield group, with X20 and X21 configured as VLAN trunk ports.

You can change the VLAN ID of PortShield groups on the SonicWall NSA 2400MX appliance. This allows easy integration with existing VLAN numbering.

Unlike traditional Layer 2 switches, the SonicWall NSA 2400MX appliance does not allow changing port VLAN membership in an ad-hoc manner. VLAN membership of a port must be configured via PortShield configuration in the SonicOS management interface. For more information about configuring PortShield groups, see Network > PortShield Groups.

A virtual interface (called the VLAN Trunk Interface) is automatically created for remote VLANs. When the same remote VLAN is enabled on another trunk port, no new interface is created. All packets with the same VLAN tag ingressing on different trunk ports are handled by the same virtual interface. This is a key difference between VLAN sub-interfaces and VLAN trunk interfaces.

The Name column on the Network > Interfaces page displays the VLAN Trunk Interfaces for the VLAN trunks on which VLAN IDs 100 and 200 are enabled.

You can enable any VLAN, local or remote, on a VLAN trunk to allow bridging to respective VLANs on another switch. For example, local VLAN 3787, created from a PortShield group, can be enabled on the VLAN trunk for port X20, which also has two remote VLANs enabled on it.

The VLAN Table on the Switching > VLAN Trunking page displays the trunk port, X20, as a member of local VLAN 3787 after the VLAN is enabled on the VLAN trunk.

Sample VLAN Trunk Topology illustrates a VLAN trunk with two trunk ports, bridging the Sales, Engineering, QA, and Finance VLANs through the NSA 2400MX. Each remote VLAN was enabled on VLAN trunk port X20 initially, causing the creation of four virtual VLAN trunk interfaces. When these VLANs were also enabled on trunk port X21, no new virtual interfaces were created.

Sample VLAN Trunk Topology

VLAN trunking interoperates with Rapid Spanning Tree Protocol (RSTP), Link Aggregation and Port Mirroring features. A VLAN trunk port can be mirrored, but cannot act as a mirror port itself. You cannot enable Static port security on the VLAN trunk port.

Ports configured as VLAN trunks cannot be used for any other function and are reserved for use in Layer 2 only. For example, you cannot configure an IP Address for the trunk ports.

When a Trunk VLAN interface has been configured on a particular trunk port, that trunk port cannot be deleted until the VLAN interface is removed, even though the VLAN is enabled on multiple trunk ports. This is an implementation limitation and will be addressed in a future release.
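The trunk behaviour described above (VLAN IDs limited to 1-4094 and excluding the reserved range, at most 25 VLANs per trunk port, one VLAN Trunk Interface per VLAN ID shared by every trunk port carrying it, and frames for a VLAN that is not enabled on the ingress trunk being dropped) is easier to see in code. The following Python is an added example, not code from this guide or from SonicWall; the interface naming, the reserved range used, and the frame contents are assumptions constructed for the example.

```python
import struct

ETHERTYPE_8021Q = 0x8100          # TPID of an 802.1Q tag
VLAN_ID_MIN, VLAN_ID_MAX = 1, 4094
MAX_VLANS_PER_TRUNK = 25
# Hypothetical reserved range. The real range is displayed on the
# Switching > VLAN Trunking page; this one is made up for the example.
RESERVED_VLAN_IDS = range(4000, 4021)


def build_tagged_frame(dst, src, vid, pcp=0, ethertype=0x0800, payload=b"\x00" * 46):
    """Construct an 802.1Q-tagged Ethernet frame (constructed sample input)."""
    tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)
    return dst + src + struct.pack("!HHH", ETHERTYPE_8021Q, tci, ethertype) + payload


def parse_vlan_tag(frame):
    """Return (vid, pcp) for a tagged frame, or None if untagged or too short."""
    if len(frame) < 18:
        return None
    tpid, tci = struct.unpack_from("!HH", frame, 12)
    if tpid != ETHERTYPE_8021Q:
        return None
    return tci & 0x0FFF, tci >> 13


def validate_vlan_id(vid):
    """Apply the page's rules: 1-4094, and not in the PortShield-reserved range."""
    if not VLAN_ID_MIN <= vid <= VLAN_ID_MAX:
        raise ValueError(f"VLAN ID {vid} outside {VLAN_ID_MIN}-{VLAN_ID_MAX}")
    if vid in RESERVED_VLAN_IDS:
        raise ValueError(f"VLAN ID {vid} is reserved for PortShield use")


class VlanTrunking:
    """Tracks which VLANs are enabled on each trunk port and the VLAN Trunk
    Interfaces, which exist once per VLAN ID rather than once per port."""

    def __init__(self, trunk_ports):
        self.enabled = {port: set() for port in trunk_ports}
        self.interfaces = {}  # vid -> interface name (the naming is an assumption)

    def enable_vlan(self, port, vid):
        validate_vlan_id(vid)
        if vid not in self.enabled[port] and len(self.enabled[port]) >= MAX_VLANS_PER_TRUNK:
            raise ValueError(f"{port} already has {MAX_VLANS_PER_TRUNK} VLANs enabled")
        self.enabled[port].add(vid)
        # Enabling the same VLAN on a second trunk port reuses the interface.
        return self.interfaces.setdefault(vid, f"VLAN Trunk {vid}")

    def dismantle_vlan(self, vid):
        """Model a PortShield group being dismantled: the VLAN is disabled on
        every trunk port and its trunk interface disappears with it."""
        for vids in self.enabled.values():
            vids.discard(vid)
        self.interfaces.pop(vid, None)

    def dispatch(self, ingress_port, frame):
        """Return the trunk interface that handles the frame, or None when it
        must be dropped (untagged, or VLAN not enabled on that trunk port)."""
        tag = parse_vlan_tag(frame)
        if tag is None:
            return None
        vid, _pcp = tag
        if vid not in self.enabled[ingress_port]:
            return None
        return self.interfaces[vid]
```

Enabling VLAN 100 on both X20 and X21 returns the same interface object, which is the difference between VLAN trunk interfaces and ordinary VLAN sub-interfaces that the text points out; a frame tagged with a VLAN that was never enabled on its ingress trunk is dropped rather than bridged.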


Editing VLANs

To edit a VLAN:
1. On the Switching > VLAN Trunking page, click the Configure icon in the VLAN Table row for the VLAN ID you want to edit. The Edit Vlan for PortShield dialog displays.
2. Do one of the following:
   Type a different VLAN ID into the Vlan ID field. You can enter any VLAN ID except the original system-specified VLAN ID or any others in the Reserved VLAN IDs.
   Use the VLAN ID number in the Vlan ID field that matches the one for which you clicked the Configure icon.
3. To enable trunking for this VLAN, select the Trunked check box. This option is disabled by default. To disable trunking for this VLAN, clear the check box.
4. Click OK.

Adding a VLAN Trunk Port

To add a VLAN trunk port:
1. On the Switching > VLAN Trunking page under VLAN Trunks, click the Add button. The Add VLAN Trunk Port dialog displays.
2. Select the port to add from the Trunk Port drop-down menu.
3. Click OK.

Deleting VLAN Trunk Ports

To delete one or more VLAN trunk ports:
1. On the Switching > VLAN Trunking page under VLAN Trunks, select one or more check boxes for the VLAN trunk ports you want to delete. The Delete button becomes active and available.
2. Click the Delete button. A confirmation dialog displays.
3. Click OK.

Enabling a VLAN on a Trunk Port

To enable a custom VLAN ID on a specific trunk port:
1. On the Switching > VLAN Trunking page under VLAN Trunks, click the Enable VLAN button. The Enable VLAN dialog displays.
2. Select a trunked port from the Trunked Port drop-down menu. This is the port that you want to use to trunk the VLAN ID indicated in the next field.
3. In the VLAN ID field, type in the VLAN ID to be trunked. This can be a VLAN ID on another switch.
4. Click OK.

 

Configuring RSTP Bridge and Port Settings

* NOTE: Switching is available on the NSA 2400MX only.

Switching > Rapid Spanning Tree

The Rapid Spanning Tree Protocol (RSTP) is implemented to support Layer 2 network designs with redundant paths.

SonicWall’s RSTP implementation conforms to the IEEE 802.1D-2004 specification. The 802.1D specification is VLAN unaware and creates a common spanning tree (CST) that is applied to all VLANs present in the network. The RSTP implementation is backward compatible with the original 802.1D standard (STP).

RSTP supports configuration of the following objects:

Bridge Priority
Trunk ports on which RSTP is enabled/disabled
Port Priority
Port Cost
Hello Time
Forward Delay

Auto detection of non-edge ports is not supported. A non-edge port is one that is connected directly to an end-user computer such as a PC or laptop.

You can enable or disable RSTP on VLAN trunk ports only. By default, RSTP is disabled on trunk ports. Enable RSTP before physically connecting the NSA 2400MX to another switch.

When the NSA 2400MX is booting up, ports are disabled until Spanning Tree configuration is applied. The NSA 2400MX automatically soft-bridges the STP Bridge Protocol Data Units (BPDUs) between the ports to prevent loops when ports in the same VLAN (PortShield group or L2 Bridge mode) are connected to another switch. This allows the remote switch to detect that its ports are connected to another switch and it can automatically block certain ports.

Spanning Tree Configuration

You can view the following in the Switching > Rapid Spanning Tree page:

Current port status (forwarding, discarding, blocking)
Roles (root, designated, alternate, backup, disabled)
Current Root Bridge ID, priority, and other information
BPDU Rx/Tx counters

You can configure the following in the Switching > Rapid Spanning Tree page:

Port Cost – Can be left in auto-mode, in which case port cost will be determined based on link speed.
Port Priority – Defaults to the interface number unless configured otherwise. A lower number means higher priority. Port priority only matters when ports are connected to the same switch and there is a possible loop. The port with the lower priority (the higher number) is blocked.

Bridge Information Table

The Bridge Information table displays information, such as root bridge ID, priority, and path cost.

Configuring Bridge Settings

To configure RSTP Bridge Settings:
1. Navigate to the Bridge Settings section of the Switching > Rapid Spanning Tree page.
2. To specify the spanning tree protocol version to use, select one of the following from the Force Version drop-down menu:
   RSTP Operation (default) – Use Rapid Spanning Tree Protocol.
   STP Only – Use the original Spanning Tree Protocol.
3. To specify the priority of the root bridge, type the desired priority into the Bridge Priority field. The minimum is 0, the maximum is 61440, and the default is 32768.
4. To specify the Hello time, type the desired number of seconds into the Hello Time (secs) field. The Hello time is the time interval between transmissions of BPDUs by the root bridge. The default is 3 seconds, and the range is 1 to 10 seconds. The Hello time is communicated to other switches by including it in the BPDU.
5. To specify the forward delay, type the desired number of seconds into the Forward Delay (secs) field. The forward delay is the time allowed for the listening and learning states. The default is 15 seconds, and the range is 4 to 30 seconds. The forward delay setting is communicated to other switches by including it in the BPDU.
6. When finished, click Accept.

Configuring Port Settings

When port settings have been specified for an interface, the Port Settings table on the Switching > Rapid Spanning Tree page contains a row for that interface. A Configure icon is enabled for it unless Link Aggregation is enabled for the interface.

To configure Port Settings:
1. Navigate to the Port Settings section of the Switching > Rapid Spanning Tree page.
2. Click the Configure icon in the row for the interface you want to edit.
3. In the Edit RSTP Settings window, select the Enable RSTP check box to enable Rapid Spanning Tree Protocol for this interface. Clear the check box to disable RSTP on this interface.
4. To specify the path cost for the port, type the desired cost value into the Port Path Cost field. If left in auto-mode, the port cost is determined based on link speed. You can also assign an arbitrary cost value or base the cost on guidelines provided by the RSTP or STP specification. The cost is higher for lower bandwidth connections. According to some guidelines, the cost of a 1 Gbps connection would be 2, compared to a cost of 100 for a 10 Mbps connection.
5. To specify the port priority, type the desired priority into the Port Priority field. A lower number indicates higher priority. Port priority matters when multiple ports are connected to the same switch and there is a possible loop. The port with the lower priority (the higher number) is blocked.
6. Click OK.
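To make the Bridge Settings and Port Settings procedures above concrete, here is an added Python example, not code from this guide or from SonicWall. It applies the Bridge Priority, Hello Time and Forward Delay ranges given in the steps, orders Bridge IDs the way the root election does, derives an auto-mode path cost from link speed, chooses which of two redundant ports forwards, and includes a defensive check you can run against the Bridge Information table to notice when a different bridge has won the root election. Two things are assumptions beyond the page: the auto cost table uses the IEEE 802.1D-2004 recommended values rather than the "some guidelines" figures quoted in step 4, and the multiple-of-4096 priority check reflects the 802.1D-2004 encoding, which the guide does not state. The MAC addresses in the test are constructed.

```python
from dataclasses import dataclass

PRIORITY_MIN, PRIORITY_MAX, PRIORITY_DEFAULT = 0, 61440, 32768
PRIORITY_STEP = 4096            # 802.1D-2004 keeps the priority in the top 4 bits of a 16-bit field
HELLO_RANGE = (1, 10)           # seconds, as given in the Bridge Settings procedure
FORWARD_DELAY_RANGE = (4, 30)   # seconds
# Auto-mode path cost by link speed (Mb/s), using the IEEE 802.1D-2004 recommended values.
AUTO_PORT_COST = {10: 2_000_000, 100: 200_000, 1_000: 20_000, 10_000: 2_000}


@dataclass(frozen=True, order=True)
class BridgeId:
    """Orders by (priority, MAC): the lowest Bridge ID in the network becomes the root."""
    priority: int
    mac: bytes


def check_priority(priority):
    if not PRIORITY_MIN <= priority <= PRIORITY_MAX or priority % PRIORITY_STEP:
        raise ValueError(f"bridge priority {priority} must be a multiple of "
                         f"{PRIORITY_STEP} between {PRIORITY_MIN} and {PRIORITY_MAX}")
    return priority


def validate_timers(hello, forward_delay):
    """Range checks for the Hello Time and Forward Delay fields."""
    if not HELLO_RANGE[0] <= hello <= HELLO_RANGE[1]:
        raise ValueError(f"hello time {hello}s outside {HELLO_RANGE}")
    if not FORWARD_DELAY_RANGE[0] <= forward_delay <= FORWARD_DELAY_RANGE[1]:
        raise ValueError(f"forward delay {forward_delay}s outside {FORWARD_DELAY_RANGE}")
    return True


def make_bridge_id(priority, mac):
    """mac is a colon-separated string such as '00:11:22:33:44:55' (constructed)."""
    return BridgeId(check_priority(priority), bytes.fromhex(mac.replace(":", "")))


def elect_root(bridge_ids):
    """Root election: the bridge advertising the lowest Bridge ID wins."""
    return min(bridge_ids)


def port_path_cost(link_speed_mbps, configured=None):
    """A configured Port Path Cost wins; auto-mode derives the cost from link speed."""
    return configured if configured is not None else AUTO_PORT_COST[link_speed_mbps]


def choose_forwarding_port(ports):
    """Among redundant ports to the same switch, the port with the lowest
    (path cost, port priority) forwards and the others are blocked.
    ports: list of (name, path_cost, port_priority); a lower priority number wins."""
    ranked = sorted(ports, key=lambda p: (p[1], p[2]))
    return ranked[0][0], [p[0] for p in ranked[1:]]


def root_changed(expected_root, observed_root):
    """Defensive check against the Bridge Information table: if the observed
    root is not the bridge you intended, another device has won the election."""
    return observed_root != expected_root
```

Because the election is decided purely by the lowest (priority, MAC) pair, a bridge left at the default 32768 loses to anything configured lower; comparing the root ID shown in the Bridge Information table against the bridge you intended to be root is the simplest way to catch an unexpected topology change.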

 

Monitoring L2 Discovery

* NOTE: Switching is available on the NSA 2400MX only.

Switching > Layer 2 Discovery

The NSA 2400MX uses IEEE 802.1AB (LLDP)/Microsoft LLTD protocols and switch forwarding table to discover nodes visible from a port. These are Layer 2 protocols and do not cross a broadcast domain. More information is available at the following links:

http://en.wikipedia.org/wiki/Link_Layer_Topology_Discovery

http://en.wikipedia.org/wiki/Link_Layer_Discovery_Protocol

An ARP table is used to connect MAC addresses to IP addresses.
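Because LLDP announcements are unauthenticated Layer 2 frames from whatever is plugged into a port, the receiver has to treat them as untrusted input and bounds-check every TLV. The following Python is an added example (not SonicWall code and not the appliance's own parser) that builds a constructed LLDP frame and then decodes the fields the Layer 2 Discovery page reports: chassis ID, port ID, TTL, system name and capabilities. TLV type numbers, the MAC and interface-name subtypes, and the capability bit positions are those of IEEE 802.1AB; the neighbour name, MAC and port are made up.

```python
import struct

LLDP_MULTICAST = bytes.fromhex("0180c200000e")   # nearest-bridge group address
ETHERTYPE_LLDP = 0x88CC
TLV_END, TLV_CHASSIS, TLV_PORT, TLV_TTL = 0, 1, 2, 3
TLV_PORT_DESC, TLV_SYS_NAME, TLV_SYS_DESC, TLV_SYS_CAPS = 4, 5, 6, 7
CHASSIS_SUBTYPE_MAC, PORT_SUBTYPE_IFNAME = 4, 5
# System capability bits from IEEE 802.1AB-2005, Table 9-4
CAPABILITY_BITS = {0x01: "other", 0x02: "repeater", 0x04: "bridge", 0x08: "wlan-ap",
                   0x10: "router", 0x20: "telephone", 0x40: "docsis", 0x80: "station"}


def tlv(tlv_type, value):
    """Encode one TLV: 7-bit type, 9-bit length, then the value."""
    if len(value) > 0x1FF:
        raise ValueError("TLV value too long")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_lldp_frame(src_mac, port_name, ttl, sys_name, caps, caps_enabled):
    """Construct a complete LLDP frame (constructed sample input, not a capture)."""
    pdu = (tlv(TLV_CHASSIS, bytes([CHASSIS_SUBTYPE_MAC]) + src_mac)
           + tlv(TLV_PORT, bytes([PORT_SUBTYPE_IFNAME]) + port_name.encode())
           + tlv(TLV_TTL, struct.pack("!H", ttl))
           + tlv(TLV_SYS_NAME, sys_name.encode())
           + tlv(TLV_SYS_CAPS, struct.pack("!HH", caps, caps_enabled))
           + tlv(TLV_END, b""))
    return LLDP_MULTICAST + src_mac + struct.pack("!H", ETHERTYPE_LLDP) + pdu


def iter_tlvs(pdu):
    """Yield (type, value) pairs, refusing any length that runs past the buffer."""
    off = 0
    while True:
        if off + 2 > len(pdu):
            raise ValueError("truncated LLDPDU: missing TLV header")
        header, = struct.unpack_from("!H", pdu, off)
        tlv_type, length = header >> 9, header & 0x1FF
        off += 2
        if off + length > len(pdu):
            raise ValueError(f"truncated LLDPDU: TLV type {tlv_type} claims {length} bytes")
        yield tlv_type, pdu[off:off + length]
        off += length
        if tlv_type == TLV_END:
            return


def mac_str(raw):
    return ":".join(f"{x:02x}" for x in raw)


def parse_lldp_frame(frame):
    """Return the neighbour attributes the L2 Discovery page would display."""
    if len(frame) < 14 or frame[:6] != LLDP_MULTICAST \
            or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_LLDP:
        raise ValueError("not an LLDP frame")
    tlvs = list(iter_tlvs(frame[14:]))
    # 802.1AB requires Chassis ID, Port ID and TTL first, in that order.
    if [t for t, _ in tlvs[:3]] != [TLV_CHASSIS, TLV_PORT, TLV_TTL]:
        raise ValueError("mandatory TLVs missing or out of order")
    info = {"source_mac": mac_str(frame[6:12]), "capabilities": []}
    for tlv_type, value in tlvs:
        if tlv_type == TLV_CHASSIS and value:
            info["chassis_id"] = mac_str(value[1:]) if value[0] == CHASSIS_SUBTYPE_MAC else value[1:].hex()
        elif tlv_type == TLV_PORT and value:
            info["port_id"] = value[1:].decode("ascii", "replace") if value[0] == PORT_SUBTYPE_IFNAME else value[1:].hex()
        elif tlv_type == TLV_TTL and len(value) == 2:
            info["ttl"] = struct.unpack("!H", value)[0]
            info["shutdown"] = info["ttl"] == 0   # TTL 0 announces the neighbour is going away
        elif tlv_type == TLV_SYS_NAME:
            info["system_name"] = value.decode("utf-8", "replace")
        elif tlv_type == TLV_SYS_CAPS and len(value) == 4:
            _caps, enabled = struct.unpack("!HH", value)
            info["capabilities"] = [name for bit, name in CAPABILITY_BITS.items() if enabled & bit]
    return info
```

The length check in iter_tlvs is the part that matters for robustness: a 9-bit length field can claim more bytes than the frame contains, and a parser that slices without checking will either read garbage or fail in an uncontrolled way.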

* NOTE: Windows XP users need to download, install, and enable the LLTD responder driver from Microsoft.

Refreshing the Display

The LLDP transmitter is not implemented in SonicOS Enhanced 5.7.0.0. This feature does not proactively manage the discovery. Discovery is active when the system boots up and then does not restart unless you click the L2 Discovery Refresh icon in the View All column.

To restart Layer 2 discovery on multiple interfaces:
1. Select the check box next to the desired interfaces.
2. Click the Refresh Selected button at the bottom of the page.

Displaying Details about an Interface

To display data about an interface:
1. Click the Show Details icon in the View All column for the interface. The Interface dialog displays.

 

Configuring and Displaying Aggregation for Interfaces

* NOTE: Switching is available on the NSA 2400MX only.

Switching > Link Aggregation

Link Aggregation allows port redundancy and load balancing in Layer 2 networks. Load balancing is controlled by the hardware, based on source and destination MAC address pairs. The Switching > Link Aggregation page provides information and statistics, and allows configuration of interfaces for aggregation.


About Link Aggregation

Static and Dynamic Link Aggregation are supported. Dynamic Link Aggregation is supported with the use of LACP (IEEE 802.1AX). Ports that are in the same VLAN (same PortShield Group) or are VLAN trunk ports are eligible for link aggregation. Up to four ports can be aggregated in a logical group and there can be four Logical Links (LAGs) configured.

Two main types of usage are enabled by this feature:

NSA 2400MX to Server – This is implemented by enabling Link Aggregation on ports within the same VLAN (same PortShield Group). This configuration allows port redundancy, but does not support load balancing in the NSA 2400MX-to-Server direction due to a hardware limitation on the NSA 2400MX.
NSA 2400MX to Switch – This is allowed by enabling Link Aggregation on VLAN trunk ports. Load balancing is automatically performed by the hardware. The NSA 2400MX supports one load balancing algorithm based on source and destination MAC address pairs.

Sample Logical Link (LAG) Configuration shows LAGs to a server and to a switch:

Sample Logical Link (LAG) Configuration

Similarly to PortShield configuration, you select an interface that represents the aggregated group. This port is called an aggregator. The aggregator port must be assigned a unique key. By default, the aggregator port key is the same as its interface number. Non-aggregator ports can be optionally configured with a key, which can help prevent an erroneous LAG if the switch connections are wired incorrectly.

Ports bond together if connected to the same link partner and their keys match. If there is no key configured for a port (if the port is in auto mode), it will bond with an aggregator that is connected to the same link partner. The link partner is discovered via LACP messages. A link partner cannot be discovered for Static link aggregation. In this case, ports aggregate based on keys alone.

Like a PortShield host, the aggregator port cannot be removed from the LAG since it represents the LAG in the system.
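The bonding rules in the two paragraphs above (same link partner plus matching keys; an Auto-Detect port bonds with an aggregator on the same partner; static members, having no LACP-learned partner, bond on keys alone) and the MAC-pair load balancing are shown in the following added Python example. It is not SonicWall code. The XOR fold used for member selection is an assumption, since the page states only that the hardware balances on source and destination MAC address pairs without documenting the function; the port names, keys and MAC addresses are constructed.

```python
from dataclasses import dataclass
from typing import Optional

MAX_PORTS_PER_LAG = 4
MAX_LAGS = 4


@dataclass
class LagPort:
    name: str
    number: int                      # interface number, e.g. 20 for X20
    aggregator: bool = False
    key: Optional[int] = None        # None means Auto-Detect is enabled
    lacp: bool = False
    partner: Optional[str] = None    # link partner learned via LACP; None for static
    link_up: bool = True

    @property
    def effective_key(self):
        # By default the aggregator's key is its interface number.
        if self.key is None and self.aggregator:
            return self.number
        return self.key


def bonds_with(port, agg):
    """Decide whether a non-aggregator port joins the aggregator's LAG."""
    if port.lacp and agg.lacp:
        same_partner = port.partner is not None and port.partner == agg.partner
        if port.key is None:                       # auto mode: partner alone decides
            return same_partner
        return same_partner and port.key == agg.effective_key
    # Static aggregation: no partner can be discovered, so keys alone decide.
    return port.key is not None and port.key == agg.effective_key


def form_lags(ports):
    """Return {aggregator name: [member names]} honouring the page's size limits."""
    aggs = [p for p in ports if p.aggregator]
    if len(aggs) > MAX_LAGS:
        raise ValueError(f"at most {MAX_LAGS} LAGs are supported")
    lags = {}
    for agg in aggs:
        members = [agg.name] + [p.name for p in ports if not p.aggregator and bonds_with(p, agg)]
        if len(members) > MAX_PORTS_PER_LAG:
            raise ValueError(f"LAG {agg.name} would have {len(members)} ports; limit is {MAX_PORTS_PER_LAG}")
        lags[agg.name] = members
    return lags


def select_member(src_mac, dst_mac, members):
    """Illustrative MAC-pair hash (assumption, see lead-in). A given pair always
    lands on the same member, and only link-up members are eligible, which is
    what gives the LAG its redundancy when one link fails."""
    live = [m for m in members if m.link_up]
    if not live:
        return None
    digest = 0
    for byte in src_mac + dst_mac:
        digest ^= byte
    return live[digest % len(live)].name
```

The miswired case is why keys on non-aggregator ports are worth configuring: a port that reports a different link partner, or carries a different key, stays out of the LAG instead of silently joining it.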

* NOTE: Once link aggregation has been enabled on VLAN trunk ports, additional VLANs cannot be added or deleted on the LAG.
* NOTE: If you need to enable RSTP on the LAG, first enable RSTP on the individual members and then enable link aggregation.

Creating a Logical Link (LAG)

To create a Logical Link (LAG):
1. On the Switching > Link Aggregation page, click the Add button. The Add LAG Port dialog displays.
2. Select the interface from the Port drop-down list.
3. To specify a key:
   a. Clear the Auto-Detect check box.
   b. Enter the desired key into the Key field.
4. If this interface will be the aggregator for the LAG, select the Aggregator check box. Only one interface can be an aggregator for a LAG.
5. To enable LACP, select the LACP Enable check box. Dynamic Link Aggregation is supported with the use of LACP. The link partner is discovered via LACP messages.
6. Click OK.
7. On the Switching > Link Aggregation page, click the Add button again. The Add LAG Port dialog displays.
8. Select the interface for the link partner from the Port drop-down list.
9. If you specified a key for the first interface (the aggregator):
   a. Clear the Auto-Detect check box.
   b. Enter the same key into the Key field.
   If you left Auto-Detect enabled for the first interface, leave it enabled for this one as well.
10. Clear the Aggregator check box. Only one interface can be an aggregator for a LAG.
11. Select the LACP Enable check box.
12. Click OK.

The Switching > Link Aggregation page displays the LAG. The Partner column displays the MAC addresses of the link partners after they are physically connected.

Displaying LAG Port Statistics

You can display statistics about a LAG port by mousing over the Statistics icon for the port.

Deleting a Link Aggregation Port

To delete a link aggregation port, click the Delete icon in the Action column for the port.

 

Configuring Mirrored Ports

* NOTE: Switching is available on the NSA 2400MX only.

Switching > Port Mirroring

You can configure Port Mirroring on the SonicWall NSA 2400MX to send a copy of network packets seen on one or more switch ports (or on a VLAN) to another switch port, called the mirror port. By connecting to the mirror port, you can monitor the traffic passing through the mirrored port(s).

A VLAN trunk port can be mirrored, but cannot act as a mirror port itself.

The Switching > Port Mirroring page allows you to assign mirror ports to mirror ingress, egress, or bidirectional packets coming from a group of ports.


Configuring a Port Mirroring Group

To create a new port mirroring group:
1. On the Switching > Port Mirroring page, click the New Group button. The Edit Mirror Group dialog displays.
2. Enter a descriptive name for the group into the Interface Group Name field.
3. For the Direction, select one of the following:
   ingress – Monitor traffic arriving on the mirrored port(s).
   egress – Monitor traffic being sent out on the mirrored port(s).
   both – Monitor traffic in both directions on the mirrored port(s).
4. To enable port mirroring for these ports, select the Enable check box.
   * TIP: You can enable mirroring later through the Groups table on the Switching > Port Mirroring page.
5. In the All Interfaces list:
   a. Select the port to mirror the traffic to.
   b. Click the top right-arrow button to move the port to the Mirror Port field.
   You must use an unassigned port as the mirror port. The Mirror Port must have a lower number than the Mirrored Ports. For example, specify X9 as a Mirror Port and X10 as the Mirrored Port. Specifying X10 as the Mirror Port and X9 as the Mirrored Port results in a "Data is incorrectly formatted" error.
6. In the All Interfaces list:
   a. Select one or more ports to be monitored.
   b. Click the lower right-arrow button to move them to the Mirrored Ports field.
   You will be able to monitor traffic on the mirrored port(s) by connecting to the mirror port.
7. Click OK.

Deleting Entries in a Port Mirroring Group

To remove entries in a port mirroring group:
1. On the Switching > Port Mirroring page, select the check box next to the port mirroring group or Mirrored Port entries you want to delete. The Ungroup button becomes active and available.
   * NOTE: Selecting the Mirror Group instead of Mirrored Ports deletes the group.
2. Click the Ungroup button. A confirmation dialog displays.
3. Click OK.

Deleting a Single Mirror Port or Group

To remove a single Mirror Port or a port mirroring group:
1. On the Switching > Port Mirroring page, click the Delete icon for the Mirror Port entry or mirroring group you want to delete. The Ungroup button becomes active and available. A confirmation dialog displays.
2. Click OK.

 

Configuring Per-Interface QoS

* NOTE: Switching is available on the NSA 2400MX only.

Switching > Layer 2 QoS

The SonicWall NSA 2400MX appliance can be configured to trust Class of Service (CoS) (IEEE 802.1p) and/or trust Differentiated Services Code Point (DSCP) per port and treat the frames appropriately.

The Switching > Layer 2 QoS page allows you to configure QoS (Quality of Service) settings per interface.

Four queues with different priority levels (low, normal, high, highest) are supported, as shown in Layer 2 QoS Priority Levels. These are mapped to the eight levels defined in IEEE 802.1p and cannot be changed.

 

Layer 2 QoS Priority Levels

User Priority   Traffic Type       Queue Priority
0               Best Effort        Normal
1               Background         Low
2               Spare              Low
3               Excellent Effort   Normal
4               Controlled Load    High
5               Video              High
6               Voice              Highest
7               Network Control    Highest

The DSCP mapping can be configured. Frames received on ports configured to trust CoS or DSCP are queued appropriately according to the mapping table. An option is provided to select the field to use when both the 802.1p tag field and the DSCP field are present in incoming frames.

For QoS settings, ports can be assigned a default priority. The default priority is used when Trust CoS or Trust DSCP is enabled, but the information is absent. When Fixed Priority is enabled, the 802.1p tag field and DSCP field are ignored and the default priority is used.


Configuring the Scheduling Mechanism

To configure Weighted Round-Robin or Strict Priority Queue as the output scheduling mechanism:
1. On the Switching > Layer 2 QoS page, select one of the following from the Output Scheduling Mechanism drop-down menu:
   Weighted Round-Robin – When Weighted Round-Robin is selected, the weighting factors are 8:4:2:1. This is the default.
   Strict Priority Queue – When Strict Priority Queue is used, the 802.1p tag field and DSCP field are ignored and the default priority is used.
2. Click the Accept button.

Configuring DSCP Mapping

You can configure the DSCP mapping by setting the priority levels for DSCP values 0 through 63. The Switching > Layer 2 QoS page also provides a Reset DSCP Remap button to reset the priority levels back to the default, which is Normal.

To configure DSCP mapping:
1. To show the DSCP Remap table, click Hide/Show next to the DSCP Remap Table heading. The priority settings for all DSCP values, 0 - 63, are displayed.
2. For each DSCP value (0 - 63) that you want to change, select one of the following from the Priority drop-down menu:
   Low
   Normal (default)
   High
   Highest
3. Click the Accept button. The DSCP Remap table is hidden, but if you show it again you will see the updated priority settings.
4. To reset all DSCP mapping back to the default, Normal:
   a. Click the Reset DSCP Remap button.
   b. Click OK in the confirmation dialog box.

Showing the CoS Remap Table

To show the CoS Remap table, click Hide/Show next to the CoS Remap Table heading. The priority levels cannot be configured.

To hide the CoS Remap table, click Hide/Show next to the CoS Remap Table heading again.

Configuring QoS Settings

The QoS Settings table lists all interfaces on the SonicWall NSA 2400MX. You can configure the QoS settings for each interface individually or for multiple interfaces at the same time.


Configuring QoS Settings for an Individual Interface

To configure QoS settings for frames received on an individual interface:
1. On the Switching > Layer 2 QoS page under QoS Settings, click the Configure icon in the row for the interface you want to configure. The Edit QoS Settings dialog opens.
2. To enable fixed priority for frames arriving on this interface, select the Fixed Priority check box. This option is disabled by default.
   * NOTE: When Fixed Priority is selected, the remaining check boxes are cleared and disabled (greyed out). The Fixed Priority check box must be cleared before you can select any other check box. If the Trust CoS and/or Trust DSCP check box is selected, the Fixed Priority check box becomes dimmed and disabled.
   With Fixed Priority, the CoS 802.1p tag field and DSCP field are ignored, and the ingress port’s default priority is always used.
3. To enable the use of the CoS 802.1p tag field settings for Quality of Service on this interface, select the Trust CoS check box. This option is enabled by default.
4. To enable the use of the DSCP field settings for Quality of Service on this interface, select the Trust DSCP check box.
5. If both Trust CoS and Trust DSCP are selected, do one of the following:
   Select the Prefer CoS check box to give preference to the CoS 802.1p tag field settings when both the 802.1p tag field and the DSCP field are present in incoming frames. This check box is selected by default.
   Clear the Prefer CoS check box to give preference to the DSCP field settings when both the 802.1p tag field and the DSCP field are present in incoming frames.
6. Select one of the following priority levels from the Default Priority drop-down menu:
   Low
   Normal (default)
   High
   Highest
   If incoming frames do not contain either a CoS 802.1p tag field or a DSCP field, the default priority is used.
7. Click OK.
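The queue decision that the Trust CoS, Trust DSCP, Prefer CoS, Fixed Priority and Default Priority settings produce (described under Switching > Layer 2 QoS above and in the per-interface steps just listed), together with the fixed 802.1p-to-queue table, the DSCP remap table and the 8:4:2:1 Weighted Round-Robin scheduler, is shown in the following added Python example. It is not SonicWall code; the sample frames and the DSCP remap entries used in the test are constructed.

```python
from dataclasses import dataclass

QUEUES = ("low", "normal", "high", "highest")
# Fixed 802.1p user_priority -> queue mapping from the Layer 2 QoS Priority Levels table
COS_TO_QUEUE = {0: "normal", 1: "low", 2: "low", 3: "normal",
                4: "high", 5: "high", 6: "highest", 7: "highest"}
WRR_WEIGHTS = {"highest": 8, "high": 4, "normal": 2, "low": 1}   # 8:4:2:1


def default_dscp_remap():
    """State after Reset DSCP Remap: every DSCP value 0-63 maps to Normal."""
    return {dscp: "normal" for dscp in range(64)}


def dscp_from_tos(tos_byte):
    """DSCP is the top six bits of the IP ToS / Traffic Class byte."""
    return tos_byte >> 2


@dataclass
class PortQoS:
    """Per-interface settings from the Edit QoS Settings dialog (dialog defaults)."""
    default_priority: str = "normal"
    fixed_priority: bool = False
    trust_cos: bool = True
    trust_dscp: bool = False
    prefer_cos: bool = True


def select_queue(port, cos=None, dscp=None, dscp_remap=None):
    """Pick the egress queue for a frame received on `port`.
    cos is the 802.1p user_priority (None when the frame is untagged);
    dscp is None for frames that carry no IP header."""
    if dscp_remap is None:
        dscp_remap = default_dscp_remap()
    if port.fixed_priority:
        return port.default_priority            # tag and DSCP are ignored
    cos_usable = port.trust_cos and cos is not None
    dscp_usable = port.trust_dscp and dscp is not None
    if cos_usable and dscp_usable:              # both present: Prefer CoS decides
        return COS_TO_QUEUE[cos] if port.prefer_cos else dscp_remap[dscp]
    if cos_usable:
        return COS_TO_QUEUE[cos]
    if dscp_usable:
        return dscp_remap[dscp]
    return port.default_priority                # trusted field absent: default priority


def weighted_round_robin(queues, rounds=1):
    """Serve up to 8/4/2/1 frames per round from highest down to low, so the
    lower queues keep a share of the link even under a burst of highest traffic.
    queues: dict queue name -> list of frames (consumed in place)."""
    served = []
    for _ in range(rounds):
        for name in ("highest", "high", "normal", "low"):
            for _ in range(WRR_WEIGHTS[name]):
                if queues[name]:
                    served.append(queues[name].pop(0))
    return served
```

With the dialog defaults an untagged frame goes to the default priority regardless of its DSCP value, because Trust DSCP is off; a port that trusts an attached device's markings is letting that device choose its queue, which is why Fixed Priority exists for ports where the markings should not be honoured.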

Configuring QoS Settings for Multiple Interfaces

To configure QoS settings for frames received on any of several interfaces:
1
On the Switching > Layer 2 QoS page under QoS Settings, select the checkboxes next to the interfaces you want to configure.
2
Click the Configure button at the bottom of the page. The Edit QoS Settings dialog opens.

3
The Keep original QoS mode of each port check box is selected by default. When this check box is selected, each individual port’s QoS mode remains unchanged, and only the Default Priority setting is changed to the configured value (Step 9) for each port being configured.

To activate the other check boxes in this dialog and make changes to the QoS settings of the selected interfaces, clear the Keep original QoS mode of each port check box.

4
To enable fixed priority for frames arriving on these interfaces, select the Fixed Priority check box.
5
When Fixed Priority is selected, the remaining check boxes are cleared and disabled (greyed out); the CoS 802.1p tag field and the DSCP field are then ignored, and the ingress port’s default priority is always used. The Fixed Priority check box must be cleared before you can select any other check box.

Conversely, if the Trust CoS and/or Trust DSCP check box is selected, the Fixed Priority check box becomes dimmed and disabled.

6
To enable the use of the CoS 802.1p tag field settings for Quality of Service on these interfaces, select the Trust CoS check box.
7
To enable the use of the DSCP field settings for Quality of Service on these interfaces, select the Trust DSCP check box.
8
If both Trust CoS and Trust DSCP are selected, do one of the following:
Select the Prefer CoS check box to give preference to the CoS 802.1p tag field settings when both the 802.1p tag field and the DSCP field are present in incoming frames. This check box is selected by default.
Clear the Prefer CoS check box to give preference to the DSCP field settings when both the 802.1p tag field and the DSCP field are present in incoming frames.
9
Select one of the following priority levels from the Default Priority drop-down menu:
Keep Original Settings – Choose this setting to allow each interface to default to its original individual QoS settings. This is the default setting.
Low
Normal
High
Highest

If incoming frames do not contain either a CoS 802.1p tag field or a DSCP field, the default priority is used.

10
Click OK.
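The two procedures above describe the same decision for one port or for several: which marking, if any, a frame arriving on the port is trusted for, and what happens when both markings are present or neither is. The following Python is an added example, not SonicOS code, that writes that decision out as a pure function so the precedence of the check boxes can be read and tested. The way 802.1p and DSCP values are folded onto the four SonicOS priority levels is an assumption for illustration; the guide does not publish the hardware’s mapping.

```python
# Added example: the Layer 2 QoS ingress decision described above, as a pure
# function. Not SonicOS code. The folding of 802.1p and DSCP values onto the
# four SonicOS priority levels is an ASSUMPTION for illustration; the guide
# does not publish the hardware's mapping.
from dataclasses import dataclass
from typing import Optional

LEVELS = ("Low", "Normal", "High", "Highest")


@dataclass(frozen=True)
class QosSettings:
    fixed_priority: bool = False
    trust_cos: bool = True        # selected by default, per the guide
    trust_dscp: bool = False
    prefer_cos: bool = True       # selected by default, per the guide
    default_priority: str = "Normal"

    def __post_init__(self) -> None:
        if self.default_priority not in LEVELS:
            raise ValueError("unknown priority level: %r" % self.default_priority)
        # The dialog greys out Trust CoS / Trust DSCP while Fixed Priority is
        # selected (and vice versa), so reject the combination instead of guessing.
        if self.fixed_priority and (self.trust_cos or self.trust_dscp):
            raise ValueError("Fixed Priority excludes Trust CoS and Trust DSCP")


def level_from_pcp(pcp: int) -> str:
    """ASSUMED mapping: 802.1p values 0-7 folded two per level."""
    if not 0 <= pcp <= 7:
        raise ValueError("PCP out of range")
    return LEVELS[pcp // 2]


def level_from_dscp(dscp: int) -> str:
    """ASSUMED mapping: DSCP values 0-63 folded sixteen per level."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP out of range")
    return LEVELS[dscp // 16]


def ingress_priority(cfg: QosSettings, pcp: Optional[int], dscp: Optional[int]) -> str:
    """Priority assigned to one ingress frame.

    pcp is None for an untagged frame (no 802.1p field); dscp is None for a
    frame that carries no IP header (no DSCP field).
    """
    if cfg.fixed_priority:
        return cfg.default_priority            # markings are ignored entirely
    cos_usable = cfg.trust_cos and pcp is not None
    dscp_usable = cfg.trust_dscp and dscp is not None
    if cos_usable and dscp_usable:             # both present and both trusted
        return level_from_pcp(pcp) if cfg.prefer_cos else level_from_dscp(dscp)
    if cos_usable:
        return level_from_pcp(pcp)
    if dscp_usable:
        return level_from_dscp(dscp)
    return cfg.default_priority                # no trusted marking in the frame


if __name__ == "__main__":
    edge = QosSettings(fixed_priority=True, trust_cos=False, default_priority="Low")
    print(ingress_priority(edge, pcp=7, dscp=46))   # Low: a self-marked host gains nothing
```

The practical point is the last branch and the Fixed Priority branch: on a port that faces user devices, trusting CoS or DSCP means any host can mark its own frames Highest and crowd out its neighbours, so select Fixed Priority (or clear both Trust check boxes) on untrusted edge ports and trust markings only on uplinks to equipment you control.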

 

Configuring Per-Interface Flow Control

* 
NOTE: Switching is available on the NSA 2400MX only.

Switching > Rate Control

The Switching > Rate Control page displays and configures per-interface rate control (ingress and egress bandwidth limits) and flow control.

Both the Rate Control and Flow Control features are controlled on a per-port basis.

The bandwidth of ingress frames can be limited in one of four modes, which differ only in which frames count against the limit:

Limit All (every ingress frame)
Limit Broadcast, Multicast and Flooded Unicast (broadcast and multicast frames, plus unicast frames whose destination is unknown to the switch and is therefore flooded to every port in the VLAN)
Limit Broadcast and Multicast
Limit Only Broadcast

Rate limiting of egress frames can only be enabled or disabled; no mode can be selected.

The ingress rate limit is rounded to the nearest increment, depending on the granularity available for that rate. The granularities are different depending on the range of rates:

128kbps ~ 1Mbps – increments of 64kbps
1Mbps ~ 100Mbps – increments of 1Mbps
100Mbps ~ 1000Mbps – increments of 10Mbps (for gigabit ports)

Back-pressure flow control on half-duplex ports and PAUSE frame-based flow control on full-duplex ports are provided so that no frames are lost under temporary traffic congestion.

Full-duplex flow control requires support from the peer end station and works as follows: when a port’s free buffer space is almost exhausted, the appliance sends a PAUSE frame with the maximum pause time to stop the remote node from sending more frames into the switch. The appliance also honors PAUSE frames it receives: once a PAUSE frame is detected, the port stops transmitting new data for the time given in the pause time field of the received frame. Because a port honors PAUSE frames from whatever is plugged into it, enable flow control only on ports that face trusted devices; a peer that keeps sending PAUSE frames with the maximum pause time can stall transmission on that port for as long as it keeps sending.

Half-duplex flow control (back pressure) throttles the throughput of an end station so that frames are not dropped during network congestion.
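To make the full-duplex mechanism concrete, the following Python is an added example, not SonicOS code, that builds and decodes an IEEE 802.3x PAUSE frame of the kind described above, converts its pause time into wall-clock time, and estimates how much of a capture window a peer kept a port paused. The frame layout (reserved destination 01-80-C2-00-00-01, EtherType 0x8808, opcode 0x0001, 16-bit pause time in units of 512 bit times) is from IEEE 802.3; the MAC address, capture and link speeds are constructed for illustration.

```python
# Added example (not SonicOS code): the IEEE 802.3x PAUSE frame that full-duplex
# flow control relies on, built and decoded from raw bytes, with its pause time
# converted to wall-clock time. The frames and link speeds below are constructed.
import struct
from typing import List, Optional, Tuple

PAUSE_DST = bytes.fromhex("0180c2000001")   # reserved multicast; bridges never forward it
MAC_CONTROL_ETHERTYPE = 0x8808
PAUSE_OPCODE = 0x0001
MAX_PAUSE_QUANTA = 0xFFFF                   # the "maximum pause time" the guide mentions
BITS_PER_QUANTUM = 512                      # one pause quantum = 512 bit times


def build_pause_frame(src_mac: bytes, quanta: int = MAX_PAUSE_QUANTA) -> bytes:
    """Return a 60-byte (pre-FCS) PAUSE frame; quanta=0 tells the peer to resume."""
    if len(src_mac) != 6 or not 0 <= quanta <= 0xFFFF:
        raise ValueError("bad source MAC or pause time")
    header = PAUSE_DST + src_mac + struct.pack("!H", MAC_CONTROL_ETHERTYPE)
    body = struct.pack("!HH", PAUSE_OPCODE, quanta)
    return header + body + bytes(60 - len(header) - len(body))   # pad to minimum size


def parse_pause_frame(frame: bytes) -> Optional[Tuple[bytes, int]]:
    """Return (source MAC, pause quanta) or None if this is not a PAUSE frame."""
    if len(frame) < 18:
        return None
    dst, src, etype, opcode, quanta = struct.unpack("!6s6sHHH", frame[:18])
    if dst != PAUSE_DST or etype != MAC_CONTROL_ETHERTYPE or opcode != PAUSE_OPCODE:
        return None
    return src, quanta


def pause_seconds(quanta: int, link_bps: int) -> float:
    """Wall-clock time one PAUSE frame silences the receiver's transmitter."""
    return quanta * BITS_PER_QUANTUM / link_bps


def stall_fraction(frames: List[bytes], link_bps: int, capture_seconds: float) -> float:
    """Rough share of the capture window during which the port was paused.

    Each PAUSE frame restarts the peer's pause timer, so requested pause time
    only adds up while frames arrive slower than they expire; once they arrive
    faster the port is stalled continuously, which the cap at 1.0 reflects.
    """
    requested = 0.0
    for f in frames:
        parsed = parse_pause_frame(f)
        if parsed is not None:
            requested += pause_seconds(parsed[1], link_bps)
    return min(1.0, requested / capture_seconds)


if __name__ == "__main__":
    peer = bytes.fromhex("0242ac110002")                      # constructed MAC
    print(pause_seconds(MAX_PAUSE_QUANTA, 1_000_000_000))    # about 0.0336 s per frame at 1 Gbps
    # Constructed capture: 40 max-pause frames in one second on a gigabit port is
    # about 1.34 s of requested pause per second, i.e. the port never transmits.
    storm = [build_pause_frame(peer)] * 40
    print(stall_fraction(storm, 1_000_000_000, 1.0))
```

The numbers are worth keeping in mind when deciding where to enable flow control: a single maximum-length PAUSE frame silences a gigabit port for about 34 ms and a 100 Mbps port for about 335 ms, so a peer only needs to send a few dozen such frames per second to keep the port stalled. Run stall_fraction over PAUSE frames captured on a port to see whether a device is doing that.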

Configuring Rate Control Settings for an Interface

To configure rate control settings or to enable flow control:
1
On the Switching > Rate Control page, click the Configure icon in the row for the interface you want to configure. The Edit Rate Control Settings dialog opens.

2
To enable flow control on this interface, select the Enable Flow Control check box.
3
To set the mode for limiting the bandwidth of ingressing frames, select one of the following from the Ingress Mode drop-down menu:
Limit All
Limit Broadcast, Multicast and Flooded Unicast (default)
Limit Broadcast and Multicast
Limit Only Broadcast
4
Type the desired ingress rate limit in kilobits per second into the Ingress Rate field.

To turn off the ingress rate limit and allow unlimited traffic, enter 0 (zero).

The value you enter is rounded to the nearest increment, depending on the granularity available for that rate. The granularities are different depending on the range of rates:

128kbps ~ 1Mbps – increments of 64kbps
1Mbps ~ 100Mbps – increments of 1Mbps
100Mbps ~ 1000Mbps – increments of 10Mbps (for gigabit ports)
5
Type the desired egress rate limit in kilobits per second into the Egress Rate field.

To turn off the egress rate limit and allow unlimited traffic, enter 0 (zero). This is the default.

The value you enter is rounded to the nearest increment, depending on the granularity available for that rate. The granularities are the same as for the ingress rate.

6
Click OK.

 

Configuring Secure Ports

* 
NOTE: Switching is available on the NSA 2400MX only.

Switching > Port Security

To configure secure ports, create MAC address objects for the trusted MAC addresses and bind them to specific ports. A frame arriving on a secure port whose source MAC address is not in that port’s table is dropped.

* 
NOTE: Only static Port Security is supported; MAC addresses are not learned dynamically.
* 
NOTE: A secure port is meant to receive untagged frames only. A frame that carries a VLAN tag is discarded even when its source address (SA) is trusted.

An LACP port or VLAN trunk port cannot also be a secure port.

Each port can be configured to enable or disable the Discard Tagged option. When it is enabled, all frames carrying an IEEE 802.1Q VLAN tag are discarded. This prevents a non-trunk port from being connected to a trunk port, which would otherwise let tagged frames from other VLANs enter through an access port.
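The rules above amount to a short per-frame decision: reject the port configuration if it is an LACP or trunk port, drop tagged frames, and on a secure port drop any frame whose source address is not bound to the port. The following Python is an added example, not SonicOS code, that applies those checks to raw Ethernet frames so the order of the checks and the tagged-frame behaviour can be seen on real bytes. The port names, MAC addresses and frames are constructed for illustration; the check on the source address group bit is a general Ethernet rule added here, not a feature the guide describes.

```python
# Added example (not SonicOS code): the static port-security decision described
# above, applied to raw Ethernet frames. Ports, MAC tables and frames are
# constructed here for illustration.
import struct
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

VLAN_TPIDS = {0x8100, 0x88A8}   # 802.1Q customer tag and 802.1ad service tag


@dataclass
class Port:
    name: str
    secure: bool = False
    trusted_src: Set[bytes] = field(default_factory=set)   # static MAC objects bound to the port
    discard_tagged: bool = False
    is_lacp: bool = False
    is_vlan_trunk: bool = False

    def __post_init__(self) -> None:
        # The guide: an LACP port or VLAN trunk port cannot also be a secure port.
        if self.secure and (self.is_lacp or self.is_vlan_trunk):
            raise ValueError(f"{self.name}: LACP/trunk ports cannot be secure ports")


def ethernet_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                   vlan: Optional[Tuple[int, int]] = None) -> bytes:
    """Build an Ethernet II frame; vlan=(pcp, vid) inserts an 802.1Q tag."""
    tag = b""
    if vlan is not None:
        pcp, vid = vlan
        tag = struct.pack("!HH", 0x8100, (pcp << 13) | (vid & 0x0FFF))
    return dst + src + tag + struct.pack("!H", ethertype) + payload


def source_and_tag(frame: bytes) -> Tuple[bytes, bool]:
    """Return (source MAC, carries-VLAN-tag) for a raw frame."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    _dst, src, first_type = struct.unpack("!6s6sH", frame[:14])
    return src, first_type in VLAN_TPIDS


def ingress_verdict(port: Port, frame: bytes) -> str:
    """'accept' or a 'drop: ...' reason, in the order the checks apply."""
    src, tagged = source_and_tag(frame)
    if src[0] & 0x01:
        return "drop: group bit set in source address"   # never valid as a source (general rule)
    if tagged and (port.secure or port.discard_tagged):
        return "drop: tagged frame"                      # secure ports take untagged frames only
    if port.secure and src not in port.trusted_src:
        return "drop: source %s not bound to %s" % (src.hex(":"), port.name)
    return "accept"


if __name__ == "__main__":
    printer = bytes.fromhex("0242ac1100a1")          # constructed trusted MAC
    rogue = bytes.fromhex("0242ac1100ff")            # constructed untrusted MAC
    x5 = Port("X5", secure=True, trusted_src={printer})
    ipv4 = b"\x45" + bytes(45)                       # constructed minimal payload
    frames = {
        "trusted untagged":   ethernet_frame(bytes(6), printer, 0x0800, ipv4),
        "spoofed source":     ethernet_frame(bytes(6), rogue, 0x0800, ipv4),
        "trusted but tagged": ethernet_frame(bytes(6), printer, 0x0800, ipv4, vlan=(0, 10)),
    }
    for label, f in frames.items():
        print(f"{label:20s} -> {ingress_verdict(x5, f)}")
```

Note what the third case shows: the tag check runs before the address check, so a trusted device that starts sending tagged frames is dropped without its address being consulted. Also keep the limits of the control in mind: a source MAC address is trivially cloned, so static port security raises the cost of plugging in an unknown device but is not authentication of the device behind the port.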

Topics:

Adding MAC Addresses to an Interface

You must use an address object to bind MAC address(es) to an interface. You can create an address object from within this procedure, or use an existing one. For more information about address objects, see Network > Address Objects.

To add MAC addresses to an interface:
1
On the Switching > Port Security page, click the Add button at the bottom of the page. The Add Static MAC Address dialog opens.

2
Select the desired interface from the Port drop-down menu.
3
If the address object that contains the desired MAC addresses already exists, select it from the MAC Address drop-down menu.

To create an address object, select Create new address object from the drop-down list. The Add Address Object dialog opens.

* 
NOTE: Turn off the pop-up blocker in your browser before selecting Create new address object.

a
Type a descriptive name for the address object into the Name field.
b
Select the zone from the Zone Assignment drop-down menu.
c
The Type is set to MAC and cannot be changed.
d
Enter the MAC address in the MAC Address field.
e
If the device with this MAC address can have multiple IP addresses, select the Multi-homed host check box. Otherwise, clear this check box.
f
Click OK in the Add Address Object dialog. The new address object appears in the MAC Address field of the Add Static MAC Address dialog.
4
Click OK.

Editing MAC Address Objects

To edit a MAC address object for a secure port:
1
Click the Configure icon in the row for the MAC address object you want to edit. The Edit Static MAC Address dialog opens.

2
Select a different address object or select Create new address object from the MAC Address drop-down menu.
3
When finished, click OK.

Deleting MAC Address Objects

To delete one or more MAC address objects:
1
To delete:
A single MAC address object, click the Delete icon in the row for the MAC address object you want to delete.
Multiple MAC address objects:
a)
Select the check boxes next to the MAC address objects you want to delete.
b)
Click the Delete Selected button at the bottom of the page.
2
Click OK in the confirmation dialog.