SonicOS 6.2 Admin Guide

Switching
NOTE: This section describes advanced switching in SonicOS, which is different from managing a Dell X‑Series switch from a TZ appliance. For more information about managing X-Series switches, see SonicOS Support of X‑Series Switches.


Switching Overview

NOTE: Switching is available on all products except the NSA 2600, TZ series, and SOHO W appliances.
NOTE: This section describes advanced switching in SonicOS, which is different from managing a Dell X‑Series switch from a SonicWall firewall. For more information about managing X‑Series switches, see SonicOS Support of X‑Series Switches.

About Switching

This section describes the Layer 2 (data link layer) switching functionality in SonicOS and the benefits it provides.

What is Switching?

SonicOS provides Layer 2 (data link layer) switching functionality. The functionality supports these switching features:

VLAN Trunking – Provides the ability to trunk different VLANs between multiple switches.
Layer 2 Network Discovery – Uses IEEE 802.1AB (LLDP) and Microsoft LLTD protocols and switch forwarding table to discover devices visible from a port.
Link Aggregation – Provides the ability to aggregate ports for increased performance and redundancy.
NOTE: On the NSA 2600, Link Aggregation for Network Interfaces is a separate feature from Link Aggregation for Switching. The NSA 2600 does support Link Aggregation for Network Interfaces (see Configuring Link Aggregation and Port Redundancy), but the NSA 2600 does not support Switching and, therefore, does not support Link Aggregation for Switching.

Link Aggregation is supported on NSA 3600 and higher firewalls.

Port Mirroring – Allows you to assign a mirror port to mirror ingress, egress or bidirectional packets coming from a group of ports.
Jumbo Frames – Support for jumbo frames allows SonicOS to process Ethernet frames with payloads ranging from 1500-9000 bytes.
NOTE: Jumbo frames are supported on NSA 3600 and higher appliances.

Benefits of Switching

SonicOS provides a combined security and switching solution. Layer 2 switching features enhance the deployment and interoperability of SonicWall devices within existing Layer 2 networks.

NOTE: Advanced switching is supported on NSA 3600 and higher appliances.

The advanced switching features on a network security appliance provide these benefits:

Increased port density – With one appliance providing up to 26 interfaces, including up to 24 switch ports, you can decrease the number of devices on your internal network.
Increased security across multiple switch ports – The PortShield architecture provides the flexibility to configure all LAN switch ports into separate security zones such as LANs, WLANs and DMZs, providing protection not only from the WAN and DMZ, but also between devices inside the LAN. Effectively, each security zone has its own wire-speed “mini-switch” that benefits from the protection of a dedicated deep packet inspection firewall.
VLAN Trunking – Simplifies VLAN management and configuration by reducing the need to configure VLAN information on every switch; provides the ability to trunk different VLANs between multiple switches.
Layer 2 Network Discovery – Provides Layer 2 network information for all devices attached to the appliance; uses IEEE 802.1AB (LLDP) and Microsoft LLTD protocols and switch forwarding table to discover devices visible from a port.
Link Aggregation – Aggregated ports provide increased performance through load balancing when connected to a switch that supports aggregation, and provide redundancy when connected to a switch or server that supports aggregation.
Port Mirroring – Allows you to easily monitor and inspect network traffic on one or more ports and to assign a mirror port to mirror ingress, egress or bidirectional packets coming from a group of ports.
Jumbo Frames – Allows increased throughput and reduces the number of Ethernet frames to be processed by allowing SonicOS to process Ethernet frames with payloads ranging from 1500-9000 bytes. The throughput increase is not seen in every case, but there is some improvement when the traversing packets are actually jumbo-sized.
NOTE: Jumbo frames are supported on NSA 3600 and higher appliances.

How Switching Works

Some switching features operate on PortShield Groups and require preliminary configuration on the Network > PortShield Groups page. Some operate on existing Network > Interface configurations. For more information about configuring these related features in SonicOS, see:

For details about the operation of each switching feature, see:

Glossary


BPDU

Bridge Protocol Data Unit – Used in RSTP, BPDUs are special data frames used to exchange information about bridge IDs and root path costs. BPDUs are exchanged every few seconds to allow switches to keep track of network topology and start or stop port forwarding.

CoS

Class of Service – CoS (IEEE 802.1p) defines eight different classes of service that are indicated in a 3-bit user_priority field in an IEEE 802.1Q header added to an Ethernet frame when using tagged frames on an 802.1 network.

DSCP

Differentiated Services Code Point – Also known as DiffServ, DSCP is a networking architecture that defines a simple, coarse-grained, class-based mechanism for classifying and managing network traffic and providing Quality of Service (QoS) guarantees on IP networks. RFC 2475, published in 1998 by the IETF, defines DSCP. DSCP operates by marking an 8-bit field in the IP packet header.

IETF

Internet Engineering Task Force – The IETF is an open standards organization that develops and promotes Internet standards.

L2

OSI Layer 2 (Ethernet) – Layer 2 of the seven layer OSI model is the Data Link Layer, on which the Ethernet protocol runs. Layer 2 is used to transfer data among network entities.

LACP

Link Aggregation Control Protocol – LACP is an IEEE specification that provides a way to combine multiple physical ports together to form a single logical channel. LACP allows load balancing by the connected devices.

LLDP

Link Layer Discovery Protocol (IEEE 802.1AB) – LLDP is a Layer 2 protocol used by network devices to communicate their identity, capabilities, and interconnections. This information is stored in a MIB database on each host, which can be queried with SNMP to determine the network topology. The information includes system name, port name, VLAN name, IP address, system capabilities (switching, routing), MAC address, link aggregation, and more.

LLTD

Link Layer Topology Discovery (Microsoft Standard) – LLTD is a Microsoft proprietary protocol with functionality similar to LLDP. It operates on wired or wireless networks (Ethernet 802.3 or wireless 802.11). LLTD is included on Windows Vista and Windows 7, and can be installed on Windows XP.

PDU

Protocol Data Unit – In the context of the Switching feature, the Layer 2 PDU is the frame. It contains the link layer header followed by the packet.

RSTP

Rapid Spanning Tree Protocol (IEEE 802.1D-2004) – RSTP was defined in 1998 as an improvement to Spanning Tree Protocol. It provides faster spanning tree convergence after a topology change.

Configuring VLAN Trunking

NOTE: Switching is available on all products except the NSA 2600, TZ series, and SOHO W appliances.

Switching > VLAN Trunking

About Trunking

Unassigned switch ports on SonicOS can function as VLAN trunk ports. You can enable or disable VLANs on the trunk ports, allowing the existing VLANs on SonicOS to be bridged to the respective VLANs on another switch connected via the trunk port. SonicOS supports 802.1Q encapsulation on the trunk ports. A maximum of 32 VLANs can be enabled on each trunk port.

The VLAN trunking feature provides these functions:

Change VLAN IDs of existing PortShield groups
Add/delete VLAN trunk ports
Enable/disable custom VLAN IDs on the trunk ports

The allowed VLAN ID range is 1-4094. Some VLAN IDs are reserved for PortShield use, and the reserved range is displayed on the Switching > VLAN Trunking page.

You can mark certain PortShield groups as “Trunked.” If the PortShield group is dismantled, the associated VLAN is automatically disabled on the trunk ports.

VLANs can exist locally in the form of PortShield groups or can be totally remote VLANs. You can change the VLAN ID of PortShield groups on SonicOS. This allows easy integration with existing VLAN numbering.

SonicOS does not allow changing port VLAN membership in an ad-hoc manner. VLAN membership of a port must be configured via PortShield configuration in the SonicOS management interface. For more information about configuring PortShield groups, see Configuring PortShield Interfaces.

A virtual interface (called the VLAN Trunk Interface) is automatically created for remote VLANs. When the same remote VLAN is enabled on another trunk port, no new interface is created. All packets with the same VLAN tag ingressing on different trunk ports are handled by the same virtual interface. This is a key difference between VLAN sub-interfaces and VLAN trunk interfaces.

The Name column on the Network > Interfaces page displays the VLAN IDs of the VLAN Trunk Interfaces for the VLAN trunks; Example of VLAN IDs for VLAN trunk interfaces shows the VLAN trunks for which VLAN IDs are enabled.

Example of VLAN IDs for VLAN trunk interfaces

You can enable any VLAN, local or remote, on a VLAN trunk to allow bridging to the respective VLANs on another switch. For example, local VLAN 345 can be enabled on the VLAN trunk for port X2, which also has two remote VLANs enabled on it. Example of VLAN table with VLAN enabled shows the VLAN Table on the Switching > VLAN Trunking page displaying the trunk port, X9, as a member of local VLANs after the VLAN is enabled on the VLAN trunk.

Example of VLAN table with VLAN enabled

VLAN trunking interoperates with Link Aggregation and Port Mirroring features. A VLAN trunk port can be mirrored, but cannot act as a mirror port itself.

Ports configured as VLAN trunks cannot be used for any other function and are reserved for use in Layer 2 only. For example, you cannot configure an IP Address for the trunk ports.

When a Trunk VLAN interface has been configured on a particular trunk port, that trunk port cannot be deleted until the VLAN interface is removed, even though the VLAN is enabled on multiple trunk ports. This is an implementation limitation and will be addressed in a future release.
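As an added illustration (not code from the SonicOS guide or from SonicWall), here is a small Python model of what a trunk port does with 802.1Q-encapsulated frames: it parses the tag to recover the VLAN ID and the 3-bit priority (the CoS value defined in the glossary), and enforces the limits stated above (VLAN IDs 1-4094, a reserved block, at most 32 VLANs per trunk port). The reserved range 3968-4047, the MAC addresses and the frames are constructed sample values, and treating untagged frames as belonging to no enabled VLAN is an assumption of the model.

```python
from __future__ import annotations
import struct

ETHERTYPE_8021Q = 0x8100          # TPID that announces an 802.1Q VLAN tag
VLAN_ID_MIN, VLAN_ID_MAX = 1, 4094
MAX_VLANS_PER_TRUNK = 32          # per-trunk-port limit stated in the guide


def parse_frame(frame: bytes) -> dict:
    """Parse an Ethernet header and, if present, its 802.1Q tag.

    Returns the addresses, the VLAN ID and priority from the tag, the inner
    EtherType and the payload. Untagged frames get vlan_id=None.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    info = {"dst": dst.hex(":"), "src": src.hex(":"),
            "vlan_id": None, "pcp": None, "dei": None}
    offset = 14
    if ethertype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info["pcp"] = tci >> 13          # 3-bit user_priority (IEEE 802.1p CoS)
        info["dei"] = (tci >> 12) & 1    # drop eligible indicator
        info["vlan_id"] = tci & 0x0FFF   # 12-bit VLAN identifier
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info


class TrunkPort:
    """A VLAN trunk port: the set of VLAN IDs enabled on it, with the guide's limits."""

    def __init__(self, name: str, reserved: tuple[int, int]):
        self.name = name
        self.reserved = reserved              # (first, last) reserved VLAN ID, inclusive
        self.enabled_vlans: set[int] = set()

    def rejection(self, vlan_id: int) -> str | None:
        """Return why vlan_id cannot be enabled on this trunk, or None if it can."""
        lo, hi = self.reserved
        if not VLAN_ID_MIN <= vlan_id <= VLAN_ID_MAX:
            return f"VLAN {vlan_id} is outside {VLAN_ID_MIN}-{VLAN_ID_MAX}"
        if lo <= vlan_id <= hi:
            return f"VLAN {vlan_id} is in the reserved range {lo}-{hi}"
        if vlan_id not in self.enabled_vlans and len(self.enabled_vlans) >= MAX_VLANS_PER_TRUNK:
            return f"trunk {self.name} already carries {MAX_VLANS_PER_TRUNK} VLANs"
        return None

    def enable_vlan(self, vlan_id: int) -> None:
        reason = self.rejection(vlan_id)
        if reason:
            raise ValueError(reason)
        self.enabled_vlans.add(vlan_id)

    def accepts(self, frame: bytes) -> bool:
        """True if the frame is tagged with a VLAN enabled on this trunk.
        Untagged frames are not accepted (assumption: the trunk is tagged-only)."""
        return parse_frame(frame)["vlan_id"] in self.enabled_vlans


def build_tagged_frame(dst: bytes, src: bytes, vlan_id: int, pcp: int,
                       ethertype: int, payload: bytes) -> bytes:
    """Construct a tagged frame for testing (sample data, not captured traffic)."""
    tci = (pcp << 13) | (vlan_id & 0x0FFF)
    return dst + src + struct.pack("!HHH", ETHERTYPE_8021Q, tci, ethertype) + payload


# Constructed samples: local VLAN 345 (the guide's example) tagged with CoS 5,
# and the same IPv4 payload sent untagged.
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("001122334455")
PAYLOAD = b"\x45" + b"\x00" * 19
SAMPLE_TAGGED = build_tagged_frame(DST, SRC, 345, 5, 0x0800, PAYLOAD)
SAMPLE_UNTAGGED = DST + SRC + struct.pack("!H", 0x0800) + PAYLOAD

if __name__ == "__main__":
    trunk = TrunkPort("X2", reserved=(3968, 4047))  # reserved block is an assumed value
    trunk.enable_vlan(345)
    print(parse_frame(SAMPLE_TAGGED))
    print("tagged accepted:", trunk.accepts(SAMPLE_TAGGED))
    print("untagged accepted:", trunk.accepts(SAMPLE_UNTAGGED))
    print("reserved rejection:", trunk.rejection(4000))
```

The rejection reasons mirror the checks the Edit VLAN and Enable VLAN dialogs apply: an ID outside 1-4094, an ID inside the reserved block shown on the Switching > VLAN Trunking page, or a 33rd VLAN on one trunk.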

Viewing VLANs

Reserved VLAN Information

The Reserved VLAN Information table lists the range of reserved VLAN IDs:

Starting VLAN ID
Ending VLAN ID

VLAN Table


VLAN ID

ID of the VLAN.

Interface

Interface assigned to the VLAN.

Member Ports

Ports associated with the interface.

Trunked

Indicates whether this VLAN is trunked.

Configure

Contains Edit icons for the VLANs.

VLAN Trunks Table


Trunk Port

Interface for the Trunk port and the number of VLAN entries associated with it.

VLAN ID

ID(s) of the VLAN(s).

Configure

Contains Delete icons for the VLANs.

To display the VLAN ID(s) of the Trunk Port, click the Expand icon for the Trunk port. To display the VLAN ID(s) of all the Trunk Ports, click the Expand icon in the VLAN Trunks table header. To hide the VLAN ID(s), click the appropriate Collapse icon.

Editing VLANs

To edit a VLAN:
1. On the Switching > VLAN Trunking page, click the Configure icon in the VLAN Table row for the VLAN ID you want to edit. The Edit VLAN for PortShield Host dialog displays.
2. Do one of the following:
   Type a different VLAN ID into the VLAN ID field. You can enter any VLAN ID except the original system-specified VLAN ID or any others in the Reserved VLAN Information table.
   Use the VLAN ID number in the VLAN ID field, which matches the one for which you clicked the Configure icon.
3. To enable trunking for this VLAN, select the Trunked checkbox. To disable trunking for this VLAN, clear the checkbox.
4. Click OK.

Adding a VLAN Trunk Port

To add a VLAN trunk port:
1. On the Switching > VLAN Trunking page under VLAN Trunks, click the Add button. The Add VLAN Trunk Port dialog displays.
2. Select the port to add from the Trunk Port drop-down menu.
3. Click OK.

Enabling a VLAN on a Trunk Port

To enable a custom VLAN ID on a specific trunk port:
1. On the Switching > VLAN Trunking page under VLAN Trunks, click the Enable VLAN button. The Enable VLAN dialog displays.
2. Select a trunked port from the Trunked Port drop-down menu. This is the port that you want to use to trunk the VLAN ID indicated in the VLAN ID field.
3. In the VLAN ID field, type in the VLAN ID to be trunked. This can be a VLAN ID on another switch.
4. Click OK.

Deleting VLAN Trunk Ports

You can delete one VLAN trunk port, multiple ports at a time, or all ports.

To delete a VLAN trunk port:
1. Click the Delete icon in the Configure column for the port to be deleted.

To delete multiple VLAN trunk ports:
1. In the VLAN Trunks table, select one or more checkboxes for the VLAN trunk ports you want to delete.
2. Click the Delete button.
3. Click OK in the confirmation dialog.

To delete all VLAN trunk ports:
1. In the VLAN Trunks table, select the checkbox in the VLAN Trunks table heading.
2. Click the Delete button.
3. Click OK in the confirmation dialog.

Viewing Layer 2 Discovery

NOTE: Switching is available on all firewalls except the NSA 2600, TZ series, and SOHO W appliances.

Switching > L2 Discovery

The SonicOS firewall uses IEEE 802.1AB (LLDP)/Microsoft LLTD protocols and a switch forwarding table to discover nodes visible from a port. These are Layer 2 protocols and do not cross a broadcast domain. More information about these protocols is available at:

Viewing L2 Discovery

By default, the L2 Discovery table displays only the interfaces, the number of nodes visible through the port, and the Refresh icons for the interfaces.

To display L2 discovery information, click the Expand icon for the desired interface. The following information about the nodes discovered on the interface is displayed:

MAC Address
Vendor name
IP Address or N/A (if applicable)
System Name (if applicable)
Description (if applicable)
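The following Python is an added example, not part of the guide or of SonicOS. It decodes a constructed LLDPDU (the IEEE 802.1AB format the glossary describes) into the fields the L2 Discovery table shows: MAC address, vendor, IP address, system name and description. The OUI-to-vendor table, the neighbour's addresses and names are sample values made up for the demo. Because discovery parses whatever a neighbour chooses to send, every TLV length is checked against the buffer before it is used, and a PDU whose lengths overrun the buffer or that lacks the End TLV is rejected rather than partially trusted.

```python
from __future__ import annotations
import struct

# LLDP TLV types from IEEE 802.1AB
TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL = 0, 1, 2, 3
TLV_PORT_DESC, TLV_SYSTEM_NAME, TLV_SYSTEM_DESC, TLV_MGMT_ADDR = 4, 5, 6, 8
CHASSIS_SUBTYPE_MAC = 4      # chassis identified by its MAC address
PORT_SUBTYPE_IFNAME = 5      # port identified by its interface name
MGMT_ADDR_IPV4 = 1           # IANA address family number for IPv4

# Constructed OUI-to-vendor table for the demo; a real tool would use the IEEE registry.
OUI_VENDORS = {"00:11:22": "ExampleVendor"}


def tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV: 7-bit type, 9-bit length, then the value."""
    if not 0 <= len(value) <= 0x1FF:
        raise ValueError("TLV value too long")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def iter_tlvs(data: bytes):
    """Yield (type, value) pairs, refusing any length that runs past the buffer."""
    offset = 0
    while offset + 2 <= len(data):
        (header,) = struct.unpack("!H", data[offset:offset + 2])
        tlv_type, length = header >> 9, header & 0x1FF
        offset += 2
        if offset + length > len(data):
            raise ValueError(f"TLV type {tlv_type} claims {length} bytes past the end of the PDU")
        yield tlv_type, data[offset:offset + length]
        offset += length
        if tlv_type == TLV_END:
            return
    raise ValueError("LLDPDU has no End of LLDPDU TLV")


def parse_lldpdu(data: bytes) -> dict:
    """Reduce an LLDPDU to the fields the L2 Discovery table shows."""
    node = {"mac": None, "vendor": None, "ip": "N/A", "system_name": None,
            "description": None, "port_id": None, "ttl": None}
    for tlv_type, value in iter_tlvs(data):
        if tlv_type == TLV_CHASSIS_ID and len(value) == 7 and value[0] == CHASSIS_SUBTYPE_MAC:
            node["mac"] = value[1:].hex(":")
            node["vendor"] = OUI_VENDORS.get(node["mac"][:8], "unknown")
        elif tlv_type == TLV_PORT_ID and value and value[0] == PORT_SUBTYPE_IFNAME:
            node["port_id"] = value[1:].decode("ascii", "replace")
        elif tlv_type == TLV_TTL and len(value) == 2:
            (node["ttl"],) = struct.unpack("!H", value)
        elif tlv_type == TLV_SYSTEM_NAME:
            node["system_name"] = value.decode("utf-8", "replace")
        elif tlv_type == TLV_SYSTEM_DESC:
            node["description"] = value.decode("utf-8", "replace")
        elif tlv_type == TLV_MGMT_ADDR and len(value) >= 2:
            addr_len = value[0]                      # counts the subtype byte plus the address
            family, addr = value[1], value[2:1 + addr_len]
            if family == MGMT_ADDR_IPV4 and len(addr) == 4:
                node["ip"] = ".".join(str(b) for b in addr)
    return node


def is_well_formed(data: bytes) -> bool:
    """True if every TLV fits in the buffer and the PDU is properly terminated."""
    try:
        list(iter_tlvs(data))
        return True
    except ValueError:
        return False


# Constructed sample LLDPDU, as a neighbouring switch might advertise it on port X3.
SAMPLE_LLDPDU = (
    tlv(TLV_CHASSIS_ID, bytes([CHASSIS_SUBTYPE_MAC]) + bytes.fromhex("001122334455"))
    + tlv(TLV_PORT_ID, bytes([PORT_SUBTYPE_IFNAME]) + b"X3")
    + tlv(TLV_TTL, struct.pack("!H", 120))
    + tlv(TLV_SYSTEM_NAME, b"core-sw1")
    + tlv(TLV_SYSTEM_DESC, b"Constructed sample switch")
    + tlv(TLV_MGMT_ADDR, bytes([5, MGMT_ADDR_IPV4]) + bytes([192, 0, 2, 10])
          + bytes([2]) + struct.pack("!I", 3) + bytes([0]))   # ifIndex 3, no OID
    + tlv(TLV_END, b"")
)
# A damaged PDU: the first TLV claims 7 bytes but only 3 are present.
SAMPLE_TRUNCATED = SAMPLE_LLDPDU[:5]

if __name__ == "__main__":
    print(parse_lldpdu(SAMPLE_LLDPDU))
    print("truncated PDU accepted:", is_well_formed(SAMPLE_TRUNCATED))
```

The TTL value is what lets a discovery table age out entries: an entry whose TTL has expired without a fresh advertisement should be dropped rather than kept as a stale neighbour.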

Activating L2 Discovery

Discovery is active when the system boots up, but then does not restart unless you click the Refresh icon for a particular interface.

To restart Layer 2 discovery on multiple interfaces:
1. Select the checkbox next to the desired interfaces.
2. Click the Refresh Selected button at the bottom of the table.

To restart Layer 2 discovery on all interfaces:
1. Select the checkbox in the table heading.
2. Click the Refresh Selected button at the bottom of the table.

Configuring Link Aggregation

NOTE: Switching is available on NSA 3600 and higher appliances and on SuperMassive appliances.

Switching > Link Aggregation

About Link Aggregation

NOTE: Static Link Aggregation (LAG) is supported for NSA 3600 and higher firewalls.

Link Aggregation allows port redundancy and load balancing in Layer 2 networks. Load balancing is controlled by the hardware, based on source and destination MAC address pairs. The Switching > Link Aggregation page provides information and statistics about and allows configuration of interfaces for aggregation.

Static Link Aggregation is supported. Ports that are in the same VLAN (same PortShield Group) or are VLAN trunk ports are eligible for link aggregation. Up to four ports can be aggregated in a logical group, and there can be four Logical Links (LAGs) configured.

NOTE: Dynamic Link Aggregation protocol LACP (IEEE 802.1AX) is supported only on the SM 9800 and NSA 2650.

Two main types of usage are enabled by this feature:

Firewall to Server – This is implemented by enabling Link Aggregation on ports within the same VLAN (same PortShield Group). This configuration allows port redundancy, but does not support load balancing in the appliance-to-server direction due to a hardware limitation on the appliance.
Firewall to Switch – This is implemented by enabling Link Aggregation on VLAN trunk ports. Load balancing is performed automatically by the hardware. The appliance supports one load balancing algorithm, based on source and destination MAC address pairs.

Similarly to PortShield configuration, you select an interface that represents the aggregated group. This port is called an aggregator. The aggregator port must be assigned a unique key. By default, the aggregator port key is the same as its interface number. Non-aggregator ports can be optionally configured with a key, which can help prevent an erroneous LAG if the switch connections are wired incorrectly.

Ports bond together if connected to the same link partner and their keys match. A link partner cannot be discovered for Static link aggregation. In this case, ports aggregate based on keys alone.

Like a PortShield host, the aggregator port cannot be removed from the LAG since it represents the LAG in the system.

NOTE: After link aggregation has been enabled on VLAN trunk ports, additional VLANs cannot be added or deleted on the LAG.

Viewing Link Aggregation

Viewing Status

The Status table displays the System ID (a MAC address) of the firewall.

Viewing Link Aggregation Ports


Port

Interface used as an aggregator port or a member port

LAG ID

ID of the system-configured link aggregator. A member port that is not itself an aggregator shows the LAG ID of the aggregator to which it belongs.

Key

Indicates port membership from the Add LAG Port dialog. If the key was kept Auto-Detect, the word Auto displays.

Aggregator

Indicates an aggregator port by a green checkmark; otherwise, it is blank.

LACP Enable

Indicates whether LACP is enabled.

Status

Indicates whether the port is up or down.

Partner

MAC addresses of the link partners after they are physically connected:
   Static LAG – displays 00:00:00:00:00:00
   Dynamic LAG – displays the partner’s MAC address

Vendor

Displays the name of the equipment manufacturer.

Action

Displays these icons:
   Statistics – when moused over, displays the LAG Port Statistics popup.
   Delete – deletes the port from the LAG.

Creating a Logical Link (LAG)

How you create a LAG depends on whether the firewall is a SuperMassive 9800 or another SonicWall firewall.

Creating a LAG on a non-SuperMassive 9800 Firewall

To create a Logical Link (LAG):
1. On the Switching > Link Aggregation page, click the Add button. The Add LAG Port dialog displays.
2. Select the interface from the Port drop-down menu.
3. Do one of the following:
   To enable auto-detection of port membership in a LAG group, ensure the Key Auto-Detect checkbox is selected. This option is selected by default.
   To disable auto-detection and specify a key:
   a) Clear the Auto-Detect checkbox.
   b) Type the desired key into the Key field. The minimum value is 1, and the maximum value is 255.
4. If this interface will be the aggregator for the LAG, select the Aggregator checkbox. Only one interface can be an aggregator for a LAG. This option is not selected by default.
5. Click OK.
6. On the Switching > Link Aggregation page, click the Add button again. The Add LAG Port dialog redisplays.
7. Select the interface for the link partner from the Port drop-down menu.
8. If you specified a key for the first interface (the aggregator), clear the Auto-Detect checkbox and type the same key into the Key field. If Auto-Detect was left enabled for the first interface, leave it enabled for this one as well.
   NOTE: The Auto-Detect option cannot be used with a static LAG.
9. Clear the Aggregator checkbox. Only one interface can be an aggregator for a LAG.
10. Click OK.

The Switching > Link Aggregation page displays the LAG. The Partner column displays the MAC addresses of the link partners after they are physically connected.

Creating a LAG on a SuperMassive 9800 Firewall

To create a Logical Link (LAG) on a SuperMassive 9800:
1. On the Switching > Link Aggregation page, click the Add button. The Add LAG Port dialog displays.
2. Select the interface from the Aggregator Port drop-down menu.
3. Specify the port membership in a LAG group by entering the desired key into the Key field. The minimum value is 1, and the maximum value is 255. The field has a default value of 0, which must be replaced.
4. Select the ports to be aggregated from the Member Ports drop-down menu. You can select any number of ports in the list by selecting the checkbox for each port to be aggregated.
   NOTE: The listed ports depend on the interface chosen in Step 2.
5. To enable Link Aggregation Control Protocol (LACP) for this port, select the LACP Enable checkbox. This option is not selected by default.
6. From the Load Balance Type drop-down menu, select how load balancing is performed:
   SRC_MAC, ETH_TYPE, VLAN, INTF (default)
   DST_MAC, ETH_TYPE, VLAN, INTF
   SRC_MAC, DST_MAC, ETH_TYPE, VLAN, INTF
   SRC_IP, SRC_PORT
   DST_IP, DST_PORT
   SRC_IP, SRC_PORT, DST_IP, DST_PORT
7. Click OK.
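As an added example (not SonicWall code), the Python below makes two behaviours described in this section concrete: the hash-based member selection for the Load Balance Types listed in Step 6, including failover to the remaining links when a member goes down, and the key-based grouping of ports into static LAGs described under About Link Aggregation (one aggregator per key, at most four ports per LAG and four LAGs). The hash (SHA-256 over the selected header fields) stands in for the undocumented hardware hash, and the frames, port names and keys are constructed; the actual distribution on an appliance will differ.

```python
from __future__ import annotations
import hashlib
from collections import Counter

# Field sets behind the Load Balance Type choices listed for the SuperMassive 9800.
LOAD_BALANCE_TYPES = {
    "SRC_MAC, ETH_TYPE, VLAN, INTF": ("src_mac", "eth_type", "vlan", "intf"),
    "DST_MAC, ETH_TYPE, VLAN, INTF": ("dst_mac", "eth_type", "vlan", "intf"),
    "SRC_MAC, DST_MAC, ETH_TYPE, VLAN, INTF": ("src_mac", "dst_mac", "eth_type", "vlan", "intf"),
    "SRC_IP, SRC_PORT": ("src_ip", "src_port"),
    "DST_IP, DST_PORT": ("dst_ip", "dst_port"),
    "SRC_IP, SRC_PORT, DST_IP, DST_PORT": ("src_ip", "src_port", "dst_ip", "dst_port"),
}
MAX_PORTS_PER_LAG = 4   # limits stated in the guide
MAX_LAGS = 4


def select_member(frame: dict, members: list[str], link_up: dict[str, bool], lb_type: str) -> str:
    """Pick the LAG member that carries this frame.

    Only links that are up are candidates (redundancy). Among them the choice is a
    hash of the selected header fields, so one flow always follows one link and
    frame order within the flow is preserved. SHA-256 is an assumed stand-in for
    the hardware hash.
    """
    candidates = [m for m in members if link_up.get(m, False)]
    if not candidates:
        raise RuntimeError("all LAG members are down")
    fields = LOAD_BALANCE_TYPES[lb_type]
    key = "|".join(f"{f}={frame[f]}" for f in fields).encode()
    digest = hashlib.sha256(key).digest()
    return candidates[int.from_bytes(digest[:4], "big") % len(candidates)]


def distribution(frames: list[dict], members: list[str], link_up: dict[str, bool],
                 lb_type: str) -> Counter:
    """Count how many of the frames each member link would carry."""
    return Counter(select_member(f, members, link_up, lb_type) for f in frames)


def lag_config_error(port_configs: list[dict]) -> str | None:
    """Check a set of static LAG port entries (port, key, aggregator flag).

    No link partner is discovered for static aggregation, so ports with the same
    key form one LAG. Returns a reason if the guide's rules are broken, else None.
    """
    lags: dict[int, dict] = {}
    for cfg in port_configs:
        lag = lags.setdefault(cfg["key"], {"aggregator": None, "members": []})
        if cfg.get("aggregator"):
            if lag["aggregator"] is not None:
                return f"key {cfg['key']}: more than one aggregator"
            lag["aggregator"] = cfg["port"]
        lag["members"].append(cfg["port"])
    if len(lags) > MAX_LAGS:
        return f"{len(lags)} LAGs exceeds the limit of {MAX_LAGS}"
    for key, lag in lags.items():
        if lag["aggregator"] is None:
            return f"key {key}: no aggregator port"
        if len(lag["members"]) > MAX_PORTS_PER_LAG:
            return f"key {key}: {len(lag['members'])} ports exceeds {MAX_PORTS_PER_LAG}"
    return None


def group_static_lags(port_configs: list[dict]) -> dict[int, list[str]]:
    """Return {key: member ports} for a valid static LAG configuration."""
    error = lag_config_error(port_configs)
    if error:
        raise ValueError(error)
    groups: dict[int, list[str]] = {}
    for cfg in port_configs:
        groups.setdefault(cfg["key"], []).append(cfg["port"])
    return groups


# Constructed sample: 40 flows from different hosts in VLAN 345 to one server.
SAMPLE_FRAMES = [
    {"src_mac": f"00:11:22:33:44:{i:02x}", "dst_mac": "00:aa:bb:cc:dd:ee", "eth_type": 0x0800,
     "vlan": 345, "intf": "X2", "src_ip": f"192.0.2.{i}", "src_port": 40000 + i,
     "dst_ip": "198.51.100.7", "dst_port": 443}
    for i in range(1, 41)
]
SAMPLE_LAG = [{"port": "X4", "key": 4, "aggregator": True}, {"port": "X5", "key": 4},
              {"port": "X6", "key": 4}, {"port": "X7", "key": 4}]

if __name__ == "__main__":
    members = list(group_static_lags(SAMPLE_LAG)[4])
    up = {m: True for m in members}
    lb = "SRC_MAC, DST_MAC, ETH_TYPE, VLAN, INTF"
    print("all links up:", distribution(SAMPLE_FRAMES, members, up, lb))
    print("X4 down:", distribution(SAMPLE_FRAMES, members, dict(up, X4=False), lb))
```

Because the "Firewall to Server" case sends every frame to one MAC address, a load balance type keyed only on destination MAC would put the whole flow set on one link; the SRC_MAC or IP/port field sets spread it, which is worth checking before picking a type.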


Configuring Port Mirroring

NOTE: Switching is available on NSA 3600 and higher firewalls.

Switching > Port Mirroring

About Port Mirroring

You can configure Port Mirroring on SonicOS to send a copy of network packets seen on one or more switch ports (or on a VLAN) to another switch port called the mirror port. By connecting to the mirror port, you can monitor the traffic passing through the mirrored port(s).

A VLAN trunk port can be mirrored, but cannot act as a mirror port itself.

The Switching > Port Mirroring page allows you to assign mirror ports to mirror ingress, egress or bidirectional packets coming from a group of ports.

Viewing Mirrored Ports

You monitor traffic on the mirrored port(s) by connecting to the mirror port.


Group Name

Name of the interface group.

Mirror Port

Interface used as the mirror port, that is, the port that monitors the other ports in the selected direction.

Direction

Direction of the traffic being mirrored:
   both (bidirectional)
   ingress
   egress

Ingress

Number of packets arriving on the mirrored port(s). For egress-only ports, this is always 0.

Egress

Number of packets sent out on the mirrored port(s). For ingress-only ports, this is always 0.

Enable

Indicates whether mirroring is enabled (the checkbox is selected) or disabled (the checkbox is blank) for the group.

Configure

Contains the Edit and Delete icons for the group entry and a Delete icon for each port in the group.

Expanding/Collapsing the Groups

To expand the mirror group to see the interfaces in the group, click the Expand icon for the group.

To hide the group members, click the group’s Collapse icon.

Configuring a Port Mirroring Group

To create a new port mirroring group:
1. On the Switching > Port Mirroring page, click the New Group button. The Edit Mirror Group dialog displays.
2. Enter a descriptive name for the group into the Interface Group Name field. The default name is New Group.
3. For the Direction, select one of the following:
   ingress – Monitors traffic arriving on the mirrored port(s).
   egress – Monitors traffic being sent out on the mirrored port(s).
   both – Monitors traffic in both directions on the mirrored port(s).
4. From the All Interfaces list:
   a) Select the port to mirror the traffic to. You must use an unassigned port as the mirror port.
   b) Click the top right-arrow button to move it to the Mirror Port field.
5. From the All Interfaces list:
   a) Select one or more ports to be monitored. You monitor traffic on the mirrored port(s) by connecting to the mirror port.
   b) Click the lower right-arrow button to move them to the Mirrored Ports field.
6. To enable port mirroring for these ports, select the Enable checkbox.
   NOTE: Only one ingress group and one egress group can be enabled at one time. If a group has both directions and it is enabled, the individual ingress and egress groups or another group with both directions cannot be enabled. The individual ingress and egress groups can be enabled separately.
7. Click OK.
8. To enable mirroring, in the Groups table, select the Enable checkbox for the mirrored group.

Editing a Port Mirroring Group

To edit a port mirroring group:
1. Click the group’s Edit icon. The Edit Mirror Group dialog for the group displays.
2. Make the changes to any of the options.
   NOTE: You can add or delete mirrored ports. If you delete a member of the group, no confirmation message is displayed.
3. If mirroring has been enabled for the group, the Enable checkbox is selected. To disable port mirroring for these ports, deselect the Enable checkbox.
   NOTE: Only one ingress group and one egress group can be enabled at one time. If a group has both directions and it is enabled, the individual ingress and egress groups or another group with both directions cannot be enabled. The individual ingress and egress groups can be enabled separately.
4. Click OK.

Deleting Port Mirroring Groups

You can delete members of a mirror group, a mirror group, multiple groups, or all groups.

Removing Port Group Members

You can delete a member of a port group as described in Editing a Port Mirroring Group or you can delete it in the Groups table.

To remove a member of a Port Group in the Groups table:
1. Display the group members by clicking the group’s Expand button.
2. Either:
   Click the Delete icon for the member(s) to be deleted.
   Click one or more checkboxes of the members to be deleted, and then click the Ungroup button.
   A confirmation message displays.
3. Click OK.

Removing a Port Mirror Group

To remove a port mirror group in the Groups table:
1. Either:
   Click the Delete icon for the group to be deleted.
   Select the checkbox for the group and then click the Ungroup button.
   A confirmation message displays.
2. Click OK.

Removing Multiple Port Mirror Groups

To remove multiple port mirror groups:
1. In the Groups table, select the checkbox next to the port mirror groups you want to delete.
2. Click the Ungroup button. A confirmation dialog displays.
3. Click OK in the confirmation dialog.

Removing All Port Mirror Groups

To remove all port mirror groups:
1. In the Groups table, select the checkbox in the table heading.
2. Click the Ungroup button. A confirmation dialog displays.
3. Click OK in the confirmation dialog.