en-US
search-icon

X‐Series Solution Deployment Guide

About the SonicWall X‑Series Solution

Overview

Topics:

SonicWall X‑Series Solution: a Unified Approach

Critical network elements, such as a firewall and switch, need to be managed, usually individually. The SonicWall™ X-Series Solution allows unified management of both the firewall and a Dell X‑Series switch using the firewall management interface (UI) and GMS.

In certain deployments, the number of ports required might easily exceed the maximum number of interfaces available on the firewall. For example, the maximum number of interfaces available on SonicWall TZ firewalls range from 5 (TZ300) to 10 (TZ600); see Interfaces per firewall.

 

Interfaces per firewall

Firewall model

Available interfaces

SM 9600

20 (4 10 GbE SFP+, 8 1 GbE SFP, 8 1GE copper), 1 GbE Management, and 1 Console

SM 9400

20 (4 10 GbE SFP+, 8 1 GbE SFP, 8 1GE copper), 1 GbE Management, and 1 Console

SM 9200

20 (4 10 GbE SFP+, 8 1 GbE SFP, 8 1GE copper), 1 GbE Management, and 1 Console

NSA 6600

20 (4 10 GbE SFP+, 8 1 GbE SFP, 8 1GE copper), 1 GbE Management, and 1 Console

NSA 5600

18 (2 10 GbE SFP+, 4 1 GbE SFP, 12 1GE copper) and 1 Management

NSA 4600

18 (2 10 GbE SFP+, 4 1 GbE SFP, 12 1GE copper) and 1 Management

NSA 3600

18 (2 10 GbE SFP+, 4 1 GbE SFP, 12 1GE copper) and 1 Management

TZ600

10 GbE

TZ500 Series

8 GbE

TZ400 Series

7 GbE

TZ300 Series

5 GbE

With the SonicWall X‑Series Solution, ports on a Dell X‑Series switch are viewed as extended interfaces of the firewall, thereby increasing the number of interfaces available for use up to 192, depending on the X‑Series switch. These extended ports can be portshielded and/or configured for high availability and treated as any other interface on the firewall.

* 
NOTE: X‑Series switch, X‑Switch, and extended switch are used interchangeably.

Beginning in SonicOS Release 6.2.5.1, the TZ Series firewalls supported a maximum of two X‑Series switches. Beginning in SonicOS Release 6.2.7, the SonicWall firewalls shown in X‑Series switches supported by SonicWall firewalls support the listed X‑Series switches. A SonicWall firewall can provision up to four X‑Series switches.

* 

X‑Series switches supported by SonicWall firewalls

These SonicWall firewalls

 

 

SuperMassive 9600
SuperMassive 9400
SuperMassive 9200
NSA 6600
NSA 5600
NSA 4600
NSA 3600
TZ600
TZ500/TZ500W
TZ400/TZ400W
TZ300/TZ300W

Support these X‑Series switches (ports)

 

X1008 (8 10/100/1000Base-T GbE)
X1008P (8 10/100/1000Base-T GbE, 2 1GbE SFP fiber, 8 PoE up to 123 W total)
X1018 (16 10/100/1000Base-T GbE, 2 1GbE SFP fiber)
X1018P (16 10/100/1000Base-T GbE, 2 1GbE SFP fiber, 16 PoE up to 246W total)
X1026 (24 10/100/1000Base-T GbE, 2 1GbE SFP fiber)
X1026P (24 10/100/1000Base-T GbE, 2 1GbE SFP fiber, 24 PoE/12 PoE+ up to 369W total)
X1052 (48 10/100/1000Base-T GbE, 2 10GbE SFP/SFP+ fiber)
X1052P (48 10/100/1000Base-T GbE, 24 PoE/12 PoE+ up to 369W total)
X4012 (12 10GbE SFP/SFP+ fiber)
* 
NOTE: The X-Series Solution is not supported on the SM 9800, NSA 2600, or SOHO W firewalls.

Terminology

 

HA

High Availability

IDV

Interface Disambiguation via VLAN – The reconfiguring of ports, portshielded to firewall interfaces, on the extended switch as access ports of the VLAN corresponding to the PortShield VLAN.

PoE

Power over Ethernet – A system than passes electrical power along with data on Ethernet cabling, which allows a single cable to provide both data connection and electrical power to devices. PoE is the 802.3af IEEE standard with 15.4W per port.

PoE+

Power over Ethernet Plus – An enhanced version of PoE that provides more power than PoE. PoE+ is the 802.3at IEEE standard with 25.5W per port.

SFP

Small form-factor pluggable – A compact, hot-pluggable transceiver used for both telecommunication and data communications applications and supports 1Gb fiber modules.

SFP+

Enhanced small form-factor pluggable – An enhanced version of SFP that supports 10 Gb fiber modules.

SPM

Single Point Management

STP

Spanning Tree Protocol – A network protocol that ensures a loop-free topology for Ethernet networks and allows redundant (spare) links to provide backup paths if an active link fails.

Performance Requirements

With SonicOS 6.2.7, X‑Series switch integration functionality has been extended from just TZ Series firewalls to include both SM Series and NSA Series firewalls. A SonicOS firewall can now:

Be provisioned for a maximum of four X-Series switches.
Manage an increased number of ports.

If multiple switches are provisioned, they must be connected directly to the firewall; they cannot be cascaded or daisy chained, that is, one switch connected to another switch, which is then connected to the firewall.

Features Provided by the SonicWall X‑Series Solution

Key features supported by the SonicWall X‑Series Solution are:

Provisioning an X‑Series switch as an extended switch – Up to four X‑Series switches can be provisioned as an extended switch on a SonicWall firewall. When provisioned, the ports on the X‑Series switch are managed as are the other ports of the firewall.
PortShield functionality – Ports on the X‑Switch are viewed as “extended” interfaces of the firewall and can join PortShield Groups. For further information, see PortShield Functionality and X‑Series Switches.
Configuring the extended switch Interface settings – The switch interface settings are configured as regular interface settings through the SonicOS GUI.
Managing the basic extended switch global parameters using GMS:
STP Mode – By default, STP mode is set to Rapid on the extended switch.
STP State – By default, STP is Enabled globally on the extended switch.
* 
NOTE: The following PoE parameters are available only on PoE-capable extended switches.
PoE Alert Usage Threshold – By default, the threshold is set to 95% on the extended switch.
PoE Traps – By default, traps are disabled globally on the extended switch.
PoE Power Limit Mode – By default, the mode is set to Port limit (default)
Managing the extended switch using GMS – The X‑Series switch integration feature allows unified management of both the firewall and the switch using the SonicOS management interface and SonicWall GMS version 8.1 SP1 or higher. GMS supports all configuration operations, such as provisioning of an extended switch, configuration of extended switch interface settings, and manageability of extended switch global parameters.

For information about managing extended switches with GMS, refer to the latest SonicWall GMS Administration Guide.

High Availability (HA) with PortShield functionality – Extended switches can be added to firewalls in an HA configuration with PortShield functionality.
Diagnostics support for the extended switch:
Retrieving statistics of extended switch ports: the firewall polls the extended switch ports periodically and displays the statistics on the External Switch Diagnostics tab of the Network > PortShield Groups page.
Clearing statistics of extended switch ports
Upgrading of the firmware image, or boot image, on the extended switch
Restarting the extended switch
Support for VLANs in a dedicated or common uplink configuration – VLAN is supported on extended switches with these caveats:
Overlapping VLANs cannot exist under firewall interfaces configured as dedicated uplinks to the same switch because the VLAN space is global on the X‑Series switch. For example, if X3 and X5 are configured for dedicated uplinks, VLAN 100 cannot be present under both X3 and X5. Such a configuration is rejected. If X3 and X5 are dedicated uplinks to different X‑Series switches, however, then the configuration is accepted.
Overlapping VLANs cannot exist under common uplink interfaces. For example, if X3 is set up as a common uplink to an X‑Series switch and VLAN 100 exists under X3, another interface—X4, which is configured as a common uplink to a second X‑Series switch, cannot have a VLAN 100 subinterface.

For further information about VLAN support, see Configuring VLAN(s) with Common or Dedicated Uplink(s).

SPM (Single Point of Management) support removes the need for a dedicated uplink for VLAN interfaces. SPM support allows a common uplink for VLAN interfaces, thereby allowing a single link between the firewall and the X‑Switch to carry:
Management traffic of the firewall managing the X‑Switch.
PortShield traffic for the IDV VLANs corresponding to the firewall interfaces.
Traffic for the VLAN subinterfaces present under the common uplink interface.

For further information about SPM support, see Configuring a Common Uplink for VLAN(s) with SPM.

X‑Switch-related features conflict with other switching features on SM Series and NSA series firewalls, such as wiremode, port redundancy, link aggregation, and mirroring. For example, if an interface is configured for wiremode, the interface cannot be configured as a firewall uplink to an X‑Series switch and vice versa. If such a conflict occurs, the second configuration is rejected.
PoE/PoE+ and SFP/SFP+ functionality for SonicWall firewalls by certain X‑Series switches – For X‑Switches that provide PoE/PoE+ functionality, see PoE/PoE+ and SFP/SFP+ Support.
Batching configuration messages – To facilitate faster programming of X‑Series switches, configuration messages can be batched before being sent to an X‑Series switch.

PortShield Functionality and X‑Series Switches

PortShield architecture allows configuration of firewall ports into separate security zones, thereby allowing protection of a deep-packet inspection firewall for traffic between devices across zones. For more information about PortShield functionality and how to manage PortShield Groups with X-Series switches, see the SonicOS 6.2 Administration Guide.

The X-Series Solution allows support for portshielding interfaces on the extended switch to firewall interfaces. X‑Series switches are L2 switches, and by default, all ports on the extended switch are configured as access ports of the default VLAN 1. When ports of the extended switch are portshielded to firewall interfaces, the ports are reconfigured as access ports part of the VLAN corresponding to the PortShield VLAN, also known as the IDV VLAN of the PortShield host interface.

How Traffic is Handled with Portshield

Traffic between network devices connected to the ports on the extended switch:

That are part of the same Portshield group are switched automatically by the extended switch.
And devices connected to ports on the firewall that are part of the same Portshield group are switched by the internal switch on the firewall.
Destined to firewall interfaces are handled by the data-path in software. Such traffic may be subjected to firewall security services such as access rules, deep packet inspection, and intrusion prevention.
And devices connected to ports on the firewall that are part of different zone or part of a different Portshield group are forwarded by the data-path in software. Such traffic is subjected to firewall security services in software.

PoE/PoE+ and SFP/SFP+ Support

SonicWall firewalls do not support PoE/PoE+, but this functionality can be added with certain X‑Series switches, as shown in X-Series switch PoE/PoE+ and SFP/SFP+ support. This additional functionality enhances SonicPoint usage by the SonicWall firewalls, especially for new SonicPoints supporting 802.11ac (802.11ac supports up to 30W maximum power; 802.11a/b/g/h supports up to 15.4 W maximum power). For further information about which ports on which models are PoE/PoE+ capable, see the Dell™ Networking™ X1000 and X4000 Series Switches Getting Started Guide.

Some X‑Series switches also support SFP/SFP+, as shown in X-Series switch PoE/PoE+ and SFP/SFP+ support. SFP/SFP+ ports are not PoE capable, so port-based PoE settings are not available on SFP/SFP+ ports.

X-Series switch PoE/PoE+ and SFP/SFP+ support

This X‑Series switch

Supports

X1008

1 PoE PD port; by default, port 8 is the PD port

X1008P

8 PoE ports, up to 123W total; by default, ports 1 through 8 support PoE

X1018

2 1GbE SFP ports; by default, ports 17 and 18 support SFP

X1018P

16 PoE ports, up to 246W total; by default, ports 1 through 16 support PoE

2 1GbE SFP ports; by default, ports 17 and 18 support SFP

X1026

2 1GbE SFP ports; by default, ports 25 and 26 support SFP

X1026P

24 PoE/12 PoE+ ports, up to 369W total; by default:

Ports 1 through 12 support PoE+
Ports 13 through 24 support PoE

2 1GbE SFP ports; by default, ports 25 and 26 support SFP

X1052

4 10GbE SFP+ ports; by default, ports 49 through 52 support SFP+

X1052P

24 PoE/12 PoE+ ports, up to 369W total; by default:

Ports 1 through 12 support PoE+
Ports 13 through 24 support PoE
Ports 25 through 48 support neither PoE nor PoE+

4 10GbE SFP+ ports; by default, ports 49 through 52 support SFP+

X4012

12 10GbE SFP+ ports; by default, ports 1 through 12 support SFP+

* 
IMPORTANT: A SonicPoint AC without an external power source must be portshielded through ports 1 through 12 on an X1026P or X1052P X‑Series switch.

Any non-SonicPoint AC model without an external power source can be portshielded through ports 1 through 8 (X1008P), 1 through 16 (X1018P), or 1 through 24 (X1026P and X1052P).

Any SonicPoint with an external power source (AC power supply or power adapter) can be portshielded to any Ethernet port.

Configuration of the PoE/PoE+ ports on the X‑Series switch is managed from the UI of the X‑Series switch and the Network > Portshield Groups page on the firewall.

X-Series Solution and SonicPoints

Ports on an extended switch can be portshielded to the WLAN zone of a SonicWall firewall, and SonicPoint access points can be connected to these ports. When connecting SonicPoint access points to an X‑Series switch, it is important to consider the SonicPoint's power requirements. A SonicPoint ACe/ACi/N2 access point requires a minimum of 25.5 watts. If your X‑Series switch does not support PoE+, you must use a SonicPoint power injector. For which switches support PoE+, see PoE/PoE+ and SFP/SFP+ Support. For more information about managing SonicPoint access points, see the Knowledge Base article, SonicWall TZ Series and SonicWall X‑Series Solution managing SonicPoint ACe/ACi/N2 access points (SW13970).

Recommended reading

 

For the X-Series Solution:

SonicWall X‑Series Solution Overview (185439)

SonicWall X‑Series Solution: SonicWall integration with Dell X‑Series Switches FAQ (185430)

 

SonicWall TZ - X solution: How to provision X‑Series switches on SonicWall TZ series firewalls (185057)

 

SonicWall X‑Series Solution: How to provision X‑Series Switches on a SonicWall TZ High Availability (HA) system (186085)

 

SonicWall X‑Series Solution - How to manage X‑Series switch's admin credentials and management IP through the X‑Switch's UI and in CLI (185479)

 

SonicWall X‑Series Solution: Which models of X-Switches has support for POE+ (186709)

 

SonicWall X‑Series Solution - Support for SonicWall Virtual Interfaces (VLANs) (189771)

 

SonicWall TZ Series and SonicWall X‑Series Solution managing SonicPoint ACe/ACi/N2 access points (SW13970)

 

SonicWall X‑Series Solution – How to backup and restore X‑Series switches (189204)

For SonicOS and PortShield:

SonicOS 6.2 Administration Guide

For managing X‑Series switches with GMS:

SonicWall GMS OS Administration Guide

For Dell X‑Series switches:

Dell™ Networking™ X1000 and X4000 Series Switches Getting Started Guide

Dell™ Networking™ X1000 and X4000 Series Switches User Guide