
X‐Series Solution Deployment Guide

Configuring the X-Series Solution in Various Topologies

IMPORTANT: Before setting up the interface between the SonicWall firewall and the X‑Series switch, set up the switch as described in Provisioning an X‑Switch on a SonicWall Appliance.

IMPORTANT: When an extended switch has been powered off and then the firewall is restarted (rebooted), it may take up to 5 minutes before the firewall discovers the extended switch and reports the Status of the switch as Connected.

When configuring extended switches in a PortShield group, it may take up to 5 minutes for the configuration to be displayed on the Network > PortShield Groups page.

About Topologies

The key supported topologies for the X-Series Solution are:

Common uplink configuration
Dedicated uplink configuration
Hybrid configuration with common and dedicated uplink(s)
Isolated links configuration for management and data traffic
HA and PortShield configurations with dedicated uplink(s)
HA and PortShield configurations with common uplink(s)
VLAN(s) with dedicated uplink(s) configuration
SonicPoints with dedicated uplink configuration

About Links

A common link carries data and management traffic. Common links carry all PortShield traffic and all the PortShield groups.

A dedicated link can carry only one PortShield group, and that group must be portshielded to the dedicated port on the SonicWall firewall.

An isolated link can carry management traffic OR data traffic, but not both at the same time. Isolated links usually have separate connections between the firewall and the X‑Switch for management traffic and data traffic.

About Uplink Interfaces

Uplink interfaces can be viewed as “trunk” ports set up to carry tagged/untagged traffic. When an extended switch is added with firewall uplink and X‑Switch uplink options, the port on the firewall configured as the firewall uplink and the port on the extended switch configured as the switch uplink are set up automatically to receive/send tagged traffic for all IDV VLANs. The IDV VLAN of the tagged traffic allows the firmware to derive the PortShield host interface for the traffic.

Criteria for Configuring an Uplink Interface

The interface must be a physical interface; virtual interfaces are not allowed.
The interface must be a switch interface. (On some platforms, some firewall interfaces are not connected to the switch. Such interfaces are not allowed.)
The interface cannot be a PortShield host (some other firewall interface cannot be portshielded to it) or a PortShield group member (cannot be portshielded to another firewall interface).
The interface cannot be a bridge primary or bridge secondary interface.
The interface cannot have any children (it cannot be a parent interface for other child interfaces).

Connecting the X‑Series Switch Management Port to a SonicWall Firewall

The interface connected to the management port of the X‑Switch must have an IP address from the same subnet as the switch. For example, if the management connection between the switch and the firewall is through X2, then X2 must have an IP address from the same subnet, such as 192.168.2.1/24.

All port-based configuration operations are disabled on the X‑Switch port designated as the switch management and switch uplink ports. This action ensures that configuration operations on these critical ports do not lead to switch-reachability issues jeopardizing the integration solution.

Configuring the Different Topologies

NOTE: For a complete description of creating PortShield groups, see the SonicOS 6.2 Administration Guide and Adding the X‑Series Switch to SonicOS. The following sections describe only those steps required for the various topologies.

Configuring a Common Uplink

X-Series switches can be managed by the firewall, thereby providing a unified management option for managing critical network elements such as the firewall/switch. This configuration allows a single link between the firewall and the X‑Series switch to be designated as the uplink that carries all PortShield traffic, both management and data. Both the firewall and switch ports are configured as trunk ports for carrying tagged traffic for VLANs corresponding to all the firewall interfaces. The VLAN tag of the traffic is used to associate the traffic to the PortShield group to which it belongs.

The advantage of such a deployment option is that a separate set of firewall/switch ports is not used for management traffic. The disadvantage is that a high amount of data traffic can penalize forwarding of management traffic, as the same link is shared for both types of traffic.

Common uplink topology shows a typical integration topology of a TZ500 firewall with an X1026P switch:

The firewall uplink interface is X3.
The X‑Series switch uplink interface is 2.

This uplink between X3 on the firewall and port 2 on the extended switch is a common link set up to carry PortShield traffic between H1 and H3 and H2 and H4. The uplink is also the one on which the X‑Series switch is managed by the firewall. In such a configuration, X3 is configured in the same subnet as the IP of the switch. Also, X3 is configured as the firewall uplink, and port 2 is configured as the switch management as well as the switch uplink when a switch is provisioned.

NOTE: If necessary, you may choose to have different links carry the PortShield traffic and management traffic. For more information, see Configuring Isolated Links for Management and Data Uplinks.

Common uplink topology

To configure a common link:
1. Set up the switch as described in Provisioning an X‑Switch on a SonicWall Appliance.
2. Connect an RJ45 cable between TZ port X3 and X-Switch port 2.
3. Navigate to the Network > Interfaces page.
4. Ensure that X3 has an IP address in the range 192.168.2.n/24.
5. Navigate to the Network > PortShield Groups page.
6. Click the External Switch Configuration tab.
7. Click the Add Switch button. The Add External Switch dialog displays.
8. Configure the ID through Confirm Password options as described in Adding an Extended Switch.
9. Select the port on the switch via which the firewall manages the switch from the Switch Management drop-down menu.
10. Select the Firewall Uplink and Switch Uplink options from their respective drop-down menus.
11. For information about configuring the Advanced tab, see Adding an Extended Switch.
12. Click Add. The External Switch Configuration tab shows the link between X3 and the X‑Switch port 2.

    Status – a green Enabled icon
    Switch Management – port 2
    Firewall Uplink – X3
    Switch Uplink – port 2
13. Click the Port Graphics tab.

    The X3 port and X‑Switch 1 port 2 have the same color and small arrow, which means they are the uplink, that is, connected by cable.
14. To PortShield ports on the firewall and X‑Switch, see the PortShield sections in the SonicOS 6.2 Administration Guide.

Configuring a Dedicated Uplink

This configuration allows a given link between the firewall and the X‑Series switch to be designated as the dedicated uplink set up to carry PortShield traffic corresponding to the connected firewall interface. The firewall and switch ports are configured in access mode for the VLAN corresponding to the PortShield VLAN of the firewall interface.

This configuration can be used in deployments where a dedicated 1G link is needed for a particular firewall interface. Cases where this configuration is necessary:

VLANs are used; for example, another switch behind the X‑Switch.
There will be a large volume of traffic and there needs to be a separate uplink for this traffic.

The risk associated with such a configuration is using up interfaces on the firewall fairly soon.

NOTE: In this example, there is no common uplink to carry the PortShield traffic for the rest of the firewall interfaces (excluding X0 and X5 for which dedicated links are set up).

IMPORTANT: For the dedicated uplink to work, the physical link must be connected before being configured.

Dedicated uplink topology shows a dedicated uplink setup of a TZ500 firewall with an X1026P switch. There are two dedicated uplinks in this scenario:

The uplink between X3 on the firewall and port 1 on the extended switch is used to manage the switch. In this configuration, X3 is configured in the same subnet as the IP of the X‑Series switch.
In addition, there are two dedicated uplinks:
The uplink between X0 on the firewall and port 11 on the extended switch is a dedicated link to carry all PortShield traffic for X0.
The uplink between X5 on the firewall and port 7 on the extended switch is a dedicated link to carry all PortShield traffic for X5.

Dedicated uplink topology

You can configure a dedicated uplink with or without setting up the common uplink to carry all PortShield traffic for the different firewall interfaces. In both cases, the common uplink is used to manage the extended switch.


Configuring a Dedicated Uplink without a Common Uplink

To configure a dedicated uplink topology without a common uplink:
1. Set up the switch as described in Provisioning an X‑Switch on a SonicWall Appliance.
2. Navigate to the Network > PortShield Groups page.
3. Click the External Switch Configuration tab.
4. Click the Edit icon for an unassigned switch. The Edit External Switch dialog displays.
5. Configure the ID through Confirm Password options as described in Adding an Extended Switch.
6. Select the port on the switch via which the firewall manages the switch from the Switch Management drop-down menu.
7. To provision the extended switch for a dedicated uplink without a common uplink, ensure the Firewall Uplink and Switch Uplink options are set to None.
8. For information about configuring the Advanced tab, see Adding an Extended Switch.
9. Click Add. The dialog closes.
10. Click either the:
    Port Graphics tab.
    Port Configuration tab.
11. On the:
    Port Graphics tab:
        a) Select the desired PortShield Interface.
        b) Click the Configure button.
    Port Configuration tab, click the Edit icon of the desired PortShield Interface.

    The Edit Switch Port dialog displays.
12. Select the Dedicated Uplink option.
13. Click OK.

Configuring a Dedicated Uplink with a Common Uplink

To configure a dedicated uplink topology with a common uplink:
1. Provision the switch as described in Provisioning an X‑Switch on a SonicWall Appliance.

    NOTE: For this example, a cable is connected to firewall port X3 and switch port 2, which has a human icon in the port icon. This connection is a common link because it carries both management and data traffic.
2. Set up the common uplink as described in Adding an Extended Switch.

    The External Switch Configuration tab is updated.

    The External Switch Configuration and Port Graphics tabs are updated.

    On the Port Graphics tab, the icons for firewall port X3 and switch port 2 are the same color and contain an up arrow.
3. Click either the:
    Port Graphics tab.
    Port Configuration tab.
4. On the:
    Port Graphics tab:
        a) Select the desired PortShield Interface(s).
        b) Click the Configure button.
    Port Configuration tab, click the Edit icon of the desired PortShield Interface.

    The Edit Switch Port dialog displays.
5. Select the Dedicated Uplink option.
6. Click OK.

The graphics on the Port Graphics tab show the firewall X5 and switch port 5 icons have the same color (green in this example) and an up arrow, which indicates a dedicated link.

Configuring a Hybrid System with Common and Dedicated Uplink(s)

This configuration allows a combination of common and dedicated uplinks to be set up between the firewall and the X‑Series switch. The dedicated uplinks are used to carry PortShield traffic corresponding to the connected firewall interface. The common uplink is used to carry PortShield traffic for the remaining firewall interfaces (with no dedicated uplinks).

Hybrid uplink topology shows a hybrid uplink integration topology of a TZ400 firewall with an X1026P switch:

The dedicated uplink between X0 on the firewall and port 11 on the extended switch is set up to carry PortShield traffic for X0.
The common link between X3 on the firewall and port 2 on the extended switch carries PortShield traffic for firewall interfaces other than X0.
Ports X0 and 11 for the dedicated uplink are access ports for the VLAN corresponding to X0. Ports X3 and 2 for the common uplink are trunk ports, and VLANs corresponding to all firewall interfaces, except X0, are added as members to this trunk to facilitate carrying the PortShield VLAN-tagged traffic.

In this configuration, the link between X3 and 2 is also used to carry management traffic between the firewall and the switch.

Hybrid uplink topology

Setting up a hybrid configuration is done in two steps:

1. Configure a common uplink.
2. Configure the dedicated uplink.

To set up a hybrid configuration with common and dedicated uplinks:
1. Set up the switch as described in Adding the X‑Series Switch to SonicOS.
2. Configure the uplink as described in Configuring a Dedicated Uplink with a Common Uplink.

Configuring Isolated Links for Management and Data Uplinks

This configuration allows separate links between the firewall and X‑Series switch to carry management traffic and data traffic. With a common link, the management traffic and data traffic run in the same uplink; if data traffic is congested, so is management traffic, which results in a delay in forwarding management traffic. If data traffic will be congested, consider configuring separate links for management traffic and data traffic. Although similar to a common link configuration, the isolated management/data configuration runs separate uplinks for management traffic and data traffic. This configuration ensures that even with a high amount of data traffic, management traffic to the switch is forwarded without being delayed.

IMPORTANT: The MGMT port cannot be portshielded.

Isolated link topology shows an isolated link setup of a TZ400 firewall with an X1026P switch:

The link between X2 on the firewall and port 1 on the external switch carries management traffic to the switch. In such a configuration, X2 is configured in the same subnet as the IP of the X-Series switch.
The link between X3 on the firewall and port 2 on the external switch is the uplink set up to carry PortShield traffic between H1 and H2.
X3 is configured as the firewall uplink.
Port 1 is configured as the switch MGMT port.
Port 2 is configured as the switch data uplink.

Isolated link topology

To set up isolated links for management and data traffic:
1. Provision the switch as described in Provisioning an X‑Switch on a SonicWall Appliance.
2. Set up the data uplink as described in Adding an Extended Switch.
3. Navigate to the Network > PortShield Groups page.
4. Click the External Switch Configuration tab.
5. Click Add Switch. The Add External Switch dialog displays.
6. Configure the ID through Confirm Password options as described in Adding an Extended Switch.
7. To specify the port on the switch via which the firewall manages the switch, select the port from the Switch Management drop-down menu.
8. Select the Firewall Uplink and Switch Uplink options from their respective drop-down menus.
9. Click Add.

The extended switch configuration is displayed on the Network > PortShield Groups > External Switch Configuration tab.

The Port Graphics tab displays:

The extended switch port 1 is management (it is grey with a human icon in it).
The data uplink is between X3 and extended port 2.

Configuring HA and PortShield with Dedicated Uplink(s)

IMPORTANT: To use the SonicWall X‑Series Solution with HA, you must first create an HA system, and then add the X‑Switch.

There are two ways to configure HA units with dedicated uplinks:

Configuring HA using One Extended Switch Management Port

In this configuration with PortShield functionality in HA mode, firewall interfaces that serve as PortShield hosts should be connected to the X‑Series switch on both the active and standby units. The PortShield members should also be connected to ports on the switch. The link between the firewall interface serving as the PortShield host and the switch is set up as a dedicated uplink.

HA pair using one extended switch management port topography shows a TZ300 HA pair with an X1026 switch and one dedicated link:

The firewall interfaces, X3 and X4, on the primary unit are connected to ports 12 and 13 on the X‑Series switch.
X3 and X4 are configured as PortShield hosts.
Similarly, the firewall interfaces X3 and X4 on the secondary unit are connected to ports 14 and 15 on the X‑Series switch.
Ports 12 and 14 on the switch are portshielded to X3 with the dedicated uplink option enabled.
Ports 13 and 15 on the switch are portshielded to X4 with the dedicated uplink option enabled.
Ports 2 and 4 are portshielded to X3.
Ports 3 and 5 are portshielded to X4.

When the primary unit acts in active HA mode, traffic between H1 and X3 is carried over the dedicated link between X3 and 12 and traffic between H3 and X4 is carried over the dedicated link between X4 and 13.

When the secondary unit acts in active HA mode, traffic between H1 and X3 is carried over the dedicated link between X3 and 14, and traffic between H3 and X4 is carried over the dedicated link between X4 and 15.

The link between the firewall interface, X0, and port 1 on the X‑Series switch carries the management traffic to manage the switch from the firewall. In such a configuration, X0 is configured to be in the same subnet as the switch. Also, X0 on both the primary and the secondary unit must be connected to port 1 of the switch (for example, via a hub) so that when the secondary firewall becomes the active unit, the switch can be managed via the link between the firewall interface X0 on the secondary and port 1 of the switch. In such a configuration, when the switch is provisioned, the Primary Switch Management and Secondary Switch Management are set to 1.

HA pair using one extended switch management port topography

To set up HA with one dedicated uplink:
1. Provision the switch as described in Provisioning an X‑Switch on a SonicWall Appliance.
2. Set up the data uplink as described in Adding an Extended Switch.
3. Configure the options as described in Configuring a Common Uplink except:
    a) Select the Primary Switch Management and Secondary Switch Management interfaces from their respective drop-down menus.

    NOTE: The Firewall Uplink and Switch Uplink options are not relevant for a firewall operating in HA mode. The primary Firewall Uplink option and both the primary and secondary Switch Uplink options are set to None.
4. Click Add.
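
The requirement that every PortShield host has a dedicated uplink from both HA units can be checked against a cabling plan before a failover test. The following is an added example, not SonicWall code: the Cable and PortShield records, the check_ha_dedicated_uplinks function and its finding names are hypothetical, and the sample plan is constructed from the TZ300/X1026 port numbers given above.

```python
from dataclasses import dataclass

UNITS = ("primary", "secondary")


@dataclass(frozen=True)
class Cable:
    """Data cable from one HA unit's firewall interface to a switch port.
    Management cabling (X0 to the switch management port) is not modelled."""
    unit: str            # "primary" or "secondary"
    fw_interface: str    # e.g. "X3"
    switch_port: int


@dataclass(frozen=True)
class PortShield:
    """PortShield setting of one extended switch port."""
    switch_port: int
    host: str                # firewall interface the port is portshielded to
    dedicated: bool = False  # Dedicated Uplink option selected


def check_ha_dedicated_uplinks(cables, portshields):
    """Return (rule, message) findings; an empty list means every PortShield
    host is reachable over a dedicated uplink from both HA units."""
    by_port = {p.switch_port: p for p in portshields}
    findings = []
    used = {}  # switch port -> first cable planned for it

    for c in cables:
        if c.unit not in UNITS:
            raise ValueError(f"unknown HA unit {c.unit!r}")
        if c.switch_port in used:
            first = used[c.switch_port]
            findings.append(("port-reused",
                f"switch port {c.switch_port} is cabled to {first.unit} "
                f"{first.fw_interface} and {c.unit} {c.fw_interface}"))
            continue
        used[c.switch_port] = c
        ps = by_port.get(c.switch_port)
        if ps is None or ps.host != c.fw_interface:
            findings.append(("wrong-host",
                f"{c.unit} {c.fw_interface} is cabled to port {c.switch_port}, "
                f"which is not portshielded to {c.fw_interface}"))
        elif not ps.dedicated:
            findings.append(("not-dedicated",
                f"port {c.switch_port} ({c.unit} {c.fw_interface}) does not "
                f"have the Dedicated Uplink option selected"))

    def has_uplink(unit, host):
        # True when this unit has a cable from the host interface to a port
        # that is portshielded to that host with the dedicated option set.
        return any(c.unit == unit and c.fw_interface == host
                   and c.switch_port in by_port
                   and by_port[c.switch_port].host == host
                   and by_port[c.switch_port].dedicated
                   for c in used.values())

    # Every interface that switch ports are portshielded to must stay
    # reachable whichever unit is active.
    for host in sorted({p.host for p in portshields}):
        for unit in UNITS:
            if not has_uplink(unit, host):
                findings.append(("no-uplink",
                    f"{unit} unit has no dedicated uplink for PortShield host {host}"))
    return findings


# Constructed plan using the port numbers from the topology description.
GUIDE_CABLES = [
    Cable("primary", "X3", 12), Cable("primary", "X4", 13),
    Cable("secondary", "X3", 14), Cable("secondary", "X4", 15),
]
GUIDE_PORTSHIELDS = [
    PortShield(12, "X3", True), PortShield(14, "X3", True),
    PortShield(13, "X4", True), PortShield(15, "X4", True),
    PortShield(2, "X3"), PortShield(4, "X3"),
    PortShield(3, "X4"), PortShield(5, "X4"),
]

if __name__ == "__main__":
    print("guide plan:", check_ha_dedicated_uplinks(GUIDE_CABLES, GUIDE_PORTSHIELDS))
    # Same plan with the secondary unit's X4 cable missing.
    for rule, msg in check_ha_dedicated_uplinks(GUIDE_CABLES[:3], GUIDE_PORTSHIELDS):
        print(rule, "-", msg)
```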

Configuring HA using Two Extended Switch Management Ports

You can connect X0 of the primary and secondary firewalls directly to the ports on the X‑Series switch. In this case, two switch ports are used on the switch for management traffic.

HA pair using two extended switch management ports topography shows a TZ300 HA pair with an X1026 switch and two dedicated links:

X0 of the primary unit is connected to port 1.
X0 of the secondary unit is connected to port 7.

When the switch is provisioned, Primary Switch Management is set to port 1 and Secondary Switch Management is set to port 7. When the primary firewall is active, the link between X0 of the primary and port 1 of the switch carries the management traffic. When the secondary firewall is active, the link between X0 of the secondary and port 7 of the switch is used by the firewall to manage the switch.

HA pair using two extended switch management ports topography

To set up HA with two extended switch management ports:
1. Provision the switch as described in Provisioning an X‑Switch on a SonicWall Appliance.
2. Set up the data uplink as described in Adding an Extended Switch.
3. Configure the options as described in Configuring a Common Uplink except:
    a) Select the Primary Switch Management and Secondary Switch Management interfaces from their respective drop-down menus.

    NOTE: The Firewall Uplink and Switch Uplink options are not relevant for a firewall operating in HA mode. The primary Firewall Uplink option and both the primary and secondary Switch Uplink options are set to None.
4. Click Add.

Configuring HA and PortShield with a Common Uplink

In this configuration with PortShield functionality in HA mode, a link between the active/standby firewalls and the X‑Series switch serves as a common uplink to carry all the portshielded traffic. Firewall interfaces that serve as PortShield hosts are connected to a separate switch (not necessarily an X‑Series switch) and not the same X‑Series switch connected to the active and standby units. This other switch avoids the looping of packets for the same PortShield VLAN. The PortShield members can be connected to ports on the X‑Series switch that is controlled by the active/standby firewalls.

HA pair using a common switch topography shows a TZ600 HA pair and two X1026P switches. The link between X3 and X1026P-1 is set up as a common uplink. Similarly, the link between X2 and X1026P-2 is set up as a common uplink. The PortShield hosts’ X0 are connected to a different switch (which could be an X‑Series switch or any other vendor’s switch) to avoid looping of packets. Ports 10 on both X1026P-1 and X1026P-2 are portshielded to X0, and hosts connected to Ports 10 on both switches can communicate using the common uplink.

HA pair using a common switch topography

To set up HA with a common uplink:
1. Provision the switch(es) as described in Provisioning an X‑Switch on a SonicWall Appliance.
2. Set up the data uplink as described in Adding an Extended Switch.
3. On the Network > Interfaces page, configure these interfaces for both firewalls:

    X0 – LAN/PortShield host
    X1 – WAN
    X2 – Firewall uplink on the firewall for X1026P-2
    X3 – Firewall uplink on the firewall for X1026P-1
4. Configure the options as described in Configuring a Common Uplink except for these ports:

    X1026P-1 Interfaces:
    10 – Host-facing interface portshielded to X0
    21 – Switch uplink for the primary firewall
    23 – Switch uplink for the secondary firewall

    X1026P-2 Interfaces:
    10 – Host-facing interface portshielded to X0
    21 – Switch uplink for the primary firewall
    23 – Switch uplink for the secondary firewall

Configuring VLAN(s) with Common or Dedicated Uplink(s)


Prerequisites for VLAN Support

Support for VLANs is available on both dedicated and common uplinks. For example, VLANs can be configured under firewall interfaces configured as a dedicated uplink. VLANs also can be configured under the firewall interface provisioned as the common uplink for the X‑Series switch.
Overlapping VLANs cannot exist under appliance interfaces configured as dedicated uplinks to the same switch because VLAN space on the X‑Series switch is global. For example, if X3 and X5 are configured for dedicated uplinks to the same X‑Series switch, VLAN 100 cannot be present under both X3 and X5. Such a configuration is rejected. If X3 and X5 are dedicated uplinks to different X‑Series switches, however, then such a configuration is accepted.
Overlapping VLANs cannot exist under common uplink interfaces. For example, if X3 is set up as a common uplink to an X‑Series switch and VLAN 100 exists under X3, another interface that is configured as a common uplink to a second X‑Series switch, for example, X4, cannot have a VLAN 100 sub-interface.
PortShield of extended switch interfaces to common uplink interfaces without selecting any VLANs for access/trunk configuration is not supported.

For more information about X-Series Solution support for VLAN, see SonicWall X‑Series Solution - Support for SonicWall Virtual Interfaces (VLANs) (189771).
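
The overlap rules above can be checked against a planned configuration before it is entered on the firewall. This is an added example, not SonicWall code: the Uplink and SwitchPort records, the check_vlan_plan function, the rule names and the switch IDs are hypothetical, and the sample plans are constructed from the X3/X4/X5 and VLAN 100 cases in the text.

```python
from collections import defaultdict
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Uplink:
    """Firewall-to-switch uplink in a planned configuration (hypothetical model)."""
    fw_interface: str               # firewall interface, e.g. "X3"
    switch_id: int                  # which X-Series switch the uplink goes to
    kind: str                       # "dedicated" or "common"
    vlans: frozenset = frozenset()  # VLAN sub-interface tags under fw_interface


@dataclass(frozen=True)
class SwitchPort:
    """Extended switch port portshielded to a firewall interface."""
    switch_id: int
    port: int
    portshield_host: str
    vlans: frozenset = frozenset()  # VLANs selected for access/trunk on the port


def check_vlan_plan(uplinks, ports=()):
    """Return (rule, message) findings; an empty list means the plan meets
    the VLAN prerequisites listed in this section (and only those)."""
    for u in uplinks:
        if u.kind not in ("dedicated", "common"):
            raise ValueError(f"{u.fw_interface}: unknown uplink kind {u.kind!r}")
    findings = []

    # Rule 1: VLAN space on a switch is global, so dedicated uplinks to the
    # SAME switch must not share a VLAN ID. Different switches are accepted.
    dedicated = defaultdict(list)
    for u in uplinks:
        if u.kind == "dedicated":
            dedicated[u.switch_id].append(u)
    for switch_id in sorted(dedicated):
        for a, b in combinations(dedicated[switch_id], 2):
            for vlan in sorted(a.vlans & b.vlans):
                findings.append(("dedicated-overlap",
                    f"VLAN {vlan} under both {a.fw_interface} and "
                    f"{b.fw_interface} (dedicated uplinks to switch {switch_id})"))

    # Rule 2: common uplink interfaces must not share a VLAN ID at all,
    # even when they connect to different switches.
    commons = [u for u in uplinks if u.kind == "common"]
    for a, b in combinations(commons, 2):
        for vlan in sorted(a.vlans & b.vlans):
            findings.append(("common-overlap",
                f"VLAN {vlan} under both common uplinks {a.fw_interface} "
                f"(switch {a.switch_id}) and {b.fw_interface} (switch {b.switch_id})"))

    # Rule 3: a switch port portshielded to the common uplink interface must
    # have at least one VLAN selected for access/trunk configuration.
    common_hosts = {(u.switch_id, u.fw_interface) for u in commons}
    for p in ports:
        if (p.switch_id, p.portshield_host) in common_hosts and not p.vlans:
            findings.append(("common-no-vlan",
                f"switch {p.switch_id} port {p.port} is portshielded to common "
                f"uplink {p.portshield_host} with no VLAN selected"))
    return findings


# Constructed plans based on the examples in the text.
SAME_SWITCH = [Uplink("X3", 1, "dedicated", frozenset({100})),
               Uplink("X5", 1, "dedicated", frozenset({100, 150}))]
DIFFERENT_SWITCHES = [Uplink("X3", 1, "dedicated", frozenset({100})),
                      Uplink("X5", 2, "dedicated", frozenset({100}))]
TWO_COMMON = [Uplink("X3", 1, "common", frozenset({100})),
              Uplink("X4", 2, "common", frozenset({100}))]
COMMON_PORTS = [SwitchPort(1, 10, "X3", frozenset({100})),  # VLAN selected
                SwitchPort(1, 11, "X3")]                     # no VLAN selected

if __name__ == "__main__":
    cases = (("same switch", SAME_SWITCH, ()),
             ("different switches", DIFFERENT_SWITCHES, ()),
             ("two common uplinks", TWO_COMMON, COMMON_PORTS))
    for name, plan, plan_ports in cases:
        print(name)
        for rule, message in check_vlan_plan(plan, plan_ports) or [("ok", "accepted")]:
            print(f"  {rule}: {message}")
```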

Configuring a Common Uplink for VLANs

For information about prerequisites and limitations for VLAN configurations, see Prerequisites for VLAN Support.

Configuring a Common Uplink for VLAN(s) with SPM

With Single Point of Management (SPM), you can configure a common uplink to carry management traffic of the firewall managing the X‑Series switch plus PortShield traffic for the IDV VLANs corresponding to the firewall interfaces plus traffic corresponding to the VLAN subinterfaces under the common uplink.

VLAN(s) with common uplink topography shows a TZ500 with an X1026P switch:

The link between X5 and port 3 on the extended switch is configured as a common uplink for carrying PortShield traffic for the different firewall interfaces.
The link between X5 and port 3 is also used by the firewall to manage the switch.
Interface X5 is configured to be in the same subnet as the IP of the switch. In this configuration example, the switch is first provisioned with the Firewall Uplink as X5, Switch Uplink as 3, and Switch Management as 3.
There are three VLAN interfaces with VLAN tags 100, 150, and 200 configured under X5.
The link between X5 on the firewall and port 3 on the extended switch is a common link set up to carry management traffic, PortShield traffic, and traffic tagged with VLANs 100, 150, 200.

Supporting such a topology requires this configuration:

A switch is provisioned using X5 as the Firewall Uplink and 3 as both the Switch Uplink and Switch Management.

Port 2 is portshielded to X3 with the dedicated link option.
NOTE: This configuration is also possible without the presence of the dedicated link and just using the common uplink between X5 and 3.
Port 3 is portshielded to X5 with dedicated uplink option.
Port 10 is portshielded to X5 and configured as a trunk to carry VLAN 100.
Port 11 is portshielded to X5 and configured as a trunk to carry VLAN 150.
Port 12 is portshielded to X5 and configured as an access to carry VLAN 200.

VLAN(s) with common uplink topography

To configure a common uplink for a VLAN:
1. Provision the switch as described in Provisioning an X‑Switch on a SonicWall Appliance.
2. Set up the data uplink as described in Adding an Extended Switch.
3. Configure the uplinks as described in Configuring a Common Uplink.

Configuring a Dedicated Uplink plus a Common Uplink for a VLAN

To configure a dedicated uplink plus a common uplink for a VLAN:
1. Provision the switch as described in Provisioning an X‑Switch on a SonicWall Appliance.
2. Set up the data uplink as described in Adding an Extended Switch.
3

Configuring a Dedicated Uplink for VLANs

Dedicated Uplink for VLAN Topology

In a dedicated uplink configuration, a given link between the firewall and the X‑Series switch designated as the dedicated uplink is set up to carry traffic for all VLANs configured under the firewall interface plus PortShield traffic corresponding to the firewall interface.

VLAN with dedicated uplink topology shows a TZ500 with an X1026P switch:

VLAN with dedicated uplink topology

The link between X3 and port 1 on the extended switch is used by the firewall to manage the switch.
Interface X3 is configured to be in the same subnet as the IP of the switch.
NOTE: In this example, a common uplink is not required, hence, the extended switch is provisioned with the Firewall Uplink and Switch Uplink options set to None and Switch Management set to 1.
There are three VLAN interfaces with VLAN tags 100, 150, and 200 configured under X5.
The link between X5 on the firewall and port 3 on the extended switch is a dedicated link set up to carry traffic tagged with VLANs 100, 150, and 200 and untagged traffic for X5.

Supporting such a topology requires this configuration:

Port 3 is portshielded to X5 with dedicated uplink option.
Port 10 is portshielded to X5 and configured as a trunk to carry VLAN 100.
Port 11 is portshielded to X5 and configured as a trunk to carry VLAN 150.
Port 12 is portshielded to X5 and configured as an access to carry VLAN 200.

Configuring a Dedicated Uplink for a VLAN

Support for VLAN(s) is achieved in a multi-step configuration process:

1. Provision the switch. The switch can be provisioned with the:
    Firewall uplink and switch uplink set to None if support for VLAN(s) alone is needed.
    Common uplink option if support is needed for a common trunk interface to carry PortShield traffic for other firewall interfaces along with VLAN(s) support.
2. Configure the dedicated link by:
    a) Choosing an extended switch port that is connected physically to the firewall interface.
    b) Portshielding the port to the firewall interface.
    c) Choosing the dedicated link option.
3. Select the extended switch port on which VLAN(s) need to be enabled.
4. Portshield the switch port to the firewall interface.
5. Configure the required VLAN(s) under the VLAN tab.

To configure a dedicated uplink for VLANs without a common uplink:
1. Provision the switch as described in Provisioning an X‑Switch on a SonicWall Appliance.
2. Set up the data uplink as described in Adding an Extended Switch.
3. Configure the options as described in Configuring a Dedicated Uplink, making sure to select the Dedicated Uplink option.

    When a dedicated uplink is set up for a given firewall interface, if VLAN(s) exist under the firewall interface, a new tab, VLANs, displays on the Edit Switch Port dialog when the PortShield Interface is selected.
4. Use the VLANs tab to configure an extended switch port in trunk or access mode. In this example, Port 10 is portshielded to X5 and configured as a trunk to carry VLAN 100 by selecting Enabled for the VLAN Trunk option and choosing VLAN 100 from the available list of VLANs.
5. Similarly, Port 11 is portshielded to X5 and configured as a trunk to carry VLAN 150 by:
    a) Selecting Enabled for the VLAN Trunk option.
    b) Choosing VLAN 150 from the available list of VLANs.
6. Portshield port 12 to X5 and configure it as an access for VLAN 200 by:
    a) Selecting Disabled for the VLAN Trunk option.
    b) Choosing VLAN 200 from the available list of VLANs.

    NOTE: For access, only a single VLAN can be selected from the available list of VLANs, whereas when configured as a trunk, multiple VLANs can be selected for a given port.

With this configuration, port 3 on the extended switch carries tagged traffic for VLANs 100, 150, and 200 and untagged traffic for IDV VLAN 6. Port 10 is a trunk port carrying tagged traffic for VLAN 100, Port 11 is a trunk port carrying tagged traffic for VLAN 150, and Port 12 is an access port carrying untagged traffic for VLAN 200. Ports 10, 11, and 12 are portshielded to X5 through the dedicated link between X5 and port 2.

Configuring a Dedicated Link for SonicPoint Access

It is recommended that SonicPoint access points be connected through dedicated links because SonicPoint access points carry several VLANs, and dedicated links pass through VLAN tunnels. The dedicated links act as trunks passing tagged traffic from the access point through the X‑Series switch to the firewall.

For non-SonicPoint access points and for SonicPoints without particular management, the port in the firewall can be configured as ANY (LAN/WAN/DMZ, although usually LAN). In this case, the pair of ports between the firewall and the X‑Series switch must be configured as a dedicated link. Other ports on the switch that are expected to connect to access points with RJ45 are portshielded to that dedicated port.

If the SonicPoint access points are behind the firewall and are to be managed, the pair of ports on the firewall and the X‑Series switch must be configured as a dedicated link. The dedicated port on the firewall must be configured as WLAN. Other ports on the switch that are expected to connect to SonicPoint access points with RJ45 are portshielded to that dedicated port.

IMPORTANT: Any SonicPoint with an external power source (AC power supply or power adapter) can be portshielded to any Ethernet port.

When SonicPoints are configured with X‑Series switches, the SonicPoints must be portshielded in a group configured to a port of the dedicated link. See SonicPoints and a dedicated uplink.

SonicPoints and a dedicated uplink

For more information about using SonicPoints with an X‑Series switch, see SonicWall TZ Series and SonicWall X‑Series Solution managing SonicPoint ACe/ACi/N2 access points (SW13970).

To configure a dedicated uplink for SonicPoints:
1. Provision the switch as described in Provisioning an X‑Switch on a SonicWall Appliance.
2. Set up the data uplink as described in Adding an Extended Switch.
3. Configure the uplinks as described in Configuring a Dedicated Uplink for VLANs.
4. Ensure that all SonicPoints are connected to X‑Switch ports configured in the PortShield group of the dedicated link.