How do I configure Static Link Aggregation VLAN trunks when extending networks to PortShield Groups?

10/14/2021


    Description

    This article provides information on how to configure Static Link Aggregation VLAN trunks when extending networks to PortShield Groups on SonicOS 6.2 and above.

    SonicOS provides Layer 2 (data link layer) switching functionality with its unique PortShield architecture. Layer 2 switching features enhance the deployment and interoperability of SonicWall devices within existing Layer-2 networks with the following benefits:


    Increased security across multiple switch ports: The PortShield architecture provides the flexibility to configure all switch ports into separate security zones such as LANs, WLANs and DMZs, providing protection not only from the WAN and DMZ, but also between devices inside the LAN. Effectively, each security zone has its own wire-speed 'mini-switch' that benefits from the protection of a dedicated deep packet inspection firewall.


    Link Aggregation adds port redundancy and load balancing to extended PortShield networks. Ports that are in the same VLAN (same PortShield Group) or are VLAN trunk ports are eligible for link aggregation. Up to four ports can be aggregated in a logical group and there can be four Logical Links (LAGs) configured.

    Support for Static Link Aggregation. Static Link Aggregation is where no Dynamic Link Aggregation protocols are used. PortShield cannot be enabled if the SonicWall is in high availability (HA) mode. If you have a SonicWall appliance in standalone mode with PortShield enabled, PortShield must be disabled before it can be enabled for HA.

    Resolution

     

    Resolution for SonicOS 6.5

    This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.

    Configure/view interfaces and PortShield groups

    • Log in to the SonicWall UTM appliance and configure/view interfaces from the Manage | Network | Interfaces page and PortShield Groups from the Manage | Network | PortShield Groups page. This example shows two PortShield Groups: the LAN PortShield and DMZ PortShield groups.

      NOTE: If the SonicWall is part of a High Availability (HA) pair, PortShield is disabled and VLAN tagging of PortShield groups is not possible. If you have a SonicWall appliance in stand alone mode with PortShield enabled, PortShield must be disabled before it can be enabled for HA.

    Configure Switching attributes

     

    • From the Manage | Switching | VLAN Trunking page you will see a VLAN table listing attributes of each interface, assigned VLAN ID, associated member ports, and trunked status. At the top of the page is the list of reserved VLAN IDs used by SonicOS. In this example PortShield group (X0) with one member is assigned VLAN ID 100 and PortShield group (X2) with 4 members is assigned VLAN ID 200.

      NOTE: You can only manage VLAN attributes of interfaces associated with a PortShield Group.

      NOTE: The reserved VLAN information is not enforced: the Edit Vlan for PortShield Host window does not check whether a VLAN tag has already been used. It is up to the administrator to keep track of VLAN tags already allocated.

    • At the bottom of the VLAN table is VLAN Trunks. Click the Add button to add an interface for VLAN trunking from the list of available ports in the Add Vlan Trunk Port window. EXAMPLE: In this example there are three VLAN Trunk ports, X5, X6, and X7, and the objective is to create a LAG bundle with these VLAN Trunk ports.
    • To assign a VLAN ID to a VLAN Trunk, select the Trunk Port check box and click Enable VLAN to add a VLAN ID. In this example VLAN ID 200 has been assigned to each VLAN Trunk.




    Create a VLAN Aggregation (LAG) bundle

    • From the Manage | Switching | LinkAggregation page, click the Add button to select the ports for a Link Aggregation (LAG) bundle. Multiple ports may be added to a LAG bundle, one at a time. A SonicWall LAG bundle may have from 2 to 4 ports.

      NOTE: Ports bond together if connected to the same link partner and their keys match. If there is no key configured for a port (if the port is in auto mode), the member port will bond with an aggregator that is connected to the same link partner. The link partner is discovered via LACP messages. A link partner cannot be discovered for Static link aggregation. In this case, ports aggregate based on keys alone. Like a PortShield host, the aggregator port cannot be removed from the LAG since it represents the LAG in the system.

    • EXAMPLE: In this example, three VLAN Trunks are bonded together, with X5 as the aggregator and X6 and X7 as the members, linked together with a Key of 1.

      NOTE:  Ports that are in the same VLAN (same PortShield Group) or are VLAN trunk ports are eligible for link aggregation. Up to four ports can be aggregated in a logical group and there can be four Logical Links (LAGs) configured.

     

    Demonstrate a LAG bundle between the SonicWall and a third party switch.

    • Let's connect a SonicWall static LAG bundle to a switch. In this example we will connect to a Cisco 2950 switch. On the Cisco 2950 switch, we can set up the LAG bundle.
    • On the Cisco 2950, define a Port-channel and define the VLANs.
    • Define a static LAG bundle of 3 ports: port 0/9, port 0/10, and port 0/11. Channel-group 1 with mode on means no LAG protocol is used; this is a static LAG.
    • On the SonicWall, show the Rx and Tx frame counters. For a static LAG, which does not use any LAG protocols, the Rx and Tx PDU counters are zero.
    • Show the LAG status on the Cisco 2950 switch. This is a static LAG bundle and no LAG protocol is used.


    Resolution for SonicOS 6.2 and Below

    The below resolution is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer, we suggest upgrading to the latest general release of SonicOS 6.5 firmware.

     

    Configure/view interfaces and PortShield groups

    • Log in to the SonicWall UTM appliance and configure/view interfaces from the Network | Interfaces page and PortShield Groups from the Network | PortShield Groups page. This example shows two PortShield Groups: the LAN PortShield and DMZ PortShield groups.

      NOTE: If the SonicWall is part of a High Availability (HA) pair, PortShield is disabled and VLAN tagging of PortShield groups is not possible. If you have a SonicWall appliance in stand alone mode with PortShield enabled, PortShield must be disabled before it can be enabled for HA.

    Configure Switching attributes

     

    • From the Switching | VLAN Trunking page you will see a VLAN table listing attributes of each interface, assigned VLAN ID, associated member ports, and trunked status. At the top of the page is the list of reserved VLAN IDs used by SonicOS. In this example PortShield group (X0) with one member is assigned VLAN ID 100 and PortShield group (X2) with 4 members is assigned VLAN ID 200.

      NOTE: You can only manage VLAN attributes of interfaces associated with a PortShield Group.

      NOTE: The reserved VLAN information is not enforced: the Edit Vlan for PortShield Host window does not check whether a VLAN tag has already been used. It is up to the administrator to keep track of VLAN tags already allocated.

    • At the bottom of the VLAN table is VLAN Trunks. Click the Add button to add an interface for VLAN trunking from the list of available ports in the Add Vlan Trunk Port window. In this example there are three VLAN Trunk ports, X5, X6, and X7, and the objective is to create a LAG bundle with these VLAN Trunk ports.
    • To assign a VLAN ID to a VLAN Trunk, select the Trunk Port check box and click Enable VLAN to add a VLAN ID. EXAMPLE: VLAN ID 200 has been assigned to each VLAN Trunk.



    Create a VLAN Aggregation (LAG) bundle

     

    • From the Switching | LinkAggregation page, click the Add button to select the ports for a Link Aggregation (LAG) bundle. Multiple ports may be added to a LAG bundle, one at a time. A SonicWall LAG bundle may have from 2 to 4 ports.

    • In the Add LAG Port window, choose an interface to be the primary or aggregator port for the Link Aggregator (LAG) bundle and select the Aggregator check box. For the Key, unselect the Auto-Detect check box and enter a Key number from 1-255 in the Key box. Click the OK button to accept the Aggregator port. The concept of a SonicOS LAG bundle with an Aggregator port is similar to a PortShield group with a primary PortShield interface.

    • Next, add member ports to the LAG bundle. In the Add LAG Port window, choose an interface to be a port member for the LAG bundle. Unselect the Aggregator check box. For the Key, unselect the Auto-Detect check box and enter the Aggregator Key number. Click the OK button to accept the member port.
    • Multiple LAG bundles can be created by creating multiple Aggregator ports with unique Keys. Member ports are linked to Aggregator ports by their unique Keys.

      NOTE: Ports bond together if connected to the same link partner and their keys match. If there is no key configured for a port (if the port is in auto mode), the member port will bond with an aggregator that is connected to the same link partner. The link partner is discovered via LACP messages. A link partner cannot be discovered for Static link aggregation. In this case, ports aggregate based on keys alone. Like a PortShield host, the aggregator port cannot be removed from the LAG since it represents the LAG in the system.

    • EXAMPLE: In this example, three VLAN Trunks are bonded together, with X5 as the aggregator and X6 and X7 as the members, linked together with a Key of 1.


      NOTE: Ports that are in the same VLAN (same PortShield Group) or are VLAN trunk ports are eligible for link aggregation. Up to four ports can be aggregated in a logical group and there can be four Logical Links (LAGs) configured.
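
    Because the UI does not check VLAN tags for reuse and a static LAG bonds ports on keys alone, the planned layout can be checked against the rules in the notes above before it is entered. This is an added example, not SonicWall code: the function name, the plan structure, the reserved VLAN IDs and the PortShield member ports are constructed for illustration.

```python
from collections import Counter, defaultdict

def validate_plan(reserved, portshield_vlans, group_of, trunk_ports, lag_ports):
    """Return the problems in a planned layout (hypothetical data model).
    portshield_vlans: {host interface: VLAN ID}; group_of: {port: host};
    trunk_ports: set of ports; lag_ports: [(port, key, is_aggregator)]."""
    problems = []
    # The UI does not check VLAN tags for reuse, so check them here.
    for host, vid in portshield_vlans.items():
        if not 1 <= vid <= 4094:
            problems.append(f"{host}: VLAN {vid} is outside 1-4094")
        if vid in reserved:
            problems.append(f"{host}: VLAN {vid} is reserved by SonicOS")
    for vid, n in Counter(portshield_vlans.values()).items():
        if n > 1:
            hosts = sorted(h for h, v in portshield_vlans.items() if v == vid)
            problems.append(f"VLAN {vid} reused by {', '.join(hosts)}")
    # Static LAG: no link partner is discovered, ports bond on keys alone.
    bundles = defaultdict(list)
    for port, key, is_agg in lag_ports:
        if not 1 <= key <= 255:
            problems.append(f"{port}: key {key} is outside 1-255")
        bundles[key].append((port, is_agg))
    for port, n in Counter(p for p, _, _ in lag_ports).items():
        if n > 1:
            problems.append(f"{port}: listed in more than one LAG entry")
    if len(bundles) > 4:
        problems.append(f"{len(bundles)} LAGs planned, maximum is 4")
    for key, ports in sorted(bundles.items()):
        names = [p for p, _ in ports]
        aggregators = [p for p, is_agg in ports if is_agg]
        if len(aggregators) != 1:
            problems.append(f"key {key}: {len(aggregators)} aggregators, need 1")
        if not 2 <= len(names) <= 4:
            problems.append(f"key {key}: {len(names)} ports, a LAG needs 2 to 4")
        groups = {group_of.get(p) for p in names}
        same_group = len(groups) == 1 and None not in groups
        if not (same_group or all(p in trunk_ports for p in names)):
            problems.append(f"key {key}: ports are not one group or all trunks")
    return problems

# Constructed sample: the article's layout, then a deliberately broken variant.
ARTICLE = dict(
    reserved={3000, 3001},  # placeholder; copy the real list from the UI
    portshield_vlans={"X0": 100, "X2": 200},
    group_of={"X3": "X2", "X4": "X2"},  # constructed member ports
    trunk_ports={"X5", "X6", "X7"},
    lag_ports=[("X5", 1, True), ("X6", 1, False), ("X7", 1, False)],
)
BROKEN = dict(ARTICLE, portshield_vlans={"X0": 200, "X2": 200},
              lag_ports=[("X5", 1, True), ("X6", 2, False), ("X7", 1, False)])

if __name__ == "__main__":
    for name, plan in (("article", ARTICLE), ("broken", BROKEN)):
        print(name, validate_plan(**plan) or "OK")
```

    The broken variant reuses VLAN ID 200 for both PortShield groups, which would merge two zones onto one tag, and gives X6 a key that matches no aggregator.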

     

    Demonstrate a LAG bundle between the SonicWall and a third party switch

    • Let's connect a SonicWall static LAG bundle to a switch. In this example we will connect to a Cisco 2950 switch. On the Cisco 2950 switch, we can set up the LAG bundle.
    • On the Cisco 2950, define a Port-channel and define the VLANs.
    • Define a static LAG bundle of 3 ports: port 0/9, port 0/10, and port 0/11. Channel-group 1 with mode on means no LAG protocol is used; this is a static LAG.
    • On the SonicWall, show the Rx and Tx frame counters. For a static LAG, which does not use any LAG protocols, the Rx and Tx PDU counters are zero.
    • Show the LAG status on the Cisco 2950 switch. This is a static LAG bundle and no LAG protocol is used.

