How do I configure Static Link Aggregation VLAN trunks when extending networks to PortShield Groups?
10/14/2021
Description
This article provides information on how to configure Static Link Aggregation VLAN trunks when extending networks to PortShield Groups on SonicOS 6.2 and above.
SonicOS provides Layer 2 (data link layer) switching functionality with its unique PortShield architecture. Layer 2 switching features enhance the deployment and interoperability of SonicWall devices within existing Layer-2 networks with the following benefits:
- Increased security across multiple switch ports: The PortShield architecture provides the flexibility to configure all switch ports into separate security zones such as LANs, WLANs and DMZs, providing protection not only from the WAN and DMZ, but also between devices inside the LAN. Effectively, each security zone has its own wire-speed 'mini-switch' that benefits from the protection of a dedicated deep packet inspection firewall.
- Link Aggregation adds port redundancy and load balancing to extended PortShield networks. Ports that are in the same VLAN (same PortShield Group) or are VLAN trunk ports are eligible for link aggregation. Up to four ports can be aggregated in a logical group and there can be four Logical Links (LAGs) configured.
- Support for Static Link Aggregation. Static Link Aggregation is where no Dynamic Link Aggregation protocols are used.

PortShield cannot be enabled if the SonicWall is in high availability (HA) mode. If you have a SonicWall appliance in standalone mode with PortShield enabled, PortShield must be disabled before it can be enabled for HA.
Resolution
Resolution for SonicOS 6.5
This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.
Configure/view interfaces and PortShield groups
- Log in to the SonicWall UTM appliance and configure/view interfaces from the Manage | Network | Interfaces page and PortShield Groups from the Manage | Network | PortShield Groups page. This example shows two PortShield Groups, the LAN PortShield and DMZ PortShield groups.
NOTE: If the SonicWall is part of a High Availability (HA) pair, PortShield is disabled and VLAN tagging of PortShield groups is not possible. If you have a SonicWall appliance in standalone mode with PortShield enabled, PortShield must be disabled before it can be enabled for HA.
Configure Switching attributes
Create a VLAN Aggregation (LAG) bundle
Demonstrate a LAG bundle between the SonicWall and a third party switch.
- Let's connect a SonicWall static LAG bundle to a switch. In this example we will connect to a Cisco 2950 switch. On the Cisco 2950 switch, we can set up the LAG bundle.
- On the Cisco 2950, define a Port-channel and define the VLANs.
- Define a static LAG bundle of 3 ports: port 0/9, port 0/10, and port 0/11. Channel-group 1 with mode on means no LAG protocol is used; this is a static LAG.
- On the SonicWall, show the Rx and Tx frame counters. For a static LAG, which does not use any LAG protocols, the Rx and Tx PDU counters are zero.
- Show the LAG status on the Cisco 2950 switch. This is a static LAG bundle and no LAG protocol is used.
Resolution for SonicOS 6.2 and Below
The below resolution is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer, we suggest upgrading to the latest general release of SonicOS 6.5 firmware.
Configure/view interfaces and PortShield groups
- Log in to the SonicWall UTM appliance and configure/view interfaces from the Network | Interfaces page and PortShield Groups from the Network | PortShield Groups page. This example shows two PortShield Groups, the LAN PortShield and DMZ PortShield groups.
NOTE: If the SonicWall is part of a High Availability (HA) pair, PortShield is disabled and VLAN tagging of PortShield groups is not possible. If you have a SonicWall appliance in standalone mode with PortShield enabled, PortShield must be disabled before it can be enabled for HA.
Configure Switching attributes
Create a VLAN Aggregation (LAG) bundle
- From the Switching | Link Aggregation page, click the Add button to select the ports for a Link Aggregation (LAG) bundle. Multiple ports may be added to a LAG bundle, one at a time. A SonicWall LAG bundle may have from 2 to 4 ports.
- In the Add LAG Port window, choose an interface to be the primary or aggregator port for the Link Aggregation (LAG) bundle and select the Aggregator check box. For the Key, unselect the Auto-Detect check box and enter a Key number from 1-255 in the Key box. Click the OK button to accept the Aggregator port. The concept of a SonicOS LAG bundle with an Aggregator port is similar to a PortShield group with a primary PortShield interface.
- Next, add member ports to the LAG bundle. In the Add LAG Port window, choose an interface to be a port member for the LAG bundle. Unselect the Aggregator check box. For the Key, unselect the Auto-Detect check box and enter the Aggregator Key number. Click the OK button to accept the member port.
- Multiple LAG bundles can be created by creating multiple Aggregator ports with unique Keys. Member ports are linked to Aggregator ports by their unique Keys.
NOTE: Ports bond together if they are connected to the same link partner and their keys match. If there is no key configured for a port (if the port is in auto mode), the member port will bond with an aggregator that is connected to the same link partner. The link partner is discovered via LACP messages. A link partner cannot be discovered for Static Link Aggregation. In this case, ports aggregate based on keys alone. Like a PortShield host, the aggregator port cannot be removed from the LAG since it represents the LAG in the system.
- EXAMPLE: In this example, three VLAN trunks are bonded together, with X5 as the aggregator and X6 and X7 as the members, linked together with a Key of 1.
NOTE: Ports that are in the same VLAN (same PortShield Group) or are VLAN trunk ports are eligible for link aggregation. Up to four ports can be aggregated in a logical group and there can be four Logical Links (LAGs) configured.
Demonstrate a LAG bundle between the SonicWall and a third party switch
- Let's connect a SonicWall static LAG bundle to a switch. In this example we will connect to a Cisco 2950 switch. On the Cisco 2950 switch, we can set up the LAG bundle.
- On the Cisco 2950, define a Port-channel and define the VLANs.
- Define a static LAG bundle of 3 ports: port 0/9, port 0/10, and port 0/11. Channel-group 1 with mode on means no LAG protocol is used; this is a static LAG.
- On the SonicWall, show the Rx and Tx frame counters. For a static LAG, which does not use any LAG protocols, the Rx and Tx PDU counters are zero.
- Show the LAG status on the Cisco 2950 switch. This is a static LAG bundle and no LAG protocol is used.
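The switch-side steps above (identical in the SonicOS 6.5 and 6.2 sections), written out as Cisco IOS configuration. This is an added example, not configuration from the original article: VLAN IDs 10 and 20 and their names are constructed placeholders for the LAN and DMZ PortShield groups, and it assumes an IOS release that accepts VLAN definitions in global configuration mode.

```cisco
! Added example. VLAN IDs and names are constructed placeholders;
! substitute the VLAN IDs assigned to your PortShield groups.
vlan 10
 name LAN-PortShield
vlan 20
 name DMZ-PortShield
!
! Logical interface for the bundle: an 802.1Q trunk that carries
! only the VLANs being extended to the SonicWall.
interface Port-channel1
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
! Three physical members (ports 0/9, 0/10, 0/11).
! "mode on" bundles the ports with no LAG protocol (static LAG),
! matching the SonicWall aggregator and member ports that share one Key.
interface range FastEthernet0/9 - 11
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 channel-group 1 mode on
!
end
```

Because `mode on` bundles the ports unconditionally, with no protocol exchange to detect miscabling or a mismatched peer, confirm with `show etherchannel summary` that all three member ports are bundled in Port-channel 1 before relying on the link.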