How do I configure Static Link Aggregation VLAN trunks when extending networks to PortShield Groups?

03/26/2020 71 20443

DESCRIPTION:

This article provides information on how to configure Static Link Aggregation VLAN trunks when extending networks to PortShield Groups on SonicOS 6.2 and above.

SonicOS provides Layer 2 (data link layer) switching functionality with its unique PortShield architecture. Layer 2 switching features enhance the deployment and interoperability of SonicWall devices within existing Layer-2 networks with the following benefits:

Increased security across multiple switch ports The PortShield architecture provides the flexibility to configure all switch ports into separate security zones such as LANs, WLANs and DMZs, providing protection not only from the WAN and DMZ, but also between devices inside the LAN. Effectively, each security zone has its own wire-speed mini-switch' that benefits from the protection of a dedicated deep packet inspection firewall.

Link Aggregation adds port redundancy and load balancing to extended PortShield networks. Ports that are in the same VLAN (same PortShield Group) or are VLAN trunk ports are eligible for link aggregation. Up to four ports can be aggregated in a logical group and there can be four Logical Links (LAGs) configured.

Support for Static Link Aggregation. Static Link Aggregation is where no Dynamic Link Aggregation protocols are used.PortShield cannot be enabled if SonicWall is in high availability (HA) mode. If you have a SonicWall appliance in stand alone mode with PortShield enabled, PortShield must be disabled before it can be enabled for HA.

RESOLUTION:

Configure/view interfaces and PortShield groups

• Login to the SonicWall UTM appliance and configure/view interfaces from Manage | Network | Interfaces page and PortShield Groups from Manage | Network | PortShield Groups page. This example shows two PortShield Groups, LAN PortShield and DMZ PortShield groups.
  
  
  

  NOTE: If the SonicWall is part of a High Availability (HA) pair, PortShield is disabled and VLAN tagging of PortShield groups is not possible. If you have a SonicWall appliance in stand alone mode with PortShield enabled, PortShield must be disabled before it can be enabled for HA.

Configure Switching attributes

• From the Manage | Switching | VLAN Trunking page you will see a VLAN table listing attributes of each interface, assigned VLAN ID, associated member ports, and trunked status. At the top of the page is the list of reserved VLAN IDs used by SonicOS. In this example PortShield group (X0) with one member is assigned VLAN ID 100 and PortShield group (X2) with 4 members is assigned VLAN ID 200.
  
  

  NOTE: You can only manage VLAN attributes of interfaces associated with a PortShield Group. 
  
  

  NOTE: The reserved VLAN Information is not enforced, the Edit Vlan for PortShield Host Window does not check to see if a VLAN tag has already been used. It is up to the Administrator to keep track of VLAN tags already allocated. 

• At the bottom of the VLAN table is VLAN Trunks. Click the Add button to add an interface for VLAN Trunking from a list of available ports from the Add Vlan Trunk Port Window . EXAMPLE:In this example there are three VLAN Trunk ports, X5, X6, and X7 and the objective is to create LAG bundle with these VLAN Trunk ports.
• To assign a VLAN ID to a VLAN Trunk, select the Trunk Port check box and click the Enable VLAN to add a VLAN ID. In this example VLAN ID 200 has been assigned to each VLAN Trunk.

Create a VLAN Aggregation (LAG) bundle

• From the Manage | Switching | LinkAggregation page, click Add button to select the ports for a Link Aggregation (LAG) bundle, multiple ports maybe added to a LAG bundle one at a time. A SonicWall LAG bundle may have from 2 to 4 ports.
  
  
  

  NOTE:Ports bond together if connected to the same link partner and their keys match. If there is no key configured for a port (if the port is in auto mode), the member port will bond with an aggregator that is connected to the same link partner. The link partner is discovered via LACP messages. A link partner cannot be discovered for Static link aggregation. In this case, ports aggregate based on keys alone. Like a PortShield host, the aggregator port cannot be removed from the LAG since it represents the LAG in the system.

•  EXAMPLE: In this example, three VLAN Trunks are bonded together with X5 as the aggregator and X6, and X7 are the members linked together with Key of 1.
  
  

  NOTE:  Ports that are in the same VLAN (same PortShield Group) or are VLAN trunk ports are eligible for link aggregation. Up to four ports can be aggregated in a logical group and there can be four Logical Links (LAGs) configured.

Demonstrate a LAG bundle between the SonicWall and a third party switch.

• Let's connect a SonicWall staticLAG bundle to a switch, In this example we will connect to a Cisco 2950 switch. On the Cisco 2950 switch, we can setup the LAG bundle.
• On the Cisco 2950, define a Port-channel, define the VLANs.
• Define a static LAG bundle of 3 ports, port 0/9, port 0/10, and port 0/11. Channel-group 1 with mode on is for no LAG protocol, this is for a static LAG.
• On the SonicWall show the Rx and Tx frame counters. For a static LAG which does not any LAG protocols, Rx and Tx PDUs counters are zero.
• Show the LAG status on the Cisco 2950 switch. This is a static LAG bundle and no LAG protocol is used.
  
  
  

Resolution for SonicOS 6.2 and Below

The below resolution is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer we suggest to upgrade to the latest general release of SonicOS 6.5 firmware.

Configure/view interfaces and PortShield groups

• Login to the SonicWall UTM appliance and configure/view interfaces from the Network | Interfaces page and PortShield Groups from the Network | PortShield Groups page. This example shows two PortShield Groups, LAN PortShield and DMZ PortShield groups.
  
  
  

  NOTE: If the SonicWall is part of a High Availability (HA) pair, PortShield is disabled and VLAN tagging of PortShield groups is not possible. If you have a SonicWall appliance in stand alone mode with PortShield enabled, PortShield must be disabled before it can be enabled for HA.

Configure Switching attributes

• From the Switching | VLAN Trunking page you will see a VLAN table listing attributes of each interface, assigned VLAN ID, associated member ports, and trunked status. At the top of the page is the list of reserved VLAN IDs used by SonicOS. In this example PortShield group (X0) with one member is assigned VLAN ID 100 and PortShield group (X2) with 4 members is assigned VLAN ID 200.
  
  

  NOTE: You can only manage VLAN attributes of interfaces associated with a PortShield Group.
  

  NOTE:The reserved VLAN Information is not enforced, the Edit Vlan for PortShield Host Window does not check to see if a VLAN tag has already been used. It is up to the Administrator to keep track of VLAN tags already allocated.
  
  

• At the bottom of the VLAN table is VLAN Trunks. Click the Add button to add an interface for VLAN Trunking from a list of available ports from the Add Vlan Trunk Port Window . In this example there are three VLAN Trunk ports, X5, X6, and X7 and the objective is to create LAG bundle with these VLAN Trunk ports.
• To assign a VLAN ID to a VLAN Trunk, select the Trunk Port check box and click the Enable VLAN to add a VLAN ID. EXAMPLE: VLAN ID 200 has been assigned to each VLAN Trunk.
  

Create a VLAN Aggregation (LAG) bundle

• From the Switching | LinkAggregation page, click Add button to select the ports for a Link Aggregation (LAG) bundle, multiple ports maybe added to a LAG bundle one at a time. A SonicWall LAG bundle may have from 2 to 4 ports.
  
  
  
• In the Add LAG Port window, choose an interface to be the primary or aggregator port for the Link Aggregator (LAG) bundle and select the Aggregator check box. For the Key, unselect the Auto-Detect check box and enter a Key number from 1-255 in the Key box. Click the OK button to accept the Aggregator port. The concept of a SonicOS LAG bundle with a Aggregator port is similar a PortShield group with primary PortShield interface.
  
  
  
• Next add member ports to the LAG bundle. In the Add LAG Port window, choose an interface to be a port member for the LAG bundle. Unselect the Aggregator check box. For the Key, unselect the Auto-Detect check box and enter the Aggregator Key number. Click the OK button to accept the member port.
• Multiple LAG bundles can be created by creating multiple Aggregators ports with unique Keys. Members ports are linked to Aggregator ports by their unique Keys.
  
  

  NOTE:Ports bond together if connected to the same link partner and their keys match. If there is no key configured for a port (if the port is in auto mode), the member port will bond with an aggregator that is connected to the same link partner. The link partner is discovered via LACP messages. A link partner cannot be discovered for Static link aggregation. In this case, ports aggregate based on keys alone. Like a PortShield host, the aggregator port cannot be removed from the LAG since it represents the LAG in the system.
  
  

• EXAMPLE: In this example, three VLAN Trunks are bonded together with X5 as the aggregator and X6, and X7 are the members linked together with Key of 1.
  
  
  

  NOTE: Ports that are in the same VLAN (same PortShield Group) or are VLAN trunk ports are eligible for link aggregation. Up to four ports can be aggregated in a logical group and there can be four Logical Links (LAGs) configured.

Demonstrate a LAG bundle between the SonicWall and a third party switch

• Let s connect a SonicWall staticLAG bundle to a switch, In this example we will connect to a Cisco 2950 switch. On the Cisco 2950 switch, we can setup the LAG bundle.
• On the Cisco 2950, define a Port-channel, define the VLANs.
• Define a static LAG bundle of 3 ports, port 0/9, port 0/10, and port 0/11. Channel-group 1 with mode on is for no LAG protocol, this is for a static LAG.
• On the SonicWall show the Rx and Tx frame counters. For a static LAG which does not any LAG protocols, Rx and Tx PDUs counters are zero.
• Show the LAG status on the Cisco 2950 switch. This is a static LAG bundle and no LAG protocol is used.