L2 Bridge Mode with High Availability

SonicOS includes L2 (Layer 2) Bridged Mode, a method of unobtrusively integrating a Security Appliance into any Ethernet network. L2 Bridged Mode is ostensibly similar to SonicOS’s Transparent Mode in that it enables a Security Appliance to share a common subnet across two interfaces and to perform a Stateful and deep-packet inspection on all traversing IP traffic, but it is functionally more versatile.

L2 Bridged Mode employs a secure learning bridge architecture, enabling it to pass and inspect traffic types that cannot be handled by many other methods of transparent Security Appliance integration. Using L2 Bridged Mode, a SonicWall Security Appliance can be non-disruptively added to any Ethernet network to provide in-line deep-packet inspection for all traversing IPv4 TCP and UDP traffic. In this scenario, the Security Appliance is not used for security enforcement, but instead for bidirectional scanning, blocking viruses and spyware, and stopping intrusion attempts.

We can also use L2 bridge mode with High availability deployment.

NOTE: To configure L2 bridge mode on Standalone firewall use: Configuring Layer 2 Bridge Mode In SonicOS Enhanced

This method is appropriate in networks where both High Availability (HA) and Layer 2 Bridged Mode are desired. This example is for SonicWall Security Appliances and assumes the use of switches with VLANs configured.

The Security Appliance HA pair consists of two Security Appliances, connected together on port X5, the designated HA port. Port X1 on each appliance is configured for normal WAN connectivity and is used for access to the management interface of that device. Layer 2 Bridged Mode is implemented with port X0 bridged to port X2.

When setting up this scenario, there are several things to take note of on both the Security Appliances and the switches.

Resolution for SonicOS 7.X

This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.

• Under Device | High Availability | Settings does not enable the Virtual MAC option when configuring High Availability. In a Layer 2 Bridged Mode configuration, this function is not useful.
• Enabling Preempt Mode is not recommended in an inline environment such as this. If Preempt Mode is required, follow the recommendations in the documentation for your switches, as the trigger and Failover time values play a key role here.                                      

• Consider reserving an interface for the management network (this example uses X1). If it is necessary to assign IP addresses to the bridge interfaces for probe purposes or other reasons, SonicWall recommends using the management VLAN network assigned to the switches for security and administrative purposes.

NOTE: The IP addresses assigned for HA purposes do not directly interact with the actual traffic flow.

On the switches:

• Using multiple tag ports: As shown in Internal security example: Both High Availability and Layer 2 Bridged Mode are desired, two tags (802.1q) ports were created for VLAN 100 on both the Edge switch (ports 23 and 24) and Core switch (C24 - D24). The Security Appliances are connected inline between these two switches. In a high-performance environment, it is usually recommended to have Link Aggregation/ Port Trunking, Dynamic LACP, or even a completely separate link designated for such a deployment (using OSPF), and the fault tolerance of each of the switches must be considered. Consult your switch documentation for more information.
• On HP ProCurve switches, when two ports are tagged in the same VLAN, the port group is automatically placed into a Failover configuration. In this case, as soon as one port fails, the other one becomes active.
  

Resolution for SonicOS 6.5

This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.

• Under Manage | High Availability | Base Setup does not enable the Virtual MAC option when configuring High Availability. In a Layer 2 Bridged Mode configuration, this function is not useful.
• Enabling Preempt Mode is not recommended in an inline environment such as this. If Preempt Mode is required, follow the recommendations in the documentation for your switches, as the trigger and Failover time values play a key role here.
  
  
• Consider reserving an interface for the management network (this example uses X1). If it is necessary to assign IP addresses to the bridge interfaces for probe purposes or other reasons, SonicWall recommends using the management VLAN network assigned to the switches for security and administrative purposes.

NOTE: The IP addresses assigned for HA purposes do not directly interact with the actual traffic flow.

On the switches:

• Using multiple tag ports: As shown in Internal security example: Both High Availability and Layer 2 Bridged Mode are desired, two tags (802.1q) ports were created for VLAN 100 on both the Edge switch (ports 23 and 24) and Core switch (C24 - D24). The Security Appliances are connected inline between these two switches. In a high-performance environment, it is usually recommended to have Link Aggregation/ Port Trunking, Dynamic LACP, or even a completely separate link designated for such a deployment (using OSPF), and the fault tolerance of each of the switches must be considered. Consult your switch documentation for more information.
• On HP ProCurve switches, when two ports are tagged in the same VLAN, the port group is automatically placed into a Failover configuration. In this case, as soon as one port fails, the other one becomes active.