SonicOS 7 System

Technical Documentation>  Interfaces>  Interface Settings IPv4>  Layer 2 Bridged Mode>  Sample Topologies>  Layer 2 Bridged Mode with High Availability
Table of Contents

Layer 2 Bridged Mode with High Availability

This method is appropriate in networks where both High Availability (HA) and Layer 2 Bridged Mode are desired. This example is for appliances, and assumes the use of switches with VLANs configured. See Internal Security Example: Both High Availability and Layer 2 Bridged Mode are Desired.

Internal Security Example: Both High Availability and Layer 2 Bridged Mode are Desired

The appliance HA pair consists of two appliances, connected together on port X5, the designated HA port. Port X1 on each appliance is configured for normal WAN connectivity and is used for access to the management interface of that device. Layer 2 Bridged Mode is implemented with port X0 bridged to port X2.

When setting up this scenario, there are several things to take note of on both the appliances and the switches.

On the appliances:

  • Do not enable the Virtual MAC option when configuring High Availability. In a Layer 2 Bridged Mode configuration, this function is not useful.
  • Enabling Preempt Mode is not recommended in an inline environment such as this. If Preempt Mode is required, follow the recommendations in the documentation for your switches, as the trigger and failover time values play a key role here.
  • Consider reserving an interface for the management network (this example uses X1). If it is necessary to assign IP addresses to the bridge interfaces for probe purposes or other reasons, SonicWall recommends using the management VLAN network assigned to the switches for security and administrative purposes.

The IP addresses assigned for HA purposes do not directly interact with the actual traffic flow.

On the switches:

  • Using multiple tag ports: As shown in Internal Security Example: Both High Availability and Layer 2 Bridged Mode are Desired, two tag (802.1q) ports were created for VLAN 100 on both the Edge switch (ports 23 and 24) and Core switch (C24 - D24). The appliances are connected inline between these two switches. In a high-performance environment, it is usually recommended to have Link Aggregation/ Port Trunking, Dynamic LACP, or even a completely separate link designated for such a deployment (using OSPF), and the fault tolerance of each of the switches must be considered. Consult your switch documentation for more information.
  • On HP ProCurve switches, when two ports are tagged in the same VLAN, the port group is automatically placed into a failover configuration. In this case, as soon as one port fails, the other one becomes active.