
Configuring VLANs

Document Scope

This document describes how to plan, design, implement, and manage a Virtual LAN (VLAN). This document contains the following sections:

· "VLAN Overview" on page 1
· "Using VLANs" on page 4
· "Deploying VLAN Examples" on page 12
· "Glossary" on page 26

VLAN Overview

A VLAN is an entity that uses IP header tagging to simulate multiple LANs within a single physical LAN. By identifying or tagging specific headers to indicate a specific broadcast domain they belong to, VLANs enable you to assign either physical or virtual ports to reside within partitioned port groups, within the actual LAN on the device. This provides you with the ability to create specialized domains that have common topical or geographical attributes, giving you flexibility in your network setup. While multiple VLANs are distinct from one another like multiple LANs are, multiple VLANs can exist together on the same physical networking segment. VLANs require VLAN-aware networking devices to offer this kind of virtualization. These include switches, routers and firewalls that have the ability to recognize, process, remove and insert VLAN tags to direct packets to the correct VLAN location after arriving at the device. The following figure shows how VLANs can be partitioned from the physical LAN on the SonicWALL PRO 5060.

[Figure: LAN 1 (10.100.1.1/24), LAN 2 (10.100.2.1/24) and LAN 3 (10.100.3.1/24) connected through a VLAN-aware switch to the SonicWALL PRO 5060, which presents the same LAN 1, LAN 2 and LAN 3 on its side of the link.]

Configuring VLANs

1

VLAN Overview

Benefits

VLANs are useful because they enable you to provide logical rather than physical broadcast domains, extending the flexibility of a device's resources beyond the actual LAN boundaries. This works both to segment larger physical LANs into smaller virtual LANs, and to bring physically distinct LANs together into a logically contiguous virtual LAN. The benefits of this include:

· Increased performance - Creating smaller, logically partitioned broadcast domains decreases overall network utilization, sending broadcasts only where they need to be sent, thus leaving more available bandwidth for application traffic.
· Decreased costs - Historically, broadcast segmentation was performed with routers, requiring additional hardware and configuration. With VLANs, the functional role of the router is reversed: rather than being used to inhibit communications, it is used to facilitate communications between separate VLANs as needed.
· Virtual workgroups - Workgroups are logical units that commonly share information. Common dedicated VLANs in a company would include its Marketing and Engineering departments. For reasons of efficiency, broadcast domain boundaries should be created to align with these functional workgroups, although sometimes that may not be possible. One scenario where you would be unable to create an alignment is where Engineering and Marketing users are commingled, sharing the same floor (and the same workgroup switch) in a building. Another is the reverse, where the Engineering team is spread across an entire campus. Attempting to solve these alignment challenges with complex wiring can be expensive and impossible to maintain with constant adds and moves. VLANs allow switches to be quickly reconfigured so that logical network alignment can remain consistent with workgroup requirements.
· Security - Hosts on one VLAN cannot communicate with hosts on another VLAN unless some networking device facilitates communication between them.

Standards

SonicOS Enhanced supports the IEEE standard 802.1q method of VLAN tagging on the PRO 4060 and PRO 5060 platforms, wherein 4 bytes are added to the standard IP frame for purposes of differentiation. The following are descriptions of selected portions of the frame.

· TPID: The Tag Protocol Identifier begins at byte 12 (after the 6-byte destination and source fields), is 2 bytes long, and has an Ethertype of 0x8100.
· User Priority (QoS): The first three bits of the TCI (Tag Control Information, beginning at byte 14 and spanning 2 bytes) define user priority, giving eight (2^3) priority levels. IEEE 802.1P defines the operation of these 3 user priority bits.
· CFI: The Canonical Format Indicator is a single-bit flag, always set to zero for Ethernet switches. CFI is used for compatibility between Ethernet networks and Token Ring networks. If a frame received at an Ethernet port has CFI set to 1, that frame should not be forwarded as it is to an untagged port.
· VLAN ID: The VLAN ID (starting at bit 5 of byte 14) identifies the VLAN. It has 12 bits and allows for 4,096 (2^12) unique VLAN IDs. Of the 4,096 possible IDs, an ID of 0 is used to identify priority frames and an ID of 4,095 (0xFFF) is reserved, so the maximum number of configurable VLANs is 4,094.

Sub-Interfaces

VLAN support on SonicOS Enhanced is achieved by means of sub-interfaces, which are logical interfaces nested beneath a physical interface. Every unique VLAN ID requires its own sub-interface. For reasons of security and control, SonicOS does not participate in any VLAN trunking protocols, but instead requires that each supported VLAN be configured and assigned appropriate security characteristics.

Note

Dynamic VLAN trunking protocols, such as VTP (VLAN Trunking Protocol) or GVRP (Generic VLAN Registration Protocol), should not be used on trunk links from other devices connected to the SonicWALL. Trunk links from VLAN-capable switches are supported by declaring the relevant VLAN IDs as sub-interfaces on the SonicWALL and configuring them in much the same way that a physical interface would be configured. In other words, only those VLANs which are defined as sub-interfaces will be handled by the SonicWALL; the rest will be discarded as uninteresting. This method also allows the parent physical interface on the SonicWALL to which a trunk link is connected to operate as a conventional interface, providing support for any native (untagged) VLAN traffic that might also exist on the same link. Alternatively, the parent interface may remain in an 'unassigned' state.

VLAN sub-interfaces have most of the capabilities and characteristics of a physical interface, including zone assignability, security services, WAN assignability (static addressing only), GroupVPN, DHCP server, IP Helper, routing, and full NAT policy and Access Rule controls. Features excluded from VLAN sub-interfaces at this time are VPN policy binding, WAN dynamic client support, and multicast support. The PRO 4060 supports up to 200 sub-interfaces, and the PRO 5060 supports up to 400 sub-interfaces.
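The tag layout from the Standards section and the rule in this note (only declared VLAN IDs are handled, undeclared tags are discarded, untagged traffic stays on the parent interface) can be exercised with the following Python example. It is an added illustration, not SonicOS code: the interface names X4 and X5, the sub-interface table, the MAC addresses and the payload are constructed, and treating a priority-tagged frame (VLAN ID 0) like untagged traffic on the parent is an assumption taken from standard 802.1Q behaviour rather than from this document.

```python
import struct

TPID_8021Q = 0x8100      # Ethertype value of the Tag Protocol Identifier
TAG_OFFSET = 12          # tag follows the 6-byte destination and 6-byte source MAC fields
TAG_LEN = 4              # TPID (2 bytes) + TCI (2 bytes)
VID_PRIORITY_ONLY = 0    # VLAN ID 0 marks a priority-tagged frame with no VLAN membership
VID_RESERVED = 0xFFF     # VLAN ID 4095 is reserved


def parse_tag(frame):
    """Return the 802.1Q fields of a frame as a dict, or None if the frame is untagged.

    TCI layout: 3 bits user priority (802.1p), 1 bit CFI, 12 bits VLAN ID.
    """
    if len(frame) < TAG_OFFSET + TAG_LEN:
        return None
    tpid, tci = struct.unpack_from("!HH", frame, TAG_OFFSET)
    if tpid != TPID_8021Q:
        return None
    return {"priority": tci >> 13, "cfi": (tci >> 12) & 0x1, "vid": tci & 0x0FFF}


def strip_tag(frame):
    """Remove the 4-byte tag so the frame can be processed like any other traffic."""
    return frame[:TAG_OFFSET] + frame[TAG_OFFSET + TAG_LEN:]


def insert_tag(frame, vid, priority=0):
    """Encapsulate an untagged frame for egress on a VLAN sub-interface (CFI stays 0)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID %d is not usable: 0 and 4095 are reserved" % vid)
    if not 0 <= priority <= 7:
        raise ValueError("user priority is a 3-bit field")
    tci = (priority << 13) | vid
    return frame[:TAG_OFFSET] + struct.pack("!HH", TPID_8021Q, tci) + frame[TAG_OFFSET:]


def classify_ingress(frame, parent, subinterfaces):
    """Map an inbound frame on a physical interface to the interface that handles it.

    subinterfaces maps (parent, vid) -> sub-interface name, i.e. the explicitly
    declared VLANs; any other tagged frame is discarded as uninteresting.
    Returns (interface name or None, frame with the tag removed, reason).
    """
    tag = parse_tag(frame)
    if tag is None:
        return parent, frame, "untagged: native traffic on the parent interface"
    if tag["cfi"]:
        return None, frame, "CFI set: not forwarded as-is to an untagged port"
    if tag["vid"] == VID_PRIORITY_ONLY:
        # Assumption: priority-tagged frames are handled like native traffic.
        return parent, strip_tag(frame), "priority-tagged: handled as native traffic"
    if tag["vid"] == VID_RESERVED:
        return None, frame, "VLAN ID 4095 is reserved"
    name = subinterfaces.get((parent, tag["vid"]))
    if name is None:
        return None, frame, "VLAN %d not declared on %s: discarded" % (tag["vid"], parent)
    return name, strip_tag(frame), "VLAN %d handled by %s" % (tag["vid"], name)


# Constructed sample data: placeholder MACs, a dummy IPv4 payload, hypothetical sub-interfaces.
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
UNTAGGED = DST + SRC + b"\x08\x00" + b"\x45" + b"\x00" * 19
SUBINTERFACES = {("X4", 100): "X4:V100", ("X4", 150): "X4:V150"}


def sample_frames():
    """Frames exercising each branch of classify_ingress, keyed by case name."""
    def raw(tci):
        return DST + SRC + struct.pack("!HH", TPID_8021Q, tci) + UNTAGGED[TAG_OFFSET:]
    return {
        "untagged": UNTAGGED,
        "declared": insert_tag(UNTAGGED, 100, priority=5),
        "undeclared": insert_tag(UNTAGGED, 250),
        "priority_only": raw(5 << 13),        # VID 0, priority 5
        "cfi_set": raw((1 << 12) | 100),      # CFI bit on, VID 100
        "reserved": raw(VID_RESERVED),
    }


if __name__ == "__main__":
    for case, frame in sample_frames().items():
        iface, _, reason = classify_ingress(frame, "X4", SUBINTERFACES)
        print("%-14s -> %-8s %s" % (case, iface, reason))
```

Running the block prints one line per case; the "declared" frame lands on X4:V100 with its tag stripped, the "undeclared" VLAN 250 frame is dropped, and the untagged frame stays on X4, which is the behaviour the note describes for a trunk link with a native VLAN.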


Platforms

VLAN is available in SonicOS Enhanced version 3.0 or newer on:

· SonicWALL PRO 4060
· SonicWALL PRO 5060

Using VLANs

This section contains the following subsections:

· "Understanding IP Assignment Modes" on page 4
· "VLAN Integration" on page 8

Understanding IP Assignment Modes

You can use two different types of address assignment modes to create VLANs. They are Static and Transparent. Each has benefits to it depending on the number of addresses you want to assign to a VLAN. The following two sections describe each.

Working in Static Mode

When you create a VLAN in Static Mode, you manually create an explicit address to be applied to the VLAN. All ports mapped to the interface are identified by this address. Static mode is available on interfaces assigned to Trusted, Public, or Wireless zones. This approach is appropriate if you are configuring only one address for a VLAN as it gives you more control over the address selected while not taking a lot of time to manually make the assignment.

Note

When you create a VLAN in Static Mode, make sure the IP address you assign to the interface is not already in use by another PortShield interface.

Working in Transparent Mode

Transparent Mode addressing allows for the WAN subnetwork to be shared by the current interface using Address Object assignments. The interface's IP address is the same as the WAN interface IP address. Transparent mode is available on interfaces assigned to Trusted and Public Zones.

Configuring VLAN Sub-Interfaces

When you add a VLAN sub-interface, you need to assign it to a Zone, assign it a VLAN Tag (or VLAN ID), and assign it to a physical interface. Based on your zone assignment, you configure the VLAN sub-interface the same way you configure a physical interface for the same zone.


Adding a virtual interface

1. In the left-navigation menu, click Network and then Interfaces to display the Network > Interfaces page.
2. At the bottom of the Interface Settings list, click Add Interface. SonicOS displays the Edit Interface window.
3. Select a Zone to assign to the interface. You can select LAN, WAN, DMZ, WLAN, or a custom zone. The zone assignment does not have to be the same as the parent (physical) interface. In fact, the parent interface can even remain Unassigned. Your configuration choices for the network settings of the sub-interface depend on the zone you select.
   - LAN, DMZ, or a custom zone of Trusted type: Static or Transparent.
   - WAN or a custom zone of Untrusted type: static IP only (no IP Assignment list).
   - WLAN or a custom Wireless zone: static IP only (no IP Assignment list).
4. Assign a VLAN tag (ID) to the sub-interface. Valid VLAN IDs are 1 to 4095, although some switches reserve VLAN 1 for native VLAN designation. You will need to create a VLAN sub-interface with a corresponding VLAN ID for each VLAN you wish to secure with your security appliance.
5. Click on the Parent Interface list box and select the parent (physical) interface to which this sub-interface will belong. There is no per-interface limit to the number of sub-interfaces you can assign; you may assign sub-interfaces up to the system limit (200 for the PRO 4060, 400 for the PRO 5060).
6. Select the IP Assignment method, either Static or Transparent.
7. Configure the sub-interface network settings based on the zone you selected.
8. Select the management and user-login methods for the sub-interface. Click OK.
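The constraints spread across the steps above (the zone type decides which IP assignment modes are offered, one sub-interface per VLAN ID and parent, the 200/400 system limits, a static address must not already be in use) can be checked before anything is entered in the management interface. The Python validator below is an added example, not SonicWALL software: the zone-type table, the plan entries, the addresses and the interface names are constructed, and VLAN IDs are limited to 1 to 4094 as the Standards section states.

```python
from dataclasses import dataclass
from ipaddress import ip_address

SYSTEM_LIMIT = {"PRO 4060": 200, "PRO 5060": 400}        # sub-interfaces per platform
BUILTIN_ZONE_TYPE = {"LAN": "Trusted", "DMZ": "Public", "WAN": "Untrusted", "WLAN": "Wireless"}
TRANSPARENT_ZONE_TYPES = {"Trusted", "Public"}           # Transparent mode is offered only here


@dataclass
class SubInterface:
    zone: str
    vlan_id: int
    parent: str          # physical interface, e.g. "X4"
    assignment: str      # "Static" or "Transparent"
    ip: str = None       # static address; None for Transparent

    @property
    def label(self):
        return "%s:V%d" % (self.parent, self.vlan_id)


def validate_plan(platform, plan, custom_zone_types=None, physical_ips=()):
    """Return a list of findings (empty when the plan is consistent)."""
    zone_types = dict(BUILTIN_ZONE_TYPE, **(custom_zone_types or {}))
    findings = []
    limit = SYSTEM_LIMIT.get(platform)
    if limit is None:
        findings.append("unknown platform %s" % platform)
    elif len(plan) > limit:
        findings.append("%d sub-interfaces exceeds the %s limit of %d" % (len(plan), platform, limit))
    seen_tags = {}                                          # (parent, vid) -> zone
    seen_ips = {ip_address(a): "a physical interface" for a in physical_ips}
    for s in plan:
        if not 1 <= s.vlan_id <= 4094:
            findings.append("%s: VLAN ID must be 1-4094 (0 and 4095 are reserved)" % s.label)
        elif s.vlan_id == 1:
            findings.append("%s: VLAN 1 is the native VLAN on some switches" % s.label)
        key = (s.parent, s.vlan_id)
        if key in seen_tags:
            findings.append("%s: VLAN ID already used on %s by zone %s" % (s.label, s.parent, seen_tags[key]))
        seen_tags[key] = s.zone
        ztype = zone_types.get(s.zone)
        if ztype is None:
            findings.append("%s: zone %s is not defined" % (s.label, s.zone))
        if s.assignment == "Transparent":
            if ztype not in TRANSPARENT_ZONE_TYPES:
                findings.append("%s: Transparent mode is not available for %s zones; use Static" % (s.label, ztype))
        elif s.assignment == "Static":
            if s.ip is None:
                findings.append("%s: Static assignment needs an IP address" % s.label)
            else:
                addr = ip_address(s.ip)
                if addr in seen_ips:
                    findings.append("%s: %s is already used by %s" % (s.label, s.ip, seen_ips[addr]))
                seen_ips[addr] = s.label
        else:
            findings.append("%s: unknown IP assignment %s" % (s.label, s.assignment))
    return findings


def example_findings():
    """Constructed plan: the four VLANs of Example 1 plus three deliberately broken entries."""
    plan = [
        SubInterface("LAN", 100, "X4", "Static", "10.100.100.1"),
        SubInterface("LAN", 150, "X4", "Static", "10.100.150.1"),
        SubInterface("DMZ", 200, "X4", "Transparent"),
        SubInterface("LAN", 250, "X4", "Static", "10.100.250.1"),
        SubInterface("WAN", 300, "X5", "Transparent"),              # WAN is Static only
        SubInterface("LAN", 150, "X4", "Static", "10.100.151.1"),   # duplicate tag on X4
        SubInterface("LAN", 4095, "X5", "Static", "10.100.100.1"),  # reserved ID, reused IP
    ]
    return validate_plan("PRO 5060", plan, physical_ips=["10.100.1.1"])


if __name__ == "__main__":
    for finding in example_findings():
        print(finding)
```

The addresses in the constructed plan are placeholders and not those of Example 1. Custom zones are passed as a name-to-type mapping (for instance {"Finance": "Trusted"}) so the same mode rules apply to them.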


Deploying VLANs

The following examples illustrate some typical deployments of a VLAN within a corporate network.

Example 1: Geographically Redundant Online Retailer

The above illustration depicts a sample VLAN implementation as might be employed by one location of a geographically redundant online retailer. The network has a PRO 5060 and a core switch located in the same server room. Also in the server room are dedicated management workstations and shared file servers connected to X0 (LAN Zone) of the PRO 5060. A small collection of publicly available FTP and mail servers are connected to X3 (DMZ), which is operating in transparent mode using a block of addresses from the WAN. Attached to X2 (WLAN) are a series of SonicPoints which have been located throughout the four floors of the building.

On each of the four floors is a 48-port workgroup switch, connected back to the core switch with Gigabit Ethernet links. The switch on Floor 1 provides connectivity to the company's technical support and IT departments, and while most of their network communications occur within their broadcast domain, they require regular access to the rest of the network, particularly to the servers connected to X0. All 48 ports on the switch are assigned to VLAN 100. Floors 2 and 4 contain mixed groups of users, primarily from the Sales and Engineering teams. Ports to which Engineering users are connected are assigned to VLAN 250, and ports to which Sales and other users are connected are assigned to VLAN 150. Each group has dedicated servers, with appropriate VLAN assignments, and both groups communicate regularly with the servers connected to X0. Floor 3 houses the company's main public server farm, with dozens of load-balanced web servers. The load-balancers present three public-facing IP addresses and distribute the traffic among the real servers. The public-facing interfaces of the load-balancers are connected to six ports on the switch, which have been assigned to VLAN 200. The remainder of the switch ports have been assigned to VLAN 210 and connect the real servers and the internal interfaces of the load-balancers. The only network access to these servers is through the load-balancers.

The core switch is layer 3 capable, but rather than routing between the VLANs it trunks VLANs 100, 150, 200, and 250 to the PRO 5060 with a single Gigabit connection to X4. Since most of the workgroups' traffic remains within the workgroup, the bandwidth capacity of this approach proves adequate, although if their utilization continues to grow, they can trunk VLANs 100 and 200 via one link to X4 and trunk VLANs 150 and 250 via a second link to X5, thus doubling their effective capacity. DHCP Services can be enabled on all physical interfaces and all VLAN sub-interfaces, allowing clients to automatically obtain addressing:

The following screen shots show the SonicOS interface configuration required to support the above scenario (the expand and collapse icons can be used to expand and collapse the interface trees):


VLAN Integration

When a packet with a VLAN tag arrives on a physical interface, the VLAN ID is evaluated to determine if it is supported. The VLAN tag is stripped, and packet processing continues as it would for any other traffic. A simplified view of the inbound and outbound packet path includes the following potentially reiterative steps (refer to the SonicOS Enhanced State Diagram for a more complete reference):

· IP validation and reassembly
· Decapsulation (802.1q, PPP)
· Decryption
· Connection cache lookup and management
· Route policy lookup
· NAT Policy lookup
· Access Rule (policy) lookup
· Bandwidth management
· NAT translation
· Advanced Packet Handling (as applicable)
  - TCP validation
  - Management traffic handling
  - Content Filtering
  - Transformations and flow analysis: H.323, SIP, RTSP, ILS/LDAP, FTP, Oracle, NetBIOS, Real Audio, TFTP
  - IPS and GAV

At this point, if the packet has been validated as acceptable traffic, it is forwarded to its destination. The packet egress path includes:

· Encryption
· Encapsulation
· IP fragmentation

On egress, if the route policy lookup determines that the gateway interface is a VLAN sub-interface, the packet is tagged (encapsulated) with the appropriate VLAN ID header. The creation of VLAN sub-interfaces automatically updates the SonicWALL's routing policy table:


Auto-creation of NAT policies and Access Rules for VLAN sub-interfaces behaves exactly as it does for physical interfaces. Customization of the rules and policies that govern the traffic between VLANs can be performed with customary SonicOS ease and efficiency. When creating a zone (either as part of general administration, or as a step in creating a sub-interface), a checkbox is presented on the Zone creation page to control the auto-creation of a GroupVPN for that zone. By default, only newly created Wireless type zones have 'Create GroupVPN for this Zone' enabled, although the option can be enabled for other Zone types by selecting the checkbox during creation.


Management of security services between VLAN sub-interfaces is accomplished at the Zone level. All security services are configurable and applicable to zones comprising physical interfaces, VLAN sub-interfaces, or combinations of physical and VLAN sub-interfaces.

Gateway Anti-Virus and Intrusion Prevention Services between the different workgroups can easily be employed with the use of VLAN segmentation, obviating the need for dedicated physical interfaces for each protected segment. The Gateway AV protection between X4:V100 (LAN) and X0 (LAN) with host name resolution is shown in the following policy entry.

The IPS Detection between X4:V150 (Sales) and X0 (LAN) with host name resolution is shown in the following policy entry.

VLAN support enables organizations to offer meaningful internal security (as opposed to simple packet filtering) between various workgroups, and between workgroups and server farms without having to use dedicated physical interfaces on the SonicWALL. The robust VLAN support of SonicOS Enhanced allows for extremely flexible configurations, by providing the following benefits:

· Improved traffic efficiency by enabling you to reserve port groups for more demanding traffic and other port groups for less demanding traffic.
· Improved traffic efficiency by enabling you to group users into logical networks, limiting traffic to users performing similar functions.
· Blocking designated ports from accepting sensitive information, segmenting those ports from more general traffic targeted at other ports which may be more prone to performance-degrading packet analysis and filtering mechanisms.
· Insulating designated ports from distressed segments experiencing flutter or that have failed, reducing the potential for data loss, degraded data, and floods of error messages.


Example 2: Assigning VLANs to the WAN Zone

This example illustrates the ability to assign VLAN sub-interfaces to the WAN Zone and to use WAN client mode (only Static addressing is supported on VLAN sub-interfaces assigned to the WAN Zone), along with support for WAN load-balancing and failover. It also demonstrates the distribution of SonicPoints throughout the network by connecting them to access-mode VLAN ports on workgroup switches. These switches are backhauled to the core switch, which connects all the VLANs to the PRO 5060 via a trunk link.


Deploying VLAN Examples

Overview

This example is a medium sized business which uses VLANs to divide the traffic for seven different zones: Finance, Human Resources, Sales, Marketing, Engineering, Quality Assurance, and a DMZ for their public mail and web servers:

· Finance 10.100.1.1/28
· Human Resources 10.100.2.1/24
· Sales 10.100.3.1/24
· Marketing 10.100.4.1/24
· DMZ 64.69.184.13/29
· Engineering 10.90.1.1/24
· Quality Assurance 10.90.2.1/24


In this example, the corporate LAN is divided into six zones to separate each department grouping and provide security services between the departments. The DMZ is placed on a VLAN sub-interface so the DMZ can take advantage of the same 48-port switch as the rest of the network.

Zones in this Example

Finance: The accounting, billing, and payroll departments of the company. Given the sensitive nature of the information handled in these departments, this zone has the least access of any zone. In addition to the SonicWALL security services, the subnet only allows the number of clients actually in the department.

· Subnet: 10.100.1.0/28 (16 nodes)
· Servers: 4
· Clients: 12
· Wireless: Not a Wireless zone
· Guest Services: None enabled
· Associated with the VLAN sub-interface tag: 10

Human Resources: The HR and Benefits departments of the company.

· Subnet: 10.100.2.0/24
· Servers: 2
· Clients: 20
· Wireless: Wireless Zone with SonicPoint Enforcement disabled
· Guest Services: yes - for candidates.
· Associated with the VLAN sub-interface tag: 20

Sales: The HR and Benefits departments of the company.

· Subnet: 10.100.3.0/24
· Servers: 4
· Clients: 30
· Wireless: Wireless Zone with SonicPoint Enforcement disabled
· Guest Services: yes - for guests.
· Associated with the VLAN sub-interface tag: 30

Marketing: The Marketing and Product Management departments of the company.

· Subnet: 10.100.4.0/24
· Servers: 3
· Clients: 30
· Wireless: Wireless Zone with SonicPoint Enforcement disabled
· Guest Services: yes - for guests.
· Associated with the VLAN sub-interface tag: 40

Engineering: The HR and Benefits departments of the company.

· Subnet: 10.90.1.0/24
· Servers: 10
· Clients: 65
· Wireless: Wireless Zone with SonicPoint Enforcement disabled
· Guest Services: yes - for Guests and Product Management.
· Associated with the VLAN sub-interface tag: 100

Quality Assurance: The HR and Benefits departments of the company.

· Subnet: 10.90.2.0/24
· Servers: 10
· Clients: 20
· Wireless: Wireless Zone with SonicPoint Enforcement disabled
· Guest Services: yes - for testing.
· Associated with the VLAN sub-interface tag: 120

DMZ: The HR and Benefits departments of the company.

· Subnet: 10.100.1.0/30
· Servers: 2
· Clients: 1
· Wireless: no
· Guest Services: no
· Associated with the VLAN sub-interface tag: 200
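Before creating the sub-interfaces for the zones above, it is worth checking the addressing plan itself: whether each subnet has room for its servers, clients and the sub-interface address, whether any two zone subnets overlap (overlapping subnets defeat the separation the VLANs are meant to provide, since routing between them becomes ambiguous), and whether every zone has its own VLAN tag. The Python script below is an added example, not part of this document or of SonicOS; the ZONES table is transcribed from the zone list above, with the DMZ row using the 10.100.1.0/30 value shown there.

```python
from ipaddress import ip_network

# Transcribed from the zone list above: (zone, subnet, servers, clients, VLAN tag).
ZONES = [
    ("Finance",           "10.100.1.0/28", 4, 12, 10),
    ("Human Resources",   "10.100.2.0/24", 2, 20, 20),
    ("Sales",             "10.100.3.0/24", 4, 30, 30),
    ("Marketing",         "10.100.4.0/24", 3, 30, 40),
    ("Engineering",       "10.90.1.0/24", 10, 65, 100),
    ("Quality Assurance", "10.90.2.0/24", 10, 20, 120),
    ("DMZ",               "10.100.1.0/30", 2, 1, 200),
]


def usable_hosts(net):
    """Host addresses left after the network and broadcast addresses (prefix up to /30)."""
    return max(net.num_addresses - 2, 0)


def check_capacity(zones, gateway_addresses=1):
    """Flag zones whose subnet cannot hold servers + clients + the sub-interface address."""
    findings = []
    for name, cidr, servers, clients, _tag in zones:
        net = ip_network(cidr)
        need = servers + clients + gateway_addresses
        have = usable_hosts(net)
        if need > have:
            findings.append((name, "%s has %d usable addresses, %d needed" % (cidr, have, need)))
    return findings


def check_overlaps(zones):
    """Flag pairs of zone subnets that overlap."""
    findings = []
    nets = [(name, ip_network(cidr)) for name, cidr, *_ in zones]
    for i, (a_name, a_net) in enumerate(nets):
        for b_name, b_net in nets[i + 1:]:
            if a_net.overlaps(b_net):
                findings.append((a_name, "%s overlaps %s (%s)" % (a_net, b_net, b_name)))
    return findings


def check_tags(zones):
    """Flag VLAN tags used by more than one zone (each VLAN ID needs its own sub-interface)."""
    seen, findings = {}, []
    for name, _cidr, _servers, _clients, tag in zones:
        if tag in seen:
            findings.append((name, "VLAN tag %d already used by %s" % (tag, seen[tag])))
        seen[tag] = name
    return findings


def review(zones=ZONES):
    """All findings for a plan, as (zone, message) pairs."""
    return check_capacity(zones) + check_overlaps(zones) + check_tags(zones)


if __name__ == "__main__":
    for zone, message in review():
        print("%-18s %s" % (zone, message))
```

Run as written, the script reports that the Finance /28 offers 14 usable addresses but 4 servers, 12 clients and the sub-interface address need 17, that the DMZ /30 holds only 2 addresses, and that the DMZ /30 overlaps the Finance /28. The DMZ in this example runs in transparent mode on the WAN block shown in the diagram, so the DMZ rows are the ones to revisit first; the Finance sizing is a genuine shortfall to resolve before the sub-interface is created.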

Configuration Steps

Configuring the example deployment involves the following procedures:

· Configure the SonicPoint Profile
· Configure the Zones
· Configure the VLAN Subinterfaces
· Configure the VLAN-aware Switch

Configure the SonicPoint Profile

This example uses SonicPoints in five of the seven zones to grant wireless access to users throughout the company. Employees can log in with their accounts, and guest users can log in using Wireless Guest Services. The SonicPoint profile contains the settings that the security appliance automatically applies to all connected SonicPoints. Follow the procedures in The SonicOS Enhanced Administrator's Guide to configure five SonicPoint profiles, one for each zone. All five profiles are the same except for the name and the SSID. That way, where there are places within the company where the wireless coverage overlaps, users can identify the wireless connection they usually connect to. Keep the defaults except where appropriate for your installation. Give the profile a name that identifies it with the zone where it will be used. Set the SSID for both 802.11a and 802.11g radios to a name that identifies the department in which the SonicPoints are deployed, for example "SonicWALL Marketing."

Configure the Zones

Where a company would use a single corporate LAN, this example uses six zones. Using a VLAN allows the company to segment the network by department, meeting the varying security needs of each department and allowing the use of security services on traffic between departments. In addition, public servers are set up in a DMZ zone, in transparent mode. From the Network > Zones page in the SonicOS management interface, add the zones used in this example:

Financials: Configure the Financials zone with the following values:

General tab settings
Name: Financials
Security Type: Trusted
Allow Interface Trust: Checked
Enforce Content Filtering Service: Checked
Enforce Network Anti-Virus Service: Checked
Enable Gateway Anti-Virus Service: Checked
Enable IPS: Checked
Enable Anti-Spyware: Checked
Enforce Global Security Clients: Not necessary because you are not configuring WiFiSec protected access or remote VPN access to this zone
Create Group VPN: Not necessary because you are not configuring WiFiSec protected access or remote VPN access to this zone


Human Resources: Configure the Human Resources zone with the following values:

General tab settings
Name: HR
Security Type: Wireless. Select Wireless so you can use the same zone for both wired connections and SonicPoints
Allow Interface Trust: Checked
Enforce Content Filtering Service: Checked
Enforce Network Anti-Virus Service: Checked
Enable Gateway Anti-Virus Service: Checked
Enable IPS: Checked
Enable Anti-Spyware: Checked
Enforce Global Security Clients: Only check if you want to require SonicWALL Global Security Client for your employees to log into the network
Create Group VPN: Check to enforce WiFiSec security, requiring your employees to use a VPN client to connect

Wireless tab settings
Only allow traffic generated by a SonicPoint: Leave this option unchecked. This disables SonicPoint enforcement, allowing both wired and wireless connections through this zone
WiFiSec Enforcement: Check this option to enforce WiFiSec security, requiring employees to use a VPN client to connect
SonicPoint Provisioning Profile: Select the profile you configured for the HR zone. The settings in this profile will automatically be applied to the SonicPoints you set on this zone

Guest Services tab settings
Enable Wireless Guest Services: Check this option to enable access to the internet for guest users who do not have employee accounts
Enable Dynamic Address Translation (DAT): Check this option to enable guest users to connect without having to change their internet connection settings
Custom Authentication Page: Only check this option if you want to create a custom login page for guest users


Sales: Configure the Sales zone with the following values:

General tab settings
Name: Sales
Security Type: Wireless. Select Wireless so you can use the same zone for both wired connections and SonicPoints
Allow Interface Trust: Checked
Enforce Content Filtering Service: Checked
Enforce Network Anti-Virus Service: Checked
Enable Gateway Anti-Virus Service: Checked
Enable IPS: Checked
Enable Anti-Spyware: Checked
Enforce Global Security Clients: Only check if you want to require SonicWALL Global Security Client for your employees to log into the network
Create Group VPN: Check to enforce WiFiSec security, requiring your employees to use a VPN client to connect

Wireless tab settings
Only allow traffic generated by a SonicPoint: Leave this option unchecked. This disables SonicPoint enforcement, allowing both wired and wireless connections through this zone
WiFiSec Enforcement: Check this option to enforce WiFiSec security, requiring employees to use a VPN client to connect
SonicPoint Provisioning Profile: Select the profile you configured for the Sales zone. The settings in this profile will automatically be applied to the SonicPoints you set on this zone

Guest Services tab settings
Enable Wireless Guest Services: Check this option to enable access to the internet for guest users who do not have employee accounts
Enable Dynamic Address Translation (DAT): Check this option to enable guest users to connect without having to change their internet connection settings
Custom Authentication Page: Only check this option if you want to create a custom login page for guest users


Marketing: Configure the Marketing zone with the following values:

General tab settings
Name: Marketing
Security Type: Wireless. Select Wireless so you can use the same zone for both wired connections and SonicPoints
Allow Interface Trust: Checked
Enforce Content Filtering Service: Checked
Enforce Network Anti-Virus Service: Checked
Enable Gateway Anti-Virus Service: Checked
Enable IPS: Checked
Enable Anti-Spyware: Checked
Enforce Global Security Clients: Only check if you want to require SonicWALL Global Security Client for your employees to log into the network
Create Group VPN: Check to enforce WiFiSec security, requiring your employees to use a VPN client to connect

Wireless tab settings
Only allow traffic generated by a SonicPoint: Leave this option unchecked. This disables SonicPoint enforcement, allowing both wired and wireless connections through this zone
WiFiSec Enforcement: Check this option to enforce WiFiSec security, requiring employees to use a VPN client to connect
SonicPoint Provisioning Profile: Select the profile you configured for the Marketing zone. The settings in this profile will automatically be applied to the SonicPoints you set on this zone

Guest Services tab settings
Enable Wireless Guest Services: Check this option to enable access to the internet for guest users who do not have employee accounts
Enable Dynamic Address Translation (DAT): Check this option to enable guest users to connect without having to change their internet connection settings
Custom Authentication Page: Only check this option if you want to create a custom login page for guest users


Engineering: Configure the Engineering zone with the following values:

General tab settings
Name: Engineering
Security Type: Wireless. Select Wireless so you can use the same zone for both wired connections and SonicPoints
Allow Interface Trust: Checked
Enforce Content Filtering Service: Checked
Enforce Network Anti-Virus Service: Checked
Enable Gateway Anti-Virus Service: Checked
Enable IPS: Checked
Enable Anti-Spyware: Checked
Enforce Global Security Clients: Only check if you want to require SonicWALL Global Security Client for your employees to log into the network
Create Group VPN: Check to enforce WiFiSec security, requiring your employees to use a VPN client to connect

Wireless tab settings
Only allow traffic generated by a SonicPoint: Leave this option unchecked. This disables SonicPoint enforcement, allowing both wired and wireless connections through this zone
WiFiSec Enforcement: Check this option to enforce WiFiSec security, requiring employees to use a VPN client to connect
SonicPoint Provisioning Profile: Select the profile you configured for the Engineering zone. The settings in this profile will automatically be applied to the SonicPoints you set on this zone

Guest Services tab settings
Enable Wireless Guest Services: Check this option to enable access to the internet for guest users who do not have employee accounts
Enable Dynamic Address Translation (DAT): Check this option to enable guest users to connect without having to change their internet connection settings
Custom Authentication Page: Only check this option if you want to create a custom login page for guest users


Quality Assurance: Configure the Quality Assurance zone with the following values:

General tab settings
Name: QA
Security Type: Wireless. Select Wireless so you can use the same zone for both wired connections and SonicPoints
Allow Interface Trust: Checked
Enforce Content Filtering Service: Checked
Enforce Network Anti-Virus Service: Checked
Enable Gateway Anti-Virus Service: Checked
Enable IPS: Checked
Enable Anti-Spyware: Checked
Enforce Global Security Clients: Only check if you want to require SonicWALL Global Security Client for your employees to log into the network
Create Group VPN: Check to enforce WiFiSec security, requiring your employees to use a VPN client to connect

Wireless tab settings
Only allow traffic generated by a SonicPoint: Leave this option unchecked. This disables SonicPoint enforcement, allowing both wired and wireless connections through this zone
WiFiSec Enforcement: Check this option to enforce WiFiSec security, requiring employees to use a VPN client to connect
SonicPoint Provisioning Profile: Select the profile you configured for the QA zone. The settings in this profile will automatically be applied to the SonicPoints you set on this zone

Guest Services tab settings
Enable Wireless Guest Services: Check this option to enable access to the internet for guest users who do not have employee accounts
Enable Dynamic Address Translation (DAT): Check this option to enable guest users to connect without having to change their internet connection settings
Custom Authentication Page: Only check this option if you want to create a custom login page for guest users


DMZ: The DMZ zone already exists. For this example, keep the default configuration.

Configure the Physical Interfaces

This example uses the F0 fiber port on a PRO 5060 for all the VLAN subinterfaces except the DMZ. The DMZ is assigned to X2. You can leave the X2 interface unassigned. You only need to configure the Link Speed for the fiber interface. Configure the F0 interface:

1. In the Network > Interfaces page, click the configure icon for the F0 interface.

2. Leave the interface unassigned. The interface can remain unassigned and still carry VLAN traffic.

3. Click the Advanced tab and make sure the Link Speed is set to 1000 Mbps - Full Duplex. With some VLAN-aware switches, the fiber ports cannot autonegotiate the port speed and duplex.

4. Click OK.

Configure the VLAN Subinterfaces

For this example, configure seven VLAN subinterfaces, one for each zone you created and one for the DMZ. The DMZ is assigned a VLAN subinterface so it can be routed through the same VLAN-aware switch the rest of the network uses. Configure the VLAN Subinterfaces:

1. In the Network > Interfaces page, click Add below the list of interfaces.


2. In the Add Interface window, enter the values for the subinterface you are using for the Financials zone:

General tab settings
Zone: Financials
VLAN Tag: 10
Parent Interface: F0. You can assign all subinterfaces to the same parent interface.
IP Assignment: Static
IP Address: 10.100.1.1
Subnet Mask: 255.255.255.239

3. Configure the remaining five subinterfaces for the zones you created.

HR
General tab settings
Zone: HR
VLAN Tag: 20
Parent Interface: F0. You can assign all subinterfaces to the same parent interface.
IP Assignment: Static
IP Address: 10.100.2.1
Subnet Mask: 255.255.255.0

Sales
General tab settings
Zone: Sales
VLAN Tag: 30
Parent Interface: F0. You can assign all subinterfaces to the same parent interface.
IP Assignment: Static
IP Address: 10.100.3.1
Subnet Mask: 255.255.255.0

Marketing
General tab settings
Zone: Marketing
VLAN Tag: 40
Parent Interface: F0. You can assign all subinterfaces to the same parent interface.
IP Assignment: Static
IP Address: 10.100.4.1
Subnet Mask: 255.255.255.0

Engineering
General tab settings
Zone: Engineering
VLAN Tag: 100
Parent Interface: F0. You can assign all subinterfaces to the same parent interface.
IP Assignment: Static
IP Address: 10.90.1.1
Subnet Mask: 255.255.255.0

QA
General tab settings
Zone: QA
VLAN Tag: 110
Parent Interface: F0. You can assign all subinterfaces to the same parent interface.
IP Assignment: Static
IP Address: 10.90.2.1
Subnet Mask: 255.255.255.0

4. Configure the subinterface for the DMZ in transparent mode, using a range of addresses in the WAN:


· In the IP Assignment field, select Transparent.

· In the Transparent Range field, select an address object that is assigned to the DMZ zone and has an IP address range of at least three addresses in your WAN subnet, or click Create new address object to add an address object.

General tab settings
Zone: DMZ
VLAN Tag: 110
Parent Interface: X2. Use a different physical interface for the DMZ if it is to carry a greater amount of traffic.
IP Assignment: Transparent
Transparent Range: Select or create an address object assigned to the DMZ zone with a range of at least three IP addresses in your WAN subnet range.
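An added consistency check (example code, not from the original document) to run over a subinterface plan before committing it: it flags VLAN tags outside 1-4094 or reused across zones, subnet masks that are not contiguous, and overlapping subnets. The sample plan is constructed from the tables above; the DMZ row carries no static address because it is in transparent mode.

```python
import ipaddress

# Sample plan constructed from the subinterface tables in this example:
# (zone, VLAN tag, parent interface, IP address, subnet mask).
# The DMZ is in transparent mode, so it carries no static address here.
SUBINTERFACES = [
    ("Financials", 10, "F0", "10.100.1.1", "255.255.255.239"),
    ("HR", 20, "F0", "10.100.2.1", "255.255.255.0"),
    ("Sales", 30, "F0", "10.100.3.1", "255.255.255.0"),
    ("Marketing", 40, "F0", "10.100.4.1", "255.255.255.0"),
    ("Engineering", 100, "F0", "10.90.1.1", "255.255.255.0"),
    ("QA", 110, "F0", "10.90.2.1", "255.255.255.0"),
    ("DMZ", 110, "X2", None, None),
]


def check_plan(subinterfaces):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    tag_owner = {}   # VLAN tag -> first zone that claimed it
    networks = []    # (zone, IPv4Network) for overlap checks
    for zone, tag, parent, ip, mask in subinterfaces:
        # 802.1Q reserves 0 and 4095, so a usable tag is 1-4094
        if not 1 <= tag <= 4094:
            findings.append(f"{zone}: VLAN tag {tag} out of range 1-4094")
        # Every VLAN ID needs its own subinterface: a reused tag would
        # merge two zones into one broadcast domain on the switch
        if tag in tag_owner:
            findings.append(f"{zone}: VLAN tag {tag} already used by {tag_owner[tag]}")
        else:
            tag_owner[tag] = zone
        if ip is None:           # transparent mode: no static subnet to check
            continue
        try:
            # strict=False accepts a host address; a non-contiguous mask raises
            net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
        except ValueError:
            findings.append(f"{zone}: invalid subnet mask {mask}")
            continue
        for other_zone, other in networks:
            if net.overlaps(other):
                findings.append(f"{zone}: subnet {net} overlaps {other_zone} ({other})")
        networks.append((zone, net))
    return findings


if __name__ == "__main__":
    for line in check_plan(SUBINTERFACES) or ["plan is consistent"]:
        print(line)
```

Run as-is, it reports the Financials mask and the DMZ tag shared with QA; once those values are corrected in the plan the check returns an empty list.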

Configure the VLAN-aware Switch

This example uses a VLAN-aware switch with at least 120 ports. The lines from the VLAN-aware switch can further lead to simple switches and hubs to distribute network access where needed. Each family of VLAN-aware switches has a different management interface. This example assumes a Command Line Interface (CLI) like on a Cisco Catalyst series switch. On your switch, configure the following:

· The VLAN port assignments

· The trunk lines to communicate with the SonicWALL security appliance.

Configure the trunk lines. One trunk must be a fiber port to connect with the F0 port of the PRO 5060. The other must be a 1-gigabit copper Ethernet port to connect with the X2 port of the PRO 5060.

Configure the VLAN Port Assignments

In the CLI for the switch, enter:

set vlan 10 2/25-32
set vlan 20 2/33-48
set vlan 30 3/49-60
set vlan 40 3/62-72
set vlan 100 4/73-96
set vlan 110 5/97-120
set vlan 200 1/20-24

Configure the trunk interfaces

In the CLI for the switch, enter:

set trunk 1/1 nonegotiate dot1q 25-120

Thus, you connect port 1 on slot 1 on the switch to the F0 interface on the security appliance. It serves as the trunk for all the VLANs except the DMZ.

set trunk 1/12 nonegotiate dot1q 20-24

Thus, you connect port 12 on slot 1 on the switch to the X2 interface on the security appliance. It serves as the trunk for the single DMZ VLAN.

Glossary

· Virtual Local Area Network - An entity that uses IP header tagging to simulate multiple LANs within a single physical LAN. While multiple VLANs are distinct from one another like multiple LANs are, multiple VLANs have the added property of being able to exist together on the same physical networking segment.

· VLAN Tag - A virtual marker assigned to an IP address header of a packet that identifies the VLAN to which it belongs. This information is detected by a VLAN-aware device when the packet arrives at the device. The device then maps the packet, based on the tagging data, to the appropriate VLAN ID. The device then directs the packet through the appropriate sub-interface. The range of selectable VLAN tags you can apply to an address header is between 1 and 4095.

· VLAN ID - A value between 0 and 4,095 that identifies the VLAN as a unique entity. The VLAN ID value is applied to a packet based on the tag information in the packet so that a VLAN-aware device can direct the packet through the appropriate sub-interface. These tags map the sub-interface to the VLAN ID, ensuring it is identifiable as belonging to the correct VLAN.

· Virtual Workgroup - A method that allows for clustering of non-contiguous nodes into a logical unit based on like attributes, using VLANs, to fulfill the requirements of a functional group that may not be geographically close.

· 802.1q - The IEEE standard that supports VLAN technology.

· Sub-Interface - A logical interface nested beneath a physical interface used by VLANs to create logical groups of interfaces. Every unique VLAN ID requires its own sub-interface.

· Transparent Mode - A method of address assignment to a sub-interface that allows for the WAN subnetwork to be shared by the current interface using Address Objects. The interface's IP address is the same as the WAN interface IP address. Transparent mode is available on interfaces assigned to Trusted and Public Zones.

· Static Mode - A method of address assignment to a sub-interface that allows you to manually configure a single IP address to it.


Solution Document Version History

Version Number: 1
Date: 4/18/2005
Notes: This document was created.
