SonicOS 5.7: Advanced Switching Feature Guide and Screencast Tutorial

This solutions document describes how to configure and manage the Switching feature on a SonicWALL NSA 2400MX running SonicOS 5.7. A screencast tutorial on Port Mirroring is also provided.
Feature Overview

This section provides an introduction to the Switching feature. It contains the following subsections:
• “What is Switching on the SonicWALL NSA 2400MX?”
• “Benefits of Switching in SonicOS”
• “How Does Switching Work on the SonicWALL NSA 2400MX?”
• “Supported Platforms”

What is Switching on the SonicWALL NSA 2400MX?

SonicOS 5.
Benefits of Switching in SonicOS

The SonicWALL NSA 2400MX provides a combined security and switching solution with the objective of improved security for all tasks. Layer 2 switching features enhance the deployment and interoperability of SonicWall devices within existing Layer 2 networks. The SonicWALL NSA 2400MX provides flexible, intelligent switching capabilities with its unique PortShield architecture, increased port density with 26 interfaces, and advanced switching features.
How Does Switching Work on the SonicWALL NSA 2400MX?

The switching features have their own menu group in the left navigation pane of the SonicOS management interface.

Figure 1 Switching in SonicOS – Navigation Pane

Some switching features operate on PortShield Groups and require preliminary configuration on the Network > PortShield Groups page. Some operate on existing Network > Interface configurations. The Port Security feature uses MAC address objects.
Configuring Switching

This section contains the following sections:
• “Configuring VLAN Trunking”
• “Configuring Rapid Spanning Tree”
• “Configuring Layer 2 Discovery”
• “Configuring Link Aggregation”
• “Configuring Port Mirroring”
• “Configuring Layer 2 Quality of Service”
• “Configuring Rate Control”
• “Configuring Port Security”
Figure 2 shows the Switching > VLAN Trunking page. The page displays the range of reserved VLANs in the Reserved VLAN Information section, details about current VLANs in the VLAN Table, and the VLAN trunks configured on the system in the VLAN Trunks area.
The values displayed on the Switching > VLAN Trunking page are described in Table 1.

Table 1 VLAN Trunking Page Description

Item – Description

Reserved VLAN Information
Starting VLAN ID – The lowest ID number in the VLAN range reserved for PortShield use. This VLAN range is reserved for local VLANs associated with a PortShield group.
Ending VLAN ID – The highest ID number in the VLAN range reserved for PortShield use.

VLAN Table
VLAN ID – The ID number of the VLAN.
Interface –
Item – Description
VLAN ID – The VLAN ID of each VLAN enabled on the trunk port is displayed when the arrow next to the interface name is pointing downward. Click the right arrow to expand the list.
Configure – The Configure column shows a delete icon if the entry on the row can be deleted. A row containing a VLAN ID that is marked as Trunked in the VLAN Table will not display a delete icon.

You can mark certain PortShield groups as “Trunked”.
You can change the VLAN ID of PortShield groups on the SonicWALL NSA 2400MX appliance. This allows easy integration with existing VLAN numbering. Unlike traditional Layer 2 switches, the SonicWALL NSA 2400MX appliance does not allow changing port VLAN membership in an ad-hoc manner. VLAN membership of a port must be configured via PortShield configuration in the SonicOS management interface.
Figure 5 shows the user interface while enabling the local VLAN 3787 on the trunk port, X20.

Figure 5 Enabling a Local VLAN on a VLAN Trunk

In Figure 6, the VLAN Table on the Switching > VLAN Trunking page displays the trunk port, X20, as a member of local VLAN 3787 after the VLAN is enabled on the VLAN trunk.

Figure 6 VLAN Table
Figure 7 illustrates a VLAN trunk with two trunk ports, bridging the Sales, Engineering, QA, and Finance VLANs through the SonicWALL NSA 2400MX. Each remote VLAN is initially enabled on VLAN trunk port X20, causing the creation of four virtual VLAN trunk interfaces. When these VLANs are also enabled on trunk port X21, no new virtual interfaces are created.
Editing VLANs

To edit a VLAN, perform the following steps:
Step 1 On the Switching > VLAN Trunking page, click the Configure icon in the VLAN Table row for the VLAN ID you want to edit.
Step 2 In the Edit Vlan for PortShield window, do one of the following:
– Type a different VLAN ID into the Vlan ID field. You can enter any VLAN ID except the original system-specified VLAN ID or any others in the Reserved VLAN IDs.
Enabling a VLAN on a Specific Trunk Port

Using this method rather than the method described in “Editing VLANs”, you can specify a single trunk port to be used for a particular VLAN ID. To enable a custom VLAN ID on a specific trunk port, perform the following steps:
Step 1 On the Switching > VLAN Trunking page under VLAN Trunks, click the Enable VLAN button.
Step 2 In the Enable VLAN window, select a trunked port from the Trunked Port drop-down list.
allows faster spanning tree convergence after a topology change, typically within 3 times the Hello interval, a total of 6 seconds in the default configuration. The original STP can take 30 to 50 seconds for convergence after a topology change. SonicWALL’s RSTP implementation conforms to the IEEE 802.1D-2004 specification. The 802.1D specification is VLAN unaware and creates a common spanning tree (CST) that is applied to all VLANs present in the network.
The settings displayed in the Bridge Information section of the Switching > Rapid Spanning Tree page are described in Table 2.

Table 2 RSTP Configurable Objects

Item – Description
Root Bridge ID – The root bridge ID is an 8-byte value with 2 bytes for the bridge priority and 6 bytes for the MAC address. The root bridge has the lowest value for priority among all switches in the network.
Figure 9 illustrates the possible loop that is logically blocked when ports in the same VLAN exist on multiple connected switches in a network.
Configuring Bridge Settings

To configure the Bridge Settings on the Switching > Rapid Spanning Tree page, perform the following steps:
Step 1 To specify the spanning tree protocol version to use, select one of the following from the Force Version drop-down list:
• RSTP Operation – Use Rapid Spanning Tree Protocol.
• STP Only – Use the original Spanning Tree Protocol.
Step 2 To specify the priority of the root bridge, type the desired priority into the Bridge Priority field.
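The root election described in Table 2 and the Bridge Priority field above can be checked offline before touching the appliance. The following Python script is an added example, not part of the original document or of SonicOS: it builds the 8-byte bridge ID (2-byte priority followed by the 6-byte MAC) and elects the root as the lowest ID, which shows why a lower priority on the NSA overrides any MAC-based tie-break. The sample device names and MAC addresses are constructed, the default priority of 32768 is an assumption (the page does not state the SonicOS default), and the path-cost table holds the IEEE 802.1D-2004 recommended values, not SonicOS's own auto-calculated costs, which the page does not list.

```python
import struct

# Assumption: 32768 is the usual default bridge priority; the page does not give SonicOS's default.
DEFAULT_BRIDGE_PRIORITY = 32768

# IEEE 802.1D-2004 recommended port path costs by link speed (Mb/s).
# Assumption: SonicOS's "Auto" cost is derived from link speed, but its exact
# values are not on the page, so the standard's recommended values are used here.
IEEE_PATH_COST = {10: 2_000_000, 100: 200_000, 1_000: 20_000, 10_000: 2_000}


def parse_mac(mac: str) -> bytes:
    """Parse 'aa:bb:cc:dd:ee:ff' (colons or dashes, any case) into 6 raw bytes."""
    parts = mac.strip().replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError(f"bad MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def bridge_id(priority: int, mac: str) -> bytes:
    """8-byte bridge ID: 2-byte priority, then the 6-byte MAC, big-endian."""
    if not 0 <= priority <= 0xFFFF:
        raise ValueError("bridge priority must fit in 2 bytes")
    return struct.pack(">H6s", priority, parse_mac(mac))


def elect_root(bridges: dict) -> str:
    """bridges maps a device name to (priority, mac).

    The lowest 8-byte bridge ID wins. Because bytes compare lexicographically,
    the priority field dominates and the MAC only breaks ties between
    bridges that share the same priority.
    """
    if not bridges:
        raise ValueError("no bridges to elect from")
    return min(bridges, key=lambda name: bridge_id(*bridges[name]))


def auto_path_cost(link_mbps: int) -> int:
    """Port path cost for a link speed, per the IEEE 802.1D-2004 recommendation."""
    try:
        return IEEE_PATH_COST[link_mbps]
    except KeyError:
        raise ValueError(f"no recommended cost for {link_mbps} Mb/s") from None


def with_priority(bridges: dict, name: str, priority: int) -> dict:
    """Return a copy of the topology with one device's bridge priority changed."""
    updated = dict(bridges)
    updated[name] = (priority, bridges[name][1])
    return updated


# Constructed topology (locally administered MACs), all at the default priority.
SAMPLE_BRIDGES = {
    "nsa-2400mx": (DEFAULT_BRIDGE_PRIORITY, "02:00:00:00:00:20"),
    "core-sw": (DEFAULT_BRIDGE_PRIORITY, "02:00:00:00:00:10"),
    "edge-sw": (DEFAULT_BRIDGE_PRIORITY, "02:00:00:00:00:30"),
}

if __name__ == "__main__":
    # With equal priorities the lowest MAC (core-sw) becomes root.
    print("root with defaults:", elect_root(SAMPLE_BRIDGES))
    # Lowering the NSA's Bridge Priority makes it root regardless of MAC.
    print("root with NSA at 4096:", elect_root(with_priority(SAMPLE_BRIDGES, "nsa-2400mx", 4096)))
    print("auto cost for 1 Gb/s link:", auto_path_cost(1_000))
```

Run it as-is to see the election flip when only the priority changes; the same comparison applies to the Root Bridge ID shown in the Bridge Information section, so an unexpected root on the page usually means another device on the segment carries a lower priority.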
Step 2 In the Edit RSTP Settings window, select the Enable RSTP checkbox to enable Rapid Spanning Tree Protocol for this interface. Clear the checkbox to disable RSTP on this interface.
Step 3 To allow the path cost for the port to be automatically calculated by SonicOS, select the Auto checkbox. The Auto option is enabled by default. If left in auto-mode, the port cost is determined based on link speed.
On many switches and network devices, the LLDP information is stored as a management information database (MIB). Simple Network Management Protocol (SNMP) is used to query the MIB for device information, including system name, port name, VLAN name, IP address, system capabilities (such as switching or routing), MAC address, and link aggregation settings. The topology of a network can be discovered by crawling the hosts and querying the MIB database on each.
Viewing Device Information in the Layer 2 Discovery Page

To view the LLDP/LLTD discovery results for your network, perform the following steps:
Step 1 Enable LLDP on any switches or other network devices in your network, using a command such as “lldp run”. LLDP is usually not enabled by default.
Step 2 To get LLTD results from Windows XP machines in your network, download, install, and enable the LLTD responder driver from Microsoft on those machines.
Configuring Link Aggregation

SonicOS 5.7 supports the IEEE 802.1AX-2008 Link Aggregation Control Protocol (LACP). LACP is used when multiple network ports are connected in parallel between two switches or between a switch and a server. Link aggregation makes it possible to increase the bandwidth beyond the limits of a single connection, and to provide seamless, higher availability by creating a redundant link. Link aggregation in SonicOS 5.
Figure 14 illustrates the two types of link aggregation.

Figure 14 Two Types of Link Aggregation: NSA to Server and NSA to Switch
(Figure labels: NSA to Server logical link – redundant, not load balanced; NSA to Switch logical link – redundant and load balanced; Eng VLAN and QA VLAN behind the switch; Internet on the WAN side.)

Similarly to PortShield configuration, you select an interface that represents the aggregated group. This port is called an aggregator. The aggregator port must be assigned a unique key.
Creating a Logical Link

To create a Logical Link, perform the following steps:
Step 1 On the Switching > Link Aggregation page, click the Add button.
Step 2 In the Add LAG Port window, select the interface from the Port drop-down list.
Step 3 To specify a key, clear the Auto-Detect checkbox and type the desired key into the Key field.
Step 4 If this interface will be the aggregator for the Logical Link, select the Aggregator checkbox.
Step 8 In the Add LAG Port window, select the interface for the link partner from the Port drop-down list.
Step 9 If you specified a key for the first interface (the aggregator), clear the Auto-Detect checkbox and type the same key into the Key field. If Auto-Detect was left enabled for the first interface, leave it enabled for this one as well.
Step 10 Clear the Aggregator checkbox. Only one interface can be an aggregator for a Logical Link.
Configuring Port Mirroring

You can configure Port Mirroring on the SonicWALL NSA 2400MX to send a copy of network packets seen on one or more switch ports (or on a VLAN) to another switch port called the mirror port. By connecting to the mirror port, you can monitor the traffic passing through the mirrored port(s). Figure 15 shows the Switching > Port Mirroring page with one mirror group configured.
Step 2 In the Edit Mirror Group window, type a descriptive name for the group into the Interface Group Name field.
Step 3 For the Direction, select one of the following:
• ingress – Select ingress to monitor traffic arriving on the mirrored port(s).
• egress – Select egress to monitor traffic being sent out on the mirrored port(s).
• both – Select both to monitor traffic in both directions on the mirrored port(s).
Configuring Layer 2 Quality of Service

Quality of service (QoS) refers to a method of resource control that provides different priority to different types of applications, data, or users. QoS can also be used to guarantee a certain bit rate, delay, jitter, or error rate to a type of network traffic.
In SonicOS, four queues with different priority levels (low, normal, high, highest) are supported. These are mapped to the eight levels defined in IEEE 802.1p (CoS) and cannot be changed. Table 4 shows the mapping between the CoS priority levels and the four supported queue priority levels.

Table 4 802.
• Strict Priority Queue – When Strict Priority Queue is selected, packets containing an 802.1p tag or DSCP marking with a priority level matching the Highest queue priority are forwarded or received. Packets matching High, Normal or Low priority may be dropped.
Step 2 Click the Apply button.

Configuring DSCP Mapping

You can configure the DSCP mapping by setting the priority levels for DSCP values 0 through 63.
Configuring QoS Settings

The QoS Settings table on the Switching > Layer 2 QoS page lists all interfaces on the SonicWALL NSA 2400MX. You can configure the QoS settings for each interface individually or for multiple interfaces at the same time. A portion of the QoS Settings table is shown in Figure 18.
Step 5
Step 6 If both Trust CoS and Trust DSCP are selected, do one of the following:
• Select the Prefer CoS checkbox to give preference to the CoS 802.1p tag field settings when both the 802.1p tag field and the DSCP field are present in ingressing frames.
• Clear the Prefer CoS checkbox to give preference to the DSCP field settings when both the 802.1p tag field and the DSCP field are present in ingressing frames.
Step 5 To enable the use of the DSCP field settings for Quality of Service on these interfaces, select the Trust DSCP checkbox. The Fixed Priority checkbox must be cleared before you can select this checkbox.
Step 6 If both Trust CoS and Trust DSCP are selected, do one of the following:
• Select the Prefer CoS checkbox to give preference to the CoS 802.1p tag field settings when both the 802.1p tag field and the DSCP field are present in ingressing frames.
Step 7
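The Trust CoS, Trust DSCP, Prefer CoS and Fixed Priority settings interact in a way that is easy to misread from the steps alone, so the following Python script is an added example (not from the original document or from SonicOS) that models the per-interface decision for one ingress frame: which marking is honoured when both, one or neither marking is present, and the rule that Trust DSCP cannot be combined with Fixed Priority. Because Table 4 is truncated in this copy and the page gives no default DSCP priorities, the CoS-to-queue and DSCP-to-queue maps below are constructed placeholders, and the `fixed_queue` and `default_queue` settings are assumptions about what Fixed Priority and an untrusted frame resolve to.

```python
QUEUES = ("low", "normal", "high", "highest")

# Constructed placeholder: the page's Table 4 (fixed 802.1p -> queue mapping)
# is truncated here, so this is NOT the SonicOS table, only an illustration.
SAMPLE_COS_MAP = {0: "low", 1: "low", 2: "normal", 3: "normal",
                  4: "high", 5: "high", 6: "highest", 7: "highest"}


def build_dscp_map(normal_from=16, high_from=32, highest_from=48) -> dict:
    """Constructed DSCP (0-63) -> queue map using three thresholds.

    The page says each of the 64 DSCP values can be given a priority level
    but lists no defaults; these thresholds are an assumption for the demo.
    """
    if not 0 <= normal_from <= high_from <= highest_from <= 63:
        raise ValueError("thresholds must be ordered and within 0..63")
    mapping = {}
    for dscp in range(64):
        if dscp >= highest_from:
            mapping[dscp] = "highest"
        elif dscp >= high_from:
            mapping[dscp] = "high"
        elif dscp >= normal_from:
            mapping[dscp] = "normal"
        else:
            mapping[dscp] = "low"
    return mapping


def validate_settings(settings: dict) -> None:
    """Enforce the constraint stated on the page: Trust DSCP requires Fixed Priority cleared."""
    if settings.get("trust_dscp") and settings.get("fixed_priority"):
        raise ValueError("Trust DSCP cannot be selected while Fixed Priority is set")
    for key in ("fixed_queue", "default_queue"):
        if key in settings and settings[key] not in QUEUES:
            raise ValueError(f"{key} must be one of {QUEUES}")


def classify(frame: dict, settings: dict, cos_map=SAMPLE_COS_MAP, dscp_map=None):
    """Return (marking_used, queue) for one ingress frame on an interface.

    frame: {"pcp": 0..7 or None, "dscp": 0..63 or None}; None means the
    field is absent (e.g. an untagged frame has no 802.1p PCP).
    """
    validate_settings(settings)
    if dscp_map is None:
        dscp_map = build_dscp_map()
    pcp, dscp = frame.get("pcp"), frame.get("dscp")
    if pcp is not None and not 0 <= pcp <= 7:
        raise ValueError("PCP must be 0..7")
    if dscp is not None and not 0 <= dscp <= 63:
        raise ValueError("DSCP must be 0..63")

    if settings.get("fixed_priority"):
        # Assumption: Fixed Priority pins every frame on the interface to one queue.
        return ("fixed", settings.get("fixed_queue", "normal"))

    cos_usable = bool(settings.get("trust_cos")) and pcp is not None
    dscp_usable = bool(settings.get("trust_dscp")) and dscp is not None

    if cos_usable and dscp_usable:
        # Both markings present and both trusted: Prefer CoS decides the tie.
        if settings.get("prefer_cos"):
            return ("cos", cos_map[pcp])
        return ("dscp", dscp_map[dscp])
    if cos_usable:
        return ("cos", cos_map[pcp])
    if dscp_usable:
        return ("dscp", dscp_map[dscp])
    # Nothing trusted or nothing present: assumption that a default queue applies.
    return ("none", settings.get("default_queue", "normal"))


if __name__ == "__main__":
    both = {"trust_cos": True, "trust_dscp": True, "prefer_cos": True}
    print(classify({"pcp": 6, "dscp": 46}, both))          # CoS wins the tie
    print(classify({"pcp": 6, "dscp": 46}, {**both, "prefer_cos": False}))  # DSCP wins
    print(classify({"pcp": None, "dscp": 46}, both))       # untagged: DSCP only
```

The two interesting cases are the tie (both fields present, both trusted) and the untagged frame, where Prefer CoS has no effect because there is no 802.1p field to prefer; checking an interface's settings against a handful of representative frames this way is a quick sanity test before trusting markings from an untrusted segment.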
The Switching > Rate Control page, shown in Figure 19, provides information and configuration for per-interface rate limiting and flow control. Both the rate limiting and flow control features are configured on a per port basis.

Figure 19 Switching > Rate Control Page

Egress Traffic Rate Limiting

In SonicOS, the rate limiting for egress frames can only be enabled or disabled, no mode can be selected.
Flow Control

In SonicOS, back-pressure flow control on half-duplex ports and pause frame-based flow control on full-duplex ports are provided to support zero packet loss under temporary traffic congestion.
• Full-duplex flow control requires support from the peer end station.
Step 4 Type the desired ingress rate limit in kilobits per second into the Ingress Rate field. To turn off the ingress rate limit and allow unlimited traffic, type 0 (zero). The value you type will be rounded to the nearest increment, depending on the granularity available for that rate.
See the following procedures for information about configuring port security:
• “Creating a Secure Port by Adding a MAC Address Object”
• “Editing MAC Address Objects in Port Security Settings”
• “Deleting MAC Address Objects from Port Security Settings”

Creating a Secure Port by Adding a MAC Address Object

To configure port security, you must use an address object to bind MAC address(es) to an interface.
Step 6 Select the zone from the Zone Assignment drop-down list. This is the zone for the computer with this MAC address. You can select any zone that exists on the SonicWALL NSA 2400MX, including custom zones and the SonicOS default zones, which are LAN, WAN, DMZ, VPN, SSLVPN, MULTICAST, and WLAN.
Step 7 The only available selection for Type is MAC, indicating that you are creating a MAC Address Object.
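Port security as described above binds MAC address objects to an interface and zone; what the appliance then enforces is that a secure port only carries its bound addresses. The following Python script is an added example, not code from the original document or from SonicOS, that models that binding table and runs a defender-side check over constructed frame observations: it flags an unbound source MAC on a secure port, and separately flags a bound MAC turning up on a different interface, which is worth a look whether it is a moved host or a spoofed address. Object names, interface names and the RFC 7042 documentation MACs (00:00:5E:00:53:xx) are constructed sample data; `check_frames` and its output format are this example's own.

```python
import re
from dataclasses import dataclass

MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$")


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form, accepting dashes and mixed case."""
    canon = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(canon):
        raise ValueError(f"bad MAC address: {mac!r}")
    return canon


@dataclass(frozen=True)
class MacAddressObject:
    """One MAC Address Object: a MAC bound to an interface and a zone."""
    name: str
    mac: str
    interface: str
    zone: str


def build_port_table(objects) -> dict:
    """Return {interface: {mac: MacAddressObject}}.

    A MAC bound to two different interfaces is treated as a configuration
    error, since the same station cannot be legitimately behind both ports.
    """
    bound_to = {}
    table = {}
    for obj in objects:
        mac = normalize_mac(obj.mac)
        if mac in bound_to and bound_to[mac] != obj.interface:
            raise ValueError(f"{mac} is bound to both {bound_to[mac]} and {obj.interface}")
        bound_to[mac] = obj.interface
        table.setdefault(obj.interface, {})[mac] = obj
    return table


def check_frames(table: dict, frames) -> list:
    """Evaluate (interface, src_mac) observations against the binding table.

    Only interfaces with at least one bound MAC are secure ports; traffic on
    other interfaces is not rejected, but a bound MAC appearing there is
    reported because it contradicts the binding.
    """
    bound_to = {mac: iface for iface, macs in table.items() for mac in macs}
    findings = []
    for iface, src in frames:
        mac = normalize_mac(src)
        if iface in table and mac not in table[iface]:
            findings.append({"interface": iface, "src_mac": mac,
                             "reason": "unbound source MAC on secure port"})
        elif iface not in table and mac in bound_to:
            findings.append({"interface": iface, "src_mac": mac,
                             "reason": f"MAC bound to {bound_to[mac]} seen on {iface}"})
    return findings


# Constructed sample configuration and observations (not from the page).
SAMPLE_OBJECTS = [
    MacAddressObject("finance-pc", "00:00:5E:00:53:01", "X2", "LAN"),
    MacAddressObject("lobby-printer", "00-00-5e-00-53-02", "X3", "LAN"),
]
SAMPLE_FRAMES = [
    ("X2", "00:00:5e:00:53:01"),  # bound host on its own port: fine
    ("X2", "00:00:5e:00:53:99"),  # unknown station on a secure port
    ("X5", "00:00:5E:00:53:01"),  # finance-pc's MAC appearing on an unsecured port
    ("X5", "00:00:5e:00:53:77"),  # unknown station on an unsecured port: not enforced
]

if __name__ == "__main__":
    for finding in check_frames(build_port_table(SAMPLE_OBJECTS), SAMPLE_FRAMES):
        print(finding)
```

Feeding the check with addresses observed from a mirror port or from the ARP table gives a quick audit of whether the bindings entered on the Port Security page still match what is actually plugged in.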
Troubleshooting and Verification

This section provides methods you can use to verify and troubleshoot the behavior of your Switching configuration.
Step 2 In the Edit Mirror Group window, type a name for the Mirror Group.
Step 3 For Direction, select both. This allows mirroring of traffic arriving on, and being transmitted from, the mirrored ports.
Step 4 In the All Interfaces box, scroll down and select a gigabit interface for the Mirror Port. The selected interface must have an Unassigned zone. You can verify this on the Network > Interfaces page.
The X20, X24, and X25 interfaces are shown below on the Network > Interfaces page. You can see that all three are gigabit Ethernet ports, that the Zone for X20 is Unassigned and it is configured as a Mirror Port, and that X24 and X25 are configured as VLAN Trunk ports. X25 is marked as a member of a Logical Link.

Using Wireshark

Wireshark is a popular, open source network analysis tool that runs on Windows or Mac OS X computers.
Step 6 Launch Wireshark.
Step 7 Do one of the following:
– Click the Start Capture button in the upper left corner, and then, in the dialog box, select the Start checkbox for the gigabit interface connected to the Mirror Port.
– Under Start capture on interface, click the link for the interface connected to the Mirror Port.
Step 8 View the frames in the Wireshark main window.
Step 9 When finished, click the Stop Capture button.
Viewing Log Event Messages for Switching

A new log event, logstrAdvSwitch, is introduced in SonicOS 5.7 to address SonicOS Switching activities. It falls under a new category, Advanced Switching, which can only be seen on devices with the switching hardware, such as the SonicWALL NSA 2400MX. Other SonicWALL appliances will not show the new category, as it is not applicable to the hardware.
Filtering the Log for Switching Events

To display only the log events related to switching, perform the following steps:
Step 1 Navigate to the Log > View page in the SonicOS management interface.
Step 2 In the Log View Settings section, select Advanced Switching from the Category drop-down list.
Step 3 Optionally select specific interfaces from the Source and/or Destination drop-down lists.
Technical FAQ

How do I view the CAM table on the SonicWALL NSA 2400MX?

The SonicOS 5.7.0.0 user interface or CLI does not provide a way to display the CAM, or MAC Address, table directly, but provides the same information in the ARP table and on the Switching > L2 Discovery page. A Content Addressable Memory (CAM) table is a dynamic, internal, purely Layer 2 mapping between switch ports and the MAC addresses that are bound to them.
Glossary

BPDU – Bridge Protocol Data Unit. Used in RSTP, BPDUs are special data frames used to exchange information about bridge IDs and root path costs. BPDUs are exchanged every few seconds to allow switches to keep track of network topology and start or stop port forwarding.
bridge – A bridge is a data communications device that connects two Ethernet segments of a network together.
Solution Document Version History

Version Number / Date / Notes
1 / 3/30/2010 / This document was created by Susan Weigand
2 / 5/19/2010 / Added conceptual information, more details about configuration, Troubleshooting and Technical FAQ sections. Embedded Port Mirroring screencast tutorial.
3 / 6/29/2010 / Replaced embedded Port Mirroring screencast tutorial with final version. Added direct link to it as well.