Document Scope
This document describes how to plan, design, implement, and manage a Virtual LAN (VLAN). This document contains the following sections:
VLAN Overview
Using VLANs
Deploying VLAN Examples
Glossary
VLAN Overview
A VLAN is an entity that uses IP header tagging to simulate multiple LANs within a single physical LAN. By identifying or tagging specific headers to indicate a specific broadcast domain they belong to, VLANs enable you to assign either physical or virtual ports to reside within partitioned port groups, within the actual LAN on the device. This provides you with the ability to create specialized domains that have common topical or geographical attributes, giving you flexibility in your network setup. While multiple VLANs are distinct from one another like multiple LANs are, multiple VLANs can exist together on the same physical networking segment. VLANs require VLAN-aware networking devices to offer this kind of virtualization. These include switches, routers and firewalls that have the ability to recognize, process, remove and insert VLAN tags to direct packets to the correct VLAN location after arriving at the device. The following figure shows how VLANs can be partitioned from the physical LAN on the SonicWALL PRO 5060.
[Figure: a VLAN-aware switch partitioning the physical LAN of the PRO 5060 into LAN 1 (10.100.1.1/24), LAN 2 (10.100.2.1/24) and LAN 3 (10.100.3.1/24)]
Benefits
VLANs are useful because they enable you to provide logical rather than physical broadcast domains, extending the flexibility of a device's resources beyond the actual LAN boundaries. This works both to segment larger physical LANs into smaller virtual LANs, and to bring physically distinct LANs together into a logically contiguous virtual LAN. The benefits of this include:
Increased performance: Creating smaller, logically partitioned broadcast domains decreases overall network utilization, sending broadcasts only where they need to be sent, thus leaving more available bandwidth for application traffic.
Decreased costs: Historically, broadcast segmentation was performed with routers, requiring additional hardware and configuration. With VLANs, the functional role of the router is reversed: rather than being used to inhibit communications, it is used to facilitate communications between separate VLANs as needed.
Virtual workgroups: Workgroups are logical units that commonly share information. Common dedicated VLANs in a company would include its Marketing and Engineering departments. For reasons of efficiency, broadcast domain boundaries should be created to align with these functional workgroups, although sometimes that may not be possible. A scenario where you would be unable to create an alignment would be where Engineering and Marketing users are commingled, sharing the same floor (and the same workgroup switch) in a building. Another non-alignment scenario would be the opposite of that, where the Engineering team is spread across an entire campus. Attempting to solve these alignment challenges with complex wiring can be expensive and impossible to maintain with constant adds and moves. VLANs allow switches to be quickly reconfigured so that logical network alignment can remain consistent with workgroup requirements.
Security: Hosts on one VLAN cannot communicate with hosts on another VLAN unless some networking device facilitates communication between them.
Standards
SonicOS Enhanced supports the IEEE standard 802.1q method of VLAN tagging on the PRO 4060 and PRO 5060 platforms, wherein 4 bytes are added to the standard IP frame for purposes of differentiation. The following are descriptions of selected portions of the frame.
TPID: Tag Protocol Identifier begins at byte 12 (after the 6 byte destination and source fields), is 2 bytes long, and has an Ethertype of 0x8100.
User Priority (QoS): The first three bits of the TCI (Tag Control Information, beginning at byte 14 and spanning 2 bytes) define user priority, giving eight (2^3) priority levels. IEEE 802.1P defines the operation for these 3 user priority bits.
CFI: Canonical Format Indicator is a single-bit flag, always set to zero for Ethernet switches. CFI is used for compatibility reasons between Ethernet networks and Token Ring networks. If a frame received at an Ethernet port has a CFI set to 1, then that frame should not be forwarded as it is to an untagged port.
VLAN ID: VLAN ID (starts at bit 5 of byte 14) is the identification of the VLAN. It has 12 bits and allows for the identification of 4,096 (2^12) unique VLAN IDs. Of the 4,096 possible IDs, an ID of 0 is used to identify priority frames, and an ID of 4,095 (FFF) is reserved, so the maximum possible VLAN configurations are 4,094.
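The tag layout described above, parsed and built at the byte level. This is an added example, not SonicWALL code; the sample frame (MAC addresses, IPv4 EtherType, zero payload) is constructed for the demonstration, and the CFI rule and the reserved VIDs 0 and 4095 are applied exactly as the text states them.

```python
import struct

TPID_8021Q = 0x8100     # Tag Protocol Identifier that marks an 802.1Q tag
TAG_OFFSET = 12         # the tag follows the 6-byte destination and 6-byte source MAC
VID_PRIORITY_ONLY = 0   # VID 0: priority-tagged frame with no VLAN membership
VID_RESERVED = 0xFFF    # VID 4095 is reserved, so 1..4094 are usable


def parse_tag(frame):
    """Return the 802.1Q fields of a tagged frame as a dict, or None if untagged.

    Tagged layout: dst(6) src(6) TPID(2) TCI(2) EtherType(2) payload...
    TCI bits:      PCP(3) | CFI(1) | VID(12)
    """
    if len(frame) < TAG_OFFSET + 2:
        raise ValueError("frame too short for an Ethernet header")
    (tpid,) = struct.unpack("!H", frame[TAG_OFFSET:TAG_OFFSET + 2])
    if tpid != TPID_8021Q:
        return None                      # bytes 12-13 hold a plain EtherType instead
    if len(frame) < TAG_OFFSET + 6:
        raise ValueError("truncated 802.1Q header")
    tci, ethertype = struct.unpack("!HH", frame[TAG_OFFSET + 2:TAG_OFFSET + 6])
    return {
        "pcp": tci >> 13,                # user priority, 0..7 (IEEE 802.1p)
        "cfi": (tci >> 12) & 0x1,        # canonical format indicator, 0 on Ethernet
        "vid": tci & 0x0FFF,             # 12-bit VLAN ID
        "ethertype": ethertype,          # EtherType of the encapsulated payload
    }


def build_tci(pcp, cfi, vid):
    """Pack PCP, CFI and VID into a 16-bit TCI, rejecting values that do not fit."""
    if not 0 <= pcp <= 7:
        raise ValueError("PCP must fit in 3 bits")
    if cfi not in (0, 1):
        raise ValueError("CFI is a single bit")
    if not 0 <= vid <= VID_RESERVED:
        raise ValueError("VID must fit in 12 bits")
    return (pcp << 13) | (cfi << 12) | vid


def vid_kind(vid):
    """Classify a VID the way the text does: priority-only, reserved, or a usable VLAN."""
    if vid == VID_PRIORITY_ONLY:
        return "priority"
    if vid == VID_RESERVED:
        return "reserved"
    if 1 <= vid < VID_RESERVED:
        return "vlan"
    raise ValueError("VID outside the 12-bit range")


def tag_frame(frame, vid, pcp=0, cfi=0):
    """Insert an 802.1Q tag into an untagged frame (the egress encapsulation step)."""
    if parse_tag(frame) is not None:
        raise ValueError("frame is already tagged")
    tag = struct.pack("!HH", TPID_8021Q, build_tci(pcp, cfi, vid))
    return frame[:TAG_OFFSET] + tag + frame[TAG_OFFSET:]


def strip_tag(frame):
    """Remove the 4-byte tag (the ingress decapsulation step); untagged frames pass through."""
    if parse_tag(frame) is None:
        return frame
    return frame[:TAG_OFFSET] + frame[TAG_OFFSET + 4:]


def may_forward_untagged(frame):
    """The CFI rule from the text: a frame with CFI=1 must not be forwarded as-is
    to an untagged Ethernet port; untagged frames and CFI=0 frames may be."""
    tag = parse_tag(frame)
    return tag is None or tag["cfi"] == 0


# Constructed sample: an untagged IPv4 frame (EtherType 0x0800) with a zero payload.
SAMPLE_DST = bytes.fromhex("001122334455")
SAMPLE_SRC = bytes.fromhex("66778899aabb")
SAMPLE_UNTAGGED = SAMPLE_DST + SAMPLE_SRC + b"\x08\x00" + bytes(46)
# The same frame as it would leave a VLAN 100 sub-interface with user priority 5.
SAMPLE_TAGGED = tag_frame(SAMPLE_UNTAGGED, vid=100, pcp=5)

if __name__ == "__main__":
    print(parse_tag(SAMPLE_TAGGED))        # {'pcp': 5, 'cfi': 0, 'vid': 100, 'ethertype': 2048}
    print(parse_tag(SAMPLE_UNTAGGED))      # None
    print(may_forward_untagged(tag_frame(SAMPLE_UNTAGGED, vid=100, cfi=1)))  # False
```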
Sub-Interfaces
VLAN support on SonicOS Enhanced is achieved by means of sub-interfaces, which are logical interfaces nested beneath a physical interface. Every unique VLAN ID requires its own sub-interface. For reasons of security and control, SonicOS does not participate in any VLAN trunking protocols, but instead requires that each supported VLAN be configured and assigned appropriate security characteristics.
Note
Dynamic VLAN trunking protocols, such as VTP (VLAN Trunking Protocol) or GVRP (Generic VLAN Registration Protocol), should not be used on trunk links from other devices connected to the SonicWALL. Trunk links from VLAN-capable switches are supported by declaring the relevant VLAN IDs as sub-interfaces on the SonicWALL and configuring them in much the same way that a physical interface would be configured. In other words, only those VLANs which are defined as sub-interfaces will be handled by the SonicWALL; the rest will be discarded as uninteresting. This method also allows the parent physical interface on the SonicWALL to which a trunk link is connected to operate as a conventional interface, providing support for any native (untagged) VLAN traffic that might also exist on the same link. Alternatively, the parent interface may remain in an unassigned state.
VLAN sub-interfaces have most of the capabilities and characteristics of a physical interface, including zone assignability, security services, WAN assignability (static addressing only), GroupVPN, DHCP server, IP Helper, routing, and full NAT policy and Access Rule controls. Features excluded from VLAN sub-interfaces at this time are VPN policy binding, WAN dynamic client support, and multicast support. The PRO 4060 supports up to 200 sub-interfaces, and the PRO 5060 supports up to 400 sub-interfaces.
Platforms
VLAN is available in SonicOS Enhanced version 3.0 or newer on:
Using VLANs
This section contains the following subsections:
When you create a VLAN in Static Mode, make sure the IP address you assign to the interface is not already in use by another PortShield interface.
1. In the left-navigation menu, click Network and then Interfaces to display the Network > Interfaces page.
2. At the bottom of the Interface Settings list, click Add Interface. SonicOS displays the Edit Interface window.
3. Select a Zone to assign to the interface. You can select LAN, WAN, DMZ, WLAN, or a custom zone. The zone assignment does not have to be the same as the parent (physical) interface. In fact, the parent interface can even remain Unassigned. Your configuration choices for the network settings of the sub-interface depend on the zone you select:
   - LAN, DMZ, or a custom zone of Trusted type: Static or Transparent.
   - WAN or a custom zone of Untrusted type: static IP only (no IP Assignment list).
   - WLAN or a custom Wireless zone: static IP only (no IP Assignment list).
4. Assign a VLAN tag (ID) to the sub-interface. Valid VLAN IDs are 1 to 4095, although some switches reserve VLAN 1 for native VLAN designation. You will need to create a VLAN sub-interface with a corresponding VLAN ID for each VLAN you wish to secure with your security appliance.
5. Click on the Parent Interface list box and select the parent (physical) interface to which this sub-interface will belong. There is no per-interface limit to the number of sub-interfaces you can assign; you may assign sub-interfaces up to the system limit (200 for the PRO 4060, 400 for the PRO 5060).
6. Select the IP Assignment method, either Static or Transparent.
7. Configure the sub-interface network settings based on the zone you selected.
8. Select the management and user-login methods for the sub-interface. Click OK.
Deploying VLANs
The following examples illustrate some typical deployments of a VLAN within a corporate network.
The above illustration depicts a sample VLAN implementation as might be employed by one location of a geographically redundant online retailer. The network has a PRO 5060 and a core switch located in the same server room. Also in the server room are dedicated management workstations and shared file servers connected to X0 (LAN Zone) of the PRO 5060. A small collection of publicly available FTP and mail servers are connected to X3 (DMZ), which is operating in transparent mode using a block of addresses from the WAN. Attached to X2 (WLAN) are a series of SonicPoints which have been located throughout the four floors of the building. On each of the four floors is a 48 port workgroup switch, connected back to the core switch with Gigabit Ethernet links.
The switch on Floor 1 provides connectivity to the company's technical support and IT departments, and while most of their network communications occur within their broadcast domain, they require regular access to the rest of the network, particularly to the servers connected to X0. All 48 ports on the switch are assigned to VLAN 100. Floors 2 and 4 contain mixed groups of users, primarily from the Sales and Engineering teams. Ports to which Engineering users are connected are assigned to VLAN 250, and ports to which Sales and other users are connected are assigned to VLAN 150. Each group has dedicated servers, with appropriate VLAN assignments, and both groups communicate regularly with the servers connected to X0. Floor 3 houses the company's main public server farm, with dozens of load balanced web-servers. The load-balancers present three public facing IP addresses, and distribute the traffic among the real servers. The public facing interfaces of the load-balancers are connected to six ports on the switch, which have been assigned to VLAN 200. The remainder of the switch ports have been assigned to VLAN 210, and have connected to them the real servers and the internal interfaces of the load-balancers. The only network access to these servers is through the load-balancers.
The core switch is layer 3 capable, but rather than routing between the VLANs it trunks VLANs 100, 150, 200, and 250 to the PRO 5060 with a single Gigabit connection to X4. Since most of the workgroups' traffic remains within the workgroup, the bandwidth capacity of this approach proves adequate, although if their utilization continues to grow, they can trunk VLAN 100 and 200 via one link to X4 and trunk VLAN 150 and 250 via a second link to X5, thus doubling their effective capacity. DHCP Services can be enabled on all physical interfaces and all VLAN sub-interfaces, allowing clients to automatically obtain addressing:
The following screen shots show the SonicOS interface configuration required to support the above scenario (the icons next to each interface can be used to expand and collapse the interface trees):
VLAN Integration
When a packet with a VLAN tag arrives on a physical interface, the VLAN ID is evaluated to determine if it is supported. The VLAN tag is stripped, and packet processing continues as it would for any other traffic. A simplified view of the inbound and outbound packet path includes the following potentially reiterative steps (refer to the SonicOS Enhanced State Diagram for a more complete reference):
- IP validation and reassembly
- Decapsulation (802.1q, PPP)
- Decryption
- Connection cache lookup and management
- Route policy lookup
- NAT Policy lookup
- Access Rule (policy) lookup
- Bandwidth management
- NAT translation
- Advanced Packet Handling (as applicable):
  - TCP validation
  - Management traffic handling
  - Content Filtering
  - Transformations and flow analysis: H.323, SIP, RTSP, ILS/LDAP, FTP, Oracle, NetBIOS, Real Audio, TFTP
  - IPS and GAV
At this point, if the packet has been validated as acceptable traffic, it is forwarded to its destination. The packet egress path includes:
On egress, if the route policy lookup determines that the gateway interface is a VLAN sub-interface, the packet is tagged (encapsulated) with the appropriate VLAN ID header. The creation of VLAN sub-interfaces automatically updates the SonicWALLs routing policy table:
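A model of the ingress and egress handling just described: undeclared VLAN IDs are discarded, native traffic goes to the parent only if the parent is assigned, and declaring a sub-interface adds its route so that egress can tag on the way out. This is an added example, not SonicOS code; the interface names and VLAN IDs follow the trunked deployment above, while every subnet, the X1 default route and the zone of VLAN 200 are assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SubInterface:
    parent: str                      # physical interface the sub-interface is nested under
    vid: int                         # VLAN ID declared on the appliance, 1..4094
    zone: str                        # security zone assigned to the sub-interface
    network: ipaddress.IPv4Network   # static addressing only (dynamic WAN clients are excluded)

    @property
    def name(self):
        return f"{self.parent}:V{self.vid}"


class VlanFirewall:
    """Ingress and egress decisions of a firewall that declares VLANs explicitly
    instead of learning them through a trunking protocol."""

    def __init__(self, max_subinterfaces=400):  # 400 is the PRO 5060 limit given in the text
        self.max_subinterfaces = max_subinterfaces
        self.parents = {}   # physical interface -> zone (None when unassigned)
        self.subs = {}      # (parent, vid) -> SubInterface
        self.routes = []    # (network, interface name, vid to tag or None)

    def add_physical(self, name, zone=None, network=None):
        """Declare a physical interface; a connected route is added if it has an address."""
        self.parents[name] = zone
        if network is not None:
            self.add_route(network, name)

    def add_route(self, network, iface, vid=None):
        self.routes.append((ipaddress.IPv4Network(network), iface, vid))

    def add_subinterface(self, sub):
        """Declare a VLAN sub-interface; this also updates the routing table automatically."""
        if sub.parent not in self.parents:
            raise ValueError(f"unknown parent interface {sub.parent}")
        if not 1 <= sub.vid <= 4094:
            raise ValueError("VID 0 is priority-only and 4095 is reserved")
        if (sub.parent, sub.vid) in self.subs:
            raise ValueError(f"{sub.name} already exists")
        if len(self.subs) >= self.max_subinterfaces:
            raise ValueError("sub-interface limit reached")
        self.subs[(sub.parent, sub.vid)] = sub
        self.add_route(sub.network, sub.name, sub.vid)

    def ingress(self, parent, vid):
        """Decide where a frame arriving on `parent` is handled.

        vid is the VLAN ID from the 802.1Q tag, or None for untagged (native) traffic.
        Returns (interface, zone), or None when the frame is discarded as uninteresting.
        """
        if vid is None:
            zone = self.parents.get(parent)
            return (parent, zone) if zone is not None else None
        sub = self.subs.get((parent, vid))
        if sub is None:
            return None                   # VLAN not declared on this parent: dropped
        return (sub.name, sub.zone)       # tag is stripped; processing continues normally

    def egress(self, dst):
        """Longest-prefix route lookup for a destination address.

        Returns (interface, vid); a non-None vid means the packet is tagged with it on egress.
        """
        addr = ipaddress.IPv4Address(dst)
        best = None
        for net, iface, vid in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface, vid)
        return None if best is None else (best[1], best[2])


def build_trunked_deployment():
    """The trunked layout from the text: X0 LAN, X4 left unassigned as the trunk parent
    carrying VLANs 100, 150, 200 and 250. Subnets and the X1 default route are assumed."""
    fw = VlanFirewall()
    fw.add_physical("X0", "LAN", "10.100.1.0/24")
    fw.add_physical("X1", "WAN")
    fw.add_route("0.0.0.0/0", "X1")       # assumed default route out the WAN
    fw.add_physical("X4")                 # parent of the trunk, left unassigned
    for vid, zone, net in [(100, "LAN", "10.100.100.0/24"),          # support and IT
                           (150, "Sales", "10.100.150.0/24"),
                           (200, "DMZ", "10.100.200.0/24"),          # load-balancer public side (zone assumed)
                           (250, "Engineering", "10.100.250.0/24")]:
        fw.add_subinterface(SubInterface("X4", vid, zone, ipaddress.IPv4Network(net)))
    return fw
```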
The auto-creation of NAT policies and Access Rules for VLAN sub-interfaces behaves exactly the same as for physical interfaces. Customization of the rules and policies that govern the traffic between VLANs can be performed with customary SonicOS ease and efficiency. When creating a zone (either as part of general administration, or as a step in creating a sub-interface), a checkbox will be presented on the Zone creation page to control the auto-creation of a GroupVPN for that zone. By default, only newly created Wireless type zones will have Create GroupVPN for this Zone enabled, although the option can be enabled for other Zone types by selecting the checkbox during creation.
Management of security services between VLAN sub-interfaces is accomplished at the Zone level. All security services are configurable and applicable to zones comprising physical interfaces, VLAN sub-interfaces, or combinations of physical and VLAN sub-interfaces.
Gateway Anti-Virus and Intrusion Prevention Services between the different workgroups can easily be employed with the use of VLAN segmentation, obviating the need for dedicated physical interfaces for each protected segment. The Gateway AV protection between X4:V100 (LAN) and X0 (LAN) with host name resolution is shown in the following policy entry.
The IPS Detection between X4:V150 (Sales) and X0 (LAN) with host name resolution is shown in the following policy entry.
VLAN support enables organizations to offer meaningful internal security (as opposed to simple packet filtering) between various workgroups, and between workgroups and server farms without having to use dedicated physical interfaces on the SonicWALL. The robust VLAN support of SonicOS Enhanced allows for extremely flexible configurations, by providing the following benefits:
- Improved traffic efficiency by enabling you to reserve port groups for more demanding traffic and other port groups for less demanding traffic.
- Improved traffic efficiency by enabling you to group users into logical networks, limiting traffic to users performing similar functions.
- Blocking designated ports from accepting sensitive information, segmenting the ports from more general traffic targeted for other ports which may be more prone to performance-degrading packet analysis and filtering mechanisms.
- Insulating designated ports from distressed segments experiencing flutter or that have failed, reducing the potential for data loss, degraded data, and floods of error messages.
Here the ability to assign VLAN sub-interfaces to the WAN Zone, and to use the WAN client mode (only Static addressing is supported on VLAN sub-interfaces assigned to the WAN Zone) is illustrated, along with the ability to support WAN Load-balancing and failover. Also demonstrated is the distribution of SonicPoints throughout the network by means of connecting them to access mode VLAN ports on workgroup switches. These switches are then backhauled to the core switch, which then connects all the VLANs to the PRO 5060 via a trunk link.
[Figure: six-zone deployment; labelled subnets: Sales 10.100.3.1/24, Marketing 10.100.4.1/24, DMZ 64.69.184.13/29, Engineering 10.90.1.1/24]
Overview
In this example, the corporate LAN is divided into six zones to separate each department grouping and provide security services between the departments. The DMZ is placed on a VLAN sub-interface so the DMZ can take advantage of the same 48-port switch as the rest of the network.
Subnet: 10.100.1.0/28 (16 nodes)
Servers: 4
Clients: 12
Wireless: Not a Wireless zone
Guest Services: None enabled
Associated with the VLAN sub-interface tag: 10

Subnet: 10.100.2.0/24
Servers: 2
Clients: 20
Wireless: Wireless Zone with SonicPoint Enforcement disabled
Guest Services: yes - for candidates.
Associated with the VLAN sub-interface tag: 20

Subnet: 10.100.3.0/24
Servers: 4
Clients: 30
Wireless: Wireless Zone with SonicPoint Enforcement disabled
Guest Services: yes - for guests.
Associated with the VLAN sub-interface tag: 30

Subnet: 10.100.4.0/24
Servers: 3
Clients: 30
Wireless: Wireless Zone with SonicPoint Enforcement disabled
Guest Services: yes - for guests.
Associated with the VLAN sub-interface tag: 40

Subnet: 10.90.1.0/24
Servers: 10
Clients: 65
Wireless: Wireless Zone with SonicPoint Enforcement disabled
Guest Services: yes - for Guests and Product Management.
Associated with the VLAN sub-interface tag: 100

Subnet: 10.90.2.0/24
Servers: 10
Clients: 20
Wireless: Wireless Zone with SonicPoint Enforcement disabled
Guest Services: yes - for testing.
Associated with the VLAN sub-interface tag: 120

Subnet: 10.100.1.0/30
Servers: 2
Clients: 1
Wireless: no
Guest Services: no
Associated with the VLAN sub-interface tag: 200
Configuration Steps
Configuring the example deployment involves the following procedures:
- Configure the SonicPoint Profile
- Configure the Zones
- Configure the VLAN Subinterfaces
- Configure the VLAN-aware Switch
installation. Give the profile a name that identifies it with the zone where it will be used. Set the SSID for both 802.11a and 802.11g radios to a name that identifies the department in which the SonicPoints are deployed, for example SonicWALL Marketing.
Financials: Configure the Financials zone with the following values:
General tab settings
Name: Financials
Security Type: Trusted
Allow Interface Trust: Checked
Enforce Content Filtering Service: Checked
Enforce Network Anti-Virus Service: Checked
Enable Gateway Anti-Virus Service: Checked
Enable IPS: Checked
Enable Anti-Spyware: Checked
Enforce Global Security Clients: Not necessary because you are not configuring WiFiSec protected access or remote VPN access to this zone
Create Group VPN: Not necessary because you are not configuring WiFiSec protected access or remote VPN access to this zone
Human Resources: Configure the Human Resources zone with the following values:
General tab settings
Name: HR
Security Type: Wireless. Select Wireless so you can use the same zone for both wired connections and SonicPoints
Allow Interface Trust: Checked
Enforce Content Filtering Service: Checked
Enforce Network Anti-Virus Service: Checked
Enable Gateway Anti-Virus Service: Checked
Enable IPS: Checked
Enable Anti-Spyware: Checked
Enforce Global Security Clients: Only check if you want to require SonicWALL Global Security Client for your employees to log into the network
Create Group VPN: Check to enforce WiFiSec security, requiring your employees to use a VPN client to connect
Wireless tab settings
Only allow traffic generated by a SonicPoint: Leave this option unchecked. This disables SonicPoint enforcement, allowing both wired and wireless connections through this zone
WiFiSec Enforcement: Check this option to enforce WiFiSec security, requiring employees to use a VPN client to connect
SonicPoint Provisioning Profile: Select the profile you configured for the HR zone. The settings in this profile will automatically be applied to the SonicPoints you set on this zone
Guest Services tab settings
Enable Wireless Guest Services: Check this option to enable access to the internet for guest users who do not have employee accounts
Enable Dynamic Address Translation (DAT): Check this option to enable guest users to connect without having to change their internet connection settings
Custom Authentication Page: Only check this option if you want to create a custom login page for guest users
Sales: Configure the Sales zone with the following values:
General tab settings
Name: Sales
Security Type: Wireless. Select Wireless so you can use the same zone for both wired connections and SonicPoints
Allow Interface Trust: Checked
Enforce Content Filtering Service: Checked
Enforce Network Anti-Virus Service: Checked
Enable Gateway Anti-Virus Service: Checked
Enable IPS: Checked
Enable Anti-Spyware: Checked
Enforce Global Security Clients: Only check if you want to require SonicWALL Global Security Client for your employees to log into the network
Create Group VPN: Check to enforce WiFiSec security, requiring your employees to use a VPN client to connect
Wireless tab settings
Only allow traffic generated by a SonicPoint: Leave this option unchecked. This disables SonicPoint enforcement, allowing both wired and wireless connections through this zone
WiFiSec Enforcement: Check this option to enforce WiFiSec security, requiring employees to use a VPN client to connect
SonicPoint Provisioning Profile: Select the profile you configured for the Sales zone. The settings in this profile will automatically be applied to the SonicPoints you set on this zone
Guest Services tab settings
Enable Wireless Guest Services: Check this option to enable access to the internet for guest users who do not have employee accounts
Enable Dynamic Address Translation (DAT): Check this option to enable guest users to connect without having to change their internet connection settings
Custom Authentication Page: Only check this option if you want to create a custom login page for guest users
Marketing: Configure the Marketing zone with the following values:
General tab settings
Name: Marketing
Security Type: Wireless. Select Wireless so you can use the same zone for both wired connections and SonicPoints
Allow Interface Trust: Checked
Enforce Content Filtering Service: Checked
Enforce Network Anti-Virus Service: Checked
Enable Gateway Anti-Virus Service: Checked
Enable IPS: Checked
Enable Anti-Spyware: Checked
Enforce Global Security Clients: Only check if you want to require SonicWALL Global Security Client for your employees to log into the network
Create Group VPN: Check to enforce WiFiSec security, requiring your employees to use a VPN client to connect
Wireless tab settings
Only allow traffic generated by a SonicPoint: Leave this option unchecked. This disables SonicPoint enforcement, allowing both wired and wireless connections through this zone
WiFiSec Enforcement: Check this option to enforce WiFiSec security, requiring employees to use a VPN client to connect
SonicPoint Provisioning Profile: Select the profile you configured for the Marketing zone. The settings in this profile will automatically be applied to the SonicPoints you set on this zone
Guest Services tab settings
Enable Wireless Guest Services: Check this option to enable access to the internet for guest users who do not have employee accounts
Enable Dynamic Address Translation (DAT): Check this option to enable guest users to connect without having to change their internet connection settings
Custom Authentication Page: Only check this option if you want to create a custom login page for guest users
Engineering: Configure the Engineering zone with the following values:
General tab settings
Name: Engineering
Security Type: Wireless. Select Wireless so you can use the same zone for both wired connections and SonicPoints
Allow Interface Trust: Checked
Enforce Content Filtering Service: Checked
Enforce Network Anti-Virus Service: Checked
Enable Gateway Anti-Virus Service: Checked
Enable IPS: Checked
Enable Anti-Spyware: Checked
Enforce Global Security Clients: Only check if you want to require SonicWALL Global Security Client for your employees to log into the network
Create Group VPN: Check to enforce WiFiSec security, requiring your employees to use a VPN client to connect
Wireless tab settings
Only allow traffic generated by a SonicPoint: Leave this option unchecked. This disables SonicPoint enforcement, allowing both wired and wireless connections through this zone
WiFiSec Enforcement: Check this option to enforce WiFiSec security, requiring employees to use a VPN client to connect
SonicPoint Provisioning Profile: Select the profile you configured for the Engineering zone. The settings in this profile will automatically be applied to the SonicPoints you set on this zone
Guest Services tab settings
Enable Wireless Guest Services: Check this option to enable access to the internet for guest users who do not have employee accounts
Enable Dynamic Address Translation (DAT): Check this option to enable guest users to connect without having to change their internet connection settings
Custom Authentication Page: Only check this option if you want to create a custom login page for guest users
Quality Assurance: Configure the Quality Assurance zone with the following values:
General tab settings
Name: QA
Security Type: Wireless. Select Wireless so you can use the same zone for both wired connections and SonicPoints
Allow Interface Trust: Checked
Enforce Content Filtering Service: Checked
Enforce Network Anti-Virus Service: Checked
Enable Gateway Anti-Virus Service: Checked
Enable IPS: Checked
Enable Anti-Spyware: Checked
Enforce Global Security Clients: Only check if you want to require SonicWALL Global Security Client for your employees to log into the network
Create Group VPN: Check to enforce WiFiSec security, requiring your employees to use a VPN client to connect
Wireless tab settings
Only allow traffic generated by a SonicPoint: Leave this option unchecked. This disables SonicPoint enforcement, allowing both wired and wireless connections through this zone
WiFiSec Enforcement: Check this option to enforce WiFiSec security, requiring employees to use a VPN client to connect
SonicPoint Provisioning Profile: Select the profile you configured for the QA zone. The settings in this profile will automatically be applied to the SonicPoints you set on this zone
Guest Services tab settings
Enable Wireless Guest Services: Check this option to enable access to the internet for guest users who do not have employee accounts
Enable Dynamic Address Translation (DAT): Check this option to enable guest users to connect without having to change their internet connection settings
Custom Authentication Page: Only check this option if you want to create a custom login page for guest users
DMZ: The DMZ zone already exists. For this example, keep the default configuration.
1. In the Network > Interfaces page, click the configure icon for the F0 interface.
2. Leave the interface unassigned. The interface can remain unassigned and still carry VLAN traffic.
3. Click the Advanced tab and make sure the Link Speed is set to 1000 Mbps - Full Duplex. With some VLAN-aware switches, the fiber ports cannot autonegotiate the port speed and duplex.
4. Click OK.
1. In the Network > Interfaces page, click Add below the list of interfaces.
2. In the Add Interface window, enter the values for the subinterface you are using for the Financials zone:
   General tab settings
   Zone: Financials
   VLAN Tag: 10
   Parent Interface: F0. You can assign all subinterfaces to the same parent interface
   IP Assignment: Static
   IP Address: 10.100.1.1
   Subnet Mask: 255.255.255.239
3. Configure the remaining five subinterfaces for the zones you created.
   HR
   General tab settings
   Zone: HR
   VLAN Tag: 20
   Parent Interface: F0. You can assign all subinterfaces to the same parent interface
   IP Assignment: Static
   IP Address: 10.100.2.1
   Subnet Mask: 255.255.255.0
   Sales
   General tab settings
   Zone: Sales
   VLAN Tag: 30
   Parent Interface: F0. You can assign all subinterfaces to the same parent interface
   IP Assignment: Static
   IP Address: 10.100.3.1
   Subnet Mask: 255.255.255.0
   Marketing
   General tab settings
   Zone: Marketing
   VLAN Tag: 40
   Parent Interface: F0. You can assign all subinterfaces to the same parent interface
   IP Assignment: Static
   IP Address: 10.100.4.1
   Subnet Mask: 255.255.255.0
   Engineering
   General tab settings
   Zone: Engineering
   VLAN Tag: 100
   Parent Interface: F0. You can assign all subinterfaces to the same parent interface
   IP Assignment: Static
   IP Address: 10.90.1.1
   Subnet Mask: 255.255.255.0
   QA
   General tab settings
   Zone: QA
   VLAN Tag: 110
   Parent Interface: F0. You can assign all subinterfaces to the same parent interface
   IP Assignment: Static
   IP Address: 10.90.2.1
   Subnet Mask: 255.255.255.0
4. Configure the subinterface for the DMZ in transparent mode, using a range of addresses in the WAN:
   In the Transparent Range field, select an address object that is assigned to the DMZ zone and has an IP address range of at least three addresses in your WAN subnet, or click Create new address object to add an address object.
   General tab settings
   Zone: DMZ
   VLAN Tag: 110
   Parent Interface: X2. Use a different physical interface for the DMZ if it is to carry a greater amount of traffic
   IP Assignment: Transparent
   Transparent Range: Select or create an address object assigned to the DMZ zone with a range of at least three IP addresses in your WAN subnet range.
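A configuration check over the sub-interfaces entered above, applying the rules this document states: tags within 1 to 4094, one tag per parent interface, a contiguous subnet mask, and static addresses that do not collide with another sub-interface. This is an added example, not SonicOS code; the input is the table above typed in as data, and the check reports the Financials mask 255.255.255.239, which is not a contiguous mask (the /28 listed in the overview corresponds to 255.255.255.240).

```python
import ipaddress

# Sub-interfaces as entered in the tables above; the DMZ uses transparent mode and has no mask.
SUBINTERFACES = [
    {"zone": "Financials",  "tag": 10,  "parent": "F0", "ip": "10.100.1.1", "mask": "255.255.255.239"},
    {"zone": "HR",          "tag": 20,  "parent": "F0", "ip": "10.100.2.1", "mask": "255.255.255.0"},
    {"zone": "Sales",       "tag": 30,  "parent": "F0", "ip": "10.100.3.1", "mask": "255.255.255.0"},
    {"zone": "Marketing",   "tag": 40,  "parent": "F0", "ip": "10.100.4.1", "mask": "255.255.255.0"},
    {"zone": "Engineering", "tag": 100, "parent": "F0", "ip": "10.90.1.1",  "mask": "255.255.255.0"},
    {"zone": "QA",          "tag": 110, "parent": "F0", "ip": "10.90.2.1",  "mask": "255.255.255.0"},
    {"zone": "DMZ",         "tag": 110, "parent": "X2", "transparent": True},
]


def mask_is_contiguous(mask):
    """True when the mask is a run of 1 bits followed only by 0 bits."""
    host_bits = ~int(ipaddress.IPv4Address(mask)) & 0xFFFFFFFF
    return host_bits & (host_bits + 1) == 0


def validate(subs, max_subinterfaces=400):
    """Return a list of findings; an empty list means the set passes every check.

    max_subinterfaces defaults to the PRO 5060 limit given in the text.
    """
    findings = []
    tags_seen = {}      # (parent, tag) -> zone that first used it
    networks = []       # (label, IPv4Network) of the static sub-interfaces checked so far
    if len(subs) > max_subinterfaces:
        findings.append(f"{len(subs)} sub-interfaces exceed the limit of {max_subinterfaces}")
    for s in subs:
        label = f"{s['zone']} ({s['parent']}:V{s['tag']})"
        if not 1 <= s["tag"] <= 4094:
            findings.append(f"{label}: VLAN tag must be between 1 and 4094")
        key = (s["parent"], s["tag"])
        if key in tags_seen:
            findings.append(f"{label}: tag already used by {tags_seen[key]} on {s['parent']}")
        tags_seen.setdefault(key, s["zone"])
        if s.get("transparent"):
            continue                       # addresses come from the WAN range; nothing to check here
        if not mask_is_contiguous(s["mask"]):
            findings.append(f"{label}: subnet mask {s['mask']} is not contiguous")
            continue
        net = ipaddress.IPv4Network((s["ip"], s["mask"]), strict=False)
        addr = ipaddress.IPv4Address(s["ip"])
        if addr in (net.network_address, net.broadcast_address):
            findings.append(f"{label}: {addr} is the network or broadcast address of {net}")
        for other_label, other in networks:
            if net.overlaps(other):
                findings.append(f"{label}: {net} overlaps {other} used by {other_label}")
        networks.append((label, net))
    return findings


if __name__ == "__main__":
    for line in validate(SUBINTERFACES):
        print(line)
```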
- The VLAN port assignments
- The trunk lines to communicate with the SonicWALL security appliance.
Configure the trunk lines. One trunk must be a fiber port to connect with the F0 port of the PRO 5060. The other must be a 1-gigabit fast Ethernet copper port to connect with the X2 port of the PRO 5060.
Configure the VLAN Port Assignments
Thus, you connect port 1 on slot 1 on the switch to the F0 interface on the security appliance. It serves as the trunk for all the VLANS except the DMZ.
set trunk 1/12 nonegotiate dot1q 20-24
Thus, you connect port 12 on slot 1 on the switch to the X2 interface on the security appliance. It serves as the trunk for the single DMZ VLAN.
Glossary
Virtual Local Area Network (VLAN) - An entity that uses IP header tagging to simulate multiple LANs within a single physical LAN. While multiple VLANs are distinct from one another like multiple LANs are, multiple VLANs have the added property of being able to exist together on the same physical networking segment.
VLAN Tag - A virtual marker assigned to an IP address header of a packet that identifies the VLAN to which it belongs. This information is detected by a VLAN-aware device when the packet arrives at the device. The device then maps the packet, based on the tagging data, to the appropriate VLAN ID. The device then directs the packet through the appropriate sub-interface. The range of selectable VLAN tags you can apply to an address header is between 1 and 4095.
VLAN ID - A value between 0 and 4,095 that identifies the VLAN as a unique entity. The VLAN ID value is applied to a packet based on the tag information in the packet so that a VLAN-aware device can direct the packet through the appropriate sub-interface. These tags map the sub-interface to the VLAN ID, ensuring it is identifiable as belonging to the correct VLAN.
Virtual Workgroup - A method that allows for clustering of non-contiguous nodes into a logical unit based on like attributes, using VLANs, to fulfill the requirements of a functional group that may not be geographically close.
802.1q - The IEEE standard that supports VLAN technology.
Sub-Interface - A logical interface nested beneath a physical interface used by VLANs to create logical groups of interfaces. Every unique VLAN ID requires its own sub-interface.
Transparent Mode - A method of address assignment to a sub-interface that allows for the WAN subnetwork to be shared by the current interface using Address Objects. The interface's IP address is the same as the WAN interface IP address. Transparent mode is available on interfaces assigned to Trusted and Public Zones.
Static Mode - A method of address assignment to a sub-interface that allows you to manually configure a single IP address to it.
Version Number: 1
Date: 4/18/2005
Notes: This document was created.