SonicPoint Layer 3
Management Guide
NOTE: A NOTE indicates important information that helps you make better use of your system.
CAUTION: A CAUTION indicates potential damage to hardware or loss of data if instructions are
not followed.
WARNING: A WARNING indicates a potential for property damage, personal injury, or death.
P/N 232-002233-00
Rev. C
Feature Overview
This section provides an introduction to the SonicPoint Layer 3 Management feature. This
section contains the following subsections:
The SonicWALL Advanced Management Protocol (SAMP) suite consists of these three
protocols:
Local Layer 2 Management: When a Dell SonicWALL network security appliance and its
SonicPoints are deployed in the same Layer 2 network, the existing Layer 2 discovery
protocol, SDP, is used to manage the access points.

Local Layer 3 Management: When SonicPoints are deployed outside of the Layer 2
network, but within the same Intranet as the Dell SonicWALL security appliance (for
example when there is a third-party router between the Dell SonicWALL security appliance
and the SonicPoints), Layer 3 management protocols can be used to manage the access
points.

Remote Layer 3 Management: When SonicPoints are deployed in a remote site across
the Internet cloud, Layer 3 management can be used to manage the remote network access
points. A single SSL VPN NetExtender tunnel is established between the SonicPoint and
the remote Dell SonicWALL security appliance. Each wireless client does not need to
install and launch NetExtender to establish an SSL VPN tunnel. All the wireless clients
share the same VPN tunnel. This reduces the number of NetExtender licenses required on
the Dell SonicWALL security appliance. It also eliminates the need to establish individual
tunnels for each SonicPoint.
Benefits
SonicPoint Layer 3 Management offers the following benefits:
Reduces the number of NetExtender licenses and sessions. All remote users are tunneled
over a single NetExtender session.
Supported Platforms
SonicPoint Layer 3 Management is supported on all Dell SonicWALL security appliances that
can provision SonicPoints.
2.
3.
4.
5.
6.
Step 2 Click the Configure icon for the desired interface, such as X4.
Step 3
Step 4
Step 5 In the IP Address box, enter the IP address of the interface. For example, 10.10.10.1.
Step 6 In the Subnet Mask box, enter the subnet mask for the interface. For example, 255.255.255.0.
Step 7 Click OK.
Step 2
Step 3 Click the Add Option button. The Add DHCP Option Object dialog appears.
Step 4 In the Option Name box, enter a descriptive name for the DHCP option object, such as cap.
Step 5 From the Option Number menu, select 138 (CAPWAP AC IPv4 Address List).
Step 6
Step 7
Step 8 In the Option Value menu, enter the IP address for the interface (X4) you configured in
Configuring the Access Controller Interface on page 6. For example, 10.10.10.1.
Step 9 Click OK.
The new Option Object is displayed in the DHCP Advanced Settings dialog.
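An added example, not part of the SonicWALL guide: option 138 tells each SonicPoint which access controller to contact, so one way to verify this step is to inspect the options a DHCP reply on the SonicPoint subnet actually carries. The sketch below parses a DHCP options field and reports any controller address other than the configured 10.10.10.1; the function names and the sample byte strings are constructed for illustration.

```python
import ipaddress

OPT_PAD, OPT_END = 0, 255
OPT_CAPWAP_AC_V4 = 138  # CAPWAP AC IPv4 Address List (RFC 5417)


def parse_dhcp_options(options: bytes) -> dict:
    """Walk the DHCP options field (bytes after the magic cookie) as TLVs."""
    found, i = {}, 0
    while i < len(options):
        code = options[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:          # pad has no length byte
            i += 1
            continue
        if i + 2 > len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} is truncated")
        # A repeated option code is concatenated (RFC 3396 long options).
        found[code] = found.get(code, b"") + value
        i += 2 + length
    return found


def capwap_acs(options: bytes) -> list:
    """Return the access controller addresses advertised in option 138."""
    raw = parse_dhcp_options(options).get(OPT_CAPWAP_AC_V4, b"")
    if len(raw) % 4:
        raise ValueError("option 138 length must be a multiple of 4")
    return [ipaddress.IPv4Address(raw[n:n + 4]) for n in range(0, len(raw), 4)]


def unexpected_acs(options: bytes, allowed: set) -> list:
    """Controllers offered by DHCP that are not the configured interface."""
    return [ac for ac in capwap_acs(options) if ac not in allowed]


# Constructed sample data: option 53 (message type = OFFER), then option 138.
ALLOWED = {ipaddress.IPv4Address("10.10.10.1")}   # X4 address from the guide
EXPECTED_OFFER = bytes([53, 1, 2, 138, 4, 10, 10, 10, 1, 255])
ODD_OFFER = bytes([53, 1, 2, 138, 8, 10, 10, 10, 1, 203, 0, 113, 7, 255])

if __name__ == "__main__":
    for name, opts in (("expected", EXPECTED_OFFER), ("odd", ODD_OFFER)):
        extra = [str(a) for a in unexpected_acs(opts, ALLOWED)]
        print(name, [str(a) for a in capwap_acs(opts)], "unexpected:", extra)
```

A reply that lists any controller outside the allowed set points to a misconfigured scope or a second DHCP server answering on the SonicPoint subnet.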
Step 2 Under the DHCP Server Lease Scopes table, click the Add Dynamic button.
The Dynamic Range Configuration dialog appears.
Step 3
Step 4 Enter the appropriate IP addresses or values in the Range Start, Range End, Lease Time
(minutes), Default Gateway, and Subnet Mask boxes.
Step 5
Step 6 In the DHCP Generic Option Group menu, select the DHCP Option Object you created in
Configuring the DHCP Server on page 8.
Step 7
Step 8 Click OK.
Step 2
Step 3
Step 4 From the VPN Policy menu, select the appropriate VPN policy. This menu is auto-populated
with the VPN policies that you create.
Step 5
Step 6 In the IP Address box, enter the IP address for the WLAN tunnel interface. For example,
172.17.31.1.
Step 7
Step 8
Step 9 Click OK.
A default DHCP IP address pool, such as 172.17.31.1/24, is automatically created for wireless
clients.
Step 10 To verify, navigate to the Firewall > Access Rules page. You should see a Layer 3
Step 2
Step 3
Step 4 From the Destination menu, select the address object of the default gateway. For example,
30.30.30.0/255.255.255.0.
Step 5
Step 6
Step 7
Step 8
Step 9 Click OK.
For the interface on the remote router that is connected to the Dell SonicWALL security
appliance, configure the IP address 10.10.10.2/24.
Step 2 For the interface on the remote router that is connected to the SonicPoint, configure the IP
address 30.30.30.1/24.
Step 3 Configure a DHCP relay policy from the interface connected to the SonicPoint to the X4
interface on the Dell SonicWALL security appliance, which has the IP address 10.10.10.1.
To configure VAPs for SonicPoint Layer 3 Management, perform the following steps:
Step 2
Step 3
Step 4
Step 5
Step 6
Step 7
Step 8 In the IP Address box, enter the IP address for the WLAN. For example, 172.4.1.1.
Step 9 In the Subnet Mask box, enter the Subnet Mask. For example, 255.255.255.0.
Step 2
Step 3
Step 4 In the SSID box, enter an SSID that represents the Layer 3 management network. For example,
wirelessDev_L3_vap.
Step 5 From the VLAN ID menu, select the VLAN Tag ID that you configured in Configuring a WLAN
Interface for VAPs on page 16. For example, ID 4.
Step 6
Step 7 Click OK.
Step 8
Step 2
Step 3 In the Virtual AP Group Name box, enter a name for the VAP group. For example, L3 VAP
Group.
The Available Virtual AP Objects box should be populated with the VAP objects you created
in Configuring a VAP Object on page 17.
Step 4 Move the VAP objects you want from the Available Virtual AP Objects box to the Member of
Virtual AP Group box.
Step 5 Click OK.
Step 2 Click the Configure icon for the SonicPoint you want to configure.
The Edit SonicPoint Profile dialog appears.
Step 3
Step 4 From the 802.11n Radio Virtual AP Group menu, select the Virtual AP Group you created in
Configuring a VAP Group on page 18. For example, L3 VAP Group.
Step 5 Click OK.
Note
This example assumes that the VPN IPSec tunnel between the two Dell SonicWALL security
appliances is established successfully.
1.
2.
3. Configuring the CAPWAP DHCP Option Object on the Central Gateway on page 30
4.
5.
On the Central Gateway management interface, navigate to the VPN > Settings page.
Step 2
Step 3
Step 4 From the Authentication Method menu, select the method you want.
For example, IKE using Preshared Secret.
Step 5 In the Name menu, enter a descriptive name for the VPN tunnel.
For example, VPN to Central Gateway.
Step 6
Step 7
Step 8
Step 9 Under Local Networks, select the Choose local network from list option.
Step 10 From the Choose local network from list menu, select X0 Subnet.
Step 11 Under Remote Networks, select the option you want and the network you want from the menu.
On the Remote Gateway management interface, navigate to the VPN > Settings page.
Step 2
Step 3
Step 4 From the Authentication Method menu, select the appropriate method for your network.
For example, IKE using Preshared Secret.
Step 5 In the Name menu, enter a descriptive name for the VPN tunnel.
For example, VPN to Remote Gateway.
Step 6 In the IPSec Primary Gateway Name or Address menu, enter the IP address of the remote
gateway. For example, 10.03.49.79.
Step 7
Step 8 Under Local Networks, select the Choose local network from list option.
Step 9 From the Choose local network from list menu, select X0 Subnet.
Step 10 Under Remote Networks, select the option you want and the network you want from the
appropriate menu.
Note
If you have not created an address object for your remote gateway, you can do so by
selecting Create new address object from one of the menus.
Step 11 Under Remote Networks, select Create new address object from the appropriate menu.
Step 21 From the DHCP over VPN menu, select Remote Gateway, and click the Configure button.
Step 22 From the DHCP lease bound to menu, select the interface that is connected to the SonicPoint.
Step 23 (Optional) Select the Accept DHCP Request from bridged WLAN interface option if you want
it.
Step 24 In the Relay IP Address box, enter the IP address of the interface connected to the SonicPoint.
Step 25 In the Remote Management IP Address menu, enter the IP address that is used to manage
this Dell SonicWALL security appliance remotely from behind the Central Gateway.
Note
This IP address was configured in Configuring the Access Controller Interface on page 6,
and must be reserved in the DHCP scope on the DHCP server. In our example it is
10.10.10.1.
Step 26 Select the Block traffic through tunnel when IP spoof detected option.
Step 27 Select the Obtain temporary lease from local DHCP server if tunnel is down option.
Step 28 In the Temporary Lease Time (minutes) box, leave the default value of 2.
Step 29 Click OK.
On the Central Gateway management interface, navigate to the Network > DHCP Server page.
Step 2
Step 3
Step 4
Step 5 From the Option Number menu, select 138 (CAPWAP AC IPv4 Address List).
Step 6 In the Option Value box, enter the IP address you want to use for the DHCP group.
For example, 192.168.168.168.
Step 7
Step 8 Click OK to close the DHCP Advanced Settings window and return to the Network > DHCP
Server page.
On the Central Gateway management interface, navigate to the Network > DHCP Server page.
Step 2
Step 3
Step 4
Step 5 In the Range Start box, enter the IP address at which to start the DHCP range.
For example, 30.30.30.2.
Note
The range values must be within the same subnet as the Default Gateway.
For example, 30.30.30.2 to 30.30.30.100.
Step 6 In the Range End box, enter the IP address at which to end the DHCP range.
For example, 30.30.30.100.
Step 7 In the Lease Time (minutes) box, use the default value, 1440.
Step 8 In the Default Gateway box, enter the IP address of the default gateway.
Note
This value will be the IP address of the interface connected to the SonicPoint.
For example, 30.30.30.1.
Step 9 In the Subnet Mask box, enter the subnet mask of the default gateway.
For example, 255.255.255.0.
Step 11 In the DHCP Generic Options panel, from the DHCP Generic Option Group menu, select the
Note
The CAPWAP DHCP option was created in Configuring the CAPWAP DHCP Option Object
on the Central Gateway on page 30.
On the Central Gateway management interface, navigate to the Network > Interfaces page.
Step 2 Click Add WLAN Tunnel Interface. The Add WLAN Tunnel Interface window is displayed.
Step 3
Step 4
Step 5
Step 6
Step 7
Step 8
Step 9 From the SonicPoint Limit menu, select the maximum number of SonicPoints allowed on your
network. For example, 48 SonicPoints.