Sample Topologies

The following are sample topologies depicting common deployments. Inline Layer 2 Bridge Mode represents the addition of a SonicWall security appliance to provide firewall services in a network where an existing firewall is in place. Perimeter Security represents the addition of a SonicWall security appliance in pure L2 Bridge mode to an existing network, where the SonicWall is placed near the perimeter of the network. Internal Security represents the full integration of a SonicWall security appliance in mixed-mode, where it provides simultaneous L2 bridging, WLAN services, and NATed WAN access. Layer 2 Bridge Mode with High Availability represents the mixed-mode scenario where the SonicWall HA pair provide high availability along with L2 bridging. Layer 2 Bridge Mode with SSL VPN represents the scenario where a SonicWall SSL VPN Series appliance is deployed in conjunction with L2 Bridge mode.

Topics:
Wireless Layer 2 Bridge
Inline Layer 2 Bridge Mode
Perimeter Security
Internal Security
Layer 2 Bridge Mode with High Availability (SonicWall NSA series appliances)
Layer 2 Bridge Mode with SSL VPN
Wireless Layer 2 Bridge

In wireless mode, after bridging the wireless (WLAN) interface to a LAN or DMZ zone, the WLAN zone becomes the secondary bridged interface, allowing wireless clients to share the same subnet and DHCP pool as their wired counterparts. See Wireless Layer 2 Bridge Topology.

Wireless Layer 2 Bridge Topology

To configure a WLAN to LAN Layer 2 interface bridge:
1
Navigate to the Network > Interfaces page in the SonicOS management interface.
2
Click the Configure icon for the wireless interface you wish to bridge. The Edit Interface dialog displays.

3
Select Layer 2 Bridged Mode as the IP Assignment.
* 
NOTE: Although a general rule is automatically created to allow traffic between the WLAN zone and your chosen bridged interface, WLAN zone type security properties still apply. Any specific rules must be manually added.
4
Select the Interface which the WLAN should be Bridged To. In this instance, the X0 (default LAN zone) is chosen.
5
Configure the remaining options normally. For more information on configuring WLAN interfaces, see Configuring Wireless Interfaces.
Inline Layer 2 Bridge Mode

This method is useful in networks where there is an existing firewall that will remain in place, but you wish to utilize the SonicWall’s firewall services without making major changes to the network. By placing the SonicWall in Layer 2 Bridge mode, the X0 and X1 interfaces become part of the same broadcast domain/network (that of the X1 WAN interface).

This example refers to a SonicWall network security appliance installed in a Hewlitt Packard ProCurve switching environment.

HP’s ProCurve Manager Plus (PCM+) and HP Network Immunity Manager (NIM) server software packages can be used to manage the switches as well as some aspects of the SonicWall network security appliance. See Inline Layer 2 Bridge Topology.

Inline Layer 2 Bridge Topology

To configure the SonicWall appliance for this scenario:
1
Navigate to the Network > Interfaces page.

2
Click the Configure icon for the X0 LAN interface.
3
On the X0 Settings dialog, set the:
IP Assignment to Layer 2 Bridged Mode.
Bridged To: interface to X1.
4
Ensure the interface is configured for HTTP and SNMP so it can be managed from the DMZ by PCM+/NIM.
5
Click OK to save and activate the change.

You will also need to make sure to modify the firewall access rules to allow traffic from the LAN to WAN, and from the WAN to the LAN, otherwise traffic will not pass successfully. You may also need to modify routing information on your firewall if your PCM+/NIM server is placed on the DMZ.

Perimeter Security

Perimeter Security Topology depicts a network where the SonicWall is added to the perimeter for the purpose of providing security services (the network may or may not have an existing firewall between the SonicWall and the router).

Perimeter Security Topology

In this scenario, everything below the SonicWall (the Primary Bridge Interface segment) will generally be considered as having a lower level of trust than everything to the left of the SonicWall (the Secondary Bridge Interface segment). For that reason, it would be appropriate to use X1 (Primary WAN) as the Primary Bridge Interface.

Traffic from hosts connected to the Secondary Bridge Interface (LAN) would be permitted outbound through the SonicWall to their gateways (VLAN interfaces on the L3 switch and then through the router), while traffic from the Primary Bridge Interface (WAN) would, by default, not be permitted inbound.

If there were public servers, for example, a mail and Web server, on the Secondary Bridge Interface (LAN) segment, an Access Rule allowing WAN->LAN traffic for the appropriate IP addresses and services could be added to allow inbound traffic to those servers.

Internal Security

Internal Security Topology

Internal Security Topology depicts a network where the SonicWall will act as the perimeter security device and secure wireless platform. Simultaneously, it will provide L2 Bridge security between the workstation and server segments of the network without having to readdress any of the workstation or servers.

This typical inter-departmental Mixed Mode topology deployment demonstrates how the SonicWall can simultaneously Bridge and route/NAT. Traffic to/from the Primary Bridge Interface (Server) segment from/to the Secondary Bridge Interface (Workstation) segment will pass through the L2 Bridge.

Since both interfaces of the Bridge-Pair are assigned to a Trusted (LAN) zone, the following apply:
All traffic will be allowed by default, but Access Rules could be constructed as needed.

Consider, for the point of contrast, what would occur if the X2 (Primary Bridge Interface) was instead assigned to a Public (DMZ) zone: All the Workstations would be able to reach the Servers, but the Servers would not be able to initiate communications to the Workstations. While this would probably support the traffic flow requirements (that is, Workstations initiating sessions to Servers), it would have two undesirable effects:

a
The DHCP server would be in the DMZ. DHCP requests from the Workstations would pass through the L2 Bridge to the DHCP server (192.168.0.100), but the DHCP offers from the server would be dropped by the default DMZ->LAN Deny Access Rule. An Access Rule would have to be added, or the default modified, to allow this traffic from the DMZ to the LAN.
b
Security services directionality would be classified as Outgoing for traffic from the Workstations to the Server since the traffic would have a Trusted source zone and a Public destination zone. This might be sub-optimal since it would provide less scrutiny than the Incoming or (ideally) Trust classifications.
Security services directionality would be classified as Trust, and all signatures (Incoming, Outgoing, and Bidirectional) will be applied, providing the highest level of security to/from both segments.

For detailed instructions on configuring interfaces in Layer 2 Bridge Mode, see Configuring Layer 2 Bridge Mode.

Layer 2 Bridge Mode with High Availability (SonicWall NSA series appliances)

This method is appropriate in networks where both High Availability and Layer 2 Bridge Mode are desired. This example is for SonicWall NSA series appliances, and assumes the use of switches with VLANs configured. See Layer 2 Bridge with High Availability Topology.

Layer 2 Bridge with High Availability Topology

The SonicWall HA pair consists of two SonicWall NSA 3500 appliances, connected together on port X5, the designated HA port. Port X1 on each appliance is configured for normal WAN connectivity and is used for access to the management interface of that device. Layer 2 Bridge Mode is implemented with port X0 bridged to port X2.

When setting up this scenario, there are several things to take note of on both the SonicWalls and the switches.

On the SonicWall appliances:
Do not enable the Virtual MAC option when configuring High Availability. In a Layer 2 Bridge Mode configuration, this function is not useful.
Enabling Preempt Mode is not recommended in an inline environment such as this. If Preempt Mode is required, follow the recommendations in the documentation for your switches, as the trigger and failover time values play a key role here.
Consider reserving an interface for the management network (this example uses X1). If it is necessary to assign IP addresses to the bridge interfaces for probe purposes or other reasons, SonicWall recommends using the management VLAN network assigned to the switches for security and administrative purposes. Note that the IP addresses assigned for HA purposes do not directly interact with the actual traffic flow.

On the switches:
Using multiple tag ports: As shown in the above diagram, two tag (802.1q) ports were created for VLAN 100 on both the Edge switch (ports 23 and 24) and Core switch (C24 - D24). The NSA 3500 appliances are connected inline between these two switches. In a high performance environment, it is usually recommended to have Link Aggregation/ Port Trunking, Dynamic LACP, or even a completely separate link designated for such a deployment (using OSPF), and the fault tolerance of each of the switches must be considered. Consult your switch documentation for more information.
On HP ProCurve switches, when two ports are tagged in the same VLAN, the port group will automatically be placed into a failover configuration. In this case, as soon as one port fails, the other one becomes active.
Layer 2 Bridge Mode with SSL VPN

This sample topology covers the proper installation of a SonicWall network security appliance device into your existing SonicWallSonicWall EX-Series SSL VPN or SonicWall SSL VPN networking environment. By placing the firewall into Layer 2 Bridge Mode, with an internal, private connection to the SSL VPN appliance, you can scan for viruses, spyware, and intrusions in both directions. In this scenario the SonicWall network security appliance is not used for security enforcement, but instead for bidirectional scanning, blocking viruses and spyware, and stopping intrusion attempts. When programmed correctly, the firewall will not interrupt network traffic, unless the behavior or content of the traffic is determined to be undesirable. Both one- and two-port deployments of the SonicWall network security appliance are covered in this section.

Topics:
WAN to LAN Access Rules
Configure the Network Interfaces and Activate L2B Mode
Install the SonicWall Network Security Appliance between the Network and SSL VPN Appliance
Configure or Verify Settings
WAN to LAN Access Rules

Because the firewall will be used in this deployment scenario only as an enforcement point for anti-virus, anti-spyware and intrusion prevention, its existing security policy must be modified to allow traffic to pass in both directions between the WAN and LAN.

On the Firewall > Access Rules page, click the Configure icon for the intersection of WAN to LAN traffic. Click the Configure icon next to the default rule that implicitly blocks uninitiated traffic from the WAN to the LAN.

In the Edit Rule dialog, select Allow for the Action setting, and then click OK.

Configure the Network Interfaces and Activate L2B Mode

In this scenario the WAN interface is used for the following:
Access to the management interface for the administrator
Subscription service updates on MySonicWall
The default route for the device and subsequently the “next hop” for the internal traffic of the SSL VPN appliance (this is why the firewall device WAN interface must be on the same IP segment as the internal interface of the SSL VPN appliance)

The LAN interface on the firewall is used to monitor the unencrypted client traffic coming from the external interface of the SSL VPN appliance. This is the reason for running in Layer 2 Bridge Mode (instead of reconfiguring the external interface of the SSL VPN appliance to see the LAN interface as the default route).

On the Network > Interfaces page of the SonicOS management interface, click the Configure icon for the WAN interface, and then assign it an address that can access the Internet so that the appliance can obtain signature updates and communicate with NTP.

The gateway and internal/external DNS address settings will match those of your SSL VPN appliance:
IP address: This must match the address for the internal interface on the SSL VPN appliance.
Subnet Mask, Default Gateway, and DNS Server(s): Make these addresses match your SSL VPN appliance settings.

For the Management setting, select the HTTPS and Ping check boxes. Click OK to save and activate the changes.

To configure the LAN interface settings, navigate to the Network > Interfaces page and click the Configure icon for the LAN interface.

For the IP Assignment setting, select Layer 2 Bridged Mode. For the Bridged to setting, select X1.

If you also need to pass VLAN tagged traffic, supported on SonicWall NSA series appliances, click the VLAN Filtering tab and add all of the VLANs that will need to be passed.

Click OK to save and activate the change. You may be automatically disconnected from the firewall’s management interface. You can now disconnect your management laptop or desktop from the firewall’s X0 interface and power the firewall off before physically connecting it to your network.

Install the SonicWall Network Security Appliance between the Network and SSL VPN Appliance

Regardless of your deployment method (single- or dual-homed), the SonicWall network security appliance should be placed between the X0/LAN interface of the SSL VPN appliance and the connection to your internal network. This allows the device to connect out to SonicWall’s licensing and signature update servers, and to scan the decrypted traffic from external clients requesting access to internal network resources.

If your SSL VPN appliance is in two-port mode behind a third-party firewall, it is dual-homed.

To connect a dual-homed SSL VPN appliance:
1
Cable the X0/LAN port on the firewall to the X0/LAN port on the SSL VPN appliance.
2
Cable the X1/WAN port on the firewall to the port where the SSL VPN was previously connected.
3
Power on the firewall.

If your SSL VPN appliance is in one-port mode in the DMZ of a third-party firewall, it is single-homed.

To connect a single-homed SSL VPN appliance:
1
Cable the X0/LAN port on the firewall to the X0/LAN port of the SSL VPN appliance.
2
Cable the X1/WAN port on the firewall to the port where the SSL VPN was previously connected.
3
Power on the firewall.

Configure or Verify Settings

From a management station inside your network, you should now be able to access the management interface on the firewall using its WAN IP address.

Make sure that all security services for the SonicWall network security appliance are enabled. See Licensing Services and Activating Firewall Services on Each Zone.

SonicWall Content Filtering Service must be disabled before the device is deployed in conjunction with a SonicWall SMA 1000 Series SSL VPN appliance. On the Network > Zones page, click Configure next to the LAN (X0) zone, clear the Enforce Content Filtering Service check box and then click OK.

If you have not yet changed the administrative password on the SonicWall network security appliance, you can do so on the System > Administration page.

To test access to your network from an external client, connect to the SSL VPN appliance and log in. Once connected, attempt to access to your internal network resources. If there are any problems, review your configuration and see Configuring the Common Settings for L2 Bridge Mode Deployments.