This section is divided into:
For general information on interfaces, see “Network > Interfaces”.
Static means that you assign a fixed IP address to the interface.
Step 1. Click on the Configure icon in the Configure column for the Interface you want to configure. The Edit Interface window is displayed.
• You can configure X0 through X8, depending on the number of interfaces on your appliance.
Step 3. Select Static from the IP Assignment menu.
To allow access to the WAN interface for management from another zone on the same appliance, access rules must be created. See “Allowing WAN Primary IP Access from the LAN Zone” for more information.
If you need to force an Ethernet speed, duplex and/or MAC address, click the Advanced tab. The Ethernet Settings section allows you to manage the Ethernet settings of links connected to the SonicWALL. Auto Negotiate is selected by default as the Link Speed because the Ethernet links automatically negotiate the speed and duplex mode of the Ethernet connection. If you want to specify the forced Ethernet speed and duplex, select one of the following options from the Link Speed menu:
You can choose to override the Default MAC Address for the Interface by selecting Override Default MAC Address and entering the MAC address in the field.
Check Enable Multicast Support to allow multicast reception on this interface.
Transparent Mode enables the SonicWALL security appliance to bridge the WAN subnet onto an internal interface. To configure an interface for transparent mode, complete the following steps:
Step 1. Click on the Configure icon in the Configure column for the Unassigned Interface you want to configure. The Edit Interface window is displayed.
Step 3. Select Transparent Mode from the IP Assignment menu.
Step 4. From the Transparent Range menu, select an address object that contains the range of IP addresses you want to have access through this interface. The address range must be within the WAN zone and must not include the WAN interface IP address. If you do not have an address object configured that meets your needs:
a. In the Transparent Range menu, select Create New Address Object.
b. In the Add Address Object window, enter a name for the address range.
c. For Zone Assignment, select WAN.
d. Click OK to create the address object and return to the Edit Interface window.
See “Network > Address Objects” for more information.
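The two rules on the Transparent Range in Step 4 (inside the WAN subnet, WAN interface address excluded) are easy to get wrong when the range is typed by hand. The following added check is not part of the guide or of SonicOS; it assumes a constructed WAN interface of 203.0.113.1/24 and validates a candidate start/end pair against both rules, additionally rejecting the network and broadcast addresses.

```python
import ipaddress

# Constructed WAN interface for illustration (RFC 5737 documentation range),
# not a value from the guide.
WAN_INTERFACE = ipaddress.ip_interface("203.0.113.1/24")


def validate_transparent_range(wan_iface, start, end):
    """Check a candidate Transparent Range against the WAN interface.

    Returns a list of problems; an empty list means the range obeys the
    guide's two rules (inside the WAN subnet, WAN interface address not
    included). The network and broadcast addresses are also rejected,
    since no host can use them.
    """
    wan_net = wan_iface.network
    lo = ipaddress.ip_address(start)
    hi = ipaddress.ip_address(end)
    problems = []
    if lo > hi:
        problems.append("range start is after range end")
        return problems
    if lo not in wan_net or hi not in wan_net:
        problems.append(f"range {lo}-{hi} is not within WAN subnet {wan_net}")
    if lo <= wan_iface.ip <= hi:
        problems.append(f"range includes the WAN interface address {wan_iface.ip}")
    if lo == wan_net.network_address or hi == wan_net.broadcast_address:
        problems.append("range includes the network or broadcast address")
    return problems


def address_count(start, end):
    """Number of addresses the transparent range will expose through the interface."""
    return int(ipaddress.ip_address(end)) - int(ipaddress.ip_address(start)) + 1


if __name__ == "__main__":
    for s, e in [("203.0.113.10", "203.0.113.20"), ("203.0.113.1", "203.0.113.5")]:
        print(s, e, validate_transparent_range(WAN_INTERFACE, s, e) or "OK")
```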
To allow access to the WAN interface for management from another zone on the same appliance, access rules must be created. See “Allowing WAN Primary IP Access from the LAN Zone” for more information.
If you need to force an Ethernet speed, duplex and/or MAC address, click the Advanced tab. The Ethernet Settings section allows you to manage the Ethernet settings of links connected to the SonicWALL. Auto Negotiate is selected by default as the Link Speed because the Ethernet links automatically negotiate the speed and duplex mode of the Ethernet connection. If you want to specify the forced Ethernet speed and duplex, select one of the following options from the Link Speed menu:
You can choose to override the Default MAC Address for the Interface by selecting Override Default MAC Address and entering the MAC address in the field.
Check Enable Multicast Support to allow multicast reception on this interface.
A Wireless interface is an interface that has been assigned to a Wireless zone and is used to support SonicWALL SonicPoint secure access points.
Step 1. Click on the Configure icon in the Configure column for the Interface you want to configure. The Edit Interface window is displayed.
Step 2. In the Zone list, select WLAN or a custom Wireless zone.
Note: The upper limit of the subnet mask is determined by the number of SonicPoints you select in the SonicPoint Limit field. If you are configuring several interfaces or subinterfaces as Wireless interfaces, you may want to use a smaller subnet (a higher subnet mask) to limit the number of potential DHCP leases available on the interface. Otherwise, if you use a class C subnet (subnet mask of 255.255.255.0) for each Wireless interface, you may exceed the limit of DHCP leases available on the security appliance.
Step 4. In the SonicPoint Limit field, select the maximum number of SonicPoints allowed on this interface.
Note: The above table depicts the maximum subnet mask sizes allowed. You can still use classful subnetting (class A, class B, or class C) or any variable length subnet mask that you wish on WLAN interfaces. You are encouraged to use a smaller subnet mask (e.g. 24-bit class C, 255.255.255.0, 254 total usable IPs), thus allocating more IP addressing space to clients if you have the need to support larger numbers of wireless clients.
To allow access to the WAN interface for management from another zone on the same appliance, access rules must be created. See “Allowing WAN Primary IP Access from the LAN Zone” for more information.
If you need to force an Ethernet speed, duplex and/or MAC address, click the Advanced tab. The Ethernet Settings section allows you to manage the Ethernet settings of links connected to the SonicWALL. Auto Negotiate is selected by default as the Link Speed because the Ethernet links automatically negotiate the speed and duplex mode of the Ethernet connection. If you want to specify the forced Ethernet speed and duplex, select one of the following options from the Link Speed menu:
You can choose to override the Default MAC Address for the Interface by selecting Override Default MAC Address and entering the MAC address in the field.
Check Enable Multicast Support to allow multicast reception on this interface.
On SonicWALL NSA series appliances, select the Enable 802.1p tagging checkbox to tag information passing through this interface with 802.1p priority information for Quality of Service (QoS) management. Packets sent through this interface are tagged with VLAN id=0 and carry 802.1p priority information. In order to make use of this priority information, devices connected to this interface should support priority frames. QoS management is controlled by access rules on the Firewall > Access Rules page. For information on QoS and bandwidth management, see “Firewall Settings > QoS Mapping”.
Configuring the WAN interface enables Internet connectivity. You can configure up to two WAN interfaces on the SonicWALL security appliance.
Step 1. Click on the Edit icon in the Configure column for the Interface you want to configure. The Edit Interface window is displayed.
• Static - configures the SonicWALL for a network that uses static IP addresses.
• DHCP - configures the SonicWALL to request IP settings from a DHCP server on the Internet. NAT with DHCP Client is a typical network addressing mode for cable and DSL customers.
• PPPoE - uses Point to Point Protocol over Ethernet (PPPoE) to connect to the Internet. If desktop software and a username and password are required by your ISP, select NAT with PPPoE. This protocol is typically found when using a DSL modem.
• PPTP - uses PPTP (Point to Point Tunneling Protocol) to connect to a remote server. It supports older Microsoft Windows implementations requiring tunneling connectivity.
• L2TP - uses IPsec to connect to an L2TP (Layer 2 Tunneling Protocol) server and encrypts all data transmitted from the client to the server. However, it does not encrypt network traffic to other destinations.
To allow access to the WAN interface for management from another zone on the same appliance, access rules must be created. See “Allowing WAN Primary IP Access from the LAN Zone” for more information.
Step 6. Check Add rule to enable redirect from HTTP to HTTPS, if you want an HTTP connection automatically redirected to a secure HTTPS connection to the SonicWALL security appliance management interface.
The Advanced tab includes settings for forcing an Ethernet speed and duplex, overriding the Default MAC address, setting up bandwidth management, and creating a default NAT policy automatically.
If you need to force an Ethernet speed, duplex and/or MAC address, click the Advanced tab. The Ethernet Settings section allows you to manage the Ethernet settings of links connected to the SonicWALL. Auto Negotiate is selected by default as the Link Speed because the Ethernet links automatically negotiate the speed and duplex mode of the Ethernet connection. If you want to specify the forced Ethernet speed and duplex, select one of the following options from the Link Speed menu:
You can choose to override the Default MAC Address for the Interface by selecting Override Default MAC Address and entering the MAC address in the field.
Check Enable Multicast Support to allow multicast reception on this interface.
On SonicWALL NSA series appliances, check Enable 802.1p tagging to tag information passing through this interface with 802.1p priority information for Quality of Service (QoS) management. Packets sent through this interface are tagged with VLAN id=0 and carry 802.1p priority information. In order to make use of this priority information, devices connected to this interface should support priority frames. QoS management is controlled by access rules on the Firewall > Access Rules page. For information on QoS and bandwidth management, see “Firewall Settings > QoS Mapping”.
You can also specify any of these additional Ethernet Settings:
• Interface MTU - Specifies the largest packet size that the interface can forward without fragmenting the packet.
SonicOS Enhanced can apply bandwidth management to both egress (outbound) and ingress (inbound) traffic on the interfaces in the WAN zone. Outbound bandwidth management is done using Class Based Queuing. Inbound bandwidth management is done by implementing an ACK delay algorithm that uses TCP’s intrinsic behavior to control the traffic.
Class Based Queuing (CBQ) provides guaranteed and maximum bandwidth Quality of Service (QoS) for the SonicWALL security appliance. Every packet destined to the WAN interface is queued in the corresponding priority queue. The scheduler then dequeues the packets and transmits them on the link depending on the guaranteed bandwidth for the flow and the available link bandwidth.
Use the Bandwidth Management section of the Edit Interface screen to enable or disable the ingress and egress bandwidth management. Egress and Ingress available link bandwidth can be used to configure the upstream and downstream connection speeds in kilobits per second.
Both Link Aggregation and Port Redundancy are configured on the Advanced tab of the Edit Interface window in the SonicOS UI.
• “Link Aggregation” - Groups multiple Ethernet interfaces together forming a single logical link to support greater throughput than a single physical interface could support. This provides the ability to send multi-gigabit traffic between two Ethernet domains.
• “Port Redundancy” - Configures a single redundant port for any physical interface that can be connected to a second switch to prevent a loss of connectivity in the event that either the primary interface or primary switch fails.
Link Aggregation is used to increase the available bandwidth between the firewall and a switch by aggregating up to four interfaces into a single aggregate link, referred to as a Link Aggregation Group (LAG). All ports in an aggregate link must be connected to the same switch. The firewall uses a round-robin algorithm for load balancing traffic across the interfaces in a Link Aggregation Group. Link Aggregation also provides a measure of redundancy, in that if one interface in the LAG goes down, the other interfaces remain connected.
Link Aggregation is referred to using different terminology by different vendors, including Port Channel, Ether Channel, Trunk, and Port Grouping.
SonicWALL provides multiple methods for protecting against loss of connectivity in the case of a link failure, including High Availability (HA), Load Balancing Groups (LB Groups), and now Link Aggregation. If all three of these features are configured on a firewall, the following order of precedence is followed in the case of a link failure:
HA takes precedence over Link Aggregation. Because each link in the LAG carries an equal share of the load, the loss of a link on the Active firewall will force a failover to the Idle firewall (if all of its links remain connected). Physical monitoring needs to be configured only on the primary aggregate port.
When Link Aggregation is used with a LB Group, Link Aggregation takes precedence. LB will take over only if all the ports in the aggregate link are down.
To configure Link Aggregation, perform the following tasks:
1. On the Network > Interfaces page, click the configure icon for the interface that is to be designated the master of the Link Aggregation Group. The Edit Interface window displays.
3. In the Redundant/Aggregate Ports pulldown menu, select Link Aggregation.
4. The Aggregate Port option is displayed with a checkbox for each of the currently unassigned interfaces on the firewall. Select up to three other interfaces to assign to the LAG.
5. Set the Link Speed for the interface to Auto-Negotiate.
Port Redundancy provides a simple method for configuring a redundant port for a physical Ethernet port. This is a valuable feature, particularly in high-end deployments, to protect against switch failures being a single point of failure.
When the primary interface is active, it processes all traffic to and from the interface. If the primary interface goes down, the backup interface takes over all outgoing and incoming traffic. The backup interface assumes the MAC address of the primary interface and sends the appropriate gratuitous ARP on a failover event. When the primary interface comes up again, it resumes responsibility for all traffic handling duties from the backup interface.
In a typical Port Redundancy configuration, the primary and backup interfaces are connected to different switches. This provides for a failover path in case the primary switch goes down. Both switches must be on the same Ethernet domain. Port Redundancy can also be configured with both interfaces connected to the same switch.
SonicWALL provides multiple methods for protecting against loss of connectivity in the case of a link failure, including High Availability (HA), Load Balancing Groups (LB Groups), and now Port Redundancy. If all three of these features are configured on a firewall, the following order of precedence is followed in the case of a link failure:
When Port Redundancy is used with HA, Port Redundancy takes precedence. Typically an interface failover will cause an HA failover to occur, but if a redundant port is available for that interface, then an interface failover will occur but not an HA failover. If both the primary and backup redundant ports go down, then an HA failover will occur (assuming the backup firewall has the corresponding port active).
When Port Redundancy is used with a LB Group, Port Redundancy again takes precedence. Any single port (primary or backup) failures are handled by Port Redundancy just like with HA. When both the ports are down then LB kicks in and tries to find an alternate interface.
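The precedence rules for a link failure are stated in prose twice above, once for Link Aggregation (HA over LAG, LAG over LB) and once for Port Redundancy (Port Redundancy over both HA and LB). The following added model encodes both sets of rules in one decision function so the outcome for a given set of port states can be checked; it is an illustration written for this page, not SonicOS code, and the order in which HA and LB are consulted when both redundant ports are down is an assumption the guide does not state.

```python
from dataclasses import dataclass


@dataclass
class LinkState:
    mode: str          # "lag" (Link Aggregation) or "port_redundancy"
    local_ports: dict  # port name -> True if the link is up on the active unit
    peer_ports: dict   # same ports on the idle/backup HA unit; {} if no HA pair
    lb_alternate: bool = False  # an LB Group has another interface it can use


def on_link_failure(state):
    """Return which mechanism handles the current port states.

    Codes: "none", "ha_failover", "lag_continue", "port_failover",
    "lb_failover", "link_down".
    """
    up = [p for p, ok in state.local_ports.items() if ok]
    down = [p for p, ok in state.local_ports.items() if not ok]
    if not down:
        return "none"
    has_ha = bool(state.peer_ports)

    if state.mode == "lag":
        # HA takes precedence over Link Aggregation: losing any LAG link on the
        # active unit forces an HA failover if the idle unit's links are all up.
        if has_ha and all(state.peer_ports.values()):
            return "ha_failover"
        if up:
            return "lag_continue"   # the LAG carries on with fewer links
        if state.lb_alternate:
            return "lb_failover"    # LB only when every aggregate port is down
        return "link_down"

    if state.mode == "port_redundancy":
        # Port Redundancy takes precedence over both HA and LB: a single port
        # failure is an interface failover to the surviving port only.
        if up:
            return "port_failover"
        # Both ports down. HA failover needs the backup unit's corresponding
        # port active; consulting HA before LB here is an assumption, since
        # the guide only describes each pairing separately.
        if has_ha and any(state.peer_ports.values()):
            return "ha_failover"
        if state.lb_alternate:
            return "lb_failover"
        return "link_down"

    raise ValueError(f"unknown mode {state.mode!r}")
```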
To configure Port Redundancy, perform the following tasks:
1. On the Network > Interfaces page, click the configure icon for the interface that is to be designated the master of the Link Aggregation Group. The Edit Interface window displays.
3. In the Redundant/Aggregate Ports pulldown menu, select Port Redundancy.
4. The Redundant Port pulldown menu is displayed, with all of the currently unassigned interfaces available. Select one of the interfaces.
5. Set the Link Speed for the interface to Auto-Negotiate.
Routed Mode provides an alternative to NAT for routing traffic between separate public IP address ranges. Consider the following topology where the firewall is routing traffic across two public IP address ranges:
By enabling Routed Mode on the interface for the 172.16.6.0 network, NAT translations will be automatically disabled for the interface, and all inbound and outbound traffic will be routed to the WAN interface configured for the 10.50.26.0 network.
To configure Routed Mode, perform the following steps:
1. Click on the configure icon for the appropriate interface. The Edit Interface window displays.
3. Under the Expert Mode Settings heading, select the Use Routed Mode - Add NAT Policy to prevent outbound\inbound translation checkbox to enable Routed Mode for the interface.
4. In the Set NAT Policy's outbound\inbound interface to pulldown menu, select the WAN interface that is to be used to route traffic for the interface.
The firewall then creates “no-NAT” policies for both the configured interface and the selected WAN interface. These policies override any more general M21 NAT policies that may be configured for the interfaces.