Network > Interfaces
210
SonicOS 5.8.1 Administrator Guide
When setting up this scenario, there are several things to take note of on both the SonicWALLs and the switches.

On the SonicWALL appliances:

Do not enable the Virtual MAC option when configuring High Availability. In a Layer 2 Bridge Mode configuration, this function is not useful.

Enabling Preempt Mode is not recommended in an inline environment such as this. If Preempt Mode is required, follow the recommendations in the documentation for your switches, as the trigger and failover time values play a key role here.

Consider reserving an interface for the management network (this example uses X1). If it is necessary to assign IP addresses to the bridge interfaces for probe purposes or other reasons, SonicWALL recommends using the management VLAN network assigned to the switches for security and administrative purposes. Note that the IP addresses assigned for HA purposes do not directly interact with the actual traffic flow.

On the switches:

Using multiple tag ports: As shown in the above diagram, two tag (802.1q) ports were created for VLAN 100 on both the Edge switch (ports 23 and 24) and the Core switch (C24 and D24). The NSA 3500 appliances are connected inline between these two switches. In a high performance environment, it is usually recommended to have Link Aggregation/Port Trunking, Dynamic LACP, or even a completely separate link designated for such a deployment (using OSPF), and the fault tolerance of each of the switches must be considered. Consult your switch documentation for more information.

On HP ProCurve switches, when two ports are tagged in the same VLAN, the port group will automatically be placed into a failover configuration. In this case, as soon as one port fails, the other one becomes active.
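The notes above amount to a pre-deployment checklist for an inline Layer 2 Bridge Mode HA pair. The following added example (not from the SonicOS guide) encodes that checklist as a small audit over a hypothetical, constructed deployment description; the dictionary layout, the interface names X2/X3 and the 10.10.100.0/24 management network are assumptions, not a SonicOS export format.

```python
import ipaddress

# Hypothetical deployment description, constructed for this example.
# bridge_pair maps each bridge member interface to an optional probe IP.
GOOD = {
    "ha": {"virtual_mac": False, "preempt": False},
    "management_if": "X1",
    "management_vlan": "10.10.100.0/24",
    "bridge_pair": {"X2": None, "X3": None},
    "bridge_vlan": 100,
    "switches": {"edge": {100: ["23", "24"]}, "core": {100: ["C24", "D24"]}},
}

# Same deployment with every recommendation violated, for comparison.
BAD = {
    "ha": {"virtual_mac": True, "preempt": True},
    "management_if": "X2",
    "management_vlan": "10.10.100.0/24",
    "bridge_pair": {"X2": "192.168.1.5", "X3": None},
    "bridge_vlan": 100,
    "switches": {"edge": {100: ["23", "24"]}, "core": {100: ["C24"]}},
}

def audit_l2_bridge_ha(cfg):
    """Return a list of findings for an inline L2 Bridge Mode HA pair.

    Checks: Virtual MAC off, Preempt off, a dedicated management interface,
    any probe IPs on the management VLAN, and two tagged ports per switch
    for the bridged VLAN so the switch port group can fail over.
    """
    findings = []
    if cfg["ha"].get("virtual_mac"):
        findings.append("virtual_mac: disable; not useful in Layer 2 Bridge Mode")
    if cfg["ha"].get("preempt"):
        findings.append("preempt: not recommended inline; check switch failover timers")
    pair = cfg["bridge_pair"]
    if cfg["management_if"] in pair:
        findings.append(f"management_if {cfg['management_if']}: must not be a bridge member")
    mgmt_net = ipaddress.ip_network(cfg["management_vlan"])
    for iface, ip in pair.items():
        if ip is not None and ipaddress.ip_address(ip) not in mgmt_net:
            findings.append(f"{iface} probe IP {ip}: not on management VLAN {mgmt_net}")
    vlan = cfg["bridge_vlan"]
    for name, vlans in cfg["switches"].items():
        ports = vlans.get(vlan, [])
        if len(ports) < 2:
            findings.append(f"switch {name}: VLAN {vlan} needs two tagged ports, has {len(ports)}")
    return findings
```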
Layer 2 Bridge Mode with SSL VPN
This sample topology covers the proper installation of a SonicWALL UTM device into your existing SonicWALL EX-Series SSL VPN or SonicWALL SSL VPN networking environment. By placing the UTM appliance into Layer 2 Bridge Mode, with an internal, private connection to the SSL VPN appliance, you can scan for viruses, spyware, and intrusions in both directions. In this scenario the SonicWALL UTM appliance is not used for security enforcement, but instead for bidirectional scanning, blocking viruses and spyware, and stopping intrusion attempts. When programmed correctly, the UTM appliance will not interrupt network traffic, unless the behavior or content of the traffic is determined to be undesirable. Both one- and two-port deployments of the SonicWALL UTM appliance are covered in this section.
WAN to LAN Access Rules
Because the UTM appliance will be used in this deployment scenario only as an enforcement point for anti-virus, anti-spyware and intrusion prevention, its existing security policy must be modified to allow traffic to pass in both directions between the WAN and LAN.