About the SonicWall X‑Series Solution

Overview
Topics:
• SonicWall X‑Series Solution: a Unified Approach
• Performance Requirements
• Features Provided by the SonicWall X‑Series Solution
• PortShield Functionality and X‑Series Switches
• PoE/PoE+ and SFP/SFP+ Support
• X-Series Solution and SonicPoints
• Recommended reading
SonicWall X‑Series Solution: a Unified Approach
Critical network elements, such as a firewall and switch, need to be managed, usually individually. The SonicWall™ X-Series Solution allows unified
management of both the firewall and a Dell X‑Series switch using the firewall management interface (UI) and GMS.
In certain deployments, the number of ports required might easily exceed the maximum number of interfaces available on the firewall. For example, the
maximum number of interfaces available on SonicWall TZ firewalls ranges from 5 (TZ300) to 10 (TZ600); see the table Interfaces per firewall.
Interfaces per firewall
Firewall model | Available interfaces
SM 9600 | 20 (4 10 GbE SFP+, 8 1 GbE SFP, 8 1GE copper), 1 GbE Management, and 1 Console
SM 9400 | 20 (4 10 GbE SFP+, 8 1 GbE SFP, 8 1GE copper), 1 GbE Management, and 1 Console
SM 9200 | 20 (4 10 GbE SFP+, 8 1 GbE SFP, 8 1GE copper), 1 GbE Management, and 1 Console
NSA 6600 | 20 (4 10 GbE SFP+, 8 1 GbE SFP, 8 1GE copper), 1 GbE Management, and 1 Console
NSA 5600 | 18 (2 10 GbE SFP+, 4 1 GbE SFP, 12 1GE copper) and 1 Management
NSA 4600 | 18 (2 10 GbE SFP+, 4 1 GbE SFP, 12 1GE copper) and 1 Management
NSA 3600 | 18 (2 10 GbE SFP+, 4 1 GbE SFP, 12 1GE copper) and 1 Management
TZ600 | 10 GbE
TZ500 Series | 8 GbE
TZ400 Series | 7 GbE
TZ300 Series | 5 GbE
With the SonicWall X‑Series Solution, ports on a Dell X‑Series switch are viewed as extended interfaces of the firewall, thereby increasing the number of
interfaces available for use up to 192, depending on the X‑Series switch. These extended ports can be portshielded and/or configured for high availability
and treated as any other interface on the firewall.
NOTE: X‑Series switch, X‑Switch, and extended switch are used interchangeably.
Beginning in SonicOS Release 6.2.5.1, the TZ Series firewalls supported a maximum of two X‑Series switches. Beginning in SonicOS Release 6.2.7, the
SonicWall firewalls shown in the table X‑Series switches supported by SonicWall firewalls support the listed X‑Series switches. A SonicWall firewall can provision
up to four X‑Series switches.
NOTE: For complete information about X‑Series switches, see the Dell™ Networking™
X1000 and X4000 Series Switches User Guide and the Dell™ Networking™ X1000 and
X4000 Series Switches Getting Started Guide.
X‑Series switches supported by SonicWall firewalls
These SonicWall firewalls:
• SuperMassive 9600
• SuperMassive 9400
• SuperMassive 9200
• NSA 6600
• NSA 5600
• NSA 4600
• NSA 3600
• TZ600
• TZ500/TZ500W
• TZ400/TZ400W
• TZ300/TZ300W
Support these X‑Series switches (ports):
• X1008 (8 10/100/1000Base-T GbE)
• X1008P (8 10/100/1000Base-T GbE, 2 1GbE SFP fiber, 8 PoE up to 123 W total)
• X1018 (16 10/100/1000Base-T GbE, 2 1GbE SFP fiber)
• X1018P (16 10/100/1000Base-T GbE, 2 1GbE SFP fiber, 16 PoE up to 246W total)
• X1026 (24 10/100/1000Base-T GbE, 2 1GbE SFP fiber)
• X1026P (24 10/100/1000Base-T GbE, 2 1GbE SFP fiber, 24 PoE/12 PoE+ up to 369W total)
• X1052 (48 10/100/1000Base-T GbE, 2 10GbE SFP/SFP+ fiber)
• X1052P (48 10/100/1000Base-T GbE, 24 PoE/12 PoE+ up to 369W total)
• X4012 (12 10GbE SFP/SFP+ fiber)
NOTE: The X-Series Solution is not supported on the SM 9800, NSA 2600, or SOHO W
firewalls.
Terminology
HA | High Availability
IDV | Interface Disambiguation via VLAN – The reconfiguring of ports, portshielded to firewall interfaces, on the extended switch as access ports of the VLAN corresponding to the PortShield VLAN.
PoE | Power over Ethernet – A system that passes electrical power along with data on Ethernet cabling, which allows a single cable to provide both data connection and electrical power to devices. PoE is the 802.3af IEEE standard with 15.4W per port.
PoE+ | Power over Ethernet Plus – An enhanced version of PoE that provides more power than PoE. PoE+ is the 802.3at IEEE standard with 25.5W per port.
SFP | Small form-factor pluggable – A compact, hot-pluggable transceiver used for both telecommunication and data communications applications and supports 1Gb fiber modules.
SFP+ | Enhanced small form-factor pluggable – An enhanced version of SFP that supports 10 Gb fiber modules.
SPM | Single Point Management
STP | Spanning Tree Protocol – A network protocol that ensures a loop-free topology for Ethernet networks and allows redundant (spare) links to provide backup paths if an active link fails.
Performance Requirements
With SonicOS 6.2.7, X‑Series switch integration functionality has been extended from just TZ Series firewalls to include both SM Series and NSA Series
firewalls. A SonicOS firewall can now:
• Be provisioned for a maximum of four X-Series switches.
• Manage an increased number of ports.
If multiple switches are provisioned, they must be connected directly to the firewall; they cannot be cascaded or daisy chained, that is, one switch
connected to another switch, which is then connected to the firewall.
Features Provided by the SonicWall X‑Series Solution
Key features supported by the SonicWall X‑Series Solution are:
• Provisioning an X‑Series switch as an extended switch – Up to four X‑Series switches can be provisioned as an extended switch on a SonicWall
firewall. When provisioned, the ports on the X‑Series switch are managed as are the other ports of the firewall.
• PortShield functionality – Ports on the X‑Switch are viewed as “extended” interfaces of the firewall and can join PortShield Groups. For further
information, see PortShield Functionality and X‑Series Switches.
• Configuring the extended switch Interface settings – The switch interface settings are configured as regular interface settings through the SonicOS
GUI.
• Managing the basic extended switch global parameters using GMS:
  • STP Mode – By default, STP mode is set to Rapid on the extended switch.
  • STP State – By default, STP is Enabled globally on the extended switch.
  NOTE: The following PoE parameters are available only on PoE-capable extended switches.
  • PoE Alert Usage Threshold – By default, the threshold is set to 95% on the extended switch.
  • PoE Traps – By default, traps are disabled globally on the extended switch.
  • PoE Power Limit Mode – By default, the mode is set to Port limit.
• Managing the extended switch using GMS – The X‑Series switch integration feature allows unified management of both the firewall and the switch using the SonicOS management interface and SonicWall GMS version 8.1 SP1 or higher. GMS supports all configuration operations, such as provisioning of an extended switch, configuration of extended switch interface settings, and manageability of extended switch global parameters. For information about managing extended switches with GMS, refer to the latest SonicWall GMS Administration Guide.
• High Availability (HA) with PortShield functionality – Extended switches can be added to firewalls in an HA configuration with PortShield functionality.
• Diagnostics support for the extended switch:
  • Retrieving statistics of extended switch ports: the firewall polls the extended switch ports periodically and displays the statistics on the External Switch Diagnostics tab of the Network > PortShield Groups page.
  • Clearing statistics of extended switch ports
  • Upgrading of the firmware image, or boot image, on the extended switch
  • Restarting the extended switch
• Support for VLANs in a dedicated or common uplink configuration – VLAN is supported on extended switches with these caveats:
  • Overlapping VLANs cannot exist under firewall interfaces configured as dedicated uplinks to the same switch because the VLAN space is global on the X‑Series switch. For example, if X3 and X5 are configured for dedicated uplinks, VLAN 100 cannot be present under both X3 and X5. Such a configuration is rejected. If X3 and X5 are dedicated uplinks to different X‑Series switches, however, then the configuration is accepted.
  • Overlapping VLANs cannot exist under common uplink interfaces. For example, if X3 is set up as a common uplink to an X‑Series switch and VLAN 100 exists under X3, another interface, X4, which is configured as a common uplink to a second X‑Series switch, cannot have a VLAN 100 subinterface.
  For further information about VLAN support, see Configuring VLAN(s) with Common or Dedicated Uplink(s).
• SPM (Single Point of Management) support removes the need for a dedicated uplink for VLAN interfaces. SPM support allows a common uplink for VLAN interfaces, thereby allowing a single link between the firewall and the X‑Switch to carry:
  • Management traffic of the firewall managing the X‑Switch.
  • PortShield traffic for the IDV VLANs corresponding to the firewall interfaces.
  • Traffic for the VLAN subinterfaces present under the common uplink interface.
  For further information about SPM support, see Configuring a Common Uplink for VLAN(s) with SPM.
• X‑Switch-related features conflict with other switching features on SM Series and NSA series firewalls, such as wiremode, port redundancy, link
aggregation, and mirroring. For example, if an interface is configured for wiremode, the interface cannot be configured as a firewall uplink to an
X‑Series switch and vice versa. If such a conflict occurs, the second configuration is rejected.
• PoE/PoE+ and SFP/SFP+ functionality for SonicWall firewalls by certain X‑Series switches – For X‑Switches that provide PoE/PoE+ functionality,
see PoE/PoE+ and SFP/SFP+ Support.
• Batching configuration messages – To facilitate faster programming of X‑Series switches, configuration messages can be batched before being sent
to an X‑Series switch.
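The uplink rules in the feature list above (at most four switches, no overlapping VLANs under dedicated uplinks to the same switch or under common uplinks, no uplink on an interface that already uses wiremode, port redundancy, link aggregation or mirroring) can be checked against a planned layout before it is entered. The following Python check is an added example, not SonicWall code; the dict schema, switch names such as sw1 and the feature labels are assumptions.

```python
from itertools import combinations

MAX_SWITCHES = 4  # page: a firewall can provision up to four X-Series switches
# Switching features the page lists as conflicting with an X-Series uplink
# (label spellings are assumptions).
CONFLICTING = {"wiremode", "port-redundancy", "link-aggregation", "mirroring"}


def validate_uplinks(uplinks):
    """Return violations of the page's uplink rules for a planned layout.

    Each uplink is a dict in a hypothetical schema (not a SonicOS format):
    iface, switch, mode ("dedicated" or "common"), vlans (set), features (set).
    """
    problems = []
    switches = {u["switch"] for u in uplinks}
    if len(switches) > MAX_SWITCHES:
        problems.append(f"{len(switches)} switches planned, maximum is {MAX_SWITCHES}")
    for u in uplinks:
        clash = sorted(u.get("features", set()) & CONFLICTING)
        if clash:
            problems.append(f"{u['iface']}: uplink conflicts with {', '.join(clash)}")
    for a, b in combinations(uplinks, 2):
        shared = sorted(a["vlans"] & b["vlans"])
        # The page states overlap rules only for two uplinks of the same mode.
        if not shared or a["mode"] != b["mode"]:
            continue
        # Dedicated uplinks clash only on the same switch (its VLAN space is
        # global); common uplinks clash even across different switches.
        if a["mode"] == "common" or a["switch"] == b["switch"]:
            problems.append(
                f"VLAN {shared} under both {a['iface']} and {b['iface']} "
                f"({a['mode']} uplinks)")
    return problems


# Constructed sample plans mirroring the page's X3/X5 and X3/X4 examples.
PLAN_REJECTED = [
    {"iface": "X3", "switch": "sw1", "mode": "dedicated", "vlans": {100}},
    {"iface": "X5", "switch": "sw1", "mode": "dedicated", "vlans": {100, 200}},
]
PLAN_ACCEPTED = [
    {"iface": "X3", "switch": "sw1", "mode": "dedicated", "vlans": {100}},
    {"iface": "X5", "switch": "sw2", "mode": "dedicated", "vlans": {100}},
]
PLAN_COMMON = [
    {"iface": "X3", "switch": "sw1", "mode": "common", "vlans": {100}},
    {"iface": "X4", "switch": "sw2", "mode": "common", "vlans": {100},
     "features": {"wiremode"}},
]
```

Calling validate_uplinks(PLAN_ACCEPTED) returns an empty list, while the other two plans return one message per violated rule.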
PortShield Functionality and X‑Series Switches
PortShield architecture allows firewall ports to be configured into separate security zones, so that traffic between devices in different zones is protected by
the deep-packet inspection firewall. For more information about PortShield functionality and how to manage PortShield Groups with X-Series
switches, see the SonicOS 6.2 Administration Guide.
The X-Series Solution supports portshielding interfaces on the extended switch to firewall interfaces. X‑Series switches are L2 switches, and by
default, all ports on the extended switch are configured as access ports of the default VLAN 1. When ports of the extended switch are portshielded to
firewall interfaces, the ports are reconfigured as access ports of the VLAN corresponding to the PortShield VLAN, also known as the IDV VLAN of
the PortShield host interface.
How Traffic is Handled with PortShield
Traffic between network devices connected to the ports on the extended switch:
• That are part of the same PortShield group is switched automatically by the extended switch.
• And devices connected to ports on the firewall that are part of the same PortShield group is switched by the internal switch on the firewall.
• Destined to firewall interfaces is handled by the data-path in software. Such traffic may be subjected to firewall security services such as access
rules, deep packet inspection, and intrusion prevention.
• And devices connected to ports on the firewall that are part of a different zone or a different PortShield group is forwarded by the data-path
in software. Such traffic is subjected to firewall security services in software.
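These rules decide whether a pair of devices is separated by firewall policy at all, because the page describes security services only for traffic forwarded by the data-path. The following Python audit is an added example, not SonicWall code; the inventory schema and device names are constructed, and it assumes that two switch ports in different PortShield groups reach each other only through the firewall.

```python
from itertools import combinations


def forwarding_path(a, b):
    """Classify traffic between two devices using the rules listed above.

    Devices are dicts in a hypothetical inventory schema: name,
    attach ("switch" = extended switch port, "firewall" = firewall port),
    group (PortShield group) and zone.
    """
    if "switch" not in (a["attach"], b["attach"]):
        return "not-covered"  # the list only covers extended-switch devices
    # Assumption: switch ports in different groups sit in different IDV
    # VLANs, so they are treated like the page's different-group case.
    if a["zone"] != b["zone"] or a["group"] != b["group"]:
        return "data-path"  # forwarded in software, security services apply
    if a["attach"] == b["attach"] == "switch":
        return "extended-switch"  # switched by the X-Series switch itself
    return "firewall-internal-switch"  # same group, one side on the firewall


def uninspected_pairs(devices):
    """Pairs whose traffic is switched instead of passing the data-path."""
    out = []
    for a, b in combinations(devices, 2):
        path = forwarding_path(a, b)
        if path in ("extended-switch", "firewall-internal-switch"):
            out.append((a["name"], b["name"], path))
    return out


# Constructed inventory: three devices share PortShield group X2.
DEVICES = [
    {"name": "camera-1", "attach": "switch", "group": "X2", "zone": "LAN"},
    {"name": "desktop-7", "attach": "switch", "group": "X2", "zone": "LAN"},
    {"name": "printer-3", "attach": "firewall", "group": "X2", "zone": "LAN"},
    {"name": "guest-ap", "attach": "switch", "group": "X4", "zone": "WLAN"},
]

if __name__ == "__main__":
    for pair in uninspected_pairs(DEVICES):
        print(pair)
```

Any pair reported here that should be subject to access rules or intrusion prevention belongs in separate PortShield groups or zones.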
PoE/PoE+ and SFP/SFP+ Support
SonicWall firewalls do not support PoE/PoE+, but this functionality can be added with certain X‑Series switches, as shown in X-Series switch PoE/PoE+
and SFP/SFP+ support. This additional functionality enhances SonicPoint usage by the SonicWall firewalls, especially for new SonicPoints supporting
802.11ac (802.11ac supports up to 30W maximum power; 802.11a/b/g/h supports up to 15.4 W maximum power). For further information about which
ports on which models are PoE/PoE+ capable, see the Dell™ Networking™ X1000 and X4000 Series Switches Getting Started Guide.
Some X‑Series switches also support SFP/SFP+, as shown in X-Series switch PoE/PoE+ and SFP/SFP+ support. SFP/SFP+ ports are not PoE
capable, so port-based PoE settings are not available on SFP/SFP+ ports.
X-Series switch PoE/PoE+ and SFP/SFP+ support
This X‑Series switch | Supports
X1008 | 1 PoE PD port; by default, port 8 is the PD port
X1008P | 8 PoE ports, up to 123W total; by default, ports 1 through 8 support PoE
X1018 | 2 1GbE SFP ports; by default, ports 17 and 18 support SFP
X1018P | 16 PoE ports, up to 246W total; by default, ports 1 through 16 support PoE. 2 1GbE SFP ports; by default, ports 17 and 18 support SFP
X1026 | 2 1GbE SFP ports; by default, ports 25 and 26 support SFP
X1026P | 24 PoE/12 PoE+ ports, up to 369W total; by default, ports 1 through 12 support PoE+ and ports 13 through 24 support PoE. 2 1GbE SFP ports; by default, ports 25 and 26 support SFP
X1052 | 4 10GbE SFP+ ports; by default, ports 49 through 52 support SFP+
X1052P | 24 PoE/12 PoE+ ports, up to 369W total; by default, ports 1 through 12 support PoE+, ports 13 through 24 support PoE, and ports 25 through 48 support neither PoE nor PoE+. 4 10GbE SFP+ ports; by default, ports 49 through 52 support SFP+
X4012 | 12 10GbE SFP+ ports; by default, ports 1 through 12 support SFP+
IMPORTANT: A SonicPoint AC without an external power source must be portshielded
through ports 1 through 12 on an X1026P or X1052P X‑Series switch.
Any non-SonicPoint AC model without an external power source can be portshielded through
ports 1 through 8 (X1008P), 1 through 16 (X1018P), or 1 through 24 (X1026P and X1052P).
Any SonicPoint with an external power source (AC power supply or power adapter) can be
portshielded to any Ethernet port.
Configuration of the PoE/PoE+ ports on the X‑Series switch is managed from the UI of the X‑Series switch and the Network > PortShield Groups page
on the firewall.
X-Series Solution and SonicPoints
Ports on an extended switch can be portshielded to the WLAN zone of a SonicWall firewall, and SonicPoint access points can be connected to these
ports. When connecting SonicPoint access points to an X‑Series switch, it is important to consider the SonicPoint's power requirements. A SonicPoint
ACe/ACi/N2 access point requires a minimum of 25.5 watts. If your X‑Series switch does not support PoE+, you must use a SonicPoint power injector.
For which switches support PoE+, see PoE/PoE+ and SFP/SFP+ Support. For more information about managing SonicPoint access points, see the
Knowledge Base article, SonicWall TZ Series and SonicWall X‑Series Solution managing SonicPoint ACe/ACi/N2 access points (SW13970).
Recommended reading
For the X-Series Solution:
• SonicWall X‑Series Solution Overview (185439)
• SonicWall X‑Series Solution: SonicWall integration with Dell X‑Series Switches FAQ (185430)
• SonicWall TZ - X solution: How to provision X‑Series switches on SonicWall TZ series firewalls (185057)
• SonicWall X‑Series Solution: How to provision X‑Series Switches on a SonicWall TZ High Availability (HA) system (186085)
• SonicWall X‑Series Solution - How to manage X‑Series switch's admin credentials and management IP through the X‑Switch's UI and in CLI (185479)
• SonicWall X‑Series Solution: Which models of X-Switches has support for POE+ (186709)
• SonicWall X‑Series Solution - Support for SonicWall Virtual Interfaces (VLANs) (189771)
• SonicWall TZ Series and SonicWall X‑Series Solution managing SonicPoint ACe/ACi/N2 access points (SW13970)
• SonicWall X‑Series Solution – How to backup and restore X‑Series switches (189204)
For SonicOS and PortShield:
• SonicOS 6.2 Administration Guide
For managing X‑Series switches with GMS:
• SonicWall GMS OS Administration Guide
For Dell X‑Series switches:
• Dell™ Networking™ X1000 and X4000 Series Switches Getting Started Guide
• Dell™ Networking™ X1000 and X4000 Series Switches User Guide