Webcc (United States of America) asked:
VLANS with a second Sonicwall in series

Want to implement VLANs as our network has grown.  We have a Sonicwall Pro 3060 that is supported by a third party.  In order to have control over most of the network would like to install another Sonicwall, set up 3 VLANs and have the new Sonicwall feed traffic to the existing Sonicwall.  Do not want to have to go through the third party vendor every time we want to make a change to the network.
In addition to the Sonicwall we have 2 Dell 5524 switches, an HP switch that is also VLAN capable and several unmanaged switches.

First question - Since I'm new to VLANs, do we have to eliminate all non-VLAN switches in order to set up properly? I'm pretty sure the answer is yes.

Second question - What do you think of the network design with 2 SonicWalls? I know I can do it with a layer 3 switch, but I'm more familiar with the SonicWalls.

Final question - Can you mix and match different switches as long as they are VLAN capable?
Thanks for your replies!
KevinSeddon81:

Hi Webcc.

Q1) You don't need to eliminate the non-VLAN switches to convert to using VLANs. When you connect the non-VLAN switch to your core switch, just place the switchport in the relevant VLAN you want that switch to service. If no other settings are set, such as ftp, then it should work as a normal switch.
Q2) Personally, I wouldn't put a SonicWall behind a SonicWall, as you will be creating a double-NAT'd environment and unnecessary complication to your management. Is there no way you can take over the management of the SonicWall?

If you wanted to go that route, all you would need to do is create a WAN port on the second SonicWall on the same subnet as the internal network of the first SonicWall, and use the first SW as the WAN gateway. On the DHCP, assign the second firewall as the LAN gateway. In order for the second SonicWall to take over full management, you would need to put the first in transparent mode or instruct it to send incoming traffic to the second.
Q3) All switches that support IEEE 802.1Q & 802.1ad should work with each other for VLANs.
Sorry, I meant VTP, not ftp. Autocorrect.
Blue Street Tech:
Hi Webcc,

I think the more professional approach would be to figure out who owns the Pro 3060. If you (your client) do, then contact the third party running the Pro 3060 and have them give you the credentials to log in. If the third party owns the Pro 3060 in some type of lease or HaaS deal, then tell them you no longer need their services and install your second SonicWALL as the one and only primary firewall. If your unit is the same model and either the same firmware version or lower, see if the third party will provide you the settings backup so you can import it to your device and maintain the same config w/o having to manually re-enter it all.

I agree with KevinSeddon81's comment about overcomplicating the situation. Multiple firewalls are really only warranted in special situations or for high security like banks, etc. Worst case scenario, something happens and you can't get into the guts of the issue...you will be limiting your abilities by this third party; plus, as mentioned before, it will overcomplicate things and it's not a best practice.

Lastly, the Pro 3060 is EOL (End Of Life), which means it's deprecated and no longer supported, nor is it robust enough to handle today's threats, nor does it have the built-in functionality to meet today's business needs. Definitely try to remove it if at all possible!

Let me know if you have any other questions!
Webcc (asker):
Okay, I hear you loud and clear.  If I want to set up 3 VLANs and connect them to the one SonicWall, each will be on its own segment - 192.168.41.0, 192.168.42.0 and 192.168.43.0.  Want to put the servers and printers that need to be accessed from VLAN1 and VLAN2 on VLAN3.
What needs to happen if I just connect the layer 2 switches to the one SonicWall?  Do I need a layer 3 switch?  Do we need a separate interface on the SonicWall for each VLAN?

Thanks
Blue Street Tech:
VLANs are actually simpler than they sound. Whatever the device (managed switch, AP with VLAN capability, etc.) tags the packet, and from there it can go through anything...managed or unmanaged, until it reaches a layer 3 device that understands VLANs to route it.

Does the traffic need to be isolated for security purposes? Meaning do you want VLAN1 talking with VLAN2? If you need separation for security reasons or otherwise you should create a Zone for each VLAN thereby giving you the ability to create Access Rules between them.

You have two options here:

A) Assign Each Port individually - Use PortShielding and assign each port a Zone & Interface. Then you can connect each port to multiple Layer 2 switches to disseminate traffic.
Port Config e.g. X0 (LAN), X1 (WAN), X2 (VLAN1), X3 (VLAN2), X4 (VLAN3), X5 (LAN)

B) Assign One Port w/multiple subinterfaces - Create a Zone for all three VLANs that attaches by one port to a Layer 3 switch to disseminate traffic.
Port Config e.g. X0 (LAN), X1 (WAN), X2 (VLAN1, VLAN2, VLAN3), X3-X5 (LAN)

Let me know which option you choose and I can provide step-by-step instructions for either!
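What "the switch tags the packet" means on the wire, as an added example that is not part of the original post nor code from SonicWALL, Dell or HP: a VLAN-capable switch inserts a 4-byte 802.1Q tag (TPID 0x8100 plus a 16-bit TCI whose low 12 bits are the VLAN ID) right after the source MAC and leaves the rest of the frame alone, which is why an unmanaged switch can carry tagged frames between managed ones and only a VLAN-aware device has to read the tag. The block also stacks an 802.1ad (QinQ, TPID 0x88A8) tag outside an 802.1Q tag, since 802.1Q/802.1ad interoperability came up earlier. The MAC addresses, IP payload and the assumption that the native VLAN is 1 are constructed for illustration.

```python
"""Build and parse Ethernet frames carrying 802.1Q (and stacked 802.1ad) VLAN tags.

Added example for this thread, not code from the original posts or from any
vendor. A tag is TPID (16 bits) followed by TCI = PCP(3) | DEI(1) | VID(12).
"""
import struct

TPID_8021Q = 0x8100    # 802.1Q customer tag
TPID_8021AD = 0x88A8   # 802.1ad service tag (outer tag when stacked)
NATIVE_VLAN = 1        # assumption: the switch's default/native VLAN
ETHERTYPE_IPV4 = 0x0800


def build_tag(vid, pcp=0, dei=0, tpid=TPID_8021Q):
    """Return the 4-byte tag: 16-bit TPID then TCI = PCP(3) | DEI(1) | VID(12)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1..4094 (0 and 4095 are reserved)")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("PCP is 3 bits, DEI is 1 bit")
    return struct.pack("!HH", tpid, (pcp << 13) | (dei << 12) | vid)


def build_frame(dst, src, ethertype, payload, tags=()):
    """tags: (tpid, vid) pairs, outermost first; empty tuple for an untagged frame."""
    frame = dst + src
    for tpid, vid in tags:
        frame += build_tag(vid, tpid=tpid)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Peel every VLAN tag. Returns dst, src, tags [(tpid, pcp, dei, vid)], ethertype, payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an untagged Ethernet header")
    dst, src, off, tags = frame[:6], frame[6:12], 12, []
    while True:
        (et,) = struct.unpack_from("!H", frame, off)
        if et not in (TPID_8021Q, TPID_8021AD):
            break                          # reached the real EtherType
        if len(frame) < off + 6:           # need the tag (4) plus the next EtherType (2)
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append((et, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        off += 4
    return {"dst": dst, "src": src, "tags": tags,
            "ethertype": et, "payload": frame[off + 2:]}


def ingress_vlan(frame, native_vlan=NATIVE_VLAN):
    """VLAN a VLAN-aware trunk port puts the frame in: the outermost tag's VID,
    or the port's native VLAN when the frame arrives untagged. Leaving the native
    VLAN at its default of 1 is why untagged strays end up in VLAN 1."""
    tags = parse_frame(frame)["tags"]
    return tags[0][3] if tags else native_vlan


# Constructed sample frames for the thread's staff (41) and public (42) VLANs.
BROADCAST = b"\xff" * 6
STAFF_PC = bytes.fromhex("02aa41000001")    # locally administered, made up
PUBLIC_PC = bytes.fromhex("02aa42000001")
IP_PAYLOAD = b"\x45" + b"\x00" * 19         # stub IPv4 header, content irrelevant here


def sample_frames():
    return {
        "staff_tagged_41": build_frame(BROADCAST, STAFF_PC, ETHERTYPE_IPV4, IP_PAYLOAD,
                                       [(TPID_8021Q, 41)]),
        "public_tagged_42": build_frame(BROADCAST, PUBLIC_PC, ETHERTYPE_IPV4, IP_PAYLOAD,
                                        [(TPID_8021Q, 42)]),
        "untagged": build_frame(BROADCAST, STAFF_PC, ETHERTYPE_IPV4, IP_PAYLOAD),
        "qinq_100_over_42": build_frame(BROADCAST, PUBLIC_PC, ETHERTYPE_IPV4, IP_PAYLOAD,
                                        [(TPID_8021AD, 100), (TPID_8021Q, 42)]),
    }


if __name__ == "__main__":
    for name, f in sample_frames().items():
        tags = [t[3] for t in parse_frame(f)["tags"]]
        print(f"{name:18s} len={len(f):3d} ingress vlan={ingress_vlan(f):4d} tags={tags}")
```

The tagged frame is exactly 4 bytes longer than the untagged one, and a receiving switch acts only on the outermost tag: the stacked example lands in VLAN 100 at the first hop, and the inner tag 42 is only seen after the outer one is stripped. The untagged case is the one to watch: it silently joins whatever the native VLAN is, which is the practical reason behind the advice to keep production VLANs off VLAN 1.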
Webcc (asker):
Want e.g. VLAN1 for staff traffic, VLAN2 for public traffic, VLAN3 for servers and printers they share.
Thought I'd separate by having all of VLAN1 on one Dell 5524 switch, VLAN2 on the second Dell 5524 switch and on an HP 2810 along with VLAN3.  But I guess I would have to set up VLAN3 on all switches.  Need some clarity.  Not a network engineer.
What would be best?
KevinSeddon81:
Hi Webcc.
Avoid using VLAN 1 if you can. It is the default VLAN on many switches and can cause little complications in the future. Instead, look at your subnets, and maybe use VLANs 41, 42, 43.

Have you got a dedicated core switch on your network, which you can connect to the sonicwall and your 3 other switches?
Blue Street Tech:
@KevinSeddon81 - VLAN1 is for demonstrative purposes, hence "e.g." meaning exempli gratia, or "for example" in English!! We haven't even gotten to configurations yet. I'd agree to go with the last octet in the host portion of the subnets...it's a very common practice, but "VLAN1" is more academic rather than a real issue.

@Webcc - Typically, the last octet in the host portion of the network IP address is used...so your Class C networks of 192.168.41.0, 192.168.42.0 and 192.168.43.0 would translate to VLAN tags 41, 42 and 43 respectively, but we'll cover that when we go over the configuration & setup steps.

How many total users (PCs, mobiles, etc) and how many servers are you supporting under this firewall?

You said,
...VLAN1 for staff traffic...
Static traffic meaning what? The entire subnet will be full of static addresses? or the subnet will consist of static routes? If these questions don't make sense to you tell me what your goal is for this VLAN.
...VLAN2 for public traffic...
Public traffic meaning this will be your DMZ or is this dedicated for Public WiFi? Again, if these questions don't make sense to you tell me what your goal is for this VLAN.
...VLAN3 for servers and printers they share...
So what is the function of your LAN? Are these servers and printers to be shared with both VLAN1 & VLAN2 or just VLAN1 or ???

Answering these questions will help me to recommend the best path for you. Also, help me understand why you need these VLANs...your reasoning behind them...you said your network has grown...does this mean you've run out of addresses? Thanks!
Webcc (asker):
VLAN41 for staff computers and printers (this is an educational institution).
Total of 32 devices - desktops, laptops, wireless devices and networked printers.

VLAN42 for the public provided computers.
Total of 32 devices - desktops and networked printers.

VLAN43 for 3 servers and 2 printers which are shared between staff and the public.
1 server is running Hyper-V with 4 guest VMs.
Thinking about creating two domains one for staff and one for public, would provide better security and facilitate recovery in the event of AD corruption, etc.

The public wireless is on a separate subnet.

Thanks for your responses!
Blue Street Tech:
Great. Thanks for the feedback.

Keep in mind separate subnets do not equal security! So that means anything that needs security should have its own Zone...their own interfaces and subnets come with the territory.

Is there a reason you want Servers and printers in a VLAN? Why not just have one VLAN for Public and the staff PCs, servers printers in the LAN? Then have your Public wireless in a VAP.

It would simplify things and still provide the same security.

Thoughts?
Webcc (asker):
Thanks for the response. Can you elaborate on best practices for my configuration?  I'm open to suggestions.  That is just what I envisioned, but by all means lay out a plan.

Best Regards
Blue Street Tech:
Well, if you want to be explicit about every connection, meaning filtering inbound & outbound traffic between Zones, then have three Zones: LAN (Servers & Printers), VLAN A (PCs (staff)) & VLAN B (Public). I think being explicit on both inbound & outbound traffic is way overkill unless you are in the financial industry, have extremely sensitive info or are bound by compliance to do so, e.g. PCI, SOX, FISMA, SSAE 16, etc. Regardless, it's up to you...it will just increase manageability and support.

Otherwise, I'd recommend two Zones LAN & VLAN A (Public).
Your LAN would contain the staff PCs, servers & printers. Then VLAN A would contain the Public PCs or whatever resources they have. WLAN will have its own Zone and then enable WGS for public access to WiFi (if available in your SonicWALL). Then block all traffic in both LAN > VLAN A and VLAN A > LAN. Then explicitly set rules based on allowed traffic to each zone which will tighten security.

Thoughts?
Webcc (asker):
Main goal is to keep Staff and Public traffic separate for the most part to reduce broadcast and to provide added security.
So just need two zones as you put it -
VLAN for staff
VLAN for public

Right?
Blue Street Tech:
Which SonicWALL model is yours (e.g. TZ 215, NSA 220, NSA 3600, etc)?
OK, so let's get into the config or the How-to.

Overview:

We'll use PortShielding to separate & assign the ports to each subnet and Zone respectively. Your default PortShielding setup should be: X0 (LAN), X1 (WAN), X2-4 (LAN), W0 (WiFi (if available)). So we are going to utilize X0 as your new LAN (all staff equipment, PCs, Servers & Printers) and X2 as your new VLAN1, VLAN42 or whatever you are going to call it. The LAN would be in its own zone by default and set to the 192.168.41.0 network, while the VLAN42 would be set to the 192.168.42.0 network. For the Public wireless access I'd recommend enabling WGS (Wireless Guest Services), depending on whether you have built-in WiFi or not.

Log in to the SonicWALL.

1. Unassign a PortShield Group

Go to Network > PortShield Groups
In the X2 name row click on Configure on the far right side.
Under PortShield Interface, select Unassigned.
Click OK.

2. Setup a New Interface

Go to Network > Interfaces
Click Add Interface...
This will popup the Add Interface dialogue box.
Zone: Create new Zone...
This will popup the Add Zone dialogue box.
Name: <type VLAN42 or whatever you want to call it>
Security Type: Public
Allow Interface Trust: Uncheck
Select all the applicable Security Services you want to apply to this Zone.
Click OK.
Now you are back to the Add Interface dialogue box.
VLAN Tag: <42 or whatever you want...some like to match the same octet number e.g. 192.168.42.0, then they'd set this tag to 42>
Parent Interface: X2
Mode / IP Assignment: Static IP Mode
IP Address: <e.g. 192.168.42.0 (this will be the Interface IP)>
Subnet Mask: 255.255.255.0 (depending on your IP class, etc.)
Comment: <any documenting, etc.>
Management: <select if you want to allow these services by default, e.g. HTTPS Management or Ping, etc.>
User Login: <you can leave unchecked for now.>

Now you have created a separate subnet and zone which are assigned to the X2 port. To protect the Zone & lock down the traffic to the Zone, follow the steps below.

3. Lock Down Zones

Go to Firewall > Access Rules
You should find an Access Rule in the LAN > VLAN42 Zone like this:
Action: Allow (*Change this to Deny)
From Zone: LAN
To Zone: VLAN42
Service: Any
Source: Any
Destination: Any
Users Allowed: All
Schedule: Always on
Comment: <anything you want to document the rule>
Click OK.

Do the same for the VLAN42 > LAN Access Rule. This will deny all traffic from LAN > VLAN42 and VLAN42 > LAN.

4. Define Explicit Access

Go to Firewall > Access Rules
Click Add...
This will popup the Add Rule dialogue box.
Action: Allow
From Zone: VLAN42
To Zone: LAN
Service: <here you should explicitly define the Service if not already found in the Service Objects List, e.g. Jetdirect (TCP 9100)>
Source: <here you should explicitly define the Source (an Address Object ) if not already found in the Service Objects List, e.g. Public DHCP Pool (192.168.42.20-55)>
Destination: <here you should explicitly define the Service if not already found in the Service Objects List, e.g. Jetdirect (TCP 9100)>
Users Allowed: <if you are using SSO or having all users login to gain access to SonicWALL for filtering purposes use that group otherwise use "All">
Schedule: <if you want to specify a schedule so that this denies access after hours of operation, set the schedule here; otherwise use "Always on">
Comment: <anything you want to document the rule>
Click OK.

Once I understand which model you have and how your WiFi is setup I can discuss that setup further (where applicable).

Let me know if you have any questions!
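A way to sanity-check the policy the how-to above builds (steps 2 through 4: LAN on X0 as 192.168.41.0/24, VLAN42 as a tagged subinterface on X2 as 192.168.42.0/24, Interface Trust off for the public zone, deny-all in both directions, then an explicit allow for printing) before touching the firewall. This is an added example written in plain Python for this thread; it is not SonicOS code and does not use any SonicWALL API. The specific printer and server addresses, the "Public DHCP Pool" range and the sample flows are assumptions for illustration; the model evaluates rules top-down, first match wins, with a final implicit deny, which stands in for SonicOS rule priority.

```python
"""Zone / access-rule model for the two-zone SonicWALL design in this thread.

Added example, not SonicOS code. Rules are evaluated in list order, first match
wins, implicit deny at the end; on the real firewall the equivalent is making
sure the explicit allow has a higher priority than the deny-all from step 3.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional, Tuple

# Step 2: interface -> (zone, subnet). VLAN42 is the tagged subinterface on X2.
INTERFACES = {
    "X0": ("LAN", ip_network("192.168.41.0/24")),
    "X2.42": ("VLAN42", ip_network("192.168.42.0/24")),
}
# "Allow Interface Trust": same-zone traffic passes without consulting the rules.
# Unchecked for VLAN42 as in step 2; the LAN zone keeps the default (on).
INTERFACE_TRUST = {"LAN": True, "VLAN42": False}

# Address objects: either a network or an inclusive (start, end) range. Assumed values.
ADDRESS_OBJECTS = {
    "Any": ip_network("0.0.0.0/0"),
    "LAN Subnet": ip_network("192.168.41.0/24"),
    "VLAN42 Subnet": ip_network("192.168.42.0/24"),
    "Public DHCP Pool": (ip_address("192.168.42.20"), ip_address("192.168.42.55")),
    "Shared Printers": (ip_address("192.168.41.10"), ip_address("192.168.41.11")),
}
# Service objects: None means "Any", else (protocol, destination port).
SERVICE_OBJECTS = {"Any": None, "Jetdirect": ("tcp", 9100), "SMB": ("tcp", 445)}


@dataclass(frozen=True)
class Rule:
    action: str           # "Allow" or "Deny"
    from_zone: str
    to_zone: str
    service: str
    source: str
    destination: str
    comment: str = ""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def addr_matches(obj_name: str, ip: IPv4Address) -> bool:
    obj = ADDRESS_OBJECTS[obj_name]
    if isinstance(obj, IPv4Network):
        return ip in obj
    lo, hi = obj
    return lo <= ip <= hi


def service_matches(name: str, proto: str, dport: int) -> bool:
    svc = SERVICE_OBJECTS[name]
    return svc is None or svc == (proto, dport)


def zone_of(ip: IPv4Address) -> Optional[str]:
    for zone, subnet in INTERFACES.values():
        if ip in subnet:
            return zone
    return None


def evaluate(flow: Flow, rules) -> Tuple[str, str]:
    """Return (action, reason) for a flow under the given ordered rule list."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    fz, tz = zone_of(src), zone_of(dst)
    if fz is None or tz is None:
        return "Deny", "address not on any configured interface"
    if fz == tz and INTERFACE_TRUST[fz]:
        return "Allow", f"intra-zone {fz} via Interface Trust"
    for r in rules:
        if ((r.from_zone, r.to_zone) == (fz, tz)
                and service_matches(r.service, flow.proto, flow.dport)
                and addr_matches(r.source, src)
                and addr_matches(r.destination, dst)):
            return r.action, r.comment or f"{fz} > {tz} {r.service}"
    return "Deny", f"no rule for {fz} > {tz} (implicit deny)"


# Steps 3 and 4: deny everything between the zones, then allow only what is needed.
RULES = [
    Rule("Allow", "VLAN42", "LAN", "Jetdirect", "Public DHCP Pool", "Shared Printers",
         "step 4: public PCs may print to the shared printers"),
    Rule("Deny", "LAN", "VLAN42", "Any", "Any", "Any", "step 3: lock down LAN > VLAN42"),
    Rule("Deny", "VLAN42", "LAN", "Any", "Any", "Any", "step 3: lock down VLAN42 > LAN"),
]
# Same rules with the deny-all ahead of the explicit allow: the allow never fires.
RULES_MISORDERED = [RULES[1], RULES[2], RULES[0]]

# Constructed sample flows.
FLOWS = {
    "public_pc_prints": Flow("192.168.42.30", "192.168.41.10", "tcp", 9100),
    "public_pc_smb_to_server": Flow("192.168.42.30", "192.168.41.5", "tcp", 445),
    "public_static_ip_prints": Flow("192.168.42.99", "192.168.41.10", "tcp", 9100),
    "staff_to_public_pc": Flow("192.168.41.50", "192.168.42.30", "tcp", 445),
    "staff_to_server": Flow("192.168.41.50", "192.168.41.5", "tcp", 445),
}


def decisions(rules=RULES):
    return {name: evaluate(f, rules)[0] for name, f in FLOWS.items()}


if __name__ == "__main__":
    for name, f in FLOWS.items():
        print(f"{name:26s} -> {evaluate(f, RULES)}")
    print("with deny-all first:", decisions(RULES_MISORDERED))
```

Two things worth noticing when you run it: a public PC outside the "Public DHCP Pool" object (here 192.168.42.99) cannot print even though it is in the right VLAN, because the allow rule is scoped to the address object and the deny catches everything else; and if the step 3 deny-all sits above the step 4 allow, every public-to-LAN flow is denied, which is the first thing to check on the firewall when "the rule is there but it doesn't work".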
Webcc (asker):
Sonicwall 3060.

Questions:
So you would not suggest purchasing a second SonicWall (TZ 215, e.g.), applying your configuration and going from its WAN port to the LAN port of the SonicWall 3060 currently in place?  Because I do not want to be beholden to the firm that manages that SonicWall.

Or a layer 3 switch to feed the 3060.

Referencing above configuration - just one VLAN for public and therefore would have to configure the layer 2 switch accordingly.  LAN (X0) would remain as is without having to setup a second VLAN for staff, servers and printers.  Seems like a fairly simple configuration if I understand this correctly.

Thanks for imparting your knowledge to me!
Blue Street Tech:
You're welcome...my pleasure!

> Questions:
> So you would not suggest purchasing a second SonicWall (TZ 215, e.g.), applying your configuration and going from its WAN port to the LAN port of the SonicWall 3060 currently in place?  Because I do not want to be beholden to the firm that manages that SonicWall.
>
> Or a layer 3 switch to feed the 3060.

I would only have one SonicWALL as your single and only firewall running this config as set forth here: #a39541919. If that means you need to purchase a SonicWALL TZ 215, so be it.

The Pro 3060 is EOL (End Of Life) - it's not supported, nor is it even close to being robust enough to defend/protect your network from today's rapidly evolving threats. So, to keep this active would be shooting yourself in the foot, so to speak, because now your performance is significantly impacted by this deprecated firewall and you are driving up complexity in support and management with this type of architecture.

What is your fundamental goal or purpose for this architecture? What are you trying to achieve?

FYI: This type of architecture is also known as "one out of two" (1oo2) protection scheme or multiple firewall topology.

I can't recommend this config because this architecture that you desire is very deprecated now - it's outdated and will only overly complicate something that doesn't need to be and cost you more in hardware, licensing & management costs to achieve the very same thing, if not far better, using a single, standalone, Next-Gen firewall (like a TZ 215) utilizing Zones.

Keep in mind when using a 1oo2 topology or multiple firewall topology between the public Internet and private networks in order to attain this now superannuated "higher risk mitigation" there are some simple rules that must be followed:
1. Both firewalls must inspect all seven layers of the OSI model.
2. Using a packet filter firewall that inspects packets only up to layer 4 of the OSI model as your first firewall and a firewall that inspects all seven layers of the OSI model as your second firewall effectively eliminates any risk mitigation at the same time it decreases overall reliability and manageability when compared to using a single standalone firewall.
3. The inspection methodologies must use disparate technology.
4. Using two firewalls that inspect all seven layers of the OSI model but rely on the same software and inspection methodology provides little, if any, risk mitigation while at the same time it decreases overall reliability when compared to using a standalone firewall.
5. The firewalls must operate on top of disparate operating systems.
6. Using the same operating system on both firewalls reduces risk mitigation since a single exploit of the operating system can take out both firewalls.
Even if the Pro 3060 was a new firewall (5th/6th Gen like a NSA 220) you would still be doing yourself a disservice using this topology.

> Referencing above configuration - just one VLAN for public and therefore would have to configure the layer 2 switch accordingly.  LAN (X0) would remain as is without having to set up a second VLAN for staff, servers and printers.  Seems like a fairly simple configuration if I understand this correctly.

Yes, the goal is always to streamline for efficiency in both performance and management. Only add complexity where situations warrant it!

Layer 2 switches cannot be configured to route VLANs - they will only blindly pass traffic. Any layer 3 device will interpret the VLAN tags and route them accordingly.

Hope this clears it up for you!
Webcc (asker):
The goal here is to reduce broadcast traffic and to provide better security between the public and staff LANs.

Final questions:

So, to satisfy the replacement of our currently outdated 3060 a TZ215 would suit us fine?
Also, it would fulfill the requirement for routing between the LAN and VLAN through Zones as I understand it without the need for a Layer 3 switch?

Lastly, for VLAN42, e.g., the layer 2 switch would still have to be set up for VLAN42 as well.  When you say that layer 2s cannot be set up to handle VLANs, I think that is incorrect; they cannot route traffic, that has to be done at the layer 3 level, I know.  Please explain.

Once I get your response I will end this thread and again thanks!
Bill
ASKER CERTIFIED SOLUTION
Blue Street Tech
Webcc (asker):
Ok very good!  Appreciate your expertise.  Thanks again!!
Blue Street Tech:
I'm glad I could help and thanks for the points!