sonicos 5.9 sonicpoint layer 3 management guide

8/10/2019 SonicOS 5.9 SonicPoint Layer 3 Management Guide

1/37

| 1

SonicOS 5.9 SonicPoint Layer 3

Management Guide


2/37

Notes, Cautions, and Warnings

2013 Dell Inc.

Trademarks: Dell, the DELL logo, SonicWALL, SonicWALL GMS, SonicWALL Analyzer, Reassem-bly-Free Deep Packet Inspection, Dynamic Security for the Global Network, SonicWALL Clean VPN,SonicWALL Clean Wireless, SonicWALL Comprehensive Gateway Security Suite, SonicWALL MobileConnect, and all other SonicWALL product and service names and slogans are trademarks of Dell Inc.

2013 0 7 P/N 232-00223 3-00 Rev. C

NOTE : A NOTE indicates important information that helps you make better use of your system.

CAUTION : A CAUTION indicates potential damage to hardware or loss of data if instructions arenot followed.

WARNING : A WARNING indicates a potential for property damage, personal injury, or death.


3/37

| 3

SonicPoint Layer 3 Management

Document ScopeThis document describes how to configure and manage SonicPoints using the SonicPoint Layer3 Management feature. This document contains the following sections:

Feature Overview on page 3

Configuring SonicPoint Layer 3 Management on page 5

Feature OverviewThis section provides an introduction to the SonicPoint Layer 3 Management feature. Thissection contains the following subsections:

What is SonicPoint Layer 3 Management? section on page 3

How Does SonicPoint Layer 3 Management Work? section on page 4

Supported Platforms section on page 5

What is SonicPoint Layer 3 Management?In previous releases, the Dell SonicWALL security appliance and the SonicPoints that itmanages had to be in the same Layer 2 network, which limits the scalability of networks,especially enterprise networks.

SonicPoint Layer 3 Management provides a wireless solution that can be easily scaled fromsmall to large while maintaining the centralized SonicOS network security protection andproviding flexible policy control.

Layer 3 Management Protocols

The Controlling and Provisioning of Wireless Access Points (CAPWAP) protocol is a standard,interoperable protocol that enables an Access Controller (in our case, the Dell SonicWALLsecurity appliance) to manage a collection of Wireless Termination Points (in our case,SonicPoints), independent of Layer 2 technology. CAPWAP is defined in RFC 5415:

http://www.ietf.org/rfc/rfc5415.txt

Dell SonicWALL CAPWAP supports both Layer 2 and Layer 3 management.
http://www.ietf.org/rfc/rfc5415.txthttp://www.ietf.org/rfc/rfc5415.txt


4/37

4 | SonicPoint Layer 3 Management

The SonicWALL Advanced Management Protocol (SAMP) suite consists of these threeprotocols:

SonicWALL DHCP-based Discovery Protocol (SDDP) - SDDP enables the DellSonicWALL security appliance and the SonicPoints to be discovered automatically acrossLayer 3 networks. The appliance acts as the DHCP sever and the SonicPoint acts as theDHCP client. Any routers or other network devices between the appliance and theSonicPoint must be configured to allow DHCP relay.

SonicWALL Control and Provisioning Wireless Access Point (SCAPWAP) - SCAPWAPis a Dell SonicWALL extension of CAPWAP that is customized for Dell SonicWALLproducts. The Dell SonicWALL network security appliance gateway manages theSonicPoints using SCAPWAP, independent of Layer 2 and Layer 3 networks. The DellSonicWALL security appliance and the SonicPoints must be configured to do mutualauthentication using either a pre-shared key or a public key-based certificates.

SonicWALL SSLVPN-based Management Protocol (SSMP) - SSMP is based on the DellSonicWALL SSL VPN infrastructure and enables the SonicPoints to be managed over theinternet by a Dell SonicWALL security appliance. In this case, a single NetExtender SSLVPN tunnel is established between the appliance and the SonicPoint. All of a usersSonicPoint traffic to the appliance is tunneled over this single NetExtender session.

How Does SonicPoint Layer 3 Management Work?SonicPoint Layer 3 Management provides a broader wireless solution for both local and remotenetworks and for both small and large deploymentsall with centralized SonicOS networksecurity protection and flexible policy control.

The following three SonicPoint deployment scenarios are supported:

Local Layer 2 Management When a Dell SonicWALL network security appliance and itsSonicPoints are deployed in the same Layer 2 network, the existing Layer 2 discoveryprotocol, SDP, is used to manage the access points.

Local Layer 3 Management When SonicPoints are deployed outside of the Layer 2

network, but within the same Intranet as the Dell SonicWALL security appliance (forexample when there is a third-party router between the Dell SonicWALL security applianceand the SonicPoints), Layer 3 management protocols can be used to manage the accesspoints.

Remote Layer 3 Management When SonicPoints are deployed in a remote site acrossthe Internet cloud, Layer 3 management can be used to manage the remote network accesspoints. A single SSL VPN NetExtender tunnel is established between the SonicPoint andthe remote Dell SonicWALL security appliance. Each wireless client does not need toinstall and launch NetExtender to establish an SSL VPN tunnel. All the wireless clientsshare the same VPN tunnel. This reduces the number of NetExtender licenses required onthe Dell SonicWALL security appliance. It also eliminates the need to establish individualtunnels for each SonicPoint.

BenefitsSonicPoint Layer 3 Management offers the following benefits:

Simplifies the management of multiple wireless networks. SonicPoints located at multiplelocations are managed by a single Dell SonicWALL security appliance.

Reduces the number of NetExtender licenses and sessions. All remote users are tunneledover a single NetExtender session.


5/37

| 5

Supported PlatformsSonicPoint Layer 3 Management is supported on all Dell SonicWALL security appliances thatcan provision SonicPoints.

Configuring SonicPoint Layer 3 ManagementThis document describes three popular scenarios for SonicPoint Layer 3 Management:

Configuring Basic SonicPoint Layer 3 Management on page 5

Configuring SonicPoint Virtual Access Points for Layer 3 Management on page 15

Configuring Layer 3 Management over IPSec on page 20

Configuring Basic SonicPoint Layer 3 Management A basic SonicPoint Layer 3 Management scenario is shown in the graphic below. The

SonicPoints are connected to a third-party router, which is connected over the LAN zone to theDell SonicWALL security appliance.


6/37


Configuring SonicPoint Layer 3 Management requires configurations across several pages ofthe SonicOS UI. Thus to configure this scenario, the configuration is divided into the followingsteps:

1. Configuring the Access Controller Interface on page 6

2. Configuring the DHCP Server on page 8

3. Configuring a DHCP Pool of Addresses on page 10

4. Configuring the WLAN Tunnel Interface on page 12

5. Add a Route Policy on page 13

6. Configuring a Remote Router Connected to SonicPoints on page 14

Configuring the Access Controller Interface

To configure an interface on a Dell SonicWALL security appliance that is connected to a third-party router:

Step 1 Navigate to the Network > Interface page.

Step 2 Click the Configure icon for the desired interface , such as X4 .


7/37

| 7

The Edit Interface dialog appears.

Step 3 From the Zone menu, select LAN .

Step 4 From the Mode / IP Assignment menu, select Static IP Mode .

Step 5 In the IP Address box, enter the IP address of the interface. For example, 10.10.10.1 .

Step 6 in the Subnet Mask box, enter the subnet mask for the interface. For example, 255.255.255.0 .

Step 7 Click OK .


8/37


Configuring the DHCP Server

To configure a DHCP Option Object for CAPWAP and a DHCP pool of IP addresses for theSonicPoints behind a third-party router:

Step 1 Navigate to the Network > DHCP Server page.

Step 2 Click the Advanced button.

The DHCP Advanced Settings window is displayed.


9/37

| 9

Step 3 Click the Add Option button. The Add DHCP Option Object dialog appears.

Step 4 In the Option Name box, enter a descriptive name for the DHCP option object, such as cap .

Step 5 From the Option Number menu, select 138 (CAPWAP AC IPv4 Address List) .

Step 6 Select the Option Array option.

Step 7 From the Option Type menu, select IP Address .

Step 8 In the Option Value menu, enter the IP address for the interface (X4) you configured inConfiguring the Access Controller Interface on page 6 . For example, 10.10.10.1 .

Step 9 Click OK .

The new Option Object is displayed in the DHCP Advanced Settings dialog.


10/37


Configuring a DHCP Pool of Addresses

To configure a DHCP pool of addresses for the SonicPoints behind the router:

Step 1 Navigate to the Network > DHCP Server page.

Step 2 Under the DHCP Server Lease Scopes table, click the Add Dynamic button.

The Dynamic Range Configuration dialog appears.

Step 3 Select the Enable this DHCP Scope option.

Step 4 Enter the appropriate IP addresses or values in the Range Start , Range End , Lease Time(minutes) , Default Gateway , and Subnet Mask boxes.


11/37

| 11

Step 5 Click the Advanced tab.

Step 6 In the DHCP Generic Option Group menu, select the DHCP Option Object you created inConfiguring the DHCP Server on page 8 .

Step 7 Select the Send Generic options always option.

Step 8 Click OK .


12/37


Configuring the WLAN Tunnel Interface

To configure a WLAN tunnel interface and assign it to the X4 interface:

Step 1 Navigate to the Network > Interface page.

Step 2 From the Add Interface menu, select Tunnel Interface .

The Add Tunnel Interface dialog appears.

Step 3 From the Zone menu, select WLAN .

Step 4 From the VPN Policy menu, select the appropriate VPN policy. This menu is auto-populatedwith the VPN policies that you create.

Step 5 From the Mode IP Assignment menu, select Static .

Step 6 In the IP Address box, enter the IP address for the WLAN tunnel interface. For example,172.17.31.1 .

Step 7 In the Subnet Mask box, enter the subnet mask.

Step 8 (Optional) In the Comment box, enter a descriptive comment.Step 9 Click OK .

A default DHCP IP address pool, such as 172.17.31.1/24, is automatically created for wirelessclients.


13/37

| 13

Step 10 To verify, navigate to the Firewall > Access Rules page. You should see a Layer 3Management option in the Access Rules table.

Add a Route Policy

To configure a route policy that forwards all packets intended for a Layer 3 SonicPoint networkto the default gateway :

Step 1 Navigate to the Network > Routing page.

Step 2 In the Route Policies table, click Add .

Step 3 From the Source menu, select Any .

Step 4 From the Destination menu, select the address object of the default gateway. For example30.30.30.0/255.255.255.0 .

Step 5 From the Service menu, select Any .

Step 6 From the Gateway menu, select 10.10.10.2 .

Step 7 From the Interface menu, select X4 .

Step 8 In the Metric box, enter 1 .

Step 9 Click OK .


14/37


Configuring a Remote Router Connected to SonicPoints

To configure a third-party router that is connected to a Dell SonicWALL security interface at oneend and to SonicPoints at the other end:

Step 1 For the interface on the remote router that is connected to the Dell SonicWALL securityappliance, configure the IP address 10.10.10.2/24 .

Step 2 For the interface on the remote router that is connected to the SonicPoint, configure the IPaddress 30.30.30.1/24 .

Step 3 Configure a DHCP relay policy from the interface connected to the SonicPoint to the X4interface on the Dell SonicWALL security appliance, which has the IP address 10.10.10.1.


15/37

| 15

Configuring SonicPoint Virtual Access Points for Layer 3Management

This scenario extends the previous example, Configuring Basic SonicPoint Layer 3Management on page 5 , by adding Virtual Access Points (VAPs) for the SonicPoints.

To configure VAPs for SonicPoint Layer 3 Management, perform the following steps:

Configuring a WLAN Interface for VAPs on page 16

Configuring a VAP Object on page 17

Configuring a VAP Group on page 18

Assigning a VAP Group to a SonicPoint on page 19


16/37


17/37

| 17

Step 9 In the Subnet Mask box, enter the Subnet Mask. For example, 255.255.255.0 .

Step 10 From the SonicPoint Limit menu, select 48 SonicPoints

Step 11 Click OK .

Configuring a VAP Object

To configure a VAP object on a Dell SonicWALL network security appliance:

Step 1 Navigate to the SonicPoint > Virtual Access Point page.

Step 2 In the Virtual Access Points table, click Add .The Virtual Access Point General Settings dialog appears.

Step 3 In the Name box, enter a descriptive name for the VAP.

Step 4 in the SSID box, enter a SSID that represents the Layer 3 management network. For example,wirelessDev_L3_vap .

Step 5 From the VLAN ID menu, select the VLAN Tag ID that you configured in Configuring a WLANInterface for VAPs on page 16 . For example, ID 4 .

Step 6 Select the Enable Virtual Access Point option.

Step 7 Click OK .

Step 8 Repeat this procedure to add additional Virtual Access Points.


18/37


Configuring a VAP Group

To configure a VAP group:

Step 1 Navigate to the SonicPoint > Virtual Access Point page.

Step 2 In the Virtual Access Points Groups table, Click Add Group .

The Add Virtual Access Point Group dialog appears.

Step 3 In the Virtual AP Group Name box, enter a name for the VAP group. For example, L3 VAPGroup .

The Available Virtual AP Objects box should be populated with the VAP objects you createdin Configuring a VAP Object on page 17 .

Step 4 Move the VAP objects you want from the Available Virtual AP Objects box to the Member ofVirtual AP Group box.

Step 5 Click OK .


19/37

| 19

Assigning a VAP Group to a SonicPoint

To assign a VAP group to a SonicPoint that is connected to a third-party router:

Step 1 Navigate to the SonicPoint > SonicPoints page.

Step 2 Click the Configure icon for the SonicPoint you want to configure.

The Edit SonicPoint Profile dialog appears.

Step 3 Select the Enable SonicPoint option.

Step 4 From the 802.11n Radio Virtual AP Group menu, select the Virtual AP Group you created inConfiguring a VAP Group on page 18 . For example, L3 VAP Group .

Step 5 Click OK .


20/37


Configuring Layer 3 Management over IPSecIn this example, the central IPSec gateway acts as the SonicPoint WLAN controller. TheSonicPoint is deployed under the VPN local LAN subnet of the remote IPSec gateway.SonicPoint clients receive a DHCP client lease for the SonicPoint from the DHCP scope on thecentral gateway. The DHCP over VPN feature must be configured on the remote IPSecgateway.

Note This example assumes that the VPN IPSec tunnel between the two Dell SonicWALL securityappliances is established successfully.

1. Configuring the VPN Tunnel on the Central Gateway on page 21

2. Configuring the VPN Tunnel on the Remote Gateway on page 25

3. Configuring the CAPWAP DHCP Option Object on the Central Gateway on page 30

4. Configuring the DHCP Scope on the Central Gateway on page 32

5. Configuring the WT0 Interface on the Central Gateway on page 35


21/37

| 21

Configuring the VPN Tunnel on the Central Gateway

To configure the VPN tunnel on the Central Gateway:

Step 1 On the Central Gateway management interface, navigate to the VPN > Settings page.

Step 2 Under the VPN Policies table, click Add .

The VPN Policy, General tab dialog appears.

Step 3 From the Policy Type menu, select Site to Site .

Step 4 From the Authentication Method menu, select the method you want.For example, IKE using Preshared Secret .

Step 5 In the Name menu, enter a descriptive name for the VPN tunnel.For example, VPN to Central Gateway .

Step 6 In the IPSec Primary Gateway Name or Address menu,enter the IP address of the remote gateway. For example, 10.03.49.77 .

Step 7 If you are using IKE, configure the IKE authentication settings.


22/37


Step 8 Click the Network tab.

Step 9 Under Local Networks , select the Choose local network from list option.

Step 10 From the Choose local network from list menu, select X0 Subnet .

Step 11 Under Remote Networks , select the option you want and the network you want from the menu.


23/37

| 23


Step 13 Select the Allow SonicPointN Layer 3 Management option.

Step 14 Click OK .

Step 15 Navigate to the VPN > DHCP over VPN page.

Step 16 From the DHCP over VPN menu, select Central Gateway .


24/37


25/37

| 25

Configuring the VPN Tunnel on the Remote Gateway

To configure the VPN tunnel on the remote gateway:

Step 1 On the Remote Gateway management interface, navigate to the VPN > Settings page.

Step 2 Under the VPN Policies table, click Add .

The VPN Policy, General tab dialog appears.

Step 3 From the Policy Type menu, select Site to Site .

Step 4 From the Authentication Method menu, select the appropriate method for your network. For example, IKE using Preshared Secret .

Step 5 In the Name menu, enter a descriptive name for the VPN tunnel.For example, VPN to Remote Gateway .

Step 6 In the IPSec Primary Gateway Name or Address menu, enter the IP address of the remotegateway. For example, 10.03.49.79 .


26/37


Step 7 Click the Network tab.

Step 8 Under Local Networks , select the Choose local network from list option.

Step 9 From the Choose local network from list menu, select X0 Subnet .

Step 10 Under Remote Networks , select the option you want and the network you want from theappropriate menu.

Note If you have not created an address object for your remote gateway, you can do so byselecting Create new address object from one of the menus.


27/37

| 27

Step 11 Under Remote Networks , select Create new address object from the appropriate menu. The Add Address Object dialog appears.

Step 12 In the Name box, enter Remote Gateway X0 Subnet .Step 13 From the Zone menu, select LAN .

Step 14 From the Type menu, select Network .

Step 15 In the Network box, enter the IP address of the remote gateway. For example, 192.168.168.0 .

Step 16 In the Netmask/Prefix Length box, enter the mask. For example, 255.255.255.0 .


28/37


29/37

| 29

Step 21 From the DHCP over VPN menu, select Remote Gateway , and click the Configure button.The DHCP over VPN Configuration dialog appears.

Step 22 From the DHCP lease bound to menu, select the interface that is connected to the SonicPoint.For example, Interface X7 .

Step 23 (Optional) Select the Accept DHCP Request from bridged WLAN interface option if you wantit.

Step 24 In the Relay IP Address box, enter the IP address of the interface connected to the SonicPoint.For example 30.30.30.1 .

Step 25 In the Remote Management IP Address menu, enter the IP address that is used to managethis Dell SonicWALL security appliance remotely from behind the Central Gateway.

Note This IP address was configured in Configuring the Access Controller Interface on page 6 ,and must be reserved in the DHCP scope on the DHCP server. In our example it is 10.10.10.1 .

Step 26 Select the Block traffic through tunnel when IP spoof detected option.

Step 27 Select the Obtain temporary lease from local DHCP server if tunnel is down option.

Step 28 In the Temporary Lease Time (minutes) box, leave the default value of 2 .

Step 29 Click OK .


30/37


Configuring the CAPWAP DHCP Option Object on the Central Gateway

To configure the CAPWAP DHCP Option Object on the Central Gateway:

Step 1 On the Central Gateway management interface, navigate to the Network > DHCP Server page.

Step 2 Under the DHCP Server Settings panel, click Advanced .The DHCP Advanced Settings dialog appears.


31/37

| 31

Step 3 Click Add Option .The Add DHCP Option Object window is displayed.

Step 4 In the Option Name box, enter a descriptive name, such as capwap .

Step 5 From the Option Number menu, select 138 (CAPWAP AC IPv4 Address List) .

Step 6 In the Option Value box, enter the IP address you want to use for the DHCP group.For example, 192.168.168.168 .

Step 7 Click OK to add the DHCP Option Object.

Step 8 Click OK to close the DHCP Advanced Settings window and return to the Network > DHCPServer page.


32/37


Configuring the DHCP Scope on the Central Gateway

To configure the DHCP Scope on the Central Gateway:

Step 1 On the Central Gateway management interface, navigate to the Network > DHCP Server page.

Step 2 Click the Add Dynamic button.


33/37

| 33

The Dynamic Range Configuration dialog appears.

Step 3 Configure the following settings:

Step 4 Select the Enable this DHCP Scope option.

Step 5 In the Range Start box, enter the IP address at which to start the DHCP range.For example, 30.30.30.2 .

Note The range values must be within the same subnet as the Default Gateway.For example, 30.30.30.2 to 30.30.30.100 .

Step 6 In the Range End box, enter the IP address at which to end the DHCP range.

For example, 30.30.30.100 .Step 7 In the Lease Time (minutes) box, use the default value, 1440 .

Step 8 In the Default Gateway box, enter the IP address of the default gateway.

Note This value will be the IP address of the interface connected to the SonicPoint.For example, 30.30.30.1 .

Step 9 In the Subnet Mask box, enter the subnet mask of the default gateway.For example, 255.255.255.0 .


34/37



Step 11 In the DHCP Generic Options panel, from the DHCP Generic Option Group menu, select theCAPWAP DHCP option.

Note The CAPWAP DHCP option was created in Configuring the CAPWAP DHCP Option Objecton the Central Gateway on page 30 .

Step 12 Select the Send Generic options always option.

Step 13 Click OK .


35/37

| 35

Configuring the WT0 Interface on the Central Gateway

To configure the Wireless Tunnel interface (WT0) on the Central Gateway:

Step 1 On the Central Gateway management interface, navigate to the Network > Interfaces page.

Step 2 Click Add WLAN Tunnel Interface . The Add WLAN Tunnel Interface window is displayed.

Step 3 From the Zone menu, select WLAN .

Step 4 In the Tunnel Id box, select 0 .

Step 5 From the Tunnel Source Interface , select X0 .

Step 6 From the Mode / IP Assignment menu, Static IP Mode .

Step 7 In the IP Address box, select 172.17.31.1 .

Step 8 In the Subnet Mask box, 255.255.255.0 .

Step 9 From the SonicPoint Limit menu, select the maximum number of SonicPoints allowed on yournetwork. For example, 48 SonicPoints .

Step 10 Click OK .


36/37



37/37

sonicos 5.9 sonicpoint layer 3 management guide

Documents