The following sections outline some of the features and guidelines to consider when designing the network.

7.1.1 Active/Standby High Availability

In this architecture, NSA6600s are used as highly available devices providing seamless connectivity to the outside world. Two NSA6600s are configured as an Active/Standby HA pair to support the needs of the campus reference architecture. One firewall is the Active (primary) device, processing and handling all traffic. The other firewall remains in standby mode until a keepalive between the primary and standby expires or a monitored link goes down. The NSA6600 comes with 4x10GbE and 8x1GbE interfaces. 2x10GbE ports from each device are statically aggregated (static LAG) to 2 N4064Fs. These interfaces are monitored for any link failure or link down. As shown in Figure 58, the 10GbE ports are used for the data link and the 1GbE links are used for the control link.

Figure 58 Firewall Aggregation Layer

The NSA 6600 supports four operation modes in high availability: Active/Standby, Active/Active DPI, Active/Active Clustering, and Active/Active DPI Clustering. Based on the needs of the campus architecture, the NSA devices are configured for Active/Standby mode. Figure 59 provides a snapshot of the HA status.

Note: The HA feature needs a single license to operate. Both devices share a single license once configured as an HA pair in Active/Standby. SonicWall devices support static LAG. Support for dynamic LAG (LACP) is planned for the near future.

Figure 59 Snapshot of working HA status

7.1.2 Security Services Licenses

The Dell SonicWALL Comprehensive Gateway Security Suite is a powerful security solution for businesses

Dell SonicWall Gateway Security Suite delivers intelligent, real-time network security protection against sophisticated application layer and content-based attacks, including viruses, spyware and worms.

Configurable tools prevent data leakage and enable visualization of network traffic.

Dell SonicWALL Content Filtering Service provides granular controls and unequalled content filtering to enforce Internet use policies and block access to websites containing information or images that are objectionable or unproductive. Figure 60 provides a snapshot of an enabled license.

Figure 60 Snapshot of enabled license

7.1.3 NAT Policies, Zones & Firewall

The Network Address Translation (NAT) engine in SonicOS allows users to define granular NAT policies for their incoming and outgoing traffic. By default, the Dell SonicWALL Security Appliance has a preconfigured NAT policy that allows all systems connected to the X0 interface to perform Many-to-One NAT using the IP address of the X1 interface, and a policy not to perform NAT when traffic crosses between the other interfaces.

portions of the packet and can dynamically rewrite the information in specified fields for incoming, as well as outgoing traffic.

This reference architecture topology has remote APs deployed across the WAN. These remote APs and networks utilize a VPN connection terminating on the W-Series controller within the campus network. In order to support this communication between the remote APs and the controller, the SonicWall needs to have appropriate NAT policies to convert a public address to a private address. The NAT policy table is shown in Figure 60.

The topology has an IAP located outside the network, connected to and managed from the controller within the network. To enable this communication between the IAP and the controller, the SonicWall needs appropriate NAT policies to convert the public address to the private address and vice versa, as shown in Figure 61.

Figure 61 Capture of Zones Enabled with Proper Security Services
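The NAT behaviour described above, as an added example that is not part of the original guide and not SonicOS code: a simplified first-match policy table with the default X0-to-X1 many-to-one rule and one inbound rule for the remote AP VPN, plus a check that WAN-side destination NAT stays scoped to one address and one service. The addresses, the policy names and the use of UDP 4500 for the VPN are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class NatPolicy:
    name: str
    in_if: str                # ingress interface the packet arrives on
    orig_src: str             # original source, CIDR
    orig_dst: str             # original destination, CIDR
    service: str              # "proto/port" or "any"
    xlat_src: Optional[str]   # translated source; None keeps the original
    xlat_dst: Optional[str]   # translated destination; None keeps the original

# Constructed table: documentation/private addresses, UDP 4500 assumed for the AP VPN.
POLICIES = [
    NatPolicy("rap-vpn-in", "X1", "0.0.0.0/0", "203.0.113.10/32", "udp/4500", None, "10.1.1.5"),
    NatPolicy("lan-out", "X0", "10.0.0.0/8", "0.0.0.0/0", "any", "203.0.113.2", None),
]

def _match(p, in_if, src, dst, service):
    return (p.in_if == in_if
            and ipaddress.ip_address(src) in ipaddress.ip_network(p.orig_src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(p.orig_dst)
            and p.service in ("any", service))

def translate(policies, in_if, src, dst, service):
    """First matching policy wins; with no match the packet is left untranslated."""
    for p in policies:
        if _match(p, in_if, src, dst, service):
            return p.name, p.xlat_src or src, p.xlat_dst or dst
    return None, src, dst

def audit_inbound(policies, wan_if="X1"):
    """Flag WAN-side destination NAT entries wider than one host and one service."""
    findings = []
    for p in policies:
        if p.in_if != wan_if or p.xlat_dst is None:
            continue
        if p.service == "any":
            findings.append((p.name, "any service forwarded to internal host"))
        if ipaddress.ip_network(p.orig_dst).num_addresses != 1:
            findings.append((p.name, "public destination is not a single address"))
    return findings

if __name__ == "__main__":
    print(translate(POLICIES, "X1", "198.51.100.7", "203.0.113.10", "udp/4500"))
    print(translate(POLICIES, "X0", "10.2.3.4", "198.51.100.7", "tcp/443"))
    print(audit_inbound(POLICIES))
```

Traffic arriving on an interface with no matching entry, such as X2 here, passes through with its addresses unchanged, which mirrors the default no-NAT policy between the other interfaces.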

A network security zone (Figure 62) is simply a logical method of grouping one or more interfaces with friendly, user-configurable names, and applying security rules as traffic passes from one zone to another. Security zones provide an additional, more flexible layer of security for the firewall. With zone-based security, the administrator can group similar interfaces and apply the same policies to them, instead of having to write the same policy for each interface. Best practice is to enable the appropriate security services for each zone.

Figure 62 Capture of Zones Enabled with Proper Security Services
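The zone model described above, as an added example that is not part of the original guide and not SonicOS code: interfaces resolve to zones, one rule per zone pair covers every member interface, and an audit lists zones missing required security services. The zone names, interface assignments, rule set and service labels are assumptions.

```python
# Constructed inventory: zone names, interface assignments and service labels are
# assumptions for illustration, not values exported from a SonicWALL appliance.
ZONES = {
    "LAN":  {"interfaces": {"X0", "X2"}, "services": {"gateway_av", "anti_spyware", "content_filter"}},
    "WAN":  {"interfaces": {"X1"},       "services": {"gateway_av", "anti_spyware", "content_filter"}},
    "WLAN": {"interfaces": {"X3"},       "services": {"content_filter"}},
}
REQUIRED = {"gateway_av", "anti_spyware", "content_filter"}

# One rule per zone pair; anything not listed is denied.
RULES = {("LAN", "WAN"): "allow", ("WLAN", "WAN"): "allow", ("WAN", "LAN"): "deny"}

def zone_of(zones, interface):
    """Return the zone an interface belongs to, or None if it is unassigned."""
    for name, zone in zones.items():
        if interface in zone["interfaces"]:
            return name
    return None

def decide(zones, rules, in_if, out_if):
    """Resolve both interfaces to zones, then look up the zone-pair rule."""
    src, dst = zone_of(zones, in_if), zone_of(zones, out_if)
    if src is None or dst is None:
        return src, dst, "deny"      # unassigned interface: no zone policy applies
    return src, dst, rules.get((src, dst), "deny")

def audit_zones(zones, required):
    """Map each zone to the required services it lacks (empty dict = compliant)."""
    gaps = {}
    for name, zone in zones.items():
        missing = sorted(required - zone["services"])
        if missing:
            gaps[name] = missing
    return gaps

if __name__ == "__main__":
    print(decide(ZONES, RULES, "X2", "X1"))   # X2 inherits the LAN policy
    print(audit_zones(ZONES, REQUIRED))
```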

B Attachments

This document includes the following attachments.

• Access Switch Stack 1.txt
• Access Switch Stack 2.txt
• Aggregation Switch 1.txt
• Dell Networking W-ClearPass Configuration.pdf
• Dell Networking W-Instant Configuration.pdf
• Instant AP225 Remote Site.txt
• Master Controller.txt
• Standby Controller.txt

Support and Feedback

Contacting Technical Support

Support Contact Information

Web: http://Support.Dell.com/

Telephone: USA: 1-800-945-3355

Feedback for this document

We encourage readers of this publication to provide feedback on the quality and usefulness of this deployment guide by sending an email to [email protected]