
SonicOS 5.9
SonicPoint Layer 3 Management Guide


Notes, Cautions, and Warnings

NOTE: A NOTE indicates important information that helps you make better use of your system.

CAUTION: A CAUTION indicates potential damage to hardware or loss of data if instructions are
not followed.
WARNING: A WARNING indicates a potential for property damage, personal injury, or death.

© 2013 Dell Inc.


Trademarks: Dell, the DELL logo, SonicWALL, SonicWALL GMS, SonicWALL Analyzer, Reassembly-Free Deep Packet Inspection, Dynamic Security for the Global Network, SonicWALL Clean VPN,
SonicWALL Clean Wireless, SonicWALL Comprehensive Gateway Security Suite, SonicWALL Mobile
Connect, and all other SonicWALL product and service names and slogans are trademarks of Dell Inc.
2013 - 07

P/N 232-002233-00

Rev. C

SonicPoint Layer 3 Management


Document Scope
This document describes how to configure and manage SonicPoints using the SonicPoint Layer
3 Management feature. This document contains the following sections:

Feature Overview

Configuring SonicPoint Layer 3 Management

Feature Overview
This section provides an introduction to the SonicPoint Layer 3 Management feature. This
section contains the following subsections:

What is SonicPoint Layer 3 Management?

How Does SonicPoint Layer 3 Management Work?

Supported Platforms

What is SonicPoint Layer 3 Management?


In previous releases, the Dell SonicWALL security appliance and the SonicPoints that it
manages had to be in the same Layer 2 network, which limits the scalability of networks,
especially enterprise networks.
SonicPoint Layer 3 Management provides a wireless solution that can be easily scaled from
small to large while maintaining the centralized SonicOS network security protection and
providing flexible policy control.

Layer 3 Management Protocols


The Controlling and Provisioning of Wireless Access Points (CAPWAP) protocol is a standard,
interoperable protocol that enables an Access Controller (in our case, the Dell SonicWALL
security appliance) to manage a collection of Wireless Termination Points (in our case,
SonicPoints), independent of Layer 2 technology. CAPWAP is defined in RFC 5415:
http://www.ietf.org/rfc/rfc5415.txt
Dell SonicWALL CAPWAP supports both Layer 2 and Layer 3 management.


The SonicWALL Advanced Management Protocol (SAMP) suite consists of these three
protocols:

SonicWALL DHCP-based Discovery Protocol (SDDP) - SDDP enables the Dell SonicWALL
security appliance and the SonicPoints to be discovered automatically across
Layer 3 networks. The appliance acts as the DHCP server and the SonicPoint acts as the
DHCP client. Any routers or other network devices between the appliance and the
SonicPoint must be configured to allow DHCP relay.

SonicWALL Control and Provisioning Wireless Access Point (SCAPWAP) - SCAPWAP
is a Dell SonicWALL extension of CAPWAP that is customized for Dell SonicWALL
products. The Dell SonicWALL network security appliance gateway manages the
SonicPoints using SCAPWAP, independent of Layer 2 and Layer 3 networks. The Dell
SonicWALL security appliance and the SonicPoints must be configured to do mutual
authentication using either a pre-shared key or public key-based certificates.

SonicWALL SSLVPN-based Management Protocol (SSMP) - SSMP is based on the Dell
SonicWALL SSL VPN infrastructure and enables the SonicPoints to be managed over the
internet by a Dell SonicWALL security appliance. In this case, a single NetExtender SSL
VPN tunnel is established between the appliance and the SonicPoint. All of a user's
SonicPoint traffic to the appliance is tunneled over this single NetExtender session.

How Does SonicPoint Layer 3 Management Work?


SonicPoint Layer 3 Management provides a broader wireless solution for both local and remote
networks and for both small and large deployments, all with centralized SonicOS network
security protection and flexible policy control.
The following three SonicPoint deployment scenarios are supported:

Local Layer 2 Management - When a Dell SonicWALL network security appliance and its
SonicPoints are deployed in the same Layer 2 network, the existing Layer 2 discovery
protocol, SDP, is used to manage the access points.

Local Layer 3 Management - When SonicPoints are deployed outside of the Layer 2
network, but within the same Intranet as the Dell SonicWALL security appliance (for
example, when there is a third-party router between the Dell SonicWALL security appliance
and the SonicPoints), Layer 3 management protocols can be used to manage the access
points.

Remote Layer 3 Management - When SonicPoints are deployed in a remote site across
the Internet cloud, Layer 3 management can be used to manage the remote network access
points. A single SSL VPN NetExtender tunnel is established between the SonicPoint and
the remote Dell SonicWALL security appliance. Each wireless client does not need to
install and launch NetExtender to establish an SSL VPN tunnel. All the wireless clients
share the same VPN tunnel. This reduces the number of NetExtender licenses required on
the Dell SonicWALL security appliance. It also eliminates the need to establish individual
tunnels for each SonicPoint.

Benefits
SonicPoint Layer 3 Management offers the following benefits:

Simplifies the management of multiple wireless networks. SonicPoints located at multiple
locations are managed by a single Dell SonicWALL security appliance.

Reduces the number of NetExtender licenses and sessions. All remote users are tunneled
over a single NetExtender session.


Supported Platforms
SonicPoint Layer 3 Management is supported on all Dell SonicWALL security appliances that
can provision SonicPoints.

Configuring SonicPoint Layer 3 Management


This document describes three popular scenarios for SonicPoint Layer 3 Management:

Configuring Basic SonicPoint Layer 3 Management

Configuring SonicPoint Virtual Access Points for Layer 3 Management

Configuring Layer 3 Management over IPSec

Configuring Basic SonicPoint Layer 3 Management


A basic SonicPoint Layer 3 Management scenario is shown in the graphic below. The
SonicPoints are connected to a third-party router, which is connected over the LAN zone to the
Dell SonicWALL security appliance.


Configuring SonicPoint Layer 3 Management requires configurations across several pages of
the SonicOS UI. Thus, to configure this scenario, the configuration is divided into the following
steps:
1. Configuring the Access Controller Interface
2. Configuring the DHCP Server
3. Configuring a DHCP Pool of Addresses
4. Configuring the WLAN Tunnel Interface
5. Add a Route Policy
6. Configuring a Remote Router Connected to SonicPoints

Configuring the Access Controller Interface


To configure an interface on a Dell SonicWALL security appliance that is connected to a
third-party router:
Step 1 Navigate to the Network > Interface page.
Step 2 Click the Configure icon for the desired interface, such as X4.
The Edit Interface dialog appears.
Step 3 From the Zone menu, select LAN.
Step 4 From the Mode / IP Assignment menu, select Static IP Mode.
Step 5 In the IP Address box, enter the IP address of the interface. For example, 10.10.10.1.
Step 6 In the Subnet Mask box, enter the subnet mask for the interface. For example, 255.255.255.0.
Step 7 Click OK.


Configuring the DHCP Server


To configure a DHCP Option Object for CAPWAP and a DHCP pool of IP addresses for the
SonicPoints behind a third-party router:
Step 1 Navigate to the Network > DHCP Server page.
Step 2 Click the Advanced button.
The DHCP Advanced Settings window is displayed.
Step 3 Click the Add Option button. The Add DHCP Option Object dialog appears.
Step 4 In the Option Name box, enter a descriptive name for the DHCP option object, such as cap.
Step 5 From the Option Number menu, select 138 (CAPWAP AC IPv4 Address List).
Step 6 Select the Option Array option.
Step 7 From the Option Type menu, select IP Address.
Step 8 In the Option Value menu, enter the IP address for the interface (X4) you configured in
Configuring the Access Controller Interface. For example, 10.10.10.1.
Step 9 Click OK.
The new Option Object is displayed in the DHCP Advanced Settings dialog.


Configuring a DHCP Pool of Addresses


To configure a DHCP pool of addresses for the SonicPoints behind the router:
Step 1 Navigate to the Network > DHCP Server page.
Step 2 Under the DHCP Server Lease Scopes table, click the Add Dynamic button.
The Dynamic Range Configuration dialog appears.
Step 3 Select the Enable this DHCP Scope option.
Step 4 Enter the appropriate IP addresses or values in the Range Start, Range End, Lease Time
(minutes), Default Gateway, and Subnet Mask boxes.
Step 5 Click the Advanced tab.
Step 6 In the DHCP Generic Option Group menu, select the DHCP Option Object you created in
Configuring the DHCP Server.
Step 7 Select the Send Generic options always option.
Step 8 Click OK.


Configuring the WLAN Tunnel Interface


To configure a WLAN tunnel interface and assign it to the X4 interface:
Step 1 Navigate to the Network > Interface page.
Step 2 From the Add Interface menu, select Tunnel Interface.
The Add Tunnel Interface dialog appears.
Step 3 From the Zone menu, select WLAN.
Step 4 From the VPN Policy menu, select the appropriate VPN policy. This menu is auto-populated
with the VPN policies that you create.
Step 5 From the Mode / IP Assignment menu, select Static.
Step 6 In the IP Address box, enter the IP address for the WLAN tunnel interface. For example,
172.17.31.1.
Step 7 In the Subnet Mask box, enter the subnet mask.
Step 8 (Optional) In the Comment box, enter a descriptive comment.
Step 9 Click OK.
A default DHCP IP address pool, such as 172.17.31.1/24, is automatically created for wireless
clients.
Step 10 To verify, navigate to the Firewall > Access Rules page. You should see a Layer 3
Management option in the Access Rules table.

Add a Route Policy


To configure a route policy that forwards all packets intended for a Layer 3 SonicPoint network
to the default gateway:
Step 1 Navigate to the Network > Routing page.
Step 2 In the Route Policies table, click Add.
Step 3 From the Source menu, select Any.
Step 4 From the Destination menu, select the address object of the default gateway. For example,
30.30.30.0/255.255.255.0.
Step 5 From the Service menu, select Any.
Step 6 From the Gateway menu, select 10.10.10.2.
Step 7 From the Interface menu, select X4.
Step 8 In the Metric box, enter 1.
Step 9 Click OK.


Configuring a Remote Router Connected to SonicPoints


To configure a third-party router that is connected to a Dell SonicWALL security interface at one
end and to SonicPoints at the other end:
Step 1 For the interface on the remote router that is connected to the Dell SonicWALL security
appliance, configure the IP address 10.10.10.2/24.
Step 2 For the interface on the remote router that is connected to the SonicPoint, configure the IP
address 30.30.30.1/24.
Step 3 Configure a DHCP relay policy from the interface connected to the SonicPoint to the X4
interface on the Dell SonicWALL security appliance, which has the IP address 10.10.10.1.
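
An added example, not part of the original guide: a Python check that the addresses used in this scenario agree with one another before they are entered into the UI. The dictionary keys and the function name are hypothetical, and pairing the basic scenario's interface addresses with the 30.30.30.2 to 30.30.30.100 scope from the guide's DHCP scope example is an assumption.

```python
import ipaddress as ip

# Addresses from this guide's examples. Combining the basic scenario's
# interfaces with the 30.30.30.2-30.30.30.100 scope is an assumption.
PLAN = {
    "x4_interface": "10.10.10.1/24",        # appliance X4 (access controller)
    "router_uplink": "10.10.10.2/24",       # router interface facing the appliance
    "router_sp_side": "30.30.30.1/24",      # router interface facing the SonicPoints
    "route_destination": "30.30.30.0/255.255.255.0",
    "route_gateway": "10.10.10.2",
    "dhcp_relay_target": "10.10.10.1",
    "option_138": ["10.10.10.1"],           # CAPWAP AC IPv4 Address List value
    "scope_start": "30.30.30.2",
    "scope_end": "30.30.30.100",
    "scope_gateway": "30.30.30.1",
    "scope_mask": "255.255.255.0",
}


def validate_plan(p):
    """Return a list of inconsistencies; an empty list means the plan agrees."""
    x4 = ip.ip_interface(p["x4_interface"])
    uplink = ip.ip_interface(p["router_uplink"])
    sp_side = ip.ip_interface(p["router_sp_side"])
    dest = ip.ip_network(p["route_destination"])
    gw = ip.ip_address(p["route_gateway"])
    start = ip.ip_address(p["scope_start"])
    end = ip.ip_address(p["scope_end"])
    scope_gw = ip.ip_address(p["scope_gateway"])
    scope_net = ip.ip_network(f'{p["scope_gateway"]}/{p["scope_mask"]}', strict=False)

    checks = [
        (uplink.network == x4.network, "router uplink is not on the X4 subnet"),
        (gw == uplink.ip, "route gateway is not the router's uplink address"),
        (gw in x4.network, "route gateway is not reachable from X4"),
        (dest == sp_side.network, "route destination is not the SonicPoint subnet"),
        (start <= end, "DHCP range start is above range end"),
        (start in scope_net and end in scope_net,
         "DHCP range is outside the default gateway's subnet"),
        (not start <= scope_gw <= end, "default gateway lies inside the DHCP range"),
        (scope_gw == sp_side.ip, "scope gateway is not the router's SonicPoint-side address"),
        (ip.ip_address(p["dhcp_relay_target"]) == x4.ip, "DHCP relay does not point at X4"),
        (str(x4.ip) in p["option_138"], "option 138 does not list the X4 address"),
    ]
    return [message for ok, message in checks if not ok]


if __name__ == "__main__":
    print(validate_plan(PLAN) or "plan is consistent")
    # A range that spills into another subnet is reported.
    print(validate_plan(dict(PLAN, scope_end="30.30.31.100")))
```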


Configuring SonicPoint Virtual Access Points for Layer 3 Management

This scenario extends the previous example, Configuring Basic SonicPoint Layer 3
Management, by adding Virtual Access Points (VAPs) for the SonicPoints.

To configure VAPs for SonicPoint Layer 3 Management, perform the following steps:

Configuring a WLAN Interface for VAPs

Configuring a VAP Object

Configuring a VAP Group

Assigning a VAP Group to a SonicPoint


Configuring a WLAN Interface for VAPs


To configure a WLAN interface for the VAPs:
Step 1 Navigate to the Network > Interfaces page.
Step 2 Click Add Interface.
The Add Interface dialog appears.
Step 3 From the Zone menu, select WLAN.
Step 4 From the menu, select
Step 5 From the VLAN Tag menu, select 4.
Step 6 From the Parent Interface menu, select WT0.
Step 7 From the Mode / IP Assignment menu, select Static.
Step 8 In the IP Address box, enter the IP address for the WLAN. For example, 172.4.1.1.
Step 9 In the Subnet Mask box, enter the Subnet Mask. For example, 255.255.255.0.
Step 10 From the SonicPoint Limit menu, select 48 SonicPoints.
Step 11 Click OK.

Configuring a VAP Object


To configure a VAP object on a Dell SonicWALL network security appliance:
Step 1 Navigate to the SonicPoint > Virtual Access Point page.
Step 2 In the Virtual Access Points table, click Add.
The Virtual Access Point General Settings dialog appears.
Step 3 In the Name box, enter a descriptive name for the VAP.
Step 4 In the SSID box, enter an SSID that represents the Layer 3 management network. For example,
wirelessDev_L3_vap.
Step 5 From the VLAN ID menu, select the VLAN Tag ID that you configured in Configuring a WLAN
Interface for VAPs. For example, ID 4.
Step 6 Select the Enable Virtual Access Point option.
Step 7 Click OK.
Step 8 Repeat this procedure to add additional Virtual Access Points.


Configuring a VAP Group


To configure a VAP group:
Step 1 Navigate to the SonicPoint > Virtual Access Point page.
Step 2 In the Virtual Access Points Groups table, click Add Group.
The Add Virtual Access Point Group dialog appears.
Step 3 In the Virtual AP Group Name box, enter a name for the VAP group. For example, L3 VAP
Group.
The Available Virtual AP Objects box should be populated with the VAP objects you created
in Configuring a VAP Object.
Step 4 Move the VAP objects you want from the Available Virtual AP Objects box to the Member of
Virtual AP Group box.
Step 5 Click OK.


Assigning a VAP Group to a SonicPoint


To assign a VAP group to a SonicPoint that is connected to a third-party router:
Step 1 Navigate to the SonicPoint > SonicPoints page.
Step 2 Click the Configure icon for the SonicPoint you want to configure.
The Edit SonicPoint Profile dialog appears.
Step 3 Select the Enable SonicPoint option.
Step 4 From the 802.11n Radio Virtual AP Group menu, select the Virtual AP Group you created in
Configuring a VAP Group. For example, L3 VAP Group.
Step 5 Click OK.


Configuring Layer 3 Management over IPSec


In this example, the central IPSec gateway acts as the SonicPoint WLAN controller. The
SonicPoint is deployed under the VPN local LAN subnet of the remote IPSec gateway.
SonicPoint clients receive a DHCP client lease for the SonicPoint from the DHCP scope on the
central gateway. The DHCP over VPN feature must be configured on the remote IPSec
gateway.

Note: This example assumes that the VPN IPSec tunnel between the two Dell SonicWALL security
appliances is established successfully.

1. Configuring the VPN Tunnel on the Central Gateway
2. Configuring the VPN Tunnel on the Remote Gateway
3. Configuring the CAPWAP DHCP Option Object on the Central Gateway
4. Configuring the DHCP Scope on the Central Gateway
5. Configuring the WT0 Interface on the Central Gateway


Configuring the VPN Tunnel on the Central Gateway


To configure the VPN tunnel on the Central Gateway:
Step 1 On the Central Gateway management interface, navigate to the VPN > Settings page.
Step 2 Under the VPN Policies table, click Add.
The VPN Policy, General tab dialog appears.
Step 3 From the Policy Type menu, select Site to Site.
Step 4 From the Authentication Method menu, select the method you want.
For example, IKE using Preshared Secret.
Step 5 In the Name menu, enter a descriptive name for the VPN tunnel.
For example, VPN to Central Gateway.
Step 6 In the IPSec Primary Gateway Name or Address menu, enter the IP address of the remote
gateway. For example, 10.03.49.77.
Step 7 If you are using IKE, configure the IKE authentication settings.
Step 8 Click the Network tab.
Step 9 Under Local Networks, select the Choose local network from list option.
Step 10 From the Choose local network from list menu, select X0 Subnet.
Step 11 Under Remote Networks, select the option you want and the network you want from the menu.
Step 12 Click the Advanced tab.
Step 13 Select the Allow SonicPointN Layer 3 Management option.
Step 14 Click OK.
Step 15 Navigate to the VPN > DHCP over VPN page.
Step 16 From the DHCP over VPN menu, select Central Gateway.
Step 17 Click the Configure button.
The DHCP over VPN Configuration dialog appears.
Step 18 Select the following options:
Use Internal DHCP Server
For Global VPN Client
For Remote Firewall
Step 19 Click OK.


Configuring the VPN Tunnel on the Remote Gateway


To configure the VPN tunnel on the remote gateway:
Step 1 On the Remote Gateway management interface, navigate to the VPN > Settings page.
Step 2 Under the VPN Policies table, click Add.
The VPN Policy, General tab dialog appears.
Step 3 From the Policy Type menu, select Site to Site.
Step 4 From the Authentication Method menu, select the appropriate method for your network.
For example, IKE using Preshared Secret.
Step 5 In the Name menu, enter a descriptive name for the VPN tunnel.
For example, VPN to Remote Gateway.
Step 6 In the IPSec Primary Gateway Name or Address menu, enter the IP address of the remote
gateway. For example, 10.03.49.79.
Step 7 Click the Network tab.
Step 8 Under Local Networks, select the Choose local network from list option.
Step 9 From the Choose local network from list menu, select X0 Subnet.
Step 10 Under Remote Networks, select the option you want and the network you want from the
appropriate menu.
Note: If you have not created an address object for your remote gateway, you can do so by
selecting Create new address object from one of the menus.
Step 11 Under Remote Networks, select Create new address object from the appropriate menu.
The Add Address Object dialog appears.
Step 12 In the Name box, enter Remote Gateway X0 Subnet.
Step 13 From the Zone menu, select LAN.
Step 14 From the Type menu, select Network.
Step 15 In the Network box, enter the IP address of the remote gateway. For example, 192.168.168.0.
Step 16 In the Netmask/Prefix Length box, enter the mask. For example, 255.255.255.0.
Step 17 Click the Advanced tab.
Step 18 Select the Allow SonicPointN Layer 3 Management option.
Step 19 Click OK.
Step 20 Navigate to the VPN > DHCP over VPN page.
Step 21 From the DHCP over VPN menu, select Remote Gateway, and click the Configure button.
The DHCP over VPN Configuration dialog appears.
Step 22 From the DHCP lease bound to menu, select the interface that is connected to the SonicPoint.
For example, Interface X7.
Step 23 (Optional) Select the Accept DHCP Request from bridged WLAN interface option if you want
it.
Step 24 In the Relay IP Address box, enter the IP address of the interface connected to the SonicPoint.
For example, 30.30.30.1.
Step 25 In the Remote Management IP Address menu, enter the IP address that is used to manage
this Dell SonicWALL security appliance remotely from behind the Central Gateway.
Note: This IP address was configured in Configuring the Access Controller Interface,
and must be reserved in the DHCP scope on the DHCP server. In our example it is
10.10.10.1.
Step 26 Select the Block traffic through tunnel when IP spoof detected option.
Step 27 Select the Obtain temporary lease from local DHCP server if tunnel is down option.
Step 28 In the Temporary Lease Time (minutes) box, leave the default value of 2.
Step 29 Click OK.


Configuring the CAPWAP DHCP Option Object on the Central Gateway


To configure the CAPWAP DHCP Option Object on the Central Gateway:
Step 1 On the Central Gateway management interface, navigate to the Network > DHCP Server page.
Step 2 Under the DHCP Server Settings panel, click Advanced.
The DHCP Advanced Settings dialog appears.
Step 3 Click Add Option.
The Add DHCP Option Object window is displayed.
Step 4 In the Option Name box, enter a descriptive name, such as capwap.
Step 5 From the Option Number menu, select 138 (CAPWAP AC IPv4 Address List).
Step 6 In the Option Value box, enter the IP address you want to use for the DHCP group.
For example, 192.168.168.168.
Step 7 Click OK to add the DHCP Option Object.
Step 8 Click OK to close the DHCP Advanced Settings window and return to the Network > DHCP
Server page.
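
The option object configured here, and earlier in Configuring the DHCP Server, is DHCP option 138, an array of IPv4 access controller addresses (RFC 5417). The following Python sketch is an added example, not part of the Dell SonicWALL guide: it encodes the option, parses it out of a DHCP options field, and checks that only expected controllers are advertised to the access points. The function names and the sample byte strings are constructed for illustration.

```python
import ipaddress

CAPWAP_AC_V4 = 138                       # option number selected in the UI (RFC 5417)
PAD, END = 0, 255                        # single-byte options with no length field
MAGIC_COOKIE = bytes([0x63, 0x82, 0x53, 0x63])   # precedes the DHCP options


def encode_option_138(ac_addresses):
    """Build option 138 as an array of packed IPv4 addresses."""
    payload = b"".join(ipaddress.IPv4Address(a).packed for a in ac_addresses)
    if not payload or len(payload) > 255:
        raise ValueError("option 138 carries between 1 and 63 IPv4 addresses")
    return bytes([CAPWAP_AC_V4, len(payload)]) + payload


def parse_options(options_field):
    """Walk the code/length/value options after the magic cookie."""
    if options_field[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 4
    while i < len(options_field):
        code = options_field[i]
        if code == END:
            break
        if code == PAD:
            i += 1
            continue
        if i + 1 >= len(options_field):
            raise ValueError("truncated option header")
        length = options_field[i + 1]
        value = options_field[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} is truncated")
        opts[code] = opts.get(code, b"") + value   # split options are concatenated
        i += 2 + length
    return opts


def capwap_controllers(options_field):
    """Return the access controller addresses advertised in option 138."""
    raw = parse_options(options_field).get(CAPWAP_AC_V4, b"")
    if len(raw) % 4:
        raise ValueError("option 138 length is not a multiple of 4")
    return [str(ipaddress.IPv4Address(raw[i:i + 4])) for i in range(0, len(raw), 4)]


def check_offer(options_field, expected_acs):
    """ok is True only if option 138 is present and lists only expected ACs."""
    advertised = capwap_controllers(options_field)
    unexpected = [a for a in advertised if a not in expected_acs]
    return bool(advertised) and not unexpected, unexpected


# Constructed sample options fields (option 53 value 2 marks a DHCPOFFER).
# 10.10.10.1 is the guide's example X4 address; 10.10.10.99 is made up.
GOOD_OFFER = MAGIC_COOKIE + bytes([53, 1, 2]) + encode_option_138(["10.10.10.1"]) + bytes([END])
ODD_OFFER = (MAGIC_COOKIE + bytes([53, 1, 2])
             + encode_option_138(["10.10.10.1", "10.10.10.99"]) + bytes([END]))
NO_138 = MAGIC_COOKIE + bytes([53, 1, 2, END])

if __name__ == "__main__":
    for name, offer in (("good", GOOD_OFFER), ("odd", ODD_OFFER), ("none", NO_138)):
        print(name, check_offer(offer, ["10.10.10.1"]))
```

Feeding it the options field of a lease captured on the SonicPoint side of the router confirms that the relay path delivers the option and that the listed controller is the intended appliance.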


Configuring the DHCP Scope on the Central Gateway


To configure the DHCP Scope on the Central Gateway:
Step 1 On the Central Gateway management interface, navigate to the Network > DHCP Server page.
Step 2 Click the Add Dynamic button.
The Dynamic Range Configuration dialog appears.
Step 3 Configure the following settings:
Step 4 Select the Enable this DHCP Scope option.
Step 5 In the Range Start box, enter the IP address at which to start the DHCP range.
For example, 30.30.30.2.
Note: The range values must be within the same subnet as the Default Gateway.
For example, 30.30.30.2 to 30.30.30.100.
Step 6 In the Range End box, enter the IP address at which to end the DHCP range.
For example, 30.30.30.100.
Step 7 In the Lease Time (minutes) box, use the default value, 1440.
Step 8 In the Default Gateway box, enter the IP address of the default gateway.
Note: This value will be the IP address of the interface connected to the SonicPoint.
For example, 30.30.30.1.
Step 9 In the Subnet Mask box, enter the subnet mask of the default gateway.
For example, 255.255.255.0.
Step 10 Click the Advanced tab.
Step 11 In the DHCP Generic Options panel, from the DHCP Generic Option Group menu, select the
CAPWAP DHCP option.
Note: The CAPWAP DHCP option was created in Configuring the CAPWAP DHCP Option Object
on the Central Gateway.
Step 12 Select the Send Generic options always option.
Step 13 Click OK.


Configuring the WT0 Interface on the Central Gateway


To configure the Wireless Tunnel interface (WT0) on the Central Gateway:
Step 1 On the Central Gateway management interface, navigate to the Network > Interfaces page.
Step 2 Click Add WLAN Tunnel Interface. The Add WLAN Tunnel Interface window is displayed.
Step 3 From the Zone menu, select WLAN.
Step 4 In the Tunnel Id box, select 0.
Step 5 From the Tunnel Source Interface menu, select X0.
Step 6 From the Mode / IP Assignment menu, select Static IP Mode.
Step 7 In the IP Address box, enter 172.17.31.1.
Step 8 In the Subnet Mask box, enter 255.255.255.0.
Step 9 From the SonicPoint Limit menu, select the maximum number of SonicPoints allowed on your
network. For example, 48 SonicPoints.
Step 10 Click OK.
