Feb 22, 2012

Sonicwall with Spanning Tree Best Practices

Sweet baby Jesus I have to say that I love Sonicwall firewalls! I used to work at a company back when I started Bauer-Power that used various Sonicwall firewalls in over 30 locations around the United States. For the main offices they used Sonicwall Pro appliances, and for the small offices they used TZ-170's. It worked out great, and they are very easy to use. The company I went to after that used a Cisco ASA firewall that was pretty cool, but for me I just thought it was overly complicated. I wanted to go back to the comforting arms of Sonicwall.

Well at my current gig I got my wish, although it was a few months after I got started. They were using Sonicwalls, but they were managed for us by a group of incompetent, overcharging jerks (just my opinion). Anyway, we purchased the firewalls from them and took our business elsewhere. Now I am knee mutha' flippin' deep in all things Sonicwall, and I thought I would share with you some of my findings. I already shared with you how one configures an HA pair with HSRP a few days ago. Today I will talk about Sonicwall's compatibility issues with Spanning Tree (STP).

If you don't know what STP is, Wikipedia says:

The Spanning Tree Protocol (STP) is a network protocol that ensures a loop-free topology for any bridged Ethernet local area network. The basic function of STP is to prevent bridge loops and the broadcast radiation that results from them. Spanning tree also allows a network design to include spare (redundant) links to provide automatic backup paths if an active link fails, without the danger of bridge loops, or the need for manual enabling/disabling of these backup links.

There are two documents I will be referring to in this post. One is the HA configuration guide for several Sonicwall devices here: (How to Configure High Availability (HA) in SonicOS Enhanced)

The other is a PDF on the best practices for deploying SonicPoint devices: (SonicWALL SonicPoint Deployment Best Practices Guide)

The first one has this to say about switch ports that are connected to Sonicwall ports:

If you are connecting the Primary and Backup appliances to an Ethernet switch that uses the spanning tree protocol, please be aware that it may be necessary to adjust the link activation time on the switch port that the SonicWALL interfaces connect to. For example, on a Cisco Catalyst-series switch, it is necessary to activate spanning tree port fast for each port connecting to the SonicWALL security appliance’s interfaces.

That is all well and good. I am actually connecting the appliance to some Dell PowerConnect 5424 switches, and have spanning tree port fast (Fastlink if you use the web GUI) enabled on the ports connected to the Sonicwall. For the most part this works fine, but if the network drops for a few seconds, I have noticed that it will cause a failover for about a minute, then it will fail right back. That is not good at all. It doesn't cause any outages with our web servers per se, but it does create a hiccup that lasts for a few seconds.

With that little issue I searched around for some more info on Sonicwall and STP and I found the following in the second document:

When an Ethernet port becomes electrically active, most switches by default will activate the spanning-tree protocol on the port to determine if there are loops in the network topology. During this detection period of 50-60 seconds the port does not pass any traffic – this feature is well-known to cause problems with SonicPoints. If you do not need spanning-tree, disable it globally on the switch, or disable it on each port connected to a SonicPoint device.

So one document recommends enabling port fast with STP, and one says just disable STP if possible. I realize that a SonicPoint is different from a Sonicwall NSA appliance, but if they both have known issues with STP, I think it is best practice to disable it altogether on the ports connected to the Sonicwall. If your switch doesn't support turning off STP for individual ports, you may just want to disable it altogether if you're going to use a Sonicwall firewall. You will have to be especially careful not to create loops in your network though.
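As an added example that is not part of the original post or of either Sonicwall document, here is a small Python script that audits a switch running-config for the settings discussed above. It assumes Cisco IOS syntax (the syntax the HA guide mentions, not the Dell PowerConnect CLI actually in use here), and both config fragments are constructed samples: one with STP disabled globally, the last-resort option above, and one with port fast plus BPDU guard on the firewall-facing ports. BPDU guard is a standard IOS complement to port fast that neither Sonicwall document mentions: it shuts an edge port down if a bridge PDU arrives on it, so a port that skips the listening/learning delay still can't quietly become part of a loop if someone plugs a switch into it.

```python
import re

# Constructed sample (assumption: Cisco IOS syntax). STP is switched off for
# every VLAN, port fast is on an uplink trunk, and the backup firewall port
# has no port fast at all, so it would wait out the full STP timers.
WEAK_CONFIG = """\
!
no spanning-tree vlan 1-4094
!
interface GigabitEthernet0/1
 description Sonicwall X0 (Primary)
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
interface GigabitEthernet0/2
 description Sonicwall X0 (Backup)
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/24
 description uplink to core
 switchport mode trunk
 spanning-tree portfast
!
"""

# Constructed sample: STP stays on, only the firewall-facing edge ports get
# port fast, and each of them also has BPDU guard.
HARDENED_CONFIG = """\
!
spanning-tree mode rapid-pvst
!
interface GigabitEthernet0/1
 description Sonicwall X0 (Primary)
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/2
 description Sonicwall X0 (Backup)
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/24
 description uplink to core
 switchport mode trunk
!
"""


def parse_interfaces(config: str) -> dict[str, list[str]]:
    """Split an IOS-style config into {interface name: [commands in that block]}."""
    interfaces: dict[str, list[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the block
    return interfaces


def audit_stp(config: str) -> list[str]:
    """Return one finding string per problem; an empty list means clean."""
    findings = []
    # Global check: 'no spanning-tree vlan ...' removes loop protection for the
    # whole switch, which is the risk the post warns about.
    for m in re.finditer(r"^no spanning-tree vlan (\S+)", config, re.M):
        findings.append(f"global: spanning tree disabled for VLAN(s) {m.group(1)}")
    for name, lines in parse_interfaces(config).items():
        portfast = any(l.startswith("spanning-tree portfast") for l in lines)
        bpduguard = "spanning-tree bpduguard enable" in lines
        trunk = "switchport mode trunk" in lines
        firewall = any(l.startswith("description") and "sonicwall" in l.lower()
                       for l in lines)
        if portfast and trunk:
            findings.append(f"{name}: portfast configured on a trunk port (uplinks should run full STP)")
        if portfast and not bpduguard:
            findings.append(f"{name}: portfast without bpduguard (a mis-cabled switch would not be shut down)")
        if firewall and not portfast:
            findings.append(f"{name}: firewall-facing port still waits for STP listening/learning before forwarding")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for f in audit_stp(cfg) or ["no findings"]:
            print(" ", f)
```

Run it as-is and the weak config produces five findings (the global STP shutdown, the primary port missing BPDU guard, the backup port with no port fast, and two for the trunk), while the hardened config produces none. Point `audit_stp` at the output of `show running-config` from your own switch to get the same report for real ports; the description match on "sonicwall" is just the convention used in the constructed samples.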

Are any of you Sonicwall CSSA certified? If so, can you shed some light on this? Do you agree with my evaluation? Disagree? Let me know in the comments.
