Dell Networking Wired, Wireless and Security Solutions Lab

The Dell Networking wired, wireless and security solutions lab demonstrates employee and guest wireless access with policies and content filtering. Each lab station represents a remote site, incorporating a SonicWALL TZ300 for security, an X-Series X1008P or X1018P switch for Ethernet connectivity, and an Instant Access Point IAP-205 for wireless device access. Learn more: http://dell.com/networking

Published in: Devices & Hardware

  1. 1. Dell Enterprise User Forum: NHOL4 Dell Networking Wired, Wireless and Security Solutions Lab
  2. 2. W-Series Instant Access Points SonicWALL TZ Series Firewalls X-Series Smart Managed Switches Dell Gear You will use in the Lab
  3. 3. Lab Setting • Each of your Stations – Represents an office or branch within a larger business › (or an individual office for a smaller business) – Guest & Employee at each location – Wireless, Wired, Firewall at each location Headquarters Offices
  4. 4. Lab Agenda & Plan • Administrator GUIs for W-Instant, X-Series, and SonicWALL • Setup key interfaces and features • Test the resulting access connectivity and security set up in the lab
  5. 5. Lab Flow Configure •Configure X-Series switch – VLANs for Employee and Guest – Assign VLANs to ports •Configure SonicWALL – Interfaces and site-to-site VPN •Configure Wireless Access Point – Guest and Employee access Test •Test Guest access – Access “internet” – Blocked access to corporate data center •Test Employee access – Access “internet” – Access corporate data center through VPN •Enable App Control – Test image files are identified by signature and blocked
  6. 6. Notes •Configurations are for demonstration purposes only •Chrome is the default browser for all configuration tasks •Wireless authentication used is WPA2-PSK (pre-shared key) – W-Instant Access Points are capable of enterprise 802.1x authentication. •Internet access is simulated – Public internet is simulated with a single subnet, and a webserver hosting a custom “public” website. – Corporate Data Center is simulated with a separate webserver hosting a custom “private” website.
  7. 7. Administrator network • This lab can be fully configured through the admin network • Access through SSID: stationX_admin • Click on WLAN icon in toolbar, select the admin network according to your station number • password “dell1234” Lab stations are numbered 1 thru 8. Several configuration settings use the lab station numbers • example: Subnets 172.20.X.1 and 10.1.100.X • Wireless SSIDs: E_TestX and G_TestX Replace X with station number (see lab guide)
  8. 8. Lab
  9. 9. Dell World User Forum: NHOL4 Session Dell Networking Wired, Wireless and Security Solutions Lab Step-by-Step Lab Guide Dell Network Solutions Engineering October 2015
  10. 10. 2 Revisions Date Description Authors October 2015 Initial release Colin King, Neal Beard ©2015 Dell Inc., All rights reserved. Except as stated below, no part of this document may be reproduced, distributed or transmitted in any form or by any means, without express permission of Dell. You may distribute this document within your company or organization only, without alteration of its contents. THIS DOCUMENT IS PROVIDED “AS-IS”, AND WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED. IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE SPECIFICALLY DISCLAIMED. PRODUCT WARRANTIES APPLICABLE TO THE DELL PRODUCTS DESCRIBED IN THIS DOCUMENT MAY BE FOUND AT: http://www.dell.com/learn/us/en/vn/terms-of-sale-commercial-and-public-sector-warranties Performance of network reference architectures discussed in this document may vary with differing deployment conditions, network loads, and the like. Third party products may be included in reference architectures for the convenience of the reader. Inclusion of such third party products does not necessarily constitute Dell’s recommendation of those products. Please consult your Dell representative for additional information. Trademarks used in this text: Dell™, the Dell logo, Dell Boomi™, Dell Precision™ ,OptiPlex™, Latitude™, PowerEdge™, PowerVault™, PowerConnect™, OpenManage™, EqualLogic™, Compellent™, KACE™, FlexAddress™, Force10™ and Vostro™ are trademarks of Dell Inc. Other Dell trademarks may be used in this document. Cisco Nexus®, Cisco MDS®, Cisco NX- 0S®, and other Cisco Catalyst® are registered trademarks of Cisco System Inc. EMC VNX®, and EMC Unisphere® are registered trademarks of EMC Corporation. Intel®, Pentium®, Xeon®, Core® and Celeron® are registered trademarks of Intel Corporation in the U.S. and other countries. AMD® is a registered trademark and AMD Opteron™, AMD Phenom™ and AMD Sempron™ are trademarks of Advanced Micro Devices, Inc. 
Microsoft®, Windows®, Windows Server®, Internet Explorer®, MS-DOS®, Windows Vista® and Active Directory® are either trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries. Red Hat® and Red Hat® Enterprise Linux® are registered trademarks of Red Hat, Inc. in the United States and/or other countries. Novell® and SUSE® are registered trademarks of Novell Inc. in the United States and other countries. Oracle® is a registered trademark of Oracle Corporation and/or its affiliates. Citrix®, Xen®, XenServer® and XenMotion® are either registered trademarks or trademarks of Citrix Systems, Inc. in the United States and/or other countries. VMware®, Virtual SMP®, vMotion®, vCenter® and vSphere® are registered trademarks or trademarks of VMware, Inc. in the United States or other countries. IBM® is a registered trademark of International Business Machines Corporation. Broadcom® and NetXtreme® are registered trademarks of Broadcom Corporation. Qlogic is a registered trademark of QLogic Corporation. Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks and/or names or their products and are the property of their respective owners. Dell disclaims proprietary interest in the marks and names of others.
  11. 11. 3 Table of contents: Revisions; 1 Dell Networking Wired, Wireless and Security Solutions Lab; 1.1 Dell Networking X-Series Smart Managed Switches; 1.2 Dell SonicWALL TZ300 Firewall; 1.3 Dell Networking W-Series Instant Access Points, W-IAP205; 1.4 Lab Description and Diagram; 2 Dell Networking X-Series Configuration; 3 Dell Networking SonicWALL Firewall Configuration; 4 Dell Networking W-IAP205 Wireless Configuration; 5 Dell Networking Testing and Validation; A Important Lab IP Address Information; B Lab Notes
  12. 12. 4 1 Dell Networking Wired, Wireless and Security Solutions Lab 1.1 Dell Networking X-Series Smart Managed Switches Dell Networking X-Series 1008 and 1018P The Dell Networking X-Series is a family of smart managed 1GbE and 10GbE Ethernet switches designed for those who need enterprise-class network control fused with consumer-like ease. Features Demonstrated in this lab • Managed mode with GUI • Setup VLANs and interface IPs • Trunk mode on interface to wireless access points • DHCP server • PoE/PoE+ interface powering for wireless access points 1.2 Dell SonicWALL TZ300 Firewall Dell SonicWALL TZ300 Dell SonicWALL TZ series firewalls are high-performance, enterprise-grade network security solutions. Dell SonicWALL products encompass enterprise grade network protection that includes anti-malware, intrusion prevention, application control and content/URL filtering. Features Demonstrated in this lab Network Security with focus on: • Application Control • VPN – Site to Site
  13. 13. 5 1.3 Dell Networking W-Series Instant Access Points, W-IAP205 Dell Networking W-IAP205 W-Series access points maximize mobile device performance in enterprise WiFi environments. Features Demonstrated in this lab • Employee and Guest wireless access with policies • Captive portal with authentication 1.4 Lab Description and Diagram This lab demonstrates employee and guest wireless access with policies and content filtering. Each station represents a remote site, incorporating security, switching, and wireless devices. Lab attendees will start from a base configuration with some pre-configured settings to enable the features highlighted in the preceding pages. In this lab, attendees will gain expertise by: • Working with the administrator GUIs • Setting up key interfaces and features • Testing connectivity and security
  14. 14. 6
  15. 15. 7 2 Dell Networking X-Series Configuration Dell Networking X-Series 1008 and 1018P Objectives: • Configure employee VLAN 20 – Assign VLAN to ports 7 and 8 – Assign VLAN interface an IP address • Configure guest VLAN 30 – Assign VLAN to ports 5 and 6 – Assign VLAN interface an IP address • Define a static default route to the employee interface on the SonicWALL Step 1 Connect to the wireless network for your station number SSID: “stationX_admin” (X is the station number). Password: dell1234 Launch the Chrome browser and type in 192.168.2.1 to browse to the X-Series login page. Login with username and password of admin/admin and hit enter.
  16. 16. 8 Step 2 In the X-Series Dell Networking Administrator GUI Dashboard view, click on the VLAN radio button under the Configure menu on the right hand side of the screen. This will launch the VLAN wizard and allow the Guest and Employee VLANs to be configured. Step 3 In the VLAN wizard, choose Configure VLAN and click Next. Step 4 Click on the +Add button to add the Employee VLAN 20
  17. 17. 9 Step 5 Enter 20 in the VLAN ID field and Employee in the VLAN Name field and click Ok. Step 6 Click the +Add button to add the Guest VLAN 30 Step 7 Enter 30 in the VLAN ID field and Guest in the VLAN Name field and click Ok.
  18. 18. 10 Step 8 After creating VLANs 20 and 30 for the Employee and Guest networks, click Next to review the VLANs created. Step 9 After confirming that the VLAN numbering and names are correct, click Apply to assign ports to the VLANs.
  19. 19. 11 Step 10 After clicking the Apply button in Step 9, the Assign Ports to VLAN wizard is launched. Click Yes to confirm that assigning ports to VLANs is the next task. Step 11 Click on ports 7 and 8 (highlights blue), click on Vlan ID 20, then choose Next.
  20. 20. 12 Step 12 Review that the correct ports are assigned to the correct Vlan ID, then click Apply. Step 13 In the X-Series Dell Networking Administrator GUI Dashboard view, click on the VLAN radio button under the Configure menu on the right hand side of the screen. This will launch the VLAN wizard and allow ports 5 and 6 to be assigned to the Guest VLAN 30.
  21. 21. 13 Step 14 Select Configure and Assign Ports to VLAN and click Next Step 15 Click on ports 5 and 6, click on Vlan ID 30 then choose Next.
  22. 22. 14 Step 16 Review that the correct ports are assigned to the correct Vlan ID then click Apply. Now that the Guest and Employee VLANs have been created and ports have been assigned the next step is to assign an IP address to each Vlan interface. Step 17 From the X-Series Dashboard main menu click on Switch Management then click on IPv4 Addressing. In the IPv4 Addressing menu VLAN1 is assigned the current management IP address, click on the Edit icon on the right hand side of the screen to start assigning IP addresses to the Guest and Employee VLANs.
  23. 23. 15 Step 18 Click on the +Add button Step 19 In the Add IPv4 Addressings page for the Employee Vlan 20: • Interface Type: VLAN • Interface: 20 • IP Address Source: Static • IP address: 172.20.X.1 (X is station number) • Address Class: Prefix Length • Prefix Length: 24 Finally in the Apply to: field use the drop down arrow and pick Running and Startup Configuration then click on Ok.
  24. 24. 16 Step 20 Click on Edit again, then +Add icon to add the IP interface to Guest Vlan 30 Step 21 In the Add IPv4 Addressings page for the Guest Vlan 30: • Interface Type: VLAN • Interface: 30 • IP Address Source: Static • IP address: 172.30.X.1 (X is station number) • Address Class: Prefix Length • Prefix Length: 24 Finally in the Apply to: field use the drop down arrow and pick Running and Startup Configuration then click on Ok.
  25. 25. 17 Step 22 In the IPv4 Addressing page confirm that the correct IP addresses have been assigned to the correct VLAN interfaces. To exit this menu click on the Menu > navigation link then click on the Dashboard navigation link. Step 23 Now that the Vlans have had an IP address assigned to them the final step in the X-Series configuration is to assign a default static route that will allow a public address to route through the SonicWALL TZ300. In order to navigate to the IPv4 Route Settings, from the main Dashboard menu click on Network Administration, then click on Route Settings, then click on IPv4 Route Settings. In order to set a default station route click on the Edit icon. (IPv4 routes list is shown below, hit down arrow to reveal if desired)
  26. 26. 18 Step 24 In the Add IPv4 Routes Table page: • Destination IPv4 Prefix: 0.0.0.0 • Network Mask: 0.0.0.0 • Route Type: Remote • Next Hop: 172.20.X.2 (X is station number) Finally in the Apply to: field use the drop down arrow and pick Running and Startup Configuration then click on Ok. Step 25 In the Edit IPv4 Routes Table page confirm that the static default route is input correctly, then click on the X to exit this menu.
  27. 27. 19 Step 26 The final step in the X-Series lab configuration will be to save all the switch settings to the Startup Configuration. Click on the Gear Icon in the upper right corner and then click on Save to Startup Configuration.
  28. 28. 20 3 Dell Networking SonicWALL Firewall Configuration Dell Networking SonicWALL TZ300 Objectives: • Configure the X3 interface – Assign an Employee IP address – Assign this interface to a VPN • Configure the X4 interface – Assign a Guest IP address • Set the VPN to allow the X3 interface Step 1. Launch the Chrome browser and type in 192.168.2.2 to browse to the SonicWALL login page. Login with username and password of admin/password and hit enter. Note: If the Chrome browser flashes the warning “Your connection is not private”, click on the Advanced link and then click on Proceed to 192.168.2.2 (unsafe).
  29. 29. 21 Step 2 In the SonicWALL browser interface, click on Network then click on Interfaces. In the Interfaces section click on the Configure icon to the far right of the X3 interface. Step 3 In the Edit Interface applet window, Under the General Tab click on the Unassigned field across from Zone: and choose LAN
  30. 30. 22 Step 4 Once LAN is chosen for the Zone, the next menu choices are: • Mode / IP Assignment: Static IP Mode • IP Address: 172.20.X.2 (X is station number) • Subnet Mask: 255.255.255.0 • Management: HTTPS and Ping Once all the values are entered click Ok, this will return you back to the Interfaces section.
  31. 31. 23 Step 5 In the SonicWALL browser interface, click on Network then click on Interfaces. In the Interfaces section click on the Configure icon to the far right of the X4 interface. Step 6 In the Edit Interface applet window, Under the General Tab click on the Unassigned field across from Zone: and choose LAN. (see picture in Step 3 above) Step 7 Once LAN is chosen for the Zone, the next menu choices are: • Mode / IP Assignment: Static IP Mode • IP Address: 172.30.X.2 (X is station number) • Subnet Mask: 255.255.255.0 • Management: HTTPS and Ping Once all the values are entered click Ok, this will return you back to the Interfaces section.
  32. 32. 24 Step 8 Next go down the menu to VPN and click on the Add button. Step 9 In the General tab under Security Policy enter the following values: • Policy type: Site to Site • Authentication Method: IKE using Preshared Secret • Name: To_Corporate • IPsec Primary Gateway Name or Address: 10.1.100.200 In the IKE Authentication section enter the following values: • Shared Secret: dell • Confirm Shared Secret: dell • Local IKE ID: 10.1.100.X (X is station number) • Peer IKE ID: 10.1.100.200 Do not click OK, Continue with Step 10.
  33. 33. 25 Step 10 Once all the values have been entered on the General tab, click on the Network tab. Local Networks section: Choose local network from list: X3 Subnet Remote Networks section: Choose destination network from list: click on the Select Remote Network drop down arrow and select create new address object Step 11 When create new address object is selected this generates a new applet window. In this applet window enter: • Name: Corporate • Zone Assignment: LAN • Type: Network • Network: 172.20.100.0 • Netmask/Prefix Length: 255.255.255.0 Once these values have been entered click Ok
  34. 34. 26 Step 12 Once the values have been properly entered in the Network tab section (Do not click Ok), click on the Advanced tab and check the box next to Enable Keep Alive. Click Ok. Step 13 Once the VPN values have been entered and you have clicked Ok in the Advanced tab, the SonicWall GUI will return to the main VPN interface. In the main VPN interface we can see that VPN Policy is green or healthy. In the Currently Active VPN Tunnels section, we can see that the VPN policy To_Corporate is listed.
  35. 35. 27 4 Dell Networking W-IAP205 Wireless Configuration Dell Networking W-Series W-IAP205 Objectives: • Configure the Employee WLAN • Configure the Guest WLAN • Set the VPN Step 1 Launch the Chrome browser and type in 192.168.2.10X (X is station number) to browse to the W-IAP205 login page. Login with username and password of admin/admin and hit enter.
  36. 36. 28 Note: If the Chrome browser flashes a warning “Your connection is not private”. Click on the Advanced link and then click on Proceed to 192.168.2.2 (unsafe). Step 2 In the W-IAP205 main page under the Network menu click on New
  37. 37. 29 Step 3 In this step the Employee wireless network will be created. After clicking on New, a New WLAN window will be launched. In this New WLAN window enter in the name or SSID of the Employee network. For each assigned station the name will be E_TestX (X will be replaced with the assigned station number). Once the name has been entered click Next.
  38. 38. 30 Step 4 Under Client IP and VLAN Assignment: • Client IP assignment: Network assigned • Client VLAN assignment: Static • VLAN ID: 20 Click Next to go to the Security section. Step 5 In the Security section enter: • Passphrase: dell1234 • Retype: dell1234 Click Next
  39. 39. 31 Step 6 Click Finish to return to the main menu. Step 7 In the W-IAP205 main page under the Network menu click on New
  40. 40. 32 Step 8 In this step the Guest wireless network will be created. After clicking on New, a New WLAN window will be launched. In this New WLAN window enter in the name or SSID of the Guest network. For each assigned station the name will be G_TestX (X will be replaced with the assigned station number). Once the name has been entered go to Primary Usage and choose Guest click Next to continue. Step 9 In the VLAN section under Client VLAN assignment choose Custom. In the drop down menu next to Custom choose guest (vlan:30). Click Next to continue.
  41. 41. 33 Step 10. In the Security section choose: • Encryption: Enabled • Key management: WPA-2 Personal (default setting) • Passphrase: dell1234 • Retype: dell1234 • Redirect URL: http://10.1.100.101 Click Next to continue.
  42. 42. 34 Step 11 In the final Access Rules section click Finish. Step 12. In the main W-Series Instant IAP page we can see that both WLAN networks have been successfully configured.
  43. 43. 35 5 Dell Networking Testing and Validation Now that the networking equipment has been configured to allow guest and employee access to their online resources, we will test and validate the areas of concern. Step 1 Connect to the G_TestX (X is station number) WLAN in Windows Network and Sharing Center. Once you have connected, open chrome and enter the ip address 1.1.1.1 (or any other ip address). This demonstrates the fact that the IAP will redirect the guest user to the IAP captive portal splash page on any access attempt. Click on Accept and you will be redirected to the public internet site of the Guest network.
  44. 44. 36 Step 2 By accessing this website, this proves that the Guest network on the IAP can reach the internet through the X-Series switch and the SonicWALL firewall. The ip address 10.1.100.101 in the Chrome url bar is the same ip address entered in for the URL Redirect on the Security tab for step 10 during the IAP Guest network configuration. This setting can also be used to direct to an internal home page.
  45. 45. 37 Step 3 In the Chrome browser enter the ip address 172.20.100.100. This is the corporate data center web server for the Employee network, accessed through the VPN. This webpage will not be accessible by the Guest user due to the topology of this lab configuration. Administrators can further protect their network by implementing policies and zones within the firewall.
  46. 46. 38 Step 4 Disconnect from the Guest network (G_TestX) WLAN and connect to the Employee network (E_TestX) WLAN. Open the Chrome browser and enter the IP address 172.20.100.100 if it is not already there. This IP address gives the employee access to the internal data center web server.
  47. 47. 39 Step 5 Enter the IP address 10.1.100.101. This is the same public internet site that the Guest users were able to access. Step 6 Log in to the SonicWALL TZ300 admin page at the IP address 172.20.X.2 (X is station number) Reminder> username:admin password:password On the menu click on Firewall, then go to App Control Advanced. Under App Control Global Settings • Check Enable App Control • Check Enable Logging For All Apps Click Accept. Note: the IP management interface was enabled for all three interfaces: admin, employee, and guest.
  48. 48. 40 Step 7 TIME CHECK- The app control policy has already been configured for you. If you have time, follow steps 7, 8, and 9 to discover what the policy settings look like. If you’re limited on time, skip to step 10. In the App Control Page, scroll down to App Control Advanced and click on the Category drop down menu. Choose FILETYPE-DETECTION, click on the Configure icon for Image.
  49. 49. 41 Step 8 In the Image configuration settings: • Block: Enable • Log: Enable • Included Users/Groups: All (Admin, Employee, and Guest) • Included IP Address Range: All Click Cancel when you are finished reviewing the settings.
  50. 50. 42 Step 9 Under the App Control Advanced section, in View Style: click on the Application drop down menu and choose Image, next click on the Viewed By: drop down menu and choose Signature. We can now see what image file types the advanced app control is filtering or blocking.
  51. 51. 43 Step 10 Logout of the SonicWALL. Open a new browser window. In the Chrome browser click on the Clear Cache button on the bookmark bar then click on the Clear browsing data button.
  52. 52. 44 Step 11 In the Chrome URL field enter the ip address 10.1.100.101. With the SonicWALL firewall image app control enabled the .gif and .jpg images on the public internet web page are being blocked.
  53. 53. 45 Step 12. Log back in to the SonicWall firewall. In the SonicWALL menu scroll down to Log, click on it to expand its sub-menu choices and then click on Log Monitor. In the Log Monitor entries, there will be two Application Control Firewall Alerts for GIF and JPEG HTTP download attempts.
  54. 54. 46 A Important Lab IP Address Information

      Management IP addresses
      Station    X-Series Switch X-1008P/1018P   SonicWALL TZ300   W-Series Instant W-IAP205
      Station 1  192.168.2.1                     192.168.2.2       192.168.2.101
      Station 2  192.168.2.1                     192.168.2.2       192.168.2.102
      Station 3  192.168.2.1                     192.168.2.2       192.168.2.103
      Station 4  192.168.2.1                     192.168.2.2       192.168.2.104
      Station 5  192.168.2.1                     192.168.2.2       192.168.2.105
      Station 6  192.168.2.1                     192.168.2.2       192.168.2.106
      Station 7  192.168.2.1                     192.168.2.2       192.168.2.107
      Station 8  192.168.2.1                     192.168.2.2       192.168.2.108

      Employee VLAN 20 interface IP addresses
      Station    X-Series Switch X-1008P/1018P   SonicWALL TZ300
      Station 1  172.20.1.1                      172.20.1.2
      Station 2  172.20.2.1                      172.20.2.2
      Station 3  172.20.3.1                      172.20.3.2
      Station 4  172.20.4.1                      172.20.4.2
      Station 5  172.20.5.1                      172.20.5.2
      Station 6  172.20.6.1                      172.20.6.2
      Station 7  172.20.7.1                      172.20.7.2
      Station 8  172.20.8.1                      172.20.8.2

      Guest VLAN 30 interface IP addresses
      Station    X-Series Switch X-1008P/1018P   SonicWALL TZ300
      Station 1  172.30.1.1                      172.30.1.2
      Station 2  172.30.2.1                      172.30.2.2
      Station 3  172.30.3.1                      172.30.3.2
      Station 4  172.30.4.1                      172.30.4.2
      Station 5  172.30.5.1                      172.30.5.2
      Station 6  172.30.6.1                      172.30.6.2
      Station 7  172.30.7.1                      172.30.7.2
      Station 8  172.30.8.1                      172.30.8.2
  55. 55. 47 B Lab Notes:
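
The guest and employee results in section 5 follow from the per-station addressing plan and the To_Corporate policy's local and remote networks. The Python sketch below is an added example, not part of the Dell lab guide: it derives a station's plan from the guide's templates, checks it for addressing mistakes, and predicts the four test outcomes. It assumes the policy tunnels only traffic sourced from the X3 subnet and destined to the Corporate address object; the function names and the `.50` client addresses are hypothetical.

```python
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface, IPv4Network

# Values taken from the lab guide.
CORPORATE_NET = IPv4Network("172.20.100.0/24")   # "Corporate" address object
DATA_CENTER_WEB = IPv4Address("172.20.100.100")  # "private" web server
PUBLIC_WEB = IPv4Address("10.1.100.101")         # simulated "internet" site


@dataclass(frozen=True)
class StationPlan:
    station: int
    employee_switch: IPv4Interface  # X-Series VLAN 20 interface
    employee_fw: IPv4Interface      # SonicWALL X3, also the default next hop
    guest_switch: IPv4Interface     # X-Series VLAN 30 interface
    guest_fw: IPv4Interface         # SonicWALL X4
    local_ike_id: IPv4Address
    iap_mgmt: IPv4Address


def station_plan(x: int) -> StationPlan:
    """Substitute the station number X into the guide's address templates."""
    if not 1 <= x <= 8:
        raise ValueError("lab stations are numbered 1 through 8")
    return StationPlan(
        station=x,
        employee_switch=IPv4Interface(f"172.20.{x}.1/24"),
        employee_fw=IPv4Interface(f"172.20.{x}.2/24"),
        guest_switch=IPv4Interface(f"172.30.{x}.1/24"),
        guest_fw=IPv4Interface(f"172.30.{x}.2/24"),
        local_ike_id=IPv4Address(f"10.1.100.{x}"),
        iap_mgmt=IPv4Address(f"192.168.2.10{x}"),
    )


def plan_problems(plan: StationPlan) -> list[str]:
    """Return addressing mistakes that would break routing or VPN selection."""
    problems = []
    emp, guest = plan.employee_switch.network, plan.guest_switch.network
    if plan.employee_fw.network != emp:
        problems.append("default next hop is not on the employee subnet")
    if plan.guest_fw.network != guest:
        problems.append("X4 is not on the guest subnet")
    for name, net in (("employee", emp), ("guest", guest)):
        if net.overlaps(CORPORATE_NET):
            problems.append(f"{name} subnet overlaps the Corporate object")
    if emp.overlaps(guest):
        problems.append("employee and guest subnets overlap")
    return problems


def path(plan: StationPlan, src: IPv4Address, dst: IPv4Address) -> str:
    """Classify a flow as 'vpn', 'routed' or 'no-path' (assumed policy model)."""
    if dst in CORPORATE_NET:
        local_net = plan.employee_fw.network  # policy local network: X3 Subnet
        return "vpn" if src in local_net else "no-path"
    return "routed"


def expected_results(x: int) -> dict[str, str]:
    """Predicted outcome of the guide's guest and employee tests for station X."""
    plan = station_plan(x)
    # Constructed client addresses; the guide does not list the DHCP ranges.
    clients = {"guest": IPv4Address(f"172.30.{x}.50"),
               "employee": IPv4Address(f"172.20.{x}.50")}
    targets = {"public": PUBLIC_WEB, "datacenter": DATA_CENTER_WEB}
    return {f"{c}->{t}": path(plan, src, dst)
            for c, src in clients.items() for t, dst in targets.items()}


if __name__ == "__main__":
    for station in range(1, 9):
        assert not plan_problems(station_plan(station))
    for flow, result in expected_results(3).items():
        print(f"station 3 {flow}: {result}")
```

A mismatch between these predictions and what the browser shows in section 5 points at a mistyped interface address, next hop, or VPN network selection.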
