SonicWall NSA 240 to 6224 issue.

What is the sonic wall ip address?

When you say you can access the sonic wall from vlan 200, how are you accessing it?  what port?

When you say you cannot access the sonic wall from the other vlans, how are your trying to access it?

 

The SonicWall address is normally 192.168.100.254 (The 192.168.200.199 is the old firewall being used until the SW is up and working properly).

I can access the sonic wall from any vlan as long as I set the default route in the 6224 to the local interface of the SW on that vlan.  For example, if the sonic wall default XO interface is set to 192.168.100.254, and the sub-interface for VLAN 200 is set to 192.168.200.2, I can make VLAN 200 work correctly by setting the default route in the 6224 to point to 192.168.200.2.  Everything on the 200 Vlan works just fine, but I can't do anything with devices on VLAN 100, 110 or 120.  Ditto if I set the default route to point to the local SW address on one of the other vlans.  The SW is physically connected to 6224 switch port G1.

The most obvious is using ping, but all of the published systems on the various vlan only work if the default route is set to that specific VLAN.

I'm having the mirror conversations over on SonicWall's forum.  The problem seems to stem from how the trunk port is configured.  I initially configured this network using trunk ports between the seven managed switches, which seemed to work fine.  I was informed on the SW forum that the dell switch trunk port needed to be set to general in order for the firewall to work properly.  Once changed, the routing from the SonicWall worked correctly on all VLANS, but it was causing terminal applications to disconnect.  In response, I restored the sonicwall to factory defaults and reconfigured.  But, now it doesn't route correctly.  So that's why I'm asking here to see if anyone sees anything wrong with my 6224 configuration before I press the issue over at SW.

I hope that makes sense, and I do appreciate your time.

Good questions. 

Each system uses the appropriate vlan address of the L3 switch as the gateway.  The subnet's are correct on the systems within each vlan. I don't have any troubles with routing between the various vlans on any of the switches.

Regarding no ip proxy-arp, that must be the default setting.  I haven't changed any settings on this.

The vlan association entries come from the Bind IP Subnet section on the GUI.

I am unable to ping the 192.168.100.254 address from any vlan besides the 100 vlan.  I can, however ping any other device on the 100 vlan from any other vlan.

Subnets and addressing are correct and double checked.

Some questions that may or may not help figure this out.

What are the default routes of the systems you are pinging from set to?  The default route of your systems needs to be the IP address of the appropriate vlan of the 6224.

 Why do you have the vlans set for "no ip proxy-arp"?  This will keep the router from responding to ARP requests for routing interfaces.

Why are you using the "vlan association" entries?  This seems odd since this will allow ingress untagged traffic on trunk/general ports to be put in the listed vlan, however on your general ports you are egressing only tagged traffic.

Are you trying to ping SW 192.168.100.254 address from the different vlans or are you pinging the SW x.x.x.2 address in the same vlan?

Have you checked the subnet masks on the SW and the stations?

I took another look at the switch tonight and made some changes based on your observations.  Everything on the switch side still works great, but I'm still having problems with the SonicWall.  I did notice, however, that the on the SonicWall, I can ping all internal assets, but can't ping the sonicwall itself from any but the vlan the current default route is on.  Unless anyone see's anything of interest in this configuration, I'm going to move my attention to the SonicWall.

Thanks again for the assistance.

Steve

!Current Configuration:
!System Description "Dell 24 Port Gigabit Ethernet, 2.1.0.13, VxWorks5.5.1"
!System Software Version 2.1.0.13
!
configure
vlan database
vlan  100,110,120,200
exit
snmp-server location "MDF"
hostname "sw01"
stack
member 1 1
exit
ip address 192.168.10.1 255.255.255.0
ip default-gateway 192.168.10.254
ip routing
ip route 0.0.0.0 0.0.0.0 192.168.200.2
interface vlan 100
name "Network Core"
routing
ip address  192.168.100.1  255.255.255.0
exit
interface vlan 110
name "Access Control"
routing
ip address  192.168.110.1  255.255.255.0
exit
interface vlan 120
name "Surveillance"
routing
ip address  192.168.120.1  255.255.255.0
exit
interface vlan 200
name "Data"
routing
ip address  192.168.200.1  255.255.255.0
exit
username "admin" password ########################## level 15 encrypted
!
interface ethernet 1/g1
no negotiation
description 'SonicWall'
spanning-tree cost 20000
spanning-tree portfast
switchport mode general
switchport general pvid 200
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 100,110,120,200 tagged
exit
!
interface ethernet 1/g2
switchport mode general
switchport general pvid 200
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 100,110,120,200 tagged
exit
!
interface ethernet 1/g3
switchport mode general
switchport general pvid 110
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 100,110,120,200 tagged
exit
!
interface ethernet 1/g4
switchport mode general
switchport general pvid 200
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 100,110,120,200 tagged
exit
!
interface ethernet 1/g5
switchport mode general
switchport general pvid 120
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 100,110,120,200 tagged
exit
!
interface ethernet 1/g6
switchport mode general
switchport general pvid 110
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 100,110,120,200 tagged
exit
!
interface ethernet 1/g7
switchport mode general
switchport general pvid 200
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 100,110,120,200 tagged
exit
!
interface ethernet 1/g8
switchport access vlan 200
exit
!
interface ethernet 1/g9
switchport access vlan 200
exit
!
interface ethernet 1/g10
switchport access vlan 200
exit
!
interface ethernet 1/g11
switchport access vlan 200
exit
!
interface ethernet 1/g12
switchport access vlan 200
exit
!
interface ethernet 1/g13
switchport access vlan 200
exit
!
interface ethernet 1/g14
switchport access vlan 200
exit
!
interface ethernet 1/g15
switchport access vlan 200
exit
!
interface ethernet 1/g16
switchport access vlan 120
exit
!
interface ethernet 1/g17
switchport access vlan 120
exit
!
interface ethernet 1/g18
switchport access vlan 120
exit
!
interface ethernet 1/g19
switchport access vlan 110
exit
!
interface ethernet 1/g20
switchport access vlan 200
exit
!
interface ethernet 1/g21
switchport access vlan 200
exit
!
interface ethernet 1/g22
switchport access vlan 200
exit
!
interface ethernet 1/g23
switchport access vlan 100
exit
exit

I am having very similar issue as you posted. The only difference between our 6224 configuration and yours is that I only have g1 port configured as the trunk port (in general mode) connecting to SonicWall X2 interface but no other ports on 6224 configured as the trunk ports linking to other switches.

Just wondered if you have had the issue sorted out? Was it the Sonicwall issue or the 6224 issue? The lack of documentation on both Sonicwall and Dell sites makes this a bit difficult for me. 

Hope I could get some insights from you. Thanks for your time!

I posted a post yesterday but it looks like in wrong forum. I didn't know that PowerConnect has separate board. Anyway... I'm struggling with configuration Sonicwall with Powerconnect too. I'm just loosing my mind as I have tried so many configurations and none of them seemed to be working. Just a nightmare. I'm completely lost as I don't know if my understanding is poor or I just can't make it ... just because.

My issue is that I have to configure Sonicwall with 3 subnets on one interface. Let's say I've got 2 (ideally I need to have 4-5 networks) now 10.0.0.0/8 and 20.0.0.0/8. Just for tests. I've got a server and PC connected to both networks. They both have IPs from both networks so server has 10.0.0.20 and 20.0.0.20, PC has 10.0.0.222 and 20.0.0.222. Sonicwall has 10.0.0.1 and 20.0.0.1. So I configured VLANs on the switch assigned port 2 and 4 as a ACCESS port to VLAN 10. (Just for tests). I setup trunk at port 1 to firewall. Everything works perfect. But it's not the point of that installation. I have to be able to access both VLANs at the same time. So now is the question how to do it. I managed to get working routing between VLANs, so I could ping server from PC and PC from the server. But I couldn't ping Sonicwall interfaces 10.0.0.1 and 20.0.0.1. 

Here is my configuration. PC is connected to port 7 and server to port 11:

!Current Configuration:     

!System Description "Dell 24 Port Gigabit Ethernet, 2.2.0.3, VxWorks5.5.1"

!System Software Version 2.2.0.3                                          

!                                                                         

configure                                                                 

vlan database                                                             

vlan  10,20                                                             

exit                                                                      

stack                                                                     

member 2 1                                                                

member 4 1                                                                

exit                                                                      

ip address 192.168.0.235 255.255.255.0                                    

interface vlan 10                                                         

name "test"                                                               

routing                                                                   

ip address  10.0.0.254  255.0.0.0

exit                             

interface vlan 20                

name "test"                      

routing                          

ip address  20.0.0.254  255.0.0.0

exit                             

username "admin" password 0192023a7bbd73250516f069df18b500 level 15 encrypted                                                                                                                              

!                                                                                                                                                                                                          

interface ethernet 2/g1                                                                                                                                                                                    

spanning-tree portfast                                                                                                                                                                                     

switchport mode trunk                                                                                                                                                                                      

switchport trunk allowed vlan add 10,20                                                                                                                                                                    

switchport trunk allowed vlan remove 1                                                                                                                                                                     

exit                                                                                                                                                                                                       

!                                                                                                                                                                                                          

interface ethernet 2/g9

spanning-tree portfast

switchport mode general

switchport general pvid 20

no switchport general acceptable-frame-type tagged-only

switchport general allowed vlan add 10,20

exit

!

interface ethernet 2/g11

spanning-tree portfast

switchport mode general

no switchport general acceptable-frame-type tagged-only

switchport general allowed vlan add 10,20

exit

snmp-server community public rw ipaddress 192.168.0.232

exit

I know this is an old post but figured it might still help someone.  I was having a similar issue.  Thankfully in newer switches dell has moved to align more with cisco getting away from general trunks and pvids to normal trunks and native vlans

A pvid does equate to a native vlan, this vlan would then be untagged.

Having this untagged vlan as an allowed vlan tagged is actually redundant and the root of the issue.  You wouldn’t expect it to be an issue however when you to set you allowed tagged vlans it applies to all vlans in the list,  if this includes the native(pvid) vlan then it overrides the inherent untagged nature of the native vlan

It should look like this,

interface ethernet 1/g7

switchport mode general

switchport general pvid 200

switchport general allowed vlan add 200

switchport general allowed vlan add 100,110,120 tagged

exit

native untagged on vlan 200,  vlan 100,110, and 120 are tagged.  you can also exclude "switchport general allowed vlan add 200"  all together,  it will add it automatic, again because of the inherent nature of the native vlan

in the case of a host or sonicwall this will work fine.  If you were say connecting two switches you wouldn’t need a native vlan/pvid and should do a standard trunk