6500 trunk to Sonicwall not working

Apr 3rd, 2012

Trunk link not working between 6500 switch and Sonicwall TZ 210 firewall.  I'm trying to trunk 2 vlans from 6500 switch to port on sonicwall to allow Internet access to both vlans.  All vlans are allowed on trunk link currently and on the Sonicwall interface x0 has IP address 172.16.2.20 with a subinterface with vlan 4 tag and IP 172.16.4.2

Here are the details of what I am trying to configure on the 6500:

vlan 2

name Servers

!

vlan 4

name Workstations&Printers

interface Vlan2

ip address 172.16.2.1 255.255.255.0

!

interface Vlan4

ip address 172.16.4.1 255.255.255.0

interface GigabitEthernet2/1

no ip address

switchport

switchport trunk encapsulation dot1q

switchport mode trunk

ip route 0.0.0.0 0.0.0.0 172.16.2.20  (IP of SonicWall)

Any help would be greatly appreciated,

Pete

DuncanM2008 Tue, 04/03/2012 - 12:37

Hi Peter,

I've done similar configurations with SonicWalls and various Cisco switches, what exactly is not working?

Can you ping both SonicWall interfaces from the Cisco switch?

Thanks,


petedachelet Tue, 04/03/2012 - 13:08

Hi Duncan,

Once the port is configured as a trunk I am unable to ping both Sonicwall interfaces from the switch.  All inter-vlan communication works on local LAN with no issues.  I have the switch setup with a temporary trunk link to the Sonicwall as a test and can switch back to the config I am trying to do in a few hours once it is after hours at the office.  Then I can confirm for sure what is pingable from switch and PC.

Thanks,

Pete

petedachelet Tue, 04/03/2012 - 13:52

Just tested pinging my test trunk from the switch and here are the results:

I am unable to ping the main Sonicwall interface IP address from the switch but I am able to ping the vlan sub-interface from the switch.

From a PC when I ping the main Sonicwall interface IP it responds Destination host unreachable and when I try pinging the vlan sub-interface it responds Request timed out.

Pete

NkiwaneMG Tue, 04/03/2012 - 14:21

I am thinking that you should change your static route to

ip route 0.0.0.0 0.0.0.0 172.16.4.2   (IP of SonicWall)

Reason being that is the next hop from your switch to the SonicWall, and your switch will know how to route this traffic over Vlan 4.

petedachelet Tue, 04/03/2012 - 17:10

Tried changing the static route to ip route 0.0.0.0 0.0.0.0 172.16.4.2 but didn't seem to help.

I tested connectivity again and it seems like both the switch and the PC can ping the VLAN 4 sub-interface but not the IP 172.16.2.20 of the X0 interface on the Sonicwall, so basically VLAN 4 works over the trunk but has no Internet, and VLAN 2 does not work over the trunk.

DuncanM2008 Wed, 04/04/2012 - 00:09

Your interface on the sonicwall in 172.16.2.0/24, does it have any vlan tag?

Cheers,


petedachelet Wed, 04/04/2012 - 07:53

The Interface on Sonicwall doesn't have a vlan tag.  Took a look and I don't see an option to specify a tag for that network.

See attached screenshots to see the config of the interfaces on Sonicwall and available options.

Thanks,

Pete

DuncanM2008 Wed, 04/04/2012 - 09:10

Hi Peter,

That explains part of the problem then, if the SonicWALL has no "vlan" tag defined then that interface IP (172.16.2.20) is for Vlan1 (default / Native).

You can rectify the configuration issue with the following command on the trunk, presuming you don't actively use Vlan1 on the trunk:

switchport trunk native vlan 2

This will then tell the switch to place all "untagged" frames into Vlan2 thus allowing you to ping the SonicWALL's interface IP 172.16.2.20 from the switch.

I suspect there may still be more to do before you get the configuration where you want it, but it's a good start.

Give that a try and let us know how you get on.

Thanks,

Duncan.
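The trunk variant Duncan describes, written out as an added example (this is not configuration from the original post): native VLAN 2 carries the SonicWall's untagged X0 address, VLAN 4 rides tagged, and the allowed list is pruned so the firewall port only ever sees the two VLANs it terminates. The interface name and addresses are the ones from the thread; the description text, the VLAN pruning and the DTP setting are my additions.

```cisco
! 6500 trunk toward the SonicWall X0 port (added example, not from the thread)
interface GigabitEthernet2/1
 description Trunk to SonicWall X0 (untagged = VLAN 2, tagged = VLAN 4)
 switchport
 switchport trunk encapsulation dot1q
 ! Untagged frames from X0 (172.16.2.20) now land in VLAN 2 instead of VLAN 1
 switchport trunk native vlan 2
 ! Only carry the VLANs the firewall terminates; do not hand it every VLAN
 switchport trunk allowed vlan 2,4
 switchport mode trunk
 ! The firewall does not speak DTP, so do not negotiate trunking with it
 switchport nonegotiate
 no shutdown
!
! Leave native-VLAN tagging at its default while X0 relies on untagged frames.
! With "vlan dot1q tag native" set, the 6500 sends VLAN 2 frames tagged and
! no longer matches the untagged frames X0 sends, which recreates the mismatch.
no vlan dot1q tag native
!
! Checks from enable mode:
!   show interfaces GigabitEthernet2/1 trunk   (expect native vlan 2, allowed 2,4)
!   ping 172.16.2.20 source Vlan2
!   ping 172.16.4.2 source Vlan4
```

The native VLAN only has to agree between the two ends of this one link; it does not need to be VLAN 2 on any other trunk. Pruning the allowed list matters on a firewall-facing port because every VLAN the trunk carries is a VLAN the device on the far side can inject frames into.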

petedachelet Thu, 04/05/2012 - 11:33

Hi Duncan,

I changed the native vlan on the trunk interface to vlan 2 and was still not able to ping the 172.16.2.20 address from switch or PC. Also I enabled native vlan tagging globally to see if that would help using the command 'vlan dot1q tag native' but that didn't seem to make any difference.  I am still only able to ping the vlan subinterface of Sonicwall from switch and PC.

Any other thoughts or suggestions?

Thanks,

Pete

pierre.langevin Thu, 04/05/2012 - 12:16

Hi Peter,

Did you validate the Stp state on your trunk?

If all Vlan are FWD on it, do you see MAC of your Sonicwall on it?

Pierre


NkiwaneMG Thu, 04/05/2012 - 12:22

Let's start with one VLAN...

Can you change your X0 interface to WAN for your zoning? Also, you cannot use it as part of your LAN, so it has to have a different IP address from your LAN subnets.

Once you have vlan 4 going out to the internet then we can look at adding other vlans

petedachelet Thu, 04/05/2012 - 13:30

Yeah X0 is assigned to LAN zone and cannot be changed.  I am able to change the zone of the sub-interface for vlan 4 to WAN though if need be.

NkiwaneMG Thu, 04/05/2012 - 13:40

So change X1 to WAN zone and have it connected to your external connection.

I am trying to understand what you mean by sub-interface for vlan 4?

I thought you only have 6 interfaces on the Sonicwall that can be zoned to LAN, WAN or DMZ and assigned IP addresses...?

petedachelet Thu, 04/05/2012 - 13:51

X1 is assigned to WAN zone and connected to external connection.

With the latest firmware update for Sonic OS it allows you to create vlan sub-interfaces with vlan tag that are part of any of the LAN interfaces.  I am using X0 which has the IP address 172.16.2.20 effectively making it part of vlan 2 and off of that is where the sub-interface for vlan 4 is.

See attached screenshot for a better picture.

Pete

NkiwaneMG Thu, 04/05/2012 - 14:00

Got it....

What I am thinking is that you need to remove the IP address on the X0 interface and then create another sub-interface for VLAN 2... if the Sonicwall will allow you.

petedachelet Thu, 04/05/2012 - 14:27

The Sonicwall will allow me to remove the IP address for x0 interface essentially putting the interface into an Unassigned zone and then I can create another subinterface for Vlan 2. Both sub-interfaces fall into the LAN zone.

The question now is what should I use for my static default gateway? It was pointing to 172.16.2.20 before which we now have removed from Sonicwall. Wondering if I should put the sub interfaces into the WAN zone and then possibly static default route would not be needed. Not sure.

Pete


NkiwaneMG Tue, 04/10/2012 - 08:15

Maybe you should change the static route to point to the interface instead:

ip route 0.0.0.0 0.0.0.0 GigabitEthernet2/1

Though I am not comfortable with that...

DuncanM2008 Wed, 04/11/2012 - 02:47

Hi Pete,

Could you post the output of the following commands please:

show interface Gi2/1 trunk

show interface Gi2/1 switchport

show mac-address-table | inc GigabitEthernet2/1

or (depending on IOS Version)

show mac address-table | inc GigabitEthernet2/1

Have you also tried sourcing your pings?

ping 172.16.2.20 source Vlan2

ping 172.16.4.2 source Vlan4

Could you also post a screenshot of the SonicWALL's ARP cache?

Network -> ARP

This will give us some clues to how Layer 2 connectivity is functioning between the devices.

Thanks,

petedachelet Wed, 04/11/2012 - 20:09

Hi All,

I was able to get this issue resolved today with the help of SonicWall support.  Before contacting them I was able to get two separate host machines on the two different networks to be able to ping their respective sub-interface on the SonicWall but still no Internet connectivity to either host machine using the trunk from the switch.

Here is what was done to resolve the issue:

Instead of using a trunk from the switch to the SonicWall we changed the GigabitEthernet2/1 interface to a Layer 3 interface with an IP address on a separate network and then changed the X0 interface on the SonicWall to be in the same network. For my setup I used 172.16.1.1/30 and 172.16.1.2/30.

Then we removed the VLAN sub-interfaces on the X0 interface and had to add address objects under the network settings on the SonicWall. Basically you have to add a network type address object for each network (172.16.2.0 and 172.16.4.0) and also a host type address object for the switch IP 172.16.1.1. Also under address objects we created a group address object and added the network objects we created to this group.

Last but not least we created a route policy that had the destination set to the group address object for the two networks, the gateway set to the switch host address object, and the interface set to X0.

In a nutshell this setup told the SonicWall what networks were on our switch and how to get there.

Thank you all for the help on this issue! Much appreciated!

Pete
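The routed design Pete ended up with, as an added example of the 6500 side (not configuration from the thread's author; the SonicWall steps only exist in prose above and are summarised in the comments): Gi2/1 becomes a Layer 3 point-to-point /30 and the default route follows it. The interface description and the cleanup of the earlier default routes are my additions.

```cisco
! Routed uplink to the SonicWall (added example, not from the thread)
interface GigabitEthernet2/1
 description P2P link to SonicWall X0 (172.16.1.2/30)
 no switchport
 ip address 172.16.1.1 255.255.255.252
 no shutdown
!
! Internet-bound traffic from VLAN 2 and VLAN 4 goes to the firewall
ip route 0.0.0.0 0.0.0.0 172.16.1.2
!
! Remove the defaults tried earlier. Their next hops sit on Vlan2/Vlan4, which
! are still up, so IOS would keep them installed alongside the new one with the
! same administrative distance and load-share part of the traffic into a hole.
no ip route 0.0.0.0 0.0.0.0 172.16.2.20
no ip route 0.0.0.0 0.0.0.0 172.16.4.2
!
! SonicWall side (done in the GUI, per the resolution above):
!   X0 = 172.16.1.2/30, no VLAN sub-interfaces
!   Address objects: network 172.16.2.0/24, network 172.16.4.0/24,
!                    host 172.16.1.1, and a group holding the two networks
!   Route policy: destination = that group, gateway = 172.16.1.1, interface = X0
!
! Checks from enable mode:
!   show ip interface brief | include GigabitEthernet2/1
!   ping 172.16.1.2 source GigabitEthernet2/1
!   show ip route 0.0.0.0
```

One thing to be clear about with either design: the 6500 still routes between VLAN 2 and VLAN 4 on its SVIs, so server-to-workstation traffic never crosses the SonicWall. The firewall only sees what leaves for the Internet; if policy between the two VLANs is wanted, it has to live on the switch (ACLs on the SVIs) or the SVIs have to move to the firewall.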

This Discussion

Posted April 3, 2012 at 12:14 PM