Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

Trunk to SonicWall only carrying single VLAN

Hello All,

I have a 3750g configured with 2 vlans, 35 and 65. Vlan 35 has a subnet of 192.168.35.x and Vlan 65 has a subnet of 192.168.65.x. I configured a trunk connection to a Sonicwall NSA 3500 using subinterfaces. One for vlan 35 and one for vlan 65. The trunk port is configured in switchport mode trunk and dot1q encapsualtion. I am only allowing the 35 and 65 vlan through the trunk aloing with the native vlan.

The test machine on Vlan 65 connects to the firewall through the trunk and connects to the internet without issue. Vlan 35 hovever is blocked by the firewall as an IP spoof because the sonicwall is seeing the traffic from subnet 192.168.35.x as vlan 65 and not vlan 35 as it should be. I contacted sonicwall and had them check my config and they say the configuration is correct on the sonicwall.

Here is the error message on the sonicwall:

Intrusion Prevention      IP Spoof Dropped  192.168.35.11 X4:V65

I needs to be 192.168.35.11 x4:V35

                    192.168.65.11 x4:V65

According to this it seems like the 35.x subnet is being tagged by the trunk as Vlan 65. From my reading all vlan traffic through the trunk should be tagged so the sonicwall subinterfaces should be able to seperate the traffic.

The two test machine one the 35 and 65 vlans can ping each other, there DG's and the subinterfaces of the firewall

I would appreciate any insight you may have.

Thank You.

1 REPLY
Community Member

Trunk to SonicWall only carrying single VLAN

I believe that the NSA 3500 does not support trunking even if it does support vlans: hence 1 vlan per interface...

It should also depends on your sonicwall OS and the configuration options for the specified interface. I know it's GUI based but maybe you could clarify which options you have under the interface menu of the NSA?

It does not work with your current subnetting scheme, but another solution is to configure the NSA interface as a /23 to "aggregate" both VLANs IP ranges....

....bit of serious limitations...

regards

1926
Views
0
Helpful
1
Replies
CreatePlease to create content