Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
882
Views
5
Helpful
8
Replies

How to give a second network access to internet

Go to solution
orlguerra
Level 1
Level 1

‎08-19-2022 02:14 PM

 

Newbie here.

I have two vlans on a single cisco switch. Vlan 10 is is getting its ip address from the dhcp server and internet access from a sonicwall firewall.

I added Vlan 20 to that same switch. These two vlans will not or should not communicate with each other. Vlan 20 is getting  its ip address from the dhcp server. but i cannot get internet access.

Do i need to connect a separate ethernet cable and configure the internal interface X# on the sonicwall for Vlan 20?

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to orlguerra

‎08-22-2022 10:05 AM

Thank you for the additional information. It is helpful to know that the connection from switch to firewall is a routed link and that the switch is doing some routing. Based on this I have these comments:

1) If the switch is routing then you do not need the command ip default-gateway. This is ignored when ip routing is enabled. Having the command does not hurt anything. But it is not doing any good and I suggest that you clean it up.

2) The command ip route 10.0.109.0 255.255.255.0 10.0.7.9 is not correct. This indicates that to get to the subnet you go to 10.0.7.9 (which I assume is the firewall). But that subnet is locally connected. If you do show ip route on the switch you will see that the subnet shows as locally connected and not static routed.

3) I am not clear what Gigibitethernet1/0/13 is and why it is configured as a trunk. The description indicates Guest WiFi. If this is going to WiFi and you do not want vlan 20 to communicate with vlan 10 then why is the trunk carrying vlan 10?

4)If the switch to firewall is a routed link then there are at least 2 things that you will need to do. You will need a route on the firewall that points subnet 10.0.109.0 as reachable with the switch as the next hop. You will need address translation for the new subnet. It may be possible that you also need some type of security policy on the firewall for the new subnet.

HTH

Rick

View solution in original post

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to orlguerra

‎08-22-2022 10:10 AM

router link in between that great 
you only need add 
dynamic NAT for new VLAN in FW and you can access the internet. 

View solution in original post

0 Helpful
8 Replies 8

Go to solution
MHM Cisco World
VIP
VIP

‎08-19-2022 02:19 PM

SonicWall config with subinterface ?
if Yes you dont need second link one link config as trunk. 
also be sure that FW have Dynamic NAT for this new VLAN 

0 Helpful

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to MHM Cisco World

‎08-21-2022 10:22 AM

We know only a little about this environment and that makes it difficult to give good advice. The original post describes a single switch connected to a firewall. And it describes van 10 on that switch successfully getting Internet access (which implies that the firewall knows about this subnet (either because the firewall is connected to a port in that vlan or because the firewall has some routing information about that subnet).

The original post describes vlan 20 on the switch which does get IP addresses from a DHCP server. Beyond that we do not know anything. So here are things that we need to know and some suggestions about what might be done:

1) is the connection from switch to firewall an access port in vlan 10? Or is it a trunk port which could carry both vlans? Or is it a routed (layer 3) link between switch and firewall? Or is it something else?

2) where is the DHCP server and how is it connected to both vlans?

3) Is the switch doing any routing or is all routing done on the firewall?

4) pretty clearly the firewall knows about the subnet for vlan 10, and is doing address translation for that vlan. And probably the firewall does not know about the subnet for vlan 20 and is not doing address translation for that vlan. So what needs to be done is to find a way for the firewall to route for the subnet of vlan 20 and to do address translation for that subnet.

HTH

Rick
0 Helpful

Go to solution
orlguerra
Level 1
Level 1
In response to Richard Burts

‎08-22-2022 06:58 AM

Richard,

1) Its a routed (layer 3) link between switch and firewall

2) DHCP server is on Vlan 10

3) the switch i doing some routing

4) I have not done this for years. I will look into it.

 

Go to solution
Georg Pauwen
VIP
VIP
In response to orlguerra

‎08-22-2022 08:54 AM

Hello,

can you post the full running config of the switch ? If the switch is doing the layer 3 routing, the SonicWall just needs to take care of the NAT. What does your NAT policy look like ?

0 Helpful

Go to solution
orlguerra
Level 1
Level 1
In response to Georg Pauwen

‎08-22-2022 09:13 AM

What i have is this i am not showing all the configuration for security purposes.

 interface Vlan20
description Guest WiFi
ip address 10.0.109.1 255.255.255.0
ip helper-address 10.0.7.201

ip default-gateway 10.0.7.9
ip route 0.0.0.0 0.0.0.0 10.0.7.9
ip route 10.0.109.0 255.255.255.0 10.0.7.9

Interface Gigibitethernet1/0/13
description Guest WiFi
switchport trunk native vlan 10
switchport trunk allowed vlan 20
switchport mode trunk
spanning-tree portfast

 

 

0 Helpful

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to orlguerra

‎08-22-2022 10:05 AM

Thank you for the additional information. It is helpful to know that the connection from switch to firewall is a routed link and that the switch is doing some routing. Based on this I have these comments:

1) If the switch is routing then you do not need the command ip default-gateway. This is ignored when ip routing is enabled. Having the command does not hurt anything. But it is not doing any good and I suggest that you clean it up.

2) The command ip route 10.0.109.0 255.255.255.0 10.0.7.9 is not correct. This indicates that to get to the subnet you go to 10.0.7.9 (which I assume is the firewall). But that subnet is locally connected. If you do show ip route on the switch you will see that the subnet shows as locally connected and not static routed.

3) I am not clear what Gigibitethernet1/0/13 is and why it is configured as a trunk. The description indicates Guest WiFi. If this is going to WiFi and you do not want vlan 20 to communicate with vlan 10 then why is the trunk carrying vlan 10?

4)If the switch to firewall is a routed link then there are at least 2 things that you will need to do. You will need a route on the firewall that points subnet 10.0.109.0 as reachable with the switch as the next hop. You will need address translation for the new subnet. It may be possible that you also need some type of security policy on the firewall for the new subnet.

HTH

Rick
0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to orlguerra

‎08-22-2022 10:10 AM

router link in between that great 
you only need add 
dynamic NAT for new VLAN in FW and you can access the internet. 

0 Helpful

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to MHM Cisco World

‎08-22-2022 02:28 PM

I am glad that our suggestions have been helpful. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.

HTH

Rick
0 Helpful
Customers Also Viewed These Support Documents