Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2175
Views
0
Helpful
2
Replies

Issue with Sonicwall in between Cisco 2960 L2 Trunkport

Go to solution
Dean Romanelli
Level 4
Level 4

‎04-07-2013 11:37 AM - edited ‎03-07-2019 12:41 PM

Hi Guys,

My department just purchased Sonicwall NSA 220 firewalls to integrate into our pure Cisco environment.  I have discovered that A) the Sonicwall doesn't appear to differentiate vlan tags if you set the Cisco ports to access mode, because the filter requires an encapsulated frame. So I built a small cisco lab employing trunk ports and putting the Sonicwall in between:

PC--------(VL4 Access)Cisco 2960(Trunk)-----(IN)Sonicwall NSA 220(OUT)-----(Trunk)Cisco 2960(Trunk)-----(dot1q -L3 port)871.

1.1.1.3/24                                                                                1.1.1.2/24                                                                             .1/24

Sonicwall has no rules set up and is in bridge mode.  VLAN 4 is the main vlan on the test lab. I am able to ping from my PC to the Cisco router (.1 gateway), and I am able to ping my PC from my Cisco router. 

However, I cannot ping or access the Sonicwall if vlan 4 is the main vlan on the test network.  If I change the access port facing my PC to vlan 1,however, I am able to ping and access the Sonicwall without an issue, as well as ping everything else.  I don't understand why the Sonicwall doesn't respond when traffic is sent across the trunk on vlan 4, but does respond when sent across vlan 1, and again, I am able to ping everything else on vlan 4, just not the Sonicwall unless the originating traffic hits it over the trunk on vlan 1.

Am I doing something wrong in the Cisco config?  The Sonicwall?  Any thoughts are most appreciated. 

Thanks.                                                                                                             

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Bilal Nawaz
VIP Alumni
VIP Alumni

‎04-07-2013 12:17 PM

Hey, All vlan 1 traffic is 'untagged' by default on a trunk - vlan 4 must be getting 'tagged' with an 802.1q header. It seems to me like the Sonicwall FW is not set up for trunking maybe, not too sure?

If you were to put the sonic FW in vlan 4 (as an access port) on both sides, it should work i think.

What you can do is set vlan 4 to be the native vlan i.e. 'untagged'. On your 2960 on the trunk port issue the command, 'switchport trunk native vlan 4' and see if you are able to ping. Should behave differently if I've understood your scenario correctly.

Coming to your point A)

My answer to this is:

If you have a switchport in access mode, the frames do not get tagged - therefore you wouldn't have been seeing tagged frames on the sonicwall FW coming from the 2960. (tagging only happens in a trunk)

I think it would be something to do on the FW.

Hope this helps

Please rate useful posts and remember to mark any solved questions as answered. Thank you.

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Bilal Nawaz
VIP Alumni
VIP Alumni

‎04-07-2013 12:17 PM

Hey, All vlan 1 traffic is 'untagged' by default on a trunk - vlan 4 must be getting 'tagged' with an 802.1q header. It seems to me like the Sonicwall FW is not set up for trunking maybe, not too sure?

If you were to put the sonic FW in vlan 4 (as an access port) on both sides, it should work i think.

What you can do is set vlan 4 to be the native vlan i.e. 'untagged'. On your 2960 on the trunk port issue the command, 'switchport trunk native vlan 4' and see if you are able to ping. Should behave differently if I've understood your scenario correctly.

Coming to your point A)

My answer to this is:

If you have a switchport in access mode, the frames do not get tagged - therefore you wouldn't have been seeing tagged frames on the sonicwall FW coming from the 2960. (tagging only happens in a trunk)

I think it would be something to do on the FW.

Hope this helps

Please rate useful posts and remember to mark any solved questions as answered. Thank you.

Please rate useful posts & remember to mark any solved questions as answered. Thank you.
0 Helpful

Go to solution
Dean Romanelli
Level 4
Level 4
In response to Bilal Nawaz

‎04-08-2013 06:56 AM

Bilal,

Yeah that did it. I set vlan 4 to be native and I was able to access it.  Definitely appears that the Sonicwall is not set up to reply to tagged traffic.

Thanks for your help.

0 Helpful
Customers Also Viewed These Support Documents