Trunk to SonicWall only carrying single VLAN

jdtcipher
Level 1

Hello All,

I have a 3750g configured with 2 vlans, 35 and 65. Vlan 35 has a subnet of 192.168.35.x and Vlan 65 has a subnet of 192.168.65.x. I configured a trunk connection to a Sonicwall NSA 3500 using subinterfaces, one for vlan 35 and one for vlan 65. The trunk port is configured in switchport mode trunk and dot1q encapsulation. I am only allowing the 35 and 65 vlans through the trunk along with the native vlan.

The test machine on Vlan 65 connects to the firewall through the trunk and connects to the internet without issue. Vlan 35 however is blocked by the firewall as an IP spoof because the sonicwall is seeing the traffic from subnet 192.168.35.x as vlan 65 and not vlan 35 as it should be. I contacted sonicwall and had them check my config and they say the configuration is correct on the sonicwall.

Here is the error message on the sonicwall:

Intrusion Prevention      IP Spoof Dropped  192.168.35.11 X4:V65

It needs to be:

    192.168.35.11 x4:V35
    192.168.65.11 x4:V65

According to this it seems like the 35.x subnet is being tagged by the trunk as Vlan 65. From my reading all vlan traffic through the trunk should be tagged, so the sonicwall subinterfaces should be able to separate the traffic.

The two test machines on the 35 and 65 vlans can ping each other, their DGs, and the subinterfaces of the firewall.

I would appreciate any insight you may have.

Thank You.
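As an added illustration (not from the original post, and not Cisco or SonicWall code), here is a small Python model of what a tag-aware firewall interface does with frames arriving over an 802.1Q trunk: read the VLAN ID from the tag, map it to a subinterface, and then check that the IPv4 source address belongs to that subinterface's subnet, which is the anti-spoof check behind the "IP Spoof Dropped ... X4:V65" log line above. The subinterface names and subnets are taken from the post; the frame format is standard 802.1Q/IPv4; the native VLAN default of 1 and the subinterface-to-subnet mapping are assumptions for the example, and it also shows the case the post does not spell out, an untagged (native VLAN) frame, which has no tag to classify by.

```python
import ipaddress
import struct

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

# Assumed mapping of VLAN ID -> (firewall subinterface, subnet), taken from the post
SUBINTERFACES = {
    35: ("X4:V35", ipaddress.ip_network("192.168.35.0/24")),
    65: ("X4:V65", ipaddress.ip_network("192.168.65.0/24")),
}


def build_frame(src_ip, vlan=None):
    """Construct a minimal Ethernet frame carrying an IPv4 header.

    If vlan is given, insert an 802.1Q tag (TPID + TCI) after the MAC addresses;
    otherwise the frame is untagged, as native-VLAN traffic leaves a Cisco trunk.
    Sample MAC addresses and the destination IP are constructed values.
    """
    dst_mac = bytes.fromhex("001122334455")
    src_mac = bytes.fromhex("66778899aabb")
    # 20-byte IPv4 header: ver/IHL, TOS, total length, id, flags/frag, TTL, proto, csum, src, dst
    ip_header = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 1, 0,
        ipaddress.ip_address(src_ip).packed,
        ipaddress.ip_address("8.8.8.8").packed,
    )
    if vlan is None:
        return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip_header
    # TCI = 3-bit priority, 1-bit DEI, 12-bit VLAN ID; priority and DEI left at 0
    tci = (vlan & 0x0FFF)
    tag = struct.pack("!HH", TPID_8021Q, tci)
    return dst_mac + src_mac + tag + struct.pack("!H", ETHERTYPE_IPV4) + ip_header


def parse_frame(frame):
    """Return (vlan_id or None, inner ethertype, source IPv4 address or None)."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    vlan = None
    if ethertype == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        vlan = tci & 0x0FFF                      # low 12 bits of the TCI
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18                              # tag adds 4 bytes before the payload
    src_ip = None
    if ethertype == ETHERTYPE_IPV4:
        src_ip = str(ipaddress.ip_address(frame[offset + 12:offset + 16]))
    return vlan, ethertype, src_ip


def classify(frame, native_vlan=1):
    """Assign a frame to a subinterface by its tag, then apply the anti-spoof check.

    Returns (verdict, subinterface-or-vlan, src_ip). Untagged frames are treated as
    native VLAN traffic (native_vlan=1 is an assumption for this example).
    """
    vlan, ethertype, src_ip = parse_frame(frame)
    if vlan is None:
        vlan = native_vlan
    if vlan not in SUBINTERFACES:
        return ("no-subinterface", vlan, src_ip)
    name, subnet = SUBINTERFACES[vlan]
    if src_ip is None:
        return ("non-ip", name, src_ip)
    # Source must belong to the subnet bound to the subinterface the frame arrived on
    if ipaddress.ip_address(src_ip) in subnet:
        return ("ok", name, src_ip)
    return ("ip-spoof-dropped", name, src_ip)


if __name__ == "__main__":
    # Reproduces the situation in the post: a 35.x source seen on the V65 subinterface
    print(classify(build_frame("192.168.35.11", 65)))   # ('ip-spoof-dropped', 'X4:V65', '192.168.35.11')
    print(classify(build_frame("192.168.35.11", 35)))   # ('ok', 'X4:V35', '192.168.35.11')
    print(classify(build_frame("192.168.35.11")))       # untagged: lands on the native VLAN, no subinterface
```

The last case is the one worth checking on a real trunk: a frame that leaves the switch untagged (native VLAN traffic) carries no VLAN ID at all, so the receiving device can only assign it by configuration, never by tag. Comparing `show interfaces trunk` on the switch with the interface settings on the firewall side is the quickest way to confirm which VLAN is native and whether both ends agree.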

1 Reply

wasmer_anne
Level 1

I believe that the NSA 3500 does not support trunking even if it does support vlans: hence 1 vlan per interface...

It also depends on your sonicwall OS and the configuration options for the specified interface. I know it's GUI based, but maybe you could clarify which options you have under the interface menu of the NSA?

It does not work with your current subnetting scheme, but another solution is to configure the NSA interface as a /23 to "aggregate" both VLANs' IP ranges....

....a bit of a serious limitation...

Regards