Avatar of Woggy64
Woggy64

Sonicwall to Sonicpoints thru Netgear GS724tv3 switches.

Hi all,

I need to find a solution - I have two NetGear GS724tv3 switches that are not trunked together,
just a single CAT5 connects them.  Our internet connection is just a Sonicwall PRO 4060, which
is connected to the server room switch.  We'd like to install two Sonicpoint WAPs to an open
interface on the Sonicwall, and have internet for our admin people and guests without their
traffic seeing our internal LAN, except for the employees - they would VPN in like they were
connecting for home/outside location.

Can this be done?  I know Sonicwall says yes, but cannot explain how to do so clearly on their
PRO 4060.  I think I got 90% there, as I can see the one Sonicpoint when directly connecting it to
the port on the Sonicwall - but it does not give an IP out so unless so far.  What is missing?

And the second part is - how do I configure the VLAN on the NetGear, and get that second switch
to make a port part of this VLAN on switch1?
Avatar of digitap
digitap

I've done this multiple times.  It can get confusing as you must create sonicpoint virtual profiles in order to have two SSIDs (admin and guest).  Additionally, you must create a VLAN for each.  I can help you with this.  What have you configured thus far on the sonicwall?  Here is an article that I use regularly when setting up multiple virtual profiles.

http://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=5798

Which sonicpoints do you have?  The new ones do NOT come with a power supply so you must use a PoE switch or purchase a PoE injector.  If you have an injector, it might be easier to get an inexpensive switch to connect the sonicpoints to the WLAN interface on the sonicwall.  If you do not, then you'll need to carve out a couple of ports that support the two VLANs (guest and admin) that you'll create on the sonicwall.  The key to the VLANs on the switch is to remove those ports from the default VLAN and tag them as members of both VLANs that you create on the switch.  When you get that far, I can help you set those up.
Avatar of Woggy64

ASKER

I've only configured the X5 interface on the 4060 for wireless and named the SSID and assigned it an IP address.   Which I know much more is needed to be done to get it going.

But my concern is the second Sonicpoint (they are the new ones - SonicpointNs with the power injector) - can this be off a different Netgear switch in another part of the building?   Our concern is getting this second location in the same VLAN with the NetGear switch in the server room.

Avatar of Woggy64

ASKER

And thanks for the link.  I'm going to follow it thru and respond.   It looks like what I need (and now I wonder why Sonicwall support could not have just sent me this).  Thanks!
The link is top secret, so please share it with your friends!!

Do all your switches terminate in the same location?  You mentioned an uplink between your two switches.  Are the two switches not in the same area of the building?

If not, then what I think you'll need to do is make the uplink an untagged member of the sonicwall VLANs.  This way, they'll pass the traffic, but not let it mingle with the default VLAN traffic which is your LAN traffic.  We may just need to read through the netgear manual re: the VLAN stuff.
Avatar of Woggy64

ASKER

That's it - the second switch (and Sonicpoint) will be in the middle of the plant, and that's the one question I had - whether that switch could pass traffic to the VLAN to the Sonicwall/Sonicpoint setup on the switch in the server room.    And this is the only switch in this location, so its first duty is the equipment in those offices, but needed to see if a single port on that switch would be able to be part of the VLAN on the first switch, leaving the other ports on our regular LAN.
In general, if a port is a tagged member of a VLAN, it will see that traffic.  If it's an untagged member of a VLAN, it'll just pass that traffic.  Check out page 74 of the manual to see how to configure a VLAN, membership and tagging for a port or multiple ports.  The VLAN section is on page 74 of the PDF.  I'm heading to lunch, but quickly looked at the manual and it's implementing a standard VLAN and not some crazy variation of it.

ftp://downloads.netgear.com/files/GS716Tv2_GS724Tv3_usermanual.pdf
Avatar of Woggy64

ASKER

Thanks - I haven't ventured that far out yet to the NetGear section.  I'm following the Sonic Wall info and believe I followed it point by point.   But while I'm now able to connect to the SonicpointN with my notebook and get an IP from it, I don't get anywhere, like internet access.   About to try local LAN resource to see if I get them (servers, printer, etc.).

I figured I'd setup the Sonicpoint separately, check their performance, then add the NetGear VLANs and move the Sonicpoint out to their location after that.
make sure you get the firewall access rules setup properly...i can't remember if thats part of the instructions.  also, check the dns settings of the wlan dhcp scope and make sure the wireless host is getting a good dns server.
Avatar of Woggy64

ASKER

Not part of the instructions, but doing a search for the instructions now.   I gather this needs the outside DNS?  Not our internal DNS & WINS servers?
ASKER CERTIFIED SOLUTION
Avatar of digitap
digitap
This solution is only available to members.
Avatar of Woggy64

ASKER

Perfect, exactly the information I needed to complete this - up and running now.
Great!  If you have questions about the VLAN stuff, just post back to this question.  Thanks for the points!
Avatar of Woggy64

ASKER

Ok, all weekend I tried to do the VLANs on the Netgear, but no dice.   If I plug the SonicpointN's directly into the X5 interface, they work.
OK...initially, you'll have two ports configured on the switch where the sonicwall and sonicpoint connect.  Create two VLANs naming them with the VLAN IDs you used on the sonicwall.  You want to make both ports "tagged" AND "members" of both VLANs.  You want to remove any tag or membership for these two ports from the default VLAN.  The idea here is you are making a virtual switch out of these ports using VLANs where, normally, you would have used a physical switch.

Configure this on the switch, connect the sonicwall's X5 port and the one Sonicpoint to the designated switch ports.  Let's get this working then we'll worry about the other sonicpoint on the other switch over the uplink...OK?
Avatar of Woggy64

ASKER

Ok, this is where I may have gone wrong - I created a single VLAN and placed all three ports on this switch that were to be for the Sonicwall.  Port 2, 3 & 4 on the Netgear were tagged as members of VLAN5.    Port 2 was coming in from the sonicwall, and then I had both sonicpoints in the other two (I will eventually have three sonicpoint - but third will be later and using this port).

So, I need separate VLANs for each port for this?
You need a VLAN for each virtual sonicpoint that you create.  You want an Admin and a Guest.  In order to get the appropriate IP address for whichever you connect to, you need to have a VLAN assignment for each.  When you are viewing the Network > Interfaces, you'll add an interface to X5 (which should be assigned the WLAN zone).  When you do this, you'll give it a VLAN ID and the appropriate IP subnet assignment.  When you finish adding the new interface, the Sonicwall will create a new DHCP scope assigned to this VLAN interface.  If you want to assign a laptop to the guest network, then they merely authenticate to the guest virtual sonicpoint and will get an IP assigned by that respective DHCP server.  In order for the switch to allow assigning an IP on either the Admin or Guest, all the ports on the switch must be a member and tagged for both VLANs.

The VLAN IDs you assign the Guest and Admin interfaces, should be what you use when you create the VLANs on the switch.

It's confusing.  I've always used a separate physical switch for my sonicpoints, but I recently upgraded a client and installed a PoE switch.  I had to call Sonicwall support to get the VLAN configuration steps.
Avatar of Woggy64

ASKER

Ah, you're talking about the Sonicwall, while I am lost on the VLAN configuration on the Netgear switches.

For the Netgear - I only need to create a single VLAN and tag those three port I need on this VLAN in my server room, then worry about the one port on the remote switch.  Sound right?
Have you created the two VLANs on the sonicwall yet?  If so, you'll want to create those two not just the one.  See the screen shot below.
oops...forgot screen shot.
greenshot-2010-08-23-16-17-17.jpg
Avatar of Woggy64

ASKER

Ok, two VLANs done on the sonicwall.
OK...now, how are your sonicpoints configured?  do you have a VAP for guests and a VAP for Admin?
Avatar of Woggy64

ASKER

Yes, WLAN-Guest and WLAN-Corp
OK...what VLAN IDs have you assigned the two interfaces on your sonicwall?  Have you created any VLANs on your switch yet?
Avatar of Woggy64

ASKER

X5 is the WLAN
X5:V50 is WLAN-Corp
X5:V55 is WLAN-Guest

On the Netgear, I created VLAN5 and tagged ports 2,3, & 4 as VLAN5 members (I think)
On the netgear, you need to create two VLANs.  Name them 50 and 55.  Then, make ports 2, 3, and 4 tagged members of both VLANs 50 and 55.

I'm getting ready to head home for the day, so my responses may become spotty.
Avatar of Woggy64

ASKER

Ok, I'm grateful for all the help.

I think I should be able to do this on these switches, but would I create a port on the remote switch and then tag it to the same VLAN numbers from the server room switch?  i.e. a single port on remote switch with both VLANs tagged to that port?
On the other switch, you'll create the same two VLANs and configure a single port as you have done with the other switch.  Additionally, the port that provides the uplink on both switches, you'll want to make the uplink ports UNTAGGED members of both VLANs.
Avatar of Woggy64

ASKER

Great, thank you so much.
you bet...talk to you soon and good luck!
Avatar of Woggy64

ASKER

100% up and running now, on both Sonicpoints.

I did discover there was another Netgear switch in between the IDF & MDF, so I configured that switch's uplink ports to be untagged in both of the VLANs.

Thank you very much!  
You're welcome!  These things can be complicated enough...glad I could help you sort it out.
Avatar of Woggy64

ASKER

Guess I spoke too soon.   The remote Sonicpoint, while it talks to the Sonicwall, it's not passing traffic from the notebooks, they'll connect but limited access (basically they connect then get no further).

I did swap the Sonicpoints, and the problem stays at the remote side, not with the Sonicpoint.

Weird - because the sonicpoint will boot, get an ip from the sonicwall, and then you can manage it from the sonicwall.

It's got to be something on the sonicwall itself then?
Avatar of Woggy64

ASKER

Confirmed the Sonicwall & Sonicpoints are ok - all work off the same switch in the server room.

New thread/topic for this now?  It's solely a NetGear issue now.
yes...sorry, i'm back now.  it would be a netgear issue.  what ip do your sonicpoints get on the switch that connect via the uplink?
Avatar of Woggy64

ASKER

The sonicpoints themselves get an 172.16.31.247 & 172.16.31.248 as the WLAN interface on the Sonicwall is set for 172.16.31.1.

It has me wondering, as when I connect the Sonicpoint out on the remote switch, I can watch it boot on the Sonicwall and get an IP on the 172.16.31.XX scheme.   But just does not seem to work, but when I walk it back to the server room and connect into the extra port in the VLAN, it works just fine.   If I disco the other Sonicpoint and walk it back, I can also watch it boot up and connect on the Sonicwall, but again - no access after connecting to it with a notebook.
Ok...when you connect the sonicpoint to the WLAN interface, what IP address is it getting?

What I'm proposing is the two VLANs for admin and guest are NOT being routed properly over the uplink.  i'll need to review my switches here to confirm i've got the correct tag/untagged/membership combination right.  give me some time.  coming up on the end of the day and i have to finish some "job" related stuff....you know, the part of my life that pays the bills...>GRIN<!
Avatar of Woggy64

ASKER

LOL - I'm thinking - do I need three VLANs on the Netgear switches?   One for the actual hardware (172.16.31.XX network), then the original other two VLANs for the Virtual VLANs (the corp 172.16.50.XX and the guest 172.16.55.XX)?

The sonicpoints themselves get a 172.16.31.XX address, from the X5 interface on the Sonicwall, which is set to 172.16.31.XX
Yes, you are correct sir.  I just reviewed my switch.  I have three VLANs configured.  I have attached a screen shot.  I created a VLAN 500 and made the designated ports untagged members of those ports.  Since I haven't marked the default WLAN traffic as VLAN 500, I don't want to tag it.  The other ports, I make them tagged members of my two VLANs, 21/22.  So, your uplink ports will need to be untagged members of all the VLANs they need to pass traffic for.  On the uplink switch, you'll make your single port a tagged member of both VLANs and an untagged member of the default WLAN traffic.
Avatar of Woggy64

ASKER

When you say uplink switch, you talking about the switch in the server room that connects to the Sonicwall X5 interface? (Sorry - long day - brain is about dead here:P)
no, it's the switch that the single sonicpoint will connect to that's located away from the server room...no worries, feel the same
Avatar of Woggy64

ASKER

MDF Switch:
      VLAN31-Sonicwall WLAN:

      Port02-Untagged      -goes to X5 interface on Sonicwall
      Port03-Untagged      -goes to Sonicpoint
      Port04-Untagged      -empty (future use Sonicpoint)
      Port05-Untagged      -goes out to Port01 on IDF-2 Switch

      VLAN50-WLAN-Corp:

      Port02-Untagged
      Port03-Tagged
      Port04-Tagged
      Port05-Untagged

      VLAN55-WLAN-Guest:

      Port02-Untagged
      Port03-Tagged
      Port04-Tagged
      Port05-Untagged

IDF-2 switch:

      VLAN31-Sonicwall WLAN:

      Port01-Untagged      -goes to MDF Switch Port05
      Port03-Untagged      -goes to IDF-4 Switch Port01

      VLAN50-WLAN-Corp:

      Port01-Untagged
      Port03-Untagged

      VLAN55-WLAN-Guest:

      Port01-Untagged
      Port03-Untagged

IDF-4 switch:

      VLAN31-Sonicwall WLAN:
      
      Port01-Untagged      -goes to IDF-2 Switch Port03
      Port02-Untagged      -goes to Sonicpoint

      VLAN50-WLAN-Corp:
      
      Port01-Untagged
      Port02-Tagged

      VLAN55-WLAN-Guest:
      
      Port01-Untagged
      Port02-Tagged

Should it look like this?   I'm still not working on the far end, but about to confirm these are the settings on all three switches.
Avatar of Woggy64

ASKER

Sorry - correction to the above - on MDF Switch VLAN50 & VLAN55 Port02 is tagged, not untagged.

This has the one sonicpoint on this switch up and out to the internet.   The sonicpoint on IDF-4 switch Port02 still not sending out to the internet, it just connects to the notebook and nothing else - yet I can see the connection on the sonicwall for this notebook.
So, your laptop is getting an IP address?  Which switch is routing the sonicpoint traffic properly?
Avatar of Woggy64

ASKER

Laptop is getting correct IP.  Sonicpoint in mdf switch works but not remote sonicpoint.   But each sonicpoint will issue good IP.
You've been referencing just two switches, but I see three switches in your VLAN configuration.  I'm getting confused by that.

So, laptops getting an IP on the MDF (main switch in the server room where the sonicwall is) can ping local hosts and get to the Internet, right?

Laptops that are connecting to sonicpoints on the remote switches are getting a proper IP address, but are not routing....essentially, they can't get to the Internet and are not able to ping local hosts, right?

Are all the switches the same model?
Avatar of Woggy64

ASKER

All the switches are NetGear GS724Tv3's.   I found the third switch while tracing the cabling (nothing was marked/labeled - and they have no map of anything here).

Everything wired in the MDF, and other IDFs, work just fine.   And the one Sonicpoint that connects in the MDF works as planned on the guest WiFi - they get out to the internet with no local access.   It's the remote Sonicpoint that while I can see it on the Sonicwall admin interface and see client notebooks connect to it - it does not let them out on the internet (or anywhere).

Yet I can disco the working Sonicpoint, walk it back to the remote IDF, swap it out with the other and see it bootup on the sonicwall and clients connect, but no internet.  I walk the remote sonicpoint up to the MDF, connect it to the switch in there, and can see it bootup and clients connect and get out on the internet.

Something in the way I have configured the VLANs is stopping this traffic on the 172.16.50.XX (corp) and 172.16.55.XX (guest) VLANs, but the 172.16.31.XX VLAN is working out to the remote side.  Which is why I can talk to the sonicpoint itself (on 31.XX), but the client notebooks can not pass traffic thru it to the MDF switch on those two VLANs (55.XX & 50.XX).

Avatar of Woggy64

ASKER

I got it now - was confused on the tagging vs untagging and had a few backwards.   Here is the correct
configuration that works for me now:

MDF Switch:
      VLAN31-Sonicwall WLAN:

      Port02-Untagged      -goes to X5 interface on Sonicwall
      Port03-Untagged      -goes to Sonicpoint
      Port04-Untagged      -empty (future use Sonicpoint)
      Port05-Untagged      -goes out to Port01 on IDF-2 Switch

      VLAN50-WLAN-Corp:

      Port02-Untagged
      Port03-Tagged
      Port04-Tagged
      Port05-Tagged

      VLAN55-WLAN-Guest:

      Port02-Untagged
      Port03-Tagged
      Port04-Tagged
      Port05-Tagged

IDF-2 switch:

      VLAN31-Sonicwall WLAN:

      Port01-Untagged      -goes to MDF Switch Port05
      Port03-Untagged      -goes to IDF-4 Switch Port01

      VLAN50-WLAN-Corp:

      Port01-Tagged
      Port03-Tagged

      VLAN55-WLAN-Guest:

      Port01-Tagged
      Port03-Tagged

IDF-4 switch:

      VLAN31-Sonicwall WLAN:
     
      Port01-Untagged      -goes to IDF-2 Switch Port03
      Port02-Untagged      -goes to Sonicpoint

      VLAN50-WLAN-Corp:
     
      Port01-Tagged
      Port02-Tagged

      VLAN55-WLAN-Guest:
     
      Port01-Tagged
      Port02-Tagged

Sorry...I didn't see your post on 8/25.  I thought you'd given up the quest all together...glad to see you stuck it out and got it working!  Your config looks perfect!
Avatar of Woggy64

ASKER

LOL - thanks for the help.  I had no choice but to make it work :)  

You gave me enough information, I just had to re-read it and think about it.
yes...VLANs can be complicated especially if you span multiple switches.
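
The difference between the asker's first listing and the final working one, as an added example that is not part of the original thread: a small checker that models only the inter-switch uplink ports (MDF 5, IDF-2 1 and 3, IDF-4 1) transcribed from the two listings. It assumes standard 802.1Q behaviour, where an untagged frame carries no VLAN ID and the receiving port places it in a single VLAN, so a link can carry at most one VLAN untagged.

```python
# Added example: sanity-check 802.1Q memberships on switch-to-switch links.
# Port data is transcribed from the two listings in the thread (uplink ports only).
LINKS = [(("MDF", 5), ("IDF-2", 1)), (("IDF-2", 3), ("IDF-4", 1))]


def uplinks(mode_50_55):
    """Build {(switch, port): {vlan: 'U' or 'T'}} for the four uplink ports."""
    ports = [end for link in LINKS for end in link]
    return {p: {31: "U", 50: mode_50_55, 55: mode_50_55} for p in ports}


FIRST_ATTEMPT = uplinks("U")  # first listing: uplinks untagged in 31, 50 and 55
WORKING = uplinks("T")        # final listing: 31 untagged, 50 and 55 tagged


def check(config, links=LINKS):
    """Return a list of human-readable problems found in the uplink config."""
    problems = []
    # Rule 1: a port may send at most one VLAN untagged, otherwise the far
    # end cannot tell corp (50) frames from guest (55) frames.
    for (switch, port), vlans in sorted(config.items()):
        untagged = sorted(v for v, mode in vlans.items() if mode == "U")
        if len(untagged) > 1:
            problems.append(
                f"{switch} port {port}: untagged in VLANs {untagged}, "
                "VLAN identity is lost on this link")
    # Rule 2: both ends of a link must agree on membership and tagging.
    for a, b in links:
        for vlan in sorted(set(config[a]) | set(config[b])):
            if config[a].get(vlan) != config[b].get(vlan):
                problems.append(
                    f"VLAN {vlan}: {a[0]} port {a[1]} is {config[a].get(vlan)} "
                    f"but {b[0]} port {b[1]} is {config[b].get(vlan)}")
    return problems


if __name__ == "__main__":
    for name, cfg in (("first attempt", FIRST_ATTEMPT), ("working", WORKING)):
        found = check(cfg)
        print(f"{name}: {len(found)} problem(s)")
        for line in found:
            print("  " + line)
```
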