
VLANs to work with Dell 54XX switches and SonicPoints via SonicWall NSA 3500

I've configured our SonicWall NSA 3500 to publish 2 Virtual Access Points and confirmed that it works by plugging a SonicPoint directly into the interface the VAPs are configured on.

However, when I uplink the interface to a Dell 5448 and connect my SonicPoints to the same switch, I lose control of it from the SonicWall. Currently wireless clients can connect to both Virtual Access Points as expected, but SonicWall doesn't show connections to this in SonicWall > SonicPoints > Station Status and, as above, I can't control the SonicPoint, e.g. I can't reboot them.

Enclosed is a topology diagram to show how I've configured the VLANs.

The uplink port is configured as follows:

Port : g7
Port Mode: Trunk
Gvrp Status: disabled
Ingress Filtering: true
Acceptable Frame Type: admitAll
Ingress UnTagged VLAN ( NATIVE ): 1
Protected: Disabled

Port is member in:

Vlan   Name         Egress rule   Port Membership Type
 1     1            Untagged      System
 3     Guest WLAN   Tagged        Static
 4     Corp WLAN    Tagged        Static

Ports 5 & 6 are configured as follows:

Port : g5 or g6
Port Mode: General
Gvrp Status: disabled
Ingress Filtering: true
Acceptable Frame Type: admitAll
Ingress UnTagged VLAN ( NATIVE ): 11
Protected: Disabled

Port is member in:

Vlan   Name         Egress rule   Port Membership Type
 3     Guest WLAN   Tagged        Static
 4     Corp WLAN    Tagged        Static

1 Solution
Take a look at the following two items to ensure that you have completed all the required steps and configured a WLAN interface.


FSIFMAuthor Commented:
Yes, that's all done.  As I said, it all works fine if I plug a SonicPoint directly into an interface on the SonicWall.  It's only when I go through a switch.
Take a look at this technote, especially at the end where it mentions Dell

FSIFMAuthor Commented:
I have looked at that as well, but it's made no difference.  However, the SonicPoint G router has changed its status to Non-responsive overnight.

Here is the Spanning Tree info from the Switch.  The actual port numbers are different from my examples, so I've modified the port numbers below to reflect my enclosed diagram.

Spanning tree enabled mode RSTP
Default port cost method:  short

  Root ID    Priority    32768
             Address     00:25:64:15:40:09
             This switch is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Number of topology changes 83 last change occurred 25:24:22 ago
  Times:  hold 1, topology change 35, notification 2
          hello 2, max age 20, forward delay 15

 Name   State     Prio.Nbr  Cost  Sts   Role  PortFast  Type
------ --------- --------- ----- ----- ----- --------- ------------
  g1   enabled    128.1      4   Frw   Desg    Yes     P2P (RSTP)
  g2   enabled    128.2    100   Frw   Desg    Yes     P2P (RSTP)
  g3   disabled   128.16    19   Dsbl  Dsbl    No      -
  g4   disabled   128.18     4   Dsbl  Dsbl    No      -
  g5   disabled   128.20     4   Dsbl  Dsbl    No      -

SonicWALL uses two proprietary protocols (SDP and SSPP) and both cannot be routed across any layer 3 device. Any SonicPoint that will be deployed must have an Ethernet connection back to the provisioning SonicWALL UTM appliance, in the same broadcast domain/network.

SonicWALL UTM appliance must have interface or sub-interface in same VLAN/broadcast domain as SonicPoint.

Do you have the same VLANs defined in the switches as in the NSA3500?
Which Sonicwall "X" interface have you assigned to WLAN?
Do the SonicPoints have the latest firmware updates?

You should use the following as a reference, if you have not already seen it.


Also, take a look at the following, which might be your solution.

FSIFMAuthor Commented:
Just realised the above Spanning Tree output is slightly wrong.  I was trying to edit it, but just before I clicked submit, your reply came through!

I suppose I should have kept to the same ports and VLANs for my examples to make it easier!

SonicWall is configured as such:

X0 = LAN                 (In my example I'm referring to it as VLAN5)
X1 = WAN
X3:V10 = Guest           (In my example I'm referring to it as VLAN3)
X3:V10 = WLAN for X0     (In my example I'm referring to it as VLAN4)
X4 = IT LAN              (In my example I'm referring to it as VLAN1)

The switch is configured as follows:

VLAN 1 for the IT LAN which connects to a Cisco router
VLAN 2 which connects the Cisco and SonicWall together
VLAN 3 which is for ports on the LAN
VLAN 4 which is for SonicWall to connect to our ISP Router
VLAN 10 which is for the Wireless Guest network
VLAN 11 which is for the Wireless LAN network that allows access to the X0 network

The firmware on my SonicPoints is as follows:

All Operational SonicPoint units are upgraded to SonicPoint Firmware Version (sw_sp_eng_5.0.0.0_22.bin.sig).
All Operational SonicPoint-N units are upgraded to SonicPointN Firmware Version (sw_spn_eng_5.6.0.1_14.bin.sig).

I have also seen those links, but I will go through them a bit more thoroughly to see if it sheds more light on my issue.

Here is my setup to get the SonicPoint working with a PowerConnect 55xx on an NSA 3500:

X0 = LAN             (untag default vlan 1)
X1 = WAN             (wan ip)

X2 WLAN              Static 1000 Mbps Sonicpoint Provisioning.
X2:V20 WLAN          Static VLAN Sub-Interface WiFi Secure
X2:V30 WLAN-Public   Static VLAN Sub-Interface WiFi Public

On the 5548 I set up TRUNK with VLANs 10, 20 & 30 on the port that connects to the NSA and on the port on the other switch where I connect the SonicPoint.

My problem provisioning and communicating with the SonicPoint was solved by changing the NATIVE VLAN to 10 for the trunk. This puts VLAN 10 untagged on the PowerConnect but also tells it to use this VLAN as the default.

Rapid spanning tree (RSTP) + Fast Link enabled.

The GUI left the default VLAN 1 (inactive) in the NATIVE VLAN field.

All other 10G fiber SFP+ ports: Trunk, all VLANs enabled.

Don't use GENERAL for VLANs like 10U, 20T, 30T. That way it doesn't work, because you can't set the native VLAN: it doesn't say which is the default VLAN, as you can have more than one untagged VLAN on General.

Using TRUNK tags all VLANs except the native VLAN, which comes untagged, and the native VLAN setting tells it which one to use, because TRUNK can only have one untagged VLAN: the native one.

FSIFMAuthor Commented:
Hi Praa,

To explain my scenario a bit more, this is how things are configured.

Ports 1-10 & 20 = VLAN 1 (All with VLAN Mode of Access, except Port 20 which is Trunk) - All VLAN memberships are U, including port 20, which auto assigns!
Ports 11-14 = VLAN 2 (All with VLAN Mode of Access) - All VLAN memberships are U
Ports 15-20 = VLAN 10 (All with VLAN Mode of General, except port 20 which is Trunk) - All VLAN membership is T
Ports 15-20 = VLAN 11 (All with VLAN Mode of General, except port 20 which is Trunk) - All VLAN membership is T
Ports 21-42 = VLAN 3 (All with VLAN Mode of Access) - All VLAN memberships are U
Ports 42-48 = VLAN 4 (All with VLAN Mode of Access) - All VLAN memberships are U

Port 20 connects to the firewall in X3.

Due to these switches having a fixed default VLAN of 1, it forces it to join the Trunk port.  I tried your suggestion of creating an extra VLAN (12) to make this the Trunk VLAN, but I can't remove the VLAN1 membership.  As VLAN 1 is connected to the IT LAN network it passes packets from VLAN 10 and 11 to VLAN, which I don't want. I want VLAN 10 to only have internet access and VLAN 11 to only access the X0 networks and the internet.

I'm thinking that I need to move the IT LAN to a new VLAN, but with the issues I'm getting with the WLANs talking, I'm not sure how I'll get the new VLAN to gain access to manage the switch!

VLAN 1 is the default untagged VLAN for Dell switches, but you can make a port not part of this VLAN group if you put in the Native VLAN ID field the VLAN number you want to get untagged.

To be sure the Trunk gets set correctly from the GUI, put your port back to Access and click the save disk icon to copy the running config to the startup config. This way the blue Apply button will come back so you can make the new config.

There is a bug in the latest firmware: you are not able to see the Trunk VLAN group config when there is one already set up on the port, and the blue Apply button disappears.

You can see in the attached image that VLAN 1 is not part of the group in the trunk if you remove all VLANs from the default Trunk setup, then put the VLAN IDs you want back in the Trunk and the SonicPoint provisioning VLAN in the Native VLAN ID.

The NSA X2 port (WLAN) is connected to port 45, and the SonicPoint connects to port 46 or another port configured the same way on another switch.

Default VLAN Membership
Sonicpoint provisioning VLAN
VLAN Trunk setup with native VLAN - Example (port not related to above images)
WLAN NSA 3500 config
Wrong Trunk setup - Native VLAN ID as 1 show inactive make Sonicpoint not able to communicate
FSIFMAuthor Commented:
Hi Praa,

I think if I was configuring this on a 5548, I'd be ok, but I'm trying to do this on a 5448, which doesn't have the same GUI options.  For example, when configuring my VLAN ports, I see this.

Dell 5448 Switch VLAN Port options
We do have a 5548, which does show the options in your screenshots, but the 5548 switch has been assigned for something else.

I have the same kind of interface on a PowerConnect 2808 I just received, but with fewer options; I can't set Trunk or General on this switch.

I was also able to get my 5548 to work in General VLAN Mode. For this you need to change the PVID (Port Default VLAN ID) to the VLAN you want to use to get SonicPoint provisioning on. Changing it from VLAN 1 to 10 removes VLAN 1 from the port, as you can see in the first image.

I think this is what you need to do on your 5448 switch to make the provisioning port work for the SonicPoint.

Hope this helps to get it working.

2808 VLAN 1
2808 VLAN-10
2808 VLAN-20
2808 VLAN-30
Port 1-2808 connect to port 27-5548
Port 3 connect to Sonicpoint
Port 27-5548 connect to port 1-2808
FSIFMAuthor Commented:
My problem is that I can't change the PVID from anything other than 1 when the Port VLAN Mode is configured as Trunk.  I understand that it has to be configured this way if it is to be the Trunk port for the VLANs.

As shown in the screenshot in my previous post,
FSIFMAuthor Commented:
The solution in the end was as follows:

All ports in question attributed to the multi-VLAN were set to General Mode.
VLAN 13 which we used for the main SW interface was configured as U on all the ports in question
VLAN 10 which was the Guest WiFi sub-interface was configured as T on all the ports in question
VLAN 11 which was the WLAN WiFi sub-interface was configured as T on all the ports in question
All ports had the PVID set to 13, as this is the physical interface that presents the VLANs.
FSIFMAuthor Commented:
My solution was accepted as it was the one that worked.
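
The port settings from the question and from the accepted solution can be compared with a small 802.1Q membership model. This is an added example, not part of the original thread and not Dell or SonicWall code; it assumes SonicPoint management traffic is untagged on the parent interface while the Virtual Access Point VLANs are tagged, and the names `Port`, `untagged_vlan`, `audit`, `ap-port` and `fw-uplink` are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Port:
    name: str
    pvid: int                   # VLAN assigned to untagged frames on ingress
    untagged: frozenset         # VLANs sent untagged on egress
    tagged: frozenset           # VLANs sent tagged on egress
    ingress_filtering: bool = True

def untagged_vlan(src, dst):
    """VLAN that carries an untagged frame in at src and untagged out of dst, or None."""
    vlan = src.pvid
    if src.ingress_filtering and vlan not in src.untagged | src.tagged:
        return None             # dropped on ingress: port is not a member of its own PVID
    return vlan if vlan in dst.untagged else None

def audit(ap_port, uplink, ssid_vlans):
    """Return a list of findings; an empty list means the path is consistent."""
    findings = []
    for src, dst in ((ap_port, uplink), (uplink, ap_port)):
        if untagged_vlan(src, dst) is None:
            findings.append(f"untagged management frames {src.name}->{dst.name} are not delivered")
    for vlan in sorted(ssid_vlans):
        for port in (ap_port, uplink):
            if vlan not in port.tagged:
                findings.append(f"VLAN {vlan} is not tagged on {port.name}")
    return findings

def fs(*vlans):
    return frozenset(vlans)

# Constructed from the question: g5 is General with PVID 11 and tagged 3/4 only,
# g7 is Trunk with native VLAN 1 and tagged 3/4.
ORIGINAL = audit(Port("g5", 11, fs(), fs(3, 4)), Port("g7", 1, fs(1), fs(3, 4)), {3, 4})

# Constructed from the accepted solution: General mode, PVID 13, 13 U, 10/11 T.
# The port names are placeholders; the thread only says "all the ports in question".
FIXED = audit(Port("ap-port", 13, fs(13), fs(10, 11)),
              Port("fw-uplink", 13, fs(13), fs(10, 11)), {10, 11})

if __name__ == "__main__":
    for label, result in (("original", ORIGINAL), ("fixed", FIXED)):
        print(label, result or "OK")
```

The original settings produce two findings for untagged traffic and none for the tagged VLANs, which matches the symptom in the question: clients could join both Virtual Access Points while the SonicWall could not manage the SonicPoint.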
