AXISHK
Routing question between wifi / firewall and switch
The WiFi Controller has set up a Radius server, 10.0.1.120, behind the Sonicwall.
Wifi clients assigned to VLAN30 need to authenticate through the Radius server 10.0.1.120.
For the WiFi controller to reach network 10.0.1.0, it needs to route through the Fortigate and then to the Sonicwall.
The DHCP server on LAN 10.0.1.0 with subnet 10.0.99.0 will start DHCP negotiation with the wifi client,
through the trunk -> PoE Switch -> WiFi Controller -> Wifi client.
After DHCP negotiation, the PoE switch should have the MAC address of the wifi client on the correct port (i.e. the port connecting to the controller). Am I correct?
When the wifi client accesses any server on 10.0.1.0 behind the Sonicwall, it will go through
wifi client -> Wifi Controller -> PoE Switch -> Fortigate -> PoE Switch -> Sonicwall, correct?
How does a server in network 10.0.1.0 return traffic to the Wifi client (10.0.99.0)? How does the Sonicwall know that the client is behind the Controller?
Thx
Diagram.png
ASKER
The Windows DHCP server on LAN subnet 10.0.1.0 can also provide IP leases for 10.0.99.0. The intention of the design is to allow wifi clients to access the LAN servers through the wireless network.
The Sonicwall has 10.0.99.1 defined on X2 (VLAN 30). The return packet from the server to the wifi client will go to the Sonicwall. The Sonicwall knows the 10.0.99.0 subnet is connected to X2 and will route the packet to the PoE switch. The PoE switch should have the wifi client's MAC address on the port connecting to the Wifi controller. Hence the MAC address table of the PoE switch provides the information to forward the packet from the Sonicwall back to the Wifi controller and finally to the wifi client.
Am I correct?
Thx
Sonicwall01.png
ASKER CERTIFIED SOLUTION
ASKER
I have checked the routes:
1. The Fortigate doesn't have any route for the 10.0.99.0 subnet.
2. In the Sonicwall, there is no route for 10.0.99.0 pointing to interface X2:30, which connects the Sonicwall back to the PoE Switch.
So, can I say that the return packet is handled by the PoE switch using its MAC-address table? I can see the MAC address of the wifi client there (of course, not the IP address).
Thx
Hi There,
Could you post the output of the below:
i)
#sh ip route from the PoE switch
ii)
Routing tables of the Sonicwall and the Fortigate
iii)
Trace from the client to the Shoretel server and vice versa.
Also confirm the significance of the 10.0.99.x subnet.
There seems to be some misunderstanding. As I see things now (albeit with imperfect information):
> 1. The Fortigate doesn't have any route for the 10.0.99.0 subnet.
That may be unfortunate. I don't see that it can hurt anything; so why not?
> 2. In the Sonicwall, there is no route for 10.0.99.0 pointing to interface X2:30, which connects the Sonicwall back to the PoE Switch.
So the trunk carrying VLANs 1 and 30 is on X2. Is that right? At any rate, if 10.0.99.0 is "known" by the Sonicwall then it must have a route, even if all the route does is send traffic to the gateway (via 0.0.0.0, the default route). Is the gateway for the Sonicwall the Fortigate or the PoE Switch? You have still not said whether the switch is in Layer 2 or Layer 3 mode.... Once more, if there's no route in the Sonicwall for 10.0.99.0 AND no route in the gateway, then there's no path and packets will be dropped. The MAC address entry in the switch is normal but won't help.
> So, can I say that the return packet is handled by the PoE switch using its MAC-address table? I can see the MAC address of the wifi client there (of course, not the IP address).
No.
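As an added illustration (not code from any poster in this thread), the following Python model walks the reply packet from a 10.0.1.0/24 server towards a wifi client on 10.0.99.0/24, first with the Sonicwall lacking a route for VLAN 30 and then with the connected route that assigning 10.0.99.1 to X2:30 should create. It shows the point made above: the Layer 2 switch's MAC table is only consulted after a router has picked an outgoing interface, so without a route the MAC entry is never used. The interface names, switch port, client address and MAC address are constructed assumptions, not values from the attached dumps.

```python
"""Toy forwarding model: does a reply from 10.0.1.0/24 reach a wifi client on 10.0.99.0/24?

Constructed example; interface names, ports and MAC addresses are assumptions
and are not taken from the dumps attached to the thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPNet = ipaddress.IPv4Network


@dataclass
class Route:
    network: IPNet
    out_iface: str
    next_hop: Optional[str] = None  # None: directly connected, router ARPs for the destination


class Router:
    """Layer 3 hop: picks the longest matching prefix, or nothing at all."""

    def __init__(self, name, routes):
        self.name, self.routes = name, routes

    def lookup(self, dst):
        matches = [r for r in self.routes if dst in r.network]
        return max(matches, key=lambda r: r.network.prefixlen, default=None)


class Switch:
    """Layer 2 hop: forwards by destination MAC only; it never looks at the IP header."""

    def __init__(self, name, mac_table):
        self.name, self.mac_table = name, mac_table

    def port_for(self, mac):
        return self.mac_table.get(mac)  # None: unknown unicast, flood the VLAN


# Constructed addressing (assumption): one wifi client on VLAN 30.
CLIENT_IP = ipaddress.IPv4Address("10.0.99.20")
CLIENT_MAC = "aa:bb:cc:00:99:20"
ARP_VLAN30 = {CLIENT_IP: CLIENT_MAC}  # what the Sonicwall learns by ARPing on X2:30


def build(sonicwall_has_vlan30_route):
    """Sonicwall/Fortigate tables and the PoE switch MAC table, with or without the VLAN 30 route."""
    sonicwall_routes = [
        Route(IPNet("10.0.1.0/24"), "X0"),                      # LAN with the servers
        Route(IPNet("0.0.0.0/0"), "X1", next_hop="fortigate"),  # everything else upstream
    ]
    if sonicwall_has_vlan30_route:
        # What assigning 10.0.99.1 to X2:30 should produce: a connected route.
        sonicwall_routes.append(Route(IPNet("10.0.99.0/24"), "X2:30"))
    sonicwall = Router("sonicwall", sonicwall_routes)
    fortigate = Router("fortigate", [
        Route(IPNet("172.16.172.0/24"), "internal"),            # the switch's management subnet
        Route(IPNet("0.0.0.0/0"), "wan", next_hop="isp"),       # no entry for 10.0.99.0/24, as reported
    ])
    # Learned from the client's DHCP exchange: its MAC sits on the port facing the controller.
    poe = Switch("POES1", {CLIENT_MAC: "Gi1/0/10"})
    return sonicwall, fortigate, poe


def trace_return(dst_ip, sonicwall, fortigate, poe):
    """Walk the reply from a 10.0.1.0/24 server; return (delivered, list of hop decisions)."""
    hops = []
    node = sonicwall  # the servers' default gateway
    for _ in range(4):  # bound the walk; two routers is all this topology has
        route = node.lookup(dst_ip)
        if route is None:
            hops.append(f"{node.name}: no route for {dst_ip}, DROP")
            return False, hops
        hops.append(f"{node.name}: {dst_ip} matches {route.network} via {route.out_iface}")
        if route.next_hop == "fortigate":
            node = fortigate
            continue
        if route.next_hop == "isp":
            hops.append("fortigate: private destination handed to the ISP, DROP")
            return False, hops
        # Directly connected: only now does Layer 2 come into play.
        mac = ARP_VLAN30.get(dst_ip)
        if mac is None:
            hops.append(f"{node.name}: no ARP reply for {dst_ip} on {route.out_iface}, DROP")
            return False, hops
        port = poe.port_for(mac)
        if port is None:
            hops.append(f"{poe.name}: {mac} not in MAC table, flood VLAN 30")
        else:
            hops.append(f"{poe.name}: {mac} learned on {port}, forward to controller")
        return True, hops
    return False, hops


if __name__ == "__main__":
    for has_route in (False, True):
        delivered, hops = trace_return(CLIENT_IP, *build(has_route))
        print(f"Sonicwall route for 10.0.99.0/24: {has_route} -> delivered={delivered}")
        for h in hops:
            print("   ", h)
```

Run it and compare the two traces: without the route the packet follows the Sonicwall's default to the Fortigate and leaves the network, and POES1 never appears in the hop list even though its MAC table holds the client; with the route the Sonicwall picks X2:30 and the switch's MAC entry delivers the frame to the controller port.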
ASKER
The switch is a C2960X; I'm guessing it is L2. 172.16.172.254 is the Fortigate IP.
POES1#sh ip route
Default gateway is 172.16.172.254
Host Gateway Last Use Total Uses Interface
ICMP redirect cache is empty
Y5POES1#
Hi there,
Kindly share the remaining outputs as requested for in my previous post.
The fact that the switch has a gateway entry may be fairly meaningless in this discussion if it's a Layer 2 switch. It's likely there to support things like firmware updates, etc.
Kindly share the outputs as requested by Ian Arakel.
ASKER
10.0.99.0 is the subnet for wifi clients connecting to the internal LAN servers after Radius authentication. Thx
Dump1.txt
Dump2-Sonicwall.png
Dump3-Fortigate.png
dump4-tracert-to-Radius.txt
ASKER
Thx
I'm not clear what this means:
Does this mean: DHCP server on the Sonicwall / LAN 10.0.10.0 WITH subnet 10.0.99.0???? Well, one might *presume* /24, but you don't say so; maybe it's 10.0.9.0???
Whether the WiFi Controller has a DHCP server running is unclear. I suspect NOT, eh?
Yes. That sounds correct.
Since the 10.0.99.0 subnet is also on the Sonicwall, it seems that a route on the Sonicwall from 10.0.1.0 to 10.0.99.0 would do it. Imagine if there were wired clients on the Sonicwall on VLAN30 with subnet 10.0.99.0. And, imagine if you wanted them to talk to clients on 10.0.1.0? There would be a route between those two VLANs.
I may be missing something in the motivation here that leads to this architecture. It appears you're trying to provide wireless access to both 172.16.172.0 AND 10.0.99.0. Is that right?
I can understand that maybe you want the wireless clients to be isolated, but then you don't seem to be intending to do that.
Tell us what the big picture objectives are and perhaps there can be a suggestion.