That is not a bad idea. Need to see what kinda of WAP’s Cisco has out now. Definitely won’t be getting any kind of WLC anytime soon, that would be one very expensive lab!

Hi, thanks for the tip, let me look into this as this sounds like a very important feature!!

Hey there,

You mentioned that the two buildings are connected as “though” they are on the same LAN. Can I get confirmation that they are utilizing the same IP addressing scheme on the LAN? Or is there routing in place somewhere that is sending two different LAN networks to each other? Basically, what’s the addressing at each location?

There are other methods to getting your SonicPoint to work on the LAN with or without utilizing VLAN’s and sub-interfaces. This article just touches up on one of the options.

If you could provide a little bit more info on your setup, we can look at resolving this issue for you.

Let me know what your ISP says regarding the VLAN tagging. Are you running 5.8 on your NSA240? I have spoken with SonicWALL engineers and development team and I believe that there are changes in the way they will handle SonicPoint’s SDP protocol in the near future. I think specifically to address these kinds of issues.

In any event, I’m sure we can devise a solution.

Good to hear! I was able to lab up a possible scenario for you but ran out of time to finish. I was able to get the SonicPoint to work through the sub-interface using VLAN ID 10. (like my lab above)
Then trunk the X0 interface to a switch.
Then take a port on that switch and assign it to VLAN 10 and put the SonicPoint on it. It will communicate with the SonicWALL. I was able to get a laptop to connect to the SonicPoint and even reboot the SonicPoint from the firewall, so communications is not a problem. I am also able to ping the SonicPoint from the LAN zone.

You should try this locally first within your LAN in the same building. Once you can confirm it works. Then make sure your switches between the two buildings are trunked together so that they can carry multiple VLAN’s.

Then assign a port to VLAN 10  (or whatever VLAN you gave the WLAN) to a port on the switch in the other building.

I need more time, perhaps this weekend to thoroughly go over it but hopefully what I wrote makes sense and you can try to give it a shot….

The key is creating the WLAN sub-interface off X0. Then trunk to your switch. Then edit your VAP configuration, choose the newly created VLAN ID.

Oh yes, the joys of level 1 support!! Hey, they are only trying to do their jobs, but to say it’s impossible is incorrect. That is where they need to draw the line if they are unsure….

What you are looking to do is doable, as my blog has shown. The issue probably lies more with the switch, and I’m going to have to go with the assumption that your Sonicwall is configured properly since Level 2/3 said so.

The switch configuration is a little odd, it says that you created a trunk on “ethernet g3″ I’m not sure how port g3 has any role in this since the only two ports I’m aware of are “g45″ and “g43″.

“g45″ is connected to your firewall, so that port needs to be in “trunk mode”. That will carry all your VLAN’s. Don’t worry about setting any “allowed vlan add 10″ type entries, just make it carry all VLAN’s.
When you start specifying which VLAN’s to add, you can run the risk of not properly including all VLAN’s.
So say you wanted VLAN’s 10 and 20 but you specified “add vlan 10″, it will only allow VLAN 10, which is what you may not want since VLAN 20 will not be included!!

In any event, “g43″ configuration looks correct.

I would start over by clearing the switch. Make “g45″ a trunk port and that’s it. Don’t specify any vlans.
Make “g43″ part of VLAN 10 which you did correctly.

Last but not least, I’m not familiar with the “switchport mode general” command but that doesn’t look correct so leave that part out.

In short, it should look something like this. (what kind of switch are you using?)

    interface ethernet g5
    switchport mode trunk
    exit
    vlan database
    vlan 10
    exit
    interface ethernet g43
    switchport access vlan 10
    exit
    interface vlan 10
    name Sonicpoint
    exit

Ok – It worked! I also discovered that the Sonicpoints would not connect to a port on the Dell Powerconnect 5448 that was set to autonegotiate – had to force to 100BaseT and then it all came up! Thanks a bunch

Hi,
Thanks for you article.
We use multiple SSID and VAP (on Sonicwall and Sonicpoint) quite a lot in my company, but actually, we are facing a problem in 2 different sites…
The configuration works perfectly when there is only one switch, but we have 2 cases where we have 2 switch (Dlink DGS3100-48) between a NSA2400 in a case and a 4500 in the other case, and the sonicpoints.

I spent hours on the phone with Dlink and Sonicwall supports, trying a lot of config, trunking Vlans, untrunking Vlans, tag or untag ports,… but it still not work and the sonicpoints which are after the second switch desesperatly cannot communicate with the Sonicwall…

depending of configurations, they are constantly rebooting or non-responsive…

If any one already got this problem and have a solution, or any clue, i’m interested.

Thanks.

Al.

Brandon, I was curious if you have run into the situation I am in and if you know the proper configuration. I am currently running a SW NSA 2400 attached to a Cisco Catalyst 3560 switch which as my SonicPoints connected to it. I have been charged by my betters to setup both a guest wireless and an internal wireless network without purchasing additional hardware. Unfortunately all 4 sonicPoints are required to cover the entire building. Is it possible to setup two SSIDs, one Internal and one for guest using the same Sonicpoints? I have setup the switch and sonicwall to the best of my knowledge but thus far have only been able to get one or the other working at the same time.

Brandon,

Thank you for your quick reply. Currently I have the 4 APs setup in a VAP group (VAP Group 1. I have both SSIDs setup (Corporate and Guest) but so far only the Corporate one will work. Both SSIDs are visibile to the client and I can connect toto the Corporate . However, when attempting to connect to the Guest wireless the client will acquire an IP. I’ve confirmed that DHCP is configured and enabled. Using packet monitor on the SonicWall for the VLAN which is vlan 20 for the guest shows no traffic via IP protocol.

The current configuration is as follows

The 4 APs (SonicPoints) are hooked into the Cisco switch in ports 24,26,28 and 30. Port 22 from the switch is setup up as a trunk and is going to X5 on my SonicWall.
 
-Aaron

Brandon,

The firewall is a SonicWall NSA2400 running 5.8.0.2-37o firmware.
The SonicPoints are AVC13-07C SonicPointNA

A show interface trunk results in

Port        Mode         Encapsulation  Status        Native vlan
Fa0/2       on           802.1q         trunking      1
Fa0/22      on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/2       1-4094
Fa0/22      1-4094

Port        Vlans allowed and active in management domain
Fa0/2       1-4,12,26,241
Fa0/22      1-4,12,26,241

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/2       1-4,12,26,241
Fa0/22      1-4,12,26,241
sw-sac-12#sw-sac-12#show interface trunk

Hey Aaron,

Sorry for the delay. I have been hammered the last week or so with some work.

I noticed that your switch has two trunks. One is on port 22 and the other is on port 2. What is port 2 all about, since I know that port 22 goes into your X5 interface.

Also, please run this command on all your 4 ports so I can see how they are configured.

“show run int fa0/24″
“show run int fa0/26″
“show run int fa0/28″
“show run int fa0/30″

 If I get some time this weekend I will see if I can replicate your setup.

First issue is that your ports aren’t assigned to any VLAN’s. What are the VLAN’s you created for your different wireless networks?

Exactly! Good job. That was why I wanted to see how your switchports were setup. Orginally they were not applied to any VLAN. But since the Sonicpoints were carrying different VLAN tags for each of your SSID’s, those ports would need to be trunked.

In any event, good job!
 

Above all the points are explained very clearly.You have done a great job by sharing this informative post. I would like to appreciate your good work and also would like to encourage you to keep it up.

Hi Brandon,

I came across your website as I’m trying to set up exactly what you’ve described here, and other of your pages have pointed me in the right direction. However, we use HP Procurve switches and I’m banging my head against a wall trying to getting the wireless working. Our firewall is an NSA3500 and I’m trying to deploy Sonicpoint Ne APs.

I’ve created two sub-interfaces of X0 on the Sonicwall: V50 for a guest WLAN and V100 for a private WLAN (I’ve also obviously set up the VAPs as well), and I’ve created two VLANs on the Procurve (50 & 100)

The X0 LAN interface from the NSA3500 connects to port B1 on the Procurve
B1 is ‘untagged’ in the default VLAN and ‘tagged’ in VLANs 50 & 100 (if I ‘tag’ it in the default VLAN, no-one can talk to the firewall).

For initial testing I’ve added one other port (F24) which is ‘tagged’ in VLANs 50 & 100. I’ve tried both tagged and untagged in the default VLAN, but whatever I try, I can’t seem to get the Sonicpoint to provision.

I nkow your blog is Cisco centric, but wondered if you can offer any comment as what I’m doing wrong. Any advice will be massively appreciated.

All the best,
Paul

Hello, I just discovered this — I am in exactly the same pickle.

Being quite new to SonicWalls etc. I don’t understand what IP I should give to the sub-interface since I cannot direct-connect the SonicPoint to the NSA3500 *except* like in your other blog article.

Should I follow the other blog article first and attach the SonicPoint to the NSA3500 first so it can get some sort of IP address??

Then for the HP switch upon which I created a VLAN #100 I should tag the X0 port with that VLAN??

Thank you, Tom

Hey Tom!

Because I’m not that proficient with HP switches and they tend to twist terminologies. Be careful of what they call “Trunking” as that is not what you want to do. Trunking to them is port aggregation.

Whatever setting is in the switch, you want to make sure it carries VLAN’s. I always try to simplify. First remove the Sonicpoints out of the equation and make sure that you have trunking and VLAN’s working properly. So make sure a switchport is applied to the proper VLAN and you can get out.

The sub-interface on the Sonicwall is just like any other interface (X2, X3) the only difference is that it hangs off X0. (if X0 is what you’re using)

Then when you replace your PC with your Sonicpoint, it will find your SonicWALL. The SDP protocol is what Sonicwall uses and unfortunately it is L2 based and is not routable. From what I hear, they are working on changing that, this way all of us won’t have to do what we are doing now in order to get the SonicPoint’s to provision.

Once the SP’s can see the firewall, they should automatically provision based on the profile that you’ve created…

So let’s say your VLAN is 101 off X0. It would look something like this:

X0:V101

The IP would be something like 172.16.1.1 /24.
With your trunk to the HP switch, you then plug your SonicPoint to any switchport, apply that switch port to VLAN 101. Make sure you create VLAN 101 on your HP switch as well.

Great post and definitely gets me headed in the right direction. I see in your example that you created your subinterface WLAN to belong to a different subnet than your LAN zone. If I were to make my WLAN zone the same subnet as my LAN, would my WLAN traffic be able to access my LAN resources?

Thanks for the quick reply and link! I have another quick question:

Would it be possible to add an uplink from the switch to another interface, lets say X6, and configure that switchport to trunk as well? So, you would trunk the X0 and the X6 off the same switch, thus eliminating the need to configure a sub-interface on the X0 port?

Hello, I did not see this reply till now…I will try this out soon.

I did more or less try the above approach with our SonicWall consultant and it did not seem to work so we went back to using X3 and the SP is not discovered…but we don’t want to test during the day since previous testing etc. caused a switch loop etc. and took down the network…

Am I correct that the VLAN ID # must be applied to all downstream network switches and ports that might possibly carry WLAN traffic?? — regardless where they are physically within the subnet??

Thank you, Tom

Hi Brandon,

I have my SonicPoint ‘piped’ directly to the X3 on my sonicwall TZ210 not the X0 (LAN), will this still work to have access to local resources on the LAN?