Corp & Guest WiFi on SonicPoint-NDR via Cisco Switches – Setup Guide

Tags: cisco, sonicwall, wireless

I have a Virtual Access Point (VAP) group properly set up with both the corporate and guest VAPs on our SonicWALL NSA 3500, but when I apply them to a SonicPoint-NDR I have the issue referred to in the diagram – I have Cisco switches in between the SonicWALL and SonicPoints (no way around that since this LAN spans miles and many buildings) and I can only assign one Access VLAN to the upstream Cisco port at a time. I tried trunking the Cisco port but nothing seemed to work, unless I granted one VLAN as a native trunk VLAN in which case only that VLAN would work. Is this impossible?

It should be possible according to Dell/SonicWALL documentation, and I have an open ticket with their support on it, but I haven't heard back in a day and their troubleshooting for this seems very limited.

In the diagram, VLAN 2 is our general corporate wired LAN, VLAN 802 is our corporate WiFi and VLAN 803 is our guest WiFi.

Network diagram: (image not reproduced)

Best Answer

I'm not that familiar with SonicWALL wireless, but as I'm going through the docs of SonicOS 6.1, there are 3 modes of managing the APs, 2 of which can apply to your situation. I'm quoting from the documentation.

The following three SonicPoint deployment scenarios are supported:

  • Local Layer 2 Management – When SonicPoints are deployed in the same Layer 2 network with SonicWALL network security appliance, the existing Layer 2 discovery protocol SDP is used to manage these access points.
  • Local Layer 3 Management – When SonicPoints are deployed outside of the Layer 2 network boundaries, but still within the same Intranet (for example when there is a third-party router between the firewall and the SonicPoints), Layer 3 management protocols can be used to manage these access points.

I'm assuming you are using the "local layer 3 management" mode, as that would be the best fit for your network as it is most scalable. In that case, CAPWAP (an industry standard) is used, which makes every AP create a tunnel to the controller, and all traffic is processed at the controller. So as far as the switchports to the APs are concerned, they would have to be in access mode, with a VLAN that can connect to the NSA's wireless management port.

If the above diagram is correct, you do not appear to have a wireless management VLAN, or you've combined it with VLAN 2 (the corporate wired LAN).

So what I would do: create a new VLAN (let's pick ID 88, name: ap-mgmt) to be used to connect the access points. Set up a DHCP scope on that VLAN that sets option 138 to the IP address of the NSA on which wireless management is active. Set all switchports connecting to APs to:

switchport mode access
switchport access vlan 88
spanning-tree portfast

(You might want to add some other stuff like bpduguard but that's beyond the scope of this question).

How to configure the NSA starts on page 389 of the Administrator's Guide (https://support.software.dell.com/download/downloads?id=5328574).

As the APs will be doing DHCP, via CAPWAP they will connect to the NSA and set up a tunnel, through which all traffic will pass. When the APs have successfully connected and the SSIDs are visible, yet you cannot connect (DHCP doesn't work, or DHCP does work but you can't reach outside the local network), firewall rules may be preventing communication, in which case we'd have to look further.
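As an added example (not part of the original question or answer), the script below does two checks a network engineer would want before opening a ticket: it audits a constructed IOS-style running-config for the AP-facing ports described in the answer (access mode, the ap-mgmt VLAN, portfast, plus the bpduguard the answer mentions as a recommended extra), and it builds and parses the raw DHCP option 138 payload (the CAPWAP access-controller IPv4 list from RFC 5417) so the value handed to the APs can be verified byte for byte. The interface names, descriptions, VLAN 88 and the controller address 10.88.0.1 are constructed for the example and are not values from the page.

```python
import ipaddress
import re
import struct

# Constructed sample running-config (not from the original post). Gi1/0/1 follows
# the answer's recipe fully, Gi1/0/2 lacks bpduguard, and Gi1/0/3 is still a
# trunk with a native VLAN, which is the configuration the question describes.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description AP-building-A
 switchport mode access
 switchport access vlan 88
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 description AP-building-B
 switchport mode access
 switchport access vlan 88
 spanning-tree portfast
!
interface GigabitEthernet1/0/3
 description AP-building-C
 switchport mode trunk
 switchport trunk native vlan 2
!
"""

AP_MGMT_VLAN = 88  # hypothetical ap-mgmt VLAN ID picked in the answer


def parse_interfaces(config):
    """Return {interface_name: [stripped config lines]} from an IOS-style config."""
    blocks = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line.startswith("!"):
            current = None
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
    return blocks


def audit_ap_port(lines, vlan=AP_MGMT_VLAN):
    """Check one AP-facing port against the answer's recipe; return a list of findings."""
    findings = []
    if "switchport mode access" not in lines:
        findings.append("not in access mode")
    if f"switchport access vlan {vlan}" not in lines:
        findings.append(f"access VLAN is not {vlan}")
    if "spanning-tree portfast" not in lines:
        findings.append("portfast missing")
    if "spanning-tree bpduguard enable" not in lines:
        findings.append("bpduguard missing (recommended)")
    return findings


def audit_config(config, vlan=AP_MGMT_VLAN):
    """Audit every interface whose description starts with 'AP'; return {name: findings}."""
    result = {}
    for name, lines in parse_interfaces(config).items():
        if any(re.match(r"description\s+AP", ln) for ln in lines):
            result[name] = audit_ap_port(lines, vlan)
    return result


def encode_option_138(*controllers):
    """Build raw DHCP option 138 bytes: code 138, length 4*n, then n IPv4 addresses."""
    payload = b"".join(ipaddress.IPv4Address(c).packed for c in controllers)
    return struct.pack("BB", 138, len(payload)) + payload


def decode_option_138(raw):
    """Parse raw option 138 bytes back into a list of controller addresses."""
    code, length = struct.unpack("BB", raw[:2])
    if code != 138 or length % 4 or len(raw) != 2 + length:
        raise ValueError("malformed option 138")
    return [str(ipaddress.IPv4Address(raw[i:i + 4])) for i in range(2, 2 + length, 4)]


if __name__ == "__main__":
    for port, findings in audit_config(SAMPLE_CONFIG).items():
        print(port, "OK" if not findings else "; ".join(findings))
    opt = encode_option_138("10.88.0.1")  # constructed NSA wireless-management address
    print(opt.hex(), decode_option_138(opt))
```

Run against a real `show running-config` export by replacing SAMPLE_CONFIG; a port reported as "not in access mode" is exactly the trunk-with-native-VLAN setup from the question, which only carries the native VLAN to an AP that expects a single management VLAN.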
