Configuring the Sonicwall to route VLAN traffic to the internet

4

I have a Sonicwall NSA 2400 that had its configuration reset, and I am having trouble reconfiguring it.

The Sonicwall's WAN port (X1) connects to the internet. Its LAN port (X0) connects to a 3Com 4500G switch (Layer 3 enabled) that I have connected (trunked?) to another 3Com 4500 switch.

The switches define 3 VLANs:

VLAN1 - Data VLAN - Not used for much, if anything

VLAN2 - Voice VLAN - The VoIP phones are connected here. The computers are connected to the network through their phones.

VLAN4094 - Routing VLAN - Appears to be used to route network traffic to the internet (?)

3Com 4500G

This is the switch directly connected to the Sonicwall NSA 2400

4500G configuration

#
 sysname #############
#
 dhcp relay server-group 0 ip 192.168.10.4
 dhcp relay server-group 0 ip 192.168.11.10
#
 domain default enable system
#
 local-server nas-ip 127.0.0.1 key 3com
#
 telnet server enable
#
 undo cluster enable
#
igmp-snooping
#
vlan 1
 description Data VLAN
 igmp-snooping enable
#
vlan 11
 description Voice VLAN
#
vlan 4094
 description Routing VLAN
#               
radius scheme system
 server-type extended
 primary authentication 127.0.0.1 1645
 primary accounting 127.0.0.1 1646
 user-name-format without-domain
#               
domain system   
 access-limit disable
 state active   
 idle-cut disable
 self-service-url disable
#               
local-user admin
 service-type telnet terminal
 level 3        
local-user manager
 password simple manager
 service-type telnet terminal
 level 2        
local-user monitor
 password simple monitor
 service-type telnet terminal
 level 1        
#               
interface NULL0 
#               
interface Vlan-interface1
 ip address 192.168.10.1 255.255.255.0
 dhcp select relay
 dhcp relay server-select 0
#               
interface Vlan-interface11
 ip address 192.168.11.1 255.255.255.0
 dhcp select relay
 dhcp relay server-select 0
#               
interface Vlan-interface4094
 ip address 192.168.255.2 255.255.255.0
 rip poison-reverse
 rip version 2 multicast
#               
interface GigabitEthernet1/0/1
 port access vlan 4094
 broadcast-suppression pps 3000
 undo jumboframe enable
 description Uplink to SonicWALL
 stp edged-port enable
#               
interface GigabitEthernet1/0/2
 broadcast-suppression pps 3000
 undo jumboframe enable
 stp edged-port enable
#               
interface GigabitEthernet1/0/3
 broadcast-suppression pps 3000
 undo jumboframe enable
 stp edged-port enable
#               
interface GigabitEthernet1/0/4
 broadcast-suppression pps 3000
 undo jumboframe enable
 stp edged-port enable
#               
interface GigabitEthernet1/0/5
 broadcast-suppression pps 3000
 undo jumboframe enable
 stp edged-port enable
#               
interface GigabitEthernet1/0/6
 broadcast-suppression pps 3000
 undo jumboframe enable
 stp edged-port enable
#               
interface GigabitEthernet1/0/7
 broadcast-suppression pps 3000
 undo jumboframe enable
 stp edged-port enable
#               
interface GigabitEthernet1/0/8
 broadcast-suppression pps 3000
 undo jumboframe enable
 stp edged-port enable
#               
interface GigabitEthernet1/0/9
 broadcast-suppression pps 3000
 undo jumboframe enable
 stp edged-port enable
#               
interface GigabitEthernet1/0/10
 broadcast-suppression pps 3000
 undo jumboframe enable
 stp edged-port enable
#               
interface GigabitEthernet1/0/11
 broadcast-suppression pps 3000
 undo jumboframe enable
 stp edged-port enable
#               
interface GigabitEthernet1/0/12
 port link-type trunk
 port trunk permit vlan all
 broadcast-suppression pps 3000
 undo jumboframe enable
 stp edged-port enable
#               
interface GigabitEthernet1/0/13
 port access vlan 11
 broadcast-suppression pps 3000
 undo jumboframe enable
 stp edged-port enable
#               
interface GigabitEthernet1/0/14
 broadcast-suppression pps 3000
 undo jumboframe enable
 stp edged-port enable
#               
interface GigabitEthernet1/0/15
 broadcast-suppression pps 3000
 undo jumboframe enable
 stp edged-port enable
#               
interface GigabitEthernet1/0/16
 broadcast-suppression pps 3000
 undo jumboframe enable
 stp edged-port enable
#               
interface GigabitEthernet1/0/17
 broadcast-suppression pps 3000
 undo jumboframe enable
 stp edged-port enable
#               
interface GigabitEthernet1/0/18
 broadcast-suppression pps 3000
 undo jumboframe enable
 stp edged-port enable
#               
interface GigabitEthernet1/0/19
 broadcast-suppression pps 3000
 undo jumboframe enable
 stp edged-port enable
#               
interface GigabitEthernet1/0/20
 broadcast-suppression pps 3000
 undo jumboframe enable
 stp edged-port enable
#               
interface GigabitEthernet1/0/21
 broadcast-suppression pps 3000
 undo jumboframe enable
 stp edged-port enable
#               
interface GigabitEthernet1/0/22
 broadcast-suppression pps 3000
 undo jumboframe enable
 stp edged-port enable
#               
interface GigabitEthernet1/0/23
 broadcast-suppression pps 3000
 undo jumboframe enable
 stp edged-port enable
#               
interface GigabitEthernet1/0/24
 port link-type trunk
 port trunk permit vlan all
 broadcast-suppression pps 3000
 undo jumboframe enable
 stp edged-port enable
#               
interface GigabitEthernet1/0/25
 broadcast-suppression pps 3000
 undo jumboframe enable
 shutdown       
 stp edged-port enable
#               
interface GigabitEthernet1/0/26
 broadcast-suppression pps 3000
 undo jumboframe enable
 shutdown       
 stp edged-port enable
#               
interface GigabitEthernet1/0/27
 broadcast-suppression pps 3000
 undo jumboframe enable
 shutdown       
 stp edged-port enable
#               
interface GigabitEthernet1/0/28
 broadcast-suppression pps 3000
 undo jumboframe enable
 shutdown       
 stp edged-port enable
#               
rip 1           
 undo summary   
 version 2      
 network 192.168.10.0
 network 192.168.11.0
 network 192.168.255.0
 import-route direct
#               
 snmp-agent     
 snmp-agent local-engineid 8000002B0300247310B641
 snmp-agent community read public
 snmp-agent community write private
 snmp-agent sys-info version all
#               
 dhcp enable    
#               
user-interface aux 0
 authentication-mode scheme
user-interface vty 0 4
 authentication-mode scheme
#               
return

4500G routing table

Routing Tables: Public
        Destinations : 8        Routes : 8

Destination/Mask    Proto  Pre  Cost         NextHop         Interface

127.0.0.0/8         Direct 0    0            127.0.0.1       InLoop0
127.0.0.1/32        Direct 0    0            127.0.0.1       InLoop0
192.168.10.0/24     Direct 0    0            192.168.10.1    Vlan1
192.168.10.1/32     Direct 0    0            127.0.0.1       InLoop0
192.168.11.0/24     Direct 0    0            192.168.11.1    Vlan11
192.168.11.1/32     Direct 0    0            127.0.0.1       InLoop0
192.168.255.0/24    Direct 0    0            192.168.255.2   Vlan4094
192.168.255.2/32    Direct 0    0            127.0.0.1       InLoop0

3Com 4500

This is the switch the VoIP system is connected to

4500 configuration

#
 sysname ############
#
 local-server nas-ip 127.0.0.1 key 3com
#
 igmp-snooping enable
#
radius scheme system
#
domain system
#
local-user admin
 service-type ssh telnet terminal
 level 3
local-user manager
 password simple manager
 service-type ssh telnet terminal
 level 2
local-user monitor
 password simple monitor
 service-type ssh telnet terminal
 level 1
#                                         
acl number 4999                           
 rule 0 deny dest 0000-0000-0000 ffff-ffff-ffff
#                                         
vlan 1                                    
 igmp-snooping enable                     
#                                         
vlan 11                                   
 description Voice VLAN                   
#                                         
vlan 4094                                 
 description Routing VLAN                 
#                                         
interface Vlan-interface1                 
 description Data vlan                    
#                                         
interface Vlan-interface4094              
 ip address 192.168.255.3 255.255.255.0   
#                                         
interface Aux1/0/0                        
#                                         
interface Ethernet1/0/1                   
 poe enable                               
 stp edged-port enable                    
 broadcast-suppression pps 3000           
 port access vlan 11                      
 packet-filter inbound link-group 4999 rule 0
#                                         
interface Ethernet1/0/2                   
 poe enable                               
 stp edged-port enable                    
 port link-type hybrid                    
 port hybrid vlan 11 tagged               
 port hybrid vlan 1 untagged              
 broadcast-suppression pps 3000           
 packet-filter inbound link-group 4999 rule 0
#                                         
interface Ethernet1/0/3                   
 poe enable                               
 stp edged-port enable                    
 port link-type hybrid                    
 port hybrid vlan 11 tagged               
 port hybrid vlan 1 untagged              
 broadcast-suppression pps 3000           
 packet-filter inbound link-group 4999 rule 0
#                                         
interface Ethernet1/0/4                   
 poe enable                               
 stp edged-port enable                    
 port link-type hybrid                    
 port hybrid vlan 11 tagged               
 port hybrid vlan 1 untagged              
 broadcast-suppression pps 3000           
 packet-filter inbound link-group 4999 rule 0
#                                         
interface Ethernet1/0/5                   
 poe enable                               
 stp edged-port enable                    
 port link-type hybrid                    
 port hybrid vlan 11 tagged               
 port hybrid vlan 1 untagged              
 broadcast-suppression pps 3000           
 packet-filter inbound link-group 4999 rule 0
#                                         
interface Ethernet1/0/6                   
 poe enable                               
 stp edged-port enable                    
 port link-type hybrid                    
 port hybrid vlan 11 tagged               
 port hybrid vlan 1 untagged              
 broadcast-suppression pps 3000           
 packet-filter inbound link-group 4999 rule 0
#                                         
interface Ethernet1/0/7                   
 poe enable                               
 stp edged-port enable                    
 port link-type hybrid                    
 port hybrid vlan 11 tagged               
 port hybrid vlan 1 untagged              
 broadcast-suppression pps 3000           
 packet-filter inbound link-group 4999 rule 0
#                                         
interface Ethernet1/0/8                   
 poe enable                               
 stp edged-port enable                    
 port link-type hybrid                    
 port hybrid vlan 11 tagged               
 port hybrid vlan 1 untagged              
 broadcast-suppression pps 3000           
 packet-filter inbound link-group 4999 rule 0
#                                         
interface Ethernet1/0/9                   
 poe enable                               
 stp edged-port enable                    
 port link-type hybrid                    
 port hybrid vlan 11 tagged               
 port hybrid vlan 1 untagged              
 broadcast-suppression pps 3000           
 packet-filter inbound link-group 4999 rule 0
#                                         
interface Ethernet1/0/10                  
 poe enable                               
 stp edged-port enable                    
 port link-type hybrid                    
 port hybrid vlan 11 tagged               
 port hybrid vlan 1 untagged              
 broadcast-suppression pps 3000           
 packet-filter inbound link-group 4999 rule 0
#                                         
interface Ethernet1/0/11                  
 poe enable                               
 stp edged-port enable                    
 port link-type hybrid                    
 port hybrid vlan 11 tagged               
 port hybrid vlan 1 untagged              
 broadcast-suppression pps 3000           
 packet-filter inbound link-group 4999 rule 0
#                                         
interface Ethernet1/0/12                  
 poe enable                               
 stp edged-port enable                    
 port link-type hybrid                    
 port hybrid vlan 11 tagged               
 port hybrid vlan 1 untagged              
 broadcast-suppression pps 3000           
 packet-filter inbound link-group 4999 rule 0
#                                         
interface Ethernet1/0/13                  
 poe enable                               
 stp edged-port enable                    
 broadcast-suppression pps 3000           
 port access vlan 11                      
 packet-filter inbound link-group 4999 rule 0
#                                         
interface Ethernet1/0/14                  
 poe enable                               
 stp edged-port enable                    
 port link-type hybrid                    
 port hybrid vlan 11 tagged               
 port hybrid vlan 1 untagged              
 broadcast-suppression pps 3000           
 packet-filter inbound link-group 4999 rule 0
#                                         
interface Ethernet1/0/15                  
 poe enable                               
 stp edged-port enable                    
 port link-type hybrid                    
 port hybrid vlan 11 tagged               
 port hybrid vlan 1 untagged              
 broadcast-suppression pps 3000           
 packet-filter inbound link-group 4999 rule 0
#                                         
interface Ethernet1/0/16                  
 poe enable                               
 stp edged-port enable                    
 port link-type hybrid                    
 port hybrid vlan 11 tagged               
 port hybrid vlan 1 untagged              
 broadcast-suppression pps 3000           
 packet-filter inbound link-group 4999 rule 0
#                                         
interface Ethernet1/0/17                  
 poe enable                               
 stp edged-port enable                    
 port link-type hybrid                    
 port hybrid vlan 11 tagged               
 port hybrid vlan 1 untagged              
 broadcast-suppression pps 3000           
 packet-filter inbound link-group 4999 rule 0
#                                         
interface Ethernet1/0/18                  
 poe enable                               
 stp edged-port enable                    
 port link-type hybrid                    
 port hybrid vlan 11 tagged               
 port hybrid vlan 1 untagged              
 broadcast-suppression pps 3000           
 packet-filter inbound link-group 4999 rule 0
#                                         
interface Ethernet1/0/19                  
 poe enable                               
 stp edged-port enable                    
 port link-type hybrid                    
 port hybrid vlan 11 tagged               
 port hybrid vlan 1 untagged              
 broadcast-suppression pps 3000           
 packet-filter inbound link-group 4999 rule 0
#                                         
interface Ethernet1/0/20                  
 poe enable                               
 stp edged-port enable                    
 port link-type hybrid                    
 port hybrid vlan 11 tagged               
 port hybrid vlan 1 untagged              
 broadcast-suppression pps 3000           
 packet-filter inbound link-group 4999 rule 0
#                                         
interface Ethernet1/0/21                  
 poe enable                               
 stp edged-port enable                    
 port link-type hybrid                    
 port hybrid vlan 11 tagged               
 port hybrid vlan 1 untagged              
 broadcast-suppression pps 3000           
 packet-filter inbound link-group 4999 rule 0
#                                         
interface Ethernet1/0/22                  
 poe enable                               
 stp edged-port enable                    
 port link-type hybrid                    
 port hybrid vlan 11 tagged               
 port hybrid vlan 1 untagged              
 broadcast-suppression pps 3000           
 packet-filter inbound link-group 4999 rule 0
#                                         
interface Ethernet1/0/23                  
 poe enable                               
 stp edged-port enable                    
 port link-type hybrid                    
 port hybrid vlan 11 tagged               
 port hybrid vlan 1 untagged              
 broadcast-suppression pps 3000           
 packet-filter inbound link-group 4999 rule 0
#                                         
interface Ethernet1/0/24                  
 poe enable                               
 stp edged-port enable                    
 port link-type hybrid                    
 port hybrid vlan 11 tagged               
 port hybrid vlan 1 untagged              
 broadcast-suppression pps 3000           
 packet-filter inbound link-group 4999 rule 0
#                                         
interface GigabitEthernet1/0/25           
 port link-type trunk                     
 port trunk permit vlan all               
 shutdown                                 
#                                         
interface GigabitEthernet1/0/26           
 port link-type trunk                     
 port trunk permit vlan all               
 shutdown                                 
#                                         
interface GigabitEthernet1/0/27           
 port link-type trunk                     
 port trunk permit vlan all               
#                                         
interface GigabitEthernet1/0/28           
 port link-type trunk                     
 port trunk permit vlan all               
#                                         
 undo xrn-fabric authentication-mode      
#                                         
interface NULL0                           
#                                         
 voice vlan mac-address 0001-e300-0000 mask ffff-ff00-0000 description Siemens AG phone
 voice vlan mac-address 0004-0d00-0000 mask ffff-ff00-0000 description Avaya phone
 voice vlan mac-address 0013-1900-0000 mask ffff-ff00-0000 description Cisco 7960 phone
 voice vlan mac-address 0015-2b00-0000 mask ffff-ff00-0000 description Cisco 7940 phone
 voice vlan mac-address 0060-b900-0000 mask ffff-ff00-0000 description Philips and NEC AG phone
#                                         
 ip route-static 0.0.0.0 0.0.0.0 192.168.255.2 preference 60
#                                         
 snmp-agent                               
 snmp-agent local-engineid 8000002B00247373B0406877
 snmp-agent community read public         
 snmp-agent community write private       
 snmp-agent sys-info version all          
#                                         
user-interface aux 0 7                    
 authentication-mode scheme               
 screen-length 22                         
user-interface vty 0 4                    
 authentication-mode scheme               
#                                         
return                                    

4500 routing table

Routing Table: public net
Destination/Mask   Protocol Pre  Cost        Nexthop         Interface
0.0.0.0/0          STATIC   60   0           192.168.255.2   Vlan-interface4094
127.0.0.0/8        DIRECT   0    0           127.0.0.1       InLoopBack0
127.0.0.1/32       DIRECT   0    0           127.0.0.1       InLoopBack0
192.168.255.0/24   DIRECT   0    0           192.168.255.3   Vlan-interface4094
192.168.255.3/32   DIRECT   0    0           127.0.0.1       InLoopBack0

Current state of the Sonicwall

  • The Sonicwall is successfully connected to the internet.
  • The Sonicwall's LAN port (X0) is configured with:

    IP: 192.168.255.1
    Mask: 255.255.255.0
    
  • Two sub-interfaces have been configured on the LAN port (X0)

    X0:V1
    IP: 192.168.10.1
    Mask: 255.255.255.0
    
    X0:V11
    IP: 192.168.11.1
    Mask: 255.255.255.0
    
  • DHCP is enabled on the Sonicwall, with each X0 interface having a range within its subnet

  • A static IP has been assigned to the 4500G switch (I am not sure this is necessary): 192.168.255.2

Things tried with the Sonicwall

  • Set the X0 sub-interface IP addresses to the DHCP relay server addresses found in the 4500G switch configuration: 192.168.10.4 and 192.168.11.10, respectively.
  • Configured ARP entries on the Sonicwall to intercept packets sent to the VLAN interfaces and forward them to the Sonicwall gateway

What I would like to accomplish

I would like to get VLAN11 connected to the internet (VLAN1 too, if possible). I hope the phone system keeps working once this is done.

I would like to keep the switch configurations as they are, because they should still be configured the way they were when the network was working.

It may be fairly obvious by now, but I am a newbie with VLANs and firewalls. Does anyone have any advice on how to get my VLANs connected to the internet?

by losttime 05.10.2012 / 18:04
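The two config dumps above contain the facts needed to answer the routing part of the question, and also several management settings a security reviewer would flag on sight (Telnet enabled, local-user passwords stored as `password simple`, the default `public`/`private` SNMP communities). The script below is an added example, not code from the original post or from 3Com/HP: it parses short constructed excerpts of the posted Comware configs, pulls out the SVIs, static routes and DHCP relay targets, and reports the routing gap (the 4500G has SVIs on every VLAN but no default route, which matches its posted routing table) alongside the weak management settings. Only the stanzas the checks need are reproduced in the excerpts; the helper names and finding texts are this example's own.

```python
import ipaddress
import re

# Constructed excerpts of the 3Com 4500G and 4500 configs posted in the question.
# Only the stanzas the checks look at are kept; the rest of the dumps is omitted.
CONFIG_4500G = """\
 dhcp relay server-group 0 ip 192.168.10.4
 dhcp relay server-group 0 ip 192.168.11.10
 telnet server enable
local-user manager
 password simple manager
 service-type telnet terminal
interface Vlan-interface1
 ip address 192.168.10.1 255.255.255.0
 dhcp select relay
interface Vlan-interface11
 ip address 192.168.11.1 255.255.255.0
 dhcp select relay
interface Vlan-interface4094
 ip address 192.168.255.2 255.255.255.0
 snmp-agent community read public
 snmp-agent community write private
"""

CONFIG_4500 = """\
interface Vlan-interface4094
 ip address 192.168.255.3 255.255.255.0
 ip route-static 0.0.0.0 0.0.0.0 192.168.255.2 preference 60
"""


def parse_config(text):
    """Extract the Layer-3 facts and the weak management settings from a Comware dump."""
    cfg = {"svis": {}, "static_routes": [], "relay_servers": [], "weak": []}
    current = None  # interface stanza we are inside, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            continue
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"ip address (\S+) (\S+)", line)
        if m and current and current.startswith("Vlan-interface"):
            # ip_interface accepts a dotted netmask after the slash
            cfg["svis"][current] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
            continue
        m = re.match(r"ip route-static (\S+) (\S+) (\S+)", line)
        if m:
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
            cfg["static_routes"].append((net, ipaddress.ip_address(m.group(3))))
            continue
        m = re.match(r"dhcp relay server-group \d+ ip (\S+)", line)
        if m:
            cfg["relay_servers"].append(ipaddress.ip_address(m.group(1)))
            continue
        if line == "telnet server enable":
            cfg["weak"].append("telnet server enabled (cleartext management)")
        elif line.startswith("password simple "):
            cfg["weak"].append("local-user password stored in cleartext ('password simple')")
        elif re.match(r"snmp-agent community (read public|write private)$", line):
            cfg["weak"].append(f"default SNMP community: {line}")
    return cfg


def audit(cfg):
    """Return findings about routing consistency and management hygiene."""
    findings = []
    subnets = [svi.network for svi in cfg["svis"].values()]
    if not any(net.prefixlen == 0 for net, _ in cfg["static_routes"]):
        findings.append("no default route: inter-VLAN traffic works, but nothing reaches the internet")
    for net, next_hop in cfg["static_routes"]:
        if not any(next_hop in s for s in subnets):
            findings.append(f"next hop {next_hop} for {net} is not on a directly connected subnet")
    for server in cfg["relay_servers"]:
        reachable = any(server in s for s in subnets) or any(
            server in net for net, _ in cfg["static_routes"])
        if not reachable:
            findings.append(f"DHCP relay target {server} has no connected subnet or route")
    findings.extend(cfg["weak"])
    return findings


if __name__ == "__main__":
    for name, text in (("4500G", CONFIG_4500G), ("4500", CONFIG_4500)):
        print(name)
        for finding in audit(parse_config(text)) or ["no findings"]:
            print("  -", finding)
```

Run against the 4500 excerpt the audit is clean: its default route points at 192.168.255.2, which is on its own Vlan-interface4094 subnet. Against the 4500G excerpt it reports the missing default route plus the four management findings; the relay targets 192.168.10.4 and 192.168.11.10 sit inside the SVI subnets and raise nothing.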

1 answer

1

I got it working.

First, it was a hardware problem

I had a cheap Linksys switch connected to the Sonicwall's LAN port (X0). The 3Com 4500G switch and my laptop were connected to the cheap switch. That way both the switch and my laptop could be connected to the LAN port (X0) on the Sonicwall.

It turns out the 3Com switch was plugged into a bad port on the cheap-o switch, which made the software settings impossible to test properly. I moved the 3Com to another port on the cheap-o switch.

Then I just had to configure the routes

On the Sonicwall, I configured two routes so that any traffic destined for VLAN 1 or VLAN 11 IP addresses is routed via VLAN 4094.

Then, on the 3Com switch, I configured a static route to the Sonicwall IP, effectively telling the switch to send traffic to the Sonicwall if it didn't know where else to send it.

With that combination, traffic started flowing correctly up, down and across the network.

Note: instead of configuring the static route on the switch, I could have enabled RIP on the Sonicwall and advertised the Sonicwall IP to the 3Com switch as a default route. It would end up in the same place in the switch's routing table, supposedly doing the same thing. I may enable RIP and disable the current static route eventually, but it's working for now, so I'll leave it alone for a while.

by 09.10.2012 / 19:47
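The answer's fix is two static routes on the Sonicwall (192.168.10.0/24 and 192.168.11.0/24 via the 4500G's 192.168.255.2) plus a default route on the 4500G pointing at the Sonicwall's 192.168.255.1. The script below is an added example, not code from the answer or from Sonicwall/3Com: it models those tables as longest-prefix-match lookups and traces a packet device by device, so you can see why both halves are required. Without the switch's default route the phone VLAN has no path out at all (the state of the 4500G routing table in the question); without the Sonicwall's VLAN routes the outbound packet gets out but the reply matches only the default route and leaves through X1, so the session never completes. The ISP gateway 203.0.113.1 is a placeholder, and the model assumes X0 carries only 192.168.255.1 (the X0:V1/X0:V11 sub-interfaces in the question reuse the switch SVI addresses and are left out); the table format and function names are this example's own.

```python
import ipaddress

# Constructed routing tables for the working state the answer describes.
# Addresses come from the question (Sonicwall X0 = 192.168.255.1, 4500G SVIs
# 192.168.10.1 / 192.168.11.1 / 192.168.255.2). The two Sonicwall routes and the
# 4500G default route are the ones the answer says were added. The ISP gateway
# 203.0.113.1 is a placeholder (TEST-NET-3), not taken from the page.
# Entry format: (prefix, next_hop, egress_interface). next_hop None means the
# prefix is directly connected and the packet is delivered out of egress.
TABLES = {
    "sonicwall": [
        ("192.168.10.0/24", "192.168.255.2", "X0"),
        ("192.168.11.0/24", "192.168.255.2", "X0"),
        ("192.168.255.0/24", None, "X0"),
        ("0.0.0.0/0", "203.0.113.1", "X1"),
    ],
    "4500G": [
        ("192.168.10.0/24", None, "Vlan1"),
        ("192.168.11.0/24", None, "Vlan11"),
        ("192.168.255.0/24", None, "Vlan4094"),
        ("0.0.0.0/0", "192.168.255.1", "Vlan4094"),
    ],
}

# Which device answers for which address on the routing VLAN (192.168.255.0/24).
OWNERS = {"192.168.255.1": "sonicwall", "192.168.255.2": "4500G"}


def lookup(table, dst):
    """Longest-prefix match; returns (next_hop, egress) or None when nothing matches."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, egress in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, egress)
    return None if best is None else (best[1], best[2])


def trace(tables, start, dst, max_hops=8):
    """Forward a packet device by device. Returns (hops, verdict): hops is a list
    of (device, egress); verdict is 'delivered', 'wan', 'no-route' or 'loop'."""
    hops = []
    device = start
    for _ in range(max_hops):
        hit = lookup(tables[device], dst)
        if hit is None:
            return hops, "no-route"
        next_hop, egress = hit
        hops.append((device, egress))
        if next_hop is None:
            return hops, "delivered"
        if next_hop not in OWNERS:  # handed to the ISP side of X1
            return hops, "wan"
        device = OWNERS[next_hop]
    return hops, "loop"  # bounced between devices without being delivered


def without(tables, device, prefix):
    """Copy of the tables with one route removed, to reproduce a broken state."""
    copy = {name: list(rows) for name, rows in tables.items()}
    copy[device] = [row for row in copy[device] if row[0] != prefix]
    return copy


if __name__ == "__main__":
    print("phone -> internet :", trace(TABLES, "4500G", "8.8.8.8"))
    print("internet -> phone :", trace(TABLES, "sonicwall", "192.168.11.50"))
    # The 4500G routing table in the question has no default route at all:
    print("no switch default :", trace(without(TABLES, "4500G", "0.0.0.0/0"), "4500G", "8.8.8.8"))
    # Without the Sonicwall's route for VLAN 11, replies leave through the WAN:
    print("no firewall route :", trace(without(TABLES, "sonicwall", "192.168.11.0/24"),
                                       "sonicwall", "192.168.11.50"))
    # A connected VLAN vanishing on the switch turns the pair of routes into a loop:
    print("svi down          :", trace(without(TABLES, "4500G", "192.168.10.0/24"),
                                       "sonicwall", "192.168.10.5"))
```

The last case is the one to keep in mind when RIP replaces the static route, as the answer considers: if the switch withdraws a VLAN prefix while the firewall still holds a static route for it, the firewall forwards into the switch and the switch's default sends it straight back, and the `max_hops` guard is the only thing that ends the trace.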