SonicWall NSA 240 to 6224 issue.

What is the sonic wall ip address?

When you say you can access the sonic wall from vlan 200, how are you accessing it?  what port?

When you say you cannot access the sonic wall from the other vlans, how are your trying to access it?

The SonicWall address is normally 192.168.100.254 (The 192.168.200.199 is the old firewall being used until the SW is up and working properly).

I can access the sonic wall from any vlan as long as I set the default route in the 6224 to the local interface of the SW on that vlan.  For example, if the sonic wall default XO interface is set to 192.168.100.254, and the sub-interface for VLAN 200 is set to 192.168.200.2, I can make VLAN 200 work correctly by setting the default route in the 6224 to point to 192.168.200.2.  Everything on the 200 Vlan works just fine, but I can't do anything with devices on VLAN 100, 110 or 120.  Ditto if I set the default route to point to the local SW address on one of the other vlans.  The SW is physically connected to 6224 switch port G1.

The most obvious is using ping, but all of the published systems on the various vlan only work if the default route is set to that specific VLAN.

I'm having the mirror conversations over on SonicWall's forum.  The problem seems to stem from how the trunk port is configured.  I initially configured this network using trunk ports between the seven managed switches, which seemed to work fine.  I was informed on the SW forum that the dell switch trunk port needed to be set to general in order for the firewall to work properly.  Once changed, the routing from the SonicWall worked correctly on all VLANS, but it was causing terminal applications to disconnect.  In response, I restored the sonicwall to factory defaults and reconfigured.  But, now it doesn't route correctly.  So that's why I'm asking here to see if anyone sees anything wrong with my 6224 configuration before I press the issue over at SW.

I hope that makes sense, and I do appreciate your time.

Some questions that may or may not help figure this out.

What are the default routes of the systems you are pinging from set to?  The default route of your systems needs to be the IP address of the appropriate vlan of the 6224.

 Why do you have the vlans set for "no ip proxy-arp"?  This will keep the router from responding to ARP requests for routing interfaces.

Why are you using the "vlan association" entries?  This seems odd since this will allow ingress untagged traffic on trunk/general ports to be put in the listed vlan, however on your general ports you are egressing only tagged traffic.

Are you trying to ping SW 192.168.100.254 address from the different vlans or are you pinging the SW x.x.x.2 address in the same vlan?

Have you checked the subnet masks on the SW and the stations?

Good questions. 

Each system uses the appropriate vlan address of the L3 switch as the gateway.  The subnet's are correct on the systems within each vlan. I don't have any troubles with routing between the various vlans on any of the switches.

Regarding no ip proxy-arp, that must be the default setting.  I haven't changed any settings on this.

The vlan association entries come from the Bind IP Subnet section on the GUI.

I am unable to ping the 192.168.100.254 address from any vlan besides the 100 vlan.  I can, however ping any other device on the 100 vlan from any other vlan.

Subnets and addressing are correct and double checked.

I took another look at the switch tonight and made some changes based on your observations.  Everything on the switch side still works great, but I'm still having problems with the SonicWall.  I did notice, however, that the on the SonicWall, I can ping all internal assets, but can't ping the sonicwall itself from any but the vlan the current default route is on.  Unless anyone see's anything of interest in this configuration, I'm going to move my attention to the SonicWall.

Thanks again for the assistance.

Steve

!Current Configuration:
!System Description "Dell 24 Port Gigabit Ethernet, 2.1.0.13, VxWorks5.5.1"
!System Software Version 2.1.0.13
!
configure
vlan database
vlan  100,110,120,200
exit
snmp-server location "MDF"
hostname "sw01"
stack
member 1 1
exit
ip address 192.168.10.1 255.255.255.0
ip default-gateway 192.168.10.254
ip routing
ip route 0.0.0.0 0.0.0.0 192.168.200.2
interface vlan 100
name "Network Core"
routing
ip address  192.168.100.1  255.255.255.0
exit
interface vlan 110
name "Access Control"
routing
ip address  192.168.110.1  255.255.255.0
exit
interface vlan 120
name "Surveillance"
routing
ip address  192.168.120.1  255.255.255.0
exit
interface vlan 200
name "Data"
routing
ip address  192.168.200.1  255.255.255.0
exit
username "admin" password ########################## level 15 encrypted
!
interface ethernet 1/g1
no negotiation
description 'SonicWall'
spanning-tree cost 20000
spanning-tree portfast
switchport mode general
switchport general pvid 200
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 100,110,120,200 tagged
exit
!
interface ethernet 1/g2
switchport mode general
switchport general pvid 200
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 100,110,120,200 tagged
exit
!
interface ethernet 1/g3
switchport mode general
switchport general pvid 110
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 100,110,120,200 tagged
exit
!
interface ethernet 1/g4
switchport mode general
switchport general pvid 200
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 100,110,120,200 tagged
exit
!
interface ethernet 1/g5
switchport mode general
switchport general pvid 120
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 100,110,120,200 tagged
exit
!
interface ethernet 1/g6
switchport mode general
switchport general pvid 110
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 100,110,120,200 tagged
exit
!
interface ethernet 1/g7
switchport mode general
switchport general pvid 200
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 100,110,120,200 tagged
exit
!
interface ethernet 1/g8
switchport access vlan 200
exit
!
interface ethernet 1/g9
switchport access vlan 200
exit
!
interface ethernet 1/g10
switchport access vlan 200
exit
!
interface ethernet 1/g11
switchport access vlan 200
exit
!
interface ethernet 1/g12
switchport access vlan 200
exit
!
interface ethernet 1/g13
switchport access vlan 200
exit
!
interface ethernet 1/g14
switchport access vlan 200
exit
!
interface ethernet 1/g15
switchport access vlan 200
exit
!
interface ethernet 1/g16
switchport access vlan 120
exit
!
interface ethernet 1/g17
switchport access vlan 120
exit
!
interface ethernet 1/g18
switchport access vlan 120
exit
!
interface ethernet 1/g19
switchport access vlan 110
exit
!
interface ethernet 1/g20
switchport access vlan 200
exit
!
interface ethernet 1/g21
switchport access vlan 200
exit
!
interface ethernet 1/g22
switchport access vlan 200
exit
!
interface ethernet 1/g23
switchport access vlan 100
exit
exit