
Switches and VLAN

Senbonzakura
Level 1

Morning everyone,

I have a quick question and wanted to see if this would work before I tested it.

So I have a firewall which feeds a switch that has 2 VLANs on it. Let's say we have one trunk coming from the firewall to the switch for both those VLANs, perfect, right?

So let's say I don't want both VLANs to go through that one trunk and back to the firewall, but instead we have two trunks going to two different ports on the firewall for two different VLANs. Will this cause a broadcast storm and issues, or will it be okay still as long as those ports are configured properly for the VLANs?

4 Replies

balaji.bandi
Hall of Fame

The best approach is a port-channel, allowing the 2 VLANs in the port-channel. This will have high availability: if one of the links fails, the other one is able to serve the purpose. Each VLAN has its own broadcast domain.

If you go with a single-link trunk and that trunk fails, there is no more connectivity between the FW and the switch, so all the services will be down.

Hope that makes it clear?


BB


That will help out quite a bit.

What I was wondering, though, is this. I have a Sophos firewall that is feeding one Cisco switch. Let's say I set port 1 on the Sophos firewall to be VLAN 20 and port 2 on the firewall for VLAN 30.

On the switch we have port 1 for vlan 20 and port 2 on the switch for vlan 30, will this cause any type of storms or problems? Or will it not cause a broadcast storm because they're segmented?

I guess the main reason why I was thinking of doing it that way was to help with any type of bottlenecks, putting so much through that one trunk that is attached to the firewall. Or are you saying, configure port-channel and still have the two different lines going to the firewall?

On the switch we have port 1 for vlan 20 and port 2 on the switch for vlan 30, will this cause any type of storms or problems? Or will it not cause a broadcast storm because they're segmented?

As long as you configure the switch side as access ports with the VLAN, I do not see any issue.

What I was suggesting: take an example, if Port1 goes down, your VLAN 20 service is down.

Instead, if your FW supports link bundle or port-channel:

FW - Port1 --- Port-channel 1 --- switch port x/1

FW - Port2 --- Port-channel 1 --- switch port x/2

Port-channel 1 (2 physical connections and 1 logical)

Example for reference:

https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Network/Interfaces/NetworkLinkAggregationGroupAdd/index.html

This will have high availability in terms of any link or Ethernet connection failing.

Hope that makes sense?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help
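
The two designs discussed in this thread, sketched as switch-side Cisco IOS configuration. This is an added example, not configuration posted by anyone in the thread. The interface names (GigabitEthernet1/0/1 and 1/0/2) are assumptions, as is the use of LACP (802.3ad) on the firewall's link aggregation group; VLANs 20 and 30 and Port-channel 1 are taken from the posts above.

```cisco
! Constructed example. Options A and B are alternatives: apply one, not both.
vlan 20
vlan 30
!
! Option A: one access port per VLAN, each cabled to its own firewall port.
! Frames are untagged on both links and each port belongs to a single
! broadcast domain, so the two links do not form a layer 2 loop.
interface GigabitEthernet1/0/1
 description FW Port1 - VLAN 20 only
 switchport mode access
 switchport access vlan 20
!
interface GigabitEthernet1/0/2
 description FW Port2 - VLAN 30 only
 switchport mode access
 switchport access vlan 30
!
! Option B: both links bundled into Port-channel 1, carrying VLANs 20 and 30
! tagged. Assumes the firewall side is a LAG running LACP with a VLAN 20 and
! a VLAN 30 interface on top of it. Some platforms also require
! "switchport trunk encapsulation dot1q" before "switchport mode trunk".
interface range GigabitEthernet1/0/1 - 2
 description FW LAG member
 switchport mode trunk
 switchport trunk allowed vlan 20,30
 channel-group 1 mode active
!
interface Port-channel1
 description LAG to firewall
 switchport mode trunk
 switchport trunk allowed vlan 20,30
!
! Checks after applying Option B:
!   show etherchannel summary   (both members flagged P, bundled in Po1)
!   show interfaces trunk       (only VLANs 20,30 allowed on Po1)
```

Restricting the allowed VLAN list on the trunk keeps any other VLAN on the switch from reaching the firewall over this bundle.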

Makes sense!

Thank you very much! You're awesome as always.