08-27-2021 03:27 PM
Hi Guys,
I have switch 1 and 2 and configured VLAN 10 for ports 1 to 15 and VLAN 20 for 16 to 24 on both switches.
1: Does it matter which port I use for the trunk between the 2?
2: Should the trunk port be a member of both VLANS?
3: If I use port 1 on switch 1 to connect to the firewall, how should I configure that port? Should that be a member of VLAN 10 or 20 or default VLAN 1?
Thank you
08-27-2021 10:46 PM
We do not know much about your environment. But based on the limited information available these are my responses:
1) In general I think that it does not matter which interface you use to connect the 2 switches. If some of the interfaces are higher bandwidth (as is the case on some switches) it might be advisable to have the switch to switch connection on one of the higher capacity interfaces.
2) Not clear what you mean here. If you want the vlans to be shared between the switches the connection does need to be a trunk. The trunk would carry all of the vlans. But the trunk is not a "member" of either vlan.
You suggest that "VLAN 10 for ports 1 to15 and VLAN20 for 16 to 24 on both switches." This suggests that these are 24 port switches (each of the 24 ports has a switchport access vlan x). Is that correct? When you configure the interface for the trunk it will have switchport mode trunk and will not have switchport access vlan x.
3) Answering this really requires information that we do not have. Do these switches operate as layer 2/layer 3 switches (and do their own inter vlan routing) or are these switches just layer 2 and inter vlan routing is provided by the firewall? If these are L2/L3 switches then perhaps the interface connecting switch 1 to the firewall might be in a separate vlan with routing logic to send traffic for "outside" to the firewall (and the firewall would have logic for routing the subnets of vlan 10 and 20 to the switch). If these switches are simply L2 switches then the connection of switch 1 to the firewall needs to be a trunk, carrying all vlans (and the firewall needs to be configured to process tagged Ethernet frames for both vlans).
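As an added example (not part of the original replies), this is a Cisco IOS-style sketch of switch 1 for the L2-only case described above, where the firewall routes between the VLANs. The interface names, the use of port 24 for the switch-to-switch link, and the allowed-VLAN restriction on the trunks are assumptions.

```cisco
! Constructed example for switch 1. Interface names are assumed;
! adjust them to the actual hardware.
vlan 10
vlan 20
!
! Port 1: link to the firewall. The switch is L2 only, so this is a
! trunk and the firewall must accept 802.1Q-tagged frames for both VLANs.
interface GigabitEthernet0/1
 description To firewall
 ! Some platforms require this line before "switchport mode trunk":
 ! switchport trunk encapsulation dot1q
 switchport mode trunk
 ! Assumption: carry only the two VLANs in use instead of all VLANs.
 switchport trunk allowed vlan 10,20
!
! Access ports: each has "switchport access vlan x".
interface range GigabitEthernet0/2 - 15
 switchport mode access
 switchport access vlan 10
!
interface range GigabitEthernet0/16 - 23
 switchport mode access
 switchport access vlan 20
!
! Port 24: switch-to-switch link. A trunk has "switchport mode trunk"
! and no "switchport access vlan x"; it is not a member of either VLAN.
interface GigabitEthernet0/24
 description To switch 2
 switchport mode trunk
 switchport trunk allowed vlan 10,20
```

Switch 2 would mirror this, with its own trunk port facing switch 1 and no firewall link.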
08-28-2021 03:03 AM
Hello
Based on your OP, I would say use a specific port on each switch for the switch-switch interconnection and make this a trunk to allow all vlans.
As for the port connecting to the fw, then if the fw is performing the routing then I would make that also a trunk port, otherwise assign it as an access port in the specific vlan that is used for the switch-fw connection.
08-29-2021 08:04 AM
#1 Logically, usually not. For performance, possibly. Much depends on the switch's architecture.
For example, assuming an interconnecting switch link will be "busy", besides possibly using a higher bandwidth port (as mentioned by Rick), not all ports, on all switches, are equal. For example, some switches have additional hardware resources behind the ports for their "uplinks". Or, some switches distribute hardware resources across banks of copper ports. On such a switch, rather than have VLAN 10 on ports 1..15 and VLAN 20 on ports 16..24, if switch "backed" ports per group of 12, (for 24 total) you might have VLAN 10 on odd ports and VLAN 20 on even ports. If switch "backed" ports per group of 4, you might have VLAN 10 on ports 1, 5, 13 . . ., VLAN 20 on ports 2, 6, 14 . . ., VLAN 10 ports 3, 7 . . ., etc. Or, if you know how busy your ports are in actual usage, you can round robin, per group, from most used to least used.
BTW, generally we don't go to such trouble (or often need to), but if you're trying to get the most performance out of your switch, doing something like the foregoing, is what you might need to do to obtain it.
#2 That generally depends on whether you want to "share" a particular VLAN across/between switches. If you do want to share, the answer is "yes", unless you want to "dedicate" a port or ports for a particular VLAN or VLANs.
#3 Another "it depends" answer which is derived whether FW is doing L2 or L3, but whether you also want to "share" those VLANs with the FW.