Firewall Upgrade - VPN Trunk ports

Discussions about Internet service providers (ISPs), the Meetinghouse Firewall, wired and wireless networking, usage, management, and support of Meetinghouse Internet
dnslynn
Member
Posts: 52
Joined: Tue Jan 26, 2010 8:56 pm
Location: Klamath Falls, OR, USA

Firewall Upgrade - VPN Trunk ports

#1

Post by dnslynn »

New VPN zones (as of 4/23 and in my stake at least) are making firewall port 2 a trunk port rather than an access port.

I finally got some time to visit my remote units and do their firewall upgrades. Since they all had FHCs, this involved configuring the VPN zone. One of the FHCs has the firewall and a Cisco 2950 switch in the FHC itself. The FHC was using 3 ports on the switch; another 3 ports were being used by APs and the clerk computer. Rather than arrange for a second switch to be installed, I decided I would partition the switch using a port-based VLAN for the FHC ports, with a patch cable from firewall port 2 to a switch port in the VLAN. Knowing this could be tricky, I had already tested the switch configuration out on an FHC that was more local. I found this would work if I configured the switch FHC ports as access ports in VLAN 80 (making it 80 matches the VLAN assigned to firewall port 2, and this avoids CDP "errors" showing up in the switch and firewall logs). However, when the remote unit's firewall was configured, the new configuration made firewall port 2 a native VLAN 80 trunk port. The mismatch between the switch access port and the firewall trunk port wouldn't allow them to connect.

I corrected the switch configuration on the port connected to the firewall (made it a native VLAN 80 trunk port) to solve the problem, but now I wonder if the new configuration will show up in other FHCs that are set up with an access port in the VLAN connected to the firewall and shut down the FHC.

When I asked why they had decided to change firewall port 2 to a trunk port in the VPN configuration, the Global support person indicated that the church was planning to move to a managed switch architecture and that this was part of the planning for that. I checked the two other FHC configurations that were done that day in TM, and they all got trunk ports on port 2. In both of the other 2 cases, the FHCs had separate, non-Cisco, non-managed switches, so the trunk port didn't cause any issues.

I post this mainly as a heads-up for anyone who decided to partition a switch the way I did and also to see if anyone knows if global support might "upgrade" any of my other firewalls without notifying me first.

Thanks.
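The switch-side configuration described in this post, written out as an added example (it is not configuration from the original post or from the church's support team): the FHC ports become access ports in VLAN 80, and the port patched to firewall port 2 becomes a native VLAN 80 trunk so that it matches the firewall. Interface numbers, the VLAN name and the use of ports 1-4 are assumptions; on a Catalyst 2950 only 802.1Q trunking exists, so no encapsulation command is needed.

```cisco
! Constructed example for a Catalyst 2950 partitioned with a port-based VLAN.
! VLAN 80 is assumed to match the VLAN the firewall assigns to its port 2.
vlan 80
 name FHC-VPN-ZONE
!
! FHC computers: plain access ports in VLAN 80 (assumed to be Fa0/1-3).
interface range FastEthernet0/1 - 3
 switchport mode access
 switchport access vlan 80
 spanning-tree portfast
!
! Port patched to firewall port 2 (assumed Fa0/4). An access port here fails
! against the firewall's trunk; it must be a trunk with native VLAN 80.
! Restricting the allowed list to 80 keeps the meetinghouse LAN (VLAN 1)
! from ever being carried into the VPN zone, and nonegotiate disables DTP,
! which the firewall will not speak anyway.
interface FastEthernet0/4
 switchport mode trunk
 switchport trunk native vlan 80
 switchport trunk allowed vlan 80
 switchport nonegotiate
!
! APs and the clerk computer stay in the default VLAN 1 with the rest of
! the meetinghouse LAN (assumed Fa0/5-24).
interface range FastEthernet0/5 - 24
 switchport mode access
 switchport access vlan 1
!
! Verification after the change: the firewall-facing port should report
! "Operational Mode: trunk" and "Trunking Native Mode VLAN: 80".
! show interfaces FastEthernet0/4 switchport
! show interfaces trunk
```

Since the firewall and switch do not speak DTP to each other, a native VLAN mismatch shows up only as a dead link (or CDP warnings in the logs), so the two `show` commands are the practical check after a firewall refresh.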
russellhltn
Community Administrator
Posts: 34422
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Re: Firewall Upgrade - VPN Trunk ports

#2

Post by russellhltn »

dnslynn wrote: When I asked why they had decided to change firewall port 2 to a trunk port in the VPN configuration, the Global support person indicated that the church was planning to move to a managed switch architecture and that this was part of the planning for that.
How nice of them. According to the Help Center "Expensive managed switches are not required in meetinghouses." I thought the language was a little stronger back when FM got our switches.

This is the first I've heard of any unit having managed switches.
Have you searched the Help Center? Try doing a Google search and adding "site:churchofjesuschrist.org/help" to the search criteria.

So we can better help you, please edit your Profile to include your general location.
rolandc
Member
Posts: 257
Joined: Tue May 15, 2012 8:20 pm

Re: Firewall Upgrade - VPN Trunk ports

#3

Post by rolandc »

Hopefully Gordon will chime in here, but it's also the first I have heard of it too.

Would be an expensive nightmare to roll out; we just finished most of the firewall updates here in Florida. That was a pretty serious task getting all that in order.
Roland
rolandc
Member
Posts: 257
Joined: Tue May 15, 2012 8:20 pm

Re: Firewall Upgrade - VPN Trunk ports

#4

Post by rolandc »

Right now there are no managed switches of any kind on the eMarket. Must have been a locally sourced item.
Roland
CleggGP
Church Employee
Posts: 118
Joined: Mon Jul 28, 2014 1:55 pm

Re: Firewall Upgrade - VPN Trunk ports

#5

Post by CleggGP »

Meetinghouse networks are generally unmanaged, where unmanaged switches are used to connect network devices. Therefore the statement above that "managed switches are not required in meetinghouses" is generally true.
CleggGP
Church Employee
Posts: 118
Joined: Mon Jul 28, 2014 1:55 pm

Re: Firewall Upgrade - VPN Trunk ports

#6

Post by CleggGP »

Most meetinghouses do not use (or need) managed switches. However, if a need exists to add a managed switch to a meetinghouse network, then the switch port that connects to the firewall must be configured as a trunk port. This only affects meetinghouse networks where the firewall was installed/updated/refreshed since April 2015. Meetinghouse firewalls that have been installed/updated/refreshed since that time will have firewall ports configured as trunk ports. This means that a managed switch connected to an updated/refreshed firewall (since April 2015) must have the port that connects to the firewall configured as a trunk port; all of the other ports of the managed switch should remain as access ports. Note that unmanaged switches connected to meetinghouse firewalls are not affected by the change.
rolandc
Member
Posts: 257
Joined: Tue May 15, 2012 8:20 pm

Re: Firewall Upgrade - VPN Trunk ports

#7

Post by rolandc »

Brother Clegg

Is this how we are going to expand the routers to have mappable ports with unique IPs?

CleggGP wrote: Most meetinghouses do not use (or need) managed switches. However, if a need exists to add a managed switch to a meetinghouse network, then the switch port that connects to the firewall must be configured as a trunk port. This only affects meetinghouse networks where the firewall was installed/updated/refreshed since April 2015. Meetinghouse firewalls that have been installed/updated/refreshed since that time will have firewall ports configured as trunk ports. This means that a managed switch connected to an updated/refreshed firewall (since April 2015) must have the port that connects to the firewall configured as a trunk port; all of the other ports of the managed switch should remain as access ports. Note that unmanaged switches connected to meetinghouse firewalls are not affected by the change.
Roland