Firewall Upgrade - VPN Trunk ports
Posted: Sun Apr 26, 2015 6:15 am
New VPN zones (as of 4/23 and in my stake at least) are making firewall port 2 a trunk port rather than an access port.
I finally got some time to visit my remote units and do their firewall upgrades. Since they all had FHCs, this involved configuring the VPN zone. One of the FHCs has the firewall and a Cisco 2950 switch in the FHC itself. The FHC was using 3 ports on the switch; another 3 ports were being used by APs and the clerk computer. Rather than arrange for a second switch to be installed, I decided I would partition the switch using a port-based VLAN for the FHC ports, with a patch cable from firewall port 2 to a switch port in the VLAN. Knowing this could be tricky, I had already tested the switch configuration out on an FHC that was more local. I found this would work if I configured the switch FHC ports as access ports in VLAN 80 (making it 80 matches the VLAN assigned to firewall port 2, and this avoids CDP "errors" showing up in the switch and firewall logs). However, when the remote unit's firewall was configured, the new configuration made firewall port 2 a native VLAN 80 trunk port. The mismatch between the switch access port and the firewall trunk port wouldn't allow them to connect.
I corrected the switch configuration on the port connected to the firewall (made it a native VLAN 80 trunk port) to solve the problem, but now I wonder if the new configuration will show up in other FHCs that are set up with an access port in the VLAN connected to the firewall and shut down the FHC.
When I asked why they had decided to change firewall port 2 to a trunk port in the VPN configuration, the Global support person indicated that the church was planning to move to a managed switch architecture and that this was part of the planning for that. I checked the two other FHC configurations that were done that day in TM, and they all got trunk ports on port 2. In both of the other two cases, the FHCs had separate, non-Cisco, non-managed switches, so the trunk port didn't cause any issues.
I post this mainly as a heads-up for anyone who decided to partition a switch the way I did and also to see if anyone knows if global support might "upgrade" any of my other firewalls without notifying me first.
Thanks.
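The switch side of the partition described in this post, written out as an added example (it is not from the original post or from Global support). VLAN 80 comes from the post; the port numbers, the VLAN name, and which ports carry the APs and clerk computer are assumptions.

```cisco
! Added example, not the original poster's config. Cisco 2950 partitioned so the
! FHC ports sit in VLAN 80 and everything else stays on VLAN 1.
! Assumed layout: Fa0/1-3 = FHC devices, Fa0/4-6 = APs and clerk PC,
! Fa0/7 = patch cable to firewall port 2.
!
vlan 80
 name FHC
!
! --- FHC devices: plain access ports in VLAN 80 ---
interface range FastEthernet0/1 - 3
 switchport mode access
 switchport access vlan 80
 spanning-tree portfast
!
! --- APs and clerk PC: left on the default VLAN 1 ---
interface range FastEthernet0/4 - 6
 switchport mode access
 switchport access vlan 1
 spanning-tree portfast
!
! --- Port toward firewall port 2 ---
! Old form (what the post first tested): an access port in VLAN 80. This works
! only while firewall port 2 is an access port; once the firewall side becomes a
! native VLAN 80 trunk, the link fails to pass traffic.
!   interface FastEthernet0/7
!    switchport mode access
!    switchport access vlan 80
!
! Corrected form: match the firewall, 802.1Q trunk with native VLAN 80.
! The 2950 only speaks 802.1Q, so no encapsulation command is needed.
! Limiting the allowed list to 80 keeps VLAN 1 (APs, clerk PC) off the
! firewall link, so the partition still holds after the change.
interface FastEthernet0/7
 switchport mode trunk
 switchport trunk native vlan 80
 switchport trunk allowed vlan 80
 switchport nonegotiate
!
! Checks: the trunk should report native VLAN 80 and allowed VLAN 80, and the
! switch log should stop showing CDP native-VLAN-mismatch messages.
! show interfaces FastEthernet0/7 trunk
! show vlan brief
```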