Firewall Upgrade - VPN Trunk ports

Posted: Sun Apr 26, 2015 6:15 am
by dnslynn
New VPN zones (as of 4/23 and in my stake at least) are making firewall port 2 a trunk port rather than an access port.

I finally got some time to visit my remote units and do their firewall upgrades. Since they all had FHCs, this involved configuring the VPN zone. One of the FHCs has the firewall and a Cisco 2950 switch in the FHC itself. The FHC was using 3 ports on the switch; another 3 ports were being used by APs and the clerk computer. Rather than arrange for a second switch to be installed, I decided I would partition the switch using a port-based VLAN for the FHC ports, with a patch cable from firewall port 2 to a switch port in the VLAN. Knowing this could be tricky, I had already tested the switch configuration out on an FHC that was more local. I found this would work if I configured the switch FHC ports as access ports in VLAN 80 (making it 80 matches the VLAN assigned to firewall port 2, and this avoids CDP "errors" showing up in the switch and firewall logs). However, when the remote unit's firewall was configured, the new configuration made firewall port 2 a native VLAN 80 trunk port. The mismatch between the switch access port and the firewall trunk port wouldn't allow them to connect.

I corrected the switch configuration on the port connected to the firewall (made it a native VLAN 80 trunk port) to solve the problem, but now I wonder if the new configuration will show up in other FHCs that are set up with an access port in the VLAN connected to the firewall and shut down the FHC.

When I asked why they had decided to change firewall port 2 to a trunk port in the VPN configuration, the Global support person indicated that the church was planning to move to a managed switch architecture and that this was part of the planning for that. I checked the two other FHC configurations that were done that day in TM, and they all got trunk ports on port 2. In both of the other two cases, the FHCs had separate, non-Cisco, non-managed switches, so the trunk port didn't cause any issues.

I post this mainly as a heads-up for anyone who decided to partition a switch the way I did and also to see if anyone knows if global support might "upgrade" any of my other firewalls without notifying me first.

Thanks.

Re: Firewall Upgrade - VPN Trunk ports

Posted: Sun Apr 26, 2015 11:56 am
by russellhltn
dnslynn wrote:When I asked why they had decided to change firewall port 2 to a trunk port in the VPN configuration, the Global support person indicated that the church was planning to move to a managed switch architecture and that this was part of the planning for that.
How nice of them. According to the Help Center "Expensive managed switches are not required in meetinghouses." I thought the language was a little stronger back when FM got our switches.

This is the first I've heard of any unit having managed switches.

Re: Firewall Upgrade - VPN Trunk ports

Posted: Sun Apr 26, 2015 3:03 pm
by rolandc
Hopefully Gordon will chime in here, but it's also the first I have heard too.

Would be an expensive nightmare to roll out, we just finished most of the firewall updates here in Florida. That was a pretty serious task getting all that in order.

Re: Firewall Upgrade - VPN Trunk ports

Posted: Sun Apr 26, 2015 3:05 pm
by rolandc
Right now there are no managed switches of any kind on the eMarket. Must have been a locally sourced item.

Re: Firewall Upgrade - VPN Trunk ports

Posted: Wed May 06, 2015 6:21 pm
by CleggGP
Meetinghouse networks are generally unmanaged, where unmanaged switches are used to connect network devices. Therefore the statement above that "managed switches are not required in meetinghouses" is generally true.

Re: Firewall Upgrade - VPN Trunk ports

Posted: Thu May 07, 2015 3:34 pm
by CleggGP
Most meetinghouses do not use (or need) managed switches. However, if a need exists to add a managed switch to a meetinghouse network, then the switch port that connects to the firewall must be configured as a trunk port. This only affects meetinghouse networks where the firewall was installed/updated/refreshed since April 2015. Meetinghouse firewalls that have been installed/updated/refreshed since that time will have firewall ports configured as trunk ports. This means that a managed switch connected to an updated/refreshed firewall (since April 2015) must have the port that connects to the firewall configured as a trunk port; all of the other ports of the managed switch should remain as access ports. Note that unmanaged switches connected to meetinghouse firewalls are not affected by the change.
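As an added example that is not from the thread (it is neither dnslynn's actual switch configuration nor anything published by Global support), here is a Cisco IOS configuration for a 2950 partitioned the way the first post describes and matching the rule CleggGP states above: the single port cabled to firewall port 2 is a dot1q trunk with native VLAN 80, the FHC devices sit on VLAN 80 access ports, and everything else stays on ordinary access ports. Interface numbers, the VLAN name and the description strings are assumptions.

```cisco
! Added example, not the thread author's configuration. Port numbers assumed.
! VLAN 80 is chosen to match the VLAN assigned to firewall port 2, which keeps
! the CDP native VLAN mismatch messages out of the switch and firewall logs.
vlan 80
 name FHC-VPN
!
! Uplink to firewall port 2. The updated firewall presents this as a native
! VLAN 80 trunk, so the switch side must be a trunk as well. Only VLAN 80 is
! allowed across it and DTP is disabled so the port cannot be renegotiated
! into another mode by whatever is plugged in.
interface FastEthernet0/1
 description Uplink to firewall port 2 (VPN zone) - assumed port
 switchport mode trunk
 switchport trunk native vlan 80
 switchport trunk allowed vlan 80
 switchport nonegotiate
 no shutdown
!
! The three FHC devices: plain access ports in VLAN 80 (assumed ports)
interface range FastEthernet0/2 - 4
 description FHC device
 switchport mode access
 switchport access vlan 80
 switchport nonegotiate
 spanning-tree portfast
!
! APs and clerk computer remain access ports in the default VLAN 1
! (assumed ports; their path to the meetinghouse LAN side is unchanged)
interface range FastEthernet0/5 - 7
 description Meetinghouse LAN device
 switchport mode access
 switchport access vlan 1
 switchport nonegotiate
 spanning-tree portfast
!
! Unused ports: parked in an otherwise unused VLAN and shut down (assumed)
interface range FastEthernet0/8 - 24
 switchport mode access
 switchport access vlan 999
 shutdown
!
end
```

After applying it, `show interfaces FastEthernet0/1 switchport` should report an administrative and operational mode of trunk with native VLAN 80, and `show interfaces trunk` should list only VLAN 80 as allowed and active on that port; if the port still shows as an access port, the mismatch the first post describes is what you will see. Restricting the allowed VLAN list and turning off DTP keep the firewall-facing trunk from ever carrying more than the FHC VLAN, which is the main thing to get right once a managed switch is introduced at the firewall edge.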

Re: Firewall Upgrade - VPN Trunk ports

Posted: Thu May 07, 2015 4:00 pm
by rolandc
Brother Clegg

Is this how we are going to expand the routers to have mappable ports with unique IPs?

CleggGP wrote:Most meetinghouses do not use (or need) managed switches. However, if a need exists to add a managed switch to a meetinghouse network, then the switch port that connects to the firewall must be configured as a trunk port. This only affects meetinghouse networks where the firewall was installed/updated/refreshed since April 2015. Meetinghouse firewalls that have been installed/updated/refreshed since that time will have firewall ports configured as trunk ports. This means that a managed switch connected to an updated/refreshed firewall (since April 2015) must have the port that connects to the firewall configured as a trunk port; all of the other ports of the managed switch should remain as access ports. Note that unmanaged switches connected to meetinghouse firewalls are not affected by the change.