4 Replies Latest reply on Feb 5, 2018 4:32 PM by hogle

    5660 Bonding/Port channel two gig ports, can this be done?

    brian_ctl New Member

      Can you configure two gig ports to be in an L2 network with the same L3 IP on both interfaces?

      Customer wants two firewalls in the same L3 network attached to two ports on the 5660.

        • Re: 5660 Bonding/Port channel two gig ports, can this be done?
          petetransitguy New Member

          It looks like you can - in theory. In this manual (http://portal.adtran.com/pub/Library/Data_Sheets/Default_Public/617005660F1-8_NV5660.pdf), it says "Supports 802.1q VLAN Trunking." In this manual (Cisco ASA 5500 Series Configuration Guide using the CLI, 8.4 and 8.6 - Starting Interface Configuration (ASA 5505) [Cisc…), there is a section titled "Configuring and Enabling Switch Ports as Trunk Ports." So, if your customer's firewall can support this configuration, if they have 2 available interfaces, and a competent technician, it should work. I'd also recommend starting support calls with Adtran and the other vendor prior to the maintenance window. Since we don't know the other vendor, this is impossible to answer. If it's a Cisco firewall, check out https://supportforums.cisco.com/, or check the support pages for that firewall manufacturer (Juniper, SonicWall, Barracuda, etc.) - or even reddit.

          • Re: 5660 Bonding/Port channel two gig ports, can this be done?
            jayh Hall_of_Fame

            brian_ctl wrote:

            Can you configure two gig ports to be in an L2 network with the same L3 IP on both interfaces?

            Customer wants two firewalls in the same L3 network attached to two ports on the 5660.

            I don't think you want/need trunking for this.

            Technically the L3 IP isn't configured on the port. You can put two (or more, or all by default) ports in the same VLAN to allow two or more L3 devices on the same subnet to communicate.

            Make the ports access ports in the same VLAN and that's all set. By default, all ports on the switch are on VLAN 1, but you can configure two (or more) ports to be access ports on a different VLAN.

            If you also want the switch itself to be reachable via an IP on the subnet of the firewalls, then create a "vlan interface" for that VLAN number. This is a logical interface and not a physical port. Assign an IP to the vlan interface and all ports on that VLAN can reach it (and each other).

            CAUTION: If you have more than one VLAN interface with an IP address and you have "ip routing" enabled, then traffic between the VLANs will be layer 3 routed. If you don't want this, only have one VLAN interface with an assigned IP, or turn off IP routing, or use the firewall function to block it. It's easiest to turn off IP routing if you don't need it.

            Small technical nit to pick: in an L3 network, IP addresses must be unique. Other than RFC 1918 addresses, they're supposed to be globally unique. So you can't have the same IP address on two switch ports. You can have several ports in a VLAN with an IP assigned to the VLAN.
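The configuration jayh describes, written out as an added example (this is not from the thread, from Adtran's documentation, or from a working device). It uses the AOS switchport syntax of the NetVanta 3xxx platforms; the VLAN number, the "name" keyword, the interface numbers, the 192.168.127.0/24 subnet and the global "no ip routing" line are assumptions for illustration. Note that hogle's reply below reports that "interface vlan" is absent on the NV5660 itself, so this is the NV3xxx-style answer, not a verified NV5660 one:

```text
! Create the VLAN that both firewalls will share (assumed id/name)
vlan 127
  name FW-SEGMENT
!
! Two access ports in the same VLAN: one L2 broadcast domain for both
! firewalls. No trunking is needed because each port carries one VLAN.
interface switchport 0/5
  no shutdown
  switchport access vlan 127
!
interface switchport 0/6
  no shutdown
  switchport access vlan 127
!
! Optional: make the switch itself reachable on the firewalls' subnet.
! This is a logical interface; the IP is NOT assigned to 0/5 or 0/6,
! so there is no duplicate-IP problem on the ports.
interface vlan 127
  description Firewall segment (only VLAN interface with an IP)
  ip address 192.168.127.1 255.255.255.0
  no shutdown
!
! Caution from the post above: if more than one VLAN interface carries an
! IP and "ip routing" is on, the switch routes between those VLANs.
! Turning routing off keeps the switch a pure L2 device with a management IP.
no ip routing
```

Before relying on this, check "show vlan" for the port membership and "show running-config" for any other VLAN interface that carries an IP; an unexpected one combined with "ip routing" is what lets traffic bypass the firewalls.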

              • Re: 5660 Bonding/Port channel two gig ports, can this be done?
                hogle New Member

                My NV5660 experience disagrees. I do agree it works as jayh describes on other NV3xxx platforms.

                Taken from a working config on an NV3458 router, this would be:

                interface switchport 0/4
                  no shutdown
                  switchport mode trunk
                  switchport trunk allowed vlan 126-127
                !
                interface switchport 0/5
                  no shutdown
                  switchport access vlan 127
                !
                interface switchport 0/6
                  no shutdown
                  switchport access vlan 127
                !
                interface vlan 127
                  description DMZ1 zone
                  ip address 192.168.127.1 255.255.255.0
                  ip access-policy DmzVlan127
                  no shutdown

                However, in the NV5660 the command "interface vlan 127" is absent in the latest OS version, R13.1.0.HA.E. While I agree with jayh for other NV routers, this does not work in the NV5660 unless there is a different version of AOS for the NV5660 that allows VLANs to be instantiated globally as described. I don't know of one. The only way I know to specify VLANs in the NV5660 is with "ce-vlan-id", usually on a gigabit-eth sub-interface. But that by itself does not seem to allow same-VLAN traffic to pass between different interfaces. I have the same original question, which I believe is still unanswered:

                How can the same VLAN on two or more interfaces have the same IP and same access-policy (firewall)?

                BTW, another difference between standard NV3xxx routers and the NV5660 (and presumably the NV4660): layer 3 configuration, including "ce-vlan-id", is required to be specified on sub-interfaces, unlike the NV3458 switchport example above.