2 Replies Latest reply on Mar 25, 2016 12:59 AM by jayh

    5660 Bonding/Port channel two gig ports,  can this be done?

    brian_ctl New Member

      Can you configure two gig ports to be in an L2 network with the same L3 IP on both interfaces?

      Customer wants two firewalls in the same L3 network attached to two ports on the 5660.

        • Re: 5660 Bonding/Port channel two gig ports,  can this be done?
          petetransitguy New Member

          It looks like you can - in theory. In this manual (http://portal.adtran.com/pub/Library/Data_Sheets/Default_Public/617005660F1-8_NV5660.pdf), it says "Supports 802.1q VLAN Trunking." In this manual (Cisco ASA 5500 Series Configuration Guide using the CLI, 8.4 and 8.6 - Starting Interface Configuration (ASA 5505) [Cisc…), there is a section titled, "Configuring and Enabling Switch Ports as Trunk Ports." So, if your customer's firewall can support this configuration, if they have 2 available interfaces, and a competent technician, it should work. I'd also recommend starting support calls with Adtran and the other vendor prior to the maintenance window. Since we don't know the other vendor, this is impossible to answer. If it's a Cisco firewall, check out https://supportforums.cisco.com/, or check the support pages for that firewall manufacturer (Juniper, SonicWall, Barracuda, etc.) - or even reddit: the front page of the internet.

          • Re: 5660 Bonding/Port channel two gig ports,  can this be done?
            jayh Hall_of_Fame

            brian_ctl wrote:

             

            Can you configure two gig ports to be in an L2 network with the same L3 IP on both interfaces?

            Customer wants two firewalls in the same L3 network attached to two ports on the 5660.

             

            I don't think you want/need trunking for this.

             

            Technically the L3 IP isn't configured to the port. You can put two (or more, or all by default) ports in the same VLAN to allow two or more L3 devices on the same subnet to communicate. 

             

            Make the ports access ports in the same VLAN and that's all set. By default, all ports on the switch are on VLAN 1, but you can configure two (or more) ports to be access ports on a different VLAN.

             

            If you also want the switch itself to be reachable via an IP on the subnet of the firewalls, then create a "vlan interface" for that VLAN number. This is a logical interface and not a physical port. Assign an IP to the vlan interface and all ports on that VLAN can reach it (and each other).

             

            CAUTION: If you have more than one VLAN interface with an IP address and you have "ip routing" enabled, then traffic between the VLANs will be layer 3 routed. If you don't want this, only have one VLAN interface with an assigned IP, or turn off IP routing, or use the firewall function to block it. Easiest to turn off IP routing if you don't need it.

             

            Small technical nit to pick: In an L3 network, IP addresses must be unique. Other than RFC1918, they're supposed to be globally unique. So you can't have the same IP address on two switch ports. You can have several ports in a VLAN with an IP assigned to the VLAN.
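
Added example, not part of the thread or of Adtran's documentation: a small config audit for the condition in jayh's CAUTION, namely more than one VLAN interface holding an IP address while IP routing is on. The config syntax is a generic Cisco-style sample constructed for illustration, and treating routing as enabled when neither routing line is present is a conservative assumption, not a statement about the 5660's default.

```python
import re

# Constructed sample in a generic Cisco-style syntax (an assumption, not from the thread).
SAMPLE = """\
ip routing
!
interface vlan 1
  ip address 10.0.1.1 255.255.255.0
  no shutdown
!
interface vlan 20
  ip address 10.0.20.1 255.255.255.0
  no shutdown
!
interface vlan 30
  no ip address
  shutdown
!
"""

def addressed_vlans(config):
    """Return {vlan_id: ip} for VLAN interfaces that have an IP and are not shut down."""
    found, vlan, ip, down = {}, None, None, False
    for raw in config.splitlines() + ["!"]:   # trailing "!" closes the last stanza
        line = raw.strip()
        if raw and not raw[0].isspace():      # any top-level line ends a stanza
            if vlan is not None and ip and not down:
                found[vlan] = ip
            m = re.match(r"interface vlan (\d+)$", line, re.I)
            vlan, ip, down = (int(m.group(1)) if m else None), None, False
        elif vlan is not None:
            a = re.match(r"ip address (\d+\.\d+\.\d+\.\d+)\s", line)
            if a:
                ip = a.group(1)
            elif line == "shutdown":
                down = True
    return found

def routing_enabled(config, default=True):
    """Explicit 'no ip routing' wins; with neither line present, assume enabled."""
    top = [l.strip() for l in config.splitlines() if l and not l[0].isspace()]
    if "no ip routing" in top:
        return False
    return True if "ip routing" in top else default

def inter_vlan_routing_risk(config):
    """(risk, vlan_ids): risk is True when routing is on and 2+ VLANs hold an IP."""
    vlans = addressed_vlans(config)
    return routing_enabled(config) and len(vlans) > 1, sorted(vlans)
```

On the sample, `inter_vlan_routing_risk(SAMPLE)` flags VLANs 1 and 20; VLAN 30 is ignored because it has no address and is shut down.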