So tag ports 3 & 4 with both 10 and 20?
We need some help with this VLAN config.
We have 2 separate WAN connections -- A & B
Each plugged into the switch
There are 2 (redundant) firewalls plugged into the switch
Each firewall only has 2 (TWO) NICs: 1 for WAN and 1 for LAN
Here's a quick table of the Switch Ports
Port 1 - WAN A (PVID 10)
Port 2 - WAN B (PVID 20)
Port 3 - Firewall 1 WAN
Port 4 - Firewall 2 WAN
The firewalls will use VLANs to communicate with the 2 WANs through 1 NIC
We're confused about the TAGGING
Do we use TAG or UNTAG for the WAN links (Port 1 & 2) ?
And do we TAG or UNTAG for the firewall WAN ports 3 & 4?
THANKS!
Here is how I read what you want to do:
FW1 --> ISP1
FW2 --> ISP2
Here is how it's done.
Use access vlan 10 on port 1 and port 3 and no tagging on fw1; next, use access vlan 20 on port 2 and port 4 and no tagging on fw2.
Access vlan = no tagging.
If this is not what you're trying to accomplish, please elaborate a bit.
The firewalls are meant to be redundant and can tag/otherwise deal with vlans as additional interfaces
BOTH firewalls will need access to BOTH WANs
I'm afraid I am going to be the "stick in the mud" here.
First, the whole VLAN thing is not relevant... it doesn't matter if VLANs are involved or just straight physical segments; it really changes nothing.
You have a flawed premise... a flawed concept. It just ain't gonna happen. The firewalls are just not going to be "fault tolerant" (redundant). That just ain't gonna happen.
You are also confusing two completely different concepts together. Redundant Lines and Redundant Firewalls are two completely different things that are done completely separately from each other.
The idea of redundant Lines needs to be handled "upstream" of the firewall using the Routers associated with the Line by using Dynamic Routing Protocols (like IGRP). It also has to be handled in such a way that the Public IP#(s) that are used do not change if the traffic fails over to another Line. If the Public IP#(s) change during the fail-over then all the connection sessions are broken and have to be re-established. Generally you have to get both Lines from the same ISP and the whole mechanism is created and maintained by the ISP.
The idea of a redundant firewall has to be built on the concept of a firewall "array". In an array, the array is identified by a single IP# (one on each side) that is the Virtual Array IP#. So you no longer "target" a specific firewall by its IP#; instead you target the "array" as a single entity via its Array IP#. Traffic is sent to the Array as a single entity (not a specific firewall). In the diagram I attached you would replace the "Edge Firewall" with a "Firewall Array" that would also be acknowledged as a single entity, just as if there was only one firewall.
by: atlas_shuddered, posted on 2009-06-19 at 12:18:29, ID: 24669171
Don't tag on the WAN side of the link, only on the LAN side. Your WAN side only cares about IPs (layer 3).
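An added example, not code from the thread or from any of the posters: a small Python model of 802.1Q ingress/egress tagging that checks what each firewall's single WAN NIC actually receives under the two layouts discussed above, the question's plan (ports 1 & 2 untagged with PVID 10/20, ports 3 & 4 tagged members of both 10 and 20) and the first answer's all-access plan. Port numbers and VLAN IDs are the ones in the question; the firewall interface names wan0, wan0.10 and wan0.20 are assumptions, as is the native (PVID) VLAN 1 on the tagged ports.

```python
"""Toy 802.1Q switch model: added example, not code from the thread.

Each port has a PVID (the VLAN given to frames that arrive untagged) and a
member map VLAN -> tagged-on-egress flag. An "access" port is a single
untagged member of its PVID; a "trunk" port is a tagged member of several
VLANs. Port numbers and VLAN IDs follow the question; the firewall
sub-interface names (wan0, wan0.10, wan0.20) are assumptions.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Port:
    pvid: int
    members: dict  # {vlan_id: True = egress tagged, False = egress untagged}


@dataclass(frozen=True)
class Frame:
    vlan: Optional[int]  # None means no 802.1Q tag on the wire
    payload: str


def ingress(port: Port, frame: Frame) -> Optional[int]:
    """Classify an arriving frame into a VLAN; None means it is dropped."""
    vid = port.pvid if frame.vlan is None else frame.vlan
    # Ingress filtering: a port only accepts VLANs it is a member of.
    return vid if vid in port.members else None


def egress(port: Port, vid: int, payload: str) -> Optional[Frame]:
    """Transmit on a port: tagged or untagged per the member map, or nothing."""
    if vid not in port.members:
        return None
    return Frame(vid if port.members[vid] else None, payload)


def forward(switch: dict, in_port: int, frame: Frame) -> dict:
    """Flood a frame to every other member port of its VLAN.

    Returns {out_port: frame_as_transmitted}. Flooding stands in for
    MAC learning, which does not change the tagging behaviour.
    """
    vid = ingress(switch[in_port], frame)
    if vid is None:
        return {}
    out = {}
    for num, port in switch.items():
        if num != in_port:
            f = egress(port, vid, frame.payload)
            if f is not None:
                out[num] = f
    return out


def firewall_interface(frame: Frame) -> str:
    """Which interface of a single-NIC firewall receives the frame (assumed names)."""
    return "wan0" if frame.vlan is None else f"wan0.{frame.vlan}"


def access_port(vid: int) -> Port:
    return Port(pvid=vid, members={vid: False})


def trunk_port(*vids: int, native: int = 1) -> Port:
    # The native VLAN is deliberately not a member, so untagged frames are dropped.
    return Port(pvid=native, members={v: True for v in vids})


# Plan A: the question's layout. Ports 1 & 2 untagged (access) in 10 and 20,
# ports 3 & 4 tagged members of both, so each firewall sees both WANs.
PLAN_TRUNK = {1: access_port(10), 2: access_port(20),
              3: trunk_port(10, 20), 4: trunk_port(10, 20)}

# Plan B: the first answer. Everything access; FW1 only ever sees WAN A.
PLAN_ACCESS = {1: access_port(10), 2: access_port(20),
               3: access_port(10), 4: access_port(20)}


def wan_reachability(switch: dict) -> dict:
    """For each WAN port, which firewall ports receive its untagged frames
    and on which firewall interface they land."""
    result = {}
    for wan_port, name in ((1, "WAN A"), (2, "WAN B")):
        out = forward(switch, wan_port, Frame(None, f"arp from {name}"))
        result[name] = {p: firewall_interface(f) for p, f in out.items() if p in (3, 4)}
    return result


if __name__ == "__main__":
    print("trunk plan :", wan_reachability(PLAN_TRUNK))
    print("access plan:", wan_reachability(PLAN_ACCESS))
    # A reply from FW1 towards WAN B must leave tagged 20 and reach port 2 untagged.
    print("FW1 -> WAN B:", forward(PLAN_TRUNK, 3, Frame(20, "reply")))
```

Running it shows the two plans side by side: with ports 3 & 4 as tagged members of 10 and 20, both firewalls receive WAN A on wan0.10 and WAN B on wan0.20, and a frame the firewall sends tagged 20 leaves port 2 untagged towards the ISP router; with the all-access layout each firewall sees exactly one WAN on its untagged wan0. The model also shows why the native VLAN on the tagged ports matters: an untagged frame from a firewall is dropped unless that PVID is made a member.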