layer 2 connection to a firewall

Unanswered Question
Sep 10th, 2007

We have a firewall downstream from our Layer3 switch. If I were to define a port on the switch as a layer 2 port (switchport) and connect one of the fw int to that port, would the IP address of the int on the fw and the IP address of the vlan that the port belongs to have to be on the same subnet?


JORGE RODRIGUEZ Mon, 09/10/2007 - 16:42

Hi Greg,

If you were to connect the fw interface to a layer 2 port, whether it is a L2 or L3 switch, you must create a vlan in the switch and place that port in that new vlan for the switchport to reference the fw layer 3 interface-subnet. This is only if that port is currently in a vlan-subnet different from the fw interface subnet.

Remember, access ports operate at layer 2; once you make a switch port a member of a particular vlan is when you have layer 3 interfaces-subnets with their respective vlans defined.



axfalk Mon, 09/10/2007 - 17:12

Thanks for your response. So, what you're saying is that a switchport has to belong to a vlan whose subnet is the same as the one on the fw int....

Thanks again...

axfalk Tue, 09/11/2007 - 13:42

Thanks. Is this generally true for all the connections from a layer 3 switchport to a router?


JORGE RODRIGUEZ Tue, 09/11/2007 - 15:48

When you use "switchport mode access" or "switchport access vlan #" on the port it is no longer a layer 3 port; once you introduce the "no switchport mode access" and introduce an IP address on the port it becomes a routed port and is no longer a layer 2 port.
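
The two port styles discussed in this thread, written out as an added Cisco IOS example (not configuration posted by either participant). The VLAN id, interface names and addresses are assumed values; the routed-port form uses `no switchport`.

```ios
! --- Option 1: layer 2 access port plus an SVI on the layer 3 switch ---
! The firewall interface and the switch's VLAN interface (SVI) must share a
! subnet, here 10.1.100.0/24 (constructed example addresses).
vlan 100
 name FW-TRANSIT
!
interface GigabitEthernet1/0/1
 description Firewall inside interface (L2 access port)
 switchport mode access
 switchport access vlan 100
 spanning-tree portfast
!
interface Vlan100
 description Switch-side gateway for the firewall transit VLAN
 ip address 10.1.100.1 255.255.255.0
!
! Firewall side (assumed): inside interface 10.1.100.2/24, next hop 10.1.100.1.
! Keep only the firewall port (and any redundant uplink) in VLAN 100 so no
! other host shares the segment the firewall is protecting.
!
! --- Option 2: routed port, no VLAN or SVI involved ---
! The switch port itself carries the layer 3 address; the firewall sits on
! the other end of a point-to-point /30 (constructed example addresses).
interface GigabitEthernet1/0/2
 description Firewall inside interface (routed port)
 no switchport
 ip address 10.1.101.1 255.255.255.252
!
! Verification (read-only show commands):
!   show interfaces GigabitEthernet1/0/1 switchport   -> Administrative Mode: static access, Access Mode VLAN: 100
!   show interfaces GigabitEthernet1/0/2 switchport   -> Switchport: Disabled (routed port)
!   show ip interface brief                           -> Vlan100 and Gi1/0/2 both listed with their addresses
```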

