Firewall Interfaces...Portfast or Trunk?

Unanswered Question
Oct 8th, 2007

I'm installing 2 new 3560 switches to replace 4 2950 switches. The firewall is currently doing all the routing and will continue; I will not be using the new switches for any routing.

My question is: do I set up the ports that connect my firewall interfaces as PortFast or Trunk? I know I use Trunk on the ports that connect to the other switch, but wasn't sure about the interfaces that would do the routing. I believe it's PortFast, but wanted to confirm.


Jon Marshall Mon, 10/08/2007 - 19:34

Hi Bob

The answer is: it depends. If you only have one subnet and the L3 interface for the subnet is on the firewall, then set it up as an access port and use portfast.

If, however, you have multiple internal subnets and you are running 802.1q between your firewall and your switch, then the firewall port needs to be a trunk.

From the sounds of what you say, I would guess you are using just one subnet?


bob.mckinley Mon, 10/08/2007 - 19:39

Hey Jon,

Yes and No, I have multiple subnets but only one subnet is configured per interface of the FW.

So it sounds like I do set it as PortFast.


Francois Tallet Mon, 10/08/2007 - 20:54

There seem to be two orthogonal issues here:

-1- trunk vs access: this depends on whether you have more than one VLAN on the links between the switch and the firewall. Here, it seems that you want an access port.

-2- portfast vs no portfast on the switch ports. If the firewall is doing L3 (which is the case here), then portfast is appropriate. Else, there should be no portfast.

OK, my post is not of great use, as it just repeats what you have already concluded;-) But I just wanted to say that "trunk and portfast" could have been a valid solution in some scenarios;-)
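
The two cases discussed in this thread, as an added Catalyst 3560 configuration sketch that is not part of any poster's reply: an access port with portfast for a firewall interface carrying one subnet, and a trunk with portfast for a firewall interface carrying several VLANs over 802.1Q. Interface numbers, VLAN IDs and descriptions are placeholders chosen for illustration.

```cisco
! Added example: interface numbers and VLAN IDs are placeholders.
!
! Case 1: the firewall interface carries a single subnet (one VLAN, untagged).
! Access port; portfast skips the listening/learning delay on link-up.
interface FastEthernet0/1
 description Firewall inside interface (single subnet)
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
! Case 2: the firewall interface carries several VLANs over 802.1Q.
! The port is a trunk; because the firewall is still an L3 endpoint and
! not a bridge, portfast is enabled with the "trunk" keyword.
interface FastEthernet0/2
 description Firewall 802.1Q interface (multiple subnets)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 spanning-tree portfast trunk
!
! Switch-to-switch link: trunk, no portfast, since the peer is a bridge
! and takes part in spanning tree.
interface GigabitEthernet0/1
 description Uplink to second 3560
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
! Checks after applying:
!   show interfaces FastEthernet0/1 switchport
!   show spanning-tree interface FastEthernet0/1 portfast
```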



