Cisco Support Community
New Member

Trunk to Firewalls

Hi, could someone please explain what the advantages of trunking to the firewall are? I am referring to a stand-alone hardware firewall and not a FWSM module. The reason for this question is that it seems many folks are using this method to basically use the firewall as a default gateway for services; however, it seems that this might be more of an administrative burden for the firewall administrator.

The obvious benefit is that, since traffic from your hosts goes to the firewall to route (as it is the default gateway), you can explicitly permit/deny.

As opposed to when the default gateway is on the switch, then to prevent inter-VLAN traffic you have to configure ACLs.

Besides the above mentioned, I cannot seem to see any other benefits and would appreciate it if someone could possibly point out some more benefits, as well as give a small design scenario where this might be used. Thx

Hall of Fame Super Blue

Re: Trunk to Firewalls


Well, you have pretty much summed it up really. I can think of 3 major reasons why you might want to trunk to your firewall from a switch:

1) Your switch is Layer 2 only and you cannot afford another device.

2) You are in a relatively high-security environment and you have a requirement to firewall between internal VLANs.

3) You have run out of physical interfaces on your firewall but need to create another DMZ.
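To put reasons 2) and 3) into a concrete design, here is an added configuration sketch (not from the original thread, with constructed VLAN numbers and addresses): the switch trunks two VLANs to a stand-alone firewall, the firewall holds the default gateway for each VLAN on a dot1q subinterface, and a DMZ policy is applied once on the firewall instead of as ACLs on the switch.

```cisco
! --- Layer 2 switch side: one trunk carries VLAN 10 (inside) and VLAN 20 (dmz) ---
interface GigabitEthernet0/1
 description trunk to firewall
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
!
! --- Firewall side (ASA-style syntax): physical port carries no IP itself ---
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
! Subinterface per VLAN; the hosts in each VLAN use this address as their default gateway
interface GigabitEthernet0/1.10
 vlan 10
 nameif inside
 security-level 100
 ip address 10.0.10.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif dmz
 security-level 50
 ip address 10.0.20.1 255.255.255.0
!
! Inter-VLAN policy lives here: DMZ hosts may not initiate traffic into the inside VLAN,
! but may reach anywhere else on 443. Inside -> DMZ is allowed by the security levels.
access-list DMZ_IN extended deny ip any 10.0.10.0 255.255.255.0
access-list DMZ_IN extended permit tcp any any eq 443
access-group DMZ_IN in interface dmz
```

The trade-off the original question raises is visible here: every new VLAN now needs a subinterface and an explicit policy on the firewall, but no ACLs are needed on the switch to keep the two VLANs apart.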



New Member

Re: Trunk to Firewalls

Hi Jon,

Thx for your response. I do have a few questions, as I cannot seem to think why this design would be deployed. Thx for helping.

Is this design considered best practice? If cost is a reason, why not make the outside switch an L3 switch (most switches deployed on the outside are capable of L3)? Connect the firewall to an access port in the same VLAN as the switch. All the outside vendors connect to the switch in their own VLANs, and those VLANs terminate on the switch. Let the L3 switch handle the routing towards the firewall.

It seems moving the routing functionality to the firewall is just shifting the responsibility on the firewall. Will the firewall run a routing protocol with external vendors directly? I can see why this might be deployed in a high security environment but that would be it.

One more question. Why would a design be deployed in which the outside switch is limited to L2? Are there any benefits to doing it this way?

