brian_ctl
Contributor

5660 Bonding/Port channel two gig ports, can this be done?

Can you configure two gig ports to be in an L2 network with the same L3 IP on both interfaces?

Customer wants two firewalls in the same L3 network attached to two ports on the 5660.

petetransitguy
New Contributor III

Re: 5660 Bonding/Port channel two gig ports, can this be done?

It looks like you can - in theory. In this manual (http://portal.adtran.com/pub/Library/Data_Sheets/Default_Public/617005660F1-8_NV5660.pdf), it says "Supports 802.1q VLAN Trunking." In this manual (Cisco ASA 5500 Series Configuration Guide using the CLI, 8.4 and 8.6 - Starting Interface Configurat...), there is a section titled "Configuring and Enabling Switch Ports as Trunk Ports." So, if your customer's firewall can support this configuration, if they have 2 available interfaces, and a competent technician, it should work. I'd also recommend starting support calls with Adtran and the other vendor prior to the maintenance window. Since we don't know the other vendor, this is impossible to answer. If it's a Cisco firewall, check out https://supportforums.cisco.com/, or check the support pages for that firewall manufacturer (Juniper, SonicWall, Barracuda, etc.) - or even reddit: the front page of the internet.

jayh
Honored Contributor

Re: 5660 Bonding/Port channel two gig ports, can this be done?


brian_ctl wrote:

Can you configure two gig ports to be in an L2 network with the same L3 IP on both interfaces?

Customer wants two firewalls in the same L3 network attached to two ports on the 5660.


I don't think you want/need trunking for this.

Technically the L3 IP isn't configured on the port. You can put two (or more, or all by default) ports in the same VLAN to allow two or more L3 devices on the same subnet to communicate.

Make the ports access ports in the same VLAN and that's all set. By default, all ports on the switch are on VLAN 1, but you can configure two (or more) ports to be access ports on a different VLAN.

If you also want the switch itself to be reachable via an IP on the subnet of the firewalls, then create a "vlan interface" for that VLAN number. This is a logical interface and not a physical port. Assign an IP to the vlan interface and all ports on that VLAN can reach it (and each other).

CAUTION: If you have more than one VLAN interface with an IP address and you have "ip routing" enabled, then traffic between the VLANs will be layer 3 routed. If you don't want this, only have one VLAN interface with an assigned IP, or turn off IP routing, or use the firewall function to block it. Easiest to turn off IP routing if you don't need it.

Small technical nit to pick: In an L3 network, IP addresses must be unique. Other than RFC1918, they're supposed to be globally unique. So you can't have the same IP address on two switch ports. You can have several ports in a VLAN with an IP assigned to the VLAN.
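As an added illustration of the setup jayh describes (this is not a config from the original thread or from any poster): two access ports in one VLAN so both firewalls share a single L2 segment, a VLAN interface so the switch itself is reachable on that subnet, and IP routing disabled so that a second addressed VLAN interface does not turn the switch into a layer 3 hop between VLANs. The port numbers, VLAN IDs, addresses, descriptions and the global `no ip routing` command are assumed NV3xxx-style AOS syntax and should be checked against the AOS command reference for the platform in question.

```text
! Two access ports in VLAN 127 so the two firewalls sit on one L2 segment.
! VLAN ID, port numbers and addresses are assumed values for illustration only.
interface switchport 0/5
  no shutdown
  switchport access vlan 127
!
interface switchport 0/6
  no shutdown
  switchport access vlan 127
!
! Logical interface (not a physical port) so the switch itself is reachable
! in the firewalls' subnet. Every port in VLAN 127 can reach this address.
! Pick an address neither firewall uses; IPs on the subnet must be unique.
interface vlan 127
  description DMZ firewalls (assumed)
  ip address 192.168.127.254 255.255.255.0
  no shutdown
!
! A second addressed VLAN interface. With "ip routing" enabled, the switch
! would forward traffic between VLAN 127 and VLAN 10 at layer 3.
interface vlan 10
  description Management (assumed)
  ip address 192.168.10.254 255.255.255.0
  no shutdown
!
! Assumed global command: disable layer 3 forwarding between VLAN interfaces
! when the switch should stay a pure L2 segment (the "easiest" option above).
no ip routing
```

If inter-VLAN traffic is required, leave `ip routing` on and apply an access policy to the VLAN interface instead, as in the `ip access-policy` line of the NV3458 config posted later in this thread; with routing off, the switch only bridges within each VLAN and the firewalls remain the sole path between subnets.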

hogle
New Contributor III

Re: 5660 Bonding/Port channel two gig ports, can this be done?

My NV5660 experience disagrees. I do agree it works as jayh describes on other NV3xxx platforms.

Taken from a working NV3458 router config, this would be:

interface switchport 0/4
  no shutdown
  switchport mode trunk
  switchport trunk allowed vlan 126-127
!
interface switchport 0/5
  no shutdown
  switchport access vlan 127
!
interface switchport 0/6
  no shutdown
  switchport access vlan 127
!
interface vlan 127
  description DMZ1 zone
  ip address 192.168.127.1 255.255.255.0
  ip access-policy DmzVlan127
  no shutdown

However, in the NV5660 the command "interface vlan 127" is absent in the latest OS version R13.1.0.HA.E. While I agree with jayh for other NV routers, this does not work in the NV5660 unless there is a different version of AOS for the NV5660 that allows VLANs to be instantiated globally as described. I don't know of one. The only way I know to specify VLANs in the NV5660 is with "ce-vlan-id", usually on a gigabit-eth sub-interface. But that by itself does not seem to allow same-VLAN traffic to pass between different interfaces. I have the same original question, which I believe is still unanswered:

How can the same VLAN on two or more interfaces have the same IP and same access-policy (firewall)?

BTW, another difference between standard NV3xxx routers and the NV5660, and presumably the NV4660: layer 3, including "ce-vlan-id", is required to be specified on sub-interfaces, unlike the NV3458 switchport example above.

hogle
New Contributor III

Re: 5660 Bonding/Port channel two gig ports, can this be done?

This thread is essentially the same question, asked in a different way, as this thread:

Migrating from NV3458 to NV5660 configuring VLANs

I believe the solution is the same: Aggregate the interfaces of each VLAN external to the NV5660 or NV4660. This can easily be accomplished with a layer 2 switch. Given the few ports on these routers, it actually makes practical sense to only bring each VLAN into the NV5660 router once.  This is probably better use of router and switch resources.

This solved both questions for me.