VLAN Uplink – Does Each VLAN Need a Dedicated Uplink Port?

Tags: firewall, routing, vlan

I am designing a network consisting of close to 60 ports, via a managed switch. I intend to deploy multiple VLANs: one for servers, one for desktops, one for guests, etc.

I intend to use the firewall to route between VLANs. (Yes, that's expensive, but in our case, we want to do it).

Does each VLAN need its own dedicated uplink port on the switch and firewall (acting as a router)? That is, if I want 6 VLANs, do I need to configure one port on the switch for each VLAN, and connect each to a different port on the firewall? Or should I use trunking, and send them all to the firewall on the same port? How do I enforce different security for those VLANs? (Ideally, I'd like physically distinct ports, not just VLAN tagging.)

Also, do I need to create management VLANs (for the switch and firewall themselves)?

Best Answer

You need to start by evaluating the capacity of your firewall. If your firewall is only good for several hundred megabits of throughput, then I would trunk all 6 vlans on one interface with 802.1q tagging to the firewall. (You mention you want physical ports, not just vlan tagging, but technically there is no security difference between the two, and physical ports are just wasteful.)

If, however, your firewall can do more than a gigabit of throughput, then it makes sense to take a couple of ports and port-channel them together, and make that into an 802.1q trunk. Then, you'll be able to take advantage of more throughput capacity on the firewall.

To reiterate, using separate ports in different vlans is exactly the same as trunking multiple vlans over a single port. The 802.1q tags keep the traffic in their correct vlans.

Regarding management vlans, you're opening a religious discussion. I would suggest just managing the devices in-band, but there are a lot of people who will vehemently argue for using a dedicated management vlan. To each his own!
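The design the answer recommends (a port-channel carrying all VLANs as one 802.1q trunk, with the firewall holding one tagged subinterface per VLAN and enforcing policy between them) can be sketched on a Linux firewall as follows. This is an added example, not code from the question, the answer, or any vendor; the bond name `bond0`, the member ports `eth1`/`eth2`, the VLAN IDs, subnets and the allow matrix are all constructed sample values, and the use of nftables for inter-VLAN filtering is an assumption. It also includes a management VLAN, so you can see what the in-band versus dedicated-VLAN choice looks like in the policy.

```python
"""Trunk-to-firewall VLAN design as Linux ip/nftables commands.

Added example (hypothetical names and addresses throughout): one LACP
bond carries every VLAN to the firewall; isolation between VLANs comes
from the firewall's forward policy, not from separate physical ports.
"""
from __future__ import annotations
from dataclasses import dataclass

TRUNK = "bond0"                  # assumed name of the port-channel to the switch
MEMBERS = ("eth1", "eth2")       # assumed physical ports in the port-channel


@dataclass(frozen=True)
class Vlan:
    vid: int       # 802.1q VLAN ID carried on the trunk
    name: str      # role used in the policy matrix
    subnet: str    # firewall's address on that VLAN, CIDR (constructed)


# Constructed sample VLAN plan; IDs and subnets are not from the page.
VLANS = [
    Vlan(10, "servers", "10.0.10.1/24"),
    Vlan(20, "desktops", "10.0.20.1/24"),
    Vlan(30, "guests", "10.0.30.1/24"),
    Vlan(99, "mgmt", "10.0.99.1/24"),
]

# (src, dst) pairs allowed to open connections across VLANs. Anything not
# listed is dropped: guests never reach servers or desktops, and only the
# management VLAN may initiate towards everything else.
ALLOW = {
    ("desktops", "servers"),
    ("mgmt", "servers"),
    ("mgmt", "desktops"),
    ("mgmt", "guests"),
}


def iface(v: Vlan, trunk: str = TRUNK) -> str:
    """Tagged subinterface name for a VLAN, e.g. bond0.10."""
    return f"{trunk}.{v.vid}"


def link_commands(vlans=VLANS, trunk=TRUNK, members=MEMBERS) -> list[str]:
    """iproute2 commands: build the LACP bond, then one VLAN subinterface per VLAN."""
    cmds = [f"ip link add {trunk} type bond mode 802.3ad"]
    for m in members:
        cmds += [f"ip link set {m} down", f"ip link set {m} master {trunk}"]
    cmds.append(f"ip link set {trunk} up")
    for v in vlans:
        cmds += [
            f"ip link add link {trunk} name {iface(v, trunk)} type vlan id {v.vid}",
            f"ip addr add {v.subnet} dev {iface(v, trunk)}",
            f"ip link set {iface(v, trunk)} up",
        ]
    return cmds


def allowed(src: str, dst: str, allow=ALLOW) -> bool:
    """Does the policy let src VLAN open connections to dst VLAN?"""
    if src == dst:
        return True   # same VLAN is switched locally and never hits the firewall
    return (src, dst) in allow


def nft_ruleset(vlans=VLANS, allow=ALLOW, trunk=TRUNK) -> str:
    """nftables forward chain implementing the allow matrix on the tagged subinterfaces."""
    by_name = {v.name: v for v in vlans}
    lines = [
        "table inet intervlan {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for src, dst in sorted(allow):
        lines.append(
            f"    iifname {iface(by_name[src], trunk)} "
            f"oifname {iface(by_name[dst], trunk)} accept"
        )
    # Log what the default policy drops so cross-VLAN attempts are visible.
    lines.append('    counter log prefix "intervlan-drop: " drop')
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print("\n".join(link_commands()))
    print(nft_ruleset())
```

Because every VLAN arrives on the same bond, the security boundary is the `iifname`/`oifname` pairing in the forward chain; adding a second physical uplink would not change which VLAN a frame belongs to, only the tag does. The port-channel is what buys the extra throughput the answer mentions when the firewall can exceed a single gigabit.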