Firewall connected to a switch using 2 ports (LAN & DMZ), but switch management talks on DMZ port

Tags: firewall, networking, port, routing, switch

Someone let me know if I'm off track here.

I'm setting up a firewall with 3 ports configured (WAN, LAN, and DMZ). The LAN and DMZ ports both connect to the same switch, on which I will configure a VLAN to segregate LAN and DMZ traffic.

I've got a bit of an issue in that the switch insists on its web-management interface talking to the firewall over the port designated to the DMZ (for the moment I've reconfigured that port to be a LAN so I can get on the switch to configure it).

If I've done everything correctly to this point, can someone point me in the right direction on forcing the switch to communicate its management data over another physical port?

The firewall packet captures clearly showed the traffic going to it on the X0 port and being received on the X2 port by default.

Best Answer

You probably have the DMZ set up as VLAN 1 and the management interface is configured for VLAN 1.

Not sure what kind of switch, so no specific directions, but basically you need to set the VLAN for the management interface to match the VLAN of your LAN ports (or vice versa).

Some examples:

  • For Cisco enterprise switches, you need to create a new SVI for the new VLAN and on some Cisco switches, you may need to disable the SVI VLAN 1 before creating the new SVI.
  • On other switches I have seen a VLAN selection field where you configure the IP address for the management interface.
  • It has been a while, but I know I came across a switch or two where the management interface could only be on VLAN 1, and in that case you would need to reverse your LAN and DMZ port assignments.
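The configuration the answer describes, worked through for a Cisco IOS switch as an added example (not part of the original question or answer). It assumes a Catalyst-style switch with ports named GigabitEthernet1/0/x, VLAN 10 for the LAN and VLAN 20 for the DMZ, a firewall LAN (X0) address of 192.168.10.1, and a switch management address of 192.168.10.2; all of these are illustrative choices, not values from the thread. The firewall's X0 and X2 ports each land on an untagged access port in their own VLAN, the switch's management SVI moves from VLAN 1 to the LAN VLAN, and the VLAN 1 SVI is shut down first, which is the order some Layer 2 Catalyst models require because they allow only one active SVI at a time.

```cisco
! Added example: segregate LAN and DMZ, and take switch management off the DMZ side.
! VLAN numbers, port numbers and addresses are assumptions for illustration.
vlan 10
 name LAN
vlan 20
 name DMZ
!
! Firewall uplinks: one untagged access port per zone, matching the firewall's separate physical ports.
interface GigabitEthernet1/0/1
 description Firewall X0 (LAN)
 switchport mode access
 switchport access vlan 10
 no shutdown
interface GigabitEthernet1/0/2
 description Firewall X2 (DMZ)
 switchport mode access
 switchport access vlan 20
 no shutdown
!
! Host ports, grouped by zone.
interface range GigabitEthernet1/0/3 - 12
 description LAN hosts
 switchport mode access
 switchport access vlan 10
interface range GigabitEthernet1/0/13 - 24
 description DMZ hosts
 switchport mode access
 switchport access vlan 20
!
! Move management from VLAN 1 to the LAN VLAN. Shut VLAN 1 first: on switches that permit
! only one active SVI, the new one will not come up while VLAN 1 is still enabled.
interface Vlan1
 no ip address
 shutdown
interface Vlan10
 description Switch management (LAN side)
 ip address 192.168.10.2 255.255.255.0
 no shutdown
!
! Default gateway is the firewall's LAN (X0) address, so management replies leave via X0, not X2.
ip default-gateway 192.168.10.1
end
!
! Verification (privileged exec): confirm Vlan10 is up with the address, Vlan1 is administratively down,
! and each port sits in the expected VLAN.
show ip interface brief
show vlan brief
```

Apply this from a console session rather than over the web interface, because the management address changes and VLAN 1 is shut down part-way through. Afterwards the firewall's capture on X2 should no longer show the switch's management traffic; if it does, a port is still in VLAN 1 or the DMZ port on the firewall still has a route to the management address.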