Can anyone give me some advice on the following config and which is the preferred way.

Please note the 48-port module discussed below is installed into an existing 6509 and for security reasons no routing can take place at the 6509. It all would be done at the local site or via the Firewall.

Option 1
Each port on the 48-port module in the Cat 6509 (central site) would be assigned to a VLAN, with 1 port configured as a trunk to the Firewall to carry all VLANs. At the remote site port 1 of the Cat 3550 would connect into the LES circuit (link to the central site), this would be in the same VLAN as the core. Therefore the IP addressing would be as follows:

IP Address of Firewall - 172.25.100.10 mask 255.255.255.252
IP Address of 3550 VLAN - 172.25.100.11 mask 255.255.255.252

This would be replicated for every site, which would create 41 point to point links.
The concern seems to be the management of the switches. Should I create a management subnet on top of the network addressing (as detailed above) e.g. the firewall would have an IP address in the management network and each switch would have a VLAN that was in the management network. IP addressing as follows:

IP Address of Firewall - 192.168.100.1 mask 255.255.255.0
IP Address of 3550 VLAN - 192.168.100.2 mask 255.255.255.0

The Other Option
Use the network addressing i.e. the 172.25.100.11 address for management as well as the network; in my opinion that is perceived to be bad practice. Assign an IP address to the physical interface of the 3550, instead of a VLAN. The management network would be set up as a sub-interface on the 3550 (with a 192.168.100.2 address and probably a full /32 mask) and route the management traffic back to the Firewall via the 172.25.100.10 network.

Any comments?

cheers

Paul.
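
An added example, not part of the original post: a Python check, using the standard `ipaddress` module, of the firewall/switch address pairs quoted in the post against their masks, plus a layout of one /30 per site for the 41 point-to-point links. The 172.25.100.0/24 supernet and the function names `check_p2p` and `plan_links` are assumptions made for illustration.

```python
import ipaddress


def check_p2p(fw, sw, mask):
    """Return a list of problems with one firewall<->switch address pair."""
    net = ipaddress.ip_interface(f"{fw}/{mask}").network
    problems = []
    for name, addr in (("firewall", fw), ("switch", sw)):
        ip = ipaddress.ip_address(addr)
        if ip not in net:
            problems.append(f"{name} {ip} is outside {net}")
        elif ip == net.network_address:
            problems.append(f"{name} {ip} is the network address of {net}")
        elif ip == net.broadcast_address:
            problems.append(f"{name} {ip} is the broadcast address of {net}")
    return problems


def plan_links(supernet, sites):
    """Carve one /30 per site; return (site, subnet, firewall_ip, switch_ip)."""
    subnets = ipaddress.ip_network(supernet).subnets(new_prefix=30)
    plan = []
    for site, net in zip(range(1, sites + 1), subnets):
        fw_ip, sw_ip = net.hosts()  # a /30 has exactly two usable hosts
        plan.append((site, net, fw_ip, sw_ip))
    if len(plan) < sites:
        raise ValueError(f"{supernet} cannot hold {sites} /30 links")
    return plan


if __name__ == "__main__":
    # Address pairs exactly as written in the post.
    pairs = [
        ("172.25.100.10", "172.25.100.11", "255.255.255.252"),
        ("192.168.100.1", "192.168.100.2", "255.255.255.0"),
    ]
    for fw, sw, mask in pairs:
        print(fw, sw, mask, "->", check_p2p(fw, sw, mask) or "ok")

    # Assumed supernet (not stated in the post) for the 41 site links.
    for site, net, fw_ip, sw_ip in plan_links("172.25.100.0/24", 41):
        print(f"site {site:2}: {net}  firewall {fw_ip}  switch {sw_ip}")
```

With the addresses as posted, `check_p2p` reports 172.25.100.11 as the broadcast address of 172.25.100.8/30; the usable pair in that block is .9 and .10, which is what `plan_links` assigns to it.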