We have an MS220-24 as our Internet edge switch in order to have enough ports for dual redundant Ecessa PL-600 load balancers, an Untangle box for guest Wi-Fi, and two ISP handoffs.
Each port is on a VLAN designated for what it needs, which could be any of the following:
VLAN 10 - Windstream internet handoff
VLAN 9 - AT&T LTE internet handoff from a Cradlepoint
VLAN 11 - MDM network (like Apple devices)
VLAN 12 - Guest network inside
VLAN 66 - Windstream internet outside IPs
VLAN 67 - Comcast internet handoff
VLAN 68 - Comcast internet outside IPs
Port 1 is a trunk with allowed VLANs 11-12,66,68, which goes through to our internet IDS box and on to our Cisco 3750x switch stack with the same allowed VLANs on its trunk. That Cisco switch stack is the core, and devices are in their appropriate VLANs, such as firewalls on VLANs 66 and 68, the Cisco WLC putting people in the MDM network or guest network on VLAN 11 or 12 depending on the SSID, and of course there are numerous internal VLANs as well.
We have an internal IDS interface which unfortunately has only one input and one output. However, the issue is that we have two ASA5525x firewalls... a primary and a secondary. So we had a spare Cisco 3750x 48-port PoE switch lying around during implementation, and all it does is use 3 ports for this purpose. It has the primary firewall LAN, secondary firewall LAN, and IDS outside interface plugged in. The 45 other ports are not being used at all. Well, we have better uses for this switch and would like to repurpose it elsewhere. So we created a new VLAN 15, which is not on ANY OTHER PORTS on the MS220, and assigned it to ports 22, 23, and 24. Last night we moved the cables from our firewall LAN interfaces and our IDS to these three ports, but guess what... internet access completely stopped. The ports all linked at 1 gig, but we lost connection to the world. The Meraki switch even lost connection to its servers, and I could not access the port configuration using my iPhone app.
So we reverted everything back to the way it was... totally using the overkill, separate Cisco 3750x switch to accommodate our IDS provider's deficiency in not having enough interfaces to accommodate a secondary firewall.
What I find weird is that in the MS220, these last 3 ports were the only ports in VLAN 15, and they were set as access ports. So to me, it should have behaved like a separate dumb 3-port switch (IMO).
I have a ticket open with the IDS/IPS provider to see what other solutions they have, and also whether they marry or pair the MAC address of the switch it connects to (and maybe it just needed a power cycle to re-pair).
Any insight would be appreciated.