That was what I was trying to do in the beginning but couldn't seem to get the static routing to work properly between the MX and the MS320. Create each VLAN on the MX with a corresponding port on the MX, then tagging that port to a corresponding port on the MS. That's essentially how we have it today with the firewall interfaces on the Watchguard and then it has the static routes back to the layer 3 switch. Then it just shoots traffic to the trusted interface to the Watchguard.

Here's what I have today on the switch (MS320):

Then the Firebox has this:

With these routes in the Firebox:

I did these in the MX as a test. I figured I could do the 192.0.0.3 as a test and then when cutover happens change it to 192.0.0.254. Then using an SFP port as an uplink from the switch to the MX with each tagged native VLAN 1 with all VLANs. This kind of matches the Watchguard but the static routes are what's throwing me off.

I'm not opposed to restructuring, I just want to get it right from the get-go, so to speak. Thanks for all the help!