Do I Need A Layer 3 Core Switch?
- 
 All wireless traffic ingresses the Sophos and egresses the LAN or WAN 
- 
 From a quick look an L3 or an L2+ core switch makes sense. You don't want the firewall handling that duty if you can avoid it. 
- 
 @dafyre Since I am replacing all the switches, I want to see if it is better practice to move the wifi traffic from the firewall to a layer 3 switch. 
- 
 Something to keep in mind, your firewall is currently able to keep all traffic on those VLANs out of the normal network. I'm not sure if L3 or L2+ switches have firewall like features to prevent cross VLAN communications. 
- 
 @Dashrender Really? I thought that was the point of a VLAN. 
- 
 @wrx7m said: @Dashrender Really? I thought that was the point of a VLAN. Well, no. A VLAN is just a LAN, it's not a thing on its own. If you connect them all together through a router or switch, by default you've joined them all into a single thing. Just routed between them, rather than switched. VLANs are not "for" anything specific. You have to build in the functionality that you want from them. 
- 
 @scottalanmiller Sure, I meant that I thought the whole point of a VLAN was to segregate traffic/keep broadcast domains smaller while utilizing the same physical switches. 
- 
 @wrx7m said: @scottalanmiller Sure, I meant that I thought the whole point of a VLAN was to segregate traffic/keep broadcast domains smaller while utilizing the same physical switches. Segregating traffic to broadcast domains for layer 2 doesn't imply that L3 isn't wide open between the subnets. In a typical network, you'd be wide open between them. 
- 
 @scottalanmiller That is true, however, I am running in access mode to prevent cross communication and would like it to remain that way. Would a Layer 3 switch have the features to create ACLs for traffic on multiple VLANs across the same ports? 
- 
 @wrx7m said: @scottalanmiller That is true, however, I am running in access mode to prevent cross communication and would like it to remain that way. Would a Layer 3 switch have the features to create ACLs for traffic on multiple VLANs across the same ports? Generally they will, but that was @Dashrender's concern, that it would not. 
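To make the point in this exchange concrete, here is an added Python model (not from the thread or any switch vendor) of how an L3 core switch treats a packet: same-VLAN traffic is switched, inter-VLAN traffic is routed, and with no ACL applied it is routed wide open; only an explicit ACL on the VLAN interfaces restores the isolation the firewall currently provides. The VLAN names, subnets and rules are constructed, and the model assumes unmatched traffic is permitted unless a catch-all deny rule is present.

```python
from ipaddress import ip_address, ip_network

# Constructed topology: three VLANs terminated on an L3 core switch,
# plus a default route toward the firewall/WAN.
VLANS = {
    "lan":   ip_network("10.0.10.0/24"),
    "wifi":  ip_network("10.0.20.0/24"),
    "guest": ip_network("10.0.30.0/24"),
}

# ACL rows: (src VLAN, dst VLAN or "wan", action). First match wins;
# "any" is a wildcard. An empty table means no ACL is applied at all.
ACL_NONE = []
ACL_SEGMENTED = [
    ("wifi",  "wan", "permit"),   # wireless may reach the internet...
    ("guest", "wan", "permit"),
    ("lan",   "wan", "permit"),
    ("any",   "any", "deny"),     # ...but nothing else crosses VLANs
]


def vlan_of(ip):
    """Map an address to its local VLAN, or 'wan' if it follows the default route."""
    addr = ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    return "wan"


def decide(src, dst, acl):
    """Return 'switched', 'routed' or 'denied' for a packet src -> dst."""
    s, d = vlan_of(src), vlan_of(dst)
    if s == d:
        return "switched"          # same VLAN: pure L2, an SVI ACL never sees it
    for a_src, a_dst, action in acl:
        if a_src in (s, "any") and a_dst in (d, "any"):
            return "routed" if action == "permit" else "denied"
    return "routed"                # no matching rule: inter-VLAN routing is open


def isolation_holds(acl):
    """True only if no local VLAN can reach another local VLAN under this ACL."""
    hosts = {n: str(net[10]) for n, net in VLANS.items()}
    return all(decide(hosts[a], hosts[b], acl) == "denied"
               for a in hosts for b in hosts if a != b)
```

With `ACL_NONE` the model reports wifi-to-LAN traffic as `routed`, which is the default any L3 switch gives you; with `ACL_SEGMENTED` it is `denied` while wifi-to-WAN stays `routed`.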
- 
 OK. Got it. So since that is the goal, based on the size of the network and addition of 10GE for virtual hosts, I should consider a Layer 3 switch? 
- 
 The 10 Gb in this case doesn't play a part in the decision making process, as far as I can see. 
- 
 @Dashrender The layer 3 portion was for the inter-VLAN traffic, but the core aspect would be to provide the backbone bandwidth. 
- 
 What switch do you have in mind? 
 How many 10 Gb ports do you need? Will you run two for whichever r word will make Scott happier? 
- 
 @Dashrender Ha! It would be a single as a core and I am not sure which switch I would use yet. I am still trying to see if all of it will be within my budget. For my virtual hosts I currently need 6 10GE (which I am leaning toward 2 switches to create some redundancy) and then I would ideally be stacking the switches with the others so I am not sure how it will all go together with the introduction of a core switch, stacking-wise. 
- 
 I've never been responsible for a network that was large enough to have a core switch. I have an HP 2824 (L3 switch) 1 Gb switch with 4 ports that will take GBICs that I use for fiber. Connected to that I have two 2650-PWR switches for phones and endpoints. I am planning on upgrading the 2824 to a UBNT EdgeSwitch 48 which has two SFP+ ports (10 GbE) and two SFP ports (1 Gb fiber). I will eventually replace the 2650-PWR with 1 Gb switches in the future. 
- 
 For the TOR switches for all my servers and virtual hosts and NAS, I am looking at using 2 of the Extreme Summit X460-G2-24t-10GE4: 24 ports of copper 1 Gb and 4 ports of 10GE SFP+ and additional stacking ports on the back. For the edge switches for things like the access points, IP phones and desktops, I was looking at the Extreme Summit X450-G2-48P-10GE4 or the Extreme Summit X450-G2-48P-GE4. 
- 
 Wow, $3800/ea for the TOR switches... 
- 
 Yeah, that is kind of why I was asking. Is this enough to warrant the consideration of something designed to be a core? 