Do I Need A Layer 3 Core Switch?



  • I am going to completely refresh the hardware for my Ethernet infrastructure because most of the hardware is over 8 years old, I need more ports for edge devices and need to add 10GE. I have the following diagram for my switches, wireless APs and controller and firewall. I am keeping the firewall and wireless equipment. So far, I am planning on using Extreme Summit Series stackable switches for edge and TOR (a mix of POE and non-POE 1Gb and several 10GE for virtual hosts) switching and am wondering if I should look at a Layer 3 Core switch and move my WiFi traffic through it, instead. I have several SSIDs and each of those is on its own VLAN with the firewall having several virtual interfaces and respective firewall rules to allow/deny traffic and RADIUS authentication for some, provided by a Windows server on VLAN 1. The firewall is also the DHCP server for all wireless VLAN virtual interfaces.

    What would you do?

    EXISTING NETWORK TOPOLOGY
    [image: Network Only Physical Topology 02-18-16.png]



  • after only reading the title - no.



  • 3 wireless VLANs - none of the wireless is on VLAN 1?



  • @Dashrender Correct. The reason I did this is because I needed to effectively split the existing POE switch into 2 switches. Half the ports are on VLAN 1, for various devices like phones and desktops and the other half was exclusively for the WiFi network.



  • @wrx7m said:

    I am going to completely refresh the hardware for my Ethernet infrastructure because most of the hardware is over 8 years old, I need more ports for edge devices and need to add 10GE. I have the following diagram for my switches, wireless APs and controller and firewall. I am keeping the firewall and wireless equipment. So far, I am planning on using Extreme Summit Series stackable switches for edge and TOR (a mix of POE and non-POE 1Gb and several 10GE for virtual hosts) switching and am wondering if I should look at a Layer 3 Core switch and move my WiFi traffic through it, instead. I have several SSIDs and each of those is on its own VLAN with the firewall having several virtual interfaces and respective firewall rules to allow/deny traffic and RADIUS authentication for some, provided by a Windows server on VLAN 1. The firewall is also the DHCP server for all wireless VLAN virtual interfaces.

    What would you do?

    EXISTING NETWORK TOPOLOGY
    [image: Network Only Physical Topology 02-18-16.png]

    Is the Firewall currently doing all of your routing now?



  • @dafyre Yes it is currently handling all routing.



  • @wrx7m said:

    @dafyre Yes it is currently handling all routing.

    What drives you to consider a L3 Switch?



  • All wireless traffic ingresses the Sophos and egresses the LAN or WAN



  • From a quick look an L3 or an L2+ core switch makes sense. You don't want the firewall handling that duty if you can avoid it.



  • @dafyre Since I am replacing all the switches, I want to see if it is better practice to move the wifi traffic from the firewall to a layer 3 switch.



  • Something to keep in mind, your firewall is currently able to keep all traffic on those VLANs out of the normal network.

    I'm not sure if L3 or L2+ switches have firewall like features to prevent cross VLAN communications.



  • @Dashrender Really? I thought that was the point of a VLAN.



  • @wrx7m said:

    @Dashrender Really? I thought that was the point of a VLAN.

    Well, no. A VLAN is just a LAN, it's not a thing on its own. If you connect them all together through a router or switch, by default you've joined them all into a single thing. Just routed between them, rather than switched. VLANs are not "for" anything specific. You have to build in the functionality that you want from them.



  • @scottalanmiller Sure, I meant that I thought the whole point of a VLAN was to segregate traffic/keep broadcast domains smaller while utilizing the same physical switches.



  • @wrx7m said:

    @scottalanmiller Sure, I meant that I thought the whole point of a VLAN was to segregate traffic/keep broadcast domains smaller while utilizing the same physical switches.

    Segregating traffic to broadcast domains for layer 2 doesn't imply that L3 isn't wide open between the subnets. In a typical network, you'd be wide open between them.



  • @scottalanmiller That is true, however, I am running in access mode to prevent cross communication and would like it to remain that way. Would a Layer 3 switch have the features to create ACLs for traffic on multiple VLANs across the same ports?



  • @wrx7m said:

    @scottalanmiller That is true, however, I am running in access mode to prevent cross communication and would like it to remain that way. Would a Layer 3 switch have the features to create ACLs for traffic on multiple VLANs across the same ports?

    Generally they will, but that was @Dashrender's concern, that it would not.
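The point made in the last few posts (a routing switch joins its VLANs wide open at layer 3 unless you add ACLs, and the question of whether per-VLAN ACLs can restore the isolation the firewall currently provides) is easy to see in a small model. The following is an added example written for this thread, not code from any poster or from Extreme: it models an L3 switch's ingress decision with a first-match ACL per VLAN. The VLAN numbers, subnets, the RADIUS server address and the rules are all constructed for illustration.

```python
"""
Added example (not from the thread): a small model of what a layer 3 switch
does with inter-VLAN traffic. With no ACL applied, any VLAN can reach any
other VLAN once the switch routes between them; a per-VLAN ingress ACL is
what restores the isolation the firewall provided. All VLAN numbers,
subnets and rules below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str          # "tcp" | "udp" | "icmp"
    dst_port: int = 0   # 0 for protocols without ports


@dataclass(frozen=True)
class Rule:
    action: str         # "permit" | "deny"
    dst: str            # destination CIDR
    proto: str = "any"  # "any" | "tcp" | "udp" | "icmp"
    dst_port: int = 0   # 0 = any port


# Constructed VLAN plan: VLAN 1 is the wired LAN, 10/20/30 are wireless SSIDs.
VLANS = {
    1: ip_network("10.1.0.0/24"),
    10: ip_network("10.10.0.0/24"),
    20: ip_network("10.20.0.0/24"),
    30: ip_network("10.30.0.0/24"),
}


def vlan_of(ip: str):
    """Return the VLAN id whose subnet contains ip, or None if not local."""
    addr = ip_address(ip)
    for vid, net in VLANS.items():
        if addr in net:
            return vid
    return None  # not a local subnet: would follow the default route (firewall)


def rule_matches(rule: Rule, flow: Flow) -> bool:
    if ip_address(flow.dst_ip) not in ip_network(rule.dst):
        return False
    if rule.proto != "any" and rule.proto != flow.proto:
        return False
    if rule.dst_port and rule.dst_port != flow.dst_port:
        return False
    return True


def decide(flow: Flow, acls: dict) -> str:
    """Return 'permit' or 'deny' for a flow entering the switch.

    acls maps ingress VLAN id -> ordered list of Rules. First match wins.
    A VLAN with no ACL is wide open (the default on a routing switch); an
    ACL that matches nothing ends in an implicit deny.
    """
    rules = acls.get(vlan_of(flow.src_ip))
    if rules is None:
        return "permit"
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.action
    return "deny"


# Constructed ACL mimicking the firewall policy described in the thread:
# wireless VLANs may reach only the RADIUS server on VLAN 1 and the Internet.
RADIUS_SERVER = "10.1.0.5/32"   # constructed address on VLAN 1
WIRELESS_ACL = [
    Rule("permit", RADIUS_SERVER, "udp", 1812),   # RADIUS authentication
    Rule("permit", RADIUS_SERVER, "udp", 1813),   # RADIUS accounting
    Rule("deny", "10.0.0.0/8"),                   # everything else internal
    Rule("permit", "0.0.0.0/0"),                  # Internet, via the firewall
]
ACLS = {10: WIRELESS_ACL, 20: WIRELESS_ACL, 30: WIRELESS_ACL}

if __name__ == "__main__":
    rdp_to_lan = Flow("10.20.0.7", "10.1.0.20", "tcp", 3389)
    print("no ACLs  :", decide(rdp_to_lan, {}))     # permit (wide open)
    print("with ACLs:", decide(rdp_to_lan, ACLS))   # deny
```

Two things the model makes visible: first, `decide(rdp_to_lan, {})` returns `permit`, which is the "wide open between the subnets" behaviour a routing switch has until you configure otherwise; second, the ACL is evaluated on the ingress VLAN, so VLAN 1 in this model stays open toward the wireless subnets until it gets an ACL of its own. DHCP is deliberately left out: once the firewall is no longer the default gateway for the wireless VLANs, the switch would need DHCP relay configured to keep the firewall as the DHCP server, which is another item to check on the switch you pick.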



  • OK. Got it. So since that is the goal, based on the size of the network and addition of 10GE for virtual hosts, I should consider a Layer 3 switch?



  • The 10 Gb in this case doesn't play a part in the decision making process, as far as I can see.



  • @Dashrender The layer 3 portion was for the inter-VLAN traffic, but the core aspect would be to provide the backbone bandwidth.



  • What switch do you have in mind?
    How many 10 Gb ports do you need? Will you run two for whichever r word will make Scott happier? 😛



  • @Dashrender Ha! It would be a single as a core and I am not sure which switch I would use yet. I am still trying to see if all of it will be within my budget. For my virtual hosts I currently need 6 10GE (which I am leaning toward 2 switches to create some redundancy) and then I would ideally be stacking the switches with the others so I am not sure how it will all go together with the introduction of a core switch, stacking-wise.



  • I've never been responsible for a network that was large enough to have a core switch.

    I have an HP 2824 (L3 switch) 1 Gb switch with 4 ports that will take GBICs that I use for fiber.

    Connected to that I have two 2650-PWR switches for phones and endpoints.

    I am planning on upgrading the 2824 to a UBNT EdgeSwitch 48 which has two SFP+ ports (10 GbE) and two SFP ports (1 Gb fiber).

    I will eventually replace the 2650-pwr with 1 Gb switches in the future.



  • For the TOR switches for all my servers and virtual hosts and NAS, I am looking at using 2 of the Extreme Summit X460-G2-24t-10GE4: 24 ports of copper 1Gb and 4 ports of 10GE SFP+ and additional stacking ports on the back. For the edge switches for things like the access points, IP phones and desktops, I was looking at the Extreme Summit X450-G2-48P-10GE4 or the Extreme Summit X450-G2-48P-GE4.



  • wow, $3800/ea for the TOR switches...



  • Yeah, that is kind of why I was asking. Is this enough to warrant the consideration of something designed to be a core?



  • @Dashrender Don't forget to add the PSU(s)



  • I suppose that I could always get the TOR and Edge switches first and see how well it works and if I need to get better throughput from the LAN to the WIFI and vice versa, then I could add the "core" switch into the mix. Anyone have thoughts on this?



  • Not that it means anything - but I've never heard of Extreme Summit.

    Any reason not to find a solution that has six 10 Gbe ports on a single switch?



  • @Dashrender said:

    Not that it means anything - but I've never heard of Extreme Summit.

    Not SMB gear. It's good stuff. Way better than Cisco.

