Do I Need A Layer 3 Core Switch?
-
I am going to completely refresh the hardware for my Ethernet infrastructure because most of the hardware is over 8 years old, I need more ports for edge devices and need to add 10GE. I have the following diagram for my switches, wireless APs and controller and firewall. I am keeping the firewall and wireless equipment. So far, I am planning on using Extreme Summit Series stackable switches for edge and TOR (a mix of POE and non-POE 1Gb and several 10GE for virtual hosts) switching and am wondering if I should look at a Layer 3 Core switch and move my WiFi traffic through it, instead. I have several SSIDs and each of those is on its own VLAN with the firewall having several virtual interfaces and respective firewall rules to allow/deny traffic and RADIUS authentication for some, provided by a Windows server on VLAN 1. The firewall is also the DHCP server for all wireless VLAN virtual interfaces.
What would you do?
EXISTING NETWORK TOPOLOGY
-
after only reading the title - no.
-
3 wireless VLANs - non of the wireless is on VLAN1?
-
@Dashrender Correct. The reason I did this is because I needed to effectively split the existing POE switch into 2 switches. Half the ports are on VLAN 1, for various devices like phones and desktops and the other half was exclusively for the WiFi network.
-
@wrx7m said:
I am going to completely refresh the hardware for my Ethernet infrastructure because most of the hardware is over 8 years old, I need more ports for edge devices and need to add 10GE. I have the following diagram for my switches, wireless APs and controller and firewall. I am keeping the firewall and wireless equipment. So far, I am planning on using Extreme Summit Series stackable switches for edge and TOR (a mix of POE and non-POE 1Gb and several 10GE for virtual hosts) switching and am wondering if I should look at a Layer 3 Core switch and move my WiFi traffic through it, instead. I have several SSIDs and each of those is on its own VLAN with the firewall having several virtual interfaces and respective firewall rules to allow/deny traffic and RADIUS authentication for some, provided by a Windows server on VLAN 1. The firewall is also the DHCP server for all wireless VLAN virtual interfaces.
What would you do?
EXISTING NETWORK TOPOLOGY
Is the Firewall currently doing all of your routing now?
-
@dafyre Yes it is currently handling all routing.
-
@wrx7m said:
@dafyre Yes it is currently handling all routing.
What drives you to consider a L3 Switch?
-
All wireless traffic ingresses the Sophos and egresses the LAN or WAN
-
From a quick look an L3 or an L2+ core switch makes sense. You don't want the firewall handling that duty if you can avoid it.
-
@dafyre Since I am replacing all the switches, I want to see if it is better practice to move the wifi traffic from the firewall to a layer 3 switch.
-
Something to keep in mind, your firewall is currently able to keep all traffic on those VLANs out of the normal network.
I'm not sure if L3 or L2+ switches have firewall like features to prevent cross VLAN communications.
-
@Dashrender Really? I thought that was the point of a VLAN.
-
@wrx7m said:
@Dashrender Really? I thought that was the point of a VLAN.
Well, no. A VLAN is just a LAN, it's not a thing on its own. If you connect them all together through a router or switch, by default you've joined them all into a single thing. Just routed between them, rather than switched. VLANs are not "for" anything specific. You have to build in the functionality that you want from them.
-
@scottalanmiller Sure, I meant that I thought the whole point of a VLAN was to segregate traffic/keep broadcasts domains smaller while utilizing the same physical switches.
-
@wrx7m said:
@scottalanmiller Sure, I meant that I thought the whole point of a VLAN was to segregate traffic/keep broadcasts domains smaller while utilizing the same physical switches.
Segregating traffic to broadcast domains for layer 2 doesn't imply that L3 isn't wide open between the subnets. In a typical network, you'd be wide open between them.
-
@scottalanmiller That is true, however, I am running in access mode to prevent cross communication and would like it to remain that way. Would a Layer 3 switch have the features to create ACLs for traffic on multiple VLANs across the same ports?
-
@wrx7m said:
@scottalanmiller That is true, however, I am running in access mode to prevent cross communication and would like it to remain that way. Would a Layer 3 switch have the features to create ACLs for traffic on multiple VLANs across the same ports?
Generally they will, but that was @Dashrender concern, that it would not.
-
OK. Got it. So since that is the goal, based on the size of the network and addition of 10GE for virtual hosts, I should consider a Layer 3 switch?
-
The 10 Gb in this case doesn't play a part in the decision making process, as far as I can see.
-
@Dashrender The layer 3 portion was for the inter-vlan traffic but the core aspect would be to provide the backbone bandwidth
