02-07-2010 12:50 PM - edited 03-06-2019 09:37 AM
Currently am using redundant PIX firewalls to manage approx 7 subnets with about 40 servers and Layer 2 switches. Or is it a better topology in this small environment to use a L3 router with vlan segmentation and trunking and why? I am looking for best practice.
02-07-2010 01:07 PM
jasonlees wrote:
Currently am using redundant PIX firewalls to manage approx 7 subnets with about 40 servers and Layer 2 switches. Or is it a better topology in this small environment to use a L3 router with vlan segmentation and trunking and why? I am looking for best practice.
Jason
If you used a router then with 7 subnets you would need to use subinterfaces, which I'm assuming you are doing at the moment on the PIX?
Personally, if I was looking to migrate the VLAN routing off the PIX firewalls I would go with a L3 switch such as the 3560 in your case. This is primarily what L3 switches are designed for, i.e. routing between VLANs within a LAN. There are limitations to L3 switches, i.e. QoS is not as full featured as on a router, and NAT is not supported unless you go for a 6500, which would definitely be overkill for your scenario. So you do need to fully identify all your requirements and ensure that the device you are using has that functionality.
So should the PIX firewalls be used for inter-VLAN routing? In a small setup this is fine, but again this is a personal opinion; I am not a big fan of routing off firewalls. They are not really designed for that, and having multiple subinterfaces on the firewall and the added complexity of the configuration should be avoided if at all possible. You want to keep your firewalls doing what they were designed to, i.e. protecting your internal LAN.
Having said this, best practice and cost often don't necessarily go hand in hand. If your network works and you have no performance issues at present and no need for functionality that the firewalls can't provide, then it might be hard to justify the extra cost of a L3 switch. Best practice is all well and good, but it is not a set of rules; it is a set of guidelines that can help with your design but should not necessarily be followed slavishly.
If you anticipate an expansion of your network in the near future then I would definitely consider looking at an internal device(s) to do the inter-VLAN routing.
Jon
02-07-2010 02:53 PM
The network is growing, there are some performance issues but not extremely bad, probably will get worse with growth though. Really, just using a separate L2 switch for each subnet, nothing very complex but not a good configuration either. Using a 3560, that seems to be more in the cost range than some of the higher end switches. Would you think multilayer switching is overkill?
02-07-2010 03:17 PM
jasonlees wrote:
The network is growing, there are some performance issues but not extremely bad, probably will get worse with growth though. Really, just using a separate L2 switch for each subnet, nothing very complex but not a good configuration either. Using a 3560, that seems to be more in the cost range than some of the higher end switches. Would you think multilayer switching is overkill?
No, I don't think multilayer switching is overkill for a LAN. Yes, you could buy a router instead, but the forwarding rates on comparable switches are far better than routers because L3 switches forward packets in hardware. A 6500/4500 solution would be overkill, but that's why there is also the 3560/3750 for smaller environments.
With 7 subnets currently, plus more if your network is growing, a router is not really a good answer because of the limitation on the number of interfaces. An option for you may be to consider something like an ISR router with a switch module, but the switch module is based on a 3750 so you still end up with a multilayer switch. And if you just buy a router you are going to be using subinterfaces without the additional modules. You are then limiting inter-VLAN throughput because you are carving up a single interface for multiple VLANs.
Using subinterfaces on a router to route between multiple VLANs is called "routing-on-a-stick" and was really primarily used before the advent of L3 switches. If I was designing a LAN now and I needed inter-VLAN routing I would not consider routing-on-a-stick. I would be looking at 2 options really:
1) ISR with inbuilt switch module. This could be a full-blown L3 switch module as mentioned above, or a L2-type switch module where you create VLAN interfaces on the router.
2) A L3 switch such as the 3560.
Which one I would go for would be based on a number of factors, but if a L3 switch did everything I needed for a LAN environment, that is more often than not what I would go for.
Jon
02-07-2010 04:01 PM
Will the 3560 do trunking?
02-07-2010 06:09 PM
802.1Q Trunking? Yes, all Cisco switches (except the Catalyst 1900) support 802.1Q.
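As an added illustration of both points above (the 3560 taking over inter-VLAN routing from the PIX, and the 802.1Q trunk down to the Layer 2 switches), here is a constructed IOS configuration. It is not from this thread or any poster; the VLAN numbers, addresses, interface names and the ACL contents are assumptions chosen for the example. The security point it shows is that once routing between the server subnets leaves the firewall, that traffic no longer passes through the PIX at all, so the filtering the PIX used to apply between subnets has to be re-created as ACLs on the SVIs, and the trunk should carry only the VLANs that need it.

```cisco
! Catalyst 3560 as the inter-VLAN router (constructed example)
ip routing
!
vlan 10
 name SERVERS-A
vlan 20
 name SERVERS-B
vlan 999
 name NATIVE-UNUSED
!
! SVI per subnet; the PIX no longer has a subinterface for these
interface Vlan10
 description Server subnet A
 ip address 10.1.10.1 255.255.255.0
 ip access-group VLAN10-IN in
!
interface Vlan20
 description Server subnet B
 ip address 10.1.20.1 255.255.255.0
 ip access-group VLAN20-IN in
!
! 802.1Q trunk to a Layer 2 access switch: only the needed VLANs,
! an unused native VLAN, and no DTP negotiation
interface GigabitEthernet0/1
 description Trunk to L2 switch
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 switchport nonegotiate
!
! Routed uplink toward the PIX inside interface (assumed 10.1.0.1)
interface GigabitEthernet0/2
 description To PIX inside
 no switchport
 ip address 10.1.0.2 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 10.1.0.1
!
! Inter-VLAN filters replacing what the PIX used to enforce between
! the two subnets: allow only the assumed application port, log the rest
ip access-list extended VLAN10-IN
 permit tcp 10.1.10.0 0.0.0.255 10.1.20.0 0.0.0.255 eq 1433
 deny ip 10.1.10.0 0.0.0.255 10.1.20.0 0.0.0.255 log
 permit ip 10.1.10.0 0.0.0.255 any
!
ip access-list extended VLAN20-IN
 deny ip 10.1.20.0 0.0.0.255 10.1.10.0 0.0.0.255 log
 permit ip 10.1.20.0 0.0.0.255 any
```

After applying it, `show interfaces trunk` confirms which VLANs are actually allowed and active on Gi0/1, `show ip interface Vlan10` shows the inbound ACL bound to the SVI, and `show access-lists` gives per-entry hit counters so you can see which inter-subnet flows the switch is now dropping that the PIX would previously have seen. The PIX keeps a single route back to the 10.1.0.0/16 range via 10.1.0.2 and continues to front the Internet-facing side.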
02-07-2010 03:12 PM
I do see this topology example: PIX ------ 3560's ------ LAYER 2 Switches, I guess multi-layer switching would also be a better topology?