SG300 - Best VLANs configuration?

Hello everyone,

I'm planning to split my existing network into VLANs. I've read a lot of information about layer 2 and layer 3 VLANs, but there are still some things that are obscure to me.

What I would like:

- 1 VLAN per department (about 10 departments)
- 1 VLAN for the servers
- 1 VLAN for guests

All the VLANs will have access to the Internet (via a Netasq firewall).

All the VLANs (except guests) must communicate with the servers.

My question is about which type of VLANs I should use. Layer 2 or layer 3?

I've attached a scheme of the different configurations.

If I use layer 2 VLANs, all the routing will be done by the Netasq, am I right? I don't want this because I will have a lot of traffic between the department VLANs and the Servers VLAN.

If I use layer 3 VLANs, the routing will be done by the SG300. My Netasq won't be impacted by the traffic. Am I also right?

The problem I see with this configuration is that when the switch routes traffic to the Netasq (for the Internet traffic), the Netasq will only see the IP address of the VLAN and not the IP of the client. I won't be able to use my firewall rules correctly.

I don't know if I'm completely wrong. Some help would be appreciated.

Thanks in advance
Brandon Svec
Level 7

Your diagrams look spot on to me and I think your understanding is accurate.

L3 mode will allow VLAN routing between all your VLANs by default and at "wire speed". In practice, the speed difference is probably not noticeable between routing on the switch or the firewall, so I would just consider it your choice if you prefer to manage inter-VLAN routing in the firewall or the switch. If you use L3 routing on the switch and you want to prevent VLANs from seeing each other you will need to create ACLs. I am not familiar with Netasq, but most firewalls will be the opposite and not allow traffic between VLANs until you create a policy to allow it.

Good luck.

-- please remember to rate and mark answered helpful posts --

Thank you for your answer.

I prefer managing inter-VLAN routing in the switch. My firewall already has a lot of jobs to do (authentication, URL filtering, SSL filtering, etc.), so I don't really want to give it another job.

The main problem is that I need to present the IP addresses of the clients to the firewall (not the VLAN IP address).

Is there any way to do some IP address conservation in the SG300 switch?

I'm not sure I understand what you mean by "present the IP addresses of the clients to the firewall", but it sounds like maybe you do want to route through the firewall after all if you need to apply policies, etc. based on individual clients.

One thing that would clarify your diagram: on the right, for the layer 3 example, you need another VLAN, say VLAN 3 for 192.168.2.0/24, and the interface on the switch could be 192.168.2.2. On the firewall you would need static routes for 192.168.1.0/24 and 192.168.0.0/24 via 192.168.2.2. Does this make sense? A switch in layer 3 mode essentially becomes a router and now you have two routers connected together.

-- please remember to rate and mark answered helpful posts --
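As an added illustration (not code from the thread or from Cisco), a small Python model of the two-router design described above: a transit VLAN 3 between the SG300 in layer 3 mode and the firewall, with the firewall's static routes for the internal subnets pointing at 192.168.2.2. Which subnet is a department VLAN and which is the servers VLAN, the firewall address 192.168.2.1 and the ISP hop 203.0.113.1 are assumptions. It traces where client packets and the firewall's replies go, and shows that ordinary routing does not replace the client's source address with the switch's VLAN address (only NAT would).

```python
import ipaddress

# Constructed model of the layer 3 design from the thread. Assumptions (not on
# the page): 192.168.0.0/24 is a department VLAN, 192.168.1.0/24 the servers
# VLAN, VLAN 3 (192.168.2.0/24) the transit link, firewall 192.168.2.1, ISP hop 203.0.113.1.
SWITCH = "192.168.2.2"
FIREWALL = "192.168.2.1"
ISP = "203.0.113.1"

# Routing tables as (prefix, next_hop); next_hop None means directly connected.
SWITCH_ROUTES = [
    ("192.168.0.0/24", None), ("192.168.1.0/24", None),
    ("192.168.2.0/24", None), ("0.0.0.0/0", FIREWALL),
]
FIREWALL_ROUTES = [("192.168.2.0/24", None), ("0.0.0.0/0", ISP)]
# The static routes Brandon describes: internal subnets reachable via the switch SVI.
STATIC_ROUTES = [("192.168.0.0/24", SWITCH), ("192.168.1.0/24", SWITCH)]

def next_hop(table, dst):
    """Longest-prefix match; returns the next hop (None = directly connected)."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), nh) for p, nh in table
               if addr in ipaddress.ip_network(p)]
    if not matches:
        raise ValueError(f"no route to {dst}")
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def forward(src, dst, fw_routes):
    """Trace a client packet. Returns (path, source IP the firewall sees).
    Routing rewrites MAC addresses, never the IP source, so the firewall sees
    the client IP; only NAT (which plain L3 VLAN routing does not do) would change it."""
    hop = next_hop(SWITCH_ROUTES, dst)
    if hop is None:                 # inter-VLAN traffic stays on the switch
        return ["switch", "local-vlan"], None
    path = ["switch", "firewall"]
    path.append("internet" if next_hop(fw_routes, dst) == ISP else "transit")
    return path, src

def reply_next_hop(client, fw_routes):
    """Where the firewall forwards return traffic destined for a client."""
    return next_hop(fw_routes, client)

if __name__ == "__main__":
    fw = FIREWALL_ROUTES + STATIC_ROUTES
    print(forward("192.168.0.50", "198.51.100.7", fw))      # department client to Internet
    print(forward("192.168.0.50", "192.168.1.10", fw))      # department to server: switch only
    print(reply_next_hop("192.168.0.50", fw))               # 192.168.2.2 via the static route
    print(reply_next_hop("192.168.0.50", FIREWALL_ROUTES))  # 203.0.113.1: replies leak upstream without it
```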