Solved

L3 switch (VLAN routing, ACL and failover)

Posted on 2013-02-07
6
477 Views
Last Modified: 2013-10-28
Hi,

In LAN now we have 9 VLANs and traffic between VLANs is controlled by an router (actually is an Astaro UTM).
Because of performance problems we a thinking to move VLAN routing and access control (between VLANs) load on a switch.

So, I'm looking for some recommendations for switch model and configuration.

In short out needs are:
- switch must be capable of VLAN routing
- must have an option to control traffic between VLANs
- option for switch failover
- 24 1GB ports will be enough
- easy accessible support (brandname should be widely used - Cisco?)
- not to costly
- no stacking, PoE, uplink needs

If you need any additional data let me know.
Thanks for your help.
0
Comment
Question by:davorin
  • 3
  • 2
6 Comments
 
LVL 11

Accepted Solution

by:
rharland2009 earned 332 total points
ID: 38864137
If you purchase Cisco, you will pay somewhat of a premium for a per-port cost and annual Smartnet maintenance. However, their support is indeed easily accessible and quite good.

A good Cisco model that would not be terribly pricey would be the SG500X-24. This is a stackable workgroup switch with full layer 3 capabilities, as well as gig ports (and some 10 gig as well). It's fixed, so 24+4 is as many ports as you'll get. It is stackable, but if you don't need it then you don't.

As far as failover.....not sure what you mean here. With a truly robust infrastructure, this would mean that you have redundancy in your switch links in the core and as far out to the access switch as possible. If this is what your users will be plugging directly into, then switch failover's not really part of the picture.
0
 
LVL 27

Author Comment

by:davorin
ID: 38864503
About failover:
We are hosting some services, that are not heavily used they but needs to be online all the time.
We have two internet links to two different ISP providers connected to two Cisco C3800 series routers (own C class network of public IP adresses, BGP), connected to two Astaro 200 UMT in HA. Servers are located on fully redundant equipment (hyper-v cluster on HP Blades and EVA4400 storage).
If I don't count servers, there are around 60 devices on LAN, but their connectivity is not essential and they will remain connected to a couple of managed L2 "workgroup" switches.
If one L3 switch dies, then the other must take all the job automatically.
I don't know if SG500X belongs to Linksys series of Cisco switches, but I have really bad experience with Linksys. One SGE2000 I'm using now like flowers stand ;)
0
 
LVL 11

Assisted Solution

by:rharland2009
rharland2009 earned 332 total points
ID: 38864602
I'd say, then, that you're looking for something a little more robust than a simple workgroup switch. Buy a couple of 3750-x or similar chassis and run HSRP.
0
Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

 
LVL 18

Assisted Solution

by:Akinsd
Akinsd earned 168 total points
ID: 38865386
You also have options of GLBP on the switch which I always recommend. This gives you ability to use both uplinks while providing automatic failover in case one link goes down. The additional advantage is is load balances thereby easing process cycles. GLBP - Gateway Load Balance Protocol. It does everything HSRP does and more but only available in high end newer models.

Additional advice is to turn IP routing on the distribution switches and enable IP CEF.

Finally, take advantage of ether channels (bundle multiple ports together).

You will receive a Grammy for such implementation as described above

All the best
0
 
LVL 27

Author Comment

by:davorin
ID: 38881602
Thanks both of you for answers. I was waiting for some additional comments/ideas but I guess the question is to old to be seen by anybody else.

HSRP and GLBP are great ideas and also the type of ideas I was looking for.
Unfortunately GLBP is not supported on 3560X or 3750x.

My first choice before posting the question was 3560X, because I don't need stacking. From what I have seen it can suite our needs. Am I right?
Would you consider any other brand? HP? I have contacted some other brand representatives, but presales technical support was not so "impressive".
0
 
LVL 27

Author Closing Comment

by:davorin
ID: 39606411
Thank you for your help. Sorry for closing the question so late.
0

Featured Post

Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

Join & Write a Comment

Don’t let your business fall victim to the coming apocalypse – use our Survival Guide for the Fax Apocalypse to identify the risks and signs of zombie fax activities at your business.
If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now