Firewall as Core Device

NightShade03

Currently the design at work has a checkpoint firewall also acting as a L3 switch. It provides inter vlan routing, plus dhcp address assignment. Would it be beneficial to use L3 Cisco switches as my core routers instead (would I gain a performance increase)?

burbankmarc

Just check the throughput of each, and if it's substantially higher for the L3 switch then I'd say go for it if you can afford it.

mgeorge

As a general rule of network architecture you typically want to let the switches do the switching and the firewalls do the security.

There is a reason for this. Mainly cost, licenses, performance, management and monitoring.

notgoing2fail

I'd like to know the size of his network and see what kind of traffic is flowing through.

I mean, if his network is small, it's ok to consolidate.....

NightShade03

notgoing2fail wrote: »

I'd like to know the size of his network and see what kind of traffic is flowing through.

I mean, if his network is small, it's ok to consolidate.....

Not by any means is it small. It's probably about 100 servers at the moment, but we handle a truck load of data 24 hrs a data....and we are growing too. This is the primary reason I wanted to separate out the switch "functions" into a core network layer and let the firewall just deal with security.

notgoing2fail

NightShade03 wrote: »

Not by any means is it small. It's probably about 100 servers at the moment, but we handle a truck load of data 24 hrs a data....and we are growing too. This is the primary reason I wanted to separate out the switch "functions" into a core network layer and let the firewall just deal with security.

Sounds like a very fun project! The number of host devices is important as well as the traffic flow and type.

So 10 hosts that do major amounts of BW utilization shouldn't be considered small.

Cisco's definition for small network is up to 200 devices though just to let you know. That's just a rule of thumb though and as I said, traffic flow is just as important if not more.....

If you are expecting growth, I'd definitely start to think about separating them.

What do you have in mind for your switch? 6509?

NightShade03

I would *like* a 6500 series however I've also been looking at doing something like 2 x 3750's at the core to keep costs down. This is the first time I'm doing a project of this size so I'm trying to do as much research as possible before jumping over to one particular switch setup.

notgoing2fail

NightShade03 wrote: »

I would *like* a 6500 series however I've also been looking at doing something like 2 x 3750's at the core to keep costs down. This is the first time I'm doing a project of this size so I'm trying to do as much research as possible before jumping over to one particular switch setup.

Sure that would work too, you'd stack the 3750's together. Utilize their L3 routing features as well as any ACL's, QoS'ing etc etc...and then leave your firewall alone to do it's security thing and offload it's CPU from doing switching.

ColbyG

I'd never want a firewall as my core switch/router.

NightShade03

notgoing2fail wrote: »

Sure that would work too, you'd stack the 3750's together. Utilize their L3 routing features as well as any ACL's, QoS'ing etc etc...and then leave your firewall alone to do it's security thing and offload it's CPU from doing switching.

Exactly. Pretty excited to be doing some real Cisco work for a change.

burbankmarc

NightShade03 wrote: »

Exactly. Pretty excited to be doing some real Cisco work for a change.

Wouldn't you want 2 stacks for redundancy purposes?

notgoing2fail

NightShade03 wrote: »

Exactly. Pretty excited to be doing some real Cisco work for a change.

Good luck with it, let us know if you have any other questions. These are the types of projects you don't read in books.

NightShade03

burbankmarc wrote: »

Wouldn't you want 2 stacks for redundancy purposes?

Yes there would be two stacks of two.

DPG

If power isn't too expensive where you are, a couple 6500's would be cheaper.

You could probably get them full of modules for less than $1k each. You don't need an expensive SUP-720 to do basic switching.

NightShade03

Thanks for the support guys I'll let you know how the project turns out.

chmorin

I would say opt to separate services when the budget allows. If you consolidate all of your productivity in one high end device and it goes down, you are SOL until you get that device fixed.

EDIT: Oh I see you have some redundancy planned. Nevermind.

chrisone

NightShade03 wrote: »

I would *like* a 6500 series however I've also been looking at doing something like 2 x 3750's at the core to keep costs down. This is the first time I'm doing a project of this size so I'm trying to do as much research as possible before jumping over to one particular switch setup.

Yes the two 3750's would be perfect for a core. Also look into how you will be designing your network. As of now it seems you are migrating from a 1 tier design to a two-tier design. From small to medium, a third tier would be a much larger network, you might be in this category, i dont know your organizations business requirements though.

You dont always need a 6500 series switch for a medium or a large sized network. Depending on your throughput of DATA between the components(networking devices) in your network will decide if you need a 6500. Remember the 6500 is modular, so the reason why they do this is because if you need your router, firewalls, WISMs, LAN, WAN, to all have fast switching/communications between each other, then with a backplane of like 24 to 32Gbs from a 4500/6500 switch will provide all the data backplane between all your device. However this is very expensive, the modules are expensive, and you need to buy two of everything for redundancy!

If possible you could have 2 firewalls for the security if that specific brand can run a paired redundancy. If budget is very strict then i understand you have to do your L3 and security in one device. If you can squeeze in 2 routers says 2800 series for your edge routing, pair them with HSRP, that would be a pretty nice design.

NightShade03

chrisone wrote: »

Yes the two 3750's would be perfect for a core. Also look into how you will be designing your network. As of now it seems you are migrating from a 1 tier design to a two-tier design. From small to medium, a third tier would be a much larger network, you might be in this category, i dont know your organizations business requirements though.

You dont always need a 6500 series switch for a medium or a large sized network. Depending on your throughput of DATA between the components(networking devices) in your network will decide if you need a 6500. Remember the 6500 is modular, so the reason why they do this is because if you need your router, firewalls, WISMs, LAN, WAN, to all have fast switching/communications between each other, then with a backplane of like 24 to 32Gbs from a 4500/6500 switch will provide all the data backplane between all your device. However this is very expensive, the modules are expensive, and you need to buy two of everything for redundancy!

If possible you could have 2 firewalls for the security if that specific brand can run a paired redundancy. If budget is very strict then i understand you have to do your L3 and security in one device. If you can squeeze in 2 routers says 2800 series for your edge routing, pair them with HSRP, that would be a pretty nice design.

Understandably the 6500 route would be expensive, but allows for growth due to it being a modular solution. That being said I could also add more 3750's at probably a cheaper cost than the modules would cost.

@all - Money is not an issue as we are planning to implement this next year and do it right. However I don't want to blow all my budget on switching equipment because I still need to buy servers, software, etc for the rest of the year.

Routers won't be needed. This is in a data center where the DC provides two feeds into their network so they take care of all the routing. Having their 2 1Gbps lines come into our network I want to make sure I take advantage of the 1Gbps. I'm still in design mode at the moment, but it's coming along well.

burbankmarc

Actually Dell has a stackable L3 switch which, according to it's specs, has a better throughput than the 3750. It supports a bevy of features too.

I can't personally recommend them because I've never used them, but a non-Cisco IT friend of mine says they're pretty good. But he has never used a 3750...so I dunno, just throwing it out there.

link