Ideas for network reorganization (move routing to a Layer 3 switch)

Hello everybody,

I'm trying to find the best way to optimize our college network setup. Not that the current setup is bad, but we want more flexibility.

We have several a Fortinet Firewall, which currently does routing between several VLANs. It only has a few 1gbps ports and most of the network traffic is sent through a single 1gbps trunk. The trunk is connected to a packetshaper, which shapes traffic for students and some employees

The packetshaper is connected to a distribution switch, HP ProCurve 5406zl. This switch connects all buildings together with fiber and copper.

As of now, the switch is only performing layer 2 switching, but we would like it to perform Layer-3 routing as well. Sounds easy, just type "ip routing", create a few static routes and change some settings in DHCP, but... We still would like the firewall and packetshaper to have different policies for different VLANs.

So, here is what I want to do (see the picture)

Let's say we have VLAN 10 and 20. I would like the switch to perform routing between these VLANs, but send all Internet traffic to the packetshaper and firewall. Both devices are VLAN-aware, so they should be able to apply different policies based on VLANs.

I read about Policy Based Routing on some Cisco Switches and also found that some higher end HP switches can do it as well. Is this what I should be looking for?

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

Shanman

If it were me I would create the vlans and SVIs on the layer 3 switch. Write ACLs for each vlan and make a default route up to the firewall. Maybe I am over simplifying things but seems easy enough. There would be no redundancy for this design but would get the job done.

sratakhin

This is what I want to do, but there is a problem... Can the switch have a different default route for each VLAN?

networker050184

You can set up vrf-lite for something like that if your switch supports it. You could also do PBR. Why is it that you want the switch doing the routing?

sratakhin

We want to increase bandwidth between different VLANs.
For example, we limit Internet bandwidth to students to xx mbps, but not only it affects the Internet bandwidth, but the inter-VLAN configuration as well.

it_consultant

Depending on how you tag the ports up, you don't need to pass the VLANs up too the packet shaper. The switch, acting as a router, can simply route the traffic up to the shaper on a different VLAN, like VLAN 40 or something. Then, you can apply policies on the packet shaper on the basis of source network or something. That way your intervlan traffic will route at speed but your internet traffic will still be shaped.

sratakhin

Can the switch route the Internet traffic on several VLANs? The whole purpose of doing this is to be able to apply different policies to students and staff. I could probably accomplish similar things by using QoS and ACLs, but the Packet Shaper has better controls and capabilities.

I guess we'll just try to change the config when we have a winter break. In the worst case scenario, we can undo it in just a few minutes.

it_consultant

The switch can route something like 4000 VLANs. Don't pass VLAN 10 and 20 up to the packet shaper. Pass 2 different VLANs up to the packet shaper. Then, route the traffic from VLAN 10 to hypothetical VLAN 30 (tagged up to the shaper) and apply appropriate policies. Route VLAN 20 to hypothetical VLAN 40 (tagged up to the shaper) and apply appropriate policies at the shaper. On the shaper, you would apply the policy to VLAN 30 and 40. You would route from the other 2 VLANs depending on which policy you wanted.

sratakhin

Thanks, I'll try to post a sample config when I have a chance

I'm afraid I won't be able to apply it until the winter break, but we'll see.

Lizano

sratakhin wrote: »

We want to increase bandwidth between different VLANs.
For example, we limit Internet bandwidth to students to xx mbps, but not only it affects the Internet bandwidth, but the inter-VLAN configuration as well.

Just curious, how are you limiting the internet bandwidth for students ? The Fortinet Firewall is your edge right?

sratakhin

We have two devices that can act as a traffic shaper. One is Fortinet firewall (can't remember the model) and the other is Packeteer PacketShaper 7500, which is what we use to throttle bandwidth and block some content.

Lizano

sratakhin wrote: »

We have two devices that can act as a traffic shaper. One is Fortinet firewall (can't remember the model) and the other is Packeteer PacketShaper 7500, which is what we use to throttle bandwidth and block some content.

Isnt it simpler if you just do all the content block and bandwidth limiting at the Fortigate?

sratakhin

It is, but that's the way it was set up before me.

Lizano

sratakhin wrote: »

It is, but that's the way it was set up before me.

I know what you mean, been there.