Layer 3 Switch "Q"'s

dashpuppy (Supreme [H]ardness; joined May 5, 2010; 6,163 messages)
I'm looking to buy a layer 3 switch. I've tried doing VLANs on my TZ210 and it works, but if you transfer a big file across a VLAN it shits the bed and the CPU sits at 100% until the transfer is finished.

I was reading and maybe/probably misunderstood how a layer 3 switch works, since I only have a layer 2.

So if I was to get a layer 3, does all the traffic go through the SonicWall / other firewall for VLANs?

The issue I see with layer 2 is that the firewall still has to process it, so traffic goes in and through the firewall and then back out.

Will layer 3 resolve this, or should I shoot my TZ210 :0 and use Astaro :)
 
A Layer 3 will support routing so it can do the routing between VLANs. You can then still route 0.0.0.0 to your Sonicwall.
 

Will all the traffic from each VLAN still pass through the SonicWall, or?

Currently with layer 2 and VLANs, if I go from 192.168.10.x to 192.168.25.x it passes through the SonicWall and the CPU goes to 100%, which is what I'm trying to avoid.

Still on the right path?
 
You set up a route on the switch for all the VLANs and it'll route them. The SonicWall would then route all other networks that aren't available via the switch.
 
It works like this.

You create an interface for each VLAN on your switch, 192.168.10.1 and 192.168.25.1. You also create a default route, so that any traffic destined for any other network is forwarded to the firewall.

When the switch receives a packet, it looks at the destination address, and forwards it to the proper VLAN, either 192.168.10.0/24 or 192.168.25.0/24. If the destination isn't known, it forwards it to the sonicwall.

So any traffic between 192.168.10.0 and 192.168.25.0 would go on the switch.
 

i.e. less load on the SonicWall unless traffic is going in and out of the network (outside, www).
 
Yes, but your devices need to have the switch's IP for that VLAN as the default gateway, not the SonicWall.
 

So if I set the SonicWall to 192.168.1.1

and use 2 VLANs, 192.168.10.1
and 192.168.25.1,

then the default gateway would be? 1.1?

Has anyone had issues with Netgear layer 3 switches for home?
 
Your default gateway on those VLANs would be 10.1 and 25.1.
e.g.:
host 192.168.10.5 will have the 10.1 gateway
host 192.168.25.5 will have the 25.1 gateway

On your L3 switch, 1.1 would be your default route to the interwebz.
 
Just to be clear here.

Your switch will have 3 VLANs with these interfaces; each will be the default gateway for anything attached to the associated VLAN:
- 192.168.10.1
- 192.168.25.1
- 192.168.1.1

Your SonicWall will be attached to the 192.168.1.0 VLAN and will have an IP address of 192.168.1.2.

On the layer 3 switch, you make a default route to 192.168.1.2; or a route statement like
ip route 0.0.0.0 0.0.0.0 192.168.1.2

On the SonicWall, you'll have 2 route statements (destination network, subnet mask, gateway) as follows:
192.168.10.0 255.255.255.0 192.168.1.1
192.168.25.0 255.255.255.0 192.168.1.1

Draw out a diagram for yourself, label each interface, and it should make a bit more sense.
 
The problem is I think that will still end up sending all of this inter-vlan traffic (say from .1.100 to .10.100) through the sonic wall, which is what he wanted to avoid. He wouldn't need 3 NICs on the sonicwall any more but all the traffic would pass through a single NIC instead...
 
Code:
Gateway of last resort is 10.0.9.130 to network 0.0.0.0

     10.0.0.0/8 is variably subnetted, 12 subnets, 7 masks
C       10.0.10.0/24 is directly connected, Vlan999
C       10.0.11.0/30 is directly connected, GigabitEthernet0/2
C       10.0.8.0/24 is directly connected, Vlan208
C       10.0.9.0/25 is directly connected, Vlan309
C       10.0.2.0/23 is directly connected, Vlan102
C       10.0.0.0/23 is directly connected, Vlan100
C       10.0.6.0/23 is directly connected, Vlan106
C       10.0.4.0/23 is directly connected, Vlan104
D       10.0.10.100/32 [90/130816] via 10.0.9.130, 04:34:38, Vlan409
C       10.0.9.128/26 is directly connected, Vlan409
C       10.0.9.192/27 is directly connected, Vlan509
C       10.0.9.224/27 is directly connected, Vlan519
     x.x.x.x/32 is subnetted, 1 subnets
D EX    x.x.x.x [170/28416] via 10.0.9.130, 04:34:39, Vlan409
D*EX 0.0.0.0/0 [170/28416] via 10.0.9.130, 04:34:39, Vlan409

If it helps, here is the routing table of one of my L3 core switches in my home lab.

Basically, if a switch receives a frame whose destination MAC address belongs to an interface on the switch (which would be a client's default gateway), it strips the L2 frame and reads the L3 information, then forwards the traffic out of the appropriate interface after rewriting the L2 source and destination and recalculating the L2 FCS. If the destination MAC address is present in the same VLAN, it is handled the same as normal L2 traffic.

Just search for Cisco CEF; it is an interesting read, I guarantee.
 
I'm kinda following this :) It's making good sense; now to find a 24-port layer 3 switch.

If I can't, I might try Astaro and do the routing through it since it will have plenty of power.

I was watching a layer 3 Netgear on eBay, but it went for $154 :( and I missed out on the time!
 
I don't think that will help your firewall utilization problem though, dash, because all VLANs will still be routing to your firewall, which will have static routes to route them back out to the switch's gateway, so really you gain nothing in reducing overhead there. I think it might be possible to static route certain IPs to scopes and stay internal, but I'll have to play around with mine some tomorrow to see if I can get it working the way you (and I) would want it to.
 
If you can do with limited Gigabit Ethernet, I would snag a 3550 off eBay for <$100. Most can support at least 2 GBICs.
 

It works perfectly on the SonicWall when I have it set up; however, copying files from VLAN to VLAN pegs the CPU @ 100%, so if I moved to a different firewall distro with WAY more CPU power I should be fine?

One would think?

I can't live with 10/100 :( That would be horrible :(

24-port gig layer 3 switches, Dell 6224s, start at around $700....
 

A layer 3 switch is just like a router, minus the WAN interfaces. So traffic between the VLANs will not reach the SonicWall if there is a routing table with those VLANs in it. The L3 switch will perform inter-VLAN routing. Only traffic whose destination is not in the routing table for the directly connected networks will be sent to the SonicWall, if a last resort route is configured.
 

Any local traffic won't need to touch the Sonicwall... everything local will be routed through the switch... only external traffic (internet) should need to use the Sonicwall.
 
Dash, I have to honestly say, I think if you "cheap out" here, i.e. go for the cheapest route, you're going to end up buying more gear later to redo this. 700 bucks seems like a lot, but just wait and save for it?

I have heard bad stories about the netgear switches going out after a while, I would save and either go Dell (An OK switch.) or save for a higher quality HP or Cisco setup. The price reflects lifetime and performance as far as I can say. I myself am either going Cisco 800 or something like that, we have them at work and they are nice.
 
Don't you use VLANs to separate networks? Don't you need a packet filter to properly separate them? If all hosts can freely talk to each other why use VLANs in the first place?

Edit: Or do L3 switches have packet filters by default? I know my L2+ Zyxel ES-3124 has basic ACLs and can do routing, though I rather pipe everything through pf(4).
 

He didn't say if he was using an ACL or not, but I assume he will be. There are several reasons why you would want to separate hosts to different broadcast domains such as an organizational reason. An inbound ACL closest to the source can help reduce traffic from getting to further devices.
 
I wouldn't go down the cheap route on a L3 switch even for home because you will end up scrapping the cheap switch and buying a decent one in no time at all.

Inter-VLAN routing is really quite simple.

You create 2 VLANs:

VLAN 1 range = 192.168.0.x /24

VLAN 2 range = 192.168.1.x /24

VLAN 1 IP = 192.168.0.1

VLAN 2 IP = 192.168.1.1

Anything on VLAN 1 needs a default gateway of 192.168.0.1.

Anything on VLAN 2 needs a default gateway of 192.168.1.1.

The default route goes out to your firewall.

The switch then looks at the packets: if it sees an internal IP it knows exists on a VLAN, it routes it there; if it sees an IP request it doesn't know, it passes it to the firewall, as it assumes it's not on the same LAN. No VLAN-to-VLAN traffic then hits your firewall.
 
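To make the forwarding decision described in the posts above concrete (the "it works like this" post, the three-VLAN topology with the SonicWall at 192.168.1.2, and the two-VLAN walkthrough just above), here is a small simulation of the L3 switch's longest-prefix-match lookup. It is an added example, not code from the thread or from any vendor; the route table, host addresses and the optional ACL are constructed, and the ACL illustrates the point raised earlier in the thread that inter-VLAN traffic never reaches the firewall, so any filtering between VLANs has to live on the switch.

```python
# Added example (not from the thread): simulate an L3 switch with SVIs
# 192.168.10.1, 192.168.25.1 and 192.168.1.1, and a default route to the
# SonicWall at 192.168.1.2, as laid out in the posts above. Longest-prefix
# match decides whether a packet is routed locally between VLANs or handed
# to the firewall. The ACL argument is a constructed illustration: because
# VLAN-to-VLAN traffic never reaches the firewall, filtering between VLANs
# must be applied on the switch itself.
from ipaddress import ip_address, ip_network

# (prefix, next hop or None for directly connected, outgoing VLAN interface)
ROUTES = [
    (ip_network("192.168.10.0/24"), None, "Vlan10"),
    (ip_network("192.168.25.0/24"), None, "Vlan25"),
    (ip_network("192.168.1.0/24"), None, "Vlan1"),
    (ip_network("0.0.0.0/0"), ip_address("192.168.1.2"), "Vlan1"),  # gateway of last resort
]


def lookup(dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    dst = ip_address(dst)
    matches = [r for r in ROUTES if dst in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen)


def forward(src, dst, acl=()):
    """Return ('local', vlan) if the switch routes the packet between its own
    VLANs, ('firewall', next_hop) if it goes to the SonicWall, or
    ('dropped', reason) if an inbound ACL on the switch denies it.
    acl: iterable of (src_network, dst_network) deny entries (constructed)."""
    for deny_src, deny_dst in acl:
        if ip_address(src) in ip_network(deny_src) and ip_address(dst) in ip_network(deny_dst):
            return ("dropped", f"acl deny {deny_src} -> {deny_dst}")
    prefix, nexthop, vlan = lookup(dst)
    if nexthop is None:
        return ("local", vlan)          # directly connected: routed on the switch
    return ("firewall", str(nexthop))   # everything else: default route to the SonicWall


if __name__ == "__main__":
    print(forward("192.168.10.5", "192.168.25.5"))    # routed on the switch, firewall never sees it
    print(forward("192.168.10.5", "203.0.113.10"))    # not a connected network: sent to 192.168.1.2
    # Filtering VLAN 10 -> VLAN 25 therefore has to be an ACL on the switch:
    print(forward("192.168.10.5", "192.168.25.5",
                  acl=[("192.168.10.0/24", "192.168.25.0/24")]))
```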
Yep, I'm going to save $$ for a layer 3 switch; that way I can use any firewall I want: Untangle, Astaro, SonicWall, pfSense, etc.

Looking at a Dell 6224. I have $4 now, just need to sell my SG200 (brand new still) unit.
 
Building a decent pfSense box is my vote; remember that without spending big bucks you have no filtering ability between the VLANs using an L3 switch.

As long as it has PCI-e NICs, pfSense can do gigabit wire speed easily, with all the other features you get with it. I have an SG300 for my "core" switch and built the pfSense box over using that; I'd wager it'll cost less to build one than a decent L3 switch too.
 

I've been spending lots of time with Astaro, got the VLANs up and running on the spare HP layer 2 switch I have and Astaro handing out deco on each VLAN; now to figure out why I can't get out onto the www through the Astaro, etc.
 
Well, spent some time last night and today and got VLANs running through a 10/100 HP 2626 switch and Astaro 9.00-8 with VLANs :)

Test setup:

VLAN 50 is 192.168.5.x
VLAN 60 is 192.168.6.x

Plugged in my spare D-Link NAS and copied 500 MB across the VLANs.

Result:

Started at 3% CPU and went up a little bit.

[attachment: Untitled1.png]

CPU @ 24%

[attachment: Untitled2.png]
 

Make sure the switch port connected to your modem is untagged, as most modems do not support tags.
 

That's not very good... only 6 MB/s and you're hitting 25% CPU.
 
If it's a 100 Mbps switch and/or NIC it's not bad; if it's gig all around then that is poor.
 