SG-4860 in DC - VLANs/config recommendation
-
Working with the SG-4860 in a data center environment. Diagram will follow if discussion requests/requires it.
My thoughts are:
1 x port (1) on 4860 connected to internet (several remote sites connected via persistent VPN connection & users randomly connected from PCs)
1 x port (2) on 4860 connected to dedicated switch for DC devices that have a management port (servers, switches (Brocade), tape library, etc.)
1 x port (3) on 4860 to stack of L3 switches (Brocade) for rest of DC network
My request for a recommendation is regarding the port (3) to the stack of L3 switches. I can make port (3) a "trunk" port with all the VLANs on the stack of switches. Or, I can make the port (3) a "General/LAN" port and let the stack of switches do all the routing back to port (3) if the traffic needs to head off to the internet/VPN connections.
Should port (3) be a separate VLAN on the SG-4860 or just a "trunk" port with all the VLANs?
If replying, please explain why your recommendation is the "best" (IYHO) method.
Thanks,
Frank -
If the Brocades have decent ACLs/PBR AND are truly stacked, then it makes more sense to simply route internal networks on the switches (you get native HA on the internal routing through the stack as well).
If your switches aren't stacked (single IP to manage all units) or at the very least manageable as a group, then it may make sense to let pfSense (assuming you have enough power to route internally) be the aggregation router as well since it gives you a single point to manage all your policies.
Alternatively, you can do a hybrid - certain VLANs are routed by the Brocade stack, which uses pfSense as the NAT router, and certain VLANs that simply need internet access only and/or remote VPN access will be connected to pfSense directly on VLAN interfaces. -
You're asking for some forum poster to tell you how to design your network without stating what the desired outcome/goals are.
What is this network supposed to do?
-
If the Brocades have decent ACLs/PBR AND are truly stacked, then it makes more sense to simply route internal networks on the switches (you get native HA on the internal routing through the stack as well).
The switches are Brocade 6450s. They are already owned. I haven't had my hands on them yet, but all of the documentation I've read indicates they are a true stack, linked by 2 x SFP+ 10Gb. I expect HA from what I've read in the documentation.
-
What is this network supposed to do?
The network is for a new colocation for a small-medium, but growing company. It includes a pair of Brocade 6450 switches stacked (true stacking - not just managed as a group). From the documentation, the Brocades seem to be strong regarding routing, ACL, etc. HA is expected from the pair of switches.
The first project at the DC will be a PLM system with three (3) servers. But it needs to be planned for their AD, e-mail, etc. to eventually be moved to DC.
VLANs for the following have been discussed/planned:
Management network
SAN (nonexistent currently, for future ESXi environment)
OpenVPN/IPSec - persistent connections from some sites, and some end-user connections while traveling
Engineering (PDM/PLM system)
E-Mail (currently hosted externally)
VOIP (nonexistent currently, but being discussed/planned)
Thanks for your feedback. I thought my question was more "generic", which is why I didn't include more details. The question was meant to ask why, in general, one method might be better than the other (trunking VLANs to pfSense vs. a separate VLAN to pfSense).
Thanks,
Frank -
The Brocade ICX6450s are solid switches. Yes, you can stack them 8 deep with 2x 10G with an additional 2x 10G as licensed add-ons.
You probably do not want to put your NAS traffic through your firewall.
You probably do not want to put networks that require more firewalling (like guest networks) on your layer 3 switch.
Note that you do not have to do one or the other. You can have layer 2-only networks on your switch with the firewall providing layer 3 and, at the same time, have a transit network to the layer 3 switch with it providing layer 3 routing and switching for certain VLANs. The same tagged port to the firewall can do both.
-
Thanks for your feedback. I thought my question was more "generic", which is why I didn't include more details. The question was meant to ask why, in general, one method might be better than the other (trunking VLANs to pfSense vs. a separate VLAN to pfSense).
Thanks,
Frank
Then you'll want a hybrid approach as I mentioned.
You don't want to try and route very high bandwidth traffic use cases through the pfSense box if the Brocade can help route it.
E.g. Servers to networked storage. Let the Brocade do VLAN (L3 routing) and apply ACLs accordingly there.
For traffic that needs more isolation/protection, let pfSense handle the firewalling with a VLAN interface (so-called "trunked" to pfSense).
Note that certain networks don't even need to be routed in many cases. Typically, your SAN will ride on iSCSI and those networks don't actually need an internet gateway of any sort.
If you do actually need internet access on those networks for any reason (obtaining firmware updates etc), then add a pfSense VLAN interface on that network and apply firewall rules + NAT.
I don't recommend this approach though. You should always download and check the updates onto a system that is direct attached to the storage networks and use it to apply the updates to the units.
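The hybrid design described above (a layer 3 stack routing the high-bandwidth VLANs behind a transit network, layer 2-only VLANs carried on the same tagged uplink so that pfSense is their gateway and firewall, and an iSCSI/SAN VLAN with no gateway at all) can be sketched as a Brocade FastIron configuration for the ICX 6450 stack. This is an added example for this page, not configuration posted by anyone in the thread. It assumes the stack runs a FastIron layer 3 image, that port (3) of the SG-4860 is cabled to ethernet 1/1/1 of the stack, and that the VLAN IDs, port ranges, addresses (10.0.0.0/8 space), mail-server host and ACL name are placeholders chosen for illustration.

```text
! Added example, not the original poster's config. All IDs, ports and
! addresses below are assumptions for illustration.
!
! Transit network: a /30 between the stack and pfSense, tagged on the
! uplink. The stack routes its own VLANs and uses pfSense only as its
! default gateway / NAT router.
vlan 100 name Transit by port
 tagged ethernet 1/1/1
 router-interface ve 100
!
! Engineering (PLM) VLAN: routed on the stack (ve 10), not by pfSense,
! so server-to-server traffic never crosses the firewall.
vlan 10 name Engineering by port
 untagged ethernet 1/1/5 to 1/1/12
 router-interface ve 10
!
! E-mail VLAN (future): also routed on the stack; reachability from
! Engineering is limited by the ACL applied on ve 10 below.
vlan 50 name Email by port
 untagged ethernet 1/1/13 to 1/1/16
 router-interface ve 50
!
! iSCSI/SAN VLAN: layer 2 only. No router-interface and not tagged on
! the uplink, so it has no gateway on the stack or on pfSense.
vlan 40 name SAN by port
 untagged ethernet 1/1/17 to 1/1/24
!
! VoIP VLAN: layer 2 only on the stack but tagged on the same uplink,
! so pfSense holds the gateway address and firewalls it directly.
vlan 30 name VoIP by port
 tagged ethernet 1/1/1
 untagged ethernet 1/2/1 to 1/2/12
!
! Layer 3 interfaces for the stack-routed networks.
interface ve 100
 ip address 10.0.100.2 255.255.255.252
!
interface ve 10
 ip address 10.0.10.1 255.255.255.0
 ip access-group eng-in in
!
interface ve 50
 ip address 10.0.50.1 255.255.255.0
!
! Only mail protocols from Engineering to the (assumed) mail server at
! 10.0.50.10; everything else Engineering->Email is dropped on the stack.
! FastIron ACLs are applied inbound, so this sits on ve 10 (traffic
! entering the router from the Engineering VLAN).
ip access-list extended eng-in
 permit tcp 10.0.10.0 0.0.0.255 host 10.0.50.10 eq 25
 permit tcp 10.0.10.0 0.0.0.255 host 10.0.50.10 eq 993
 deny ip 10.0.10.0 0.0.0.255 10.0.50.0 0.0.0.255
 permit ip any any
!
! Default route toward pfSense's side of the transit /30.
ip route 0.0.0.0 0.0.0.0 10.0.100.1
```

On the pfSense side (assuming port (3) is igb2 on the SG-4860), create two VLAN interfaces on that port: VLAN 100 with 10.0.100.1/30 and VLAN 30 with 10.0.30.1/24. Define a gateway 10.0.100.2 on the VLAN 100 interface and add static routes for 10.0.10.0/24 and 10.0.50.0/24 through it, so return traffic and VPN traffic for the stack-routed networks goes back over the transit link; those networks also need to appear in the remote sites' IPsec/OpenVPN local-network lists and in outbound NAT if NAT is set to manual. Firewall rules on the VLAN 100 interface must permit the stack-routed source networks; the VoIP VLAN gets its own rule set on the VLAN 30 interface, which is the isolation the posts above recommend for networks that need more protection. The SAN VLAN is deliberately absent from the uplink and has no ve interface, so firmware updates for storage are staged from a host attached directly to that network, as the last post advises.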