Netgate Discussion Forum

SG-4860 in DC - VLANs/config recommendation

nicholfd

Working with the SG-4860 in a data center environment. Diagram will follow if discussion requests/requires it.

My thoughts are:
1 x port (1) on 4860 connected to internet (several remote sites connected via persistent VPN connection & users randomly connected from PCs)
1 x port (2) on 4860 connected to dedicated switch for DC devices that have a management port (servers, switches (Brocade), tape library, etc.)
1 x port (3) on 4860 to stack of L3 switches (Brocade) for rest of DC network

My request for a recommendation is regarding the port (3) to the stack of L3 switches. I can make port (3) a "trunk" port with all the VLANs on the stack of switches. Or, I can make the port (3) a "General/LAN" port and let the stack of switches do all the routing back to port (3) if the traffic needs to head off to the internet/VPN connections.

Should port (3) be a separate VLAN on the SG-4860 or just a "trunk" port with all the VLANs?

If replying, please explain why your recommendation is the "best" (IYHO) method.

Thanks,
Frank

dreamslacker

If the Brocades have decent ACLs/PBR AND are truly stacked, then it makes more sense to simply route internal networks on the switches (you get native HA on the internal routing through the stack as well).
If your switches aren't stacked (single IP to manage all units) or at the very least manageable as a group, then it may make sense to let pfSense (assuming you have enough power to route internally) be the aggregation router as well since it gives you a single point to manage all your policies.
Alternatively, you can do a hybrid - certain VLANs are routed by the Brocade stack which uses pfSense as the NAT router, and certain VLANs that simply need internet access only and/or remote VPN access will be connected to pfSense directly on VLAN interfaces.

Derelict (LAYER 8, Netgate)

You're asking for some forum poster to tell you how to design your network without stating what the desired outcome/goals are.

What is this network supposed to do?

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)

nicholfd

@dreamslacker:

If the Brocades have decent ACLs/PBR AND are truly stacked, then it makes more sense to simply route internal networks on the switches (you get native HA on the internal routing through the stack as well).

The switches are Brocade 6450s. They are already owned. I haven't had my hands on them yet, but all of the documentation I've read indicates they are a true stack, linked by 2 x SFP+ 10Gb. I expect HA from what I've read in the documentation.

nicholfd

@Derelict:

What is this network supposed to do?

The network is for a new colocation for a small-medium, but growing company. It includes a pair of Brocade 6450 switches stacked (true stacking - not just managed as a group). From the documentation, the Brocades seem to be strong regarding routing, ACL, etc. HA is expected from the pair of switches.

The first project at the DC will be a PLM system with three (3) servers. But it needs to be planned for their AD, e-mail, etc. to eventually be moved to the DC.

VLANs for the following have been discussed/planned:
Management network
SAN (nonexistent currently, for future ESXi environment)
OpenVPN/IPSec - persistent connections from some sites, and some end-user connections while traveling
Engineering (PDM/PLM system)
E-Mail (currently hosted externally)
VOIP (nonexistent currently, but being discussed/planned)

Thanks for your feedback. I thought my question was more "generic", which is why I didn't include more details. The question was meant to ask why, in general, one method might be better than the other (trunking VLANs to pfSense vs. separate VLAN to pfSense/).

Thanks,
Frank

Derelict (LAYER 8, Netgate)

The Brocade ICX6450s are solid switches. Yes, you can stack them 8 deep with 2x 10G, with an additional 2x 10G as licensed add-ons.

You probably do not want to put your NAS traffic through your firewall.

You probably do not want to put networks that require more firewalling (like guest networks) on your layer 3 switch.

Note that you do not have to do one or the other. You can have layer 2-only networks on your switch with the firewall providing layer 3 and, at the same time, have a transit network to the Layer 3 switch with it providing layer 3 routing and switching for certain VLANs. The same tagged port to the firewall can do both.


dreamslacker

@nicholfd:

Thanks for your feedback. I thought my question was more "generic", which is why I didn't include more details. The question was meant to ask why, in general, one method might be better than the other (trunking VLANs to pfSense vs. separate VLAN to pfSense/).

Thanks,
Frank

Then you'll want a hybrid approach as I mentioned.

You don't want to try and route very high bandwidth traffic use cases through the pfSense box if the Brocade can help route it.

E.g. servers to networked storage. Let the Brocade do VLAN (L3 routing) and apply ACLs accordingly there.

For traffic that needs more isolation/protection, let pfSense handle the firewalling with a VLAN interface (so called trunked to pfSense).

Note that certain networks don't even need to be routed in many cases. Typically, your SAN will ride on iSCSI and those networks don't actually need an internet gateway of any sort.
If you do actually need internet access on those networks for any reason (obtaining firmware updates etc.), then add a pfSense VLAN interface on that network and apply firewall rules + NAT.
I don't recommend this approach though. You should always download and check the updates onto a system that is direct attached to the storage networks and use it to apply the updates to the units.

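The hybrid design that dreamslacker and Derelict describe above (switch-routed VLANs with ACLs on the Brocade stack, firewall-routed VLANs as tagged interfaces on pfSense, a transit network between the two, and storage left unrouted) can be checked mechanically before anyone touches a console. The script below is an added example written for this thread; it is not Netgate, pfSense or Brocade tooling. The VLAN ids, subnets, the transit VLAN 4000 / 10.255.255.0/30 and the `TRANSIT_SWITCH_IP` are all constructed assumptions. It applies the thread's placement rules to the six planned VLANs, derives which ids must be tagged on the single stack port facing pfSense, lists the static routes pfSense needs for the switch-routed subnets, and flags two mistakes that are easy to make once two routers hold routes (a VLAN id used twice, and overlapping subnets).

```python
"""Hybrid VLAN placement planner for a pfSense firewall in front of an L3
switch stack. Added example with constructed data; not vendor tooling."""
import ipaddress
from dataclasses import dataclass, field

# Assumptions: a dedicated tagged VLAN carries the pfSense <-> stack /30.
TRANSIT_VID = 4000
TRANSIT_SUBNET = "10.255.255.0/30"
TRANSIT_SWITCH_IP = "10.255.255.2"   # stack side; pfSense is assumed to take .1


@dataclass(frozen=True)
class Vlan:
    vid: int
    name: str
    subnet: str
    high_bandwidth: bool = False   # heavy east-west flows (servers <-> storage)
    needs_firewall: bool = False   # per-flow policy, NAT, VPN landing, isolation
    needs_internet: bool = True    # False: no default gateway at all (e.g. iSCSI)


@dataclass
class Plan:
    switch_routed: list = field(default_factory=list)    # SVI on the Brocade stack
    firewall_routed: list = field(default_factory=list)  # VLAN interface on pfSense
    unrouted: list = field(default_factory=list)         # layer 2 only, no gateway
    errors: list = field(default_factory=list)


def place(vlan: Vlan) -> str:
    """Where a VLAN's gateway lives, following the thread's rules: isolation
    beats speed; storage with no internet need gets no gateway; bulk east-west
    traffic is routed on the stack; everything else goes to the firewall."""
    if vlan.needs_firewall:
        return "firewall"
    if not vlan.needs_internet:
        return "unrouted"
    if vlan.high_bandwidth:
        return "switch"
    return "firewall"


def build_plan(vlans) -> Plan:
    plan = Plan()
    bucket = {"switch": plan.switch_routed, "firewall": plan.firewall_routed,
              "unrouted": plan.unrouted}
    seen_vids = set()
    for v in vlans:
        bucket[place(v)].append(v)
        if v.vid in seen_vids or v.vid == TRANSIT_VID:
            plan.errors.append(f"duplicate VLAN id {v.vid} ({v.name})")
        seen_vids.add(v.vid)
    # Overlapping subnets are the classic cause of asymmetric or black-holed
    # routing once both the stack and pfSense hold routes for the DC.
    nets = [(v.name, ipaddress.ip_network(v.subnet)) for v in vlans]
    nets.append(("transit", ipaddress.ip_network(TRANSIT_SUBNET)))
    for i, (n1, a) in enumerate(nets):
        for n2, b in nets[i + 1:]:
            if a.overlaps(b):
                plan.errors.append(f"subnet overlap: {n1} {a} / {n2} {b}")
    return plan


def trunk_vids(plan: Plan) -> list:
    """VLAN ids that must be tagged on the stack port facing pfSense: every
    firewall-routed VLAN plus the transit VLAN. Switch-routed and unrouted
    VLANs stay off that port, so the firewall never sees their traffic."""
    return sorted([v.vid for v in plan.firewall_routed] + [TRANSIT_VID])


def pfsense_static_routes(plan: Plan) -> list:
    """(destination, next hop) pairs pfSense needs so traffic for switch-routed
    subnets goes back over the transit link; the stack's own default route
    points at pfSense. Without these, pfSense would send replies to its WAN."""
    return [(v.subnet, TRANSIT_SWITCH_IP) for v in plan.switch_routed]


# Constructed sample modelled on the VLANs listed in the thread (addressing invented).
SAMPLE_VLANS = [
    Vlan(10, "management", "10.10.10.0/24", needs_firewall=True),
    Vlan(20, "san-iscsi", "10.10.20.0/24", high_bandwidth=True, needs_internet=False),
    Vlan(30, "vpn-clients", "10.10.30.0/24", needs_firewall=True),
    Vlan(40, "engineering-plm", "10.10.40.0/24", high_bandwidth=True),
    Vlan(50, "email", "10.10.50.0/24", needs_firewall=True),
    Vlan(60, "voip", "10.10.60.0/24"),
]


def main():
    plan = build_plan(SAMPLE_VLANS)
    for label, group in (("routed on the stack", plan.switch_routed),
                         ("pfSense VLAN interfaces", plan.firewall_routed),
                         ("layer 2 only, no gateway", plan.unrouted)):
        print(f"{label}: {[v.name for v in group]}")
    print("tag on stack->pfSense port:", trunk_vids(plan))
    print("pfSense static routes:", pfsense_static_routes(plan))
    print("errors:", plan.errors or "none")


if __name__ == "__main__":
    main()
```

With the sample data the PLM network ends up routed on the stack (fast server-to-storage paths, ACLs applied there), the iSCSI network gets no gateway at all, and management, VPN landing, e-mail and VoIP land on pfSense VLAN interfaces; the single tagged port to pfSense then carries only those VLANs plus the transit VLAN, which is exactly Derelict's "the same tagged port can do both". The static-route output is the part people forget: once the stack routes some subnets itself, pfSense must know to reach them via the transit next hop.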