VLAN layer 2 or 3 switch?
-
Hello
What will happen if I use a layer 2 switch for VLANs and pfSense as the router, and pfSense goes down? Will there be any security issues?
Is it better for security to use a layer 3 switch if pfSense goes down?
Thanks
-
I see no security problem.
-
Ok
So the layer 2 switch will just stop working until pfSense is up and running again?
Thanks
-
There will be no network connectivity between VLANs, but the switch will work normally.
Clients in the same VLAN will still be able to communicate with each other, no matter whether pfSense is working or not.
-
The layer 2 switch will keep working for the various VLANs it has - e.g. if port 2,3,4 are in VLAN42 then devices on port 2,3,4 will keep talking to each other. So you lose no functionality of each (V)LAN itself.
Routing and firewalling between VLANs (and to the internet, of course) stops - obviously there is no pfSense to do that.
The VLANs effectively have a "block all" firewall between them, because that is what a layer 2 VLAN switch is - it isolates traffic in separate broadcast domains (VLANs). So there is no breach of security - if anything the security gets tighter/better ;)
-
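Added example, not part of any post in this thread: a small Python model of the behaviour described above, with a layer 2 switch that learns and floods per VLAN and a router (pfSense) on a trunk port that may be up or down. Ports 2, 3 and 4 in VLAN 42 come from the post; the trunk on port 1, VLAN 10 on port 5, the host names, the "router" MAC label and the allow rule are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

@dataclass
class L2Switch:
    access: dict                    # access port -> VLAN id
    trunk: int                      # tagged port toward the router (pfSense)
    mac_table: dict = field(default_factory=dict)   # (vlan, mac) -> port

    def forward(self, in_port, vlan, src_mac, dst_mac):
        """Return the set of egress ports for one frame."""
        if in_port != self.trunk and self.access.get(in_port) != vlan:
            return set()            # frame claims a VLAN the port is not in: drop
        self.mac_table[(vlan, src_mac)] = in_port    # learn per VLAN
        known = self.mac_table.get((vlan, dst_mac))
        if known is not None:
            return {known} - {in_port}
        members = {p for p, v in self.access.items() if v == vlan} | {self.trunk}
        return members - {in_port}  # unknown destination: flood inside this VLAN only

# Constructed topology: ports 2-4 in VLAN 42 as in the post; the rest is assumed.
HOSTS = {"a": {"port": 2, "vlan": 42}, "b": {"port": 3, "vlan": 42},
         "c": {"port": 5, "vlan": 10}}

def make_switch():
    return L2Switch(access={2: 42, 3: 42, 4: 42, 5: 10}, trunk=1)

def deliver(sw, src, dst, router_up, allow=()):
    """True if a packet from host src reaches host dst."""
    s, d = HOSTS[src], HOSTS[dst]
    if s["vlan"] == d["vlan"]:      # same broadcast domain: switch alone suffices
        return d["port"] in sw.forward(s["port"], s["vlan"], src, dst)
    # Other VLAN means other subnet: the host hands the packet to its gateway.
    out = sw.forward(s["port"], s["vlan"], src, "router")
    if sw.trunk not in out or not router_up:
        return False                # nothing routes between VLANs
    if (s["vlan"], d["vlan"]) not in allow:
        return False                # router is up but its firewall rule says no
    return d["port"] in sw.forward(sw.trunk, d["vlan"], "router", dst)

if __name__ == "__main__":
    sw = make_switch()
    print("a->b, router down:", deliver(sw, "a", "b", router_up=False))
    print("a->c, router down:", deliver(sw, "a", "c", router_up=False))
    print("a->c, router up, rule 42->10:", deliver(sw, "a", "c", True, {(42, 10)}))
```

The model covers only the switching and routing decision; it does not model a layer 3 switch, where inter-VLAN routing would continue on the switch itself when pfSense is down.
-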
I personally have no need for a layer 3 switch, and layer 2 is easy and not a problem if pfSense is down.
-
If you have the option to get a layer 3 switch over a layer 2, I personally would choose the layer 3 switch. Think about it: all things being equal, the layer 3 switch can do more. You don't have to have it working in layer 3 if you want pfSense to do the routing across VLANs, but later on if you want that capability then you have it. You never said if this was for home or work, but in a home environment it could be good for lab purposes as well. Other than that, I ditto what everyone said.
-
Since Cisco SG300 Gb switches have become ridiculously cheap it's more a question of which mode to configure them than to decide buying L2 or L3.
Personally I haven't been a friend of Cisco switches until I was forced to use them in an install 2 years ago. Haven't looked back since…
-
10x more expensive than what I'd budget for home.
-
Was it mentioned already if it is for a home or commercial install?
Other than that I use Cisco (and TP-Link) switches extensively in my house now. As a student an el-cheapo switch was sufficient but I moved out of my tent many moons ago. Always depends.
-
I'm still in my tent - Will probably die in my tent. Kids will do that. haha.
-
Cisco SG300 Gb is $550 from NewEgg right now. I purchased my HP1810-24g (26 ports total) for only $220. I wouldn't spend 150% extra for layer 3, especially since most inter-VLAN communications should be filtered in my case.
-
What are you looking at of the SG300 that is 550$?
The 10 porter is $168
http://www.newegg.com/Product/Product.aspx?Item=9SIA1EA1YB6736&cm_re=sg300--33-150-087--Product
I see a 28 port PoE version for 563$
Where is this going to be used? Home or business? I got an SG300-10 a while back for home use, and it ROCKS!! Cannot beat the price - I don't use it for layer 3, but it's nice to know it's there if I do need it. pfSense is my layer 3.
-
… HP1810-24g ...
You can't really compare that to a Cisco SG300.
The HP neither has a CLI for management (web only) nor a serial console. That's fine for initial setup and probably some VLANs but that's about it.
And this does not account for all the other features and benefits.
Recently we had to track down an IGMP issue with Cisco Catalyst 2960 switches (made a runner limp every 5s on IP-TV). Turned out to be the switch's firmware. You don't have the necessary tools from a web-gui for such an analysis.
That said, part of my office still runs a rather old HP 1800-24g just fine but it's years old already. And that's only basic office switching, nothing fancy.
-
Hello
What will happen if I use a layer 2 switch for VLANs and pfSense as the router, and pfSense goes down? Will there be any security issues?
Is it better for security to use a layer 3 switch if pfSense goes down?
Thanks
If this was your only concern, why not build a second firewall, for failover? It's pretty easy, and in 2.2 you don't necessarily need 3 WAN IPs to make it work right.
-
Hello
Thanks to all of you.
I will think about what solution I go for.
Thanks