Where to route!

GDS (Member, joined Sep 19, 2013, 22 messages)
Hi All!

I have a business decision to make so I am looking at it from cost perspective as well as technical. My field is not networking and I'm going on what the networking team is telling me.

The question is whether to route on the switch(es) or on a router and get L2 switches. The project will start off small and only include a firewall (Fortigate) and a switch. A couple of VLANs (about 10); there will be some routing between some of the VLANs but not all.

The question is: do I pay 35K+ for an L3 switch and, if the environment grows, another 35K+ switch to act as failover for routing if the "core" fails? Or do I do the routing on a low-spec (pre-owned) Cisco device and get a bunch of L2 switches which can be easily replaced?

I know FortiNet has a complete solution on this but the routing still happens on the Firewall/Router and not on the switch.

So the question is to go L3(All in one) or let a router route and the switches switch?

The budget does not allow all Cisco equipment, and I am looking at Dell and, if I can, Aruba/HP.

Thanks in advance.....
 

GDS (Member, joined Sep 19, 2013, 22 messages)
Thank you. But should the routing be done on the switch or the router? I always thought Unifi is mainly wireless equipment?
 

gregmcc (Honorary Master, joined Jun 29, 2006, 25,514 messages)
How many devices are you going to be connecting?

I would do the routing on the switches. Get some L2 switches for the access layer and then an L3 switch for aggregation/core.
 

infscrtyrisk (Expert Member, joined Nov 22, 2014, 1,296 messages)
Key to the solution to this network security architectural decision is the size of the current environment, projected growth and service levels (including redundancy) as well as geolocation.

A good rule of thumb is to do firewalling on firewalls, routing on routers and switching on switches, but these rules may be "bent" depending on whether there are multiple physically separated sites (requiring the use of a specific interior gateway routing protocol), site security requirements and strategy (exactly what needs to be protected (asset definition and business asset value), against what (threats, and attack trees), and where assets are located). Additional considerations include the type of network traffic, the authentication strategy (device, network and application level, including whether any form of FIAM is necessary), whether tunneling (GRE, IPsec etc.) of any sort is required, and 3rd party / external integration requirements (and 3rd party security strategy).

You have provided far too little information for a good answer, particularly for a business decision.
 

irBosOtter (Expert Member, joined Feb 14, 2014, 2,872 messages)
What Fortigate model are you getting?
If it's an entry-level one, rather get an L3 switch and set up routing on it between the VLANs, with L2 switches at the access layer.
 

syntax (Executive Member, joined May 16, 2008, 8,656 messages)
Use the Fortigate as the layer 3 termination.
You can then secure access between the VLANs as well if needed.
Even if you don't want to now, you will likely want to secure some if not all of your VLANs and control access between them.
 

GDS (Member, joined Sep 19, 2013, 22 messages)
Thank you all. I will be getting a FG100E. I've done some research and I will be going with a complete Fortinet solution. From all the feedback/advice I got regarding my question, it comes down to preference. So no right or wrong at around 500 clients/devices. If you will be handling more, then the advice infscrtyrisk gave about letting a router route and a switch switch is a must.

And this will be for only one location if that changes anything please advise.
 

irBosOtter (Expert Member, joined Feb 14, 2014, 2,872 messages)
You can use that Fortigate model for the L3 routing, so no L3 switch needed in your case then.

I am about to put a proposal together for my manager to rip out all Cisco switches (core, dist and access layer) and replace them with Fortigates.

syntax (Executive Member, joined May 16, 2008, 8,656 messages)
> Thank you all. I will be getting a FG100E. I've done some research and I will be going with a complete Fortinet solution. From all the feedback/advice I got regarding my question, it comes down to preference. So no right or wrong at around 500 clients/devices. If you will be handling more, then the advice infscrtyrisk gave about letting a router route and a switch switch is a must.
>
> And this will be for only one location if that changes anything please advise.

I sometimes think it is old school thinking to say routers route and firewalls firewall. We run stacks of solutions where it is a requirement for firewalls to run IGP(s) / BGP.
Sure, if there are huge amounts of routes then you might want to rethink having this on the firewall only, but for enterprises this is almost never the case, and if so, you can filter appropriately. Some firewalls can handle multiple protocols and have fairly large FIB/RIB tables, so as long as you know what you are expecting the device to do and spec it accordingly, you should be OK. Functionality may vary, but again that comes down to a design / needs requirement.

The problem in enterprises with having a layer 3 core is security. How do you stop VLANs connecting to each other? You would need to add ACLs, and the inspection and security is limited.
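The point syntax makes in both posts above (terminate the VLANs on the Fortigate, then control and inspect traffic between them with policies rather than with ACLs on an L3 core) looks like the following in FortiOS CLI. This is an added example, not configuration from the thread or from Fortinet: the trunk port name "port1", the VLAN IDs, the 10.0.x.0/24 subnets and the object names are constructed placeholders, and the FG100E's actual port naming should be checked before use.

```text
# Added example (not from the thread). Two VLANs terminated on the FortiGate
# as sub-interfaces of an assumed trunk port "port1"; addresses are constructed.
config system interface
    edit "vlan10-users"
        set vdom "root"
        set ip 10.0.10.1 255.255.255.0
        set allowaccess ping
        set interface "port1"
        set vlanid 10
        set role lan
    next
    edit "vlan20-servers"
        set vdom "root"
        set ip 10.0.20.1 255.255.255.0
        set allowaccess ping
        set interface "port1"
        set vlanid 20
        set role lan
    next
end

# Address objects so the policy names subnets instead of "all".
config firewall address
    edit "net-vlan10-users"
        set subnet 10.0.10.0 255.255.255.0
    next
    edit "net-vlan20-servers"
        set subnet 10.0.20.0 255.255.255.0
    next
end

# Unlike SVIs on an L3 switch, VLAN interfaces on the firewall do not forward
# to each other until a policy permits it. This single policy lets users reach
# servers on HTTPS only, with IPS inspection and full logging. Return traffic
# is matched by the session table, so no reverse rule is needed; every other
# inter-VLAN flow (including servers initiating towards users) falls through
# to the implicit deny at the end of the policy list.
config firewall policy
    edit 1
        set name "users-to-servers-https"
        set srcintf "vlan10-users"
        set dstintf "vlan20-servers"
        set srcaddr "net-vlan10-users"
        set dstaddr "net-vlan20-servers"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set ips-sensor "default"
        set logtraffic all
    next
end
```

The contrast with the L3-core design is the last comment: on a switch, every VLAN can reach every other VLAN the moment its SVI is up, and you then retrofit stateless ACLs (with separate entries for return traffic) to take reachability away; on the firewall, the default is no reachability, each permitted path is one stateful, inspected, logged policy, and an access switch that is lost is a cheap L2 replacement rather than a routing outage.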
 

infscrtyrisk (Expert Member, joined Nov 22, 2014, 1,296 messages)
> I sometimes think it is old school thinking to say routers route and firewalls firewall. We run stacks of solutions where it is a requirement for firewalls to run IGP(s) / BGP.
> Sure, if there are huge amounts of routes then you might want to rethink having this on the firewall only, but for enterprises this is almost never the case, and if so, you can filter appropriately. Some firewalls can handle multiple protocols and have fairly large FIB/RIB tables, so as long as you know what you are expecting the device to do and spec it accordingly, you should be OK. Functionality may vary, but again that comes down to a design / needs requirement.
>
> The problem in enterprises with having a layer 3 core is security. How do you stop VLANs connecting to each other? You would need to add ACLs, and the inspection and security is limited.

You are right -- we always need to challenge the "old school" ways of thinking -- I have no problem with it.
Reality sometimes provides us with challenges where the consumer (or corporate client) wants everything to work as per vendor's *marketing* dept's claims -- "Christmas tree" mode, high throughput, no packet drops (as per [insert your favourite vendor bashing Bell-Pottinger firm's name] report here).
 