InterVLAN routing via router vs switch

joel75941
Level 1

Hello gurus,

I'm hoping you can help me with a conceptual understanding, as I'm trying to wrap my head around the pros and cons of both. I have an older Cisco 1700 router that is not gigabit, and a 3560G switch that is fully gigabit. I'm not sure if my assumptions on the following are correct:

Scenario A:  (Switch does the L3 routing)

- vlans can communicate with each other at full gigabit capacity since the router is not needed.

- there is more work placed on the switch cpu to do this, could slow down communications?

- less secure

- if I want to setup dhcp, it looks like it must be done on the switch (can't seem to get it to work via the router) so that adds more overhead to the switch to handle

Scenario B:  (Router does the routing)

- inter vlan communication is bottlenecked by the 100 mbit cap

- more secure

- can handle dhcp configurations, and overall less work for the switch

Please tell me if I'm missing any other key details, and/or if what I've stated so far is wrong.  Right now I'm leaning towards going the L3 switch path, because available bandwidth is more of a concern.  I appreciate any feedback you all can provide, thanks.


5 Replies

Francesco Molino
VIP Alumni

Hi

Intervlan routing on a switch isn't less secure than on a router if we're talking just about simple intervlan routing with ACLs. CPU consumption is minimal.

In your case you have 1G on the switch, whereas you have 100Mb on the router. Secondly, to do inter-vlan routing on a router, you need:

- to connect 1 cable per vlan to have 100Mb per vlan (a lot of ports needed and not best design)

- to connect 1 cable as a trunk for all vlans (100Mb for all vlans; this design is called router on a stick).

DHCP server configuration is working the same way on router and switch.

The difference with a router is that you have more capabilities on the router for other stuff if you really want to protect your traffic (inspect, ZBF, NAT).

A router has WAN links where a switch doesn't. Usually for NAT to access the internet, a router is better because some standard access switches don't support NATting.

You can use both on your LAN design, I mean:

- switch for all LAN stuff

- Router for the WAN side (internet facing, nat, firewalling)

Hope this is more clear.

PS: Please don't forget rate and mark as correct answer if this solved your issue.


Thanks
Francesco

Sorry I should have clarified a little bit.  I have no intention of using "only" the router "or" the switch (I read somewhere that technically it's possible to do this, but I need to NAT anyway), I fully intend to keep the configuration "Internet <---> Router <---> Switch"

I'm just trying to understand why switches have Layer 3 routing capabilities, if they're supposed to be Layer 2 devices.  Maybe the textbook I'm reading is too old, but that was my general understanding so why the hybrid mix?  If what you say is true, it sounds like the L3 switch can pretty much cover everything short of a few services such as Natting that the router would handle.  When would it make sense then to route LAN traffic through the router?

Hi

It really depends on the design you want to implement. Actually, usually we implement Layer 3 switches as core switches with access switches running layer 2 (some customers do L3 at access too).

All WAN facing is handled by the router.

For some customers that have only layer 2 switches with an ISP router, the inter-vlan routing could be done on the router itself to avoid buying a new L3 switch (this is 1 of many examples).

If you intend to use both, I would suggest keeping all inter-vlan routing within your L3 switch and pointing the default route to the internet at the router.

On this router, you can easily activate ZBF (firewall capabilities) to protect your inside LAN. (Even some IPS features on a compatible router.)

If you want to protect communication between your different vlans, you can use ACLs (simple) or split with VRFs (more complex if you never used them).

Hope I've answered your question.

PS: Please don't forget to rate and mark as correct answer if this solved your issue


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
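The design Francesco recommends (inter-VLAN routing and DHCP on the 3560G, an ACL between VLANs, default route to the 1700, NAT only on the router) laid out as an added IOS configuration example; this is not from the thread or from Cisco documentation, and the VLAN IDs, 10.0.x.x subnets and interface names are constructed assumptions.

```cisco
! --- 3560G: routes between VLANs locally at gigabit (constructed addresses) ---
ip routing
interface Vlan10
 description USERS
 ip address 10.0.10.1 255.255.255.0
interface Vlan20
 description GUEST
 ip address 10.0.20.1 255.255.255.0
 ip access-group GUEST-IN in
interface Vlan99
 description TRANSIT to router
 ip address 10.0.99.1 255.255.255.0
interface GigabitEthernet0/1
 description uplink to 1700; the 100 Mbit link carries only WAN-bound traffic
 switchport access vlan 99
! The simple ACL option from the reply: guests reach the internet but not USERS
ip access-list extended GUEST-IN
 deny   ip 10.0.20.0 0.0.0.255 10.0.10.0 0.0.0.255
 permit ip any any
! DHCP served from the switch, as the question describes
ip dhcp excluded-address 10.0.10.1 10.0.10.10
ip dhcp pool USERS
 network 10.0.10.0 255.255.255.0
 default-router 10.0.10.1
! Only non-local traffic is sent to the router
ip route 0.0.0.0 0.0.0.0 10.0.99.2

! --- 1700 router: WAN side only (NAT here; ZBF would also attach here) ---
interface FastEthernet0/0
 description to 3560G transit VLAN (interface name assumed)
 ip address 10.0.99.2 255.255.255.0
 ip nat inside
interface FastEthernet0/1
 description ISP (interface name assumed)
 ip address dhcp
 ip nat outside
! Return routes: the router must know the VLAN subnets live behind the switch
ip route 10.0.0.0 255.255.0.0 10.0.99.1
ip access-list standard LAN
 permit 10.0.0.0 0.0.255.255
ip nat inside source list LAN interface FastEthernet0/1 overload
```

The return route on the router is the piece most often forgotten: without it, VLAN hosts can reach the router but replies from the internet have no path back through the switch.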

I appreciate the response, thank you.

You're very welcome 


Thanks
Francesco