Guest User!

You are not Sophos Staff.

Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 6 replies
  • Subscribers 28 subscribers
  • Views 511 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Which is better, connect POE switch (for APs) direct to firewall port? Or to Cisco switch, then from Cisco to firewall?

jang430

Currently, I created Vlans for my each SSID of my Unifi APs.  I have 4 APs, all connected to my TP-Link poe switch, which is Vlan aware also.  The poe switch is plugged to my Cisco switch e.g. port 10 (Vlan aware).  All other desktops (not in Vlans), NAS (also not in Vlans), also connected to the same Cisco switch.  Port 1 in the Cisco switch is also tagged with all these Vlans.  Port 1 of Cisco switch is plugged into Sophos firewall.  Assuming there is still no bottleneck on the single Port 1 that connects to Sophos firewall port (I don't know how to check if there's bottleneck or not), which is the best practice?  Connect poe for APs directly to firewall?  Or to Cisco switch then firewall?  Same thing for the NAS, that is being accessed by wireless and wired users, where will it be best connected, and why?  

This is a home setup by the way.  The Cisco switch is already there.  So cost is not the issue except for which is a better design.  Although if there are enough ports on my Sophos firewall, removing the Cisco switch will save some electricity.



This thread was automatically locked due to age.
Parents
  • 0

    I would avoid connecting multiple switches with the same VLANs to the firewall. Port-Bridging often causes problems.
    If more bandwidth is required, LACP can be used. Most "small" switches can now do that too.
    I would also only consider cascading switches if there is a lack of ports.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • 0 in reply to dirkkotte

    So you're saying as much as possible, connect poe switch for APs, poe switch for CCTV, NAS on to the Cisco switch, and have 1 port connect to firewall?  If needed, use 2 or more ports to lag, and connect to firewall?

    Is Port-Bridging the only way to do this?  

  • 0 in reply to jang430

    Seperate your CCTV into a different network. Try to separate the IoT devices onto a different network and use more ports on the XG.

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to rfcat_vk

    Wired CCTV using Vlan 20, on it's own POE switch (I only have 5-port poes).  IOT on Vlan 30, but connecting to Unifi APs (it's own POE switch (another 5 port).  Unifi APs have SSID1 (Vlan1- or no Vlan, whatever it's called), SSID2 (Vlan20), and SSID3 (Vlan30).  

    Better to connect poe switch 1 and poe switch 2 to ports in XG rather than connect to Cisco switch?  

    I'm using XG135 appliance, it has 8 ports.

  • +1 in reply to jang430

    Hi,

    yes, better to use multiple ports for your devices, provides better isolation. The daisy chained switches only becomes a requirement if you run out of ports on your first switch.VLAN 1 on the XG is the default and is not recommended for use as a VLAN for normal use.

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to rfcat_vk

    Agree.  Vlan1 is not proper Vlan.  My home wifi users is on this Vlan, so when all else fails, the SSID Vlan1 will work, as it is basically not a proper Vlan.  I can just plug the poe switch with 4 APs to any cheap router and get internet asap.  

Reply
  • 0 in reply to rfcat_vk

    Agree.  Vlan1 is not proper Vlan.  My home wifi users is on this Vlan, so when all else fails, the SSID Vlan1 will work, as it is basically not a proper Vlan.  I can just plug the poe switch with 4 APs to any cheap router and get internet asap.  

Children
No Data
Unfiltered HTML