
Sophos XG and Layer 3 Switch

Good day everyone,

I have been asked to update our network so our data demands can be met. Currently, we run a conventional flat network and our Sophos XG is routing all the traffic. Through my research I think the best solution is to design the network around a Layer 3 switch, and some switch equipment capable of higher speeds, or let's say its switching fabric is much higher than currently.

However, I have never worked within a Layer 3 network, let alone managed one. Pretty sure the company is going to end up upgrading to some Ubiquiti equipment to accomplish this upgrade due to budget. My biggest questions are: does the Layer 3 switch then also become the DHCP server for the various VLANs, and what does this look like to the XG?

Scenario: create a VLAN on the Layer 3 switch, VLAN50 with a subnet of 192.168.50.0/24, and the XG is on 192.168.10.0/24. Do I then have to add the VLANs to the XG plus add a static route for each VLAN? The bad part is we have a production network that runs 24/7, so getting things right is obviously critical, but I do have access to a second XG that I can play with and do a mock setup. Will the 2 subnets automatically talk to one another as well (inter-VLAN communication)?

Any advice, greatly appreciated.



This thread was automatically locked due to age.
  • Essentially this is an outdated scenario. L3 switches were built in a time of "you need high switching capabilities". But nowadays, firewall hardware is able to compete in those throughput numbers, making the switching job a job for the FW instead.

    In the old days, you basically did not care about ACLs or anything "security relevant"; instead you needed the speed and essentially built up a flat network. Nowadays, in times of "I want to inspect or block traffic in my network", you need a firewall as an L3 router in your network.

    So I would highly recommend not to fall back to the old pattern, and instead to create all VLANs on the firewall and do the routing on the firewall (given you have a firewall which meets your needs).

  • Oh really, I did not know that; that is really helpful information. Thank you so much. I actually was watching a video where the person was setting up a Unifi Layer 3 switch and a pfSense firewall, and when he demonstrated network speeds on various ports he didn't achieve the full speeds on each interface till he set the switch to Layer 3, so now I am a bit confused. And the reason was the traffic was flowing through the firewall instead of just being routed to the appropriate switch. We only have an XG210 with a 1GB interface but I don't know if it has the throughput.

  • Think about the "recent" attacks like WannaCry or other attack vectors. They used lateral movement to expand. If your network is simply segmented by VLAN but you can reach "everything" without any kind of blocking or IPS, it could become dangerous.

    Looking at the recent development of XGS hardware, you can see the upcoming throughput, which can likely meet the needs of customers even in high-scale setups.

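The two designs debated in this thread, modelled as an added example (not code from the thread or from Sophos): with a Layer 3 switch doing inter-VLAN routing, the XG needs a static route per VLAN and never sees VLAN-to-VLAN traffic, so it cannot block lateral movement; with the XG terminating the VLANs, every VLAN is a connected route and an explicit inter-VLAN policy applies. The subnets are the ones from the question; the switch address, hosts and rule set are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# VLANs from the original question (VLAN 10 hosts the XG, VLAN 50 is the new one).
VLANS = {10: ip_network("192.168.10.0/24"), 50: ip_network("192.168.50.0/24")}
# Assumed address of the L3 switch on the VLAN the XG is attached to.
SWITCH_IP = ip_address("192.168.10.2")

# Constructed inter-VLAN rule set, enforced only when the firewall does the
# routing: default deny, allow listed (src_vlan, dst_vlan, dst_port) tuples.
ALLOWED = {(10, 50, 443), (50, 10, 53)}


def xg_routes(design):
    """Routing entries the XG needs for each VLAN under the given design."""
    if design == "l3-switch":
        # Only the XG's own VLAN is connected; every other VLAN sits behind
        # the switch, so the XG needs a static route pointing at it.
        return {vid: ("connected" if vid == 10 else f"static via {SWITCH_IP}")
                for vid in VLANS}
    if design == "firewall":
        # Each VLAN is a sub-interface on the XG, hence a connected route.
        return {vid: "connected" for vid in VLANS}
    raise ValueError(f"unknown design {design!r}")


def vlan_of(host):
    """Map a host address to the VLAN whose subnet contains it."""
    host = ip_address(host)
    for vid, net in VLANS.items():
        if host in net:
            return vid
    raise ValueError(f"{host} is in no known VLAN")


def permitted(design, src, dst, dport):
    """Whether a flow src -> dst:dport is forwarded under the given design."""
    s, d = vlan_of(src), vlan_of(dst)
    if s == d:
        return True          # same VLAN: switched at layer 2 in both designs
    if design == "l3-switch":
        return True          # switch routes every inter-VLAN flow, no policy
    return (s, d, dport) in ALLOWED   # firewall design: explicit allow or drop
```

Running it with a workstation in VLAN 10 reaching a VLAN 50 host on the SMB port (the kind of path the reply above warns about) shows the flow forwarded under the switch design and dropped under the firewall design.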