[WBEL-users] Layer 3 - Managed Switch Advice pls...

Dan Geist dan.geist at cox.com
Fri Jul 29 12:18:06 CDT 2005


Hi, Andrew. A couple thoughts on the issue:

1) If you expect anyone to actually try to circumvent them, Vlans can be
made to bleed packets. For example, if you have a public-facing DMZ, I
wouldn't put it on a switch with the internal file and mail servers,
even on different vlans. Just so you know.

2) IMHO, layer3 functions are useful on switches for one reason,
management, i.e. ssh and snmp into the switch. You have a relatively
small network, and a small dedicated firewall/router on
linux/freebsd/whatever between the "security zones" would serve you much
better than ACLs on any layer3 switch. I don't know what you're planning
for the routing, but I've yet to see a router that does switching really
well or a switch that does routing really well, including the
enterprise-class Cisco 7600 series, etc.

3) If you're going to use interface mirroring for traffic monitoring,
you may want to ask the vendors how many they support concurrently. Most
devices use the CPU to replicate the packets, so they do have limits.
Also, a physical tap will get you fragmented packets and other non-
mirror-able packets that a switch mirror cannot. Taps are an added cost,
though, so that depends on your budget.

4) If you have several vlans with similar security requirements, you may
want to aggregate the vlans onto one larger pipe (perhaps a copper gig
port with vlan tagging enabled). Most decent routers (including the
linux and freebsd kernels) are savvy to subinterface tagging and you'll
also save on mirroring, as you can mirror them as a physical port and
simply run an IDS that understands vlan tagging. You'll get a similar
effect to the Cisco Span port function, but it's an open standard where
I'm not sure Cisco's is (call me slightly cisco-challenged).

Dan

On Fri, 2005-07-29 at 15:33 +0800, Andrew Vong wrote:
> Dear Systems & Network Gurus,
> 
> This question is related to networking so it's not entirely Linux-related 
> but my final solution (i.e. inclusive of servers) will be running Linux. I 
> hope to hear from anyone out there who has had experience with the 
> equipment listed below and if possible help provide me with some feedback. 
> Thanks. :)
> 
> I am looking into purchasing a Layer 3 Managed Switch. I am implementing 
> this for a fairly small company with about 60 - 70 nodes (PCs + Servers). I 
> am planning on using the Layer 3 Managed Switch as the core switch with 
> about 10 VLANs.
> 
> Requirements
> --------------------
> - 1 VLAN for the servers
> - Separate VLANs for different workgroups
> - Workgroup VLANs are not allowed to communicate with each other - so, no 
> routing between them.
> - All Workgroup VLANs are ONLY allowed TCP 80, 110, 22, 25, maybe a few 
> others (depending on which workgroup VLAN) traffic to the Server VLAN.
> - Port mirroring (i.e. like Cisco's SPAN port) of all VLANs into a single 
> port so I can stick an IDS to monitor internal traffic.
> 
> Question
> -------------
> 1) Is such a setup possible with Layer 3 Managed Switches (i.e. I would 
> like to limit the type of traffic allowed between VLANs) ?
> 2) For my IDS to monitor all 10 VLANs' traffic, do I need a special NIC to 
> do it? Or will the standard Fast Ethernet NIC that comes with a server suffice?
> 
> 
> Layer 3 Managed Switches
> ---------------------------------------
> 
> Here are the switches I am thinking of going for. I don't think we can 
> afford the Cisco one but I'm putting it in anyway to give an idea of what 
> I'm looking for but with a more affordable price tag:-
> 
> 1) Cisco - Catalyst 3560 24-port 10/100 (Model no. - WS-C3560-24TS-E)
> 2) 3Com - SuperStack 3 (Model no. - 3326 or 3350)
> 3) SMC - TigerSwitch 6724L3 (Model no. - SMC6724L3)
> 4) Dell - PowerConnect (Model no. - 5324 or 3448)
> 
> 
> I would appreciate any feedback.
> 
> Thanks in advance.
> 
> Best Regards,
> Andrew
> 
> 
> _______________________________________________
> Whitebox-users mailing list
> Whitebox-users at beau.org
> http://beau.org/mailman/listinfo/whitebox-users
-- 
Dan Geist | dan.geist at cox.com | (404) 269-6822
Cox Communications - Engineering Security
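The following is an added example, not code from either poster or from any product named in the thread. It shows what an IDS sitting on a tagged (802.1Q) trunk or mirror port, as suggested in Dan's point 4, has to do: strip the VLAN tag from each frame, recover the VLAN id, and then check each new TCP connection against an inter-VLAN policy shaped like Andrew's requirements (one server VLAN; workgroup VLANs that may not talk to each other and may reach the servers only on a short list of TCP ports). The VLAN ids, subnets, port lists and frames are all constructed for the example; a real deployment would read frames from the mirror interface instead of the embedded list.

```python
# Added example (not from the thread): decode 802.1Q-tagged frames from a
# trunk/mirror port and audit new TCP connections against an inter-VLAN policy.
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6

# Assumed addressing plan, constructed for the example: one /24 per VLAN.
VLAN_SUBNETS = {
    10: ipaddress.ip_network("10.0.10.0/24"),   # server VLAN
    20: ipaddress.ip_network("10.0.20.0/24"),   # workgroup A
    30: ipaddress.ip_network("10.0.30.0/24"),   # workgroup B
}
SERVER_VLAN = 10
# TCP ports each workgroup VLAN may open towards the server VLAN (constructed).
ALLOWED_TO_SERVERS: Dict[int, Set[int]] = {20: {22, 25, 80, 110}, 30: {80, 110}}


@dataclass
class Flow:
    vlan: Optional[int]    # 802.1Q VID, None when the frame carried no tag
    src: str
    dst: str
    proto: int
    dport: Optional[int]   # TCP destination port, None for non-TCP
    syn_only: bool         # SYN set, ACK clear: a new connection attempt


def parse_frame(frame: bytes) -> Optional[Flow]:
    """Strip Ethernet (+ optional 802.1Q tag) and pull the IPv4/TCP fields.
    Returns None for non-IPv4 frames (ARP, IPv6, ...)."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    off, vlan = 14, None
    if ethertype == ETHERTYPE_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0x0FFF, 18    # low 12 bits of the TCI are the VID
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[off:]
    ihl = (ip[0] & 0x0F) * 4            # IPv4 header length in bytes
    proto = ip[9]
    src = str(ipaddress.IPv4Address(ip[12:16]))
    dst = str(ipaddress.IPv4Address(ip[16:20]))
    dport, syn_only = None, False
    if proto == IPPROTO_TCP:
        dport = struct.unpack("!H", ip[ihl + 2:ihl + 4])[0]
        syn_only = (ip[ihl + 13] & 0x12) == 0x02   # TCP flags: SYN without ACK
    return Flow(vlan, src, dst, proto, dport, syn_only)


def vlan_of(addr: str) -> Optional[int]:
    ip = ipaddress.ip_address(addr)
    return next((vid for vid, net in VLAN_SUBNETS.items() if ip in net), None)


def policy_verdict(flow: Flow) -> str:
    """Verdict for one frame: 'allow: ...', 'deny: ...' or 'ignore: ...'."""
    if flow.vlan is None:
        return "deny: untagged frame on a tagged trunk"
    if vlan_of(flow.src) != flow.vlan:
        return "deny: source address does not belong to the tagged VLAN"
    dst_vlan = vlan_of(flow.dst)
    if dst_vlan is None:
        return "deny: destination outside the known VLANs"
    if dst_vlan == flow.vlan:
        return "allow: intra-VLAN traffic is switched, not policed"
    if flow.proto != IPPROTO_TCP or not flow.syn_only:
        return "ignore: not a new TCP connection (established flows are the firewall's job)"
    if dst_vlan == SERVER_VLAN and flow.dport in ALLOWED_TO_SERVERS.get(flow.vlan, set()):
        return f"allow: VLAN {flow.vlan} -> servers on TCP/{flow.dport}"
    if dst_vlan == SERVER_VLAN:
        return f"deny: TCP/{flow.dport} to servers not permitted for VLAN {flow.vlan}"
    return f"deny: no routing between workgroup VLANs {flow.vlan} and {dst_vlan}"


def audit(frames: List[bytes]) -> List[str]:
    """What an IDS on the tagged mirror port would log for each frame."""
    return ["ignore: non-IPv4 frame" if (f := parse_frame(fr)) is None
            else policy_verdict(f) for fr in frames]


def build_frame(vlan: Optional[int], src: str, dst: str, dport: int,
                flags: int = 0x02) -> bytes:
    """Constructed test frame: Ethernet [+ 802.1Q] + minimal IPv4 + TCP header."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    tag = b"" if vlan is None else struct.pack("!HH", ETHERTYPE_8021Q, vlan & 0x0FFF)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, IPPROTO_TCP, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, flags, 65535, 0, 0)
    return eth + tag + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + tcp_hdr


SAMPLE_FRAMES = [                                        # constructed traffic
    build_frame(20, "10.0.20.5", "10.0.10.2", 80),       # allow: web to servers
    build_frame(20, "10.0.20.5", "10.0.30.9", 80),       # deny: workgroup to workgroup
    build_frame(30, "10.0.30.4", "10.0.10.2", 22),       # deny: ssh not allowed for VLAN 30
    build_frame(None, "10.0.20.5", "10.0.10.2", 25),     # deny: untagged on trunk
    build_frame(30, "10.0.20.7", "10.0.10.2", 22),       # deny: tag/address mismatch
    build_frame(20, "10.0.20.5", "10.0.20.6", 445),      # allow: same VLAN
    build_frame(10, "10.0.10.2", "10.0.20.5", 40000, flags=0x12),  # ignore: SYN/ACK reply
]

if __name__ == "__main__":
    for verdict in audit(SAMPLE_FRAMES):
        print(verdict)
```

Two design points follow from the thread. The checker only judges connection attempts (SYN without ACK); replies from the server VLAN are left to the stateful firewall that Dan recommends between the zones, which is the right place to enforce this policy rather than per-packet ACLs on the switch. And the tag/address mismatch check is the defensive counterpart of Dan's first point: a frame whose source address is not in the subnet of the VLAN it arrived tagged with is worth logging, whatever caused it.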

