Should my Switch do the routing & let Firewall/Router just do firewall?

Status
Not open for further replies.

iHeartMacs

Explorer
Joined
Oct 5, 2017
Messages
56
Hi, I've been reading some threads and I'm wondering if I should let my switch do all the routing and DHCP and let my router/firewall just be a firewall.

I have a Watchguard Firebox M200 (routing, DHCP, firewall) and a Unifi managed 10G switch.
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
Make sure to use the right terminology for "switch" and "router". You don't want to use them interchangeably and confuse their roles.
 

iHeartMacs

Explorer
Joined
Oct 5, 2017
Messages
56
Thanks, I was thinking about layer 3 switches and all that, so it might be out of my area of expertise. I had thought those switches can do some more advanced networking and take the load off of the router.
 

Snow

Patron
Joined
Aug 1, 2014
Messages
309
Most managed switches do not do too much. You can set up QoS and packet priority to work with a router on them. You can set up link aggregation, or LAGG for short, and stacking for redundancy. Most switches have some sort of intrusion prevention, depending on the brand. What I would do is get your model number and model name and look up and download the manual. It will have in there what you can and cannot do with this brand/type.
 

Zredwire

Explorer
Joined
Nov 7, 2017
Messages
85
Usually it does not make sense to use switches for routing. This can change, though, if you have a large network, as oftentimes Layer 3 switches can do basic routing at wire speed where a router may bog down (depending on the router, connection, and total throughput needed). It makes your network more complicated, though, to have routing done at different locations (like on switches and at the firewall). Personally, for home and small networks I would not use a switch to route.

HeloJunkie

Patron
Joined
Oct 15, 2014
Messages
300
Completely depends on the switches you are talking about. Some "switches" can absolutely do routing just fine. In my old life, I had 15 x Cisco 6509/13s with 3BXL engines that did 100% of our routing (even edge) as well as our switching. We ran BGP, iBGP, OSPF, HSRP and provided handoffs to DC clients.

These days, I routinely use the Cisco 3560G series in L3 mode, do all of my inter-VLAN routing, VLAN management, DHCP and access control with them, and then have a routed /30 mininet back to a firewall.

This might be overkill, but it is a great setup and you can get used 3560Gs for ~$200! The ability to segregate your traffic via VLANs and route between them without having to hit another firewall/router device is a great solution.
 

Chris Moore

Hall of Famer
Joined
May 2, 2015
Messages
10,080
iHeartMacs said:
I have a Watchguard Firebox M200 (routing, DHCP, firewall) and a Unifi managed 10G switch.
If you can prevent internal network traffic from needing to bother the M200, it should make it faster. Setting it up properly is not always simple.
Traffic that exits the local network is throttled by the ISP connection.
 

iHeartMacs

Explorer
Joined
Oct 5, 2017
Messages
56
HeloJunkie said:
Completely depends on the switches you are talking about. Some "switches" can absolutely do routing just fine. In my old life, I had 15 x Cisco 6509/13s with 3BXL engines that did 100% of our routing (even edge) as well as our switching. We ran BGP, iBGP, OSPF, HSRP and provided handoffs to DC clients.

These days, I routinely use the Cisco 3560G series in L3 mode, do all of my inter-VLAN routing, VLAN management, DHCP and access control with them, and then have a routed /30 mininet back to a firewall.

This might be overkill, but it is a great setup and you can get used 3560Gs for ~$200! The ability to segregate your traffic via VLANs and route between them without having to hit another firewall/router device is a great solution.

I'm getting a Unifi 48-port 10GbE Layer 3 switch. I want my LAN on VLAN1 to communicate and share files without the need to go through the firewall/router. I had originally thought this was done automatically, but I was reading about taking the load off the firewall/router and how you can have the switch do the routing, and it made me second-guess myself. I've asked this question on another forum and got the answer that the local traffic doesn't hit the firewall/router, but I'm thinking that could be wrong, and I trust this forum's knowledge much more, so I'm asking again. Seems like you know your stuff, because I had to look up half of what you posted. Ha! ;)

All I'm doing is creating a VLAN for VoIP phones and a VLAN for the LAN on the switch. There is also a 10GbE fiber going from the Unifi switch to FreeNAS, which is just barebones with a Plex server. So I might not need it too complicated. Just wanted to utilize my hardware in the best possible way, and if splitting up some of the responsibilities makes the firewall work better in terms of speed, wear and tear, and the like, then why not?

Zredwire

Explorer
Joined
Nov 7, 2017
Messages
85
iHeartMacs said:
I've asked this question on another forum and got the answer that the local traffic doesn't hit the firewall/router, but I'm thinking that could be wrong, and I trust this forum's knowledge much more, so I'm asking again.

This is true for all local traffic in the same subnet and VLAN. If you have more than one subnet you need a router of some sort (firewall router, or Layer3 routing switch).
 

HeloJunkie

Patron
Joined
Oct 15, 2014
Messages
300
^^^^ What he said.

So long as everything is on the SAME VLAN and the SAME subnet, you do not need a router or firewall for all of those things to talk, since they are in the same broadcast domain. When you start to want to subnet your network (usually for administrative reasons; for me VLAN5 is my VoIP VLAN, VLAN10 is my computers, VLAN20 is my media VLAN, etc.), then you have to have something that can act as a traffic cop to get traffic between those various networks. While they are connected to the same physical switch, they could be across the country for all the good it does you without a Layer 3 device. If the Unifi is L3, you are completely covered in any case!
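The forwarding rule the last two replies describe (same VLAN and subnet is switched at Layer 2, different subnets need a Layer 3 hop, everything else goes to the firewall's default route), modelled as a small Python function. This is an added example, not code from the thread or from any Unifi or Cisco product; the VLAN numbers follow HeloJunkie's layout, and the 10.0.x.0/24 subnets and the inter-VLAN permit list are constructed assumptions. It also shows the caveat that comes with moving routing onto the switch: once the switch routes between VLANs, the firewall never sees that traffic, so any inter-VLAN policy has to live on the switch.

```python
"""Model of where a packet is forwarded on a VLAN'd LAN (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Vlan:
    vid: int
    name: str
    subnet: ipaddress.IPv4Network


# Constructed topology: VLAN5 voice, VLAN10 computers, VLAN20 media.
VLANS = {
    5: Vlan(5, "voip", ipaddress.ip_network("10.0.5.0/24")),
    10: Vlan(10, "computers", ipaddress.ip_network("10.0.10.0/24")),
    20: Vlan(20, "media", ipaddress.ip_network("10.0.20.0/24")),
}

# Constructed inter-VLAN policy enforced on the L3 switch: permitted
# (source VLAN, destination VLAN) pairs. Anything else is dropped there.
SWITCH_ACL = {(10, 20), (20, 10), (10, 5)}


def vlan_of(ip):
    """Return the Vlan whose subnet contains ip, or None if it is not local."""
    addr = ipaddress.ip_address(ip)
    return next((v for v in VLANS.values() if addr in v.subnet), None)


def forward(src, dst, switch_routes=True):
    """Return (device that forwards the packet, reason) for src -> dst.

    switch_routes=True means the switch does inter-VLAN routing;
    False means every inter-VLAN packet is handed to the firewall.
    """
    s, d = vlan_of(src), vlan_of(dst)
    if s is None:
        raise ValueError(f"{src} is not on a known VLAN")
    if d is None:
        # Not a local subnet: default route to the firewall, then the ISP.
        return "firewall", "default-route"
    if s.vid == d.vid:
        # Same broadcast domain: pure L2, no router involved.
        return "switch-l2", "same-broadcast-domain"
    if not switch_routes:
        return "firewall", "inter-vlan-via-firewall"
    if (s.vid, d.vid) in SWITCH_ACL:
        return "switch-l3", "inter-vlan-permit"
    return "switch-l3", "inter-vlan-deny"
```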
 