Thursday, December 26, 2019

ELI5: Layer 3 switch, but Router Firewall over TCP Ports on Layer 4?

I get Layer 2 MAC routing, and I get Layer 3 IP routing in switches. I also understand Layer 4 TCP port routing, usually reserved for router devices instead of Layer 4 switches (but it could be in the L4 switches too).

What I'm having trouble with in designing a school's network is: what kind of router do I need to firewall/filter Layer 4 traffic, if I have 10 Gbps links to multiple servers across 4 VLANs?

E.g., if the Layer 3 switches are offloading the 10 Gbps VLAN and IP subnet routing within their hardware at wire speed, but I want to restrict certain ports on certain IP devices, does this mean I need to route those VLANs on the "trunk" all to the single router to allow/deny the ports across the VLANs?

Wouldn't that mean the router is now my bottleneck across those VLANs for the TCP port restrictions? Say I had only a single 1 Gbps link between the router and the switch(es)/VLANs: that would mean all cross-VLAN traffic that I want to limit TCP ports for must go through the router's interface.

I have 2 Brocade L3 switches I am starting to run drops for and program, but I haven't decided on a router yet. I was thinking of a MikroTik RouterBoard.

So... Is this why we want multiple inputs into a single router? So with 4 VLANs, I'd want 4 links into my router, so each VLAN gets its own dedicated uplink/trunk for bandwidth.

With that said, am I correct in assuming that to keep 10 Gbps bandwidth between VLANs, I'd need a router with multiple 10 Gbps ports?

I was actually thinking of the MikroTik RB4011 series with a single 10 Gbps port for the single trunk uplink from the switches. That would be better than 4x1 Gbps links (and easier to program).

Thanks for your time!
