Saturday, February 22, 2020

Gateways on Core Switch vs Firewall

I’m struggling with some design options for a network redesign I’m planning at my company.

The background: Today I’m running a relatively simple network topology: firewall/router on a stick, all layer 2 switching, no layer 3 switching at all. All inter-VLAN/L3 routing happens on my firewall.

I recently purchased two Nexus 93180YC switches. I’d like to make these my redundant core switches.

My internal debate is this: keep my gateways on the firewall/router and continue to do inter-VLAN routing there, or create SVIs on the Nexus switches, make those my gateways, and have them handle all L3 routing.

Both approaches have pros and cons…

Today my firewall/router-on-a-stick model is fine, as we don’t have speed issues for most traffic. The main issue is that I want to give all VLANs high-speed access to a few NAS storage devices. If the NAS traffic has to flow through my FW, it would not be fast enough for users (video editors) to do their work.

With all of that said, is there another approach I’m missing here? Maybe something to do with VRFs (admittedly I haven’t dealt much with VRFs previously). Is there a way to keep the best of both worlds, i.e. still manage the vast majority of inter-VLAN rules on my FW instead of using ACLs, while still being able to provide devices in all VLANs high-speed NAS access?

Perhaps a way to tell the Nexus route table to route all traffic except for the NAS traffic to my FW?

I’m open to any and all ideas!

Thanks!
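The "route everything except the NAS traffic to my FW" idea from the post maps directly onto policy-based routing on the Nexus SVIs. The configuration below is an added example for one of the two switches and is not from the original post or its author: the VLAN IDs, names, prefixes, the firewall transit address 10.99.0.2 and the storage ports are all hypothetical, and it assumes an NX-OS release with `feature pbr`, HSRP for the redundant gateways, and the firewall's inside interface moved from the trunk onto a dedicated transit VLAN. Each user VLAN SVI becomes the gateway; a route-map pushes every flow except user-to-NAS to the firewall, so the firewall keeps enforcing the existing inter-VLAN rules while NAS flows are switched in hardware. Because those NAS flows no longer pass a stateful firewall, the example also adds stateless ACLs that limit the direct path to the storage protocols actually in use.

```cisco
! Nexus A. Nexus B is identical except for its own SVI addresses and a
! lower HSRP priority. All VLAN IDs, names and prefixes are hypothetical.
feature interface-vlan
feature hsrp
feature pbr

vlan 10
  name USERS-VIDEO
vlan 20
  name USERS-OFFICE
vlan 50
  name NAS
vlan 99
  name FW-TRANSIT

! Which flows must still traverse the firewall: everything except
! user VLAN <-> NAS VLAN. In a PBR match ACL a "deny" means "do not
! policy-route"; those flows follow the ordinary route table and are
! forwarded in hardware between the SVIs.
ip access-list PBR-USERS-TO-FW
  10 deny ip 10.10.0.0/24 10.50.0.0/24
  20 deny ip 10.20.0.0/24 10.50.0.0/24
  30 permit ip any any

! The NAS VLAN needs the mirror image; otherwise NAS replies to users
! would be sent to the firewall while the requests never were
! (asymmetric routing), and a stateful firewall drops them.
ip access-list PBR-NAS-TO-FW
  10 deny ip 10.50.0.0/24 10.10.0.0/24
  20 deny ip 10.50.0.0/24 10.20.0.0/24
  30 permit ip any any

route-map PBR-USERS-TO-FW permit 10
  match ip address PBR-USERS-TO-FW
  set ip next-hop 10.99.0.2
route-map PBR-NAS-TO-FW permit 10
  match ip address PBR-NAS-TO-FW
  set ip next-hop 10.99.0.2

! The direct path is not inspected by the firewall, so restrict it to
! the storage protocols in use (SMB 445 and NFS 2049 here). An ingress
! RACL is evaluated before PBR, so other ports on the NAS are simply
! unreachable from the user VLANs.
ip access-list USERS-IN
  10 permit tcp 10.10.0.0/24 10.50.0.0/24 eq 445
  20 permit tcp 10.10.0.0/24 10.50.0.0/24 eq 2049
  30 permit tcp 10.20.0.0/24 10.50.0.0/24 eq 445
  40 permit icmp any 10.50.0.0/24
  50 deny ip any 10.50.0.0/24
  60 permit ip any any

! Stateless mirror on the NAS side: only replies from those service
! ports may return straight to the user VLANs; a NAS initiating
! connections towards user hosts gets dropped here.
ip access-list NAS-IN
  10 permit tcp 10.50.0.0/24 eq 445 10.10.0.0/24
  20 permit tcp 10.50.0.0/24 eq 2049 10.10.0.0/24
  30 permit tcp 10.50.0.0/24 eq 445 10.20.0.0/24
  40 permit icmp 10.50.0.0/24 any
  50 deny ip 10.50.0.0/24 10.10.0.0/24
  60 deny ip 10.50.0.0/24 10.20.0.0/24
  70 permit ip any any

interface Vlan10
  description Gateway for USERS-VIDEO (Vlan20 is configured the same way)
  no shutdown
  ip address 10.10.0.2/24
  ip access-group USERS-IN in
  ip policy route-map PBR-USERS-TO-FW
  hsrp 10
    priority 110
    ip 10.10.0.1

interface Vlan50
  description Gateway for NAS
  no shutdown
  ip address 10.50.0.2/24
  ip access-group NAS-IN in
  ip policy route-map PBR-NAS-TO-FW
  hsrp 50
    priority 110
    ip 10.50.0.1

interface Vlan99
  description Transit to the firewall inside interface (10.99.0.2)
  no shutdown
  ip address 10.99.0.3/29
  hsrp 99
    priority 110
    ip 10.99.0.1

! Anything not policy-routed and not on a connected VLAN (Internet,
! firewall-side networks) still goes to the firewall.
ip route 0.0.0.0/0 10.99.0.2
```

On the firewall side the inside interface becomes 10.99.0.2/29 on the transit VLAN with static routes for 10.10.0.0/24, 10.20.0.0/24 and 10.50.0.0/24 via the HSRP address 10.99.0.1; its existing inter-VLAN rule set keeps working because every other inter-VLAN flow still arrives there. To verify the split, run two traceroutes from a host in VLAN 10: one to an Internet address should show the firewall as the second hop, one to the NAS should show only the switch SVI. Two caveats worth checking before relying on it: confirm what your NX-OS release does when the PBR next hop is unreachable (if it falls back to the route table, a firewall outage could let inter-VLAN traffic flow unfiltered between user VLANs), and remember that the NAS flows no longer appear in firewall logs, so the NAS's own audit logging becomes the only record of who accessed what.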



No comments:

Post a Comment