Thursday, December 14, 2017

Asking senior admins for advice on a small/med business network topology (I'm introducing Sophos XG devices)

Hello, I'm a little sysadmin/netadmin for a small/med company (100 users) and I'm here to ask for advice.

I have a small datacenter with 3 ESXi hosts at work, about 30 VMs in total. Currently I have 5 VLANs (1 server / 1 workstation / 1 wifi / 1 guest / 1 VoIP phones) with about 100 devices (printers, APs, workstations, etc.) and all VLAN routing is done via an HP 2920 48-port Layer 3 switch (no ACL rules). As firewall/router for the internet connection and VPN we use a virtual appliance called Kerio Control in a router-on-a-stick configuration (the HP switch sends everything except inter-VLAN traffic to the Kerio VM via a dedicated trunk VLAN isolated from all other VLANs; I have simply disabled Layer 3 routing on that trunk VLAN).

I have this question: now we are replacing Kerio with a Sophos XG 210. I'm thinking of redesigning it because our Sophos vendor told me that a router-on-a-stick design could limit the Sophos XG's capability to intercept and block malicious traffic on the LAN, so the Sophos should be in charge of the routing.

I'm a little afraid to leave all the routing to the XG 210 because in case of an update/reboot/change in the internet configuration I will lose all routing capabilities, as opposed to having it managed by a switch that I update every year or so, so I can consider it an always-on system. And with this configuration I've also resolved the traffic problem: on the trunk to Kerio I have only the internet traffic and nothing else. We don't have SFP+ modules, so the best I could do is create a LAG of 5 Ethernet ports between the XG 210 and the switch to increase bandwidth (I don't have this problem now because all the routing is done by the HP 2920 internally). We transfer pretty large CAD files (from 5 MB to 500 MB) from a PDM archive VM to 20 workstations (3D CAD, SolidWorks).

We also have, on an ESXi host, Exchange 2013 and other appliances that rely on some iSCSI mapped drives, so if I lose routing I will lose those drives, and if I forget to dismount, for example, some Exchange DBs that are on those iSCSI volumes before rebooting the XG 210, bad things could happen...

Any ideas, advice or anything else? Thank you!
