Our network will consist of 5 access switches connected to a layer 3 core switch connected to a SG430. We will have several VLANS consisting of computers, VoIP phones, security cameras and card access readers. Total users will be around 100. We are fully cloud and no longer have any servers so no DHCP or DNS server. It appears my options are to use the core switch as layer 2 and let the SG430 handle the routing, DHCP and DNS or use the core switch as layer 3 and let the switch handle DHCP. Does anyone have a recommendation as to which setup will give the best performance? Am I missing any other option?
With 100 users only, you should not have performance problems.With DHCP/DNS/Routing at the firewall, you have a usable GUI to configure this.Network segmentation may not be the primary goal ... without servers ...
Systema Gesellschaft für angewandte Datentechnik mbH // Sophos Platinum PartnerSophos Solution Partner since 2003 If a post solves your question, click the 'Verify Answer' link at this post.
Depends on the brand of your switches. Better ones (i.e. HPE) have a routing engine in ASIC which is capable to route in wirespeed (even at 10/40G).Routing on the UTM might be fast (depending on model) but will be software anyways. Useful only if you want to enforce Firewall rules between the subnets.DHCP / DNS is better manageable on the UTM, you just have to configure DHCP relay agents on the switch for the other VLANs.
I prefer to put routing on firewalls and switching on switches.
It is also easier to manage DHCP on two SGs in HA (active-passive).
BERGMANN engineering & consulting GmbH, Wien/Austria
Valid point, but if you do so you definitely don't need to invest in "Layer 3 Switches". L2/L2+ will do.
I had the same decision to make when we overhauled our network. I decided to let the core switch do the VLAN-routing because:
I then created a static route under "Interfaces > Static Routing" for the voice VLAN so the UTM can forward the voice packets to the core switch.
I would definitely let the UTM handle DHCP & DNS.