Moving my VLANs over to a layer 3 switch

Earlier this week, I moved my VLANs off of my firewall, which had been handling them since I first set this network up, over to my Cisco SG300-52 switch, which I got earlier this year and which is operating in layer 3 mode.

The process to get my VLANs moved over was not too difficult. To be sure of what I was doing, I set up some test VLANs on the switch beforehand to play around with layer 3 VLANs and get a better understanding of how to set this up.

I spent the weekend doing this, and slowly throughout this week, I moved over my VLANs from my firewall to the switch, and I just moved the last one over on Wednesday.

You might be wondering why I would move my VLANs to my switch instead of keeping them on my firewall. My reasoning is that I wanted to achieve wirespeed transfers between my VLANs, because I do a lot of inter-VLAN communication.

The firewall was a bit of a bottleneck for this communication: I noticed that when the network was under load, I got around 80-90 megs a second between VLANs, which is still pretty good, but not wirespeed. This is because the firewall is not designed to handle VLANs, but rather to route traffic in and out from the internet.

The switch, on the other hand, has a specially designed switch chip built for fast switching between VLANs, so if I wanted wirespeed transfers between VLANs, this was the way to go.

After I moved all my VLANs to my switch, I got a stable 110 megs a second to my NAS no matter what, so I'd call this a success.

The only downside to this, in my opinion, is that I had to move away from stateful firewall rules between VLANs and had to water down a lot of my rules for them to work as an access control list on the switch. But security between VLANs is still good enough, so I think I'll survive.
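To make that trade-off concrete, here is an added Python simulation (not from the post, and not the switch's own ACL syntax) that evaluates the same constructed packets against a stateless ACL and against a connection-tracking firewall. The addresses, the VLAN 10 client and VLAN 20 NAS, and the SMB port are assumptions chosen for the example; the point it shows is why a switch ACL has to admit "reply" traffic by a fixed match, which is the watering-down described above.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str     # source IP
    sport: int   # source port
    dst: str     # destination IP
    dport: int   # destination port
    syn: bool    # True for a TCP SYN (new connection), False for other segments

# Constructed addresses: a client on VLAN 10 and a NAS on VLAN 20 (assumed)
CLIENT = "10.0.10.5"
NAS = "10.0.20.5"
SMB = 445

def stateless_acl(p: Packet) -> bool:
    """Static rules of the kind a layer 3 switch ACL can express.
    With no connection table, replies from the NAS must be permitted by a
    fixed match on addresses and ports, and that same rule admits any
    NAS-originated packet that happens to use source port 445."""
    if p.dst == NAS and p.dport == SMB:     # client -> NAS file sharing
        return True
    if p.src == NAS and p.sport == SMB:     # NAS -> client, hoped to be replies
        return True
    return False

class StatefulFirewall:
    """Allows reply traffic only for flows a client actually opened."""
    def __init__(self) -> None:
        self.flows: set[tuple] = set()

    def allow(self, p: Packet) -> bool:
        forward = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        if reverse in self.flows:            # reply to a tracked connection
            return True
        if p.syn and p.dst == NAS and p.dport == SMB:
            self.flows.add(forward)          # client opened a new SMB session
            return True
        return False

def compare() -> dict[str, tuple[bool, bool]]:
    """Returns (stateless_verdict, stateful_verdict) for three constructed packets."""
    fw = StatefulFirewall()
    handshake = Packet(CLIENT, 51000, NAS, SMB, syn=True)
    reply = Packet(NAS, SMB, CLIENT, 51000, syn=False)
    # A packet the NAS sends on its own with 445 as the source port: nothing on
    # the client side asked for it, so only the stateful device rejects it.
    unsolicited = Packet(NAS, SMB, CLIENT, 3389, syn=True)
    results = {}
    for name, pkt in (("handshake", handshake), ("reply", reply), ("unsolicited", unsolicited)):
        results[name] = (stateless_acl(pkt), fw.allow(pkt))
    return results
```

The "unsolicited" row is the gap a stateless ACL leaves open; on a switch it can be narrowed by also matching the TCP ACK flag on the reply rule, at the cost of more static rules to maintain.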

The Cisco SG300 series of switches can't do IPv6 routing, unfortunately, so I had to drop IPv6 connectivity to make this happen, but I am planning to replace it with a Mikrotik switch that can, so you'll hear about that in about two months.

Signed,

Primrose