I’m setting up VLANs to segment our network for better organization and security:
VLAN 10: Main Network
VLAN 20: Guest Network
VLAN 30: Secondary Main Network
VLAN 40: Secondary Guest Network
VLAN 50: VOIP
VLAN 99: Management
I plan to assign DHCP scopes to each VLAN and ensure proper routing. Given our limited resources, should I configure VLANs and inter-VLAN routing on our dinky little Cisco C1300 switch or the SonicWall firewall? What are the performance and security implications of each approach?
Any advice is appreciated! I’m relatively new to networking, and our team is small with limited expertise.
I’m always a firewall guy for L3. You might get a little performance boost when doing the routing on the switch itself, but not significant. I like to manage all the rules and routing in one place rather than multiple switches.
Of course it depends on the horse power of the firewall to handle multi gigabit speeds.
Performance-wise, I think it depends on how much inter-VLAN routing your will do. I would try to design your VLANs in such a way that youneed as little inter-VLAN routing as possible. In my home network, I have the following VLANs: Main, Guest, IoT, Televisions, Server, and server management. There is absolutely NO inter-VLAN routing for Guest, IoT and Televisions.Otherwise the majority of my inter-VLAN traffic is from my main network to services on the server network, and even then I have servers/services that sit in my Main VLAN. Server is reserved only for stuff that reaches the internet (Nextcloud, Wordpress, Cloudflared).
Thank ya’ll for your input and suggestions. Starting to clear things up for me. We will have very minimal inter-VLAN routing and of course none for guest networks.
Just trying to navigate how to handle DNS across the VLANs but I’m getting there.
I second what @xMAXIMUSx said here, doing L3 stuff on the firewall is almost always the way to go.
Exceptions to this are typically for really big scale routing where a single firewall just can’t do it all, that’s kinda why L3 switches exist, it’s supplemental for high performance environments.
I will say one other exception might be if you have a central management setup for it like Unifi, their L3 ACL stuff leaves a lot to be desired, but having it all in the same management plane is easier to organize and make sure you aren’t doing something wrong/allowing traffic you don’t want to allow.
DNS wise, your sonicwall should be able to provide DNS to all the VLANs you setup for it.
your DNS server(s) need to be in a VLAN that can be reached from all clients. If you have some fully segregated VLANs then you need extra DNS servers there. You then use DHCP to let the clients know which DNS server(s) to use.
It is not necessary to run the DNS server on a central router, but it simplifies things.