Can I make use of a L3 switch in my home network?


crazyj

Member
Nov 19, 2015
Hi, not a networking guy at all. Sort of fumbling my way through all this, but I'm sure someone here can answer this easily with the volume of experience on these forums.

My current setup is an L2 switch (1810-24g & 4 VLANs) connected to a napp-it all-in-one (filer, mediabox, surveillance cameras), also using a small PoE switch for the cameras. The other end of this connects to a FreshTomato router with a separate VLAN per port, and any inter-VLAN routing occurring in the router/firewall. There's also another R520 in there as a backup napp-it server, just doing some replications.

For whatever reason, the setup is ok, but nothing to write home about, and occasionally, when my wife connects to it with her laptop, it completely loses its brains, and the 1810 needs to be restarted. I suspect something in there to do with STP, but again, not expert enough to go digging through that - well, given a few months maybe I'd find the motivation, but not right now.

I picked up a Brocade 6450 PoE version, so I thought at least I'd ditch the small PoE switch and clean things up a bit. But it got me thinking: is there any point to using its L3 capabilities? Is there any low-hanging fruit I'm missing? How would you approach connecting all this?
 

j_h_o

Active Member
Apr 21, 2015
Yes, you can use the 6450.

This is the concept...

Say you have a few VLANs as follows:
  1. VLAN10
    Switch would have IP at 10.0.10.1/24
  2. VLAN20
    Switch would have IP at 10.0.20.1/24
  3. VLAN30
    Switch would have IP at 10.0.30.1/24
  4. VLAN40
    Switch would have IP at 10.0.40.1/24
  5. VLAN50 - Firewall
    Switch would be at 10.0.50.1/24
    Your NAT/firewall/Tomato would be at 10.0.50.254/24 (for example)
In each case, a client connected to VLAN10 would hit the switch's IP, which could either a) forward the traffic to an internal VLAN, or b) forward it to the firewall if it doesn't know how to reach the destination (i.e. the internet).
In addition to this, you can configure ACLs for VLAN10 to not be able to access VLAN20, in the switch ACLs.

You'd also need to set a DHCP forwarder on each VLAN, that would forward traffic to the DHCP server(s), wherever they are located.

Do you have other requirements?

Once we settle the design, then we can translate this into commands you enter into the switch :)
 

crazyj

Member
Nov 19, 2015
I guess I don't really know what my requirements should be. How does this really differ from an L2 switch with the same VLAN setup? Just that it doesn't need to access the router? How would you construct the management network (thinking Brocade management port, and each server has its own dedicated iDRAC, plus can the ESXi vSwitch management portion be accessed in a similar way)?
 

Midvalley

New Member
Aug 30, 2023
I guess I don't really know what my requirements should be. How does this really differ from an L2 switch with the same VLAN setup? Just that it doesn't need to access the router? How would you construct the management network (thinking Brocade management port, and each server has its own dedicated iDRAC, plus can the ESXi vSwitch management portion be accessed in a similar way)?
I muddled through this recently; my solution for a management network was to do a separate VLAN with a non-contiguous address space from the rest (if using 10.0.x0.0 from the example above then use 172.16.0.0 or 192.168.0.0) and adding a deny ACL to each VLAN preventing it from reaching that segment. I use a VLAN trunk port set to dual-mode with my PC VLAN and mgmt VLAN to my desktop, and then keep a dedicated VM to access that network via the tagged VLAN.

You can definitely do the same at L2, but the Brocade can do line-speed switching between VLANs and offload that traffic from your firewall.
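The design above (j_h_o's VLAN/VE layout with the firewall on its own transit VLAN, plus the separate management VLAN and per-VLAN deny ACLs Midvalley describes) written out as a Brocade ICX 6450 FastIron configuration. This is an added example for this page, not configuration posted by either of them. It assumes the 6450 is running the routing (R) firmware image rather than the switching image, that the Tomato firewall sits at 10.0.50.254 and is the DHCP server, and that the management VLAN is 99 on 192.168.99.0/24. The port numbers, the NVR address 10.0.10.10, and the ACL numbers are likewise assumptions.

```text
! Added example (not from the thread). Brocade ICX 6450, FastIron 08.0.x,
! routing image. VLAN IDs and 10.0.x0.0/24 follow j_h_o's post; VLAN 99,
! 192.168.99.0/24, port numbers, ACL numbers and the NVR host are assumptions.
!
! --- VLANs and their routed interfaces (VEs) ---
vlan 10 name servers
 untagged ethernet 1/1/1 to 1/1/4
 router-interface ve 10
!
vlan 20 name clients
 untagged ethernet 1/1/5 to 1/1/8
 tagged ethernet 1/1/24
 router-interface ve 20
!
vlan 30 name cameras
 untagged ethernet 1/1/9 to 1/1/16
 router-interface ve 30
!
vlan 50 name firewall-transit
 untagged ethernet 1/1/23
 router-interface ve 50
!
vlan 99 name mgmt
 tagged ethernet 1/1/24
 router-interface ve 99
!
! --- ACLs. FastIron ACLs are stateless and end in an implicit deny. ---
! Standard ACL 10: the only subnet allowed to manage the switch itself.
access-list 10 permit 192.168.99.0 0.0.0.255
access-list 10 deny any log
!
! Servers: everything except the management segment.
access-list 110 deny ip 10.0.10.0 0.0.0.255 192.168.99.0 0.0.0.255 log
access-list 110 permit ip any any
!
! Clients: no management segment, no direct access to the cameras.
access-list 120 deny ip 10.0.20.0 0.0.0.255 192.168.99.0 0.0.0.255 log
access-list 120 deny ip 10.0.20.0 0.0.0.255 10.0.30.0 0.0.0.255
access-list 120 permit ip any any
!
! Cameras: DHCP (source 0.0.0.0 at boot, hence "any") and the NVR only.
access-list 130 permit udp any eq 68 any eq 67
access-list 130 permit ip 10.0.30.0 0.0.0.255 host 10.0.10.10
access-list 130 deny ip any any log
!
! --- Routed interfaces: switch IP in each VLAN, DHCP relay to the firewall ---
interface ve 10
 ip address 10.0.10.1/24
 ip helper-address 1 10.0.50.254
 ip access-group 110 in
!
interface ve 20
 ip address 10.0.20.1/24
 ip helper-address 1 10.0.50.254
 ip access-group 120 in
!
interface ve 30
 ip address 10.0.30.1/24
 ip helper-address 1 10.0.50.254
 ip access-group 130 in
!
interface ve 50
 ip address 10.0.50.1/24
!
interface ve 99
 ip address 192.168.99.1/24
!
! Anything the switch has no route for (the internet) goes to the firewall.
ip route 0.0.0.0/0 10.0.50.254
!
! Desktop port: untagged in VLAN 20, tagged for VLAN 99 (the management VM).
interface ethernet 1/1/24
 dual-mode 20
!
! Management plane: SSH and HTTPS only, and only from the mgmt subnet (ACL 10).
crypto key generate rsa modulus 2048
ssh access-group 10
no telnet server
no web-management http
web-management https
web access-group 10
```

Two things the switch config alone does not give you. The firewall needs static routes back to each 10.0.x.0/24 and to 192.168.99.0/24 via 10.0.50.1, or return traffic from the internet never reaches the VEs. And once the switch routes between VLANs the firewall no longer sees that traffic at all, so every segmentation rule you relied on the firewall for has to be re-expressed as an ACL here; that is why ACL 10 also guards the switch's own SSH and web interface, which is reachable on every VE address. Keep the ACL text in a file and paste it in, as Midvalley suggests; `show access-list all` and `show ip route` confirm what took effect.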
 

86turbodsl

Active Member
Feb 24, 2020
I am in the same boat as OP. I think doing L3 stuff on the Brocade will probably result in a big boost in performance rather than doing all the L3 stuff on the router, right? If it just becomes a firewall it can focus on that.
 

crazyj

Member
Nov 19, 2015
I muddled through this recently; my solution for a management network was to do a separate VLAN with a non-contiguous address space from the rest (if using 10.0.x0.0 from the example above then use 172.16.0.0 or 192.168.0.0) and adding a deny ACL to each VLAN preventing it from reaching that segment. I use a VLAN trunk port set to dual-mode with my PC VLAN and mgmt VLAN to my desktop, and then keep a dedicated VM to access that network via the tagged VLAN.

You can definitely do the same at L2, but the Brocade can do line-speed switching between VLANs and offload that traffic from your firewall.
I recall someone saying to jumper the Brocade mgmt port into that VLAN.

I’ve got a dual Ethernet PC so I probably don’t need a trunk port.
 

kapone

Well-Known Member
May 23, 2015
It's 2024. Are we still debating whether L3 routing is beneficial or not? Seriously?

There's probably 100 threads on STH alone (and I wrote a few of them) that explain almost every single aspect of L3 routing and How-tos.

Edit: That big Brocade ICX thread? @fohdeesha and I got it going way back when, the 6610s were still selling for a pretty penny. (I actually shipped a 6610 to Fohdeesha to get the license thing going!)
 

86turbodsl

Active Member
Feb 24, 2020
Maybe so, but I suspect a lot of us are new here and not exhaustively looking through thousands of threads. At least I haven't. I still have a day job...

Edit: And I did see that portion of the big Brocade thread where you were trying to help one of the posters set up this exact idea and unfortunately it never completed. So count me amongst the people that want to do this but haven't reached a point where we feel comfortable doing it yet. The absolute last thing I want to do is break my internet at home with a house full of users and not know how to fix it.
 

Midvalley

New Member
Aug 30, 2023
I recall someone saying to jumper the Brocade mgmt port into that VLAN.

I’ve got a dual Ethernet PC so I probably don’t need a trunk port.
It's been a while, but I believe there was some limitation on the management port that made me choose to do a dedicated VLAN and control connections with ACLs. You'll need to do some ACLs anyway, as SSH/web GUI is exposed on the VE(s) (if layer 3) or switch IP (if layer 2) address and you need to control that, otherwise it defeats the purpose of the management setup.

It was a bit of work to setup, but if you write/maintain your ACLs in a text file it's super easy to update/duplicate them and just paste into your terminal app of choice.
 

Midvalley

New Member
Aug 30, 2023
I am in the same boat as OP. I think doing L3 stuff on the Brocade will probably result in a big boost in performance rather than doing all the L3 stuff on the router, right? If it just becomes a firewall it can focus on that.
The best answer is "it depends". The more services/devices you have on your network talking across routed interfaces (VLANs), the more load you are placing on your firewall to pass that traffic. Maybe that matters in your network, maybe not. If your firewall utilization numbers never exceed 50-70% and you never see any sort of degraded performance, then it's moot and probably not worth risking the ire of your users.

If you're not getting line speed due to overutilization somewhere, then a full L3 setup could help, as the switch will gate traffic between its known routes internally without needing the firewall to inspect.

You do need to get creative with how you do the security on your network, as I am guessing if we're discussing multiple VLANs they have a segmentation purpose to put boundaries around certain endpoints/traffic. That's far easier to maintain at the firewall level for the most part, but as long as you can boil your needs down to simplified rules (e.g. no access to subnet1 from subnet2, or subnet3 can (or cannot) <insert protocol here> to subnet1/specific IP) that are fairly static in nature, then you can accomplish that with ACLs associated with your VLANs.

My home network has all the usual nerdy stuff like IP cams writing to an NVR, VoIP phones, virtualization hosts, along with the normal assortment of PCs, phones, smart devices, printers, etc. all chattering amongst themselves; but the normal utilization on my OPNsense VM (4 cores, 8 GB RAM; so not that beefy) is less than 15% (note: I don't bother with IDS/IPS for a home network, just CrowdSec) as it's mainly just doing internet firewall/Unbound/Kea. If I max my 1.5/1 Gbps connection I can probably get that to 50%.
 

RuckusVol

New Member
Jul 2, 2024
It's 2024. Are we still debating whether L3 routing is beneficial or not? Seriously?

There's probably 100 threads on STH alone (and I wrote a few of them) that explain almost every single aspect of L3 routing and How-tos.

Edit: That big Brocade ICX thread? @fohdeesha and I got it going way back when, the 6610s were still selling for a pretty penny. (I actually shipped a 6610 to Fohdeesha to get the license thing going!)
This is extremely helpful and I'm sure many people are appreciative for the time you and others take to help people. But the challenge we run into on the learning side is finding the really good posts/articles with that info without reading hundreds of pages. I'm weird (in a lot of ways but this is one) in that I'm extremely proficient in some areas and entirely green in others. Far more disparity in both directions than most.

Sometimes when I'm trying to learn, I just have a really hard time finding the highest quality content. Or I'll read something that seems good to my beginner eyes, and a couple pages later see several people explaining why that was a bad idea in ways that make a lot of sense. In an ideal world there would be an easy way to upvote and find stuff on given topics, sorted by helpfulness.

Regardless, most people here get nothing for the help they give and the community sense is amazing. But it would be very helpful to get a link or be shown a better way to search for quality content. I'd love to use the L3 capability of my ICX7250, but I keep swimming in circles on where to start.
 

kapone

Well-Known Member
May 23, 2015
This is extremely helpful and I'm sure many people are appreciative for the time you and others take to help people. But the challenge we run into on the learning side is finding the really good posts/articles with that info without reading hundreds of pages. I'm weird (in a lot of ways but this is one) in that I'm extremely proficient in some areas and entirely green in others. Far more disparity in both directions than most.

Sometimes when I'm trying to learn, I just have a really hard time finding the highest quality content. Or I'll read something that seems good to my beginner eyes, and a couple pages later see several people explaining why that was a bad idea in ways that make a lot of sense. In an ideal world there would be an easy way to upvote and find stuff on given topics, sorted by helpfulness.

Regardless, most people here get nothing for the help they give and the community sense is amazing. But it would be very helpful to get a link or be shown a better way to search for quality content. I'd love to use the L3 capability of my ICX7250, but I keep swimming in circles on where to start.
https://forums.servethehome.com/index.php?threads/layer-3-switch-w-pfsense.23236/post-216621
 