Router vs. Switch – Choosing Between ISP and Firewall

Architecturedesignrouterswitch

I have always used a "dumb" (unmanaged) switch as the entry point and distribution to my LAN network. ISP's copper goes into the switch and about six or 8 other connections come out of the switch to various devices ("main" firewall, a few other firewalls/routers protecting different networks, a "public" wireless network, etc.)

Whenever I see a network schema for a network similar to mine, it typically shows a router at the edge of the network as opposed to a switch like I'm using. Is a switch poor form? Why would I need a router? Are there any other alternatives to distributing my WAN connection?

Best Answer

In your case, you don't need a router. The most common reason for having one is to convert from one kind of network media to another. Your ISP may use DOCSIS (cable), DSL, T1, or something else to connect you to the Internet, while your internal media is Ethernet. In your particular case, since your ISP provides an Ethernet handoff, you don't need a router.

Related Solutions

Switch – Redundancy between router and servers

I agree with @network_ninja but will extend it a bit.

How I'd solve this

Router1--L3--Router2
|              |
|              |
Switch1--L2--Switch2
|    |         |
|    |         |
PC1 PC2--------+

Router1 and Router2 are running VRRP, HSRP, GLBP or CARP to produce virtual default-GW IP address to the LAN.
This protocol will converse over the Switch core to agree which of the routers is owning the default-GW IP address at any given time.

PC2 is redundant linux server, which is using 'bonding' to redundantly connect to the Switches, it should be configured so that if the the virtual default-gw IP address stops responding to ARP WHO HAS, it'll switch to backup connection. IP address itself is not on the physical interfaces, but on the virtual bonding interface.
Equivalent solution is available to other OS, but often not included in base OS package.

PC1 is non-redundant server.

Switches are not running anything special, no spanning tree (as there is no L2 loop) and no LACP. They can be from different vendors and can be taken down for maintenance separately.

Routers are not running any switching, IP addresses are configured directly in the L3 interfaces facing the switches.
If you choose VRRP as your first-hop-redundancy-protocols, routers can be from different vendor. Each router can be taken down for maintenance separately, by gracefully switching VRRP priority before work on the primary.

Routing with a firewall vs L3 switches

You certainly could use a L2 switch, and it would probably work just fine. But here are a few reasons why a L3 switch might be a better choice:

You may want to segregate your servers into different VLANs to simplify access control, apply QoS, limit failure domains, etc. An L3 switch will make this much easier.
While Firewalls can run routing protocols, they don't seem to do it as well as routers, except in the most simplest of cases.
Network management features are usually more mature on routers than firewalls.
In many organizations, firewalls are administered by the security team (a bad idea, IMO), so they need to get involved if routing changes are needed. It's better if network routing is controlled by a single administrative group.

In the simple diagram you presented, there aren't many routing decisions to be made (there is only one data path), so static routes would probably suffice. but if you start adding redundant switches with redundant paths, then you need devices that can detect and respond to topology changes -- i.e. run routing protocols. "Daisy-chaining" routers is not going to cause problems unless the network is very large.

Best Answer

Related Solutions

Switch – Redundancy between router and servers

Routing with a firewall vs L3 switches

Related Topic