
16 Replies

  • I can't talk for this model of Sonicwall, but in general 'real' switches have FAR higher throughput between ports than firewalls.

    Usually a firewall will be used as the router between different subnets or VLANs - when a L3 switch is not providing the filtering required or when we only have L2 switches and the firewall has good enough throughput capabilities.

    However, it would be pretty unusual to have computers directly connected to a firewall, like you would connect them to a switch.

    I guess you did not want to use the firewall in this kind of scenario, but as the router that connects L2 switches. As long as you don't have high throughput demands between different subnets, the firewall should do a good job. And when you want to do some real traffic filtering, then it will be far better than any switch.

  • I think you understand the disadvantage - reboot or outage of firewall = outage of entire office network.
    So you just need to determine what is best.

    If there are 80 users - do you not need more than the 24 LAN ports on the firewall? You mention hypervisor servers so my gut feel is that there are local LAN resources, so I would suggest a separate LAN switch, then these LAN resources will continue to work when the firewall reboots or fails.

    I was going to suggest comparing cost but I see that in the mid-enterprise range (to which the 4700 belongs) all come with inbuilt switches. So the real question is do you need that model? I note it has 9.5Gbps of threat prevention/IPS throughput - that is high! What about a lower spec model and a LAN switch? A good layer 2 10 gig switch is not too expensive.

  • Hi,

    I, too, would suggest a smaller Sonicwall and a separate switch. We have a pair of TZ600s for our 125 users plus our guest WLAN and they work fine as a run and standby pair.

    Just my thoughts.

    Ian

  • Personally I do not like the single point of failure approach.  Unless you have an extremely tight budget, I would recommend against this.

    Separate Firewall and Switch solutions are best, I always believe.

  • Hi,

    Do you really need the 18 Gbps throughput of the NSa 4700?
    If 5.2 Gbps is sufficient, you can try to go with the NSa 2700 which is cheaper and has fewer ports.

    I also wouldn't use the integrated switch and would get separate ones like the others recommended.
  • Just to play Devil's Advocate if the Firewall is down the network is effectively down regardless of if there is a separate upstream switch. Most people cannot function without the internet connection these days and it likely won't matter that they still have local LAN.

    Plus without Internet Windows is going to report the Network down or impaired anyway.

  • molan wrote:

    Just to play Devil's Advocate if the Firewall is down the network is effectively down regardless of if there is a separate upstream switch. Most people cannot function without the internet connection these days and it likely won't matter that they still have local LAN.

    Plus without Internet Windows is going to report the Network down or impaired anyway.

    true if mainly cloud. but not if local apps/data. Hence Op needs to determine this. 4 local hypervisors indicates possible significant on prem.

    It will be customer/use case specific. As an example I support a business with manufacturing. 40 office staff can't do much without the internet - but critically the factory can produce all its output so long as the local server and 1 PC can communicate. In this scenario they would go bust in days without the lan. internet - meh, some folks could go home, use mobile etc.

  • m@ttshaw wrote:

    molan wrote:

    Just to play Devil's Advocate if the Firewall is down the network is effectively down regardless of if there is a separate upstream switch. Most people cannot function without the internet connection these days and it likely won't matter that they still have local LAN.

    Plus without Internet Windows is going to report the Network down or impaired anyway.

    true if mainly cloud. but not if local apps/data. Hence Op needs to determine this. 4 local hypervisors indicates possible significant on prem.

    It will be customer/use case specific. As an example I support a business with manufacturing. 40 office staff can't do much without the internet - but critically the factory can produce all its output so long as the local server and 1 PC can communicate. In this scenario they would go bust in days without the lan. internet - meh, some folks could go home, use mobile etc.

    Most people don't differentiate these days between WAN or LAN; most employees would report the network down as soon as they can't reach their favorite internet site.

    I had this call yesterday because someone had misspelled an email address and got a bounce back message.  Internet is down!!

    Also, the OP doesn't mention where they run DHCP and DNS. If those services are on the firewall, then a firewall outage would effectively cripple local LAN too.

    Not saying the OP should go one way or the other, just pointing out there are a lot of unknown factors (to us Spiceheads) about the OP's network that should influence this decision.  It could be perfectly reasonable for the OP to run his network off the SonicWall's built-in switch depending on setup and needs.

  • It depends on the environment. Using the firewall also as the main switch is a common setup in smaller environments, but a core switch is more ideal in larger setups.

  • For really small environments I'll combine them if I can. But most SMB firewalls don't have enough ports for systems and workstations so I typically have to add some kind of switch.

  • My offices run a 4700 and multiple 2700s and TZs. You might be better off with a 2700, but its VPN has a slower throughput compared to the 4700, though it's not bad by any means. You can still have the same level of protection despite a model difference. Look into getting the HA as well to create some redundancy. I recommend getting a switch to run your servers as running off a firewall (even a next gen) would be frowned upon. Ubiquiti has some good switches that with a Cloud Key Gen 2 you can manage seamlessly and they won't break your budget. Good luck.

  • m@ttshaw wrote:

    I think you understand the disadvantage - reboot or outage of firewall = outage of entire office network.
    So you just need to determine what is best.

    I thought about that. It's not too often for me to power-cycle my current SonicWALL NSA 2600 - maybe 2-3 times a year - planned

    m@ttshaw wrote:

    If there are 80 users - do you not need more than the 24 LAN ports on the firewall? You mention hypervisor servers so my gut feel is that there are local LAN resources, so I would suggest a separate LAN switch, then these LAN resources will continue to work when the firewall reboots or fails.

    Servers are connected to my main un-managed switch. I do have other un-managed switches that are up-linked to my users.

    m@ttshaw wrote:

    I was going to suggest comparing cost but I see that in the mid-enterprise range (to which the 4700 belongs) all come with inbuilt switches. So the real question is do you need that model? I note it has 9.5Gbps of threat prevention/IPS throughput - that is high! What about a lower spec model and a LAN switch? A good layer 2 10 gig switch is not too expensive.

    What I like about the NSA 4700 is that it has 6 SFP plus ports. Currently, I do not have 10GBE devices, but next year I will start looking into a server refresh on my network that will involve 10GBEs - future proof it.
  • m@ttshaw wrote:

    molan wrote:

    Just to play Devil's Advocate if the Firewall is down the network is effectively down regardless of if there is a separate upstream switch. Most people cannot function without the internet connection these days and it likely won't matter that they still have local LAN.

    Plus without Internet Windows is going to report the Network down or impaired anyway.

    true if mainly cloud. but not if local apps/data. Hence Op needs to determine this. 4 local hypervisors indicates possible significant on prem.

    It will be customer/use case specific. As an example I support a business with manufacturing. 40 office staff can't do much without the internet - but critically the factory can produce all its output so long as the local server and 1 PC can communicate. In this scenario they would go bust in days without the lan. internet - meh, some folks could go home, use mobile etc.

    That is true. I do run an on-premises ERP, DCs, File server, Print Server, but I need to take into consideration the pros and cons of running a core switch - I'm not too savvy with CLI. Having the firewall be my core managed switch, SonicWALL support will help me with the first initial setup at no additional cost.

  • molan wrote:

    Also, the OP doesn't mention where they run DHCP and DNS. If those services are on the firewall, then a firewall outage would effectively cripple local LAN too.

    DHCP/DNS services run on my DCs.

    molan wrote:

    Not saying the OP should go one way or the other, just pointing out there are a lot of unknown factors (to us Spiceheads) about the OP's network that should influence this decision.  It could be perfectly reasonable for the OP to run his network off the SonicWall's built-in switch depending on setup and needs.

    Thanks. That is encouraging that I can use a firewall as my main server switch.
  • theitguy107 wrote:

    It depends on the environment. Using the firewall also as the main switch is a common setup in smaller environments, but a core switch is more ideal in larger setups.

    What would you consider to be smaller environments?

  • I would think even an eBay switch would be better than using the firewall for LAN networking. The throughput on a dedicated LAN switch would be much higher than a firewall could provide.

