So let's talk about layer 3 switches for just a minute many vendors use the term layer 3 switch notice these are contradictory terms layer 3 is routing switching is layer 2. when you say layer 3 switch you're saying layer three layer two which really is contradictory term what most vendors mean is that this is a device that can be configured as a router or as a switch or possibly both at the same time we want to caution you that while it's possible to make very complex and very difficult or very difficult to understand configurations we would encourage you to use a layer three switch as a router that's fine turn it into a router use a layer three switch as a switch that's fine using them as both in intermixing of where these two ports are routed and those two ports are switched all of a sudden uh becomes very difficult because as you're standing in front of the switch trying to plug something in you have to know the internal configuration of that switch to successfully plug things into the right place as we think about where to put servers in large institutions you will have some department maybe it's your bursar's office or it's your admissions office and they have a server that has financial aid financial software or student information software and they want to put it underneath their desk because well it's their server and they want to see it every morning and greet it every morning and say hello server i'm happy to see you this is not a proper design because that means the server is out in some random building and what do you do about good power to it what do you do about good air conditioning and how do you provide reliable service to that so the right place to put your servers are in your core location servers should never be on the same subnet as any user and so it needs to be a separate subnet off the core router and again they need to be in that same room as your core router where you have good power and good air conditioning a typical design is simply to have an interface off your core router that goes to a switch that has your servers the next topic is where to put firewalls this design is a very typical design many many campuses use this including campuses at the u.s all over the world we will talk about an alternative design a little bit but the firewall in this position will protect all of campus from that nasty mean outside world and that probably works in a corporate environment to where every computer and every device on the campus network is controlled managed and uh you know people don't have administrator rights they can't install things there's all kinds of fancy antivirus software but campuses are not like that people bring computers from home students are on wireless people have phones so the challenge with the this border firewall placement as you saw in the previous diagram is that you're not protecting users from each other and the reality is firewalls don't protect users from getting viruses it used to be back in the windows xp days that if you turned a windows xp machine on on the internet and started to install patches on it you would almost immediately get a virus that's not the way viruses happen because ever since windows xp service pack 2 windows automatically comes default with its own firewall so firewalls aren't preventing you from getting viruses how do you get viruses on pcs well people are web browsing and they get a little pop-up that says hey we notice you have a virus click here to clean it well if you click there then that well you open that uh attachment and guess what now you have a virus both of these activities are encrypted you know if if that was a gmail attachment that is running over ssl a firewall is not going to protect you and thus you know through your firewall that you think is protecting you you're getting no protection at all so you know viruses again come with click links while web browsing and email attachments firewall isn't going to help as your bandwidth increases as you go from the 10 megs to 100 to 1000 and heaven's sake maybe even as many as 10 gigabit uh external connections firewalls have trouble scaling up to those kinds of speeds so we want to have you think about an alternative strategy since the firewalls don't protect users from viruses and if you have the border firewall placement it can't protect users from each other so if somebody brings a virus infected computer in the border firewall case and plugs that computer into your network you're in the soft inside middle of your network where there is no firewall between you and other users there is no firewall between you and your servers where your you know your bursar's office your payroll office all the student records are and guess what if somebody breaks into your payroll office server that's a bad thing and so we want you to think about this alternative firewall placement of placing the firewall between your campus network which now is somewhat hostile it's almost as hostile as the internet and the servers that you want to protect so another thing you want to consider is that not all servers are created equal so for example some servers are dedicated to primarily student use for example moodle if you are running your own local moodle instance every student has an account there well i personally would not put a moodle server on the same ipsubnet as my payroll and financial systems because i care about getting a paycheck you might even want to segment your servers to where you have more public servers and more private servers. Put different classes of servers on different subnets.

© Produced by Philip Smith and the Network Startup Resource Center, through the University of Oregon.

Attribution-NonCommercial 4.0 International (CC BY-NC 4.0)
This is a human-readable summary of (and not a substitute for) the license. Disclaimer. You are free to: Share — copy and redistribute the material in any medium or format Adapt — remix, transform, and build upon the material The licensor cannot revoke these freedoms as long as you follow the license terms. Under the following terms: Attribution — You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use. NonCommercial — You may not use the material for commercial purposes. No additional restrictions — You may not apply legal terms or technological measures that legally restrict others from doing anything the license permits.