L3 Switch Recommendations for

I am looking to purchase quality L3 switches with 4x QFP+ ports, 24/48 Gb ports (one 48-port with multiple 24-port modern switches) with GRE, BGP or OSPF routing protocols, modern security and monitoring features, and other modern features like stacking on the backend, from $2,000 to $5,000 each, from popular vendors like Cisco or Juniper (Cisco would be preferred, so we can more easily hire network engineers at other locations). Any suggestions or personal experience with switches that haven't let you down? If the $ range is too low it can be increased, especially for the single 48-port switch.

28 comments
38% Upvoted
level 1
2 points · 7 days ago

When you say VPN, what are you looking for?

level 2
Original Poster · 1 point · 7 days ago

Possibility of running IPSec over a GRE tunnel to each site.

level 3

L3 VPN in the form of IPsec over GRE is something no vendor's L3 switches that I know of do. This is something routers or firewalls do, but at substantially lower performance, as IPsec is computationally heavy.

level 4
Original Poster · 1 point · 7 days ago · edited 7 days ago

This can be done using a L3 Cisco switch using GRE to tunnel the IPSEC traffic - https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/WAN_and_MAN/P2P_GRE_IPSec/P2P_GRE/2_p2pGRE_Phase2.html

For the older switches, the IP Services image with the K9 capability is required.

level 5

Absolutely, if you use a Catalyst 6500 with a VPN SPA, but that is not anywhere near the price range you mention. A Catalyst 6800 might also do this. I would also call these boxes routers and not L3 switches. Care to tell what box you think supports IPsec in the typical 1 rack unit size the rest of your requirements fit into?

level 6
Original Poster · -2 points · 7 days ago

If you have the right license, IP Advanced Services, you can normally do this if you are doing a small amount of IPsec over GRE tunnels (using Catalyst 3850s). At my previous place we used to spend several hundred thousand on switch and router upgrades and do a refresh every three to five years.

Though the new place I am at now was looking for a lower-cost solution that is still reliable (1x48, possibly 5x24-port switches to start). I did let them know the 48-port switch with all the security and routing features would be around $8,000-$13,000, with a 24-port switch half the cost, but would reach out to the internet to see if others have run into anything different for lower, to ensure I was still in the ballpark (you have to pay to get all the bells and whistles).

If I can get them on something reliable and more well known like Cisco, we can hire more engineers that know the tech and add more switches for redundancy. I am hoping they will work with the higher cost of the premium Cisco gear in return for reliability, more technical expert availability and breadth of options, especially if we go with the newer 9000 series switches.

level 7
5 points · 7 days ago

Mmmmm, no.

Catalyst 3850s do not support IPsec (they also don't have a license level called "IP Advanced Services"). They support MACsec, but only directly adjacent. They do not have "WAN MACsec" and thus cannot do multihop encryption.

Catalyst 3850s CAN do GRE, but it is unencrypted.

Catalyst 9300s are in the same boat.

level 8
Original Poster · -2 points · 7 days ago · edited 7 days ago

True, 3850s run IOS XE, not the older IOS; I should have noted 3750 Series switches with the upgraded IOS version.

level 9
3 points · 7 days ago

3750s also did not have a license level called "IP Advanced Services", could not deliver IPsec tunnels, and also could not run GRE tunnels.

You can stop now.

level 10

Correction, they *CAN* run GRE tunnels, so long as the endpoint on the other side appears to be a Cisco ROUTER (switch to switch is out). Also, PPS is abysmal. An employer had dreams of GRE tunneling phones without a router. If I remember right, three concurrent conversations were enough to crush the CPU.

Labbing it up and letting management experience the headaches of the test environment was the only way to end that one.

level 10
Original Poster · 0 points · 7 days ago

The 3750s have the option to order an image upgrade to c3750-ADVIPSERVICESK9-M for the 12.x version of the software.

Seems other individuals have set up GRE tunnels on the 3750s. Though I have another device that will be doing the encryption of traffic, so IPsec on the switch will not be needed.

https://community.cisco.com/t5/switching/cisco-catalyst-3750-gre-tunnel-keepalive-retry-count-cannot-be/td-p/2525258

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-2_25_seb/release/notes/OL7189.html?referring_site=RE&pos=1&page=https://www.cisco.com/c/en/us/support/docs/switches/catalyst-3750-series-switches/64898-upgrade-3750-stack.html

level 4

Don't some of the newer HPE Aruba jobs do it? I believe the 3810s and 2930s are both designed to support a scenario where they're the only device at a remote office forming a tunnel back to a central wifi controller. (The ProCurve/Aruba merger is creating some weird options.)

level 3
1 point · 6 days ago

Arista's 7020 has a SKU that does IPsec: 24x1/10G Base-T, 2xQSFP28 100G. Not sure the IPsec version is orderable yet though.

level 1

I like the Aruba line-up of switches, but for your price range look at some whitebox vendors like fs.com; even then you'll be hard pressed at 5k.

level 2
Original Poster · 1 point · 7 days ago

Good point on the 5k, I have edited the original post. I would like to have the ability to install trusted, well-known brand hardware that will just keep running and last a good while until the next refresh cycle of 3-5 years, along with using gear that top-tier networking engineers would be familiar with, so they can use their experience to the maximum potential without having to learn a less-known vendor's tech that may or may not have all the features they need to manage a multi-site network reliably as it grows.

level 3

If you don't need PoE, the Aruba 8320 would fit the bill...

JL581A

level 1

If you don't mind refurbs, Cisco 4948Es match most of your requirements (save the VPN stuff) and can be had for $250 or so. Bonus is that they're so cheap you can keep a bunch of spares on the shelf.

level 2
Original Poster · 1 point · 7 days ago

Thanks,

Refurbs are fine, I would just need to ensure I can get a warranty on them from the vendor.

level 3

If you find the right vendor I'm sure you can. I just self-warranty with cold spares. 15 minutes to pull one off my shelf beats next-business-day service any day of the week.

level 4
Original Poster · 1 point · 7 days ago

You are right about that. At my previous job we were always 2+2 (2 in production with 2 spares), which saved us big time when Cisco said there would be a delay in shipping out replacements due to a shortage at their vendor's factory for the ASICs and a few other components (it took a few weeks), but since we had spares it was a quick test, update and swap with no downtime.

I might end up getting some of the recommended switches above and use one of the newer 4000 series routers for routing traffic between sites.

Thank you all for the help and quick responses.

level 2

Damn, $250 for a 4948E, not a bad deal.

level 1
DRINK-IE and LINKSYS-IE · 1 point · 7 days ago

If Juniper, why not EX4300 with the AFL license?

level 1

OP, I mentioned that some of the ProCurve/Aruba switches can do this. Found a doc. Yes it's harder to track down qualified ProCurve experts, but they shouldn't baffle experienced network engineers, and Aruba Central eliminates a lot of the need for remote hands.

ftp://ftp.hp.com/pub/networking/software/ProCurve-SR-dl-GRE-Config-Guide.pdf

level 2
Original Poster · 1 point · 6 days ago

Thank you for the suggestion.

level 1

Go Cat9300s.

You can get these to support GRE, OSPF, and BGP. Not sure that you should be running VPNs that are terminated on your switches though. Do yourself a favor and use firewalls and/or routers for this function. With a stack of switches, you'd save enough on a 3-4 switch stack in licensing to buy yourself a pair of ISRs or ASAs or whatever to terminate those.

Again, don't terminate VPNs on your LAN switching.
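For reference, this is what the design the thread keeps coming back to (GRE carrying the IGP between sites, IPsec doing the encryption, terminated on a router or firewall rather than the LAN switch) looks like on an IOS-XE router. It is an added example, not configuration posted by any commenter and not taken from the Cisco document linked above; the names, the RFC 5737 documentation addresses, the pre-shared-key placeholders and the interface names are assumptions. The security-relevant line is `tunnel protection ipsec profile`: without it Tunnel0 still comes up, OSPF still forms an adjacency, and every packet crosses the WAN as plaintext GRE (IP protocol 47), which is exactly the situation the 3850/9300 replies above describe.

```cisco
! Site A router (hub side). Assumed: WAN address 203.0.113.1 on Gi0/0/0,
! peer router at 198.51.100.1, LAN 10.1.0.0/16, tunnel link 10.255.0.0/30.
!
! --- IKEv2: how the two routers authenticate and agree on keys ---
crypto ikev2 proposal IKEV2-PROP
 encryption aes-gcm-256
 prf sha512
 group 19
!
crypto ikev2 policy IKEV2-POL
 proposal IKEV2-PROP
!
crypto ikev2 keyring SITE-KEYS
 peer SITE-B
  address 198.51.100.1
  pre-shared-key local <LOCAL-PSK>
  pre-shared-key remote <REMOTE-PSK>
!
crypto ikev2 profile IKEV2-PROF
 match identity remote address 198.51.100.1 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local SITE-KEYS
!
! --- IPsec: the cipher that protects the GRE packets ---
! Transport mode is enough here because GRE already supplies the outer IP header.
crypto ipsec transform-set TS-GCM esp-gcm 256
 mode transport
!
crypto ipsec profile IPSEC-PROF
 set transform-set TS-GCM
 set ikev2-profile IKEV2-PROF
!
! --- The GRE tunnel, with IPsec bound to it ---
interface Tunnel0
 description GRE over IPsec to Site B
 ip address 10.255.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip ospf 1 area 0
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.1
 tunnel mode gre ip
 tunnel protection ipsec profile IPSEC-PROF
!
! --- Routing over the tunnel: OSPF, not static routes ---
router ospf 1
 router-id 10.255.0.1
 network 10.1.0.0 0.0.255.255 area 0
!
! Verification after the peer is configured with mirrored values:
!   show crypto ikev2 sa          -> one READY SA to 198.51.100.1
!   show crypto ipsec sa          -> #pkts encaps/decaps counters climbing
!   show ip ospf neighbor         -> neighbour FULL on Tunnel0
! If the IPsec SA is missing but OSPF is FULL, the tunnel is up and unencrypted.
```

The MTU and MSS values account for the GRE plus ESP/GCM overhead on a 1500-byte WAN path; leaving them out produces the classic symptom of pings working while bulk transfers stall. The same stanzas, with the addresses and the local/remote keys swapped, go on the Site B router.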

level 2
Original Poster · 1 point · 7 days ago

You do make a good point, just checked and we do have other devices that we can use to terminate VPNs outside of the switch.
