Dedicated mgmt I/F when router is 'off line'?

My dilemma may be a bit unusual. I administer a network for a facility existing in a university campus network environment. The network I administer is that for my own unit, the campus organization that provides various physical facilities maintenance, design and project services. A separate central university networking group has the responsibility for providing network connections across campus and out to the Internet, as well as various infrastructure services (DHCP, DNS, routing, VLAN configuration across the campus network, etc.).

At my building boundary a campus networking group provisioned switch connects my building network to the campus backbone. I have half a dozen VLANs inside my building that provide separate network spaces for internal servers, public facing servers, internal workstations. All subnets on these VLANs (as provisioned by the campus central networking personnel) are /24. Routing traffic between these subnets is performed by campus networking provided centralized routing services (refer to the network diagram). Consequently the traffic for a workstation user in my building who is accessing an application on one of our servers (in a computer room in my building) is switched off premises on to the campus backbone where it is subsequently routed back by the campus networking provided routers.

The campus network folks actually have done a pretty fair job of designing and deploying a robust and redundant network. Nonetheless, the possibility remains that some sort of event could result in the loss of the campus network services. In this event users in my building would be unable to access applications hosted on servers in my building because routing services would be lost, despite the fact that all of my internal switched network infrastructure could be functioning just fine.

My management wanted me to come up with a mechanism to provide routing services in the event of a catastrophic network failure so our users could continue to work with our internal apps. My solution was a MikroTik 1100AHx2 router - needed capabilities, plenty of performance to meet requirements, and a great price. I have configured, deployed and tested this solution. In the event of campus network failure someone simply powers up the RB1100AHx2, unplugs the feed from the campus provisioned switch into port 1 of my top level switch, then plugs the feed from port 1 of the RB1100AHx2 into port 1 of my top level switch. Bingo - my internal users have full access to all networked resources within our building. When campus network services are restored the process is simply reversed.

So what’s the problem? Well, I’d like to have one port on the RB1100AHx2 dedicated as a network device management endpoint port so that I could perform management and configuration functions on the router by powering it up when the campus network is functioning, but leaving the emergency standby feed disconnected. This router port would connect into a port on one of my switches that would be configured as an untagged member of the network management VLAN (I could just as easily have provided the traffic as tagged if that somehow provided a solution). I could power up the router, then work from my workstation to perform necessary config/mgmt functions via telnet/ssh/ftp. But I can’t figure out if 1) this is doable, and 2) if it is, how to go about it.

First, I need to configure one port (interface) dedicated to this function. I would assign this interface a unique network management IP on my network mgmt VLAN, e.g. 172.200.100.50. But I’m stuck on routing, among other things. When the router is activated it presents the IPs for the default gateways that are no longer available via campus networking. So default gateway 172.200.100.1 for my network management network is routed by the campus provided routers when the campus network is functioning normally. The RB1100AHx2 is configured so that when it is activated it becomes the default gateway of 172.200.100.1. So there’s already a gateway entry in the RouterOS config for network 172.200.100.0/24 of 172.200.100.1. If I configure a separate port on the router when the router is not providing routing services for my building network, how do I force routing to direct to the campus router gateway of 172.200.100.1 on this port instead of the RouterOS configured gateway 172.200.100.1 (which won’t work)?

I have no problem disconnecting this ‘network management feed’ as a part of the process to activate the standby routing if doing so facilitates a solution.

Any ideas here? I realize that this is a quite non-standard router thing I’m trying to do (kind of a route, but don’t route scenario), and maybe it can’t be done. But maybe it can. I’m open to ideas.
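One way to build the dedicated management port described above, as an added example that is not part of the thread and not a tested recipe from MikroTik: RouterOS v6 syntax, with assumed port names (ether13 as the management port, ether1 as the standby building feed), the addresses the post names, a constructed 10.0.20.0/24 as the admin workstation VLAN, and the post's own allowance that the management feed may be dropped while the standby feed is in use.

```routeros
# Added example, not from the thread. Assumptions: RouterOS v6, ether13 is the
# management-only port into the mgmt VLAN, ether1 is the building feed that is
# only plugged in during a campus outage, 10.0.20.0/24 is a constructed admin VLAN.

# Management port: unique address on the mgmt VLAN, active whenever powered up.
/ip address add address=172.200.100.50/24 interface=ether13 comment="mgmt"

# The standby gateway address clashes with the campus router's 172.200.100.1,
# so it stays disabled until the router is actually put into service.
/ip address add address=172.200.100.1/24 interface=ether1 disabled=yes comment="standby-gw"

# Separate routing table for traffic entering or sourced from the management
# port: it points at the campus router, never at the router's own standby address.
/ip route add dst-address=172.200.100.0/24 gateway=ether13 routing-mark=mgmt
/ip route add dst-address=0.0.0.0/0 gateway=172.200.100.1 routing-mark=mgmt comment="via campus router"
/ip route rule add interface=ether13 action=lookup table=mgmt
/ip route rule add src-address=172.200.100.50/32 action=lookup table=mgmt

# Management plane hardening: SSH and Winbox only, only from admin subnets,
# and only via the management port. Telnet and FTP stay off.
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set ssh address=172.200.100.0/24,10.0.20.0/24
/ip service set winbox address=172.200.100.0/24,10.0.20.0/24
/ip firewall address-list add list=admins address=172.200.100.0/24
/ip firewall address-list add list=admins address=10.0.20.0/24
/ip firewall filter add chain=input in-interface=ether13 src-address-list=admins action=accept comment="mgmt port only"
/ip firewall filter add chain=input protocol=tcp dst-port=22,8291 action=drop comment="no mgmt via building ports"

# Activation/deactivation: swap which address is live. As the post allows,
# the management feed is taken out of service while the standby feed is plugged in.
/system script add name=standby-on source="/ip address set [find comment=\"mgmt\"] disabled=yes; /ip address set [find comment=\"standby-gw\"] disabled=no"
/system script add name=standby-off source="/ip address set [find comment=\"standby-gw\"] disabled=yes; /ip address set [find comment=\"mgmt\"] disabled=no"
```

With the standby address disabled, the router no longer owns 172.200.100.1, so the mgmt-table default route resolves to the campus router through ether13; the firewall rules ensure the building-facing ports never expose the management services even when the standby feed is live.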

Can you put your router between your and campus networks? If so, you will be able to route traffic internally if applicable and send outside to the campus network only the traffic that should not end in your network.

A perfectly reasonable and workable suggestion. Unfortunately, for both technical and political reasons, this solution is not an option for me.

I may just be stuck with having to do ‘offline’ access for configuration and maintenance via serial console port and/or connection to a port on the router configured with a 192.168.x.y local to the router (which I’ve done, and which works, but requires me to be directly connected to that router port via a patch cable and a laptop configured with a 192.168.x.z address).

Thanks for taking the time to reply.