Hello all,
I am planning a network for a community service providing emergency medical services. One of our duties is providing the control room for a big annual festival (we have a building on the location, the network will be installed there permanently). Due to the nature of this service there are some specific requirements to our network.
There will basically be 4 subnets internally (lan) and 1-2 externally (wan) that shall be routed via a RouterOS/RouterBoard device:
-
Subnet 1: Goes to VLAN2 of a L2 managed switch. Provides connection to all pcs and a server inside the control room (5 PCs plus radio server)
-
Subnet 2: Goes to VLAN3 of a L2 managed switch. Provides connection to the other ethernet cabling inside the building
-
Subnet 3: Goes to VLAN4 holding an Wireless Access Point (infrastructure with multiple APs and roaming to be set up). Provides connection to different Laptops, and also Devices of the voluntary helpers
-
Subnet 4: Goes to VLAN5 of a L2 managed switch. This provides connection to shared servers (accessible from Subnet 1, 2 and 3, with different restrictions)
-
WAN 1: standard internet connection (currently we have only one available, shall be upgraded). PPPoE client capability needed. 16MBit line
-
WAN 2: secondary internet connection to be set up. PPPoE client would be nice, but not necessary. max. 50MBit line, not yet sure
Services that will be needed:
- Routing and firewalling between all the subnets
- VPN Server to access from externally (we also have an internal fileserver on the site which is used as general file storage for all our organization)
- potentially radius authentification for the devices
- very important: bandwidth shaping (via queues). Subnet 1 must have a guaranteed minimum bandwidth towards and from WAN1 and WAN2, as well as another minimum bandwidth towards and from Subnet 4 (Shared server segment). Additionally, Subnet 3 gets a hard maximum bandwidth towards/from WAN. → This is to ensure operation of the control room is not disturbed by anny side-traffic. We are booked into the servers of the coordination center of the county via VPN (VPN client capability not to be done by the RouterBoard) which needs to be stable
All subnets should be Gigabit interfaces
Questions that arise here:
I see that there are devices that feature many GBit ports, but that are not directly connected to the CPU, but to a “Switch chip”. Do I see it right that I cannot do routing/firewalling between those, but only between “first level” eth interfaces that are directly controlled by the CPU? I’m confused about how to interprete the block diagrams shown…
If this is the case, I think that the smallest possible solution is a CCR1009-8G-1S-1S+, do I see this right or am I getting something wrong here? It features 5 GigabitPorts at the CPU, the sixth one could be used from the SFP. I guess the performance of this device would also be sufficient?
Alternatively, there would also be the possiblity to make use of the VLANs to reduce the routed physical ports by feeding a trunk port from the L2 VLAN switch to the RouterBoard. But this we want to avoid, as this will limit the internal throughput between shared servers and control room or other subnets to half (switch to router for firewalling, and back again on the same link…). Anyway, to be sure: this operational mode (routing between tagged VLANs on a trunk port) is supported?
I would be glad to hear some recommendations here 
If some more detail to specific points is needed I can concretize!
Best Regards,
Peter
) for what we want to do with it? Thanks in advance!