How to use one CRS as >separate< Switch and >Separate< Firewall

Hello,

I am playing with the idea to use my CRS317 as two completely independent machines.

  • as managed switch (the main goal of the switch)
  • as small firewall (as emergency firewall / router)

Setting up the switch is not the problem, and I will probably manage to set up a firewall as well. The problem is that I do not manage to define the two functions independently of each other. I am not even sure if it is possible!

So if you take the CRS317 the setup I have in mind is:

As mini firewall

  • SFP+_1 = internet connection / connection to the provider's fiber switch
  • SFP+_2 = the output trunk of the firewall
  • I defined an extra bridge, the 'firewall-bridge'

As managed switch

  • SFP+_3 … SFP+_16
  • the switch is assigned to the main bridge

Switch and firewall are using identical address ranges etc.; however, they are separate networks.
A DHCP server defined for the FW with range 192.168.A.0/24 should not have any impact on 192.168.A.0/24 on the managed switch.
The FW should only work on the FW-bridge and not on the managed switch part.

In case and only in case of outage of my normal firewall, I would interconnect the local mini firewall with the switch part of the CRS.

Be aware that I am not sure this is possible; however, if this works I would have an emergency firewall/router without having to invest in a separate machine.

Just remove SFP+1 and SFP+2 as ports from the bridge, and if you need to attach a management address to the bridge interface that fits to the subnet attached to SFP+2, create a VRF that will contain the bridge as its only interface. This will make the IP address attached to the bridge “invisible” to the “default VRF” where SFP+1 and SFP+2 live unless you connect SFP+2 with some port of the bridge using a cable.

I think it's illogical to do both at the same time, but given that it's wholly possible, due to the flexibility of RoS, then why on earth would you want to create additional subnets (on the router-acting part) that have the same addresses as subnets traversing the switch part?

I have been thinking in that direction. However, if you take the DHCP server and the firewall as examples, then as far as I can tell, you cannot tell the DHCP server or the firewall that they should exclusively work for vrf2.

In fact I did define things like

  • vlanA on bridge2, and I also have vlanA' on the main bridge.
  • address range B on bridge2 and B' on the main bridge.
  • and assigned address range B to vlanA on the FW-bridge, etc.

I ran into problems, so I was thinking in the same direction, but encountered issues.

To answer your "why on earth" question:

I use pfSense as my normal firewall. It has the VLAN gateways and the related DHCP servers and rules. The emergency router I have in mind should mimic a small part of my normal pfSense router, including the same address ranges etc.

The intention is just to have an operational network (some internet access etc) for the case my pfSense router is temporarily not available for some reason.

Ah okay,
So normally the router trunk from the CRS that contains the subnet would not be used but would sort of sit there waiting? And I note that if pfSense is not working, there are no subnets coming in on the switch-side trunk.

You’ve said before that the switch part should be just a switch. DHCP server is something I would run on the pfSense during normal times and therefore I would attach it to SFP+2 on the “emergency router/firewall”, not to the bridge.

The only reason why the bridge even needs an IP address is that it can be managed during normal times when the "emergency" part is completely disconnected from the network, but now, as I am writing it, I realize that I forgot to write that the management services (ssh, www, winbox) have to be attached to that VRF as well.

So when you remove the cable from SFP+2 and connect it to pfSense, you can manage the CRS using that address, including configuring the router+firewall part. When you remove the cable from pfSense and connect it to SFP+2, the DHCP server running in the default VRF will be reachable through the switch, all devices connected to the switch will communicate via the default VRF, etc. The cable will make a "short circuit" between the two VRFs, in the sense that the CRS's own address in the auxiliary VRF will be accessible to hosts connected to the switch.
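The two answers above (remove SFP+1/SFP+2 from the bridge, park the bridge's management address in its own VRF, bind the management services to that VRF, and hang the DHCP server on the SFP+2 side) translate into the following RouterOS v7 configuration. This is an added illustration written for this thread, not a config posted by either participant. Everything named here is an assumption for the sake of the example: the main switch bridge is called `bridge1`, the management VLAN is 99 on 192.168.99.0/24 with pfSense at .1, the emergency router carries VLAN 10 on 192.168.10.0/24 over `sfp-sfpplus2`, and the VRF is called `mgmt`. Substitute your own VLAN IDs and ranges.

```routeros
# Added example, not from the original thread. RouterOS v7 syntax.
# Assumed names/values: bridge1, VRF "mgmt", mgmt VLAN 99 (192.168.99.0/24,
# pfSense gateway .1), emergency VLAN 10 (192.168.10.0/24) on sfp-sfpplus2.

# 1. Take the two "router" ports out of the switch bridge, so there is no
#    L2 path between the switch part and the router part inside the box.
/interface bridge port remove [find interface=sfp-sfpplus1]
/interface bridge port remove [find interface=sfp-sfpplus2]

# 2. Management address lives on the bridge (tagged VLAN 99 delivered by
#    pfSense) and is put into its own VRF, so it is invisible to the
#    default VRF where sfp-sfpplus1/2 and the emergency router live.
/interface vlan add name=vlan99-mgmt interface=bridge1 vlan-id=99
/ip vrf add name=mgmt interfaces=vlan99-mgmt
/ip address add address=192.168.99.2/24 interface=vlan99-mgmt
/ip route add dst-address=0.0.0.0/0 gateway=192.168.99.1 routing-table=mgmt

# 3. Management services listen in the default VRF unless told otherwise;
#    move them to the mgmt VRF or the bridge address is unreachable.
/ip service set ssh vrf=mgmt
/ip service set www vrf=mgmt
/ip service set winbox vrf=mgmt

# 4. Emergency router in the default VRF: WAN on sfp-sfpplus1, VLAN 10 with
#    gateway address and DHCP server on the sfp-sfpplus2 trunk (not on the
#    bridge). The 192.168.10.0/24 range may overlap with whatever transits
#    the switch bridge; the bridge never routes, so there is no conflict.
/ip dhcp-client add interface=sfp-sfpplus1 disabled=no
/interface vlan add name=vlan10-fw interface=sfp-sfpplus2 vlan-id=10
/ip address add address=192.168.10.1/24 interface=vlan10-fw
/ip pool add name=pool10 ranges=192.168.10.100-192.168.10.199
/ip dhcp-server add name=dhcp10 interface=vlan10-fw address-pool=pool10 disabled=no
/ip dhcp-server network add address=192.168.10.0/24 gateway=192.168.10.1 \
    dns-server=192.168.10.1

# 5. Minimal stateful firewall and NAT for the emergency router. These
#    rules only see traffic that is routed by the CRS; frames merely
#    switched through bridge1 never enter the IP firewall.
/ip firewall filter add chain=input connection-state=established,related action=accept
/ip firewall filter add chain=input in-interface=sfp-sfpplus1 action=drop
/ip firewall filter add chain=forward connection-state=established,related action=accept
/ip firewall filter add chain=forward in-interface=sfp-sfpplus1 connection-state=new action=drop
/ip firewall nat add chain=srcnat out-interface=sfp-sfpplus1 action=masquerade
```

Two caveats when applying this. If `bridge1` has `vlan-filtering=yes`, VLAN 99 must also be allowed on the bridge itself (`/interface bridge vlan add bridge=bridge1 tagged=bridge1,sfp-sfpplus3 vlan-ids=99`, with the trunk port name adjusted), otherwise the management address never receives any frames. And the DHCP server and firewall rules above are in the default VRF, so in normal operation they are reachable only through `sfp-sfpplus2`; patching SFP+2 to SFP+3 during the emergency is exactly the "short circuit" described in the answer, at which point 192.168.99.2 in the mgmt VRF also becomes reachable from the switch side.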

Just some more info.

  • SFP1 = connection to the fiber switch in case pfSense is not available
  • SFP2 = output trunk of the local mini firewall containing a selection of the normal VLANs
  • SFP3 = a trunk to the managed switch part of the CRS, normally connected to pfSense

The emergency switch over I have in mind is:

  • connect the fiber switch normally connected to pfSense to SFP1
  • connect SFP2 to SFP3 so that the mini FW takes over from pfSense

So with this action the mini FW should take over all functions normally provided by pfSense, including the DHCP server for the selected VLANs.

The CRS as a whole is normally managed via the management VLAN as provided by pfSense. To make that possible, the bridge has an IP on that VLAN. All other VLANs do not have an IP on the CRS.

This is what you probably expected, but I thought it is good to explicitly describe it here.

PS.
Additional but not relevant here, I can also manage the CRS via ether1.
(Using a third bridge having its own IP and just one port ether1)