What I want to achieve:
I am currently building out a quite unique setup using two CRS112-8G-4S-IN switches with the goal of giving 6 downstream routers / firewalls access to 3 ISPs / upstream routers with the least amount of cabling while having HA. The different ISPs should be available on different VLANs to the downstream routers (VLAN 401, 402, …), one for each ISP router.
All the routing / DHCP / IP stuff would be fully handled by the upstream / ISP routers; the two MikroTik switches would only deal with L2 stuff (except for their management interface).
The upstream routers would be set up to hand out local IP addresses located in the first /25 of their range to all client firewall interfaces connected via the first switch and IPs in the second /25 for all interfaces connected via switch 2. Meaning each downstream router will receive two local IPs (one for each interface) from each ISP router (so a total of six IPs across three VLANs).
The switch port running untagged VLAN 400 would be connected to a management network, and the MikroTik WebUI should only be available on that interface and NOT on any of the other VLANs.
Topology of the entire setup:

Questions:
Where would you configure those vlans?
- In the Switch / VLAN Section
- Directly on the Interfaces
- Create a bridge with all the physical interfaces and then create VLANs on that bridge - from what I learned so far probably the best, right?
How can I ensure that the MikroTik management site / WinBox is not available except on the port running VLAN 400, without running all traffic of VLAN 401, 402, 403 through the CPU / firewall?
Is not assigning an IP to the switches on those VLANs enough? (Asking because they show up in WinBox via MAC.)
What do you think of this setup?
Is there something you would improve?
Thanks for any suggestions
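One way to lay this out on one of the two switches, as an added example that is not from the original post or from MikroTik's documentation. It assumes RouterOS v7 (where bridge VLAN filtering is hardware-offloaded on CRS1xx/CRS2xx), the port roles named in the comments, and a placeholder management subnet; the key point is that the bridge itself is a member of VLAN 400 only, so 401-403 never reach the CPU, while MAC-WinBox and neighbor discovery are pinned to the management VLAN.

```routeros
# Added example, not from the original post: RouterOS v7 bridge VLAN filtering
# on one CRS112-8G-4S-IN. Assumed port roles: ether1 = management (untagged VLAN 400),
# ether2..ether4 = ISP1..ISP3 (untagged on the ISP router side, mapped to 401..403),
# ether5..ether8 and sfp9..sfp12 = trunks to the downstream firewalls (401-403 tagged).
# 192.0.2.0/24 is a placeholder management subnet.
/interface bridge add name=bridge1 vlan-filtering=no
/interface bridge port
add bridge=bridge1 interface=ether1 pvid=400 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether2 pvid=401 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether3 pvid=402 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether4 pvid=403 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether5 frame-types=admit-only-vlan-tagged
add bridge=bridge1 interface=ether6 frame-types=admit-only-vlan-tagged
add bridge=bridge1 interface=ether7 frame-types=admit-only-vlan-tagged
add bridge=bridge1 interface=ether8 frame-types=admit-only-vlan-tagged
add bridge=bridge1 interface=sfp9 frame-types=admit-only-vlan-tagged
add bridge=bridge1 interface=sfp10 frame-types=admit-only-vlan-tagged
add bridge=bridge1 interface=sfp11 frame-types=admit-only-vlan-tagged
add bridge=bridge1 interface=sfp12 frame-types=admit-only-vlan-tagged
/interface bridge vlan
# Management VLAN: bridge1 (the CPU) is a tagged member, so a VLAN interface can sit on it.
add bridge=bridge1 vlan-ids=400 tagged=bridge1 untagged=ether1
# ISP VLANs: bridge1 is deliberately NOT a member, so these frames are switched in
# hardware between ports and never reach the CPU, firewall, or any management service.
add bridge=bridge1 vlan-ids=401 untagged=ether2 tagged=ether5,ether6,ether7,ether8,sfp9,sfp10,sfp11,sfp12
add bridge=bridge1 vlan-ids=402 untagged=ether3 tagged=ether5,ether6,ether7,ether8,sfp9,sfp10,sfp11,sfp12
add bridge=bridge1 vlan-ids=403 untagged=ether4 tagged=ether5,ether6,ether7,ether8,sfp9,sfp10,sfp11,sfp12
/interface vlan add name=vlan400-mgmt interface=bridge1 vlan-id=400
/ip address add address=192.0.2.11/24 interface=vlan400-mgmt
# Not having an IP on 401-403 is not enough on its own: MAC-WinBox and neighbor
# discovery work without IP. Restrict both to an interface list holding only the mgmt VLAN.
/interface list add name=MGMT
/interface list member add list=MGMT interface=vlan400-mgmt
/tool mac-server set allowed-interface-list=MGMT
/tool mac-server mac-winbox set allowed-interface-list=MGMT
/ip neighbor discovery-settings set discover-interface-list=MGMT
# Trim IP services and bind the remaining ones to the management subnet
/ip service disable telnet,ftp,www,api,api-ssl
/ip service set winbox address=192.0.2.0/24
/ip service set ssh address=192.0.2.0/24
# Belt and braces: the switch's own input chain accepts only from MGMT
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input in-interface-list=MGMT action=accept
add chain=input action=drop
# Enable filtering last, once the mgmt path is verified, to avoid locking yourself out
/interface bridge set bridge1 vlan-filtering=yes
```

The second switch gets the same configuration with its own management address; after enabling filtering, confirm with `/interface bridge port print` that every port shows the `H` (hardware offload) flag, because a port without it means its VLAN traffic is being handled by the CPU after all.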