What is the best methodology to build this from the ground up?
The sort of input I am looking for is like this : on device ABC configure these ports raw with VLAN trunking, on those ports make a bridge because blah blah. This device and that device should share a subnet between X and Y because blah blah. Use this MT feature here because blammo.
I have the following Network elements and am looking for some help in the best way to put it all together including Network addressing scheme. What is the best approach to build it from the ground up including whether or not to use bridges, how best to use VLANS, etc. I should note I want to configure everything manually and do not want to use CAPSMAN for the APs
RB5009UPr+S+, HAP AC3, CAP Current Gen x 2, CAP Previous Gen x 1, 24 Port L2 Switch
I want the last ethernet port on each device configured as a dedicated management port that is out of band. And ideally I’d have them all connect back to an out of band switch. That way I always have management access to fix anything if I screw up a configuration. I will also have an in-band management VLAN.
Everything is mikrotik
RB5009 router with the leftmost port being an SPF plus that I do not have a module for so it is currently unused. Then 8 regular ethernet ports, the first of which is 2.5 GB and the rest are 1 GB. Most of these ports are dedicated to connecting to a specific device, and I want to have VLANS shared amongst all devices. But I might want to have a different set of VLANs exposed to each of these ports mainly for security reasons. So I am thinking that a bridge is not appropriate here but not sure.
P1 - WAN
P2 - free - will probably be used for an Eero mesh - for reasons
P3 - L2 switch
P4 - Access Point
P4 - Access Point
P6 - Access Point
P7 - Wifi Router
P8 - Management
HAP AC3 wifi router x 1 - on Port 7
Then I have two ethernet cables going up to my desk. Those go to Port 7 and Port 8 so that I always have direct management access at my desk if required. Port 7 goes to a Wi-Fi router with five ethernet ports. The wifi router is located at my desk.
This is the router at my desk FWIW https://help.mikrotik.com/docs/spaces/UM/pages/39059457/hAP+ac3
I want to keep the right-most port on the router as a dedicated management port as well.
CAP access point - 2 x current version, 1 x previous release
The switch is located in the basement on the rack with the rest of the internet gear
The three access points are located around the house and have cables running to them already. It is a large house and yes 3 x APs plus 1 x Wifi Router are justified.
I want mostly everything to be VLAN based with the following VLANS currently in mind.
IP range - vl-name - description
10.2.11.0/24 - vl-mgmt - in-band management network
10.2.22.0/24 - vl-server - servers - might want to subdivide for server zones
10.2.33.0/24 - vl-kids-wifi - kids wifi
10.2.44.0/24 - vl-kids-wired - kids wired
10.2.55.0/24 - vl-iot - IOT
10.2.66.0/24 - vl-guest-wifi - Guest Wifi
10.2.77.0/24 - vl-guest-wired - Guest Wired
10.2.88.0/24 - vl-tr-wifi - Trusted wifi (adult residents)
10.2.99.0/24 - vl-tr-wired - Trusted wired
I am looking for recommendations on the best way to design my IP network for this
I want mostly everything to be VLANed except for the . But there is also the out-of-band 10.0.254.0/24 physical management network too as described above. I also will have a separate in-band management network.
I am guessing all of the hardware devices should be on the same /24 Network at least on the management side but not sure what do configure on the data-path side. And then just configuring vlans on individual ports from there.
Building out the devices hanging off the RB5009 - I know MT folks seem to like bridges all over the place but to me this looks like each port should just be bare VLAN Trunking and configured to send the desired VLANs to the device on the port. Because I might want to have different VLANs go to different devices. In fact I know I do - all the wired VLANs should not be going to the APs. Well, I might daisy chain a switch off one to my kid’s room and make an exception with the kids wired VLAN.
The Wifi router that will be at my desk will have the right-most port management and the left-most port uplink to the RB5009 - the rest of the ports probably just a bridge / LAN. But we’ll see I might decide to have a server at my desk rather than in the basement.
Management Network IPs
Here I am thinking the IP of each device on the OOB (out of band) management network would correspond to the port number it plugs into to make it easy to remember. Sort of a pattern. Since Port 1 goes to the WAN it will not introduce a conflict having the RB5009 as the .1.
10.0.254.1 - RB5009
10.0.254.2 - currently unused
10.0.254.3 - MT switch 24 port L2
10.0.254.4 - CAP current gen
10.0.254.5 - CAP current gen
10.0.254.6 - CAP previous gen
10.0.254.7 - HAP AC3 wifi router