RB1100AHx2 as Core Switch and Router

I have a small office network with two companies and a guest network sharing the same physical infrastructure and a single WAN link.

The network consists of 3 HP V1810-48G switches, 5 Ubiquiti Unifi APs, a Ubiquiti ToughSwitch 8 Pro, the RB1100AHx2 and the WAN cable modem. I’d like to use the RB1100AHx2 as my core switch, which should easily be doable as I only have 4 links to the HP and Ubiquiti switches. One of the two 5-port switch chips gives me room to add a 4th HP switch down the road. Right now the HP switches are on ethernet 1-3, the ToughSwitch is on ethernet 4 and WAN is on ethernet 12. I have ethernet 2-5 slaved to ethernet 1, which, as I understand it, builds a virtual switch on ethernet 1-5 with a virtual link to the router also on ethernet 1.

With no VLANs configured, DHCP running on a Windows server, and everything linked up, it’s all working beautifully without any isolation and everything running on VLAN 1. I want to isolate traffic between the two companies and guest network using 3 VLANs configured on the switches and Ubiquiti network. I also want to maximize throughput for LAN traffic moving across the router, which means I want to keep as much traffic as possible within the switch chip unless it absolutely has to hit the router CPU.

I know I need to trunk my VLANs to the switches on each of the ports; that’s all conceptually simple.
My big questions are these:
Does the traffic coming in on ethernet 1 and the virtual CPU port for the switch chip share a single port’s gigabit bandwidth, or is the virtual port to the router its own internal link? I assume the second scenario, but I’d like to know for sure.
I’ve seen several different suggestions on how to create and bridge VLANs between the ports. Is there a method that will keep the majority of my inter-switch LAN traffic in the switch chip and out of routing functions?
Is it possible to use switch-level rules to accomplish VLAN isolation, or is there some way to disable the default inter-VLAN routing so that only specifically routed inter-VLAN traffic flows and the firewall doesn’t need to be engaged to keep the networks isolated?

I think I’ve got a decent handle on the RB configuration via Winbox. I can set up the VLAN subnets and necessary DHCP servers and assign things so that my Ubiquiti networks hand out the proper addressing to clients, but I’m not entirely certain I approached it in the most efficient manner, and not all of my networks could reach the internet. My company networks were on 192.168.100.0/24 and 192.168.101.0/24. The guest network was in a completely different range at 10.1.50.0/24. The default NAT rule appeared to handle traffic on the 192. subnets but not the 10. subnet.

Any suggestions on general configuration tasks to accomplish the highest throughput would be helpful and appreciated.