RB4011 - best setup

Hello all

I would appreciate your input to help me configure an RB4011 (new version, if that matters) to work as efficiently as possible.

See drawing for what I had in mind.
RB4011.png
W1 is a static public IP
W2 is a dynamic public IP
W3 is a static public IP

I understand the RB4011 has two fairly powerful switch chips, one dedicated for p1-5, the second one for p6-10.

p10 on the RB4011 will be a dedicated management port.

I was thinking of making p2 a trunk port as illustrated and route all this port’s traffic out p1 (W1).
Then use p5 for a separate VLAN, and route its traffic out p4 (W2)
Lastly, I would put the PBX on p7 and route the traffic out on p6 (W3) (side note, I don’t have IP phones, only a handful of digital sets, so I only need one NIC on the routing/switching hardware)

Looking at my drawing, I have questions, and it’s highly likely I’m overthinking this.

1/ If I make p2 a trunk port without setting up a bridge, am I still using the switch chip?
2/ Same question if I treat p5 the same way
3/ Does it even make sense to split VLAN 40 off from the other trunk (bridge?) on p2?
4/ With respect to routing the traffic from VLAN40 to a different WAN than the other VLANs, I “thought” it would be simpler to keep VLAN40 on its own trunk port. Correct, or incorrect?
5/ Related to p2 and p5 setup, would you expect a (noticeable) performance difference for VLAN40 by putting all VLANs on one bridge, vs. keeping VLAN40 separate?

I hope my questions make sense. And I hope someone can chime in and help me understand/guide me to the most practical solution.

Last note, in case you were wondering - the VLAN trunk ports will come off a managed switch.
If I keep VLAN40 separate from the other VLANs, I will give it its own trunk port on the switch. (or even give it its own small managed switch)
The PBX will not go through the switch as there is no point in that.

RB4011 is an old router, what do you mean by new version?

Just to make things clear: the switch chip only really kicks in when switching (that’s an L2 operation) between ports controlled by the same switch chip. An example would be if you use ports ether8-ether10 as parts of a LAN switch and a device connected to ether8 communicates with a device connected to ether10.

Any other port role (mainly routing between ports) excludes the use of switch chip acceleration. Unlike some switch chips found in “serious devices” (CRS, CCR), which support L3 (IP routing, firewalling) offload, the switch chips in the RB4011 don’t.

So the only issue you have to care about with the RB4011 and your (main) use case is to evenly distribute traffic between both port groups, due to the throughput limitation of the CPU-switch chip interconnects (which are 2.5Gbps full duplex each), but that shouldn’t be a big problem either.

When it comes to L3 design (VLAN interfaces are L3 entities), it doesn’t really matter how exactly they are constructed (port->vlan or port->bridge->vlan); everything will be handled by the CPU anyway. It doesn’t make any sense to use a bridge with a single port because (as described in the first paragraph of this post) nothing will be offloaded to the switch chip anyway, and adding a bridge only adds (a tiny amount of) overhead.
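
The port->vlan layout discussed above, combined with the per-WAN routing from the first post, as an added RouterOS v7 configuration sketch that is not from any poster in this thread. Every VLAN ID except 40, all subnets, the table name `via-w2` and the W2 gateway address are constructed placeholders; port numbers follow the plan in the question (p2 and p5 trunks, p4 for W2).

```routeros
# Added example, not from the thread. Assumes RouterOS v7 and default port names.
# VLAN IDs 10/20, the 192.168.x.0/24 subnets and 203.0.113.1 are constructed.

# VLAN interfaces attached directly to the trunk ports, no bridge involved.
/interface vlan
add name=vlan10 vlan-id=10 interface=ether2
add name=vlan20 vlan-id=20 interface=ether2
add name=vlan40 vlan-id=40 interface=ether5

# One gateway address per VLAN; each VLAN interface is a routed (L3) interface.
/ip address
add address=192.168.10.1/24 interface=vlan10
add address=192.168.20.1/24 interface=vlan20
add address=192.168.40.1/24 interface=vlan40

# Separate routing table whose default route leaves through W2 on ether4.
/routing table
add name=via-w2 fib
/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-table=via-w2
# W2 is dynamic in the question, so this gateway is only a placeholder and
# has to be kept in step with whatever the provider hands out.

# Rules are evaluated in order. Destinations inside the local 192.168.0.0/16
# range are resolved in the main table (whether VLANs may reach each other is
# a firewall decision, not shown); everything else from VLAN 40 uses via-w2.
/routing rule
add src-address=192.168.40.0/24 dst-address=192.168.0.0/16 action=lookup table=main
add src-address=192.168.40.0/24 action=lookup table=via-w2

# Source NAT for traffic leaving on W2.
/ip firewall nat
add chain=srcnat out-interface=ether4 action=masquerade
```

The routing decision is keyed on the source subnet, so it works the same whether vlan40 sits on ether5 or shares the ether2 trunk with the other VLANs.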

Brand new in the box for me. The label says “new version”, and password is on the sticker.

Thank you for the detailed explanation. Based on what I know and you confirmed, I will stick with my plan, then.

Thanks, I’d be curious to see a pic of the label that says new version.

See pic. I must have confused myself. I see now it says “new” on the SKU label. Previously I read that newer/later models of routers had a password, as opposed to a generic “admin”, and I blended “new” and “newer model”.

You can see the picture for what I have. The “/r2” after the serial perhaps indicates a “revision 2”? Idk