Router -> Switch connection - better with or without VLAN

Hi,

I have a CRS125-24G-1S-IN configured to work as router and switch in my home network.

I upgraded my bandwidth and will configure a VPN to access my network externally. So I bought an RB3011UiAS-RM to work as the router and leave the CRS125 only as a switch.

I use 4 subnets with firewall rules to allow/block communications between them.

My question is about the best way to connect the router and switch:

Option 1:
Create 4 bridges in the switch and connect each one to the router (4 cables).

Option 2:
Create 1 bridge in the switch and 4 VLANs and connect only one cable (trunk) to the router.

Obviously in Option 2 I’ll use fewer ports (one versus four ports used on each device), but that is not relevant because I won’t need those ports in my network.

RB3011_CRS125.png

Adding and stripping VLAN tags costs some small amount of CPU time, so that’s one reason to use one cable per VLAN. Another thing to bear in mind is the internal architecture of the 3011. Hence you have to think about the traffic volumes between VLANs in each pair and between the internet uplink and each VLAN, and distribute the interconnections between the 3011 and the CRS in such a way that you ideally don’t exceed the 2 Gbit/s capacity of each link between the switch chip and the CPU on the 3011 (if you use the SFP port of the 3011, there is only a 1 Gbit/s link to switch chip 2). On yet another hand, check the Ethernet test results of the 3011: it won’t route a full 4 Gbit/s in a real-life deployment (firewall, shorter-than-1500-byte packets).

Thanks.

So I’ll not use VLANs at all, but configure 4 bridges in the switch and connect one cable for each. The two subnets with more traffic I’ll connect to separate switch chips of the RB3011 (eth5 and eth6, for example).

Is there any reason to use 1 bridge with 4 VLANs instead of 4 separate bridges?

On a CRS1xx the VLAN handling is done in hardware even if configured using the /interface bridge configuration tree, so it doesn’t cause any CPU load. So yes, I’d use a single bridge with vlan-filtering=yes and access ports for the individual VLANs, as I’m not sure whether all of the individual bridges would get the “hardware acceleration”, which means direct forwarding between switch chip ports without the CPU ever seeing the frames.
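
For reference, here is what the single-bridge/trunk layout (Option 2) looks like in RouterOS on both boxes. This is an added example, not configuration posted by anyone in this thread: the VLAN IDs (10/20/30/40), the choice of ether1 as the trunk and ether2-ether5 as access ports on the CRS125, and the 192.168.x.1/24 addresses on the RB3011 are all assumptions for illustration. The frame-types and ingress-filtering settings are not strictly needed for forwarding, but without them the trunk accepts untagged frames and the access ports accept tagged ones, which is the usual starting point for VLAN hopping.

```routeros
# ---- CRS125 (switch side): one bridge, four VLANs, ether1 is the trunk to the RB3011 ----
# VLAN IDs, port roles and addresses in this example are assumptions, not from the thread.

/interface bridge
add name=bridge1 vlan-filtering=no comment="filtering is switched on last, after the VLAN table is complete"

/interface bridge port
# Trunk to the router: only 802.1Q-tagged frames are accepted, no PVID fallback.
add bridge=bridge1 interface=ether1 frame-types=admit-only-vlan-tagged ingress-filtering=yes
# Access ports: untagged on the wire, stamped with their PVID inside the bridge.
add bridge=bridge1 interface=ether2 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether3 pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether4 pvid=30 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether5 pvid=40 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

/interface bridge vlan
# Each VLAN leaves tagged on the trunk and untagged on its own access port.
# If the switch is managed over one of these VLANs, add bridge1 to that VLAN's tagged list
# and create an /interface vlan on bridge1 for the management address.
add bridge=bridge1 tagged=ether1 untagged=ether2 vlan-ids=10
add bridge=bridge1 tagged=ether1 untagged=ether3 vlan-ids=20
add bridge=bridge1 tagged=ether1 untagged=ether4 vlan-ids=30
add bridge=bridge1 tagged=ether1 untagged=ether5 vlan-ids=40

# Enable filtering only now, so an incomplete VLAN table cannot lock you out.
/interface bridge set bridge1 vlan-filtering=yes

# ---- RB3011 (router side): the trunk port carries four VLAN interfaces ----
# The existing inter-subnet firewall rules attach to these interfaces instead of to four
# physical ports; nothing else about the rules has to change.
/interface vlan
add name=vlan10 interface=ether1 vlan-id=10
add name=vlan20 interface=ether1 vlan-id=20
add name=vlan30 interface=ether1 vlan-id=30
add name=vlan40 interface=ether1 vlan-id=40

/ip address
add address=192.168.10.1/24 interface=vlan10
add address=192.168.20.1/24 interface=vlan20
add address=192.168.30.1/24 interface=vlan30
add address=192.168.40.1/24 interface=vlan40
```

After enabling vlan-filtering on the CRS125, run `/interface bridge port print` and check that the ports still carry the H (hardware offload) flag; if they lose it, inter-VLAN traffic on the switch is being forwarded by the CPU rather than the switch chip, which is exactly the trade-off this thread is discussing.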

The wiki says that only CRS3xx can do that (https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#Bridge_Hardware_Offloading):
Note: Currently only CRS3xx series devices are capable of using bridge VLAN filtering and hardware offloading at the same time, other devices will not be able to use the benefits of a built-in switch chip when bridge VLAN filtering is enabled.

I’m using 4 separate bridges in the CRS1xx with hardware offloading activated, with no problems.