I have two CRS309 switches. The goal is to connect them via a single ethernet cable that goes from a wiring closet on an upper floor to a lower floor basement. That connection is trunked and carries two VLANs:
- VLAN 10 brings the WAN connection from the ISP's modem from the wiring closet to the basement where the router and other networking gear are
- VLAN 20 brings the LAN-side connection from the router back up to the wiring closet, from where it fans out to the rooms
So the main goal is to securely combine the WAN and LAN traffic over that single ethernet cable.
The ports on the two CRS309 switches are assigned as follows:
- SFP+1: tagged, trunk to the other switch (VLANs 10, 20)
- SFP+2: untagged, WAN connection, on the upper floor switch to ISP modem, on the lower floor switch to the router's WAN port (VLAN 10)
- SFP+3-8: untagged, LAN (VLAN 20)
  - On the lower floor switch from the router's LAN port into one of these and then some other equipment that needs to be on the LAN side into the others.
  - On the upper floor fanning out using the wiring closet patch panel to the various rooms.
The switches each get an IP address on the LAN (VLAN 20) subnet for management access. There is no separate management VLAN for that, I want to be able to reach them on all ports that are mapped to the LAN VLAN.
Below is what I came up with. Does this look reasonable and will it meet the goals listed above? Is it secure regarding preventing any kind of malicious access from the WAN side to the switches, before the packets get to the router port where the firewall/NAT will run?
Side note: the reason for not terminating the VLAN trunk in the router and instead running two separate ethernet cables between the switch and the router is to preserve the full ISP connection bandwidth. The router is older and it only has 1gbit ports. The ISP service is 1gbit. The switches are 10gbit.
If I'm understanding correctly, the proposed setup should preserve the full 1gbit ISP bandwidth for a client on the upper floor (assuming the router can keep up with NAT/firewall etc.). If I were to terminate the trunk in the router, then the WAN and LAN traffic would have to share the same 1gbit ethernet port, cutting throughput in half for a LAN client.
Code:
/system/identity/set name=switch-crs309-b
# replace the default account (index 0, admin on a default config) with a named user that has an SSH key
/user/add group=full name=somename password=somepassword
/user/ssh-keys/add user=somename key="ssh-rsa xxxx"
/user/remove 0
/interface/bridge/port
# trunk to the other switch: accept tagged frames only
set [find where interface=sfp-sfpplus1] frame-types=admit-only-vlan-tagged
# WAN port: untagged frames are placed in VLAN 10
set [find where interface=sfp-sfpplus2] pvid=10 frame-types=admit-only-untagged-and-priority-tagged
# LAN ports (plus the ether1 management port): untagged frames are placed in VLAN 20
set [find where interface~"(sfp-sfpplus[3-8]|ether1)"] pvid=20 frame-types=admit-only-untagged-and-priority-tagged
/interface/bridge/vlan
# VLAN 10 only crosses the trunk; the bridge (CPU) interface is not a member
add bridge=bridge tagged=sfp-sfpplus1 vlan-ids=10
# VLAN 20 crosses the trunk and also reaches the bridge interface for management
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=20
/interface/vlan/add interface=bridge vlan-id=20 name=lan-mgmt
# do these in one operation so we don't lose connectivity
/ip/address/set [find where address="192.168.88.1/24"] interface=lan-mgmt ; /interface/bridge/set bridge vlan-filtering=yes
# the bridge interface itself accepts tagged frames only; management goes through the lan-mgmt VLAN interface
/interface/bridge/set bridge frame-types=admit-only-vlan-tagged
# switch to final management IP
/ip/address/set [find where address="192.168.88.1/24"] address=192.168.20.2/24 network=192.168.20.0
</ip/address/set>
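To check the isolation question in the post before loading the script onto the switches, the following added example (constructed for this page; it is not RouterOS code and not part of the original post) models how RouterOS bridge VLAN filtering treats the posted port and VLAN table, then asks for each port which VLANs can carry a frame to the switch CPU. It assumes ingress-filtering=yes (the RouterOS 7 default), that a port which admits only tagged frames is not added as a dynamic untagged member of its pvid, and it ignores MAC learning, STP and hardware offload; only VLAN membership decides where a frame may go.

```python
# Added model of RouterOS bridge VLAN filtering for the posted config.
# Constructed example, not RouterOS code.  Assumptions: ingress-filtering=yes
# (the RouterOS 7 default), a port that admits only tagged frames gets no
# dynamic untagged VLAN entry for its pvid, and MAC learning, STP and hardware
# offload are ignored: only VLAN membership decides where a frame may go.
from typing import Dict, Optional, Set

UNTAGGED_ONLY = "admit-only-untagged-and-priority-tagged"
TAGGED_ONLY = "admit-only-vlan-tagged"

# bridge port settings from the posted script; "bridge" is the switch CPU port
PORTS: Dict[str, dict] = {
    "bridge":       {"pvid": 1,  "frame_types": TAGGED_ONLY},
    "sfp-sfpplus1": {"pvid": 1,  "frame_types": TAGGED_ONLY},    # trunk
    "sfp-sfpplus2": {"pvid": 10, "frame_types": UNTAGGED_ONLY},  # WAN
    "ether1":       {"pvid": 20, "frame_types": UNTAGGED_ONLY},  # LAN
}
for n in range(3, 9):                                            # LAN fan-out
    PORTS[f"sfp-sfpplus{n}"] = {"pvid": 20, "frame_types": UNTAGGED_ONLY}

# static /interface/bridge/vlan entries from the posted script
STATIC_VLANS = {
    10: {"tagged": {"sfp-sfpplus1"}, "untagged": set()},
    20: {"tagged": {"bridge", "sfp-sfpplus1"}, "untagged": set()},
}


def vlan_table() -> Dict[int, Dict[str, Set[str]]]:
    """Static entries plus the dynamic untagged membership RouterOS derives
    from each port's pvid (assumed to be skipped for tagged-only ports)."""
    table = {vid: {"tagged": set(m["tagged"]), "untagged": set(m["untagged"])}
             for vid, m in STATIC_VLANS.items()}
    for port, cfg in PORTS.items():
        if cfg["frame_types"] == TAGGED_ONLY:
            continue
        entry = table.setdefault(cfg["pvid"], {"tagged": set(), "untagged": set()})
        entry["untagged"].add(port)
    return table


def admitted(port: str, tag: Optional[int]) -> bool:
    """Ingress frame-types check. tag None = untagged, 0 = priority-tagged."""
    ft = PORTS[port]["frame_types"]
    if ft == TAGGED_ONLY:
        return tag not in (None, 0)
    if ft == UNTAGGED_ONLY:
        return tag in (None, 0)
    return True  # admit-all


def forward(ingress: str, tag: Optional[int]) -> Dict[str, Optional[int]]:
    """Egress ports for one frame, mapped to the VLAN id it leaves with
    (None = leaves untagged).  An empty dict means the frame is dropped."""
    if not admitted(ingress, tag):
        return {}
    vid = PORTS[ingress]["pvid"] if tag in (None, 0) else tag
    members = vlan_table().get(vid)
    # ingress filtering: the VLAN must exist and the port must be a member of it
    if members is None or ingress not in members["tagged"] | members["untagged"]:
        return {}
    out: Dict[str, Optional[int]] = {p: vid for p in members["tagged"] if p != ingress}
    out.update({p: None for p in members["untagged"] if p != ingress})
    return out


def cpu_reachable_vids(port: str) -> Set[int]:
    """VLAN ids over which a frame entering `port` can reach the switch CPU,
    trying untagged, priority-tagged and every VLAN id in the table."""
    reach: Set[int] = set()
    for tag in [None, 0, *vlan_table()]:
        if "bridge" in forward(port, tag):
            reach.add(PORTS[port]["pvid"] if tag in (None, 0) else tag)
    return reach


if __name__ == "__main__":
    for port in PORTS:
        vids = sorted(cpu_reachable_vids(port))
        print(f"{port:13s} reaches CPU via VLANs {vids or 'none'}")
```

With the posted configuration the model reports that the WAN port (sfp-sfpplus2) reaches the CPU over no VLAN at all, a tagged VLAN 20 frame arriving on the WAN port is dropped by its frame-types setting, and the trunk and LAN ports reach the CPU only over VLAN 20. The model's VLAN table should be compared against the dynamic entries that `/interface/bridge/vlan print` shows on the real switch once vlan-filtering is on, since the treatment of pvid on tagged-only ports above is an assumption, not something the post confirms.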