Hello all.
I am considering moving to RouterOS 7 to help remove a single point of failure I have currently and wanted to see if anyone could shed some thought on my proposed solution.
I currently have a pair of Fortinet firewalls in an Active/Standby pair. Each of those has a LAG to a CSS326-24G-2S+. The CSS326-24G-2S+ then has two LAGs, one each to a pair of RB4011s that are running VRRP. Each RB4011 is then hooked up to a different CRS309-1G-8S+ via 10G. The CRS309-1G-8S+ switches then host the ESXi hosts, which connect to both CRS309-1G-8S+ switches, providing fault tolerance, and then I have two CRS328-24P-4S+RM connected to the CRS309-1G-8S+ switches for my LAN access. So right now I have redundancy everywhere but on that CSS326-24G-2S+.
So in my mind I have two options, and Option #1 is what I am hoping will work. Now I think from reading the docs both will work, but my question is about VLANs and maybe I just don't fully understand. Today the VLAN from the firewall to the CSS326-24G-2S+ is VLAN 10; then that VLAN 10 also goes to the RB4011 via a LAG on copper, and then to the CRS309-1G-8S+ via a single copper link. The connection to the RB4011 on VLAN 10 is the default gateway to the internet, so all my LAN VLANs use the 4011 as their gateway and the 4011 sends internet traffic out VLAN 10. The connection on the CRS309-1G-8S+ on VLAN 10 allows my ESXi hosts to have VMs in the DMZ to host applications.
Drawing of what I think Option #1 would look like. I have also attached a text file of all the interface command printouts.
Thank you for your time and help.
Option #1
Pull out the CSS326-24G-2S+ and upgrade both RB4011s to RouterOS 7, create an MLAG, and with each RB4011 having 2 links to the firewall, create a 4 Gb LAG. This way if I lose an RB4011 I still maintain the needed 1 Gb+ connection to my firewalls.
# If I go this route, can I assign VLAN 10 to both the LAG connecting to the firewall and the 10G SFP? Will that mess up anything like my VRRP? I have only used SwOS for switching, where I have one VLAN on multiple ports.
Option #2
Pull out the CSS326-24G-2S+ and replace it with two CRS326-24G-2S+RM, upgrade those to RouterOS 7, and create an MLAG to the firewall with four 1 Gb connections like above, and then run a single 10G connection from each of the CRS326-24G-2S+RM to one of the CRS309-1G-8S+.
# I feel like this will of course work because there is no VRRP and maybe not even a need for an IP except for one to manage it. But this means buying more switches.
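A RouterOS 7 configuration sketch for Option #1 on one of the two RB4011s, added here as an example; it is not taken from the poster's attached printouts or from MikroTik's documentation verbatim. It assumes the RouterOS 7 MLAG syntax (`peer-link` on the bridge, `mlag-id` on the bonding's bridge port, `/interface/bridge/mlag/monitor` for status), hypothetical port names (ether2 and ether3 as the firewall LAG members, sfp-sfpplus1 to the CRS309-1G-8S+, ether10 as the MLAG peer link to the other RB4011), and addresses from the 192.0.2.0/24 documentation range. Whether a given model supports MLAG at all should be checked against the MikroTik hardware notes before building on this.

```routeros
# Added example, not from the original post. Unit "rb4011-a"; the second unit
# is the same except for its own vlan10 address and a lower VRRP priority.
# Assumed ports: ether2,ether3 -> firewall, sfp-sfpplus1 -> CRS309, ether10 -> peer link.

/interface bridge
add name=bridge1 vlan-filtering=yes

# LACP bond to the firewall. The same mlag-id on both RB4011s makes the two
# 2-port bonds appear to the Fortinet as a single 4-port LAG.
/interface bonding
add name=bond-fw mode=802.3ad slaves=ether2,ether3 \
    transmit-hash-policy=layer-2-and-3 lacp-rate=1sec

# Trunk ports accept tagged frames only, so an untagged frame from a
# misconfigured firewall or ESXi port cannot land in the DMZ/transit VLAN.
/interface bridge port
add bridge=bridge1 interface=bond-fw mlag-id=10 \
    frame-types=admit-only-vlan-tagged ingress-filtering=yes
add bridge=bridge1 interface=sfp-sfpplus1 \
    frame-types=admit-only-vlan-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether10

# Peer link between the two RB4011s (assumed property name: peer-link).
/interface bridge
set bridge1 peer-link=ether10

# VLAN 10 tagged on the firewall bond AND the 10G uplink, plus the bridge
# itself so the router can terminate it. This is the RouterOS equivalent of
# putting one VLAN on several SwOS ports.
/interface bridge vlan
add bridge=bridge1 vlan-ids=10 tagged=bridge1,bond-fw,sfp-sfpplus1

# Layer 3: VRRP is bound to the vlan10 interface on the bridge, not to any
# physical port, so adding more tagged ports to VLAN 10 does not touch it.
/interface vlan
add name=vlan10 interface=bridge1 vlan-id=10
/ip address
add address=192.0.2.2/24 interface=vlan10 comment="rb4011-a real address"
/interface vrrp
add name=vrrp10 interface=vlan10 vrid=10 priority=200
/ip address
add address=192.0.2.1/32 interface=vrrp10 comment="shared VIP the firewall routes to"

# Verify after both units are configured (assumed command path):
# /interface/bridge/mlag/monitor   -> expect status connected, one primary role
# /interface/bonding/monitor bond-fw -> expect lacp partner seen on both slaves
```

The LAN VLANs the 4011s act as gateway for would follow the same pattern (tagged on the bridge and on the downstream uplinks, a `/interface vlan` on bridge1, VRRP on top). Because the peer link and the firewall bond must carry identical VLAN membership on both units, keep the `/interface bridge vlan` table the same on rb4011-a and rb4011-b; a VLAN present on one side only silently breaks failover for that VLAN.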