nfored
just joined
Topic Author
Posts: 22
Joined: Fri Sep 06, 2019 4:41 pm

Question about redundant connections.

Thu Oct 07, 2021 10:27 pm

Hello all.

I am considering moving to RouterOS 7 to help remove a single point of failure I have currently and wanted to see if anyone could shed some thought on my proposed solution.

I currently have a pair of Fortinet firewalls that are in an Active/Standby pair. Those each have a lag to a CSS326-24G-2S+. The CSS326-24G-2S+ then has two lags, one each to a pair of RB4011 that are running VRRP. Each RB4011 is then hooked up to a different CRS309-1G-8S+ via 10G. The CRS309-1G-8S+ then host ESX hosts that connect to both CRS309-1G-8S+, providing fault tolerance, and then I have two CRS328-24P-4S+RM connected to the CRS309-1G-8S+ for my LAN access. So right now I have redundancy everywhere but on that CSS326-24G-2S+.

So in my mind I have two options, and Option #1 is what I am hoping will work. Now I think from reading the docs both will work, but my question is about VLANs, and maybe I just don't fully understand. Today the VLAN from the firewall to the CSS326-24G-2S+ is vlan#10, then that vlan#10 also goes to the RB4011 via a lag on copper, and then to the CRS309-1G-8S+ via single copper. The connection to the RB4011 on vlan#10 is the default gateway to the internet, so all my LAN VLANs use the 4011 as their gateway and the 4011 sends internet traffic out vlan10. The connection on the CRS309-1G-8S+ on vlan#10 allows my ESX host to have VMs in the DMZ to host applications.

Drawing of what I think option #1 would look like; I have also attached a text file of all the interface command print outputs.

Thank you for your time and help.
Option #1
Pull out the CSS326-24G-2S+ and upgrade both RB4011 to RouterOS 7, create an MLAG with each RB4011 having 2 links to the firewall, creating a 4gb lag. This way, if I lose an RB4011 I still maintain the needed 1gb+ connection to my firewalls.

#If I go this route, can I assign vlan#10 to both the lag connecting to the firewall and the 10g sfp? Will that mess up anything like my VRRP? I have only used switchOS for switching where I have one VLAN on multiple ports.

Option #2
Pull out the CSS326-24G-2S+ and replace it with two CRS326-24G-2S+RM, upgrade those to RouterOS 7 and create an MLAG to the firewall with four 1gb connections like above, and then run a single 10g connection from each of the CRS326-24G-2S+RM to one of the CRS309-1G-8S+.

#I feel like this will of course work because there is no VRRP and maybe not even a need for IP except for one to manage it. But this means buying more switches.
 
nfored
just joined
Topic Author
Posts: 22
Joined: Fri Sep 06, 2019 4:41 pm

Re: Question about redundant connections.

Fri Oct 08, 2021 2:23 am

Well, seems only the CRS units support MLAG, so I wouldn't be able to create an MLAG from the RB4011, so I guess option #2 it is.
