Alexandepz
just joined
Topic Author
Posts: 4
Joined: Fri Dec 13, 2019 6:07 am

Asking for VLAN setup advices

Wed Oct 20, 2021 7:35 am

Hello good people.

There is a small network of ~50 devices (20 workstations, 3 servers, 15 SIP phones and an internal SIP server, some MFDs and printers, some security and CCTV equipment) within a single L3 subnet (10.0.10.x) and a single L2 segment without any VLANing whatsoever. I plan to segment this bad boy into 8-10 VLANs and corresponding IP subnets with 1:1 mapping. Of course, there will be some inter-VLAN routing.

So far nothing special, but here's the crux of the matter: the main router in this network is hex S (RB760iGS) with a flimsy MT7621 switch chip which, as far as I understood it from the Mikrotik wiki, doesn't support any kind of hardware-level routing between VLANs and throws everything onto its CPU. Unfortunately, this absolutely will not cut it, because some of the data moving between some of those VLANs (especially hourly and large daily backups between endpoint devices, servers and a backup server) will require nearly the full wire-speed bandwidth of a Gigabit Ethernet connection in order to be completed in a reasonable amount of time without completely destroying the router's poor CPU in the process.

Fortunately, this network also uses cAP ac as a single wireless access point and an HPE OfficeConnect 1920S series switch, specifically the JL386A 48-port model. As far as I understand, cAP ac has Atheros8327 switch chip onboard, which supports VLAN tables and some other switching features that MT7621 does not. The HPE switch isn't bad either: it has some helpful L2 and L3 features, namely 802.1q VLANs, static and inter-VLAN routing, DHCP relay, and, the most important of all, hardware-level IPv4-based and MAC-based ACLs for interfaces and VLANs.

(Note: I have no official confirmation that the ACL feature on the switch is hardware-offloaded, but I really hope that it is, probably ASIC-based or even more likely FPGA-based, because otherwise why the hell would the official manual mention that the switch that comes with a pathetic dual-core 400MHz ARM CPU, that can freak out if you move around in Web GUI too fast, supports up to 50 ACLs in total and up to 10 ACL rules per individual interface/VLAN).

With all that said, I believe that there are only two reasonable options:
1) either configure everything that concerns VLANing (VLANs themselves, IP subnets for VLANs, inter-VLAN routing and VLAN-aware firewall) on the aforementioned cAP ac unit, in which case the hex S will serve only as a default gateway to the Internet and a VPN server, while the switch will still function pretty much as a dumb switch; essentially, it will be a traditional router-on-a-stick configuration, but with cAP ac stealing most roles from hex S.

2) or configure VLANs, subnets and ACLs on the switch, enable DHCP relay and pass through DHCP servers from the router for those VLANs (yes, the switch has this specific option specifically for VLAN routing).

So, here is my question: what is my best bet in this situation? Both options initially seem viable, but maybe I am missing something important.
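For option 1, a RouterOS script of the kind the cAP ac would run as a router-on-a-stick. This is an added example, not configuration from the thread or from any MikroTik document; the VLAN ids, subnets, port roles (ether1 as the trunk to the HPE switch, ether2 as a transit link to the hex S) and the SIP server address are all assumed.

```routeros
# Assumed VLAN plan (constructed for this example, not from the thread):
#   10 workstations, 20 servers, 30 SIP phones, 40 CCTV
# ether1 = 802.1Q trunk to the HPE 1920S, ether2 = untagged transit link
# to the hex S (Internet gateway / VPN), wlan1 = staff Wi-Fi in VLAN 10.
/interface bridge
add name=bridge vlan-filtering=no comment="turn filtering on last, or the trunk locks you out"
/interface bridge port
add bridge=bridge interface=ether1 frame-types=admit-only-vlan-tagged ingress-filtering=yes
add bridge=bridge interface=wlan1 pvid=10 frame-types=admit-only-untagged-and-priority-tagged
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1 untagged=wlan1 vlan-ids=10
add bridge=bridge tagged=bridge,ether1 vlan-ids=20,30,40
# One routed (L3) interface per VLAN; routing between them is done by the cAP's CPU.
/interface vlan
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan20 vlan-id=20
add interface=bridge name=vlan30 vlan-id=30
add interface=bridge name=vlan40 vlan-id=40
/ip address
add address=10.0.10.1/24 interface=vlan10
add address=10.0.20.1/24 interface=vlan20
add address=10.0.30.1/24 interface=vlan30
add address=10.0.40.1/24 interface=vlan40
add address=10.0.0.2/30 interface=ether2 comment="transit; hex S is 10.0.0.1"
/ip route
add dst-address=0.0.0.0/0 gateway=10.0.0.1
# DHCP per VLAN (VLAN 10 shown; repeat the three lines for 20/30/40).
/ip pool
add name=pool10 ranges=10.0.10.100-10.0.10.250
/ip dhcp-server
add name=dhcp10 interface=vlan10 address-pool=pool10 disabled=no
/ip dhcp-server network
add address=10.0.10.0/24 gateway=10.0.10.1 dns-server=10.0.10.1
# VLAN-aware forward chain: default deny, open only what each segment needs.
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=vlan40 action=drop comment="CCTV never initiates traffic anywhere"
add chain=forward in-interface=vlan30 out-interface=vlan20 dst-address=10.0.20.5 action=accept comment="phones reach only the SIP server (10.0.20.5, assumed)"
add chain=forward in-interface=vlan10 action=accept comment="workstations: servers, cameras, Internet via hex S"
add chain=forward in-interface=vlan20 action=accept comment="servers: backups to other VLANs, Internet"
add chain=forward action=drop comment="everything else, including phones to the Internet"
/interface bridge
set bridge vlan-filtering=yes
```

The hex S still needs static routes for the 10.0.x.0/24 subnets back via 10.0.0.2 and NAT for them, and the cAP needs /ip dns set allow-remote-requests=yes (plus a matching input rule) if it is to answer the DNS queries this DHCP configuration hands out.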
 
mkx
Forum Guru
Posts: 11437
Joined: Thu Mar 03, 2016 10:23 pm

Re: Asking for VLAN setup advices

Wed Oct 20, 2021 8:24 am

For the network size you mentioned, IMO the proper direction would be to invest in a decent router. While cAP ac is not bad at all, a more capable unit is my recommendation. RB4011 should have enough power to comfortably perform all the necessary routing.
RB4011 uses RTL8367 switch chips (two of them) and in ROS v6 it doesn't support HW offloaded VLAN stuff; ROS v7 brings that support (so the device is future-proof). If you're to use the router in a router-on-a-stick scenario, HW offload support for VLANs doesn't matter at all, but in future those extra 9 ethernet ports might come in handy.
 
Alexandepz
just joined
Topic Author
Posts: 4
Joined: Fri Dec 13, 2019 6:07 am

Re: Asking for VLAN setup advices

Wed Oct 20, 2021 9:16 am

The manual mentions though that RTL8367 doesn't support VLAN tables, and bridge VLAN filtering by extension. Or that's what will change in ROS7?

Either way, investing in better hardware is always a good idea, but currently it will be cut down at the door because of the "we bought this router 2 years ago, which is practically yesterday, and now we need a new one that is 3 times more expensive?" reason. Later, maybe, when ROS7 is released in the long-term release tree, but not today. And speaking of ROS7 support and future-proofing, the new RB5009 seems like a better variant than the 4011 for just $20 more.
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Asking for VLAN setup advices

Wed Oct 20, 2021 3:36 pm

The point is that the hex was purchased in error then, as it does not fulfil the requirements...
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: Asking for VLAN setup advices

Wed Oct 20, 2021 8:09 pm

The manual mentions though that RTL8367 doesn't support VLAN tables, and bridge VLAN filtering by extension. Or that's what will change in ROS7?
Limited VLAN switching for RTL8367 was added in 7.1rc1. In general hardware offloading on Mikrotiks refers to layer2 traffic between ports on the same switch chip, all routing between VLANs is carried out by the CPU. Only some of the CRS3xx devices will support hardware offloaded layer3 routing.

HP have historically used custom switch chips or ASICs in their switches, AFAIK the performance of the basic layer3 functionality on the lower end models isn't specified.
