nmazzoletti
just joined
Topic Author
Posts: 8
Joined: Sat May 29, 2021 5:24 pm

One interface for 2 Switch

Sun Nov 28, 2021 9:49 pm

Good afternoon,
I am trying to set up a redundant Router on a Stick network but I have a problem understanding how to implement this solution.
What I have is 2x Routers and 2x Switches (CRS3XX) and they are connected to each other as in the attached image.
The 2 switches have different VLANs and they communicate with each other with a router on a stick method.

Currently, I have set up the connection between SW1 and RT1 and everything works fine, VLANs can communicate, etc.
What I did is:
R1:
/interface vlan
add interface=eth2 name=VLAN10 vlan-id=10
add interface=eth2 name=VLAN20 vlan-id=20
/ip address
add address=X.X.X.X/XX interface=VLAN10 network=X.X.X.X
add address=Y.Y.Y.Y/YY interface=VLAN20 network=Y.Y.Y.Y

SW1:
/interface bridge
add mac=A:B:C auto-mac=no frame-types=admit-only-vlan-tagged ingress-filtering=yes name=bridge pvid=99 vlan-filtering=yes
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ethX pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ethY pvid=20
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=eth1
/interface bridge vlan
add bridge=bridge tagged=eth1 untagged=ethX vlan-ids=10
add bridge=bridge tagged=eth1 untagged=ethY vlan-ids=20
Now, my problem is that I can't understand how to implement this solution when I have 2 switches connected. What interface should I set for the VLAN interface on R1 instead of eth2?
From my understanding, I should create a bridge and then put the 2 physical interfaces (eth2 & eth3) in it. After that I should be able to set the VLANs gateway IP to the bridge and switches should communicate with that.
Are there any settings that need to be applied to the bridge?
Anything that can point me in the right direction is well accepted.

Thanks for your time
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: One interface for 2 Switch  [SOLVED]

Sun Nov 28, 2021 10:18 pm

Strictly speaking it's not a Router on a Stick scenario as you have the WAN direction there.

As you say the switches host non-overlapping sets of VLANs, there is actually no need that you bridge together their connections to the routers at the router end, you can connect SW1 to eth2 of RT1 and SW2 to eth3 of RT1, and attach the vlan "subinterfaces" for VLANs handled by SW1 to eth2 and the vlan "subinterfaces" for VLANs handled by SW2 to eth3.

The situation would be different if you wanted to connect also some LAN hosts to the same VLAN on two different switches for redundancy purposes - in that case, you'd have to bridge the eth2 and eth3 together at each router, and use STP to prevent L2 loops.

Is the above an answer to your question?

The biggest issue with this kind of setup is if the routers should also act as stateful firewalls - you can use VRRP at the LAN side, but synchronisation of connection tracking is only available in RouterOS 7.x, which is still far from production-grade stability. As an alternative, there's the High Availability setup by @nathan1 which takes a completely different approach, where the complete configuration is mirrored between the two routers (which must be identical models).
 
nmazzoletti
just joined
Topic Author
Posts: 8
Joined: Sat May 29, 2021 5:24 pm

Re: One interface for 2 Switch

Mon Nov 29, 2021 6:49 pm

Thanks for the reply, really appreciate that.

Yes, what you said is the answer that I was looking for.
I wanted to do this setup to have redundancy, both switches will have the same VLANs.

What do you mean by "synchronization of connection tracking"? Can you give me more context?
Is it about the fact that in case one router goes down, the other one doesn't know the state of the connection that the master had?
Can I resolve this if I put 2 firewalls capable of that in the middle of the routers and ISP?

Thank you again
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: One interface for 2 Switch

Mon Nov 29, 2021 9:06 pm

> I wanted to do this setup to have redundancy, both switches will have the same VLANs.
This differs from the statement in the OP where you wrote "The 2 switches have different VLANs". Did it mean that there are multiple VLANs on the switches, but not that they differ between the switches? If so, the second part of my suggestion applies, you'd need to bridge the two interfaces together on the routers.

> What do you mean by "synchronization of connection tracking"? Can you give me more context?
> Is it about the fact that in case one router goes down, the other one doesn't know the state of the connection that the master had?
> Can I resolve this if I put 2 firewalls capable of that in the middle of the routers and ISP?
Connection tracking is the cornerstone of a stateful firewall, which basically takes an accept/reject decision when handling an initial packet of a connection, and allows all packets belonging to connections whose initial packet has been accepted. It is also a cornerstone of NAT.

So two firewalls, no matter whether standalone ones or running on the routers, need to synchronize the state of tracked connections so that e.g. the outgoing traffic from a client is NATed to the same public IP when it fails over to another firewall.
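
The failover behaviour described in the post above, as an added example that is not part of the original thread: a minimal Python model of two stateful NAT firewalls, run once without and once with connection tracking synchronisation. The addresses, the per-router NAT address, the LAN prefix and the `Firewall`/`failover` names are constructed for illustration; this is not RouterOS code.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Firewall:
    name: str
    nat_ip: str                        # assumed: each unit NATs to its own address
    peer: Optional["Firewall"] = None  # set to replicate state to a standby
    conntrack: dict = field(default_factory=dict)  # flow -> NAT source address

    def outbound(self, src, sport, dst, dport, syn=False):
        """Return (verdict, nat_source) for one LAN-to-WAN TCP packet."""
        flow = (src, sport, dst, dport)
        if flow in self.conntrack:                 # established: no rule lookup
            return "accept", self.conntrack[flow]
        if not syn:                                # mid-stream, no state: invalid
            return "drop", None
        if not src.startswith("192.168.10."):      # filter rule, first packet only
            return "drop", None
        self.conntrack[flow] = self.nat_ip
        if self.peer is not None:                  # connection tracking sync
            self.peer.conntrack[flow] = self.nat_ip
        return "accept", self.nat_ip


def failover(sync):
    """Open a flow on the master, then send its next packets via the backup."""
    master = Firewall("RT1", "203.0.113.1")        # constructed sample addresses
    backup = Firewall("RT2", "203.0.113.2")
    if sync:
        master.peer = backup
    flow = ("192.168.10.50", 40000, "198.51.100.7", 443)
    opened = master.outbound(*flow, syn=True)
    after = backup.outbound(*flow)                 # master failed, gateway moved
    retry = backup.outbound(*flow, syn=True)       # client reconnects from scratch
    return opened, after, retry


if __name__ == "__main__":
    for sync in (False, True):
        print("sync" if sync else "no sync", failover(sync))
```

Without sync the backup drops the established flow and a reconnect leaves from a different public address; with sync the flow continues with its original NAT mapping.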
 
nmazzoletti
just joined
Topic Author
Posts: 8
Joined: Sat May 29, 2021 5:24 pm

Re: One interface for 2 Switch

Mon Nov 29, 2021 11:01 pm

Sorry, my bad, I meant multiple VLANs but equal on both switches.
Okay thanks for the rest of the answer.
I understood what I need.

Thanks again
