liyanage
Topic Author

Verify my VLAN switching config

Fri Feb 24, 2023 7:39 am

I'm new to MikroTik and interested in feedback on this config I came up with for my use case. I asked this earlier on reddit but was hoping for more feedback than what I got there.

I have two CRS309 switches. The goal is to connect them via a single ethernet cable that goes from a wiring closet on an upper floor to a lower floor basement. That connection is trunked and carries two VLANs:
  • VLAN 10 brings the WAN connection from the ISP's modem from the wiring closet to the basement where the router and other networking gear are
  • VLAN 20 brings the LAN-side connection from the router back up to the wiring closet, from where it fans out to the rooms

So the main goal is to securely combine the WAN and LAN traffic over that single ethernet cable.

The ports on the two CRS309 switches are assigned as follows:
  • SFP+1: tagged, trunk to the other switch (VLANs 10, 20)
  • SFP+2: untagged, WAN connection; on the upper floor switch to the ISP modem, on the lower floor switch to the router's WAN port (VLAN 10)
  • SFP+3-8: untagged, LAN (VLAN 20)
    • On the lower floor switch from the router's LAN port into one of these and then some other equipment that needs to be on the LAN side into the others.
    • On the upper floor fanning out using the wiring closet patch panel to the various rooms.

The switches each get an IP address on the LAN (VLAN 20) subnet for management access. There is no separate management VLAN for that, I want to be able to reach them on all ports that are mapped to the LAN VLAN.

Below is what I came up with. Does this look reasonable and will it meet the goals listed above? Is it secure in terms of preventing any kind of malicious access from the WAN side to the switches, before the packets get to the router port where the firewall/NAT will run?

Side note: the reason for not terminating the VLAN trunk in the router, and instead running two separate ethernet cables between the switch and the router, is to preserve the full ISP connection bandwidth. The router is older and it only has 1 Gbit ports. The ISP service is 1 Gbit. The switches are 10 Gbit.
If I'm understanding correctly, the proposed setup should preserve the full 1 Gbit ISP bandwidth for a client on the upper floor (assuming the router can keep up with NAT/firewall etc.). If I were to terminate the trunk in the router, then the WAN and LAN traffic would have to share the same 1 Gbit ethernet port, cutting throughput in half for a LAN client.

/system/identity/set name=switch-crs309-b

# replace the default admin account with a named user that has an SSH key
/user/add group=full name=somename password=somepassword
/user/ssh-keys/add user=somename key="ssh-rsa xxxx"
# item 0 is the default admin account
/user/remove 0

# per-port VLAN rules (take effect once vlan-filtering is enabled below)
/interface/bridge/port
# trunk to the other switch: only 802.1Q-tagged frames are accepted
set [find where interface=sfp-sfpplus1] frame-types=admit-only-vlan-tagged
# WAN port: untagged frames only, assigned to VLAN 10 via pvid
set [find where interface=sfp-sfpplus2] pvid=10 frame-types=admit-only-untagged-and-priority-tagged
# LAN ports (plus the ether1 management port): untagged only, VLAN 20
set [find where interface~"(sfp-sfpplus[3-8]|ether1)"] pvid=20 frame-types=admit-only-untagged-and-priority-tagged

# bridge VLAN table; ports with a matching pvid are added as untagged members dynamically
/interface/bridge/vlan
add bridge=bridge tagged=sfp-sfpplus1 vlan-ids=10
# the CPU ("bridge" port) is a member of VLAN 20 only, so management is reachable from the LAN side only
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=20

# L3 interface for management, on top of VLAN 20
/interface/vlan/add interface=bridge vlan-id=20 name=lan-mgmt

# do these in one operation so we don't lose connectivity
/ip/address/set [find where address="192.168.88.1/24"] interface=lan-mgmt ; /interface/bridge/set bridge vlan-filtering=yes

# the CPU port itself only accepts tagged frames (i.e. nothing on the default pvid 1)
/interface/bridge/set bridge frame-types=admit-only-vlan-tagged

# switch to final management IP
/ip/address/set [find where address="192.168.88.1/24"] address=192.168.20.2/24 network=192.168.20.0
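The security question in the post (can anything entering the WAN port reach the switch CPU or the LAN ports before it reaches the router?) can be answered by tracing the posted config through the bridge VLAN filtering rules it relies on. The model below is an added example, not code from the original post or from MikroTik; it encodes the documented RouterOS behaviour as assumptions (pvid assigns the VLAN of untagged and priority-tagged frames, frame-types is checked on ingress, ingress-filtering=yes drops frames on VLANs the port is not a member of, and a port is a dynamic untagged member of its pvid VLAN) and then floods a frame from each ingress port to see where it can go. Port names match the posted config; the sample frames, the Bridge/Port classes and the helper functions are constructed for the example.

```python
"""Trace RouterOS bridge VLAN filtering for the posted CRS309 config.

Added example; it models the documented RouterOS rules (assumptions, see
lead-in), it is not MikroTik's implementation.
"""
from dataclasses import dataclass, field

ADMIT_ALL = "admit-all"
ADMIT_TAGGED = "admit-only-vlan-tagged"
ADMIT_UNTAGGED = "admit-only-untagged-and-priority-tagged"

UNTAGGED = None      # frame carries no 802.1Q tag
PRIORITY_TAGGED = 0  # 802.1Q tag present, VID 0


@dataclass
class Port:
    pvid: int = 1
    frame_types: str = ADMIT_ALL


@dataclass
class Bridge:
    ports: dict                                # name -> Port; "bridge" is the CPU port
    vlans: dict = field(default_factory=dict)  # vid -> {"tagged": set, "untagged": set}

    def add_vlan(self, vid, tagged=(), untagged=()):
        self.vlans[vid] = {"tagged": set(tagged), "untagged": set(untagged)}

    def membership(self, vid):
        """Static entry plus the dynamic untagged membership derived from pvid (assumed rule)."""
        entry = self.vlans.get(vid, {"tagged": set(), "untagged": set()})
        dynamic = {n for n, p in self.ports.items() if p.pvid == vid and n not in entry["tagged"]}
        return entry["tagged"], entry["untagged"] | dynamic

    def ingress(self, port, vid):
        """VLAN the frame is assigned to on ingress, or None if it is dropped."""
        p = self.ports[port]
        tagged_frame = vid not in (UNTAGGED, PRIORITY_TAGGED)
        if p.frame_types == ADMIT_TAGGED and not tagged_frame:
            return None
        if p.frame_types == ADMIT_UNTAGGED and tagged_frame:
            return None
        assigned = vid if tagged_frame else p.pvid
        tagged, untagged = self.membership(assigned)
        if port not in tagged and port not in untagged:  # ingress-filtering=yes
            return None
        return assigned

    def forward(self, port, vid):
        """Egress ports a broadcast/unknown-unicast frame is flooded to, with egress tagging."""
        assigned = self.ingress(port, vid)
        if assigned is None:
            return {}
        tagged, untagged = self.membership(assigned)
        out = {n: "tagged" for n in tagged if n != port}
        out.update({n: "untagged" for n in untagged if n != port})
        return out


def posted_config():
    """The bridge as the posted commands leave it after vlan-filtering=yes."""
    ports = {"bridge": Port(pvid=1, frame_types=ADMIT_TAGGED),
             "sfp-sfpplus1": Port(pvid=1, frame_types=ADMIT_TAGGED),
             "sfp-sfpplus2": Port(pvid=10, frame_types=ADMIT_UNTAGGED)}
    for name in [f"sfp-sfpplus{i}" for i in range(3, 9)] + ["ether1"]:
        ports[name] = Port(pvid=20, frame_types=ADMIT_UNTAGGED)
    b = Bridge(ports)
    b.add_vlan(10, tagged={"sfp-sfpplus1"})
    b.add_vlan(20, tagged={"bridge", "sfp-sfpplus1"})
    return b


def cpu_reachable_from(bridge, port):
    """Tags (UNTAGGED, PRIORITY_TAGGED, 1..4094) on which a frame entering `port` reaches the CPU."""
    return [v for v in [UNTAGGED, PRIORITY_TAGGED, *range(1, 4095)]
            if "bridge" in bridge.forward(port, v)]


if __name__ == "__main__":
    b = posted_config()
    print("WAN untagged     ->", b.forward("sfp-sfpplus2", UNTAGGED))
    print("WAN tagged VID20 ->", b.forward("sfp-sfpplus2", 20))
    print("trunk VID 20     ->", b.forward("sfp-sfpplus1", 20))
    print("CPU reachable from WAN on:  ", cpu_reachable_from(b, "sfp-sfpplus2"))
    print("CPU reachable from trunk on:", cpu_reachable_from(b, "sfp-sfpplus1"))
```

Under these rules a frame entering the WAN port can only leave on the trunk tagged with VID 10: a tagged frame from the modem side is dropped by frame-types, and VLAN 10 has no LAN port and no CPU port as a member, which is the property the post is asking about. The model also reports that a frame tagged VID 1 arriving on the trunk would be delivered untagged to the CPU, because both the trunk port and the bridge keep the default pvid=1 and pvid ports are assumed to be dynamic untagged members of VLAN 1; that path is only reachable from the peer switch, not from the WAN port, and `/interface/bridge/vlan print` on the real device shows whether that dynamic VLAN 1 entry exists. Setting the trunk's pvid to an otherwise unused VLAN is the usual way to close it.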
