a) you can use default config as a starting point for your changes. And whatever you change, changes are saved permanently unless you do it while safe mode is enabled.
b) depends. If you have a router (which will handle traffic between VLANs), then you should keep using CRS as switch. If you don't have a router, then you can use CRS as router ... but beware that CRS has low routing capacity unless you make sure that your config can utilize L3HW offload
c) nothing is automatic in ROS, you'll have to configure device appropriately. Not a big deal though ...
d) where did you get the Atheros8227 idea? There's a single switch chip in CRS324.
e) if you omit ether1 interface from bridge ports and configure management IP address on it, then it'll be isolated from "traffic VLANs" just fine. It is quite usual to also have a management VLAN as well (as in-band management) and the (external) firewall ensures enforcement of access policy.

a) Based on my default config which is slightly modified it shows the following
Bridge:
0 R ;;; defconf
name="bridge" mtu=auto actual-mtu=1500 l2mtu=1584 arp=enabled arp-timeout=auto mac-address=18:FD:74:3F:15:B7 protocol-mode=rstp
fast-forward=yes igmp-snooping=no auto-mac=no admin-mac=18:FD:74:3F:15:B7 ageing-time=5m priority=0x8000 max-message-age=20s
forward-delay=15s transmit-hold-count=6 vlan-filtering=no dhcp-snooping=no port-cost-mode=short
Switches:
# NAME TYPE L3-HW-OFFLOADING QOS-HW-OFFLOADING
0 switch1 Marvell-98DX8332 no no
1 switch2 Atheros-8227 no no
All Switch Ports are currently connected to the bridge:
Ether1
qsfpplus1(1-4)
qsfpplus2(1-4)
sfp-sfplus(1-24)
After reading the docs for L3-HW-OFFLOADING it seems that you can only have one bridge as anymore and they are not able to be HW offloaded so I guess that is what will stay
b) I bought the CRS326 as a router/switch because I don't have a router and even if I did it would not route at wire speed with the cpu offloading.
Inter-VLAN Routing
From what I can tell here I may be able to use the switch mode with VLANs and leverage the FW rules also offloaded as I see:
FW - the feature requires l3-hw-offloading=no for a given switch port. On the switch level, l3-hw-offloading=yes.
viewtopic.php?t=183142# - this post shows a nice config i can use to build off of as well as some answers I was looking for.
I am not going to be doing any NAT or IPV6 as this is a home network and I don't need it as this Switch will hang off a Firewalla Gold which will be my firewall to the internet.
c) I am just looking to lock down IPV4 traffic internally on some segmented VLANS for stuff like Roku, Nest/August/Ring, Video Streaming from NAS, etc.
I will have to test but I think it should work out fine and should support both FW and VLAN Routing HW offloading at wire speeds.
I will be using one qsfpplus1(1) port to dedicate to the uplink to the Firewalla Gold Firewall port @2.5gb.
q1) I assume I will use the DHCP server from the Firewalla Gold to seed all DHCP to each VLAN - any recommendations?
I will be dedicating several sfp-sfplus(1-x) ports per VLAN segment with tagging
There are several work laptops that i use which will be on the CRS326 and those will need wire-speed to the Internet
The ROKU streaming devices will also require wire speed to the Internet.
Internally I will be using PLEX to stream video off NAS devices at wire speed between one VLAN
However, most other traffic will be minimal Internet and between VLANS
d) see table above as each CPU is dedicated to a switch
e) I will add a Management VLAN as well
I shall try to start building my configuration as I go and post questions as I need to going forward.
Thanks
Posted by tdampier — Sun Dec 31, 2023 11:45 pm
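As an added example (not from the original post and not MikroTik's own documentation), here is a RouterOS v7 starting configuration for the layout the post describes: ether1 kept off the bridge for management, qsfpplus1(1) as the routed uplink to the Firewalla Gold, one access VLAN per device class, L3 HW offload enabled at the switch level and disabled only on the port whose traffic the firewall must inspect, and DHCP relayed to the Firewalla. Port names (ether1, qsfpplus1-1, sfp-sfplus1..4), VLAN IDs and all addresses are assumptions.

```routeros
# Added example, not the original poster's config. Port names, VLAN IDs and
# addresses are assumed; adjust to your hardware and addressing plan.
# Management stays off the bridge: ether1 carries only the management address.
/ip address add address=192.168.99.2/24 interface=ether1 comment="mgmt, not bridged"
# Routed uplink to the Firewalla Gold (it needs static routes back to 10.0.0.0/16).
/ip address add address=10.0.0.2/30 interface=qsfpplus1-1 comment="transit to Firewalla"
/ip route add dst-address=0.0.0.0/0 gateway=10.0.0.1

# One VLAN-aware bridge; leave vlan-filtering off until the VLAN table is complete.
/interface bridge add name=bridge vlan-filtering=no

# Access ports: pvid tags untagged ingress frames into the port's VLAN.
/interface bridge port add bridge=bridge interface=sfp-sfplus1 pvid=10 comment="work laptops"
/interface bridge port add bridge=bridge interface=sfp-sfplus2 pvid=20 comment="Roku"
/interface bridge port add bridge=bridge interface=sfp-sfplus3 pvid=30 comment="IoT"
/interface bridge port add bridge=bridge interface=sfp-sfplus4 pvid=40 comment="NAS/Plex"

# VLAN table; 'bridge' is tagged so the CPU can own a gateway address in each VLAN.
/interface bridge vlan add bridge=bridge vlan-ids=10 tagged=bridge untagged=sfp-sfplus1
/interface bridge vlan add bridge=bridge vlan-ids=20 tagged=bridge untagged=sfp-sfplus2
/interface bridge vlan add bridge=bridge vlan-ids=30 tagged=bridge untagged=sfp-sfplus3
/interface bridge vlan add bridge=bridge vlan-ids=40 tagged=bridge untagged=sfp-sfplus4

# L3 interfaces and gateway addresses.
/interface vlan add name=vlan10 vlan-id=10 interface=bridge
/interface vlan add name=vlan20 vlan-id=20 interface=bridge
/interface vlan add name=vlan30 vlan-id=30 interface=bridge
/interface vlan add name=vlan40 vlan-id=40 interface=bridge
/ip address add address=10.0.10.1/24 interface=vlan10
/ip address add address=10.0.20.1/24 interface=vlan20
/ip address add address=10.0.30.1/24 interface=vlan30
/ip address add address=10.0.40.1/24 interface=vlan40

# L3 HW offload on at the switch level; off on the IoT port so its traffic is routed
# by the CPU and actually hits the filter (hardware-routed flows never reach it, so
# also disable it on any port that must initiate stateful connections into IoT).
/interface ethernet switch set switch1 l3-hw-offloading=yes
/interface ethernet switch port set sfp-sfplus3 l3-hw-offloading=no

# Firewall: IoT may reach the Internet through the uplink, not the other VLANs.
/ip firewall filter add chain=forward connection-state=established,related action=accept
/ip firewall filter add chain=forward in-interface=vlan30 out-interface=qsfpplus1-1 action=accept
/ip firewall filter add chain=forward in-interface=vlan30 action=drop comment="IoT to any VLAN"

# DHCP: relay each VLAN's requests to the Firewalla's DHCP server (assumed 10.0.0.1).
/ip dhcp-relay add name=relay10 interface=vlan10 dhcp-server=10.0.0.1 local-address=10.0.10.1 disabled=no
/ip dhcp-relay add name=relay30 interface=vlan30 dhcp-server=10.0.0.1 local-address=10.0.30.1 disabled=no
# Enable filtering last, from a console session or with Safe Mode on.
/interface bridge set bridge vlan-filtering=yes
```

Check the result with /interface bridge vlan print and /ip route print; ports left with offload enabled keep wire-speed inter-VLAN routing, while the IoT port trades that for enforced filter rules.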