# Makerspace Field Guide — Preparing the CRS310 Switch
**Print this and bring it.** This is the exact, on-site procedure to get the MikroTik
**CRS310-8G+2S+IN** ready so Ansible can take over. Total time: ~30–45 min (most of it
the firmware upgrade). Work on a **bench/isolated network** — do **not** plug the switch
into the live makerspace network until VLANs are configured later (avoids loops and
DHCP/IP conflicts).

When you're done, you'll have: the switch on a known firmware, wiped to a clean slate,
reachable over SSH at a temporary IP, and a few facts written down for me to drop into
`host_vars`.

---
## Bring with you
- [ ] The CRS310 + its PSU.
- [ ] A laptop with **WinBox** (download from mikrotik.com/download) — or just a browser for WebFig.
- [ ] One Ethernet cable (laptop ↔ a 2.5G port).
- [ ] Internet for the switch during the upgrade (a cable from an existing LAN/uplink, **temporarily**, with DHCP — unplug it again before the final steps).
- [ ] The **SFP+ module or DAC** for the 10G uplink (to fit physically; we don't cable the real uplink yet).
- [ ] This guide + something to write the recorded facts on (or a phone note).
---
## Step 1 — Power on and get in
1. Power the switch. Wait ~1 min for it to boot RouterOS.
2. Connect your laptop to **ether1** (a 2.5G port).
3. Open **WinBox → Neighbors tab**. The switch appears (by IP `192.168.88.1` and/or by MAC).
   - **Tip:** click the **MAC address** (not the IP) to connect — this works even when the
     switch has no IP, which matters in Step 5.
4. Log in: user `admin`, password **blank** (just press Enter). RouterOS 7 may ask you to
set a password — you can set a temporary one or skip; Ansible will set the real one later.
> No WinBox? Browse to `http://192.168.88.1` (WebFig) instead. The CLI commands below are
> typed in **WinBox/WebFig → New Terminal**.
---
## Step 2 — Confirm it's running RouterOS (not SwOS)
The CRS310 can dual-boot SwOS, but we need **RouterOS** for VLAN filtering + Ansible.
- In terminal: `/system/routerboard/print`
- It should report RouterOS. If the device booted **SwOS** (different, simpler web UI),
switch the boot OS: in SwOS go to the **System** page and set boot to RouterOS, or use
the reset/boot-OS toggle, then reboot. (You want the full RouterOS interface.)
---
## Step 3 — Upgrade and pin the firmware
This needs internet for the switch. Plug a DHCP uplink into **ether8** temporarily.
1. Give the switch internet briefly: it should pull a DHCP lease on the uplink port, or in
terminal: `/ip/dhcp-client/add interface=ether8 disabled=no`
2. Update RouterOS:
```
/system/package/update/set channel=stable
/system/package/update/check-for-updates
/system/package/update/download
/system/reboot
```
(Or WinBox: **System → Packages → Check For Updates → Download & Install**.)
3. After reboot, upgrade the bootloader (RouterBOOT) to match:
```
/system/routerboard/upgrade
/system/reboot
```
4. **Write down the final version:** `/system/resource/print` → the `version` line.
**Record as `RouterOS version: ______`** (this becomes `switch_firmware_target`).
5. **Unplug the temporary internet uplink** and remove the DHCP client:
`/ip/dhcp-client/remove [find]`
---
## Step 4 — Record the device facts
Run `/system/routerboard/print` and `/system/resource/print` and write down:
- [ ] **Model:** ____________________ (should be CRS310-8G+2S+IN)
- [ ] **Serial:** ____________________ (also on the sticker underneath)
- [ ] **Base MAC:** ____________________
- [ ] **RouterOS version:** ____________________ (from Step 3.4)
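
Added example (not part of the original guide): a laptop-side shell check that parses the two `print` outputs from Steps 3 and 4, confirms the model and that no RouterBOOT upgrade is still pending, and emits the version to record as `switch_firmware_target`. The function names, the sample output and the `7.99.1` version are constructed for illustration; the field names assume the usual RouterOS 7 `key: value` print layout.

```shell
#!/bin/sh
# Added example: sanity-check captured RouterOS output before filling host_vars.
# Live capture, once Step 6 SSH works:
#   ssh admin@192.168.88.1 '/system/routerboard/print' > rb.txt
#   ssh admin@192.168.88.1 '/system/resource/print'    > res.txt
EXPECTED_MODEL='CRS310-8G+2S+IN'

# ros_field KEY: read "key: value" lines on stdin, print the value of KEY.
ros_field() {
    awk -v key="$1" '
        { sub(/\r$/, "") }   # tolerate CRLF line endings from the device
        {
            i = index($0, ":"); if (i == 0) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }'
}

# check_switch_facts RB_TEXT RES_TEXT
# Prints the Step 4 facts; returns 1 if the model is wrong, a RouterBOOT
# upgrade is still pending (current-firmware differs from upgrade-firmware,
# i.e. Step 3.3 was skipped), or no RouterOS version is found.
check_switch_facts() {
    model=$(printf '%s\n' "$1" | ros_field model)
    serial=$(printf '%s\n' "$1" | ros_field serial-number)
    cur=$(printf '%s\n' "$1" | ros_field current-firmware)
    upg=$(printf '%s\n' "$1" | ros_field upgrade-firmware)
    # "7.99.1 (stable)" -> "7.99.1"
    version=$(printf '%s\n' "$2" | ros_field version | awk '{ print $1 }')
    rc=0
    [ "$model" = "$EXPECTED_MODEL" ] || { echo "FAIL: model '$model'" >&2; rc=1; }
    { [ -n "$cur" ] && [ "$cur" = "$upg" ]; } ||
        { echo "FAIL: RouterBOOT '$cur', upgrade to '$upg' pending" >&2; rc=1; }
    [ -n "$version" ] || { echo "FAIL: no RouterOS version" >&2; rc=1; }
    echo "model: $model"
    echo "serial: $serial"
    echo "switch_firmware_target: \"$version\""
    return "$rc"
}

# Constructed sample output (not from a real device; values are placeholders).
SAMPLE_RB='       routerboard: yes
             model: CRS310-8G+2S+IN
     serial-number: SERIAL-PLACEHOLDER
  current-firmware: 7.99.1
  upgrade-firmware: 7.99.1'
SAMPLE_RES='     uptime: 4m12s
    version: 7.99.1 (stable)
 board-name: CRS310-8G+2S+IN'

check_switch_facts "$SAMPLE_RB" "$SAMPLE_RES"
```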
---
## Step 5 — Wipe to a clean slate (no default config)
This makes Ansible the single owner of the whole configuration.
1. In terminal:
```
/system/reset-configuration no-defaults=yes skip-backup=yes
```
(Or WinBox: **System → Reset Configuration** → tick **No Default Configuration** and
**Do Not Backup** → **Reset**.)
2. The switch reboots. It now has **no IP and no services** — WinBox-by-IP won't find it.
3. Reconnect using **WinBox → Neighbors → click the MAC address** (this is why we use MAC).
Log in as `admin` with a **blank** password.
---
## Step 6 — Give it a temporary IP + enable SSH (so Ansible can reach it)
In the terminal (laptop still on **ether1**):
```
/ip/address/add address=192.168.88.1/24 interface=ether1
/ip/service/enable ssh
/ip/service/print
```
Then on your laptop, set a static IP `192.168.88.2` / `255.255.255.0` and confirm SSH:
```
ssh admin@192.168.88.1
```
If that logs in, **you're done** — leave the switch powered and on the bench.
> ⚠️ Keep a **WinBox MAC session** open as your lifeline whenever you change network
> settings. If you ever lock yourself out, MAC-telnet/WinBox-by-MAC still works; a full
> **Netinstall** (mikrotik.com/download) is the last-resort recovery.
---
## Step 7 — Decide the real addressing (write it down for me)
I need these to fill in `host_vars/crs310-maker.yml`. Decide with whatever the makerspace
network plan is (or we can finalize together):
- [ ] **Management IP + mask** (real, not the temp one): ____________________
- [ ] **Management VLAN ID:** ____________________
- [ ] **Default gateway:** ____________________
- [ ] **Upstream uplink port** (which SFP+ / port goes to the OPNsense/router): ____________________
- [ ] **DNS / NTP server IP** (usually the gateway): ____________________
(If the makerspace VLAN plan isn't settled yet, that's fine — we ship a placeholder and
fill these in later. The switch just needs to be reachable per Step 6.)

---
## Step 8 — Physical finish
- [ ] Fit the **SFP+ module/DAC** into `sfp-sfpplus1` (don't cable the live uplink yet).
- [ ] Mount/label the switch.
---
## When you're back
Bring me:
1. The recorded facts (Step 4) and addressing decisions (Step 7).
2. Confirmation that `ssh admin@192.168.88.1` (or your temp IP) works.
Then I'll: create the empty `MakerFLOSS_Mikrotik` repo on `forgejo.makerfloss.eu`, drop
your facts into `host_vars`, and run **`play_bootstrap.yml`** — which creates your named
admin user, imports your SSH key, and hands the switch over to Ansible. After that,
`play_switch.yml` configures identity, services, VLANs, and backups.
> **Do not connect the switch to the live makerspace network** until VLANs are configured
> (Task 7 in the implementation plan) — an unconfigured switch on the live net can cause
> loops or hand out the wrong VLAN.