MakerFLOSS_Mikrotik/host_vars/crs310-maker.yml


---
# Device facts (recorded on-site 2026-06-08):
#   model: CRS310-8G+2S+IN
#   serial: HM40B8TDNDD
#   base MAC (ether1): D0:EA:11:24:F4:AA
#   RouterOS: 7.19.6 stable (bootloader already current) -> pinned target below
# NOTE(review): serial and base MAC identify the physical unit. If this
# repository is readable outside the makerspace, consider keeping them in
# private inventory notes instead.
#
# Topology (decided 2026-06-09, see docs/superpowers/specs/
# 2026-06-09-crs310-flat-mgmtvlan-design.md): the switch is a FLAT L2 switch on
# the makerspace 10.2.30.0/24 network, with its management isolated on a
# dedicated VLAN.
#   - ether1 is the copper UPLINK (SFP+ deferred until connectors arrive).
#   - DATA VLAN 30: flat 10.2.30.0/24 bridged through; the switch does NO
#     routing/DHCP and the CPU is not a member (no switch presence on the user
#     network).
#   - MGMT VLAN 99: isolated; switch mgmt IP 192.168.88.1/24 on vlan-mgmt,
#     reachable only from the dedicated mgmt port ether8. No gateway, no
#     NTP/DNS (no internet).
# NOTE(review): the isolation described above is enforced by the role, not by
# this file. Presumably it relies on bridge VLAN filtering being enabled and the
# bridge/CPU being left out of VLAN 30 -- confirm in the role's bridge tasks.
#
# Day-2 connection: key auth as the named admin user (overrides the bootstrap
# default ansible_user=admin in group_vars/mikrotik.yml).
# Same account name as switch_admin_user further down; keep the two in sync.
ansible_user: sjat
switch_identity_name: "crs310-maker"
# ----- Management (isolated VLAN 99) -----
# Management address lives on VLAN 99 only. Gateway and DNS are empty strings
# and NTP is off, so the management plane has no path off its own /24.
# NOTE(review): with NTP off the switch clock is unsynchronised, so its log
# timestamps cannot be reliably correlated with other systems when
# investigating an incident. Note the expected clock offset, or forward logs to
# a collector that stamps arrival time, if the role supports that.
switch_mgmt_vlan_id: 99
switch_mgmt_address: "192.168.88.1/24"
switch_mgmt_gateway: "" # isolated mgmt -> no default route
switch_dns_servers: "" # no DNS on an isolated mgmt plane
switch_ntp_enabled: false # no internet on mgmt -> NTP would only error
# Makerspace experiment: make the mgmt port low-friction. Serve DHCP on the
# mgmt VLAN and enable the web UI so anyone plugging into ether8 can reach the
# admin login page (a login is still required; the default `admin` account
# stays disabled). mamba keeps its static .2 (outside the DHCP pool).
#
# NOTE(review): `www` is left enabled while `www-ssl` is in the disabled list,
# so the web UI is presumably served over plain HTTP and admin credentials cross
# the mgmt VLAN unencrypted. With DHCP on, any device plugged into ether8 gets
# a lease on the same L2 segment as the switch's management address, so the only
# control in front of the login page is physical access to ether8. If the role
# can provision a certificate, serving `www-ssl` instead of `www` would close
# the cleartext exposure -- confirm what the role supports.
# NOTE(review): `ssh` is absent from the list below (Ansible needs it).
# `winbox` is also absent, so it presumably stays enabled -- confirm that is
# intended for this experiment.
switch_web_enabled: true
switch_disabled_services: # same as the role default but WITHOUT www (web UI on)
- telnet
- ftp
- www-ssl
- api
- api-ssl
# DHCP scope for the mgmt VLAN; the pool starts at .10, leaving .1 (switch) and
# the low addresses, including mamba's static .2, outside it.
switch_mgmt_dhcp_enabled: true
switch_mgmt_dhcp_pool: "192.168.88.10-192.168.88.254"
switch_mgmt_dhcp_network: "192.168.88.0/24"
# Named admin account; same value as ansible_user at the top of this file.
switch_admin_user: "sjat"
# ----- VLANs + per-port map (all untagged access; no trunks) -----
# DATA = flat 10.2.30.0/24 (uplink + device ports); MGMT = isolated admin VLAN.
# Each entry is one physical port with its untagged VLAN (pvid). Only ether8
# carries VLAN 99; every other port, including both SFP+ cages, is on VLAN 30.
# NOTE(review): ether8 is the single point of entry to the management plane.
# Moving any other port to pvid 99 widens management access, so treat changes to
# this map as security-relevant.
switch_vlans:
- {id: 30, name: "data"}
- {id: 99, name: "mgmt"}
switch_bridge_ports:
- {interface: "ether1", pvid: 30, mode: access} # copper uplink
- {interface: "ether2", pvid: 30, mode: access}
- {interface: "ether3", pvid: 30, mode: access}
- {interface: "ether4", pvid: 30, mode: access}
- {interface: "ether5", pvid: 30, mode: access}
- {interface: "ether6", pvid: 30, mode: access}
- {interface: "ether7", pvid: 30, mode: access}
- {interface: "sfp-sfpplus1", pvid: 30, mode: access}
- {interface: "sfp-sfpplus2", pvid: 30, mode: access}
- {interface: "ether8", pvid: 99, mode: access} # dedicated mgmt port
# Firmware: pinned at the version already installed (no upgrade planned now).
# Quoted so the version stays a string.
# NOTE(review): a pin with upgrades disabled means security fixes are not picked
# up automatically. Because the web UI is enabled on this device, review vendor
# advisories for the pinned release periodically and bump the target as needed.
switch_firmware_target: "7.19.6"
# switch_firmware_enabled: true # opt-in only when you actually want to upgrade