> I want to keep broadcast traffic global (but not sure this is possible) as it's a single subnet for each VLAN
Not happening. The entire purpose of VLANs is to separate L2 broadcast domains.
> how else could I structure this network to allow for inter-vlan routing to occur at the nearest L3 router/switch
You simply enable routing on the switches.
- Assume VLAN 10 and 20 are both present on the 328. With routing enabled the switch will route between directly connected VLANs w/o sending traffic to the router
- Assume VLAN 10 is on the 328 and VLAN 20 is on the 309. When traffic is sent from VLAN 10 to VLAN 20, if the 328 already knows 309 has the route to this subnet it will route the traffic directly there. If not, it will query which neighboring router knows the route, 309 will respond and 328 will know how the subnet is reached. In either case no inter-VLAN traffic is sent to the router.
> Is it possible to have each L3 switch "block" their upstream DHCP servers and then publish as a relay
Mikrotik 300-series switches know DHCP option 82, so they can act as DHCP relay agents.
> to complicate things there is a wireless AP under each switch that I would want to enable roaming between)
Whether this complicates things depends on the APs. To allow roaming both APs must bcast the same SSID(s). If they're dot1Q capable, you should be able to configure them to drop the Wi-Fi traffic on SSID 10 to VLAN 10, and SSID 20 to VLAN 20 etc.
How to do this in practice:
- Configure inter-switch and switch-AP links to be trunked so they can pass traffic on multiple VLANs
- Put the router on its own subnet - switch-router links don't need trunking
- Connect both switches directly to the router so traffic intended outside of the VLANs can be directly forwarded to the router w/o passing the inter-switch link
- Enable routing on the switches
- Point the switches' default route to the router
- Configure the router to provide DHCP service on all VLANs
- Set the client default GW to be a switch
- The clients will always send the traffic destined outside their own network towards the DGW. If the DGW is set to be the router, the switch will forward the traffic to the router whether or not IP routing is enabled on the switch.
- If the router is only capable of providing DHCP service on a single subnet, you need to set up a DHCP server elsewhere in the network. I'd put this to the same VLAN with the router so it doesn't receive any other client traffic but DHCP.
- Configure DHCP option 82 (DHCP Relay) on the switch VLANs
- Configure SSIDs you need on the APs
- Configure the APs to forward the traffic received on a specific SSID to the appropriate VLAN
An example, as a pic is worth 1000 words:
![pic](https://cdn.statically.io/img/i.sstatic.net/sCWNI.png)
For detailed instructions refer to Mikrotik documentation and the documentation of your APs.
WoL packets are normally sent to the L2 bcast address. That means that by default they cannot be forwarded across VLANs. One way to get around this is to configure the WoL source system's physical interface to have subinterfaces on each VLAN. On Linux / UNIX systems (incl. macOS) you'd configure for example `eth0.10` for VLAN 10, `eth0.20` for VLAN 20 etc. On Windows systems it's a bit more complicated. The switch interface connecting to this system needs to be trunked for each VLAN. This way a single system can send WoL to each VLAN separately.
There may be also other solutions. Searching for "mikrotik wol across vlans" brings a few results with possible solutions / workarounds from Mikrotik forums.
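As an added example (not part of the original answer), here is what the "how to do this in practice" list and the WoL note look like as RouterOS v7 configuration on one of the two switches, assumed here to be the CRS328. Every port name, VLAN ID, address and MAC below is an assumption for illustration: ether1 is the routed link to the router (10.0.0.1), the DHCP server sits on the router's subnet at 10.0.0.10, ether2/ether3 are access ports in VLAN 10/20, sfp-sfpplus1 is the trunk to the 309, ether24 is the trunk to the AP, and VLAN 99 is a transit VLAN used only to route to a subnet homed on the 309. Two points the list leaves implicit: RouterOS routes between its own IP interfaces without a separate "enable routing" step, and a subnet that exists only on the other switch is reached only if a route to it exists (static, as shown, or learned via a routing protocol).

```routeros
# Added example config for the assumed CRS328 (RouterOS v7). Not from the original post.
# Assumed addressing: router 10.0.0.1/24, DHCP server 10.0.0.10,
# VLAN 10 = 10.0.10.0/24, VLAN 20 = 10.0.20.0/24, transit VLAN 99 = 10.0.99.0/30.

# 1. Routed link to the router: a plain port with its own address, not a bridge member
/ip address add address=10.0.0.2/24 interface=ether1

# 2. One bridge for the switched VLANs. Keep vlan-filtering off until the VLAN table is
#    complete, otherwise the management session can be cut off half way through.
/interface bridge add name=bridge1 vlan-filtering=no

# Access ports: pvid tags the clients' untagged frames; tagged frames from clients are dropped
/interface bridge port add bridge=bridge1 interface=ether2 pvid=10 frame-types=admit-only-untagged-and-priority-tagged
/interface bridge port add bridge=bridge1 interface=ether3 pvid=20 frame-types=admit-only-untagged-and-priority-tagged

# Trunks to the 309 and to the AP: only tagged frames are accepted
/interface bridge port add bridge=bridge1 interface=sfp-sfpplus1 frame-types=admit-only-vlan-tagged
/interface bridge port add bridge=bridge1 interface=ether24 frame-types=admit-only-vlan-tagged

# VLAN table. bridge1 itself is a tagged member so the switch CPU can hold an IP in each VLAN.
/interface bridge vlan add bridge=bridge1 vlan-ids=10 tagged=bridge1,sfp-sfpplus1,ether24 untagged=ether2
/interface bridge vlan add bridge=bridge1 vlan-ids=20 tagged=bridge1,sfp-sfpplus1,ether24 untagged=ether3
/interface bridge vlan add bridge=bridge1 vlan-ids=99 tagged=bridge1,sfp-sfpplus1

# 3. L3 interfaces: these addresses are what the clients get as default gateway
/interface vlan add name=vlan10 vlan-id=10 interface=bridge1
/interface vlan add name=vlan20 vlan-id=20 interface=bridge1
/interface vlan add name=vlan99 vlan-id=99 interface=bridge1
/ip address add address=10.0.10.1/24 interface=vlan10
/ip address add address=10.0.20.1/24 interface=vlan20
/ip address add address=10.0.99.1/30 interface=vlan99

# 4. Routing. VLAN 10 <-> VLAN 20 is routed locally with no further configuration.
#    Default route points at the router; an assumed VLAN 30 (10.0.30.0/24) that lives only
#    on the 309 needs an explicit route via the 309's transit address.
/ip route add dst-address=0.0.0.0/0 gateway=10.0.0.1
/ip route add dst-address=10.0.30.0/24 gateway=10.0.99.2

# 5. DHCP relay per client VLAN. local-address is the giaddr the server uses to pick the
#    pool; add-relay-info=yes inserts option 82 (relay agent information).
/ip dhcp-relay add name=relay-vlan10 interface=vlan10 dhcp-server=10.0.0.10 local-address=10.0.10.1 add-relay-info=yes disabled=no
/ip dhcp-relay add name=relay-vlan20 interface=vlan20 dhcp-server=10.0.0.10 local-address=10.0.20.1 add-relay-info=yes disabled=no

# 6. Only now turn VLAN filtering on
/interface bridge set bridge1 vlan-filtering=yes

# WoL across VLANs: the switch has an L2 presence in every VLAN, so it can emit the
# magic packet itself on the target VLAN instead of a host needing a subinterface per VLAN.
# (Assumed target MAC; run from the switch CLI or a scheduler script.)
/tool wol interface=vlan20 mac=AA:BB:CC:DD:EE:FF
```

The 309 gets the mirror image: the same bridge and VLAN table on its trunk to the 328, its own VLAN interfaces and addresses (10.0.99.2/30 on the transit VLAN), its own default route to the router, and a static route back to any subnet that is homed only on the 328. The DHCP server on the router's subnet then needs one pool per VLAN subnet, and the APs tag SSID 10 and SSID 20 into VLAN 10 and 20 on their trunk ports.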