Bridge Ethernet1 Port can set 2 pvid

chua · September 6, 2023, 1:00pm

Hi everyone, ethernet port i set 2 vlan id 10, 20. In bridge, can set 2 pvid for ethenet1. Or how to configure to allowed ethernet1 port (1 port) can set 2 pvid in bridge? anyone can assist me.

Exampl commande:
[admin@SWITCH2] > interface bridge add name=BR_Ether
[admin@SWITCH2] > interface bridge port add bridge=BR_Ether interface=ether1 pvid=1025
[admin@SWITCH2] > interface bridge port add bridge=BR_Ether interface=ether1 pvid=1026

ConradPino · September 6, 2023, 1:27pm

PVID is the VLAN id

assigned to untagged ingress packets
allowed to egress as untagged packets

Bridge ports have one and only one PVID.
Second statement is just overriding the first.

chua · September 6, 2023, 2:47pm

Bridge pvid need to put the pvid same as ethernet port pvid ?

Example: bridge pvid using default 1, how to filter pvid ehternet pvid 10, 20?

anav · September 6, 2023, 3:59pm

You lost me at using pvid=1, just dont…
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
http://forum.mikrotik.com/t/routeros-bridge-mysteries-explained/147832/1

Guscht · September 6, 2023, 4:31pm

You cannot have 2 PVIDs for a single port. The PVID classifies packets without VLAN-tag to the set VID.

The IEEE 802.1q mentions a PPVID, but most vendors do not implement the PPVID cocept. This would allow to define a single PVID + multiple PPVIDs (per protocol). But I have never seen that on MT hardware.

There is nothing wrong with VID1, but if you are not 100% confident with VLANing, its more simple to avoid VID1.

anav · September 6, 2023, 8:25pm

PVID is used mainly for access ports, as stated any port can only have one untagged port ( access ports or hybrid ports ).

Vlan1 usage is a dumb idea unless one really knows what they are doing and there is a specific need for it… otherwise avoid.

mkx · September 6, 2023, 9:02pm

The second statement is not entirely true in ROS. The first statement about ingress is true.

So for the sake of completeness: for egress, pvid setting is not important. For egress, only settings under /interface bridge vlan matter, if a port is configured as untagged member of certain VID, then frames from that VLAN will exit the port untagged.

And there are some creative things possible due to that:

ROS automatically adds port as untagged member of certain VLAN if it has pvid set to that VID (this automaticism might mislead @ConradPino into writing the second statement in the quote above)
port can be untagged member of multiple VLANs (but that’s only valid for egress … it is possible to strip VLAN tag with any value but it’s only possible to add VLAN header with one VID value, the only criteria available for bridge ports in ROS is pvid setting; other drivers may offer other possibilities, such as MAC-based VLANs in wireless driver)
due to bullet above it’s possible to create “asymmetrical VLANs”, meaning that untagged port is member of one VLAN on ingress and another VLAN on egress. This kind of config is not fully supported in ROS due to first bullet in this list.
etc.

And yes, beware of VID 1 … there’s a holy war going on regarding it’s use