Bridge VLAN again

Hi,
I have a setup like this (CCR1016):
One bridge with port members sfp1-sfp6
3 VLANs, 111,199,200
sfp1 is trunk port with tagged vlans 111,199
sfp6 is trunk port with tagged vlans 111,200
Ports sfp2-sfp5 must be in access vlan 111

I used the new way of bridging VLANs (RouterOS 6.42.x). It seems to me that everything is working, but in the host table ports sfp2-sfp5 belong to both VLANs, default pvid 1 and pvid 111.
How do I make ports sfp2-sfp5 members only of VLAN 111 (untagged/access)?
Can someone copy/paste an example configuration for the above scenario?

Thanks

/interface bridge port
add bridge=bridge1 frame-types=admit-all ingress-filtering=yes interface=sfp2 pvid=111
add bridge=bridge1 frame-types=admit-all ingress-filtering=yes interface=sfp3 pvid=111
add bridge=bridge1 frame-types=admit-all ingress-filtering=yes interface=sfp4 pvid=111
add bridge=bridge1 frame-types=admit-all ingress-filtering=yes interface=sfp5 pvid=111
/interface bridge vlan
add bridge=bridge1 untagged=sfp2,sfp3,sfp4,sfp5 vlan-ids=111   # If services served from device, i.e. DHCP, or management of device itself, add "tagged=bridge1"

@CZFan
You did forget the trunked ports.

This should cover most of it.

/interface bridge port
add bridge=bridge1 frame-types=admit-all ingress-filtering=yes interface=sfp1
add bridge=bridge1 frame-types=admit-all ingress-filtering=yes interface=sfp2 pvid=111
add bridge=bridge1 frame-types=admit-all ingress-filtering=yes interface=sfp3 pvid=111
add bridge=bridge1 frame-types=admit-all ingress-filtering=yes interface=sfp4 pvid=111
add bridge=bridge1 frame-types=admit-all ingress-filtering=yes interface=sfp5 pvid=111
add bridge=bridge1 frame-types=admit-all ingress-filtering=yes interface=sfp6
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,sfp1,sfp6 untagged=sfp2,sfp3,sfp4,sfp5 vlan-ids=111
add bridge=bridge1 tagged=bridge1,sfp1 vlan-ids=199
add bridge=bridge1 tagged=bridge1,sfp6 vlan-ids=200

/interface vlan
add interface=bridge1 name=VLAN111 vlan-id=111

/ip address
add address=10.10.111.1/24 interface=VLAN111 network=10.10.111.0
/ip pool
add name=DHCP-Pool-vlan111-Guest ranges=10.10.111.64-10.10.111.254
/ip dhcp-server
add address-pool=DHCP-Pool-vlan111-Guest disabled=no interface=VLAN111 lease-time=1d \
    name=DHCP-vlan111-Guest
/ip dhcp-server network
add address=10.10.111.0/24 dns-server=8.8.8.8 gateway=10.10.111.1

If you need IP and DHCP for VLANs 199 and 200, just do the same as for VLAN 111.

CZFan didn't forget anything, he was simply answering the OP's pointed question on how to get sfp2-5 set up properly!!

Also, your bridge port config is incorrect; here is what it should be:
/interface bridge port
add bridge=bridge1 frame-types=admit-all interface=sfp1   # ingress filtering is not set on trunk ports
add bridge=bridge1 frame-types=admit-all ingress-filtering=yes interface=sfp2 pvid=111
add bridge=bridge1 frame-types=admit-all ingress-filtering=yes interface=sfp3 pvid=111
add bridge=bridge1 frame-types=admit-all ingress-filtering=yes interface=sfp4 pvid=111
add bridge=bridge1 frame-types=admit-all ingress-filtering=yes interface=sfp5 pvid=111
add bridge=bridge1 frame-types=admit-all interface=sfp6   # ingress filtering is not set on trunk ports


The bridge vlan configuration is interesting. I think what you have is correct!
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,sfp1,sfp6 untagged=sfp2,sfp3,sfp4,sfp5 vlan-ids=111
add bridge=bridge1 tagged=bridge1,sfp1 vlan-ids=199
add bridge=bridge1 tagged=bridge1,sfp6 vlan-ids=200

But I am sorely tempted to also suggest
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=sfp2,sfp3,sfp4,sfp5 vlan-ids=111
add bridge=bridge1 tagged=bridge1,sfp1 vlan-ids=111,199
add bridge=bridge1 tagged=bridge1,sfp6 vlan-ids=111,200

I'm sure mkx would say to ensure separation of VLANs as you have done. :slight_smile:

Note: I am also intrigued by the nuance in CZFan's post regarding tagging of the bridge not being required in case of no DHCP or router services. It seems similar to no tagging of the bridge being required on my cAP ac setups (when acting as access points).

Are you sure about this?

ingress filtering is not set on trunk ports

If you connect to an ISP and you only need vlan 10 and vlan 11 trunked.
The ISP also sends out vlan 12, vlan 13 etc.
Would not ingress filtering block all trunked VLANs that are not needed?


My post also referred to "Can someone copy/paste an example configuration for the above scenario?".
So I included all above :slight_smile:

We are here to help each other…

Jotne, I don't see anywhere that indicates the ISP (WAN) is part of the bridge??
I don't ingress filter any of my trunk ports on switches or routers or APs.
No worries, just clarifying that CZFan didn’t miss anything, simply you added extra for completeness.

But is there any reason not to use ingress filtering on all port types (untagged, tagged, hybrid)?
If not, just add it everywhere to make sure.

Not performing ingress filtering implies that the other side of cable is trustworthy.
Usually one trusts himself (or herself), but sometimes that trust has poor foundation. Myself included :wink:

Understood, mkx, but what would be the point of some nefarious device sending VLAN XXX from a device, as the traffic has nowhere to go?
From the PVID devices, the untagged traffic is provided a VLAN tag and all other VLAN traffic is blocked.

Also, you didn't answer the bridge vlan question regarding what is a viable setup…
Nor address the nuance on not tagging the bridge necessarily that CZFAN noted.

thus forcing me to pose the questions again LOL.
I can also cross-post and re-ask the questions to infinity, relentless tenacity is my middle name. :slight_smile:
Ahh, the burden of being a real expert, glad it's not me.

anav, once we started an argument about performance vs. paranoia … and I bailed out. Ingress filtering is on a verge of paranoia if you wish to call it that way. For me it’s from the “better safe than sorry” category. Why do some attackers spoof src IP address when sending traffic to your router when traffic has nowhere to go?

And no, you’re wrong about pvid devices: setting pvid does not prevent other VLANs from ingressing, it only tags the untagged ingress packets. You still need to configure ingress filtering to be safe.

I’m not sure about which questions about bridge vlans I didn’t answer?
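To make the pvid versus ingress-filtering point concrete, here is a small Python model of the bridge port decisions discussed above. It is an added example, not code from the thread or from MikroTik: the port names and VIDs follow the OP's topology, the "rogue" frames are constructed, and the model (pvid classifies only untagged frames, ingress-filtering=yes drops frames whose VID the port is not a member of, frame-types decides whether tagged frames are accepted at all, and the pvid counts as a dynamic untagged membership) is my reading of the RouterOS behaviour, so check it against the device. It goes one step beyond the thread by also showing frame-types=admit-only-untagged-and-priority-tagged on the access ports, which rejects a tagged frame before ingress filtering is even consulted.

```python
"""Toy model of RouterOS bridge VLAN filtering ingress/egress decisions.

Added example (assumed semantics, see lead-in). A rogue host on access
port sfp2 (pvid=111) sends an 802.1Q frame tagged VLAN 200; we look at
what the bridge does with it under three access-port configurations.
"""
from dataclasses import dataclass, field

ADMIT_ALL = "admit-all"
ADMIT_UNTAGGED = "admit-only-untagged-and-priority-tagged"
ADMIT_TAGGED = "admit-only-vlan-tagged"


@dataclass
class BridgePort:
    name: str
    pvid: int = 1
    ingress_filtering: bool = False
    frame_types: str = ADMIT_ALL
    tagged: set = field(default_factory=set)    # VIDs carried tagged (from /interface bridge vlan)
    untagged: set = field(default_factory=set)  # VIDs carried untagged

    def members(self):
        # Assumption: RouterOS adds a dynamic untagged membership for the pvid.
        return self.tagged | self.untagged | {self.pvid}


def classify_ingress(port, vid):
    """Return ('accept', vid) or ('drop', reason) for a frame arriving on port.

    vid=None means the frame is untagged (or priority-tagged, VID 0).
    """
    if vid is None:
        if port.frame_types == ADMIT_TAGGED:
            return ("drop", "frame-types rejects untagged frames")
        vid = port.pvid  # pvid classification: this is ALL that pvid does
    elif port.frame_types == ADMIT_UNTAGGED:
        return ("drop", "frame-types rejects tagged frames")
    # Only ingress filtering checks the (possibly attacker-chosen) VID.
    if port.ingress_filtering and vid not in port.members():
        return ("drop", f"ingress-filtering: port is not a member of VLAN {vid}")
    return ("accept", vid)


def egress_ports(ports, in_port, vid):
    """Ports (other than the ingress port) a frame in VLAN vid is flooded to."""
    out = {}
    for p in ports.values():
        if p is in_port:
            continue
        if vid in p.tagged:
            out[p.name] = "tagged"
        elif vid in p.untagged or vid == p.pvid:
            out[p.name] = "untagged"
    return out


def op_topology(access_ingress_filtering, access_frame_types=ADMIT_ALL):
    """sfp1/sfp6 trunks, sfp2-sfp5 access ports in VLAN 111 (OP's design)."""
    ports = {
        "sfp1": BridgePort("sfp1", tagged={111, 199}, ingress_filtering=True),
        "sfp6": BridgePort("sfp6", tagged={111, 200}, ingress_filtering=True),
    }
    for name in ("sfp2", "sfp3", "sfp4", "sfp5"):
        ports[name] = BridgePort(name, pvid=111, untagged={111},
                                 ingress_filtering=access_ingress_filtering,
                                 frame_types=access_frame_types)
    return ports


def demo():
    """Rogue tagged-200 frame and a normal untagged frame on sfp2, per config."""
    configs = {
        "no-filter": op_topology(access_ingress_filtering=False),
        "filter": op_topology(access_ingress_filtering=True),
        "filter+untagged-only": op_topology(True, ADMIT_UNTAGGED),
    }
    results = {}
    for label, ports in configs.items():
        sfp2 = ports["sfp2"]
        tagged = classify_ingress(sfp2, 200)   # constructed rogue frame
        results[label] = {
            "tagged-200": tagged,
            "tagged-200-egress": egress_ports(ports, sfp2, tagged[1]) if tagged[0] == "accept" else {},
            "untagged": classify_ingress(sfp2, None),
        }
    return results


if __name__ == "__main__":
    for label, r in demo().items():
        print(f"{label:22} tagged-200 -> {r['tagged-200']}  egress {r['tagged-200-egress']}")
```

With only pvid set and no ingress filtering, the tagged VLAN 200 frame from the access port is accepted and flooded out the sfp6 trunk, i.e. the "untagged" port becomes a way into a VLAN it was never meant to reach; ingress-filtering=yes drops it, and admit-only-untagged-and-priority-tagged drops it earlier still, while plain untagged traffic still lands in VLAN 111 in every case.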

Okay, no worries, I get it! There is no harm and no significant CPU load in assigning ingress filtering to trunk ports, and thus it's good safe practice.

As for the bridge vlan question, it was: which is a better setup for the OP?

The bridge vlan configuration is interesting. I think what you have is correct! (and what mkx likes in terms of separating VLANs per line)
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,sfp1,sfp6 untagged=sfp2,sfp3,sfp4,sfp5 vlan-ids=111
add bridge=bridge1 tagged=bridge1,sfp1 vlan-ids=199
add bridge=bridge1 tagged=bridge1,sfp6 vlan-ids=200

But I am sorely tempted to also suggest the following so I need to know what is wrong with this approach?
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=sfp2,sfp3,sfp4,sfp5 vlan-ids=111
add bridge=bridge1 tagged=bridge1,sfp1 vlan-ids=111,199
add bridge=bridge1 tagged=bridge1,sfp6 vlan-ids=111,200

or, for that matter, combining the last two lines:
add bridge=bridge1 tagged=bridge1,sfp6,sfp1 vlan-ids=111,200,199

Both ways of setting things up are fine with me … as long as they only contain needed VLANs.

If I understand things right, then at least with HW VLAN filtering (as configured on the switch chip), VLAN mappings end up in a table (similar to what you see in SwOS if I'm not much mistaken … I don't use SwOS) and it doesn't matter how many lines of configuration are used to achieve it. I guess a similar approach is used with bridge vlan filtering …
However, when assigning multiple VLAN IDs in a single configuration line (as per your second suggestion or even the last one), it is quite easy to end up assigning a VLAN ID to a port where it's not needed, and then ingress filtering can't do its job properly.

Darn, I’m being paranoid again :wink:

Regarding adding bridge port to the list of tagged members of VLAN: as I wrote in a post regarding cAPs, bridge has twin personality (a “switch” and a port) and when configuring VLAN membership, it’s the port personality being configured. If there’s no vlan interface on bridge port with said VLAN ID, then there’s no need to include bridge port as member of said VLAN (neither tagged nor untagged).

I may be wrong here.
With this setup, you would allow VLAN 200 to enter on port sfp1, which is not the OP's intention.
If for some reason a loop is made and VLAN 200 enters both sfp1 and sfp6, you may create a loop.
That is, if I assume correctly.

So I will not add more than one VLAN to each /interface bridge vlan line, and I use ingress filtering on all ports.

Jotne, yes, clearly that third option is out to lunch,
but this still works fine…

/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=sfp2,sfp3,sfp4,sfp5 vlan-ids=111
add bridge=bridge1 tagged=bridge1,sfp1 vlan-ids=111,199
add bridge=bridge1 tagged=bridge1,sfp6 vlan-ids=111,200
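The "it all ends up in one table" observation from mkx and Jotne's objection to the combined line can both be checked mechanically. The following is an added example, not code from the thread or from MikroTik: it parses only the `add bridge=... tagged=... untagged=... vlan-ids=...` form used in this thread, compiles it into the per-port VLAN membership the bridge ends up with, and reports every VID a port carries beyond what the OP's design asked for. The three variants are anav's, copied as constructed sample input (with the stray commas and spaces removed), and `OP_INTENT` is the design stated in the first post. One caveat the model does not enforce: whether RouterOS accepts the same vlan-id in more than one entry on the same bridge is something to verify on the device; the model simply merges such entries.

```python
"""Compile '/interface bridge vlan' lines into per-port VLAN membership
and flag memberships the design did not ask for.

Added example (see lead-in); handles only the 'add ...' form above.
"""
from collections import defaultdict

# Constructed sample input: anav's three variants from the posts above.
VARIANTS = {
    "separate-lines": """
add bridge=bridge1 tagged=bridge1,sfp1,sfp6 untagged=sfp2,sfp3,sfp4,sfp5 vlan-ids=111
add bridge=bridge1 tagged=bridge1,sfp1 vlan-ids=199
add bridge=bridge1 tagged=bridge1,sfp6 vlan-ids=200
""",
    "vid-list-per-trunk": """
add bridge=bridge1 tagged=bridge1 untagged=sfp2,sfp3,sfp4,sfp5 vlan-ids=111
add bridge=bridge1 tagged=bridge1,sfp1 vlan-ids=111,199
add bridge=bridge1 tagged=bridge1,sfp6 vlan-ids=111,200
""",
    "one-trunk-line": """
add bridge=bridge1 tagged=bridge1 untagged=sfp2,sfp3,sfp4,sfp5 vlan-ids=111
add bridge=bridge1 tagged=bridge1,sfp6,sfp1 vlan-ids=111,200,199
""",
}

# The OP's stated design: which VIDs each port (and the bridge itself) should carry.
OP_INTENT = {
    "bridge1": {111, 199, 200},
    "sfp1": {111, 199},
    "sfp6": {111, 200},
    "sfp2": {111}, "sfp3": {111}, "sfp4": {111}, "sfp5": {111},
}


def parse_vlan_ids(spec):
    """'111,199' -> {111, 199}; RouterOS ranges like '100-102' are expanded."""
    ids = set()
    for part in filter(None, (p.strip() for p in spec.split(","))):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            ids.update(range(lo, hi + 1))
        else:
            ids.add(int(part))
    return ids


def compile_table(config_text):
    """Return {port: {vid: 'tagged' | 'untagged'}} for the bridge vlan lines."""
    table = defaultdict(dict)
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop trailing comments
        if not line.startswith("add "):
            continue
        kv = dict(tok.split("=", 1) for tok in line.split()[1:] if "=" in tok)
        vids = parse_vlan_ids(kv.get("vlan-ids", ""))
        for mode in ("tagged", "untagged"):
            for port in filter(None, kv.get(mode, "").split(",")):
                for vid in vids:
                    if table[port].get(vid, mode) != mode:
                        raise ValueError(f"{port}: VLAN {vid} both tagged and untagged")
                    table[port][vid] = mode
    return dict(table)


def excess_membership(table, intent):
    """VIDs each port carries that the design did not ask for (ingress
    filtering cannot drop these, because the port IS a member)."""
    excess = {}
    for port, vids in table.items():
        extra = set(vids) - intent.get(port, set())
        if extra:
            excess[port] = extra
    return excess


def demo():
    return {name: excess_membership(compile_table(cfg), OP_INTENT)
            for name, cfg in VARIANTS.items()}


if __name__ == "__main__":
    for name, extra in demo().items():
        print(f"{name:20} unintended membership: {extra or 'none'}")
```

The first two variants compile to exactly the same table, so the per-line versus per-port style is purely a readability and mistake-avoidance choice; the combined line gives sfp1 membership of VLAN 200 and sfp6 membership of VLAN 199, which is the extra reach Jotne describes and which ingress filtering on those trunks can no longer remove.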