We have a CCR router set up for our ISP. I am new to the org and need to set up a layer 2 bridge.
We have SFP port 1 set up with a public IP, and SFP port 2 also has a public IP on it.
We then use it as a router to route a /24 subnet for internet access.
We want to bridge vlan 10 between ports 1 and 2 to pass our mgmt traffic back to the data center.
Port 1 is a layer 2 link back to the colo and port 2 is facing our Cisco switch, and the VLANs are trunked on the Cisco switch.
Any help on this would be great.
CCR1072 doesn't have a switch chip. So from a performance point of view there are two ways of doing it: the quick (and possibly troublesome) and the correct.
The quick would be to create two vlan interfaces with vlan-id=10, anchored to sfpplus1 and sfpplus2 respectively. Then create a bridge and add these two vlan interfaces as bridge ports. And disable xSTP on this bridge; running it has the potential to upset any of your ISPs. Add the IP setup necessary for this VLAN to the newly constructed bridge. This option might cause some minor glitches, as VLANs are not properly filtered between different parts of your router (e.g. interface sfpplus1, which you're currently using for traffic towards ISP1, will still see the VLAN-tagged frames; in principle it will ignore them, but who knows).
The correct option is to create a bridge with vlan-filtering=yes (and xSTP disabled), then add both sfpplusX as bridge ports. Make them hybrid ports, tagged for VID 10 and access for an additional VLAN, one per ISP (e.g. pvid=100 on sfpplus1 and pvid=200 on sfpplus2). Then create 3 vlan interfaces, one for each VID used in the previously mentioned bridge config. Use the vlan interface with VID set to 10 in the same manner as the bridge in the previous paragraph (the quick way). Use the vlan interface with VID matching the pvid used on sfpplus1 to configure the connection towards ISP1 (effectively move all IP config from sfpplus1 to this vlan interface), and similarly the vlan interface with VID matching the pvid of sfpplus2 for the connection towards ISP2. The bridge will properly isolate ISP1 from ISP2 on L2 … the L3 setup you have will mostly be fine, you just have to replace the sfpplusX interfaces with the corresponding vlan interfaces in all firewall rules (and interface lists).
In principle you'd add any interfaces used for LAN as access ports of yet another VLAN to this (now grand unified) bridge and use the fourth (fifth, …) vlan interface as the LAN interface in the router config. If multiple ports will be members of the same L2 subnet, then xSTP has to be enabled (use MSTP if the rest of the gear supports it), but set the ISP-bound ports as edge ports.
While this way requires more work, it ensures proper handling of tagged vs. untagged frames. And it is, BTW, future proof: if you decide to replace the CCR1072 with some more modern router (e.g. latest-gen CCR2xxx) with a capable switch ASIC built in (which can do inter-VLAN routing at wirespeed while the firewall still does its job), conceptually you'll be ready for it.
Don't forget to add appropriate firewall rules; after all, your VLAN 10 is still going via "enemy area". Personally I'd consider running some sort of encrypted tunnel between your sites (WireGuard, IPsec, …) depending on what options are supported on the different endpoints.
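The "correct" option from the answer above, written out as RouterOS CLI commands in the order that avoids locking yourself out (VLAN table first, filtering last). This is an added example, not the poster's or the forum's own configuration; it assumes the CCR1072 ports are named sfp-sfpplus1 and sfp-sfpplus2, that an interface list called WAN exists, and uses placeholder addresses for the mgmt VLAN.

```routeros
# Added example (not the poster's config). Assumptions: ports sfp-sfpplus1/2,
# VLAN 10 = mgmt, VID 100/200 = per-ISP access VLANs, WAN interface list exists.

# 1. Bridge with xSTP off; keep vlan-filtering off until the VLAN table is complete
/interface bridge add name=bridge1 protocol-mode=none vlan-filtering=no

# 2. Hybrid ports: pvid gives the untagged ISP VLAN, VID 10 is carried tagged.
#    edge=yes so no BPDUs leak to the ISPs if xSTP is later enabled for LAN ports.
/interface bridge port add bridge=bridge1 interface=sfp-sfpplus1 pvid=100 edge=yes
/interface bridge port add bridge=bridge1 interface=sfp-sfpplus2 pvid=200 edge=yes

# 3. VLAN table. bridge1 itself is listed as tagged so the router's own vlan
#    interfaces can send/receive on each VID. VID 100 and 200 never share a port,
#    so ISP1 and ISP2 are isolated from each other at L2.
/interface bridge vlan add bridge=bridge1 vlan-ids=10 tagged=bridge1,sfp-sfpplus1,sfp-sfpplus2
/interface bridge vlan add bridge=bridge1 vlan-ids=100 tagged=bridge1 untagged=sfp-sfpplus1
/interface bridge vlan add bridge=bridge1 vlan-ids=200 tagged=bridge1 untagged=sfp-sfpplus2

# 4. One vlan interface per VID, all anchored to the bridge (not to the physical ports)
/interface vlan add name=vlan10-mgmt interface=bridge1 vlan-id=10
/interface vlan add name=vlan100-isp1 interface=bridge1 vlan-id=100
/interface vlan add name=vlan200-isp2 interface=bridge1 vlan-id=200

# 5. Move the existing IP config from the physical ports to the matching vlan interfaces
/ip address set [find interface=sfp-sfpplus1] interface=vlan100-isp1
/ip address set [find interface=sfp-sfpplus2] interface=vlan200-isp2
/ip address add address=10.10.10.1/24 interface=vlan10-mgmt comment="placeholder mgmt address"

# 6. Firewall rules and interface lists must now reference the vlan interfaces
/interface list member set [find interface=sfp-sfpplus1] interface=vlan100-isp1
/interface list member set [find interface=sfp-sfpplus2] interface=vlan200-isp2
/ip firewall filter set [find in-interface=sfp-sfpplus1] in-interface=vlan100-isp1
/ip firewall filter set [find in-interface=sfp-sfpplus2] in-interface=vlan200-isp2

# 7. Only now turn filtering on. Do this from a console or MAC-Winbox session,
#    not over a connection that rides on the ports being reconfigured.
/interface bridge set bridge1 vlan-filtering=yes
```

After step 7, `/interface bridge vlan print` should show VID 10 with both ports tagged and VIDs 100/200 each with exactly one untagged port; any extra dynamic entries point at a pvid/untagged mismatch worth fixing before trusting the isolation.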