help fix leaky vlans, NP16 + PBP

Hi all. I’m racking my brain to see what’s wrong with a config I have

PBP with a single cable to a NP16. PBP eth1 to NP16 eth1. All ports on the NP16 are in the bridge.

I’m configuring the PBP with VLANs 102,103,104 and so on as sub interfaces to PBP-eth1
On the NP16 I’m creating VLANs in bridge/vlan and configuring these as tagged NP16-eth1 and untagged NP16 port#. Then I’m setting bridge/port 16 as PVID16.
So VLAN 116 is set UNTAGGED NP16-eth16 and TAGGED NP16eth1 and PBP-eth1-VLAN16

Can someone help me with what I should be doing for ingress filtering on the NP16 (currently unchecked and set to admin all) as well as on the PBP (bridge has no special configuration, ie it’s ‘stock’)

Ultimate goal is to have a VLAN on the PBP interface trunked to the NP16’s ports in a router-on-a-stick design with no leaky VLANs.

No idea what all the acronyms mean, so please provide a network diagram.
Also post the config:
/export hide-sensitive file=anynameyouwish

PBP=Powerbox Pro
NP16=Netpower 16.

Post actual configuration of both devices, it’s not really possible to know what exactly you configured from your description. Possibly it’s not what you think you configured but what you actually configured.

So if I re-word it: on the NP16, each port except ether1 should be an access port to a single VLAN (ether2 - VLAN 102 through to ether16 - VLAN 116).
Ingress filtering doesn’t care about particular VLAN ID. It only distinguishes between two types of ingress frames:
- ones tagged with a non-0 VLAN ID
- ones not tagged at all or tagged with VLAN ID 0, which is a way to indicate that from the VLAN point of view such a frame should be treated as an untagged one, but to transport the 802.1p priority field (as a single tag bears both the VLAN ID and the priority field)

Hence to prevent frames tagged with any non-0 VLAN ID from being accepted at ether2…ether16, you set ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged under /interface bridge port for all ports except ether1.

Is this the answer to your actual question?
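As an added example (not taken from the posts above), the NP16 side of the access-port layout just described, written as a RouterOS script: ether1 is the trunk to the PBP and accepts only tagged frames, ether2 through ether16 are access ports for VLAN 102 through 116 and accept only untagged or priority-tagged frames. The bridge name "bridge" and the PBP's VLAN interface names are assumptions; the VLAN numbering follows the thread. The untagged membership of each VLAN is left to be populated dynamically from the pvid, as noted later in the thread.

```routeros
# Added example, not from the original posts.
# Assumed bridge name: "bridge"; ether1 = trunk to the PBP.

/interface bridge
# vlan-filtering is switched on as the last step so that a mistake
# in the port/VLAN tables does not cut off management access
add name=bridge vlan-filtering=no

/interface bridge port
# trunk to the PBP: reject anything that is not VLAN-tagged
add bridge=bridge interface=ether1 ingress-filtering=yes \
    frame-types=admit-only-vlan-tagged

# access ports ether2..ether16 -> VLAN 102..116:
# untagged ingress frames get the port's pvid, tagged frames are dropped
:for i from=2 to=16 do={
    /interface bridge port add bridge=bridge interface=("ether" . $i) \
        pvid=($i + 100) ingress-filtering=yes \
        frame-types=admit-only-untagged-and-priority-tagged
}

/interface bridge vlan
# one tagged entry per VLAN on the trunk; the untagged list is
# filled in dynamically from the matching pvid on the access ports
:for i from=2 to=16 do={
    /interface bridge vlan add bridge=bridge tagged=ether1 vlan-ids=($i + 100)
}

# enable VLAN filtering only after the tables above are in place
/interface bridge set bridge vlan-filtering=yes

# --- PBP side (assumed: ether1 is NOT a bridge port, VLAN sub-interfaces
# hang directly off it, one per VLAN; interface names are assumptions) ---
/interface vlan
:for i from=2 to=16 do={
    /interface vlan add name=("vlan" . ($i + 100)) vlan-id=($i + 100) interface=ether1
}
```

After applying this, /interface bridge vlan print should show ether1 in the tagged column for every VLAN and exactly one access port in the (dynamic) untagged column; a frame that arrives tagged on an access port is dropped by ingress filtering rather than leaking into another VLAN.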

I believe so.

Filtering ON and ‘admit-only*’ for the ‘access’ ports that will receive untagged traffic and ADD the tag assigned to PVID.
Filtering OFF and set to ‘all’ for the trunk port(s)
In VLANs, set the access port to untagged and the trunk ports to tagged.

admit-only-untagged-and-priority-tagged


when ingress-filtering=no, it doesn’t matter what you set as frame-types


It is actually enough to set the tagged port(s) to the tagged list. The untagged list gets populated dynamically by ports with corresponding pvid.

If you are configuring for a hybrid port, let's say VLANs 10 and 11 trunked and 66 untagged:
ether1 is from the router, ether2 is the hybrid port, ether3 is a trunk port (10,11,12), ether4 is an access port (66).

/interface bridge port
# ether1: uplink to the router, accept only VLAN-tagged frames
add bridge=bridge-new interface=ether1 ingress-filtering=yes frame-types=admit-only-vlan-tagged
# ether2: hybrid port, tagged 10/11 plus untagged 66 via pvid
add bridge=bridge-new interface=ether2 frame-types=admit-all pvid=66
# ether3: trunk port, accept only VLAN-tagged frames
add bridge=bridge-new interface=ether3 ingress-filtering=yes frame-types=admit-only-vlan-tagged
# ether4: access port for VLAN 66, accept only untagged and priority-tagged frames
add bridge=bridge-new interface=ether4 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=66

Note: for bridge VLANs I like to list the untagged interfaces too, as it helps me map out what I am doing.

/interface bridge vlan
add bridge=bridge-new tagged=bridge-new,ether1,ether2,ether3 vlan-ids=10,11
add bridge=bridge-new tagged=bridge-new,ether1,ether3 vlan-ids=12
add bridge=bridge-new tagged=ether1 untagged=ether2,ether4 vlan-ids=66