Hi folks, I'm somewhat at a loss here. I am intending to use a HEX-S as a media converter for fiber services. A management interface is configured on VLAN 3049, which works. It seems I am unable to get VLAN 3050 (internet to client) passed through to ether port 1 or 2. DHCP doesn’t pass, nor do I get internet when I hardcode the laptop with an IP on a subnet on that VLAN. The trunk port works, because if I change the VLAN on the management interface to 3050, the DHCP client grabs an IP from that subnet. My access ports (VLAN 3050) on ether 1 and 2 do not.
Adding to post by @itimo01 above: the other thing is the bug about handling VLANs between switch chip and CPU, addressed by 7.20beta:
*) bridge - added dynamic tagged entry named “switch-cpu” in scenarios where the same VLAN spans multiple switch chips or is used on both HW and SW ports;
Doesn’t mention this exact scenario but I’m pretty sure it does apply: SFP port is not on same switch chip as RJ45 ports.
You can try with a manual work-around: set bridge interface as tagged member of VLAN 3050 … without creating corresponding VLAN interface.
Be warned that this is not a recommended configuration, as all bridge traffic will be passed on to cpu. Depending on the volume of the traffic that might become a bottleneck.
I turned off bridge filtering at one point because it locked me out of winbox on the lan side. When enabled, behavior was the same.
I ended up just creating VLAN interfaces and adding them to the bridge (with hardware offload). It seems to work well enough, even though the CPU hits about 20-30% when doing 1 Gbps.
That seems to work ok. We have just enough grunt to rate limit at 500mbps when everything goes over the CPU on these little units.
Yes, my typical advice to combat frustrating bridge vlan setups is…
Also, when working on VLANs, it can get sticky when applying VLANs or trying to change from the default to your setup, so it's best to do so from a safe spot. Saves much grief!
So use an off-bridge port for the configuration and also as an emergency access port on the switch at any time…
Associated config entries (remove ETHER5 from the bridge in /interface bridge port settings):
/interface ethernet
set [ find default-name=ether5] name=OffBridge5
/ip address
add address=192.168.77.1/30 interface=OffBridge5 network=192.168.77.0 comment="Offbridge and Emerg access"
/interface list member
add interface=VLAN10-Home list=TRUSTED
add interface=OffBridge5 list=TRUSTED
Note: to access the router simply configure your PC/laptop with IPV4 settings of 192.168.77.2 and via username and password you should have access.
Assumes
/interface list
add name=WAN
add name=LAN
add name=TRUSTED
Additionally
/ip neighbor discovery-settings
set discovery-interface-list=TRUSTED
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED
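An added example, not part of the post above or of any MikroTik tooling: a small Python check that reads a RouterOS export and confirms the management-plane settings from the post (MAC server off, MAC-WinBox and neighbor discovery limited to the TRUSTED list). The sample exports are constructed, and treating an unset value as a finding is an assumption of this sketch.

```python
import re
# Menus from the post, each with the setting that scopes it to an interface list.
CHECKS = {
    "/tool mac-server": "allowed-interface-list",
    "/tool mac-server mac-winbox": "allowed-interface-list",
    "/ip neighbor discovery-settings": "discovery-interface-list",
}

def parse_export(text):
    """Map each menu path to the key=value pairs found on its 'set' lines."""
    menus, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("/"):
            current = line
            menus.setdefault(current, {})
        elif current and line.startswith("set "):
            for key, val in re.findall(r'([\w-]+)=("[^"]*"|\S+)', line):
                menus[current][key] = val.strip('"')
    return menus

def audit(text, trusted="TRUSTED"):
    """Return (menu, finding) tuples; an empty list means the export matches the post."""
    menus, findings = parse_export(text), []
    for menu, key in CHECKS.items():
        value = menus.get(menu, {}).get(key)
        # MAC telnet should be disabled outright; the rest are limited to the trusted list.
        expected = "none" if menu == "/tool mac-server" else trusted
        if value is None:
            findings.append((menu, f"{key} not set in export"))
        elif value != expected:
            findings.append((menu, f"{key}={value}, expected {expected}"))
    return findings

# Constructed sample exports (not taken from a real device).
HARDENED = """/ip neighbor discovery-settings
set discovery-interface-list=TRUSTED
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED
"""
WEAK = """/tool mac-server
set allowed-interface-list=all
/tool mac-server mac-winbox
set allowed-interface-list=LAN
"""

if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit(cfg) or "OK")
```

Feed it the text of an `/export` from the unit after each VLAN change to confirm the emergency-access hardening is still in place.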
In this case, 1gbps is all we need.
In our other use cases, we need all the traffic hitting the CPU to do simple queue rate limiting per port.
I've gone down a bit of a rabbit hole in regards to VLAN filtering today. I'll probably review my concept once I’m local to the production environment. Though in our use cases, I'm not sure if it's required, as they are basically being used as smart media converters.
I'll see if I can lab this with the SFP in the mix; current config is full hardware offload, 0% CPU usage (according to the telnet session from the tik upstream of this CPE).