Multiple Bridge question

Hello,

I have a question regarding using 2 bridges. My setup is a CRS328 as the main switch, and I have 3 CRS109s attached to it as downstream routers. I have a number of VLANs, but the VLANs must be strictly segregated, so SFP 3, 5 & 7 are trunking VLANs 600, 630 and 710 on the CRS328 master bridge. But because I need VL710 to be in the upstream gateway too, I was told to create a separate bridge and put the WAN uplink port on it along with the downstream interfaces.
Cap seems to point the individual interfaces onto the correct bridges and this works just fine, but as sfp3, 5 and 7 are trunks (VL600 is management) I would need to specify the individual ports on the CRS109s and assign them to the correct bridge or… I’m lost.

sfp3, 5 and 7 need to be able to handle separate VLANs and assign them to separate bridges. How?

Thanks

IMO this is bad advice. Properly configured VLANs offer enough separation even within same bridge. The only thing you may have to configure on WAN port is to disable xSTP on it (set edge=yes on that port).

Remember, only one bridge can be HW offloaded to one switch chip; the others are handled by the CPU.

OK, so I can maintain separation for VLAN710 from everything else on the uplink?

You’re correct by the way - I only want one bridge. I am running a 5G network and the timing requirements of components that traverse the CRS are very tight. Any delay due to 2 or more bridges loading the CPU is not acceptable.

By explicitly setting ports to the right VLAN membership you keep the separation between VLANs.

One setting which many people neglect: ingress-filtering=yes on all ports does help with VLAN integrity.

The WAN-associated VLAN is distinct and separate from the data VLANs behind the router.
One only assigns the ISP VLAN either to an ether port (which is used in the IP DHCP client or PPPoE settings) or, less likely, to some fixed IP address on the VLAN.
It has nothing to do with the LAN bridge, so to speak.

There are some cases where the WAN VLAN is sharing a port with other VLANs, in which case a bridge may be used, but the VLAN is terminated at either the DHCP client, the PPPoE settings or a fixed address.
I think the edge port comment applies here.

Yes, if it’s possible to physically connect the WAN line directly to a router port. Sometimes it’s not; instead the WAN line is connected to a port of a managed switch, from where traffic is passed towards the router using trunk ports. And proper VLAN config maintains separation of the WAN “VLAN” throughout the network infrastructure up to the router. All that with a single bridge on each device. After all, WAN is only just another subnet (yeah, it’s larger and more evil, but that’s about it when it comes to VLANs).

Just to be clear, what sits above the CRS is a PFSense firewall with 8 ports on it. On one of those ports sits my HomeAssistant instance. Putting an upstream VLAN connection is not a security concern.

If you connect two ports of the same bridge to the same upstream device, even if those ports are set as access ports to different VLANs, there might be problems with loop detection (xSTP). Because xSTP (except MSTP) is not VLAN-aware, it detects loops at L2 (physical Ethernet). So it’s down to how exactly those 8 ports are treated in PFSense. AFAIK setting ports as edge=yes on MT (together with setting a different PVID and/or a different set of tagged VLANs if applicable) should be enough to avoid the problems.

Personally I’d look into VLANization of PFsense (I’m not sure if that’s possible).
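Added example, not any poster’s own config: a single-bridge RouterOS configuration for the CRS328 that applies the points made above (explicit VLAN membership, ingress-filtering=yes on every port, edge=yes on the port facing the upstream firewall). Interface names sfp1 (uplink to the firewall’s VLAN 710 port), sfp3/sfp5/sfp7 (trunks to the CRS109s) and ether1 (management access port) are assumptions; VLAN IDs 600, 630 and 710 come from the thread, and the management address is a placeholder.

```routeros
# Assumed names: sfp1 = uplink to firewall (VLAN 710 only),
# sfp3/sfp5/sfp7 = trunks to the CRS109s, ether1 = management access port.
/interface bridge
add name=bridge1 vlan-filtering=no

/interface bridge port
# Trunks: accept tagged frames only; drop VLANs not listed in the bridge VLAN table.
add bridge=bridge1 interface=sfp3 ingress-filtering=yes frame-types=admit-only-vlan-tagged hw=yes
add bridge=bridge1 interface=sfp5 ingress-filtering=yes frame-types=admit-only-vlan-tagged hw=yes
add bridge=bridge1 interface=sfp7 ingress-filtering=yes frame-types=admit-only-vlan-tagged hw=yes
# Uplink: untagged access port in VLAN 710; edge=yes keeps xSTP from
# treating the firewall link as a possible loop path.
add bridge=bridge1 interface=sfp1 pvid=710 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged edge=yes hw=yes
# Management access port in VLAN 600.
add bridge=bridge1 interface=ether1 pvid=600 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged hw=yes

/interface bridge vlan
# bridge1 itself is a tagged member of VLAN 600 only, so the CPU sees
# management traffic and never touches VLAN 630 or 710.
add bridge=bridge1 vlan-ids=600 tagged=bridge1,sfp3,sfp5,sfp7 untagged=ether1
add bridge=bridge1 vlan-ids=630 tagged=sfp3,sfp5,sfp7
add bridge=bridge1 vlan-ids=710 tagged=sfp3,sfp5,sfp7 untagged=sfp1

/interface vlan
add name=vlan600-mgmt interface=bridge1 vlan-id=600
/ip address
# Placeholder management address; replace with the real one.
add address=192.0.2.10/24 interface=vlan600-mgmt

# Enable filtering last, from a session on the management VLAN, so a
# mistake in the table above cannot lock you out before you can check it.
/interface bridge set bridge1 vlan-filtering=yes
```

Each CRS109 needs a matching single-bridge table on its own trunk port (VLANs 600, 630 and 710 tagged), and `/interface bridge vlan print` plus `/interface bridge host print` on the CRS328 show whether a VLAN’s MACs are learned only on the ports you expect.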