port switching and bridge with hw off-loading

I am using hAp ac. Switch type: QCA 8337. ROS v 6.48.
I have a bridge configured with 4 “LAN” ports (eth2, 3, 4, 5) with hw-offloading “on”. The eth1 port is “WAN”, not part of the bridge. The switch config is empty (nothing added). Also, no VLANs are used.
Question:

  • is eth1 fully isolated and not switched in this config? Meaning, does the switch forward any traffic between eth1 and any other ports?

Correct - in this case, RouterOS configures the switch chip to send all packets from ether1 only to CPU port. You don’t need to set up any /interface ethernet switch rule items to ensure this. Another situation would be if you wanted to prevent e.g. frames from ether2 to be forwarded to ether3, which are configured as member ports of the same bridge - in this case, you would have to set up an /interface ethernet switch rule.

How is it implemented? Does it use switch port membership based on VLANs internally?
Is this setup protected from attacks that use packets with VLAN tags (WAN > LAN)?

I didn’t write that code, nor do I have a datasheet of this particular switch chip model (I guess the NDAs are too expensive to break, so you cannot find the datasheets on the internet), but the instruction to forward received frames only to the CPU port is “stronger” than any VLAN tags.

These chips (8227, 8237, 8337) use a proprietary tag to identify the particular ingress port in the ethernet->cpu direction and the required egress port in the cpu->ethernet direction. This proprietary tag can be used regardless of whether a regular VLAN tag is present in the frame.
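To make the two answers above concrete (the non-bridge port being sent to the CPU port only, and that decision being independent of any 802.1Q tag), here is an added illustration that is not from the thread, from RouterOS, or from the QCA8337 itself. It parses Ethernet II frames with any number of stacked 802.1Q/802.1ad tags and then applies an assumed port-based forwarding model: ether1 outside the bridge goes to `cpu` only, ether2-5 flood to each other and to `cpu`. The port names, the flooding model (no MAC learning) and the helper names `parse_frame`, `build_frame`, `egress_ports` and `wan_reaches_lan` are all assumptions for the example; the real chip's internal tables are not documented on this page.

```python
import struct
from dataclasses import dataclass
from typing import List, Set

# EtherTypes that introduce a 4-byte VLAN tag (802.1Q C-tag, 802.1ad S-tag).
ETHERTYPE_VLAN = 0x8100
ETHERTYPE_QINQ = 0x88A8
ETHERTYPE_IPV4 = 0x0800

CPU = "cpu"
# Assumed port layout, taken from the thread: ether2-5 are hw-offloaded
# bridge members, ether1 is the WAN port outside the bridge.
BRIDGE_PORTS = frozenset({"ether2", "ether3", "ether4", "ether5"})
NON_BRIDGE_PORTS = frozenset({"ether1"})


@dataclass
class Frame:
    dst: bytes
    src: bytes
    vids: List[int]          # VLAN IDs, outermost first; [] when untagged
    ethertype: int           # EtherType of the innermost (payload) header
    payload: bytes


def parse_frame(raw: bytes) -> Frame:
    """Parse an Ethernet II frame, peeling any number of stacked VLAN tags."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = raw[:6], raw[6:12]
    off = 12
    vids: List[int] = []
    while True:
        if off + 2 > len(raw):
            raise ValueError("truncated EtherType")
        (ethertype,) = struct.unpack_from("!H", raw, off)
        off += 2
        if ethertype in (ETHERTYPE_VLAN, ETHERTYPE_QINQ):
            if off + 2 > len(raw):
                raise ValueError("truncated VLAN TCI")
            (tci,) = struct.unpack_from("!H", raw, off)
            off += 2
            vids.append(tci & 0x0FFF)   # low 12 bits of the TCI are the VID
            continue
        return Frame(dst, src, vids, ethertype, raw[off:])


def build_frame(dst: bytes, src: bytes, vids: List[int],
                ethertype: int = ETHERTYPE_IPV4, payload: bytes = b"") -> bytes:
    """Build a constructed test frame with the given tag stack (outermost first)."""
    hdr = bytearray(dst + src)
    for i, vid in enumerate(vids):
        # Outer tag of a double-tagged frame is an S-tag, the rest are C-tags.
        tpid = ETHERTYPE_QINQ if (i == 0 and len(vids) > 1) else ETHERTYPE_VLAN
        hdr += struct.pack("!HH", tpid, vid & 0x0FFF)
    hdr += struct.pack("!H", ethertype) + payload
    return bytes(hdr)


def egress_ports(ingress: str, raw: bytes) -> Set[str]:
    """Assumed model of the port-based forwarding decision from the thread.

    A non-bridge port is forwarded to the CPU port only; bridge member ports
    flood to the other members and the CPU (no MAC learning is modelled).
    The tag stack is parsed but never consulted: the per-port decision comes
    first, which is what makes it "stronger" than any VLAN tag.
    """
    parse_frame(raw)   # validates the frame; its tags do not affect the result
    if ingress in NON_BRIDGE_PORTS:
        return {CPU}
    if ingress in BRIDGE_PORTS:
        return set(BRIDGE_PORTS - {ingress}) | {CPU}
    raise ValueError(f"unknown ingress port {ingress!r}")


def wan_reaches_lan(raw: bytes) -> bool:
    """True if a frame entering on ether1 would be switched to any LAN port."""
    return bool(egress_ports("ether1", raw) & BRIDGE_PORTS)


if __name__ == "__main__":
    bcast = b"\xff" * 6
    sample_src = bytes.fromhex("020000000001")    # constructed sample MAC
    # Constructed frames: untagged, single-tagged, and double-tagged (QinQ).
    for vids in ([], [1], [100, 200]):
        f = build_frame(bcast, sample_src, vids)
        print(vids, parse_frame(f).vids, sorted(egress_ports("ether1", f)))
    print("ether2 ->", sorted(egress_ports("ether2", build_frame(bcast, sample_src, []))))
```

The value of the model is the check it lets you state: for any tag stack you can construct, `wan_reaches_lan` stays false, because the ingress-port rule is applied before VLAN membership is ever looked at. If a switch instead resolved egress from VLAN membership first, the same frames would be the ones to test.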