RB960PGS sfp1 port and vlans

Hi!
I have a problem with my RB960PGS. I want to use the sfp1 interface as an uplink port with VLANs, and ether2 and ether3 as untagged ports in a certain VLAN.

Uplink -----> (vlan10, vlan11 tag) -----> sfp1 (vlan11 as management) -----> ether2, ether3 (vlan10 untag)

But when I configure it as usual (vlan10-sfp and vlan11-sfp VLAN interfaces on sfp1, bridge-vlan10 with vlan10-sfp, ether2 and ether3 in this bridge), I get a loop, and loopback detection on the upper switch kicks in. And I cannot use the switch interface because sfp1 does not belong to the internal switch (QCA8337 (ether1-ether5) in the wiki). So how can I make my setup work?

The modern way of doing it is to use a single bridge and vlan-filtering. This would be the L2 config for your case:

/interface bridge
add name=bridge vlan-filtering=yes
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=sfp1
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether2 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3 pvid=10
/interface bridge vlan
add bridge=bridge tagged=sfp1 untagged=ether2,ether3 vlan-ids=10
add bridge=bridge tagged=sfp1,bridge vlan-ids=11
/interface vlan
add name=vlan-11 interface=bridge vlan-id=11 comment="MGMT interface of routerboard"

This config does everything on CPU, so any traffic between ether2 and ether3 will hit CPU as well.

But be careful … vlan-filtering on bridge should be enabled only after you configure everything else … and do use safe mode most of the time.

It might be beneficial to set protocol-mode=none on the bridge if you're entirely sure that a loop is not possible through this device.
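
As an added example (not part of the original posts and not MikroTik code), here is a Python pre-flight check that could be run over the config above before vlan-filtering is switched on. It flags the two mistakes that cut off management access or the uplink at that moment. It assumes export-style `add key=value` lines and single or comma-separated vlan-ids (no ranges); `parse` and `preflight` are hypothetical helper names.

```python
import shlex

# The config from the answer above, embedded as constructed sample input.
CONFIG = '''
/interface bridge
add name=bridge vlan-filtering=yes
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=sfp1
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether2 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3 pvid=10
/interface bridge vlan
add bridge=bridge tagged=sfp1 untagged=ether2,ether3 vlan-ids=10
add bridge=bridge tagged=sfp1,bridge vlan-ids=11
/interface vlan
add name=vlan-11 interface=bridge vlan-id=11 comment="MGMT interface of routerboard"
'''

def parse(text):
    """Group 'add key=value ...' lines under the menu path line above them."""
    menus, path = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            path = line
        elif line.startswith("add ") and path:
            toks = shlex.split(line)[1:]          # shlex keeps comment="a b" as one token
            menus.setdefault(path, []).append(dict(t.split("=", 1) for t in toks if "=" in t))
    return menus

def preflight(text):
    """Return findings that would drop traffic once vlan-filtering=yes takes effect."""
    m, findings, tagged = parse(text), [], {}     # tagged: (bridge, vlan id) -> members
    for row in m.get("/interface bridge vlan", []):
        members = set(filter(None, row.get("tagged", "").split(",")))
        for vid in row.get("vlan-ids", "").split(","):
            tagged.setdefault((row["bridge"], vid), set()).update(members)
    bridges = {b["name"] for b in m.get("/interface bridge", [])}
    # A VLAN interface on the bridge only receives frames if the bridge is a tagged member.
    for v in m.get("/interface vlan", []):
        br, vid = v["interface"], v["vlan-id"]
        if br in bridges and br not in tagged.get((br, vid), set()):
            findings.append(f"{v['name']}: bridge {br} is not tagged in VLAN {vid}")
    # A tagged-only port that is tagged in no VLAN forwards nothing.
    for p in m.get("/interface bridge port", []):
        in_any = any(p["interface"] in s for (b, _), s in tagged.items() if b == p["bridge"])
        if p.get("frame-types") == "admit-only-vlan-tagged" and not in_any:
            findings.append(f"{p['interface']}: tagged-only port is tagged in no VLAN")
    return findings
```

An empty result for the config as posted means the management VLAN interface and the sfp1 trunk both have the VLAN table entries they need.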