Hello, I am stuck with the problem of setting up a VLAN config for switch HA so that it works. My router is a CCR-1009 - CPU usage is not a consideration, security is. I have 2 directly connected HP Aruba 2530 switches in a mesh setup for HA and two more, which are not directly connected. I can set up the router using single-port guides, so that I am able to tag/untag packets and direct them to their VLANs. I have not found how to set up my router so that I have bridges for tagged and untagged VLAN traffic, connected to physical ports, between which I would be able to set up firewall rules for inter-VLAN communication. A rough sketch is in the attached picture.
If your CCR doesn’t have a switch chip (I read that the oldest versions did have one while later versions don’t), then you should follow the ‘new’ vlan-filtering=yes bridge setup, which allows you to have both tagged and untagged traffic running between bridge ports (such a bridge acts as a smart switch). There are numerous official sources, but many people find this tutorial worth reading.
Basically you’d create a bridge, make interfaces eth7 and eth8 its members and then use this bridge for any L2/L3 operations (similarly to what you do now directly with an eth interface).
As the tutorial hints, when using VLANs, the untagged part can be considered just another VLAN, but a special one, because it doesn’t have tags and thus has to be configured slightly differently. In theory tagging and untagging frames consumes some time (CPU cycles), but IMHO this is negligible, while configuring it as another tagged VLAN on the bridge (all ports belonging to it have PVID set … just choose an ID not used for any tagged VLAN) makes the configuration uniform. And, BTW, using VLAN ID=1 can cause some unexpected behaviour as it’s the default PVID in the default configuration.
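An added example of the setup the reply describes, written for this thread and not taken from the reply, the linked tutorial or MikroTik documentation. It assumes RouterOS interface names ether7/ether8 for the reply's eth7/eth8, VLAN IDs 10 and 20 as tagged VLANs, 99 as the untagged "special" VLAN (PVID), and constructed 10.0.x.0/24 addressing; adjust all of these to your own plan.

```routeros
# Bridge that replaces direct use of ether7/ether8 (the reply's eth7/eth8).
# vlan-filtering stays off until the VLAN table is complete, so a mistake
# in the table cannot cut off management access mid-configuration.
/interface bridge
add name=bridge1 vlan-filtering=no

# Trunk ports to the two Aruba 2530 switches. PVID 99 is the "special"
# untagged VLAN (not 1, to avoid the default-PVID surprises mentioned above).
# ingress-filtering drops frames tagged with a VLAN the port is not a member of.
/interface bridge port
add bridge=bridge1 interface=ether7 pvid=99 ingress-filtering=yes
add bridge=bridge1 interface=ether8 pvid=99 ingress-filtering=yes

# VLAN table. The bridge itself is a tagged member of every VLAN the router
# needs an L3 interface on; ether7/ether8 carry 99 untagged, the rest tagged.
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether7,ether8 vlan-ids=10
add bridge=bridge1 tagged=bridge1,ether7,ether8 vlan-ids=20
add bridge=bridge1 tagged=bridge1 untagged=ether7,ether8 vlan-ids=99

# One L3 interface per VLAN on top of the bridge, the untagged VLAN included,
# so firewall rules can refer to all of them uniformly.
/interface vlan
add name=vlan10 interface=bridge1 vlan-id=10
add name=vlan20 interface=bridge1 vlan-id=20
add name=vlan99 interface=bridge1 vlan-id=99

# Constructed addressing, one subnet per VLAN.
/ip address
add address=10.0.10.1/24 interface=vlan10
add address=10.0.20.1/24 interface=vlan20
add address=10.0.99.1/24 interface=vlan99

# Inter-VLAN policy: allow replies, explicitly allow what is needed,
# drop everything else that is routed between VLAN interfaces.
/interface list
add name=VLAN
/interface list member
add list=VLAN interface=vlan10
add list=VLAN interface=vlan20
add list=VLAN interface=vlan99
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=vlan10 out-interface=vlan20 action=accept comment="example: 10 -> 20 allowed"
add chain=forward in-interface-list=VLAN out-interface-list=VLAN action=drop comment="default deny inter-VLAN"

# Enable filtering last, once the table above is in place.
/interface bridge
set [find name=bridge1] vlan-filtering=yes
```

The switch side must match: the Aruba ports facing ether7/ether8 carry VLANs 10 and 20 tagged and VLAN 99 untagged, otherwise traffic on the mismatched VLAN is silently dropped by ingress filtering.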