Apologies if this has been asked before, I tried to search but could not find something similar. I am using a CRS326-24G-2S+, using the switch chip to isolate the ports, but since I added some VLANs to the 10G port, the CPU has gone high. Is there a way I can pass traffic via the switch and not the CPU?
You are essentially creating a CPU bridge and plopping the 3 physicals and the 3 VLANs into one ‘broadcast’ bridge together - this requires CPU access and is more a router functionality (of which the CRS series has very basic routing power)
You want to only add the physical interfaces to a single bridge that will then detect and become the hardware bridge - then use the VLANs option under the Bridge menu, not under Interfaces, where you can tag/untag VLANs on the different physical ports in the bridge
Thank you, yes the CRS is kind of already coming to its knees with just 200mb of traffic.
I would have actually used port isolation if it was port-based, but this being VLAN I cannot use that.
I want to test the VLAN under bridge. Is there any example related to what I want? I tried looking but found nothing similar.
Maybe you actually want a normal thing but the wording and implementation is unfortunate? I.e. if I rephrase what you wrote into a table below, does it express what you actually want?
VLAN | sfpplus1 | ether1 | ether2 | ether3 | ether4
30 | Y | Y | Y | Y | N
31 | Y | Y | Y | Y | N
35 | Y | Y | Y | Y | N
40 | Y | N | N | N | Y
You can do VLAN tagging/filtering under the hardware switch using the bridge vlan menu.
You cannot bridge 2 or more tagged VLANs together in hardware though, this requires CPU.
Switching is about taking a packet in, and forwarding by ARP based on the network it came in on, i.e. listening to the VLAN tag, not about forwarding into other networks/VLANs - that's where a router comes in.
If you give a rundown on what you are trying to achieve, then we may be able to help more.
This tutorial describes how to do VLANs properly under ROS … and this method enables HW acceleration (i.e. done by the switch) on the CRS3xx series of switches.
OK, so it’s a normal use after all. The tutorial suggested by @mkx describes exactly that.
Assuming that you manage the device via some other port, remove everything from /interface vlan and from /interface bridge port, and add the following:
That’s all unless you want the switch itself to have an IP address in some of these four VLANs.
And remember that only one bridge can use the hardware acceleration, so for any serious volume of other bridged traffic, you have to use additional VLANs on BR1 rather than adding another bridge.
horizon is a software feature configured under /interface bridge port and its activation on a port deactivates hardware forwarding on that port. If you need port isolation in terms that ether1, ether2, ether3 could only forward traffic to/from sfpplus1 but not to/from each other, use the corresponding setting at the switch chip level. Otherwise, the VLAN filtering is sufficient to prevent traffic from being forwarded between ether1..ether3 and ether4.
Sorry, I don’t understand what means that “ether1 would talk to vlan 30”. In your original description, there was a group of ports (ether1..ether3) and a group of VLANs, so I was expecting all three VLANs should be accessible on all three ports, which would thus be trunk ports, like sfpplus1.
Do you instead want ether1 to be an access port to VLAN 30, i.e. if a tagless packet arrives to ether1 through the connected cable, it has to be tagged with VID 30? If so, specify which VLAN should pass through which port in trunk (tagged on the wire) mode and which VLAN should pass through which port in access (tagless, or “untagged”, on the wire) mode.
Apologies for not being clear, I have tried to attach a simple diagram. I have 3 OLTs connected to the switch. The old OLTs were just delivering traffic without VLANs. The new one has a VLAN for each service. I had port isolation, so Ether 1 and 2 would only see Ether 3 and 4, and not each other. But when the VLAN came in, all got messed up.
PPPoE Traffic (port isolation): each port should just see Ether 3.
VLAN 30, VLAN 31, Ether 1, Ether 2 == Ether 3
IP Traffic (port isolation): each port should only see Ether 4.
VLAN 35, Ether 1, Ether 2 === Ether 4
I now see that what I want might not be simple; any pointers on how to achieve this?
So after all, my table did not express what you wanted, because you really want something unusual. You need a kind of protocol-based VLAN for the old OLTs, where you need to forward PPPoE and friends to the CCR via ether3, and to forward IP and friends to the CCR via ether4.
And on the new OLT, you have two categories of PPPoE traffic, in two different VLANs, 30 and 31, but you then want to deliver traffic from both these VLANs to the CCR via ether3, probably untagged? And then there is the IP traffic in VLAN 35, which you want to deliver to the CCR via ether4.
This time you say nothing about VLAN 40.
I have a rough idea how to achieve what you want using switch chip rules, i.e. in hardware, but I’m afraid there is no way to ensure that ingress traffic from ether3 would get tagged with the proper VLAN ID on egress via sfpplus1 as there is no stateful VLAN ID translation, making sure that responses to frames that came in via VLAN 30 would be tagged with VLAN 30 on egress, whilst responses to frames that came in via VLAN 31 would be tagged with VLAN 31. You can only merge the VLANs at the CCR (where everything is done by the CPU anyway and the CPU is much more powerful than the one of the CRS), but what’s the reason behind having two VLANs for PPPoE traffic but terminating both of them at the same PPPoE server? Can it be changed? And where’s the VLAN 40 gone?
I just removed VLAN 40, as I wanted to keep it simple; VLAN 40 goes direct to an ethernet port, which would be easy to manage.
30 and 31 are because of the design of the OLT: traffic from the CPE device is VLAN 30, and VLAN 31 is if the customer uses their own router. But all of that goes to PPPoE, as there is a VPLS circuit from the CCR to the server.
Adding this new OLT and VLAN has made things get complicated.
OK. What you definitely cannot do in hardware on the CRS is to merge the VLANs 30 and 31. This has to be done either on the CCR or nowhere at all, meaning that you’d have to use a separate PPPoE server for each of these VLANs.
So I’d try the following, but it’s pure theory, I have no possibility to test it:
on the CCR:
attach three /interface vlan, for vlan-id=30, vlan-id=31, and vlan-id=2222, to ether3
remove ether3 from the bridge to which it is currently connected, and instead make all the three /interface vlan member ports of this bridge. This will merge those VLANs together on the bridge.
create another bridge, bridge-ip, and replicate the above setup for /interface vlan for vlan-id=35 and vlan-id=2222 and ether4. Move whatever IP configuration is attached to ether4 to bridge-ip.
on the CRS:
allow VLANs 30, 31 and 35, all of them tagged, on sfpplus1
allow VLANs 30, 31, and 2222, all of them tagged, on ether3 of the CRS
allow VLANs 35 and 2222, both tagged, on ether4 of the CRS
allow VLAN 2222, untagged, on ether1 and ether2 of the CRS:
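The CRS and CCR side of the layout just described, written out as an added example (not the poster's own configuration) using the bridge VLAN method from the tutorial linked earlier; the same /interface bridge vlan approach also covers the simpler trunk layout in the table further up. Bridge name BR1 on the CRS and bridge-pppoe on the CCR are assumed names, and management of the CRS is assumed to come via a port outside BR1.

```routeros
# --- CRS326: single bridge so the switch chip does the VLAN filtering in hardware ---
/interface bridge
add name=BR1 vlan-filtering=no
/interface bridge port
add bridge=BR1 interface=sfpplus1
add bridge=BR1 interface=ether3
add bridge=BR1 interface=ether4
# old OLTs send untagged frames: tag them with VID 2222 on ingress and drop anything tagged
add bridge=BR1 interface=ether1 pvid=2222 frame-types=admit-only-untagged-and-priority-tagged
add bridge=BR1 interface=ether2 pvid=2222 frame-types=admit-only-untagged-and-priority-tagged
/interface bridge vlan
add bridge=BR1 vlan-ids=30   tagged=sfpplus1,ether3
add bridge=BR1 vlan-ids=31   tagged=sfpplus1,ether3
add bridge=BR1 vlan-ids=35   tagged=sfpplus1,ether4
add bridge=BR1 vlan-ids=2222 tagged=ether3,ether4 untagged=ether1,ether2
# enable filtering only after the table is complete, otherwise ports lose connectivity
/interface bridge set BR1 vlan-filtering=yes
# check: every port should show the H (hardware offload) flag
/interface bridge port print

# --- CCR: merge VLANs 30, 31 and 2222 from ether3 into the existing PPPoE bridge ---
/interface vlan
add name=vlan30-eth3   interface=ether3 vlan-id=30
add name=vlan31-eth3   interface=ether3 vlan-id=31
add name=vlan2222-eth3 interface=ether3 vlan-id=2222
add name=vlan35-eth4   interface=ether4 vlan-id=35
add name=vlan2222-eth4 interface=ether4 vlan-id=2222
/interface bridge
add name=bridge-ip
/interface bridge port
remove [find interface=ether3]
add bridge=bridge-pppoe interface=vlan30-eth3
add bridge=bridge-pppoe interface=vlan31-eth3
add bridge=bridge-pppoe interface=vlan2222-eth3
add bridge=bridge-ip    interface=vlan35-eth4
add bridge=bridge-ip    interface=vlan2222-eth4
```

If a port prints without the H flag after vlan-filtering is enabled, something software-only (such as horizon) is set on it and that port's traffic is going through the CPU.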