No understanding of why I should create two bridges versus just one.
I currently do not understand why two will be needed and would like to understand why.
…
I am still reading and am still unclear on the “create two bridges” directive.
Is there a reason that two are needed?
…
I never did need to create two bridges at all, so I’m not really sure what that was about, unless that was somehow under some expectation that I was going to try to use both switch chips.
This is MikroTik’s actual recommendation for devices like the RB3011 (with multiple built-in switch chips), as you can read in one of the “warnings” under this section:
For devices that have multiple switch chips (for example, RB2011, RB3011, RB1100), each switch chip is only able to switch VLAN traffic between ports that are on the same switch chip, VLAN filtering will not work on a hardware level between ports that are on different switch chips, this means you should not add all ports to a single bridge if you are intending to use VLAN filtering using the switch chip, VLANs between switch chips will not get filtered. You can connect a single cable between both switch chips to work around this hardware limitation, another option is to use Bridge VLAN Filtering, but it disables hardware offloading (and lowers the total throughput).
Even if you are not using VLANs at all and only use the bridge, it’s still recommended to set up one bridge per available switch chip, and have no bridge span multiple switch chips, if you want the most efficiency. Think of a bridge as being a switch plus layer 3 functionality. You would prefer to have the switching part (layer 2 functionality) completely handled by the switching hardware (the switch chip), and that only works if the whole bridge uses only one switch chip. Otherwise, even if your devices on port 5 do not directly talk to devices on port 6, for instance, if your bridge spans the two switch chips, every time there is some broadcast or multicast traffic the Ethernet frames will need to go from one switch chip to the other by transiting through the main CPU, consuming its resources while no longer being hardware offloaded.
But currently in RouterOS, if you create multiple bridges on the same switch chip, then only one of the bridges can be hardware offloaded; the rest of the bridges configured on that switch chip will be software only and processed by the CPU. If we combine these two pieces of information, then it’s most efficient when you create one and only one bridge per available switch chip, with the ports mapped accordingly.
Bridge VLAN filtering did not need this (I realize that may be irrelevant), but it just adds to the confusion.
Even when you configure VLANs on newer devices with Bridge VLAN Filtering, if your device has multiple switch chips, for instance the CCR2004-16G-2S+ has two 88E6191X switch chips, and you want 100% of the layer 2 part of the bridge to be handled by hardware, it’s still recommended that you create two bridges, one per chip. If you have only one bridge, then any layer 2 traffic (normal switching) spanning the ports of different chips will have to involve the main CPU and will not be hardware offloaded. If you only have one bridge, everything still works, and the CCR2004 has a powerful enough CPU that you won’t notice the difference at all when only switching traffic between the 1Gbps ports, but you are still losing efficiency, are not getting the most out of the L2 hardware, and are not minimizing the main CPU’s usage. You can follow the conversation in this thread for more discussion:
http://forum.mikrotik.com/t/ccr2004-16g-2s-multiple-bridges-or-not/172985/1
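The one-bridge-per-switch-chip recommendation from the two replies above, written out as an added configuration example that is not from the original posts or from MikroTik’s documentation. It assumes an RB3011 whose ports are split as ether1–ether5 on switch1 and ether6–ether10 on switch2 (verify this with the print command at the end), and that ether1 and ether6 are kept out of the bridges as routed uplinks; the port roles and bridge names are assumptions.

```routeros
# Added example (not from the original posts): one bridge per switch chip.
# Assumed RB3011 mapping: ether1-ether5 on switch1, ether6-ether10 on switch2.
# Confirm the mapping on your own unit before applying:
/interface ethernet switch print
/interface ethernet switch port print

# Not recommended: a single bridge spanning both chips. Any frame that has to
# cross from a switch1 port to a switch2 port, and all broadcast/multicast,
# transits the main CPU instead of staying inside one chip.
# /interface bridge
# add name=bridge-all
# /interface bridge port
# add bridge=bridge-all interface=ether2 hw=yes
# add bridge=bridge-all interface=ether7 hw=yes

# Recommended: one bridge per switch chip, each port on the chip it belongs to.
/interface bridge
add name=bridge1 comment="ports on switch1"
add name=bridge2 comment="ports on switch2"
/interface bridge port
add bridge=bridge1 interface=ether2 hw=yes
add bridge=bridge1 interface=ether3 hw=yes
add bridge=bridge1 interface=ether4 hw=yes
add bridge=bridge1 interface=ether5 hw=yes
add bridge=bridge2 interface=ether7 hw=yes
add bridge=bridge2 interface=ether8 hw=yes
add bridge=bridge2 interface=ether9 hw=yes
add bridge=bridge2 interface=ether10 hw=yes

# Check: every port should carry the H (hardware offload) flag. A port that
# shows hw=yes but no H flag is being switched in software by the CPU, which
# is what you get for a second bridge on the same chip or a bridge that
# spans both chips.
/interface bridge port print
```

Traffic between bridge1 and bridge2 is then routed by the CPU (or carried over a single cable patched between a switch1 port and a switch2 port, as the quoted warning suggests), which is the same CPU cost you would pay silently for every cross-chip frame with one spanning bridge, but now only for the traffic that genuinely needs to cross.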
Continuing at it here and trying the examples…
And, as to be expected, nothing is working; no traffic is passing yet.
The examples are:
/interface ethernet switch port
set ether2 vlan-mode=secure vlan-header=add-if-missing
set ether3 vlan-mode=secure vlan-header=always-strip default-vlan-id=200
set ether4 vlan-mode=secure vlan-header=always-strip default-vlan-id=300
set ether5 vlan-mode=secure vlan-header=always-strip default-vlan-id=400
But then there’s a special note:
Does this mean that I absolutely have to use only “leave-as-is” for ALL settings as shown in the example (without these settings but with other settings)?
It’s things like this that can really trip me up when it’s not working.
Especially when I go and set them all to “leave-as-is” as the note for my switch chip seems to imply, and then it STILL is not passing traffic.
Making it harder to trace my mistakes.
Normally, before changing vlan-mode=secure for the entries under /interface ethernet switch port, you should populate the VLAN configuration under /interface ethernet switch vlan first, because the secure mode requires information from the switch VLAN table.
You can think of /interface ethernet switch vlan as being somewhat similar to /interface bridge vlan, where you specify the ports the VLAN ID can be used with (including the similarity that for layer 3 you need to add the bridge to the tagged list for Bridge VLAN Filtering, and for the switch chip you have to add the switchX-cpu, because the bridge represents the CPU port; see this post http://forum.mikrotik.com/t/routeros-bridge-mysteries-explained/147832/1). The difference is that under /interface ethernet switch vlan you don’t include the tagged/untagged information like with Bridge VLAN Filtering.
As for the settings under /interface ethernet switch port, that’s where you specify the PVID of the access and hybrid ports (similar to /interface bridge port). But it’s also where you explicitly turn on VLAN filtering for ingress traffic on the port with vlan-mode (with Bridge VLAN Filtering you turn it on at the bridge level). The other difference is that under /interface bridge port you change the frame-type for Access/Trunk/Hybrid configuration, and this is for ingress, whereas with /interface ethernet switch port the vlan-header setting is used for Access/Trunk/Hybrid configuration but it is a setting for egress traffic. Normally you set vlan-header like this according to the type of port (quoted from the documentation):
Sets action which is performed on the port for egress traffic.
add-if-missing - adds a VLAN tag on egress traffic and uses default-vlan-id from the ingress port. Should be used for trunk ports.
always-strip - removes a VLAN tag on egress traffic. Should be used for access ports.
leave-as-is - does not add nor remove a VLAN tag on egress traffic. Should be used for hybrid ports.
But for the QCA8337 and Atheros8327 (used in the hAP ac² for instance) the type (Access/Trunk/Hybrid) can be inferred by the switch chip from the other information provided (default-vlan-id as well as how many VLAN IDs are enabled on the port), so vlan-header=leave-as-is should be used in all cases.
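The ordering described in the reply above (switch VLAN table first, CPU port included, vlan-mode=secure only afterwards, leave-as-is everywhere on QCA8337/Atheros8327), written out as an added configuration example that is not from the original post or from MikroTik’s documentation. It assumes a single-switch-chip hAP ac² (switch name switch1, CPU port switch1-cpu), ether2 as the trunk, ether3–ether5 as access ports in VLANs 200/300/400 as in the quoted example, bridge1 as the hardware-offloaded bridge, and the 192.168.x.1/24 addresses; all of those names and values are assumptions.

```routeros
# Added example (not from the original post): switch-chip VLAN filtering on a
# QCA8337 device, in the order the reply above recommends. hAP ac2 names and
# the VLAN IDs / addresses are assumed.

# 1. Bridge with hardware-offloaded members. Bridge VLAN filtering stays off
#    because the switch chip does the filtering in this design.
/interface bridge
add name=bridge1 vlan-filtering=no
/interface bridge port
add bridge=bridge1 interface=ether2 hw=yes
add bridge=bridge1 interface=ether3 hw=yes
add bridge=bridge1 interface=ether4 hw=yes
add bridge=bridge1 interface=ether5 hw=yes

# 2. Switch VLAN table FIRST. Each entry lists every port the VLAN ID may
#    appear on, with no tagged/untagged distinction. switch1-cpu stands for
#    the bridge (the CPU port) and must be present for any VLAN the router
#    itself needs to route or be managed on.
/interface ethernet switch vlan
add switch=switch1 vlan-id=200 ports=switch1-cpu,ether2,ether3
add switch=switch1 vlan-id=300 ports=switch1-cpu,ether2,ether4
add switch=switch1 vlan-id=400 ports=switch1-cpu,ether2,ether5

# 3. Only now enable ingress filtering. default-vlan-id is the PVID of each
#    access port; the trunk keeps the default of 0. On QCA8337/Atheros8327
#    vlan-header stays leave-as-is on every port, including the CPU port,
#    and the chip infers access vs trunk from default-vlan-id and the table.
/interface ethernet switch port
set ether2 vlan-mode=secure vlan-header=leave-as-is
set ether3 vlan-mode=secure vlan-header=leave-as-is default-vlan-id=200
set ether4 vlan-mode=secure vlan-header=leave-as-is default-vlan-id=300
set ether5 vlan-mode=secure vlan-header=leave-as-is default-vlan-id=400
set switch1-cpu vlan-mode=secure vlan-header=leave-as-is

# 4. Layer 3: VLAN interfaces sit on the bridge, which is what switch1-cpu
#    delivers the tagged frames to. Addresses are assumed.
/interface vlan
add interface=bridge1 name=vlan200 vlan-id=200
add interface=bridge1 name=vlan300 vlan-id=300
add interface=bridge1 name=vlan400 vlan-id=400
/ip address
add address=192.168.200.1/24 interface=vlan200
add address=192.168.300.1/24 interface=vlan300
add address=192.168.40.1/24 interface=vlan400

# 5. Checks before blaming vlan-header: every bridge port shows the H flag,
#    each VLAN lists switch1-cpu plus the right ports, and no port is in
#    secure mode with a default-vlan-id that is absent from the table.
/interface bridge port print
/interface ethernet switch vlan print
/interface ethernet switch port print
```

If step 3 is applied before step 2, secure mode has no table entry to match ingress frames against and drops them, which looks exactly like the “nothing is passing” symptom described earlier in the thread; the fix is to fill the switch VLAN table (including switch1-cpu) and only then flip vlan-mode to secure.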