Hello,
I have a very simple setup but cannot get it to work.
So, a CRS309 with 3 ports used in a single bridge with vlan filtering
sfp1 is a trunk port for vlans 10 and 20
sfp2 gets traffic passed through to a router where vlan 10 is configured
sfp3 is an access port for vlan 20
No. For ingress it’s enough as long as you don’t have ingress-filtering=yes set. But for egress, you have to properly populate the /interface bridge vlan configuration subtree.
Alas, the PVID stuff won’t work until you set vlan-filtering=yes on bridge. And you might lose management access to CRS … bridge interface is not set to be member of any of mentioned VLANs …
So in short: the VLAN setup is very much incomplete. This tutorial explains VLANs nicely, you should read it and understand it. This thread explains different personalities of bridge in ROS.
I just want to pass vlan 10 to the router and the port with vlan 20 to make it as access port for a server in a single bridge.
Cannot get the bridge on the switch to pass traffic when I enable vlan filtering.
Only considering 3 SFP+ ports and according to your initial post, this would be minimum L2 config:
/interface bridge
add name=bridge vlan-filtering=yes
/interface bridge port
# sfp1: trunk port (tagged VLAN 10 and 20)
add bridge=bridge interface=sfp1
# sfp2: tagged port towards router (VLAN 10)
add bridge=bridge interface=sfp2
# sfp3: access port towards server (untagged VLAN 20)
add bridge=bridge interface=sfp3 pvid=20
/interface bridge vlan
add bridge=bridge tagged=sfp1,sfp2 vlan-ids=10
add bridge=bridge tagged=sfp1 untagged=sfp3 vlan-ids=20
# for security reasons it's wise to apply the following, for basic functioning that's not necessary
# (ingress-filtering and frame-types are bridge port properties, so this is set under /interface bridge port)
/interface bridge port
set [ find interface=sfp1 ] ingress-filtering=yes frame-types=admit-only-vlan-tagged
set [ find interface=sfp2 ] ingress-filtering=yes frame-types=admit-only-vlan-tagged
set [ find interface=sfp3 ] ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
Beware that the above configuration snippet (if it would be only configuration applied) would very likely block management access to switch via involved sfp ports. Management access via the RJ45 port, at least WinBox MAC connections, should be fine though.
There are a few differences between this config and yours (shown in original post). One is explicit configuration of VLAN 10 on appropriate ports. The thing is that without ingress-filtering=yes switch will accept frames tagged with any VLAN ID on ingress. But on egress it will always filter according to port VLAN membership. And your original configuration nowhere mentions VID 10, which means that switch will accept VLAN 10 frames but won’t deliver any of them through any of ports.
It is possible to make wildcard configuration (like /interface bridge vlan add bridge=bridge tagged=sfp1,sfp2 vlan-ids=2-19,21-4094), but it’s not really recommended, things are likely to break if you’d want to specifically configure another VID (in similar manner to how VID 20 is now). Namely it is not possible to have multiple lines touching same VID, neither explicitly nor in range.
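As an added illustration (not part of the thread and not RouterOS code), a small Python model of the bridge behaviour the reply describes: without ingress-filtering any VID is accepted on ingress, egress always follows /interface bridge vlan membership, and a VID may appear in only one entry. The port names, the "original-like" config that has no VID 10 entry, and the hardened variant are constructed from the thread's description.

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    pvid: int = 1
    ingress_filtering: bool = False
    frame_types: str = "admit-all"

@dataclass
class Bridge:
    ports: dict = field(default_factory=dict)
    tagged: dict = field(default_factory=dict)    # vid -> {port names}
    untagged: dict = field(default_factory=dict)  # vid -> {port names}

    def add_vlan(self, vid, tagged=(), untagged=()):
        # RouterOS accepts only one /interface bridge vlan entry per VID
        if vid in self.tagged:
            raise ValueError(f"VID {vid} already configured")
        self.tagged[vid], self.untagged[vid] = set(tagged), set(untagged)

    def members(self, vid):
        return self.tagged.get(vid, set()) | self.untagged.get(vid, set())

    def forward(self, in_port, vid=None):
        """Egress {port: 'tagged'|'untagged'} for a frame entering in_port;
        vid=None is an untagged frame, classified to the port's PVID."""
        p = self.ports[in_port]
        if vid is None:
            if p.frame_types == "admit-only-vlan-tagged":
                return {}
            vid = p.pvid
        elif p.frame_types == "admit-only-untagged-and-priority-tagged":
            return {}
        # without ingress-filtering any VID is accepted on ingress ...
        if p.ingress_filtering and in_port not in self.members(vid):
            return {}
        # ... but egress always follows /interface bridge vlan membership
        return {o: ("untagged" if o in self.untagged[vid] else "tagged")
                for o in self.members(vid) - {in_port}}

def build(vlan10_configured=True, hardened=False):
    """Constructed model of the three-port CRS309 setup from the thread."""
    br = Bridge(ports={"sfp1": Port(), "sfp2": Port(), "sfp3": Port(pvid=20)})
    if vlan10_configured:  # the original post had no VID 10 entry at all
        br.add_vlan(10, tagged={"sfp1", "sfp2"})
    br.add_vlan(20, tagged={"sfp1"}, untagged={"sfp3"})
    if hardened:  # the optional ingress-filtering / frame-types lines
        for n, ft in (("sfp1", "admit-only-vlan-tagged"), ("sfp2", "admit-only-vlan-tagged"),
                      ("sfp3", "admit-only-untagged-and-priority-tagged")):
            br.ports[n].ingress_filtering, br.ports[n].frame_types = True, ft
    return br
```

`build(vlan10_configured=False).forward("sfp1", 10)` returns an empty dict, which is the "accepted but never delivered" case; with the VID 10 entry present the same frame egresses tagged on sfp2.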