PackElend
Member Candidate
Topic Author
Posts: 268
Joined: Tue Sep 29, 2020 6:05 pm

VLAN Filter - how do ingress and egress rules work?

Sun Apr 04, 2021 10:16 pm

Hello,
I read Bridge VLAN Table - RouterOS - MikroTik Documentation and was able to get my VLAN running with 10 intercom devices. Some of them come with VLAN support and the others are integrated doing Port Based VLAN tagging.


Have been reading endless sources about how VLAN is configured and so on but still don't get what happens when. UPDATED ON 12.Apr2021

  1. INgress and Egress at Port, Bridge -> Ports -> Bridge Port -> VLAN PVID (priority tagged not specifically considered):
    1. UNtagged traffic INCOMING:
      1. frame-types=admit all & ingress filtering=off.
        VLAN tagging is added according to PVID, traffic goes in.
      2. frame-types=admit only VLAN tagged all & Ingress Filtering=off
        dropped, because no VLAN tag in traffic
      3. frame-types=admit only untagged and priority tagged & Ingress Filtering=off
        The VLAN tag is added according to the PVID, traffic goes in.
      4. frame-types=any & Ingress Filtering=ON
        The above rules are applied, subsequently, it is checked whether the VLAN ID is stored as a rule in the egress, VLAN filter (see below), means whether this VLAN ID is available on this port. If so, traffic is leaving the bridge otherwise traffic is dropped.
    2. tagged traffic INCOMING:
      1. frame-types=admit all & Ingress Filtering=off
        the VLAN tag is read but not changed, traffic goes in.
      2. frame-types=admit only VLAN tagged all & Ingress Filtering=off
        the VLAN tagging is read but not changed, traffic goes in.
      3. frame-types=admit only untagged and priority tagged & Ingress Filtering=off
        dropped, because VLAN tag is present
      4. frame-types=any & Ingress Filtering=ON
        The above rules are applied, then it is checked whether the VLAN ID is stored as a rule in the egress, VLAN filter (see below), port is allowed. If so, traffic goes in, otherwise dropped (same as in 1.A.iv)
    3. UNtagged traffic OUTGOING (e.g origins from CPU Port/Bridge):
      The VLAN-Tag/ID is added according to the PVID, the traffic leaves the devices
    4. Tagged traffic OUTGOING
      1. VLAN ID and PVID are not identical:
        traffic remains unchanged, the traffic leaves the devices
      2. VLAN ID and PVID are identical:
        the VLAN ID is removed from the traffic, the traffic leaves the devices
  2. egress at the bridge, Bridge -> VLAN -> Bridge VLAN:
    1. Untagged traffic outgoing: traffic dropped. This does not exist because default VLAN1 is assigned if it has no VLAN tag, by the ingress rule above. This results in other implications when I read through Wiki etc., that then becomes too much here (?)
    2. tagged traffic outgoing, VLAN ID is checked:
      1. There is no filter rule for this VLAN ID: traffic dropped
      2. Rule for VLAN ID exists:
        1. Port, where traffic occurs, is listed as Tagged: VLAN ID is not changed
        2. Port, where traffic occurs, is listed as untagged: VLAN ID is removed
        3. Port, where traffic occurs, is not listed: traffic dropped

any help around this mystery will be greatly appreciated
Stefan
Last edited by PackElend on Mon Apr 12, 2021 4:31 pm, edited 2 times in total.
 
anav
Forum Guru
Posts: 18960
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Sun Apr 04, 2021 11:09 pm

The best guide for vlans, is
viewtopic.php?f=23&t=143620
If you are having issues please post your config
/export hide-sensitive file=anynameyouwish

and stop using multiple posts for basically the same questions.
 
PackElend

Mon Apr 05, 2021 2:08 pm

> The best guide for vlans, is
> viewtopic.php?f=23&t=143620

I have read that one before I created this topic.
I'm clear with the first posts, but then the topic broadens, which is good, but you lose the overview.
Ingress and egress are mentioned several times, but there is not a clear and simple overview of what actually happens there.
So any simple confirmation or correction of my bullet point list would be appreciated.

> If you are having issues please post your config
> /export hide-sensitive file=anynameyouwish

not currently, just trying to understand what is happening on the bridge

> and stop using multiple posts for basically the same questions.

IMHO it is not the same question, this refers to ingress and egress rules, the other one refers to what is shown in the GUI, which is something different.
I admit it all goes under the VLAN umbrella but there is so much that simply could be done the same way, but if you are seeking an answer to a very specific detail, it will get easily lost in all the other posts.
I'm hoping I'm giving some delighting to others as well, by keeping things split, as it makes it easier to be found again.

cheers
stefan
 
anav

Mon Apr 05, 2021 2:22 pm

Suggest an overall approach then.............
https://www.youtube.com/watch?v=Wlg5iNU3UvM
 
mkx
Forum Guru
Posts: 11383
Joined: Thu Mar 03, 2016 10:23 pm

Mon Apr 05, 2021 3:45 pm

> I dare to say the setting Bridge -> Ports -> Bridge Port -> VLAN PVID is clear to me. I assume this is the ingress rule:
>   1. Untagged traffic incoming: The VLAN tag is added according to the PVID.
>   2. tagged traffic incoming: the VLAN tag is read but not changed.

Yes, your assumptions are correct. However there's more to it, there are two more ingress settings which affect the way frames are treated on ingress:
  • frame-types ... this sets ingress filter which then (according to settings) drops certain frames. If e.g. frame-types=admit-only-vlan-tagged frames without VLAN tags are dropped.
  • ingress-filtering ... if set, only frames belonging to VLANs set in egress table are allowed on ingress. If this is not set (but frame-types is set as in previous bullet), any tagged frame will be allowed on ingress. If this is set, then only frames with VIDs allowed for egress will pass on ingress.
    N.b. untagged frames are affected by this rule as well, seems like PVID is applied first, ingress filtering is done later.



> But what happens in Bridge -> VLAN -> Bridge VLAN?
> I assume this is the egress rule. Is the following assumption right?
>   1. Untagged traffic outgoing: traffic dropped
>   2. tagged traffic outgoing: VLAN ID is checked:
>     1. There is no filter rule for this VLAN ID: traffic dropped
>     2. Rule exists:
>       1. Port is listed as Tagged: VLAN ID is not changed
>       2. Port is listed as untagged: VLAN ID is removed
>       3. Port is not listed: traffic dropped

It is not exactly clear whether any untagged frame is actually passing bridge when vlan-filtering=yes, I like to think only tagged frames live on bridge (and here the implicit MT default of PVID=1 on all bridge ports kicks in). So rule #1 doesn't apply at all.
The rest seems quite right to me.
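
The ingress and egress checks from the reply above, written out as a small Python model. This is an added example, not RouterOS code and not from any poster; the `Port` class, the function names, the port names and the VLAN table are assumptions made for illustration, and the table lists untagged members explicitly rather than deriving them from PVID.

```python
# Added illustration, not RouterOS code: a toy model of the bridge VLAN
# filtering decisions discussed in this thread. Port names and the VLAN
# table below are constructed sample data.
from dataclasses import dataclass

@dataclass
class Port:
    name: str
    pvid: int = 1                      # hidden default PVID=1, as noted in the thread
    frame_types: str = "admit-all"
    ingress_filtering: bool = False

# Bridge -> VLANs table: VLAN ID -> ports listed as tagged / untagged
VLAN_TABLE = {
    100: {"tagged": {"trunk"}, "untagged": {"intercom"}},
    200: {"tagged": {"trunk"}, "untagged": set()},
}

def egress(port, vid, table=VLAN_TABLE):
    """How a frame with this VID leaves the port: 'tagged', 'untagged' or 'drop'."""
    entry = table.get(vid)
    if entry is None:
        return "drop"                  # no rule for this VLAN ID
    if port.name in entry["tagged"]:
        return "tagged"                # VLAN ID is not changed
    if port.name in entry["untagged"]:
        return "untagged"              # VLAN ID is removed
    return "drop"                      # port not listed for this VLAN

def ingress(port, vid, table=VLAN_TABLE):
    """vid=None is an untagged frame. Returns the VID the frame carries
    inside the bridge, or None if it is dropped on ingress."""
    tagged = vid is not None
    if port.frame_types == "admit-only-vlan-tagged" and not tagged:
        return None
    if port.frame_types == "admit-only-untagged-and-priority-tagged" and tagged:
        return None
    if not tagged:
        vid = port.pvid                # PVID is applied before ingress filtering
    if port.ingress_filtering and egress(port, vid, table) == "drop":
        return None                    # port is not a member of this VLAN
    return vid

def forward(in_port, vid, out_port, table=VLAN_TABLE):
    """Ingress check on in_port followed by egress check on out_port."""
    inner = ingress(in_port, vid, table)
    return "drop" if inner is None else egress(out_port, inner, table)
```

In this model, a port with ingress filtering off accepts a tagged frame for a VLAN that has no table entry, and the frame is only discarded at the egress check; with ingress filtering on it is dropped at the port it arrived on.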
 
anav

Mon Apr 05, 2021 5:29 pm

So you mean this is correct.......
https://networkdirection.net/articles/n ... tivevlans/
https://networkengineering.stackexchang ... ans-tagged
http://www.firewall.cx/networking-topic ... gging.html
and of course, the version I can understand
https://www.dummies.com/programming/net ... lans-work/

If you have a problem with your config
/export hide-sensitive file=anynameyouwish.

Vlan tagging courses is another forum.
 
mkx

Mon Apr 05, 2021 6:16 pm

What beats me is that in Cisco world there are two names for frames without 802.1q headers: untagged VLANs and native VLANs. I'm not fluent in ciscoish so I guess that there can only be single native VLAN per switch/stack/CDP domain while every untagged VLAN port can belong to different VLAN. To me concept of native VLAN (as opposed to hybrid ports in MT world) is total nonsense.
 
tdw
Forum Guru
Posts: 1841
Joined: Sat May 05, 2018 11:55 am

Mon Apr 05, 2021 7:31 pm

I tend to avoid Cisco stuff, my understanding (which may be incorrect) for their interfaces is:

Access ports are untagged.
Trunk ports with no native VLAN are tagged only.
Trunk ports with a native VLAN are hybrid, you can have differing native VLANs on different interfaces.

Both Cisco and Mikrotik VLAN configuration and naming schemes are confusing compared to those used by HP....
 
 
PackElend

Tue Apr 06, 2021 4:55 pm

> Yes, your assumptions are correct. However there's more to it, there are two more ingress settings which affect the way frames are treated on ingress
> ...
> The rest seems quite right to me.

thx a lot, I updated the OP accordingly.
I was so focused on my VLAN100 that I forgot the other possible settings.
 
PackElend

Mon Apr 12, 2021 4:24 pm

looks like that I need to update my OP once again.
Recently I have learned that PVID acts on outgoing and incoming traffic, which means this will be added as rules:
  1. UNtagged traffic EGRESS (e.g origins from CPU Port/Bridge):
    The VLAN-Tag/ID is added according to the PVID, the traffic leaves the devices
  2. Tagged traffic EGRESS
    1. VLAN ID and PVID are not identical:
      traffic remains unchanged, the traffic leaves the devices
    2. VLAN ID and PVID are identical:
      the VLAN ID is removed from the traffic, the traffic leaves the devices
This is probably the same as mentioned in Post 2 of Bridge VLAN Filter : not possible to use tagged traffic with VLAN ID = 1 - MikroTik but now as a structured rule-set

Do you confirm guys?
 
mkx

Mon Apr 12, 2021 4:31 pm

> looks like that I need to update my OP once again.

Not really. What you're missing is that bridge has two or three personalities (depends how you count). When you consider those personalities separately, you don't have to change your explanation.
This topic explains bridge and its personalities nicely.
 
PackElend

Mon Apr 12, 2021 4:41 pm

> Not really.

but it does not tell you that the PVID setting is acting on ingress and egress. This caused, at least to me, some confusion due to how WinBox shows tagged/untagged in the Bridge VLAN overview, as described here Why is there "Current Tag" & "Current Untagged" in each VLAN.
At least that solved my mystery (still need to post that in the other topic).
As a beginner, I would love to see this mentioned somewhere. I'm open to suggestions on how to structure the rule-set otherwise :).

p.s. reading now through RouterOS bridge mysteries explained, which hopefully clarifies some questions raised in Bridge VLAN Filter : not possible to use tagged traffic with VLAN ID = 1 - MikroTik and helps me to get my Management VLAN eventually running
 
mkx

Mon Apr 12, 2021 4:49 pm

> > Not really.
>
> but it does not tell you that the PVID setting is acting on ingress and egress.

IMO you already covered this case under 2.B.ii.b ... because when bridge interface has PVID set (and it always has it set, if not other the hidden default PVID=1), again all frames pass bridge the switch like entity tagged. As soon as frame enters bridge (the switch-like ...), it doesn't matter through which port it entered (apart from the rule that frame never egresses the same port it ingressed, but that doesn't relate to VLANs specifically).
Setting PVID on bridge port adds that port as untagged to the egress list of VLANs. Which means PVID itself doesn't affect egress behaviour.
 
PackElend

Mon Apr 12, 2021 4:56 pm

> > > Not really.
> >
> > but it does not tell you that the PVID setting is acting on ingress and egress.
>
> IMO you already covered this case under 2.B.ii.b ...

ok got it but I said Bridge -> VLAN -> Bridge VLAN by splitting in 1. ... Bridge -> Ports -> Bridge Port -> VLAN PVID and 2. Bridge -> VLAN -> Bridge VLAN tells a novice that both settings have an influence how things are shown in the GUI.
This cost me a lot of headaches.
I will try to have your words added to the OP (but don't know yet how).
 
mkx

Mon Apr 12, 2021 5:07 pm

I can only agree that bridge in MT world is a mess because it's not explicitly clear which settings are about bridge (the switch-like stuff) and which settings are about bridge (the interface). It's confusing and hence the article by @sindy (it took some time for all of us to find out all of the dark corners).

But then, if you explicitly consider bridge as a port, and think of settings related to it the same way as settings related to other member ports, then you don't need any more explanations other than those already present in your OP.
 
PackElend

Wed Apr 14, 2021 10:55 pm

@mkx thx for being that patient with me and not giving up hope :)

I will try to answer the other topic within the next couple of days before I go for the complete overview/VLAN-design of my entire network
