I have a problem with the mentioned Switch. My scenario is as follows:
1Gbit Uplink Port is "combo1"
The switch is connected via "combo1" to a router running a PPPoE server. For this I'm using vlan number 266, with tagged traffic between the pppoeserver and the switch-uplink.
the normal sfp ports are in the vlan group 266 but untagged. These are customers' edge ports.
the uplink port is also part of vlan group 1337 for management.
Some of the customer ports are in their own vlan group 5xx. Those customers don't use pppoe but static routing....
This configuration works except for the filter... I want to always allow arp, and in the vlan group 266 only pppoe in addition. The 5xx vlan groups should be allowed to use IP and no pppoe. All other frame types have to be dropped! But the packet/byte counters stay either "0" or they show strange values (negative value for packets or billions of GB for Bytes)
So here is an export of the bridge configuration:
# One bridge for all ports, with 802.1Q VLAN filtering enabled and spanning tree
# switched off (protocol-mode=none).
/interface bridge
add name=bridge_local protocol-mode=none vlan-filtering=yes
# Layer-2 filter policy. Rules are evaluated in order within each chain and the
# three drop rules at the end make every chain default-deny, so rule order matters.
# NOTE(review): on switch-chip devices, frames forwarded between hardware-offloaded
# bridge ports are switched in hardware and do not pass through bridge filter.
# No port below sets hw=no, so the forward rules may never see customer traffic,
# which would fit the "counters stay 0" symptom. Check for the H flag in
# "/interface bridge port print" before relying on this policy as a security control.
/interface bridge filter
# ARP is accepted in all three chains.
# NOTE(review): mac-protocol presumably matches the outer EtherType, so ARP carried
# inside an 802.1Q tag may need mac-protocol=vlan vlan-encap=arp instead - verify.
add action=accept chain=forward mac-protocol=arp
add action=accept chain=input mac-protocol=arp
add action=accept chain=output mac-protocol=arp
# VLAN 266 (PPPoE customers): only PPPoE discovery and PPPoE session frames are accepted.
# These rules match 802.1Q-tagged frames only; whether a frame that entered untagged
# on an access port already carries the tag when the filter runs should be confirmed.
add action=accept chain=forward mac-protocol=vlan vlan-encap=pppoe-discovery vlan-id=266
add action=accept chain=forward mac-protocol=vlan vlan-encap=pppoe vlan-id=266
add action=accept chain=output mac-protocol=vlan vlan-encap=pppoe-discovery vlan-id=266
add action=accept chain=output mac-protocol=vlan vlan-encap=pppoe vlan-id=266
add action=accept chain=input mac-protocol=vlan vlan-encap=pppoe-discovery vlan-id=266
add action=accept chain=input mac-protocol=vlan vlan-encap=pppoe vlan-id=266
# VLANs 558/504/503/501 (static customers): only IPv4 (vlan-encap=ip) is accepted,
# so IPv6 and every other EtherType in these VLANs falls through to the drop rules.
# log=yes on the 558 forward accept logs each matching frame; presumably a debugging leftover.
add action=accept chain=forward log=yes mac-protocol=vlan vlan-encap=ip vlan-id=558
add action=accept chain=output mac-protocol=vlan vlan-encap=ip vlan-id=558
add action=accept chain=input mac-protocol=vlan vlan-encap=ip vlan-id=558
add action=accept chain=forward mac-protocol=vlan vlan-encap=ip vlan-id=504
add action=accept chain=input mac-protocol=vlan vlan-encap=ip vlan-id=504
add action=accept chain=output mac-protocol=vlan vlan-encap=ip vlan-id=504
add action=accept chain=forward mac-protocol=vlan vlan-encap=ip vlan-id=503
add action=accept chain=output mac-protocol=vlan vlan-encap=ip vlan-id=503
add action=accept chain=input mac-protocol=vlan vlan-encap=ip vlan-id=503
add action=accept chain=forward mac-protocol=vlan vlan-encap=ip vlan-id=501
add action=accept chain=output mac-protocol=vlan vlan-encap=ip vlan-id=501
add action=accept chain=input mac-protocol=vlan vlan-encap=ip vlan-id=501
# VLAN 1337 (management): any encapsulated protocol is accepted, but in the forward
# chain only. There is no input/output rule for 1337, so tagged management frames
# addressed to or sent by the switch itself would hit the drop rules below.
add action=accept chain=forward mac-protocol=vlan vlan-id=1337
# Default deny. Input and output drops are logged; the forward drop is not, so
# dropped customer frames leave no log trace.
add action=drop chain=input log=yes
add action=drop chain=forward
add action=drop chain=output log=yes
/interface bridge port
# Customer access ports: only untagged/priority-tagged frames are admitted, ingress
# filtering is on, and the pvid assigns the VLAN (266 = PPPoE, 5xx = static customer).
# NOTE(review): all pvid=266 ports share one L2 domain, so customer-to-customer frames
# are held back only by the filter rules above; if those are bypassed by hardware
# offloading, consider port isolation between customer ports.
add bridge=bridge_local frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=sfp1 pvid=266
add bridge=bridge_local frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=sfp2 pvid=266
add bridge=bridge_local frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=sfp3 pvid=266
add bridge=bridge_local frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=sfp4 pvid=266
add bridge=bridge_local frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=sfp5 pvid=266
add bridge=bridge_local frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=sfp6 pvid=266
add bridge=bridge_local frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=sfp7 pvid=558
add bridge=bridge_local frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=sfp8 pvid=504
add bridge=bridge_local frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=sfp9 pvid=266
add bridge=bridge_local frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=sfp10 pvid=266
add bridge=bridge_local frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=sfp11 pvid=503
add bridge=bridge_local frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=sfp12 pvid=501
add bridge=bridge_local frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=sfp13 pvid=266
add bridge=bridge_local frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=sfp14 pvid=266
add bridge=bridge_local frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=sfp15 pvid=266
add bridge=bridge_local frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=sfp16 pvid=266
add bridge=bridge_local frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=sfp17 pvid=266
add bridge=bridge_local frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=sfp18 pvid=266
add bridge=bridge_local frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=sfp19 pvid=266
add bridge=bridge_local frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=sfp20 pvid=266
# Uplink/trunk ports. Neither sets frame-types or ingress-filtering, so the defaults
# apply. combo1 has pvid=266, so an untagged frame arriving on the uplink is
# classified into the customer VLAN 266.
# NOTE(review): if the uplinks are meant to carry tagged traffic only, consider
# frame-types=admit-only-vlan-tagged ingress-filtering=yes on both.
add bridge=bridge_local interface=combo1 pvid=266
add bridge=bridge_local interface=sfp-sfpplus1
# VLAN membership table: both uplinks are tagged members of every VLAN; each
# customer port is an untagged member of exactly one VLAN.
# NOTE(review): bridge_local itself is not listed as a tagged member of 1337, so the
# switch's own CPU is presumably not reachable in the management VLAN through this
# table - confirm how management access is intended to work.
/interface bridge vlan
add bridge=bridge_local comment=CA tagged=sfp-sfpplus1,combo1 untagged=sfp1,sfp2,sfp3,sfp4,sfp5,sfp6,sfp9,sfp10,sfp13,sfp14,sfp15,sfp16,sfp17,sfp18,sfp19,sfp20 vlan-ids=266
add bridge=bridge_local comment=MGMT tagged=sfp-sfpplus1,combo1 vlan-ids=1337
add bridge=bridge_local comment="cStatic xxxxxxx" tagged=combo1,sfp-sfpplus1 untagged=sfp7 vlan-ids=558
add bridge=bridge_local comment="cStatic xxxxxxx" tagged=combo1,sfp-sfpplus1 untagged=sfp8 vlan-ids=504
add bridge=bridge_local comment="cStatic xxxxxxx" tagged=combo1,sfp-sfpplus1 untagged=sfp11 vlan-ids=503
add bridge=bridge_local comment="cStatic xxxxxxx" tagged=sfp-sfpplus1,combo1 untagged=sfp12 vlan-ids=501
Michael