
 
solelunauno
Member Candidate
Topic Author
Posts: 109
Joined: Mon Jul 16, 2012 7:00 pm
Location: Roseto Capo Spulico CS Italy

vlan on a bridge in a bridge

Mon Jun 24, 2019 5:11 pm

Dear forum members, I finally decided to write here about the difficult and huge problem of vlan and bridge in RouterOS.
Yes, a thing that I thought (for years) that was a simple topic, and instead now I'm getting crazy with it.
This is the beginning of my headache: https://wiki.mikrotik.com/wiki/Manual:L ... n_a_bridge .
This page, which believes it teaches us what to do and what not to do with vlans and bridges, indeed converts a simple topic into a complete mess.
Let's talk about this mess.
Suppose you have a device, for example an RB1100, to manage a network.
You have some very different services on this network, and you want to keep well separated those services.
For example you have a surveillance network with some remote cameras and one (or two... and so the problem arises...) NVR;
You have a hotspot network with a hotspot server (suppose an RB750Gr3 for example) and some remote hotspot access points;
You have some pppoe clients here and there;
You have a Lan network in the office;
You have a voip network with a dedicated vlan;
And so on, any other service your customer needs.
So, if you need the hotspot service only over a single ethernet port, there isn't any problem: you put a vlan on that interface (suppose vlan-id=10 on ether3),
and you put that vlan on the hotspot bridge; all done.
And if you also want to distribute voip over the same ethernet port? Same thing, you put a vlan on that interface (suppose vlan-id=15 on ether3),
and you put that vlan on the voip bridge; all done.
But, and if you want also the hotspot service on another interface (for example ether4)?
The problem arises...
Because according to "Layer2 misconfiguration" you can't make a bridge of ether3 and ether4 and simply put over it a vlan used as a port of the hotspot bridge.
And, going on, if you want hotspot service also on an access port (suppose ether5) because there is a consumer access point unable to use vlan tagging?
The same: you violate "Layer2 misconfiguration" with a "VLAN in bridge with a physical interface".
And if you have a vpls interface (for example vpls1) and you also want to distribute voip over it?
Same thing, you can't simply add vpls1 at the same bridge previously composed by ether3 and ether4, because it is still a violation of "VLAN on a bridge in a bridge"!
So, according to https://wiki.mikrotik.com/wiki/Manual:L ... n_a_bridge , anything you will do with your RB1100, you have
to use always one single big bridge and work with "bridge vlan tagging", because if you make two bridges, they can't share anything that is layer 2!
If you have two bridges, you only can route something between them (layer 3), and no layer 2 communication of any kind!
If you make a configuration over your customer's RB1100 and you planned to use one port for a service, you cannot simply decide later to extend this service
to another port, without restarting everything and making this big bridge with bridge vlan filtering enabled!
Eventually you could add another device to act simply as a switch... so you have a good 13 port RB1100 (capable of sniffing and helping in technical support...)
and you need another external switch only to extend your services on other ports...
And what about hardware offloading?
Returning to the bridge with ether3 and ether4 with voip and hotspot vlans on it: your customer could ask you that he wants wire speed between ether3 and ether4,
independently from the hotspot and voip speed...
So, with the "VLAN on a bridge in a bridge" you have at least hardware offloading on the bridge with ether3 and ether4.
If you make the big bridge with all interfaces on it and bridge vlan filter, you simply lose hardware offload completely!
So, isn't this a mess? What do you think about it?
SL1 Systems srl MTCNA MTCRE
 
mkx
Forum Guru
Posts: 3184
Joined: Thu Mar 03, 2016 10:23 pm

Re: vlan on a bridge in a bridge

Mon Jun 24, 2019 5:45 pm

My thought about it: bridge on bridge on vlan on whatever is a mess while single bridge with vlan filtering is simple and beautiful.

It is a pity, though, that "single bridge" stuff is not HW offloaded on the majority of devices (RB1100 included).

The last time I checked the old way of using gazzillion of bridges with vlan configured on switch chip was still available in ROS 6.44 ... at this time only documentation tries to persuade device admins to switch over to new single bridge concept.
BR,
Metod
 
solelunauno
Member Candidate
Topic Author
Posts: 109
Joined: Mon Jul 16, 2012 7:00 pm
Location: Roseto Capo Spulico CS Italy

Re: vlan on a bridge in a bridge

Mon Jun 24, 2019 6:59 pm

The last time I checked the old way of using gazzillion of bridges with vlan configured on switch chip was still available in ROS 6.44 ... at this time only documentation tries to persuade device admins to switch over to new single bridge concept.
Could you explain what you mean?
Do you know that with the "gazzillion of bridges" you can always reach a device using mac telnet from a near (layer 2) other device?
Do you know that if you make a mistake with bridge vlan filtering (don't put vlan-id 1 in the correct places), you need a hardware reset or a serial cable?
Do you know that you could make an eoip or a vpls and put it on the bridge you want in seconds without risk of mistake, to put your computer in a layer2 remote network?
Do you know how many steps are needed to make the same thing with bridge vlan filtering (and if you make a mistake...)?
And, at the end, do you know a way to use RB2011 as a managed switch with hardware offload (at least) between the first 5 gigabit ports with the "bridge vlan filtering" method, instead of using the "VLAN on a bridge in a bridge" (which achieves the goal...)?
SL1 Systems srl MTCNA MTCRE
 
mkx
Forum Guru
Posts: 3184
Joined: Thu Mar 03, 2016 10:23 pm

Re: vlan on a bridge in a bridge

Mon Jun 24, 2019 10:29 pm

I'm sure you, with all of those MTCertifications, know all of that. And I have my own opinion (and you won't believe this: mostly I agree with my own opinions) which I wrote in my previous post.
Sure, you can do many things with cascaded bridges, but that kind of config is not readable/understandable by anyone who's not into cascaded bridges as you might be. On the other hand, configuration with VLANs on single bridge is plain & straight. And I'm pretty sure it's possible to lock oneself out of the device when config is not right whichever way of configuration is done.
BR,
Metod
 
solelunauno
Member Candidate
Topic Author
Posts: 109
Joined: Mon Jul 16, 2012 7:00 pm
Location: Roseto Capo Spulico CS Italy

Re: vlan on a bridge in a bridge

Tue Jun 25, 2019 10:59 am

I'm sure you, with all of those MTCertifications, know all of that. And I have my own opinion (and you won't believe this: mostly I agree with my own opinions) which I wrote in my previous post.
Sure, you can do many things with cascaded bridges, but that kind of config is not readable/understandable by anyone who's not into cascaded bridges as you might be. On the other hand, configuration with VLANs on single bridge is plain & straight. And I'm pretty sure it's possible to lock oneself out of the device when config is not right whichever way of configuration is done.
You are wrong. I don't know a way to use RB2011 as a managed switch. I tried with switch menu because with bridge vlan filtering I lose hardware offload. I don't understand how to manage vlans in a device with two separate switch chips and bridge vlan filtering: if you manage vlans with switch chips, you have two separate switches, and if you manage vlans with bridge vlan, you don't have hardware offload even in the same switch (5 ports); so, what to do? Do we need a CRS326-24G also for 6-7 ports?
SL1 Systems srl MTCNA MTCRE
 
mkx
Forum Guru
Posts: 3184
Joined: Thu Mar 03, 2016 10:23 pm

Re: vlan on a bridge in a bridge

Tue Jun 25, 2019 1:58 pm

If you use switch-chip config for VLANs then you only use bridge as a dumb switch without any fancy config. If there are other interfaces members of such bridge, you have to use other means of enforcing proper VLAN ID. E.g. wlan interfaces have vlan-mode=... vlan-id=... settings. For other interfaces (e.g. PtP interfaces) you might indeed have to revert to "bridge over vlan over bridge" concept (as ugly as it may be) ... Personally I prefer to have remote locations separated in distinct L3 subnets and have routing between them, so no need to play with VLANs over PtP interfaces.


BTW, I locked myself out of device while configuring VLANs on switch chip far more often than I locked myself out while configuring VLANs on bridge. I guess difference in amount of experience gained between the two periods of time contributed to that as well ...
BR,
Metod
 
solelunauno
Member Candidate
Topic Author
Posts: 109
Joined: Mon Jul 16, 2012 7:00 pm
Location: Roseto Capo Spulico CS Italy

Re: vlan on a bridge in a bridge

Tue Jun 25, 2019 4:30 pm

Ok, I understand that L3 is better than L2. But if you make wired networks for hotels and other enterprises, you have to play with vlans.
This is because enterprises use various kinds of software and services that need (generally) layer 2 connection, as if they were all in the same office.
For this reason there are "managed switches" and vlans: if we could always use layer 3 (also between single computers and printers in different rooms of the same enterprise), managed switches would not exist, would they?
And, going on, some of those layer 2 applications expect wire speed, for example gigabit, that would need high CPU routers here and there to use layer 3!
So, as it's impractical to use CCRs here and there in an enterprise network, we need something more reliable to transport different services (phone, computer, wifi for employees, wifi for guests, home automation vlan, etc) using one single pair of fibers or one single copper cat5 wire between locations.
And, as I like Mikrotik routeros (at least before the mess of bridge vlan filtering and switch chip vlans all different from device to device...), I would use Mikrotik devices to deploy enterprise networks.
So I used lots of CRS326 and CRS328 (which have a decent layer 2 hardware offload programming interface...), but I also need something suitable for small locations here and there (for example a swimming pool technical room with automation controls, a bar with cash, phone and printer, one or more offices, a star center to connect 3-4 fibers, etc) where only 3-7 ports for each place are needed.
And for this application I thought of RB750GR3, RB2011 and CRS112...
Do you know what a mess layer 2 configuration is over those 3 Mikrotik devices?
I managed to configure switch vlans correctly on the RB750Gr3, I approximately managed the same configuration on RB2011 (but there are still issues, because for example the management of Routeros is possible from a trunk port on the first switch, but not from a trunk port on the second switch, although forwarded traffic between the two passes), and I completely lost my hopes on the CRS112!
So, I understand that you, mkx, love "bridge vlan filtering" (I don't!), but you at least will agree with me that this heterogeneity of configuring vlans from device to device is a disaster, won't you?
SL1 Systems srl MTCNA MTCRE
 
mkx
Forum Guru
Posts: 3184
Joined: Thu Mar 03, 2016 10:23 pm

Re: vlan on a bridge in a bridge

Tue Jun 25, 2019 5:20 pm

I nowhere said L3 should be used everywhere, I said I prefer L3 for PtP links and by those I was talking about WAN links (tunnelled connections, such as VPN). If there's available a proper connection (e.g. a dark fibre or metro ethernet or ...), then sure it's fine to use L2 setup.
I managed to configure switch vlans correctly on the RB750Gr3,...
Good for you. According to specifications RB750Gr3 doesn't have any VLAN capabilities whatsoever, everything remotely connected to VLAN needs to pass CPU.
So, I understand that you, mkx, love "bridge vlan filtering" (I not!), but you at least will agree with me that this heterogeneity of configuring vlans from device to device is a disaster, don't you?
On the contrary, the bridge vlan filtering brings a uniform way of configuring various bridge functions (VLANs included) on all ROS devices. So if you actually dug into it, you'd see that the nightmare ended a year or two ago.

I'll write it again: unfortunately this configuration beauty and simplicity comes with a performance hit: on most devices all traffic has to pass the device's CPU (except for CRS3xx which has things HW offloaded, and most CCRs which don't have switch chips and traffic passes CPU anyway). On newer devices with a small number of ether ports things are not too bad (CPUs are powerful enough to do wire-speed switching), older devices with a larger number of ports (such as 2011) are hit hard.
Switches, such as CRS1xx and CRS2xx, should be configured to use hardware, and the bridge-on-bridge-on... concept is overkill for those anyway.


Anyway, I'd like to see one concrete example where you can't get around without using bridge-on-bridge-on...
BR,
Metod
 
solelunauno
Member Candidate
Topic Author
Posts: 109
Joined: Mon Jul 16, 2012 7:00 pm
Location: Roseto Capo Spulico CS Italy

Re: vlan on a bridge in a bridge

Tue Jun 25, 2019 7:08 pm

First, you're right about the RB750Gr3. It's a RB750G (the old version...) , so I got confused when writing, I'm sorry.
You asked for a real example.
Well, all this story has begun trying to configure a CRS112 as a switch and not with the bridges as I usually do.
This is because CRS112 has a very slow MIPSBE cpu, and its capability of bridging traffic through CPU is very poor.
For example a RB750G (the device I'm using for tests, old RB750G with switch chip, tested also with cpu bridge) is capable of handling about 400Mbps of UDP (1500 size packets), whereas CRS112 only 200Mbps and the cpu goes to 100%.
I already have a CRS112 in production, as a 4 fiber trunk node with some ethernet trunks and also some access ports used by ip phone networks and home automation (different vlans).
So, to make CRS112 handle 1Gbps among the trunk ports, it's configured simply as a master bridge with the trunk ports (hardware offload on), vlan on this master bridge, and some other bridges that handle the single vlans with their access ports.
This configuration works because cpu handles only the phone and automation networks, that are slow devices, and the trunk traffic (which contains office computer traffic and 100 and more IP cameras on their specific vlans not needed as access ports on this node) passes through switch chip.
But the CPU is however too slow and often goes to 100%, so I was interested in moving towards a better configuration as a managed switch.
After this, I discovered (in another site, other customer, etc) the big problem known as "Traffic is flooded to all ports", that affects the master trunk bridge with vlans over it.
This problem strangely affects only the master bridges that don't have hardware offload active (I don't know why), so I hadn't noticed it so often, because usually I try to configure the master bridge in a way to use hardware offload.
So, sum the two situations which I described, and you can realize why I'm looking to find a more reliable configuration, although I'm very worried about migrating all my personal ISP network (all mikrotik) from bridges configuration to bridge vlan filtering or switch chip vlan configuration.
Add that recently I made a hotel network with about 80 CRS326/328 interconnected by fibers, and I always used bridge vlan filtering as it is the correct way to configure managed switches CRS3XX; but, in this structure, when I used some small devices (RB750Gr2 and also RB750Gr3, to reach technical rooms, bars, cash and offices detached and far from the nearest CRS326), I used the usual "bridges of vlans" method because "bridge vlan filtering" isn't capable of hardware offload (on those devices) even among the two trunk ports used to cascade the trunk network towards another location...
SL1 Systems srl MTCNA MTCRE
 
anav
Forum Guru
Posts: 3114
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: vlan on a bridge in a bridge

Tue Jun 25, 2019 8:33 pm

Good day.
Why be frustrated, you have access to the most amazing cheap but high quality vino, delicious coffee etc..
Let MT wait and enjoy life!
While sipping either liquid, I suggest you read this most excellent reference on setting up vlans.........
viewtopic.php?f=13&t=143620

Concur the MT wiki's often leave one grasping at straws but probably in response to the above thread they did improve this ref...
https://wiki.mikrotik.com/wiki/Manual:I ... _Filtering
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
mkx
Forum Guru
Posts: 3184
Joined: Thu Mar 03, 2016 10:23 pm

Re: vlan on a bridge in a bridge

Tue Jun 25, 2019 11:46 pm

I already have a CRS112 in production, as a 4 fiber trunk node with some ethernet trunks and also some access ports used by ip phone networks and home automation (different vlans).
So, to make CRS112 handle 1Gbps among the trunk ports, it's configured simply as a master bridge with the trunk ports (hardware offload on), vlan on this master bridge, and some other bridges that handle the single vlans with their access ports.
This configuration works because cpu handles only the phone and automation networks, that are slow devices, and the trunk traffic (which contains office computer traffic and 100 and more IP cameras on their specific vlans not needed as access ports on this node) passes through switch chip.
But the CPU is however too slow and often goes to 100%, so I was interested in moving towards a better configuration as a managed switch.
You didn't give a very concrete example, but anyways: CRS (both 1xx and 2xx) should be capable of doing what you described in hardware, VLANs configured through /interface ethernet switch. This way, all VLANs (tagged or "native") can be switched wire-speed, none of the packets are actually dealt with by CPU.
Some scenarios, such as switch segmentation, call for innovative use of VLANs, but can allow full hardware offload of all needed functions.

I guess that frame leakage can happen but if device is configured properly it shouldn't happen. Indeed bridge is not VLAN-aware and will emit certain frames to all of its member ports. If those ports are properly configured for both ingress and egress filtering (it is possible to misconfigure this part or to omit some filtering settings and things still seemingly work), the probability of some frame escaping through the wrong port is small. There are some switch chip types that don't observe settings "to the point", so some weird things can happen on devices equipped with those switch chips.


So, sum the two situations which I described, and you can realize why I'm looking to find a more reliable configuration, although I'm very worried about migrating all my personal ISP network (all mikrotik) from bridges configuration to bridge vlan filtering or switch chip vlan configuration.
I think you should try the switch-chip way of configuring VLANs on devices where bridge vlan-filtering doesn't allow good performance. You might get pleasantly surprised.
BR,
Metod
 
solelunauno
Member Candidate
Topic Author
Posts: 109
Joined: Mon Jul 16, 2012 7:00 pm
Location: Roseto Capo Spulico CS Italy

Re: vlan on a bridge in a bridge

Fri Jun 28, 2019 7:25 pm

So, let's see my "hybrid" configuration of a RB2011. It's the best configuration I found to obtain:
1) 1 gigabit trunk port with hardware offload and packet sniffer capability (with switch rules added when needed);
2) 4 gigabit access ports with hardware offload and packet sniffer capability (with switch rules added when needed, as done for ether5);
3) 5 100M access ports without hardware offload (not needed for only 100Mbps) and packet sniffer capability.
As you can see, the first 5 ports are configured on the switch chip (8327), there is a vlan on bridge (trunk) to tap the access network with vlan id=2000 (vlan-uffici), and there is another bridge (bridge uffici) with vlan-uffici and ether6-ether10 as members (the plain old bridges configuration that I loved but I can't use anymore, perhaps).
In this configuration we don't see the known harmful effects of "vlan on a bridge in a bridge", because:
1) the trunk port has only one trunk interface hardware configured;
2) the trunk bridge is hardware offloaded, and for some reason (I don't know why) in this scenario (trunk bridge hardware offloaded) packets are not flooded to each port of the trunk bridge.
192.168.87.0/24 is the trunk management network.
Perhaps you don't like the management network on vlan id=1, but in large networks I prefer this method because 1) if I put my computer in the trunk network, I can easily see all devices with both winbox (for mikrotiks) and other vendors' applications; 2) if my workers put some new devices on the network, I can easily find them and start programming them with the same pc on the same port, that often is a remote bridged port from my office to the customer.
# jun/28/2019 15:40:29 by RouterOS 6.44.1
# model = 2011iL
/interface bridge
add name=bridge protocol-mode=none
add name=bridge-uffici protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] comment="PC cassa"
set [ find default-name=ether2 ] comment="Dorsale verso Mareluna 2011"
set [ find default-name=ether5 ] comment="stampante test"
set [ find default-name=ether7 ] comment=\
    "xp80 stampante fiscale 100M 192.168.0.69"
set [ find default-name=ether8 ] comment=\
    "epson stampante cucina sala 100M 192.168.0.231"
set [ find default-name=ether9 ] comment=\
    "xprinter stampante cucina ristorante 100M 192.168.0.229"
set [ find default-name=ether10 ] comment=\
    "epson stampante comande bar 100M 192.168.0.230"
/interface vlan
add comment="vlan on bridge" \
    interface=bridge name=vlan-uffici vlan-id=2000
/interface ethernet switch port
set 0 default-vlan-id=2000 vlan-header=always-strip vlan-mode=secure
set 1 default-vlan-id=1 vlan-header=add-if-missing vlan-mode=fallback
set 2 default-vlan-id=2000 vlan-header=always-strip vlan-mode=secure
set 3 default-vlan-id=2000 vlan-header=always-strip vlan-mode=secure
set 4 default-vlan-id=2000 vlan-header=always-strip vlan-mode=secure
set 5 default-vlan-id=1
set 6 default-vlan-id=1
set 7 default-vlan-id=1
set 8 default-vlan-id=1
set 9 default-vlan-id=1
set 10 default-vlan-id=1 vlan-mode=fallback
set 11 default-vlan-id=1
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether1
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge-uffici interface=ether6
add bridge=bridge-uffici interface=ether7
add bridge=bridge-uffici interface=ether8
add bridge=bridge-uffici interface=ether9
add bridge=bridge-uffici interface=ether10
add bridge=bridge-uffici interface=vlan-uffici
/interface ethernet switch rule
add copy-to-cpu=yes ports=ether5 switch=switch1
/interface ethernet switch vlan
add independent-learning=no ports=ether2,switch1-cpu switch=switch1 vlan-id=1
add independent-learning=no ports=\
    ether1,ether2,ether3,ether4,ether5,switch1-cpu switch=switch1 vlan-id=\
    2000
/ip address
add address=192.168.87.47/24 interface=bridge network=192.168.87.0
/ip dns
set servers=192.168.87.1
/ip route
add distance=1 gateway=192.168.87.1
/ip ssh
set allow-none-crypto=yes
/snmp
set enabled=yes
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=Mareluna-cassa-2011
/system ntp client
set enabled=yes primary-ntp=192.168.87.1
/tool sniffer
set filter-interface=ether5
SL1 Systems srl MTCNA MTCRE
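A consistency check over the switch-chip VLAN sections of an export like the one above, added here as an example and not code from the poster or from MikroTik: it parses `/interface ethernet switch port` and `/interface ethernet switch vlan`, then flags the two failure modes the thread discusses, a secure port whose pvid is missing from the VLAN table (black-holed access port) and a management VLAN without the cpu port as member (lockout), plus ports still in the loose fallback mode. It assumes the RB2011 `set N` index order (ether1-ether5 at 0-4, switch1-cpu at 10) and the secure/fallback semantics described in MikroTik's switch-chip documentation; the sample text is a constructed copy of the export's switch sections.

```python
"""Cross-check the switch-chip VLAN sections of a RouterOS export (added example)."""
import re

SWITCH_PORT_SECTION = "/interface ethernet switch port"
SWITCH_VLAN_SECTION = "/interface ethernet switch vlan"

# Constructed sample: the switch-chip sections of the RB2011 export posted above.
SAMPLE_EXPORT = """\
/interface ethernet switch port
set 0 default-vlan-id=2000 vlan-header=always-strip vlan-mode=secure
set 1 default-vlan-id=1 vlan-header=add-if-missing vlan-mode=fallback
set 2 default-vlan-id=2000 vlan-header=always-strip vlan-mode=secure
set 3 default-vlan-id=2000 vlan-header=always-strip vlan-mode=secure
set 4 default-vlan-id=2000 vlan-header=always-strip vlan-mode=secure
set 10 default-vlan-id=1 vlan-mode=fallback
/interface ethernet switch vlan
add independent-learning=no ports=ether2,switch1-cpu switch=switch1 vlan-id=1
add independent-learning=no ports=\\
    ether1,ether2,ether3,ether4,ether5,switch1-cpu switch=switch1 vlan-id=\\
    2000
"""

# Assumption: 'set N' indexes map to ports in this order on an RB2011 switch1
# (ether1-ether5, then switch1-cpu at index 10). Adjust for other boards.
RB2011_SWITCH1_PORTS = {0: "ether1", 1: "ether2", 2: "ether3", 3: "ether4",
                        4: "ether5", 10: "switch1-cpu"}

KV_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')


def parse_export(text):
    """Return {section: [entry, ...]}; each entry is a dict of key=value pairs.
    Backslash line continuations are joined and 'set N' keeps N as 'index'."""
    joined = re.sub(r"\\\n\s*", "", text)
    sections, current = {}, None
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
            continue
        verb, _, rest = line.partition(" ")
        entry = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        if verb == "set":
            entry["index"] = rest.split()[0]
        if current is not None:
            sections[current].append(entry)
    return sections


def audit_switch_vlans(text, port_names, management_vlan=1):
    """Return (level, where, message) findings for one switch chip.
    Semantics assumed from MikroTik's switch-chip docs: 'secure' drops ingress
    frames whose VLAN is not in the table with this port as member; 'fallback'
    is the loosest mode and still forwards VLAN ids missing from the table."""
    sections = parse_export(text)
    ports = {}
    for p in sections.get(SWITCH_PORT_SECTION, []):
        name = port_names.get(int(p["index"]))
        if name and "default-vlan-id" in p:
            ports[name] = p
    vlans = {}  # vlan-id -> set of member port names
    for v in sections.get(SWITCH_VLAN_SECTION, []):
        vlans.setdefault(int(v["vlan-id"]), set()).update(v["ports"].split(","))
    findings = []
    for name, p in sorted(ports.items()):
        pvid, mode = int(p["default-vlan-id"]), p.get("vlan-mode", "disabled")
        if mode == "secure" and name not in vlans.get(pvid, set()):
            findings.append(("error", name, f"secure port with pvid {pvid} is not a "
                             f"member of VLAN {pvid}: its untagged traffic is dropped"))
        elif mode == "fallback":
            findings.append(("warning", name, "fallback mode does not filter unknown "
                             "VLAN ids on ingress; use secure once the table is complete"))
        elif mode == "disabled" and any(name in m for m in vlans.values()):
            findings.append(("warning", name, "listed in the VLAN table but vlan-mode "
                             "is disabled, so the table is ignored on this port"))
    cpu_ports = {n for n in ports if n.endswith("-cpu")}
    if not vlans.get(management_vlan, set()) & cpu_ports:
        findings.append(("error", f"vlan {management_vlan}", "management VLAN has no "
                         "cpu port member: the router is unreachable on it (lockout)"))
    return findings


def errors(findings):
    """Only the findings that break connectivity."""
    return [f for f in findings if f[0] == "error"]


if __name__ == "__main__":
    for level, where, msg in audit_switch_vlans(SAMPLE_EXPORT, RB2011_SWITCH1_PORTS):
        print(f"{level:8} {where:12} {msg}")
```

On the posted config it reports no errors, only that ether2 and switch1-cpu run in fallback mode; dropping a port from the vlan-id=2000 entry or the cpu port from the vlan-id=1 entry turns into an error before the change is committed to the device.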
 
mkx
Forum Guru
Posts: 3184
Joined: Thu Mar 03, 2016 10:23 pm

Re: vlan on a bridge in a bridge

Fri Jun 28, 2019 11:04 pm

There isn't much odd in your config apart from configuring one bridge (the 100Mbps one) without VLANs while configuring the other one (the 1Gbps one) with VLANs but then use vlan interface to bridge them both together.

My guess is that both bridges could be HW offloaded (they use distinct switch chips), it is possible to verify by running /interface bridge port print - actual HW offload status is indicated in the status column for each port. But then it's been said that only a single bridge per RB device can be HW offloaded and it could well be a design decision and nothing to do with actual hardware.

From the description it's not clear whether ether2 actually needs to be a member of bridge as it seems to be configured exclusively for RB2011 management. So it could be pulled out of bridge and IP config could be bound directly to ether2 interface. Which would enable to use the rest of gigabit ports without VLAN config. Probably you could actually configure RB with single bridge, add all ether ports (less ether2) to it and optionally set hw=no on ports ether6-ether10 if it turns out that only ports from one of switch chips can be HW offloaded and HW enabled is preferred on gigabit ports.

I'll just say it again: your setup is completely valid in recent ROS versions (also your export says the same, you're running 6.44), for now bridge vlan-filtering is not mandatory. I still don't understand your bad mood from original post in this thread.
BR,
Metod
 
anav
Forum Guru
Posts: 3114
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: vlan on a bridge in a bridge

Sat Jun 29, 2019 4:45 pm


Perhaps you don't like the management network on vlan id=1, but in large networks I prefer this method because 1) if I put my computer in the trunk network, I can easily see all devices with both winbox (for mikrotiks) and other vendors' applications; 2) if my workers put some new devices on the network, I can easily find them and start programming them with the same pc on the same port, that often is a remote bridged port from my office to the customer.
As long as you keep the default pvid of vlan1 on all devices (not as a management vlan per se but as a default) at least on the MT devices and what I have discovered between a mix of vendors, I can still see and control my managed devices. On the other hand I am a big proponent of it works DONT FIX IT!
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
solelunauno
Member Candidate
Topic Author
Posts: 109
Joined: Mon Jul 16, 2012 7:00 pm
Location: Roseto Capo Spulico CS Italy

Re: vlan on a bridge in a bridge

Sun Jun 30, 2019 11:35 am

There isn't much odd in your config apart from configuring one bridge (the 100Mbps one) without VLANs while configuring the other one (the 1Gbps one) with VLANs but then use vlan interface to bridge them both together.

My guess is that both bridges could be HW offloaded (they use distinct switch chips), it is possible to verify by running /interface bridge port print - actual HW offload status is indicated in the status column for each port. But then it's been said that only a single bridge per RB device can be HW offloaded and it could well be a design decision and nothing to do with actual hardware.

From the description it's not clear whether ether2 actually needs to be a member of bridge as it seems to be configured exclusively for RB2011 management. So it could be pulled out of bridge and IP config could be bound directly to ether2 interface. Which would enable to use the rest of gigabit ports without VLAN config. Probably you could actually configure RB with single bridge, add all ether ports (less ether2) to it and optionally set hw=no on ports ether6-ether10 if it turns out that only ports from one of switch chips can be HW offloaded and HW enabled is preferred on gigabit ports.

I'll just say it again: your setup is completely valid in recent ROS versions (also your export says the same, you're running 6.44), for now bridge vlan-filtering is not mandatory. I still don't understand your bad mood from original post in this thread.
Ether2 is the trunk port connected to the rest of the network.
If you exclude ether2, there will be no main network connection for this switch.
If you don't use my second bridge to connect the vlan-uffici to the second switch (the 100Mbps one), you have to fight with the 8227 switch chip on the second switch, that isn't capable of any switch rule to allow packet sniffing from the cpu, so you obtain a stupid 5 port 100M switch that does not justify the cost of Mikrotik RB2011!
And if you use bridge vlan filtering, you lose hardware offload also for the gigabit switch.
So, you need a hybrid way, that shows the limitations of this new way (bridge vlan filtering) to do those things.
SL1 Systems srl MTCNA MTCRE
 
mkx
Forum Guru
Posts: 3184
Joined: Thu Mar 03, 2016 10:23 pm

Re: vlan on a bridge in a bridge

Sun Jun 30, 2019 2:32 pm

So, you need a hybrid way, that shows the limitations of this new way (bridge vlan filtering) to do those things.

I'll just write this post and retreat from this thread ...

I agree that MT should have made a step further implementing HW offload for the new bridge vlan-filtering for any device that supports (at least part of) the functionality in hardware (not only for CRS3xx). And that more than one bridge should be HW offloaded. The fact that the old way of configuring it remains shows that MT is aware of this problem (and makes your anger less understandable).

But the above doesn't change the fact that the new way is way simpler and portable over different devices. On this aspect I strongly disagree with you.
BR,
Metod
 
vecernik87
Long time Member
Posts: 648
Joined: Fri Nov 10, 2017 8:19 am

Re: vlan on a bridge in a bridge

Sun Jun 30, 2019 11:04 pm

One thing that nobody mentioned: vlan interfaces are "dumb" tag injectors. They don't implement any logic. They just inject a tag or strip a tag, depending on the direction, and that poses a risk of tagging already tagged frames. And I am not talking about QinQ. I am talking about 3, 4 or even 5 layers of tags. Tag stacking may be useful in some special cases but it is against RFC and not many other devices will be able to chew it. If you are not careful, this might happen and then good luck finding out why your Alcatel PABX keeps restarting (yep, I had the pleasure)

On the other hand, modern way of setting VLANs in a bridge is as unintuitive as it can be. Amount of questions and troubles shared on this forum proves the fact. I am not surprised that so many people want to stick with the old way.
 
solelunauno
Member Candidate
Topic Author
Posts: 109
Joined: Mon Jul 16, 2012 7:00 pm
Location: Roseto Capo Spulico CS Italy

Re: vlan on a bridge in a bridge

Mon Jul 01, 2019 10:51 am

One thing that nobody mentioned: vlan interfaces are "dumb" tag injectors. They don't implement any logic. They just inject a tag or strip a tag, depending on the direction, and that poses a risk of tagging already tagged frames. And I am not talking about QinQ. I am talking about 3, 4 or even 5 layers of tags.
I simply don't understand the issue you talk about. Probably you have some tagged packets coming from some access interfaces; in this case, I think it's normal that tagged packets will be re-tagged in a Q in Q way.
SL1 Systems srl MTCNA MTCRE
