syadnom
Forum Veteran
Topic Author
Posts: 794
Joined: Thu Jan 27, 2011 7:29 am

help fix leaky vlans, NP16 + PBP

Tue Mar 23, 2021 1:44 am

Hi all. I'm racking my brain to see what's wrong with a config I have.

PBP with a single cable to a NP16. PBP eth1 to NP16 eth1. All ports on the NP16 are in the bridge.

I'm configuring the PBP with VLANs 102, 103, 104 and so on as sub-interfaces of PBP-eth1.
On the NP16 I'm creating VLANs in bridge/vlan and configuring these as tagged NP16-eth1 and untagged NP16 port#. Then I'm setting bridge/port 16 as PVID16.
So VLAN 116 is set UNTAGGED NP16-eth16 and TAGGED NP16-eth1 and PBP-eth1-VLAN16.

Can someone help me with what I should be doing for ingress filtering on the NP16 (currently unchecked and set to admit all) as well as on the PBP (bridge has no special configuration, i.e. it's 'stock')?

Ultimate goal is to have a VLAN on the PBP interface trunked to the NP16's ports in a router-on-a-stick design with no leaky VLANs.
 
anav
Forum Guru
Posts: 19109
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: help fix leaky vlans, NP16 + PBP

Tue Mar 23, 2021 2:14 am

No idea what all the acronyms mean, thus please provide a network diagram.
Also post the config:
/export hide-sensitive file=anynameyouwish
 
syadnom
Forum Veteran
Topic Author
Posts: 794
Joined: Thu Jan 27, 2011 7:29 am

Re: help fix leaky vlans, NP16 + PBP

Tue Mar 23, 2021 4:27 am

PBP = PowerBox Pro
NP16 = netPower 16
 
mkx
Forum Guru
Posts: 11444
Joined: Thu Mar 03, 2016 10:23 pm

Re: help fix leaky vlans, NP16 + PBP

Tue Mar 23, 2021 11:04 am

Post actual configuration of both devices, it's not really possible to know what exactly you configured from your description. Possibly it's not what you think you configured but what you actually configured.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: help fix leaky vlans, NP16 + PBP

Tue Mar 23, 2021 1:02 pm

So if I re-word it: on the NP16, each port except ether1 should be an access port to a single VLAN (ether2 - VLAN 102 through to ether16 - VLAN 116).
Ingress filtering doesn't care about the particular VLAN ID. It only distinguishes between two types of ingress frames:
- ones tagged with a non-0 VLAN ID
- ones not tagged at all or tagged with VLAN ID 0, which is a way to indicate that from the VLAN point of view, such a frame should be treated as an untagged one, but the tag is there to transport the 802.1p priority field (as a single tag bears both the VLAN ID and the priority field)

Hence to prevent frames tagged with any non-0 VLAN ID from being accepted at ether2...ether16, you set ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged under /interface bridge port for all ports except ether1.

Is this the answer to your actual question?
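
Added example, not part of the original thread: a small Python model of the rule described in the post above, classifying frames by their 802.1Q tag and applying admit-only-untagged-and-priority-tagged on an access port. It is not RouterOS code; the function names, MAC addresses and sample frames are constructed for illustration, with pvid=102 taken from the ether2 mapping above.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

def classify(frame: bytes):
    """Return (kind, vid, pcp) for a raw Ethernet frame (no FCS)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return ("untagged", None, None)
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    pcp, vid = tci >> 13, tci & 0x0FFF  # one 16-bit TCI carries both fields
    return ("priority-tagged" if vid == 0 else "vlan-tagged", vid, pcp)

def access_port_ingress(frame: bytes, pvid: int):
    """Model of an access port with ingress-filtering=yes and
    frame-types=admit-only-untagged-and-priority-tagged.
    Returns (vlan, pcp) for an admitted frame, or None when it is dropped."""
    kind, _vid, pcp = classify(frame)
    if kind == "vlan-tagged":
        return None              # any non-0 VLAN ID is refused
    return (pvid, pcp or 0)      # untagged and VID 0 frames join the PVID

def make_tci(pcp: int, vid: int) -> int:
    """Pack the 3-bit priority and 12-bit VLAN ID into one TCI (DEI = 0)."""
    return (pcp << 13) | vid

def build_frame(tci=None, payload=b"\x00" * 46):
    """Constructed sample frame: made-up MACs, EtherType IPv4."""
    macs = bytes.fromhex("ffffffffffff" "020000000002")
    tag = b"" if tci is None else struct.pack("!HH", TPID_8021Q, tci)
    return macs + tag + struct.pack("!H", 0x0800) + payload

SAMPLES = {  # constructed inputs for a port with pvid=102
    "untagged": build_frame(),
    "priority-tagged": build_frame(make_tci(5, 0)),
    "tagged-vid-103": build_frame(make_tci(0, 103)),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(f"{name:16} -> {access_port_ingress(frame, pvid=102)}")
```
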
 
syadnom
Forum Veteran
Topic Author
Posts: 794
Joined: Thu Jan 27, 2011 7:29 am

Re: help fix leaky vlans, NP16 + PBP

Wed Mar 24, 2021 10:37 pm

> So if I re-word it: on the NP16, each port except ether1 should be an access port to a single VLAN (ether2 - VLAN 102 through to ether16 - VLAN 116).
> Ingress filtering doesn't care about the particular VLAN ID. It only distinguishes between two types of ingress frames:
> - ones tagged with a non-0 VLAN ID
> - ones not tagged at all or tagged with VLAN ID 0, which is a way to indicate that from the VLAN point of view, such a frame should be treated as an untagged one, but the tag is there to transport the 802.1p priority field (as a single tag bears both the VLAN ID and the priority field)
>
> Hence to prevent frames tagged with any non-0 VLAN ID from being accepted at ether2...ether16, you set ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged under /interface bridge port for all ports except ether1.
>
> Is this the answer to your actual question?

I believe so.

Filtering ON and 'admit-only*' for the 'access' ports that will receive untagged traffic and ADD the tag assigned to PVID.
Filtering OFF and set to 'all' for the trunk port(s).
In VLANs, set the access port to untagged and the trunk ports to tagged.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: help fix leaky vlans, NP16 + PBP

Wed Mar 24, 2021 11:20 pm

> Filtering ON and 'admit-only*' for the 'access' ports that will receive untagged traffic and ADD the tag assigned to PVID.

admit-only-untagged-and-priority-tagged

> Filtering OFF and set to 'all' for the trunk port(s)

When ingress-filtering=no, it doesn't matter what you set as frame-types.

> In VLANs, set the access port to untagged and the trunk ports to tagged.

It is actually enough to set the tagged port(s) to the tagged list. The untagged list gets populated dynamically by ports with corresponding pvid.
 
anav
Forum Guru
Posts: 19109
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: help fix leaky vlans, NP16 + PBP

Thu Mar 25, 2021 9:11 pm

If you are configuring for a hybrid port, let's say VLANs 10, 11 trunked and 66 untagged.
Ether1 is from the router, ether2 is the hybrid port, ether3 is a trunk port (10, 11, 12), ether4 is an access port (66).

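/interface bridge port
# ether1: trunk from the router, tagged frames only
add bridge=bridge-new interface=ether1 ingress-filtering=yes frame-types=admit-only-vlan-tagged
# ether2: hybrid port, tagged VLANs 10,11 plus untagged traffic placed in VLAN 66
add bridge=bridge-new interface=ether2 frame-types=admit-all pvid=66
# ether3: trunk port, tagged frames only
add bridge=bridge-new interface=ether3 ingress-filtering=yes frame-types=admit-only-vlan-tagged
# ether4: access port for VLAN 66
add bridge=bridge-new interface=ether4 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=66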

Note: for bridge VLANs I like to put the untagged interfaces as it helps me map out what I am doing.

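/interface bridge vlan
# VLANs 10 and 11: tagged on the bridge, the router trunk, the hybrid port and the trunk port
add bridge=bridge-new tagged=bridge-new,ether1,ether2,ether3 vlan-ids=10,11
# VLAN 12: trunk ports only
add bridge=bridge-new tagged=bridge-new,ether1,ether3 vlan-ids=12
# VLAN 66: tagged towards the router, untagged on the hybrid and access ports
add bridge=bridge-new tagged=ether1 untagged=ether2,ether4 vlan-ids=66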
