Spirch
Member Candidate
Topic Author
Posts: 119
Joined: Sat May 03, 2014 5:04 am

moving bridge vlan to switch vlan to use hw offload

Wed May 11, 2022 9:06 pm

I have a hAP AC2, which uses the Atheros 8327 chip.

I currently have (after struggling a few hours, thanks for the safe button) bridge vlan working. I am sure if you look at this config, you will say: it's all wrong. And I am sure you're right; even after watching a few videos / tutorials I am not sure how to properly do vlan.

My goal was to manage traffic of my d-link switch, making sure all traffic goes through the router, and by what I am seeing and with my test I was successful.
I can now use the firewall of the hAP AC2 to block traffic that happens in my dlink.

This is what I have done, nothing else;
added vlan-filtering=yes to my bridge
added use-ip-firewall-for-vlan=yes to my bridge settings

/interface vlan
add interface=LAN4 name=vlan1 vlan-id=20
add interface=LAN4 name=vlan2 vlan-id=30
add interface=LAN4 name=vlan3 vlan-id=40

and

/interface bridge port
add bridge=LAN interface=vlan1
add bridge=LAN interface=vlan2
add bridge=LAN interface=vlan3

The issue that I was not aware of is that using bridge vlan also disables hardware offloading of the whole bridge, and while reading about this issue I saw that switch vlan should let me re-enable it on some interfaces on my bridge, if I read it right, right? (if not just let me know)

After looking at switch vlan, it looks way more complicated and I would like to ask: seeing what I have done, how would you move this config from bridge vlan to switch vlan?
 
anav
Forum Guru
Posts: 19101
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: moving bridge vlan to switch vlan to use hw offload

Wed May 11, 2022 10:31 pm

Yeah, it's not optimal; try this as a guide...
viewtopic.php?t=143620

as for mt docs....
https://help.mikrotik.com/docs/display/ ... VLAN+Table
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: moving bridge vlan to switch vlan to use hw offload

Wed May 11, 2022 10:33 pm

Correct, on Atheros8327 you cannot offload your VLANs on the Switch Chip using Bridge VLAN Filtering.
The only way to offload them is to use VLANs on the Switch chip.

> how would you move this config from bridge vlan to switch vlan?

This is how you can configure your VLANs on the switch chip:
https://help.mikrotik.com/docs/display/ ... switchchip
 
Spirch
Member Candidate
Topic Author
Posts: 119
Joined: Sat May 03, 2014 5:04 am

Re: moving bridge vlan to switch vlan to use hw offload

Thu May 12, 2022 12:39 am

> Yeah, it's not optimal; try this as a guide...
> viewtopic.php?t=143620
>
> as for mt docs....
> https://help.mikrotik.com/docs/display/ ... VLAN+Table

Both links only talk about bridge vlan, not switch vlan :(
I have tried this and I keep losing access to my dlink device the moment that I enable vlan mode secure on the port.
 
anav
Forum Guru
Posts: 19101
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: moving bridge vlan to switch vlan to use hw offload

Thu May 12, 2022 1:17 am

Yes, but bridge vlan is easy, and if you can't do that mode, what makes you think switch chip will be easier LOL.

In any case no use beating your head against two walls, see if these switch chip links work for you.
Check out the switch chips links at Para O. here ---> viewtopic.php?t=182373
 
mkx
Forum Guru
Posts: 11434
Joined: Thu Mar 03, 2016 10:23 pm

Re: moving bridge vlan to switch vlan to use hw offload

Thu May 12, 2022 7:58 am

> ... how would you move this config from bridge vlan to switch vlan?

I wouldn't, as your config presented seems wrong. Hard to tell if it is indeed, as you posted some pseudo-code of changes made, not the actual resulting config. But as others noted, until you get VLAN settings right, I wouldn't care for performance.
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: moving bridge vlan to switch vlan to use hw offload

Thu May 12, 2022 9:45 pm

> I have tried this and I keep losing access to my dlink device, the moment that I enable vlan mode secure on the port

Can we see an export of your Switch configuration?
 
Spirch
Member Candidate
Topic Author
Posts: 119
Joined: Sat May 03, 2014 5:04 am

Re: moving bridge vlan to switch vlan to use hw offload

Thu May 12, 2022 10:21 pm

I think I found my issue (I should know more later today, when I have time to play around)

if you use the terminal and follow the guide

/interface ethernet switch vlan
add ports=ether1,ether2 switch=switch1 vlan-id=20

this will also set independent-learning=true

if you use winbox, default value is independent-learning=false

I am using winbox.

the guide is not "explicit" enough and/or there is a bug with winbox, default value should be the same as terminal?
 
Buckeye
Forum Veteran
Posts: 887
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: moving bridge vlan to switch vlan to use hw offload

Sat May 14, 2022 10:47 am

> if you use the terminal ... this will also set independent-learning=true
>
> if you use winbox, default value is independent-learning=false
>
> i am using winbox.
>
> the guide is not "explicit" enough and/or there is a bug with winbox, default value should be the same as terminal?

While I agree that winbox should do the same thing by default that the command line does, I would guess that in most cases the results would be the same, unless I am not understanding what "independent-learning" means in ROS.

My understanding is that IVL vs SVL works the same in the majority of cases, e.g. when a port is only outputting a single vlan as untagged, and all mac addresses are unique. When both of those are true, the behavior should be identical.

Here is a case where IVL is a requirement: You have two devices with identical mac addresses but they are on different vlans. Example: a router that is "cloning a mac" address, and has both interfaces connected to the same switch but in different vlans. With IVL, what must be unique is the mac+vlanid.

Here is a case where SVL is a requirement, at least for good performance: Asymmetric vlans. This is used by some vendors to provide "layer 2 isolation" for untagged devices. This is where all frames ingressing and egressing the port are untagged, but internally, the frames received from the wire are classified into a different vlan (specified by the pvid) than frames put onto the wire were sent from. Since the mac will always be on the same port, but associated with different vlans, having a shared mac-table prevents the continuous flooding of frames as would happen if the mac+vlan have to be unique.

Edit: for an example of using asymmetric vlans on a low end "smart switch" see this for explanation, and this for implementation on TL-SG108E

So in your case, why would IVL vs SVL make a difference?
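
Added example (not part of Buckeye's post or of RouterOS): a toy learning switch that replays the two cases described above, the cloned MAC on two VLANs and the asymmetric-VLAN layout, under independent (IVL) and shared (SVL) learning. The port numbers, VLAN IDs and MAC names are constructed, and dropping a frame whose learned port is not a member of the VLAN is an assumption of this model, not a statement about the Atheros 8327.

```python
"""Toy learning switch: IVL keys the MAC table on (vlan, mac), SVL on mac alone."""


class LearningSwitch:
    def __init__(self, independent_learning, members):
        self.ivl = independent_learning
        self.members = members   # vlan-id -> set of ports that may egress it
        self.fdb = {}            # learned MAC table

    def _key(self, vlan, mac):
        return (vlan, mac) if self.ivl else mac

    def receive(self, in_port, vlan, src, dst):
        """Learn src on in_port, then return the sorted egress ports for dst."""
        self.fdb[self._key(vlan, src)] = in_port
        allowed = self.members[vlan] - {in_port}
        out = self.fdb.get(self._key(vlan, dst))
        if out is None:
            return sorted(allowed)               # unknown unicast: flood the VLAN
        return [out] if out in allowed else []   # known: forward, or filter (assumed)


def cloned_mac_case(ivl):
    """Router uses one MAC ("R") on port 1/VLAN 10 and port 2/VLAN 20."""
    sw = LearningSwitch(ivl, {10: {1, 3}, 20: {2, 4}})
    sw.receive(1, 10, "R", "A")         # router talks on VLAN 10
    sw.receive(2, 20, "R", "B")         # same MAC then talks on VLAN 20
    return sw.receive(3, 10, "A", "R")  # host A (port 3) answers on VLAN 10


def asymmetric_case(ivl):
    """Uplink port 1 has pvid 1; client ports 2 and 3 have pvid 2 and 3."""
    sw = LearningSwitch(ivl, {1: {1, 2, 3}, 2: {1, 2}, 3: {1, 3}})
    sw.receive(2, 2, "C2", "R")         # client frame is classified into VLAN 2
    return sw.receive(1, 1, "R", "C2")  # reply is classified into VLAN 1


if __name__ == "__main__":
    for ivl in (True, False):
        mode = "IVL" if ivl else "SVL"
        print(mode, "cloned MAC ->", cloned_mac_case(ivl))
        print(mode, "asymmetric ->", asymmetric_case(ivl))
```

With IVL the reply in the asymmetric layout is flooded to both client ports, so the other "isolated" client also receives it; with SVL it goes only to port 2. In the cloned-MAC layout the result flips: SVL loses the VLAN 10 entry and the frame to the router is filtered.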
