
CRS hw vlan-filtering problem

Posted: Thu Sep 23, 2021 1:02 pm
by Erik81
Hi, I am trying to configure a per-VLAN MAC ACL on an L2 bridge. When vlan-filtering is disabled, everything works without limit for both pvid=1 and vlan=456, but after enabling it, pvid=1 still works without limit and vlan=456 does not. I tried to create a universal allow rule, but the VLAN still does not work. Do you have any idea what is wrong?
# RouterOS export: one VLAN-filtering bridge over three SFP+ ports, plus
# switch-chip ACL rules meant to restrict VLAN 456 to two known MAC addresses.
# NOTE(review): source-MAC matching is set by the sending host, so these rules
# are port hygiene rather than authentication; where the attached devices must
# be verified, pair them with 802.1X or a similar control.
# model = CRS309-1G-8S+
/interface bridge
# VLAN filtering is on, but this export contains no "/interface bridge vlan"
# section, so no VLAN table entry for 456 is visible here.
# NOTE(review): with vlan-filtering=yes, a VLAN without a bridge VLAN table
# entry normally has no egress ports; confirm that 456 is defined with the
# intended tagged/untagged members. This would explain why only pvid=1 works.
add name=bridge1 protocol-mode=mstp vlan-filtering=yes
/interface list
add name=WAN
add name=LAN
/interface bridge filter
# Accept-and-log rule for everything forwarded through bridge1.
# NOTE(review): bridge filter is a software (CPU) feature; hardware-offloaded
# traffic presumably never reaches it, so neither the accept nor the log is
# evidence of what the switch chip forwards. Verify before relying on this log.
add action=accept chain=forward in-bridge=bridge1 log=yes
/interface bridge port
# No pvid is given on any port, so each keeps its default (the post says pvid=1).
add bridge=bridge1 interface=sfp-sfpplus1 learn=yes
add bridge=bridge1 interface=sfp-sfpplus2 learn=yes
add bridge=bridge1 interface=sfp-sfpplus3 learn=yes
/interface ethernet switch rule
# Rules are listed in the order they were added; the "accept all" test rule is first.
# NOTE(review): switch rules are documented as first-match. If so, this rule
# matches every VLAN-tagged frame on all three ports and the MAC-specific rules
# below are never consulted while it exists. Remove it once testing is done,
# otherwise the ACL enforces nothing.
add comment="accept all" mac-protocol=vlan ports=sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3 switch=switch1
# Allow VLAN 456 frames from one exact source MAC (full mask) per access port.
add mac-protocol=vlan ports=sfp-sfpplus3 src-mac-address=DE:E1:69:1C:90:88/FF:FF:FF:FF:FF:FF switch=switch1 vlan-id=456
add mac-protocol=vlan ports=sfp-sfpplus2 src-mac-address=36:86:B0:A4:AA:93/FF:FF:FF:FF:FF:FF switch=switch1 vlan-id=456
# Default deny for VLAN 456 on the two access ports: an empty new-dst-ports
# list leaves the frame with no destination, i.e. it is dropped.
# NOTE(review): the docs tie vlan-id matching to vlan-filtering=yes and also
# offer a vlan-header matcher; confirm how mac-protocol=vlan combines with
# vlan-id once filtering is enabled.
add mac-protocol=vlan new-dst-ports="" ports=sfp-sfpplus3,sfp-sfpplus2 switch=switch1 vlan-id=456
# Steer VLAN 456 frames addressed to each allowed MAC to the port that host is on.
# The ingress side includes switch1-cpu as well as the other bridge ports.
add dst-mac-address=DE:E1:69:1C:90:88/FF:FF:FF:FF:FF:FF mac-protocol=vlan new-dst-ports=sfp-sfpplus3 ports=switch1-cpu,sfp-sfpplus2,sfp-sfpplus1 switch=switch1 vlan-id=456
add dst-mac-address=36:86:B0:A4:AA:93/FF:FF:FF:FF:FF:FF mac-protocol=vlan new-dst-ports=sfp-sfpplus2 ports=switch1-cpu,sfp-sfpplus3,sfp-sfpplus1 switch=switch1 vlan-id=456
/interface list member
add interface=ether1 list=WAN
add interface=sfp-sfpplus1 list=LAN
add interface=sfp-sfpplus2 list=LAN
add interface=sfp-sfpplus3 list=LAN
# The address, DNS, gateway and SwOS IP values below are empty in the post,
# presumably redacted by the author; the lines will not import as shown.
/ip address
add address= comment=defconf interface=ether1 network=
/ip dns
set servers=
/ip route
add distance=1 gateway=
/system identity
set name=sw1
/system routerboard settings
# The device boots RouterOS, so the SwOS block below is not the active configuration.
set boot-os=router-os
/system swos
# NOTE(review): allow-from-ports=p9 looks like a limit on which port may reach
# SwOS management; confirm it would only matter if boot-os were switched to SwOS.
set address-acquisition-mode=static allow-from-ports=p9 identity=sw1 static-ip-address=