Community discussions

MikroTik App
 
User avatar
Kentzo
Long time Member
Long time Member
Topic Author
Posts: 516
Joined: Mon Jan 27, 2014 3:35 pm
Location: California

Hybrid VLAN port on Atheros8227

Thu Jan 06, 2022 9:10 pm

The documentation says:
VLAN Hybrid ports which can forward both tagged and untagged traffic are supported only by some Gigabit switch chips (QCA8337, Atheros8327)

Should I interpret it as:
  • An attempt to configure switch port as Hybrid on Atheros8227 will cause undefined behavior
  • It will work but all the VLAN work will be done on CPU without hardware offloading on this port

I need to allow both tagged and untagged traffic on the port since only part of my network is currently on VLAN (in process of migration / experimentation).
 
User avatar
bpwl
Forum Guru
Forum Guru
Posts: 2983
Joined: Mon Apr 08, 2019 1:16 am

Re: Hybrid VLAN port on Atheros8227

Thu Jan 06, 2022 9:26 pm

Using Bridge VLAN filter on 8227 disables hardware off-loading.
.
It will work but all the VLAN work will be done on CPU without hardware offloading
.
.
If Bridge VLAN filtering is not enabled all untagged and all VLAN tagged traffic goes to all ports (no filtering/dumb switch).
You still have the VLAN functionality, and may even use Switch-VLAN-Filtering for filtering in HW as alternative VLAN-filtering.
.
REF:
Below is a list of devices and feature that supports hardware offloading (+) or disables hardware offloading (-):
.
https://wiki.mikrotik.com/wiki/Manual:I ... Offloading
Last edited by bpwl on Thu Jan 06, 2022 10:42 pm, edited 3 times in total.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Hybrid VLAN port on Atheros8227

Thu Jan 06, 2022 9:35 pm

If you want to to bridge vlan filtering, hybrid ports are easy peasy.
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11436
Joined: Thu Mar 03, 2016 10:23 pm

Re: Hybrid VLAN port on Atheros8227

Thu Jan 06, 2022 9:55 pm

Should I interpret it as:
  • An attempt to configure switch port as Hybrid on Atheros8227 will cause undefined behavior
  • It will work but all the VLAN work will be done on CPU without hardware offloading on this port

The linked document is about configuring stuff directly on switch-chip ... and the answer to the dilemma is: the former.

The later interpretation has nothing to do with linked document, it is about bridge vlan stuff (document linked by @bpwl) which is alternative to the way of doing it described in document from your link.
 
User avatar
Kentzo
Long time Member
Long time Member
Topic Author
Posts: 516
Joined: Mon Jan 27, 2014 3:35 pm
Location: California

Re: Hybrid VLAN port on Atheros8227

Thu Jan 06, 2022 11:38 pm

Based on my takeway from When would I want vlan-filtering turned off on a router? I can use switch-chip (Atheros8227) and CAPsMAN for properly configured VLAN (no L2 leaks). Unless I overestimate cpu load of vlan-filtering.

My current setup is VLAN-less and I would prefer adding VLANs one by one while keeping my current VLAN-less configuration in working order (temporary routing issues between VLAN-less and VLANs can be disregarded).

To give you a better view of my situation:

On R1 (CAPsMAN) and R2 (CAP which is effectively a switch, no IP services, no firewall etc) which are connected over ethernet I have CAPsMAN managed VLAN-less wlans. I also added a VLAN-tagged virtual-AP wlan which is deployed on both R1 and R2 via CAPsMAN. In other words on both R1 and R2 I have VLAN and VLAN-less wlan interfaces.
Thus, if my understanding is correct, ethernet ports that connect R1 and R2 are supposed to be Hybrid. At this moment I have neither vlan-filtering nor vlan-on-a-switch; it all works because dumb switches leak all packets as is.

Could you give me an advice on how to proceed with configuration so that at the end I have vlan-on-a-switch configuration? Temporary using vlan-filtering as means to this goal is fine.
 
sindy
Forum Guru
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Hybrid VLAN port on Atheros8227  [SOLVED]

Fri Jan 07, 2022 1:01 am

First, VLAN filtering on the switch chip only handles traffic passing from one Ethernet port to another. Frames bridged between a wired Ethernet port and a wireless interface are always handled by the CPU, so VLAN filtering on the switch chip brings no performance improvement as compared to vlan filtering on the software bridge in this case. So in your example case, it is useless; for a larger network it may make sense.

Second, I've checked in the past that you can do "kind of" hybrid ports on the 8227 chip; "kind of" means that you cannot choose the VLAN to be tagged on each port freely - the same VLAN must be tagless on all ports, you must set it as VLAN 0 on the switch chip, and you get it tagless on the software bridge. The thing is that these switch chips are unable to remove the VLAN tag of a "native" VLAN of the hybrid port on egress, so you have to set the vlan-header=leave-as-is mode for the ports.
 
User avatar
Kentzo
Long time Member
Long time Member
Topic Author
Posts: 516
Joined: Mon Jan 27, 2014 3:35 pm
Location: California

Re: Hybrid VLAN port on Atheros8227

Fri Jan 07, 2022 1:45 am

Do you have a ballpark estimate of the minimum kpps to start considering doing vlan-on-switch-chip instead of vlan-filtering on cpu?
 
User avatar
Kentzo
Long time Member
Long time Member
Topic Author
Posts: 516
Joined: Mon Jan 27, 2014 3:35 pm
Location: California

Re: Hybrid VLAN port on Atheros8227

Fri Jan 07, 2022 2:05 am

Second, I've checked in the past that you can do "kind of" hybrid ports on the 8227 chip; "kind of" means that you cannot choose the VLAN to be tagged on each port freely - the same VLAN must be tagless on all ports, you must set it as VLAN 0 on the switch chip, and you get it tagless on the software bridge. The thing is that these switch chips are unable to remove the VLAN tag of a "native" VLAN of the hybrid port on egress, so you have to set the vlan-header=leave-as-is mode for the ports.
I believe I read something like this in one of the manuals. However, I'm puzzled at how it's supposed to work.

Do you suggest doing `/interface switch port set <vlan-less port> default-vlan-id=0` for all VLAN-less ports? But doesn't it also means that all connected devices will receive packets with VLAN headers?
 
User avatar
nichky
Forum Guru
Forum Guru
Posts: 1275
Joined: Tue Jun 23, 2015 2:35 pm

Re: Hybrid VLAN port on Atheros8227

Fri Jan 07, 2022 3:23 am

im using hybrid port in my network , you can see from my basic config.
I need the vlan (vlan22) to be tagged on the routers(+20), and untaget on all antennas (+40)

/interface bridge
add name=br-vlan priority=0x6000 vlan-filtering=yes
/interface bridge port
add bridge=br-vlan interface=ether2 pvid=22
/interface bridge vlan
add bridge=br-vlan tagged=br-vlan,ether2 vlan-ids=22
add bridge=br-vlan tagged=br-vlan untagged=ether2 vlan-ids=22
 
sindy
Forum Guru
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Hybrid VLAN port on Atheros8227

Fri Jan 07, 2022 2:36 pm

It just means that frames that are tagless at ingress stay tagless and are allowed to egress, still tagless, through any member port of VLAN 0, including the CPU port. And all the frames that are tagged at ingress are allowed to egress through any member port of the VLAN they are tagged with. I.e. a similar behavior to the software bridge with vlan-filtering=no, except that you can exclude ports from individual VLANs, and of course that it is done in hardware.

This was useful for a case where someone had an uplink where internet connectivity was tagless and IPTV was in a VLAN, and the traffic of the IPTV was maxing out the CPU of the hAP lite or a similar mipsbe&Ar8227-based model. I don't remember whether vlan filtering was allowed on the bridge, though. I'd say the best way to test this is to create a wireless interface that is not a member of any bridge, attach an IP subnet, DHCP server etc. to it and use it to manage the device - it is almost inevitable to lose access to the device via Ethernet ports when tampering with vlan filtering on the switch chip.
 
User avatar
Kentzo
Long time Member
Long time Member
Topic Author
Posts: 516
Joined: Mon Jan 27, 2014 3:35 pm
Location: California

Re: Hybrid VLAN port on Atheros8227

Sat Jan 08, 2022 1:04 am

Thank you! Allow me re-confirm this: it should be a vlan 0 and not vlan 1? I cannot seem to understand the difference, perhaps there is a mikrotik document explaining it?

Is this behavior relevant to RouterOS in general or only for a small subset of switch chips?
 
sindy
Forum Guru
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Hybrid VLAN port on Atheros8227

Sat Jan 08, 2022 3:31 pm

it should be a vlan 0 and not vlan 1? I cannot seem to understand the difference, perhaps there is a mikrotik document explaining it?
Mikrotik documentation rarely explains standards or chip manufacturer documentation.

In 802.1Q, VID 0 means "treat the frame as it was taggless except that you respect the priority field of the tag" - the tag has a fixed format so 0 is the way to say the VID part of it is "unused". That's why one of the values of the admit-frames parameter of /interface bridge port row is admit-only-untagged-and-priority-tagged.

Similarly, VID 4095 (all 1s) seems to have some reserved meaning, various vendors treat it differently.

The fact that the 8227 switch chip accepts 0 as a valid VID when it comes to indicating which port belongs to which VLAN, as specified in the /interface ethernet switch vlan branch of the configuration tree, seems rather like an anomaly/side effect than an intention to me.

VID 1 is just a regular VID like any other in the 1-4094 range, except many manufacturers make it the "native VLAN" of hybrid ports, which means it is not shown in default configurations. And thanks to their poor understanding, many people think VLAN 1 is some kind of black magic and avoid treating it as a VLAN.

Is this behavior relevant to RouterOS in general or only for a small subset of switch chips?
I had no reason to try this on any other switch chip than the 8227 as all the other chips either do not support VLAN filtering in hardware at all (at least in RouterOS 6, some do in RouterOS 7) or hybrid ports can be configured on them without crazy workarounds.

Who is online

Users browsing this forum: Google [Bot], patrikg, xristostsilis and 72 guests