By setting tag-stacking=yes on a bridge port, you will add another VLAN tag with the PVID value on top of any other tag for all ingress packets.īelow you can find a very common diagram for a very typical type of setup that consists of a trunk port and multiple access ports:
EtherType - By default, a VLAN aware bridge will filter VLANs by checking the C-TAG (0x8100), all other VLAN tags are considered as untagged packets (without a VLAN tag).frame-type - You can filter out packets whether they have a VLAN tag or not, this is useful to add an extra layer of security for your bridge ports.This port is mostly used to create management access but can be used for other purposes as well, for example, to route traffic between VLANs, to mark packets and apply queues. For devices that support VLAN filtering with hardware offloading, this port is the bridge interface itself. CPU port - Every device with a switch chip has a special purpose port called CPU port and it is used to communicate with the device's CPU.For devices that support VLAN Filtering with hardware offloading, It is also related to the CPU port of a bridge. Management access is a great way to add another layer of security when accessing the device through a bridge port, this type of access is sometimes called the management port. With bridge VLAN filtering you can limit which packets are allowed to access the device that has the bridge configured, the most common practice is to allow access to the device only by using a very specific VLAN ID, but there are other ways you can grant access to the device. Management access - The bridge is supposed to simply forward packets between bridge ports and it would seem to other devices that there is simply a wire between them.Ingress filtering - By default, VLANs that don't exist in the bridge VLAN table are dropped before they are sent out (egress), but this property allows you to drop the packets when they are received (ingress).A dynamic entry is added in the bridge VLAN table for every PVID used, the port is automatically added as an untagged port.
PVID - The Port VLAN ID is used for access ports to tag all ingress traffic with a specific VLAN ID.If the packet contains a VLAN ID that does not exist in the bridge VLAN table for the egress port, then the packet is dropped before it gets sent out. VLAN-ids - Under /interface bridge vlan menu, you can specify an entry in which certain VLANs are allowed on specific ports.By specifying an untagged port the bridge will always remove the VLAN tag from egress packets. By specifying a tagged port the bridge will always set a VLAN tag for packets that are being sent out through this port (egress). In general, tagged ports should be your trunk ports and untagged ports should be your access ports. Tagged/Untagged - Under /interface bridge vlan menu, you can specify an entry that contains tagged and untagged ports.Backgroundīefore explaining bridge VLAN filtering in-depth, you should understand a few basic concepts that are involved in bridge VLAN filtering. The most important part of the bridge VLAN filtering feature is the bridge VLAN table, which specifies which VLANs are allowed on each port, but configuring it might get quite complex if you are trying to make a more advanced setup, for generic setups you should be able to configure your device using the Trunk and Access ports example, but the purpose of this guide is to provide in-depth explanation and point out some of the behavior characteristics when using bridge VLAN Filtering. This feature should be used instead of many known VLAN misconfigurations that are most likely causing you either performance issues or connectivity issues, you can read about one of the most popular misconfigurations in the VLAN in a bridge with a physical interface section. To achieve this, you should use the Bridge VLAN Filtering feature. Since RouterOS v6.41 it is possible to use a bridge to filter out VLANs in your network.
0 kommentar(er)
