Does tagged VLAN traffic on the ingress + egress of a switch ignore PVID number of a port ?
For example
Tagged VLAN20 ports 1 + 2 with PVID 1 on both ports
Tagged VLAN30 port 1 + 3 with PVID 1 on both ports
Tagged VLAN40 port 1 + 4 with PVID 1 on both ports
Re: Tagged VLANs + PVID
Depends how things are configured. In principle PVID will tag frames on ingress ... unless other settings prevent it. PVID in principle does nothing on egress, however in ROS setting PVID automatically adds port as untagged member ... and all untagged members will have tags stripped on egress. However, if port is explicitly set as tagged member, then tag will not be stripped.
So it really depends on many settings.
So it really depends on many settings.
-
-
Gombeen666
Member Candidate
- Posts: 224
- Joined:
Re: Tagged VLANs + PVID
@mkx Can I explain further when the Ingress and Egress ports have only tagged VLANs and no untagged VLAN's on them ?
Example
port 1 has VLAN10, VLAN20, VLAN30, VLAN35 VLAN40, VLAN50, VLAN55, VLAN60, VLAN70, VLAN80, VLAN90, VLAN100
port 2 has VLAN10, VLAN40,
port 3 has VLAN20,VLAN50,VLAN55
port 4 has VLAN30, VLAN35,VLAN60,
port 5 has VLAN70, VLAN80, VLAN90, VLAN100
Do I have to set a different PVID number for each port when only tagged VLANs are connected to the port
Example
port 1 has VLAN10, VLAN20, VLAN30, VLAN35 VLAN40, VLAN50, VLAN55, VLAN60, VLAN70, VLAN80, VLAN90, VLAN100
port 2 has VLAN10, VLAN40,
port 3 has VLAN20,VLAN50,VLAN55
port 4 has VLAN30, VLAN35,VLAN60,
port 5 has VLAN70, VLAN80, VLAN90, VLAN100
Do I have to set a different PVID number for each port when only tagged VLANs are connected to the port
Re: Tagged VLANs + PVID
You didn't show actual config ...
But anyway. If you set port like this:
then (implicitly set) PVID=1 won't have any effect and all untagged frames will be dropped on ingress. If ingress-filtering was not set, then frames tagged with any VID would be allowed on ingress. With property set as in example, bridge consults egress table and drops frames, tagged with VIDs other than 100 or 200. So this is a security feature, it blocks attempts to inject frames with invalid VIDs.
If port is not set as member of a VLAN (either tagged or untagged), then frame tagged with such VID won't be allowed through that port on egress. If port is set as untagged member, VLAN tag will be stripped on egress.
VLAN-related settings under /interface bridge port are about ingress behaviour. Settings under /interface bridge vlan are about egress behaviour. This barrier is only "broken" if ingress-filtering is set to yes (as explained earlier).
It is possible to configure a port as untagged on egress for multiple VIDs ... but port can only have single PVID set on ingress.
It is always good to check ouput of command /interface bridge vlan print ... which shows actual running values ... including (implicit) default settings of PVID ... this way one can verify that PVID setting doesn't have effect if frame-types is set to accept only tagged frames. If port is set as untagged member of a VLAN explicitly, then setting frame types to tagged only doesn't remove port from the list.
But anyway. If you set port like this:
Code: Select all
/interface bridge port
add bridge=... interface=etherX frame-types=admit-only-vlan-tagged ingress-filtering=yes
/interface bridge vlan
add bridge=... vlan-ids=100 tagged=etherX,...
add bridge=... vlan-ids=200 tagged=etherX,...
then (implicitly set) PVID=1 won't have any effect and all untagged frames will be dropped on ingress. If ingress-filtering was not set, then frames tagged with any VID would be allowed on ingress. With property set as in example, bridge consults egress table and drops frames, tagged with VIDs other than 100 or 200. So this is a security feature, it blocks attempts to inject frames with invalid VIDs.
If port is not set as member of a VLAN (either tagged or untagged), then frame tagged with such VID won't be allowed through that port on egress. If port is set as untagged member, VLAN tag will be stripped on egress.
VLAN-related settings under /interface bridge port are about ingress behaviour. Settings under /interface bridge vlan are about egress behaviour. This barrier is only "broken" if ingress-filtering is set to yes (as explained earlier).
It is possible to configure a port as untagged on egress for multiple VIDs ... but port can only have single PVID set on ingress.
It is always good to check ouput of command /interface bridge vlan print ... which shows actual running values ... including (implicit) default settings of PVID ... this way one can verify that PVID setting doesn't have effect if frame-types is set to accept only tagged frames. If port is set as untagged member of a VLAN explicitly, then setting frame types to tagged only doesn't remove port from the list.
Who is online
Users browsing this forum: LexNet and 32 guests