Like many others I am confused if a PVID setting is needed in certain configurations, my understanding is PVID will give a tag to untagged packet coming into that port, if the PVID is set at PVID=200
then untagged packets will be given a VLAN tag=200,
Here is my questions,
(1) If a port on the switch has only tagged VLAN's assigned to it, do i need to change the default PVID on that port ?
(2) Should I set that port to "Tagged Only" in "Acceptable Frames Types" from default "Admin All" when all the VLANS are tagged going through that port,
(3) If for example PVID ID=3999 has no ports assigned to it , will this PVID simply drop untagged packets coming into that port
(4) if for example PVID ID=3990 on port 5 of the switch has 10 tagged VLAN's assigned, can the PVID=3990 be also used on port 6 which is STP failover for port 5, or should a different PVID ID be used with the same 10 tagged VLAN's
(5) Is the PVID ID number unique to that switch and can the same PVID ID number be on another switch on the network - for example if PVID ID=3999 is used on switch A, can PVID ID=3999 be used on switch B and switch C ?
Re: PVID confusion
A port always has a PVID unless frame-types=admit-only-vlan-tagged, when this is set pvid= is ignored.(1) If a port on the switch has only tagged VLAN's assigned to it, do i need to change the default PVID on that port ?
(2) Should I set that port to "Tagged Only" in "Acceptable Frames Types" from default "Admin All" when all the VLANS are tagged going through that port,
That is not possible, a PVID is only associated with a port.(3) If for example PVID ID=3999 has no ports assigned to it , will this PVID simply drop untagged packets coming into that port
As mentioned above the PVID is ignored if frame-types=admit-only-vlan-tagged and you can leave it set to the default (1), otherwise it depends on your network topology.(4) if for example PVID ID=3990 on port 5 of the switch has 10 tagged VLAN's assigned, can the PVID=3990 be also used on port 6 which is STP failover for port 5, or should a different PVID ID be used with the same 10 tagged VLAN's
(5) Is the PVID ID number unique to that switch and can the same PVID ID number be on another switch on the network - for example if PVID ID=3999 is used on switch A, can PVID ID=3999 be used on switch B and switch C ?
Re: PVID confusion
Frame of reference?
Are you talking about Bridge Vlan Filtering use of PVID or
Switch chip etc.
Or are you referring to SwOS and not RoS.
Are you talking about Bridge Vlan Filtering use of PVID or
Switch chip etc.
Or are you referring to SwOS and not RoS.
Re: PVID confusion
Are you talking about Bridge Vlan Filtering use of PVID or
Switch chip etc.
Here's the difference:
Code: Select all
/interface bridge port
set 0 pvid=666
versus
Code: Select all
/interface ethernet switch port
set 0 default-vlan-id=666
So when talking about PVID in context of ROS, it's bridge filtering.
Dunno about SwOS context though.
Re: PVID confusion
Essentially there are two sections of configuration:
Interesting properties of ingress section:
Interesting properties of egress section:
With explanation above it's easier understand:
The bridge has to deal with the frame. If ingress port is the lone member of VLAN, then bridge can't find any egress port (frame is never sent out through ingress port), so bridge drops the frame.
- ingress section under /interface bridge port
- egress section under /interface bridge vlan
Interesting properties of ingress section:
- pvid=
sets VLAN ID with which untagged frames are tagged on ingress - frame-types=
security property, which sets (part of) ingress filtering ... frames of wrong type are dropped on ingress. - ingress-filtering=
security propery which ties ingress section with egress section of configuration. If this property is set, then frames with VLAN IDs not in the list of allowed VLANs for egress are dropped.
The list of allowed VLAN IDs is derived from properties described in the next paragraph.
Interesting properties of egress section:
- tagged=
frames tagged with VLAN ID will be allowed to egress through ports members of this list and will remain tagged on egress - untagged=
frames tagged with this VLAN ID will be allowed to egress through ports members of this list and will get untagged on egress
If a bridge port has pvid property set (see previous paragraph), then it's automatically added to this list. Doesn't hurt to add it explicitly though, it makes configuration export more self-descriptive.
With explanation above it's easier understand:
Bridge ports don't care about other ports members of bridge. Port simply tags ingress frame with PVID value (or untags it on egress) and applies appropriate filters. Then port hands off frame to bridge.(3) If for example PVID ID=3999 has no ports assigned to it , will this PVID simply drop untagged packets coming into that port
The bridge has to deal with the frame. If ingress port is the lone member of VLAN, then bridge can't find any egress port (frame is never sent out through ingress port), so bridge drops the frame.
-
-
Gombeen666
Member Candidate
- Posts: 224
- Joined:
Re: PVID confusion
First many thanks for the detailed replies received so far!
I should have mentioned that the current network is L2 bridged using Mikrotik CCR's - TP-Link L2 managed 24port switches - RB960 - RBM11G!
And I just wanted to ensure that the current configuration was optimal,
I think the Mikrotik's are using the old method of creating of VLAN for each interface and adding that interface to a bridge port , is there a better method ?
Then if PVID ID=3999 is also used on port11 with frame-types="admit all" this set port 11 to also have the 20 VLAN's rather than manually setting each of the 20 VLAN's to also use port11,
Is this a good or bad method?
With the above example of port 10 and 11 using frame-types="admit all" and using PVID ID=3999 should the ports of the next switch also use the same PVID=3999 to avoid VLAN mismatch?
Does this also apply when connecting from the TP-Link switches to Mikrotik devices
To further expand, connecting from a CCR (frame-types=!!!!!!!! ) to TP-Link Switches (frame-types="Tagged Only" to another Mikrotik device (frame-types=admit-only-vlan-tagged )
I should have mentioned that the current network is L2 bridged using Mikrotik CCR's - TP-Link L2 managed 24port switches - RB960 - RBM11G!
And I just wanted to ensure that the current configuration was optimal,
I think the Mikrotik's are using the old method of creating of VLAN for each interface and adding that interface to a bridge port , is there a better method ?
When PVID ID was used ports that had only tagged VLAN's really confused, so i should set these ports to frame-types=admit-only-vlan-tagged and for TP-Link =Tagged Only(1) If a port on the switch has only tagged VLAN's assigned to it, do i need to change the default PVID on that port ?
(2) Should I set that port to "Tagged Only" in "Acceptable Frames Types" from default "Admin All" when all the VLANS are tagged going through that port,
A port always has a PVID unless frame-types=admit-only-vlan-tagged, when this is set pvid= is ignored.
If I understand correctly using an example of say port 10 with frame-types="admit all" having 20 VLAN's with PVID ID=3999 (which has no ports assigned to VLAN3999) ,With explanation above it's easier understand:
(3) If for example PVID ID=3999 has no ports assigned to it , will this PVID simply drop untagged packets coming into that port
Bridge ports don't care about other ports members of bridge. Port simply tags ingress frame with PVID value (or untags it on egress) and applies appropriate filters. Then port hands off frame to bridge.
The bridge has to deal with the frame. If ingress port is the lone member of VLAN, then bridge can't find any egress port (frame is never sent out through ingress port), so bridge drops the frame.
Then if PVID ID=3999 is also used on port11 with frame-types="admit all" this set port 11 to also have the 20 VLAN's rather than manually setting each of the 20 VLAN's to also use port11,
Is this a good or bad method?
With the above example of port 10 and 11 using frame-types="admit all" and using PVID ID=3999 should the ports of the next switch also use the same PVID=3999 to avoid VLAN mismatch?
Does this also apply when connecting from the TP-Link switches to Mikrotik devices
To further expand, connecting from a CCR (frame-types=!!!!!!!! ) to TP-Link Switches (frame-types="Tagged Only" to another Mikrotik device (frame-types=admit-only-vlan-tagged )
Re: PVID confusion
The method of having one bridge per VLAN is a convoluted method which had to be used on ROS previous to 6.40. On versions later tgan that one should use single VLAN-aware bridge. Read and understand this tutorial.I think the Mikrotik's are using the old method of creating of VLAN for each interface and adding that interface to a bridge port , is there a better method ?
Actually I omitted one explanation: port with pvid set will tag on ingress frames which don't already have 802.1q headers with TPID[*] matching bridge's ether-type property (default is 0x8100 a.k.a. C-tag). Or if frames do have 802.1q header but with VID set to 0.If I understand correctly using an example of say port 10 with frame-types="admit all" having 20 VLAN's with PVID ID=3999 (which has no ports assigned to VLAN3999) ,With explanation above it's easier understand:
Bridge ports don't care about other ports members of bridge. Port simply tags ingress frame with PVID value (or untags it on egress) and applies appropriate filters. Then port hands off frame to bridge.
The bridge has to deal with the frame. If ingress port is the lone member of VLAN, then bridge can't find any egress port (frame is never sent out through ingress port), so bridge drops the frame.
Then if PVID ID=3999 is also used on port11 with frame-types="admit all" this set port 11 to also have the 20 VLAN's rather than manually setting each of the 20 VLAN's to also use port11,
Is this a good or bad method?
[*] TPID is a 16-bit field which makes half of 802.1q header, there are a few standard values (e.g. 0x8100 and 0x88a8) and many non-standard ones.
So if you want to "tunnel" a bunch of "normal" VLANs between two ports using this method, you'd have to set ether-type to 0x88a8 (a.k.a. S-tag) on bridge ... in this case S-tags with PVID would be stacked to the existing C-tags on ingress and removed on egress (which would keep the previous C-tags). This is usually called Q-in-Q. Beware that with this configuration device wouldn't be able to interact with any of those 20 VLANs. And bridge can only have single ether-type set (so likely more than one bridge would be needed and only one bridge can be HW offloaded).
Keep in mind that if there is a port with pvid set, that port is automatically added to the list of ports members of that VLAN (as untagged) ...
Not necessarily ... untagged frames don't have any tags so on ingress they can be tagged with any VID. Usually it's good to use same VID as "native" VID on whole network (all hybrid links) to avoid potential confusion. But this can also be used on purpose if VLAN tag has to be changed for any reason (some switch chips can change VID so this "gym" is not necessary).With the above example of port 10 and 11 using frame-types="admit all" and using PVID ID=3999 should the ports of the next switch also use the same PVID=3999 to avoid VLAN mismatch?
IMO it's wise to use trunk (tagged only) links between LAN infrastructure devices, e.g. between mikrotik and tp-link ... having single VLAN untagged on link while having it tagged on ingress on both sides is confusing.