Bridging two VLANs of the switch (TP-Link Archer C60 v2)

Hello,

I wanted to bridge two VLANs of the switch, i.e. configure the switch so that port 3 is VLAN 3 and port 4 is VLAN 4, and then add the resulting eth1.3 and eth1.4 to a bridge device. But the bridging never worked. (Background: I wanted to do some filtering with ebtables between these ports.)

Finally I found an old bug report here:

https://dev.archive.openwrt.org/ticket/8701

It says there: The problem cannot be solved except on switches that have multiple forwarding tables.

For switches which are able to deal with this, an extra FID has to be set for each VLAN.

But is this really true for the Archer C60? And why?

First question: What switch is built into the Archer C60 v2?

The documentation says Qualcomm Atheros QCA9561

https://openwrt.org/toh/hwdata/tp-link/tp-link_archer_c60_v2
https://openwrt.org/toh/tp-link/tp-link_archer_c60_v2
https://wikidevi.wi-cat.ru/TP-LINK_Archer_C60_v2.0

OpenWrt 18.06.5, r7897-9d401013fc says: AR934X built-in switch

in dmesg:
[    2.272240] ag71xx-mdio.1: Found an AR934X built-in switch

root@OpenWrt:~# swconfig dev switch0 help
switch0: eth1(AR934X built-in switch), ports: 5 (cpu @ 0), vlans: 16
     --switch
        Attribute 1 (int): enable_vlan (Enable VLAN mode)
        Attribute 2 (int): mirror_monitor_port (Mirror monitor port)
        Attribute 3 (none): apply (Activate changes in the hardware)
        Attribute 4 (none): reset (Reset the switch)
     --vlan
        Attribute 1 (int): vid (VLAN ID)
        Attribute 2 (ports): ports (VLAN port mapping)
     --port
        Attribute 1 (int): enable_mirror_rx (Enable mirroring of RX packets)
        Attribute 2 (int): enable_mirror_tx (Enable mirroring of TX packets)
        Attribute 3 (int): pvid (Primary VLAN ID)
        Attribute 4 (unknown): link (Get port link information)

OpenWrt 19.07.1, r10911-c155900f66 says: switch0: Atheros AR8229 rev. 1 switch

in dmesg:
[    1.498404] switch0: Atheros AR8229 rev. 1 switch registered on mdio-bus.0

root@OpenWrt:~# swconfig dev switch0 help
switch0: mdio-bus.0:1f(Atheros AR8229), ports: 5 (cpu @ 0), vlans: 16
     --switch
        Attribute 1 (int): enable_vlan (Enable VLAN mode)
        Attribute 2 (none): reset_mibs (Reset all MIB counters)
        Attribute 3 (int): ar8xxx_mib_poll_interval (MIB polling interval in msecs (0 to disable))
        Attribute 4 (int): ar8xxx_mib_type (MIB type (0=basic 1=extended))
        Attribute 5 (int): enable_mirror_rx (Enable mirroring of RX packets)
        Attribute 6 (int): enable_mirror_tx (Enable mirroring of TX packets)
        Attribute 7 (int): mirror_monitor_port (Mirror monitor port)
        Attribute 8 (int): mirror_source_port (Mirror source port)
        Attribute 9 (string): arl_table (Get ARL table)
        Attribute 10 (none): flush_arl_table (Flush ARL table)
        Attribute 11 (none): apply (Activate changes in the hardware)
        Attribute 12 (none): reset (Reset the switch)
     --vlan
        Attribute 1 (int): vid (VLAN ID (0-4094))
        Attribute 2 (ports): ports (VLAN port mapping)
     --port
        Attribute 1 (none): reset_mib (Reset single port MIB counters)
        Attribute 2 (string): mib (Get port's MIB counters)
        Attribute 3 (none): flush_arl_table (Flush port's ARL table entries)
        Attribute 4 (int): pvid (Primary VLAN ID)
        Attribute 5 (unknown): link (Get port link information)

So this switch seems to go by two very different names? Anyway, I only found a datasheet for the AR8229:

There you can read:
Full VLAN support including QinQ and VLAN tag insertion and removal

That doesn't sound like limited VLAN support...

In the bug report it was said that there may be only one forwarding table.

As far as I understand: a normal VLAN switch has, for each VLAN, a table with the port and MAC of the connected devices, e.g.:

Vid3:
Port  Mac
-----  -----
0      aaffee-eeffaa

Vid4:
Port  mac
-----  ------
0      beef00-beef11

Then there is a special thing called "asymmetrical cross-VLAN". There, one port can have more than one untagged VID, e.g. to connect a gateway that should be reachable from all VLANs. Normally only very new VLAN switches may have this option. To make this VLAN crossing possible, there is only one table with three columns.

Port  VID  Mac
-----  -----  -----
0        3    aaffee-eeffaa
0        4    beef00-beef11

But I haven't found anything saying that two tagged VLANs are not allowed on one port. There seems to be no reason for this. Sorting the table by VID results in something very similar to the multiple tables.

So does someone know exactly which switch is built into the Archer C60 v2, and have more background information on how the VLAN is implemented and which configurations are allowed and which do not work?

Thank you very much!

It should be very straightforward. Post your /etc/config/network. Make sure you are clear on which logical switch ports correspond to the physical Ethernet ports. The manufacturer's numbering on the case often does not match how the ports are wired to the switch chip.

Each of the two VLANs should have the CPU port tagged, and one Ethernet port untagged. The Ethernet ports should only be in one VLAN.

3 Likes

Thank you for your answer! But no, with this switch it is currently not possible. I'm sure that the MAC table is shared across all VLANs. And yes, I know that the port numbering is inverse (Port 4 = Port 1 and Port 3 = Port 2 ...). I thought that the described example was easy enough to understand and follow, but if you need a config/network you can have it, of course:

etc/config/network

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config globals 'globals'
option ula_prefix 'fdbf:f2e9:bf0f::/48'

config interface 'wan'
option ifname 'eth1'
option proto 'static'
option ipaddr '192.168.2.1'
option netmask '255.255.255.0'

config interface 'wan6'
option ifname 'eth1'
option proto 'dhcpv6'

config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'

config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'

config switch_vlan
option device 'switch0'
option vlan '1'
option vid '1'
option ports '2 1 0t'

config switch_vlan
option device 'switch0'
option vlan '2'
option ports '3 0t'
option vid '3'

config switch_vlan
option device 'switch0'
option vlan '3'
option ports '4 0t'
option vid '4'

config interface 'lan2'
option proto 'none'
option ifname 'eth0.3 eth0.4'
option type 'bridge'

You can also have the resulting ifconfig:

ifconfig

root@OpenWrt:~# ifconfig
br-lan Link encap:Ethernet HWaddr B0:BE:76:89:DE:00
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::b2be:76ff:fe89:de00/64 Scope:Link
inet6 addr: fdbf:f2e9:bf0f::1/60 Scope:Global
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:17 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:2422 (2.3 KiB)

br-lan2 Link encap:Ethernet HWaddr B0:BE:76:89:DE:00
inet6 addr: fe80::b2be:76ff:fe89:de00/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:47 errors:0 dropped:0 overruns:0 frame:0
TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3582 (3.4 KiB) TX bytes:746 (746.0 B)

eth0 Link encap:Ethernet HWaddr B0:BE:76:89:DE:00
inet6 addr: fe80::b2be:76ff:fe89:de00/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:140 errors:0 dropped:0 overruns:0 frame:0
TX packets:170 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:11432 (11.1 KiB) TX bytes:15882 (15.5 KiB)
Interrupt:5

eth0.1 Link encap:Ethernet HWaddr B0:BE:76:89:DE:00
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:17 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:2422 (2.3 KiB)

eth0.3 Link encap:Ethernet HWaddr B0:BE:76:89:DE:00
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:57 errors:0 dropped:0 overruns:0 frame:0
TX packets:69 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:4336 (4.2 KiB) TX bytes:5008 (4.8 KiB)

eth0.4 Link encap:Ethernet HWaddr B0:BE:76:89:DE:00
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:62 errors:0 dropped:0 overruns:0 frame:0
TX packets:64 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3394 (3.3 KiB) TX bytes:5880 (5.7 KiB)

eth1 Link encap:Ethernet HWaddr B0:BE:76:89:DE:FF
inet addr:192.168.2.1 Bcast:192.168.2.255 Mask:255.255.255.0
inet6 addr: fe80::b2be:76ff:fe89:deff/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2450 errors:0 dropped:0 overruns:0 frame:0
TX packets:2540 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:294254 (287.3 KiB) TX bytes:1748683 (1.6 MiB)
Interrupt:4

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:512 errors:0 dropped:0 overruns:0 frame:0
TX packets:512 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:37403 (36.5 KiB) TX bytes:37403 (36.5 KiB)

and the resulting bridge:

brctl

root@OpenWrt:~# brctl show
bridge name bridge id STP enabled interfaces
br-lan 7fff.b0be7689de00 no eth0.1
br-lan2 7fff.b0be7689de00 no eth0.3
eth0.4

and of course the resulting swconfig:

swconfig with bridge

root@OpenWrt:~# swconfig dev switch0 show
Global attributes:
enable_vlan: 1
ar8xxx_mib_poll_interval: 500
ar8xxx_mib_type: 0
enable_mirror_rx: 0
enable_mirror_tx: 0
mirror_monitor_port: 0
mirror_source_port: 0
arl_table: address resolution table
Port 0: MAC b0:be:76:89:de:00
Port 0: MAC 00:16:d3:37:92:ab
Port 0: MAC 00:08:74:48:99:3e

Port 0:
mib: MIB counters
RxGoodByte : 16484 (16.0 KiB)
TxByte : 11914 (11.6 KiB)

    pvid: 0
    link: port:0 link:up speed:1000baseT full-duplex txflow rxflow

Port 1:
mib: No MIB data
pvid: 1
link: port:1 link:down
Port 2:
mib: No MIB data
pvid: 1
link: port:2 link:down
Port 3:
mib: MIB counters
RxGoodByte : 6346 (6.1 KiB)
TxByte : 2822 (2.7 KiB)

    pvid: 2
    link: port:3 link:up speed:100baseT full-duplex auto

Port 4:
mib: MIB counters
RxGoodByte : 5012 (4.8 KiB)
TxByte : 3080 (3.0 KiB)

    pvid: 3
    link: port:4 link:up speed:100baseT full-duplex auto

VLAN 1:
vid: 1
ports: 0t 1 2
VLAN 2:
vid: 3
ports: 0t 3
VLAN 3:
vid: 4
ports: 0t 4

If you look at that, you can find the MAC addresses of the two PCs connected on ports 3 and 4 now in the ARL table on port 0.

In contrast, right before I added the bridge interface you could see them on ports 3 and 4:

swconfig without bridge

root@OpenWrt:~# swconfig dev switch0 show
Global attributes:
enable_vlan: 1
ar8xxx_mib_poll_interval: 500
ar8xxx_mib_type: 0
enable_mirror_rx: 0
enable_mirror_tx: 0
mirror_monitor_port: 0
mirror_source_port: 0
arl_table: address resolution table
Port 0: MAC b0:be:76:89:de:00
Port 3: MAC 00:16:d3:37:92:ab
Port 4: MAC 00:08:74:48:99:3e

Port 0:
mib: MIB counters
RxGoodByte : 4192 (4.0 KiB)
TxByte : 1566 (1.5 KiB)

    pvid: 0
    link: port:0 link:up speed:1000baseT full-duplex txflow rxflow

Port 1:
mib: No MIB data
pvid: 1
link: port:1 link:down
Port 2:
mib: No MIB data
pvid: 1
link: port:2 link:down
Port 3:
mib: MIB counters
RxGoodByte : 910
TxByte : 0

    pvid: 2
    link: port:3 link:up speed:100baseT full-duplex auto

Port 4:
mib: MIB counters
RxGoodByte : 576
TxByte : 0

    pvid: 3
    link: port:4 link:up speed:100baseT full-duplex auto

VLAN 1:
vid: 1
ports: 0t 1 2
VLAN 2:
vid: 3
ports: 0t 3
VLAN 3:
vid: 4
ports: 0t 4

Ah, and to be complete: there is no option to set an FID.

swconfig options

swconfig dev switch0 help
switch0: mdio-bus.0:1f(Atheros AR8229), ports: 5 (cpu @ 0), vlans: 16
--switch
Attribute 1 (int): enable_vlan (Enable VLAN mode)
Attribute 2 (none): reset_mibs (Reset all MIB counters)
Attribute 3 (int): ar8xxx_mib_poll_interval (MIB polling interval in msecs (0 to disable))
Attribute 4 (int): ar8xxx_mib_type (MIB type (0=basic 1=extended))
Attribute 5 (int): enable_mirror_rx (Enable mirroring of RX packets)
Attribute 6 (int): enable_mirror_tx (Enable mirroring of TX packets)
Attribute 7 (int): mirror_monitor_port (Mirror monitor port)
Attribute 8 (int): mirror_source_port (Mirror source port)
Attribute 9 (string): arl_table (Get ARL table)
Attribute 10 (none): flush_arl_table (Flush ARL table)
Attribute 11 (none): apply (Activate changes in the hardware)
Attribute 12 (none): reset (Reset the switch)
--vlan
Attribute 1 (int): vid (VLAN ID (0-4094))
Attribute 2 (ports): ports (VLAN port mapping)
--port
Attribute 1 (none): reset_mib (Reset single port MIB counters)
Attribute 2 (string): mib (Get port's MIB counters)
Attribute 3 (none): flush_arl_table (Flush port's ARL table entries)
Attribute 4 (int): pvid (Primary VLAN ID)
Attribute 5 (unknown): link (Get port link information)

In the case that the correct name of the switch is AR8229 (which sadly nobody answered), I found a full (internal) datasheet here:

https://datasheetspdf.com/pdf-file/811449/Atheros/AR8229/1

Here you can read on page 31:

2.8.2 802.1Q VLANs
The AR8229/AR8228 supports a maximum
of 4096 entries in the VLAN table. The
device supports 4096 VLAN ID range from
0 to 4095. The AR8229/AR8228 only
supports shared VLAN learning (SVL).
This means that forwarding decisions are
based on the frame’s destination MAC
address, which should be unique among all
VLANs.

On page 35 in figure 2-4 there might be an example of how to work around this limitation, but I don't fully understand it. Maybe this works only with port 5, which seems not to be connected on the Archer C60.

So it is a bit of a crazy implementation in my eyes, but to support 4k VLANs and only 1k MACs is also not understandable.

If it is true that the Archer C7 (v4,v5) has the QCA8337N

https://openwrt.org/toh/tp-link/archer-c7-1750

then you may find a datasheet here:

https://e2echina.ti.com/cfs-file/__key/telligent-evolution-components-attachments/00-25-01-00-00-20-73-71%2FQCA8337N_5F00_Data_5F00_Sheet_5F00_MKG_2D00_17793_5F00_v1.0.pdf

On page 42 you can read:

3.3.2 802.1q VLANs
The QCA8337N supports a maximum of 4096 entries in the VLAN table. The device supports
4096 VLAN ID, ranging from 0 to 4095. The QCA8337N supports both shared and independent
VLAN learning (SVL and IVL). This means that forwarding decisions are based on the frame's
destination MAC address, which should be unique among all VLANs.

The first sentence sounds good, but again the MACs have to be unique among all VLANs? I hope that is a copy-paste error....

I guess you're saying that someone could cheat the VLAN isolation of these switches by spoofing their MAC to duplicate one that is active on another VLAN.

As far as a network that is not under attack, everything is supposed to have a unique MAC in the first place.
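
The shared-versus-independent VLAN learning behaviour discussed in this thread, as an added example that is not part of any post and is not the AR8229 driver or datasheet logic: a simplified model of a switch's MAC table that replays one unicast round trip between the two PCs through the CPU-side bridge. The class, function names and frame sequence are assumptions; the port layout and MAC addresses are taken from the posted config and arl_table.

```python
# Simplified model of a VLAN switch's MAC learning; not the AR8229 driver or datasheet logic.
CPU, PORT_A, PORT_B = 0, 3, 4
VLAN_PORTS = {3: {CPU, PORT_A}, 4: {CPU, PORT_B}}  # vid -> member ports, as in the posted config
MAC_A, MAC_B = "00:16:d3:37:92:ab", "00:08:74:48:99:3e"  # the two PCs in the posted arl_table


class Switch:
    def __init__(self, shared_learning):
        self.shared = shared_learning
        self.fdb = {}  # SVL key: mac; IVL key: (vid, mac); value: port

    def _key(self, vid, mac):
        return mac if self.shared else (vid, mac)

    def ingress(self, port, vid, src, dst):
        """Learn the source address, then return the set of egress ports."""
        self.fdb[self._key(vid, src)] = port
        candidates = VLAN_PORTS[vid] - {port}
        known = self.fdb.get(self._key(vid, dst))
        if known is None:
            return candidates        # unknown unicast: flood inside the VLAN
        return candidates & {known}  # empty set means the frame is filtered


def bridged_round_trip(shared_learning):
    """PC A (port 3, VLAN 3) sends a unicast frame to PC B (port 4, VLAN 4) and B replies.
    The software bridge on the CPU re-injects each frame on port 0 in the other VLAN."""
    sw = Switch(shared_learning)
    delivered = []
    for port, vid, other_vid, src, dst in (
        (PORT_A, 3, 4, MAC_A, MAC_B),  # request
        (PORT_B, 4, 3, MAC_B, MAC_A),  # reply
    ):
        out = sw.ingress(port, vid, src, dst)
        if CPU in out:  # br-lan2 forwards between eth0.3 and eth0.4
            out = sw.ingress(CPU, other_vid, src, dst)
        delivered.append(out)
    return delivered, sw.fdb


if __name__ == "__main__":
    for name, shared in (("SVL", True), ("IVL", False)):
        delivered, fdb = bridged_round_trip(shared)
        print(name, "request ->", delivered[0], "reply ->", delivered[1] or "filtered")
        print("  table:", fdb)
```

With shared learning the model ends with both PCs' MACs recorded on port 0, the same picture as the "swconfig with bridge" output, and the reply towards port 3 is filtered; with per-VLAN keys the reply is delivered.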