DSA and PVID usage examples

After some frustration in trying to figure out what exactly PVID means
in relation to VLANs and trunk usage in OpenWrt.

Thanks to jow for pointing out what it actually means.

So I decided to poke further and find a use case where it can actually apply in OpenWrt.

I decided to replicate and test a basic concept from Cisco, Private VLANs:
having multiple layer 2 domains with restrictions on who they can talk to.

And now the ability to create multiple untagged VLANs on a port without complaints
from LuCI is starting to make sense.

The PVID concept in OpenWrt (and other switches?)
means an untagged ingress takes precedence over other existing untagged VLANs on the port.

Here is a basic layer 2 setup.

I have not assigned any layer 3 interfaces to these VLANs, so 3 computers connected to
those 3 ports had IPs set manually just to test the layer 2 concept.

port2 exists in vlan101, vlan102 and vlan103, but its ingress of untagged frames will always be
steered to the PVID of 102.

port1 ingress will steer to vlan101.
port3 ingress will steer to vlan103.

And since port1 and port3 also exist in vlan102 untagged but not as PVID, they will now
only receive frames in vlan102 but send on their PVID-defined VLAN.

So now we have basic selective layer 2 communication between port1 and port2,
and between port3 and port2, but not between port1 and port3.

Intended usage of this setup could be access to a common resource such
as a server within the same subnet without the need for going through the firewall and
inter-VLAN routing, yet still segregating traffic
(and hopefully doing so at the fastest switching speed possible without using the CPU).

PS: It would be nice to hear of any other use cases where PVID can be used.

Thanks.


Brilliant. PVID has always confused me. This is a very good example for its use.

How can we configure private VLANs in OpenWrt?

AFAIK, this term is not an industry standard one, but rather one specific to a single vendor.

Can you explain specifically what it is that you hope to achieve?

I am working with a Realtek-based switch and would like to implement a Cisco-style Private VLAN (PVLAN) setup similar to the lab available here: Cisco Private VLAN Switching Lab

The desired configuration is as follows:

VLAN 30 configured as the Primary VLAN.

VLAN 31 configured as the Community VLAN.

VLAN 32 configured as the Isolated VLAN.

Port assignments will be:

lan1 configured as a Promiscuous port, mapped to both VLAN 31 and VLAN 32.

lan2 and lan3 configured as Isolated Host Ports, assigned to VLAN 31.

lan4 and lan5 configured as Community Host Ports, assigned to VLAN 32.

All VLANs will operate within the same IP subnet, with DHCP services provided by VLAN 30.

I am seeking guidance on how to achieve this setup using Realtek switch capabilities.

That is not how most systems work. Does Cisco do this???


Why?!

Just use 3 VLANs.

Set a lan port either as an access port aka switch port aka untagged.

If you need a trunk, then setup a trunk aka all tagged.

Do not mix tagged and untagged on the same port.

Never ever try to use multiple untagged VLANs and PVID. It just screams for headaches.

And why do you want to use the same layer 3 for all 3 VLANs?

This looks so broken even for an eve ng / Cisco Lab.

Sorry for the rant, but what do you want to do in the end? Or what's the goal you want to study/test?

Yes, Cisco switches have this feature.
Ref: https://networklessons.com/switching/private-vlan-pvlan-cisco-catalyst-switch

I want to set it up similarly to Cisco's Private VLAN feature. The goal is:

* All ports should be in the same VLAN and subnet.

* Some ports (Isolated ports) should only communicate with the gateway.

* Other ports (Community ports) should be able to communicate with both the gateway and certain other ports (not with Isolated ports).

This setup helps control which devices can talk to each other while keeping them in the same network.

This link I think would be more helpful: https://networklessons.com/switching/protected-port-cisco-catalyst-switch

Nonetheless, OpenWrt doesn't have the ability to setup Protected Ports [by default]. Furthermore, since separate VLANs imply routing by default, using the same IP range/subnet on different interfaces is a no go. I see above you now desire the same VLAN.

I believe there are ways to firewall a bridge, but as a reminder, it's not common practice to bridge VLANs that were already separated.

You're describing a proprietary Ci$co feature.


Thanks for the guide.
As you said, OpenWrt doesn't have Protected Ports [by default].
I just want to know what this 'Port isolation' in LuCI is.

Promiscuous mode.

I just want to know what they do.


Aaah (that's right, DSA)!

Have you tested this already?


Not tested, I just need to understand what it does.

I believe it does what you desire. :wink:

(i.e., the OpenWrt)

That's why I asked if you tested it.

It can be a bit hard to find the documentation for all the bridge port knobs since they aren't documented in the kernel. I believe the bridge(8) man page is the authoritative guide. E.g.


Thank you.

But the issue is port isolation is not supported in OpenWrt's Realtek switch. I hope they add it soon.

root@OpenWrt:~# echo 1 > /sys/class/net/lan6/brport/isolated
[13236.224289] rtl83xx-switch switch@1b000000 lan6: bridge: bridge flag offload is not supported
ash: write error: Not supported

There was some progress with this commit, but it needs to be tested: https://github.com/openwrt/openwrt/commit/6ded091081251cc37ca2aab0f43b809005342865


@bmork thank you, port isolation is working on lans by using this commit: https://github.com/openwrt/openwrt/commit/6ded091081251cc37ca2aab0f43b809005342865

Now, is it possible to apply it on interfaces (VLANs)?
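The two forwarding rules discussed in this thread, PVID steering of untagged ingress from the first post and the brport 'isolated' flag from the Realtek posts, are easy to get wrong on paper, so here is a small Python model of them. This is an added example, not code from the thread or from OpenWrt/netifd: it parses a constructed /etc/config/network bridge-vlan fragment (the 'u', 't' and '*' port suffixes are OpenWrt's real DSA syntax; the port names and VLAN ids reproduce the first post and the Realtek PVLAN request), then computes which ports hear an untagged frame from each ingress port. The isolation semantics follow the Linux bridge rule that frames are not forwarded between two isolated ports but still reach non-isolated ones.

```python
"""Model of DSA bridge forwarding for untagged frames: PVID steering plus the
brport 'isolated' flag. Added example; not OpenWrt's own implementation."""

# Constructed config reproducing the first post's layout: port2 is untagged in
# 101/102/103 with PVID 102; port1 and port3 have PVID 101 and 103 but are also
# plain untagged members of 102.
PVID_EXAMPLE = """\
config bridge-vlan
        option device 'br-lan'
        option vlan '101'
        list ports 'port1:u*'
        list ports 'port2:u'

config bridge-vlan
        option device 'br-lan'
        option vlan '102'
        list ports 'port1:u'
        list ports 'port2:u*'
        list ports 'port3:u'

config bridge-vlan
        option device 'br-lan'
        option vlan '103'
        list ports 'port2:u'
        list ports 'port3:u*'
"""

# Constructed single-VLAN layout for the port-isolation case (lan2/lan3 isolated).
ISOLATION_EXAMPLE = """\
config bridge-vlan
        option device 'br-lan'
        option vlan '30'
        list ports 'lan1:u*'
        list ports 'lan2:u*'
        list ports 'lan3:u*'
        list ports 'lan4:u*'
        list ports 'lan5:u*'
"""


def parse_bridge_vlans(text):
    """Parse 'config bridge-vlan' sections into (vlans, pvid).

    vlans: {vid: {port: flags}} with flags 'u', 'u*', 't' or 't*'.
    pvid:  {port: vid} for ports carrying the '*' marker.
    A port may be PVID in only one VLAN, mirroring the one-PVID-per-port rule.
    """
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config bridge-vlan"):
            current = {"vlan": None, "ports": {}}
            sections.append(current)
        elif current is None or not line:
            continue
        elif line.startswith("option vlan"):
            current["vlan"] = int(line.split("'")[1])
        elif line.startswith("list ports"):
            port, _, flags = line.split("'")[1].partition(":")
            if not flags:
                raise ValueError(f"{port}: this model requires an explicit u/t suffix")
            current["ports"][port] = flags
    vlans, pvid = {}, {}
    for sec in sections:
        vlans[sec["vlan"]] = sec["ports"]
        for port, flags in sec["ports"].items():
            if "*" in flags:
                if port in pvid:
                    raise ValueError(f"{port} is PVID in both {pvid[port]} and {sec['vlan']}")
                pvid[port] = sec["vlan"]
    return vlans, pvid


def untagged_egress(vlans, pvid, ingress, isolated=frozenset()):
    """Ports that receive an untagged frame entering on `ingress`, and how it leaves.

    Returns {port: 'tagged' | 'untagged'}. Empty means the frame goes nowhere:
    no PVID on the ingress port, or every other member is an isolated peer.
    """
    vid = pvid.get(ingress)
    if vid is None:
        return {}                       # untagged ingress without a PVID is dropped
    out = {}
    for port, flags in vlans[vid].items():
        if port == ingress:
            continue
        if ingress in isolated and port in isolated:
            continue                    # isolated flag: no isolated-to-isolated forwarding
        out[port] = "tagged" if "t" in flags else "untagged"
    return out


def reachability(vlans, pvid, isolated=frozenset()):
    """{ingress port: sorted ports that hear its untagged frames}."""
    ports = sorted({p for members in vlans.values() for p in members})
    return {p: sorted(untagged_egress(vlans, pvid, p, isolated)) for p in ports}


if __name__ == "__main__":
    vlans, pvid = parse_bridge_vlans(PVID_EXAMPLE)
    for port, peers in reachability(vlans, pvid).items():
        print(f"{port} (PVID {pvid[port]}) -> {peers}")
    vlans, pvid = parse_bridge_vlans(ISOLATION_EXAMPLE)
    for port, peers in reachability(vlans, pvid, isolated={"lan2", "lan3"}).items():
        print(f"{port} -> {peers}")
```

Running it reproduces the first post's result (port1 and port3 each reach only port2, while port2 reaches both) and, for the single-VLAN case, shows lan2 and lan3 reaching every port except each other, which is the behaviour the 'isolated' brport flag would give once the switch driver offloads it.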
