DSA VLAN configurations for dumb router | PVID | "u" vs "u*"

I'm trying to recreate my swconfig VLAN layout for a dumb AP in DSA.

Original swconfig:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'ddc2:9aea:19b1::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.1.30'
	option gateway '192.168.1.1'
	option broadcast '192.168.1.255'
	list dns '192.168.1.1'
	option ip6hint '30'
	option ip6ifaceid '::1'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option description 'lan'
	option ports '0t 1 4'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option vid '2'
	option description 'vpn'
	option ports '0t 1t 2 3'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '3'
	option description 'dmz'
	option ports '0t 1t'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option vid '4'
	option description 'iot'
	option ports '0t 1t'

config device
	option type 'bridge'
	option name 'br-vpn'
	list ports 'eth0.2'

config device
	option type 'bridge'
	option name 'br-iot'
	list ports 'eth0.4'

config interface 'vpn'
	option proto 'none'
	option device 'br-vpn'

config interface 'iot'
	option proto 'none'
	option device 'br-iot'

My current DSA attempt:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'ddc2:9aea:19b1::/48'

config device
	option type 'bridge'
	option name 'br0'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'wan'

config interface 'lan'
	option device 'br0'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.1.30'
	option gateway '192.168.1.1'
	option broadcast '192.168.1.255'
	list dns '192.168.1.1'
	option ip6hint '30'
	option ip6ifaceid '::1'
	
config interface 'vpn'
	option proto 'none'
	option device 'br0.2'
	
config interface 'dmz'
	option proto 'none'
	option device 'br0.3'

config interface 'iot'
	option proto 'none'
	option device 'br0.4'
	
config bridge-vlan
	option device 'br0'
	option vlan '1'
	list ports 'lan1:u'
	list ports 'lan3:u'
	list ports 'lan4:u'

config bridge-vlan
	option device 'br0'
	option vlan '2'
	list ports 'lan1:t'
	list ports 'lan2:u'

config bridge-vlan
	option device 'br0'
	option vlan '3'
	list ports 'lan1:t'

config bridge-vlan
	option device 'br0'
	option vlan '4'
	list ports 'lan1:t'

Is this PVID block strictly necessary or is this handled automatically now by DSA? In swconfig we had to untag the egress port manually for the trunk port (in this case, lan1):

config bridge-vlan
    option device 'br0'
    option vlan '1'
    list ports 'lan1:u'
    list ports 'lan3:u'
    list ports 'lan4:u'

I am also curious about the difference between setting a port as "u*" vs "u" -- this is a difficult term to search for.

untagged PVID vs untagged, example

Since everything inside the bridge br0 is now tagged, you have to break out to CPU networks using the proper tag number, for example the lan network is option device br0.1. It ends up looking a lot like swconfig in that you have to assign a unique VLAN number for everything, even those that are just internally switched.

I think the star is necessary if you're also going to have a tagged VLAN on the same port (which is generally not a good practice, do it only if you have to attach to an existing network that works that way). Otherwise just u is fine for a simple access port with only one VLAN. It sets the PVID so that untagged packets arriving default to the VLAN associated with the u*.

Unfortunately the bridge VLAN filtering LuCI tab isn't working on my device yet, so I need to know how to write the DSA configs (plus this device is in the middle of my network, so it is difficult to diagnose switch port configs without losing connectivity). My question is more about DSA nomenclature than network design.

But do I still need to untag VLAN 1 on trunk? This is how the rest of my network is configured (LAN is untagged, VLAN 2 is VPN, VLAN 3 is DMZ, etc). Therefore trunk (untagged VLAN 1) should be assigned u* since everything else needs to be tagged on trunk? My misunderstanding is whether trunk is still handled the same way on DSA; perhaps a sample configuration (of untagging VLAN 1 (lan) for trunk) would be of help here.

It would be best to tag every VLAN on a trunk port, and configure the device at the other end of the cable to match.

So in other words, the identical configuration as swconfig?
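
The two points raised in the replies above (a port that mixes untagged and tagged VLANs should carry an explicit `*`, and CPU networks should break out through `br0.<vid>` rather than the bare bridge) can be checked offline before a config is applied to a device in the middle of the network. This is an added example, not part of the original thread and not OpenWrt code; `parse` and `audit` are hypothetical helper names, and the rules encode only what the replies state.

```python
import re
from collections import defaultdict

# Constructed input: a subset of the sections from the DSA attempt in the thread.
SAMPLE = """
config interface 'lan'
    option device 'br0'
config interface 'vpn'
    option device 'br0.2'
config bridge-vlan
    option device 'br0'
    option vlan '1'
    list ports 'lan1:u'
    list ports 'lan3:u'
config bridge-vlan
    option device 'br0'
    option vlan '2'
    list ports 'lan1:t'
    list ports 'lan2:u'
"""

def parse(text):
    """Return UCI sections as (type, name, {key: [values]})."""
    sections = []
    for line in text.splitlines():
        m = re.match(r"\s*(config|option|list)\s+(\S+)(?:\s+'?([^']*)'?)?", line)
        if m and m.group(1) == "config":
            sections.append((m.group(2), m.group(3), defaultdict(list)))
        elif m and sections:
            sections[-1][2][m.group(2)].append(m.group(3))
    return sections

def audit(text):
    """Flag the two mistakes discussed in the thread."""
    secs, bridges = parse(text), set()
    ports = defaultdict(lambda: {"t": [], "u": [], "pvid": []})
    for opt in (o for t, _, o in secs if t == "bridge-vlan"):
        bridges.add(opt["device"][0])
        for spec in opt["ports"]:
            name, _, flags = spec.partition(":")
            # No 't' flag is counted as untagged membership (assumption).
            ports[name]["t" if "t" in flags else "u"].append(int(opt["vlan"][0]))
            if "*" in flags:
                ports[name]["pvid"].append(int(opt["vlan"][0]))
    out = [f"{n}: untagged {p['u']} plus tagged {p['t']} without '*'"
           for n, p in sorted(ports.items()) if p["u"] and p["t"] and not p["pvid"]]
    out += [f"interface {n}: uses bare '{o['device'][0]}', not a VLAN sub-device"
            for t, n, o in secs if t == "interface" and o["device"][:1] and o["device"][0] in bridges]
    return out
```

Calling `audit(SAMPLE)` reports `lan1` and the `lan` interface; changing `lan1:u` to `lan1:u*` and the `lan` device to `br0.1` clears both findings.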