Yet another DSA-"I still have questions"-thread

_bernd · August 11, 2022, 12:55pm

Given the fact that current "How to use DSA on OpenWRT"-documentation is a little bit sparse, and information in the wiki is mostly a compilation of (incomplete) LUCI screen shots
I have the need to ask myself, too.

I have a DGS-1210 running with a recent snapshot build and so far my current network config works.

Note:

lan1 is my psuedo out-of-band IPv6 LLA-Only interface
lan8 is used as an uplink trunk-port to another OpenWRT router

# cat /etc/config/network

config interface                'loopback'
        option  device          'lo'
        option  proto           'static'
        list    ipaddr          '127.0.0.1/8'

config device
        option  name            'switch'
        option  type            'bridge'
        list    ports           'lan1'
        list    ports           'lan2'
        list    ports           'lan3'
        list    ports           'lan4'
        list    ports           'lan5'
        list    ports           'lan6'
        list    ports           'lan7'
        list    ports           'lan8'
        list    ports           'lan9'
        list    ports           'lan10'
        option  macaddr         '08:5a:11:a2:7f:10'

##############################################################################

config bridge-vlan
        option  device          'switch'
        option  vlan            '1'
        list    ports           'lan2:u*'
        list    ports           'lan3:u*'
        list    ports           'lan4:u*'
        list    ports           'lan5:u*'
        list    ports           'lan6:u*'
        list    ports           'lan7:u*'

config bridge-vlan
        option  device          'switch'
        option  vlan            '16'
        list    ports           'lan8:t'

config bridge-vlan
        option  device          'switch'
        option  vlan            '17'
        list    ports           'lan8:t'

config bridge-vlan
        option  device          'switch'
        option  vlan            '64'
        list    ports           'lan8:t'

config bridge-vlan
        option  device          'switch'
        option  vlan            '65'
        list    ports           'lan8:t'

config bridge-vlan
        option  device          'switch'
        option  vlan            '66'
        list    ports           'lan8:t'

config bridge-vlan
        option  device          'switch'
        option  vlan            '67'
        list    ports           'lan8:t'

config bridge-vlan
        option  device          'switch'
        option  vlan            '4094'
        list    ports           'lan1:u*'

##############################################################################

config interface 'vlan1'
        option  device          'switch.1'
        option  proto           'none'

config interface 'vlan16'
        option  device          'switch.16'
        option  proto           'dhcp'

config interface 'vlan16_v6'
        option  device          'switch.16'
        option  proto           'dhcpv6'

config interface 'vlan17'
        option  device          'switch.17'
        option  proto           'none'

config interface 'vlan64'
        option  device          'switch.64'
        option  proto           'none'

config interface 'vlan65'
        option  device          'switch.65'
        option  proto           'none'

config interface 'vlan66'
        option  device          'switch.66'
        option  proto           'none'

config interface 'vlan67'
        option  device          'switch.67'
        option  proto           'none'

config interface 'vlan4094'
        option  device          'switch.4094'
        option  proto           'static'
        option  ip6class        'local'
        option  ip6assign       '64'

# bridge vlan
port              vlan-id  
lan1              4094 PVID Egress Untagged
lan2              1 PVID Egress Untagged
lan3              1 PVID Egress Untagged
lan4              1 PVID Egress Untagged
lan5              1 PVID Egress Untagged
lan6              1 PVID Egress Untagged
lan7              1 PVID Egress Untagged
lan8              16
                  17
                  64
                  65
                  66
                  67
switch            1
                  16
                  17
                  64
                  65
                  66
                  67
                  4094

My questions are:

list ports lan<n>:u* sets a port as untagged and it sets the PVID explicit? Right?
- When do I need this? Does this come from chips with limited VLAN support?
- Wouldn't just list ports lan<n> be enough?
How do I set up a hybrid-port? list ports lan<n>:t for tagged, and list ports lan<n>:u* for untagged; or just using list ports lan<n> for untagged?
See bridge-vlan for vlan 4094: Do I need :u* or not? As far as I know if you configure an access port to be part of a VLAN, then the PVID is implicit, except for some "broken" platforms and their software. I see no difference in bridge vlan output when I either use lan1:u* or just lan1.
Is my assumption correct that I just want a single vlan-aware bridge device? Why would I want to create multiple bridge interfaces out of the switch device?
(See https://openwrt.org/docs/guide-user/network/dsa/dsa-mini-tutorial#multiple_bridged_networks vs https://openwrt.org/docs/guide-user/network/dsa/dsa-mini-tutorial#multiple_networks_using_vlans & https://openwrt.org/docs/guide-user/network/dsa/dsa-mini-tutorial#multiple_networks_using_vlan_tagging)
What is the reasoning that every now and then people using asymmetric VLAN-ID and PVID, like setting VLAN 3 but then PVID 15? In my option this just leads to unnecessary confusion.
It is not possible to combine config bridge-vlan with options from config interface, correct? Like:

config bridge-vlan                                                            
        option  device          'switch'                                      
        option  vlan            '16'                                          
        list    ports           'lan8:t'
        option  proto           'dhcp'

Thanks for hints and tips...

PS: Do I really still need two interfaces to get DHCP and DHCPv6 on a single interface?

jow · August 11, 2022, 1:04pm

Yes

In practice likely never. If no port specifies any PVID, the PVID should default to the ID of the VLAN containing the port as untagged. Yes, just specifying the netdev should be sufficient.

Both should work.

As above, buggy implementations aside, <portname> == <portname>:u*.

The only use case for multiple bridges I can think of is either "retagging" (e.g. lan1 tagged with VID 10 bridged to lan2 tagged with VID 20), in this case you'd create a bridge over switch.10 and switch.20 or involving other netdevs (tap devices etc.) not being part of the bridge. In practice I found the single vlan aware bridge approach to be the most reliable/widely supported one.

Probably due to a lack of understanding. Personally I didn't yet encounter a practical use case for it

Correct, layer 2 (bridge) and 3 (IP config) are strictly separated

Yes.

_bernd · August 11, 2022, 1:14pm

Thanks a lot!

That is/was my impression, too. Not quiet sure how the influence of Cumulus Linux was back in the days of making vlan-aware bridges possible and useful, but if my memory serves me well, then they pushed it heavily. Mostly because "things become easier and cleaner".

Yeah... thanks for pointing out the obvious for me

Even it is off-topic, but could you spend a few more words why we still need to configure two interface to configure IPv4 and IPv6 with the current UCI?
I have something in my mind like

config interface 'vlan16'                  
        option  device          'switch.16'  
        list    proto           'dhcp'     
        list    proto           'dhcpv6'

But maybe chances are high that there are config options available for both proto and then they collide?

Thanks again!

jow · August 11, 2022, 1:16pm

It does not align with netifd's internal architecture where one protocol = one process/agent instance managing the addresses. We also use busybox udhcpc for IPv4 but custom odhcp6c for IPv6. I guess we could theoretically make odhcp6c IPv4 aware and implement a hybrid DHCP proto but as of today that hasn't been done.

slh · August 12, 2022, 2:33am

There are use cases for this, some switch drivers (especially older ones) only supported a limited number of VLANs or require them within a rather small consecutive window (e.g. VLAN 1-16) - here the VID might differ from the VLAN number.

_bernd · August 12, 2022, 9:15am

I got another questions not related to the architecture or setup, but about the using and handling:

If I move ports from one bridge-vlan to another, lets say by editing one or more bridge-vlan in /etc/config/network. How can I apply these changes only to these bridge/switch-devices and/or ports without using /etc/init.d/network restart?

The other (non persistent) option would be using bridge vlan set vid <new VID> dev <lanN>, right?

Edit: (First thinking then writing... sorry :/)

# I'm unable to use `set`
root@sw1:~# bridge vlan set vid 64 dev lan2
RTNETLINK answers: No such file or directory

# But `add` and `del` works...
root@sw1:~# bridge vlan
port              vlan-id  
lan1              4094 PVID Egress Untagged
lan2              64 PVID Egress Untagged
lan3              64 PVID Egress Untagged
lan4              1 PVID Egress Untagged
lan5              1 PVID Egress Untagged
lan6              1 PVID Egress Untagged
lan7              1 PVID Egress Untagged
lan8              16
                  17
                  64
                  65
                  66
                  67
switch            1
                  16
                  17
                  64
                  65
                  66
                  67
                  4094

root@sw1:~# bridge vlan add vid 65 dev lan2 pvid untagged
root@sw1:~# bridge vlan 
port              vlan-id  
lan1              4094 PVID Egress Untagged
lan2              64 Egress Untagged
                  65 PVID Egress Untagged
lan3              64 PVID Egress Untagged
lan4              1 PVID Egress Untagged
lan5              1 PVID Egress Untagged
lan6              1 PVID Egress Untagged
lan7              1 PVID Egress Untagged
lan8              16
                  17
                  64
                  65
                  66
                  67
switch            1
                  16
                  17
                  64
                  65
                  66
                  67
                  4094

root@sw1:~# bridge vlan del vid 64 dev lan2 
root@sw1:~# bridge vlan 
port              vlan-id  
lan1              4094 PVID Egress Untagged
lan2              65 PVID Egress Untagged
lan3              64 PVID Egress Untagged
lan4              1 PVID Egress Untagged
lan5              1 PVID Egress Untagged
lan6              1 PVID Egress Untagged
lan7              1 PVID Egress Untagged
lan8              16
                  17
                  64
                  65
                  66
                  67
switch            1
                  16
                  17
                  64
                  65
                  66
                  67
                  4094

jow · August 12, 2022, 9:35am

ubus call network reload or ifup -a - both should incrementally apply changes