Veteran Member

Tagged and Untagged VLANs on the same port

After banging my head on the wall for a while trying to figure out why this wouldn't work, I ended up discovering that mixing tagged VLAN traffic on a port along with untagged traffic (in this case my management network) seems to result in VLAN traffic just not working.

I did have the untagged traffic set to go to a bridge, so this may or may not have an effect on things.

Hopefully this saves someone else a bit of head desking trying to work out why things aren't working as they should. Wish the EdgeRouters had a management port like the TOUGHSwitches do, ah well.
SuperUser

They have a console port? Get a USB -> serial adapter and grab a cheap Cisco console cable.


isp builder | linux sorcerer | datacenter automation conjurer | blog: blog.engineered.online
link to our slack channel on the blog
Veteran Member

Yeah, I do appreciate the real console port on it more than I miss the lack of a management port, but it would be sexy if it had both. Definitely wouldn't lose the console port for it though.

Management port is useful to scp files across though. I wonder if one could zmodem stuff across the serial port... *ponders*
Previous Employee
Mixing tagged and untagged shouldn't be any problem (we use different vlans for wlan internal/guest and untagged for LAN). Could be an issue with bridging? Could I see your config?
EdgeMAX Router Software Development
Veteran Member
I don't have the exact config handy, but something equivalent to this:

bridge br230 {
    address 172.18.30.254/24
    aging 300
    description "Management LAN"
    hello-time 2
    max-age 20
    priority 0
    stp false
}
bridge br300 {
    address 192.168.0.90/24
    aging 300
    hello-time 2
    max-age 20
    priority 0
    stp false
}
ethernet eth0 {
    bridge-group {
        bridge br230
    }
    vif 300 {
        bridge-group {
            bridge br300
        }
    }
}

Duplicate the eth0 block for eth1 and eth2, then try to ping the device via vlan300.
SuperUser

Do you have a route set up for those?


Veteran Member
I was pinging from another host within the /24, so the following route would have applied:

192.168.0.0/24 dev br300 proto kernel scope link src 192.168.0.90
Previous Employee

Hmm, I did a quick test with 3 devices:

H1 eth1 ---- eth0 RTR eth1 ---- eth1 H2

Config for H1:

ubnt@H1# show interfaces ethernet eth1
address 172.18.30.1/24
vif 300 {
    address 192.168.0.1/24
}

Config for RTR:

ubnt@RTR# show interfaces
bridge br300 {
    address 192.168.0.90/24
}
bridge br320 {
    address 172.18.30.254/24
}
ethernet eth0 {
    bridge-group {
        bridge br320
    }
    vif 300 {
        bridge-group {
            bridge br300
        }
    }
}
ethernet eth1 {
    bridge-group {
        bridge br320
    }
    vif 300 {
        bridge-group {
            bridge br300
        }
    }
}
ethernet eth2 {
    bridge-group {
        bridge br320
    }
    vif 300 {
        bridge-group {
            bridge br300
        }
    }
}

Config for H2:

ubnt@H2# show interfaces ethernet eth1
address 172.18.30.2/24
vif 300 {
    address 192.168.0.2/24
}


With this I can ping both the tagged and untagged interfaces.
Veteran Member

Hrm, might have to try again and see if I can reproduce it.

The only thing that I can think of that's different between the two setups is that the machine the connectivity was being tested with only had access to the router via vlan300, not via the untagged network, and that only two devices were involved (pinging to/from the router to the other device, which went from a Linux box with a VLAN configured and then, to rule out I hadn't done something silly on the Linux box, to a VMware ESX machine; nuking the untagged network made it start working).
Regular Member

I have a similar issue (probably exactly the same). It seems that as soon as two interfaces are bridged, all tagged vlan traffic no longer arrives at the vlan interfaces but at the bridged interface.

My config was this:

bridge br0 {
    address 192.168.0.1/24
    aging 300
    hello-time 2
    max-age 20
    priority 0
    stp false
}
ethernet eth1 {
    bridge-group {
        bridge br0
    }
    duplex auto
    speed auto
}
ethernet eth2 {
    bridge-group {
        bridge br0
    }
    description "br0 member 1"
    duplex auto
    speed auto
    vif 2 {
        address 192.168.2.1/24
    }
}

The problem is that packages tagged with vlan id 2 arrive at br0 instead of eth2.2. This can be checked with

sudo tcpdump -ni br0 vlan 2

(this filters all the packages that arrive or are sent from br0 with vlan id 2). This tcpdump should by default be empty because all those packages should arrive on eth2.2 (assuming no one sends some via eth1); however, I can see incoming packages on that interface from my vlan 2. Running tcpdump against eth2.2, however, gives me no packages at all.

Note that this is default Debian/Linux behaviour, as can be read here:

http://serverfault.com/questions/414115/linux-vlans-over-bridge

The solution would be to add vlan interfaces to the bridge instead. Unfortunately, this is not supported by EdgeMAX, as it seems.

[edit]
user@host# set interfaces bridge br0
address              dhcpv6-options       firewall             ip                   priority
aging                disable              forwarding-delay     ipv6                 stp
description          disable-link-detect  hello-time           max-age              traffic-policy

Conclusion: Please add vlan support for bridged interfaces.

Veteran Member

FTR I never got around to re-testing this; everything on my EdgeMAX's ethernet ports is either 100% tagged or 100% untagged, regardless of any bridge configs.

Ubiquiti Employee

Might there be a different solution? What's the full topology you have?

Regular Member

I think for my topology, the solution is to throw in another vlan capable switch. My setup (or what I'm trying to achieve) is relatively complex; I hope my description here will give you an overview:

EdgeMAX:

eth0: Internet GW
eth1: unmanaged switch (192.168.0.0/24 subnet, no vlan support)
eth2: ToughSwitch

ToughSwitch:

port1: EdgeMAX
port2: 192.168.1.0/24 subnet
port3: 192.168.2.0/24 subnet
port4: 192.168.0.0/24 subnet device(s)

My goal is to tell the ToughSwitch to give all packages from port2 and 3 a separate vlan id (i.e. like the port numbers, 2 and 3) and send them as vlan tagged to the EdgeMAX, which then should do the routing between the three subnets and the internet.

Because my "main" LAN switch, which is right next to the EdgeMAX router, has no vlan support, I need to patch the ToughSwitch (which is located two floors away) directly into the EdgeMAX router in order for the vlan tagged traffic to arrive (the unmanaged switch would probably strip them out, I guess?). But because the ToughSwitch also has 192.168.0.0/24 devices connected, I also need a bridge for those devices so that they can communicate with the rest of the subnet connected over the unmanaged LAN switch.

This is why I wanted to bridge eth1 and eth2 on the EdgeMAX to have that "switch" for my local devices, and then add two vlan interfaces eth2.2 and eth2.3 for the vlan tagged traffic from the ToughSwitch.

My current solution is to buy another switch that is vlan capable and hang it between the ToughSwitch, the EdgeMAX and my unmanaged LAN switch. This switch will then route vlan tagged traffic to the EdgeMAX and untagged traffic to the unmanaged LAN switch.

I hope this is somewhat clear - I'm about to draw a diagram anyway and will attach it later.

Cheers

network_topology.png
Ubiquiti Employee

Because the unmanaged switch doesn't have enough ports, the ToughSwitch connects to the same subnet 192.168.0.0/24?
Regular Member

Nope, that is for geographic reasons. I only have one wire going from the unmanaged switch to the ToughSwitch, and they're two floors apart - but I also have other 192.168.0.0/24 devices where the ToughSwitch is, not only the "inbound ports" of the foreign subnets.

Ubiquiti Employee
It looks like there's no need to connect the unmanaged switch to the ERL directly if there's no bandwidth concern. Could you try 1) disconnect the ERL/eth1 and the unmanaged switch; 2) delete bridge-group bridge br0 under eth1 and eth2, commit; delete address 192.168.0.1/24 under br0, commit; and then set address 192.168.0.1/24 under eth2, commit? (No change on the ToughSwitch.)

 

Regular Member

Sorry, I haven't been clear enough. My LAN's "main server room" is in the cellar, where both the ERL and the unmanaged switch are located. Then I have the ToughSwitch two floors up. There is only one wire between the two locations. Disconnecting the unmanaged switch from the ERL would essentially shut it out from the ERL altogether - the two systems would be separated.

Ubiquiti Employee

Could you try some changes:

Assuming VLAN10 isn't used yet, on the EdgeMAX, delete "bridge-group bridge br0" under eth2, set "vif 10 bridge-group bridge br0" under eth2; on the ToughSwitch, add VLAN10, tag VLAN10 on port1 (make sure all VLANs are tagged on port1), untag VLAN10 on port4.

Regular Member

Sorry for my late reply, only got around to testing it now.

And that did indeed work! Granted, it's a bit of a work-around since the config I have now is a little different than the one I originally expected, but it does exactly what I need.

For the record, here is my running config on the ERL:

bridge br0 {
    address 192.168.0.1/24
}
ethernet eth1 {
    bridge-group {
        bridge br0
    }
    description "LAN port"
}
ethernet eth2 {
    description "connection to ToughSwitch"
    vif 10 {
        bridge-group {
            bridge br0
        }
        description "dummy VLAN to get regular LAN-traffic from ToughSwitch when interfaces is bridged with eth1"
    }
    vif 40 {
        address 192.168.1.1/24
        description "actual remote site traffic"
    }
}
loopback lo {
}

 

And attached is the VLAN overview on my ToughSwitch. Note again that ERL eth2 and ToughSwitch Port1 are directly connected with each other.

For the future reader's understanding: the bridge br0 has two members, eth1 and eth2.10. eth2.10 only receives traffic that is tagged with vlan id 10 and will also send vlan id 10 tagged traffic to the ToughSwitch. The bridge dynamically tags or untags traffic, depending on which interface it's flowing from and to.

toughswitchconfig.png
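
The two layouts from this thread (an addressed vif on a port that is itself a bridge member, which was reported as not receiving its tagged traffic, and the final working config with only vifs in the bridge) can be told apart mechanically. This is an added example, not part of any post or of Ubiquiti's tooling; `parse_config` and `routed_vifs_on_bridged_ports` are names made up here, and the sample input is trimmed from the configs posted above.

```python
def parse_config(text):
    """Parse brace-delimited EdgeOS 'show' output into nested dicts (leaves are lists)."""
    stack = [{}]
    for line in map(str.strip, text.splitlines()):
        if line == "}":
            stack.pop()
            if not stack:
                raise ValueError("unexpected '}'")
        elif line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line:
            key, _, value = line.partition(" ")
            stack[-1].setdefault(key, []).append(value.strip())
    if len(stack) != 1:
        raise ValueError("unclosed block")
    return stack[0]

def routed_vifs_on_bridged_ports(config):
    """(port, vlan_id, bridge) for each addressed vif under a bridge-member port."""
    findings = []
    for header, port in config.items():
        group = port.get("bridge-group") if header.startswith("ethernet ") else None
        if isinstance(group, dict) and "bridge" in group:
            findings += [(header.split()[1], int(sub.split()[1]), group["bridge"][0])
                         for sub, vif in port.items()
                         if sub.startswith("vif ") and "address" in vif]
    return findings

# Sample input trimmed from the thread's two configs; function names are this example's own.
REPORTED = """ethernet eth2 {
    bridge-group {
        bridge br0
    }
    vif 2 {
        address 192.168.2.1/24
    }
}"""
WORKING = """ethernet eth2 {
    vif 10 {
        bridge-group {
            bridge br0
        }
    }
    vif 40 {
        address 192.168.1.1/24
    }
}"""
for cfg in (REPORTED, WORKING):
    print(routed_vifs_on_bridged_ports(parse_config(cfg)))
```

A finding means a VLAN subnet whose frames may be delivered to the bridge instead of the routed vif, so firewall rules attached to the vif would not see them; confirm with the tcpdump check from the post above.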