Thanks for the clarification. I was experimenting with setting other VLANs as I had some strange behaviour with one of the switches being unreachable through the management net as long as it had another VLAN set as untagged on one of the SFP ports. Actually, 192.168.251.0/24 is exactly meant to be set manually on a computer's interface to access all the switches - by connecting to the separate Management (ether49) port on the CRS354 and ether24 on the CRS326. I didn't remove it from the bridge since it makes me able to reach all switches from one of them without having to walk kilometers and numerous stairs.
Thanks for the other suggestions on bridge ports. Actually ingress-filtering=yes is set, I should have done a "verbose" export. But "frame-types=admit-only-priority-and-untagged" on access ports was not set and it is a good idea! Do I assume correctly that without this a hacker could connect to any access port and, by setting VLAN 251 tagged, would be able to access the management network?
Greetings,
--
Jacek
Statistics: Posted by joshuapl — Mon Mar 18, 2024 1:36 pm