I'm kind of trying to achieve an embarrassingly simple thing here, if you think about it in terms of tags.
Think of it as adding 3 more symbols to all MAC addresses on the network, with two main rules: (1) the network equipment assigns these 3 symbols and (2) you can make firewall rules based on what these 3 symbols are. Everything gets bridged by default, but you can make adjustments here or there where it's needed. It's convenient.
In terms of tags, I need to separate packets into a few VLAN interfaces on ingress based on tag (or its absence) and bridge all those interfaces as though none of the tags were ever there, and also strip the tag on egress from any of the native-VLAN-related interfaces.
I know for a fact that this would be quite simple to do with the help of two (or even one, but for simplicity's sake let's say two) additional 802.1q-supporting switches:
1. Let's say there are two interfaces on the first switch, eth10 and eth11, two on the router, eth20 and eth21, and two on the second switch, eth30 and eth31.
2. Let's say eth11 is connected to eth20 and eth21 is connected to eth30.
3. We can configure the first switch to add a VLAN tag with id 10, if it's missing, on ingress on eth10, and set up forwarding from eth10 to eth11. We can also configure an additional VLAN, let's say with id 20, so that eth10 can receive tagged packets with that VLAN tag and forward them to eth11 if need be. Thus, eth10 is a hybrid port, and eth11 is a trunk.
4. We can configure two VLAN interfaces with ids 10 and 20 on eth20. We can do the same for eth21. Then we can put these VLAN interfaces in a bridge.
5. We can mirror the configuration of the first switch on the second switch by stripping the VLAN tag with id 10 on egress from eth31. Thus, eth30 is a trunk and eth31 is a hybrid port.
6. Et voilà. The thing can now be mirrored the other way around, and we have what I wanted.
Problem is, it seems to me like the 4-core 1.8 GHz CPU of an AX3 should be able to handle all of that on its own, without the need for two additional switches.
Statistics: Posted by Nullcaller — Wed Apr 03, 2024 4:42 pm
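The setup the post builds with two external switches can be done on the router alone with the Linux bridge's VLAN filtering: `pvid untagged` on a bridge port is exactly the "add tag 10 if missing on ingress, strip it on egress" behaviour of the hybrid ports, a plain `vid 20` membership is the tagged VLAN, and the bridge forwards between ports per VLAN, so no separate VLAN interfaces are needed. The script below is an added example, not code from the post or from any router firmware; it reuses the post's port names eth20/eth21 and VLAN ids 10 and 20, while the bridge name br0 and the nftables table/chain names are assumptions. Run it with no arguments to print the commands, or with `apply` as root to execute them.

```shell
#!/bin/sh
# Added example: one VLAN-aware Linux bridge replacing the post's two external switches.
# Port names eth20/eth21 and VIDs 10 (native) / 20 (tagged) come from the post;
# br0 and the nftables table/chain names are assumptions.

BR=br0
NATIVE_VID=10        # the VID assigned to frames that arrive untagged
TAGGED_VIDS="20"     # VIDs that may arrive already tagged
PORTS="eth20 eth21"  # the router ports that used to face the two switches

# Emit the commands for one hybrid port: untagged ingress gets NATIVE_VID as PVID,
# NATIVE_VID egress is sent untagged, and each listed VID is allowed tagged.
hybrid_port_cmds() {
    port=$1
    echo "ip link set dev $port master $BR"
    echo "bridge vlan del dev $port vid 1"   # drop the default VID 1 membership
    echo "bridge vlan add dev $port vid $NATIVE_VID pvid untagged"
    for vid in $TAGGED_VIDS; do
        echo "bridge vlan add dev $port vid $vid"
    done
    echo "ip link set dev $port up"
}

# Emit the whole configuration: the VLAN-filtering bridge, one hybrid port per
# member, and a bridge-family nftables chain so rules can key on the VLAN id.
vlan_bridge_cmds() {
    echo "ip link add name $BR type bridge vlan_filtering 1"
    for p in $PORTS; do
        hybrid_port_cmds "$p"
    done
    echo "ip link set dev $BR up"
    echo "nft add table bridge filter"
    echo "nft add chain bridge filter forward '{ type filter hook forward priority 0; }'"
    for vid in $TAGGED_VIDS; do
        # counter only; replace with drop/accept policy as required
        echo "nft add rule bridge filter forward vlan id $vid counter"
    done
}

# Number of commands the configuration produces (handy for a quick sanity check).
count_cmds() {
    vlan_bridge_cmds | wc -l | tr -d ' '
}

case "${1:-}" in
    apply) vlan_bridge_cmds | sh -e ;;   # needs CAP_NET_ADMIN
    *)     vlan_bridge_cmds ;;
esac
```

Check the result with `bridge vlan show`: each port should list 10 as "PVID Egress Untagged" and 20 as a plain member. The nftables rule matches frames that carry VID 20 at the bridge forward hook; whether frames that arrived untagged and were assigned PVID 10 also match `vlan id 10` there depends on the kernel keeping the PVID as frame metadata, so confirm with the rule's counter before building policy on it.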