path: root/content/2023-05-24-openwrt-migrate-to-dsa/index.md
Diffstat (limited to 'content/2023-05-24-openwrt-migrate-to-dsa/index.md')
-rw-r--r-- content/2023-05-24-openwrt-migrate-to-dsa/index.md | 96
1 files changed, 96 insertions, 0 deletions
diff --git a/content/2023-05-24-openwrt-migrate-to-dsa/index.md b/content/2023-05-24-openwrt-migrate-to-dsa/index.md
new file mode 100644
index 0000000..89259ba
--- /dev/null
+++ b/content/2023-05-24-openwrt-migrate-to-dsa/index.md
@@ -0,0 +1,96 @@
++++
+title = "openwrt: Migrating to DSA"
+
+[taxonomies]
+tags = ["openwrt", "dsa", "vlan", "linux"]
++++
+
+After upgrading the routers in my home network to the latest `openwrt-22.03`
+version, one of my routers, the [avm 7360sl][avm-7360sl], moved to the new
+[distributed switch architecture][linux-dsa] (`DSA`).
+
+In my home network I currently run two separate networks each with their own
+`VLANs` and an additional access point (**archer c7**) to extend the wifi
+range. The access point and the **avm** router are connected via tagged ports
+transferring tagged ethernet packets (VLAN trunk).
+In the figure below the network setup is shown.
+
+<img src="home-nw.svg">
+
+Since the **avm** box moved from `swconfig` to `DSA` I had to migrate my
+current `VLAN` setup on the **avm** box.
+
+The description below documents this setup, and may be of help to anybody :^)
+
+## AVM 7360SL
+
+With `DSA` the switch ports appear as own devices, here the `lanX` devices.
+
+<img src="portal-devices.png">
+
+VLANs are directly configured on the `bridge` devices and appear as sub-devices
+of the bridge. See above, the `br-lan.10` and `br-lan.20` which correspond to
+the VLANs 10 and 20.
+The **Local** setting of the VLAN controls if the corresponding sub-device is
+created or not.
+
+The **lan1** port is configured as **tagged (T)** for our VLANs. This means for
+outgoing packets the VLAN tag is not removed and incoming packets should be
+tagged. Additionally, we configured that incoming packets that are untagged
+should be tagged with VLAN 99 **primary VLAN (U|*)**. This port is used as VLAN
+trunk to connect the access point.
+
+<img src="portal-vlan-dsa.png">
+
+For the configuration nothing has changed, besides using the new bridge
+sub-devices.
+
+<img src="portal-interfaces.png">
+
+## Archer C7
+
+For completeness of the setup, the following shows the configuration of the
+access point.
+
+The access point defines two networks `lan` and `guest` similar to the networks
+defined on the router above. The interfaces bridge the following devices
+together:
+- **br-lan**: eth0.10 + home wifi
+- **br-guest**: eth0.20 + guest wifi
+
+<img src="archer-interfaces.png">
+
+> NOTE: The `guest` interface is setup as `unmanaged` because it does not need
+> an IP address, since nobody connected to the guest network should be able to
+> connect to the access point. The access point also does not define any
+> firewall rules, as all firewall rules are centrally defined on the **avm**
+> box.
+
+The switch is configured as shown below. The two interesting configurations are
+that the **CPU (eth0)** interface is tagged for all VLANs and that the **LAN1**
+port is tagged as well.
+
+<img src="archer-vlan-swconfig.png">
+
+Similar to the avm setup above, the **LAN1** port is tagged for our VLANs and
+hence used as VLAN trunk to connect to the avm router.
+
+The **eth0** port is tagged, such that we get sub-devices **eth0.10** and
+**eth0.20** for use in our different networks.
+
+<img src="archer-devices.png">
+
+## References
+
+- [DSA Mini-Tutorial][openwrt-dsa]
+- [VLAN switch configuration][openwrt-vlan]
+- [Switch documentation][openwrt-vlan]
+- [AVM 7360SL][avm-7360sl]
+- [TP-Link Archer C7][archer-c7]
+
+[linux-dsa]: https://www.kernel.org/doc/html/latest/networking/dsa/dsa.html
+[avm-7360sl]: https://openwrt.org/toh/avm/fritz.box.wlan.7360
+[archer-c7]: https://openwrt.org/toh/tp-link/archer_c7
+[openwrt-dsa]: https://openwrt.org/docs/guide-user/network/dsa/dsa-mini-tutorial
+[openwrt-vlan]: https://openwrt.org/docs/guide-user/network/vlan/switch_configuration
+[openwrt-swconf]: https://openwrt.org/docs/guide-user/network/vlan/switch
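
Review bot: In the References list, the "Switch documentation" entry uses the label `[openwrt-vlan]`, the same one as the "VLAN switch configuration" entry directly above it, while the `[openwrt-swconf]` definition on the last line is never referenced; the entry should read `- [Switch documentation][openwrt-swconf]`. Separately, the AVM 7360SL section says untagged packets arriving on the **lan1** trunk are tagged with VLAN 99, but VLAN 99 is not described anywhere else in the post. One sentence stating what, if anything, is attached to VLAN 99 would tell readers who copy the setup where untagged traffic on the trunk ends up. The `<img>` tags also carry no `alt` text, so the port and VLAN tables in the screenshots are lost when the images do not load.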