On Tue, Apr 13, 2021 at 01:54, Marek Behun <marek.be...@nic.cz> wrote: > On Tue, 13 Apr 2021 01:13:53 +0200 > Tobias Waldekranz <tob...@waldekranz.com> wrote: > >> > ...you could get the isolation in place. But you will still lookup the >> > DA in the ATU, and there you will find a destination of either cpu0 or >> > cpu1. So for one of the ports, the destination will be outside of its >> > port based VLAN. Once the vectors are ANDed together, it is left with no >> > valid port to egress through, and the packet is dropped. >> > >> >> Am I wrong? I confess that I did not understand this into the most fine >> >> details, so it is entirely possible that I am missing something >> >> important and am completely wrong. Maybe this cannot be done. >> > >> > I really doubt that it can be done. Not in any robust way at >> > least. Happy to be proven wrong though! :) >> >> I think I figured out why it "works" for you. Since the CPU address is >> never added to the ATU, traffic for it is treated as unknown. Thanks to >> that, it flooded and the isolation brings it together. As soon as >> mv88e6xxx starts making use of Vladimirs offloading of host addresses >> though, I suspect this will fall apart. > > Hmm :( This is bad news. I would really like to make it balance via > input ports. The LAG balancing for this usecase is simply unacceptable, > since the switch puts so little information into the hash function.
If you have the ports in standalone mode, you could imagine having each port use its own FID. But then you cannot to L2 forwarding between the LAN ports in hardware. If you have a chip with a TCAM, you could theoretically use that to get policy switching to the preferred CPU port. But since that would likely run on top of TC flower or something, it is not obvious to my how to would describe that kind of action. Barring something like that, I think you will have to accept the unacceptable :) > I will look into this, maybe ask some follow-up questions. > > Marek
