VLAN Config difference AR 8227 & QCA 8337
Posted: Wed Jul 11, 2018 8:07 pm
Hi All,
I've been banging my head on this for a while and hoped someone could enlighten me.
I've got a hAP AC that I can't get to play nicely, but when I drop a spare hAP AC Lite in with essentially the same configuration it seems, to my understanding at least, to work perfectly.
I've come to the conclusion that there is a difference somehow with how I need to configure the switch chips that doesn't seem obvious to me. I believe the hAP AC Lite has an AR 8227 where the hAP AC has a QCA 8337, but I haven't found any fundamental differences in how to configure them called out in the Wiki.
The issue I get is that when I drop the following code to secure against invalid VLANs into my CRS that is the core switch, the hAP AP management address disappears off of the network, when the other 5 hAP AP Lites (all running the same config) don't.
Code:
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports="ether1,ether2,ether3,ether4\
,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,ether13\
,ether14,ether15,ether16,ether17,ether18,ether19,ether20,ether21,ether22,ether23,ether24"
I found buried in the Wiki somewhere a statement that says
> In Gigabit switch chips when "vlan-mode=secure", it ignores switch port "vlan-header" options. VLAN table entries handle all the egress tagging/untagging and works as "vlan-header=leave-as-is" on all ports.
> It means what comes in tagged, goes out tagged as well, only "default-vlan-id" frames are untagged at the egress of port.
This led me to change any access switch ports that were "secure" and "always-strip" to "check" and "always-strip" to ensure that the tag got stripped before going to the access device, but I can't find any other obvious differences.
I can however access the hAP ac through its MAC and it is able to ping other devices on the main bridge, but not through the vlan interfaces under the bridge. Again, no such problem on the hAP AC Lite.
Config for the working hAP AC Lite (AR8227) looks like this
Code:
# jul/11/2018 17:33:16 by RouterOS 6.42.5
# software id = R2EG-0GVA
#
# model = RouterBOARD 952Ui-5ac2nD
/interface bridge
add name=bridge-wireless protocol-mode=none
/interface vlan
add interface=bridge-wireless name=bridge-wireless-vlan-100 vlan-id=100
add interface=bridge-wireless name=bridge-wireless-vlan-200 vlan-id=200
add interface=bridge-wireless name=bridge-wireless-vlan-300 vlan-id=300
/interface ethernet switch port
set 0 default-vlan-id=100 vlan-mode=secure
set 1 default-vlan-id=100 vlan-mode=secure
set 2 default-vlan-id=100 vlan-mode=secure
set 3 default-vlan-id=100 vlan-header=always-strip vlan-mode=secure
set 4 default-vlan-id=100 vlan-header=always-strip vlan-mode=secure
set 5 default-vlan-id=100 vlan-mode=secure
/interface bridge port
add bridge=bridge-wireless interface=ether1
add bridge=bridge-wireless interface=ether2
add bridge=bridge-wireless interface=ether3
add bridge=bridge-wireless interface=ether4
add bridge=bridge-wireless interface=ether5
add bridge=bridge-wireless interface=Master2
add bridge=bridge-wireless interface=Master5
/interface ethernet switch vlan
add ports=switch1-cpu,ether1,ether2,ether3,ether4,ether5 switch=switch1 \
    vlan-id=100
add ports=switch1-cpu,ether1,ether2,ether3 switch=switch1 vlan-id=200
add ports=switch1-cpu,ether1,ether2,ether3 switch=switch1 vlan-id=300
/ip address
add address=192.168.0.33/24 interface=bridge-wireless-vlan-100 network=\
    192.168.0.0
/ip dns
set servers=192.168.0.3,192.168.0.4
/ip route
add distance=1 gateway=192.168.0.1
Config for the misbehaving hAP AC looks like this
Code:
# jul/11/2018 17:32:32 by RouterOS 6.42.5
# software id = TVYK-8DEQ
#
# model = RouterBOARD 962UiGS-5HacT2HnT
/interface bridge
add name=bridge-wireless protocol-mode=none
/interface vlan
add interface=bridge-wireless name=bridge-wireless-vlan-100 vlan-id=100
add interface=bridge-wireless name=bridge-wireless-vlan-200 vlan-id=200
add interface=bridge-wireless name=bridge-wireless-vlan-300 vlan-id=300
/interface ethernet switch port
set 0 default-vlan-id=100 vlan-mode=secure
set 1 default-vlan-id=100 vlan-mode=secure
set 2 default-vlan-id=100 vlan-mode=secure
set 3 default-vlan-id=100 vlan-header=always-strip vlan-mode=check
set 4 default-vlan-id=100 vlan-header=always-strip vlan-mode=check
set 5 default-vlan-id=100 vlan-mode=secure
/interface bridge port
add bridge=bridge-wireless interface=ether1
add bridge=bridge-wireless interface=ether2
add bridge=bridge-wireless interface=ether3
add bridge=bridge-wireless interface=ether4
add bridge=bridge-wireless interface=ether5
add bridge=bridge-wireless interface=Master2
add bridge=bridge-wireless interface=Master5
/interface ethernet switch vlan
add independent-learning=no ports=\
    switch1-cpu,ether1,ether2,ether3,ether4,ether5 switch=switch1 vlan-id=100
add independent-learning=no ports=switch1-cpu,ether1,ether2,ether3 switch=\
    switch1 vlan-id=200
add independent-learning=no ports=switch1-cpu,ether1,ether2,ether3 switch=\
    switch1 vlan-id=300
/ip address
add address=192.168.0.31/24 interface=bridge-wireless-vlan-100 network=\
    192.168.0.0
/ip dns
set servers=192.168.0.3,192.168.0.4
/ip route
add distance=1 gateway=192.168.0.1
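I know I probably shouldn't add switch1-cpu to all three VLANs, but I'm in testing mode at the moment.
Anyone got any ideas what I'm doing wrong?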
Thanks in advance
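An added example, not part of the original post: a small audit that diffs the switch-port settings of two RouterOS exports and flags ports where `vlan-header` is ignored or where ingress port-membership filtering is off. The function names are hypothetical, the sample is a constructed excerpt of the two exports above, and whether a chip counts as Gigabit is an assumption the caller passes in via `gigabit_chip`.

```python
import re

# Constructed sample: switch-port lines for ports 2-4 from the two exports in the post.
AR8227 = """/interface ethernet switch port
set 2 default-vlan-id=100 vlan-mode=secure
set 3 default-vlan-id=100 vlan-header=always-strip vlan-mode=secure
set 4 default-vlan-id=100 vlan-header=always-strip vlan-mode=secure
"""
QCA8337 = AR8227.replace("always-strip vlan-mode=secure", "always-strip vlan-mode=check")

def switch_ports(export):
    """Return {port_id: {setting: value}}; assumes numeric ids and unquoted values."""
    ports, section = {}, None
    for line in re.sub(r"\\\r?\n\s*", "", export).splitlines():  # join '\' continuations
        line = line.strip()
        if line.startswith("/"):
            section = line
        elif section == "/interface ethernet switch port" and line.startswith("set "):
            _, port_id, *pairs = line.split()
            ports[port_id] = dict(p.split("=", 1) for p in pairs)
    return ports

def diff(a, b):
    """List (port, setting, value_a, value_b) for every setting that differs."""
    return [(p, k, a.get(p, {}).get(k), b.get(p, {}).get(k))
            for p in sorted(set(a) | set(b))
            for k in sorted(set(a.get(p, {})) | set(b.get(p, {})))
            if a.get(p, {}).get(k) != b.get(p, {}).get(k)]

def audit(ports, gigabit_chip):
    """Flag settings that do not do what they appear to do."""
    findings = []
    for port_id, cfg in sorted(ports.items()):
        mode = cfg.get("vlan-mode", "disabled")  # RouterOS default when unset
        # Per the wiki statement quoted in the post: Gigabit chips in secure
        # mode ignore vlan-header; the VLAN table decides egress tagging.
        if gigabit_chip and mode == "secure" and "vlan-header" in cfg:
            findings.append((port_id, "vlan-header ignored in secure mode"))
        # Only secure mode drops frames whose ingress port is not a member
        # of the frame's VLAN (MikroTik switch chip documentation).
        if mode != "secure":
            findings.append((port_id, "vlan-mode=%s: no port-membership check" % mode))
    return findings

if __name__ == "__main__":
    lite, ac = switch_ports(AR8227), switch_ports(QCA8337)
    print(diff(lite, ac))
    print(audit(ac, gigabit_chip=True))
```

Run against the full exports, the same functions show that moving access ports from `secure` to `check` keeps the tag stripping but gives up the per-port VLAN membership check on those ports.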