Hi,

Hopefully someone can shed some light on this issue. I have a small setup consisting of a HEXs (RB760iGS), CSS106 (RB260GSP) and a cAP ac (RBcAPGi-5acD2ND).

There is a trunk uplink carrying four VLANs from the HEXs > CSS106. This is implemented using bridge VLAN filtering and specific VLAN interfaces and works perfectly. On the CSS I am able to lock down the port to only accept tagged traffic with;

VLAN Tab
Ingress
VLAN Mode: Strict
VLAN Receive: Only tagged
Default VLAN ID: 1
Force VLAN ID: no

Egress
VLAN Header: Leave as is

VLANs Tab
'Add if missing' on all ports for the all VLANs

Now for the cAP ac I set up VLANs on a bridge with VLAN filtering just the same. One VLAN interface in each VLAN and with the DHCP client running on each. See below config;


But in this case if I set the trunk port from the CSS106 accordingly as above I can now longer reach the device. It seems frames are being dropped. But if I set VLAN Receive Mode to 'any' it works fine. I know frames are landing on the correct VLANs as the DHCP IPs are allocated correctly on the VLANs.

I understand the cAP ac has a switch chip and it can be configured under /interface/ethernet/switch/ to gain hardware support, but I find the software bridge more logical and simpler to manage/configure. Plus, requirements in this case dictate hardware support isn't going to add much.

I've seen advice here as;

Basic rule of thumb Trunk----> enabled/any/1/leave as is (for port membership leave as is for all applicable ports on incoming trunk and all applicable tagged ports)
Basic rule of thumb Access--->strict/only untagged/pvid#/always strip (for port membership, not a member except for applicable port(s))

And also the manual says;

VLAN Receive: Defines the type of allowed packets on ingress port: any / only tagged / only untagged (only supported on RB260GS)

But can anyone explain why it works in the first case? I can't understand it.

NOTE: I know there are no wireless interfaces and such. This is quick test setup to isolate this issue. I will be using CAPsMAN to manage/provision the AP.

Thanks,
t04s

What do you mean "you can not access the device anymore" ?
How are your trying to access ? Using which device going over which VLAN ?

Have you set a route for whatever you use as base VLAN or management VLAN on cAP AC ?
That part of the config is not being shown.

Sorry, a bit more information. Omitted some obvious stuff.

I'm trying to access via an access port on the switch CSS106 on VLAN10 which is the management VLAN. But there are no restrictions in the firewall or anything so it could easily be VLAN 12, 13 or 14 that I was testing. I'm just connecting into an access port to test on that VLAN. The point is when I change the switch config on the trunk port as explained I can no longer connect over the switch to the cAP ac. The access port config is fine as I can get over the other trunk referred to in order to access the router.

There should be no need for any routes as this is access from within a VLAN. I'm not routing anything.

Thanks,
t04s

Has to be one of the differences in VLAN handling on ROS and SWOS.

Just checked some other sources, there also trunk on SWOS is defined as any.
Why ? Can't help you there.

It's odd isn't it? I have seen many examples showing trunk defined as 'any' but in what seems like a newer doc here it defines a trunk as 'only untagged'. It does say though;

CSS106 devices running SwOS version 2.12 can filter RSTP BPDU packets when enabling VLAN filtering on ports (VLAN Mode enabled or strict). With SwOS version 2.13, it is recommended to set VLAN Receive to any on trunk ports.

But that's about BPDU packets so not directly related.

The HEXs and cAP ac are both running ROS which is why I can't understand the difference. How the HEXs running ROS connected to a trunk on SWOS works with the VLAN receive mode set to 'only untagged'. Yet, the cAP ac running ROS connected to a trunk on the switch in the same mode doesn't.

Either I'm doing something wrong (but that's why I stripped the config right back to basics) which I still can't see, or it's something the cAP ac does differently, or it's a bug.

Thanks,
t04s

I assume connecting Hex to cAP AC (using power injector) it works as expected ?

I haven't tried connecting them directly and bypassing the switch. I assume that will work but I can try and report back.

Thanks,
t04s

I have tried connecting the trunk ports directly from the HEXs > cAP ac and traffic is passed normally. It works fine.

So it looks to be an issue with the switch and some subtle combination of how the HEXs is passing traffic to it versus the cAP ac.

Thanks,
t04s