Is it possible to configure the switch (Atheros 8327 in a RB2011) in such a way that a port always adds
a tag on input and removes that same tag on output, independently of other tags?
I have the switch chip configured to use 2 VLAN tags: on ether2 inside, these two are configured as VLAN
interfaces; on outside port 3 they are passed on (trunk); on outside port 2 one of these VLANs is sent
untagged to the outside. This port is configured as VLAN mode secure, VLAN header always strip, default
VLAN ID 44. This works OK.
However, now I want to send and receive traffic over that port tagged with VLAN ID 20.
So I configured a new VLAN interface ether2.vlan44.vlan20, which has parent ether2.vlan44. I think this
normally works OK (nested VLAN headers). I expect that on output the switch will strip the VLAN 44 header
and output the packet with only the VLAN 20 header.
However, on input it sees the VLAN 20 header, and no new VLAN 44 header is added (secure implies this).
I also tried “fallback” mode but it does not work either.
How should the switch be configured?
/interface ethernet switch port
set 2 default-vlan-id=44 vlan-header=always-strip vlan-mode=secure
set 3 vlan-mode=secure
set 4 default-vlan-id=58 vlan-header=always-strip vlan-mode=secure
set 5 default-vlan-id=58 vlan-header=always-strip vlan-mode=secure