Hello,
I have purchased a CSS326-24G-2S+ and I’m trying to configure it in the following way:
Ports 1-16 + SFP2 “access”
Ingress: accept untagged traffic only, tag with ID=10
Egress: only ID=10 traffic, untag before egress
Ports 17-20 + SFP1 “trunk”
Ingress: accept only tagged traffic with ID=10, 20, 30 or 40, leave tag alone
Egress: only ID=10, 20, 30, 40, leave tag alone
Ports 21-24 “access”
Ingress: accept untagged traffic only, tag with ID=40
Egress: only ID=40 traffic, untag before egress
I have read the manual and the example.
Apart from the obvious (set correct VLAN membership in “VLANs” tab, and correct Receive mode in “VLAN” tab), I don’t fully understand the “VLAN mode” option.
From the manual, I think I should set it to “disabled” for access ports (so only traffic with ID=default VLAN ID is egressed, untagged), but in the example it sets it to “enabled” which from what I understand doesn’t remove the tags upon egress.
Also, for the “enabled” option it says “Default VLAN ID must be specified for access ports since it will be used to tag traffic from a certain port, enabled VLAN filtering”. What does that mean, exactly? For example, I would think a default VLAN ID would not be needed if I have receive mode set to “tagged only”, but this seems to indicate otherwise. And is VLAN filtering applied in ingress or egress direction? And what is it based upon, the VLAN memberships or something else?
An access port configuration, I think, means you have a device attached to the port that is unable to tag or read tagged data packets.
If you want this device on vlan333 for example, then you will need to assign PVID:333 to this port. I believe this needs to be done in conjunction with ingress filtering, as if one doesn't apply it, I have no clue what the outcome will be??
By enabling ingress filtering, the following should happen: on ingress from the dummy device, all packets will be tagged with pvid333.
The router/switch will check if there are any other ports on the switch that are associated with vlan333 and if not will then drop the packets.
Assuming return traffic to the dummy device on vlan33 will occur (as simple as getting a DHCP address for example), the router/switch upon egress will remove the vlan33 tag so that there are no tags when the packets hit the dummy device. The other thing about ingress filtering is that if by chance any other VLAN tags were on the packets from the dummy device (or source), since they do not match the pvid:333 they would be dropped on ingress.
Sorry, I have a 260GS that is giving me fits as I am finally understanding RoS and vlans LOL. I have managed to program D-Stink and NetGit managed switches but am failing with MikroTik SwOS.
IF I WAS IN CHARGE, I would first at least give Normis a red BUS to live in, as a car is a tad small for a home. :-0
Secondly I would program SwOS such that it appeared in the software menus exactly or as close to RouterOS, such that slow folks like me after learning RoS vlans could then transparently move to SwOS and program switches. The SwOS would translate the RoS type commands into SwOS commands and thus transparent to the user.
This is the direction they should move to IMHO, would be a nice xmas present.
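The ingress and egress rules discussed in this thread, as an added sketch that is not part of either post and is not SwOS code: a generic IEEE 802.1Q model of the port layout from the question, showing which frames are dropped on ingress and which ports a frame may leave on, tagged or untagged. The port names and the `Port`, `build_ports`, `ingress` and `forward` helpers are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Port:
    receive: str          # "untagged-only" or "tagged-only"
    pvid: Optional[int]   # default VLAN ID applied to untagged ingress frames
    members: frozenset    # VLANs this port is a member of
    egress_tagged: bool   # True = leave the tag on egress (trunk)

def build_ports():
    """Port layout from the question (port names are made up for this sketch)."""
    access10 = Port("untagged-only", 10, frozenset({10}), False)
    trunk = Port("tagged-only", None, frozenset({10, 20, 30, 40}), True)
    access40 = Port("untagged-only", 40, frozenset({40}), False)
    ports = {f"p{n}": access10 for n in range(1, 17)}
    ports.update({f"p{n}": trunk for n in range(17, 21)})
    ports.update({f"p{n}": access40 for n in range(21, 25)})
    ports.update({"sfp1": trunk, "sfp2": access10})
    return ports

def ingress(port, tag):
    """Classify a frame into a VLAN on ingress; None means it is dropped."""
    if tag is None:
        if port.receive == "tagged-only":
            return None               # trunk refuses untagged frames
        vid = port.pvid               # access port: tag with default VLAN ID
    else:
        if port.receive == "untagged-only":
            return None               # access port refuses pre-tagged frames
        vid = tag
    return vid if vid in port.members else None   # membership filter

def forward(ports, src, tag):
    """Flood a frame from src; return {egress port: tag on the wire or None}."""
    vid = ingress(ports[src], tag)
    if vid is None:
        return {}
    return {name: (vid if p.egress_tagged else None)
            for name, p in ports.items()
            if name != src and vid in p.members}

if __name__ == "__main__":
    ports = build_ports()
    for src, tag in [("p1", None), ("p1", 40), ("p17", None), ("sfp1", 40)]:
        print(src, tag, "->", forward(ports, src, tag))
```

In this model the membership table is consulted twice, once to filter on ingress and once to pick egress ports, so a tagged frame sent into an access port never reaches another VLAN.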