Many people (around here as well) are making a conceptual error by thinking that "native VLAN" has to have some "magical" VLAN ID. Native VLAN is the internal VLAN ID for frames which are tagless on the connection (UTP or fiber) ... and it is done per port and per device. If certain equipment requires VID 1 for "native VLAN", that's fine ... but this doesn't mean that the whole LAN infrastructure has to use the same VID for untagged frames. Not even on both sides of the same link. Because, again, "native VLAN" frames are tagless on links and thus lose information about VLAN "affiliation" when passing an untagged or hybrid ("trunk with native VLAN") port, and it has to be re-established upon entering such a port on ingress (and rules - PVID settings - are in principle independent of port/device combo).
Yes, it does help if the same VID is used on all devices because it makes the probability of misconfiguration lower. But in case one wants to have it differently (e.g. management VLAN with VID 99 ... except for Ubnt which requires management untagged and using VID 1 internally), it can be done just fine.
mkx is correct, vlanid=1 is what I call native for many devices including MT.
It has nothing to do necessarily with the management vlan.
Just like for vlan bridge filtering we don't touch vlan1 assigned to the bridge, it's simply a glue in the background. We assign our vlans and management vlan as always without worrying about vlan1.
The only slight nuance when using different vendors' equipment is to ensure that vlan1 untagged is not able to leak to the router (rare but could happen), and thus the final step to ensure this is to only allow vlan tagged on the bridge itself.
As for ubiquiti, the only difference is that they must be an Australian company and like things backwards aka their toilets also flush in the opposite direction.
Simply put, they come by default assuming management vlan untagged, rest of vlans tagged, so their connectivity port with other smart devices has to be a hybrid port. All very manageable and you can also change the default so that it acts like every other managed switch.
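The per-port PVID behaviour discussed in the posts above, as an added example that is not part of the original thread: a small model of one link whose two ends use different VIDs for untagged frames, plus a tagged-only port that refuses untagged frames. The `Port` class, the `cross_link` helper and all VID values are constructed for illustration, and the model assumes a port sends untagged only the VLAN that matches its PVID.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class Port:
    pvid: int                                  # VID given to untagged frames on ingress
    tagged: set = field(default_factory=set)   # VIDs carried with an 802.1Q tag
    admit_untagged: bool = True                # False models a tagged-only port

    def egress(self, vid: int) -> Tuple[bool, Optional[int]]:
        """Return (sent, wire_tag); wire_tag None means untagged on the wire."""
        if vid in self.tagged:
            return True, vid
        if vid == self.pvid and self.admit_untagged:
            return True, None                  # the tag, and the VID with it, is removed
        return False, None                     # VLAN is not a member of this port

    def ingress(self, wire_tag: Optional[int]) -> Optional[int]:
        """Return the internal VID for a received frame, or None if dropped."""
        if wire_tag is None:
            return self.pvid if self.admit_untagged else None
        return wire_tag if wire_tag in self.tagged else None


def cross_link(near: Port, far: Port, vid: int) -> Optional[int]:
    """VID the frame has inside the far device, or None if it never arrives."""
    sent, wire_tag = near.egress(vid)
    return far.ingress(wire_tag) if sent else None


# Constructed sample: switch port uses VID 99 for management, AP side uses VID 1.
switch_side = Port(pvid=99, tagged={10, 20})
ap_side = Port(pvid=1, tagged={10, 20})
# Constructed sample: a port that only accepts tagged frames.
tagged_only = Port(pvid=1, tagged={10, 20, 99}, admit_untagged=False)

if __name__ == "__main__":
    print("99 from switch arrives on AP as", cross_link(switch_side, ap_side, 99))
    print("1 from AP arrives on switch as", cross_link(ap_side, switch_side, 1))
    print("10 stays", cross_link(switch_side, ap_side, 10))
    print("untagged into tagged-only port:", cross_link(ap_side, tagged_only, 1))
```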
I believe the Ubiquiti access points don't let you change the "vlan" associated with the untagged frames, and they also reserve vlan 1 (not allowing you to specify a vlan of 1).
Hence generic Rules #1 and #2 for Mikrotik devices appear to be appropriate also when they are connected to such access points: The twelve Rules of Mikrotik Club
Yes, you absolutely can change the management VLAN on Ubiquiti Access Points to a tagged VLAN, but it requires a specific process: the AP must first be adopted on the default untagged VLAN (usually VLAN 1 or your primary LAN), and then you change the management VLAN in the device's settings to a tagged VLAN, ensuring the connecting switch port is configured as a trunk allowing that tagged VLAN. The key is that the AP's management traffic must be untagged during initial adoption, then can be set to tagged for data traffic separation.
The ability to add a management VLAN to an AP was added in 5.8.3 (beta). 802.1x MAC-Auth-Bypass is in UniFi settings > Profiles > Switchports (create new) > advanced options > MAC-based in current stable controller versions (5.7.20).