diddie17

VLAN Config difference AR 8227 & QCA 8337

Wed Jul 11, 2018 8:07 pm

Hi All,

I've been banging my head on this for a while and hoped someone could enlighten me.

I've got a hAP AC that I can't get to play nicely, but when I drop a spare hAP AC Lite in with essentially the same configuration it seems to my understanding at least to work perfectly.

I've come to the conclusion that there is a difference somehow with how I need to configure the switch chips that doesn't seem obvious to me. I believe the hAP AC Lite has an AR 8227 where the hAP AC has a QCA 8337, but I haven't found any fundamental differences in how to configure them called out in the Wiki.

The issue I get is that when I drop the following code to secure against invalid VLANs into my CRS that is the core switch, the hAP AP management address disappears off of the network, when the other 5 hAP AP Lites (all running the same config) don't.

/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports="ether1,ether2,ether3,ether4\
,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,ether13\
,ether14,ether15,ether16,ether17,ether18,ether19,ether20,ether21,ether22,ether23,ether24"

I found buried in the Wiki somewhere a statement that says:

In Gigabit switch chips when "vlan-mode=secure", it ignores switch port "vlan-header" options. VLAN table entries handle all the egress tagging/untagging and works as "vlan-header=leave-as-is" on all ports.
It means what comes in tagged, goes out tagged as well, only "default-vlan-id" frames are untagged at the egress of port.

This led me to change any access switch ports that were "secure" and "always-strip" to "check" and "always-strip" to ensure that the tag got stripped before going to the access device, but I can't find any other obvious differences.

I can however access the hAP ac through its MAC and it is able to ping other devices on the main bridge, but not through the VLAN interfaces under the bridge. Again, no such problem on the hAP AC Lite.

Config for the working hAP AC Lite (AR8227) looks like this:

# jul/11/2018 17:33:16 by RouterOS 6.42.5
# software id = R2EG-0GVA
#
# model = RouterBOARD 952Ui-5ac2nD

/interface bridge
add name=bridge-wireless protocol-mode=none

/interface vlan
add interface=bridge-wireless name=bridge-wireless-vlan-100 vlan-id=100
add interface=bridge-wireless name=bridge-wireless-vlan-200 vlan-id=200
add interface=bridge-wireless name=bridge-wireless-vlan-300 vlan-id=300

/interface ethernet switch port
set 0 default-vlan-id=100 vlan-mode=secure
set 1 default-vlan-id=100 vlan-mode=secure
set 2 default-vlan-id=100 vlan-mode=secure
set 3 default-vlan-id=100 vlan-header=always-strip vlan-mode=secure
set 4 default-vlan-id=100 vlan-header=always-strip vlan-mode=secure
set 5 default-vlan-id=100 vlan-mode=secure

/interface bridge port
add bridge=bridge-wireless interface=ether1
add bridge=bridge-wireless interface=ether2
add bridge=bridge-wireless interface=ether3
add bridge=bridge-wireless interface=ether4
add bridge=bridge-wireless interface=ether5
add bridge=bridge-wireless interface=Master2
add bridge=bridge-wireless interface=Master5

/interface ethernet switch vlan
add ports=switch1-cpu,ether1,ether2,ether3,ether4,ether5 switch=switch1 \
    vlan-id=100
add ports=switch1-cpu,ether1,ether2,ether3 switch=switch1 vlan-id=200
add ports=switch1-cpu,ether1,ether2,ether3 switch=switch1 vlan-id=300

/ip address
add address=192.168.0.33/24 interface=bridge-wireless-vlan-100 network=\
    192.168.0.0

/ip dns
set servers=192.168.0.3,192.168.0.4

/ip route
add distance=1 gateway=192.168.0.1

Config for the misbehaving hAP AC looks like this:

# jul/11/2018 17:32:32 by RouterOS 6.42.5
# software id = TVYK-8DEQ
#
# model = RouterBOARD 962UiGS-5HacT2HnT

/interface bridge
add name=bridge-wireless protocol-mode=none

/interface vlan
add interface=bridge-wireless name=bridge-wireless-vlan-100 vlan-id=100
add interface=bridge-wireless name=bridge-wireless-vlan-200 vlan-id=200
add interface=bridge-wireless name=bridge-wireless-vlan-300 vlan-id=300

/interface ethernet switch port
set 0 default-vlan-id=100 vlan-mode=secure
set 1 default-vlan-id=100 vlan-mode=secure
set 2 default-vlan-id=100 vlan-mode=secure
set 3 default-vlan-id=100 vlan-header=always-strip vlan-mode=check
set 4 default-vlan-id=100 vlan-header=always-strip vlan-mode=check
set 5 default-vlan-id=100 vlan-mode=secure

/interface bridge port
add bridge=bridge-wireless interface=ether1
add bridge=bridge-wireless interface=ether2
add bridge=bridge-wireless interface=ether3
add bridge=bridge-wireless interface=ether4
add bridge=bridge-wireless interface=ether5
add bridge=bridge-wireless interface=Master2
add bridge=bridge-wireless interface=Master5

/interface ethernet switch vlan
add independent-learning=no ports=\
    switch1-cpu,ether1,ether2,ether3,ether4,ether5 switch=switch1 vlan-id=100
add independent-learning=no ports=switch1-cpu,ether1,ether2,ether3 switch=\
    switch1 vlan-id=200
add independent-learning=no ports=switch1-cpu,ether1,ether2,ether3 switch=\
    switch1 vlan-id=300

/ip address
add address=192.168.0.31/24 interface=bridge-wireless-vlan-100 network=\
    192.168.0.0

/ip dns
set servers=192.168.0.3,192.168.0.4

/ip route
add distance=1 gateway=192.168.0.1

I know I probably shouldn't add switch1-cpu to all three VLANs, but I'm in testing mode at the moment.

Anyone got any ideas what I'm doing wrong?

Thanks in advance
 
diddie17

Re: VLAN Config difference AR 8227 & QCA 8337  [SOLVED]

Tue Jul 17, 2018 4:54 am

For anyone following on behind that can't get the QCA8337 working, I did finally work this out.

It seems to be to do with the fact that the QCA8337 supports hybrid tagging. From the Wiki:

VLAN Hybrid ports which can forward both tagged and untagged traffic are supported only by some Gigabit switch chips (QCA8337, AR8327)

As a result, you have to be careful setting the default VLAN. With ports ether1 to 3 as trunk ports and 4 and 5 as access ports, the following worked for me.

/interface ethernet switch port
set 0 vlan-mode=secure
set 1 vlan-mode=secure
set 2 vlan-mode=secure
set 3 default-vlan-id=100 vlan-header=always-strip vlan-mode=check
set 4 default-vlan-id=100 vlan-header=always-strip vlan-mode=check

Whereas on the AR8227, this is what works for me:

/interface ethernet switch port
set 0 default-vlan-id=100 vlan-mode=secure
set 1 default-vlan-id=100 vlan-mode=secure
set 2 default-vlan-id=100 vlan-mode=secure
set 3 default-vlan-id=100 vlan-header=always-strip vlan-mode=secure
set 4 default-vlan-id=100 vlan-header=always-strip vlan-mode=secure
set 5 default-vlan-id=100 vlan-mode=secure
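
A small lint for the pattern the follow-up post arrives at: on a hybrid-capable chip, a trunk port in secure mode whose default-vlan-id is one of the VLANs it carries. This is an added example, not part of the original posts; the sample export is constructed from the thread's config, and treating a port listed in more than one VLAN table entry as a trunk and switch port item N as ether(N+1) are assumptions.

```python
import re

HYBRID_CHIPS = {"QCA8337", "AR8327"}  # chips named in the wiki quote above

# Constructed sample, abridged from the failing hAP ac export in the thread.
FAILING = """\
/interface ethernet switch port
set 0 default-vlan-id=100 vlan-mode=secure
set 3 default-vlan-id=100 vlan-header=always-strip vlan-mode=check
/interface ethernet switch vlan
add independent-learning=no ports=\\
    switch1-cpu,ether1,ether4 switch=switch1 vlan-id=100
add independent-learning=no ports=switch1-cpu,ether1 switch=\\
    switch1 vlan-id=200
"""
# Same export with the change from the follow-up post applied to the trunk.
FIXED = FAILING.replace("set 0 default-vlan-id=100 ", "set 0 ")

def parse_export(text):
    """Return ({item: params}, {vlan_id: member ports}) from an export."""
    text = re.sub(r"\\\n\s*", "", text)  # join backslash line continuations
    ports, vlans, section = {}, {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            section = line
        elif section == "/interface ethernet switch port" and line.startswith("set "):
            words = line.split()
            ports[int(words[1])] = dict(w.split("=", 1) for w in words[2:])
        elif section == "/interface ethernet switch vlan" and line.startswith("add "):
            kv = dict(w.split("=", 1) for w in line.split()[1:])
            vlans[int(kv["vlan-id"])] = set(kv["ports"].split(","))
    return ports, vlans

def risky_trunks(text, chip):
    """Trunk ports in secure mode whose default-vlan-id is a carried VLAN."""
    if chip not in HYBRID_CHIPS:
        return []
    ports, vlans = parse_export(text)
    findings = []
    for item, params in sorted(ports.items()):
        name = f"ether{item + 1}"  # assumption: item N is ether(N+1)
        carried = sorted(v for v, members in vlans.items() if name in members)
        pvid = int(params.get("default-vlan-id", 0))
        # Assumption: a port listed in more than one VLAN entry is a trunk.
        if len(carried) > 1 and params.get("vlan-mode") == "secure" and pvid in carried:
            findings.append((name, pvid))
    return findings

if __name__ == "__main__":
    print(risky_trunks(FAILING, "QCA8337"), risky_trunks(FIXED, "QCA8337"))
```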
