AceBlade258
just joined
Topic Author
Posts: 13
Joined: Tue Sep 12, 2017 4:19 am

CenturyLink/Quantum VLAN 201 not forwarding on CSS610

Fri Nov 17, 2023 12:36 am

I recently picked up a CSS610-8G-2S+ to replace an ageing box of shortening for my edge switch, and am having some problems with its interaction with one of my ISPs: Quantum Fibre (formerly CenturyLink).

I have the ISP ONT connected to port 8, and it's configured with vlan 200 as default, and vlan 201 tagged; my upstream switch is connected via LACP on ports SFP1 and SFP2, which both have vlan 201 tagged on them.

css-610-vlan-config.png
css-610-vlans.png

When I put the CSS in place, my CHR is unable to connect via PPPoE to the ISP. I have this identical configuration working on the current Cisco, and have tested it works on a couple other switches I have lying around, so I am assuming I am missing some detail with SwOS configuration. I would appreciate any insight!
 
mkx
Forum Guru
Posts: 11646
Joined: Thu Mar 03, 2016 10:23 pm

Re: CenturyLink/Quantum VLAN 201 not forwarding on CSS610

Fri Nov 17, 2023 12:08 pm

The way you describe ONT's expectations (XXX vlan as default, 201 as tagged) mostly means that vlan 200 (as identified in ONT and possibly on ONT's upstream interface) will come out on ONT downstream interface as untagged. So on CSS you could tag it (back) to any VLAN ID, but it's sensible to keep using VLAN ID 200 (if that doesn't clash with other VLANs in your network) just to keep things simpler.

Now, on CSS, this means that ether8 is hybrid which is Mikrotik parlance for port which carries both untagged and (one or more) tagged VLANs. Port settings should be thus: "Default VLAN ID" set to 200 (or whatever you decide to use in your network) and "VLAN receive" set to "any" ... "VLAN mode" set to strict is fine. On the other config screen, you have to add VLAN 200 also to LACP bond (sfp1 and sfp2) where it will be transferred as tagged.

The other possibility is to pass frames, which are members of VLAN 200 in ONT (and upstream), as untagged. In this case you'd have to set "Default VLAN ID" on ether8 to 1 and "VLAN Receive" to any. But then you have to make ether8 a member of VLAN 1 (on the other configuration screen).

I'm all against the second option, IMO when one starts messing with VLANs, all frames inside LAN infrastructure should be tagged. CSS is your edge switch and on edge ports (ether8 in your case) you have to deal with specifics, required by "the alien side" (ONT), on the internal side (bond of sfp1 and sfp2) should hence be all tagged. Your router (CHR?) would then be configured with tagged VLAN 200 and would run PPPoE on top of it. The whole setup (between any of switches and CHR) would have to be configured with L2MTU larger than 12 (standard 1500 byte frames + 8 bytes for PPPoE headers + 4 bytes for VLAN headers) which is more down to VM hypervisor settings than to anything else.
 
k6ccc
Forum Guru
Posts: 1500
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: CenturyLink/Quantum VLAN 201 not forwarding on CSS610

Fri Nov 17, 2023 7:38 pm

Confirming that the ONT is expecting that all traffic between it and whatever connected device is VLAN tagged with VLAN 201. Also confirm that the VLAN 200 is simply a dummy number that does not exist anywhere (except SwitchOS requires you to put SOMETHING there). I do that on ports that are VLAN trunks that are VLAN tagged only. If that is the case, you don't even need to include it on the VLANs tab.
I'm suspecting that mkx misunderstood what VLAN 200 is - note that it does not go anywhere.
 
AceBlade258
just joined
Topic Author
Posts: 13
Joined: Tue Sep 12, 2017 4:19 am

Re: CenturyLink/Quantum VLAN 201 not forwarding on CSS610

Fri Nov 17, 2023 8:33 pm

The untagged VLAN on the ISP ONT doesn't matter - the current switch uses VLAN 1023; the test ones used various ones, including 200, to confirm. The traffic from/to the ISP is all on tagged VLAN 201, so I maintain that in my infrastructure - though I have tested that I don't need to, so long as the frames actually destined for the ISP enter the ONT tagged on 201.

I specifically want any traffic that isn't tagged 201 from the ONT to be dropped - and I don't want any traffic that isn't tagged 201 leaving that port.

Removing VLAN 200 from the configuration doesn't change anything.

I'll have to configure port mirroring and see if I can sniff the traffic; I'm suspicious the switch isn't forwarding the frames like it should be, and I am confused why.
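
Added example, not part of any post in this thread: one way to check frames taken from a mirror port for the condition described above, namely that PPPoE discovery traffic carries an 802.1Q tag with VLAN ID 201 and nothing else leaves or enters the ONT port. The function names and the sample frames are constructed for illustration; the frames are assumed to be raw Ethernet bytes exported from a capture.

```python
import struct

ETH_8021Q = 0x8100        # 802.1Q tag protocol identifier
ETH_PPPOE_DISC = 0x8863   # PPPoE discovery stage
ETH_PPPOE_SESS = 0x8864   # PPPoE session stage
PPPOE_CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT"}

def classify(frame: bytes, expected_vid: int = 201) -> dict:
    """Return VLAN ID, EtherType and PPPoE stage for one raw Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    vid, offset = None, 14              # vid None means the frame is untagged
    if ethertype == ETH_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vid, offset = tci & 0x0FFF, 18  # low 12 bits of the TCI are the VLAN ID
    pppoe = None
    if ethertype == ETH_PPPOE_DISC and len(frame) >= offset + 6:
        code = frame[offset + 1]        # PPPoE header: ver/type, code, session, length
        pppoe = PPPOE_CODES.get(code, f"code 0x{code:02x}")
    elif ethertype == ETH_PPPOE_SESS:
        pppoe = "session"
    return {"vid": vid, "ethertype": ethertype, "pppoe": pppoe,
            "ok": vid == expected_vid}

def unexpected(frames, expected_vid: int = 201) -> list:
    """Frames that are untagged or tagged with a VLAN other than expected_vid."""
    results = [classify(f, expected_vid) for f in frames]
    return [r for r in results if not r["ok"]]

def build(vid, ethertype, payload: bytes) -> bytes:
    """Construct a sample frame (broadcast destination, made-up source MAC)."""
    hdr = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
    tag = struct.pack("!HH", ETH_8021Q, vid) if vid is not None else b""
    return hdr + tag + struct.pack("!H", ethertype) + payload

PADI = bytes([0x11, 0x09]) + struct.pack("!HH", 0, 0)  # ver/type 0x11, code PADI
SAMPLES = [                       # constructed frames, not real capture data
    build(201, ETH_PPPOE_DISC, PADI),     # what the ONT should receive
    build(None, ETH_PPPOE_DISC, PADI),    # PADI that lost its tag
    build(200, 0x0800, b"\x45" + bytes(19)),  # IPv4 on the placeholder VLAN
]

if __name__ == "__main__":
    for result in map(classify, SAMPLES):
        print(result)
```
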
 
k6ccc
Forum Guru
Posts: 1500
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: CenturyLink/Quantum VLAN 201 not forwarding on CSS610

Fri Nov 17, 2023 10:53 pm

I don't see any major issues with your configuration. I do have an old recollection about LAGs having issues in some situations with VLANs. As a test, drop one of the connections in the LACP and see if that changes anything - you may need to remove the LACP, not just kill one of the ports.