Switch Port Configuration
Properties in this menu are used to configure switching and VLAN filtering parameters for switch chips that support the VLAN table. These properties are only available for switch chips with VLAN table support. Check the switch chip feature table to ensure your device supports this functionality.
Ingress traffic is traffic that comes INTO a specific port, this port is sometimes called the ingress port. Egress traffic is traffic that is sent OUT OF a specific port, this port is sometimes called the egress port. Distinguishing them is very important for proper VLAN filtering configuration, as some properties apply only to ingress or egress traffic.
Submenu: /interface ethernet switch port
Properties
| Property | Description |
|---|---|
vlan-modecheck | disabled | fallback | secureDefault: disabled | Changes the VLAN lookup mechanism in the VLAN table for ingress traffic. |
vlan-headeradd-if-missing | always-strip | leave-as-isDefault: leave-as-is | Sets the action performed on the port for egress traffic. |
default-vlan-idauto | integer: 0..4095Default: auto | Adds a VLAN tag with the specified VLAN ID to all untagged ingress traffic on the port. |
vlan-mode modes
disabled
Disables VLAN table checking completely for ingress traffic. No traffic is dropped when set on the ingress port.
fallback
Checks tagged traffic against the VLAN table for ingress traffic, forwards all untagged traffic. If ingress traffic is tagged and the egress port is not found in the VLAN table for the corresponding VLAN ID, the traffic is dropped. If the VLAN ID is not found in the VLAN table, the traffic is forwarded. Used to allow only known VLANs on specific ports.
check
Checks tagged traffic against the VLAN table for ingress traffic, drops all untagged traffic. If ingress traffic is tagged and the egress port is not found in the VLAN table for the corresponding VLAN ID, the traffic is dropped.
secure
Checks tagged traffic against the VLAN table for ingress traffic, drops all untagged traffic. Both ingress and egress ports must be found in the VLAN table for the corresponding VLAN ID, otherwise the traffic is dropped.
vlan-header modes
add-if-missing
Adds a VLAN tag to egress traffic and uses default-vlan-id from the ingress port. Should be used for trunk ports.
always-strip
Removes the VLAN tag from egress traffic. Should be used for access ports.
leave-as-is
Does not add or remove VLAN tags from egress traffic. Should be used for hybrid ports.
default-vlan-id configuration
Adds a VLAN tag with the specified VLAN ID to all untagged ingress traffic on the port. Should be used with vlan-header set to always-strip on the port to configure the port as an access port. For hybrid ports, default-vlan-id is used to tag untagged traffic. If two ports have the same default-vlan-id, the VLAN tag is not added, as the switch chip assumes traffic is forwarded between access ports.
QCA8337 and Atheros8327 switch chips ignore the vlan-header property and use the default-vlan-id property to determine which ports are access ports. vlan-header is set to leave-as-is and cannot be changed, while the default-vlan-id property should only be used on access ports to tag all ingress traffic.