EAP650-Desktop Ethernet ports – are they full 802.1Q switch ports or policy-limited access ports?

Yesterday
Model: EAP650-Desktop  
Hardware Version: V1
Firmware Version: 1.0.2 Build 20250123 Rel. 43117

Hi everyone!

 

I am troubleshooting a reproducible L2 issue involving EAP650-Desktop and would like to clarify the intended and actual behavior of its Ethernet ports.

More than asking for a workaround, I want to learn how configurable these ports really are and whether they can be used as full 802.1Q switch ports. That is important to me as I planned to use EAP650-Desktop instead of a basic AP + dedicated switch.

 

My topology (simplified)

 

  • VLANs:
    • 10, 20, 30
    • 42 - default/management
  • EAP650-Desktop

    • EAP650-Desktop(EU) v1.0, 1.0.2 Build 20250123 Rel. 43117

    • Uplink (ETH0): trunk to Omada gateway (ER7206 v2.20, 2.2.3 Build 20250723 Rel.05551)

    • Downlink ports used for wired clients

  • PC – wired, VLAN 10

  • Server (Linux) – wired, multi-VLAN (VLAN 10 + 20 + 42), Linux bridge + VLAN subinterfaces

    • server has IPs from VLANs 10 and 42

    • VM inside, linked to the bridge, which is linked to VLAN 20

  • TV – wired, VLAN 20

  • Mobile phone – Wi-Fi, VLAN 10

 

All devices are connected to the same EAP650-Desktop.

 

For the purpose of debugging, I disabled all custom ACL rules in the network, so basically everyone should see everyone.

 

Observed behavior

 

What works

  • all devices have internet connectivity

  • VLAN 10 works in general:

    • PC ↔ router ✔

    • PC ↔ Wi-Fi VLAN 10 clients ✔

    • Server ↔ Wi-Fi VLAN 10 clients ✔

  • Inter-VLAN routing generally works:

    • Mobile (Wi-Fi, VLAN 10) → VM (VLAN 20) ✔

    • Router → VM (VLAN 20) ✔

  • VLAN 20 on wired port works:

    • TV (VLAN 20) is reachable from (most) devices ✔

 

Disclaimer: I didn't test two wired pure-VLAN10 devices against each other. But I strongly believe that will just work. (I can verify that later if needed.)

 

What does NOT work

  • PC ↔ Server (both wired, both VLAN 10) ❌

  • TV ↔ VM (VM inside server, both VLAN 20) ❌

 

Problem details

 

On the server, I captured traffic directly on the physical NIC (enp7s0):

 

sudo tcpdump -eni enp7s0 arp 

 

The server does send correctly tagged ARP requests into VLAN 10 (.11 is the server, .13 is the PC)

 

22:cd:9d:b0:6f:83 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), vlan 10, ARP, Request who-has 192.168.10.13 tell 192.168.10.11 

 

So:

  • ARP leaves the server

  • VLAN tagging seems correct

  • Linux bridge / netplan / VLAN configuration seems correct

 

However, on the PC, even while this capture is running, the ARP never appears! The PC never learns the server’s MAC address and vice versa.

At the same time:

  • The PC does see ARP from other VLAN 10 devices

  • Other devices do see the server

 

This IMO proves that the ARP frame leaves the server NIC but is dropped somewhere between the two wired ports of the same EAP650-Desktop.

 

Additional important test

 

When I temporarily set the server’s AP port to a specific VLAN (e.g. VLAN 30) instead of “Default”:

  • The server receives only that VLAN

  • All other VLANs disappear immediately

  • Netplan configuration unchanged

This behavior is consistent with an access-style port, not a transparent trunk. Which is OK, I guess?

 

What this rules out

 

Based on the above:

  • ❌ Linux bridge / VLAN misconfiguration (verified by tcpdump)

  • ❌ Router / inter-VLAN ACLs (mobile client works)

  • ❌ VLAN 10 in general (other clients work)

  • ❌ PC issue (PC communicates with others in VLAN 10)

 

The problem seems to be isolated to wired port ↔ wired port forwarding inside EAP650-Desktop, between "access" and "trunk" ports.

 

The core questions

 

How are Ethernet ports on EAP650-Desktop actually implemented?

Specifically:

  1. Are ETH1-3 ports:

    • full IEEE 802.1Q transparent switch ports, or

    • policy-based / access-only ports with limited VLAN handling?

  2. Is it supported to connect a multi-VLAN endpoint (e.g. a server with tagged VLANs) to an EAP650-Desktop port and expect:

    • full L2 forwarding (ARP, broadcast, unicast)

    • symmetric behavior between wired ports?

  3. If not:

    • what are the documented limitations?

    • is this behavior by design, or a bug?

 

The Omada Controller UI exposes “Native VLAN” per port, but based on observed behavior and real traffic capture, it does not match a classical managed switch model - having there "Default" causes trunk-like behavior, while choosing "Custom" with VLAN ID causes access-like behavior.

 

Thanks for the answer!

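The debugging method in the post (capture ARP at the sending NIC, then check whether the same frames show up at the peer) can be automated. The script below is an added example and is not part of the original post or of any TP-Link tool: it parses the abbreviated `tcpdump -eni <if> arp` line format quoted above (a leading timestamp is tolerated), lists ARP requests that never received a reply in their VLAN, and lists requests that left the server's NIC on a given VLAN but were never seen at a second capture point. The two captures are constructed sample data, the router/PC MAC addresses are made up, and the assumption that the PC sits on an access-style port (so its capture is untagged and only sender/target addresses can be compared, not the tag) is mine.

```python
"""Compare ARP visibility at two capture points to localise a dropped frame.

Added example, not from the original post. Parses the abbreviated
``tcpdump -eni <if> arp`` line format quoted in the thread and reports
(a) requests with no reply in their VLAN and (b) requests seen at the
sender's NIC that are absent at a second capture point.
"""
import re

# Constructed sample captures (not real traffic). The server line matches
# the one quoted in the post; the router MAC ac:15:... and the PC MAC
# 28:d2:... are invented for the example.
SERVER_CAPTURE = """\
22:cd:9d:b0:6f:83 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), vlan 10, ARP, Request who-has 192.168.10.13 tell 192.168.10.11
22:cd:9d:b0:6f:83 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), vlan 10, ARP, Request who-has 192.168.10.13 tell 192.168.10.11
22:cd:9d:b0:6f:83 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), vlan 42, ARP, Request who-has 192.168.42.1 tell 192.168.42.11
ac:15:a2:01:02:03 > 22:cd:9d:b0:6f:83, ethertype 802.1Q (0x8100), vlan 42, ARP, Reply 192.168.42.1 is-at ac:15:a2:01:02:03
"""

# What the PC (access-style port, so untagged frames) sees at the same time:
# the router's ARP arrives, the server's never does.
PC_CAPTURE = """\
ac:15:a2:01:02:03 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), Request who-has 192.168.10.13 tell 192.168.10.1
28:d2:44:aa:bb:cc > ac:15:a2:01:02:03, ethertype ARP (0x0806), Reply 192.168.10.13 is-at 28:d2:44:aa:bb:cc
"""

# Optional timestamp, src > dst MACs, optional "vlan N", then request or reply.
ARP_RE = re.compile(
    r"^(?:\S+\s+)?(?P<src>[0-9a-f:]{17}) > (?P<dst>[0-9a-f:]{17}),.*?"
    r"(?:vlan (?P<vlan>\d+).*?)?"
    r"(?:Request who-has (?P<target>[\d.]+) tell (?P<sender>[\d.]+)"
    r"|Reply (?P<rip>[\d.]+) is-at (?P<rmac>[0-9a-f:]{17}))"
)


def parse_arp(capture):
    """Return one dict per ARP frame the regex recognises; vlan None = untagged."""
    frames = []
    for line in capture.splitlines():
        m = ARP_RE.search(line)
        if not m:
            continue
        vlan = int(m["vlan"]) if m["vlan"] else None
        if m["target"]:
            frames.append({"op": "request", "vlan": vlan,
                           "sender": m["sender"], "target": m["target"]})
        else:
            frames.append({"op": "reply", "vlan": vlan,
                           "sender": m["rip"], "mac": m["rmac"]})
    return frames


def unanswered(frames):
    """(vlan, sender, target) of requests with no matching reply in that VLAN."""
    replies = {(f["vlan"], f["sender"]) for f in frames if f["op"] == "reply"}
    pending = {(f["vlan"], f["sender"], f["target"])
               for f in frames if f["op"] == "request"}
    missing = [t for t in pending if (t[0], t[2]) not in replies]
    # Untagged (None) and tagged entries must not be compared directly.
    return sorted(missing, key=lambda t: (t[0] is None, t[0] or 0, t[1], t[2]))


def missing_at(observer, origin, observer_vlan):
    """Requests sent on observer_vlan (as seen at the origin NIC) that never
    reach the observer. Assumption: the observer is on an access-style port,
    so its capture is untagged and only (sender, target) can be compared."""
    seen = {(f["sender"], f["target"]) for f in observer if f["op"] == "request"}
    sent = {(f["sender"], f["target"]) for f in origin
            if f["op"] == "request" and f["vlan"] == observer_vlan}
    return sorted(sent - seen)


if __name__ == "__main__":
    srv, pc = parse_arp(SERVER_CAPTURE), parse_arp(PC_CAPTURE)
    print("unanswered at server NIC:", unanswered(srv))
    print("sent by server on VLAN 10, never seen at PC:", missing_at(pc, srv, 10))
```

Feed it real captures from both ends (`tcpdump -eni enp7s0 arp > server.txt` on the server and the equivalent on the PC) and the second report tells you which frames vanished between the two ports; an empty first report while the second is non-empty is exactly the "leaves the NIC, never arrives" pattern the post describes.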
#1
Re:EAP650-Desktop Ethernet ports – are they full 802.1Q switch ports or policy-limited access ports?
Yesterday
BTW, the port settings (regarding VLANs) seem to be the same on ER7206, where it's also... confusing. To me at least. Is it documented somewhere? 🙏
#2
Re:EAP650-Desktop Ethernet ports – are they full 802.1Q switch ports or policy-limited access ports?
Yesterday

  @jendakol 

 

A similar question to your first core question was asked in another forum some three months ago. After reading it and out of curiosity, I decided to do a quick test as I do not use the additional ports on the three units that I have here. I plugged a laptop into one of the extra ports and the laptop received an IP address from the default network. I then configured the laptop's network adapter to use a VLAN ID. After the laptop reconfigured the connection, it then received an IP address from the new VLAN. This means the tagged VLANs appear on the ports and the ports can be used as trunk ports. If you use a controller, you can also configure the ports as access ports with a PVID.

 

My conclusion was that the ETH1-ETH3 ports are either configured as a trunk port (default untagged VLAN + tagged VLANs) or an access port (untagged VLAN) from whatever comes in on ETH0. I never found any documentation on this nor did I do any further testing to determine how well any downstream devices might behave. It will be interesting to see what the moderators have to say on this.

 

1x ER7406 1x OC300 4x SG2008 1x EAP610 3x EAP650-Desktop
#3
Re:EAP650-Desktop Ethernet ports – are they full 802.1Q switch ports or policy-limited access ports?
Yesterday
Hi, I actually found the topic and your response there :), but decided to open a new topic to discuss this explicitly - besides other reasons, exactly because your response is one of the very few pieces of information available on this topic. I can confirm what you say, I *can* get an IP from all VLANs available on that port. The problem comes after that... And IMO to be fully 802.1Q compatible, it needs to be possible to set the VLANs in a more detailed way, not just ACCESS or "TRUNK with everything and management as PVID". Just the way Omada switches offer. Of course, correct me if I'm wrong...
#4
Re:EAP650-Desktop Ethernet ports – are they full 802.1Q switch ports or policy-limited access ports?
Yesterday

  @jendakol 

 

When we get an answer from the moderators, I expect to hear that the EAP's port switching is an "all or nothing" function when it comes to VLAN tagging as opposed to the capabilities of an Easy Smart or an L2+ Omada switch. Most likely, it will be due to hardware limitations.

 

1x ER7406 1x OC300 4x SG2008 1x EAP610 3x EAP650-Desktop
#5
Re:EAP650-Desktop Ethernet ports – are they full 802.1Q switch ports or policy-limited access ports?
Yesterday
This is very possible. Still, I'd love to read that in the device specifications beforehand, and not find out after I have it at home and spent hours debugging 😅 Because as I wrote in the OP, I've chosen this device to replace AP + switch, and if it can't work that way, I may replace it with some other simpler AP...
#6
Re:EAP650-Desktop Ethernet ports – are they full 802.1Q switch ports or policy-limited access ports?
Yesterday

  @jendakol 

 

The ports on it are driven by a very basic switch chip. Without specifically setting a PVID on them in the controller, they will effectively replicate the trunked port coming into the device over the uplink, like an unmanaged switch.

 

You can set a port PVID on them in the controller, which will change them to native access ports, but that's about all you can do. No QoS, no 802.1X. I don't *think* they support ACLs either (the EAP does on the wireless side, I don't think it does on the port side).

#7
Re:EAP650-Desktop Ethernet ports – are they full 802.1Q switch ports or policy-limited access ports?
Yesterday

  @GRL 

 

Exactly what I observed, yes. Thanks.

Still it doesn't say anything about why my devices don't see each other (or does it?). 

 

And even admitting that this is how you say makes me ask what the purpose of that device is then, because from a price PoV, it's EAP65x + ES205G, but those two together would work better, it seems. But maybe I'm just missing something.
