cnMatrix System Software 4.1.1-r2 / 25-Aug-21 BUG


I tested cnMatrix for my future project.
I found an issue (or feature by design which is wrong!).

When using the switchport mode trunk command on an interface, that interface automagically becomes a member of VLAN 1 (and a member of all other VLANs which are configured manually, and that is fine).
If I put the command no port all under vlan 1, the switch accepts the command but that trunk interface is still a member of VLAN 1.


If I put that interface to hybrid, automagically that interface is not a member of VLAN 1.

I can configure a hybrid port on the other side and use the mgmt VLAN as pvid / untagged (Mikrotik), and also on cnMatrix, but I want all VLANs to pass as tagged.

So, what do I need to configure on an interface which is configured as a trunk so that it does not become a member of VLAN 1?

Please, any answer, yes, no?
The trunk port feature is 30 years old and on cnMatrix it is not working as it should (VLAN 1 can’t be excluded).

Ignoring the problem is not a solution!
Ubnt, TP-Link, Cisco, Mikrotik, Huawei, they all work as expected regarding trunk port mode.

cnMatrix as an enterprise switch, unlikely


My apologies for the delayed response. Somehow I did not receive your earlier post. Please find the description below of the different port modes on cnMatrix.

Each port on a cnMatrix switch can be configured as access, trunk, or hybrid port. Here’s a description of these port types:

Access Mode

A port that can be assigned to a single VLAN. It accepts and transmits only untagged frames. Access port is typically connected to desktop PC or devices incapable of handling tagged frames.

Trunk Mode

A port that is auto associated to ALL VLANs. It accepts both tagged and untagged frames, but only transmits tagged frames, including the pvid. Trunk port is typically connected to another switch or router.

Hybrid Mode

Default mode. A port that can be assigned to multiple VLANs. Unlike a trunk port, user must manually assign hybrid port to selected VLANs. It accepts and transmits both tagged and untagged frames. By default, hybrid port transmits untagged frames for the pvid. Hybrid port is typically connected to servers, APs, IP Phones etc.

Our implementation of trunk port is equivalent to Cisco’s trunk mode with ‘Allowed All’, and hence the port carries traffic for ALL VLANs.


Hi, my CCNP is telling me that I know the difference between access and trunk ports and your statement is not true. On Cisco switches you CAN EXCLUDE VLAN 1 or any other VLAN on a trunk port, and I as admin don't want to use VLAN 1 at all.

Example from real life: imagine you have IP phones which are configured for VLAN 10 only (tagged) and no other VLANs must be sent to the IP phone.
With cnMatrix there is also VLAN 1 tagged on that trunk port where the phone is connected, why would I want that?

The admin decides which VLAN will be added to a trunk port.
I am OK if the switch adds VLAN 1 to the trunk port by itself, but I am not OK with no possibility to remove that VLAN 1 manually.


cnMatrix’s switchport mode configuration does not exactly follow Cisco’s syntax.

Our trunk mode is equivalent to executing Cisco’s command: “switchport trunk allowed vlan all”

To exclude VLAN 1 from a port, you want to use hybrid mode which can carry traffic for multiple vlans (similar to trunk). The vlan membership is flexible, but has to be configured manually.
In your example of the IP phone, you don’t want the port to be in ALL VLANs, so a trunk port would not work. In this case, you want to configure the port in hybrid mode, and assign it to the voice and data VLANs. The data vlan can be the port’s pvid so data traffic can egress untagged.

Please let me know if you need help with configuring the VLANs for hybrid port.
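
An added example, not part of the thread and not vendor code: a small Python model of the three port modes as support describes them above, used to flag ports that would carry VLANs beyond what the admin intends. The port names, VLAN IDs, the `intended` field and the use of `pvid` as the access VLAN are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample: VLANs defined on a hypothetical switch.
SWITCH_VLANS = {1, 10, 20, 30}

@dataclass
class Port:
    name: str
    mode: str                                     # "access", "trunk" or "hybrid"
    pvid: int = 1
    members: set = field(default_factory=set)     # manual assignment (hybrid only)
    intended: set = field(default_factory=set)    # VLANs the admin wants on the wire

def egress(port, switch_vlans):
    """Map each VLAN the port transmits to 'tagged' or 'untagged'."""
    if port.mode == "access":
        # Single VLAN, untagged frames only (modelled here via pvid).
        return {port.pvid: "untagged"}
    if port.mode == "trunk":
        # Auto-associated to ALL VLANs; transmits tagged only, pvid included.
        return {v: "tagged" for v in switch_vlans}
    if port.mode == "hybrid":
        # Manual membership; the pvid egresses untagged by default.
        return {v: ("untagged" if v == port.pvid else "tagged")
                for v in port.members}
    raise ValueError(f"unknown port mode: {port.mode}")

def unintended(port, switch_vlans):
    """VLANs the port carries that are not on the admin's intended list."""
    return sorted(set(egress(port, switch_vlans)) - port.intended)

def audit(ports, switch_vlans):
    """Return {port name: [unintended VLANs]} for ports that leak VLANs."""
    findings = {}
    for p in ports:
        extra = unintended(p, switch_vlans)
        if extra:
            findings[p.name] = extra
    return findings

# Constructed ports: a phone on a trunk, the same phone on a hybrid port
# (voice 10 tagged, data 20 as untagged pvid), and a desktop on an access port.
PORTS = [
    Port("port-1", "trunk", intended={10}),
    Port("port-2", "hybrid", pvid=20, members={10, 20}, intended={10, 20}),
    Port("port-3", "access", pvid=20, intended={20}),
]

if __name__ == "__main__":
    for name, extra in audit(PORTS, SWITCH_VLANS).items():
        print(f"{name}: carries unintended VLANs {extra}")
```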


Dear support, I am testing your switches from beta software and report too many bugs to you, for free, many hours spent because I want to and I like networking.

Hybrid port is what I did as a workaround. I have no problems with configuration, I just want to use a trunk port without VLAN 1.

In my example in the post before, where did I mention anything about a data VLAN on the PC port of the phone? I didn't…

Sometimes customers want only tagged voice traffic on the phone, which means 1 VLAN, and the same must be on the switch (possible on any vendor except cnMatrix).

P.S. Another bug: it is not possible to use a domain name for NTP via the web (for those who are using the web, not the CLI).

Over and out. Thanks