Bug: CRS317 cuts off C-tag in qinq packets

TestCRS · May 15, 2018, 2:45pm

That is what i was referring to, according to the documentation for QinQ to work you will have 1 vlan(17/27 c-tag) inside another vlan(11 s-tag) and it to ethernet trunk which will be the ethernet port from ISP with vlan11. That is why i was saying for that to work it’d require layer3 which won’t be hw-offloaded.
/interface vlan
add interface=bridge1 name=vlan11 use-service-tag=yes vlan-id=11
add interface=vlan11 name=vlan17 vlan-id=17
add interface=vlan11 name=vlan27 vlan-id=27

/interface bridge port
add bridge=bridge1 ingress-filtering=yes interface=t01 pvid=11
add bridge=bridge1 interface=vlan17 ingress-filtering=yes pvid=17
add bridge=bridge1 interface=vlan27 ingress-filtering=yes pvid=27

/interface bridge vlan
add bridge=bridge1 tagged=bridge, t01 vlan-ids=11 #Assuming t01 is ISP and t02 is internal with vlans coming in tagged already
add bridge=bridge1 tagged=vlan11, t02 vlan-ids=17
add bridge=bridge1 tagged=vlan11, t02 vlan-ids=27
This might and probably is bs but hey this is after all a forum and after re-reading the documentation as i was suggested is the conlusion i came to, i tried his on a CRS112 and it doesn’t work don’t know the reason wasn’t able to do a packet capture of the output on isp port to see if anything was tagged.

I will add to understand: tags 17 and 27, as it should be applied only if a packet arrives without the label. Ports t01 and t02 are transit, in cisco qinq terms they must be NNI. the task of the switch is simply to pass a packet with a double label through itself from port t01 to port t02 (and backward). internal C-tag labels can be any, they should not be known to the switch.

RoadkillX · May 15, 2018, 2:48pm

Ok so this switch is the middle switch then It doesn’t have to add a c-tag only switch based on service vlan instead if user vlan.

/interface bridge
add name=bridge0 igmp-snooping=no  protocol-mode=none
/interface bridge port
add bridge=bridge0 interface=t01 hw=yes
add bridge=bridge0 interface=t02 hw=yes

/interface ethernet switch
set bridge-type=service-vid-used-as-lookup-vid

Nothing to lose with trying.

TestCRS · May 17, 2018, 4:26am

Ok so this switch is the middle switch then It doesn’t have to add a c-tag only switch based on service vlan instead if user vlan.
/interface bridge
add name=bridge0 igmp-snooping=no  protocol-mode=none
/interface bridge port
add bridge=bridge0 interface=t01 hw=yes
add bridge=bridge0 interface=t02 hw=yes

/interface ethernet switch
set bridge-type=service-vid-used-as-lookup-vid
Nothing to lose with trying.

yes, nothing to lose, but all vlans packets transmitted over all ports.
I tested this option in practice. If you remove the vlan-filtering=yes option, the switch turns into a hub ). Think you read the https://wiki.mikrotik.com/wiki/Manual:CRS3xx_series_switches#VLAN.

artz · May 17, 2018, 10:01am

Currently RouterOS bridge is only 802.1Q aware, support for 802.1ad is planned (with hardware offloading for CRS3xx).
RouterOS checks the outer tag and checks if the tag is 802.1Q (0x8100), but in case of SVID it sees 802.1ad (0x88A8) and assumes it as an untagged frame since a tagged frame is considered when a 802.1Q aware bridge receives a 802.1Q tag, inner tags are ignored. The same principal can be applied to a 802.1ad aware bridges.

If you add an entry to the bridge VLAN table for VLAN ID that matches the port PVID and specify the port as untagged, then the bridge will not change the VLAN tag and will allow the packet to be forwarded, but SVID or CVID filtering is not possible since a 802.1Q bridge is looking for and changing only 802.1Q tags right after the Ethernet header.

If you do want for some very odd reasons to make SVID and CVID packets to be forwarded (but without filtering) while VLAN filtering is enabled, then here is an example:

/interface bridge
add name=bridge1 protocol-mode=none vlan-filtering=yes
/interface bridge port
add bridge=bridge1 hw=no interface=t01 pvid=17
add bridge=bridge1 hw=no interface=t02 pvid=27
/interface bridge vlan
add bridge=bridge1 untagged=t01,t02 vlan-ids=17,27

RoadkillX · May 17, 2018, 3:50pm

I don’t know the inner workings of CRS3xx but on CRS1xx/2xx you can add all ports to a bridge and do all your vlans and qinq in /interface ethernet switch so the switch will not be working as a hub even though bridge vlan-filtering is not enabled because the switch chip is doing all the tagging work and the effect of the above rule would be that incoming packets on an interface would be switched based on service-vid which in your case would be 11 s-tag instead of the default which is to switch based on customer-vid since there is no qinq been done.

hknet · May 17, 2018, 6:35pm

q.e.d.

RoadkillX · May 17, 2018, 8:50pm

You want a cookie or a tap on the back? …

Chupaka · May 18, 2018, 1:14pm

Version 6.43rc14 has been released.

*) bridge - added initial Q-in-Q support (CLI only);
*) crs3xx - added initial Q-in-Q hardware offloading support (CLI only);