Cannot get gbit switch performance on RB2011

I’ve recently bought an RB2011 and so far I’m pretty happy with it. Considering the flexibility of RouterOS, I’m wondering if I configured my router correctly: I only get ~800MBit switch performance with CPU loaded to 80%. I have the idea that the CPU is doing more than it should, how can I diagnose and solve this? I’m using VLANs and understand some VLAN configurations are hardware accelerated while others are not (http://forum.mikrotik.com/t/vlan-bridge-new-way-hw-offload-and-performance/132317/23), however I’m not sure how to check or fix this. Does anyone have an idea?

RB2011 CPU usage during transfer:

```text
[admin@rb2011] > /tool profile
NAME            CPU USAGE
ethernet        26.5%
console         0%
flash           0%
ssh             0.5%
dns             0%
firewall        0%
networking      32.5%
logging         0.5%
management      1.5%
profiling       3.5%
queuing         0%
bridging        11.5%
unclassified    7%
total           83.5%
```

iperf3 summary:

```text
[ ID] Interval           Transfer     Bitrate
[  7]   0.00-10.00  sec   983 MBytes   825 Mbits/sec                  sender
[  7]   0.00-10.00  sec   983 MBytes   824 Mbits/sec                  receiver
```

I documented my configuration here: http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/136

I’ve read up on different VLAN methods and I think I understand I’ve been using CPU VLAN-filtering in a bridge, instead of using switch VLAN-filtering in the ethernet interfaces, but to be honest I’m quite confused about it.

What I found:

This post explains there are two VLAN methods: http://forum.mikrotik.com/t/vlan-bridge-new-way-hw-offload-and-performance/132317/1 and recommends using https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Port_Switching for VLAN filtering.

This wiki page mentions that my switches (RB2011 with Atheros8327 and Atheros8337) do have ‘VLAN table’ capabilities, good news! https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Introduction such that I can do some VLAN switching.

However, here it’s mentioned that there is a ‘new method’ since 6.41: https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#Bridge_Hardware_Offloading, but my switches don’t support ‘Bridge VLAN Filtering’.

I also read that devices with two switches (like RB2011) cannot do switch-level VLAN filtering: https://wiki.mikrotik.com/wiki/Manual:Layer2_misconfiguration#VLAN_filtering_with_multiple_switch_chips

Finally, I used the ‘new’ recommended bridge-based method to configure my VLANs (I think), based on the guidance in topic http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1; however, no port has hw-offload enabled (even though all ports have ‘HW=yes’ set):

```text
[admin@rb2011] /interface bridge port> print
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload 
 #     INTERFACE      BRIDGE         HW  PVID PR  PATH-COST INTERNA...    HORIZON
 0     ether1         bridge1        yes   99 0x         10         10       none
 1 I   ether3         bridge1        yes   10 0x         10         10       none
 2 I   ether4         bridge1        yes   10 0x         10         10       none
 3 I   ether7         bridge1        yes   99 0x         10         10       none
 4 I   ether9         bridge1        yes   99 0x         10         10       none
 5 I   ether2         bridge1        yes   99 0x         10         10       none
 6     ether5         bridge1        yes   99 0x         10         10       none
 7     ether8         bridge1        yes   99 0x         10         10       none
 8 I   ether10        bridge1        yes   99 0x         10         10       none
 9     ether6         bridge1        yes   99 0x         10         10       none
```

How can I use hardware-accelerated VLAN switching on my RB2011 using two switches? I’m somewhat confused by the documentation and changes since 6.41 that are not listed everywhere. Hope somebody can help 🙂
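The distinction raised in the post above, between the configured `HW` column and the `H` flag that marks offload as actually active, can be checked mechanically. This is an added example, not part of the original post: the function names are hypothetical, and the sample reuses three rows from the output above plus one constructed row carrying the `H` flag.

```python
import re

# Rows 0, 1 and 6 come from the print output in the post; row 10 is constructed
# to show how a port with active offload (flag H) appears.
SAMPLE = """\
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload
 #     INTERFACE      BRIDGE         HW  PVID PR  PATH-COST INTERNA...    HORIZON
 0     ether1         bridge1        yes   99 0x         10         10       none
 1 I   ether3         bridge1        yes   10 0x         10         10       none
 6     ether5         bridge1        yes   99 0x         10         10       none
10   H sfp1           bridge2        yes    1 0x         10         10       none
"""

# Row layout: index, optional flag letters, interface, bridge, hw setting, PVID.
ROW = re.compile(
    r"^\s*(?P<idx>\d+)\s+(?P<flags>(?:[XIDH]+\s+)*)"
    r"(?P<iface>\S+)\s+(?P<bridge>\S+)\s+(?P<hw>yes|no)\s+(?P<pvid>\d+)"
)

def parse_bridge_ports(text):
    """Return one dict per port row; the prompt, legend and header are skipped."""
    ports = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            ports.append({
                "iface": m["iface"],
                "bridge": m["bridge"],
                "flags": set(m["flags"].replace(" ", "")),
                "hw_setting": m["hw"] == "yes",
                "pvid": int(m["pvid"]),
            })
    return ports

def software_bridged(ports):
    """Active ports with hw=yes configured but no H flag, so bridged by the CPU."""
    return [p["iface"] for p in ports
            if p["hw_setting"] and not p["flags"] & {"H", "X", "I"}]

if __name__ == "__main__":
    for name in software_bridged(parse_bridge_ports(SAMPLE)):
        print(f"{name}: hw=yes is set but offload is not active")
```
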

The only solution is presented in the Wiki pages you have been looking at https://wiki.mikrotik.com/wiki/Manual:Layer2_misconfiguration#Solution_10 - you have to configure the two switch chips with separate bridges and sacrifice two ports to link them together.

Thanks for your reply, tdw 🙂. Is there no way that I can get hardware performance on traffic within one switch, and only use the bridge for inter-switch traffic? That would already be a great solution. More specifically, what goes wrong in the example on https://wiki.mikrotik.com/wiki/Manual:Layer2_misconfiguration#Configuration_10? Of the issues listed (Packets being dropped, Low throughput), I already have low throughput (because ALL traffic goes over CPU), and why are packets being dropped? Hope somebody can help!

You can configure VLANs on the switch chip directly via the menu–>switch item, see link below.

https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features

Also keep in mind, any “routing” will have to be done via CPU, so if there is any routing between VLANs, the above will not make any difference.

It would be, but I suspect the issue is due to the underlying mechanisms copying the switch hardware FDB tables to the bridge FDB which, given that Mikrotik suggest the external hardware connection, is unlikely to be fixed.

It depends on your use case - if the devices connected to the switch ports are communicating with devices on other switch ports, or the internet, then the traffic is being routed by the CPU anyway so using a software VLAN-aware bridge has little additional effect on throughput. If you have some devices on the same VLAN which you wish to have wire-speed traffic between then either the solution Mikrotik suggest in the Wiki, or an additional switch.

If you are using different VLANs on ports1-5 than on ports6-10 (e.g. VLANs 10,11,12 on ports1-5 and VLANs 20,21 on ports6-10, for example) you may be able to use two non-VLAN-aware bridges and switch chip setup as the FDB tables are completely unrelated, but I’ve not tested this.