CCR2216 CPU Problem

ourplan · March 1, 2023, 10:36am

Hello friends.
We have a CCR2216 device and Bonding, BGP is used in our device. Fasttrack is active. Our active traffic is around 15Gbps and CPU is over 70%. I’m posting the main settings on the device below. Can you help with the cause and solution?

/interface bridge
add name=NASBridge
/interface ethernet
set [ find default-name=sfp28-1 ] auto-negotiation=no name=sfp-sfpplus1 \
    speed=10Gbps
set [ find default-name=sfp28-2 ] auto-negotiation=no comment=CCR02 name=\
    sfp-sfpplus2 speed=10Gbps
set [ find default-name=sfp28-3 ] auto-negotiation=no comment=CCR03 \
    speed=10Gbps
set [ find default-name=sfp28-4 ] auto-negotiation=no comment=CCR04 \
    speed=10Gbps
set [ find default-name=sfp28-5 ] auto-negotiation=no comment=CCR05 \
    speed=10Gbps
set [ find default-name=sfp28-6 ] auto-negotiation=no comment=CCR06 \
    speed=10Gbps
set [ find default-name=sfp28-7 ] auto-negotiation=no comment=CCR07 \
    speed=10Gbps
set [ find default-name=sfp28-11 ] auto-negotiation=no comment=\
    Internet1_Bonding speed=10Gbps
set [ find default-name=sfp28-12 ] auto-negotiation=no comment=\
    Internet2_Bonding speed=10Gbps
/interface vlan
add interface=sfp-sfpplus2 name=NasVlan2 vlan-id=301
add interface=sfp28-3 name=NasVlan3 vlan-id=301
add interface=sfp28-4 name=NasVlan4 vlan-id=301
add interface=sfp28-5 name=NasVlan5 vlan-id=301
add interface=sfp28-6 name=NasVlan6 vlan-id=301
add interface=sfp28-7 name=NasVlan7 vlan-id=301
/interface bonding
add mode=802.3ad name=TT_Bonding slaves=sfp28-12,sfp28-11 \
    transmit-hash-policy=layer-2-and-3
/interface vlan
add interface=TT_Bonding name=TT_VlanBonding vlan-id=302
/interface ethernet switch
set 0 l3-hw-offloading=yes
/routing bgp template
set default as=xxxxx disabled=no routing-table=main
/interface bridge port
add bridge=NASBridge interface=NasVlan3
add bridge=NASBridge interface=NasVlan4
add bridge=NASBridge interface=NasVlan5
add bridge=NASBridge interface=NasVlan6
add bridge=NASBridge interface=NasVlan7
add bridge=NASBridge interface=NasVlan2
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set rp-filter=loose tcp-syncookies=yes
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
/routing bgp connection
add address-families=ip as=xxxx connect=yes disabled=no listen=yes \
    local.address=x.x.x.x .role=ebgp multihop=yes name=BGP \
    output.network=bgp_network remote.address=x.x.x.x/32 .as=xxxx \
    router-id=x.x.x.x routing-table=main
/routing filter community-list
add communities=9121:666 disabled=no list=set1
/routing filter rule
add chain="" disabled=no rule=""

erlinden · March 1, 2023, 10:49am

Should look more closely…why don’t you add the VLAN on the bridge? Or better, what is the purpose of the VLAN? Or even “more” better, can you draw a diagram of how this device is supposed to work?

For reference:
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

StubArea51 · March 1, 2023, 12:49pm

If you’re doing fw offload (as opposed to hw offload) then all of the ports need to be disabled for hw offload in the switch menu and it doesn’t look like that’s configured.

Hw offload still needs to be enabled globally.

ourplan · March 1, 2023, 2:31pm

Thanks for the answer.
First of all, 10Gbps two separate entrances are combined with bonding and the internet is covered with Vlan. There are sub-vlans defined on the provided internet, and we direct them to NAS. In addition, we meet our IP addresses defined with BGP. There is no other building. My guess is CPU spikes due to bonding, but I'm not entirely sure.

ourplan · March 1, 2023, 2:31pm

Thanks for the answer.
As you stated, Hw offload is disabled. When we activate it, nothing changes on the CPU side.

StubArea51 · March 1, 2023, 2:39pm

fw offload has some limitations that hw offload does not have - if you’re trying to run connection tracking or NAT, then fw offload is what you’re trying to do.

Here is more detailed info:

http://forum.mikrotik.com/t/l3hw-firewall-offloading-doesnt-offload-inter-vlan-traffic/164575/12

@MikroTik any idea if the limitations in that thread from 7.6 are still relevant?

blacksnow · March 1, 2023, 3:25pm

L3HW Offload (FW - specific) doesn’t work with VLANs. Submit a ticket, maybe we can get this pushed to high priority to get fixed.

http://forum.mikrotik.com/t/l3hw-firewall-offloading-doesnt-offload-inter-vlan-traffic/164575/1

ourplan · March 2, 2023, 2:37pm

As you mentioned, there is hw operation with the bonding interface, but hw does not appear to be active for the vlan interface ports.
In fact, I think the main reason for this high cpu may be something other than l3hw. Networking and ethernet usage is high in CPU usage. In fact, it shouldn’t be that low for 15Gbps traffic and less than 2 billion instant packets.

chechito · March 2, 2023, 3:38pm

looks like you are using vlan interfaces as ports inside the bridge, i am correct?

ourplan · March 2, 2023, 5:32pm

I direct the wan connection I get with bonding to the sub-devices with the bridge as a vlan.

chechito · March 2, 2023, 7:19pm

the point is that using vlan interfaces as ports inside the bridge since 6.41 are considered Layer2 misconfiguration

Similar to this
VLAN in a bridge with a physical interface
https://help.mikrotik.com/docs/display/ROS/Layer2+misconfiguration#Layer2misconfiguration-VLANinabridgewithaphysicalinterface

Solution
To avoid compatibility issues you should use bridge VLAN filtering

ourplan · March 3, 2023, 7:44am

Thank you for the reply and information.
But as you mentioned, we also tried the vlan filtering process, but the cpu still seems to be at the same level.

blacksnow · March 3, 2023, 1:58pm

I recently solved my issue with VLAN filtering and it may be the same for you. Please check this thread → http://forum.mikrotik.com/t/l3hw-firewall-offloading-doesnt-offload-inter-vlan-traffic/164575/1

ourplan · March 4, 2023, 11:53am

Thanks for your reply and support. We have provided the controls as you stated, but the CPU usage is still high. If you can share your current settings, let’s check if you see fit. In addition, can you see that l3hw is running on the bridge?

chechito · March 4, 2023, 3:58pm

Try using tools profile to obtain info About the CPU usage

Sometimes is better to use the setting “all” to see each core usage separately

Clicking on usage column header, allows You to sort by usage and see tasks with most usage at the top

ourplan · March 4, 2023, 6:47pm

Thanks for your suggestion. I have previously informed that it is used by network and ethernet. In addition, I will send a screenshot of the CPU usage rates.

chechito · March 6, 2023, 4:10pm

by the way your configuration is build it will only works running by CPU, you must reconfigure using only bridge vlan filtering to be able to have the benefits of offloading

if you already do that please post your “bridge vlan filtering” config and profile usage with it deployed

additionally if you dont do NAT you can do without FW offload, going straigth to L3 Offload (no fasttráck etc)