Hi, CRS-125 works as a hub, sending all packets to all ports. Command that recommend to apply does not work on the latest firmware.
/interface ethernet switch port set [find] learn-restricted-unknown-sa=yes
This command does not work. Recommend any hack? Please.
Running 6.12? Post your export. Reset your configuration to defaults and test it.
Yes, 6.12. Any problems are solved by resetting the Mikrotik? Every time? Device in other city ~6000 km. I have only remote access…
[ivn@yakut1-gtw01] /interface ethernet switch port> print
Flags: I - invalid
0 name="ISP1" egress-customer-tpid=0x8100 egress-service-tpid=0x88A8 learn=no allow-unicast-loopback=no allow-multicast-loopback=no action-on-static-station-move=forward drop-when-ufdb-entry-src-drop=yes isolation-leakage-profile=30 vlan-type=network-port allow-fdb-based-vlan-translate=no allow-mac-based-service-vlan-assignment-for=all
allow-mac-based-customer-vlan-assignment-for=all filter-untagged-frame=no filter-priority-tagged-frame=no filter-tagged-frame=no egress-vlan-tag-table-lookup-key=egress-vid egress-vlan-mode=unmodified ingress-mirror-to=none ingress-mirroring-according-to-vlan=no egress-mirror-to=none
qos-scheme-precedence=ingress-acl-based,sa-based,da-based,dscp-based,protocol-based,vlan-based,pcp-based default-customer-pcp=0 default-service-pcp=0 pcp-propagation-for-initial-pcp=no egress-pcp-propagation=no dscp-based-qos-dscp-to-dscp-mapping=no pcp-or-dscp-based-qos-change-dei=no pcp-or-dscp-based-qos-change-pcp=no
pcp-or-dscp-based-qos-change-dscp=no pcp-based-qos-drop-precedence-mapping=0-15:green pcp-based-qos-dscp-mapping=0-15:0 pcp-based-qos-dei-mapping=0-15:0 pcp-based-qos-pcp-mapping=0-15:0 pcp-based-qos-priority-mapping=0-15:0 priority-to-queue=0-15:0,1:1,2:2,3:3
per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128 custom-drop-counter-includes="" queue-custom-drop-counter0-includes="" queue-custom-drop-counter1-includes="" policy-drop-counter-includes=""
1 name="ISP2" egress-customer-tpid=0x8100 egress-service-tpid=0x88A8 learn=no allow-unicast-loopback=no allow-multicast-loopback=no action-on-static-station-move=forward drop-when-ufdb-entry-src-drop=yes isolation-leakage-profile=30 vlan-type=network-port allow-fdb-based-vlan-translate=no allow-mac-based-service-vlan-assignment-for=all
allow-mac-based-customer-vlan-assignment-for=all filter-untagged-frame=no filter-priority-tagged-frame=no filter-tagged-frame=no egress-vlan-tag-table-lookup-key=egress-vid egress-vlan-mode=unmodified ingress-mirror-to=none ingress-mirroring-according-to-vlan=no egress-mirror-to=none
qos-scheme-precedence=ingress-acl-based,sa-based,da-based,dscp-based,protocol-based,vlan-based,pcp-based default-customer-pcp=0 default-service-pcp=0 pcp-propagation-for-initial-pcp=no egress-pcp-propagation=no dscp-based-qos-dscp-to-dscp-mapping=no pcp-or-dscp-based-qos-change-dei=no pcp-or-dscp-based-qos-change-pcp=no
pcp-or-dscp-based-qos-change-dscp=no pcp-based-qos-drop-precedence-mapping=0-15:green pcp-based-qos-dscp-mapping=0-15:0 pcp-based-qos-dei-mapping=0-15:0 pcp-based-qos-pcp-mapping=0-15:0 pcp-based-qos-priority-mapping=0-15:0 priority-to-queue=0-15:0,1:1,2:2,3:3
per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128 custom-drop-counter-includes="" queue-custom-drop-counter0-includes="" queue-custom-drop-counter1-includes="" policy-drop-counter-includes=""
2 name="ether03-master" ingress-customer-tpid=0x8100 egress-customer-tpid=0x8100 ingress-service-tpid=0x88A8 egress-service-tpid=0x88A8 learn=yes allow-unicast-loopback=no allow-multicast-loopback=no action-on-static-station-move=forward drop-when-ufdb-entry-src-drop=yes isolation-leakage-profile=29 vlan-type=network-port
allow-fdb-based-vlan-translate=no allow-mac-based-service-vlan-assignment-for=all allow-mac-based-customer-vlan-assignment-for=all filter-untagged-frame=no filter-priority-tagged-frame=no filter-tagged-frame=no egress-vlan-tag-table-lookup-key=egress-vid egress-vlan-mode=unmodified ingress-mirror-to=none
ingress-mirroring-according-to-vlan=no egress-mirror-to=none qos-scheme-precedence=ingress-acl-based,sa-based,da-based,dscp-based,protocol-based,vlan-based,pcp-based default-customer-pcp=0 default-service-pcp=0 pcp-propagation-for-initial-pcp=no egress-pcp-propagation=no dscp-based-qos-dscp-to-dscp-mapping=no
pcp-or-dscp-based-qos-change-dei=no pcp-or-dscp-based-qos-change-pcp=no pcp-or-dscp-based-qos-change-dscp=no pcp-based-qos-drop-precedence-mapping=0-15:green pcp-based-qos-dscp-mapping=0-15:0 pcp-based-qos-dei-mapping=0-15:0 pcp-based-qos-pcp-mapping=0-15:0 pcp-based-qos-priority-mapping=0-15:0 priority-to-queue=0-15:0,1:1,2:2,3:3
per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128 custom-drop-counter-includes="" queue-custom-drop-counter0-includes="" queue-custom-drop-counter1-includes="" policy-drop-counter-includes=""
3 name="ether04-slave" ingress-customer-tpid=0x8100 egress-customer-tpid=0x8100 ingress-service-tpid=0x88A8 egress-service-tpid=0x88A8 learn=yes allow-unicast-loopback=no allow-multicast-loopback=no action-on-static-station-move=forward drop-when-ufdb-entry-src-drop=yes isolation-leakage-profile=29 vlan-type=network-port
allow-fdb-based-vlan-translate=no allow-mac-based-service-vlan-assignment-for=all allow-mac-based-customer-vlan-assignment-for=all filter-untagged-frame=no filter-priority-tagged-frame=no filter-tagged-frame=no egress-vlan-tag-table-lookup-key=egress-vid egress-vlan-mode=unmodified ingress-mirror-to=none
ingress-mirroring-according-to-vlan=no egress-mirror-to=none qos-scheme-precedence=ingress-acl-based,sa-based,da-based,dscp-based,protocol-based,vlan-based,pcp-based default-customer-pcp=0 default-service-pcp=0 pcp-propagation-for-initial-pcp=no egress-pcp-propagation=no dscp-based-qos-dscp-to-dscp-mapping=no
pcp-or-dscp-based-qos-change-dei=no pcp-or-dscp-based-qos-change-pcp=no pcp-or-dscp-based-qos-change-dscp=no pcp-based-qos-drop-precedence-mapping=0-15:green pcp-based-qos-dscp-mapping=0-15:0 pcp-based-qos-dei-mapping=0-15:0 pcp-based-qos-pcp-mapping=0-15:0 pcp-based-qos-priority-mapping=0-15:0 priority-to-queue=0-15:0,1:1,2:2,3:3
per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128 custom-drop-counter-includes="" queue-custom-drop-counter0-includes="" queue-custom-drop-counter1-includes="" policy-drop-counter-includes=""
4 name="ether05-slave" ingress-customer-tpid=0x8100 egress-customer-tpid=0x8100 ingress-service-tpid=0x88A8 egress-service-tpid=0x88A8 learn=yes allow-unicast-loopback=no allow-multicast-loopback=no action-on-static-station-move=forward drop-when-ufdb-entry-src-drop=yes isolation-leakage-profile=29 vlan-type=network-port
allow-fdb-based-vlan-translate=no allow-mac-based-service-vlan-assignment-for=all allow-mac-based-customer-vlan-assignment-for=all filter-untagged-frame=no filter-priority-tagged-frame=no filter-tagged-frame=no egress-vlan-tag-table-lookup-key=egress-vid egress-vlan-mode=unmodified ingress-mirror-to=none
ingress-mirroring-according-to-vlan=no egress-mirror-to=none qos-scheme-precedence=ingress-acl-based,sa-based,da-based,dscp-based,protocol-based,vlan-based,pcp-based default-customer-pcp=0 default-service-pcp=0 pcp-propagation-for-initial-pcp=no egress-pcp-propagation=no dscp-based-qos-dscp-to-dscp-mapping=no
pcp-or-dscp-based-qos-change-dei=no pcp-or-dscp-based-qos-change-pcp=no pcp-or-dscp-based-qos-change-dscp=no pcp-based-qos-drop-precedence-mapping=0-15:green pcp-based-qos-dscp-mapping=0-15:0 pcp-based-qos-dei-mapping=0-15:0 pcp-based-qos-pcp-mapping=0-15:0 pcp-based-qos-priority-mapping=0-15:0 priority-to-queue=0-15:0,1:1,2:2,3:3
per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128 custom-drop-counter-includes="" queue-custom-drop-counter0-includes="" queue-custom-drop-counter1-includes="" policy-drop-counter-includes=""
Post your actual export. Not a print.
Personally I’d reset it and reconfigure it. NOT restore it from a backup. I have three of them and after that procedure it works fine.
Hello Folks!
I tried all that, reset to factory default, netinstall, reconfigure from scratch.
Nothing works, it still leaks traffic, you can see traffic from all vlans.
Anyone who have any real working ways fixing it.
We tried to make a trunk and attach access ports to various vlans coming in from the trunk, it works in a way but it leaks.
So I am out of any clues how to fix this.
You, probably, need to configure invalid VLAN filtering to block broadcasts from unwanted VLANs.
Sample configuration is in the last section of this CRS example:
http://wiki.mikrotik.com/wiki/Manual:CRS_examples#InterVLAN_Routing_with_unknown_VLAN_filtering
I do not fully understand invalid vlan filtering, I tried to follow the example but it differs we do not have intervlan routing and do not desire to have it in the switch either.
That configuration did not work at all, if I connect a server to the switch it becomes fully unavailable.
Can you please come up with a “normal switch with vlan and trunks example connected to cisco/hp trunk” or something similar.
Downgrade to 6.10, apply the fix you posted in the first post and upgrade back to 6.12…
Okey, I got support from my Mikrotik vendor, he says, basically use example “InterVLAN Routing with unknown VLAN filtering”:
The tip from vendor did not work at all, the device now hangs forever starting services, device is bricked…
There’s a known bug in 6.12, adding some VLAN options causes the switch to hang on reboot. It’s probably not bricked, you can probably reset the config using a serial cable or holding the reset button. Here’s the bug:
http://forum.mikrotik.com/viewtopic.php?f=2&t=84044&start=50#p421493
Hello Folks!
Tested ROS6.13 today (full reset without defaults and updated it, no netinstall yet).
The same CRS port based vlans and inter vlan routing examples same results all fail, no traffic at all is passed through the device to any ports, and yes we tried using both ether1 and ether2 as master port.
Positive is that CRS does not hang anymore, and it was not bricket a reset helped out.
If it works, with some other settings, then I start to feel we do not have that deep competence to deal with ingress/outgress tagging and policy groups I have seen people discussing here and there but never saw anyone coming up with some working results that I could understand, so maybe CRS as a switch is not for us after all. It has also started to consume lot of time doing all those tests when a new RoS is rolled out.
However, the device is usful as a plain switch, without using any vlans and such stuff, and we do use some for that here since months back.
We did never try using it as a router due to it’s weak CPU, it might work in some small SOHO network which yet has not got 100Mbit/s internet.
We finally got it working in LAB, thanks to MT support: http://forum.mikrotik.com/t/crs-documentation/71458/1 see bottom of link.
Could you please post the solution?
On the link you gave are a lot of configurations, a lot of tests, but where is the solution to the problem described?
Something like: do this command and that command and it’s done. If possible without decorations of any kind…
Absolutely, I put in all the steps because I have had so much struggles with it that I dont know if it will work if leaving one of the steps below out. So I am sorry, it will be relaitively much text, hopefully it helps you out.
Daisy chanied Cisco2960, CRS A, CRS B
Cisco 2960 <--TRUNK vlans:20,100,200,220,300,400 --> ether1 [CRS A] ether13 <--TRUNK vlans:20,100,200,220,300,400 --> ether1 [CRS B]
Configuration CRS A = CRS B, two access ports on vlan 20, one access port to each one of the other vlans and vlan trunk on ether1 and ether13
CRS A is set to have admin ip on vlan200: 172.16.1.111
CRS B is set to have admin ip on vlan200: 172.16.1.112
There are some more ip settings like default gw 172.16.1.1 and dns settings plus some route to another network 192.168.1.0/24 as well.
Also I did set passwords for admin, when done using winbox.
Preparing the CRS, fully reset and netinstall RoS6.14 (all steps from console port):
Connecting my laptop to the console port through USB to RS232 dongle.
Reset the switch fully:
/system reset-configuration no-defaults=yes skip-backup=yes
Power off by plugging cable out and in.
Netinstall CRS the ususal way by holding in the reset button whilst putting in the power cable in and same time have netinstal running on pc.
Here is how that is done: http://wiki.mikrotik.com/wiki/Manual:Netinstall
Upgrade to firmware 3.14:
/system routerboard upgrade
system reboot
Reset the switch fully again:
/system reset-configuration no-defaults=yes skip-backup=yes
Power off by plugging cable out and in.
Note!
On the second CRS I did simply skipped netinstall and simply upgrate to RoS6.14 and resetted + power cycled afterwards, and it worked, but hang in starting services first boot, a new power cycle and it hang in export compact, a new power cycle and then no more problems.
Configuring the switch CRS A from the console:
/interface ethernet
set [ find default-name=ether6 ] master-port=ether1
set [ find default-name=ether7 ] master-port=ether1
set [ find default-name=ether8 ] master-port=ether1
set [ find default-name=ether9 ] master-port=ether1
set [ find default-name=ether10 ] master-port=ether1
set [ find default-name=ether11 ] master-port=ether1
set [ find default-name=ether12 ] master-port=ether1
set [ find default-name=ether13 ] master-port=ether1
\
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether1,ether13 vlan-id=20
add tagged-ports=ether1,ether13 vlan-id=100
add tagged-ports=ether1,ether13,switch1-cpu vlan-id=200
add tagged-ports=ether1,ether13 vlan-id=220
add tagged-ports=ether1,ether13 vlan-id=300
add tagged-ports=ether1,ether13 vlan-id=400
/interface ethernet switch ingress-vlan-translation
add new-customer-vid=20 ports=ether6 sa-learning=yes
add new-customer-vid=100 ports=ether7 sa-learning=yes
add new-customer-vid=200 ports=ether8 sa-learning=yes
add new-customer-vid=220 ports=ether9 sa-learning=yes
add new-customer-vid=300 ports=ether10 sa-learning=yes
add new-customer-vid=400 ports=ether11 sa-learning=yes
add new-customer-vid=20 ports=ether12 sa-learning=yes
/interface ethernet switch vlan
add ports=ether1,ether6,ether12,ether13 vlan-id=20
add ports=ether1,ether7,ether13 vlan-id=100
add ports=ether1,ether8,ether13,switch1-cpu vlan-id=200
add ports=ether1,ether9,ether13 vlan-id=220
add ports=ether1,ether10,ether13 vlan-id=300
add ports=ether1,ether11,ether13 vlan-id=400
/interface vlan
add interface=ether1 l2mtu=1584 name=vlan200 vlan-id=200
/ip address
add address=172.16.1.111/24 interface=vlan200 network=172.16.1.0
/interface ethernet switch
set forward-unknown-vlan=yes
/ip dns
set servers=172.16.1.1
/ip dns static
add address=172.16.1.111 name=mikrotiksw1
/ip route
add distance=1 gateway=172.16.1.1
add distance=1 dst-address=192.168.0.0/16 gateway=172.16.1.253
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api-ssl disabled=yes
/lcd
set backlight-timeout=15m
/snmp
set contact="Peter Steen" enabled=yes location="Some Place" trap-community=public
/system clock
set time-zone-name=Europe/Stockholm
/system identity
set name="MikroTik SW1"
/system ntp client
set enabled=yes mode=unicast primary-ntp=10.30.0.5 secondary-ntp=172.16.1.11
The do some tests:
Connect CRS A to Cisco, try pinging it's IP 172.16.1.111 and then access from winbox and try ping default gateway, and check that time is right and DNS is working.
Connect some device at ether6 (vlan 20) and see if it accessable and so on.
If all works, go on and configure CRS B!
Now we are done with CRS A, we configured CRS B the same way, exept IP, move the console cable to CRS B
/interface ethernet
set [ find default-name=ether6 ] master-port=ether1
set [ find default-name=ether7 ] master-port=ether1
set [ find default-name=ether8 ] master-port=ether1
set [ find default-name=ether9 ] master-port=ether1
set [ find default-name=ether10 ] master-port=ether1
set [ find default-name=ether11 ] master-port=ether1
set [ find default-name=ether12 ] master-port=ether1
set [ find default-name=ether13 ] master-port=ether1
\
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether1,ether13 vlan-id=20
add tagged-ports=ether1,ether13 vlan-id=100
add tagged-ports=ether1,ether13,switch1-cpu vlan-id=200
add tagged-ports=ether1,ether13 vlan-id=220
add tagged-ports=ether1,ether13 vlan-id=300
add tagged-ports=ether1,ether13 vlan-id=400
/interface ethernet switch ingress-vlan-translation
add new-customer-vid=20 ports=ether6 sa-learning=yes
add new-customer-vid=100 ports=ether7 sa-learning=yes
add new-customer-vid=200 ports=ether8 sa-learning=yes
add new-customer-vid=220 ports=ether9 sa-learning=yes
add new-customer-vid=300 ports=ether10 sa-learning=yes
add new-customer-vid=400 ports=ether11 sa-learning=yes
add new-customer-vid=20 ports=ether12 sa-learning=yes
/interface ethernet switch vlan
add ports=ether1,ether6,ether12,ether13 vlan-id=20
add ports=ether1,ether7,ether13 vlan-id=100
add ports=ether1,ether8,ether13,switch1-cpu vlan-id=200
add ports=ether1,ether9,ether13 vlan-id=220
add ports=ether1,ether10,ether13 vlan-id=300
add ports=ether1,ether11,ether13 vlan-id=400
/interface vlan
add interface=ether1 l2mtu=1584 name=vlan200 vlan-id=200
/ip address
add address=172.16.1.112/24 interface=vlan200 network=172.16.1.0
/interface ethernet switch
set forward-unknown-vlan=yes
/ip dns
set servers=172.16.1.1
/ip dns static
add address=172.16.1.112 name=mikrotiksw2
/ip route
add distance=1 gateway=172.16.1.1
add distance=1 dst-address=192.168.0.0/16 gateway=172.16.1.253
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api-ssl disabled=yes
/lcd
set backlight-timeout=15m
/snmp
set contact="Peter Steen" enabled=yes location="Some Place" trap-community=public
/system clock
set time-zone-name=Europe/Stockholm
/system identity
set name="MikroTik SW1"
/system ntp client
set enabled=yes mode=unicast primary-ntp=10.30.0.5 secondary-ntp=172.16.1.11
Now connecto CRS A ether13 to CRS A ether1!
Try ping CRS B(172.16.1.112) from CRS A or any pc in vlan200.
Login using winbox to CRS B, and try ping default gw and the other switch and some else device, check the time and other stuff like DNS.
Hello Folks!
I now got the forward-unknows-vlan=no working, before it locked CRS up fully and it did not pass any traffic, now it does.
“/interface ethernet switch set forward-unknown-vlan=no”
How I did it, MT Support again:
Observation!
Every time the CRS is rebooted, a autosupout file is generated, dont know why.
Beside from that all seems to work.
Trying to flip the no to a yes did not have any effect on our CRS, like the flag had no meaning, but in our lab setup the cisco 2960 only trunk the vlans specified in CRS, so that can be one reason.
No leakage has been observed either.
We will postpone to put them in production till the problem with autosupout file has been solved, well I can disable it manually, but it must come there for some reason also, so we wait.
Hope this helped some of you.