In my setup I have a WAN router which provides my VLAN to my network; however, this is only a 1gbit link, therefore I have purchased a CRS317-1G-16S+ to have between my ESXi hosts providing 10gbit VLAN routing. I'm new to Mikrotik, but do I understand this correctly?
Should I create a VLAN interface on the CRS or just a VLAN on the bridge? My assumption is that if I only create a bridge then the routing will fall back on rt-core01, not on the new CRS? Is this correct or am I totally wrong here?
And … CRS devices are switches with L3 functionality. They are capable of routing (e.g. between VLANs), but nowhere near wirespeed. Official test results, together with my own interpretation[*] indicate that your unit of choice can route with speeds around 500Mbps.
[*] My experience goes that the number most relevant to real-life cases in that result table is under “Routing, 25 ip filter rules, [packet size] 512 byte”. If you do your best (no firewall filter rules), you might get near 1Gbps.
It can switch at wire speed or close to it (see the ‘Switching’ results). It just can’t route that fast. And yes, if you want it to route, you need RouterOS; SwOS will not let you do that.
However, with this setup, when I ping two hosts which are on the CRS switch on different VLANs, the CRS doesn't route them; it falls back to rt-core-01. I can see ICMP packets on my core 1 router, and my intention was that the core 2 (CRS) would route them, thus providing a 10gbit routing link.
So sfp-sfpplus1 pvid=100 with IP 10.10.10.106 tries to ping sfp-sfpplus2 pvid=1 192.168.1.228, and those both have the gateway 10.10.10.5 and 192.168.1.5 respectively, yet the ICMP packets travel outside of this router.
First one: bridge interface has implicit default setting pvid=1 … so in your case where you use VLAN 1 tagged on bridge you either have to set bridge pvid to some unused value or set frame-types=admit-only-vlan-tagged on /interface bridge
Second: CRS is a switch with some low-capacity L3 (IP) capabilities … already mentioned above. So inter-VLAN routing will peak at half a Gbps (combined over all interfaces).
However, I still get ICMP traffic past the CRS; this means the Mikrotik is not routing VLAN traffic as it should for some reason. What could I be doing wrong here?
It seems I won't be able to get what I need out of this switch in terms of speed, so as long as the traffic is routed properly on this device and not sent back to the rt-core-01, that would suffice until I can find a device that can do what I need.
What does traceroute between those test hosts show?
What does /ip route print show?
Just noticed: there’s missing config detail in /interface bridge vlan: sfp-sfpplus1 should be declared as untagged member of VLAN 100, setting interface with pvid is not sufficient
With this configuration (I re-ordered the ports so they make more sense), not only do my VLANs route to the wrong router, but when pinging within the same VLAN, in this case vlan100 from port sfp3 to sfp1, it goes through ethernet1, meaning this link is 1gbit max, not the 10gbit it should be.
[admin@MikroTik] /interface bridge vlan> /ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 10.10.10.1 1
1 S 0.0.0.0/0 192.168.1.1 1
2 S 0.0.0.0/0 192.168.10.1 1
3 S 0.0.0.0/0 192.168.10.1 1
4 S 0.0.0.0/0 192.168.2.1 1
5 ADC 10.10.10.0/24 10.10.10.5 VLAN-100-SERVER 0
6 ADC 192.168.1.0/24 192.168.1.5 VLAN-001-DEFAULT 0
7 ADC 192.168.2.0/24 192.168.2.5 VLAN-2-WIFI 0
8 ADC 192.168.10.0/24 192.168.10.5 VLAN-010-MGMT 0
I think I'm a bit confused right now as to how these VLANs are routed.
I’d first remove all those default routes under /ip route … for purpose of testing inter-vlan routing you don’t need any of them. You’ll need one to provide internet access (that’s one for all VLANs) but your main router will have to be aware of it …
If it doesn’t start to behave, I’d save exported config (to management PC) and perform full reset (possibly doing netinstall), after that transfer saved config back to the unit. Could be that there’s some lost config lurking behind the scenes and it’s hard to get rid of it in any other way.
In this setup, would ethernet1 need to be a part of the bridge? I will eventually replace ethernet1 with an sfp+ port to uplink to the switch.
Here is a diagram to better try and explain what I am doing.
As you can see, when linux01 and linux02 try to use iperf3, it uses all the bandwidth on ether1, which is not what I want. The idea is that all traffic on these hosts gets routed or switched by sw-core-02.
traceroute to 192.168.10.182 (192.168.10.182), 30 hops max, 60 byte packets
1 10.10.10.5 (10.10.10.5) 0.515 ms 0.374 ms 0.224 ms
2 192.168.1.1 (192.168.1.1) 0.274 ms 0.237 ms 0.210 ms
3 192.168.10.182 (192.168.10.182) 0.429 ms 0.467 ms 0.495 ms
Here you can see linux01 trying to reach nas01 (currently set to 192.168.10.182); both have their default gw 10.10.10.5, but then the traffic goes back to 192.168.1.1.
[admin@sw-core-02] > /ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 ADS 0.0.0.0/0 192.168.1.1 1
1 ADC 10.10.10.0/24 10.10.10.5 VLAN-100-SERVER 0
2 ADC 192.168.1.0/24 192.168.1.214 bridge 0
3 ADC 196.168.10.0/24 196.168.10.5 VLAN-10-MGMT 0
I have done a full configuration reset a few times already, and have fallen to the same issue. I have however just done an upgrade to the latest firmware, so I guess I can try that.
I mean if you cannot see anything wrong with my configuration (the latest is attached below) then could it be a defective device?
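Added example, not part of any post in the thread: a longest-prefix-match check over the sw-core-02 `/ip route print` output quoted above, applied to the test hosts the thread mentions. It shows that 192.168.10.182 matches only the default route via 192.168.1.1, which agrees with hop 2 of the traceroute; the connected entry for VLAN-10-MGMT is printed as 196.168.10.0/24. The function names and the parsing of the flattened table are assumptions of this example.

```python
import ipaddress

# Copied from the sw-core-02 "/ip route print" output quoted in the thread.
ROUTE_PRINT = """\
0 ADS 0.0.0.0/0 192.168.1.1 1
1 ADC 10.10.10.0/24 10.10.10.5 VLAN-100-SERVER 0
2 ADC 192.168.1.0/24 192.168.1.214 bridge 0
3 ADC 196.168.10.0/24 196.168.10.5 VLAN-10-MGMT 0
"""

def parse_routes(text):
    """Parse flattened RouterOS route lines into dicts; keep active routes only."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or not tok[0].isdigit():
            continue  # skip column headers, the flag legend and blank lines
        dst_i = next((i for i, t in enumerate(tok) if "/" in t), None)
        if dst_i is None:
            continue
        flags = "".join(tok[1:dst_i])  # handles both "ADS" and "A S" spellings
        if "A" not in flags or "X" in flags:
            continue  # inactive or disabled routes are not used for forwarding
        routes.append({
            "dst": ipaddress.ip_network(tok[dst_i]),
            "gateway": tok[-2],  # next-hop IP, or interface for connected routes
            "connected": "C" in flags,
            "distance": int(tok[-1]),
        })
    return routes

def select_route(routes, host):
    """Longest-prefix match: the most specific active route containing host wins."""
    addr = ipaddress.ip_address(host)
    hits = [r for r in routes if addr in r["dst"]]
    return max(hits, key=lambda r: (r["dst"].prefixlen, -r["distance"]), default=None)

def explain(host, text=ROUTE_PRINT):
    """Describe which route the switch would pick for host."""
    r = select_route(parse_routes(text), host)
    if r is None:
        return f"{host}: no route"
    how = "connected, routed locally" if r["connected"] else "sent to next hop"
    return f"{host}: {r['dst']} via {r['gateway']} ({how})"

if __name__ == "__main__":
    # Test hosts mentioned in the thread.
    for h in ("10.10.10.106", "192.168.1.228", "192.168.10.182"):
        print(explain(h))
```

The same parser accepts the earlier table from the thread, where only the first of the five default routes carries the `A` flag.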