CRS112 and RSTP

We use CRS112s as “CPE”-like nodes in our network, to terminate customer services. On some occasions we daisy-chain two switches with optical or RJ45 between.

We usually set up switching under the /interface ethernet switch section and do not use multiple bridges. One management VLAN and others for customer services. However, we recently discovered that (R)STP is not working at all between the switches in this fashion. Both switches operate as individual bridge roots.

Since RouterOS doesn’t do Per-VLAN-RSTP, does RouterOS RSTP operate on a certain VLAN-ID, or what is required for the switches to “find” each other?

Thanks,

STP/RSTP/MSTP traffic is untagged. If you have multiple paths in your topology they must all be configured with the same set of VLANs as STP/RSTP is unaware of them.

What is untagged in a CRS112 then, VLAN ID 0 or 1?

That means that I need to allow it on all trunks, I guess? On edge/accesses also?

There seems to be a lack of examples of how to set this up in the wiki/help.

The firmware should handle untagged ethernet management frames (including spanning tree and the so-called slow protocols) regardless of the port settings. I currently don’t have a CRS112 to check but in the past have not had an issue using configurations per the examples https://wiki.mikrotik.com/wiki/Manual:CRS1xx/2xx_series_switches_examples#Port_Based_VLAN. As the CRS1xx/2xx switches expose a lot of the underlying switch chip settings it is possible there may be other configurations which unintentionally block management frames.

Howdy. I found this post because I had this or a similar issue (spanning tree “not working” when VLANs were enabled on the CRS112).

I ended up port mirroring traffic to/from the CPU and one of the ethernet ports to figure it out. Examining the traffic with tcpdump showed that the spanning tree frames transmitted out the ethernet ports were being encapsulated in a VLAN tag (I had configured an admin vlan).

The cause was a configuration error tagging traffic from the switch CPU port with the admin VLAN 99 (as in the snippet below). Removing switch1-cpu fixed it and now RSTP is working for me.

# ingress - map untagged (i.e. VLAN=0) received packets to VLANs
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=22 ports=$ethNames
add customer-vid=0 new-customer-vid=99 ports=($sfpNames,"switch1-cpu")

In response to the original poster, R/STP frames should be untagged. Conceptually, packets without a VLAN header are vlan-id=0. I would expect the switch CPU to be using a switch-specific encapsulation to send untagged spanning tree packets out specific ports and that the switch CPU port and all the switch ports are members of the default vlan-id=1. If you want to secure/isolate your admin port, you need to ensure VLAN 1 doesn’t enter the switch via a trunk or a port in the default configuration.
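The check done by eye with tcpdump in the post above can be automated. The following is an added example, not code from the thread or from MikroTik: it takes raw Ethernet frames from a mirror-port capture and reports any spanning tree BPDU that left the port inside a VLAN tag. The function names and the sample frames are constructed for illustration; VLAN 99 matches the admin VLAN in the post.

```python
import struct

STP_DST = bytes.fromhex("0180c2000000")  # IEEE 802.1D bridge group address
LLC_STP = b"\x42\x42\x03"                # DSAP 0x42, SSAP 0x42, UI control
TPIDS = {0x8100, 0x88A8}                 # 802.1Q C-tag, 802.1ad S-tag
VERSIONS = {0: "STP", 2: "RSTP", 3: "MSTP"}

def classify_bpdu(frame: bytes):
    """Return None for non-BPDU frames, else the BPDU version and VLAN tags."""
    if len(frame) < 14 or frame[:6] != STP_DST:
        return None
    off, vlans = 12, []
    (etype,) = struct.unpack_from("!H", frame, off)
    while etype in TPIDS:                 # walk any stacked VLAN tags
        if len(frame) < off + 6:
            return None                   # truncated tag
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        vlans.append(tci & 0x0FFF)        # low 12 bits of the TCI are the VLAN ID
        off += 4
        (etype,) = struct.unpack_from("!H", frame, off)
    # BPDUs are 802.3/LLC frames: this field is a length (<= 1500), not an EtherType
    if etype > 1500 or frame[off + 2:off + 5] != LLC_STP:
        return None
    bpdu = frame[off + 5:]
    if len(bpdu) < 4 or bpdu[:2] != b"\x00\x00":   # protocol identifier
        return None
    return {"version": VERSIONS.get(bpdu[2], "unknown"),
            "vlans": vlans, "tagged": bool(vlans)}

def tagged_bpdus(frames):
    """Indexes and VLAN IDs of BPDUs that left the port inside a VLAN tag."""
    hits = []
    for i, f in enumerate(frames):
        info = classify_bpdu(f)
        if info and info["tagged"]:
            hits.append((i, info["vlans"]))
    return hits

def sample_bpdu(vlan=None):
    """Constructed RSTP BPDU frame (zeroed bridge IDs), optionally 802.1Q-tagged."""
    src = bytes.fromhex("020000000001")   # constructed, locally administered MAC
    bpdu = (bytes.fromhex("000002023c") + bytes(22) +
            bytes.fromhex("0000140002000f00") + b"\x00")
    payload = LLC_STP + bpdu
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    return STP_DST + src + tag + struct.pack("!H", len(payload)) + payload

if __name__ == "__main__":
    capture = [sample_bpdu(), sample_bpdu(99)]   # constructed capture
    print(tagged_bpdus(capture))
```

A neighbouring bridge expects BPDUs untagged, so any hit from `tagged_bpdus` points at a translation or tagging rule that also matches the CPU port.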