CRS125 w/ ROS 6.33 - access vlan issue

Hi all,

Scratching my head considerably over this one (remote support for a customer). Can someone please advise on why we are experiencing no connectivity between two hosts on two particular access VLANs? This should be really straightforward stuff…

Working unicast, broadcast and layer 2 multicast communication as expected between hosts in VLANs.
VLAN 10: ether3-14
VLAN 11: ether15-17
VLAN 12: ether18-20

Non-working unicast communication: host on ether21 cannot communicate with host on ether22, and host on ether23 cannot communicate with host on ether24. Broadcast and layer 2 multicast seemingly unaffected though…
VLAN 21: ether21,ether22
VLAN 22: ether23,ether24

/interface ethernet switch
set bridge-type=customer-vid-used-as-lookup-vid \
    bypass-ingress-port-policing-for="" bypass-l2-security-check-filter-for="" \
    bypass-vlan-ingress-filter-for="" \
    drop-if-invalid-or-src-port-not-member-of-vlan-on-ports="" \
    drop-if-no-vlan-assignment-on-ports="" egress-mirror-ratio=1/1 \
    egress-mirror0=switch1-cpu,modified egress-mirror1=switch1-cpu,modified \
    fdb-uses=mirror0 forward-unknown-vlan=yes ingress-mirror-ratio=1/1 \
    ingress-mirror0=switch1-cpu,unmodified \
    ingress-mirror1=switch1-cpu,unmodified mac-level-isolation=yes \
    mirror-egress-if-ingress-mirrored=no mirror-tx-on-mirror-port=no \
    mirrored-packet-drop-precedence=green mirrored-packet-qos-priority=0 \
    multicast-lookup-mode=dst-ip-and-vid-for-ipv4 name=switch1 \
    override-existing-when-ufdb-full=no unicast-fdb-timeout=5m \
    unknown-vlan-lookup-mode=svl use-cvid-in-one2one-vlan-lookup=yes \
    use-svid-in-one2one-vlan-lookup=no vlan-uses=mirror0
/interface ethernet switch egress-vlan-tag
add disabled=no tagged-ports=eth3-Switch-Master-Port,switch1-cpu vlan-id=10
/interface ethernet switch ingress-vlan-translation
add !customer-dei !customer-pcp !customer-vid customer-vlan-format=any \
    disabled=no new-customer-vid=10 !new-service-vid pcp-propagation=no \
    ports="eth3-Switch-Master-Port,ether4-slave-local,ether5-slave-local,ether6-slave-local,ether7-slave-local,ether8-slave-local,ether9-slave-local,ether10-slave-local,ether11-slave-local,ether12-slave-local,ether13-slave-local,ether14-slave-local" \
    !protocol sa-learning=yes !service-dei \
    !service-pcp !service-vid service-vlan-format=any
add !customer-dei !customer-pcp !customer-vid customer-vlan-format=any \
    disabled=no new-customer-vid=11 !new-service-vid pcp-propagation=no \
    ports=ether15-slave-local,ether16-slave-local,ether17-slave-local \
    !protocol sa-learning=yes !service-dei !service-pcp !service-vid \
    service-vlan-format=any
add !customer-dei !customer-pcp !customer-vid customer-vlan-format=any \
    disabled=no new-customer-vid=12 !new-service-vid pcp-propagation=no \
    ports=ether18-slave-local,ether19-slave-local,ether20-slave-local \
    !protocol sa-learning=yes !service-dei !service-pcp !service-vid \
    service-vlan-format=any
add !customer-dei !customer-pcp !customer-vid customer-vlan-format=any \
    disabled=no new-customer-vid=21 !new-service-vid pcp-propagation=no \
    ports=ether21-slave-local,ether22-slave-local !protocol sa-learning=yes \
    !service-dei !service-pcp !service-vid service-vlan-format=any
add !customer-dei !customer-pcp !customer-vid customer-vlan-format=any \
    disabled=no new-customer-vid=22 !new-service-vid pcp-propagation=no \
    ports=ether23-slave-local,ether24-slave-local !protocol sa-learning=yes \
    !service-dei !service-pcp !service-vid service-vlan-format=any
/interface ethernet switch vlan
add disabled=no flood=no ingress-mirror=no learn=yes \
    ports="eth3-Switch-Master-Port,ether4-slave-local,ether5-slave-local,ether6-slave-local,ether7-slave-local,ether8-slave-local,ether9-slave-local,ether10-slave-local,ether11-slave-local,ether12-slave-local,ether13-slave-local,ether14-slave-local,switch1-cpu" \
    qos-group=none svl=no vlan-id=10
add disabled=no flood=no ingress-mirror=no learn=yes \
    ports=ether15-slave-local,ether16-slave-local,ether17-slave-local \
    qos-group=none svl=no vlan-id=11
add disabled=no flood=no ingress-mirror=no learn=yes \
    ports=ether18-slave-local,ether19-slave-local,ether20-slave-local \
    qos-group=none svl=no vlan-id=12
add disabled=no flood=no ingress-mirror=no learn=yes \
    ports=ether21-slave-local,ether22-slave-local qos-group=none svl=no vlan-id=21
add disabled=no flood=no ingress-mirror=no learn=yes \
    ports=ether23-slave-local,ether24-slave-local qos-group=none svl=no vlan-id=22

Thank you in advance for your thoughts!

Please make sure the CRS does not have multiple master-ports configured in “/interface ethernet” menu.

H, thanks for the reply. I figured it out in the end; it wasn’t this (there is only a single master port configured).

The problem was actually due to the affected VLANs not having an entry in /interface ethernet switch egress-vlan-tag:

Broken config:
/interface ethernet switch egress-vlan-tag
add tagged-ports=switch1-cpu vlan-id=10

Fixed config:
/interface ethernet switch egress-vlan-tag
add tagged-ports=switch1-cpu vlan-id=10
add vlan-id=22
add vlan-id=21
add vlan-id=11
add vlan-id=12

Note that the additional VLANs have been added, yet with no tagged-ports defined in this case, as the intention is only to have a group of local untagged access ports in each VLAN.
I feel that the CRS documentation is unclear as to the importance of VLAN ID entries (even with no tagged-ports defined) being defined under egress-vlan-tag. The fact that VLAN 10 access port to access port forwarding was working was a pure fluke, as I had to add switch1-cpu as a tagged-port for VLAN 10 to reach the CPU for routing via a VLAN interface etc. From my extensive research I finally found another forum post which mentioned that adding the tags to egress-vlan-tag is mandatory; however, it does not appear to be in the documentation. Please review this, support!
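
The check the last post arrives at, as an added example that is not part of the original thread: a small Python audit that reads a RouterOS export and lists VLAN IDs present under /interface ethernet switch vlan but absent from /interface ethernet switch egress-vlan-tag. The function names are hypothetical, the sample export is constructed from the thread's "broken" configuration, and the rule itself is the poster's finding rather than documented behaviour.

```python
import re

# Constructed sample, condensed from the "broken" configuration in the thread.
SAMPLE_EXPORT = r'''
/interface ethernet switch egress-vlan-tag
add disabled=no tagged-ports=switch1-cpu vlan-id=10
/interface ethernet switch vlan
add disabled=no learn=yes ports="eth3-Switch-Master-Port,ether4-slave-local,\
    switch1-cpu" vlan-id=10
add disabled=no learn=yes ports=ether21-slave-local,ether22-slave-local \
    vlan-id=21
add disabled=no learn=yes ports=ether23-slave-local,ether24-slave-local \
    vlan-id=22
'''

VLAN_MENU = "/interface ethernet switch vlan"
EGRESS_MENU = "/interface ethernet switch egress-vlan-tag"


def logical_lines(export):
    """Join backslash-continued export lines into single commands."""
    joined = re.sub(r"\\\n\s*", "", export)
    return [ln.strip() for ln in joined.splitlines() if ln.strip()]


def vlan_ids_by_menu(export):
    """Map each menu path to the enabled vlan-id values added under it."""
    menus, current = {}, None
    for line in logical_lines(export):
        if line.startswith("/"):
            current = line
            menus.setdefault(current, set())
        elif current and line.startswith("add "):
            if re.search(r"\bdisabled=yes\b", line):
                continue  # a disabled entry does not count as present
            m = re.search(r"(?<![\w-])vlan-id=(\d+)", line)
            if m:
                menus[current].add(int(m.group(1)))
    return menus


def vlans_missing_egress_entry(export):
    """VLAN IDs in the switch VLAN table with no egress-vlan-tag entry."""
    menus = vlan_ids_by_menu(export)
    return sorted(menus.get(VLAN_MENU, set()) - menus.get(EGRESS_MENU, set()))


if __name__ == "__main__":
    print(vlans_missing_egress_entry(SAMPLE_EXPORT))
```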