Hi guys
I have a CRS 317 configured as the core for my system. We do not do much on it, just create DHCP for 4 VLANs and enable CAPsMAN to manage about 70 hAP ac2 APs.
For nearly one week now I have noticed that traffic is dropped randomly. After some checking I see our CRS 317 has quite high CPU usage.
So should I enable CAPsMAN on the CRS 317? What is the cause of the high CPU?
Thanks.

CRS devices are intended to be L2 switches with some L3 functionality, such as providing DHCP, but NOT wire-speed L3 routing/firewalling as they are performance-limited by the CPU.
If you use CAPsMAN manager forwarding it imposes a significant CPU load on the CAPsMAN controller, so with a CRS as the controller you should be using CAPsMAN local forwarding so the hAP ac2 WLAN - ethernet traffic is handled in the hAP.
This is true. At least with non beta ROS. With V7 beta CRS317 is able to do HW Layer3.
The /tool profile doesn’t suggest that CAPsMAN is the biggest CPU hog. The 32 % CPU spent on ethernet would bother me much more. So I’d assume that there is either a lot of inter-VLAN traffic routed by the 317, or hardware L2 forwarding has been disabled by mistake.
EDIT: indeed the Ethernet traffic may be the encapsulated wireless packets coming from the CAPs. So still possible it’s the cause.
Also the OP only provided CPU utilisation for one core. AFAIK not all processes utilise multiple CPU cores well.
Hi guys
“So with a CRS as the controller you should be using CAPsMAN local forwarding so the hAP ac2 WLAN - ethernet traffic is handled in the hAP.” If you have any guide for that, please share it with me.
For the RouterOS: Currently my CRS317 is running v6.48.1, the newest one.
For hardware offloading: The status displays that it is still running on our bridge.
I noticed that the overall traffic is not high. I wonder whether some computer in my network is causing this problem? And how can I troubleshoot it?
Thanks
The guide is as follows:
- on each CAP:
  - make sure that a VLAN for each SSID you use on a given CAP is available on its uplink interface,
  - make the uplink interface a member port of bridge X (you can reuse the default bridge or create a new one, and take care not to lose management access to the CAP; if you need a more detailed guide on this, I need the current configuration of the CAP),
  - set the bridge item under /interface wireless cap to X
- on the CRS317: on each /caps-man datapath row used by the individual SSID, set local-forwarding=yes vlan-mode=use-tag vlan-id=the-VID-for-that-SSID
This will move the conversion of wireless frames into VLAN-tagged Ethernet ones, and vice versa, from the CRS317 to the CAPs.
That computer would have to flood the CRS with traffic its CPU would have to handle (packets to be routed, ARP requests to be responded to, …). Depending on the number of your wireless clients (not so much the number of CAPs), this traffic may be the encrypted and encapsulated wireless frames coming from the wireless clients, which the CPU of the CRS has to convert into plain Ethernet frames (and the opposite of course). So first implement the local forwarding on CAPs, and only if that doesn’t help, start looking for other possibilities.
Hi Sindy
Here is my config on Hap Ac2
/interface bridge
add name=Bridge vlan-filtering=yes
/interface wireless
# managed by CAPsMAN
# channel: 2432/20-Ce/gn(18dBm), SSID: Avana Retreat, CAPsMAN forwarding
set [ find default-name=wlan1 ] ssid=MikroTik
# managed by CAPsMAN
# channel: 5180/20-Ceee/ac(15dBm), SSID: Avana Retreat, CAPsMAN forwarding
set [ find default-name=wlan2 ] ssid=MikroTik
/interface vlan
add interface=Bridge name=MGMT_99 vlan-id=99
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
add bridge=Bridge interface=ether1
add bridge=Bridge interface=ether2
add bridge=Bridge interface=ether3
add bridge=Bridge interface=ether4
/interface bridge vlan
add bridge=Bridge tagged=Bridge,ether1 vlan-ids=99
/interface wireless cap
#
set discovery-interfaces=Bridge enabled=yes interfaces=wlan1,wlan2
/ip address
add address=172.16.99.249/24 interface=MGMT_99 network=172.16.99.0
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add distance=1 gateway=172.16.99.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system identity
set name=WF-NhaSo11
and here is datapath config on Crs317

Will follow your guide.
Thanks
OK, so first on each CAP, use just
/interface bridge vlan add bridge=Bridge tagged=ether1 vlan-ids=20
to permit VLAN 20 tagged on ether1, and
/interface wireless cap set bridge=Bridge
to define to which local bridge the local wireless interfaces under CAPsMAN control will be connected once switched to local forwarding mode.
Of course it assumes that VLAN 20 is permitted all the way through the L2 network from the CAPs to the router, and that CAPs are connected using ether1 to the L2 network, as seems to be the case. As you do that, still nothing changes about the actual operation.
Once you finish the above on all CAPs, set local-forwarding=yes on the datapath row on the CAPsMAN, and that’s it (assuming that all interfaces use the same datapath item).
Setting local-forwarding=yes makes the bridge item on the datapath row irrelevant, because it refers to a bridge on the CAPsMAN, which is only used when local-forwarding=no (i.e. CAPsMAN forwarding).
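With about 70 CAPs, the two per-CAP prerequisites from the reply above can be checked against each CAP's export before local-forwarding=yes is set on the CAPsMAN. This is an added example, not part of the original posts: `parse_export`, `check_cap` and the sample export are constructed for illustration, and VLAN 20 and ether1 are taken from the reply; it assumes export rows are not wrapped across lines.

```python
import re

# Constructed sample: trimmed export of one CAP, modelled on the hAP ac2 export
# in this thread with the two commands from the reply already applied.
SAMPLE_READY = """\
/interface bridge port
add bridge=Bridge interface=ether1
/interface bridge vlan
add bridge=Bridge tagged=Bridge,ether1 vlan-ids=99
add bridge=Bridge tagged=ether1 vlan-ids=20
/interface wireless cap
set bridge=Bridge discovery-interfaces=Bridge enabled=yes interfaces=wlan1,wlan2
"""

def parse_export(text):
    """Return {menu path: [{key: value}, ...]} for a RouterOS export."""
    menus, path = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # skip blanks and export comments
            continue
        if line.startswith("/"):               # a menu path opens a new section
            path = line
            menus.setdefault(path, [])
        elif path:                             # "add ..." / "set ..." row
            menus[path].append(dict(re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)))
    return menus

def check_cap(text, ssid_vlans, uplink="ether1"):
    """List what is still missing before local forwarding is switched on."""
    menus = parse_export(text)
    problems = []
    cap = next(iter(menus.get("/interface wireless cap", [])), {})
    bridge = cap.get("bridge")
    if not bridge:
        problems.append("no bridge set under /interface wireless cap")
    ports = {p.get("interface") for p in menus.get("/interface bridge port", [])
             if p.get("bridge") == bridge}
    if bridge and uplink not in ports:
        problems.append(f"{uplink} is not a port of {bridge}")
    tagged = {}                                # VID -> interfaces tagged on the cap bridge
    for row in menus.get("/interface bridge vlan", []):
        if row.get("bridge") == bridge:
            for vid in row.get("vlan-ids", "").split(","):
                tagged.setdefault(vid, set()).update(row.get("tagged", "").split(","))
    for vid in ssid_vlans:
        if uplink not in tagged.get(str(vid), set()):
            problems.append(f"VLAN {vid} is not tagged on {uplink}")
    return problems
```

Calling `check_cap(export_text, [20])` on a CAP that is ready returns an empty list; any returned string names a step from the reply that has not been applied on that CAP yet.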
Hi Sindy
Today I just configured some APs as a first test, but I have some questions that I hope you will explain:
- When local forwarding is enabled, how can I know whether it is working or not on each AP?
- Is there any way to track the number and the traffic of clients connected to each AP?
Thanks
Just in case - if you configure just some APs into local forwarding mode, you have to use a dedicated /caps-man datapath row for them.
You can see the bytes/packets Tx/Rx per client in CAPsMAN → Registration Table in Winbox, or using caps-man registration-table print stats on command line. Just be aware that these data are only valid as long as the client is associated to a given interface; once they roam to another one, the statistics from the previous association of the same client are lost.
If the data volumes shown as per above are reasonably high, you know that the local forwarding works.
/caps-man actual-interface-configuration print will show you the actual configuration parameters, assembled from channel, configuration, datapath, and security items.
With 70 APs, did you use the /caps-man provisioning?
Yes, I have already created a new datapath for test APs and also see the client on CapsMan now.
With 70 APs, did you use the /caps-man provisioning?: Yes, I do.
After configuring the new datapath I see one interface with this error: “possible regulatory info mismatch with CAP”. Do you know what the cause of this is? I did not configure the channel, just set it to auto.
The channel profile aggregates various parameters related to radio characteristics of the interface. But permitted frequency channels as well as their Tx power limits differ country by country, and for some reason I don’t understand, the country choice itself is a parameter of the configuration profile, not of the channel one.
So check that the correct country is set in the configuration profile used for that CAP, and check the country setting on the wireless physical interface on that CAP while it is exempted from CAPsMAN control, as the only possible reasons for this warning that come to my mind are
- a combination of channel.frequency=auto and configuration.country=no_country_set,
- different settings of the configuration.country used for that CAP and the country parameter of the /interface wireless row on the CAP itself.
Hi Sindy
After checking I found that the issue was maybe not from our CRS317 switch. Packets are dropped only on wireless clients; sometimes there is no traffic on wireless (cannot ping our gateway).
I wonder whether it is a CAPsMAN issue?
Thanks
Hard to say. There might be some wireless protocol incompatibility with certain client models (this forum mostly mentions Apple devices to suffer from this but I assume it’s just because they are the most ubiquitous ones among those experiencing those problems), but if so, it should affect both CAPsMAN-controlled and locally controlled wireless interfaces of the cAPs, as the wireless stack is the same in both cases, it is just its configuration method that differs.
It would require identifying a particular client device suffering from this and doing some sniffing of its traffic - whether it has got an IP address via DHCP, whether the ping requests do not make it through or the responses, etc.
Hi Sindy
I have created channels for 2.4 GHz and 5 GHz as in the code below, but I noticed that nearly all the CAPs are choosing 2412 for 2.4 GHz and 5745 for 5 GHz.
Rebooting the CAPs to renew the channel did not take effect.
Do you have any recommendation for auto channel?
Thanks
/caps-man channel
add band=2ghz-g/n extension-channel=Ce frequency=2412,2437,2462 name=Channels2.4Ghz tx-power=23
add band=5ghz-n/ac extension-channel=Ceee frequency=5745,5765,5785,5805 name=Channels5Ghz tx-power=25
If I remember right, the APs look for the channel with least interference among those permitted by the channel configuration; try /caps-man interface scan to check what you can really see in the air.
Plus I’m not an expert here and the manual is silent about this, but as you have specified Ce for the 2.4 GHz, I’m afraid you may have effectively permitted only use of two 40-MHz channel groups, 2412+2432 or 2437+2457 (as 2482 is not a permitted channel frequency), or maybe even just 20 MHz channels if exact match for the extension channel frequency is required; for 5 GHz, Ceee means just a single 80-MHz channel group, 5745+5765+5785+6805.
Hi Sindy
After following your recommendation I set up all the APs for local forwarding. My CRS317 still has really high CPU. So I want to ask you: for 80 CAPs, what MikroTik router should I use to set up CAPsMAN?
Why you put something like this on a switch beats me.
Any router instead of a switch should do the job, right?
Please show the typical output of /tool profile cpu=all on the CRS317, and also the typical output of /interface monitor-traffic interface=aggregate and /interface monitor-traffic interface=the-wan-interface-name.
And the question is not how many cAPs but how many clients, and what you ask the router in the CRS317 to do with their traffic.
So add the configuration export of the 317 as well.
It will either lead to a suggestion what to change in the configuration or to a suggestion whether to add an ARM-based device (a 4011 or maybe a 1100AHx4) or a TILE based one (CCR1009-7G-1C-1S+PC) as an external router.