CRS317-1g-16S+ on RoS 7.22.2 - heavy CPU after MLAG + bonding for Proxmox server

I’ve got 2 of these things. It’s a pretty simple setup; inter-VLAN routing is handled by my internet gateway.

They are connected to each other using 1 x 10gbps link (on port sfp-sfpplus16). I am aware that this is not ideal but this is all I’ve got to work with.

I added a proxmox server that will use NFS/iSCSI to connect to my storage system - I figured using an 802.3ad trunk between the two switches and the server (one port from the server going into each switch) will make my life easier for firmware upgrades or switch reboots etc.

However, when I set all this up per the documentation my problems started - CPU spiking. I see 2/3+ gbps of traffic on the port where the proxmox server is plugged in. The CPU also went from 1-2% usage up to 40% and the network is of course noticeably slower, and the log has “no buffer space available for fdb notify” in it occasionally.

I’m not sure what I’ve done wrong. Can anyone take a look at my config below?

The bonding config / status commands:

[admin@coreswitch1] > interface/bonding/print
Flags: X - DISABLED; R - RUNNING
0 R name="bond-proxmox" mtu=1500 mac-address=08:55:31:10:32:E3 arp=enabled arp-timeout=auto
slaves=sfp-sfpplus14 | proxmox - storage/vm traffic mode=802.3ad primary=none link-monitoring=mii arp-interval=100ms
arp-ip-targets="" mii-interval=100ms down-delay=0ms up-delay=0ms lacp-rate=1sec transmit-hash-policy=layer-2-and-3 min-links=0
mlag-id=1 lacp-mode=active lacp-system-priority=65535

[admin@coreswitch1] > /interface bonding print detail
Flags: X - DISABLED; R - RUNNING
0 R name="bond-proxmox" mtu=1500 mac-address=08:55:31:10:32:E3 arp=enabled arp-timeout=auto
slaves=sfp-sfpplus14 | proxmox- storage/vm traffic mode=802.3ad primary=none link-monitoring=mii arp-interval=100ms
arp-ip-targets="" mii-interval=100ms down-delay=0ms up-delay=0ms lacp-rate=1sec transmit-hash-policy=layer-2-and-3 min-links=0
mlag-id=1 lacp-mode=active lacp-system-priority=65535

[admin@coreswitch2] > interface/bonding/print
Flags: X - DISABLED; R - RUNNING
0 R name="bond-proxmox" mtu=1500 mac-address=08:55:31:10:34:D0 arp=enabled arp-timeout=auto
slaves=sfp-sfpplus14 | proxmox - storage/vm traffic mode=802.3ad primary=none link-monitoring=mii arp-interval=100ms
arp-ip-targets="" mii-interval=100ms down-delay=0ms up-delay=0ms lacp-rate=1sec transmit-hash-policy=layer-2-and-3 min-links=0
mlag-id=1 lacp-mode=active lacp-system-priority=65535

[admin@coreswitch2] > /interface bonding print detail
Flags: X - DISABLED; R - RUNNING
0 R name="bond-proxmox" mtu=1500 mac-address=08:55:31:10:34:D0 arp=enabled arp-timeout=auto
slaves=sfp-sfpplus14 | proxmox - storage/vm traffic mode=802.3ad primary=none link-monitoring=mii arp-interval=100ms
arp-ip-targets="" mii-interval=100ms down-delay=0ms up-delay=0ms lacp-rate=1sec transmit-hash-policy=layer-2-and-3 min-links=0
mlag-id=1 lacp-mode=active lacp-system-priority=65535

Bridge Switch config (same on both switches… these should be defaults.)

interface/bridge/print
Flags: Y - MANAGED; D - DYNAMIC; X - DISABLED, R - RUNNING
0 R ;;; defconf
name="bridge" mtu=auto actual-mtu=1500 l2mtu=1592 arp=enabled arp-timeout=auto mac-address=08:55:31:10:34:D3 protocol-mode=rstp
fast-forward=yes igmp-snooping=no auto-mac=no admin-mac=08:55:31:10:34:D3 ageing-time=5m priority=0x8000 max-message-age=20s
forward-delay=15s transmit-hold-count=6 vlan-filtering=yes ether-type=0x8100 pvid=1 frame-types=admit-all ingress-filtering=no
dhcp-snooping=no ra-guard=no port-cost-mode=short mvrp=no max-learned-entries=auto
mlag-peer-port=sfp-sfpplus16 (Uplink to coresw1) mlag-priority=128 mlag-heartbeat=5s

Config of the uplink port between the two mikrotiks (again only from one switch, but identical on both)

add bridge=bridge comment=defconf ingress-filtering=no interface="sfp-sfpplus16 (Uplink to coresw1)" internal-path-cost=10 path-cost=10
pvid=4094

The Bridge → MLAG on both switches is like so (obviously priority is different) and it shows as “primary” or “secondary”, and “connected”.

/interface bridge
add admin-mac=08:55:31:10:32:E6 auto-mac=no comment=defconf ingress-filtering=no mlag-peer-port="sfp-sfpplus16 (Uplink to coresw2)"
mlag-priority=127 name=bridge port-cost-mode=short vlan-filtering=yes

The strange thing is, after I rolled back the configs (and shut down my proxmox server), I’m still seeing a ton of traffic on the switches - normally it’s not very busy, but I’m seeing it idle at 8+ gbps aggregate traffic.

This is making no sense to me at all.. anyone have any ideas what is going on with this? It feels like I might have a switching loop somewhere else but this was all running perfectly before I added the new proxmox server & tried to configure the mlag + 802.3ad trunk…

Dissolving the MLAG resolved this. Removing the MLAG was painful. I was connected (remotely) to the first switch, then port 16 of that switch is connected into port 16 on the second switch. I first disabled MLAG on the furthest switch from me (i.e. the second one, by setting the port to “none”) and then did the same on the first. I then lost access to the second switch, and they didn’t come back until I rebooted the first switch.

Now CPU usage is back to normal (1-2%) and aggregate traffic is back up over 10gbps where previously it was barely at 1 gbps

I’ve submitted a ticket to support along with my config files, I’ll update this thread if we find the resolution.

I do want mlag working because I’d like redundant uplinks between my servers/storage systems. Having to shut everything down just to do a firmware update is really painful otherwise.

Also seeing this - I moved to 7.23rc2 which seems more stable

FYI, it would be easier for our human brains to parse your config if you did an /export of each section instead of a print. (And adding the extra print detail didn’t provide any additional info, in this case.)

Also, there’s an “ros” formatter you can assign to the code block to help make it quick and easy to read.


Have you tried running 7.19.6 on the switches? I’m running that on at least six MLAG stacks with great success.

Also, since you didn’t include your VLAN section, are you tagging the native VLAN across the MLAG peer link (presuming you’re using the native VLAN for the server to the rest of the network)?

Here are the configs for the switches. I sanitized them a little bit, the only major thing I removed is my statically configured IPv6 address but I trust that shouldn't make a difference. I’d be interested to see if anything jumps out at you.

No I didn’t have time to run v7.19 - this being a production setup it has to be (mostly) working all the time.

To answer your question, I had all VLANs tagged over the MLAG interface, and the PVID for those ports were set to 4094 (this VLAN isn’t used anywhere else).

Edit: please note that the below config doesn’t even include the 802.3ad LAG to my server, I removed that to see if it would fix things. It didn’t. In the below state, the CPU usage jumps from 20-80%, I see crazy amounts of traffic on ports that shouldn't have that much (in hindsight, I should have tried a packet capture). And the network is all but unusable.

first switch:

# 2026-04-28 17:20:23 by RouterOS 7.22.2
# software id = <REDACTED>
#
# model = CRS317-1G-16S+
# serial number = <REDACTED>
/interface ethernet
set [ find default-name=ether1 ] l2mtu=1592 name="ether1 (onsite mgt)"
set [ find default-name=sfp-sfpplus1 ] l2mtu=1592 name="sfp-sfpplus1 (firewall - internal5)"
set [ find default-name=sfp-sfpplus2 ] l2mtu=1592 name="sfp-sfpplus2 (winsrv1 NIC2 - data/mgt)"
set [ find default-name=sfp-sfpplus3 ] l2mtu=1592 name="sfp-sfpplus3 (nas1 - nic1 - mgt)"
set [ find default-name=sfp-sfpplus4 ] l2mtu=1592 name="sfp-sfpplus4 (nas2 - nic1 - mgt)"
set [ find default-name=sfp-sfpplus5 ] l2mtu=1592 name="sfp-sfpplus5 (esxi1 vmnic0 - mgt/vm traffic)"
set [ find default-name=sfp-sfpplus6 ] l2mtu=1592 name="sfp-sfpplus6 (esxi1 IPMI)"
set [ find default-name=sfp-sfpplus7 ] l2mtu=1592 name="sfp-sfpplus7 (proxmox1 IPMI)"
set [ find default-name=sfp-sfpplus8 ] disabled=yes l2mtu=1592
set [ find default-name=sfp-sfpplus9 ] l2mtu=1592
set [ find default-name=sfp-sfpplus10 ] l2mtu=1592 name="sfp-sfpplus10 | nas1 - lower - storage"
set [ find default-name=sfp-sfpplus11 ] l2mtu=1592 name="sfp-sfpplus11 | nas2 - upper - storage"
set [ find default-name=sfp-sfpplus12 ] l2mtu=1592 name="sfp-sfpplus12 | winsrv1 - 10gb nic1 - storage"
set [ find default-name=sfp-sfpplus13 ] l2mtu=1592 name="sfp-sfpplus13 | esxi1 - vmnic2 - storage"
set [ find default-name=sfp-sfpplus14 ] l2mtu=1592 name="sfp-sfpplus14 | proxmox1 - storage/vm traffic"
set [ find default-name=sfp-sfpplus15 ] l2mtu=1592
set [ find default-name=sfp-sfpplus16 ] l2mtu=1592 name="sfp-sfpplus16 (Uplink to coresw2)"
/interface list
add name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/ip smb users
set [ find default=yes ] disabled=yes
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge
add admin-mac=08:55:31:AB:AB:AB auto-mac=no comment=defconf ingress-filtering=no mlag-peer-port="sfp-sfpplus16 (Uplink to coresw2)" mlag-priority=127 name=bridge port-cost-mode=short vlan-filtering=yes
/interface vlan
add interface=bridge name=STORAGE vlan-id=16
add interface=bridge name=MANAGEMENT vlan-id=130
add interface=bridge name=SERVERS vlan-id=131
add interface=bridge name=INTERNAL vlan-id=132
add interface=bridge name=ISOLATED vlan-id=666
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface="ether1 (onsite mgt)" internal-path-cost=10 path-cost=10 pvid=130
add bridge=bridge comment=defconf ingress-filtering=no interface="sfp-sfpplus1 (firewall - internal5)" internal-path-cost=10 path-cost=10 pvid=130
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=no interface="sfp-sfpplus2 (winsrv1 NIC2 - data/mgt)" internal-path-cost=10 path-cost=10 pvid=131
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=no interface="sfp-sfpplus3 (nas1 - nic1 - mgt)" internal-path-cost=10 path-cost=10 pvid=130
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=no interface="sfp-sfpplus4 (nas2 - nic1 - mgt)" internal-path-cost=10 path-cost=10 pvid=130
add bridge=bridge comment=defconf ingress-filtering=no interface="sfp-sfpplus5 (esxi1 vmnic0 - mgt/vm traffic)" internal-path-cost=10 path-cost=10 pvid=130
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=no interface="sfp-sfpplus6 (esxi1 IPMI)" internal-path-cost=10 path-cost=10 pvid=130
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=no interface="sfp-sfpplus7 (proxmox1 IPMI)" internal-path-cost=10 path-cost=10 pvid=130
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=no interface=sfp-sfpplus8 internal-path-cost=10 path-cost=10 pvid=666
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus9 internal-path-cost=10 path-cost=10 pvid=16
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=no interface="sfp-sfpplus10 | nas1 - lower - storage" internal-path-cost=10 path-cost=10 pvid=16
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=no interface="sfp-sfpplus11 | nas2 - upper - storage" internal-path-cost=10 path-cost=10 pvid=16
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=no interface="sfp-sfpplus12 | winsrv1 - 10gb nic1 - storage" internal-path-cost=10 path-cost=10 pvid=16
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=no interface="sfp-sfpplus13 | esxi1 - vmnic2 - storage" internal-path-cost=10 path-cost=10 pvid=16
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus15 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface="sfp-sfpplus16 (Uplink to coresw2)" internal-path-cost=10 path-cost=10 pvid=4094
add bridge=bridge ingress-filtering=no interface="sfp-sfpplus14 | proxmox1 - storage/vm traffic" pvid=130
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set max-neighbor-entries=8192 soft-max-neighbor-entries=8191
/interface bridge vlan
add bridge=bridge tagged="sfp-sfpplus1 (firewall - internal5),sfp-sfpplus5 (esxi1 vmnic0 - mgt/vm traffic),sfp-sfpplus16 (Uplink to coresw2),sfp-sfpplus14 | proxmox1 - storage/vm traffic" untagged="sfp-sfpplus2 (winsrv1 NIC2 - data/mgt)" vlan-ids=131
add bridge=bridge tagged="sfp-sfpplus5 (esxi1 vmnic0 - mgt/vm traffic),sfp-sfpplus16 (Uplink to coresw2),sfp-sfpplus14 | proxmox1 - storage/vm traffic" untagged="sfp-sfpplus10 | nas1 - lower - storage,sfp-sfpplus11 | nas2 - upper - storage,sfp-sfpplus12 | winsrv1 - 10gb nic1 - storage,sfp-sfpplus13 | esxi1 - vmnic2 - storage" vlan-ids=16
add bridge=bridge tagged="sfp-sfpplus16 (Uplink to coresw2),bridge,sfp-sfpplus14 | proxmox1 - storage/vm traffic" untagged="sfp-sfpplus1 (firewall - internal5),sfp-sfpplus3 (nas1 - nic1 - mgt),sfp-sfpplus4 (nas2 - nic1 - mgt),sfp-sfpplus5 (esxi1 vmnic0 - mgt/vm traffic),sfp-sfpplus6 (esxi1 IPMI),sfp-sfpplus7 (proxmox1 IPMI)" vlan-ids=130
add bridge=bridge tagged="sfp-sfpplus1 (firewall - internal5),sfp-sfpplus16 (Uplink to coresw2),sfp-sfpplus5 (esxi1 vmnic0 - mgt/vm traffic),sfp-sfpplus14 | proxmox1 - storage/vm traffic" vlan-ids=132
/interface list member
add interface="ether1 (onsite mgt)" list=WAN
add interface="sfp-sfpplus1 (firewall - internal5)" list=LAN
add interface="sfp-sfpplus2 (winsrv1 NIC2 - data/mgt)" list=LAN
add interface="sfp-sfpplus3 (nas1 - nic1 - mgt)" list=LAN
add interface="sfp-sfpplus4 (nas2 - nic1 - mgt)" list=LAN
add interface="sfp-sfpplus5 (esxi1 vmnic0 - mgt/vm traffic)" list=LAN
add interface="sfp-sfpplus6 (esxi1 IPMI)" list=LAN
add interface="sfp-sfpplus7 (proxmox1 IPMI)" list=LAN
add interface=sfp-sfpplus8 list=LAN
add interface=sfp-sfpplus9 list=LAN
add interface="sfp-sfpplus10 | nas1 - lower - storage" list=LAN
add interface="sfp-sfpplus11 | nas2 - upper - storage" list=LAN
add interface="sfp-sfpplus12 | winsrv1 - 10gb nic1 - storage" list=LAN
add interface="sfp-sfpplus13 | esxi1 - vmnic2 - storage" list=LAN
add interface="sfp-sfpplus14 | proxmox1 - storage/vm traffic" list=LAN
add interface=sfp-sfpplus15 list=LAN
add interface="sfp-sfpplus16 (Uplink to coresw2)" list=LAN
/interface ovpn-server server
add auth=sha1,md5 mac-address=FE:64:44:BA:BA:BA name=ovpn-server1
/ip dhcp-client
add interface=MANAGEMENT name=MANAGEMENT-MGT
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip service
set ftp disabled=yes
set telnet disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system identity
set name=coreswitch1

second switch:

# 2026-04-28 17:20:31 by RouterOS 7.22.2
# software id = <REDACTED>
#
# model = CRS317-1G-16S+
# serial number = <REDACTED>
/interface ethernet
set [ find default-name=ether1 ] l2mtu=1592 name="ether1 (onsite mgt)"
set [ find default-name=sfp-sfpplus1 ] l2mtu=1592 name="sfp-sfpplus1 (firewall - internal4)"
set [ find default-name=sfp-sfpplus2 ] l2mtu=1592 name="sfp-sfpplus2 (winsrv1 NIC1 - data/mgt)"
set [ find default-name=sfp-sfpplus3 ] l2mtu=1592 name="sfp-sfpplus3 (nas1 - nic2 - mgt)"
set [ find default-name=sfp-sfpplus4 ] l2mtu=1592 name="sfp-sfpplus4 (nas2 - nic2 - mgt)"
set [ find default-name=sfp-sfpplus5 ] disabled=yes l2mtu=1592 name="sfp-sfpplus5 (esxi1 vmnic1 - mgt/vm traffic)"
set [ find default-name=sfp-sfpplus6 ] l2mtu=1592 name="sfp-sfpplus6 (winsrv1 IPMI)"
set [ find default-name=sfp-sfpplus7 ] l2mtu=1592
set [ find default-name=sfp-sfpplus8 ] disabled=yes l2mtu=1592
set [ find default-name=sfp-sfpplus9 ] l2mtu=1592
set [ find default-name=sfp-sfpplus10 ] l2mtu=1592 name="sfp-sfpplus10 | nas1 - lower - storage"
set [ find default-name=sfp-sfpplus11 ] l2mtu=1592 name="sfp-sfpplus11 | nas2 - upper - storage"
set [ find default-name=sfp-sfpplus12 ] l2mtu=1592 name="sfp-sfpplus12 | winsrv1 - 10gb nic2 - storage"
set [ find default-name=sfp-sfpplus13 ] l2mtu=1592 name="sfp-sfpplus13 | esxi1 - vmnic3 - storage"
set [ find default-name=sfp-sfpplus14 ] l2mtu=1592 name="sfp-sfpplus14 | proxmox1 - storage/vm traffic"
set [ find default-name=sfp-sfpplus15 ] l2mtu=1592
set [ find default-name=sfp-sfpplus16 ] l2mtu=1592 name="sfp-sfpplus16 (Uplink to coresw1)"
/interface list
add name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/ip smb users
set [ find default=yes ] disabled=yes
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge
add admin-mac=08:55:31:CD:CD:CD auto-mac=no comment=defconf ingress-filtering=no mlag-peer-port="sfp-sfpplus16 (Uplink to coresw1)" name=bridge port-cost-mode=short vlan-filtering=yes
/interface vlan
add interface=bridge name=STORAGE vlan-id=16
add interface=bridge name=MANAGEMENT vlan-id=130
add interface=bridge name=SERVERS vlan-id=131
add interface=bridge name=INTERNAL vlan-id=132
add interface=bridge name=ISOLATED vlan-id=666
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface="ether1 (onsite mgt)" internal-path-cost=10 path-cost=10 pvid=130
add bridge=bridge comment=defconf ingress-filtering=no interface="sfp-sfpplus1 (firewall - internal4)" internal-path-cost=10 path-cost=10 pvid=130
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=no interface="sfp-sfpplus2 (winsrv1 NIC1 - data/mgt)" internal-path-cost=10 path-cost=10 pvid=131
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=no interface="sfp-sfpplus3 (nas1 - nic2 - mgt)" internal-path-cost=10 path-cost=10 pvid=130
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=no interface="sfp-sfpplus4 (nas2 - nic2 - mgt)" internal-path-cost=10 path-cost=10 pvid=130
add bridge=bridge comment=defconf ingress-filtering=no interface="sfp-sfpplus5 (esxi1 vmnic1 - mgt/vm traffic)" internal-path-cost=10 path-cost=10 pvid=130
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=no interface="sfp-sfpplus6 (winsrv1 IPMI)" internal-path-cost=10 path-cost=10 pvid=130
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged ingress-filtering=no interface=sfp-sfpplus7 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=no interface=sfp-sfpplus8 internal-path-cost=10 path-cost=10 pvid=666
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus9 internal-path-cost=10 path-cost=10 pvid=16
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=no interface="sfp-sfpplus10 | nas1 - lower - storage" internal-path-cost=10 path-cost=10 pvid=16
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=no interface="sfp-sfpplus11 | nas2 - upper - storage" internal-path-cost=10 path-cost=10 pvid=16
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=no interface="sfp-sfpplus12 | winsrv1 - 10gb nic2 - storage" internal-path-cost=10 path-cost=10 pvid=16
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=no interface="sfp-sfpplus13 | esxi1 - vmnic3 - storage" internal-path-cost=10 path-cost=10 pvid=16
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus15 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface="sfp-sfpplus16 (Uplink to coresw1)" internal-path-cost=10 path-cost=10 pvid=4094
add bridge=bridge ingress-filtering=no interface="sfp-sfpplus14 | proxmox1 - storage/vm traffic" pvid=130
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set max-neighbor-entries=8192 soft-max-neighbor-entries=8191
/interface bridge vlan
add bridge=bridge tagged="sfp-sfpplus1 (firewall - internal4),sfp-sfpplus5 (esxi1 vmnic1 - mgt/vm traffic),sfp-sfpplus16 (Uplink to coresw1),sfp-sfpplus14 | proxmox1 - storage/vm traffic" untagged="sfp-sfpplus2 (winsrv1 NIC1 - data/mgt)" vlan-ids=131
add bridge=bridge tagged="sfp-sfpplus16 (Uplink to coresw1),sfp-sfpplus14 | proxmox1 - storage/vm traffic" untagged="sfp-sfpplus10 | nas1 - lower - storage,sfp-sfpplus11 | nas2 - upper - storage,sfp-sfpplus13 | esxi1 - vmnic3 - storage,sfp-sfpplus12 | winsrv1 - 10gb nic2 - storage" vlan-ids=16
add bridge=bridge tagged="sfp-sfpplus2 (winsrv1 NIC1 - data/mgt),sfp-sfpplus16 (Uplink to coresw1),bridge" untagged="sfp-sfpplus1 (firewall - internal4),sfp-sfpplus3 (nas1 - nic2 - mgt),sfp-sfpplus4 (nas2 - nic2 - mgt),sfp-sfpplus5 (esxi1 vmnic1 - mgt/vm traffic),sfp-sfpplus6 (winsrv1 IPMI),sfp-sfpplus14 | proxmox1 - storage/vm traffic" vlan-ids=130
add bridge=bridge tagged="sfp-sfpplus16 (Uplink to coresw1),sfp-sfpplus1 (firewall - internal4),sfp-sfpplus14 | proxmox1 - storage/vm traffic" vlan-ids=132
/interface list member
add interface="ether1 (onsite mgt)" list=WAN
add interface="sfp-sfpplus1 (firewall - internal4)" list=LAN
add interface="sfp-sfpplus2 (winsrv1 NIC1 - data/mgt)" list=LAN
add interface="sfp-sfpplus3 (nas1 - nic2 - mgt)" list=LAN
add interface="sfp-sfpplus4 (nas2 - nic2 - mgt)" list=LAN
add interface="sfp-sfpplus5 (esxi1 vmnic1 - mgt/vm traffic)" list=LAN
add interface="sfp-sfpplus6 (winsrv1 IPMI)" list=LAN
add interface=sfp-sfpplus7 list=LAN
add interface=sfp-sfpplus8 list=LAN
add interface=sfp-sfpplus9 list=LAN
add interface="sfp-sfpplus10 | nas1 - lower - storage" list=LAN
add interface="sfp-sfpplus11 | nas2 - upper - storage" list=LAN
add interface="sfp-sfpplus12 | winsrv1 - 10gb nic2 - storage" list=LAN
add interface="sfp-sfpplus13 | esxi1 - vmnic3 - storage" list=LAN
add interface="sfp-sfpplus14 | proxmox1 - storage/vm traffic" list=LAN
add interface=sfp-sfpplus15 list=LAN
add interface="sfp-sfpplus16 (Uplink to coresw1)" list=LAN
/interface ovpn-server server
add auth=sha1,md5 mac-address=FE:F8:F5:EF:EF:EF name=ovpn-server1
/ip dhcp-client
add interface=MANAGEMENT name=MANAGEMENT-MGT
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip service
set ftp disabled=yes
set telnet disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system identity
set name=coreswitch2
/system package update
set channel=long-term

The only thing that I see “missing” (i.e. that’s different than my config) is you don’t have vlan 4094 marked as “untagged” to your two mlag-peer ports in the Bridge/VLAN config. Yes, it’s supposed to be automatic, so it may or may not make a difference, but that’s what I have.

Also, if you have an MLAG bond, add only the bond interface to the bridge, not the bond slave. I don’t know that it would let you (it should complain), but weird things sometimes happen.

I’ve included the pieces relevant to MLAG that are on my switch (in this case a CRS326-24S+2Q+).

/interface bridge
add admin-mac=F4:1E:57:12:34:56 auto-mac=no name=bridge vlan-filtering=yes

/interface ethernet
set [ find default-name=qsfpplus1-1 ] l2mtu=10218 name=mlag-peer

# This line has been consolidated with bridge settings in newer releases
/interface bridge mlag
set bridge=bridge peer-port=mlag-peer

/interface bridge port
add bridge=bridge interface=mlag-peer pvid=2

/interface bridge vlan
add bridge=bridge tagged=mlag-peer vlan-ids=1
# I'm not seeing a similar 'untagged' line in your config for VLAN 4094 
# It may or may not make a difference, since it's supposed to be automatic now
add bridge=bridge untagged=mlag-peer vlan-ids=2

Also, I see you’ve created Layer 3 interfaces on each VLAN. Is there a reason for this? This gives the CPU visibility into the VLANs, which is OK for discovery and necessary for management (VLAN 130), but is unnecessary (and potentially undesirable from a security standpoint) on the other VLANs.

/interface vlan
# this is OK to keep
add interface=bridge name=MANAGEMENT vlan-id=130 
# others unnecessary
add interface=bridge name=STORAGE vlan-id=16
add interface=bridge name=SERVERS vlan-id=131
add interface=bridge name=INTERNAL vlan-id=132
add interface=bridge name=ISOLATED vlan-id=666

Do you have redacted IP addresses associated with these VLAN interfaces?

Also, I see remnants of router configuration, like this was copied from another device or set up as a router at one time. None of the following needs to be (or should be) on a device dedicated as a switch, let alone an MLAG stack. Routing + MLAG do not work together (specifically L3HW offload and MLAG) at this time. So if you have any routing going on, it’s punting some work to the CPU.

# Lists can be useful on a switch, but these two don't make sense in your case;
# it isn't routing
/interface list
add name=WAN
add name=LAN

/interface list member
add interface="ether1 (onsite mgt)" list=WAN
add interface="sfp-sfpplus1 (firewall - internal5)" list=LAN
add interface="sfp-sfpplus2 (winsrv1 NIC2 - data/mgt)" list=LAN
add interface="sfp-sfpplus3 (nas1 - nic1 - mgt)" list=LAN
add interface="sfp-sfpplus4 (nas2 - nic1 - mgt)" list=LAN
add interface="sfp-sfpplus5 (esxi1 vmnic0 - mgt/vm traffic)" list=LAN
add interface="sfp-sfpplus6 (esxi1 IPMI)" list=LAN
add interface="sfp-sfpplus7 (proxmox1 IPMI)" list=LAN
add interface=sfp-sfpplus8 list=LAN
add interface=sfp-sfpplus9 list=LAN
add interface="sfp-sfpplus10 | nas1 - lower - storage" list=LAN
add interface="sfp-sfpplus11 | nas2 - upper - storage" list=LAN
add interface="sfp-sfpplus12 | winsrv1 - 10gb nic1 - storage" list=LAN
add interface="sfp-sfpplus13 | esxi1 - vmnic2 - storage" list=LAN
add interface="sfp-sfpplus14 | proxmox1 - storage/vm traffic" list=LAN
add interface=sfp-sfpplus15 list=LAN
add interface="sfp-sfpplus16 (Uplink to coresw2)" list=LAN


# These are common defaults on RouterOS, but I'm not seeing them on my CRS326 on 7.19.4
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/ip smb users
set [ find default=yes ] disabled=yes

# Also shouldn't be on a switch
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/ip firewall connection tracking
set udp-timeout=10s
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
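
The checks suggested in the reply above, written as a small Python audit over an `/export`. This is an added example, not code from the thread or from MikroTik. It assumes unwrapped export lines as pasted in this thread; `SAMPLE_EXPORT`, `parse_export`, `audit` and the finding labels are names made up for the example, and the management VLAN (130) is the one named in the thread.

```python
import shlex

# Constructed sample: an abbreviated export modelled on the thread's first
# switch, with short port names and an MLAG bond added to exercise each check.
SAMPLE_EXPORT = """\
/interface bridge
add auto-mac=no mlag-peer-port=sfp-sfpplus16 name=bridge vlan-filtering=yes
/interface bonding
add mlag-id=1 mode=802.3ad name=bond-proxmox slaves=sfp-sfpplus14
/interface vlan
add interface=bridge name=STORAGE vlan-id=16
add interface=bridge name=MANAGEMENT vlan-id=130
/interface bridge port
add bridge=bridge interface=sfp-sfpplus16 pvid=4094
add bridge=bridge interface=sfp-sfpplus14 pvid=130
/interface bridge vlan
add bridge=bridge tagged=sfp-sfpplus16,bridge,sfp-sfpplus14 vlan-ids=130
add bridge=bridge tagged=sfp-sfpplus16,sfp-sfpplus14 vlan-ids=16
/routing ospf instance
add disabled=no name=default-v2
"""


def parse_export(text):
    """Return (section, verb, {key: value}) for every add/set line."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        tokens = shlex.split(line)  # keeps quoted names with spaces intact
        if tokens[0] not in ("add", "set"):
            continue
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        entries.append((section, tokens[0], props))
    return entries


def vlan_ids(spec):
    """Expand a vlan-ids value such as '16', '1,2' or '10-20' into a set."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def audit(text, mgmt_vlan=130):
    """Apply the reply's four review points to one switch's export."""
    entries = parse_export(text)

    def rows(section):
        return [p for sec, _, p in entries if sec == section]

    findings = []
    ports = {p["interface"]: int(p.get("pvid", 1))
             for p in rows("/interface bridge port") if "interface" in p}
    # The peer port is a bridge property in newer releases, a separate
    # /interface bridge mlag menu in older ones (as in the reply's config).
    peers = [p["mlag-peer-port"] for p in rows("/interface bridge") if "mlag-peer-port" in p]
    peers += [p["peer-port"] for p in rows("/interface bridge mlag") if "peer-port" in p]
    for peer in peers:
        pvid = ports.get(peer, 1)
        listed = any("vlan-ids" in v and pvid in vlan_ids(v["vlan-ids"])
                     and peer in v.get("untagged", "").split(",")
                     for v in rows("/interface bridge vlan"))
        if not listed:
            findings.append(f"peer-pvid-not-untagged: {peer} pvid={pvid}")
    for bond in rows("/interface bonding"):
        for slave in bond.get("slaves", "").split(","):
            if "mlag-id" in bond and slave in ports:
                findings.append(f"bond-slave-in-bridge: {slave} (use {bond.get('name')})")
    for v in rows("/interface vlan"):
        if "vlan-id" in v and int(v["vlan-id"]) != mgmt_vlan:
            findings.append(f"l3-vlan-interface: {v.get('name')} vlan-id={v['vlan-id']}")
    for sec in sorted({sec for sec, _, _ in entries if sec.startswith("/routing ")}):
        findings.append(f"routing-remnant: {sec}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print(finding)
```

Run it against the export of each MLAG peer separately; an empty result only means none of these four points apply, not that the MLAG is healthy.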

Thanks for the response - those layer 3 addresses on each VLAN are leftover - they’re not currently in use so I’ll remove them.

Also the reason for VLAN 4094 PVID on both sides of the MLAG was to prevent any traffic spilling into VLAN 1.

I have no MLAG bond - it’s just port sfp-sfpplus16 on each switch directly defined as the MLAG member. I expected it was working and I did it right - because the port on switch 1 showed “primary” and the second showed “secondary”.

I’m not sure re the leftover RoS-adjacent config - that stuff has been there from out of the box. I edited a minimum amount of settings to get this switch to a working state, with the reasoning of “don’t fix what’s not broken”. When I get a chance I’ll remove all that and see if it makes a difference.

But for now, without the MLAG setup, things are back to normal. Still nothing from support. Will update if I hear back.