CRS326-24S+2Q high cpu usage throttling network. Probably user config error

Hi

I’m new to MikroTik and more used to Cisco, Mellanox etc. So I’m fairly certain I’m missing something fundamental here, like fully understanding the concept of bridges. I did look at a guide on YouTube when configuring this and have since thrown pretty much everything I have at it. But there’s something wrong and something I’m missing.

The setup is:

  • This CRS326-24S+2Q+ connects with 10GbE to a Cisco Nexus switch, over a transit network, 10.0.254.120/30.
  • One single VLAN on the Switch with (when fully configured) <5 clients of which 1 is 10GbE.

The issues

  • First, when I had hardware offload on the clients’ bridge ports, the performance between 2 test 10GbE clients on vlan132 was limited to sub 40MB/sec (iperf tests) and the CPU usage was at 80%
  • When I disabled hardware offload I got 10GbE iperf performance between the clients
  • When traffic goes over the transit network, CPU usage again goes to 80% and performance drops to sub 40MB/sec
  • You will see remains of a bridge for the transit network in the config; it is not in use at the moment.

I am most likely missing something obvious here and I appreciate any pointers in the right direction.

Thanks

# oct/25/2022 06:39:09 by RouterOS 7.5
# software id = 4RZJ-MY29
#
# model = CRS326-24S+2Q+
/interface bridge
add comment="*** TRANSIT BRIDGE ***" disabled=yes fast-forward=no name=\
    BR-TRANSIT protocol-mode=none
add comment="*** VLAN132 BRIDGE ***" fast-forward=no name=BR-VLAN132 \
    protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] disabled=yes
set [ find default-name=qsfpplus1-1 ] disabled=yes
set [ find default-name=qsfpplus1-2 ] disabled=yes
set [ find default-name=qsfpplus1-3 ] disabled=yes
set [ find default-name=qsfpplus1-4 ] disabled=yes
set [ find default-name=qsfpplus2-1 ] disabled=yes
set [ find default-name=qsfpplus2-2 ] disabled=yes
set [ find default-name=qsfpplus2-3 ] disabled=yes
set [ find default-name=qsfpplus2-4 ] disabled=yes
set [ find default-name=sfp-sfpplus1 ] disabled=yes
set [ find default-name=sfp-sfpplus2 ] disabled=yes
set [ find default-name=sfp-sfpplus3 ] disabled=yes
set [ find default-name=sfp-sfpplus4 ] disabled=yes
set [ find default-name=sfp-sfpplus5 ] disabled=yes
set [ find default-name=sfp-sfpplus6 ] disabled=yes
set [ find default-name=sfp-sfpplus7 ] disabled=yes
set [ find default-name=sfp-sfpplus8 ] disabled=yes
set [ find default-name=sfp-sfpplus9 ] disabled=yes
set [ find default-name=sfp-sfpplus10 ] disabled=yes
set [ find default-name=sfp-sfpplus11 ] disabled=yes
set [ find default-name=sfp-sfpplus12 ] disabled=yes
set [ find default-name=sfp-sfpplus13 ] disabled=yes
set [ find default-name=sfp-sfpplus14 ] auto-negotiation=no comment=\
    "*** client dac test ***" speed=10Gbps
set [ find default-name=sfp-sfpplus15 ] disabled=yes
set [ find default-name=sfp-sfpplus16 ] disabled=yes
set [ find default-name=sfp-sfpplus17 ] disabled=yes
set [ find default-name=sfp-sfpplus18 ] disabled=yes
set [ find default-name=sfp-sfpplus19 ] disabled=yes
set [ find default-name=sfp-sfpplus20 ] disabled=yes
set [ find default-name=sfp-sfpplus21 ] disabled=yes
set [ find default-name=sfp-sfpplus22 ] disabled=yes
set [ find default-name=sfp-sfpplus23 ] disabled=yes
set [ find default-name=sfp-sfpplus24 ] auto-negotiation=no comment=\
    "*** IP TRANSIT - 10.0.254.120/30 ***" speed=10Gbps
/interface vlan
add comment="*** VLAN132 ***" interface=BR-VLAN132 name=vlan132 vlan-id=132
/interface ethernet switch
set 1 cpu-flow-control=no
/interface list
add name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
/routing ospf area
add disabled=no instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=BR-VLAN132 comment="*** CLIENT ***" hw=no ingress-filtering=no \
    interface=sfp-sfpplus14 pvid=132
add bridge=BR-VLAN132 comment="*** TEMP 10G client ***" disabled=yes \
    ingress-filtering=no interface=sfp-sfpplus16 pvid=132
add bridge=BR-VLAN132 disabled=yes ingress-filtering=no interface=\
    sfp-sfpplus18 pvid=132
add bridge=BR-TRANSIT comment="*** IP TRANSIT - 10.0.254.120/30 ***" \
    disabled=yes ingress-filtering=no interface=sfp-sfpplus24
add bridge=BR-VLAN132 comment="*** BRIDGE PORT PVID VLAN132 ***" \
    ingress-filtering=no interface=vlan132 pvid=132
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=BR-VLAN132 comment="*** VLAN132 ***" untagged=\
    sfp-sfpplus18,sfp-sfpplus16,sfp-sfpplus14 vlan-ids=132
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=10.0.254.122/30 interface=sfp-sfpplus24 network=\
    10.0.254.120
add address=192.168.1.33/27 comment="*** test test ***" interface=BR-VLAN132 \
    network=192.168.1.32
/ip cloud
set update-time=no
/ip dhcp-server network
add address=192.168.1.32/27 gateway=192.168.1.33
/ip dns
set servers=x.x.x.x,x.x.x.x
/ip dns static
add address=159.148.147.204 comment=\
    "*** mikrotik upgrade ***" name=upgrade.mikrotik.com
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=10.0.254.121
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip smb
set allow-guests=no
/ip smb shares
set [ find default=yes ] disabled=yes
/system routerboard settings
set boot-os=router-os

It is better to use a single bridge.

And without HW offload it’s normal for the device to use 80% of the CPU and that this limits a 10GbE connection to 40MByte/sec…?

Looks like you need to enable L3 hardware offload.

https://help.mikrotik.com/docs/display/ROS/L3+Hardware+Offloading

Aah. Thanks. I tried that from winbox earlier today without any luck. Will try again from console and see what happens. Will report back. Thanks! :folded_hands:

IMHO, one bridge is not the “best” solution. It is the “only” solution. Only in single-bridge mode will hardware offloading start working.

This CPU has poor performance for such tasks, so the entire load must be handled by the switching chip. Plus, it is advisable not to monitor the switch itself (via Winbox or Dude) at the time of the test of the exchange rate between clients.

Will have to think about the ‘one bridge’ comment. Not sure that’s really feasible here with the transit link.

But enabling the offloading in the current setup did not help.

[admin@swname] > /interface/ethernet/switch/ print
Columns: NAME, TYPE, L3-HW-OFFLOADING
# NAME     TYPE              L3-HW-OFFLOADING
0 switch1  Marvell-98DX8332  yes
1 switch2  Atheros-8227      no


[admin@swname] > /interface/ethernet/switch/port print
Flags: I - INVALID
Columns: NAME, SWITCH, L3-HW-OFFLOADING, STORM-RATE
 #   NAME           SWITCH   L3-HW-OFFLOADING  STORM-RATE
 0   sfp-sfpplus1   switch1  yes                      100
 1   sfp-sfpplus2   switch1  yes                      100
 2   sfp-sfpplus3   switch1  yes                      100
 3   sfp-sfpplus4   switch1  yes                      100
 4   sfp-sfpplus5   switch1  yes                      100
 5   sfp-sfpplus6   switch1  yes                      100
 6   sfp-sfpplus7   switch1  yes                      100
 7   sfp-sfpplus8   switch1  yes                      100
 8   sfp-sfpplus9   switch1  yes                      100
 9   sfp-sfpplus10  switch1  yes                      100
10   sfp-sfpplus11  switch1  yes                      100
11   sfp-sfpplus12  switch1  yes                      100
12   sfp-sfpplus13  switch1  yes                      100
13   sfp-sfpplus14  switch1  yes                      100
14   sfp-sfpplus15  switch1  yes                      100
15   sfp-sfpplus16  switch1  yes                      100
16   sfp-sfpplus17  switch1  yes                      100
17   sfp-sfpplus18  switch1  yes                      100
18   sfp-sfpplus19  switch1  yes                      100
19   sfp-sfpplus20  switch1  yes                      100
20   sfp-sfpplus21  switch1  yes                      100
21   sfp-sfpplus22  switch1  yes                      100
22   sfp-sfpplus23  switch1  yes                      100
23   sfp-sfpplus24  switch1  yes                      100
24   qsfpplus1-1    switch1  yes                      100
25   qsfpplus1-2    switch1  yes                      100
26   qsfpplus1-3    switch1  yes                      100
27   qsfpplus1-4    switch1  yes                      100
28   qsfpplus2-1    switch1  yes                      100
29   qsfpplus2-2    switch1  yes                      100
30   qsfpplus2-3    switch1  yes                      100
31   qsfpplus2-4    switch1  yes                      100
32 I ether1         switch2
33   switch1-cpu    switch1                           100
34 I switch2-cpu    switch2



Show

/interface/bridge/port/print

Look - Layer2 misconfiguration

Bridges on a single switch chip

Hmm. So when looking at using only one bridge I lost the ability to ping the other end of the transit net. Couldn’t get it to work even after reverting the config. Rebooted the unit but it still didn’t work. I then disabled ‘l3-hw-offloading’ on switch1 and instantly got ping to work. Enabled it again and it still works… :thinking: Something feels fishy here?


 /interface/bridge/port/print
Flags: X, I - INACTIVE
Columns: INTERFACE, BRIDGE, HW, PVID, PRIORITY, PATH-COST, INTERNAL-PATH-COST, HORIZON
#   INTERFACE      BRIDGE      HW  PVID  PRIORITY  PATH-COST  INTERNAL-PATH-COST  HORIZON
;;; *** CLIENT ***
0   sfp-sfpplus14  BR-VLAN132  no   132  0x80             10                  10  none   
;;; *** TEMP 10G client ***
1 X sfp-sfpplus16  BR-VLAN132       132  0x80             10                  10  none   
2 X sfp-sfpplus18  BR-VLAN132       132  0x80             10                  10  none   
;;; *** IP TRANSIT - 10.0.254.120/30 ***
3 X sfp-sfpplus24  BR-TRANSIT       132  0x80             10                  10  none   
;;; *** BRIDGE PORT PVID VLAN132 ***
4   vlan132        BR-VLAN132       132  0x80             10                  10  none   
[admin@swname] >

I looked at your configuration from the first post. It has errors. For example, you have enabled VLAN as a port in a bridge.

Draw a diagram of how you would like the network to work and how you would like to configure your switch.

That was in the tutorial I followed. But sure, give me a minute and I’ll toss up a diagram.

I have tried with and without that vlan though, no difference.

[attached image: Screenshot 2022-10-25 at 18.07.27.png]

If you need to route traffic from one network to another, then a switch is not the best choice. You just need a router.

/interface list add name=LAN
/interface list add name=WAN

/interface vlan add comment="*** VLAN132 ***" interface=sfp-sfpplus24 name=vlan132 vlan-id=132

/ip address add address=10.0.254.122/30 interface=vlan132

/ip route add disabled=no dst-address=0.0.0.0/0 gateway=10.0.254.121

/interface list member add interface=vlan132 list=WAN

/ip firewall nat add action=masquerade chain=srcnat out-interface-list=WAN

/interface bridge add disabled=no name=BR-LAN protocol-mode=none

/ip address add address=192.168.1.33/27 interface=BR-LAN

/interface bridge port add bridge=BR-LAN hw=yes interface=xxxx

If you need to transit traffic to another device through this switch, and use the rest of the ports of this switch to connect devices on the local network, that is another option.

/interface bridge add disabled=no name=BR-LAN protocol-mode=none

### Isolate transit ports
/interface ethernet switch port-isolation set qsfpplus1-1 forwarding-override=qsfpplus1-2
/interface ethernet switch port-isolation set qsfpplus1-2 forwarding-override=qsfpplus1-1

### Input from Cisco (trunk port)
/interface bridge port add bridge=BR-LAN hw=yes interface=qsfpplus1-1 pvid=1

### Output to other switch (trunk port)
/interface bridge port add bridge=BR-LAN hw=yes interface=qsfpplus1-2 pvid=1

### Access port
/interface bridge port add bridge=BR-LAN hw=yes interface=xxx

/interface bridge vlan add bridge=BR-LAN tagged=qsfpplus1-1,qsfpplus1-2 vlan-ids=132

/interface bridge set BR-LAN vlan-filtering=yes

Thanks a bunch! I’ll look at this tomorrow and I’ll report back then. :folded_hands::folded_hands::folded_hands::folded_hands::folded_hands:

Quick follow-up question before I look at this. This still doesn’t explain the high CPU usage? What in the current config is so wrong that it causes this? And in what way is it wrong?

I’m not sure exactly what you want to achieve from this switch. :laughing:
Low CPU load + maximum performance is only possible if properly configured.

You need to carefully read the documentation for possible errors in the settings - Layer2 misconfiguration

In order for your switch to work “correctly”, its ports must be in the hardware offload state. Bridge Hardware Offloading
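As an added example (not from this thread, from MikroTik, or from any RouterOS tool), here is a small Python linter that parses the `/export` text format and flags the points raised in the replies above: more than one bridge defined (the single-bridge advice), a bridge port with `hw=no`, a `/interface vlan` interface added as a bridge port (the error pointed out after the diagram), and a bridge VLAN table on a bridge that does not have `vlan-filtering=yes` (the last line of the second suggested config). The two embedded exports are constructed samples: the first is trimmed to the shape of the opening post's export, the second to the shape of the suggested single-bridge config. The parser is simplified and handles only the command forms those sections use.

```python
"""Lint a RouterOS '/export' for the bridge and offload problems raised in this thread."""
import shlex
from collections import defaultdict

# Constructed sample in the shape of the first post's export (same names): two bridges,
# a port with hw=no, vlan132 as a bridge port, a bridge VLAN table but no vlan-filtering.
SAMPLE_EXPORT = r"""
# oct/25/2022 06:39:09 by RouterOS 7.5
/interface bridge
add comment="*** TRANSIT BRIDGE ***" disabled=yes fast-forward=no name=\
    BR-TRANSIT protocol-mode=none
add comment="*** VLAN132 BRIDGE ***" fast-forward=no name=BR-VLAN132 \
    protocol-mode=none
/interface vlan
add comment="*** VLAN132 ***" interface=BR-VLAN132 name=vlan132 vlan-id=132
/interface bridge port
add bridge=BR-VLAN132 comment="*** CLIENT ***" hw=no ingress-filtering=no \
    interface=sfp-sfpplus14 pvid=132
add bridge=BR-VLAN132 comment="*** BRIDGE PORT PVID VLAN132 ***" \
    ingress-filtering=no interface=vlan132 pvid=132
/interface bridge vlan
add bridge=BR-VLAN132 untagged=sfp-sfpplus14 vlan-ids=132
"""

# Constructed counterpart in the shape of the second suggested config:
# one bridge, hw=yes on every port, VLAN table plus vlan-filtering=yes.
FIXED_EXPORT = r"""
/interface bridge
add disabled=no name=BR-LAN protocol-mode=none
/interface bridge port
add bridge=BR-LAN hw=yes interface=qsfpplus1-1 pvid=1
add bridge=BR-LAN hw=yes interface=sfp-sfpplus14
/interface bridge vlan
add bridge=BR-LAN tagged=qsfpplus1-1 vlan-ids=132
/interface bridge
set BR-LAN vlan-filtering=yes
"""

def _join_continuations(text):
    """A trailing backslash glues the next line (minus its indent) onto this one."""
    out, buf = [], ""
    for raw in text.splitlines():
        buf += raw.strip()
        if buf.endswith("\\"):
            buf = buf[:-1]
            continue
        out.append(buf)
        buf = ""
    return out

def parse_export(text):
    """{section: [(verb, target, {k: v})]}: 'add' keyed by name=, 'set X' by X,
    'set [ find k=v ]' by v. Covers the sections checked below, not every RouterOS form."""
    cfg, section = defaultdict(list), None
    for line in _join_continuations(text):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        tokens = shlex.split(line)          # handles quoted comment="..." values
        verb, rest, target = tokens[0], tokens[1:], None
        if rest and rest[0] == "[":         # set [ find key=value ] ...
            close = rest.index("]")
            selector = [t for t in rest[1:close] if "=" in t]
            target = selector[0].split("=", 1)[1] if selector else None
            rest = rest[close + 1:]
        elif rest and "=" not in rest[0]:   # set BR-LAN vlan-filtering=yes
            target = rest.pop(0)
        kv = dict(t.split("=", 1) for t in rest if "=" in t)
        cfg[section].append((verb, target or kv.get("name"), kv))
    return cfg

def lint(text):
    """Return [(code, message)] for the misconfigurations the replies point at."""
    cfg, findings = parse_export(text), []
    bridges = {}                            # later 'set' lines merge onto the 'add'
    for _verb, target, kv in cfg.get("/interface bridge", []):
        bridges.setdefault(target, {}).update(kv)
    if len(bridges) > 1:
        enabled = [n for n, kv in bridges.items() if kv.get("disabled") != "yes"]
        findings.append(("multiple-bridges", f"{len(bridges)} bridges defined, {len(enabled)} "
                         "enabled; hardware offload works for a single bridge per switch chip"))
    vlan_ifaces = {target for _v, target, _kv in cfg.get("/interface vlan", [])}
    for _verb, _target, kv in cfg.get("/interface bridge port", []):
        iface, bridge = kv.get("interface", "?"), kv.get("bridge")
        if kv.get("hw") == "no":
            findings.append(("hw-offload-disabled", f"{iface} in {bridge} has hw=no, "
                             "so its traffic is switched by the CPU"))
        if iface in vlan_ifaces:
            findings.append(("vlan-as-bridge-port", f"VLAN interface {iface} is a member port of {bridge}"))
    for _verb, _target, kv in cfg.get("/interface bridge vlan", []):
        bridge = kv.get("bridge")
        if bridges.get(bridge, {}).get("vlan-filtering") != "yes":
            findings.append(("vlan-table-without-filtering",
                             f"{bridge} has a bridge VLAN table entry but vlan-filtering is not yes"))
    return findings
```

Run `lint(open("export.rsc").read())` on a saved `/export` and print the tuples; on the first sample it returns the four findings named in the lead-in, on the second it returns an empty list. The checks are deliberately structural: they say which lines keep the switch chip out of the forwarding path, not what the right topology for the transit link is, which is the diagram question the thread leaves to the poster.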

Is it normal though to get 30 percent just by opening Winbox and monitoring the traffic? It seems so bad. But the performance is fine; it’s just bothering me sometimes to open Winbox just to see that the usage is high.