CRS326-24S+2Q+RM CPU usage and poor performance

We are facing serious performance issues with our two core switches. Even with a simple speedtest at 150 Mbps from a machine, the CPU spikes to 100%.

Can someone verify the configuration below, please?

# 2025-12-18 17:02:52 by RouterOS 7.16.1
# software id = 30DV-NK70
#
# model = CRS326-24S+2Q+
# serial number = HHH0A9V9AD7
# Interface layer: one VLAN-aware bridge, a routed VLAN interface per VLAN on
# top of it, an LACP bond and one VRRP instance per VLAN.
# vlan-filtering=yes makes the bridge apply the /interface bridge vlan table;
# priority=0x2000 sets this bridge's spanning-tree priority.
# NOTE(review): no dhcp-snooping= value is exported for the bridge, so it is
# presumably at its default (export omits defaults) - confirm whether
# rogue-DHCP protection is wanted on the access VLANs.
/interface bridge
add ageing-time=3m name=Core-bridge priority=0x2000 vlan-filtering=yes
# loop-protect is switched on for these six SFP+ ports only.
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] loop-protect=on
set [ find default-name=sfp-sfpplus2 ] loop-protect=on
set [ find default-name=sfp-sfpplus3 ] loop-protect=on
set [ find default-name=sfp-sfpplus4 ] loop-protect=on
set [ find default-name=sfp-sfpplus5 ] loop-protect=on
set [ find default-name=sfp-sfpplus24 ] loop-protect=on
# VLAN interfaces 150-156 are created on the bridge itself; each one later
# receives an IP address, so traffic between these VLANs is routed by this
# device rather than switched.
/interface vlan
add interface=Core-bridge name=vlan150 vlan-id=150
add interface=Core-bridge name=vlan151 vlan-id=151
add interface=Core-bridge name=vlan152 vlan-id=152
add interface=Core-bridge loop-protect=on name=vlan153 vlan-id=153
add interface=Core-bridge name=vlan154 vlan-id=154
add interface=Core-bridge loop-protect=on name=vlan155 vlan-id=155
add interface=Core-bridge name=vlan156 vlan-id=156
# 802.3ad (LACP) bond over sfp-sfpplus9/10/11; the bond, not its slaves, is
# the bridge port (see bond-syn under /interface bridge port).
/interface bonding
add lacp-rate=1sec mode=802.3ad name=bond-syn slaves=\
    sfp-sfpplus9,sfp-sfpplus10,sfp-sfpplus11 transmit-hash-policy=\
    layer-2-and-3
# One VRRP instance per VLAN, all with priority=150 and vrid equal to the
# VLAN id.
# NOTE(review): no authentication= or version= value is exported, so both are
# presumably at their defaults - confirm, and confirm which hosts share L2
# with these VLANs, since VRRP peers are only as trustworthy as the segment.
/interface vrrp
add comment="VRRP 150" interface=vlan150 name=VRRP150 priority=150 vrid=150
add comment=VRRP151 interface=vlan151 name=VRRP151 priority=150 vrid=151
add comment=VRRP152 interface=vlan152 name=VRRP152 priority=150 vrid=152
add comment=VRRP153 interface=vlan153 name=VRRP153 priority=150 vrid=153
add comment=VRRP154 interface=vlan154 name=VRRP154 priority=150 vrid=154
add comment=VRRP155 interface=vlan155 name=VRRP155 priority=150 vrid=155
add comment=VRRP156 interface=vlan156 name=VRRP156 priority=150 vrid=156
# Three interface lists are declared. The VRRP list gets no members anywhere
# in /interface list member, so the firewall rule that matches
# in-interface-list=VRRP matches no interface as exported.
/interface list
add name=WAN
add name=LAN
add name=VRRP
# DHCP service: one pool and one server per VLAN interface.
# Option 119 is the DNS domain search list. The value is written as
# length-prefixed labels and appears to decode to two suffixes, froq.lan and
# corp.froq.nl (0x0004 = terminator of the first name followed by the length
# of the next label).
/ip dhcp-server option
add code=119 name=domain-search value=\
    "0x04'froq'0x03'lan'0x0004'corp'0x04'froq'0x02'nl'0x00"
/ip dhcp-server option sets
add name=domain-search-set options=domain-search
# Address pools, one per /24. Pool names do not follow the VLAN numbers
# (dhcp_pool2 serves 10.10.151.0/24, dhcp_pool6 serves 10.10.150.0/24, ...).
/ip pool
add name=dhcp_pool2 ranges=10.10.151.20-10.10.151.254
add name=dhcp_pool3 ranges=10.10.154.50-10.10.154.254
add name=dhcp_pool4 ranges=10.10.156.10-10.10.156.254
add name=dhcp_pool5 ranges=10.10.155.10-10.10.155.254
add name=dhcp_pool6 ranges=10.10.150.10-10.10.150.253
add name=dhcp_pool7 ranges=10.10.152.10-10.10.152.254
add name=dhcp_pool8 ranges=10.10.153.10-10.10.153.254
# DHCP servers bound to the VLAN interfaces. dhcp4 (vlan156) and dhcp5
# (vlan150) are the only two that do not hand out the domain-search option set.
# A DHCP server also runs on vlan150, the VLAN whose address is commented
# VLAN150-MGMT under /ip address.
/ip dhcp-server
add address-pool=dhcp_pool2 dhcp-option-set=domain-search-set interface=\
    vlan151 name=dhcp1
add address-pool=dhcp_pool3 dhcp-option-set=domain-search-set interface=\
    vlan154 name=dhcp2
add address-pool=dhcp_pool4 interface=vlan156 name=dhcp4
add address-pool=dhcp_pool5 dhcp-option-set=domain-search-set interface=\
    vlan155 name=dhcp3
add address-pool=dhcp_pool6 interface=vlan150 name=dhcp5
add address-pool=dhcp_pool7 dhcp-option-set=domain-search-set interface=\
    vlan152 name=dhcp6
add address-pool=dhcp_pool8 dhcp-option-set=domain-search-set interface=\
    vlan153 name=dhcp7
# Names the first serial port serial0.
/port
set 0 name=serial0
# Bridge membership, VLAN table and L3 hardware-offload switches.
# Only qsfpplus1-1 is restricted to frame-types=admit-only-vlan-tagged.
# NOTE(review): sfp-sfpplus1..5 carry tagged VLANs (see /interface bridge vlan)
# but keep the default frame-types and pvid, so untagged frames arriving on
# them are presumably accepted into the default PVID - confirm, and consider
# admit-only-vlan-tagged on every trunk port.
/interface bridge port
add bridge=Core-bridge comment=defconf edge=no frame-types=\
    admit-only-vlan-tagged interface=qsfpplus1-1
add bridge=Core-bridge comment=defconf interface=qsfpplus1-2
add bridge=Core-bridge comment=defconf interface=qsfpplus1-3
add bridge=Core-bridge comment=defconf interface=qsfpplus1-4
add bridge=Core-bridge comment=defconf interface=qsfpplus2-1
add bridge=Core-bridge comment=defconf interface=qsfpplus2-2
add bridge=Core-bridge comment=defconf interface=qsfpplus2-3
add bridge=Core-bridge comment=defconf interface=qsfpplus2-4
add bridge=Core-bridge comment=defconf edge=no interface=sfp-sfpplus12
add bridge=Core-bridge comment=defconf edge=no interface=sfp-sfpplus16
add bridge=Core-bridge comment=defconf edge=no interface=sfp-sfpplus18
add bridge=Core-bridge comment=defconf edge=no interface=sfp-sfpplus19
add bridge=Core-bridge comment=defconf edge=no interface=sfp-sfpplus20
add bridge=Core-bridge comment=defconf edge=no interface=sfp-sfpplus21
add bridge=Core-bridge comment=defconf edge=no interface=sfp-sfpplus22
add bridge=Core-bridge comment=defconf edge=no interface=sfp-sfpplus23
add bridge=Core-bridge interface=sfp-sfpplus3 point-to-point=yes
add bridge=Core-bridge interface=sfp-sfpplus4 point-to-point=yes
add bridge=Core-bridge interface=sfp-sfpplus5
add bridge=Core-bridge interface=sfp-sfpplus6
add bridge=Core-bridge edge=no interface=sfp-sfpplus1 point-to-point=yes
add bridge=Core-bridge interface=sfp-sfpplus2 point-to-point=yes
add bridge=Core-bridge interface=sfp-sfpplus7
# sfp-sfpplus24 is an untagged access port in VLAN 150. The same port is the
# only member of the WAN list, and VLAN 150 holds the address commented
# VLAN150-MGMT, so the uplink and the management VLAN share one L2 segment.
add bridge=Core-bridge interface=sfp-sfpplus24 pvid=150
# The bond is the bridge port for VLAN 151 (untagged).
add bridge=Core-bridge interface=bond-syn pvid=151
# L3 hardware-offload tuning: ICMP replies on error are off, IPv6 offload on.
/interface ethernet switch l3hw-settings
set icmp-reply-on-error=no ipv6-hw=yes
# Neighbor discovery runs on every interface, including the WAN-listed
# sfp-sfpplus24. Discovery announcements describe the device to whoever is on
# the segment; limiting discover-interface-list to a management list is the
# usual hardening.
/ip neighbor discovery-settings
set discover-interface-list=all
# VLAN membership table. Core-bridge is tagged in every entry, which is what
# lets the vlanNNN interfaces receive traffic.
# The '#' line below was emitted by RouterOS itself: the VLAN 151 entry names
# the three bond slaves as untagged members, but they are not bridge ports.
# NOTE(review): presumably bond-syn should be listed instead - confirm.
/interface bridge vlan
# sfp-sfpplus9,sfp-sfpplus10,sfp-sfpplus11 not a bridge port
add bridge=Core-bridge tagged="Core-bridge,sfp-sfpplus5,sfp-sfpplus4,sfp-sfppl\
    us1,sfp-sfpplus2,sfp-sfpplus3" untagged=\
    sfp-sfpplus9,sfp-sfpplus10,sfp-sfpplus11 vlan-ids=151
add bridge=Core-bridge tagged="Core-bridge,sfp-sfpplus4,sfp-sfpplus3,sfp-sfppl\
    us1,sfp-sfpplus2,sfp-sfpplus5" vlan-ids=152
add bridge=Core-bridge tagged="Core-bridge,sfp-sfpplus5,sfp-sfpplus4,sfp-sfppl\
    us1,sfp-sfpplus2,sfp-sfpplus3" vlan-ids=153
add bridge=Core-bridge tagged="Core-bridge,sfp-sfpplus5,sfp-sfpplus4,sfp-sfppl\
    us1,sfp-sfpplus2,sfp-sfpplus3" vlan-ids=154
add bridge=Core-bridge tagged="Core-bridge,sfp-sfpplus5,sfp-sfpplus4,sfp-sfppl\
    us3,sfp-sfpplus1,sfp-sfpplus2" vlan-ids=155
# VLAN 156 is carried on sfp-sfpplus5 and sfp-sfpplus3 only.
add bridge=Core-bridge tagged=Core-bridge,sfp-sfpplus5,sfp-sfpplus3 vlan-ids=\
    156
# VLAN 150 is the only VLAN also tagged on sfp-sfpplus6; it leaves untagged on
# sfp-sfpplus24.
add bridge=Core-bridge tagged="Core-bridge,sfp-sfpplus4,sfp-sfpplus3,sfp-sfppl\
    us1,sfp-sfpplus2,sfp-sfpplus5,sfp-sfpplus6" untagged=sfp-sfpplus24 \
    vlan-ids=150
# Turns on L3 hardware offloading for the switch chip.
/interface ethernet switch
set 0 l3-hw-offloading=yes
# Interface list membership. Every physical port except sfp-sfpplus24 is put
# in LAN; sfp-sfpplus24 is the single WAN member.
# None of the firewall filter rules in this export match on the LAN or WAN
# list, so as exported these lists do not restrict anything by themselves.
/interface list member
add interface=ether1 list=LAN
add interface=sfp-sfpplus1 list=LAN
add interface=sfp-sfpplus2 list=LAN
add interface=sfp-sfpplus3 list=LAN
add interface=sfp-sfpplus4 list=LAN
add interface=sfp-sfpplus5 list=LAN
add interface=sfp-sfpplus6 list=LAN
add interface=sfp-sfpplus7 list=LAN
add interface=sfp-sfpplus8 list=LAN
add interface=sfp-sfpplus9 list=LAN
add interface=sfp-sfpplus10 list=LAN
add interface=sfp-sfpplus11 list=LAN
add interface=sfp-sfpplus12 list=LAN
add interface=sfp-sfpplus13 list=LAN
add interface=sfp-sfpplus14 list=LAN
add interface=sfp-sfpplus15 list=LAN
add interface=sfp-sfpplus16 list=LAN
add interface=sfp-sfpplus17 list=LAN
add interface=sfp-sfpplus18 list=LAN
add interface=sfp-sfpplus19 list=LAN
add interface=sfp-sfpplus20 list=LAN
add interface=sfp-sfpplus21 list=LAN
add interface=sfp-sfpplus22 list=LAN
add interface=sfp-sfpplus23 list=LAN
add interface=sfp-sfpplus24 list=WAN
add interface=qsfpplus1-1 list=LAN
add interface=qsfpplus1-2 list=LAN
add interface=qsfpplus1-3 list=LAN
add interface=qsfpplus1-4 list=LAN
add interface=qsfpplus2-1 list=LAN
add interface=qsfpplus2-2 list=LAN
add interface=qsfpplus2-3 list=LAN
add interface=qsfpplus2-4 list=LAN
# vlan150 is a LAN member even though its only physical access port
# (sfp-sfpplus24, pvid=150) is the WAN member above.
add interface=vlan150 list=LAN
add interface=vlan151 list=LAN
add interface=vlan152 list=LAN
add interface=vlan153 list=LAN
add interface=vlan154 list=LAN
add interface=vlan155 list=LAN
add interface=vlan156 list=LAN
# VRRP151-156 join LAN; VRRP150 is in no list, and nothing is added to the
# VRRP list declared under /interface list.
add interface=VRRP151 list=LAN
add interface=VRRP152 list=LAN
add interface=VRRP153 list=LAN
add interface=VRRP154 list=LAN
add interface=VRRP155 list=LAN
add interface=VRRP156 list=LAN
# L3 addressing. For VLANs 151-156 this device owns .2 on the VLAN interface
# and the VRRP interface carries the shared .1 address.
/ip address
add address=10.10.151.2/24 comment="GW VLAN151" interface=vlan151 network=\
    10.10.151.0
add address=10.10.152.2/24 comment="GW VLAN152" interface=vlan152 network=\
    10.10.152.0
add address=10.10.153.2/24 comment="GW VLAN153" interface=vlan153 network=\
    10.10.153.0
add address=10.10.154.2/24 comment="GW VLAN154" interface=vlan154 network=\
    10.10.154.0
add address=10.10.155.2/24 comment="GW VLAN155" interface=vlan155 network=\
    10.10.155.0
add address=10.10.156.2/24 comment="GW VLAN156" interface=vlan156 network=\
    10.10.156.0
add address=10.10.151.1/24 comment=VRRP151 interface=VRRP151 network=\
    10.10.151.0
add address=10.10.152.1/24 comment=VRRP152 interface=VRRP152 network=\
    10.10.152.0
add address=10.10.153.1/24 comment=VRRP153 interface=VRRP153 network=\
    10.10.153.0
add address=10.10.154.1/24 comment=VRRP154 interface=VRRP154 network=\
    10.10.154.0
add address=10.10.155.1/24 comment=VRRP155 interface=VRRP155 network=\
    10.10.155.0
add address=10.10.156.1/24 comment=VRRP156 interface=VRRP156 network=\
    10.10.156.0
# VLAN 150 differs from the others: .3 is the device (management) address and
# the VRRP address is .254, while .1 is the upstream gateway used by /ip route.
add address=10.10.150.3/24 comment=VLAN150-MGMT interface=vlan150 network=\
    10.10.150.0
add address=10.10.150.254/24 comment="VRRP 150" interface=VRRP150 network=\
    10.10.150.0
# interface=*3A is an internal id, not a name.
# NOTE(review): this looks like a leftover reference to an interface that no
# longer exists - confirm and remove the disabled entry.
/ip dhcp-client
add disabled=yes interface=*3A
# DHCP clients get the VRRP address of their VLAN as gateway and
# 10.10.151.11 (a host in VLAN 151) as DNS server in every VLAN.
/ip dhcp-server network
add address=10.10.150.0/24 dns-server=10.10.151.11 gateway=10.10.150.254
add address=10.10.151.0/24 dns-server=10.10.151.11 gateway=10.10.151.1
add address=10.10.152.0/24 dns-server=10.10.151.11 gateway=10.10.152.1
add address=10.10.153.0/24 dns-server=10.10.151.11 gateway=10.10.153.1
add address=10.10.154.0/24 dns-server=10.10.151.11 gateway=10.10.154.1
add address=10.10.155.0/24 dns-server=10.10.151.11 gateway=10.10.155.1
add address=10.10.156.0/24 dns-server=10.10.151.11 gateway=10.10.156.1
# Upstream resolver used by the device itself.
# NOTE(review): allow-remote-requests is not exported, so the device is
# presumably not acting as a resolver for clients - confirm.
/ip dns
set servers=202.56.230.2
# Filter table. Every rule below carries disabled=yes, so as exported nothing
# is filtered: inter-VLAN forwarding is unrestricted and the device's own
# input chain has no active rule. Access to management services then rests
# only on the source-address limits under /ip service.
# The only input-chain rule is the VRRP accept; there is no input drop rule,
# enabled or disabled, in this export.
/ip firewall filter
add action=fasttrack-connection chain=forward comment="fasttrack established" \
    connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward connection-state=established,related \
    disabled=yes
# Per-segment allow rules (IT, HR, Prod, Wifi, Peri), matched by source and
# destination subnet.
add action=accept chain=forward comment="IT to Any" disabled=yes src-address=\
    10.10.152.0/24
add action=accept chain=forward comment="HR to any" disabled=yes src-address=\
    10.10.153.0/24
add action=accept chain=forward comment="Prod to servers" disabled=yes \
    dst-address=10.10.151.0/24 src-address=10.10.154.0/24
add action=accept chain=forward comment="Prod to Core GW" disabled=yes \
    dst-address=10.10.150.1 src-address=10.10.154.0/24
add action=accept chain=forward comment="Wifi to Core GW" disabled=yes \
    dst-address=10.10.150.1 src-address=10.10.155.0/24
add action=accept chain=forward comment="Peri to server" disabled=yes \
    dst-address=10.10.151.0/24 src-address=10.10.156.0/24
# Despite the comment, this rule only matches established,related traffic
# from the server subnet.
add action=accept chain=forward comment="Server to ANy" connection-state=\
    established,related disabled=yes src-address=10.10.151.0/24
# Matches in-interface-list=VRRP, but that list has no members in this export,
# so the rule would match nothing even when enabled.
add action=accept chain=input comment="Allow VRRP (proto 112)" disabled=yes \
    in-interface-list=VRRP protocol=vrrp
add action=accept chain=forward comment="Allow WiFi to Printers" disabled=yes \
    dst-address=10.10.156.0/24 src-address=10.10.155.0/24
add action=accept chain=forward comment="Allow Synology Server to Camera" \
    disabled=yes dst-address=10.10.156.0/24 src-address=10.10.151.0/24
add action=accept chain=forward comment="DHCP relay  server" disabled=yes \
    dst-port=67,68 protocol=udp
add action=accept chain=forward comment="DHCP server  relay" disabled=yes \
    protocol=udp src-port=67,68
# NOTE(review): the comment says "Default drop" but the action is accept. If
# the rule set is re-enabled as written, this final rule permits everything
# the rules above did not match; the intended action is presumably drop -
# confirm before enabling.
add action=accept chain=forward comment="Default drop" disabled=yes
# Routing, management services, system settings and diagnostic tools.
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
# Default route via 10.10.150.1, a host in VLAN 150 (the VLAN commented
# VLAN150-MGMT under /ip address).
/ip route
add dst-address=0.0.0.0/0 gateway=10.10.150.1
# SSH and WinBox are limited by source address; api and api-ssl are off.
# Neither 10.10.200.0/24 nor 192.168.100.0/24 is a subnet configured on this
# device, so management is expected to arrive routed from elsewhere.
# NOTE(review): telnet, ftp and www do not appear here, and an export lists
# only non-default values, so they are presumably still at their defaults -
# verify with "/ip service print" and disable or restrict what is not used.
# With every firewall rule disabled, these address limits are the only
# control in front of the management plane.
/ip service
set ssh address=10.10.200.0/24
set api disabled=yes
set winbox address=10.10.200.0/24,192.168.100.0/24
set api-ssl disabled=yes
/system clock
set time-zone-name=Asia/Kolkata
/system identity
set name="Core 1"
/system note
set show-at-login=no
# Time comes from the public pool.ntp.org pool.
/system ntp client
set enabled=yes
/system ntp client servers
add address=pool.ntp.org
/system routerboard settings
set enter-setup-on=delete-key
# Outgoing mail goes to 10.10.151.11 with STARTTLS; no password is visible in
# this export.
/tool e-mail
set from=<mikrotik@corp.froq.nl> server=10.10.151.11 tls=starttls user=\
    ict.nl@corp.froq.nl
# Graphing for the bridge and the VLAN interfaces. vlan151 and vlan155 are
# listed twice, and the bare "add" entries carry no interface or address
# restriction.
# NOTE(review): no allow-address= is exported on any graphing entry, so graph
# access is presumably unrestricted at the graphing level - confirm, together
# with the state of the www service.
/tool graphing
set page-refresh=never
/tool graphing interface
add interface=Core-bridge
add
add interface=vlan150
add interface=vlan151
add interface=vlan151
add interface=vlan153
add interface=vlan152
add interface=vlan154
add interface=vlan155
add interface=vlan155
add interface=vlan156
/tool graphing queue
add
/tool graphing resource
add
# Packet sniffer settings: capture on sfp-sfpplus24 into the file corearp1.
# The export records the settings only, not whether a capture is running.
# Capture files hold packet contents from the uplink port; remove them from
# the device once the troubleshooting is done.
/tool sniffer
set file-name=corearp1 filter-interface=sfp-sfpplus24

I’m fairly new to MikroTik but I decided to have a go with your problem and test my knowledge.

I read your config and the only two things I noted were that all your firewall rules, including the FastTrack rule, are disabled, as well as there being a sniffer active on an SFP+ port. Whether these are the culprits or not I can’t be certain.

Does the profile tool show which process is using the CPU? Also is the 150 Mbps figure you quoted the WAN speed and is that the maximum speed you’re expecting?

Also noted that you are running RouterOS 7.16. Has this router been in service for some time? If so, has this issue just started to happen?

Switches Switch, Routers Route

You created the VLANs wrong; traffic is going through the CPU and not through the offloaded switch chip.

I’m just a random passer-by, but it looks like you are running the switch as an all-in-one router.
While it can do firewalls and routing, its primary purpose is to be a switch. A core switch in your case, maybe not a core router, unless your routing requirements are somewhat limited. The switch only has 1 CPU core at a nominal 650 MHz. According to the specs, the maximum it can route through the CPU is about 400-450 Mbit.
For some direct routing without firewall you might be able to use the hardware assisted L3 offload, probably at wire speed. But this will probably only work for inter-VLAN routing without firewall rules. As soon as the traffic hits the CPU performance will tank.

I would recommend you to get a separate router. For example the RB5009 will be able to route at maybe 5-10 Gbit depending on how you set it up.
If you need more than 10 Gbit routing, take a look at CCR2004 or CCR2116.


We disabled some rules to reduce load.

I see VLAN offloading is available in 7.21RC2 only? Do you have an example configuration please?

Forget about that. Usually a wrong VLAN config is what causes high CPU load on switches, but now I see you are using this switch as a router with firewall and all? It’s not meant for that, and you won’t get much more performance from it like that.

I see HW offloading is not enabled on the VLANs

Of course it's not available, take a look at this table:

image

Without hardware offload and without fasttrack, this is the expected routing (not switching) throughput:

Thanks we already figured that out. We intend to put all load like servers and users in the same VLAN, purchase a small router for internet access and such.

Whenever a line in export begins with #, it is not a configuration setting, but the device trying to tell you something.