CRS3xx Fasttrack on VLANs not working.

jaykay2342 · July 1, 2018, 7:38pm

I got my first couple of CRS3xx devices and playing around with them in my lab.

I ran into the first problem. Following setup
CRS317

Using a bridge, as you need to with the CRS3xx series, with vlan-filtering.

/interface bridge
add name=bridge1 protocol-mode=none vlan-filtering=yes
/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus2 pvid=123
add bridge=bridge1 interface=sfp-sfpplus4
add bridge=bridge1 interface=sfp-sfpplus5
add bridge=bridge1 interface=sfp-sfpplus6
add bridge=bridge1 interface=sfp-sfpplus7
add bridge=bridge1 interface=sfp-sfpplus8
add bridge=bridge1 interface=sfp-sfpplus9
add bridge=bridge1 interface=sfp-sfpplus10
add bridge=bridge1 interface=sfp-sfpplus11
add bridge=bridge1 interface=sfp-sfpplus12
add bridge=bridge1 interface=sfp-sfpplus13
add bridge=bridge1 interface=sfp-sfpplus14
add bridge=bridge1 interface=sfp-sfpplus15
add bridge=bridge1 interface=sfp-sfpplus16 pvid=13
add bridge=bridge1 edge=yes frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=sfp-sfpplus3 pvid=13
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,sfp-sfpplus16 untagged=sfp-sfpplus1,sfp-sfpplus2 vlan-ids=123
add bridge=bridge1 tagged=bridge1 untagged=sfp-sfpplus3,sfp-sfpplus16 vlan-ids=13

vlan inteface on top of the bridge

/interface vlan
add interface=bridge1 name=vlan13 vlan-id=13
add interface=bridge1 name=vlan123 vlan-id=123

simple Fast track configured.

/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related

When traffic is flowing from vlan13 ( host at port sfp-sfpplus3 ) towards the network on sfp-sfpplus1 ( not bridged, no vlan ) it’s not fasttracked
Although the connection is marked as fasttracked. But the bytecounter of the fasttrack dummy rule is not increasing.
The CPU is hitting 100% ( one core ) at ~500mbit/s

Traffic the other way around is fasttracked as expected. 1Gbit/s linespeed and CPU Is far away from 100%

It seems the problem is traffic coming in on a vlan interface on top of a bridge.

Is this a known limitation? And if so, why?

CZFan · July 1, 2018, 9:52pm

You say sfp-sfpplus1 is not a member of bridge1 and no vlan on it, but it is configured as untagged for vlan-id = 123?

chechito · July 2, 2018, 3:51am

CRS s a switch

the better way to do what you want to do is using a router + switch

jaykay2342 · July 2, 2018, 6:06am

that’s just a left from previous tests.

jaykay2342 · July 2, 2018, 6:11am

I know that it’s main purpose is switching. But with fasttrack the cpu has no problem to route 1Gbps. So why using a separate device for that? And it’s an CRS not a CCS

chechito · July 2, 2018, 6:49am

fast-track is for routing, if you are bridging check fast-path counters and status on bridge (i dont see any ip address in your config)

check using tools->profile the culprit of CPU usage

jaykay2342 · July 2, 2018, 7:21am

Yes i’m routing here. The routeros receives the traffic on a VLAN interface that is on top of the bridge. I’m talking about the routed traffic not the bridged traffic. The bridged ( switched) traffic works fine, it’s hardware offloaded as it should be.

chechito · July 2, 2018, 6:05pm

i think mikrotik will end killing CRS line because of situations like this

I think The fact CRS switch have routeros dont imply you have to do routing on it, i think a switch is a switch, and must be used like that, the advantages of having routeros on it comes from management perspective, you have a very powerfull and versatile winbox graphical user interface, integrated graphs…

that’s my personal opinion

jaykay2342 · July 2, 2018, 7:43pm

it’s called cloud router switch. That does not imply that it’s a switch only either. I’m fully aware that it has not the CPU power for line speed routing. But for the 3xx series they have a CPU that has more power than some of the “routers”. And why not utilize those CPU cycles? whats the point of a 2core cpu if you use only the hardware offloaded switching function and the cpu idles at 1%?

Those switches fit perfect where you have a need for a fast local network and you have a somewhat slower internet connection. Putting an OLD RB2011 next to a CRS317 just to route 500Mbps internet connection ( with fasttrack ) is somehow stupid as the CPU much slower.

that’s my opinion. What i would like to know is whether the limitation i run into has a technical reason or they just forgot of the scenario of a vlan on top of the (hardware offloaded) bridge and that they need to add a few lines of code to get such traffic handled by the fast-tracked path.

CZFan · July 2, 2018, 11:21pm

Can you post full config, there might be a misconfigured rule creating unexpected symptoms that we might not think about, but seeing the config might ring some bells

chechito · July 3, 2018, 12:56am

yes very difficult to help with incomplete config access

ToBeFrank · July 26, 2018, 1:02am

I’m seeing the same thing on a CCR1009. Did you get any resolution to this?