High cpu-load for CRS305-1G-4S+ switch even though traffic is less than 1 Gbit/s

lakritspulver · June 5, 2025, 8:19pm

I recently purchased a CRS305-1G-4S+ switch, it is running RouterOS 7.19.1.

The switch has four 10Gbit ports and I was hoping that it could handle a few Gbit/s without problems, but I seem to get performance problems already at an amount of traffic that is less than 1 Gbit/s per port. There is high packet loss and ping rtt times much higher than normal.

The system/resource/print command shows the following:
uptime: 6d2h55m57s
version: 7.19.1 (stable)
build-time: 2025-05-23 14:27:17
factory-software: 6.49.10
free-memory: 440.8MiB
total-memory: 512.0MiB
cpu: ARM
cpu-count: 2
cpu-frequency: 800MHz
cpu-load: 94%
free-hdd-space: 3204.0KiB
total-hdd-space: 16.0MiB
write-sect-since-reboot: 1227
write-sect-total: 1227
architecture-name: arm
board-name: CRS305-1G-4S+
platform: MikroTik

The “tool/profile” command gives this:
Columns: NAME, USAGE
NAME USAGE
networking 34.2%
management 10%
ethernet 5.5%
console 0.5%
crypto 0%
routing 2.7%
bridging 28.2%
neighbor-discovery 0%
profiling 0%
kernel 5.2%
prestera_dx_mac 11.5%
8021q 0.2%
led 0.7%
ssh 0.2%
total 98.9%

So the cpu-load is above 90%, but why, when the amount of traffic is so small compared to what the switch should be able to handle?

My configuration is just using a couple of vlans, no routing, only switching.

What could be done to troubleshoot this?

lurker888 · June 6, 2025, 1:39am

The CRS series of devices is primarily a switch, which means that it has a (relatively) weak CPU that is basically intended to be used for management purposes. It also has a quite powerful switch chip that is capable of wire-speed performance. It includes the full software capabilities of the RouterOS platform, and can perform those functions, but will do so for a small amount of traffic only. (This is not as useless as it sounds, because it gives you the ability to e.g. establish an encrypted VPN tunnel for management purposes, use BGP/OSPF to distribute routes, etc.)

The profile that you show quite clearly shows that the CPU is forwarding your traffic, with “networking”, “bridging”, and “prestera-dx-mac” consuming the CPU resources. For some reason or another, hardware switching (“bridge hardware offloading” as it’s called) is not active on your device. You will have to find why that is and correct it.

There can be various reasons for this. Just to start off with a few:

hardware offloading can be disabled on a per-port basis (by default it’s enabled)
only a single bridge can be offloaded to hardware (if you have more than one bridge configured, you can effect which one is offloaded by disabling offloading for the ports in the not-to-be-offloaded bridge(s))
if you are doing vlan-aware bridging, the correct configuration is to enable VLAN filtering on the bridge and attach relevant vlan interfaces to the bridge interface (where CPU involvement is needed - typically only for the management vlan), never to the individual ports and establishing bridges between those vlans. Doing so makes hardware offloading impossible.

This may seem strange, but this is how it’s done on Linux using the DSA framework, which is what’s happening in the background.

holvoetn · June 6, 2025, 8:22am

Apart from earlier made suggestions to investigate…

Show your config.

mbovenka · June 6, 2025, 8:41am

Which device is doing the routing between the VLANs then? Like someone else said, show us your config,

lakritspulver · June 6, 2025, 7:20pm

Hello, thanks for the answers!

My configuration at the moment looks as follows. This seems to give the function I want, but with poor performance:

/interface bridge
add name=bridge
add name=bridge-to-A
add name=bridge-to-B
/interface vlan
add interface=sfp-sfpplus1 name=sfp-sfpplus1-vlan41 vlan-id=41
add interface=sfp-sfpplus1 name=sfp-sfpplus1-vlan42 vlan-id=42
add interface=sfp-sfpplus2 name=sfp-sfpplus2-vlan42 vlan-id=42
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge-to-A interface=sfp-sfpplus1-vlan42
add bridge=bridge-to-A interface=sfp-sfpplus2-vlan42
add bridge=bridge-to-B interface=sfp-sfpplus1-vlan41
add bridge=bridge-to-B interface=sfp-sfpplus3
/interface bridge vlan
add bridge=bridge-to-A tagged=sfp-sfpplus1-vlan42 untagged=sfp-sfpplus2-vlan42 vlan-ids=42
add bridge=bridge-to-B tagged=sfp-sfpplus1-vlan41 untagged=sfp-sfpplus3 vlan-ids=41
/interface ethernet switch
set 0 l3-hw-offloading=yes
/ip address
[... ip addresses added here ...]

I have also tried the following config, which again works but also with poor performance:

/interface bridge
add name=bridge
/interface vlan
add interface=sfp-sfpplus1 name=sfp-sfpplus1-vlan41 vlan-id=41
add interface=sfp-sfpplus1 name=sfp-sfpplus1-vlan42 vlan-id=42
add interface=sfp-sfpplus2 name=sfp-sfpplus2-vlan42 vlan-id=42
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge interface=sfp-sfpplus1-vlan42
add bridge=bridge interface=sfp-sfpplus2-vlan42
add bridge=bridge interface=sfp-sfpplus3
add bridge=bridge interface=sfp-sfpplus1-vlan41
/interface bridge vlan
add bridge=bridge tagged=sfp-sfpplus1-vlan42,sfp-sfpplus2-vlan42 vlan-ids=42
add bridge=bridge tagged=sfp-sfpplus1-vlan41 untagged=sfp-sfpplus3 vlan-ids=41
/interface ethernet switch
set 0 l3-hw-offloading=yes
/ip address
[... ip addresses added here ...]

Based on what lurker888 wrote, I suppose both of the above are bad because in both cases I have attached vlan interfaces to the individual ports, which is something lurker888 said I should never do. So then perhaps it is not suprising that performance is bad, but I’m still not sure what a proper configuration should look like to achieve correct function and decent performance. So far all my attempts have failed, either things are not working at all or things work but with bad performance.

Grateful for any hints or suggestions about what a proper config should look like!

infabo · June 6, 2025, 7:52pm

https://help.mikrotik.com/docs/spaces/ROS/pages/103841826/Basic+VLAN+switching#BasicVLANswitching-CRS3xx,CRS5xxseriesswitches,CCR2116,CCR2216andRTL8367,88E6393X,88E6191X,88E6190,MT7621,MT7531andEN7562CTswitchchips

lakritspulver · June 9, 2025, 6:05am

Hi again, now I got it working, using configuration similar to the example that infabo linked to – thank you!

The working config looks like this:

/interface bridge
add name=bridge
add name=bridge2 vlan-filtering=yes
/interface vlan
add interface=bridge2 name=vlan41 vlan-id=41
/interface bridge port
add bridge=bridge comment=defconf hw=no interface=ether1
add bridge=bridge2 frame-types=admit-only-vlan-tagged interface=sfp-sfpplus1
add bridge=bridge2 frame-types=admit-only-vlan-tagged interface=sfp-sfpplus2
add bridge=bridge2 frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus3 pvid=41
/interface bridge vlan
add bridge=bridge2 tagged=sfp-sfpplus1,sfp-sfpplus2 vlan-ids=42
add bridge=bridge2 tagged=sfp-sfpplus1 untagged=sfp-sfpplus3 vlan-ids=41
/interface ethernet switch
set 0 l3-hw-offloading=yes
/ip address
[... ip addresses added here ...]

With that config, things work properly and with low cpu load, the cpu-load shown by the system/resource/print command is now only about 1% and there are no more ping delays and no more packet loss.

It was necessary to set “hw=no” for the first bridge, I think that is because hardware acceleration can only be used for one bridge and turning it off for the first one means that the second bridge gets it.

(The “l3-hw-offloading=yes” part I don’t think is really needed but I did not want to mess more with the config right now.)

Anyway, thanks everyone for the help and suggestions, it’s great to have it working now!