How to separate traffic in an MLAG setup

wassy83 · July 3, 2023, 10:43pm

I followed this tutorial to create my first MLAG
https://help.mikrotik.com/docs/display/ROS/Multi-chassis+Link+Aggregation+Group
and it’s working easy and perfect but I have one question:

my peer1 and peer2 switches are both CRS326-24S+2Q+ and my final scope is to have 2 groups of ports in HA on the same switch that will not comunicate among them. One group is for a proxmox ceph cluster and the other for proxmox lan, so I don’t want to mix those two kinds of traffic.

I know how to do this with vlans without MLAG but I don’t how to do this with MLAG on top.

mkx · July 4, 2023, 6:18am

With VLANs again … but it’s VLANs on top of MLAG and not the other way around (consider MLAG as L2.1 and VLANs as L2.5).

wiseroute · July 4, 2023, 8:59am

@mkx,

With VLANs again…

it still Tuesday

consider MLAG as L2.1 and VLANs as L2.5).

no no.. they said mpls as l2.5,
and ppp as l2.5… so that would make vlans as l2.3

@ wassy83

know how to do this with vlans without MLAG but I don’t how to do this with MLAG on top.

as @mkx said, it is the other way around.

and do some lab first with that config. good luck

wassy83 · July 4, 2023, 10:33am

what is so funny?

connectlife · July 4, 2023, 12:18pm

You have to put all the ports on the same bridge anyway, along with the ICCP port

You will tag group 1 ports with vlan (example) 100 (along with the ICCP port) on both switches

You will tag group 2 ports with vlan (example) 200 (along with the ICCP port) on both switches

wassy83 · July 4, 2023, 4:56pm

Dear thank you for your reply, honestly I followed exactly the tutorial here
https://help.mikrotik.com/docs/display/ROS/Multi-chassis+Link+Aggregation+Group
except that I added more ports to the inter-chassis-bridge, next I tried to tag ports as you suggested like this on both routers

/interface bridge vlan
add bridge=inter-chassis-bridge tagged=(all group one ports plus ICCP port) vlan-ids=100

/interface bridge vlan
add bridge=inter-chassis-bridge tagged=(all group two ports plus ICCP port) vlan-ids=120

but I can still ping from group one ports to group two ports and viceversa, furthermore I didn’t applied any kind of vlan on client side, I just made the bond interface, so i would expect to loose connectivity on client side but it still works.
I know that I’m missing some basics here but I cannot find something similar around to have a starting point..

connectlife · July 4, 2023, 6:19pm

Are you sure the traffic isn’t going to layer 3 from a gateway that the two port groups share? did you leave the default vlan 1 on all ports? the configuration is correct as the ports of both switches will only communicate on the tagged vlan. try posting your switch settings

chechito · July 4, 2023, 6:55pm

if you already configured MLAG using guide ok, good job
now
you must Learn Bridge VLAN Filtering

https://help.mikrotik.com/docs/display/ROS/Bridging+and+Switching#BridgingandSwitching-BridgeVLANFiltering

to be proficient with VLAN matters

wassy83 · July 4, 2023, 9:45pm

Dear before posting my config

did you leave the default vlan 1 on all ports?

In each group’s port I removed the default pvid 1 and replaced with the respective VLAN id that I declared above, it’s this correct?

connectlife · July 5, 2023, 7:40am

Leave the PVID on 1 and set admit all or admin only VLAN Tagged on Frame Types, in this way only packets with the VLAN TAG you set on /interface/bridge/vlan will pass through the port

wassy83 · July 5, 2023, 4:56pm

Dear I tested everything now is working, your suggestions were very usefull, problem was this

Leave the PVID on 1 and set admit all or admin only VLAN Tagged on Frame Types

and the two groups are now isolated beetween them. So the from the original MLAG tutorial the more important part is to add tagged VLANs in /interface bridge and add the same VLAN on top of the bonding interface for the client side.

Just one question, will this kind off setup take advantage of hardware offload since I have switch chips in my CRS? Is there a way to test hardware offload?

Anyway thank you

connectlife · July 5, 2023, 6:29pm

To take advantage of hardware offload the switch must have a ONLY bridge..

by creating the vlans on the bridge (as you did) you will exploit the switch chip and not the CPU.

this is the correct way to handle vlans on mikrotik switches

on routers instead you will have to create the vlan interfaces from /interface/vlan

these for obvious reasons will use the CPU (also for almost all routers they don’t have integrated switch chip)

wassy83 · July 5, 2023, 8:24pm

Clearest answer ever, thank you for the support, regards from Sunny italy

chechito · July 5, 2023, 8:28pm

Notable exceptions of this, ccr2**116 and ccr22**16, the bigger models on the current product line

so i think is a very relevant thing in routers too, in fact today i use bridge vlan filtering model in most routers even without integrated switch chip

i have embraced bridge vlan filtering as my defacto standard in configuration, in that way if i have to migrate from for example ccr1036 to ccr2116 i dont have to almost any changes