MVRP with RSTP

Hello everyone,

I'm currently managing a network of around 40 switches, using CRS326 for access, CRS309 for aggregation and one CRS354 as core. All switches except the core are used in primary/secondary pairs linked to each other for redundancy. All redundant ports are correctly disabled by RSTP. This week I've discovered MVRP, which seems really useful for the setup. Unfortunately the MVRP packets still pass through the ports disabled by RSTP, creating a loop by declaring and registering every VLAN present in the whole system, even the ones not used there.

In this example, I'm seeing MVRP adding all 4 VLANs to all switches.
When removing the redundant links, the whole system works fine by only adding the VLANs present on the switches/ports behind.

Does anyone have any clues why this keeps happening?

Thanks!

Hi,

What RouterOS version are you using? Does the same problem happen with 7.20beta9, which includes the latest fix for MVRP?

*) bridge - fixed MVRP leave indication;

How do you detect the problem? Can you share your /interface/bridge/export, and give some examples of unexpected printouts from /interface/bridge/vlan/print and /interface/bridge/port/monitor commands?

Do any of your switches with ports blocked by RSTP also have a static VLAN configuration applied in the /interface/bridge/vlan menu? In other words, do you have a situation like this, where ether3 is an alternate port and is manually configured as a tagged VLAN member?

[admin@MikroTik] /interface/bridge/port> monitor [find where role=alternate-port]
               interface: ether3                  
                  status: in-bridge               
                 port-id: 0x80.2                  
                    role: alternate-port          
               edge-port: no                      
     edge-port-discovery: yes                     
     point-to-point-port: yes                     
            external-fdb: no                      
            sending-rstp: yes                     
                learning: no                      
              forwarding: no                      
        actual-path-cost: 20000                   
          root-path-cost: 20000                   
    designated-bridge-id: 0x1000.64:D1:54:C7:3A:59
         designated-cost: 0                       
      designated-port-id: 0x80.2                  
  designated-message-age: 0s                      
      designated-max-age: 20s                     
              tx-rx-bpdu: 3/273                   
     discard-transitions: 0                       
     forward-transitions: 0                       
                tx-rx-tc: 0/2                     
        topology-changes: 0                       
        hw-offload-group: switch1                 
       declared-vlan-ids: 10                      
                          20                      
     registered-vlan-ids: 10                      
                          20                      

[admin@MikroTik] /interface/bridge/vlan> print where dynamic=no and tagged~"ether3" 
Columns: BRIDGE, VLAN-IDS, CURRENT-TAGGED
# BRIDGE   VLAN-IDS  CURRENT-TAGGED
0 bridge1        10  ether3        
                 20                       

Hi,

I'm currently using version 17.2 and I would like to try staying on the stable release branch.
How close is 7.20 to release on the stable branch?

This is the /interface/bridge/export of one aggregation switch in the setup:

# 1970-06-30 17:47:30 by RouterOS 7.17.2
# software id = UI77-BB8W
#
# model = CRS309-1G-8S+
# serial number = HGT0ABMPSJK
/interface bridge
add fast-forward=no frame-types=admit-only-vlan-tagged mvrp=yes name=bridge port-cost-mode=short priority=0x2000 vlan-filtering=yes
/interface bridge port
add bridge=bridge comment=Patch fast-leave=yes frame-types=admit-only-vlan-tagged ingress-filtering=no interface=sfp-sfpplus1 internal-path-cost=10 path-cost=10
add bridge=bridge comment="S1 Regie" fast-leave=yes frame-types=admit-only-vlan-tagged ingress-filtering=no interface=sfp-sfpplus2 internal-path-cost=10 path-cost=10
add bridge=bridge comment="S1 Tasche" fast-leave=yes frame-types=admit-only-vlan-tagged ingress-filtering=no interface=sfp-sfpplus3 internal-path-cost=10 path-cost=10
add bridge=bridge comment="S1 Heuss" fast-leave=yes frame-types=admit-only-vlan-tagged ingress-filtering=no interface=sfp-sfpplus4 internal-path-cost=10 path-cost=10
add bridge=bridge comment="S2 Keller" fast-leave=yes frame-types=admit-only-vlan-tagged ingress-filtering=no interface=sfp-sfpplus5 internal-path-cost=10 path-cost=10
add bridge=bridge comment="S3 Inspi" fast-leave=yes frame-types=admit-only-vlan-tagged ingress-filtering=no interface=sfp-sfpplus6 internal-path-cost=10 path-cost=10
add bridge=bridge fast-leave=yes frame-types=admit-only-vlan-tagged ingress-filtering=no interface=sfp-sfpplus7 internal-path-cost=10 path-cost=10
add bridge=bridge comment="S1 Keller" fast-leave=yes frame-types=admit-only-vlan-tagged ingress-filtering=no interface=sfp-sfpplus8 internal-path-cost=10 path-cost=20
add bridge=bridge fast-leave=yes frame-types=admit-only-vlan-tagged ingress-filtering=no interface=ether1 internal-path-cost=10 path-cost=100 pvid=99

/interface/bridge/vlan/print is as expected on every switch, only VLAN 99 for management.

/interface/bridge/port/monitor

                   ;;; S1 Regie       
            interface: sfp-sfpplus2   
               status: in-bridge      
          port-number: 2              
                 role: designated-port
            edge-port: no             
  edge-port-discovery: yes            
  point-to-point-port: yes            
         external-fdb: no             
         sending-rstp: yes            
             learning: yes            
           forwarding: yes            
     actual-path-cost: 10             
     hw-offload-group: switch1        
    declared-vlan-ids: 99             
                       111-113        
                       121            
                       213            
                       221            
                       313            
                       321            
                       411-413        
                       421            
                       431            
                       513            
                       521            
  registered-vlan-ids: 99             
                       111-113        
                       121            
                       213            
                       221            
                       313            
                       321            
                       411-413        
                       421            
                       431            
                       513            
                       521 

Another port working fine:

                   ;;; S2 Keller      
            interface: sfp-sfpplus5   
               status: in-bridge      
          port-number: 5              
                 role: designated-port
            edge-port: no             
  edge-port-discovery: yes            
  point-to-point-port: yes            
         external-fdb: no             
         sending-rstp: yes            
             learning: yes            
           forwarding: yes            
     actual-path-cost: 10             
     hw-offload-group: switch1        
    declared-vlan-ids: 99             
                       111-113        
                       121            
                       213            
                       221            
                       313            
                       321            
                       411-413        
                       421            
                       431            
                       513            
                       521            
  registered-vlan-ids: 99             
                       221            

There is a ring of switches connecting sfp1 with sfp4, that seems to break something.

Printout of the disabled port of the ring:

               interface: ether24                 
                  status: in-bridge               
             port-number: 24                      
                    role: alternate-port          
               edge-port: no                      
     edge-port-discovery: yes                     
     point-to-point-port: yes                     
            external-fdb: no                      
            sending-rstp: yes                     
                learning: no                      
              forwarding: no                      
        actual-path-cost: 20                      
          root-path-cost: 70                      
       designated-bridge: 0x4000.D4:01:C3:B0:19:3A
         designated-cost: 50                      
  designated-port-number: 23                      
        hw-offload-group: switch1                 
       declared-vlan-ids: 99                      
                          111-113                 
                          121                     
                          213                     
                          221                     
                          313                     
                          321                     
                          411-413                 
                          421                     
                          431                     
                          513                     
                          521                     
     registered-vlan-ids: 

There is no static VLAN configured on any switch.

Thanks!

David

//Edit:
I've detected the behaviour while looking at the bridge/vlan view in WinBox:

in contrast to

Thanks for the details. I can confirm the issue, and we will try to fix it in future RouterOS versions.

The mentioned fix in 7.20beta9 will not help in this setup.

In 7.20rc5 there's a fix:
*) bridge - fixed incorrect port STP state after bridge MAC address change (introduced in v7.20beta3);
Can you test if it solves this problem?

As far as I understand, this doesn't seem to fix it.
The issue is that MVRP doesn't care if ports are blocked by STP.

We don't have enough spare switches for a test setup and I don't want to use firmware from the testing branch on our prod network.
I'll wait for the reply from the MikroTik support staff before I try again.

@EdPa Are there any updates?

I’ve read nothing about it in the patch notes :confused:

Hi, @DerDave

The MVRP issues with STP should be fixed starting with 7.21 (7.21beta9 is currently the latest testing version):

  • bridge - fixed possible MVRP issues when STP topology changes;
  • bridge - properly apply bridge MVRP settings on the fly;
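
A check for the symptom reported in this thread, as an added example (not code from any poster or from MikroTik): it parses pasted /interface/bridge/port/monitor output and lists ports that are not forwarding yet still show declared or registered VLAN IDs. The sample text is constructed in the layout of the printouts above, and the function names are hypothetical.

```python
import re

# Constructed sample: two port blocks in the layout of the thread's printouts.
SAMPLE = """\
            interface: sfp-sfpplus5
                 role: designated-port
           forwarding: yes
    declared-vlan-ids: 99
                       111-113
  registered-vlan-ids: 99
                       221

            interface: ether24
                 role: alternate-port
           forwarding: no
    declared-vlan-ids: 99
                       111-113
                       121
  registered-vlan-ids:
"""

def expand(tokens):
    """Turn ['99', '111-113'] into {99, 111, 112, 113}."""
    ids = set()
    for tok in tokens:
        lo, _, hi = tok.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def parse_monitor(text):
    """One dict per port; VLAN lists continue on value-only lines."""
    ports, cur, key = [], None, None
    for line in text.splitlines():
        m = re.match(r"\s*([a-z][a-z0-9-]*):\s*(.*)$", line)
        if m:
            key, val = m.group(1), m.group(2).strip()
            if key == "interface":          # a new port block starts here
                cur = {}
                ports.append(cur)
            if cur is not None:
                cur[key] = [val] if val else []
        elif cur is not None and key and re.fullmatch(r"\s*\d+(-\d+)?\s*", line):
            cur[key].append(line.strip())   # continuation: bare ID or range
    return ports

def blocked_ports_with_mvrp(text):
    """Map interface -> (declared, registered) for non-forwarding ports with MVRP state."""
    hits = {}
    for p in parse_monitor(text):
        if p.get("forwarding") != ["no"]:
            continue
        declared = expand(p.get("declared-vlan-ids", []))
        registered = expand(p.get("registered-vlan-ids", []))
        if declared or registered:
            hits[p["interface"][0]] = (declared, registered)
    return hits
```

Running it on output captured before and after an upgrade shows whether blocked ports still carry MVRP declarations; a hit is a port to inspect, and static entries from /interface/bridge/vlan should be ruled out first.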