Problem with (supposedly) simple VLAN setup and CRS326-24S+2Q+. Tagging and CPU usage.

Hello

I’m experiencing some puzzling behavior on a CRS326-24S+2Q+ running RouterOS 7.12.1, and I hope someone here might have insights. It’s a simple setup and shouldn’t really cause any problems. It’s more or less just like the ‘VLAN Example - Trunk and Access Ports’ example in the documentation found here. But there’s obviously something at my end that’s different, but I cannot see it nor pinpoint it. Been at it for way too long and can’t make sense of it. :cry:

Any help is much appreciated. :folded_hands:


Here’s the situation:

1. Setup Overview

  • One trunk with two vlans (vlan10 and vlan475) connects to the MikroTik
  • VLAN filtering is enabled.
  • Two VLANs are configured:
  • VLAN 475: Main client VLAN, operating on a 10GbE interface.
  • VLAN 10: Auxiliary management VLAN, operating on multiple 1GbE interfaces.
  • Both VLANs are tagged on a trunk port (qsfpplus2-1) connecting to a Cisco switch.

2. Issues Observed
Throughput on VLAN 475 (10GbE)

  • Incoming traffic reaches near 10Gbps, but outgoing traffic caps at ~400Mbps.
  • CPU usage spikes to 50% during outbound traffic; profiling shows high usage in “Networking” (42%), “Unclassified” (24%), and “Bridging” (5.5%).
  • Hardware offloading (hw=yes) is enabled for all interfaces.

VLAN 10

  • Devices on VLAN 10 can communicate locally but cannot access upstream networks, even though the gateway (192.168.47.1) is reachable.
  • Outbound pings from VLAN 10 fail with “host unreachable,” despite correct routes and ARP entries.
  • Sniffer shows ICMP packets entering the bridge with VLAN 10 but exiting the trunk without a tag.

3. Troubleshooting Steps Taken

  • Verified VLAN filtering and bridge port settings (pvid, ingress-filtering, frame-types) for all interfaces.
  • Cleared ARP entries and ensured proper routes are set.
  • Disabled IGMP snooping, checked firewall rules (none active), and ensured correct tagging on the Cisco trunk.
  • Hardware offloading is active on all interfaces, but the CPU still processes traffic.

4. Questions

  • Why does traffic on VLAN 475 cap at ~400Mbps outbound when hardware offloading is enabled?
  • On VLAN 10, why do packets lose their tag on the trunk port and fail to reach the upstream gateway?
  • Could there be additional steps to debug the high “Networking” CPU usage and ensure proper VLAN tagging on the trunk?

Any guidance would be greatly appreciated! I’ve included relevant configs and outputs below. Please let me know if there’s more information I can provide.

/ip route print  
0  As 0.0.0.0/0          192.168.47.193         1  
DAc 192.168.47.0/26      vlan10                 0  
DAc 192.168.47.192/27    vlan475                0



/interface bridge vlan print detail
Flags: X - disabled, D - dynamic
 0   bridge=bridge vlan-ids=475 tagged=qsfpplus2-1,bridge untagged="" current-tagged=bridge,qsfpplus2-1 current-untagged=sfp-sfpplus10

 1   bridge=bridge vlan-ids=10 tagged=qsfpplus2-1,bridge untagged=sfp-sfpplus4,sfp-sfpplus2 current-tagged=bridge,qsfpplus2-1 current-untagged=sfp-sfpplus2,sfp-sfpplus4

 2 D bridge=bridge vlan-ids=1 tagged="" untagged="" current-tagged="" current-untagged=bridge



/interface bridge port print detail where interface=qsfpplus2-1  
interface=qsfpplus2-1 bridge=bridge priority=0x80 path-cost=10 internal-path-cost=10 edge=auto point-to-point=auto learn=auto horizon=none hw=yes auto-isolate=no restricted-role=no restricted-tcn=no pvid=1 frame-types=admit-only-vlan-tagged ingress-filtering=yes unknown-unicast-flood=yes unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no multicast-router=temporary-query fast-leave=no



/tool sniffer quick interface=sfp-sfpplus2 ip-protocol=icmp
Columns: INTERFACE, TIME, NUM, DIR, SRC-MAC, DST-MAC, VLAN, SRC-ADDRESS, DST-ADDRESS, PROTOCOL, SIZE, CPU
INTERFACE     TIME   NUM  DIR  SRC-MAC            DST-MAC            VLAN  SRC-ADDRESS     DST-ADDRESS     PROTOCOL  SIZE  CPU
sfp-sfpplus2  7.235    1  ->   18:FD:74:49:FB:1E  EC:71:DB:B7:7D:67    10  192.168.47.200  192.168.47.45   ip:icmp    102    0
sfp-sfpplus2  7.236    2  <-   EC:71:DB:B7:7D:67  18:FD:74:49:FB:1E        192.168.47.45   192.168.47.200  ip:icmp     98    0
sfp-sfpplus2  8.241    3  ->   18:FD:74:49:FB:1E  EC:71:DB:B7:7D:67    10  192.168.47.200  192.168.47.45   ip:icmp    102    0
sfp-sfpplus2  8.241    4  <-   EC:71:DB:B7:7D:67  18:FD:74:49:FB:1E        192.168.47.45   192.168.47.200  ip:icmp     98    0
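To make the tag comparison in a capture like the one above mechanical rather than eyeballed, here is an added Python example (my own, not part of the post and not a MikroTik tool) that parses the fixed-width `sniffer quick` output and pairs every frame received on the port (`->`) with the frame sent back (`<-`) for the same MAC/IP pair, reporting pairs whose VLAN cells differ. The sample input is a constructed copy of the four lines above. Columns are sliced by the header offsets because the empty VLAN cell on the reply lines shifts every later field if you split on whitespace. One caveat: sfp-sfpplus2 is an untagged member of VLAN 10 with pvid 10, so the bridge is supposed to strip the tag on egress there; the same check over a capture taken on the trunk port qsfpplus2-1 is what would show whether the tag is really lost on the trunk.

```python
import re

# Constructed copy of the sniffer output posted above, with the fixed-width
# columns exactly as /tool sniffer quick prints them.
SNIFFER = """\
INTERFACE     TIME   NUM  DIR  SRC-MAC            DST-MAC            VLAN  SRC-ADDRESS     DST-ADDRESS     PROTOCOL  SIZE  CPU
sfp-sfpplus2  7.235    1  ->   18:FD:74:49:FB:1E  EC:71:DB:B7:7D:67    10  192.168.47.200  192.168.47.45   ip:icmp    102    0
sfp-sfpplus2  7.236    2  <-   EC:71:DB:B7:7D:67  18:FD:74:49:FB:1E        192.168.47.45   192.168.47.200  ip:icmp     98    0
sfp-sfpplus2  8.241    3  ->   18:FD:74:49:FB:1E  EC:71:DB:B7:7D:67    10  192.168.47.200  192.168.47.45   ip:icmp    102    0
sfp-sfpplus2  8.241    4  <-   EC:71:DB:B7:7D:67  18:FD:74:49:FB:1E        192.168.47.45   192.168.47.200  ip:icmp     98    0
"""


def parse_sniffer(text):
    """Turn 'sniffer quick' output into one dict per frame, keyed by column
    name.  Cells are sliced at the header's column offsets, not split on
    whitespace, so an empty VLAN cell does not shift the fields after it."""
    lines = [line for line in text.splitlines() if line.strip()]
    header, rows = lines[0], lines[1:]
    names = header.split()
    starts = [m.start() for m in re.finditer(r"\S+", header)]
    ends = starts[1:] + [None]                     # last column runs to end of line
    return [dict(zip(names, (row[s:e].strip() for s, e in zip(starts, ends))))
            for row in rows]


def find_tag_mismatches(rows):
    """Pair each received frame (->) with the reply sent back (<-) for the
    reversed MAC/IP tuple and return (NUM, rx_vlan, tx_vlan) for every reply
    whose VLAN cell differs from the request it answers."""
    rx_vlan = {}
    mismatches = []
    for r in rows:
        fwd = (r["SRC-MAC"], r["DST-MAC"], r["SRC-ADDRESS"], r["DST-ADDRESS"])
        if r["DIR"] == "->":
            rx_vlan[fwd] = r["VLAN"]
            continue
        rev = (r["DST-MAC"], r["SRC-MAC"], r["DST-ADDRESS"], r["SRC-ADDRESS"])
        if rev in rx_vlan and rx_vlan[rev] != r["VLAN"]:
            mismatches.append((r["NUM"], rx_vlan[rev] or "untagged", r["VLAN"] or "untagged"))
    return mismatches


if __name__ == "__main__":
    for num, rx, tx in find_tag_mismatches(parse_sniffer(SNIFFER)):
        print(f"frame {num}: request seen with VLAN {rx}, reply sent {tx}")
```

Feed it the output of `/tool sniffer quick interface=qsfpplus2-1 ip-protocol=icmp` instead to check the trunk side, where both directions should carry a tag.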

No network diagram?
Which vlan is the management or trusted vlan

I don’t use a separate vlan for mgmt and instead in-band management and the ip of vlan475 (if that was what you meant?).
Screenshot 2025-01-13 at 06.24.30.png

/export file=anynameyouwish ( minus device serial number )

# 2025-01-13 17:47:22 by RouterOS 7.12.1
# software id = 4RZJ-MY29
#
# model = CRS326-24S+2Q+
/interface bridge
add admin-mac=18:FD:74:49:FB:1E auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] disabled=yes
set [ find default-name=qsfpplus1-1 ] disabled=yes
set [ find default-name=qsfpplus1-2 ] disabled=yes
set [ find default-name=qsfpplus1-3 ] disabled=yes
set [ find default-name=qsfpplus1-4 ] disabled=yes
set [ find default-name=qsfpplus2-1 ] advertise=40G-baseSR4-LR4,40G-baseCR4 \
    comment="*** trunk 40GbE * vlan475 ***" loop-protect=off \
    rx-flow-control=on tx-flow-control=on
set [ find default-name=sfp-sfpplus1 ] auto-negotiation=no disabled=yes \
    speed=1G-baseX
set [ find default-name=sfp-sfpplus2 ] auto-negotiation=no comment=\
    "*** cam01 * VLAN 10 ***" rx-flow-control=auto speed=1G-baseT-full \
    tx-flow-control=auto
set [ find default-name=sfp-sfpplus3 ] auto-negotiation=no disabled=yes
set [ find default-name=sfp-sfpplus4 ] auto-negotiation=no comment=\
    "*** env01 * VLAN 10 ***" speed=1G-baseT-full
set [ find default-name=sfp-sfpplus5 ] disabled=yes
set [ find default-name=sfp-sfpplus6 ] disabled=yes
set [ find default-name=sfp-sfpplus7 ] disabled=yes
set [ find default-name=sfp-sfpplus8 ] disabled=yes
set [ find default-name=sfp-sfpplus9 ] disabled=yes
set [ find default-name=sfp-sfpplus10 ] auto-negotiation=no comment=\
    "*** client vlan475 ***" rx-flow-control=on speed=10G-baseT \
    tx-flow-control=on
set [ find default-name=sfp-sfpplus11 ] disabled=yes
set [ find default-name=sfp-sfpplus12 ] disabled=yes
set [ find default-name=sfp-sfpplus13 ] disabled=yes
set [ find default-name=sfp-sfpplus14 ] disabled=yes
set [ find default-name=sfp-sfpplus15 ] disabled=yes
set [ find default-name=sfp-sfpplus16 ] disabled=yes
set [ find default-name=sfp-sfpplus17 ] disabled=yes
set [ find default-name=sfp-sfpplus18 ] disabled=yes
set [ find default-name=sfp-sfpplus19 ] disabled=yes
set [ find default-name=sfp-sfpplus20 ] disabled=yes
set [ find default-name=sfp-sfpplus21 ] disabled=yes
set [ find default-name=sfp-sfpplus22 ] disabled=yes
set [ find default-name=sfp-sfpplus23 ] disabled=yes
set [ find default-name=sfp-sfpplus24 ] auto-negotiation=no disabled=yes
/interface vlan
add comment="*** VLAN10 ***" interface=bridge name=vlan10 vlan-id=10
add comment="*** VLAN475 - 192.168.47.192/27 ***" \
    interface=bridge name=vlan475 vlan-id=475
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
/snmp community
set [ find default=yes ] disabled=yes
add addresses=::/0 authentication-protocol=SHA1 encryption-protocol=AES name=\
    mikrodicksucker security=authorized
/interface bridge port
add bridge=bridge comment=defconf disabled=yes interface=ether1
add bridge=bridge comment="*** client test * vlan475 ***" frame-types=\
    admit-only-untagged-and-priority-tagged interface=sfp-sfpplus10 pvid=475
add bridge=bridge comment="*** trunk to Cisco switch ***" \
    frame-types=admit-only-vlan-tagged interface=qsfpplus2-1
add bridge=bridge comment="*** PoE SWITCH for MISC DEVICES ***" frame-types=\
    admit-only-untagged-and-priority-tagged interface=sfp-sfpplus2 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=sfp-sfpplus4 pvid=10
add bridge=bridge disabled=yes ingress-filtering=no interface=all \
    multicast-router=disabled
/interface bridge vlan
add bridge=bridge tagged=qsfpplus2-1,bridge vlan-ids=475
add bridge=bridge tagged=qsfpplus2-1,bridge untagged=\
    sfp-sfpplus4,sfp-sfpplus2 vlan-ids=10
/ip address
add address=192.168.47.194/27 interface=vlan475 network=192.168.47.192
add address=192.168.47.3/26 interface=vlan10 network=192.168.47.0
/ip route
add distance=1 dst-address=0.0.0.0/0 gateway=192.168.47.193
/system logging
add topics=interface,bridge
add topics=bridge
add topics=debug,bridge
/system note
set show-at-login=no
/system routerboard settings
set boot-os=router-os



-Why do you not show sfp-sfpplus4 connection on diagram???
-Added ingress filtering to /interface bridge port settings
-you have the wrong vlan tagged with the bridge, if 475 is your trusted vlan, then only it needs to have bridge tagged in /interface bridge vlan
-not absolutely necessary but add sfp-sfpplus10 as untagged for 475. It's consistent with 10 config and I prefer to see the untaggings…
-ONLY the trusted vlan has an IP address

  • added a few items, single interface list etc…
    -cannot fathom what weird setup you have for network numbers for vlan475 ( but I trust my lack of knowledge means it's just fine LOL)
/interface bridge
add admin-mac=18:FD:74:49:FB:1E auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=OffBridge1 comment="safe spot to configure"
set [ find default-name=qsfpplus1-1 ] disabled=yes
set [ find default-name=qsfpplus1-2 ] disabled=yes
set [ find default-name=qsfpplus1-3 ] disabled=yes
set [ find default-name=qsfpplus1-4 ] disabled=yes
set [ find default-name=qsfpplus2-1 ] advertise=40G-baseSR4-LR4,40G-baseCR4 \
    comment="*** trunk 40GbE * vlan475 ***" loop-protect=off \
    rx-flow-control=on tx-flow-control=on
set [ find default-name=sfp-sfpplus1 ] auto-negotiation=no disabled=yes \
    speed=1G-baseX
set [ find default-name=sfp-sfpplus2 ] auto-negotiation=no comment=\
    "*** cam01 * VLAN 10 ***" rx-flow-control=auto speed=1G-baseT-full \
    tx-flow-control=auto
set [ find default-name=sfp-sfpplus3 ] auto-negotiation=no disabled=yes
set [ find default-name=sfp-sfpplus4 ] auto-negotiation=no comment=\
    "*** env01 * VLAN 10 ***" speed=1G-baseT-full
set [ find default-name=sfp-sfpplus5 ] disabled=yes
set [ find default-name=sfp-sfpplus6 ] disabled=yes
set [ find default-name=sfp-sfpplus7 ] disabled=yes
set [ find default-name=sfp-sfpplus8 ] disabled=yes
set [ find default-name=sfp-sfpplus9 ] disabled=yes
set [ find default-name=sfp-sfpplus10 ] auto-negotiation=no comment=\
    "*** client vlan475 ***" rx-flow-control=on speed=10G-baseT \
    tx-flow-control=on
set [ find default-name=sfp-sfpplus11 ] disabled=yes
set [ find default-name=sfp-sfpplus12 ] disabled=yes
set [ find default-name=sfp-sfpplus13 ] disabled=yes
set [ find default-name=sfp-sfpplus14 ] disabled=yes
set [ find default-name=sfp-sfpplus15 ] disabled=yes
set [ find default-name=sfp-sfpplus16 ] disabled=yes
set [ find default-name=sfp-sfpplus17 ] disabled=yes
set [ find default-name=sfp-sfpplus18 ] disabled=yes
set [ find default-name=sfp-sfpplus19 ] disabled=yes
set [ find default-name=sfp-sfpplus20 ] disabled=yes
set [ find default-name=sfp-sfpplus21 ] disabled=yes
set [ find default-name=sfp-sfpplus22 ] disabled=yes
set [ find default-name=sfp-sfpplus23 ] disabled=yes
set [ find default-name=sfp-sfpplus24 ] auto-negotiation=no disabled=yes
/interface list
add name=TRUSTED
/interface vlan
add comment="*** VLAN10 ***" interface=bridge name=vlan10 vlan-id=10
add comment="*** VLAN475 - 192.168.47.192/27 ***" \
    interface=bridge name=vlan475 vlan-id=475
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
/snmp community
set [ find default=yes ] disabled=yes
add addresses=::/0 authentication-protocol=SHA1 encryption-protocol=AES name=\
    mikrodicksucker security=authorized
/interface bridge port
add bridge=bridge comment="*** client test * vlan475 ***"  ingress-filtering=yes frame-types=\
    admit-only-untagged-and-priority-tagged interface=sfp-sfpplus10 pvid=475
add bridge=bridge comment="*** trunk to Cisco switch ***" \
    ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=qsfpplus2-1
add bridge=bridge comment="*** PoE SWITCH for MISC DEVICES ***" ingress-filtering=yes frame-types=\
    admit-only-untagged-and-priority-tagged interface=sfp-sfpplus2 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged \
    interface=sfp-sfpplus4 pvid=10
/interface list member
add interface=vlan475 list=TRUSTED
add interface=OffBridge1 list=TRUSTED
/interface bridge vlan
add bridge=bridge tagged=bridge,qsfpplus2-1  untagged=sfp-sfpplus10 vlan-ids=475
add bridge=bridge tagged=qsfpplus2-1  untagged=sfp-sfpplus4,sfp-sfpplus2 vlan-ids=10
/ip address
add address=192.168.47.194/27 interface=vlan475 network=192.168.47.192 comment="trusted vlan"
add address=192.168.77.1/30 interface=OffBridge1 network=192.168.77.0  comment="off bridge access"
/ip route
add distance=1 dst-address=0.0.0.0/0 gateway=192.168.47.193
/ip dns
add server=192.168.47.193
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/system logging
add topics=interface,bridge
add topics=bridge
add topics=debug,bridge
/system note
set show-at-login=no
/system routerboard settings
set boot-os=router-os
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.47.193
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED

The additional address for ether1 simply means all you have to do is plug your laptop into ether1 on the switch, then change your IPV4 settings on the laptop to 192.168.77.2 and you should be able to access the router for config purposes safely off the bridge.
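Both exports in this thread are long enough that a missing static untagged entry or a mistyped interface name is easy to miss by eye. Here is an added Python example (my own, not from either poster and not a MikroTik tool) that parses a RouterOS `/export`, re-joins the backslash-wrapped lines, and cross-checks the bridge port, bridge VLAN, VLAN interface, address and route sections against each other. The embedded input is a constructed excerpt of the original export above; run against it, the checker reports exactly the point raised in the reply above: sfp-sfpplus10 has pvid 475 but is not a static untagged member of VLAN 475 (in the earlier `print detail` it appears only in the dynamic current-untagged list). The subnet checks confirm that the /26 and /27 pieces of 192.168.47.0/24 do not overlap and that the gateway 192.168.47.193 lies inside the vlan475 prefix.

```python
import ipaddress
import re

# Constructed excerpt of the export posted above: only the sections the checker
# needs, keeping the trailing-backslash line wrapping that /export produces.
EXPORT = r"""
/interface vlan
add comment="*** VLAN10 ***" interface=bridge name=vlan10 vlan-id=10
add comment="*** VLAN475 - 192.168.47.192/27 ***" \
    interface=bridge name=vlan475 vlan-id=475
/interface bridge port
add bridge=bridge comment="*** client test * vlan475 ***" frame-types=\
    admit-only-untagged-and-priority-tagged interface=sfp-sfpplus10 pvid=475
add bridge=bridge comment="*** trunk to Cisco switch ***" \
    frame-types=admit-only-vlan-tagged interface=qsfpplus2-1
add bridge=bridge comment="*** PoE SWITCH for MISC DEVICES ***" frame-types=\
    admit-only-untagged-and-priority-tagged interface=sfp-sfpplus2 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=sfp-sfpplus4 pvid=10
/interface bridge vlan
add bridge=bridge tagged=qsfpplus2-1,bridge vlan-ids=475
add bridge=bridge tagged=qsfpplus2-1,bridge untagged=\
    sfp-sfpplus4,sfp-sfpplus2 vlan-ids=10
/ip address
add address=192.168.47.194/27 interface=vlan475 network=192.168.47.192
add address=192.168.47.3/26 interface=vlan10 network=192.168.47.0
/ip route
add distance=1 dst-address=0.0.0.0/0 gateway=192.168.47.193
"""

KV = re.compile(r'(\S+?)=("[^"]*"|\S*)')   # key=value or key="quoted value"

def parse_export(text):
    """Return {section: [entry dicts]} for the 'add' lines of a RouterOS export,
    re-joining the lines that /export wrapped with a trailing backslash."""
    logical = []
    for line in text.splitlines():
        if logical and logical[-1].endswith("\\"):
            logical[-1] = logical[-1][:-1] + line.strip()
        else:
            logical.append(line.rstrip())
    sections, section = {}, None
    for line in logical:
        if line.startswith("/"):
            section = line.strip()
        elif line.startswith("add ") and section:
            entry = {k: v.strip('"') for k, v in KV.findall(line[4:])}
            sections.setdefault(section, []).append(entry)
    return sections

def _members(vlan, key):
    return {m for m in vlan.get(key, "").split(",") if m}

def check_vlan_config(sections):
    """Cross-check bridge ports, the bridge VLAN table, VLAN interfaces,
    addresses and routes against each other; return a list of findings."""
    findings = []
    ports = sections.get("/interface bridge port", [])
    by_id = {int(vid): v for v in sections.get("/interface bridge vlan", [])
             for vid in v["vlan-ids"].split(",")}
    # 1. an access port's PVID must be a VLAN it is a static untagged member of;
    #    otherwise the port only shows up in the dynamic current-untagged list
    for p in ports:
        pvid = int(p.get("pvid", 1))
        if p.get("frame-types") == "admit-only-vlan-tagged" or pvid == 1:
            continue
        if p["interface"] not in _members(by_id.get(pvid, {}), "untagged"):
            findings.append(f"{p['interface']}: pvid {pvid} but not a static untagged member of VLAN {pvid}")
    # 2. a VLAN interface on the bridge needs 'bridge' tagged in that VLAN,
    #    or the switch's own address on it is unreachable
    for vif in sections.get("/interface vlan", []):
        vid = int(vif["vlan-id"])
        if vif.get("interface") == "bridge" and "bridge" not in _members(by_id.get(vid, {}), "tagged"):
            findings.append(f"{vif['name']}: VLAN {vid} is not tagged on 'bridge'")
    # 3. network= must match the prefix, connected subnets must not overlap,
    #    and the default gateway must fall inside one of them
    nets = []
    for a in sections.get("/ip address", []):
        ifc = ipaddress.ip_interface(a["address"])
        if "network" in a and a["network"] != str(ifc.network.network_address):
            findings.append(f"{a['interface']}: network={a['network']} does not match {a['address']}")
        nets.append((a["interface"], ifc.network))
    for i, (n1, net1) in enumerate(nets):
        for n2, net2 in nets[i + 1:]:
            if net1.overlaps(net2):
                findings.append(f"{n1} {net1} overlaps {n2} {net2}")
    for r in sections.get("/ip route", []):
        try:
            gw = ipaddress.ip_address(r.get("gateway", ""))
        except ValueError:
            continue  # gateway given as an interface name: nothing to check
        if not any(gw in net for _, net in nets):
            findings.append(f"route {r.get('dst-address')}: gateway {gw} is not in a connected subnet")
    return findings

if __name__ == "__main__":
    for finding in check_vlan_config(parse_export(EXPORT)):
        print("FINDING:", finding)
```

Paste the full output of `/export` in place of the excerpt to check a whole device; sections the checker does not know about are parsed and ignored.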

maybe in your switch the config ends up doing L3 forwarding; if you need that you must configure L3 Hardware Offloading

L3 Hardware Offloading
https://help.mikrotik.com/docs/spaces/ROS/pages/62390319/L3+Hardware+Offloading

for a 300 series switch??? What L3… its all layer 2

chechito! You’re a genius! :raising_hands: Thanks a bunch! :heart_hands: That actually helped with the speed. Now near line speed in and out on that vlan. But that doesn’t solve the vlan10 issues and the odd vlan tagging though. Thinking that I might have to abandon multiple vlans. But it shouldn’t really be an issue or even hard. So strange. :frowning:
Screenshot 2025-01-13 at 21.03.57.png
Screenshot 2025-01-13 at 21.03.35.png

This switch model is actually listed on that URL, and it did actually solve that issue. Still have the vlan tagging issue though and there is something that I have misconfigured that I’m not seeing.

I surrendered. That switch and this config have taken too much time of my life. I removed vlan10 and streamlined it to only run one vlan. I obviously missed something simple but the easy route (no pun intended) is to just deal with it and move on. :confused:

actually the switch setting is NOT needed, hw offloading happens automagically on the 326 when setting up bridge vlan filtering

I just helped a chap setup his 326 and it works like butta.
Chechito needs to stop eating so many chitos LOL, they are preventing synapses from firing.

Then something in my config was missed or there was/is a bug or something, it did not work properly until activated as per the instructions in that manual.

Cool! And do / did you see something in my config that differs that’s a potential issue?

The setup I gave you is gold and will work 100%,
Just work from an OffBridgePort to complete the configuration.

Oh dang! Apologies. I had totally missed that you posted that. Will look at it.

No worries, The only thing I do not understand is the weird networking schema.
/ip address
add address=192.168.47.194/27 interface=vlan475 network=192.168.47.192 comment="trusted vlan"

I cannot netmask myself out of a paper bag and if it doesn't look like this, I get easily confused :slight_smile:
add address=192.168.47.194/24 interface=vlan475 network=192.168.47.0 comment="trusted vlan"

I'm sure it's just fine!!

and then the gateway being 192.168.47.193 LOL ( I would have expected 192.168.47.1 or 192.168.47.254 )

So looks like ingress filtering on the bridge side of things might have been the issue then. :thinking: I’ll try to find the time to test that config. Many many many thanks for taking your time with this! Much appreciated. :raising_hands::folded_hands:

Sipcalc is your/our friend =)

sipcalc 192.168.47.192/27
-[ipv4 : 192.168.47.192/27] - 0

[CIDR]
Host address		- 192.168.47.192
Host address (decimal)	- 3232247744
Host address (hex)	- C0A82FC0
Network address		- 192.168.47.192
Network mask		- 255.255.255.224
Network mask (bits)	- 27
Network mask (hex)	- FFFFFFE0
Broadcast address	- 192.168.47.223
Cisco wildcard		- 0.0.0.31
Addresses in network	- 32
Network range		- 192.168.47.192 - 192.168.47.223
Usable range		- 192.168.47.193 - 192.168.47.222

Then, there’s also some logic to the madness you pointed out regarding naming. 192.168.47.0/24 is vlan47, named after the third octet. But that c-net is split into multiple subnets. This one then being the fifth, which adds the 5 after 47… vlan475. So not only logical, but also intuitive. :sunglasses: