QinQ. Bridging VLAN interfaces (use-service-tag=yes) within a single bridge

Hi All,

My environment:
hAP ac^2 (RBD52G-5HacD2HnD)
RouterOS: 7.19.4

I have two VLAN (vlan-id=100, vlan-id=101) interfaces (use-service-tag=yes) configured on top of a direct Ethernet link.

> /interface/vlan/print detail

 2 R name="vlan100" mtu=1500 l2mtu=1594 mac-address=MMM arp=enabled arp-timeout=auto loop-protect=default loop-protect-status=off loop-protect-send-interval=5s loop-protect-disable-time=5m 
     vlan-id=100 interface=ether1 use-service-tag=yes mvrp=no 

 3 R name="vlan101" mtu=1500 l2mtu=1594  mac-address=MMM arp=enabled arp-timeout=auto loop-protect=default loop-protect-status=off loop-protect-send-interval=5s loop-protect-disable-time=5m 
     vlan-id=101 interface=ether1 use-service-tag=yes mvrp=no 

The S-VLANs carry the respective lists of C-VLANs:
100 carrying 10,11
101 carrying 18

Both interfaces vlan100 and vlan101 are ports of bridge br1

> /interface/bridge/print detail 
Flags: D - dynamic; X - disabled, R - running 
 0  R name="br1" mtu=auto actual-mtu=1500 l2mtu=1560 arp=enabled arp-timeout=auto mac-address=MMM protocol-mode=rstp fast-forward=yes igmp-snooping=no auto-mac=yes ageing-time=5m priority=0x8000 
      max-message-age=20s forward-delay=15s transmit-hold-count=6 vlan-filtering=yes ether-type=0x8100 pvid=300 frame-types=admit-only-vlan-tagged ingress-filtering=yes dhcp-snooping=no port-cost-mode=long mvrp=no 
      max-learned-entries=auto 
> /interface/bridge/port/print detail
 0     interface=ether2 bridge=br1 priority=0x80 edge=auto point-to-point=auto learn=auto horizon=none hw=yes auto-isolate=no restricted-role=no restricted-tcn=no pvid=10 
       frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes unknown-unicast-flood=yes unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no mvrp-registrar-state=normal 
       mvrp-applicant-state=normal-participant multicast-router=temporary-query fast-leave=no 

 1     interface=ether3 bridge=br1 priority=0x80 edge=auto point-to-point=auto learn=auto horizon=none hw=yes auto-isolate=no restricted-role=no restricted-tcn=no pvid=11 
       frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes unknown-unicast-flood=yes unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no mvrp-registrar-state=normal 
       mvrp-applicant-state=normal-participant multicast-router=temporary-query fast-leave=no 

 5     interface=vlan100 bridge=br1 priority=0x80 edge=auto point-to-point=auto learn=auto horizon=none auto-isolate=no restricted-role=no restricted-tcn=no pvid=999 
       frame-types=admit-only-vlan-tagged ingress-filtering=yes unknown-unicast-flood=yes unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no mvrp-registrar-state=normal 
       mvrp-applicant-state=normal-participant multicast-router=temporary-query fast-leave=no 

 6     interface=vlan101 bridge=br1 priority=0x80 edge=auto point-to-point=auto learn=auto horizon=none auto-isolate=no restricted-role=no restricted-tcn=no pvid=999 frame-types=admit-only-vlan-tagged 
       ingress-filtering=yes unknown-unicast-flood=yes unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no mvrp-registrar-state=normal mvrp-applicant-state=normal-participant 
       multicast-router=temporary-query fast-leave=no 

 8     interface=ether5 bridge=br1 priority=0x80 edge=auto point-to-point=auto learn=auto horizon=none hw=yes auto-isolate=no restricted-role=no restricted-tcn=no pvid=18 
       frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes unknown-unicast-flood=yes unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no mvrp-registrar-state=normal 
       mvrp-applicant-state=normal-participant multicast-router=temporary-query fast-leave=no 

> /interface/bridge/vlan/print detail 
Flags: X - disabled, D - dynamic 

 3   bridge=br1 vlan-ids=18 tagged=vlan101 untagged=ether5 mvrp-forbidden=""

 4   bridge=br1 vlan-ids=10 tagged=vlan100 untagged=ether2 mvrp-forbidden="" 

 5   bridge=br1 vlan-ids=11 tagged=br1,vlan100 untagged="ether3" mvrp-forbidden="" 

My problem is:
C-VLANs carried by S-VLAN 100 work as expected: DHCP clients on the corresponding access ports (ether2, ether3) can obtain IPs, and ICMP requests from the gateway to the assigned IPs are working.

C-VLANs carried by S-VLAN 101 are not working. DHCP clients on the corresponding access ports (ether5) can NOT obtain IPs.

If I move interfaces vlan101 and ether5 into a separate bridge br2, everything works as expected.

Maybe someone can give a hint as to why this behavior occurred?

Honestly, I dislike the idea of keeping several bridges, because RouterOS limits hw acceleration to one bridge.

Try to disable xSTP on the bridge ... or if absolutely necessary, use MSTP.

You don't write what's on the other end of your S-VLANs. If it's a similar setup with a single bridge, then both bridges will see xSTP BPDUs arriving via both S-VLANs, making them believe there's a loop.


@mkx you are totally right. My issue seems resolved after turning off RSTP even at one (described) side.

Thank you.

OK, time to refine the solution :wink:

You can set edge=yes on the vlan100 and vlan101 interfaces under /interface/bridge/port and re-enable RSTP on the bridge. Setting edge=yes should block BPDUs only on those ports. The only thing that remains to be seen is whether such a setting is necessary on both ends or whether it suffices to do it on one end only (i.e. does edge=yes also block ingress BPDUs, or does it just block them on egress).
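
An added example, not part of any post in this thread: a Python check over saved "print detail" output that finds the layout mkx's reply describes, two or more VLAN interfaces of the same parent link as ports of one bridge running STP or RSTP. The sample input is constructed by abridging the output quoted above; the function names are hypothetical, and each port's edge value is reported as-is without judging whether it suppresses BPDUs.

```python
import re
from collections import defaultdict

# Constructed input: abridged from the print output quoted in the thread.
VLANS = '''
 2 R name="vlan100" mtu=1500 l2mtu=1594 arp=enabled
     vlan-id=100 interface=ether1 use-service-tag=yes mvrp=no
 3 R name="vlan101" mtu=1500 l2mtu=1594 arp=enabled
     vlan-id=101 interface=ether1 use-service-tag=yes mvrp=no
'''
BRIDGES = '''
 0  R name="br1" mtu=auto protocol-mode=rstp fast-forward=yes
      vlan-filtering=yes ether-type=0x8100 pvid=300
'''
PORTS = '''
 0     interface=ether2 bridge=br1 edge=auto pvid=10
       frame-types=admit-only-untagged-and-priority-tagged
 5     interface=vlan100 bridge=br1 edge=auto pvid=999
       frame-types=admit-only-vlan-tagged
 6     interface=vlan101 bridge=br1 edge=auto pvid=999
 8     interface=ether5 bridge=br1 edge=auto pvid=18
'''

def parse_detail(text):
    """Parse RouterOS 'print detail' output into one dict per numbered record."""
    records = []
    for line in text.splitlines():
        if re.match(r"\s*\d+\s", line):        # a new record starts with its index
            records.append({})
        if records:                            # other lines continue the last record
            for key, val in re.findall(r'([\w-]+)=("[^"]*"|\S*)', line):
                records[-1][key] = val.strip('"')
    return records

def parallel_vlan_ports(vlans, bridges, ports):
    """Return {(bridge, parent link): [(vlan port, edge value), ...]} for STP/RSTP
    bridges holding 2+ VLAN interfaces of one parent link (the thread's layout)."""
    parent = {v["name"]: v["interface"] for v in parse_detail(vlans)}
    stp = {b["name"] for b in parse_detail(bridges)
           if b.get("protocol-mode") in ("stp", "rstp")}
    groups = defaultdict(list)
    for p in parse_detail(ports):
        if p["bridge"] in stp and p["interface"] in parent:
            groups[(p["bridge"], parent[p["interface"]])].append((p["interface"], p.get("edge")))
    return {k: v for k, v in groups.items() if len(v) > 1}

if __name__ == "__main__":
    for (bridge, link), found in parallel_vlan_ports(VLANS, BRIDGES, PORTS).items():
        print(f"{bridge}: {found} share {link} while xSTP runs")
```
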