RB5009 inter-VLAN vs port-based subnet

adwlodaro · July 6, 2023, 5:53pm

Hi,
I think I setup bridge VLAN filtering correctly, hw-offloading is on and I’m getting 1Gbps between devices on the same VLAN - RoS 7.9.2
My problem (with understanding and/or configuration) is when traffic is going between two VLANs (CCTV IP recorder and PC station are connected) and hitting CPU:

iperf shows 850Mbit/sec and CPU load is about 20%
with fasttrack enabled only between these two VLANS: CPU about 10% and iperf 910Mbit/sec
RoS configuration is minimal, no FW, literally nothing

Best result performance-wise is when configuration looks like this:

In that scenario the CPU load is about 8% and iperf shows 950Mbit/sec with Fasttrack enabled.
Questions for you:

Simple port-based dedicated subnet is more capable than VLAN-based solution. Is it just because of VLAN processing? Both configurations hitting CPU on RB5009 if I understand that right.
Is 20% load on CPU under one unicast communication on such powerfull RB5009 normal?
Thank you
My config - not related to the diagram above. This is for inter-vlan routing and this config causes that >20% CPU load:

# model = RB5009UG+S+
/interface bridge
add frame-types=admit-only-vlan-tagged name=bridge1 protocol-mode=none \
    vlan-filtering=yes
/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10
add interface=bridge1 name=vlan20 vlan-id=20
/interface list
add name=mgmt
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool4 ranges=10.10.10.2-10.10.10.254
add name=dhcp_pool5 ranges=10.20.20.2-10.20.20.254
/ip dhcp-server
add address-pool=dhcp_pool4 interface=vlan10 name=dhcp1
add address-pool=dhcp_pool5 interface=vlan20 name=dhcp2
/interface bridge port
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether8 pvid=20
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether5 pvid=10
/ip firewall connection tracking
set tcp-established-timeout=30m
/ip neighbor discovery-settings
set discover-interface-list=all protocol=mndp
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether5 vlan-ids=10
add bridge=bridge1 tagged=bridge1 untagged=ether8 vlan-ids=20
/interface list member
add interface=*B list=mgmt
add interface=ether2 list=mgmt
/ip address
add address=10.10.10.1/24 interface=vlan10 network=10.10.10.0
add address=10.20.20.1/24 interface=vlan20 network=10.20.20.0
/ip dhcp-server network
add address=10.10.10.0/24 gateway=10.10.10.1
add address=10.20.20.0/24 gateway=10.20.20.1
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=\
    established,related hw-offload=yes in-interface=vlan20 out-interface=\
    vlan10
add action=accept chain=forward
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=mgmt
/tool mac-server ping
set enabled=no

chechito · July 6, 2023, 6:10pm

i think the CPU usage is because of inter-vlan traffic, that is Layer 3 traffic, that uses CPU, intra-vlan traffic will not hit CPU because is L2 traffic as long as you have Bridge Hardware offload active

adwlodaro · July 6, 2023, 6:20pm

Thanks for the replay, yea, you’re right and that part works as expected. But the big question for me is why CPU load is that high under fairly simple traffic? And what about routing between VLAN-based network vs simple L3 port-based. I feel like I’m missing something…

anav · July 6, 2023, 6:23pm

That sounds right!!

Looking at the config
(1) … for 99% of cases the only thing you need to do is turn vlan-filtering=yes, so try removing the frame type addition should not be needed!!
Especially because on the bridge you have access ports (untagged traffic).
/interface bridge
add frame-types=admit-only-vlan-tagged name=bridge1 protocol-mode=none vlan-filtering=yes

(2) I see you have ethernet2 assigned off the bridge. This does not match your diagram!
other stuff missing as well.

(3) Firewall rules are weird…

adwlodaro · July 6, 2023, 7:54pm

I’m sorry for missleading, my bad… The config is not related to the diagram above, which shows routing between independent subnet and VLAN - this is where performance was the best. Now I’ve pasted correct configuration with inter-VLAN routing - again, not related to the diagram.

Okey, so when traffic arives at untagged port, it gets VLAN id that was set with PVID and then goes to the bridge interface, so I thought that frame-types on the bridge should be “admit-only-vlan-tagged”.

Buckeye · July 7, 2023, 3:22am

What is the purpose of the diagram if it doesn’t correspond to any export? It is especially confusing when you post a diagram and a config that doesn’t correspond to the diagram in the same post. And then after people have commented on the export, to replace it with yet another unrelated one.

What would be more useful would be to post the complete configs of each case you are comparing, and a diagram corresponding to each one.

Did you ever try between two independent ports? Was that different than the “fastest” case you found?

If you post a changed config, and want people to refer the new one, you could put a link to the post with the new config in it. Then when people comment on a config, they can put a link to the config they are responding to (especially if it isn’t in the lastest posting).

I would expect the performance on the 5009 to be similar for the following cases. But I think you are claiming this is not the case.

Routing between two independent ether ports that are not part of the bridge.
Routing between two independent ether ports when one has a vlan interface attached. The vlan interface will be tagged, so there will be a minimal amount of extra processing done in this case, possibly involving making an in memory copy of the complete frame. Also the device connected to the ether port with the vlan interface would need to be vlan aware and be able to process vlan tagged frames itself, i.e. vlan-aware. There is a tiny bit (4 bytes) of data on the wire, but that would be hard to measure, my guess is it would be “in the noise”.
Routing between two independent ether ports, when both interfaces are vlan interfaces.
Inter-vlan routing between two vlans on hardware accellerated vlan-filtering bridge. The CPU has to do the same amount of processing as in case 3, plus the bridge overhead (if running RSTP for example).

I don’t know enough about the Marvell 88E6393X switch ASIC to know how the internal “trunk” between the CPU and ASIC, it may be memory mapped an the transfer can be done with DMA. But the block diagram seems it indicate that the link is 10Gb/s full duplex.