ROS 6.49 - Device Discovery issue when VLAN is used

Hi Guys,

The MikroTik device discovery tool on the CRS326-24S+2Q+ and the broadcast daemon on the hEX S have some issues when using VLANs with VLAN-aware hardware. Both devices use VLANs with the new configuration style via BRIDGE-VLAN.

So let's start with an example configuration on hEX S:

  • bridge is native (pvid) on vlan 1580
  • ether1 is native (pvid) on vlan 1580
  • sfp1 is tagged with vlan 1580


/interface bridge
    add add-dhcp-option82=yes dhcp-snooping=yes fast-forward=no name=bridge1 protocol-mode=none pvid=1580 vlan-filtering=yes
/interface bridge port
    add bridge=bridge1 hw=no interface=ether1 pvid=1580
    add bridge=bridge1 hw=no interface=sfp1 pvid=1 trusted=yes
/interface bridge settings
    set allow-fast-path=no use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings
    set discover-interface-list=!dynamic
/interface bridge vlan
    add bridge=bridge1 tagged=sfp1 untagged=ether1 vlan-ids=1580

Problem: The hEX S discovery broadcast daemon is only sending out the discovery frames on VLAN 1 instead of the bridge interface. SFP1 is a slave of bridge1, so the broadcast daemon should not send frames on a slave device.


So let's start with an example configuration on CRS326-24S+2Q+:

  • bridge is native (pvid) on vlan 1580
  • bridge is tagged with vlan 1 and a vlan interface on bridge1 is added
  • customer-port is tagged with vlan 1580


/interface bridge
    add admin-mac=C4:AD:34:E3:73:70 auto-mac=no comment=defconf name=bridge protocol-mode=none pvid=1580 vlan-filtering=yes
/interface vlan
    add interface=bridge name=vlan1.management vlan-id=1
/interface bridge port
    add bridge=bridge ingress-filtering=yes interface=sfp-sfpplus10
/interface bridge vlan
    add bridge=bridge tagged="sfp-sfpplus10" vlan-ids=1580
    add bridge=bridge tagged=bridge vlan-ids=1

Problem: This results in a neighbour list with interface name “vlan1.management” instead of the corresponding switch interface (sfp-sfpplus10).

This is the result of show neighs:

> ip neighbor print detail
 1 interface=vlan1.management address=172.16.18.70 address4=172.16.18.70 mac-address=2C:C8:1B:F3:88:01 
   identity="cust.de.seeon.Altenmarkterstr-28.Wohnung-8.xxxxxxx" platform="MikroTik" version="6.49.1 (stable)" unpack=none age=22s uptime=11w3d17h3m52s 
   software-id="RCHF-PT42" board="RB760iGS" interface-name="bridge1/sfp1" system-description="MikroTik RouterOS 6.49.1 (stable) RB760iGS" 
   system-caps=bridge,router system-caps-enabled=bridge,router

There are numerous reports where implicitly defined interface lists don’t work very well. Such as this configuration of yours:

/ip neighbor discovery-settings
    set discover-interface-list=!dynamic

Try to create explicit interface list and use it in this setting. Something like this:

/interface list
add name=MGMT
/interface list member
add list=MGMT interface=bridge1
/ip neighbor discovery-settings
set discover-interface-list=MGMT

BTW, my own preference is to use bridge as tagged-only entity whenever device is hit by VLANs … so no pvid setting on bridge interface, rather use it as anchor for appropriate /interface vlan entity and making bridge tagged member of appropriate VLANs in /interface bridge vlan … this way it’s entirely clear that we’re talking about access window to particular VLAN for ROS.

Yeah, I also had thoughts along these lines, that I have to define an interface list, but when I do this, I cannot see a single device in discovery.

You are right, when not using PVID on bridge1, but using VLAN-tagged on the bridge interface and adding a VLAN interface to bridge1, that will solve the issue. I also see that behaviour, but this is not the correct way it should go.

In fact, the MNDP / CDP daemon has a wrong implementation. The daemon should aggregate more information on how to send broadcast messages on the correct interface - so only send on interfaces that are not slaves.

MikroTik's hardware is VLAN-aware, so why should I use CPU VLAN instead of hardware VLAN capabilities, only because MNDP/CDP is broken?

This bug has to be fixed by the ROS team.

Does this problem still exist in ROS 7?
I cannot delete PVID on the bridge interface.

This problem never existed for me, neither in v6 nor in v7.


You can’t delete PVID … but if you set bridge CPU-facing port with frame-types=admit-only-vlan-tagged, then PVID setting will become irrelevant. After setting it, when running /interface/bridge/vlan/print, bridge CPU-facing port is not listed as member of VID with same value as PVID any more.
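
The tagged-only bridge layout suggested in the replies above, applied to the hEX S configuration from the first post. This is an added example, not configuration posted by anyone in the thread; the interface name vlan1580.mgmt is hypothetical, and it assumes any IP address or DHCP client currently bound to bridge1 is moved to the new VLAN interface before the bridge stops accepting untagged frames.

```routeros
# Added example; assumes bridge1, ether1, sfp1 and VLAN 1580 as in the hEX S post.

# 1. Make the bridge (CPU-facing port) a tagged member of VLAN 1580.
/interface bridge vlan
set [find bridge=bridge1 vlan-ids=1580] tagged=bridge1,sfp1 untagged=ether1

# 2. Give RouterOS its access window into VLAN 1580 (hypothetical name).
/interface vlan
add interface=bridge1 name=vlan1580.mgmt vlan-id=1580

# 3. Move L3 configuration (IP address, DHCP client) from bridge1 to
#    vlan1580.mgmt here, before step 4, or management access is lost.

# 4. Stop the CPU-facing bridge port from accepting untagged frames,
#    which makes its pvid irrelevant.
/interface bridge
set bridge1 frame-types=admit-only-vlan-tagged

# 5. Replace the implicit "!dynamic" list with an explicit one, so
#    discovery runs only on the management VLAN interface.
/interface list
add name=MGMT
/interface list member
add list=MGMT interface=vlan1580.mgmt
/ip neighbor discovery-settings
set discover-interface-list=MGMT

# 6. Check the result: bridge1 should appear only as tagged in 1580,
#    and neighbours should be listed against the expected interface.
/interface bridge vlan print
/ip neighbor print detail
```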