RouterOS Bridge not forwarding MacSEC

I’m struggling to find out why my CRS328-4C-20S-4S in RouterOS mode is not forwarding MacSec and LACP packets. I’ve set the CRS328-4C-20S-4S as a Layer2 switch; it is connected to a Cisco PE which is creating an EoMPLS for all traffic encapsulated with Vlan 3111. The CRS328-4C-20S-4S is taking sfp1 and putting it into a bridge; I also have a vlan interface ID 3111 in the bridge.

Now when I push tagged or untagged traffic into sfp1 it’s fine: the traffic goes through the bridge and into the EoMPLS tunnel created by the Cisco and is handed off at the other PE device, also a Cisco, to a CPE. Now when I remove the CRS328-4C-20S-4S and patch the CPE directly into the Cisco, all traffic is passed and MacSEC, LACP etc. work perfectly, but once the CRS328-4C-20S-4S is in the path, it drops those packets, or rather it tries to interrogate the packets instead of passing them into the bridge.

Config Dump:


/interface bridge
add name=EoMPLS-Test

/interface ethernet
set [ find default-name=sfp1 ] comment="1Gbps Ethernet Link to Test CPE" l2mtu=9192 mtu=9192

/interface vlan
add interface=sfp-sfpplus1 mtu=9170 name=sfp-sfplus1-vlan3111-EoMPLS-TEST vlan-id=3111

/interface bridge port
add bridge=EoMPLS-Test interface=sfp1 point-to-point=yes trusted=yes
add bridge=EoMPLS-Test ingress-filtering=no interface=sfp-sfplus1-vlan3111-EoMPLS-TEST point-to-point=yes trusted=yes

This has been solved. Bridge needs to be configured with protocol-mode=none as the protocols such as MacSEC and LACP use reserved multicast MAC destination addresses (01:80:C2:00:00:0X) which are not forwardable by R/M/STP compatible bridges.

Thank you to Edgars P. from <support@mikrotik.com> for clarifying this for me.
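
To see which frames fall into the reserved 01:80:C2:00:00:0X range named above, the following added example (not part of the original thread and not MikroTik code) classifies Ethernet frames by destination MAC and EtherType. The sample frames, source MAC and function names are constructed for illustration. It shows that LACPDUs and MACsec key agreement (MKA, carried in EAPOL) use reserved destinations, while MACsec-protected data frames do not.

```python
import struct

# Reserved link-local block named in the post: 01:80:C2:00:00:00 .. 0F
RESERVED_PREFIX = bytes.fromhex("0180c20000")
VLAN_TAGS = (0x8100, 0x88A8)

def classify(frame: bytes) -> dict:
    """Name the protocol of an Ethernet frame and flag a reserved destination."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    dst = frame[:6]
    (etype,) = struct.unpack("!H", frame[12:14])
    payload = frame[14:]
    while etype in VLAN_TAGS and len(payload) >= 4:  # step over 802.1Q/802.1ad tags
        (etype,) = struct.unpack("!H", payload[2:4])
        payload = payload[4:]
    if etype < 0x0600:
        proto = "802.3/LLC"            # length field, e.g. STP BPDUs
    elif etype == 0x8809:              # Slow Protocols: first byte is the subtype
        proto = "LACP" if payload[:1] == b"\x01" else "Slow Protocols"
    elif etype == 0x888E:              # EAPOL: byte 1 is the packet type, 5 = MKA
        proto = "EAPOL-MKA" if payload[1:2] == b"\x05" else "EAPOL"
    elif etype == 0x88E5:
        proto = "MACsec data"
    else:
        proto = f"ethertype 0x{etype:04x}"
    reserved = dst[:5] == RESERVED_PREFIX and dst[5] <= 0x0F
    return {"dst": dst.hex(":"), "protocol": proto, "reserved_dst": reserved}

def frame(dst: str, etype: int, payload: bytes) -> bytes:
    """Build a constructed test frame; the source MAC is a made-up local address."""
    return (bytes.fromhex(dst.replace(":", "")) + bytes.fromhex("020000000001")
            + struct.pack("!H", etype) + payload)

# Constructed sample frames, not captured from the poster's network.
SAMPLES = [
    frame("01:80:c2:00:00:02", 0x8809, b"\x01\x01" + bytes(40)),  # LACPDU
    frame("01:80:c2:00:00:03", 0x888E, b"\x03\x05\x00\x00"),      # MKA key agreement
    frame("02:00:00:00:00:02", 0x88E5, bytes(32)),                # MACsec-protected data
]

def report(frames=SAMPLES):
    return [classify(f) for f in frames]

if __name__ == "__main__":
    for row in report():
        print(row)
```

Frames flagged `reserved_dst` are the ones the post says an R/M/STP-compatible bridge will not forward; running the same classification over a capture taken on each side of the switch shows which control frames stop at the bridge.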

Independent of protocol reserved multicast bridging, your VLAN should not be in a bridge with a physical interface:

/interface ethernet
set [ find default-name=sfp1 ] comment="1Gbps Ethernet Link to Test CPE" mtu=9192
set [ find default-name=sfp-sfpplus1 ] comment="10Gbps Ethernet Link" mtu=9192

/interface bridge
add name=EoMPLS-Test vlan-filtering=no

/interface bridge port
add bridge=EoMPLS-Test interface=sfp1 pvid=3111 point-to-point=yes trusted=yes
add bridge=EoMPLS-Test interface=sfp-sfpplus1 point-to-point=yes trusted=yes

/interface bridge vlan
add bridge=EoMPLS-Test vlan-ids=3111 tagged=sfp-sfpplus1 untagged=sfp1

/interface/bridge
set [find name=EoMPLS-Test] vlan-filtering=yes

Why do people still mess up their VLAN/Bridge configuration on MikroTik even though the process is identical on all Linux-based NOSes?

Read this:
https://help.mikrotik.com/docs/display/ROS/Basic+VLAN+switching#BasicVLANswitching-CRS3xx,CRS5xxseriesswitches,CCR2116,CCR2216andRTL8367,88E6393X,88E6191X,88E6190,MT7621andMT7531switchchips