I have 11 CRS106-1C-5S running ROS version 6.42.6 all connected through single mode fiber cables and Mikrotik SFP modules.
Boards are running fine since 11 months now.
I created a bridge and added all ports to it with hardware offloading enabled.
I have set up tagged and untagged vlans on the switch chip according to Mikrotik wiki.
Management vlan 100 (tagged) created on the bridge interface.
Untagged vlan 200 assigned to combo/ether port.
I wanted complete isolation of vlans but the problem is:
I can see traffic from tagged vlan 100 going to combo port. (broadcast and multicast traffic).
I can also see untagged traffic going to all ports in bridge (802.2 traffic)
What may be the problem?
Also shouldn’t (interface ethernet switch set forward-unknown-vlan=no) eliminate this issue?
Here is my config export:
/interface bridge
add name=bridge
/interface ethernet
set [ find default-name=combo1 ] name=combo-TP-LinkSwitch
set [ find default-name=sfp1 ] name=sfp1-Main
set [ find default-name=sfp2 ] name=sfp2
/interface vlan
add interface=bridge name=vlan-mgmt vlan-id=100
/interface ethernet switch
set forward-unknown-vlan=no
/interface list
add name=Management
add exclude=dynamic name=discover
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/interface bridge port
add bridge=bridge interface=sfp5
add bridge=bridge interface=sfp4
add bridge=bridge interface=sfp3
add bridge=bridge interface=sfp2
add bridge=bridge hw=no interface=combo-TP-LinkSwitch
add bridge=bridge interface=sfp1-Main
/ip neighbor discovery-settings
set discover-interface-list=Management
/interface ethernet switch egress-vlan-tag
add tagged-ports=sfp1-Main,sfp2,sfp3,sfp4,sfp5 vlan-id=200
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=200 ports=combo-TP-LinkSwitch
/interface ethernet switch vlan
add ports=switch1-cpu,sfp1-Main,sfp2,sfp3,sfp4,sfp5 vlan-id=100
add ports=sfp1-Main,combo-TP-LinkSwitch,sfp2,sfp3,sfp4,sfp5 vlan-id=200
/interface list member
add interface=vlan-mgmt list=Management
/ip address
add address=192.168.25.52/24 interface=vlan-mgmt network=192.168.25.0
/ip dns
set servers=192.168.25.12,192.168.25.13
/ip route
add distance=1 gateway=192.168.25.1
Well first thing I would do, is make sure that VLAN200 is setup as an actual interface on the router. You only have VLAN100 setup but you’re setting up VLAN rules that include 200.
hw=no was a mistake during config export, it is enabled by default.
sa-learning is enabled by default.
I don’t see how changing the PVID for each port would solve my issue.
The Main question is:
-Why am I seeing tagged traffic passing on to the combo port which is configured for vlan 200.
Update:
If I put the vlan 100 interface on the uplink port instead of the bridge, combo port stops receiving vlan 100 tagged packet!
can you explain this behaviour?
Problem is also happening on other switch chip devices as well.
Here are 2 examples of traffic passing from vlan 100 (broadcast) to access port vlan 200.
Both devices are on 6.42.9 version.
Pictures include all switch configurations.
OmniTik
CRS106-1C-5S
Please help me solve this mysterious problem.
@davzar switch1-cpu was added ONLY on the OmniTik because the wlan1 needs it to forward the tags properly.
If I remove switch1-cpu vlan200 will not pass onto wlan1.
switch1-cpu is not added on the CRS as you can see in the picture, so I highly doubt it is the culprit.
