I’m using SwOS lite 2.17 on a MikroTik CSS610-8G-2S+IN Switch. The switch is new and it’s my first MikroTik. Better late than never!
Port nr. 7 is connected to the LAN port of a standard internet router (Fritzbox 5530).
Port nr. 7 is configured to be a member of VLAN 34 only (no other VLAN selected) in strict mode/only untagged/default VLAN ID 34/force VLAN ID disabled
Ports 1&2 are configured as LAG 1 being member of all VLANs (tagged only). They are connected to another switch.
I have DHCP clients on multiple VLANs, meaning the MikroTik will receive their DHCP discover packets on LAG 1 as broadcasts (DHCP) and IPv6 multicasts (DHCPv6). These requests are for sure tagged with some VLAN tag - depending on the network they are coming from. But I’m talking about a device not being in VLAN 34. E.g. there is a printer device in VLAN 3057.
Now I discovered that the Fritzbox received their DHCP requests although Port 7 is strict and not a member of any of these VLANs. I wiresharked it, filtered for that printer’s MAC and discovered this: The broadcast packets received in VLAN 3057 on LAG1 are emitted on port 7 although port 7 is not a member of that VLAN:
For me at first glance it looks like a bug in SwOS that violates the separation of broadcast domains? Of course I’m considering an error in ISO/OSI layer 8, so my question: Is there some setting I might have overlooked or some concept I might have misunderstood?
I found some reports in this forum about IVL, but I don’t have duplicate mac addresses.
If somebody could give me a hint, that would be great! Thank you & cheers!
Sumpfdotter
–
Addition:
I reproduced this behaviour with pretty default settings: I reset the switch completely and attached only two devices to it. Then I emitted the broadcast packet I captured (tagged for VLAN 3057) on one device and I received it with the other - that’s okay because in default settings all ports are in VLAN mode “optional”. Now I set the receiving port to “strict/untagged only” and assigned it to Default VLAN ID 2. Now VLAN 3057 MUST not be received by that port anymore, right? But it did - that dedicated broadcast packet was transmitted again. I will file a bug attaching all the files. Support ticket SUP-142030.
Thank you very much! The bug is already confirmed and reproduced by MikroTik. A fix may appear in one of the next versions. Luckily they found a workaround: Disable the “Add Information Option” setting under the SwOS System page - if you don’t need DHCP Option-82.
For those interested, here are the steps to reproduce:
1. Set the switch to default settings
2. Go to page VLAN and set port 7 to mode “strict/untagged only” and set Default VLAN ID to 2
3. Plug a receiving device into port 7
4. Plug a sending device into port 1
5. Send the packet to port 1. The packet is tagged with VLAN tag 3057
Observed Behavior:
The switch emits the packet as is (incl. VLAN tag 3057) on port 7
Expected Behavior:
The switch does not forward the packet of VLAN 3057 to port 7
Here’s the VLAN page:
On VLANs I didn’t change anything (default settings).
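An added example, not part of the original post and not MikroTik code: a check over raw frames captured on the receiving port that flags any frame still carrying an 802.1Q tag, matching the reproduction above (port 7 untagged only, packet tagged 3057). The MAC addresses and payloads are constructed, and `parse_frame`, `leaked_frames` and `build` are hypothetical helper names.

```python
import struct

TPIDS = {0x8100, 0x88A8}  # 802.1Q and 802.1ad tag protocol identifiers

def parse_frame(frame: bytes) -> dict:
    """Return MACs, VLAN IDs (outermost first) and the inner EtherType."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset, vlans = 12, []
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    while ethertype in TPIDS:
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vlans.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        offset += 4
        (ethertype,) = struct.unpack_from("!H", frame, offset)
    return {"dst": dst.hex(":"), "src": src.hex(":"),
            "vlans": vlans, "ethertype": ethertype}

def leaked_frames(frames, untagged_only=True, allowed_vlans=frozenset()):
    """Frames seen on an egress port that its VLAN settings should have blocked."""
    leaks = []
    for raw in frames:
        info = parse_frame(raw)
        if not info["vlans"]:
            continue  # untagged frame: belongs to the port's default VLAN
        # An untagged-only port must never emit a tag; otherwise check membership.
        if untagged_only or info["vlans"][0] not in allowed_vlans:
            leaks.append(info)
    return leaks

def build(dst, src, ethertype, payload=b"", vlan=None):
    """Assemble a constructed test frame, optionally with one 802.1Q tag."""
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    return (bytes.fromhex(dst) + bytes.fromhex(src) + tag
            + struct.pack("!H", ethertype) + payload)

# Constructed capture from port 7: one broadcast tagged 3057, one untagged.
SAMPLE = [
    build("ffffffffffff", "020000000001", 0x0800, b"\x00" * 20, vlan=3057),
    build("ffffffffffff", "020000000002", 0x0800, b"\x00" * 20),
]

if __name__ == "__main__":
    for leak in leaked_frames(SAMPLE):
        print("unexpected tagged frame:", leak)
```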