VLAN On switch chip working only when torch active

Hello,

I configured a CRS 106-1C-5S for two fiber links; however, in the middle of the fiber link I have a client, for whom I used the Combo Port as a service port.

I made the configurations, OSPF works fine, the LAN IP answers outside the network, but the clients in the LAN network don't.

The link looks like this: a fiber link from another client comes in, and goes to headquarters.
draw.io file:
https://drive.google.com/file/d/1oFmNp-hiKlNguSurysnP-QhZ5q5IXLWO/view?usp=sharing

Communication with the CRS works fine, but I can't ping or communicate with clients in the Combo1 LAN; only the IP address of the gateway answers, also, can communicate with the internet.

However, when I use torch on SFP2 or Combo1, the ping answers and clients can navigate…

/interface ethernet
set [ find default-name=combo1 ] comment="Client 3005"
set [ find default-name=sfp1 ] comment="Client 3003"
set [ find default-name=sfp2 ] comment="HeadQuarters"
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=sfp1,sfp2 \
    forward-unknown-vlan=no unknown-vlan-lookup-mode=ivl
/interface ethernet switch egress-vlan-tag
add tagged-ports=sfp1,sfp2 vlan-id=3003
add tagged-ports=switch1-cpu,sfp2 vlan-id=3005
/interface ethernet switch vlan
add ports=sfp1,sfp2 vlan-id=3003
add ports=switch1-cpu,sfp2 vlan-id=3005

The configuration for the bridges is this:

/interface bridge
add name=loopback
add name=fiber-net
add name=local-net
/interface bridge port
add bridge=fiber-net interface=sfp1
add bridge=fiber-net interface=sfp2
add bridge=local-net interface=combo1

The IP addresses on the interfaces:

/ip address
add address=172.30.5.254/24 interface=local-net network=172.30.5.0
add address=10.29.5.253/30 interface=vlan3005-headquarters network=10.29.5.252
add address=172.25.29.5 interface=loopback network=172.25.29.5

When only torch allows traffic to pass between the combo port and the CPU, this means that the intended switch chip configuration doesn’t allow traffic to pass between these two ports.

Since I don’t have a CRS106 device, I’m only guessing: even if you’re trying to use the combo port as untagged, you still have to configure it as an access port of some VLAN and then pass it via the switch1-cpu port.

BTW, the config is sub-optimal: why use the bridge local-net if only the combo interface is a member port? It does add a slight overhead (compared to using the combo interface directly).
Any good reason to use a switch (CRS106 is a switch with routing functionality) as a router? You may want to pass 172.29.5.0/24 traffic (tagged with the appropriate VID) towards the core router and use the CRS106 in a pure switching config. This does come with drawbacks though, so you have to weigh both possibilities to see which one is “less bad”.

I added the interface to a bridge when I first faced the situation. I remembered something about access to the CPU being made only by bridges for some services, so I added the bridge. I tested without the “local-net” bridge before putting combo1 in.

I thought of using the combo port with a DHCP server and other services because some of the devices in the network have a behavior of losing DHCP and only taking an address back with a local reboot… I know that a fiber link is more stable than my current wireless links, but it's just a test also. I will try to concentrate the link services in the core router if that doesn’t work.
I also don’t need firewall rules in this setup because the core router does it.

The “modern version” of what you want to configure is to leave the switch setup alone, and configure one bridge with VLAN filtering and the proper VLANs and member ports.
That configuration will be “hardware accelerated”, resulting in the same handling as what you configure in switches, but it is the more supported way, so it will be easier to find information and resolve problems.

Not on CRS1xx.

Ok, I thought CRS devices were the first where this was fully implemented and the recommended configuration…
Apparently there still are exceptions.

It was … for the (then new) device generation, CRS3xx. Older CRS devices still have to be configured in the “legacy” way.