VLAN problem on CRS326-24S+2Q+

Good day, I’m having some issues using VLANs on this device. The scenario is like this:
2 x CRS326-24S+2Q+, bridge with VLANs enabled, trying to get vlan30 tagged between switches (uplink sfpplus24) and untagged on port sfpplus23.

/interface bridge print
Flags: X - disabled, R - running
0 R ;;; defconf
name="bridge" mtu=auto actual-mtu=1500 l2mtu=1584 arp=enabled
arp-timeout=auto mac-address=08:55:31:04:A6:71 protocol-mode=mstp
fast-forward=yes igmp-snooping=no auto-mac=yes ageing-time=5m
priority=0x8000 max-message-age=20s forward-delay=15s
transmit-hold-count=6 region-name="" region-revision=0 max-hops=20
vlan-filtering=yes ether-type=0x8100 pvid=1 frame-types=admit-all
ingress-filtering=no dhcp-snooping=no



/interface bridge vlan print
Flags: X - disabled, D - dynamic
#    BRIDGE    VLAN-IDS    CURRENT-TAGGED      CURRENT-UNTAGGED
0    bridge          30    sfpplus24_UPLINK    sfpplus23_DEVICE

sfpplus23_DEVICE has pvid 30.

/interface bridge port print
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload
 #     INTERFACE           BRIDGE    HW     PVID    PRIORITY    PATH-COST    INTERNAL-PATH-COST    HORIZON
30 H   ;;; defconf
       sfpplus23_DEVICE    bridge    yes      30    0x80               10                    10    none

Configuration is the same on both switches, uplink is up
UPLINK sfpplus24 between switches, SM fiber

/interface ethernet monitor sfpplus24_UPLINK
name: sfpplus24_UPLINK
status: link-ok
auto-negotiation: done
rate: 10Gbps
full-duplex: yes
tx-flow-control: no
rx-flow-control: no
advertising:
link-partner-advertising:
sfp-module-present: yes
sfp-rx-loss: no
sfp-tx-fault: no
sfp-type: SFP-or-SFP+
sfp-connector-type: LC
sfp-link-length-sm: 10km
sfp-vendor-name: Mikrotik
sfp-vendor-part-number: S+23LC10D
sfp-vendor-revision: A
sfp-vendor-serial: STST23183600169
sfp-manufacturing-date: 18-09-15
sfp-wavelength: 1270nm
sfp-temperature: 43C
sfp-supply-voltage: 3.302V
sfp-tx-bias-current: 35mA
sfp-tx-power: 1.518dBm
sfp-rx-power: -0.175dBm
eeprom-checksum: good
eeprom: 0000: 03 04 07 20 00 00 00 12 00 01 80 06 67 00 0a 64 … … …g..d
0010: 00 00 00 00 4d 69 6b 72 6f 74 69 6b 20 20 20 20 …Mikr otik
0020: 20 20 20 20 00 00 00 00 53 2b 32 33 4c 43 31 30 … S+23LC10

Device sfpplus23, RJ45 10GB module

interface ethernet monitor sfpplus23_DEVICE
name: sfpplus23_DEVICE
status: link-ok
auto-negotiation: done
rate: 10Gbps
full-duplex: yes
tx-flow-control: no
rx-flow-control: no
advertising: 10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,2500M-full,5000M-full,10000M-full
link-partner-advertising: 1000M-full,10000M-full
sfp-module-present: yes
sfp-rx-loss: no
sfp-tx-fault: no
sfp-type: SFP-or-SFP+
sfp-connector-type: RJ45
sfp-link-length-copper-active-om4: 1m
sfp-vendor-name: MikroTik
sfp-vendor-part-number: S+RJ10
sfp-vendor-revision: 2.16
sfp-vendor-serial: AF9403E2B711
sfp-manufacturing-date: 20-04-07
sfp-temperature: 66C
sfp-supply-voltage: 3.305V
sfp-tx-bias-current: 0mA
eeprom-checksum: good
eeprom: 0000: 03 04 22 00 00 00 00 00 08 00 00 06 67 00 00 00 .."… …g…
0010: 00 00 01 00 4d 69 6b 72 6f 54 69 6b 20 20 20 20 …Mikr oTik
0020: 20 20 20 20 00 00 40 20 53 2b 52 4a 31 30 20 20 ..@ S+RJ10
0030: 20 20 20 20 20 20 20 20 32 2e 31 36 05 00 00 b0 2.16…

On one device the IP is 10.10.100.1/25, on the other one 10.10.100.2/25, and I just can’t get a ping between them. The only way it works is tagging the sfpplus23_DEVICE with vlan30, but this works because of the default VLAN, I think, since I don’t have any VLAN enabled on any device.
I had installed the latest stable 6.48.1 and now 6.49beta11, same result on both versions.

You forgot to post the configuration exports from both devices, but here’s my wild guess until you fix that: you mention “vlan 30” and “ping between devices”, which hints that you have an /interface vlan row with vlan-id=30 interface=bridge and the IP address 10.10.100.x/25 is attached to this VLAN interface. If this is the case, you have to add bridge to the tagged list on the /interface bridge vlan row for vlan-ids=30. Details here.

Thank you for your time. Well, the config is the same on the other CRS326-24S+2Q+ switch: same port naming, same bridge config, same VLAN.
For the bridge tagged part, I think you are referring to this?

/interface bridge vlan print
Flags: X - disabled, D - dynamic
#    BRIDGE    VLAN-IDS    CURRENT-TAGGED      CURRENT-UNTAGGED
0    bridge          30    sfpplus24_UPLINK    sfpplus23_DEVICE

For now I’ve changed the tagged ports to ‘ingress filtering’ and ‘allow only tagged’; no difference, same behaviour.
Currently I’m using MSTP on the bridge. One strange thing is that if I change it to RSTP, then it works: I can ping from 1 device to another for a while, and then it stops working again.

Yes, I was referring to the /interface bridge vlan configuration, but you haven’t answered my indirect question, so I repeat it directly:
Are the IP addresses 10.10.100.x assigned to VLAN interfaces with vlan-id=30?
If yes, the output of /interface bridge vlan print has to read

#    BRIDGE    VLAN-IDS    CURRENT-TAGGED    CURRENT-UNTAGGED
0    bridge          30    bridge            sfpplus23_DEVICE
                           sfpplus24_UPLINK

But as said, it is only guessing, maybe the issue is somewhere else in your configuration, as the effect of the switchover from MSTP to RSTP suggests.

The issue is usually where you don’t expect it, so when describing the configuration, you don’t mention what you think is not relevant. That’s why posting the export of the configuration is a much faster way to get useful help.

Setting ingress-filtering to yes just adds complexity to the setup, so first make it work with ingress-filtering=no and only then experiment with yes.

sfpplus23_DEVICE is an untagged port with pvid 30. On this port I have a device (Linux box) connected with IP 10.10.100.1 on one switch, and on the second switch another Linux box with IP 10.10.100.2.
Currently I have disabled STP on the bridge (on both switches) and now I can ping between the Linux boxes. Strange...

OK, so as none of the IP addresses in question is assigned to any of the CRS, there is no need to have the VLAN enabled on the internal port of the bridge, and the issue is a pure L2 one.

So when MSTP is on, what does /interface bridge port monitor [find where interface~"sfpplus2[34]"] show at each CRS?

And if you set hw=no on the ports in question (only do that if there is no live traffic on the trunk between the switches as the CPU might not cope with it!) using /interface bridge port set [find where interface~"sfpplus2[34]"] hw=no, does it change anything?