VLAN problem with CRS112-8P-4S

Hi all,

We have a problem with all the CRS112 in our network.
They generally work but, sometimes, they stop forwarding all VLANs and we have to reboot them.
Can it be an MTU problem? MTU is set to 1500 and L2 MTU to 1588.

I post the config here; VLAN 255 is for management, the other VLANs are for users:

#RouterOS 6.44.5
# software id = PK4Y-FSHB
#
# model = CRS112-8P-4S

/interface bridge
add name=bridge1 protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] poe-out=off
set [ find default-name=ether2 ] poe-out=off
set [ find default-name=ether3 ] poe-out=forced-on
set [ find default-name=ether4 ] poe-out=forced-on
set [ find default-name=ether5 ] poe-out=forced-on
set [ find default-name=ether6 ] poe-out=off
set [ find default-name=ether7 ] poe-out=forced-on
set [ find default-name=ether8 ] poe-out=forced-on
/interface vlan
add interface=bridge1 name=vlan255 vlan-id=255
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=\
    ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8 \
    forward-unknown-vlan=no

/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
/interface ethernet switch egress-vlan-tag
add tagged-ports=\
    switch1-cpu,ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8 \
    vlan-id=255
/interface ethernet switch vlan
add ports=switch1-cpu,ether1,ether2,ether3,ether4,ether5,ether6,ether8 \
    vlan-id=255
add ports=switch1-cpu,ether1,ether2 vlan-id=29
add ports=switch1-cpu,ether1,ether2 vlan-id=30
add ports=switch1-cpu,ether1,ether2 vlan-id=31
add ports=switch1-cpu,ether2,ether7 vlan-id=32
add ports=switch1-cpu,ether1,ether2 vlan-id=33
add ports=switch1-cpu,ether5,ether7 vlan-id=34
add ports=switch1-cpu,ether3,ether7 vlan-id=35
add ports=switch1-cpu,ether1,ether2 vlan-id=38
add ports=switch1-cpu,ether1,ether2 vlan-id=45
add ports=switch1-cpu,ether1,ether2 vlan-id=46
add ports=switch1-cpu,ether1,ether2 vlan-id=47
add ports=switch1-cpu,ether1,ether2 vlan-id=48
add ports=switch1-cpu,ether1,ether2 vlan-id=55
add ports=switch1-cpu,ether1,ether2 vlan-id=56
add ports=switch1-cpu,ether1,ether2 vlan-id=60
add ports=switch1-cpu,ether1,ether2 vlan-id=61
add ports=switch1-cpu,ether1,ether2 vlan-id=83
add ports=switch1-cpu,ether1,ether2 vlan-id=84
add ports=switch1-cpu,ether1,ether2 vlan-id=94
add ports=switch1-cpu,ether1,ether2 vlan-id=121
add ports=switch1-cpu,ether1,ether2 vlan-id=126
add ports=switch1-cpu,ether1,ether2 vlan-id=127
add ports=switch1-cpu,ether1,ether2 vlan-id=128
add ports=switch1-cpu,ether1,ether2 vlan-id=129
add ports=switch1-cpu,ether1,ether2 vlan-id=132
add ports=switch1-cpu,ether4,ether7 vlan-id=133
add ports=switch1-cpu,ether1,ether2 vlan-id=136
add ports=switch1-cpu,ether1,ether2 vlan-id=137
add ports=switch1-cpu,ether1,ether2 vlan-id=139
add ports=switch1-cpu,ether1,ether2 vlan-id=140
add ports=switch1-cpu,ether1,ether2 vlan-id=141
add ports=switch1-cpu,ether1,ether2 vlan-id=142
add ports=switch1-cpu,ether1,ether2 vlan-id=168
add ports=switch1-cpu,ether6,ether7 vlan-id=180
add ports=switch1-cpu,ether1,ether2 vlan-id=197
add ports=switch1-cpu,ether1,ether2 vlan-id=198
add ports=switch1-cpu,ether1,ether2 vlan-id=202
add ports=switch1-cpu,ether4,ether7 vlan-id=223

/ip address
add address=172.16.4.2/22 interface=vlan255 network=172.16.4.0
/ip route
add distance=1 gateway=172.16.4.1
/snmp
set enabled=yes

Thank you in advance for sharing your experience

I hope none of the CRS112 have public access, because some bugs are present on 6.44.5…
I suggest you update all of them to at least 6.46.8,
but this is another question.


Is the absence of ether7 desired?
/interface ethernet switch vlan
add ports=switch1-cpu,ether1,ether2,ether3,ether4,ether5,ether6,???,ether8 vlan-id=255

Is the absence of vlan-filtering=yes desired?
/interface bridge
add name=bridge1 protocol-mode=none ???

They are not exposed and under firewall but yes, they will be updated soon.

Yes, the VLAN cannot be propagated on port 7.

No, this is the default configuration. The manual does not say anything about it on CRS1xx:
https://wiki.mikrotik.com/wiki/Manual:CRS1xx/2xx_VLANs_with_Trunks

I hope someone can find the problem better than me,
I do not find anything strange.
Probably some bug in the software?

I ask about ether7 because it is considered here:
/interface ethernet switch egress-vlan-tag
add tagged-ports=switch1-cpu,ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8 vlan-id=255

Ah, I forgot:
L2MTU must be at least 1500 (standard Ethernet packet) + 4 (VLAN tag) = 1504

Thank you, I changed the configuration, let's see if this can bring us to the solution.

Default L2MTU is 1588 so it should be fine.
There are a lot of VLANs going into the switch1-cpu. That might cause much broadcast/multicast to reach the CPU. I only include switch1-cpu in VLAN1 and VLAN-MGMT.
I don’t see any ingress tagging? Not used?

Example from mine:

/interface ethernet switch egress-vlan-tag
add tagged-ports=switch1-cpu,ether1 vlan-id=39
add tagged-ports=ether1 vlan-id=31

/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=31 ports=ether5
add customer-vid=0 new-customer-vid=31 ports=ether6
add customer-vid=0 new-customer-vid=31 ports=ether7

/interface ethernet switch vlan
add comment=LAN ports=ether1,ether5,ether6,ether7 vlan-id=31
add comment=Management ports=switch1-cpu,ether1 vlan-id=39

As @mada3k wrote: remove switch1-cpu from all VLAN port groups under /interface ethernet switch vlan except for VLAN 255. That’s only necessary for VLANs with which ROS interacts, and it interacts through the appropriate vlan interface. Admitting other VLANs to the CPU only allows broadcasts to flood the CPU.

Also upgrade ROS to latest long-term (at time of writing this post it’s 6.47.10).

MTU setting on ports doesn’t matter at all, only L2MTU matters. The only place where the MTU setting matters is on the interface which has an IP address set, and it sets the maximum packet size which can be dealt with by ROS when using that interface (in your case that’s interface vlan255).

And: when dealing with VLANs using /interface ethernet switch configuration subtree one should not set anything related to VLANs on bridge. While mixing settings is not rejected by ROS they interfere with each other.
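
An added example, not written by any poster in this thread: a Python check over a RouterOS export that lists the VLANs still admitting switch1-cpu besides the management VLAN, and the ports that are egress-tagged for a VLAN without being members of it (the ether7 question raised earlier). The sample export is a shortened excerpt of the config posted above, with VLAN 133 altered to show an entry without the CPU port; the function names are this example's own.

```python
import re

MGMT_VLAN = 255  # management VLAN in this thread; adjust for your network

# Constructed sample: shortened excerpt of the export posted above
# (VLAN 133 altered here so one entry has no CPU port).
SAMPLE_EXPORT = r"""
/interface ethernet switch egress-vlan-tag
add tagged-ports=\
    switch1-cpu,ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8 \
    vlan-id=255
/interface ethernet switch vlan
add ports=switch1-cpu,ether1,ether2,ether3,ether4,ether5,ether6,ether8 \
    vlan-id=255
add ports=switch1-cpu,ether1,ether2 vlan-id=29
add ports=switch1-cpu,ether2,ether7 vlan-id=32
add ports=ether4,ether7 vlan-id=133
"""

def parse_export(text):
    """Return {menu_path: {vlan_id: set(ports)}} for 'add' lines in the export."""
    text = re.sub(r"\\\s*\n\s*", "", text)  # join '\' line continuations
    tables, menu = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line  # remember the current menu path
        elif line.startswith("add ") and menu:
            kv = dict(re.findall(r"([\w-]+)=(\S+)", line))
            ports = kv.get("ports") or kv.get("tagged-ports")
            if ports and "vlan-id" in kv:
                tables.setdefault(menu, {})[int(kv["vlan-id"])] = set(ports.split(","))
    return tables

def audit(text, mgmt_vlan=MGMT_VLAN):
    """Return (non-management VLANs reaching the CPU, egress-tag/member mismatches)."""
    tables = parse_export(text)
    members = tables.get("/interface ethernet switch vlan", {})
    tagged = tables.get("/interface ethernet switch egress-vlan-tag", {})
    cpu_vlans = sorted(v for v, ports in members.items()
                       if "switch1-cpu" in ports and v != mgmt_vlan)
    mismatches = {v: sorted(ports - members.get(v, set()))
                  for v, ports in tagged.items() if ports - members.get(v, set())}
    return cpu_vlans, mismatches

if __name__ == "__main__":
    cpu_vlans, mismatches = audit(SAMPLE_EXPORT)
    print("VLANs reaching switch1-cpu besides management:", cpu_vlans)
    print("Ports egress-tagged but not VLAN members:", mismatches)
```

Run it against the full output of /export to get the complete list of VLAN entries to edit.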

I try to leave only VLAN 255 under the switch1-cpu.

no need to tag/untag on this device, only trunk ports.

Thank you dude, your help is very useful

Mmh, when VLANs don’t work and I need to reboot the switch, the only available interface is the upstream one, I cannot figure out why and how. Maybe this should be related with MTU/L2MTU

the IP address is set on the VLAN, so I must set VLAN 255 under the bridge, in order to assign the IP address.

The vlan225 bridge interface looks correct to me