VRRP with VLANs and redundant topology

mbrgen · September 15, 2024, 12:42pm

I have a topology with 2 routers (MT-CHR-1 and MT-CHR-3) that have VLAN interfaces and VRRP on top of them.
the problem is when one of the interfaces being used for VRRP connection tracking is apparently being blocked by STP and consequently VRRP interfaces on both routers are being in running&master state. The other issue is that MT-CHR-3 is unable to reach any host under 192.168.30.0/24 subnet (in the example 192.168.30.200 vlan host), so cannot reach VLAN. can anyone help me to figure out how to resolve this?

an approximate topology (excuse me for my drawing skills):

MT-CHR-3 /export:

[admin@MT-CHR-3] > /export
# 2024-09-15 11:27:45 by RouterOS 7.15.3
# software id =
#
/disk
set slot1 media-interface=none media-sharing=no slot=slot1
set slot2 media-interface=none media-sharing=no slot=slot2
set slot3 media-interface=none media-sharing=no slot=slot3
set slot4 media-interface=none media-sharing=no slot=slot4
set slot5 media-interface=none media-sharing=no slot=slot5
set slot6 media-interface=none media-sharing=no slot=slot6
set slot7 media-interface=none media-sharing=no slot=slot7
set slot8 media-interface=none media-sharing=no slot=slot8
set slot9 media-interface=none media-sharing=no slot=slot9
set slot10 media-interface=none media-sharing=no slot=slot10
set slot11 media-interface=none media-sharing=no slot=slot11
/interface bridge
add name=vlan-br-1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
set [ find default-name=ether2 ] disable-running-check=no
set [ find default-name=ether3 ] disable-running-check=no
set [ find default-name=ether4 ] disable-running-check=no
set [ find default-name=ether5 ] disable-running-check=no
set [ find default-name=ether6 ] disable-running-check=no
set [ find default-name=ether7 ] disable-running-check=no
set [ find default-name=ether8 ] disable-running-check=no
/interface vlan
add interface=vlan-br-1 name=vlan-20 vlan-id=20
add interface=vlan-br-1 name=vlan-30 vlan-id=30
/interface vrrp
add interface=vlan-20 name=vrrp-b-20 priority=190 vrid=20
add interface=vlan-30 name=vrrp-b-30 priority=190 vrid=30
/ip pool
add name=vlan-20-pool ranges=192.168.20.100-192.168.20.200
add name=vlan-30-pool ranges=192.168.30.100-192.168.30.200
/port
set 0 name=serial0
/routing ospf instance
add disabled=no name=ospfv2-inst router-id=1.0.0.3
/routing ospf area
add disabled=no instance=ospfv2-inst name=ospfv2-a0
/interface bridge port
add bridge=vlan-br-1 interface=ether2
add bridge=vlan-br-1 interface=ether3
add bridge=vlan-br-1 interface=ether7 pvid=30
add bridge=vlan-br-1 interface=ether8 pvid=20
/interface bridge vlan
add bridge=vlan-br-1 tagged=vlan-br-1,ether2,ether3 untagged=ether8 vlan-ids=20
add bridge=vlan-br-1 tagged=vlan-br-1,ether2,ether3 untagged=ether7 vlan-ids=30
/ip address
add address=10.1.4.2/24 interface=ether2 network=10.1.4.0
add address=10.1.3.2/24 interface=ether3 network=10.1.3.0
add address=192.168.20.2/24 interface=vlan-20 network=192.168.20.0
add address=192.168.30.2/24 interface=vlan-30 network=192.168.30.0
add address=192.168.20.3 interface=vrrp-b-20 network=192.168.20.3
add address=192.168.30.3 interface=vrrp-b-30 network=192.168.30.3
/ip dhcp-server
add address-pool=vlan-20-pool interface=vlan-20 name=dhcp1
add address-pool=vlan-30-pool interface=vlan-30 name=dhcp2
/ip dhcp-server network
add address=192.168.20.0/24 dns-server=192.168.20.3 gateway=192.168.20.3
add address=192.168.30.0/24 dns-server=192.168.30.3 gateway=192.168.30.3
/ip firewall nat
add action=masquerade chain=srcnat out-interface=vlan-br-1
/ip route
add distance=10 dst-address=0.0.0.0/0 gateway=10.1.3.1
add distance=20 dst-address=0.0.0.0/0 gateway=10.1.4.1
/routing ospf interface-template
add area=ospfv2-a0 disabled=no networks=10.1.4.0/24
add area=ospfv2-a0 disabled=no networks=10.1.3.0/24
/system console screen
set blank-interval=never line-count=40
/system identity
set name=MT-CHR-3
/system note
set show-at-login=no

MT-CHR-3 info:

[admin@MT-CHR-3] > ping 192.168.20.1
  SEQ HOST                                     SIZE TTL TIME       STATUS
    0 192.168.20.1                               56  64 416us
    1 192.168.20.1                               56  64 790us
    2 192.168.20.1                               56  64 852us
    sent=3 received=3 packet-loss=0% min-rtt=416us avg-rtt=686us max-rtt=852us

[admin@MT-CHR-3] > ping 192.168.30.1
  SEQ HOST                                     SIZE TTL TIME       STATUS
    0 192.168.30.1                                                 timeout
    1 192.168.30.1                                                 timeout
    2 192.168.30.1                                                 timeout
    3 192.168.30.2                               84  64 145ms371us host unreachable
    sent=4 received=0 packet-loss=100%

[admin@MT-CHR-3] > ping 192.168.30.200
  SEQ HOST                                     SIZE TTL TIME       STATUS
    0 192.168.30.200                                               timeout
    1 192.168.30.200                                               timeout
    sent=2 received=0 packet-loss=100%


[admin@MT-CHR-3] > /interface/vrrp/print detail
Flags: X - disabled; I - invalid; G - grp-authority, g - grp-member; R - running; M - master, B - backup, F - failure
 0     B name="vrrp-b-20" mtu=1500 mac-address=00:00:5E:00:01:14 arp=enabled arp-timeout=auto interface=vlan-20 group-authority="" vrid=20
         priority=190 interval=1s preemption-mode=yes authentication=none password="" on-backup="" on-master="" on-fail="" version=3
         v3-protocol=ipv4 sync-connection-tracking=no

 1    RM name="vrrp-b-30" mtu=1500 mac-address=00:00:5E:00:01:1E arp=enabled arp-timeout=auto interface=vlan-30 group-authority="" vrid=30
         priority=190 interval=1s preemption-mode=yes authentication=none password="" on-backup="" on-master="" on-fail="" version=3
         v3-protocol=ipv4 sync-connection-tracking=no
         
         
[admin@MT-CHR-3] > /interface/print detail
Flags: D - dynamic; X - disabled; I - inactive, R - running; S - slave; P - passthrough
 0       name="ether1" default-name="ether1" type="ether" mtu=1500 actual-mtu=1500 mac-address=0C:F8:94:94:00:00 link-downs=0

 1   RS  name="ether2" default-name="ether2" type="ether" mtu=1500 actual-mtu=1500 mac-address=0C:F8:94:94:00:01
         last-link-up-time=2024-09-15 06:32:48 link-downs=0

 2   RS  name="ether3" default-name="ether3" type="ether" mtu=1500 actual-mtu=1500 mac-address=0C:F8:94:94:00:02
         last-link-up-time=2024-09-15 06:32:48 link-downs=0

 3       name="ether4" default-name="ether4" type="ether" mtu=1500 actual-mtu=1500 mac-address=0C:F8:94:94:00:03 link-downs=0

 4       name="ether5" default-name="ether5" type="ether" mtu=1500 actual-mtu=1500 mac-address=0C:F8:94:94:00:04
         last-link-down-time=2024-09-15 09:21:58 last-link-up-time=2024-09-15 06:32:48 link-downs=1

 5       name="ether6" default-name="ether6" type="ether" mtu=1500 actual-mtu=1500 mac-address=0C:F8:94:94:00:05
         last-link-down-time=2024-09-15 09:21:57 last-link-up-time=2024-09-15 06:32:48 link-downs=1

 6   RS  name="ether7" default-name="ether7" type="ether" mtu=1500 actual-mtu=1500 mac-address=0C:F8:94:94:00:06
         last-link-up-time=2024-09-15 06:32:48 link-downs=0

 7   RS  name="ether8" default-name="ether8" type="ether" mtu=1500 actual-mtu=1500 mac-address=0C:F8:94:94:00:07
         last-link-up-time=2024-09-15 06:32:48 link-downs=0

 8   R   name="lo" type="loopback" mtu=65536 actual-mtu=65536 mac-address=00:00:00:00:00:00 last-link-up-time=2024-09-15 06:32:38 link-downs=0

 9   R   name="vlan-20" type="vlan" mtu=1500 actual-mtu=1500 l2mtu=65531 mac-address=0C:F8:94:94:00:01 last-link-up-time=2024-09-15 06:32:39
         link-downs=0

10   R   name="vlan-30" type="vlan" mtu=1500 actual-mtu=1500 l2mtu=65531 mac-address=0C:F8:94:94:00:01 last-link-up-time=2024-09-15 06:32:39
         link-downs=0

11   R   name="vlan-br-1" type="bridge" mtu=auto actual-mtu=1500 l2mtu=65535 mac-address=0C:F8:94:94:00:01 last-link-up-time=2024-09-15 06:32:39
         link-downs=0

12       name="vrrp-b-20" type="vrrp" mtu=1500 actual-mtu=1500 l2mtu=65531 mac-address=00:00:5E:00:01:14 last-link-down-time=2024-09-15 06:56:04
         last-link-up-time=2024-09-15 06:56:04 link-downs=5

13   R   name="vrrp-b-30" type="vrrp" mtu=1500 actual-mtu=1500 l2mtu=65531 mac-address=00:00:5E:00:01:1E last-link-down-time=2024-09-15 06:56:00
         last-link-up-time=2024-09-15 06:56:00 link-downs=6
         
         
[admin@MT-CHR-3] > /ip/address/print detail
Flags: X - disabled, I - invalid, D - dynamic
 0   address=10.1.4.2/24 network=10.1.4.0 interface=ether2 actual-interface=vlan-br-1

 1   address=10.1.3.2/24 network=10.1.3.0 interface=ether3 actual-interface=vlan-br-1

 2   address=192.168.20.2/24 network=192.168.20.0 interface=vlan-20 actual-interface=vlan-20

 3   address=192.168.30.2/24 network=192.168.30.0 interface=vlan-30 actual-interface=vlan-30

 4 I address=192.168.20.3/32 network=192.168.20.3 interface=vrrp-b-20 actual-interface=vrrp-b-20

 5   address=192.168.30.3/32 network=192.168.30.3 interface=vrrp-b-30 actual-interface=vrrp-b-30
 
 
[admin@MT-CHR-3] > /interface/bridge/monitor vlan-br-1 once
                  state: enabled
    current-mac-address: 0C:F8:94:94:00:01
            root-bridge: no
         root-bridge-id: 0x8000.0C:BF:64:AC:00:00
         root-path-cost: 20000
              root-port: ether8
             port-count: 4
  designated-port-count: 2
           fast-forward: no
           
           
[admin@MT-CHR-3] > /interface/bridge/print detail
Flags: X - disabled, R - running
 0 R name="vlan-br-1" mtu=auto actual-mtu=1500 l2mtu=65535 arp=enabled arp-timeout=auto mac-address=0C:F8:94:94:00:01 protocol-mode=rstp
     fast-forward=yes igmp-snooping=no auto-mac=yes ageing-time=5m priority=0x8000 max-message-age=20s forward-delay=15s transmit-hold-count=6
     vlan-filtering=yes ether-type=0x8100 pvid=1 frame-types=admit-all ingress-filtering=yes dhcp-snooping=no port-cost-mode=long mvrp=no
     
     
[admin@MT-CHR-3] > /interface/bridge/port/print detail
Flags: X - disabled, I - inactive; D - dynamic; H - hw-offload
 0     interface=ether2 bridge=vlan-br-1 priority=0x80 edge=auto point-to-point=auto learn=auto horizon=none hw=yes auto-isolate=no
       restricted-role=no restricted-tcn=no pvid=1 frame-types=admit-all ingress-filtering=yes unknown-unicast-flood=yes
       unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no mvrp-registrar-state=normal
       mvrp-applicant-state=normal-participant multicast-router=temporary-query fast-leave=no

 1     interface=ether3 bridge=vlan-br-1 priority=0x80 edge=auto point-to-point=auto learn=auto horizon=none hw=yes auto-isolate=no
       restricted-role=no restricted-tcn=no pvid=1 frame-types=admit-all ingress-filtering=yes unknown-unicast-flood=yes
       unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no mvrp-registrar-state=normal
       mvrp-applicant-state=normal-participant multicast-router=temporary-query fast-leave=no

 2     interface=ether7 bridge=vlan-br-1 priority=0x80 edge=auto point-to-point=auto learn=auto horizon=none hw=yes auto-isolate=no
       restricted-role=no restricted-tcn=no pvid=30 frame-types=admit-all ingress-filtering=yes unknown-unicast-flood=yes
       unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no mvrp-registrar-state=normal
       mvrp-applicant-state=normal-participant multicast-router=temporary-query fast-leave=no

 3     interface=ether8 bridge=vlan-br-1 priority=0x80 edge=auto point-to-point=auto learn=auto horizon=none hw=yes auto-isolate=no
       restricted-role=no restricted-tcn=no pvid=20 frame-types=admit-all ingress-filtering=yes unknown-unicast-flood=yes
       unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no mvrp-registrar-state=normal
       mvrp-applicant-state=normal-participant multicast-router=temporary-query fast-leave=no
       
       
[admin@MT-CHR-3] > /interface/vlan/print detail
Flags: X - disabled, R - running
 0 R name="vlan-20" mtu=1500 l2mtu=65531 mac-address=0C:F8:94:94:00:01 arp=enabled arp-timeout=auto loop-protect=default loop-protect-status=off
     loop-protect-send-interval=5s loop-protect-disable-time=5m vlan-id=20 interface=vlan-br-1 use-service-tag=no mvrp=no

 1 R name="vlan-30" mtu=1500 l2mtu=65531 mac-address=0C:F8:94:94:00:01 arp=enabled arp-timeout=auto loop-protect=default loop-protect-status=off
     loop-protect-send-interval=5s loop-protect-disable-time=5m vlan-id=30 interface=vlan-br-1 use-service-tag=no mvrp=no
     
     
[admin@MT-CHR-3] > /interface/bridge/vlan/print detail
Flags: X - disabled, D - dynamic
 0   bridge=vlan-br-1 vlan-ids=20 tagged=vlan-br-1,ether2,ether3 untagged=ether8 mvrp-forbidden="" current-tagged=vlan-br-1,ether2,ether3
     current-untagged=ether8

 1   bridge=vlan-br-1 vlan-ids=30 tagged=vlan-br-1,ether2,ether3 untagged=ether7 mvrp-forbidden="" current-tagged=vlan-br-1,ether2,ether3
     current-untagged=ether7

 2 D bridge=vlan-br-1 vlan-ids=1 tagged="" untagged=vlan-br-1,ether2,ether3 mvrp-forbidden="" current-tagged=""
     current-untagged=vlan-br-1,ether2,ether3

MT-CHR-1 /export:

[admin@MT-CHR-1] > /export
# 2024-09-15 11:30:26 by RouterOS 7.15.3
# software id =
#
/disk
set slot1 media-interface=none media-sharing=no slot=slot1
set slot2 media-interface=none media-sharing=no slot=slot2
set slot3 media-interface=none media-sharing=no slot=slot3
set slot4 media-interface=none media-sharing=no slot=slot4
set slot5 media-interface=none media-sharing=no slot=slot5
set slot6 media-interface=none media-sharing=no slot=slot6
set slot7 media-interface=none media-sharing=no slot=slot7
set slot8 media-interface=none media-sharing=no slot=slot8
set slot9 media-interface=none media-sharing=no slot=slot9
set slot10 media-interface=none media-sharing=no slot=slot10
set slot11 media-interface=none media-sharing=no slot=slot11
set slot12 media-interface=none media-sharing=no slot=slot12
/interface bridge
add name=vlan-br-1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
set [ find default-name=ether2 ] disable-running-check=no
set [ find default-name=ether3 ] disable-running-check=no
set [ find default-name=ether4 ] disable-running-check=no
set [ find default-name=ether5 ] disable-running-check=no
set [ find default-name=ether6 ] disable-running-check=no
set [ find default-name=ether7 ] disable-running-check=no
set [ find default-name=ether8 ] disable-running-check=no
/interface vlan
add interface=vlan-br-1 name=vlan-20 vlan-id=20
add interface=vlan-br-1 name=vlan-30 vlan-id=30
/interface vrrp
add interface=vlan-20 name=vrrp-m-20 priority=200 vrid=20
add interface=vlan-30 name=vrrp-m-30 priority=200 vrid=30
/ip pool
add name=vlan-20-pool ranges=192.168.20.100-192.168.20.200
add name=vlan-30-pool ranges=192.168.30.100-192.168.30.200
/ip dhcp-server
add address-pool=vlan-20-pool interface=vlan-20 name=vlan-20-dhcp
add address-pool=vlan-30-pool interface=vlan-30 name=vlan-30-dhcp
/port
set 0 name=serial0
/routing ospf instance
add disabled=no name=ospfv2-inst router-id=1.0.0.1
/routing ospf area
add disabled=no instance=ospfv2-inst name=ospfv2-a0
/interface bridge port
add bridge=vlan-br-1 interface=ether3
add bridge=vlan-br-1 interface=ether1
add bridge=vlan-br-1 interface=ether7 pvid=20
add bridge=vlan-br-1 interface=ether8 pvid=30
/interface bridge vlan
add bridge=vlan-br-1 tagged=vlan-br-1,ether3,ether1 untagged=ether7 vlan-ids=20
add bridge=vlan-br-1 tagged=vlan-br-1,ether3,ether1 untagged=ether8 vlan-ids=30
/ip address
add address=10.1.2.2/24 interface=ether1 network=10.1.2.0
add address=10.1.1.2/24 interface=ether3 network=10.1.1.0
add address=192.168.20.1/24 interface=vlan-20 network=192.168.20.0
add address=192.168.30.1/24 interface=vlan-30 network=192.168.30.0
add address=192.168.20.3 interface=vrrp-m-20 network=192.168.20.3
add address=192.168.30.3 interface=vrrp-m-30 network=192.168.30.3
/ip dhcp-server network
add address=192.168.20.0/24 dns-server=192.168.20.3 gateway=192.168.20.3
add address=192.168.30.0/24 dns-server=192.168.30.3 gateway=192.168.30.3
/ip firewall nat
add action=masquerade chain=srcnat out-interface=vlan-br-1
/ip route
add distance=10 dst-address=0.0.0.0/0 gateway=10.1.1.1
add distance=20 dst-address=0.0.0.0/0 gateway=10.1.2.1
/routing ospf interface-template
add area=ospfv2-a0 disabled=no networks=10.1.2.0/24
add area=ospfv2-a0 disabled=no networks=10.1.1.0/24
/system console screen
set blank-interval=never line-count=40
/system identity
set name=MT-CHR-1
/system note
set show-at-login=no

MT-CHR-1 info:

[admin@MT-CHR-1] > ping 192.168.20.2
  SEQ HOST                                     SIZE TTL TIME       STATUS
    0 192.168.20.2                               56  64 897us
    1 192.168.20.2                               56  64 785us
    2 192.168.20.2                               56  64 811us
    sent=3 received=3 packet-loss=0% min-rtt=785us avg-rtt=831us max-rtt=897us

[admin@MT-CHR-1] > ping 192.168.30.2
  SEQ HOST                                     SIZE TTL TIME       STATUS
    0 192.168.30.2                                                 timeout
    1 192.168.30.2                                                 timeout
    2 192.168.30.2                                                 timeout
    3 192.168.30.1                               84  64 149ms793us host unreachable
    sent=4 received=0 packet-loss=100%

[admin@MT-CHR-1] > ping 192.168.30.200
  SEQ HOST                                     SIZE TTL TIME       STATUS
    0 192.168.30.200                             56  64 463us
    1 192.168.30.200                             56  64 799us
    2 192.168.30.200                             56  64 682us
    sent=3 received=3 packet-loss=0% min-rtt=463us avg-rtt=648us max-rtt=799us


[admin@MT-CHR-1] > /interface/vrrp/print detail
Flags: X - disabled; I - invalid; G - grp-authority, g - grp-member; R - running; M - master, B - backup, F - failure
 0    RM name="vrrp-m-20" mtu=1500 mac-address=00:00:5E:00:01:14 arp=enabled arp-timeout=auto interface=vlan-20 group-authority="" vrid=20
         priority=200 interval=1s preemption-mode=yes authentication=none password="" on-backup="" on-master="" on-fail="" version=3
         v3-protocol=ipv4 sync-connection-tracking=no

 1    RM name="vrrp-m-30" mtu=1500 mac-address=00:00:5E:00:01:1E arp=enabled arp-timeout=auto interface=vlan-30 group-authority="" vrid=30
         priority=200 interval=1s preemption-mode=yes authentication=none password="" on-backup="" on-master="" on-fail="" version=3
         v3-protocol=ipv4 sync-connection-tracking=no
         
         
[admin@MT-CHR-1] > /interface/print detail
Flags: D - dynamic; X - disabled; I - inactive, R - running; S - slave; P - passthrough
 0   RS  name="ether1" default-name="ether1" type="ether" mtu=1500 actual-mtu=1500 mac-address=0C:BF:64:AC:00:00
         last-link-up-time=2024-09-15 06:32:48 link-downs=0

 1       name="ether2" default-name="ether2" type="ether" mtu=1500 actual-mtu=1500 mac-address=0C:BF:64:AC:00:01 link-downs=0

 2   RS  name="ether3" default-name="ether3" type="ether" mtu=1500 actual-mtu=1500 mac-address=0C:BF:64:AC:00:02
         last-link-up-time=2024-09-15 06:32:48 link-downs=0

 3       name="ether4" default-name="ether4" type="ether" mtu=1500 actual-mtu=1500 mac-address=0C:BF:64:AC:00:03 link-downs=0

 4       name="ether5" default-name="ether5" type="ether" mtu=1500 actual-mtu=1500 mac-address=0C:BF:64:AC:00:04
         last-link-down-time=2024-09-15 09:21:58 last-link-up-time=2024-09-15 06:32:48 link-downs=1

 5       name="ether6" default-name="ether6" type="ether" mtu=1500 actual-mtu=1500 mac-address=0C:BF:64:AC:00:05
         last-link-down-time=2024-09-15 09:21:56 last-link-up-time=2024-09-15 06:32:48 link-downs=1

 6   RS  name="ether7" default-name="ether7" type="ether" mtu=1500 actual-mtu=1500 mac-address=0C:BF:64:AC:00:06
         last-link-up-time=2024-09-15 06:32:48 link-downs=0

 7   RS  name="ether8" default-name="ether8" type="ether" mtu=1500 actual-mtu=1500 mac-address=0C:BF:64:AC:00:07
         last-link-up-time=2024-09-15 06:32:48 link-downs=0

 8   R   name="lo" type="loopback" mtu=65536 actual-mtu=65536 mac-address=00:00:00:00:00:00 last-link-up-time=2024-09-15 06:32:38 link-downs=0

 9   R   name="vlan-20" type="vlan" mtu=1500 actual-mtu=1500 l2mtu=65531 mac-address=0C:BF:64:AC:00:00 last-link-up-time=2024-09-15 06:32:38
         link-downs=0

10   R   name="vlan-30" type="vlan" mtu=1500 actual-mtu=1500 l2mtu=65531 mac-address=0C:BF:64:AC:00:00 last-link-up-time=2024-09-15 06:32:39
         link-downs=0

11   R   name="vlan-br-1" type="bridge" mtu=auto actual-mtu=1500 l2mtu=65535 mac-address=0C:BF:64:AC:00:00 last-link-up-time=2024-09-15 06:32:38
         link-downs=0

12   R   name="vrrp-m-20" type="vrrp" mtu=1500 actual-mtu=1500 l2mtu=65531 mac-address=00:00:5E:00:01:14 last-link-down-time=2024-09-15 11:30:19
         last-link-up-time=2024-09-15 11:30:19 link-downs=5

13   R   name="vrrp-m-30" type="vrrp" mtu=1500 actual-mtu=1500 l2mtu=65531 mac-address=00:00:5E:00:01:1E last-link-down-time=2024-09-15 11:30:24
         last-link-up-time=2024-09-15 11:30:24 link-downs=6
         
         
[admin@MT-CHR-1] > /ip/address/print detail
Flags: X - disabled, I - invalid, D - dynamic
 0   address=10.1.2.2/24 network=10.1.2.0 interface=ether1 actual-interface=vlan-br-1

 1   address=10.1.1.2/24 network=10.1.1.0 interface=ether3 actual-interface=vlan-br-1

 2   address=192.168.20.1/24 network=192.168.20.0 interface=vlan-20 actual-interface=vlan-20

 3   address=192.168.30.1/24 network=192.168.30.0 interface=vlan-30 actual-interface=vlan-30

 4   address=192.168.20.3/32 network=192.168.20.3 interface=vrrp-m-20 actual-interface=vrrp-m-20

 5   address=192.168.30.3/32 network=192.168.30.3 interface=vrrp-m-30 actual-interface=vrrp-m-30
 
 
[admin@MT-CHR-1] > /interface/bridge/monitor vlan-br-1 once
                  state: enabled
    current-mac-address: 0C:BF:64:AC:00:00
            root-bridge: yes
         root-bridge-id: 0x8000.0C:BF:64:AC:00:00
         root-path-cost: 0
              root-port: none
             port-count: 4
  designated-port-count: 4
           fast-forward: no
           
           
[admin@MT-CHR-1] > /interface/bridge/print detail
Flags: X - disabled, R - running
 0 R name="vlan-br-1" mtu=auto actual-mtu=1500 l2mtu=65535 arp=enabled arp-timeout=auto mac-address=0C:BF:64:AC:00:00 protocol-mode=rstp
     fast-forward=yes igmp-snooping=no auto-mac=yes ageing-time=5m priority=0x8000 max-message-age=20s forward-delay=15s transmit-hold-count=6
     vlan-filtering=yes ether-type=0x8100 pvid=1 frame-types=admit-all ingress-filtering=yes dhcp-snooping=no port-cost-mode=long mvrp=no
     
     
[admin@MT-CHR-1] > /interface/bridge/port/print detail
Flags: X - disabled, I - inactive; D - dynamic; H - hw-offload
 0     interface=ether3 bridge=vlan-br-1 priority=0x80 edge=auto point-to-point=auto learn=auto horizon=none hw=yes auto-isolate=no
       restricted-role=no restricted-tcn=no pvid=1 frame-types=admit-all ingress-filtering=yes unknown-unicast-flood=yes
       unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no mvrp-registrar-state=normal
       mvrp-applicant-state=normal-participant multicast-router=temporary-query fast-leave=no

 1     interface=ether1 bridge=vlan-br-1 priority=0x80 edge=auto point-to-point=auto learn=auto horizon=none hw=yes auto-isolate=no
       restricted-role=no restricted-tcn=no pvid=1 frame-types=admit-all ingress-filtering=yes unknown-unicast-flood=yes
       unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no mvrp-registrar-state=normal
       mvrp-applicant-state=normal-participant multicast-router=temporary-query fast-leave=no

 2     interface=ether7 bridge=vlan-br-1 priority=0x80 edge=auto point-to-point=auto learn=auto horizon=none hw=yes auto-isolate=no
       restricted-role=no restricted-tcn=no pvid=20 frame-types=admit-all ingress-filtering=yes unknown-unicast-flood=yes
       unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no mvrp-registrar-state=normal
       mvrp-applicant-state=normal-participant multicast-router=temporary-query fast-leave=no

 3     interface=ether8 bridge=vlan-br-1 priority=0x80 edge=auto point-to-point=auto learn=auto horizon=none hw=yes auto-isolate=no
       restricted-role=no restricted-tcn=no pvid=30 frame-types=admit-all ingress-filtering=yes unknown-unicast-flood=yes
       unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no mvrp-registrar-state=normal
       mvrp-applicant-state=normal-participant multicast-router=temporary-query fast-leave=no
       
       
[admin@MT-CHR-1] > /interface/vlan/print detail
Flags: X - disabled, R - running
 0 R name="vlan-20" mtu=1500 l2mtu=65531 mac-address=0C:BF:64:AC:00:00 arp=enabled arp-timeout=auto loop-protect=default loop-protect-status=off
     loop-protect-send-interval=5s loop-protect-disable-time=5m vlan-id=20 interface=vlan-br-1 use-service-tag=no mvrp=no

 1 R name="vlan-30" mtu=1500 l2mtu=65531 mac-address=0C:BF:64:AC:00:00 arp=enabled arp-timeout=auto loop-protect=default loop-protect-status=off
     loop-protect-send-interval=5s loop-protect-disable-time=5m vlan-id=30 interface=vlan-br-1 use-service-tag=no mvrp=no
     
     
[admin@MT-CHR-1] > /interface/bridge/vlan/print detail
Flags: X - disabled, D - dynamic
 0   bridge=vlan-br-1 vlan-ids=20 tagged=vlan-br-1,ether3,ether1 untagged=ether7 mvrp-forbidden="" current-tagged=vlan-br-1,ether1,ether3
     current-untagged=ether7

 1   bridge=vlan-br-1 vlan-ids=30 tagged=vlan-br-1,ether3,ether1 untagged=ether8 mvrp-forbidden="" current-tagged=vlan-br-1,ether1,ether3
     current-untagged=ether8

 2 D bridge=vlan-br-1 vlan-ids=1 tagged="" untagged=vlan-br-1,ether1,ether3 mvrp-forbidden="" current-tagged=""
     current-untagged=vlan-br-1,ether1,ether3

sindy · September 17, 2024, 7:24am

If you want each of the two USW switches to only handle a single VLAN, they cannot be connected to the same bridges on the CHRs, or you must use MSTP that can handle a separate spanning tree for each group of VLANs. Since the configuration exports suggest that there are some other switches in your topology that are absent in the drawing, nor have you provided any information about capabilities of the USW switches (i.e. whether they are VLAN aware and what STP flavors they support), it is not clear which way to go. Yet another open point is whether the ethernet interfaces of the CHRs are controlling physical interfaces of the hypervisor or whether they are connected to the virtual switches provided by the virtualisation platform.

mbrgen · September 19, 2024, 1:19am

thank you for suggestions, well, i change the bridge protocol-mode to mstp, added MSTIs on both MT-CHR-1 and MT-CHR-3, but it doesn’t seem to resolve the problem.
on MT-CHR-3 the same (ether7) interface is still being blocked on both MSTIs i’ve created on this switch. i.e. ether8 is a root-port on all MSTIs, even on an MSTI with a vlan-mapping=30, which is weird considering the fact that a VLAN with a vlan-id=30 specified under the bridge doesn’t have any relation to that ether8 port and it has “untagged=ether7” when it’s specified under /interface/bridge/vlan instead. so the ether7 port should be the root-bridge under the MSTI with a vlan-mapping=30. am i missing something obvious?

about the additional switches you mentioned: in my topology i have upstream routers that are connected to MT-CHR-1 and MT-CHR-3, but in my understanding they are not important in this case, so i didn’t include them in the picture. USW switches are dumb L2 switches provided by GNS3 platform, as far as i understand they are not VLAN-aware, moreover, i don’t see it generating any traffic whatsoever, STP included.

MT-CHR-3 /export:

[admin@MT-CHR-3] > /export
# 2024-09-19 00:20:16 by RouterOS 7.15.3
# software id =
#
/disk
set slot1 media-interface=none media-sharing=no slot=slot1
set slot2 media-interface=none media-sharing=no slot=slot2
set slot3 media-interface=none media-sharing=no slot=slot3
set slot4 media-interface=none media-sharing=no slot=slot4
set slot5 media-interface=none media-sharing=no slot=slot5
set slot6 media-interface=none media-sharing=no slot=slot6
set slot7 media-interface=none media-sharing=no slot=slot7
set slot8 media-interface=none media-sharing=no slot=slot8
set slot9 media-interface=none media-sharing=no slot=slot9
set slot10 media-interface=none media-sharing=no slot=slot10
set slot11 media-interface=none media-sharing=no slot=slot11
set slot12 media-interface=none media-sharing=no slot=slot12
set slot13 media-interface=none media-sharing=no slot=slot13
set slot14 media-interface=none media-sharing=no slot=slot14
set slot15 media-interface=none media-sharing=no slot=slot15
set slot16 media-interface=none media-sharing=no slot=slot16
set slot17 media-interface=none media-sharing=no slot=slot17
set slot18 media-interface=none media-sharing=no slot=slot18
/interface bridge
add name=vlan-br-1 protocol-mode=mstp vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
set [ find default-name=ether2 ] disable-running-check=no
set [ find default-name=ether3 ] disable-running-check=no
set [ find default-name=ether4 ] disable-running-check=no
set [ find default-name=ether5 ] disable-running-check=no
set [ find default-name=ether6 ] disable-running-check=no
set [ find default-name=ether7 ] disable-running-check=no
set [ find default-name=ether8 ] disable-running-check=no
/interface vlan
add interface=vlan-br-1 name=vlan-20 vlan-id=20
add interface=vlan-br-1 name=vlan-30 vlan-id=30
/interface vrrp
add interface=vlan-20 name=vrrp-b-20 priority=190 vrid=20
add interface=vlan-30 name=vrrp-b-30 priority=190 vrid=30
/ip pool
add name=vlan-20-pool ranges=192.168.20.100-192.168.20.200
add name=vlan-30-pool ranges=192.168.30.100-192.168.30.200
/port
set 0 name=serial0
/routing ospf instance
add disabled=no name=ospfv2-inst router-id=1.0.0.3
/routing ospf area
add disabled=no instance=ospfv2-inst name=ospfv2-a0
/interface bridge msti
add bridge=vlan-br-1 identifier=20 vlan-mapping=20
add bridge=vlan-br-1 identifier=30 vlan-mapping=30
/interface bridge port
add bridge=vlan-br-1 interface=ether2
add bridge=vlan-br-1 interface=ether3
add bridge=vlan-br-1 interface=ether7 pvid=30
add bridge=vlan-br-1 interface=ether8 pvid=20
/interface bridge vlan
add bridge=vlan-br-1 tagged=vlan-br-1,ether2,ether3 untagged=ether8 vlan-ids=20
add bridge=vlan-br-1 tagged=vlan-br-1,ether2,ether3 untagged=ether7 vlan-ids=30
/ip address
add address=10.1.4.2/24 interface=ether2 network=10.1.4.0
add address=10.1.3.2/24 interface=ether3 network=10.1.3.0
add address=192.168.20.2/24 interface=vlan-20 network=192.168.20.0
add address=192.168.30.2/24 interface=vlan-30 network=192.168.30.0
add address=192.168.20.3 interface=vrrp-b-20 network=192.168.20.3
add address=192.168.30.3 interface=vrrp-b-30 network=192.168.30.3
/ip dhcp-server
add address-pool=vlan-20-pool interface=vlan-20 name=dhcp1
add address-pool=vlan-30-pool interface=vlan-30 name=dhcp2
/ip dhcp-server network
add address=192.168.20.0/24 dns-server=192.168.20.3 gateway=192.168.20.3
add address=192.168.30.0/24 dns-server=192.168.30.3 gateway=192.168.30.3
/ip firewall nat
add action=masquerade chain=srcnat out-interface=vlan-br-1
/ip route
add distance=10 dst-address=0.0.0.0/0 gateway=10.1.3.1
add distance=20 dst-address=0.0.0.0/0 gateway=10.1.4.1
/routing ospf interface-template
add area=ospfv2-a0 disabled=no networks=10.1.4.0/24
add area=ospfv2-a0 disabled=no networks=10.1.3.0/24
/system console screen
set blank-interval=never line-count=40
/system identity
set name=MT-CHR-3
/system note
set show-at-login=no

MT-CHR-1 /export:

[admin@MT-CHR-1] > /export
# 2024-09-19 00:21:19 by RouterOS 7.15.3
# software id =
#
/disk
set slot1 media-interface=none media-sharing=no slot=slot1
set slot2 media-interface=none media-sharing=no slot=slot2
set slot3 media-interface=none media-sharing=no slot=slot3
set slot4 media-interface=none media-sharing=no slot=slot4
set slot5 media-interface=none media-sharing=no slot=slot5
set slot6 media-interface=none media-sharing=no slot=slot6
set slot7 media-interface=none media-sharing=no slot=slot7
set slot8 media-interface=none media-sharing=no slot=slot8
set slot9 media-interface=none media-sharing=no slot=slot9
set slot10 media-interface=none media-sharing=no slot=slot10
set slot11 media-interface=none media-sharing=no slot=slot11
set slot12 media-interface=none media-sharing=no slot=slot12
set slot13 media-interface=none media-sharing=no slot=slot13
set slot14 media-interface=none media-sharing=no slot=slot14
set slot15 media-interface=none media-sharing=no slot=slot15
set slot16 media-interface=none media-sharing=no slot=slot16
set slot17 media-interface=none media-sharing=no slot=slot17
set slot18 media-interface=none media-sharing=no slot=slot18
set slot19 media-interface=none media-sharing=no slot=slot19
/interface bridge
add name=vlan-br-1 priority=0x5000 protocol-mode=mstp vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
set [ find default-name=ether2 ] disable-running-check=no
set [ find default-name=ether3 ] disable-running-check=no
set [ find default-name=ether4 ] disable-running-check=no
set [ find default-name=ether5 ] disable-running-check=no
set [ find default-name=ether6 ] disable-running-check=no
set [ find default-name=ether7 ] disable-running-check=no
set [ find default-name=ether8 ] disable-running-check=no
/interface vlan
add interface=vlan-br-1 name=vlan-20 vlan-id=20
add interface=vlan-br-1 name=vlan-30 vlan-id=30
/interface vrrp
add interface=vlan-20 name=vrrp-m-20 priority=200 vrid=20
add interface=vlan-30 name=vrrp-m-30 priority=200 vrid=30
/ip pool
add name=vlan-20-pool ranges=192.168.20.100-192.168.20.200
add name=vlan-30-pool ranges=192.168.30.100-192.168.30.200
/ip dhcp-server
add address-pool=vlan-20-pool interface=vlan-20 name=vlan-20-dhcp
add address-pool=vlan-30-pool interface=vlan-30 name=vlan-30-dhcp
/port
set 0 name=serial0
/routing ospf instance
add disabled=no name=ospfv2-inst router-id=1.0.0.1
/routing ospf area
add disabled=no instance=ospfv2-inst name=ospfv2-a0
/interface bridge msti
add bridge=vlan-br-1 identifier=20 priority=0x5000 vlan-mapping=20
add bridge=vlan-br-1 identifier=30 priority=0x5000 vlan-mapping=30
/interface bridge port
add bridge=vlan-br-1 interface=ether3
add bridge=vlan-br-1 interface=ether1
add bridge=vlan-br-1 interface=ether7 pvid=20
add bridge=vlan-br-1 interface=ether8 pvid=30
/interface bridge vlan
add bridge=vlan-br-1 tagged=vlan-br-1,ether3,ether1 untagged=ether7 vlan-ids=20
add bridge=vlan-br-1 tagged=vlan-br-1,ether3,ether1 untagged=ether8 vlan-ids=30
/ip address
add address=10.1.2.2/24 interface=ether1 network=10.1.2.0
add address=10.1.1.2/24 interface=ether3 network=10.1.1.0
add address=192.168.20.1/24 interface=vlan-20 network=192.168.20.0
add address=192.168.30.1/24 interface=vlan-30 network=192.168.30.0
add address=192.168.20.3 interface=vrrp-m-20 network=192.168.20.3
add address=192.168.30.3 interface=vrrp-m-30 network=192.168.30.3
/ip dhcp-server network
add address=192.168.20.0/24 dns-server=192.168.20.3 gateway=192.168.20.3
add address=192.168.30.0/24 dns-server=192.168.30.3 gateway=192.168.30.3
/ip firewall nat
add action=masquerade chain=srcnat out-interface=vlan-br-1
/ip route
add distance=10 dst-address=0.0.0.0/0 gateway=10.1.1.1
add distance=20 dst-address=0.0.0.0/0 gateway=10.1.2.1
/routing ospf interface-template
add area=ospfv2-a0 disabled=no networks=10.1.2.0/24
add area=ospfv2-a0 disabled=no networks=10.1.1.0/24
/system console screen
set blank-interval=never line-count=40
/system identity
set name=MT-CHR-1
/system note
set show-at-login=no

here’s some info from both hosts

[admin@MT-CHR-1] > /interface/bridge/msti/print detail
Flags: X - disabled, D - dynamic
 0   identifier=20 bridge=vlan-br-1 priority=0x5000 vlan-mapping=20

 1   identifier=30 bridge=vlan-br-1 priority=0x5000 vlan-mapping=30

 2 D identifier=0 bridge=vlan-br-1 priority=0x5000 vlan-mapping=1-19,21-29,31-4094


[admin@MT-CHR-1] > /interface/bridge/msti/monitor numbers=0 once
                    state: enabled
               identifier: 20
      current-mac-address: 0C:BF:64:AC:00:00
              root-bridge: yes
  regional-root-bridge-id: 0x5014.0C:BF:64:AC:00:00
           root-path-cost: 0
                root-port: none
               port-count: 4
    designated-port-count: 4
    
    
[admin@MT-CHR-1] > /interface/bridge/msti/monitor numbers=1 once
                    state: enabled
               identifier: 30
      current-mac-address: 0C:BF:64:AC:00:00
              root-bridge: yes
  regional-root-bridge-id: 0x501E.0C:BF:64:AC:00:00
           root-path-cost: 0
                root-port: none
               port-count: 4
    designated-port-count: 4


[admin@MT-CHR-3] > /interface/bridge/msti/print detail
Flags: X - disabled, D - dynamic
 0   identifier=20 bridge=vlan-br-1 priority=0x8000 vlan-mapping=20

 1   identifier=30 bridge=vlan-br-1 priority=0x8000 vlan-mapping=30

 2 D identifier=0 bridge=vlan-br-1 priority=0x8000 vlan-mapping=1-19,21-29,31-4094

[admin@MT-CHR-3] > /interface/bridge/msti/monitor numbers=0 once
                    state: enabled
               identifier: 20
      current-mac-address: 0C:F8:94:94:00:01
              root-bridge: no
  regional-root-bridge-id: 0x5014.0C:BF:64:AC:00:00
           root-path-cost: 0
                root-port: ether8
               port-count: 4
    designated-port-count: 2
    
    
    [admin@MT-CHR-3] > /interface/bridge/msti/monitor numbers=1 once
                    state: enabled
               identifier: 30
      current-mac-address: 0C:F8:94:94:00:01
              root-bridge: no
  regional-root-bridge-id: 0x501E.0C:BF:64:AC:00:00
           root-path-cost: 0
                root-port: ether8
               port-count: 4
    designated-port-count: 2

mbrgen · September 19, 2024, 4:36am

posting an update. the problem’s not solved yet, but i’ve read about the /interface bridge port mst-override section and trying to implement it now, tho it’s not working yet (as root-port is still ether8 and not ether7) it seems like something that’ll help me :

[admin@MT-CHR-3] > /interface/bridge/msti/print detail
Flags: X - disabled, D - dynamic
 0   identifier=20 bridge=vlan-br-1 priority=0x8000 vlan-mapping=20

 1   identifier=30 bridge=vlan-br-1 priority=0x8000 vlan-mapping=30

 2 D identifier=0 bridge=vlan-br-1 priority=0x8000 vlan-mapping=1-19,21-29,31-4094


[admin@MT-CHR-3] > /interface/bridge/port/mst-override/print detail
Flags: X - disabled, D - dynamic
 0 D interface=ether2 identifier=20 priority=0x80

 1 D interface=ether2 identifier=30 priority=0x80

 2 D interface=ether3 identifier=20 priority=0x80

 3 D interface=ether3 identifier=30 priority=0x80

 4 D interface=ether7 identifier=20 priority=0x80

 5 D interface=ether8 identifier=20 priority=0x80

 6 D interface=ether8 identifier=30 priority=0x80

 7   interface=ether7 identifier=30 priority=0x10


[admin@MT-CHR-3] > /interface/bridge/msti/monitor numbers=0,1 once
                      state: enabled                  enabled
                 identifier: 20                       30
        current-mac-address: 0C:F8:94:94:00:01        0C:F8:94:94:00:01
                root-bridge: no                       no
    regional-root-bridge-id: 0x5014.0C:BF:64:AC:00:00 0x501E.0C:BF:64:AC:00:00
             root-path-cost: 0                        0
                  root-port: ether8                   ether8
                 port-count: 4                        4
      designated-port-count: 2                        2

sindy · September 19, 2024, 4:03pm

Indeed the mst-override is what you need, you have to set the internal-path-cost to be higher on the port to which the “wrong” switch for that VLAN (corresponding to the vlan group identifier) is connected and lower for the one to which the “correct” switch is connected - lower path cost makes the port a preferred choice. Also, you don’t need to place both VLAN 20 and VLAN 30 to their dedicated groups, you can keep one of them in the main group, which contains all VLANs from 1 to 4094 by default and you can move lists of VLANs to other groups from it.

Regarding the other connected switches, you are right that it is enough if they support RSTP because MSTP can interwork with RSTP, but you have to adjust the internal-path-cost (which is used inside the MSTP region) and the path-cost (which is used when talking to RSTP or to another MSTP region) in such a way that none of ether7 and ether8 would ever stop forwarding in their respective spanning trees, i.e. the MSTP must break the L2 loop by disabling forwarding through one of the uplinks to the other switches instead.

mbrgen · September 20, 2024, 2:57am

thank you very much for your help. The issue is resolved.