Community discussions

MUM Europe 2020
 
mainTAP
newbie
Topic Author
Posts: 36
Joined: Tue Oct 02, 2012 4:01 am

CRS125-24G-1S VLAN leak due to Dynamic created VLANs with ID above 4000

Fri Mar 27, 2015 1:55 pm

Dear All,

Can you please help with issue I have with CRS125 and simple VLAN scenario where ethernet-1 is a trunk port with vlans 1,100 and port8 should be access port for vlan 1 and port16 access port for vlan100.

Unfortunately I cannot make a port as an ACCESS port on this switch, when I mirror the traffic leaving the eth6 and eth16, i can see all the traffic from eth1 with all the tagging.

I believe this is due to dynamically created vlans I have found on the switch but I cannot delete them .

An answers for the following questions would be very appreciated :

1.Why I see these dynamically created vlans [4095,4089]on CRS and how can I get rid of them

2.How can I strip the VLAN tag as the traffic leaving the access port
(on a mikrotik router I can see vlan-mode and VLAN-HEADER [leave,strip,add if missing] options under the switching)


3.What doest the Egress VLAN mode and VLAN type do under switch ports ? As if I change it between [unmodified/untagged] I cannot see any difference and the access ports are still egressing all vlans and all tagged.

/interface ethernet switch egress-vlan-tag print 
Flags: X - disabled, I - invalid, D - dynamic 
 #   VLAN-ID TAGGED-PORTS                                                                                                                                                                                       
 0 D    4095
 1 D    4089
 2         1 ether1-gateway                                                                                                                                                                                     
             switch1-cpu                                                                                                                                                                                        
 3       100 ether1-gateway 
/interface ethernet switch vlan print
Flags: X - disabled, I - invalid, D - dynamic 
 #   VLAN-ID PORTS                                                                            SVL LEARN FLOOD INGRESS-MIRROR QOS-GROUP                                                                          
 0 D    4095 ether23-slave-local                                                              no  no    no    no             none                                                                               
             ether24                                                                         
             sfp1-gateway                                                                    
             switch1-cpu                                                                     
 1 X     666 ether23-slave-local                                                              no  yes   yes   no             none                                                                               
             ether24                                                                         
 2 X     900 ether18-master                                                                   no  yes   no    no             none                                                                               
             ether23-slave-local                                                             
 3 D    4089 ether1-gateway                                                                   no  yes   no    no             none                                                                               
             ether2-master-local                                                             
             ether3-slave-local                                                              
             ether4-slave-local                                                              
             ether5-slave-local                                                              
             ether6-slave-local                                                              
             ether7-slave-local                                                              
             ether8-slave-local                                                              
             ether9-slave-local                                                              
             ether10-slave-local                                                             
             ether11-slave-local                                                             
             ether12-slave-local                                                             
             ether13-slave-local                                                             
             ether14-slave-local                                                             
             ether15-slave-local                                                             
             ether16-slave-local                                                             
             ether17-master                                                                  
             ether18-master                                                                  
             ether19-slave-local                                                             
             ether20-slave-local                                                             
             ether21-slave-local                                                             
             ether22-slave-local                                                             
             switch1-cpu                                                                     
 4         1 ether1-gateway                                                                   no  yes   no    no             none                                                                               
             ether8-slave-local                                                              
             switch1-cpu                                                                     
 5       100 ether1-gateway                                                                   no  yes   no    no             none                                                                               
             ether16-slave-local                                                             
 6         2 ether2-master-local                                                              no  yes   no    no             none                                                                               
             ether4-slave-local                                                              
/interface ethernet switch ingress-vlan-translation print 
Flags: X - disabled, I - invalid, D - dynamic 
 0   ports=ether8-slave-local service-vlan-format=any customer-vlan-format=any customer-vid=0 new-customer-vid=1 pcp-propagation=no sa-learning=yes 

 1   ports=ether16-slave-local service-vlan-format=any customer-vlan-format=any new-customer-vid=100 pcp-propagation=no sa-learning=yes 

 2 D ports=ether1-gateway,ether2-master-local,ether3-slave-local,ether4-slave-local,ether5-slave-local,ether6-slave-local,ether7-slave-local,ether8-slave-local,ether9-slave-local,ether10-slave-local,ether11-
      slave-local,ether12-slave-local,ether13-slave-local,ether14-slave-local,ether15-slave-local,ether16-slave-local,ether17-master,ether18-master,ether19-slave-local,ether20-slave-local,ether21-slave-local,
      ether22-slave-local 
     service-vlan-format=any customer-vlan-format=any new-customer-vid=4089 pcp-propagation=no sa-learning=yes 

 3 D ports=ether23-slave-local,ether24,sfp1-gateway service-vlan-format=any customer-vlan-format=any new-customer-vid=4095 pcp-propagation=no sa-learning=no 
/interface ethernet print
Flags: X - disabled, R - running, S - slave 
 #    NAME                            MTU MAC-ADDRESS       ARP        MASTER-PORT                          SWITCH                         
 0 R  ;;; Mikrotik 260G - port 2
      ether1-gateway                 1500 4C:5E:0C:97:A2:57 enabled    none                                 switch1                        
 1 RS ;;; NZXT - USB 2
      ether2-master-local            1500 4C:5E:0C:97:A2:58 enabled    ether1-gateway                       switch1                        
 2 XS ether3-slave-local             1500 4C:5E:0C:97:A2:59 enabled    ether1-gateway                       switch1                        
 3 XS ;;; ADVA_Management
      ether4-slave-local             1500 4C:5E:0C:97:A2:5A enabled    ether1-gateway                       switch1                        
 4 XS ether5-slave-local             1500 4C:5E:0C:97:A2:5B enabled    ether1-gateway                       switch1                        
 5 XS ether6-slave-local             1500 4C:5E:0C:97:A2:5C enabled    ether1-gateway                       switch1                        
 6 XS ;;; Mikrotik 751G - port 1
      ether7-slave-local             1500 4C:5E:0C:97:A2:5D enabled    ether1-gateway                       switch1                        
 7 XS ;;; Mikrotik 751G - port 2
      ether8-slave-local             1500 4C:5E:0C:97:A2:5E enabled    ether1-gateway                       switch1                        
 8 XS ;;; SRX_2 [fe-0/0/0]
      ether9-slave-local             1500 4C:5E:0C:97:A2:5F enabled    ether1-gateway                       switch1                        
 9 XS ;;; SRX_1 [fe-0/0/0]
      ether10-slave-local            1500 4C:5E:0C:97:A2:60 enabled    ether1-gateway                       switch1                        
10 XS ;;; SRX_2 [fe-0/0/1]
      ether11-slave-local            1500 4C:5E:0C:97:A2:61 enabled    ether1-gateway                       switch1                        
11 XS ;;; SRX_1 [fe-0/0/1]
      ether12-slave-local            1500 4C:5E:0C:97:A2:62 enabled    ether1-gateway                       switch1                        
12 XS ;;; SRX_2 [fe-0/0/2]
      ether13-slave-local            1500 4C:5E:0C:97:A2:63 enabled    ether1-gateway                       switch1                        
13 XS ;;; SRX_1 [fe-0/0/2]
      ether14-slave-local            1500 4C:5E:0C:97:A2:64 enabled    ether1-gateway                       switch1                        
14 XS ;;; SRX_2 [fe-0/0/3]
      ether15-slave-local            1500 4C:5E:0C:97:A2:65 enabled    ether1-gateway                       switch1                        
15 XS ;;; SRX_1 [fe-0/0/3]
      ether16-slave-local            1500 4C:5E:0C:97:A2:66 enabled    ether1-gateway                       switch1                        
16 XS ;;; ADVA-port2
      ether17-master                 1500 4C:5E:0C:97:A2:67 enabled    ether1-gateway                       switch1                        
17 XS ;;; ADVA-port1 - NETWORK_PORT
      ether18-master                 1500 4C:5E:0C:97:A2:68 enabled    ether1-gateway                       switch1                        
18 XS ether19-slave-local            1500 4C:5E:0C:97:A2:69 enabled    ether1-gateway                       switch1                        
19 XS ether20-slave-local            1500 4C:5E:0C:97:A2:6A enabled    ether1-gateway                       switch1                        
20 XS ether21-slave-local            1500 4C:5E:0C:97:A2:6B enabled    ether1-gateway                       switch1                        
21 XS ether22-slave-local            1500 4C:5E:0C:97:A2:6C enabled    ether1-gateway                       switch1                        
22 R  ;;; NZXT - USB 1 [captures]
      ether23-slave-local            1500 4C:5E:0C:97:A2:6D enabled    none                                 switch1                        
23 X  ether24                        1500 4C:5E:0C:97:A2:6E enabled    none                                 switch1                        
24 X  sfp1-gateway                   1500 4C:5E:0C:97:A2:6F enabled    none                                 switch1              
I was trying to follow the simple port-based vlans scenario from the wiki but still cannot achieve vlan isolation and a basic access port functionality.

I have disabled majority of the ports for testing and assign them to a single master port but still cannot remove the dynamic vlans.

I don't usually struggle with such a simple task as configuring vlan trunk and access port but on CRS this is very confusion.

Thank you very much in advance.
 
mainTAP
newbie
Topic Author
Posts: 36
Joined: Tue Oct 02, 2012 4:01 am

Re: CRS125-24G-1S VLAN leak due to Dynamic created VLANs with ID above 4000

Sun Apr 05, 2015 4:10 am

The switch also behaves differently when gets rebooted, is there any configuration applied only after a reboot ?
I have also managed to remove the vlans above 4000 ( by factory default and applying the same configuration ) .. which should not be the case ..
But the switch still leaks like a hub, completely ignoring the vlan configuration.

And how is Q-in-Q working on this device ? I have of course followed the examples on wiki ,but the switch doesn't seem to be pushing the S-tag on the frames..

I have also tried the Egress Vlan translation and translate anything leaving with a Service VID but looking at packet capture leaving the interface nothing was being tagged.

Am I missing something fundamental ?

Thank you
 
xvld
just joined
Posts: 5
Joined: Tue Jun 23, 2015 9:50 am

Re: CRS125-24G-1S VLAN leak due to Dynamic created VLANs with ID above 4000

Thu Jun 25, 2015 11:13 am

I subscribe to the issue
2.How can I strip the VLAN tag as the traffic leaving the access port
(on a mikrotik router I can see vlan-mode and VLAN-HEADER [leave,strip,add if missing] options under the switching)

Who is online

Users browsing this forum: franklin44377, Google [Bot] and 47 guests