jaykay2342
Member
Topic Author
Posts: 335
Joined: Tue Dec 04, 2012 2:49 pm
Location: /Vigor/LocalGroup/Milky Way/Earth/Europe/Germany

CRS3xx Fasttrack on VLANs not working.

Sun Jul 01, 2018 10:38 pm

I got my first couple of CRS3xx devices and am playing around with them in my lab.

I ran into the first problem. The setup is as follows:
CRS317

Using a bridge, as you need to with the CRS3xx series, with vlan-filtering.
/interface bridge
add name=bridge1 protocol-mode=none vlan-filtering=yes
/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus2 pvid=123
add bridge=bridge1 interface=sfp-sfpplus4
add bridge=bridge1 interface=sfp-sfpplus5
add bridge=bridge1 interface=sfp-sfpplus6
add bridge=bridge1 interface=sfp-sfpplus7
add bridge=bridge1 interface=sfp-sfpplus8
add bridge=bridge1 interface=sfp-sfpplus9
add bridge=bridge1 interface=sfp-sfpplus10
add bridge=bridge1 interface=sfp-sfpplus11
add bridge=bridge1 interface=sfp-sfpplus12
add bridge=bridge1 interface=sfp-sfpplus13
add bridge=bridge1 interface=sfp-sfpplus14
add bridge=bridge1 interface=sfp-sfpplus15
add bridge=bridge1 interface=sfp-sfpplus16 pvid=13
add bridge=bridge1 edge=yes frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=sfp-sfpplus3 pvid=13
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,sfp-sfpplus16 untagged=sfp-sfpplus1,sfp-sfpplus2 vlan-ids=123
add bridge=bridge1 tagged=bridge1 untagged=sfp-sfpplus3,sfp-sfpplus16 vlan-ids=13

VLAN interfaces on top of the bridge:
/interface vlan
add interface=bridge1 name=vlan13 vlan-id=13
add interface=bridge1 name=vlan123 vlan-id=123

Simple fasttrack configured:
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related

When traffic is flowing from vlan13 (host at port sfp-sfpplus3) towards the network on sfp-sfpplus1 (not bridged, no VLAN), it's not fasttracked, although the connection is marked as fasttracked. But the byte counter of the fasttrack dummy rule is not increasing.
The CPU is hitting 100% (one core) at ~500 Mbit/s.

Traffic the other way around is fasttracked as expected: 1 Gbit/s line speed, and the CPU is far away from 100%.

It seems the problem is traffic coming in on a vlan interface on top of a bridge.

Is this a known limitation? And if so, why?
9-5 Job: Securityanalyst at a major MSSP.
Free time volunteer: Networkadmin and founder at a small non-profit WISP.
Certifications: ITILv3, GCIA
 
CZFan
Forum Guru
Posts: 1392
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg

Re: CRS3xx Fasttrack on VLANs not working.

Mon Jul 02, 2018 12:52 am

You say sfp-sfpplus1 is not a member of bridge1 and no vlan on it, but it is configured as untagged for vlan-id = 123?
MTCNA, MTCTCE, MTCRE & MTCINE
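
Added example (not part of any post in this thread, and not MikroTik tooling): a small Python check that automates the cross-reference made in the reply above, comparing the `/interface bridge vlan` table against the `/interface bridge port` list of a RouterOS export. The function names and the trimmed sample export are constructed for illustration; it assumes one `vlan-ids` value per entry and unquoted property values, as in the posted config.

```python
import re

# Constructed sample: trimmed copy of the export posted in this thread.
SAMPLE_EXPORT = """\
/interface bridge
add name=bridge1 protocol-mode=none vlan-filtering=yes
/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus2 pvid=123
add bridge=bridge1 interface=sfp-sfpplus16 pvid=13
add bridge=bridge1 edge=yes frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=sfp-sfpplus3 pvid=13
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,sfp-sfpplus16 untagged=sfp-sfpplus1,sfp-sfpplus2 vlan-ids=123
add bridge=bridge1 tagged=bridge1 untagged=sfp-sfpplus3,sfp-sfpplus16 vlan-ids=13
"""

def parse_export(text):
    """Group 'add key=value ...' lines by the menu path line above them."""
    sections, path = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            path = line
        elif line.startswith("add ") and path:
            props = dict(re.findall(r"([\w-]+)=(\S+)", line))
            sections.setdefault(path, []).append(props)
    return sections

def lint_bridge_vlans(text):
    """Hypothetical helper: list VLAN-table members that disagree with the port list."""
    cfg = parse_export(text)
    pvid = {p["interface"]: p.get("pvid", "1")  # RouterOS default pvid is 1
            for p in cfg.get("/interface bridge port", [])}
    bridges = {b["name"] for b in cfg.get("/interface bridge", [])}
    findings = []
    for v in cfg.get("/interface bridge vlan", []):
        vid = v["vlan-ids"]
        for role in ("tagged", "untagged"):
            for ifc in filter(None, v.get(role, "").split(",")):
                if ifc in bridges:
                    continue  # the bridge itself is a valid (CPU) member
                if ifc not in pvid:
                    findings.append(f"vlan {vid}: {role} member {ifc} is not a bridge port")
                elif role == "untagged" and pvid[ifc] != vid:
                    findings.append(f"vlan {vid}: untagged member {ifc} has pvid={pvid[ifc]}")
    return findings

if __name__ == "__main__":
    for finding in lint_bridge_vlans(SAMPLE_EXPORT):
        print(finding)
```

On the sample it reports only the sfp-sfpplus1 entry in VLAN 123, the same leftover pointed out above.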
 
chechito
Forum Guru
Posts: 1736
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: CRS3xx Fasttrack on VLANs not working.

Mon Jul 02, 2018 6:51 am

CRS is a switch

the better way to do what you want to do is using a router + switch
 
jaykay2342

Re: CRS3xx Fasttrack on VLANs not working.

Mon Jul 02, 2018 9:06 am

> You say sfp-sfpplus1 is not a member of bridge1 and no vlan on it, but it is configured as untagged for vlan-id = 123?

That's just a leftover from previous tests.
 
jaykay2342

Re: CRS3xx Fasttrack on VLANs not working.

Mon Jul 02, 2018 9:11 am

> CRS is a switch
>
> the better way to do what you want to do is using a router + switch

I know that its main purpose is switching. But with fasttrack the CPU has no problem routing 1 Gbps. So why use a separate device for that? And it's a CRS, not a CCS.
 
chechito

Re: CRS3xx Fasttrack on VLANs not working.

Mon Jul 02, 2018 9:49 am

> > CRS is a switch
> >
> > the better way to do what you want to do is using a router + switch
>
> I know that its main purpose is switching. But with fasttrack the CPU has no problem routing 1 Gbps. So why use a separate device for that? And it's a CRS, not a CCS.

Fast-track is for routing; if you are bridging, check the fast-path counters and status on the bridge (I don't see any IP address in your config).

Check the culprit of the CPU usage using tools->profile.
 
jaykay2342

Re: CRS3xx Fasttrack on VLANs not working.

Mon Jul 02, 2018 10:21 am

> > > CRS is a switch
> > >
> > > the better way to do what you want to do is using a router + switch
> >
> > I know that its main purpose is switching. But with fasttrack the CPU has no problem routing 1 Gbps. So why use a separate device for that? And it's a CRS, not a CCS.
>
> Fast-track is for routing; if you are bridging, check the fast-path counters and status on the bridge (I don't see any IP address in your config).
>
> Check the culprit of the CPU usage using tools->profile.

Yes, I'm routing here. RouterOS receives the traffic on a VLAN interface that is on top of the bridge. I'm talking about the routed traffic, not the bridged traffic. The bridged (switched) traffic works fine; it's hardware offloaded as it should be.
 
chechito

Re: CRS3xx Fasttrack on VLANs not working.

Mon Jul 02, 2018 9:05 pm

I think MikroTik will end up killing the CRS line because of situations like this.

I think the fact that a CRS switch has RouterOS doesn't imply you have to do routing on it. I think a switch is a switch and must be used like that; the advantages of having RouterOS on it come from a management perspective: you have a very powerful and versatile WinBox graphical user interface, integrated graphs...

That's my personal opinion.
 
jaykay2342

Re: CRS3xx Fasttrack on VLANs not working.

Mon Jul 02, 2018 10:43 pm

> I think MikroTik will end up killing the CRS line because of situations like this.
>
> I think the fact that a CRS switch has RouterOS doesn't imply you have to do routing on it. I think a switch is a switch and must be used like that; the advantages of having RouterOS on it come from a management perspective: you have a very powerful and versatile WinBox graphical user interface, integrated graphs...
>
> That's my personal opinion.

It's called Cloud Router Switch. That does not imply that it's a switch only, either. I'm fully aware that it does not have the CPU power for line-speed routing. But for the 3xx series they have a CPU that has more power than some of the "routers". And why not utilize those CPU cycles? What's the point of a 2-core CPU if you use only the hardware-offloaded switching function and the CPU idles at 1%?

Those switches fit perfectly where you have a need for a fast local network and you have a somewhat slower internet connection. Putting an OLD RB2011 next to a CRS317 just to route a 500 Mbps internet connection (with fasttrack) is somehow stupid, as the CPU is much slower.

That's my opinion. What I would like to know is whether the limitation I ran into has a technical reason, or whether they just forgot the scenario of a VLAN on top of the (hardware-offloaded) bridge and need to add a few lines of code to get such traffic handled by the fasttracked path.
 
CZFan

Re: CRS3xx Fasttrack on VLANs not working.

Tue Jul 03, 2018 2:21 am

Can you post the full config? There might be a misconfigured rule creating unexpected symptoms that we might not think about, but seeing the config might ring some bells.
 
chechito

Re: CRS3xx Fasttrack on VLANs not working.

Tue Jul 03, 2018 3:56 am

> Can you post the full config? There might be a misconfigured rule creating unexpected symptoms that we might not think about, but seeing the config might ring some bells.

Yes, very difficult to help with incomplete config access.
 
ToBeFrank
newbie
Posts: 32
Joined: Mon Dec 18, 2017 7:31 pm

Re: CRS3xx Fasttrack on VLANs not working.

Thu Jul 26, 2018 4:02 am

I'm seeing the same thing on a CCR1009. Did you get any resolution to this?
