Non-leaky CRS3xx configuration

davidcx · Fri Jul 06, 2018 3:23 pm

I am struggling to find a configuration that does not leak untagged traffic between ports on both the CRS326 and CRS317.

Example with CRS326. All ports in a flat VLAN 1 except three special ports:

ether9 should have VLANs 2030 and 2031 tagged, nothing untagged.
ether10 should have VLANs 2030 and 2032 tagged, nothing untagged.
ether11 should have VLANs 2031 and 2032 tagged, nothing untagged.

These three ports should not accept anything untagged (so ingress-filtering=yes frame-types=admit-only-vlan-tagged) and should not send anything untagged. They should not participate in VLAN 1 in any way, they should not be able to see any device on the other ports at all.

There doesn't seem to be a way to unset pvid on a port, so I've given each port a unique pvid (1001, 1002, 1003) just in case (it would be nice if you could omit pvid on a port that is only admitting vlan tagged, since it is irrelevant).

Yet still untagged traffic is leaking between all ports. The simplest evidence for this is that they can see all the other attached devices under "/ip neighbor print", whereas they should not because they do not have any VLANs in common.

Am I missing something?

/interface bridge
add admin-mac=64:D1:54:zz:zz:zz auto-mac=no name=bridge1 vlan-filtering=yes
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether9 pvid=1001
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether10 pvid=1002
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether11 pvid=1003
add bridge=bridge1 interface=ether12
add bridge=bridge1 interface=sfp-sfpplus1
add bridge=bridge1 interface=sfp-sfpplus2
add bridge=bridge1 interface=ether1
/interface bridge vlan
add bridge=bridge1 tagged=ether9,ether10 vlan-ids=2030
add bridge=bridge1 tagged=ether9,ether11 vlan-ids=2031
add bridge=bridge1 tagged=ether10,ether11 vlan-ids=2032

bridge vlan print confirms VLAN 1 should not be appearing on these three ports:

/interface bridge vlan> print
Flags: X - disabled, D - dynamic 
 #   BRIDGE                     VLAN-IDS  CURRENT-TAGGED                    CURRENT-UNTAGGED                   
 0   bridge1                    2030      ether9                           
                                          ether10                          
 1   bridge1                    2031      ether9                           
                                          ether11                          
 2   bridge1                    2032      ether10                          
                                          ether11                          
 3 D bridge1                    1001                                        ether9                             
 4 D bridge1                    1002                                        ether10                            
 5 D bridge1                    1003                                        ether11                            
 6 D bridge1                    1                                           bridge1                            
                                                                            ether3                             
                                                                            ether4                             
                                                                            ether5                             
                                                                            ether6                             
                                                                            ether7                             
                                                                            ether8                             
                                                                            ether1

RouterOS 6.42.5

I also note that ports appear in current-untagged long after they have been removed, so yes I have done a reboot in between to clear this.

-davidc

YouTube · Fri Jul 06, 2018 4:37 pm

Note that frame-type applies to ingress traffic.

We recently discovered a bug on CRS326 that it allows to forward packets that are internally tagged with PVID=1, this will be fixed in future versions, though this bug does not exist on CRS317.

To avoid this bug, simply set PVID=2 to all ports that currently have pvid=1/no-pvid.

An entry in bridge VLAN table will be added automatically for each port with the respective PVID value, for this reason you are seeing these ports as untagged for those VLAN IDs.

davidcx · Fri Jul 06, 2018 10:11 pm

Hi artz,

Thanks, yes I understand that ingress-filtering only applies to ingress traffic. And there are no untagged VLANs on this port. So there should be no untagged packets on ingress or egress. The only possible traffic from this port should be on VLAN tags 2031 and 2032.

Yet here are the neighbours of the router directly connected to port ether11 in the above example (the local port is sfpplus1)

neighbor.png

It should have no neighbours on sfpplus1 at all, only on the VLAN interfaces sfpplus1.2031 and sfpplus.2032. It simply should not be able to pass traffic to/from the devices in VLAN 1, that is the whole concept of VLANs, that they should segregate traffic. Somehow VLAN 1 is leaking into these ports (bidirectionally - the other devices on VLAN 1 can see this router too).

Am I doing something wrong?

We recently discovered a bug on CRS326 that it allows to forward packets that are internally tagged with PVID=1, this will be fixed in future versions, though this bug does not exist on CRS317.

To avoid this bug, simply set PVID=2 to all ports that currently have pvid=1/no-pvid.

Noted, however you will see above that I gave these ports separate pvids of 1001, 1002 and 1003 anyway, so this isn't the problem.

David

davidcx · Fri Jul 06, 2018 10:31 pm

We recently discovered a bug on CRS326 that it allows to forward packets that are internally tagged with PVID=1, this will be fixed in future versions, though this bug does not exist on CRS317.

To avoid this bug, simply set PVID=2 to all ports that currently have pvid=1/no-pvid.

Actually it looks like this does resolve it if you change the pvid of the *other* ports (done as one line in safe mode to prevent loss of management connectivity):

/interface bridge set [find] pvid=2; /interface bridge port set [find pvid=1] pvid=2

Thanks for the info!

Although the problem might be a bit wider than you wrote, as it was leaking in the other direction as well.

-davidc

Nando_lavras · Mon Jul 09, 2018 11:53 pm

Note that frame-type applies to ingress traffic.

We recently discovered a bug on CRS326 that it allows to forward packets that are internally tagged with PVID=1, this will be fixed in future versions, though this bug does not exist on CRS317.

To avoid this bug, simply set PVID=2 to all ports that currently have pvid=1/no-pvid.

An entry in bridge VLAN table will be added automatically for each port with the respective PVID value, for this reason you are seeing these ports as untagged for those VLAN IDs.

Theres an estimate for this new version with this leak corrected?

Thanks.

Non-leaky CRS3xx configuration

Non-leaky CRS3xx configuration

Re: Non-leaky CRS3xx configuration

Re: Non-leaky CRS3xx configuration

Re: Non-leaky CRS3xx configuration

Re: Non-leaky CRS3xx configuration

Who is online