pnajm
Frequent Visitor
Topic Author
Posts: 93
Joined: Thu Nov 21, 2013 6:54 pm

Switch Chip on CRS106-1C-5S

Fri Aug 31, 2018 10:33 am

I have 11 CRS106-1C-5S running ROS version 6.42.6 all connected through single mode fiber cables and Mikrotik SFP modules.
Boards have been running fine for 11 months now.
I created a bridge and added all ports to it with hardware offloading enabled.
I have set up tagged and untagged vlans on the switch chip according to Mikrotik wiki.
Management vlan 100 (tagged) created on the bridge interface.
Untagged vlan 200 assigned to combo/ether port.

I wanted complete isolation of vlans but the problem is:
I can see traffic from tagged vlan 100 going to combo port. (broadcast and multicast traffic).
I can also see untagged traffic going to all ports in bridge (802.2 traffic)
What may be the problem?
Also shouldn't (interface ethernet switch set forward-unknown-vlan=no) eliminate this issue?

Here is my config export:
/interface bridge
add name=bridge
/interface ethernet
set [ find default-name=combo1 ] name=combo-TP-LinkSwitch
set [ find default-name=sfp1 ] name=sfp1-Main
set [ find default-name=sfp2 ] name=sfp2
/interface vlan
add interface=bridge name=vlan-mgmt vlan-id=100
/interface ethernet switch
set forward-unknown-vlan=no
/interface list
add name=Management
add exclude=dynamic name=discover
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/interface bridge port
add bridge=bridge interface=sfp5
add bridge=bridge interface=sfp4
add bridge=bridge interface=sfp3
add bridge=bridge interface=sfp2
add bridge=bridge hw=no interface=combo-TP-LinkSwitch
add bridge=bridge interface=sfp1-Main
/ip neighbor discovery-settings
set discover-interface-list=Management
/interface ethernet switch egress-vlan-tag
add tagged-ports=sfp1-Main,sfp2,sfp3,sfp4,sfp5 vlan-id=200
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=200 ports=combo-TP-LinkSwitch
/interface ethernet switch vlan
add ports=switch1-cpu,sfp1-Main,sfp2,sfp3,sfp4,sfp5 vlan-id=100
add ports=sfp1-Main,combo-TP-LinkSwitch,sfp2,sfp3,sfp4,sfp5 vlan-id=200
/interface list member
add interface=vlan-mgmt list=Management
/ip address
add address=192.168.25.52/24 interface=vlan-mgmt network=192.168.25.0
/ip dns
set servers=192.168.25.12,192.168.25.13
/ip route
add distance=1 gateway=192.168.25.1
 
Samot
Member Candidate
Posts: 109
Joined: Sat Nov 25, 2017 10:01 pm

Re: Switch Chip on CRS106-1C-5S

Fri Aug 31, 2018 3:29 pm

Well, the first thing I would do is make sure that VLAN200 is set up as an actual interface on the router. You only have VLAN100 set up, but you're setting up VLAN rules that include 200.
 
proximus
Member Candidate
Posts: 111
Joined: Tue Oct 04, 2011 1:46 pm

Re: Switch Chip on CRS106-1C-5S

Fri Aug 31, 2018 3:50 pm

The last step in the guide is to add:
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=
https://wiki.mikrotik.com/wiki/Manual:C ... figuration

I don't see that in your config.
 
ADahi
Member Candidate
Posts: 217
Joined: Thu Sep 21, 2017 7:16 pm
Location: Iraq, Ninavah

Re: Switch Chip on CRS106-1C-5S

Fri Aug 31, 2018 6:15 pm

> The last step in the guide is to add:
> /interface ethernet switch
> set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=
> https://wiki.mikrotik.com/wiki/Manual:C ... figuration
>
> I don't see that in your config.

this is same
/interface ethernet switch
set forward-unknown-vlan=no
Last edited by ADahi on Fri Aug 31, 2018 10:24 pm, edited 1 time in total.
 
ADahi
Member Candidate
Posts: 217
Joined: Thu Sep 21, 2017 7:16 pm
Location: Iraq, Ninavah

Re: Switch Chip on CRS106-1C-5S

Fri Aug 31, 2018 6:33 pm

I guess the reason is that you specified "hw=no" for interface=combo-TP-LinkSwitch

if hw=no : switching configuration done by CPU, bridge->vlan
if hw=yes : switching configuration done by Switch Chip, switch->vlan

Put a different PVID for each port
and do not forget "sa-learning=yes" in [/interface ethernet switch ingress-vlan-translation]

Hope this helps you
best regards
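
One way to check an export for the two points raised in the replies above (the drop-if-invalid-or-src-port-not-member-of-vlan-on-ports setting and the hw=no bridge port), as an added example that is not part of any post in this thread. The function names parse_export and audit are hypothetical, and the sample export is constructed from the switch-related lines of the first post.

```python
import re

# Constructed sample: switch-related lines taken from the export in the first post.
SAMPLE_EXPORT = """\
/interface ethernet switch
set forward-unknown-vlan=no
/interface bridge port
add bridge=bridge interface=sfp5
add bridge=bridge hw=no interface=combo-TP-LinkSwitch
add bridge=bridge interface=sfp1-Main
/interface ethernet switch vlan
add ports=switch1-cpu,sfp1-Main,sfp2,sfp3,sfp4,sfp5 vlan-id=100
add ports=sfp1-Main,combo-TP-LinkSwitch,sfp2,sfp3,sfp4,sfp5 vlan-id=200
"""

DROP_KEY = "drop-if-invalid-or-src-port-not-member-of-vlan-on-ports"

def parse_export(text):
    """Return [(menu, {key: value})] for every add/set line of an export."""
    entries, menu = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line  # a menu path applies to the add/set lines that follow
        elif line.startswith(("add ", "set ")):
            entries.append((menu, dict(re.findall(r"([\w-]+)=(\S*)", line))))
    return entries

def audit(text):
    """List ports whose VLAN membership is not enforced by the switch chip."""
    vlan_ports, drop_ports, cpu_bridged = set(), set(), set()
    for menu, kv in parse_export(text):
        if menu == "/interface ethernet switch vlan":
            vlan_ports.update(p for p in kv.get("ports", "").split(",") if p)
        elif menu == "/interface ethernet switch" and DROP_KEY in kv:
            drop_ports.update(p for p in kv[DROP_KEY].split(",") if p)
        elif menu == "/interface bridge port" and kv.get("hw") == "no":
            cpu_bridged.add(kv["interface"])
    # Assumption: only physical ports are audited, so switch1-cpu is skipped.
    findings = [f"{p}: in switch VLAN table, not in {DROP_KEY}"
                for p in sorted(vlan_ports - drop_ports - {"switch1-cpu"})]
    findings += [f"{p}: hw=no, not hardware offloaded" for p in sorted(cpu_bridged)]
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print(finding)
```
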
 
pnajm
Frequent Visitor
Topic Author
Posts: 93
Joined: Thu Nov 21, 2013 6:54 pm

Re: Switch Chip on CRS106-1C-5S

Sat Sep 01, 2018 5:08 pm

> I guess the reason is that you specified "hw=no" for interface=combo-TP-LinkSwitch
>
> if hw=no : switching configuration done by CPU, bridge->vlan
> if hw=yes : switching configuration done by Switch Chip, switch->vlan
>
> Put a different PVID for each port
> and do not forget "sa-learning=yes" in [/interface ethernet switch ingress-vlan-translation]
>
> Hope this helps you
> best regards

hw=no was a mistake during config export, it is enabled by default.
sa-learning is enabled by default.
I don't see how changing the PVID for each port would solve my issue.
 
pnajm
Frequent Visitor
Topic Author
Posts: 93
Joined: Thu Nov 21, 2013 6:54 pm

Re: Switch Chip on CRS106-1C-5S

Sat Sep 01, 2018 5:14 pm

The main question is:
- Why am I seeing tagged traffic passing on to the combo port, which is configured for vlan 200?

Update:
If I put the vlan 100 interface on the uplink port instead of the bridge, the combo port stops receiving vlan 100 tagged packets!
Can you explain this behaviour?
 
chechito
Forum Guru
Posts: 1736
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: Switch Chip on CRS106-1C-5S

Sat Sep 01, 2018 6:15 pm

Try this setting if switching VLANs on CRS 1xx or 2xx.

Without it the switch practically does not filter VLANs.

Be sure to test in a lab first; you can lose contact with the switch if VLANs are not configured properly.
invalid vlan switch mikrotik.png
 
pnajm
Frequent Visitor
Topic Author
Posts: 93
Joined: Thu Nov 21, 2013 6:54 pm

Re: Switch Chip on CRS106-1C-5S

Sat Sep 01, 2018 6:42 pm

> Try this setting if switching VLANs on CRS 1xx or 2xx.
>
> Without it the switch practically does not filter VLANs.
>
> Be sure to test in a lab first; you can lose contact with the switch if VLANs are not configured properly.
>
> invalid vlan switch mikrotik.png

forward invalid vlan=no is already set in my configuration!
 
chechito
Forum Guru
Posts: 1736
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: Switch Chip on CRS106-1C-5S

Sat Sep 01, 2018 7:12 pm

OK then,

check your VLAN setup behavior in the FDB.

switch fdb.png
 
ADahi
Member Candidate
Posts: 217
Joined: Thu Sep 21, 2017 7:16 pm
Location: Iraq, Ninavah

Re: Switch Chip on CRS106-1C-5S

Mon Sep 03, 2018 11:15 am

I have a CRS125 and it is working with the bugfix version with no issues.
 
pnajm
Frequent Visitor
Topic Author
Posts: 93
Joined: Thu Nov 21, 2013 6:54 pm

Re: Switch Chip on CRS106-1C-5S

Tue Sep 04, 2018 1:15 am

> I have a CRS125 and it is working with the bugfix version with no issues.

Can you post which version you are using, please?
 
pnajm
Frequent Visitor
Topic Author
Posts: 93
Joined: Thu Nov 21, 2013 6:54 pm

Re: Switch Chip on CRS106-1C-5S

Tue Sep 04, 2018 1:37 am

> OK then,
>
> check your VLAN setup behavior in the FDB.

I can see vlan 0 but I didn't configure vlan 0 anywhere!
Is this behavior normal?
Capture.JPG
 
pnajm
Frequent Visitor
Topic Author
Posts: 93
Joined: Thu Nov 21, 2013 6:54 pm

Re: Switch Chip on CRS106-1C-5S

Sat Oct 20, 2018 4:23 pm

Bump.
Updated RouterOS version to 6.42.9 (longterm) and the problem still exists!
 
pnajm
Frequent Visitor
Topic Author
Posts: 93
Joined: Thu Nov 21, 2013 6:54 pm

Re: Switch Chip on CRS106-1C-5S

Fri Nov 09, 2018 3:51 am

Problem is also happening on other switch chip devices as well.
Here are 2 examples of traffic passing from vlan 100 (broadcast) to access port vlan 200.
Both devices are on 6.42.9 version.
Pictures include all switch configurations.

OmniTik
omni.jpg
CRS106-1C-5S
crs.jpg
Please help me solve this mysterious problem.
 
davzar
just joined
Posts: 8
Joined: Tue Aug 09, 2016 11:20 am

Re: Switch Chip on CRS106-1C-5S

Fri Nov 09, 2018 11:54 am

I think that the problem could be that you've added switch-cpu in both VLANs: you should use it only on the management VLAN.
Give it a try.
 
pnajm
Frequent Visitor
Topic Author
Posts: 93
Joined: Thu Nov 21, 2013 6:54 pm

Re: Switch Chip on CRS106-1C-5S

Fri Nov 09, 2018 3:02 pm

> I think that the problem could be that you've added switch-cpu in both VLANs: you should use it only on the management VLAN.
> Give it a try.

@davzar switch1-cpu was added ONLY on the OmniTik because the wlan1 needs it to forward the tags properly.
If I remove switch1-cpu vlan200 will not pass onto wlan1.
switch1-cpu is not added on the CRS as you can see in the picture, so I highly doubt it is the culprit.
 
pnajm
Frequent Visitor
Topic Author
Posts: 93
Joined: Thu Nov 21, 2013 6:54 pm

Re: Switch Chip on CRS106-1C-5S

Sun Nov 11, 2018 1:54 pm

Any help from mikrotik staff would be appreciated!
 
pnajm
Frequent Visitor
Topic Author
Posts: 93
Joined: Thu Nov 21, 2013 6:54 pm

Re: Switch Chip on CRS106-1C-5S

Mon Nov 12, 2018 7:42 pm

bump
 
pnajm
Frequent Visitor
Topic Author
Posts: 93
Joined: Thu Nov 21, 2013 6:54 pm

Re: Switch Chip on CRS106-1C-5S

Tue Nov 13, 2018 7:48 pm

anyone?
