
Switch Chip on CRS106-1C-5S

Posted: Fri Aug 31, 2018 10:33 am
by pnajm
I have 11 CRS106-1C-5S running ROS version 6.42.6 all connected through single mode fiber cables and Mikrotik SFP modules.
Boards have been running fine for 11 months now.
I created a bridge and added all ports to it with hardware offloading enabled.
I have set up tagged and untagged vlans on the switch chip according to Mikrotik wiki.
Management vlan 100 (tagged) created on the bridge interface.
Untagged vlan 200 assigned to combo/ether port.

I wanted complete isolation of vlans but the problem is:
I can see traffic from tagged vlan 100 going to combo port. (broadcast and multicast traffic).
I can also see untagged traffic going to all ports in bridge (802.2 traffic)
What may be the problem?
Also shouldn't (interface ethernet switch set forward-unknown-vlan=no) eliminate this issue?

Here is my config export:
/interface bridge
add name=bridge
/interface ethernet
set [ find default-name=combo1 ] name=combo-TP-LinkSwitch
set [ find default-name=sfp1 ] name=sfp1-Main
set [ find default-name=sfp2 ] name=sfp2
/interface vlan
add interface=bridge name=vlan-mgmt vlan-id=100
/interface ethernet switch
set forward-unknown-vlan=no
/interface list
add name=Management
add exclude=dynamic name=discover
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/interface bridge port
add bridge=bridge interface=sfp5
add bridge=bridge interface=sfp4
add bridge=bridge interface=sfp3
add bridge=bridge interface=sfp2
add bridge=bridge hw=no interface=combo-TP-LinkSwitch
add bridge=bridge interface=sfp1-Main
/ip neighbor discovery-settings
set discover-interface-list=Management
/interface ethernet switch egress-vlan-tag
add tagged-ports=sfp1-Main,sfp2,sfp3,sfp4,sfp5 vlan-id=200
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=200 ports=combo-TP-LinkSwitch
/interface ethernet switch vlan
add ports=switch1-cpu,sfp1-Main,sfp2,sfp3,sfp4,sfp5 vlan-id=100
add ports=sfp1-Main,combo-TP-LinkSwitch,sfp2,sfp3,sfp4,sfp5 vlan-id=200
/interface list member
add interface=vlan-mgmt list=Management
/ip address
add address=192.168.25.52/24 interface=vlan-mgmt network=192.168.25.0
/ip dns
set servers=192.168.25.12,192.168.25.13
/ip route
add distance=1 gateway=192.168.25.1

Re: Switch Chip on CRS106-1C-5S

Posted: Fri Aug 31, 2018 3:29 pm
by Samot
Well, the first thing I would do is make sure that VLAN200 is set up as an actual interface on the router. You only have VLAN100 set up but you're setting up VLAN rules that include 200.

Re: Switch Chip on CRS106-1C-5S

Posted: Fri Aug 31, 2018 3:50 pm
by proximus
The last step in the guide is to add:
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=
https://wiki.mikrotik.com/wiki/Manual:C ... figuration

I don't see that in your config.
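
An added example (not code from any poster or from MikroTik): a small Python check over the switch-related lines of the export posted above. It lists the bridge ports that are not named in the drop-if-invalid-or-src-port-not-member-of-vlan-on-ports setting mentioned in this reply, along with each port's membership in the switch VLAN table. The function names are made up for illustration, and the parser assumes one command per line with no quoted values.

```python
import re

FILTER_KEY = "drop-if-invalid-or-src-port-not-member-of-vlan-on-ports"

# Switch-related lines copied from the export posted in this thread.
EXPORT = """\
/interface ethernet switch
set forward-unknown-vlan=no
/interface bridge port
add bridge=bridge interface=sfp5
add bridge=bridge interface=sfp4
add bridge=bridge interface=sfp3
add bridge=bridge interface=sfp2
add bridge=bridge hw=no interface=combo-TP-LinkSwitch
add bridge=bridge interface=sfp1-Main
/interface ethernet switch vlan
add ports=switch1-cpu,sfp1-Main,sfp2,sfp3,sfp4,sfp5 vlan-id=100
add ports=sfp1-Main,combo-TP-LinkSwitch,sfp2,sfp3,sfp4,sfp5 vlan-id=200
"""

def parse_export(text):
    """Return (menu, {key: value}) for every add/set line of an export."""
    menu, rows = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line  # a line starting with "/" selects the current menu
        elif line.startswith(("add ", "set ")):
            rows.append((menu, dict(re.findall(r"([\w-]+)=(\S*)", line))))
    return rows

def audit(text):
    """Report bridge ports lacking the ingress filter, and VLAN membership."""
    rows = parse_export(text)
    bridge = [kv for m, kv in rows if m == "/interface bridge port"]
    ports = [kv["interface"] for kv in bridge]
    filtered = set()
    for m, kv in rows:
        if m == "/interface ethernet switch":
            filtered.update(p for p in kv.get(FILTER_KEY, "").split(",") if p)
    vlans = {int(kv["vlan-id"]): kv["ports"].split(",")
             for m, kv in rows if m == "/interface ethernet switch vlan"}
    return {
        "unfiltered_ports": sorted(set(ports) - filtered),
        "hw_offload_disabled": [kv["interface"] for kv in bridge if kv.get("hw") == "no"],
        "membership": {p: sorted(v for v, ps in vlans.items() if p in ps) for p in ports},
    }

if __name__ == "__main__":
    for name, value in audit(EXPORT).items():
        print(name, value)
```
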

Re: Switch Chip on CRS106-1C-5S

Posted: Fri Aug 31, 2018 6:15 pm
by ADahi
The last step in the guide is to add:
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=
https://wiki.mikrotik.com/wiki/Manual:C ... figuration

I don't see that in your config.

This is the same:
/interface ethernet switch
set forward-unknown-vlan=no

Re: Switch Chip on CRS106-1C-5S

Posted: Fri Aug 31, 2018 6:33 pm
by ADahi
I guess the reason is that you specified "hw=no" for interface=combo-TP-LinkSwitch

if hw=no : switching configuration is done by the CPU, bridge->vlan
if hw=yes : switching configuration is done by the Switch Chip, switch->vlan

Put a different PVID on each port
and do not forget "sa-learning=yes" in [/interface ethernet switch ingress-vlan-translation]

Hope this helps you
best regards

Re: Switch Chip on CRS106-1C-5S

Posted: Sat Sep 01, 2018 5:08 pm
by pnajm
I guess the reason is that you specified "hw=no" for interface=combo-TP-LinkSwitch

if hw=no : switching configuration is done by the CPU, bridge->vlan
if hw=yes : switching configuration is done by the Switch Chip, switch->vlan

Put a different PVID on each port
and do not forget "sa-learning=yes" in [/interface ethernet switch ingress-vlan-translation]

Hope this helps you
best regards
hw=no was a mistake during config export, it is enabled by default.
sa-learning is enabled by default.
I don't see how changing the PVID for each port would solve my issue.

Re: Switch Chip on CRS106-1C-5S

Posted: Sat Sep 01, 2018 5:14 pm
by pnajm
The main question is:
- Why am I seeing tagged traffic passing on to the combo port, which is configured for vlan 200?

Update:
If I put the vlan 100 interface on the uplink port instead of the bridge, the combo port stops receiving vlan 100 tagged packets!
Can you explain this behaviour?

Re: Switch Chip on CRS106-1C-5S

Posted: Sat Sep 01, 2018 6:15 pm
by chechito
Try this setting if switching VLANs on CRS 1xx or 2xx.

Without it the switch practically does not filter VLANs.

Be sure to test in a lab first; you can lose contact with the switch if the VLANs are not configured properly.
invalid vlan switch mikrotik.png

Re: Switch Chip on CRS106-1C-5S

Posted: Sat Sep 01, 2018 6:42 pm
by pnajm
Try this setting if switching VLANs on CRS 1xx or 2xx.

Without it the switch practically does not filter VLANs.

Be sure to test in a lab first; you can lose contact with the switch if the VLANs are not configured properly.

invalid vlan switch mikrotik.png
forward invalid vlan=no is already set in my configuration!

Re: Switch Chip on CRS106-1C-5S

Posted: Sat Sep 01, 2018 7:12 pm
by chechito
OK then,

check your VLAN setup behavior in the FDB

switch fdb.png

Re: Switch Chip on CRS106-1C-5S

Posted: Mon Sep 03, 2018 11:15 am
by ADahi
I have a CRS125 and it is working with the bugfix version with no issues

Re: Switch Chip on CRS106-1C-5S

Posted: Tue Sep 04, 2018 1:15 am
by pnajm
I have a CRS125 and it is working with the bugfix version with no issues
Can you post which version you are using please?

Re: Switch Chip on CRS106-1C-5S

Posted: Tue Sep 04, 2018 1:37 am
by pnajm
OK then,

check your VLAN setup behavior in the FDB
I can see vlan 0 but I didn't configure vlan 0 anywhere!
Is this behavior normal?
Capture.JPG

Re: Switch Chip on CRS106-1C-5S

Posted: Sat Oct 20, 2018 4:23 pm
by pnajm
bump
Updated RouterOS version to 6.42.9 (longterm) and the problem still exists!

Re: Switch Chip on CRS106-1C-5S

Posted: Fri Nov 09, 2018 3:51 am
by pnajm
Problem is also happening on other switch chip devices as well.
Here are 2 examples of traffic passing from vlan 100 (broadcast) to access port vlan 200.
Both devices are on 6.42.9 version.
Pictures include all switch configurations.

OmniTik
omni.jpg
CRS106-1C-5S
crs.jpg
Please help me solve this mysterious problem.

Re: Switch Chip on CRS106-1C-5S

Posted: Fri Nov 09, 2018 11:54 am
by davzar
I think that the problem could be that you've added switch-cpu in both VLANs: you should use it only on the management VLAN.
Give it a try

Re: Switch Chip on CRS106-1C-5S

Posted: Fri Nov 09, 2018 3:02 pm
by pnajm
I think that the problem could be that you've added switch-cpu in both VLANs: you should use it only on the management VLAN.
Give it a try
@davzar switch1-cpu was added ONLY on the OmniTik because the wlan1 needs it to forward the tags properly.
If I remove switch1-cpu vlan200 will not pass onto wlan1.
switch1-cpu is not added on the CRS as you can see in the picture, so I highly doubt it is the culprit.

Re: Switch Chip on CRS106-1C-5S

Posted: Sun Nov 11, 2018 1:54 pm
by pnajm
Any help from mikrotik staff would be appreciated!

Re: Switch Chip on CRS106-1C-5S

Posted: Mon Nov 12, 2018 7:42 pm
by pnajm
bump

Re: Switch Chip on CRS106-1C-5S

Posted: Tue Nov 13, 2018 7:48 pm
by pnajm
anyone?