tojoe
just joined
Topic Author
Posts: 9
Joined: Tue Apr 09, 2019 6:19 pm

CRS326 loop-protect with pvid != 1 and VLAN filtering

Sun Dec 01, 2019 10:42 am

Hello,
I've got my hands on a few CRS326-24G-2S+ (budget is tight at the end of the year...) running 6.45.7 to replace some old (f)ailing HP 1GBit switches in our labs, but I'm having issues with the MikroTik implementation of the loop-protect feature.
loop-protect only works properly when a port is configured with the default PVID 1 or VLAN filtering is disabled. The moment I change the PVID or enable VLAN ingress filtering I do get log entries like "interface,warning ether7: bridge port received packet with own address as source address, probably loop" and "interface,warning ether7 excessive broadcasts/multicasts, probably a loop", but the ports don't get disabled. If I change the PVID back to 1 or disable VLAN filtering the ports get properly disabled again.
To test, just use the default config, disable STP, add another VLAN, configure the PVID of 2 ports to that VLAN, and enable loop-protect on those ports.
The moment you enable any kind of VLAN (ingress) filtering, either on the bridge ports or the bridge interface, ports don't get disabled.

Using (R)STP does not help since we do have devices with multiple ports which block STP BPDUs while forwarding other traffic.

Any hint on how to get loop-protection working with VLAN filtering and different PVIDs?

Regards,
Thomas
 
Zacharias
Forum Guru
Posts: 1075
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: CRS326 loop-protect with pvid != 1 and VLAN filtering

Sun Dec 01, 2019 11:20 am

That is normal, RSTP might not detect loops in a VLAN...
Since RouterOS v6.41 it is possible to enable Multiple Spanning Tree Protocol (MSTP) on a bridge interface to ensure a loop-free topology across multiple VLANs.
Read here : https://wiki.mikrotik.com/wiki/Manual:S ... e_Protocol
 
sindy
Forum Guru
Posts: 4191
Joined: Mon Dec 04, 2017 9:19 pm

Re: CRS326 loop-protect with pvid != 1 and VLAN filtering

Sun Dec 01, 2019 12:47 pm

@Zacharias, the OP has stated he's got devices in his network which prevent any flavour of STP from working, as these devices are clever enough not to blindly forward frames with "link-local" dst-mac-address but not clever enough to run xSTP as such. So they just break the chain.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
tojoe
just joined
Topic Author
Posts: 9
Joined: Tue Apr 09, 2019 6:19 pm

Re: CRS326 loop-protect with pvid != 1 and VLAN filtering

Sun Dec 01, 2019 4:41 pm

Any kind of STP is not an option, loop protection implemented in the old HP switches works though. Simply enabling loop protection on the old HP switches just works without any issues, even when the ports are configured in different VLANs.
On the CRS326 loop-protection just doesn't do anything the moment a port is in a different PVID than 1 and VLAN filtering is enabled, even when both ports of the loop are configured with the same PVID.
 
Zacharias
Forum Guru
Posts: 1075
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: CRS326 loop-protect with pvid != 1 and VLAN filtering

Sun Dec 01, 2019 5:11 pm

On the CRS326 loop-protection just doesn't do anything the moment a port is in a different PVID than 1 and VLAN filtering is enabled
Loop protection using what protocol? Still don't understand...
 
tojoe
just joined
Topic Author
Posts: 9
Joined: Tue Apr 09, 2019 6:19 pm

Re: CRS326 loop-protect with pvid != 1 and VLAN filtering

Sun Dec 01, 2019 5:20 pm

Using the loop-protect feature as described in https://wiki.mikrotik.com/wiki/Manual:Loop_Protect in the /interface ethernet sub-menu.
The manual says it's recommended to use STP when the interfaces are added to a bridge, but not that it won't work at all the moment VLANs come into play.
Enabling loop-protect in the /interface vlan submenu doesn't help, and I don't have interfaces added to all VLANs anyway.
 
Zacharias
Forum Guru
Posts: 1075
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: CRS326 loop-protect with pvid != 1 and VLAN filtering

Sun Dec 01, 2019 5:33 pm

The manual says it's recommended to use STP when the interfaces are added to a bridge but not that it won't work at all the moment VLANs come into play
Wrong...
In case there is a loop inside a certain VLAN, (R)STP might not be able to detect it
https://wiki.mikrotik.com/wiki/Manual:S ... e_Protocol
Why dont you try MSTP ?
 
tojoe
just joined
Topic Author
Posts: 9
Joined: Tue Apr 09, 2019 6:19 pm

Re: CRS326 loop-protect with pvid != 1 and VLAN filtering

Sun Dec 01, 2019 5:44 pm

STP and the loop-protect feature are 2 different ways to prevent loops, and due to certain circumstances I *can't* use any kind of STP to detect loops; only loop-protect works.
 
sindy
Forum Guru
Posts: 4191
Joined: Mon Dec 04, 2017 9:19 pm

Re: CRS326 loop-protect with pvid != 1 and VLAN filtering

Sun Dec 01, 2019 5:50 pm

@tojoe, I agree that the manual is not excessively verbose regarding loop-protect, but there is an interesting point - you can activate it not only at physical Ethernet interfaces and L2 tunnels but also at /interface vlan. Which suggests that the protocol is VLAN-aware. So I've checked what is actually going on. I've used a hAP and a hEX for the test, but given that Mikrotik use their own ethertype for the loop-protect frames, I guess it is not implemented in hardware on CRS3xx so it behaves the same there. I've used 6.45.7 for the test.

The auto-disabling of an Ethernet port only happens when the port receives a tagless loop-protect frame with one of the machine's own MAC addresses as source. If it receives such a frame tagged, it forwards it rather than blocking itself, but it does log the event (it logs ANY frame like that, not just a loop-protect one).

While vlan-filtering is set to no on a bridge, no tagging or untagging is ever done on Ethernet or EoIP member ports of that bridge, only on /interface vlan attached to it, and the pvid values of /interface bridge port rows are ignored.

And what's best, if an /interface vlan receives a loop-protect frame with a matching tag, it gets disabled too. Which is fine in the one-bridge-per-each-vlan configuration (where the tagged ends of several /interface vlan are connected to different carrier interfaces and their tagless ends are member ports of the same bridge), but a disaster in the common-bridge-for-all-vlans setup where the loop-protection frame sent by itself comes back to an /interface vlan.

So if you can make sure that you use the same pvid on all Ethernet ports belonging to the same bridge, you are fine to use loop-protect on those Ethernet ports. If you need to use the same VLAN tagged on some ports of a bridge and tagless on other ports of the same bridge, the loop-protect mechanism as currently implemented in RouterOS will not work properly.
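The reproduction tojoe describes in the opening post, and the "same pvid on every port of the bridge" variant sindy arrives at above, written out as RouterOS 6.4x terminal commands. This is an added example, not configuration posted in the thread: it assumes the default CRS326 config (one bridge named "bridge", all ports members, pvid 1); the port names ether3/ether5, VLAN id 20 and the loop-protect timers are arbitrary choices, and the second part is derived from the thread's observations rather than independently tested.

```routeros
# Added example, not from the thread. Assumes the default CRS326 config
# (all ports are members of "bridge", bridge pvid 1). Port names
# ether3/ether5, VLAN id 20 and the timers are arbitrary choices.

# --- Failing case, as reported by tojoe --------------------------------
# No (R)STP at all, because the OP has devices that drop BPDUs.
/interface bridge set bridge protocol-mode=none
# Two access ports moved to VLAN 20 while the bridge itself stays on pvid 1.
/interface bridge port set [find interface=ether3] pvid=20
/interface bridge port set [find interface=ether5] pvid=20
/interface ethernet set [find name=ether3] loop-protect=on \
    loop-protect-send-interval=5s loop-protect-disable-time=5m
/interface ethernet set [find name=ether5] loop-protect=on \
    loop-protect-send-interval=5s loop-protect-disable-time=5m
# Enabling VLAN filtering is the step after which the ports stop being
# auto-disabled.
/interface bridge set bridge vlan-filtering=yes

# Patch ether3 to ether5 and check. Expected per the thread: the
# "probably loop" warnings are logged, but no port is blocked.
/log print where message~"probably"
/interface ethernet print where loop-protect-status=on

# --- Variant derived from sindy's conclusion ---------------------------
# Every Ethernet member port and the bridge use the same pvid, so per
# sindy's explanation the loop-protect frame comes back tagless and the
# receiving port is disabled. Management on the bridge follows VLAN 20.
/interface bridge set bridge pvid=20
/interface bridge port set [find bridge=bridge] pvid=20
# Untagged VLAN 20 membership is created dynamically from the pvid values;
# no static /interface bridge vlan entry is needed for these ports.
/interface bridge vlan print
```

Note that this only covers access ports, which is the case tojoe cares about; as sindy points out further down, a VLAN-agnostic mechanism cannot protect trunk ports where different VLANs legitimately use different physical links between the same two switches.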
 
tojoe
just joined
Topic Author
Posts: 9
Joined: Tue Apr 09, 2019 6:19 pm

Re: CRS326 loop-protect with pvid != 1 and VLAN filtering

Sun Dec 01, 2019 5:58 pm

@sindy thanks, that just affirms my doubts about MikroTik's implementation of loop-protect vs. what I'm used to from HP.
Guess we have to drill our students even more to not connect more than one cable unless they're 110% sure their config is right and otherwise hope the upstream switches catch the loop.
Need to test the behaviour of the switch-ports of our new VoIP phones whether at least they play nice with STP or still drop STP BPDUs like the ancient ones I've toyed with.
 
sindy
Forum Guru
Posts: 4191
Joined: Mon Dec 04, 2017 9:19 pm

Re: CRS326 loop-protect with pvid != 1 and VLAN filtering

Sun Dec 01, 2019 6:41 pm

There is actually no good way of handling the loop protection on trunk ports without xSTP, because in some scenarios you may want to use a different physical link between the same two switches for different (groups of) VLANs, something a VLAN-agnostic loop protection mechanism is not compatible with. Whereas if only used to cut loops between access ports, both the HPE and the Mikrotik implementations work fine.

But I'd say let the students experience the fireworks, they will remember better why to take care about loops.
 
tojoe
just joined
Topic Author
Posts: 9
Joined: Tue Apr 09, 2019 6:19 pm

Re: CRS326 loop-protect with pvid != 1 and VLAN filtering

Sun Dec 01, 2019 7:08 pm

Well, I'm not really concerned about loops on trunk ports but access ports (i.e. a student loops switch port 3 with 5 because they mixed up the patch cables, even going as far as directly connecting the same cable to 2 ports of the CRS326), which doesn't get detected by loop-protect either as soon as the ethernet port's PVID is different from the bridge's PVID, as we discovered...
But STP should at least catch this, as there is no device filtering STP BPDUs involved.
It's just really annoying when a whole lab goes offline because some coworkers are too lazy (don't want to call them names, but they're always surprised like this is the first time...) to really care about stuff like loops and just come whining. Enabling loop-protect with a high timeout on the re-enable timer and ignoring them for some time helped, but if the loop (lacking working loop-protect) persists and stuff still doesn't work even the next day, checking all connections in the lab or having to access the switch with the serial console because the network is down gets tedious.
