markmcn
Member Candidate
Topic Author
Posts: 121
Joined: Wed Mar 03, 2010 2:15 am

Vrrp+Vlan=Flooding?

Sat Dec 21, 2019 1:38 am

Hi All,
I’m having an issue with VRRP. Now it’s very possible the issue is me and a mistake I’m making, but please hear me out. I would appreciate any help. The short version is that when I build the topology in the diagram, RSTP converges exactly as I expect. (Hardware offload is disabled by VLAN filtering; this is not an issue.) When I use VRRP with VLANs, any frames with a dst-mac address of the VRRP interface are being flooded by the bridge, as the bridge is not learning the MAC address of the VRRP interface. I’ve recreated this in a test setup: if I just build the VRRP interface on the bridge, then it works as expected with no flooding. However, if I build VLANs on the bridge and VRRP interfaces on each VLAN interface, then we end up with flooding. If I’ve got an error in my config, please share. I have attached config dumps for both builds, with and without VLANs. (The phpBB won't allow me to post the full backups or the support dumps.)
Layout.jpg
I started with the latest and greatest code, including upgraded firmware. For testing, all devices are hEX (750G r3).
Router 1 With Vlans
/interface bridge
add admin-mac=02:00:00:AA:00:01 auto-mac=no name=brTrunk priority=0x2000 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=Router1<->Switch1
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=ether3 ] comment=Router1<->Router2
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] comment=Management
/interface vlan
add interface=brTrunk name=vlan10 vlan-id=10
/interface vrrp
add interface=vlan10 name=vrrp10 vrid=10
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=brTrunk interface=ether3
add bridge=brTrunk interface=ether1
/interface bridge settings
set allow-fast-path=no
/interface bridge vlan
add bridge=brTrunk tagged=brTrunk,ether1,ether3 vlan-ids=10


/ip address
add address=10.0.0.2/24 interface=vlan10 network=10.0.0.0
add address=10.0.0.1 interface=vrrp10 network=10.0.0.1
Router2 With Vlans

/interface bridge
add admin-mac=02:00:00:AA:00:02 auto-mac=no name=brTrunk priority=0x3000 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] disabled=yes
set [ find default-name=ether2 ] comment=Router2<->Switch1
set [ find default-name=ether3 ] comment=Router1<->Router2
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] comment=Management
/interface vlan
add interface=brTrunk name=vlan10 vlan-id=10
/interface vrrp
add interface=vlan10 name=vrrp10 vrid=10
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=brTrunk interface=ether3
add bridge=brTrunk interface=ether2
/interface bridge vlan
add bridge=brTrunk tagged=brTrunk,ether2,ether3 vlan-ids=10
Switch1 with vlans

/interface bridge
add admin-mac=02:00:00:AA:00:03 auto-mac=no name=brTrunk vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=Router1
set [ find default-name=ether2 ] comment=Router2
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] comment=Management
/interface vlan
add interface=brTrunk name=vlan10 vlan-id=10
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=brTrunk interface=ether1
add bridge=brTrunk interface=ether2
/interface bridge vlan
add bridge=brTrunk tagged=brTrunk,ether1,ether2 vlan-ids=10
When the above config is built and traffic is sourced from the switch in VLAN 10 and destined to the VRRP MAC address, Router1 will flood it to other links, in this case Router2. It's not an error in the WinBox numbers, as when I look on Router2 I can see and capture the traffic.
Router 1 Bridge host table (The VRRP mac is missing)

[admin@Router1] > /interface bridge host print 
Flags: X - disabled, I - invalid, D - dynamic, L - local, E - external 
 #       MAC-ADDRESS        VID ON-INTERFACE    BRIDGE    AGE                 
 0   DL  02:00:00:AA:00:01      brTrunk         brTrunk  
 1   DL  CC:2D:E0:7D:7F:71      ether1          brTrunk  
 2   DL  CC:2D:E0:7D:7F:73      ether3          brTrunk  
 3   DL  02:00:00:AA:00:01    1 brTrunk         brTrunk  
 4   D   02:00:00:AA:00:02    1 ether3          brTrunk   58s                 
 5   D   02:00:00:AA:00:03    1 ether3          brTrunk   57s                 
 6   D   CC:2D:E0:65:7D:F4    1 ether1          brTrunk   57s                 
 7   D   CC:2D:E0:65:7D:F5    1 ether3          brTrunk   57s                 
 8   D   CC:2D:E0:69:45:D4    1 ether3          brTrunk   58s                 
 9   DL  CC:2D:E0:7D:7F:71    1 ether1          brTrunk  
10   DL  CC:2D:E0:7D:7F:73    1 ether3          brTrunk  
11   DL  02:00:00:AA:00:01   10 brTrunk         brTrunk  
12   D   02:00:00:AA:00:02   10 ether3          brTrunk   58s                 
13   D   02:00:00:AA:00:03   10 ether1          brTrunk   1s                  
14   DL  CC:2D:E0:7D:7F:71   10 ether1          brTrunk  
15   DL  CC:2D:E0:7D:7F:73   10 ether3          brTrunk  
Below you can see the ARP table and the bridge host table collected from the switch, which shows it's able to learn the correct MAC for the VRRP interface and it's switching it out the correct interface (ether1, tagged as vlan10).

[admin@Switch1] > /ip arp print 
Flags: X - disabled, I - invalid, H - DHCP, D - dynamic, P - published, 
C - complete 
 #    ADDRESS         MAC-ADDRESS       INTERFACE                                
 0 DC 172.17.2.4      B8:27:EB:EF:C3:32 ether5                                   
 1 DC 10.0.0.1        00:00:5E:00:01:0A vlan10

[admin@Switch1] > /interface bridge host print 
Flags: X - disabled, I - invalid, D - dynamic, L - local, E - external 
 #       MAC-ADDRESS        VID ON-INTERFACE    BRIDGE    AGE                 
 0   DL  02:00:00:AA:00:03      brTrunk         brTrunk  
 1   DL  CC:2D:E0:65:7D:F4      ether1          brTrunk  
 2   DL  CC:2D:E0:65:7D:F5      ether2          brTrunk  
 3   D   02:00:00:AA:00:01    1 ether1          brTrunk   43s                 
 4   D   02:00:00:AA:00:02    1 ether1          brTrunk   45s                 
 5   DL  02:00:00:AA:00:03    1 brTrunk         brTrunk  
 6   DL  CC:2D:E0:65:7D:F4    1 ether1          brTrunk  
 7   DL  CC:2D:E0:65:7D:F5    1 ether2          brTrunk  
 8   D   CC:2D:E0:69:45:D4    1 ether1          brTrunk   45s                 
 9   D   CC:2D:E0:7D:7F:71    1 ether1          brTrunk   1s                  
10   D   00:00:5E:00:01:0A   10 ether1          brTrunk   0s
11   D   02:00:00:AA:00:01   10 ether1          brTrunk   0s                  
12   D   02:00:00:AA:00:02   10 ether1          brTrunk   45s                 
13   DL  02:00:00:AA:00:03   10 brTrunk         brTrunk  
14   DL  CC:2D:E0:65:7D:F4   10 ether1          brTrunk  
15   DL  CC:2D:E0:65:7D:F5   10 ether2          brTrunk  
So that's it. Is it something I've messed up? Is it a bug? Please share your thoughts.
I've uploaded full backup dumps, support output dumps and full configs in the attached zip file if you wish to recreate/test.
The DHCP client on ether5 on all devices was just used for management and setup of the lab, so it can be ignored. I've seen this behavior also on an RB1100AHx4, so I'm thinking it's something I've done wrong.
Thank you to anyone who has taken the time to read this and is willing to share.
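The check described in the post above, as an added example that is not part of the original thread: it derives the VRRP virtual MAC from the VRID, parses `/interface bridge host print` output, and applies the standard bridge forwarding decision to show which ports receive a frame addressed to that MAC. The sample rows are constructed from the Router1 table in the post; the function names and `VLAN10_PORTS` are assumptions made for this illustration.

```python
import re

# Constructed sample in the format of `/interface bridge host print`,
# modelled on the VID 10 rows of the Router1 table in the post.
SAMPLE_HOSTS = """\
 0   DL  02:00:00:AA:00:01      brTrunk         brTrunk
11   DL  02:00:00:AA:00:01   10 brTrunk         brTrunk
12   D   02:00:00:AA:00:02   10 ether3          brTrunk   58s
13   D   02:00:00:AA:00:03   10 ether1          brTrunk   1s
14   DL  CC:2D:E0:7D:7F:71   10 ether1          brTrunk
"""
# Ports tagged for VLAN 10 on Router1 (from its `/interface bridge vlan` line).
VLAN10_PORTS = ["brTrunk", "ether1", "ether3"]

# index, flags, MAC, optional VID, ON-INTERFACE, BRIDGE
ROW = re.compile(r"^\s*\d+\s+[A-Z]+\s+((?:[0-9A-F]{2}:){5}[0-9A-F]{2})"
                 r"\s+(?:(\d+)\s+)?(\S+)\s+\S+", re.I)

def vrrp_mac(vrid, ipv6=False):
    """Virtual router MAC per RFC 5798: 00:00:5E:00:01:VRID (IPv4), :02: for IPv6."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1..255")
    return "00:00:5E:00:%02X:%02X" % (2 if ipv6 else 1, vrid)

def parse_hosts(text):
    """Return {(vid, mac): on_interface}; rows with no VID column get vid None."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            mac, vid, port = m.groups()
            table[(int(vid) if vid else None, mac.upper())] = port
    return table

def egress_ports(table, vlan_ports, vid, dst_mac, ingress):
    """Known unicast goes to one port; unknown unicast floods the VLAN."""
    port = table.get((vid, dst_mac.upper()))
    if port is not None:
        return [] if port == ingress else [port]
    return sorted(p for p in vlan_ports if p != ingress)

if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    vmac = vrrp_mac(10)  # vrid=10 from the posted config
    print(vmac, "learned in VID 10:", (10, vmac) in hosts)
    print("egress for frame arriving on ether1:",
          egress_ports(hosts, VLAN10_PORTS, 10, vmac, "ether1"))
```

With the virtual MAC absent from the table, the frame is copied to `ether3` (towards Router2) as well as to the bridge itself, which is the flooding the post reports.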
 
markmcn
Member Candidate
Topic Author
Posts: 121
Joined: Wed Mar 03, 2010 2:15 am

Re: Vrrp+Vlan=Flooding?

Sat Dec 21, 2019 7:09 pm

Just an update on this,
I'm getting to the conclusion this is a bug,
If I move the VLAN interface to a physical port which is a member of brTrunk, the traffic does not flood. The MAC address of the VRRP interface is still not showing in the bridge host table, but at least it's not flooding.
The problem this creates is that if the physical port goes down, then we lose the VLAN interface :(
 
markmcn
Member Candidate
Topic Author
Posts: 121
Joined: Wed Mar 03, 2010 2:15 am

Re: Vrrp+Vlan=Flooding?

Sun Dec 29, 2019 12:09 am

To close this out, just in case anyone else is reading this:
As of the date of posting this, MikroTik Support have confirmed this unexpected flooding of traffic is a software bug. They have not currently provided any details as to when it will be addressed.
So be warned: if you are planning to use VRRP with VLANs, then you will see flooding of traffic as outlined above.
Cheers
Mark
 
Phaere
just joined
Posts: 23
Joined: Thu Jul 17, 2014 3:01 pm
Location: Kyiv

Re: Vrrp+Vlan=Flooding?

Tue May 05, 2020 2:58 pm

Hello
@markmcn, thanks for the detailed info; it seems that we have this problem too :(
Has MikroTik Support provided additional info or any deadlines about this problem?
 
infused
Member
Posts: 313
Joined: Fri Dec 28, 2012 2:33 pm

Re: Vrrp+Vlan=Flooding?

Thu Aug 27, 2020 8:11 am

bumping as we have the same issue on two CCRs
 
ashaw
just joined
Posts: 2
Joined: Fri Apr 03, 2020 3:32 pm

Re: Vrrp+Vlan=Flooding?

Tue Sep 22, 2020 3:00 pm

We also have this problem - *bump*
