TheLordOfTheShells
Frequent Visitor
Topic Author
Posts: 71
Joined: Tue Oct 03, 2017 2:48 am

CRS317-1G-16S+ High CPU lead to drop packet

Mon Mar 01, 2021 11:26 am

Hi guys
I have a CRS317 configured as the core of my system. We do not do much on it, just create DHCP for 4 VLANs and enable CAPsMAN to manage about 70 hAP ac2 APs.
For nearly one week now I have noticed that traffic is dropped randomly. After some checking I see that our CRS317 has quite high CPU usage.
So should I enable CAPsMAN on the CRS317, and what is the cause of the high CPU?
Thanks.
Image
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: CRS317-1G-16S+ High CPU lead to drop packet

Mon Mar 01, 2021 1:49 pm

CRS devices are intended to be L2 switches with some L3 functionality, such as providing DHCP, but NOT wire-speed L3 routing/firewalling as they are performance-limited by the CPU.

If you use CAPsMAN manager forwarding it imposes a significant CPU load on the CAPsMAN controller, so with a CRS as the controller you should be using CAPsMAN local forwarding so the hAP ac2 WLAN - ethernet traffic is handled in the hAP.
 
ste
Forum Guru
Posts: 1924
Joined: Sun Feb 13, 2005 11:21 pm

Re: CRS317-1G-16S+ High CPU lead to drop packet

Mon Mar 01, 2021 4:04 pm

CRS devices are intended to be L2 switches with some L3 functionality, such as providing DHCP, but NOT wire-speed L3 routing/firewalling as they are performance-limited by the CPU.

If you use CAPsMAN manager forwarding it imposes a significant CPU load on the CAPsMAN controller, so with a CRS as the controller you should be using CAPsMAN local forwarding so the hAP ac2 WLAN - ethernet traffic is handled in the hAP.
This is true. At least with non beta ROS. With V7 beta CRS317 is able to do HW Layer3.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: CRS317-1G-16S+ High CPU lead to drop packet

Mon Mar 01, 2021 6:36 pm

The /tool profile doesn't suggest that CAPsMAN is the biggest CPU hog. The 32 % CPU spent on ethernet would bother me much more. So I'd assume that there is either a lot of inter-VLAN traffic routed by the 317, or hardware L2 forwarding has been disabled by mistake.

EDIT: indeed the Ethernet traffic may be the encapsulated wireless packets coming from the CAPs. So still possible it's the cause.
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: CRS317-1G-16S+ High CPU lead to drop packet

Mon Mar 01, 2021 8:22 pm

Also the OP only provided CPU utilisation for one core. AFAIK not all processes utilise multiple CPU cores well.
 
TheLordOfTheShells
Frequent Visitor
Topic Author
Posts: 71
Joined: Tue Oct 03, 2017 2:48 am

Re: CRS317-1G-16S+ High CPU lead to drop packet

Tue Mar 02, 2021 5:54 am

Hi guys
"So with a CRS as the controller you should be using CAPsMAN local forwarding so the hAP ac2 WLAN - ethernet traffic is handled in the hAP." Do you have any guide for that? Please share it with me.
For RouterOS: currently my CRS317 is running v6.48.1, the newest one.
For hardware offloading: the status shows it is still running on our bridge.
I noticed that the overall traffic is not high. I wonder whether some computer in my network causes this problem, and how can I troubleshoot it?
Thanks
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: CRS317-1G-16S+ High CPU lead to drop packet

Tue Mar 02, 2021 10:05 am

"So with a CRS as the controller you should be using CAPsMAN local forwarding so the hAP ac2 WLAN - ethernet traffic is handled in the hAP." Do you have any guide for that? Please share it with me.
The guide is as follows:
  • on each CAP:
    • make sure that a VLAN for each SSID you use on a given CAP is available on its uplink interface,
    • make the uplink interface a member port of bridge X (you can reuse the default bridge or create a new one, and take care not to lose management access to the CAP; if you need a more detailed guide on this, I need the current configuration of the CAP)
    • set the bridge item under /interface wireless cap to X
  • on the CRS317: on each /caps-man datapath row used by the individual SSID, set local-forwarding=yes vlan-mode=use-tag vlan-id=the-VID-for-that-SSID
This will move the conversion of wireless frames into VLAN-tagged Ethernet ones, and vice versa, from the CRS317 to the CAPs.

I noticed that the overall traffic is not high. I wonder whether some computer in my network causes this problem, and how can I troubleshoot it?
That computer would have to flood the CRS with a traffic its CPU would have to handle (packets to be routed, ARP requests to be responded, ...). Depending on the number of your wireless clients (not so much the number of CAPs), this traffic may be the encrypted and encapsulated wireless frames coming from the wireless clients, which the CPU of the CRS has to convert into plain Ethernet frames (and the opposite of course). So first implement the local forwarding on CAPs, and only if that doesn't help, start looking for other possibilities.
 
TheLordOfTheShells
Frequent Visitor
Topic Author
Posts: 71
Joined: Tue Oct 03, 2017 2:48 am

Re: CRS317-1G-16S+ High CPU lead to drop packet

Tue Mar 02, 2021 3:04 pm

Hi Sindy
Here is my config on Hap Ac2
/interface bridge
add name=Bridge vlan-filtering=yes
/interface wireless
# managed by CAPsMAN
# channel: 2432/20-Ce/gn(18dBm), SSID: Avana Retreat, CAPsMAN forwarding
set [ find default-name=wlan1 ] ssid=MikroTik
# managed by CAPsMAN
# channel: 5180/20-Ceee/ac(15dBm), SSID: Avana Retreat, CAPsMAN forwarding
set [ find default-name=wlan2 ] ssid=MikroTik
/interface vlan
add interface=Bridge name=MGMT_99 vlan-id=99
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
add bridge=Bridge interface=ether1
add bridge=Bridge interface=ether2
add bridge=Bridge interface=ether3
add bridge=Bridge interface=ether4
/interface bridge vlan
add bridge=Bridge tagged=Bridge,ether1 vlan-ids=99
/interface wireless cap
# 
set discovery-interfaces=Bridge enabled=yes interfaces=wlan1,wlan2
/ip address
add address=172.16.99.249/24 interface=MGMT_99 network=172.16.99.0
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add distance=1 gateway=172.16.99.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system identity
set name=WF-NhaSo11
and here is datapath config on Crs317
Image
Will follow your guide.
Thanks
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: CRS317-1G-16S+ High CPU lead to drop packet

Tue Mar 02, 2021 9:27 pm

OK, so first on each CAP, use just
/interface bridge vlan add bridge=Bridge tagged=ether1 vlan-ids=20
to permit VLAN 20 tagged on ether1, and
/interface wireless cap set bridge=Bridge
to define to which local bridge the local wireless interfaces under CAPsMAN control will be connected once switched to local forwarding mode.
Of course it assumes that VLAN 20 is permitted all the way through the L2 network from the CAPs to the router, and that CAPs are connected using ether1 to the L2 network, as seems to be the case. As you do that, still nothing changes about the actual operation.

Once you finish the above on all CAPs, set local-forwarding=yes on the datapath row on the CAPsMAN, and that's it (assuming that all interfaces use the same datapath item).

Setting local-forwarding=yes makes the bridge item on the datapath row irrelevant, because it refers to a bridge on the CAPsMAN, which is only used when local-forwarding=no (i.e. CAPsMAN forwarding).
 
TheLordOfTheShells
Frequent Visitor
Topic Author
Posts: 71
Joined: Tue Oct 03, 2017 2:48 am

Re: CRS317-1G-16S+ High CPU lead to drop packet

Wed Mar 03, 2021 12:40 pm

Hi Sindy
Today I configured just some APs as a first test, but I have some questions I hope you will explain:
1. When local forwarding is enabled, how can I know whether it is working or not on each AP?
2. Is there any way to track the number and the traffic of clients connected to each AP?
Thanks
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: CRS317-1G-16S+ High CPU lead to drop packet

Wed Mar 03, 2021 1:16 pm

Just for the case - if you configure just some APs into local forwarding mode, you have to use a dedicated /caps-man datapath row for them.

You can see the bytes/packets Tx/Rx per client in CAPsMAN -> Registration Table in Winbox, or using caps-man registration-table print stats on command line. Just be aware that these data are only valid as long as the client is associated to a given interface; once they roam to another one, the statistics from the previous association of the same client are lost.

If the data volumes shown as per above are reasonably high, you know that the local forwarding works.

/caps-man actual-interface-configuration print will show you the actual configuration parameters, assembled from channel, configuration, datapath, and security items.

With 70 APs, did you use the /caps-man provisioning?
 
TheLordOfTheShells
Frequent Visitor
Topic Author
Posts: 71
Joined: Tue Oct 03, 2017 2:48 am

Re: CRS317-1G-16S+ High CPU lead to drop packet

Thu Mar 04, 2021 1:03 am

Yes, I have already created a new datapath for the test APs and I also see the clients on CAPsMAN now.
With 70 APs, did you use the /caps-man provisioning?: Yes, I do.
After configuring the new datapath I see one interface with this error: "possible regulatory info mismatch with CAP". Do you know the cause of this? I did not configure the channel, I just set it to auto.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: CRS317-1G-16S+ High CPU lead to drop packet

Thu Mar 04, 2021 9:08 am

The channel profile aggregates various parameters related to radio characteristics of the interface. But permitted frequency channels as well as their Tx power limits differ country by country, and for some reason I don't understand, the country choice itself is a parameter of the configuration profile, not of the channel one.

So check that the correct country is set in the configuration profile used for that CAP, and check the country setting on the wireless physical interface on that CAP while it is exempted from CAPsMAN control, as the only possible reasons of this warning to come to my mind are
  • a combination of channel.frequency=auto and configuration.country=no_country_set,
  • different settings of the configuration.country used for that CAP and the country parameter of the /interface wireless row on the CAP itself.
 
TheLordOfTheShells
Frequent Visitor
Topic Author
Posts: 71
Joined: Tue Oct 03, 2017 2:48 am

Re: CRS317-1G-16S+ High CPU lead to drop packet

Wed Mar 17, 2021 10:23 am

Hi Sindy
After checking I found that the issue was maybe not from our CRS317 switch. Packets are dropped only on wireless clients; sometimes there is no traffic on wireless (cannot ping our gateway).
I wonder whether it is a CAPsMAN issue?
Thanks
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: CRS317-1G-16S+ High CPU lead to drop packet

Wed Mar 17, 2021 11:35 am

Hard to say. There might be some wireless protocol incompatibility with certain client models (this forum mostly mentions Apple devices to suffer from this but I assume it's just because they are the most ubiquitous ones among those experiencing those problems), but if so, it should affect both CAPsMAN-controlled and locally controlled wireless interfaces of the cAPs, as the wireless stack is the same in both cases, it is just its configuration method that differs.

It would require to identify a particular client device suffering from this and do some sniffing of its traffic - whether it has got an IP address via DHCP, whether the ping requests do not make it through or the responses, etc.
 
TheLordOfTheShells
Frequent Visitor
Topic Author
Posts: 71
Joined: Tue Oct 03, 2017 2:48 am

Re: CRS317-1G-16S+ High CPU lead to drop packet

Fri Apr 02, 2021 1:40 pm

Hi Sindy
I have created channels for 2.4GHz and 5GHz as in the code below, but I noticed that nearly all the CAPs are choosing 2412 for 2.4GHz and 5745 for 5GHz.
Rebooting the CAPs to renew the channel did not take effect.
Do you have any recommendation for auto channel?
Thanks
/caps-man channel
add band=2ghz-g/n extension-channel=Ce frequency=2412,2437,2462 name=Channels2.4Ghz tx-power=23
add band=5ghz-n/ac extension-channel=Ceee frequency=5745,5765,5785,5805 name=Channels5Ghz tx-power=25
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: CRS317-1G-16S+ High CPU lead to drop packet

Fri Apr 02, 2021 4:07 pm

If I remember right, the APs look for the channel with least interference among those permitted by the channel configuration; try /caps-man interface scan to check what you can really see in the air.

Plus I'm not an expert here and the manual is silent about this, but as you have specified Ce for the 2.4 GHz, I'm afraid you may have effectively permitted only use of two 40-MHz channel groups, 2412+2432 or 2437+2457 (as 2482 is not a permitted channel frequency), or maybe even just 20 MHz channels if exact match for the extension channel frequency is required; for 5 GHz, Ceee means just a single 80-MHz channel group, 5745+5765+5785+6805.
 
TheLordOfTheShells
Frequent Visitor
Topic Author
Posts: 71
Joined: Tue Oct 03, 2017 2:48 am

Re: CRS317-1G-16S+ High CPU lead to drop packet

Fri Apr 16, 2021 5:56 am

Hi Sindy
After following your recommendation I set up all the APs for local forwarding. My CRS317 still has really high CPU. So I want to ask you: for 80 CAPs, what MikroTik router should I use to set up CAPsMAN?
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: CRS317-1G-16S+ High CPU lead to drop packet

Fri Apr 16, 2021 11:51 pm

Why did you put something like this on a switch, beats me.
Any router instead of a switch should do the job, right?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: CRS317-1G-16S+ High CPU lead to drop packet

Sat Apr 17, 2021 11:56 am

Please show the typical output of /tool profile cpu=all on the CRS317, and also the typical output of /interface monitor-traffic interface=aggregate and /interface monitor-traffic interface=the-wan-interface-name.

And the question is not how many cAPs but how many clients, and what you ask the router in the CRS317 to do with their traffic.

So add the configuration export of the 317 as well.

It will either lead to a suggestion what to change in the configuration or to a suggestion whether to add an ARM-based device (a 4011 or maybe a 1100AHx4) or a TILE based one (CCR1009-7G-1C-1S+PC) as an external router.
 
TheLordOfTheShells
Frequent Visitor
Topic Author
Posts: 71
Joined: Tue Oct 03, 2017 2:48 am

Re: CRS317-1G-16S+ High CPU lead to drop packet

Sat Apr 17, 2021 2:07 pm

Hi guys.
First I want to show you guys my topology:
Image
I have about 80 CAPs and all will be managed on 2 CRS317 running VRRP.
Maybe I made a mistake in choosing the device (I see the CRS317 has 10Gb ports and layer 3 features with high performance). I really want to hear your advice.
Thanks
 
biomesh
Long time Member
Posts: 561
Joined: Fri Feb 10, 2012 8:25 pm

Re: CRS317-1G-16S+ High CPU lead to drop packet

Sat Apr 17, 2021 4:27 pm

I would think that just a good rstp switch config and implementing capsman failover built into the product would be sufficient enough. I think you are treating this device like a router and not a switch.
 
TheLordOfTheShells
Frequent Visitor
Topic Author
Posts: 71
Joined: Tue Oct 03, 2017 2:48 am

Re: CRS317-1G-16S+ High CPU lead to drop packet

Sun Apr 18, 2021 5:08 am

Hi
Today I have changed one CRS317 to CCR1016-12S-1S+ to check whether the issue is on device itself or it's because of my configuration.
Here is my configuration.
/caps-man channel
add band=2ghz-g/n frequency=2412,2437,2462 name=Channels2.4Ghz tx-power=23
add band=5ghz-n/ac extension-channel=Ceee name=Channels5Ghz tx-power=25
add band=2ghz-g/n frequency=2412,2437,2462 name=Channels2.4Ghz_HighTx \
    tx-power=28
add band=5ghz-n/ac extension-channel=Ceee name=Channels5Ghz_HighTx tx-power=\
    28
/caps-man datapath
add name=WiFi_Data vlan-id=20 vlan-mode=use-tag
add client-to-client-forwarding=yes name=WiFi_Office vlan-id=10 vlan-mode=\
    use-tag
add client-to-client-forwarding=yes local-forwarding=yes name=WiFi_Guest \
    vlan-id=20 vlan-mode=use-tag
add client-to-client-forwarding=yes local-forwarding=yes name=WiFi_Office_1 \
    vlan-id=10 vlan-mode=use-tag
add client-to-client-forwarding=yes local-forwarding=yes name=NS2 vlan-id=60 \
    vlan-mode=use-tag
add client-to-client-forwarding=yes local-forwarding=yes name=NS3 vlan-id=70 \
    vlan-mode=use-tag
/caps-man configuration
add channel=Channels2.4Ghz country="united states" datapath=NS2 hide-ssid=yes \
    installation=any mode=ap name=Config_NS2_2.4Ghz ssid=Hottab
add channel=Channels2.4Ghz country="united states" datapath=NS3 hide-ssid=yes \
    installation=any mode=ap name=Config_NS3_2.4Ghz ssid=Hottab
/interface bridge
add name=Loopback
add igmp-snooping=yes name=bridge1 priority=0x1000 protocol-mode=mstp \
    region-name=CS region-revision=1 vlan-filtering=yes
/interface vlan
add interface=bridge1 name=CAMERA_30 vlan-id=30
add interface=bridge1 name=LAN_10 vlan-id=10
add interface=bridge1 name=LOA_50 vlan-id=50
add interface=bridge1 name=MGMT_99 vlan-id=99
add interface=bridge1 name=NS2_60 vlan-id=60
add interface=bridge1 name=NS3_70 vlan-id=70
add interface=bridge1 name=TEL_40 vlan-id=40
add interface=bridge1 name=WIFI_20 vlan-id=20
/interface vrrp
add interface=CAMERA_30 name=VRRP_CAMERA_30 priority=105 vrid=30
add interface=LAN_10 name=VRRP_LAN_10 priority=105 vrid=10
add interface=LOA_50 name=VRRP_LOA_50 priority=105 vrid=50
add interface=MGMT_99 name=VRRP_MGMT_99 priority=105 vrid=99
add interface=NS2_60 name=VRRP_NS2_60 priority=105 vrid=60
add interface=NS3_70 name=VRRP_NS3_70 priority=105 vrid=70
add interface=TEL_40 name=VRRP_TEL_40 priority=105 vrid=40
add interface=WIFI_20 name=VRRP_WIFI_20 preemption-mode=no vrid=20
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=WiFi_Sec \
    passphrase=avana@123
/caps-man configuration
add country="viet nam" datapath=WiFi_Data mode=ap name=WiFi_Config security=\
    WiFi_Sec ssid="Avana Retreat"
add channel.control-channel-width=20mhz country="viet nam" datapath=\
    WiFi_Guest mode=ap name=WiFi_Guest security=WiFi_Sec ssid="Avana Retreat"
add country="viet nam" datapath=WiFi_Office_1 mode=ap name=WiFi_Office_1 \
    security=WiFi_Sec ssid="Avana Retreat"
add channel=Channels5Ghz country="united states" datapath=NS2 installation=\
    any mode=ap name=WiFi_NS2_5Ghz security=WiFi_Sec ssid="Avana Retreat"
add channel=Channels5Ghz country="united states" datapath=NS3 installation=\
    any mode=ap name=WiFi_NS3_5Ghz security=WiFi_Sec ssid="Avana Retreat"
add channel=Channels2.4Ghz country="united states" datapath=WiFi_Guest \
    installation=any mode=ap name=Config_Guest_2.4Ghz security=WiFi_Sec ssid=\
    "Avana Retreat"
add channel=Channels5Ghz country="united states" datapath=WiFi_Guest \
    installation=any mode=ap name=Config_Guest_5Ghz security=WiFi_Sec ssid=\
    "Avana Retreat"
add channel=Channels2.4Ghz_HighTx country="united states" datapath=WiFi_Guest \
    installation=any mode=ap name=Config_Guest_2.4Ghz_HighTx security=\
    WiFi_Sec ssid="Avana Retreat"
add channel=Channels5Ghz_HighTx country="united states" datapath=WiFi_Guest \
    installation=any mode=ap name=Config_Guest_5Ghz_HighTx security=WiFi_Sec \
    ssid="Avana Retreat"
add channel=Channels2.4Ghz country="united states" datapath=WiFi_Office_1 \
    installation=any mode=ap name=Config_Office_2.4Ghz security=WiFi_Sec \
    ssid="Avana Retreat"
add channel=Channels5Ghz country="united states" datapath=WiFi_Office_1 \
    installation=any mode=ap name=Config_Office_5Ghz security=WiFi_Sec ssid=\
    "Avana Retreat"
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp_pool0 ranges=172.16.10.20-172.16.10.250
add name=dhcp_pool1 ranges=172.16.20.20-172.16.21.250
add name=dhcp_pool2 ranges=172.16.30.20-172.16.30.250
add name=dhcp_pool3 ranges=172.16.40.20-172.16.40.100
add name=dhcp_pool4 ranges=172.16.99.50-172.16.99.70
add name=dhcp_pool5 ranges=172.16.50.20-172.16.50.250
add name=dhcp_pool10 ranges=172.16.60.100-172.16.60.200
add name=dhcp_pool11 ranges=172.16.70.100-172.16.70.200
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=VRRP_LAN_10 lease-time=4h \
    name=dhcp1
add address-pool=dhcp_pool1 authoritative=after-10sec-delay disabled=no \
    interface=VRRP_WIFI_20 lease-time=4h name=dhcp2
add address-pool=dhcp_pool2 disabled=no interface=VRRP_CAMERA_30 lease-time=\
    4h name=dhcp3
add address-pool=dhcp_pool3 disabled=no interface=VRRP_TEL_40 lease-time=8h \
    name=dhcp4
add address-pool=dhcp_pool4 disabled=no interface=VRRP_MGMT_99 lease-time=4h \
    name=dhcp5
add address-pool=dhcp_pool5 disabled=no interface=VRRP_LOA_50 lease-time=4h \
    name=dhcp6
add address-pool=dhcp_pool10 disabled=no interface=VRRP_NS2_60 lease-time=3h \
    name=dhcp7
add address-pool=dhcp_pool11 disabled=no interface=VRRP_NS3_70 lease-time=4h \
    name=dhcp8
/routing ospf instance
set [ find default=yes ] router-id=4.4.4.4
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=Config_Guest_5Ghz \
    name-format=identity name-prefix=WF-NhaSoNV-1-2 radio-mac=\
    C4:AD:34:FA:4A:35
add action=create-dynamic-enabled master-configuration=Config_Guest_2.4Ghz \
    name-format=identity name-prefix=WF-NhaSo19.2-1 radio-mac=\
    C4:AD:34:FA:62:C7
/interface bridge msti
add bridge=bridge1 identifier=2 priority=0x2000 vlan-mapping=20
add bridge=bridge1 identifier=1 priority=0x1000 vlan-mapping=\
    10,30,40,99,50,60,70
/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus3
add bridge=bridge1 interface=sfp-sfpplus4
add bridge=bridge1 interface=sfp-sfpplus5
add bridge=bridge1 interface=sfp-sfpplus6
add bridge=bridge1 interface=sfp-sfpplus7
add bridge=bridge1 interface=sfp-sfpplus8
add bridge=bridge1 interface=sfp-sfpplus9
add bridge=bridge1 interface=sfp-sfpplus10
add bridge=bridge1 interface=sfp-sfpplus11
add bridge=bridge1 interface=sfp-sfpplus12
add bridge=bridge1 interface=sfp-sfpplus13
add bridge=bridge1 interface=sfp-sfpplus14
add bridge=bridge1 interface=sfp-sfpplus15
add bridge=bridge1 interface=sfp-sfpplus16
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=bridge1 tagged="bridge1,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-\
    sfpplus6,sfp-sfpplus7,sfp-sfpplus8,sfp-sfpplus9,sfp-sfpplus10,sfp-sfpplus1\
    1,sfp-sfpplus12,sfp-sfpplus13,sfp-sfpplus14,sfp-sfpplus15,sfp-sfpplus16" \
    vlan-ids=99
add bridge=bridge1 tagged="bridge1,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-\
    sfpplus6,sfp-sfpplus7,sfp-sfpplus8,sfp-sfpplus9,sfp-sfpplus10,sfp-sfpplus1\
    1,sfp-sfpplus12,sfp-sfpplus13,sfp-sfpplus14,sfp-sfpplus15,sfp-sfpplus16" \
    vlan-ids=20
add bridge=bridge1 tagged="bridge1,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-\
    sfpplus6,sfp-sfpplus7,sfp-sfpplus8,sfp-sfpplus9,sfp-sfpplus10,sfp-sfpplus1\
    1,sfp-sfpplus12,sfp-sfpplus13,sfp-sfpplus14,sfp-sfpplus15,sfp-sfpplus16" \
    vlan-ids=30
add bridge=bridge1 tagged="bridge1,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-\
    sfpplus6,sfp-sfpplus7,sfp-sfpplus8,sfp-sfpplus9,sfp-sfpplus10,sfp-sfpplus1\
    1,sfp-sfpplus12,sfp-sfpplus13,sfp-sfpplus14,sfp-sfpplus15,sfp-sfpplus16" \
    vlan-ids=10
add bridge=bridge1 tagged="bridge1,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-\
    sfpplus6,sfp-sfpplus7,sfp-sfpplus8,sfp-sfpplus9,sfp-sfpplus10,sfp-sfpplus1\
    1,sfp-sfpplus12,sfp-sfpplus13,sfp-sfpplus14,sfp-sfpplus15,sfp-sfpplus16" \
    vlan-ids=40
add bridge=bridge1 tagged="bridge1,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-\
    sfpplus6,sfp-sfpplus7,sfp-sfpplus8,sfp-sfpplus9,sfp-sfpplus10,sfp-sfpplus1\
    1,sfp-sfpplus12,sfp-sfpplus13,sfp-sfpplus14,sfp-sfpplus15,sfp-sfpplus16" \
    vlan-ids=50
add bridge=bridge1 tagged="bridge1,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-\
    sfpplus6,sfp-sfpplus7,sfp-sfpplus8,sfp-sfpplus9,sfp-sfpplus10,sfp-sfpplus1\
    1,sfp-sfpplus12,sfp-sfpplus13,sfp-sfpplus14,sfp-sfpplus15,sfp-sfpplus16" \
    vlan-ids=60
add bridge=bridge1 tagged="bridge1,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-\
    sfpplus6,sfp-sfpplus7,sfp-sfpplus8,sfp-sfpplus9,sfp-sfpplus10,sfp-sfpplus1\
    1,sfp-sfpplus12,sfp-sfpplus13,sfp-sfpplus14,sfp-sfpplus15,sfp-sfpplus16" \
    vlan-ids=70
/ip address
add address=172.16.10.2/24 interface=LAN_10 network=172.16.10.0
add address=172.16.99.2/24 interface=MGMT_99 network=172.16.99.0
add address=172.16.20.2/23 interface=WIFI_20 network=172.16.20.0
add address=172.16.30.2/24 interface=CAMERA_30 network=172.16.30.0
add address=172.16.40.2/24 interface=TEL_40 network=172.16.40.0
add address=172.16.2.2/24 interface=sfp-sfpplus1 network=172.16.2.0
add address=172.16.3.2/30 interface=sfp-sfpplus2 network=172.16.3.0
add address=172.16.10.1 interface=VRRP_LAN_10 network=172.16.10.1
add address=172.16.20.1 interface=VRRP_WIFI_20 network=172.16.20.1
add address=172.16.30.1 interface=VRRP_CAMERA_30 network=172.16.30.1
add address=172.16.40.1 interface=VRRP_TEL_40 network=172.16.40.1
add address=172.16.99.1 interface=VRRP_MGMT_99 network=172.16.99.1
add address=172.16.50.2/24 interface=LOA_50 network=172.16.50.0
add address=172.16.50.1 interface=VRRP_LOA_50 network=172.16.50.1
add address=172.16.60.2/24 interface=NS2_60 network=172.16.60.0
add address=172.16.60.1 interface=VRRP_NS2_60 network=172.16.60.1
add address=172.16.70.1 interface=VRRP_NS3_70 network=172.16.70.1
add address=172.16.70.2/24 interface=NS3_70 network=172.16.70.0
add address=4.4.4.4 interface=Loopback network=4.4.4.4
/ip dhcp-server network
add address=172.16.10.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=172.16.10.1
add address=172.16.20.0/23 dns-server=8.8.8.8,8.8.4.4 gateway=172.16.20.1
add address=172.16.30.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=172.16.30.1
add address=172.16.40.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=172.16.40.1
add address=172.16.50.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=172.16.50.1
add address=172.16.60.0/24 gateway=172.16.60.1
add address=172.16.70.0/24 gateway=172.16.70.1
add address=172.16.99.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=172.16.99.1
/ip dns
set servers=8.8.8.8
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/routing ospf interface
add cost=100 interface=sfp-sfpplus2 network-type=broadcast
add cost=100 interface=CAMERA_30 network-type=broadcast
add cost=100 interface=LAN_10 network-type=broadcast
add cost=100 interface=MGMT_99 network-type=broadcast
add cost=100 interface=TEL_40 network-type=broadcast
add cost=100 interface=WIFI_20 network-type=broadcast
add cost=100 interface=VRRP_WIFI_20 network-type=broadcast
add cost=100 interface=LOA_50 network-type=broadcast
add cost=100 interface=NS2_60 network-type=broadcast
add cost=100 interface=NS3_70 network-type=broadcast
/routing ospf network
add area=backbone network=172.16.2.0/24
add area=backbone network=172.16.3.0/30
add area=backbone network=172.16.10.0/24
add area=backbone network=172.16.20.0/23
add area=backbone network=172.16.30.0/24
add area=backbone network=172.16.40.0/24
add area=backbone network=172.16.99.0/24
add area=backbone network=172.16.50.0/24
add area=backbone network=172.16.60.0/24
add area=backbone network=172.16.70.0/24
add area=backbone network=4.4.4.4/32
/system clock
set time-zone-name=Asia/Bangkok
/system identity
set name=CORE_SW01
/system logging
set 0 topics=info,!caps,!dhcp
add action=disk topics=warning
/system package update
set channel=long-term
/system routerboard settings
set boot-os=router-os
/system scheduler
add interval=3s name=schedule1 on-event=":if ([ /system resource get cpu-load]\
    >95) do={ \r\
    \n\t:log warning \"Reboot for 100% CPU\";\r\
    \n\t}" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=apr/14/2021 start-time=12:25:11
I have written a script to check when the CPU is full and noticed it mostly happens from 8pm to 8am, sometimes in the daytime also.
Image
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: CRS317-1G-16S+ High CPU lead to drop packet

Sun Apr 18, 2021 2:44 pm

Anything using the WiFi_Data or WiFi_Guest CAPsMAN datapath does not use local forwarding, so the traffic to/from clients using them will be handled by the CPU in the CRS.
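
One way to run this check over a full /export instead of by eye, as an added example that is not part of the original thread: the Python sketch below parses the /caps-man datapath, configuration and provisioning rows and lists everything that still resolves to CAPsMAN (manager) forwarding. The sample rows are abridged from the export posted above, except the last provisioning rule and its radio MAC, which are constructed; the function names are this example's own.

```python
import re
import shlex

# Sample rows abridged from the export posted above. The last provisioning
# rule (radio-mac 00:00:5E:00:53:01) is constructed for this example.
SAMPLE_EXPORT = r'''
/caps-man datapath
add name=WiFi_Data vlan-id=20 vlan-mode=use-tag
add client-to-client-forwarding=yes name=WiFi_Office vlan-id=10 vlan-mode=\
    use-tag
add client-to-client-forwarding=yes local-forwarding=yes name=WiFi_Guest \
    vlan-id=20 vlan-mode=use-tag
add client-to-client-forwarding=yes local-forwarding=yes name=WiFi_Office_1 \
    vlan-id=10 vlan-mode=use-tag
/caps-man configuration
add country="viet nam" datapath=WiFi_Data mode=ap name=WiFi_Config security=\
    WiFi_Sec ssid="Avana Retreat"
add channel=Channels5Ghz country="united states" datapath=WiFi_Guest \
    installation=any mode=ap name=Config_Guest_5Ghz security=WiFi_Sec ssid=\
    "Avana Retreat"
add channel=Channels2.4Ghz country="united states" datapath=WiFi_Office_1 \
    installation=any mode=ap name=Config_Office_2.4Ghz security=WiFi_Sec \
    ssid="Avana Retreat"
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=Config_Guest_5Ghz \
    name-format=identity name-prefix=WF-NhaSoNV-1-2 radio-mac=\
    C4:AD:34:FA:4A:35
add action=create-dynamic-enabled master-configuration=Config_Office_2.4Ghz \
    slave-configurations=WiFi_Config radio-mac=00:00:5E:00:53:01
'''


def parse_export(text):
    """Return {menu_path: [{property: value}, ...]} for every 'add' row."""
    # An export wraps long rows with a trailing backslash and an indented
    # continuation line; join them back into one logical row first.
    text = re.sub(r"\\\r?\n[ \t]*", "", text)
    menus, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            menus.setdefault(current, [])
        elif current and line.startswith("add "):
            row = {}
            for token in shlex.split(line[4:]):  # shlex keeps "viet nam" whole
                key, sep, value = token.partition("=")
                if sep:
                    row[key] = value
            menus[current].append(row)
    return menus


def forwarding_mode(config, datapaths):
    """Return 'local' or 'manager' for one /caps-man configuration row."""
    # An inline datapath.local-forwarding on the configuration row takes
    # precedence over the referenced datapath profile; unset means "no".
    value = config.get("datapath.local-forwarding")
    if value is None:
        profile = datapaths.get(config.get("datapath"), {})
        value = profile.get("local-forwarding", "no")
    return "local" if value == "yes" else "manager"


def audit(text):
    """List datapaths, configurations and provisioning rules that leave
    client traffic to be forwarded by the CAPsMAN controller's CPU."""
    menus = parse_export(text)
    datapaths = {r["name"]: r for r in menus.get("/caps-man datapath", [])
                 if "name" in r}
    modes = {r["name"]: forwarding_mode(r, datapaths)
             for r in menus.get("/caps-man configuration", []) if "name" in r}
    provisioning = []
    for rule in menus.get("/caps-man provisioning", []):
        refs = [rule.get("master-configuration", "")]
        refs += rule.get("slave-configurations", "").split(",")
        for ref in refs:
            if modes.get(ref) == "manager":
                provisioning.append((rule.get("radio-mac", "any"), ref))
    return {
        "datapaths": [n for n, r in datapaths.items()
                      if r.get("local-forwarding", "no") != "yes"],
        "configurations": [n for n, m in modes.items() if m == "manager"],
        "provisioning": provisioning,
    }


if __name__ == "__main__":
    for kind, items in audit(SAMPLE_EXPORT).items():
        print(kind, items)
```

A datapath or configuration that shows up here but is referenced by no provisioning rule is unused; the provisioning list is the part that reaches actual radios.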
 
TheLordOfTheShells
Frequent Visitor
Topic Author
Posts: 71
Joined: Tue Oct 03, 2017 2:48 am

Re: CRS317-1G-16S+ High CPU lead to drop packet

Mon Apr 19, 2021 2:38 am

Anything using the WiFi_Data or WiFi_Guest CAPsMAN datapath do not use local forwarding, so the traffic to/from clients using them will be handled by the CPU in the CRS.
First I used CapsMan forwarding and WiFi_Data and Wifi_Office datapath are for that purpose but now I don't use it anymore.
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: CRS317-1G-16S+ High CPU lead to drop packet

Mon Apr 19, 2021 2:42 am

Your posted configuration does not agree with that statement
 
TheLordOfTheShells
Frequent Visitor
Topic Author
Posts: 71
Joined: Tue Oct 03, 2017 2:48 am

Re: CRS317-1G-16S+ High CPU lead to drop packet

Mon Apr 19, 2021 7:17 am

Your posted configuration does not agree with that statement
Because the provisioning is quite long and has the same configuration, I don't want to make you guys read all of that, so I just gave an example of the configuration. If needed I will show all the provisioning config.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: CRS317-1G-16S+ High CPU lead to drop packet

Mon Apr 19, 2021 9:28 am

If all your cAPs do local forwarding, the only way how the CPU load on the CRS could be coming from CAPsMAN processing would be if the clients would keep re-authenticating, as the client traffic is converted between wireless and wired one at the cAPs themselves.

So most likely there is a traffic that needs to be routed and thus it hits the CPU. Posting of "simplified" configuration is useless as the issue may be in the part you've deemed unrelated and thus haven't posted it.

Also post the results of the tests I've suggested above.

Your drawing shows that you've already got some routers in your setup; can you use those for all routing tasks, including inter-vlan routing, if any?
 
TheLordOfTheShells
Frequent Visitor
Topic Author
Posts: 71
Joined: Tue Oct 03, 2017 2:48 am

Re: CRS317-1G-16S+ High CPU lead to drop packet

Tue Apr 20, 2021 5:54 am

Hi all
Today I received an e-mail from the MikroTik support team.
They told me the issue may be caused by multicast traffic flooding and urged me to upgrade to the new stable 6.48.2 version because it has just released some multicast and IGMP snooping improvements.
But I have changed my topology: 2 CRS1036 will be the CAPsMAN controllers and 2 CRS317 the switches, and it works well now.
Thank you all.
