w4rh0und
Member Candidate
Topic Author
Posts: 107
Joined: Fri Oct 16, 2009 10:58 pm

Multiple Trunk setup performance issues

Sat Apr 03, 2021 7:42 pm

Hi guys

I am trying to set up the following network:

Main router - CCR1009
Will have a Bridge here with ports 1,2,3,4,Sfp+. I will connect switches in these ports
I will have multiple VLANS

In which I will connect
-Sfp+ - 1xCRS317-1G-16S+ 16X10 - used for storage traffic
-ether1 and 2 - 2xCRS326-24G-2S+ 24x1GB - used for client traffic

Once I enable filtering on the bridge, as I've seen on the MikroTik wiki, there is no longer HW offload. Is this normal behaviour or is there something wrong in my configuration?

interface bridge port print
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload
# INTERFACE BRIDGE HW PVID PR PATH-COST INTERNA... HORIZON
0 ether1 BR1 yes 1 0x 10 10 none
1 I ether2 BR1 yes 1 0x 10 10 none
2 I ether3 BR1 yes 1 0x 10 10 none
3 I ether4 BR1 yes 1 0x 10 10 none



The config is below:

/interface ethernet
set [ find default-name=ether1 ] comment="##LINK TO: CRS317 - TRUNK - TAGGED TRAFFIC"

/interface bridge
add comment="##MAIN BRIDGE - TRUNK WITH ALL THE SWITCHES" name=BR1 vlan-filtering=yes
/interface vlan
add comment="##NET-Client1 - 172.16.119.0/24" interface=BR1 name=NET-Client1 vlan-id=119
add comment="##NET-Internal2 - 172.16.2.0/24" interface=BR1 name=NET-Internal2 vlan-id=2
add comment="##NET-Internal3 - 172.16.3.0/24" interface=BR1 name=NET-Internal3 vlan-id=3
add comment="##NET-MGMT 172.16.1.0/24" interface=BR1 name=NET-MGMT vlan-id=1011
add comment="##NET-Internal3 - 172.16.30.0/24" interface=BR1 name=NET-Internal3 vlan-id=1003
add comment="##NET-Test - 172.16.9.0/24" interface=BR1 name=NET-Test vlan-id=9
add comment="##NET-VPSPrivate - 172.16.10.0/24" interface=BR1 name=NET-VPSPrivate vlan-id=10
/interface list
add name=WAN
add name=VLAN
add name=MGMT
/interface bridge port
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether1
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether2
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether3
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether4
/interface bridge vlan
add bridge=BR1 comment="##NET-MGMT 172.16.1.0/24" tagged=BR1,ether1,ether2,ether3,ether4 vlan-ids=1011
add bridge=BR1 comment="##NET-Internal3 - 172.16.30.0/24" tagged=BR1,ether1,ether2,ether3,ether4 vlan-ids=1003
add bridge=BR1 comment="##NET-Internal2 - 172.16.2.0/24" tagged=BR1,ether1,ether2,ether3,ether4 vlan-ids=2
add bridge=BR1 comment="##NET-Internal3 - 172.16.3.0/24" tagged=BR1,ether1,ether2,ether3,ether4 vlan-ids=3
add bridge=BR1 comment="##NET-Test - 172.16.9.0/24" tagged=BR1,ether1,ether2,ether3,ether4 vlan-ids=9
add bridge=BR1 comment="##NET-VPSPrivate - 172.16.10.0/24" tagged=BR1,ether1,ether2,ether3,ether4 vlan-ids=10
add bridge=BR1 comment="##NET-Client1 - 172.16.119.0/24" tagged=BR1,ether1,ether2,ether3,ether4 vlan-ids=119
/interface list member
add interface=ether8 list=WAN
add interface=ether7 list=WAN
add interface=NET-MGMT list=MGMT
add interface=NET-Client1 list=VLAN
add interface=NET-Internal2 list=VLAN
add interface=NET-Internal3 list=VLAN
add interface=NET-MGMT list=VLAN
add interface=NET-Internal3 list=VLAN
add interface=NET-Test list=VLAN
add interface=NET-VPSPrivate list=VLAN
/ip address
add address=10.124.175.101/24 interface=ether8 network=10.124.175.0
add address=172.16.1.1/24 interface=NET-MGMT network=172.16.1.0
add address=172.16.2.1/24 interface=NET-Internal2 network=172.16.2.0
add address=172.16.3.1/24 interface=NET-Internal3 network=172.16.3.0
add address=172.16.119.1/24 interface=NET-Client1 network=172.16.119.0
add address=172.16.30.1/24 interface=NET-Internal3 network=172.16.30.0
add address=172.16.9.1/24 interface=NET-Test network=172.16.9.0
add address=172.16.10.1/24 interface=NET-VPSPrivate network=172.16.10.0
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=10.124.175.5 list=Winbox_Allow
/ip firewall filter
add action=accept chain=input comment="##INPUT:Allow Winbox from Radu" connection-state="" in-interface-list=WAN src-address-list=Winbox_Allow
add action=accept chain=input comment="##INPUT:Allow Established and Related " connection-state=established,related
add action=accept chain=input comment="##INPUT:Allow Input from MGMT" in-interface-list=MGMT
add action=drop chain=input comment="##INPUT:DROP Everything Else" connection-state="" log-prefix=DROP
add action=accept chain=forward comment="##INPUT:Allow Winbox from Radu" connection-state="" in-interface-list=WAN src-address-list=Winbox_Allow
add action=accept chain=forward comment="##FORWARD:Allow Established and Related " connection-state=established,related
add action=accept chain=forward comment="##FORWARD: VLAN Internet Access only" connection-state=new in-interface-list=VLAN out-interface-list=WAN
/ip route
add distance=1 gateway=10.124.175.1
/system identity
set name=LAB-CCR1009
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Multiple Trunk setup performance issues

Sat Apr 03, 2021 8:09 pm

Your CCR1009 quite likely doesn't have switch chip built in (only early models without SFP+ port had one) and hence nothing can be HW offloaded. Your CCR is a great router but mediocre switch/bridge.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Multiple Trunk setup performance issues

Sat Apr 03, 2021 9:32 pm

/ip firewall filter
add action=accept chain=input comment="##INPUT:Allow Winbox from Radu" connection-state="" in-interface-list=WAN src-address-list=Winbox_Allow
add action=accept chain=input comment="##INPUT:Allow Established and Related " connection-state=established,related
add action=accept chain=input comment="##INPUT:Allow Input from MGMT" in-interface-list=MGMT
add action=drop chain=input comment="##INPUT:DROP Everything Else" connection-state="" log-prefix=DROP
add action=accept chain=forward comment="##INPUT:Allow Winbox from Radu" connection-state="" in-interface-list=WAN src-address-list=Winbox_Allow
add action=accept chain=forward comment="##FORWARD:Allow Established and Related " connection-state=established,related
add action=accept chain=forward comment="##FORWARD: VLAN Internet Access only" connection-state=new in-interface-list=VLAN out-interface-list=WAN


Seems like a very bad security infraction if you are allowing access to WinBox directly.
One should only access WinBox via a VPN tunnel to the LAN side and then access WinBox from there.
I also don't understand why you have such a rule in both the input and forward chains??

Input is access to the router (aka winbox), winbox does not reside on the LAN??
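
The exposure raised in the reply above can be checked mechanically. The following Python script is an added example, not part of the thread or of RouterOS: it parses the posted filter rules and lists every accept rule that admits new connections from the WAN interface list, per chain. The function names and the fields of each finding are illustrative.

```python
import shlex

# Filter rules as posted in the thread (rule numbers below are 0-based positions).
RULES = r'''
add action=accept chain=input comment="##INPUT:Allow Winbox from Radu" connection-state="" in-interface-list=WAN src-address-list=Winbox_Allow
add action=accept chain=input comment="##INPUT:Allow Established and Related " connection-state=established,related
add action=accept chain=input comment="##INPUT:Allow Input from MGMT" in-interface-list=MGMT
add action=drop chain=input comment="##INPUT:DROP Everything Else" connection-state="" log-prefix=DROP
add action=accept chain=forward comment="##INPUT:Allow Winbox from Radu" connection-state="" in-interface-list=WAN src-address-list=Winbox_Allow
add action=accept chain=forward comment="##FORWARD:Allow Established and Related " connection-state=established,related
add action=accept chain=forward comment="##FORWARD: VLAN Internet Access only" connection-state=new in-interface-list=VLAN out-interface-list=WAN
'''

# What an accept rule on each chain opens up.
TARGET = {"input": "the router itself", "forward": "hosts behind the router"}


def parse_rules(text):
    """Parse 'add key=value ...' export lines into dicts, keeping rule order."""
    rules = []
    for line in text.splitlines():
        words = shlex.split(line)
        if words and words[0] == "add":
            rules.append(dict(w.split("=", 1) for w in words[1:]))
    return rules


def scope(rule):
    """Describe what narrows an accept rule besides its ingress interface."""
    keys = ("protocol", "dst-port", "src-address", "src-address-list", "dst-address")
    limits = [f"{k}={rule[k]}" for k in keys if rule.get(k)]
    return ", ".join(limits) or "nothing"


def lint(rules, untrusted="WAN"):
    """Flag accept rules that admit new connections from the untrusted side."""
    findings = []
    for index, rule in enumerate(rules):
        if rule.get("action") != "accept" or rule.get("in-interface-list") != untrusted:
            continue
        states = set(filter(None, rule.get("connection-state", "").split(",")))
        if states and states <= {"established", "related"}:
            continue  # replies to existing connections only, not a new entry point
        findings.append({
            "rule": index,
            "chain": rule["chain"],
            "exposes": TARGET.get(rule["chain"], rule["chain"]),
            "port_limited": "dst-port" in rule,
            "narrowed_by": scope(rule),
        })
    return findings


if __name__ == "__main__":
    for finding in lint(parse_rules(RULES)):
        print(finding)
```

Both flagged rules are limited only by the source address list: neither sets protocol or dst-port, so they are not restricted to the WinBox port.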
 
w4rh0und
Member Candidate
Topic Author
Posts: 107
Joined: Fri Oct 16, 2009 10:58 pm

Re: Multiple Trunk setup performance issues

Sat Apr 03, 2021 10:31 pm

@anav
It is a test router in a lab environment with no access outside, and on the WAN it has a private IP address.
I've added that rule so I can keep my access from the machine from which I configure it while I test FW rules.


@mkx
When I disable VLAN filtering on the bridge interface
/interface bridge
add comment="##MAIN BRIDGE - TRUNK WITH ALL THE SWITCHES" name=BR1 vlan-filtering=no

I automatically get hw-offload. It has a switch chip for ports 1-4, an Atheros 8327
/interface bridge port print
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload
# INTERFACE BRIDGE HW PVID PRIORITY PATH-COST INTERNAL-PATH-COST HORIZON
0 I H ether2 BR1 yes 1 0x80 10 10 none
1 I H ether3 BR1 yes 1 0x80 10 10 none
2 I H ether4 BR1 yes 1 0x80 10 10 none
3 H ether1 BR1 yes 1 0x80 10 10 none
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Multiple Trunk setup performance issues

Sun Apr 04, 2021 8:38 pm

Ah, so your unit is one of the old ones. The bridge vlan-filtering can only be offloaded on CRS3xx devices. The rest cannot offload VLAN filtering and one has to configure VLANs on the switch chip (under /interface ethernet switch).
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Multiple Trunk setup performance issues

Sun Apr 04, 2021 8:44 pm

You can create all your VLANs on the SFP port of your CCR under /interface Vlan and connect it to your CRS317... That would be your trunk port...
Then connect your CRS326s to your CRS317.. The latter (CRS models) will be configured using bridge VLAN filtering...
 
w4rh0und
Member Candidate
Topic Author
Posts: 107
Joined: Fri Oct 16, 2009 10:58 pm

Re: Multiple Trunk setup performance issues

Mon Apr 05, 2021 1:25 am

So would it be possible to configure the Vlans under the switch and on the CRS use bridge vlan filtering?

Will that work?

So far, once I place the ports in the switch, enable secure mode on the ports and set add-if-missing, I can no longer reach the other device.

Unfortunately, in the lab I have CCR1009 and 2011 routers only; I cannot test directly with a CRS yet ...

But I would like to get this working before configuring everything on the live devices. I only get remote hands, so I need to get it all working from the beginning.
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Multiple Trunk setup performance issues

Mon Apr 05, 2021 11:49 am

Basically you can configure VLANs either with bridge filtering or on the switch chip; you should not mix both. If you want to configure the SFP+ port on the CCR as a trunk as well, then you have a problem.

Your CCR is unfit for switching duties between any pair of ports apart from ports ether1-ether4 (which are run by the switch chip); however, they share a single 1Gbps line towards the CPU (and the rest of the ports), hence these ports are not a great choice to be routed.
So you'll have to decide which traffic there will be more of: routed or switched. If it's switched, then use switch chip VLANs and use the old-fashioned "one bridge per VLAN" approach for the rest of the ports (ether5-ether8 and sfp+). Use this document as a guide on how to configure the switch chip.
If traffic will be more routed or a balanced mix of routed and switched, go with bridge vlan filtering and forget about HW offloading (in this case better use ether5-ether8, which will probably offer better performance).
 
w4rh0und
Member Candidate
Topic Author
Posts: 107
Joined: Fri Oct 16, 2009 10:58 pm

Re: Multiple Trunk setup performance issues

Mon Apr 05, 2021 10:20 pm

Switch chip is not working as expected. I've used the wiki to configure it.

I am trying the switch chip in the lab like below

CCR config Atheros 8327
Port 1 switch member configured as a trunk (Vlans:1011 management for devices ip 172.16.1.1/24 and Vlan 10) connects physically to a RB2011 router switch chip port 1
Port 2-4 switch member configured as a trunk (Vlans:1011 management, Vlan9 and vlan119) will connect to another RB2011 with different type of traffic

SW1 (RB2011) Atheros 8327
Port 1 trunk connected to port 1 of the CCR (vlan 1011 management ip 172.16.1.11/24 and vlan 10)
Ports 2-5 access for clients on Vlan 10

The issue that I am having is that the moment I enable secure mode on the switch, I no longer have communication between CCR and SW on the mgmt network 172.16.1.0/24

Devices connected on SW1 port 2 no longer get an ip using DHCP.
Apparently it works if I leave Vlan mode disabled and the vlan-header leave as it is.

I do not understand what I am doing wrong here. I've done similar setups using Cisco/Fortigate/Aruba even Mikrotik with different switch vendors, etc.
Never had an issue with any type of config and ports.


CCR config
# apr/05/2021 22:02:21 by RouterOS 6.48.1
# software id = B4FY-V45T
#
# model = CCR1009-8G-1S-1S+
# serial number = 554A0480B05B
/interface ethernet
set [ find default-name=ether1 ] comment=\
    "##LINK TO: SW - TRUNK - TAGGED TRAFFIC"
set [ find default-name=sfp-sfpplus1 ] disabled=yes
set [ find default-name=sfp1 ] disabled=yes
/interface bridge
add name=BR1
/interface vlan
add comment="##NET-TEST - 172.16.9.0/24" interface=BR1 name=NET-Client1 \
    vlan-id=119
add comment="##NET-MGMT 172.16.1.0/24" interface=BR1 name=NET-MGMT vlan-id=\
    1011
add comment="##NET-TEST - 172.16.9.0/24" interface=BR1 name=NET-TEST vlan-id=\
    9
add comment="##NET-VPSPrivate - 172.16.10.0/24" interface=BR1 name=\
    NET-VPSPrivate vlan-id=10
/interface ethernet switch port
set 0 vlan-header=add-if-missing vlan-mode=secure
set 1 vlan-header=add-if-missing vlan-mode=secure
set 2 vlan-header=add-if-missing vlan-mode=secure
set 3 vlan-header=add-if-missing vlan-mode=secure
set 4 default-vlan-id=1011 vlan-mode=secure
/interface list
add name=WAN
add name=VLAN
add name=MGMT
/ip pool
add name=dhcp_pool0 ranges=172.16.9.100-172.16.9.150
add name=dhcp_pool1 ranges=172.16.10.100-172.16.10.150
add name=dhcp_pool2 ranges=172.16.9.100-172.16.9.150
add name=dhcp_pool3 ranges=172.16.119.100-172.16.119.150
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=NET-VPSPrivate lease-time=\
    4h10m name=dhcp1
add address-pool=dhcp_pool2 disabled=no interface=NET-TEST lease-time=4h10m \
    name=dhcp2
add address-pool=dhcp_pool3 disabled=no interface=NET-Client1 lease-time=\
    4h10m name=dhcp3
/interface bridge port
add bridge=BR1 interface=ether1
add bridge=BR1 interface=ether2
add bridge=BR1 interface=ether3
add bridge=BR1 interface=ether4
/interface ethernet switch vlan
add independent-learning=no ports=ether1 switch=switch1 vlan-id=10
add independent-learning=no ports=ether1,ether2,ether3,ether4,switch1-cpu \
    switch=switch1 vlan-id=1011
add independent-learning=no ports=ether2,ether3,ether4 switch=switch1 \
    vlan-id=9
add independent-learning=no ports=ether2,ether3,ether4 switch=switch1 \
    vlan-id=119
/interface list member
add interface=ether8 list=WAN
add interface=ether7 list=WAN
add interface=NET-MGMT list=MGMT
add interface=NET-MGMT list=VLAN
add interface=NET-VPSPrivate list=VLAN
add interface=NET-TEST list=VLAN
/ip address
add address=10.124.175.2/24 interface=ether8 network=10.124.175.0
add address=172.16.1.1/24 interface=NET-MGMT network=172.16.1.0
add address=172.16.10.1/24 interface=NET-VPSPrivate network=172.16.10.0
add address=172.16.9.1/24 interface=NET-TEST network=172.16.9.0
add address=172.16.119.1/24 interface=NET-Client1 network=172.16.119.0
/ip dhcp-server network
add address=172.16.9.0/24 gateway=172.16.9.1
add address=172.16.10.0/24 gateway=172.16.10.1
add address=172.16.119.0/24 gateway=172.16.119.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=10.124.175.5 list=Winbox_Allow
/ip route
add distance=1 gateway=10.124.175.1
/system identity
set name=LAB-CCR1009
SW config
# jan/02/1970 00:56:37 by RouterOS 6.48.1
# software id = DTV5-D782
#
# model = 2011UiAS-2HnD
# serial number = 91E10A9B3921
/interface bridge
add name=BR1
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface vlan
add interface=BR1 name=NET-MGMT vlan-id=1011
/interface ethernet switch port
set 1 vlan-header=add-if-missing vlan-mode=secure
set 2 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
set 3 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
set 4 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
set 5 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
set 11 default-vlan-id=1011 vlan-header=always-strip
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=BR1 interface=ether1
add bridge=BR1 interface=ether2
add bridge=BR1 interface=ether3
add bridge=BR1 interface=ether4
add bridge=BR1 interface=ether5
/interface ethernet switch vlan
add independent-learning=no ports=ether1,switch1-cpu switch=switch1 vlan-id=\
    1011
add independent-learning=no ports=ether1,ether2,ether3,ether4,ether5 switch=\
    switch1 vlan-id=10
/ip address
add address=172.16.1.11/24 interface=NET-MGMT network=172.16.1.0
/ip route
add distance=1 gateway=172.16.1.1
/system identity
set name=LAB-RB2011U1
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Multiple Trunk setup performance issues

Mon Apr 05, 2021 10:59 pm

Regarding RB2011 in switch mode:

The /interface ethernet switch port export is always confusing to me because it's using index numbers instead of port names so it's hard to correlate this section to other sections of config. Command interface ethernet switch port print provides missing information. So I'll just assume that index 0 relates to ether1, ..., index 4 relates to ether5 and index 5 relates to switch1-cpu. Which means your trunk port (ether1) is completely missing VLAN config, it should be
set 0 vlan-mode=secure

At the same time switch1-cpu is configured as access port (default-vlan-id set) while it should be configured as trunk, i.e. the same way as ether1.


The CCR is similarly misconfigured. BTW, the CCR will need the switch1-cpu interface tagged also for the rest of the VLANs; it's the CPU doing the routing. You'll use firewall rules to prevent unwanted inter-VLAN connections.

IMO switch chip VLAN setup is a bit harder to do right, and trying to do it on both ends at the same time can be confusing as one doesn't know which end is broken (if not both). Hence I suggest you configure one device with bridge vlan-filtering (it's easier to do and more people can spot an error if there is one) and focus on doing switch-chip VLANs on the other end. When it starts to work correctly, re-do the first device as well.
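
The index-to-name problem described above goes away when the export is read together with the print output. The following Python script is an added example, not code from the thread: it resolves the `set N` indices against the CCR's port table posted later in the thread and applies three checks taken from the replies (every VLAN with a VLAN interface needs switch1-cpu as a member, the CPU port should be a trunk rather than an access port, and a port must be a member of its default VLAN). It assumes the index order is the same in both posts; the function names are illustrative.

```python
import re
import shlex

# Taken from the thread: the CCR's port print table and its Apr 05 export (trimmed).
PORT_PRINT = """\
 #   NAME               SWITCH              VLAN-MODE VLAN-HEADER    DEFAULT-VLAN-ID
 0   ether1             switch1             secure    add-if-missing            auto
 1   ether2             switch1             secure    add-if-missing            auto
 2   ether3             switch1             secure    add-if-missing            auto
 3   ether4             switch1             secure    add-if-missing            auto
 4   switch1-cpu        switch1             secure    add-if-missing            auto
"""
EXPORT = r"""
/interface vlan
add interface=BR1 name=NET-Client1 vlan-id=119
add interface=BR1 name=NET-MGMT vlan-id=\
    1011
add interface=BR1 name=NET-TEST vlan-id=9
add interface=BR1 name=NET-VPSPrivate vlan-id=10
/interface ethernet switch port
set 0 vlan-header=add-if-missing vlan-mode=secure
set 1 vlan-header=add-if-missing vlan-mode=secure
set 2 vlan-header=add-if-missing vlan-mode=secure
set 3 vlan-header=add-if-missing vlan-mode=secure
set 4 default-vlan-id=1011 vlan-mode=secure
/interface ethernet switch vlan
add ports=ether1 switch=switch1 vlan-id=10
add ports=ether1,ether2,ether3,ether4,switch1-cpu switch=switch1 vlan-id=1011
add ports=ether2,ether3,ether4 switch=switch1 vlan-id=9
add ports=ether2,ether3,ether4 switch=switch1 vlan-id=119
"""

def port_names(print_text):
    """Map switch-port index -> port name; a one-letter flag may precede the name."""
    rows = re.findall(r"^[ \t]*(\d+)[ \t]+(?:[A-Z][ \t]+)?(\S+)", print_text, re.M)
    return {int(idx): name for idx, name in rows}

def parse_export(text):
    """Yield (section, verb, positional args, properties) per export command."""
    section = None
    for line in re.sub(r"\\\n\s*", "", text).splitlines():  # join "\" continuations
        line = line.strip()
        if line.startswith("/"):
            section = line
        elif line and not line.startswith("#"):
            words = shlex.split(line)
            args = [w for w in words[1:] if "=" not in w]
            props = dict(w.split("=", 1) for w in words[1:] if "=" in w)
            yield section, words[0], args, props

def audit(print_text, export_text, cpu="switch1-cpu"):
    """Return findings for the trunk/CPU-port mistakes discussed in the thread."""
    names = port_names(print_text)
    ports, table, routed = {}, {}, set()
    for section, verb, args, props in parse_export(export_text):
        if section == "/interface ethernet switch port" and verb == "set":
            ports[names[int(args[0])]] = props       # resolve index to name
        elif section == "/interface ethernet switch vlan" and verb == "add":
            table[int(props["vlan-id"])] = set(props["ports"].split(","))
        elif section == "/interface vlan" and verb == "add":
            routed.add(int(props["vlan-id"]))        # VLAN terminates on the CPU
    findings = []
    for vid in sorted(routed):
        if cpu not in table.get(vid, set()):
            findings.append(f"VLAN {vid}: has a VLAN interface but {cpu} is not a member")
    for name, props in sorted(ports.items()):
        pvid = props.get("default-vlan-id")
        if props.get("vlan-mode") != "secure":
            findings.append(f"{name}: vlan-mode is not secure")
        if name == cpu and pvid:
            findings.append(f"{name}: default-vlan-id={pvid} set, CPU port acts as access port")
        elif pvid and name not in table.get(int(pvid), set()):
            findings.append(f"{name}: not a member of its default VLAN {pvid}")
    return findings
```

Calling `audit(PORT_PRINT, EXPORT)` on the Apr 05 configuration reports VLANs 9, 10 and 119 as missing switch1-cpu and the CPU port as carrying a default VLAN ID.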
 
w4rh0und
Member Candidate
Topic Author
Posts: 107
Joined: Fri Oct 16, 2009 10:58 pm

Re: Multiple Trunk setup performance issues

Tue Apr 06, 2021 2:15 pm

Hey mkx

I tinkered in all directions; anyway, I think the issue was that I was not adding the switch1_CPU in the port rules.

This is currently my config: the CCR is in switch mode and the 2011 as well, and I can ping the management IPs 172.16.1.1 and 172.16.1.11
I also received an IP by DHCP on 2011 ports 2 and 3.
Please take a quick look and let me know if this is how it should be: add-if-missing on trunks and always-strip on access

Thank you for all your help, I really appreciate it.

CCR:

interface ethernet switch port print 
Flags: I - invalid 
 #   NAME               SWITCH              VLAN-MODE VLAN-HEADER    DEFAULT-VLAN-ID
 0   ether1             switch1             secure    add-if-missing            auto
 1   ether2             switch1             secure    add-if-missing            auto
 2   ether3             switch1             secure    add-if-missing            auto
 3   ether4             switch1             secure    add-if-missing            auto
 4   switch1-cpu        switch1             secure    add-if-missing            auto
# apr/06/2021 14:05:39 by RouterOS 6.48.1
# software id = B4FY-V45T
#
# model = CCR1009-8G-1S-1S+
# serial number = 554A0480B05B
/interface bridge
add name=BR1
/interface vlan
add interface=BR1 name=NET-MGMT vlan-id=1011
add interface=BR1 name=NET-VPS-Private vlan-id=10
/interface ethernet switch port
set 0 vlan-header=add-if-missing vlan-mode=secure
set 1 vlan-header=add-if-missing vlan-mode=secure
set 2 vlan-header=add-if-missing vlan-mode=secure
set 3 vlan-header=add-if-missing vlan-mode=secure
set 4 vlan-header=add-if-missing vlan-mode=secure
/ip pool
add name=dhcp_pool0 ranges=172.16.1.100-172.16.1.150
add name=dhcp_pool1 ranges=172.16.10.100-172.16.10.150
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=NET-MGMT name=dhcp1
add address-pool=dhcp_pool1 disabled=no interface=NET-VPS-Private name=dhcp2
/interface bridge port
add bridge=BR1 interface=ether1
add bridge=BR1 interface=ether2
add bridge=BR1 interface=ether3
add bridge=BR1 interface=ether4
/interface ethernet switch vlan
add independent-learning=no ports=ether1,ether2,ether3,ether4,switch1-cpu switch=switch1 vlan-id=1011
add independent-learning=no ports=ether1,switch1-cpu switch=switch1 vlan-id=10
/ip address
add address=10.124.175.2/24 interface=ether8 network=10.124.175.0
add address=172.16.1.1/24 interface=NET-MGMT network=172.16.1.0
add address=172.16.10.1/24 interface=NET-VPS-Private network=172.16.10.0
/ip dhcp-server network
add address=172.16.1.0/24 gateway=172.16.1.1
add address=172.16.10.0/24 gateway=172.16.10.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip route
add distance=1 gateway=10.124.175.1
/system identity
set name=LAB-CCR1009

SW2011
[radu@LAB-RB2011U1] > interface ethernet switch port print 
Flags: I - invalid 
 #   NAME             SWITCH             VLAN-MODE VLAN-HEADER    DEFAULT-VLAN-ID
 0   sfp1             switch1            disabled  leave-as-is               auto
 1   ether1           switch1            secure    add-if-missing            auto
 2   ether2           switch1            secure    always-strip                10
 3   ether3           switch1            secure    always-strip                10
 4   ether4           switch1            secure    always-strip                10
 5   ether5           switch1            secure    always-strip                10
 6   ether6           switch2            disabled  leave-as-is                  0
 7   ether7           switch2            disabled  leave-as-is                  0
 8   ether8           switch2            disabled  leave-as-is                  0
 9   ether9           switch2            disabled  leave-as-is                  0
10   ether10          switch2            disabled  leave-as-is                  0
11   switch1-cpu      switch1            secure    add-if-missing            auto
12   switch2-cpu      switch2            disabled  leave-as-is                  0

# jan/02/1970 05:32:57 by RouterOS 6.48.1
# software id = DTV5-D782
#
# model = 2011UiAS-2HnD
# serial number = 91E10A9B3921
/interface bridge
add name=BR1
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface vlan
add interface=BR1 name=NET-MGMT vlan-id=1011
add interface=BR1 name=NET-VPS-Private vlan-id=10
/interface ethernet switch port
set 1 vlan-header=add-if-missing vlan-mode=secure
set 2 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
set 3 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
set 4 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
set 5 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
set 11 vlan-header=add-if-missing vlan-mode=secure
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=BR1 interface=ether1
add bridge=BR1 interface=ether2
add bridge=BR1 interface=ether3
add bridge=BR1 interface=ether4
add bridge=BR1 interface=ether5
/interface ethernet switch vlan
add independent-learning=no ports=switch1-cpu,ether1 switch=switch1 vlan-id=\
    1011
add independent-learning=no ports=\
    ether1,ether2,ether3,ether4,ether5,switch1-cpu switch=switch1 vlan-id=10
/ip address
add address=172.16.1.11/24 interface=NET-MGMT network=172.16.1.0
/system identity
set name=LAB-RB2011U1
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Multiple Trunk setup performance issues

Tue Apr 06, 2021 4:42 pm

Only one (minor) thing: on trunk ports I always set vlan-header=leave-as-is ...
 
w4rh0und
Member Candidate
Topic Author
Posts: 107
Joined: Fri Oct 16, 2009 10:58 pm

Re: Multiple Trunk setup performance issues

Wed Apr 07, 2021 12:13 pm

Is it better to use leave as is instead of making sure the tag is added on the port, or do you want to make sure that, if that is the case, untagged traffic could run through the trunk?
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Multiple Trunk setup performance issues

Wed Apr 07, 2021 4:26 pm

If a trunk port is set to vlan-header=leave-as-is and vlan-mode=secure, then on ingress the VLAN table (otherwise governing egress filtering) would be consulted. And there's no "untagged" option in that table (it could be that it would be possible to add VID 0 to that table; VID 0 is sometimes used for "no tag"). Which means that an untagged frame (or a frame without a VLAN ID if the 802.1q header is present for QoS reasons) would get dropped.

One more thing: IMO setting independent-learning=yes is a better choice. Have a look at this thread; in that case setting independent-learning=no on access ports would break things.
