bda
Member Candidate
Topic Author
Posts: 189
Joined: Fri Sep 03, 2010 11:07 am

CRS326-24G-2S+, hybrid ports, ipv6 problem/bug

Thu May 06, 2021 10:59 am

Hi,

I am facing very strange behavior of CRS326-24G-2S+.
Maybe it is a bug.
ROS version: 6.47.9

Description:

Network has:
ipv4 DHCP in vlan 17
ipv6 ND/SLAAC in vlan 888.

I have some ports in hybrid mode on CRS326: vlan 17 - native, vlan 50, 888 – tagged.
Hosts have dhcp-client on vlan 17 and get ip-addresses without problem.
Hosts have only one native interface, without any tagged sub-interfaces.

And then strange magic happened: all hosts connected to hybrid ports with vlan 17 access and vlan 888 in tagged mode get ipv6 addresses (global from ND/SLAAC-router)!
But only with one-way traffic flow: hosts get ipv6 address and they can't even ping ipv6 default gateway.

Hosts get ipv6 addresses from vlan 888 without self-tagging interfaces in this vlan! Hosts have only native (access) ethernet-interfaces but ipv6 address from Router!

Please help with this issue, if anybody knows anything about something like this…

Configuration:
/interface bridge
add comment="-M- bridge-switch" ingress-filtering=yes name=bridge1-switch priority=0xA000 protocol-mode=mstp vlan-filtering=yes
/interface bridge port

/interface bridge
add ageing-time=5m arp=enabled arp-timeout=auto auto-mac=yes comment="-M- bridge-switch" dhcp-snooping=no disabled=no ether-type=0x8100 fast-forward=yes forward-delay=15s frame-types=admit-all igmp-snooping=no \
    ingress-filtering=yes max-hops=20 max-message-age=20s mtu=auto name=bridge1-switch priority=0xA000 protocol-mode=mstp pvid=1 region-name="" region-revision=0 transmit-hold-count=6 vlan-filtering=yes

/interface bridge port
add auto-isolate=no bpdu-guard=no bridge=bridge1-switch broadcast-flood=yes disabled=no edge=auto fast-leave=no frame-types=admit-all horizon=none hw=yes ingress-filtering=yes interface=ether17 \
    internal-path-cost=10 learn=auto multicast-router=temporary-query path-cost=10 point-to-point=auto priority=0x80 pvid=17 restricted-role=no restricted-tcn=no tag-stacking=no trusted=no \
    unknown-multicast-flood=yes unknown-unicast-flood=yes

/interface bridge settings
set allow-fast-path=no use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=no

/interface bridge vlan
add bridge=bridge1-switch comment=mngmt disabled=no tagged=bridge1-switch,ether1,ether6,ether7,ether22,ether23 untagged=ether2,ether9,ether13 vlan-ids=17
add bridge=bridge1-switch comment=ipv6_core disabled=no tagged=ether1,ether3,ether9,ether13,ether17,ether18,ether22,ether23 untagged="" vlan-ids=888
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: CRS326-24G-2S+, hybrid ports, ipv6 problem/bug

Fri May 07, 2021 12:47 pm

One possible explanation: ND and SLAAC are broadcast by router. Which means switch will push them through all active ports carrying appropriate VLAN (tagged or untagged). Which is fine. But then there are OSes with NIC drivers, which silently strip off VLAN tags (in particular Windows OS with many NIC drivers configured to defaults). Which then means that such computer will receive (and process) all packets from all VLANs which might pass that particular physical interface (including broadcasts), but will not be able to actively participate in those subnets (because tagging of transmitted packets is mandatory but OS/driver doesn't do it).

Which means that instead of taking shortcuts by having some generic port configuration you really should configure edge ports on switch only to carry traffic clients are supposed to process, don't count on clients not being configured in some particular way (to ignore some of traffic).
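
One way to audit a switch for the port layout discussed above, as an added example that is not part of the original thread: a Python script that reads a RouterOS export and lists every port that delivers one VLAN untagged while also carrying other VLANs tagged. The function names are hypothetical, and the sample input is abbreviated from the configuration posted in the first message.

```python
import re
import shlex

# Sample input: abbreviated from the configuration posted in this thread
# (the ether17 bridge-port line is shortened to the fields used here).
EXPORT = '''\
/interface bridge port
add bridge=bridge1-switch interface=ether17 pvid=17
/interface bridge vlan
add bridge=bridge1-switch comment=mngmt tagged=bridge1-switch,ether1,ether6,ether7,ether22,ether23 untagged=ether2,ether9,ether13 vlan-ids=17
add bridge=bridge1-switch comment=ipv6_core tagged=ether1,ether3,ether9,ether13,ether17,ether18,ether22,ether23 untagged="" vlan-ids=888
'''

def parse_export(text):
    """Yield (menu, {key: value}) for each 'add' line of a RouterOS export."""
    text = re.sub(r"\\\n\s*", "", text)  # join backslash-continued lines
    menu = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line
        elif line.startswith("add "):
            tokens = shlex.split(line)[1:]  # shlex keeps quoted values whole
            yield menu, dict(t.split("=", 1) for t in tokens if "=" in t)

def hybrid_ports(text):
    """Return {port: {'untagged': set, 'tagged': set}} for ports carrying both."""
    untagged, tagged = {}, {}
    for menu, kv in parse_export(text):
        if menu == "/interface bridge port" and "interface" in kv:
            # A port is an untagged member of its pvid VLAN (default pvid is 1),
            # even when no static /interface bridge vlan entry lists it.
            untagged.setdefault(kv["interface"], set()).add(kv.get("pvid", "1"))
        elif menu == "/interface bridge vlan":
            # vlan-ids are kept as strings; a range such as 100-200 stays one label.
            vlans = kv["vlan-ids"].split(",")
            for field, table in (("untagged", untagged), ("tagged", tagged)):
                for port in filter(None, kv.get(field, "").split(",")):
                    table.setdefault(port, set()).update(vlans)
    return {p: {"untagged": untagged[p], "tagged": tagged[p] - untagged[p]}
            for p in tagged if p in untagged and tagged[p] - untagged[p]}

if __name__ == "__main__":
    for port, vl in sorted(hybrid_ports(EXPORT).items()):
        print(f"{port}: untagged {sorted(vl['untagged'])}, tagged {sorted(vl['tagged'])}")
```

On a full export, trunk uplinks left at the default pvid are listed as well; the host-facing ports in the output are the ones to compare against what each client is supposed to receive.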
 
bda
Member Candidate
Topic Author
Posts: 189
Joined: Fri Sep 03, 2010 11:07 am

Re: CRS326-24G-2S+, hybrid ports, ipv6 problem/bug

Fri May 07, 2021 1:26 pm

there are OSes with NIC drivers, which silently strip off VLAN tags
Thanks, it is true. All Windows OSes simply strip all VLAN tags, and RAs pass to the OS, and the OS gets (sets by itself) an IPv6 address.

I think that I found the solution (after many dogs were eaten).
Based on information from https://wiki.wireshark.org/CaptureSetup/VLAN#Windows

Marvell:
SkDisableVlanStrip = 1 in (example) HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\000

Broadcom:
PreserveVlanInfoInRxPacket = 1 in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet (find it by TxCoalescingTicks in same folder)

Intel (without ANS):
(example)HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\
MonitorModeEnabled - 1
MonitorMode - 1
*PriorityVLANTag - 0
SkDisableVlanStrip - 1
