marina
just joined
Topic Author
Posts: 7
Joined: Mon May 30, 2022 10:22 am

CCR2004 does not transmit all tagged packets

Tue Oct 11, 2022 12:03 pm

Hello. I have several MikroTik switches connected together with links. The problem is between CCR2004 and CRS326. They are connected like this: CCR2004 port sfp28-1 to CRS326 port sfp-sfpplus24. Both switches are configured with 3 VLANs: 1 - default, 11 - management and 14 - internet. For VLANs 11 and 14 the switches have static IPs assigned.
This is the related configuration:
For CCR2004:
/interface bridge
add name=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes vlan-filtering=yes
/interface vlan
add interface=bridge name=default vlan-id=1
add interface=bridge name=inet vlan-id=14
add interface=bridge name=mgt vlan-id=11
/interface bonding
add name=bonding28-1-2 slaves=sfp28-1,sfp28-2
/interface list
add name="STP Filter"
/interface bridge filter
add action=drop chain=output dst-mac-address=01:80:C2:00:00:00/FF:FF:FF:FF:FF:FF out-interface-list="STP Filter"
add action=drop chain=forward dst-mac-address=01:80:C2:00:00:00/FF:FF:FF:FF:FF:FF in-interface-list="STP Filter"
add action=drop chain=forward dst-mac-address=01:80:C2:00:00:00/FF:FF:FF:FF:FF:FF out-interface-list="STP Filter"
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether1 path-cost=30 trusted=yes
add bridge=bridge disabled=yes frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=sfp28-1 trusted=yes
add bridge=bridge disabled=yes frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=sfp28-2 trusted=yes
add bridge=bridge edge=yes frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=sfp-sfpplus4 point-to-point=yes pvid=14 restricted-role=yes restricted-tcn=yes
add bridge=bridge edge=yes frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=sfp-sfpplus5 point-to-point=yes pvid=14 restricted-role=yes restricted-tcn=yes
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=bonding28-1-2 trusted=yes
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1,sfp28-1,sfp28-2,bonding28-1-2 vlan-ids=1
add bridge=bridge tagged=bridge,ether1,sfp28-1,sfp28-2,bonding28-1-2 vlan-ids=11
add bridge=bridge tagged=bridge,ether1,sfp28-1,sfp28-2,bonding28-1-2 vlan-ids=14
/interface list member
add interface=sfp-sfpplus4 list="STP Filter"
add interface=sfp-sfpplus5 list="STP Filter"
/ip address
add address=192.168.0.1/24 interface=voip network=192.168.0.0
add address=192.168.1.52/28 interface=mtc network=192.168.1.48
/ip firewall filter
add action=drop chain=input connection-state=invalid,untracked
add action=accept chain=input connection-state=established,related
add action=accept chain=input in-interface=voip
add action=drop chain=input
add action=drop chain=forward connection-state=invalid,untracked
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward

and for CRS326:

/interface bridge
add name=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes vlan-filtering=yes
/interface vlan
add interface=bridge name=default vlan-id=1
add interface=bridge name=inet vlan-id=14
add interface=bridge name=mngt vlan-id=11
/interface list
add name="STP Filter"
/interface bridge filter
add action=drop chain=output dst-mac-address=01:80:C2:00:00:00/FF:FF:FF:FF:FF:FF out-interface-list="STP Filter"
add action=drop chain=forward dst-mac-address=01:80:C2:00:00:00/FF:FF:FF:FF:FF:FF in-interface-list="STP Filter"
add action=drop chain=forward dst-mac-address=01:80:C2:00:00:00/FF:FF:FF:FF:FF:FF out-interface-list="STP Filter"
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether1 trusted=yes
add bridge=bridge edge=yes frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=sfp-sfpplus18 point-to-point=yes pvid=14 restricted-role=yes restricted-tcn=yes
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=sfp-sfpplus24 trusted=yes
/interface bridge vlan
add bridge=bridge tagged="bridge,ether1,sfp-sfpplus24" vlan-ids=1
add bridge=bridge tagged="bridge,ether1,sfp-sfpplus24" vlan-ids=11
add bridge=bridge tagged="bridge,sfp-sfpplus24" vlan-ids=14
/interface list member
add interface=sfp-sfpplus18 list="STP Filter"
/ip address
add address=192.168.0.87/24 interface=voip network=192.168.0.0
add address=192.168.1.50/28 interface=mtc network=192.168.1.48
/ip firewall filter
add action=drop chain=input connection-state=invalid,untracked
add action=accept chain=input connection-state=established,related
add action=accept chain=input in-interface=voip
add action=drop chain=input
add action=drop chain=forward connection-state=invalid,untracked
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward

Both MikroTiks ping the provider's GW, 192.168.1.49.

While pinging, the provider's cable is inserted in CCR2004 port sfp-sfpplus4. In this case CCR2004 can ping the provider's GW, but CRS326 cannot ping the provider's GW.
When the provider's cable is connected to CRS326 port sfp-sfpplus18, both MikroTiks can ping the provider's GW.

The question is: why, when the provider's cable is connected to CCR2004, can the other MikroTik not ping the provider's GW? There is no problem with the provider. The provider does not block by MAC or anything like that; it only does not accept BPDU and STP packets.
Both MikroTiks are updated to the latest RouterOS v.6.
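
A cross-reference check over the export posted above, as an added example that is not part of the original post: it lists interface names used under `/ip address` that the export does not define, and bond slaves that are also listed directly as bridge ports or VLAN members. The function names `parse` and `lint` and the finding labels are this example's own.

```python
import re

# Lines copied from the CCR2004 export in the post (abridged to what is checked).
EXPORT = """\
/interface vlan
add interface=bridge name=inet vlan-id=14
add interface=bridge name=mgt vlan-id=11
/interface bonding
add name=bonding28-1-2 slaves=sfp28-1,sfp28-2
/interface bridge port
add bridge=bridge disabled=yes frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=sfp28-1 trusted=yes
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=bonding28-1-2 trusted=yes
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1,sfp28-1,sfp28-2,bonding28-1-2 vlan-ids=14
/ip address
add address=192.168.0.1/24 interface=voip network=192.168.0.0
add address=192.168.1.52/28 interface=mtc network=192.168.1.48
"""

PAIR = re.compile(r'([\w-]+)=("[^"]*"|\S+)')
DEFINES = {"/interface bridge", "/interface vlan", "/interface bonding"}

def parse(export):
    """Return (menu, {key: value}) for every 'add' line of an export."""
    menu, rows = None, []
    for line in map(str.strip, export.splitlines()):
        if line.startswith("/"):
            menu = line                      # a menu path opens a new section
        elif line.startswith("add "):
            rows.append((menu, {k: v.strip('"') for k, v in PAIR.findall(line)}))
    return rows

def lint(export):
    """Cross-reference interface names; returns (kind, menu, name) tuples."""
    rows = parse(export)
    slaves = {s for m, kv in rows if m == "/interface bonding" for s in kv["slaves"].split(",")}
    # Names the export defines, plus ports it references as bridge members.
    known = slaves | {kv["name"] for m, kv in rows if m in DEFINES}
    known |= {kv["interface"] for m, kv in rows if m == "/interface bridge port"}
    found = []
    for menu, kv in rows:
        if menu == "/ip address" and kv["interface"] not in known:
            found.append(("undefined", menu, kv["interface"]))
        elif menu == "/interface bridge port" and kv["interface"] in slaves:
            found.append(("bond-slave", menu, kv["interface"]))
        elif menu == "/interface bridge vlan":
            found += [("bond-slave", menu, p) for p in sorted(set(kv["tagged"].split(",")) & slaves)]
    return found
```

Call `lint(EXPORT)` to get the findings. The post describes the export as the related configuration only, so a name reported as undefined may be defined in a part that was not posted.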
