Has anyone got production experience with the MLAG redundancy feature? We are experiencing some problems with a pair of CRS354-48G-4S+2Q+ (Marvell 98DX3257) switches.
Topology is identical to reference documentation:
https://help.mikrotik.com/docs/display/ ... tion+Group
2 x CRS354 using MLAG (core or spine)
9 x CRS326-24G-2S+ using LACP (access or leaf)
Each access switch has a bond (802.3ad mode) comprising 2 x 1G ethernet interfaces essentially talking standard LACP with both CRS354 devices running MLAG.
If we enable loop-detect on the uplink interfaces that make up the bonds, on the access / leaf switches the ports occasionally disable as the port receives its loop detect packet back in on the same port it originated from:
This behaviour did not occur when the core / spine switches were a stack of D-Link DGS-3120 switches. We have an identical architecture working perfectly where the core / spine switches are a stack of Netgear M4300 switches as well. The network is relatively static, 9+ months since leaf switches were replaced with CRS326-24G-2S+ switches (2 x ether bond uplinks with all other ports being access ports).
Food for thought:
- Loop protect frames are constantly generated
- Ports on average only get blocked once an hour
- Seldom happens to affect both uplinks concurrently (as per example above)
- Happens on all 9 access switches, all edge devices such as workstations, laptops, VoIP phones, etc (RADIUS 802.1X controlled)
- Does not happen on the MLAG core switches
- Other manufacturer switches which also have LACP uplinks to the CRS354 occasionally log 'possible spoofing' messages
- Problem does not occur when MLAG core switches are replaced with a stack of D-Link or Netgear switches
Access layer switch, relevant configurations:
Code:
/interface bridge
add add-dhcp-option82=yes admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no \
    dhcp-snooping=yes name=bridge priority=0x7000 protocol-mode=mstp \
    region-name=Turnberry vlan-filtering=yes
/interface ethernet
set [ find default-name=ether23 ] l2mtu=10218 loop-protect=on
set [ find default-name=ether24 ] l2mtu=10218 loop-protect=on
/interface bonding
add lacp-rate=1sec mode=802.3ad name=bond slaves=ether23,ether24 \
    transmit-hash-policy=layer-3-and-4
/interface bridge port
add bridge=bridge interface=bond trusted=yes
Core layer switches running MLAG, relevant configuration:
Code:
/interface bridge
add add-dhcp-option82=yes admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no \
    dhcp-snooping=yes name=bridge priority=0x6000 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether46 ] l2mtu=10218 loop-protect=on
set [ find default-name=sfp-sfpplus1 ] l2mtu=10218 loop-protect=on
set [ find default-name=sfp-sfpplus2 ] l2mtu=10218 loop-protect=on
/interface bonding
add lacp-rate=1sec mode=802.3ad name=bond-peer slaves=sfp-sfpplus1,sfp-sfpplus2 transmit-hash-policy=layer-3-and-4
add lacp-rate=1sec mlag-id=46 mode=802.3ad name=bonde46 slaves=ether46 transmit-hash-policy=layer-3-and-4
/interface bridge mlag
set bridge=bridge peer-port=bond-peer
/interface bridge port
add bridge=bridge comment="MLAG Peer:" interface=bond-peer pvid=99 trusted=yes
add bridge=bridge interface=bonde46 restricted-role=yes