Table of Contents

Summary

...

The Cloud Router Switch series are CCR3xx series switches and CCR2116, CCR2216 routers have highly integrated switches with high-performance CPU and feature-rich packet processors. The CRS3xx series switches These devices can be designed into various Ethernet applications including unmanaged switch, Layer 2 managed switch, carrier switch, inter-VLAN router, and wired unified packet processingprocessor.

Note
This article applies to CRS3xx series switches, CCR2116, CCR2216 routers, and not to CRS1xx/CRS2xx series switches.

Features

Features	Description
Forwarding	Configurable ports for switching or routing Full non-blocking wire-speed switching Large Unicast FDB for Layer 2 unicast forwarding Forwarding Databases works based on IVL Jumbo frame support IGMP Snooping support DHCP Snooping with Option 82
Routing	Layer 3 Hardware Offloading: IPv4 Unicast Routing Supported on Ethernet, Bridge, Bonding, and VLAN interfaces ECMP Blackholes Offloaded Fasttrack connections (applies only to certain switch models) Offloaded NAT for Fasttrack connections (applies only to certain switch models) Multiple MTU profiles
Spanning Tree Protocol	STP RSTP MSTP
Mirroring	Various types of mirroring: Port based mirroring VLAN based mirroring MAC based mirroring
VLAN	Fully compatible with IEEE802.1Q and IEEE802.1ad VLAN 4k active VLANs Flexible VLAN assignment: Port based VLAN Protocol based VLAN MAC based VLAN VLAN filtering From any to any VLAN translation
Bonding	Supports 802.3ad (LACP) and balance-xor modes Up to 8 member ports per bonding interface Up to 30 bonding interfaces Hardware automatic failover and load balancing MLAG
Traffic Shaping	Ingress traffic limiting Port based MAC based IP based VLAN based Protocol based DSCP based Port based egress traffic limiting
Port isolation	Applicable for Private VLAN implementation
Access Control List	Ingress ACL tables Classification based on ports, L2, L3, L4 protocol header fields ACL actions include filtering, forwarding and modifying of the protocol header fields

Models

This table clarifies the main differences between Cloud Router Switch models and CCR routers.

SFP+ port+

Model

Switch Chip

CPU

Cores

Wireless

10G SFP+

10G Ethernet

25G SFP28

40G QSFP+

100G QSFP28

ACL rules

Unicast FDB entries

Jumbo Frame (Bytes)

netPower 15FR (CRS318-1Fi-15Fr-2S)

Marvell-98DX224S

800MHz

1

-

128

16,000

10218

netPower 16P (CRS318-16P-2S+)

Marvell-98DX226S

800MHz

1

2

-

128

16,000

10218

CRS326CRS310-1G-24G5S-2S4S+ (RMnetFiber 9/IN)

Marvell-98DX323698DX226S

800MHz

1

4

-

-+

128

16,000

10218

CRS326-24G-2S+ (RM/IN)

Marvell-98DX3236

800MHz

1

2

-

128

16,000

10218

CRS328-CRS328-24P-4S+

Marvell-98DX3236

800MHz

1

4

-

-+

128

16,000

10218

CRS328-4C-20S-4S+

Marvell-98DX3236

800MHz

1

4

-

-+

128

16,000

10218

CRS305-1G-4S+

Marvell-98DX3236

800MHz

1

4

-

+-

128

16,000

10218

CRS309-1G-8S+

Marvell-98DX8208

800MHz

2

8

-

+-

680

32 000

10218

CRS317-1G-16S+

Marvell-98DX8216

800MHz

2

16

-

-+

680

128,000

10218

CRS312-4C+8XG

Marvell-98DX8212

650MHz

1-

4 (combo ports)

+

8 + 4 (combo ports)

-

341341

32,000

10218

CRS326-24S+2Q+

Marvell-98DX8332

650MHz

1

24

-

2

+-

170

32,000

10218

CRS354-48G-4S+2Q+

Marvell-98DX3257

650MHz

1

4

-

2

-+

170

32,000

10218

CRS354-48P-4S+2Q+

Marvell-98DX3257

650MHz

1

4

-

2

-+

170

32,000

10218

Abbreviations

FDB - Forwarding Database
MDB - Multicast Database
SVL - Shared VLAN Learning
IVL - Independent VLAN Learning
PVID - Port VLAN ID
ACL - Access Control List
CVID - Customer VLAN ID
SVID - Service VLAN ID

Port switching

In order to set up a port switching on CRS3xx series switches, check the Bridge Hardware Offloading page.

Warning
Currently it is possible to create only one bridge with hardware offloading on CRS3xx series devices. Use the `hw=yes/no` parameter to select which bridge will use hardware offloading.

Note
On CRS3xx series switches, bridge STP/RSTP/MSTP, IGMP Snooping and VLAN filtering settings don't affect hardware offloading, since RouterOS v6.42 Bonding interfaces are also hardware offloaded.

VLAN

Since RouterOS version 6.41, a bridge provides VLAN aware Layer2 forwarding and VLAN tag modifications within the bridge. This set of features makes bridge operation more like a traditional Ethernet switch and allows to overcome Spanning Tree compatibility issues compared to the configuration when tunnel-like VLAN interfaces are bridged. Bridge VLAN Filtering configuration is highly recommended to comply with STP (802.1D), RSTP (802.1w) standards and it is mandatory to enable MSTP (802.1s) support in RouterOS.

VLAN Filtering

The main VLAN setting is vlan-filtering, which globally controls VLAN awareness and VLAN tag processing in the bridge. If vlan-filtering=no is used, the bridge ignores VLAN tags, works in a shared-VLAN-learning (SVL) mode and cannot modify VLAN tags of packets. Turning on vlan-filtering=yes, enables all bridge VLAN related functionality and independent-VLAN-learning (IVL) mode. Besides joining the ports for Layer2 forwarding, the bridge itself is also an interface therefore it has its own Port VLAN ID (pvid).

Note

Since RouterOS version 6.41, all VLAN switching related parameters are moved to the bridge section. On CRS3xx series devices, VLAN switching must be configured under the bridge section as well, this will not limit the device's performance, CRS3xx is designed to use the built-in switch chip to work with bridge VLAN filtering, you are able to achieve full non-blocking wire-speed switching performance while using bridges and bridge VLAN filtering. Make sure that all bridge ports have the "H" flag, which indicates that the device is using the switch chip to forward packets.

Sub-menu: /interface bridge

...

Sub-menu: /interface bridge port

...

VLAN Table

Bridge VLAN table represents per-VLAN port mapping with an egress VLAN tag action. tagged ports send out frames with a specified VLAN ID tag. untagged ports remove the VLAN tag before sending out frames.

Sub-menu: /interface bridge vlan

...

CCR2116-12G-4S+	Marvell-98DX3255	2000MHz	16	4	-	-	-	-	512	32,000	9570
CCR2216-1G-12XS-2XQ	Marvell-98DX8525	2000MHz	16	-	-	12	-	2	1024	128,000	9570

Abbreviations

FDB - Forwarding Database
MDB - Multicast Database
SVL - Shared VLAN Learning
IVL - Independent VLAN Learning
PVID - Port VLAN ID
ACL - Access Control List
CVID - Customer VLAN ID
SVID - Service VLAN ID

Port switching

...

In order to set up a port switching on CRS3xx series switches and CCR2116, CCR2216 routers, check the Bridge Hardware Offloading page.

Warning
Currently, it is possible to create only one bridge with hardware offloading. Use the `hw=yes/no` parameter to select which bridge will use hardware offloading.

Note
On CRS3xx series switches and CCR2116, CCR2216 routers, bridge STP/RSTP/MSTP, IGMP Snooping and VLAN filtering settings don't affect hardware offloading, since RouterOS v6.42 Bonding interfaces are also hardware offloaded.

VLAN

...

Since RouterOS version 6.41, a bridge provides VLAN aware Layer2 forwarding and VLAN tag modifications within the bridge. This set of features makes bridge operation more like a traditional Ethernet switch and allows to overcome Spanning Tree compatibility issues compared to the configuration when tunnel-like VLAN interfaces are bridged. Bridge VLAN Filtering configuration is highly recommended to comply with STP (802.1D), RSTP (802.1w) standards and it is mandatory to enable MSTP (802.1s) support in RouterOS.

VLAN Filtering

In order to set up a port switching on CRS3xx series switches and CCR2116, CCR2216 routers, check the Bridge VLAN Filtering page.

VLAN setup examples

Below are describes some of the most common ways how to utilize VLAN forwarding on the CRS3xx series switches and CCR2116, CCR2216 routers.

Port-Based VLAN

The configuration is described in the Bridge VLAN FIltering section

VLAN setup examples

Below are describes some of the most common ways on how to utilize VLAN forwarding on the CRS3xx series switches.

Port-Based VLAN

The configuration for CRS3xx switches is described in the Bridge VLAN FIltering section.

...

.

MAC Based VLAN

Note

The CRS3xx, CCR2116, CCR2216 Switch Rule table is used for MAC Based VLAN functionality, see this table on how many rules each device supports.
MAC-based VLANs will only work properly between switch ports and not between switch ports and CPU. When a packet is being forwarded to the CPU, the pvid property for the bridge port will be always used instead of new-vlan-id from ACL rules.
MAC-based VLANs will not work for DHCP packets when DHCP snooping is enabled.

...

Code Block

language	ros

/interface ethernet switch rule
add switch=switch1 ports=ether7 src-mac-address=A4:12:6D:77:94:43/FF:FF:FF:FF:FF:FF new-vlan-id=200
add switch=switch1 ports=ether7 src-mac-address=84:37:62:DF:04:20/FF:FF:FF:FF:FF:FF new-vlan-id=300
add switch=switch1 ports=ether7 src-mac-address=E7:16:34:A1:CD:18/FF:FF:FF:FF:FF:FF new-vlan-id=400

Protocol Based VLAN

Note

The CRS3xx, CCR2116, CCR2216 Switch Rule table is used for Protocol Based VLAN functionality, see this table on how many rules each device supports.
Protocol-based VLANs will only work properly between switch ports and not between switch ports and CPU. When a packet is being forwarded to the CPU, the pvid property for the bridge port will be always used instead of new-vlan-id from ACL rules.
Protocol-based VLANs will not work for DHCP packets when DHCP snooping is enabled.

...

Code Block

language	ros

/interface ethernet switch rule
add mac-protocol=ip new-vlan-id=200 ports=ether6 switch=switch1
add mac-protocol=ipx new-vlan-id=300 ports=ether7 switch=switch1
add mac-protocol=0x80F3 new-vlan-id=400 ports=ether8 switch=switch1

VLAN Tunneling (Q-in-Q)

Since RouterOS v6.43 it is possible to use a provider bridge (IEEE 802.1ad) and Tag and Tag Stacking VLAN filtering, and hardware offloading at the same time on CRS3xx series switches. The configuration for CRS3xx switches is described in the Bridge VLAN Tunneling (Q-in-Q) section.

Warning
Devices with switch chip Marvell-98DX3257 (e.g. CRS354 series) do not support VLAN filtering on 1Gbps Ethernet interfaces for other VLAN types (`0x88a8` and `0x9100`).

Ingress VLAN translation

It is possible to translate a certain VLAN ID to a different VLAN ID using ACL rules on an ingress port. In this example we create two ACL rules, allowing a bidirectional communication. This can be done by doing the following.

...

Warning
By enabling `vlan-filtering` you will be filtering out traffic destined to the CPU, before enabling VLAN filtering you should make sure that you set up a Management port

(R/M)STP

...

CRS3xx series switches and CCR2116, CCR2216 routers are capable of running STP, RSTP and MSTP on a hardware level. For more detailed information you should check out the Spanning Tree Protocol manual page.

Bonding

...

Since RouterOS v6.42 all CRS3xx series switches and CCR2116, CCR2216 routers support hardware offloading with bonding interfaces. Only 802.3ad and balance-xor bonding modes are hardware offloaded, other bonding modes will use the CPU's resources. You can find more information about the bonding interfaces in the Bonding Interface section. If 802.3ad mode is used, then LACP (Link Aggregation Control Protocol) is supported.

...

Note
With HW-offloaded bonding interfaces, the built-in switch chip will always use Layer2+Layer3+Layer4 for a transmit hash policy, changing the transmit hash policy manually will have no effect.

Multi-chassis Link Aggregation Group

...

MLAG (Multi-chassis Link Aggregation Group) implementation in RouterOS allows configuring LACP bonds on two separate devices, while the client device believes to be connected on the same machine. This provides a physical redundancy in case of switch failure. All CRS3xx series series and CCR2116, CCR2216 devices can be configured with MLAG. Read here for more information.

L3 Hardware Offloading

...

Layer3 hardware offloading (otherwise known as IP switching or HW routing) will allow to offload some of the router features on to onto the switch chip. This allows reaching wire speeds when routing packets, which simply would not be possible with the CPU.

Offloaded feature set depends on the used chipset. Read here for more info.

Port isolation

...

Since RouterOS v6.43 is it possible to create a Private VLAN setup on CRS3xx series switches, an example can be found in the Switch chip port isolation manual page. Hardware offloaded bonding interfaces are not included in the switch port-isolation menu, but it is still possible to configure port-isolation individually on each secondary interface of the bonding.

IGMP/MLD Snooping

...

CRS3xx series switches and CCR2116, CCR2216 routers are capable of using IGMP/MLD Snooping on a hardware level. To see more detailed information, you should check out the IGMP/MLD snooping manual page.

DHCP Snooping and DHCP Option 82

...

CRS3xx series switches and CCR2116, CCR2216 routers are capable of using DHCP Snooping with Option 82 on a hardware level. The switch will create a dynamic ACL rule to capture the DHCP packets and redirect them to the main CPU for further processing. To see more detailed information, please visit the DHCP Snooping and DHCP Option 82 manual page.

Warning
DHCP snooping will not work when hardware offloading bonding interfaces are created.

Controller Bridge and Port Extender

...

Controller Bridge (CB) and Port Extender (PE) is an IEEE 802.1BR standard implementation in RouterOS for CRS3xx series switches. It allows virtually extending the CB ports with a PE device and manage managing these extended interfaces from a single controlling device. Such configuration provides a simplified network topology, flexibility, increased port density, and ease of manageability. See more details on on Controller Bridge and Port Extender manual.

Mirroring

...

Mirroring lets the switch sniff all traffic that is going in a switch chip and send a copy of those packets out to another port (mirror-target). This feature can be used to easily set up a tap device that allows you to inspect the traffic on your network on a traffic analyzer device. It is possible to set up a simple port-based mirroring, but it is also possible to set up more complex mirroring based on various parameters. Note that mirror-target port has to belong to the same switch (see which port belongs to which switch in /interface ethernet menu). Also, mirror-target can have a special 'cpu' value, which means that sniffed packets will be sent out of switch chips cpu CPU port. There are many possibilities that can be used to mirror certain traffic, below you can find the most common mirroring examples:

...

There are other options as well, check the ACL section to find out all possible parameters that can be used to match packets.

Traffic Shaping

...

For CRS3xx series switches, it It is possible to limit ingress traffic that matches certain parameters with ACL rules and it is possible to limit ingress/egress traffic per port basis. The policer is used for ingress traffic, the shaper is used for egress traffic. The ingress policer controls the received traffic with packet drops. Everything that exceeds the defined limit will get dropped. This can affect the TCP congestion control mechanism on end hosts and achieved bandwidth can be actually less than defined. The egress shaper tries to queue packets that exceed the limit instead of dropping them. Eventually, it will also drop packets when the output queue gets full, however, it should allow utilizing the defined throughput better.

...

There are other options as well, check the ACL section to find out all possible parameters that can be used to match packets.

Note
The CRS3xx Switch Rule table is used for QoS functionality, see this table on how many rules each device supports.

Traffic Storm Control

...

Since RouterOS v6.42 it is possible to enable traffic storm control on CRS3xx series devices. A traffic storm can emerge when certain frames are continuously flooded on the network. For example, if a network loop has been created and no loop avoidance mechanisms are used (e.g. Spanning Tree Protocol), broadcast or multicast frames can quickly overwhelm the network, causing degraded network performance or even complete network breakdown. With CRS3xx series switches and CCR2116, CCR2216 routers it is possible to limit broadcast, unknown multicast and unknown unicast traffic. Unknown unicast traffic is considered when a switch does not contain a host entry for the destined MAC address. Unknown multicast traffic is considered when a switch does not contain a multicast group entry in the /interface bridge mdb menu. Storm control settings should be applied to ingress ports, the egress traffic will be limited.

...

Code Block

language	ros

/interface ethernet switch port
set ether1 storm-rate=1 limit-broadcasts=yes limit-unknown-unicasts=yes

MPLS hardware offloading

...

Since RouterOS v6.41 it is possible to offload certain MPLS functions to the switch chip, the switch must be a (P)rovider router in a PE-P-PE setup in order to achieve hardware offloading. A setup example can be found in the Basic MPLS setup example manual page. The hardware offloading will only take place when LDP interfaces are configured as physical switch interfaces (e.g. Ethernet, SFP, SFP+).

Note
Currently only `CRS317-1G-16S+` and `CRS309-1G-8S+` using RouterOS v6.41 and newer are capable of hardware offloading certain MPLS functions. `CRS317-1G-16S+` and `CRS309-1G-8S+` built-in switch chip is not capable of popping MPLS labels from packets, in a PE-P-PE setup you either have to use explicit null or disable TTL propagation in MPLS network to achieve hardware offloading.

Switch Rules (ACL)

...

Access Control List contains ingress policy and egress policy engines. See this table on how many rules each device supports (limited by RouterOS). It is an advanced tool for wire-speed packet filtering, forwarding and modifying based on Layer2, Layer3 and Layer4 protocol header field conditions.

...

Property	Description
copy-to-cpu (no \| yes; Default: no)	Clones the matching packet and sends it to the CPU.
disabled (yes \| no; Default: no)	Enables or disables ACL entry.
dscp (0..63)	Matching DSCP field of the packet.
dst-address (IP address/Mask)	Matching destination IP address and mask, also matches destination IP in ARP packets.
dst-address6 (IPv6 address/Mask)	Matching destination IPv6 address and mask, also matches source IP in ARP packets.
dst-mac-address (MAC address/Mask)	Matching destination MAC address and mask.
dst-port (0..65535)	Matching destination protocol port number.
flow-label (0..1048575)	Matching IPv6 flow label.
mac-protocol (802.2 \| arp \| homeplug-av \| ip \| ipv6 \| ipx \| lldp \| loop-protect \| mpls-multicast \| mpls-unicast \| packing-compr \| packing-simple \| pppoe \| pppoe-discovery \| rarp \| service-vlan \| vlan \| or 0..65535 \| or 0x0000-0xffff)	Matching particular MAC protocol specified by protocol name or number
mirror (no \| yes)	Clones the matching packet and sends it to the mirror-target port.
new-dst-ports (ports)	Changes the destination port as specified. An empty setting will drop the packet. A specified port will redirect the packet to it. When the parameter is not used, the packet will be accepted. Multiple "new-dst-ports" are not supported on the CRS3xx series switches.
new-vlan-id (0..4095)	Changes the VLAN ID to the specified value. Requires `vlan-filtering=yes`.
new-vlan-priority (0..7)	Changes the VLAN priority (priority code point). Requires `vlan-filtering=yes`.
ports (ports)	Matching ports on which will the rule apply on received traffic.
protocol (dccp \| ddp \| egp \| encap \| etherip \| ggp \| gre \| hmp \| icmp \| icmpv6 \| idpr-cmtp \| igmp \| ipencap \| ipip \| ipsec-ah \| ipsec-esp \| ipv6 \| ipv6-frag \| ipv6-nonxt \| ipv6-opts \| ipv6-route \| iso-tp4 \| l2tp \| ospf \| pim \| pup \| rdp \| rspf \| rsvp \| sctp \| st \| tcp \| udp \| udp-lite \| vmtp \| vrrp \| xns-idp \| xtp \| or 0..255)	Matching particular IP protocol specified by protocol name or number.
rate (0..4294967295)	Sets ingress traffic limitation (bits per second) for matched traffic.
redirect-to-cpu (no \| yes)	Changes the destination port of a matching packet to the CPU.
src-address (IP address/Mask)	Matching source IP address and mask.
src-address6 (IPv6 address/Mask)	Matching source IPv6 address and mask.
src-mac-address (MAC address/Mask)	Matching source MAC address and mask.
src-port (0..65535)	Matching source protocol port number.
switch (switch group)	Matching switch group on which will the rule apply.
traffic-class (0..255)	Matching IPv6 traffic class.
vlan-id (0..4095)	Matching VLAN ID. Requires `vlan-filtering=yes`.
vlan-header (not-present \| present)	Matching VLAN header, whether the VLAN header is present or not. Requires `vlan-filtering=yes`.
vlan-priority (0..7)	Matching VLAN priority (priority code point).

...

Note
For VLAN related matchers or VLAN related action parameters to work, you need to enable `vlan-filtering` on the bridge interface and make sure that hardware offloading is enabled on those ports, otherwise, these parameters will not have any effect.

...

Warning
When bridge interface `ether-type` is set to `0x8100`, then VLAN related ACL rules are relevant to 0x8100 (CVID) packets, this includes `vlan-id` and `new-vlan-id`. When bridge interface `ether-type` is set to `0x88a8`, then ACL rules are relevant to 0x88A8 (SVID) packets.

Port Security

...

It is possible to limit allowed MAC addresses on a single switch port on CRS3xx series switches. For example, to allow 64:D1:54:81:EF:8E MAC address on a switch port, start by switching multiple ports together, in this example 64:D1:54:81:EF:8E is going to be located behind ether1.

...

Warning
Broadcast traffic will still be sent out from ether1. To limit broadcast traffic flood on a bridge port, you can use the `broadcast-flood` parameter to toggle it. Do note that some protocols depend on broadcast traffic, such as streaming protocols and DHCP.

Dual Boot

...

“Dual The “dual boot” feature allows you to choose which operating system you prefer to use on CRS3xx series switches, RouterOS or SwOS. Device operating system could be changed using:

Command-line (/system routerboard settings set boot-os=swos)
Winbox
Webfig
Serial Console

More details about SwOS are described here: SwOS manual

Configuring SwOS using RouterOS

...

Since RouterOS 6.43 it is possible to load, save and reset SwOS configuration, as well as upgrade SwOS and set an IP address for the switch CRS3xx series switches by using RouterOS.

Save configuration with /system swos save-config

...

Property	Description
address-acquisition-mode (dhcp-only \| dhcp-with-fallback \| static; Default: dhcp-with-fallback)	Changes address acquisition method: dhcp-only - uses only a DHCP client to acquire address dhcp-with-fallback - for the first 10 seconds will try to acquire address using a DHCP client. If the request is unsuccessful, then address falls back to static as defined by static-ip-address property static - address is set as defined by static-ip-address property
allow-from (IP/Mask; Default: 0.0.0.0/0)	IP address or a network from which the switch is accessible. By default, the switch is accessible by any IP address.
allow-from-ports (name; Default: )	List of switch ports from which the device is accessible. By default, all ports are allowed to access the switch
allow-from-vlan (integer: 0..4094; Default: 0)	VLAN ID from which the device is accessible. By default, all VLANs are allowed
identity (name; Default: Mikrotik)	Name of the switch (used for Mikrotik Neighbor Discovery protocol)
static-ip-address (IP; Default: 192.168.88.1)	IP address of the switch in case address-acquisition-mode is either set to dhcp-with-fallback or static. By setting a static IP address, the address acquisition process does not change, which is DHCP with fallback by default. This means that the configured static IP address will become active only when there is going to be no DHCP servers in the same broadcast domain

Page tree

Page History

Versions Compared

Old Version 37

New Version 38

Key

Summary

Features

Models

Abbreviations

Port switching

VLAN

VLAN Filtering

VLAN Table

Abbreviations

Port switching

VLAN

VLAN Filtering

Port-Based VLAN

VLAN setup examples

Port-Based VLAN

MAC Based VLAN

Protocol Based VLAN

VLAN Tunneling (Q-in-Q)

Ingress VLAN translation

(R/M)STP

Bonding

Multi-chassis Link Aggregation Group

L3 Hardware Offloading

Port isolation

IGMP/MLD Snooping

DHCP Snooping and DHCP Option 82

Controller Bridge and Port Extender

Mirroring

Traffic Shaping

Traffic Storm Control

MPLS hardware offloading

Switch Rules (ACL)

Port Security

Dual Boot

Configuring SwOS using RouterOS

See also