Versions Compared

Old Version 1

changes.mady.by.user Edgars P.

Saved on

compared with

New Version 2

changes.mady.by.user Edgars P.

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

SwOS Lite is an operating system designed specifically for the administration of MikroTik GPEN21 products. GPEN21 support only SwOS Lite operating system.

GPEN21 series features

FeaturesDescription
Forwarding
  • Full non-blocking wirespeed switching
  • Up to 2k MAC entries in the Host table 1
  • Forwarding Database works based only on SVL
  • Jumbo frame support - 10222 bytes
Monitoring
  • SNMP v1
  • Link fault detection
  • SFP diagnostics
  • Interface statistics
VLAN
  • Fully compatible with IEEE802.1Q
  • Port-based VLAN
  • Up to 250 VLAN entries (limited by SwOS)
  • VLAN filtering
Security
  • Port Lock
  • Broadcast Storm Control
Quality of Service (QoS)
  • Ingress traffic limiting
  • Egress traffic limiting
Access Control List
  • Ingress ACL tables
  • Up to 32 ACL rules (limited by SwOS)
  • Classification based on ports, L2, L3, L4 protocol header fields
  • ACL actions include filtering, forwarding, and modifying the protocol header fields


Info

1 The Host table limit does not affect forwarding because packets are sent from upstream to downstream ports and vice versa when the MAC learning limit is reached.

...

Info

SwOS uses a simple algorithm to ensure TCP/IP communication - it just replies to the same IP and MAC address packet came from. This way there is no need for Default Gateway on the device itself.

PropertyDescription
Address AcquisitionSpecify which address acquisition method to use:
  • DHCP with fallback - device is trying to request an IP address from a DHCP server. If the requests are unsuccessful, then the device can be accessed using a Static IP Address value
  • static - address is set as a Static IP Address value
  • DHCP only - device uses DHCP client to acquire address
Static IP AddressIP address of the device in case of Address Acquisition is set as DHCP with fallback or static
IdentityName of the device (for Mikrotik Neighbor Discovery protocol)
Allow FromIP address from which the device is accessible. Default value is '0.0.0.0/0' - any address
Allow From PortsList of device ports from which it is accessible
Allow From VLANVLAN ID from which the service is accessible. Make sure to first configure VLANs and VLAN pages
WatchdogEnable or disable system Watchdog. It will reset the CPU of the device in case of a fault condition
Mikrotik Discovery ProtocolEnable or disable Mikrotik Neighbor Discovery protocol
Dark ModeDisable or enable all LEDs on the device
MAC AddressMAC address of the device (read-only)
Serial NumberSerial number of the device (read-only)
Board NameMikroTik model name of the device (read-only)
UptimeCurrent device uptime (read-only)
PoE Out ModeSpecifies PoE-Out state:
  • auto-on - the board will attempt to detect if power can be applied to the port. For power-on to happen there should be resistance on spare pairs in the range from 3kΩ to 26.5kΩ
  • forced-on - detection range is removed. As a result power over Ethernet will be always on
  • off - all detection and power is turned off for this port
PoE Out StatusShows current PoE-Out status on port (read-only)

Password and Backup

Link

...

Link Tab allows you to configure each interface settings and monitor the link status.

PropertyDescription
EnabledEnable or disable port
NameEditable port name
Link StatusCurrent link status (read-only)
Auto NegotiationEnable or disable auto-negotiation
SpeedShows the negotiated speed, or allows manually changing the speed setting of the port (requires auto-negotiation to be disabled)
Full DuplexShows the negotiated duplex, or allows manually changing the duplex mode of the port (requires auto-negotiation to be disabled)
Hops
Last Hop
Length
Fault At
Cable PairsShows four positions of the cable pairs with their status: O - open; S - short.


Info

The device supports Jumbo frames up to 10222 bytes. Manually decreasing the MTU settings is not supported for SwOS Lite devices. 

...

Forwarding Tab provides advanced forwarding options among device ports, port locking, bandwidth limit, and broadcast storm control features.

PropertyDescription
Port Lock
  • Port Lock - Enables or disables MAC address learning on this port. When the option is enabled, it will restrict MAC address learning and static MAC addresses should be configured. Any received frames with an unknown source MAC address will be dropped.
  • Lock On First - Allows to learn source MAC address from the first received frame, this property should be used together with Port Lock. Learning of the first MAC address will reset every time an interface status changes.
Uplink Port
  • Set As Uplink Port - Allows changing the uplink port between PoE-in (Port1), PoE-out (Port2), or SFP interfaces. Packets received on downstream ports are forwarded only to the uplink port, only a single interface can be used as an uplink.
Broadcast Storm Control
  • Storm Rate - Limit the number of broadcast packets transmitted by an interface. The rate is measured in bits per second (bps).
  • Limit Unknown Unicast - Include unicast packets without an entry in the host table in Storm Rate limitation.
Bandwidth Limit
  • Ingress Rate - Limit traffic entering this port (bps)
  • Egress Rate - Limit traffic leaving this port (bps)


Info

It is possible to limit ingress/egress traffic per port basis. The policer is used for ingress traffic, the shaper is used for egress traffic. The ingress policer controls the received traffic with packet drops. Everything that exceeds the defined limit will get dropped. This can affect the TCP congestion control mechanism on end hosts and achieved bandwidth can be actually less than defined. The egress shaper tries to queue packets that exceed the limit instead of dropping them. Eventually, it will also drop packets when the output queue gets full, however, it should allow utilizing the defined throughput better.

...

VLAN configuration for device ports.


PropertyDescription
VLAN Mode (disabled | optional | strict; Default: optional)VLAN filtering mode, these options are relevant to egress ports (except for strict mode).
  • disabled - VLAN table is not used. The device discards packets with a VLAN tag on egress ports. If the packet has a VLAN tag and the VLAN ID matches Default VLAN ID on egress ports, then with VLAN Receive=any the device will remove the VLAN tag and forward the packet.
  • optional - Disabled VLAN filtering. Handle packets with VLAN tag ID that is not present in the VLAN table just like packets without VLAN tag.
  • strict - Enabled VLAN filtering with additional ingress filtering, which checks if the ingress port is a member of the received VLAN ID in the VLAN table. Received packets on the ingress port with a VLAN ID that does not match with the VLAN table will be dropped. Default VLAN ID must be specified for access ports since it will be used to tag ingress traffic and untag egress traffic for a certain port.
VLAN Receive (any | only tagged | only untagged; Default: optional)Received traffic filtering based on VLAN tag presence.
  • any - allows tagged and untagged packets on a certain port
  • only tagged - allows only packets with a VLAN tag. The "Default VLAN ID" will not work, because it only applies for untagged traffic
  • only untagged - Allows only packets without a VLAN tag
Default VLAN ID (integer: 1..4095; Default: 1)The device will place received untagged packets in the "Default VLAN ID" VLAN. Only has an effect on untagged traffic, and when VLAN Receive is set to "any" or "only untagged". It does not apply for tagged traffic. This parameter is usually used to allocate access ports with specific VLAN. It is also used to untag egress traffic if the packet's VLAN ID matches Default VLAN ID.
Force VLAN ID (integer: yes | no; Default: no)Assigns the Default VLAN ID value to all ingress traffic (tagged and untagged). Has effect in all VLAN Modes. If the port receives tagged traffic and Default VLAN ID is set to 1, then with this parameter the egress traffic will be untagged.


VLAN membership configuration for device ports.

PropertyDescription
VLAN ID (integer: 1..4094; Default: 0)VLAN ID to which assign ports.
Members (ports; Default: none)Group of ports, which are allowed to forward traffic on the defined VLAN.

VLAN Configuration Example

...

Note

Changing management VLAN can completely disable access to the device management if VLAN settings are not correctly configured. Save a configuration backup before changing this setting and use Reset in case management access is lost.

...

Static entries will take over dynamic if dynamic entry with the same mac-address already exists. Also by adding a static entry you get access to more functionality.

PropertyDescription
PortsPorts the packet should be forwarded to
MACMAC address
Port (read-only)Ports the packet should be forwarded to
MAC(read-only)Learned MAC address

SNMP

...

SwOS supports SNMP v1 and uses IF-MIB, SNMPv2-MIB, BRIDGE-MIB and MIKROTIK-MIB (only for health, PoE-out and SFP diagnostics).

...

  • System information
  • System uptime
  • Port status
  • Interface statistics
  • Host table information


PropertyDescription
EnabledEnable or disable SNMP service
CommunitySNMP community name
Contact InfoContact information for the NMS
LocationLocation information for the NMS

ACL

...

An access control list (ACL) rule table is a very powerful tool allowing wire-speed packet filtering, forwarding, and VLAN tagging based on L2,L3, and L4 protocol header field conditions. Each rule contains a conditions part and an action part.

...

Conditions part parameters

PropertyDescription
FromA port that packet came in from
MAC SrcSource MAC address and mask
MAC DstDestination MAC address and mask
EthertypeProtocol encapsulated in the payload of an Ethernet Frame
VLAN

VLAN header presence:

  • any
  • present
  • not present
VLAN IDVLAN tag ID
PriorityPriority in VLAN tag
IP Src (IP/netmask:port)Source IPv4 address, netmask, and L4 port number
IP Dst (IP/netmask:port)Destination IPv4 address, netmask, and L4 port number
Protocol (integer)IP protocol
DSCPIP DSCP field

Action part parameters

PropertyDescription
DropDrop packet
Set VLAN IDChanges the VLAN tag ID, if the VLAN tag is present
PriorityChanges the VLAN tag priority bits, if the VLAN tag is present

Reset and Reinstall

...

The GPEN21 has built-in backup SwOS firmware which can be loaded in case standard firmware breaks or an upgrade fails:

...