...
Note |
---|
This article applies to CRS3xx series switches and not to CRS1xx/CRS2xx series switches. |
Features
Features | Description |
---|---|
Forwarding |
|
Mirroring |
|
VLAN |
|
Bonding |
|
Traffic Shaping |
|
Port isolation |
|
Access Control List |
|
Models
This table clarifies the main differences between Cloud Router Switch models.
Model | Switch Chip | CPU | Cores | Wireless | SFP+ port | ACL rules | Unicast FDB entries | Jumbo Frame (Bytes) |
netPower 15FR (CRS318-1Fi-15Fr-2S) | Marvell-98DX224S | 800MHz | 1 | - | - | 128 | 16,000 | 10218 |
netPower 16P (CRS318-16P-2S+) | Marvell-98DX226S | 800MHz | 1 | - | + | 128 | 16,000 | 10218 |
CRS326-24G-2S+ (RM/IN) | Marvell-98DX3236 | 800MHz | 1 | - | + | 128 | 16,000 | 10218 |
CRS328-24P-4S+ | Marvell-98DX3236 | 800MHz | 1 | - | + | 128 | 16,000 | 10218 |
CRS328-4C-20S-4S+ | Marvell-98DX3236 | 800MHz | 1 | - | + | 128 | 16,000 | 10218 |
CRS305-1G-4S+ | Marvell-98DX3236 | 800MHz | 1 | - | + | 128 | 16,000 | 10218 |
CRS309-1G-8S+ | Marvell-98DX8208 | 800MHz | 2 | - | + | 680 | 32 000 | 10218 |
CRS317-1G-16S+ | Marvell-98DX8216 | 800MHz | 2 | - | + | 680 | 128,000 | 10218 |
CRS312-4C+8XG | Marvell-98DX8212 | 650MHz | 1 | - | + | 341 | 32,000 | 10218 |
CRS326-24S+2Q+ | Marvell-98DX8332 | 650MHz | 1 | - | + | 170 | 32,000 | 10218 |
CRS354-48G-4S+2Q+ | Marvell-98DX3257 | 650MHz | 1 | - | + | 170 | 32,000 | 10218 |
CRS354-48P-4S+2Q+ | Marvell-98DX3257 | 650MHz | 1 | - | + | 170 | 32,000 | 10218 |
Abbreviations
- FDB - Forwarding Database
- MDB - Multicast Database
- SVL - Shared VLAN Learning
- IVL - Independent VLAN Learning
- PVID - Port VLAN ID
- ACL - Access Control List
- CVID - Customer VLAN ID
- SVID - Service VLAN ID
...
Sub-menu: /interface bridge
Property | Description |
---|---|
vlan-filtering (yes | no; Default: no) | Globally enables or disables VLAN functionality for the bridge. |
pvid (1..4094; Default: 1) | Port VLAN ID (pvid ) specifies which VLAN the untagged ingress traffic is assigned to. It applies e.g. to frames sent from bridge IP and destined to a bridge port. |
Sub-menu: /interface bridge port
Property | Description |
---|---|
frame-types (admit-all | admit-only-untagged-and-priority-tagged | admit-only-vlan-tagged; Default: admit-all) | Specifies allowed ingress frame types on a bridge port. It only has an effect when vlan-filtering is enabled. |
ingress-filtering (yes | no; Default: no) | Enables or disables ingress filtering, which checks if an entry exists for the ingress port and the VLAN ID in the bridge VLAN table. Should be used with frame-types to specify if the ingress traffic should be tagged or untagged. This property only has an effect when vlan-filtering is set to yes . |
pvid (1..4094; Default: 1) | Port VLAN ID (pvid ) specifies which VLAN the untagged ingress traffic is assigned to. |
VLAN Table
Bridge VLAN table represents per-VLAN port mapping with an egress VLAN tag action. tagged
ports send out frames with a specified VLAN ID tag. untagged
ports remove the VLAN tag before sending out frames.
Sub-menu: /interface bridge vlan
Property | Description |
---|---|
bridge (name) | The bridge interface which the respective VLAN entry is intended for. |
disabled (yes | no; Default: no) | Enables or disables Bridge VLAN entry. |
tagged (interfaces; Default: none) | Interface list with a VLAN tag adding action in egress. This setting accepts comma-separated values. e.g. tagged=ether1,ether2 . |
untagged (interfaces; Default: none) | Interface list with a VLAN tag removing action in egress. This setting accepts comma-separated values. e.g. untagged=ether3,ether4 . |
vlan-ids (1..4094) | The list of VLAN IDs for certain port configuration. This setting accepts a VLAN ID range as well as comma-separated values. e.g. vlan-ids=100-115,120,122,128-130 . |
VLAN setup examples
Below are describes some of the most common ways on how to utilize VLAN forwarding on the CRS3xx series switches.
...
Currently supported and unsupported feature list:
Feature | Status | Description |
IPv4 Unicast | HW | Depending on the complexity of routes in routing table, max HW accelerated route count could be in range from 150-250k. When a hardware route limit is reached, other routes will fall back to CPU |
IPv6 Unicast | CPU | |
IPv4 Multicast | CPU | |
IPv6 Multicast | CPU | |
ECMP | HW | Max 4000 nexthops |
"blackhole" routes | HW | This feature enables the possibility to drop D/DOS attacks at wire speed |
"prohibit" routes | CPU | |
"unreachable" routes | CPU | |
gateway=<interface_name> | HW/CPU | This works only for directly connected networks. Since HW does not know how to send ARP requests, CPU sends ARP request and waits for a reply to find out a DST MAC address on the first received packet of the connection that matches a DST IP address. After DST MAC is determined, HW entry is added and all further packets will be processed by the switch chip. |
Bridge | HW | Routing from/to bridge interface |
VLAN | HW | Routing between VLAN interfaces |
Policy Routing (PBR) | N/A | |
Firewall | N/A | |
NAT | N/A | |
QoS | N/A |
Where:
- CPU - feature is supported but processed by CPU
- HW - feature is supported and offloaded in hardware
- N/A - feature is not available, meaning that L3 Hardware offloading MUST be disabled for these features to work
...
Sub-menu: /interface ethernet switch port
Property | Description |
---|---|
limit-broadcasts (yes | no; Default: yes) | Limit broadcast traffic on a switch port. |
limit-unknown-multicasts (yes | no; Default: no) | Limit unknown multicast traffic on a switch port. |
limit-unknown-unicasts (yes | no; Default: no) | Limit unknown unicast traffic on a switch port. |
storm-rate (integer 0..100; Default: 100) | Amount of broadcast, unknown multicast and/or unknown unicast traffic is limited to in percentage of the link speed. |
Warning |
---|
Devices with Marvell-98DX3236 switch chip cannot distinguish unknown multicast traffic from all multicast traffic. For example, CRS326-24G-2S+ will limit all multicast traffic when |
...
Sub-menu: /interface ethernet switch rule
Property | Description |
---|---|
copy-to-cpu (no | yes; Default: no) | Clones the matching packet and sends it to the CPU. |
disabled (yes | no; Default: no) | Enables or disables ACL entry. |
dscp (0..63) | Matching DSCP field of the packet. |
dst-address (IP address/Mask) | Matching destination IP address and mask. |
dst-address6 (IPv6 address/Mask) | Matching destination IPv6 address and mask. |
dst-mac-address (MAC address/Mask) | Matching destination MAC address and mask. |
dst-port (0..65535) | Matching destination protocol port number. |
flow-label (0..1048575) | Matching IPv6 flow label. |
mac-protocol (802.2 | arp | homeplug-av | ip | ipv6 | ipx | lldp | loop-protect | mpls-multicast | mpls-unicast | packing-compr | packing-simple | pppoe | pppoe-discovery | rarp | service-vlan | vlan | or 0..65535 | or 0x0000-0xffff) | Matching particular MAC protocol specified by protocol name or number |
mirror (no | yes) | Clones the matching packet and sends it to the mirror-target port. |
new-dst-ports (ports) | Changes the destination port as specified. An empty setting will drop the packet. A specified port will redirect the packet to it. When the parameter is not used, the packet will be accepted. Multiple "new-dst-ports" are not supported on the CRS3xx series switches. |
new-vlan-id (0..4095) | Changes the VLAN ID to the specified value. Requires vlan-filtering=yes . |
new-vlan-priority (0..7) | Changes the VLAN priority tag. Requires vlan-filtering=yes . |
ports (ports) | Matching ports on which will the rule apply on received traffic. |
protocol (dccp | ddp | egp | encap | etherip | ggp | gre | hmp | icmp | icmpv6 | idpr-cmtp | igmp | ipencap | ipip | ipsec-ah | ipsec-esp | ipv6 | ipv6-frag | ipv6-nonxt | ipv6-opts | ipv6-route | iso-tp4 | l2tp | ospf | pim | pup | rdp | rspf | rsvp | sctp | st | tcp | udp | udp-lite | vmtp | vrrp | xns-idp | xtp | or 0..255) | Matching particular IP protocol specified by protocol name or number. |
rate (0..4294967295) | Sets ingress traffic limitation (bits per second) for matched traffic. |
redirect-to-cpu (no | yes) | Changes the destination port of a matching packet to the CPU. |
src-address (IP address/Mask) | Matching source IP address and mask. |
src-address6 (IPv6 address/Mask) | Matching source IPv6 address and mask. |
src-mac-address (MAC address/Mask) | Matching source MAC address and mask. |
src-port (0..65535) | Matching source protocol port number. |
switch (switch group) | Matching switch group on which will the rule apply. |
traffic-class (0..255) | Matching IPv6 traffic class. |
vlan-id (0..4095) | Matching VLAN ID. Requires vlan-filtering=yes . |
vlan-header (not-present | present) | Matching VLAN header, whether the VLAN header is present or not. Requires vlan-filtering=yes . |
vlan-priority (0..7) | Matching VLAN priority. |
Action parameters:
- copy-to-cpu
- redirect-to-cpu
- mirror
- new-dst-ports (can be used to drop packets)
- new-vlan-id
- new-vlan-priority
- rate
...
Note |
---|
The upgrade command will automatically install the latest available SwOS version, make sure that your device has access to the Internet in order for the upgrade process to work properly. |
Property | Description |
---|---|
address-acquisition-mode (dhcp-only | dhcp-with-fallback | static; Default: dhcp-with-fallback) | Changes address acquisition method: dhcp-only - uses only a DHCP client to acquire address dhcp-with-fallback - for the first 10 seconds will try to acquire address using a DHCP client. If the request is unsuccessful, then address falls back to static as defined by static-ip-address property static - address is set as defined by static-ip-address property |
allow-from (IP/Mask; Default: 0.0.0.0/0) | IP address or a network from which the switch is accessible. By default, the switch is accessible by any IP address. |
allow-from-ports (name; Default: ) | List of switch ports from which the device is accessible. By default, all ports are allowed to access the switch |
allow-from-vlan (integer: 0..4094; Default: 0) | VLAN ID from which the device is accessible. By default, all VLANs are allowed |
identity (name; Default: Mikrotik) | Name of the switch (used for Mikrotik Neighbor Discovery protocol) |
static-ip-address (IP; Default: 192.168.88.1) | IP address of the switch in case address-acquisition-mode is either set to dhcp-with-fallback or static. By setting a static IP address, the address acquisition process does not change, which is DHCP with fallback by default. This means that the configured static IP address will become active only when there is going to be no DHCP servers in the same broadcast domain |
See also
...