...

Note

This article applies to CRS3xx series switches and not to CRS1xx/CRS2xx series switches.

Features

Features | Description
Forwarding
  • Configurable ports for switching or routing
  • Full non-blocking wire-speed switching
  • Large Unicast FDB for Layer 2 unicast forwarding
  • Forwarding Database works based on IVL
  • Jumbo frame support
  • IGMP Snooping support
Mirroring
  • Various types of mirroring:
    • Port based mirroring
    • VLAN based mirroring
    • MAC based mirroring
VLAN
  • Fully compatible with IEEE802.1Q and IEEE802.1ad VLAN
  • 4k active VLANs
  • Flexible VLAN assignment:
    • Port based VLAN
    • Protocol based VLAN
    • MAC based VLAN
  • VLAN filtering
  • From any to any VLAN translation
Bonding
  • Supports 802.3ad (LACP) and balance-xor modes
  • Up to 8 member ports per bonding interface
  • Up to 30 bonding interfaces
  • Hardware automatic failover and load balancing
Traffic Shaping
  • Ingress traffic limiting
    • Port based
    • MAC based
    • IP based
    • VLAN based
    • Protocol based
    • DSCP based
  • Port based egress traffic limiting
Port isolation
  • Applicable for Private VLAN implementation
Access Control List
  • Ingress ACL tables
  • Classification based on ports, L2, L3, L4 protocol header fields
  • ACL actions include filtering, forwarding and modifying of the protocol header fields

Models

This table clarifies the main differences between Cloud Router Switch models.

Model | Switch Chip | CPU | Cores | Wireless | SFP+ port | ACL rules | Unicast FDB entries | Jumbo Frame (Bytes)
netPower 15FR (CRS318-1Fi-15Fr-2S) | Marvell-98DX224S | 800MHz | 1 | - | - | 128 | 16,000 | 10218
netPower 16P (CRS318-16P-2S+) | Marvell-98DX226S | 800MHz | 1 | - | + | 128 | 16,000 | 10218
CRS326-24G-2S+ (RM/IN) | Marvell-98DX3236 | 800MHz | 1 | - | + | 128 | 16,000 | 10218
CRS328-24P-4S+ | Marvell-98DX3236 | 800MHz | 1 | - | + | 128 | 16,000 | 10218
CRS328-4C-20S-4S+ | Marvell-98DX3236 | 800MHz | 1 | - | + | 128 | 16,000 | 10218
CRS305-1G-4S+ | Marvell-98DX3236 | 800MHz | 1 | - | + | 128 | 16,000 | 10218
CRS309-1G-8S+ | Marvell-98DX8208 | 800MHz | 2 | - | + | 680 | 32,000 | 10218
CRS317-1G-16S+ | Marvell-98DX8216 | 800MHz | 2 | - | + | 680 | 128,000 | 10218
CRS312-4C+8XG | Marvell-98DX8212 | 650MHz | 1 | - | + | 341 | 32,000 | 10218
CRS326-24S+2Q+ | Marvell-98DX8332 | 650MHz | 1 | - | + | 170 | 32,000 | 10218
CRS354-48G-4S+2Q+ | Marvell-98DX3257 | 650MHz | 1 | - | + | 170 | 32,000 | 10218
CRS354-48P-4S+2Q+ | Marvell-98DX3257 | 650MHz | 1 | - | + | 170 | 32,000 | 10218

Abbreviations

  • FDB - Forwarding Database
  • MDB - Multicast Database
  • SVL - Shared VLAN Learning
  • IVL - Independent VLAN Learning
  • PVID - Port VLAN ID
  • ACL - Access Control List
  • CVID - Customer VLAN ID
  • SVID - Service VLAN ID

...

Sub-menu: /interface bridge

Property - Description
vlan-filtering (yes | no; Default: no) - Globally enables or disables VLAN functionality for the bridge.
pvid (1..4094; Default: 1) - Port VLAN ID (pvid) specifies which VLAN the untagged ingress traffic is assigned to. It applies e.g. to frames sent from bridge IP and destined to a bridge port.

Sub-menu: /interface bridge port

Property - Description
frame-types (admit-all | admit-only-untagged-and-priority-tagged | admit-only-vlan-tagged; Default: admit-all) - Specifies allowed ingress frame types on a bridge port. It only has an effect when vlan-filtering is enabled.
ingress-filtering (yes | no; Default: no) - Enables or disables ingress filtering, which checks if an entry exists for the ingress port and the VLAN ID in the bridge VLAN table. Should be used with frame-types to specify if the ingress traffic should be tagged or untagged. This property only has an effect when vlan-filtering is set to yes.
pvid (1..4094; Default: 1) - Port VLAN ID (pvid) specifies which VLAN the untagged ingress traffic is assigned to.

VLAN Table

Bridge VLAN table represents per-VLAN port mapping with an egress VLAN tag action. tagged ports send out frames with a specified VLAN ID tag. untagged ports remove the VLAN tag before sending out frames.

Sub-menu: /interface bridge vlan

Property - Description
bridge (name) - The bridge interface which the respective VLAN entry is intended for.
disabled (yes | no; Default: no) - Enables or disables Bridge VLAN entry.
tagged (interfaces; Default: none) - Interface list with a VLAN tag adding action in egress. This setting accepts comma-separated values, e.g. tagged=ether1,ether2.
untagged (interfaces; Default: none) - Interface list with a VLAN tag removing action in egress. This setting accepts comma-separated values, e.g. untagged=ether3,ether4.
vlan-ids (1..4094) - The list of VLAN IDs for certain port configuration. This setting accepts a VLAN ID range as well as comma-separated values, e.g. vlan-ids=100-115,120,122,128-130.
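
How the bridge, bridge port and bridge VLAN properties above combine into a trunk plus two access ports that reject frames outside their assigned VLANs. This is an added example, not configuration from the original page; the interface names, VLAN IDs 10, 20 and 99, and the 192.168.99.2/24 management address are assumptions.

```routeros
# Constructed example: ether1 = trunk, ether2/ether3 = access ports.
# Create the bridge with filtering still off, so the current session is
# not cut while the VLAN table is incomplete.
/interface bridge
add name=bridge1 vlan-filtering=no

/interface bridge port
# Trunk: accept only tagged frames, and only for VLANs that have an
# entry for this port in the bridge VLAN table (ingress-filtering).
add bridge=bridge1 interface=ether1 frame-types=admit-only-vlan-tagged ingress-filtering=yes
# Access ports: accept only untagged frames and classify them by pvid.
# A host that sends tagged frames on these ports has them dropped.
add bridge=bridge1 interface=ether2 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether3 pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

/interface bridge vlan
# Egress action per VLAN: tag on the trunk, strip the tag on the access port.
add bridge=bridge1 vlan-ids=10 tagged=ether1 untagged=ether2
add bridge=bridge1 vlan-ids=20 tagged=ether1 untagged=ether3
# Management VLAN: the bridge itself is a tagged member, so the CPU is
# reachable on VLAN 99 through the trunk only, never from an access port.
add bridge=bridge1 vlan-ids=99 tagged=bridge1,ether1

/interface vlan
add name=mgmt interface=bridge1 vlan-id=99
/ip address
add address=192.168.99.2/24 interface=mgmt

# Enable filtering last; frame-types and ingress-filtering have no
# effect until this is set to yes.
/interface bridge
set bridge1 vlan-filtering=yes
```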

VLAN setup examples

Below are some of the most common ways to utilize VLAN forwarding on the CRS3xx series switches.

...

Currently supported and unsupported feature list:

Feature | Status | Description
IPv4 Unicast | HW | Depending on the complexity of routes in the routing table, the maximum HW-accelerated route count can range from 150-250k. When the hardware route limit is reached, other routes fall back to the CPU.
IPv6 Unicast | CPU |
IPv4 Multicast | CPU |
IPv6 Multicast | CPU |
ECMP | HW | Max 4000 nexthops
"blackhole" routes | HW | This feature makes it possible to drop DoS/DDoS attacks at wire speed
"prohibit" routes | CPU |
"unreachable" routes | CPU |
gateway=<interface_name> | HW/CPU | This works only for directly connected networks. Since HW does not know how to send ARP requests, the CPU sends an ARP request and waits for a reply to find out the DST MAC address on the first received packet of the connection that matches a DST IP address. After the DST MAC is determined, a HW entry is added and all further packets are processed by the switch chip.
Bridge | HW | Routing from/to bridge interface
VLAN | HW | Routing between VLAN interfaces
Policy Routing (PBR) | N/A |
Firewall | N/A |
NAT | N/A |
QoS | N/A |

Where:

  • CPU - feature is supported but processed by CPU
  • HW - feature is supported and offloaded in hardware
  • N/A - feature is not available, meaning that L3 Hardware offloading MUST be disabled for these features to work

...

Sub-menu: /interface ethernet switch port

Property - Description
limit-broadcasts (yes | no; Default: yes) - Limit broadcast traffic on a switch port.
limit-unknown-multicasts (yes | no; Default: no) - Limit unknown multicast traffic on a switch port.
limit-unknown-unicasts (yes | no; Default: no) - Limit unknown unicast traffic on a switch port.
storm-rate (integer 0..100; Default: 100) - The limit for broadcast, unknown multicast and/or unknown unicast traffic, as a percentage of the link speed.


Warning

Devices with the Marvell-98DX3236 switch chip cannot distinguish unknown multicast traffic from all multicast traffic. For example, CRS326-24G-2S+ will limit all multicast traffic when limit-unknown-multicasts and storm-rate are used. On other devices, for example CRS317-1G-16S+, the limit-unknown-multicasts parameter will limit only unknown multicast traffic (addresses that are not present in /interface bridge mdb).

...

Sub-menu: /interface ethernet switch rule

Property - Description
copy-to-cpu (no | yes; Default: no) - Clones the matching packet and sends it to the CPU.
disabled (yes | no; Default: no) - Enables or disables ACL entry.
dscp (0..63) - Matching DSCP field of the packet.
dst-address (IP address/Mask) - Matching destination IP address and mask.
dst-address6 (IPv6 address/Mask) - Matching destination IPv6 address and mask.
dst-mac-address (MAC address/Mask) - Matching destination MAC address and mask.
dst-port (0..65535) - Matching destination protocol port number.
flow-label (0..1048575) - Matching IPv6 flow label.
mac-protocol (802.2 | arp | homeplug-av | ip | ipv6 | ipx | lldp | loop-protect | mpls-multicast | mpls-unicast | packing-compr | packing-simple | pppoe | pppoe-discovery | rarp | service-vlan | vlan | or 0..65535 | or 0x0000-0xffff) - Matching particular MAC protocol specified by protocol name or number.
mirror (no | yes) - Clones the matching packet and sends it to the mirror-target port.
new-dst-ports (ports) - Changes the destination port as specified. An empty setting will drop the packet. A specified port will redirect the packet to it. When the parameter is not used, the packet will be accepted. Multiple "new-dst-ports" are not supported on the CRS3xx series switches.
new-vlan-id (0..4095) - Changes the VLAN ID to the specified value. Requires vlan-filtering=yes.
new-vlan-priority (0..7) - Changes the VLAN priority tag. Requires vlan-filtering=yes.
ports (ports) - Matching ports on which the rule applies to received traffic.
protocol (dccp | ddp | egp | encap | etherip | ggp | gre | hmp | icmp | icmpv6 | idpr-cmtp | igmp | ipencap | ipip | ipsec-ah | ipsec-esp | ipv6 | ipv6-frag | ipv6-nonxt | ipv6-opts | ipv6-route | iso-tp4 | l2tp | ospf | pim | pup | rdp | rspf | rsvp | sctp | st | tcp | udp | udp-lite | vmtp | vrrp | xns-idp | xtp | or 0..255) - Matching particular IP protocol specified by protocol name or number.
rate (0..4294967295) - Sets ingress traffic limitation (bits per second) for matched traffic.
redirect-to-cpu (no | yes) - Changes the destination port of a matching packet to the CPU.
src-address (IP address/Mask) - Matching source IP address and mask.
src-address6 (IPv6 address/Mask) - Matching source IPv6 address and mask.
src-mac-address (MAC address/Mask) - Matching source MAC address and mask.
src-port (0..65535) - Matching source protocol port number.
switch (switch group) - Matching switch group on which the rule applies.
traffic-class (0..255) - Matching IPv6 traffic class.
vlan-id (0..4095) - Matching VLAN ID. Requires vlan-filtering=yes.
vlan-header (not-present | present) - Matching VLAN header, whether the VLAN header is present or not. Requires vlan-filtering=yes.
vlan-priority (0..7) - Matching VLAN priority.

Action parameters:

  • copy-to-cpu
  • redirect-to-cpu
  • mirror
  • new-dst-ports (can be used to drop packets)
  • new-vlan-id
  • new-vlan-priority
  • rate
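
The storm-control properties of /interface ethernet switch port and the ACL match and action parameters listed above, combined to protect one host-facing port in hardware. This is an added example, not configuration from the original page; switch1, ether2, the 192.168.99.0/24 management subnet and all rates are assumptions.

```routeros
# Constructed example: ether2 is an untrusted host-facing port on switch1.

/interface ethernet switch port
# Cap flooded traffic entering ether2 at 1% of the link speed.
# limit-broadcasts is already yes by default; the two "unknown" limits
# are off by default and must be enabled explicitly.
# On Marvell-98DX3236 devices limit-unknown-multicasts limits ALL
# multicast on the port, not only groups missing from the bridge MDB.
set ether2 storm-rate=1 limit-broadcasts=yes limit-unknown-unicasts=yes limit-unknown-multicasts=yes

/interface ethernet switch rule
# Drop DHCP server replies (UDP source port 67) entering from the host
# port. An empty new-dst-ports value is the drop action.
add switch=switch1 ports=ether2 mac-protocol=ip protocol=udp src-port=67 new-dst-ports=""

# Drop anything from the host port addressed to the management subnet.
# Firewall is N/A while L3 hardware offloading is enabled, so this
# filter is expressed as a switch rule instead.
add switch=switch1 ports=ether2 mac-protocol=ip dst-address=192.168.99.0/24 new-dst-ports=""

# Police ICMP received on the port to 1 Mbit/s. rate is given in bits
# per second and applies to ingress traffic matched by the rule.
add switch=switch1 ports=ether2 mac-protocol=ip protocol=icmp rate=1000000
```

Each rule consumes one entry of the per-model ACL rule budget listed in the Models table.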

...

Note

The upgrade command will automatically install the latest available SwOS version. Make sure that your device has access to the Internet so that the upgrade process can work properly.


Property - Description
address-acquisition-mode (dhcp-only | dhcp-with-fallback | static; Default: dhcp-with-fallback) - Changes the address acquisition method:
  • dhcp-only - uses only a DHCP client to acquire an address
  • dhcp-with-fallback - for the first 10 seconds, tries to acquire an address using a DHCP client. If the request is unsuccessful, the address falls back to static as defined by the static-ip-address property
  • static - the address is set as defined by the static-ip-address property
allow-from (IP/Mask; Default: 0.0.0.0/0) - IP address or network from which the switch is accessible. By default, the switch is accessible from any IP address.
allow-from-ports (name; Default: ) - List of switch ports from which the device is accessible. By default, all ports are allowed to access the switch.
allow-from-vlan (integer: 0..4094; Default: 0) - VLAN ID from which the device is accessible. By default, all VLANs are allowed.
identity (name; Default: Mikrotik) - Name of the switch (used for the MikroTik Neighbor Discovery protocol).
static-ip-address (IP; Default: 192.168.88.1) - IP address of the switch when address-acquisition-mode is set to either dhcp-with-fallback or static. Setting a static IP address does not change the address acquisition process, which is DHCP with fallback by default. This means that the configured static IP address will become active only when there are no DHCP servers in the same broadcast domain.

See also

CRS Router

CRS3xx VLANs with Bonds

...