...

The CRS3xx, CRS5xx series switches and CCR2116, CCR2216 routers have highly integrated switches with a high-performance CPU and feature-rich packet processors. These devices can be designed into various Ethernet applications, including unmanaged switch, Layer 2 managed switch, carrier switch, inter-VLAN router, and wired unified packet processor.

Note

This article applies to CRS3xx, CRS5xx series switches and CCR2116, CCR2216 routers, and not to CRS1xx/CRS2xx series switches.

...

Features and their description:

Forwarding
  • Configurable ports for switching or routing
  • Full non-blocking wire-speed switching
  • Large Unicast FDB for Layer 2 unicast forwarding
  • Forwarding Database works based on IVL
  • Jumbo frame support
  • IGMP Snooping support
  • DHCP Snooping with Option 82
Routing
  • Layer 3 Hardware Offloading:
    • IPv4, IPv6 Unicast Routing
    • Supported on Ethernet, Bridge, Bonding, and VLAN interfaces
    • ECMP
    • Blackholes
    • Offloaded Fasttrack connections (applies only to certain switch models)
    • Offloaded NAT for Fasttrack connections (applies only to certain switch models)
    • Multiple MTU profiles
Spanning Tree Protocol
  • STP
  • RSTP
  • MSTP
Mirroring
  • Various types of mirroring:
    • Port based mirroring
    • VLAN based mirroring
    • MAC based mirroring
VLAN
  • Fully compatible with IEEE802.1Q and IEEE802.1ad VLAN
  • 4k active VLANs
  • Flexible VLAN assignment:
    • Port based VLAN
    • Protocol based VLAN
    • MAC based VLAN
  • VLAN filtering
  • Ingress VLAN translation
Bonding
  • Supports 802.3ad (LACP) and balance-xor modes
  • Up to 8 member ports per bonding interface
  • Hardware automatic failover and load balancing
  • MLAG
Traffic Shaping
  • Ingress traffic limiting
    • Port based
    • MAC based
    • IP based
    • VLAN based
    • Protocol based
    • DSCP based
  • Port based egress traffic limiting
  • Traffic Storm Control
Port isolation
  • Applicable for Private VLAN implementation
Access Control List
  • Ingress ACL tables
  • Classification based on ports, L2, L3, L4 protocol header fields
  • ACL actions include filtering, forwarding, and modifying of the protocol header fields

...

  • FDB - Forwarding Database
  • MDB - Multicast Database
  • SVL - Shared VLAN Learning
  • IVL - Independent VLAN Learning
  • PVID - Port VLAN ID
  • ACL - Access Control List
  • CVID - Customer VLAN ID
  • SVID - Service VLAN ID

Port switching

...

To set up port switching, check the Bridge Hardware Offloading page.

...

Note

Bridge STP/RSTP/MSTP, IGMP Snooping, and VLAN filtering settings don't affect hardware offloading. Since RouterOS v6.42, bonding interfaces are also hardware offloaded.

VLAN

...

Bridge provides VLAN-aware Layer 2 forwarding and VLAN tag modifications within the bridge. This set of features makes bridge operation more like a traditional Ethernet switch and allows overcoming Spanning Tree compatibility issues compared to the configuration where tunnel-like VLAN interfaces are bridged. Bridge VLAN filtering configuration is highly recommended to comply with the STP (802.1D) and RSTP (802.1w) standards, and it is mandatory to enable MSTP (802.1s) support in RouterOS.

...

VLAN filtering is described in the Bridge VLAN Filtering section.

VLAN setup examples

Some of the most common ways to utilize VLAN forwarding:

Port-Based VLAN

The configuration is described in the Bridge VLAN Filtering section.

MAC Based VLAN

Note
  • The Switch Rule table is used for MAC-based VLAN functionality; see this table for how many rules each device supports.
  • MAC-based VLANs will only work properly between switch ports and not between switch ports and the CPU. When a packet is being forwarded to the CPU, the pvid property of the bridge port will always be used instead of new-vlan-id from ACL rules.
  • MAC-based VLANs will not work for DHCP packets when DHCP snooping is enabled.

...

/interface bridge vlan
add bridge=bridge1 tagged=ether2 untagged=ether7 vlan-ids=200,300,400

Add switch rules that assign the VLAN ID based on the MAC address:

/interface ethernet switch rule
add switch=switch1 ports=ether7 src-mac-address=A4:12:6D:77:94:43/FF:FF:FF:FF:FF:FF new-vlan-id=200
add switch=switch1 ports=ether7 src-mac-address=84:37:62:DF:04:20/FF:FF:FF:FF:FF:FF new-vlan-id=300
add switch=switch1 ports=ether7 src-mac-address=E7:16:34:A1:CD:18/FF:FF:FF:FF:FF:FF new-vlan-id=400

...

Note
  • The Switch Rule table is used for protocol-based VLAN functionality; see this table for how many rules each device supports.
  • Protocol-based VLANs will only work properly between switch ports and not between switch ports and the CPU. When a packet is being forwarded to the CPU, the pvid property of the bridge port will always be used instead of new-vlan-id from ACL rules.
  • Protocol-based VLANs will not work for DHCP packets when DHCP snooping is enabled.

...

/interface bridge vlan
add bridge=bridge1 tagged=ether2 untagged=ether6 vlan-ids=200
add bridge=bridge1 tagged=ether2 untagged=ether7 vlan-ids=300
add bridge=bridge1 tagged=ether2 untagged=ether8 vlan-ids=400

Add switch rules that assign the VLAN ID based on the MAC protocol:

/interface ethernet switch rule
add mac-protocol=ip new-vlan-id=200 ports=ether6 switch=switch1
add mac-protocol=ipx new-vlan-id=300 ports=ether7 switch=switch1
add mac-protocol=0x80F3 new-vlan-id=400 ports=ether8 switch=switch1

VLAN Tunneling (Q-in-Q)

It is possible to use a provider bridge (IEEE 802.1ad) and tag stacking, VLAN filtering, and hardware offloading at the same time. The configuration is described in the Bridge VLAN Tunneling (Q-in-Q) section.

...

CRS3xx, CRS5xx series switches and CCR2116, CCR2216 routers are capable of running STP, RSTP, and MSTP at the hardware level. For more detailed information, check the Spanning Tree Protocol manual page.

...

CRS3xx, CRS5xx series switches and CCR2116, CCR2216 routers support hardware offloading with bonding interfaces. Only the 802.3ad and balance-xor bonding modes are hardware offloaded; other bonding modes will use the CPU's resources. You can find more information about bonding interfaces in the Bonding Interface section. If 802.3ad mode is used, then LACP (Link Aggregation Control Protocol) is supported.

...

Note

Do not add interfaces to a bridge that are already in a bond; RouterOS will not allow you to add an interface to a bridge that is already a slave port of a bonding.

...

The MLAG (Multi-chassis Link Aggregation Group) implementation in RouterOS allows configuring LACP bonds on two separate devices, while the client device believes it is connected to the same machine. This provides physical redundancy in case of a switch failure. All CRS3xx, CRS5xx series, and CCR2116, CCR2216 devices can be configured with MLAG. Read here for more information.

...

Layer 3 hardware offloading (also known as IP switching or HW routing) allows offloading some of the router features onto the switch chip. This allows reaching wire speed when routing packets, which simply would not be possible with the CPU.

The offloaded feature set depends on the chipset used. Read here for more info.

Port isolation

...

Since RouterOS v6.43 it is possible to create a Private VLAN setup; an example can be found in the Switch chip port isolation manual page. Hardware-offloaded bonding interfaces are not included in the switch port-isolation menu, but it is still possible to configure port isolation individually on each secondary interface of the bonding.

Note

Port isolation can be used with a VLAN-filtering bridge, and it is possible to isolate ports that are members of the same VLAN. The isolation works per port; it is not possible to isolate ports per VLAN.

IGMP/MLD Snooping

...

CRS3xx, CRS5xx series switches and CCR2116, CCR2216 routers can use IGMP/MLD snooping at the hardware level. For more detailed information, check the IGMP/MLD snooping manual page.

...

CRS3xx, CRS5xx series switches and CCR2116, CCR2216 routers can use DHCP Snooping with Option 82 at the hardware level. The switch will create a dynamic ACL rule to capture the DHCP packets and redirect them to the main CPU for further processing. For more detailed information, visit the DHCP Snooping and DHCP Option 82 manual page.

...

Controller Bridge (CB) and Port Extender (PE) is an IEEE 802.1BR standard implementation in RouterOS. It allows virtually extending the CB ports with a PE device and managing these extended interfaces from a single controlling device. Such a configuration provides a simplified network topology, flexibility, increased port density, and ease of manageability. See more details in the Controller Bridge and Port Extender manual.

...

Mirroring lets the switch sniff all traffic that is going into a switch chip and send a copy of those packets out to another port (mirror-target). This feature can be used to easily set up a tap device that allows you to inspect the traffic on your network with a traffic analyzer device. It is possible to set up simple port-based mirroring, but it is also possible to set up more complex mirroring based on various parameters. Note that the mirror-target port has to belong to the same switch (see which port belongs to which switch in the /interface ethernet menu). Also, mirror-target can have the special 'cpu' value, which means that sniffed packets will be sent out of the switch chip's CPU port. There are many ways to mirror certain traffic; below you can find the most common mirroring examples:

...

It is possible to limit ingress traffic that matches certain parameters with ACL rules, and it is possible to limit ingress/egress traffic on a per-port basis. The policer is used for ingress traffic; the shaper is used for egress traffic. The ingress policer controls the received traffic with packet drops: everything that exceeds the defined limit is dropped. This can affect the TCP congestion control mechanism on end hosts, and the achieved bandwidth can actually be less than defined. The egress shaper tries to queue packets that exceed the limit instead of dropping them. Eventually it will also drop packets when the output queue gets full; however, it should allow utilizing the defined throughput better.

...

Note

The Switch Rule table is used for QoS functionality; see this table for how many rules each device supports.

...

Since RouterOS v6.42 it is possible to enable traffic storm control. A traffic storm can emerge when certain frames are continuously flooded on the network. For example, if a network loop has been created and no loop avoidance mechanism is used (e.g. Spanning Tree Protocol), broadcast or multicast frames can quickly overwhelm the network, causing degraded network performance or even a complete network breakdown. With CRS3xx, CRS5xx series switches and CCR2116, CCR2216 routers it is possible to limit broadcast, unknown multicast, and unknown unicast traffic. Traffic is considered unknown unicast when the switch does not contain a host entry for the destination MAC address. Traffic is considered unknown multicast when the switch does not contain a multicast group entry in the /interface bridge mdb menu. Storm control settings should be applied to ingress ports; the egress traffic will be limited.

Note

The storm control parameter is specified in percentage (%) of the link speed. If your link speed is 1Gbps, then specifying storm-rate as 10 will allow only 100Mbps of broadcast, unknown multicast, and/or unknown unicast traffic to be forwarded.

...

Property - Description
limit-broadcasts (yes | no; Default: yes) - Limit broadcast traffic on a switch port.
limit-unknown-multicasts (yes | no; Default: no) - Limit unknown multicast traffic on a switch port.
limit-unknown-unicasts (yes | no; Default: no) - Limit unknown unicast traffic on a switch port.
storm-rate (integer 0..100; Default: 100) - The amount of broadcast, unknown multicast, and/or unknown unicast traffic that is allowed, as a percentage of the link speed.

...

/interface ethernet switch port
set ether1 storm-rate=1 limit-broadcasts=yes limit-unknown-unicasts=yes

MPLS hardware offloading

...

It is possible to offload certain MPLS functions to the switch chip; the switch must be a (P)rovider router in a PE-P-PE setup in order to achieve hardware offloading. A setup example can be found in the Basic MPLS setup example manual page. The hardware offloading will only take place when LDP interfaces are configured on physical switch interfaces (e.g. Ethernet, SFP, SFP+).

Note

Currently only CRS317-1G-16S+ and CRS309-1G-8S+ using RouterOS v6.41 and newer are capable of hardware offloading certain MPLS functions. The built-in switch chip of CRS317-1G-16S+ and CRS309-1G-8S+ is not capable of popping MPLS labels from packets; in a PE-P-PE setup you either have to use explicit null or disable TTL propagation in the MPLS network to achieve hardware offloading.

...

The Access Control List contains an ingress policy engine. See this table for how many rules each device supports. It is an advanced tool for wire-speed packet filtering, forwarding, and modification based on Layer 2, Layer 3, and Layer 4 protocol header field conditions.

Note

ACL rules are checked for each received packet until a match has been found. If there are multiple rules that can match, then only the first rule will be triggered. A rule without any action parameters is a rule to accept the packet.

...

Property - Description
copy-to-cpu (no | yes; Default: no) - Clones the matching packet and sends it to the CPU.
disabled (yes | no; Default: no) - Enables or disables the ACL entry.
dscp (0..63) - Matches the DSCP field of the packet (only applies to IPv4 packets).
dst-address (IP address/Mask) - Matches the destination IPv4 address and mask; also matches the destination IP in ARP packets.
dst-address6 (IPv6 address/Mask) - Matches the destination IPv6 address and mask.
dst-mac-address (MAC address/Mask) - Matches the destination MAC address and mask.
dst-port (0..65535) - Matches the destination protocol port number (applies to IPv4 and IPv6 packets if mac-protocol is not specified).
flow-label (0..1048575) - Matches the IPv6 flow label.
mac-protocol (802.2 | arp | homeplug-av | ip | ipv6 | ipx | lldp | loop-protect | mpls-multicast | mpls-unicast | packing-compr | packing-simple | pppoe | pppoe-discovery | rarp | service-vlan | vlan | 0..65535 | 0x0000-0xffff) - Matches a particular MAC protocol specified by protocol name or number.
mirror (no | yes) - Clones the matching packet and sends it to the mirror-target port.
new-dst-ports (ports) - Changes the destination port as specified. An empty setting will drop the packet. A specified port will redirect the packet to it. When the parameter is not used, the packet will be accepted. Multiple "new-dst-ports" are not supported.
new-vlan-id (0..4095) - Changes the VLAN ID to the specified value. Requires vlan-filtering=yes.
new-vlan-priority (0..7) - Changes the VLAN priority (priority code point). Requires vlan-filtering=yes.
ports (ports) - Ports on which the rule applies to received traffic.
protocol (dccp | ddp | egp | encap | etherip | ggp | gre | hmp | icmp | icmpv6 | idpr-cmtp | igmp | ipencap | ipip | ipsec-ah | ipsec-esp | ipv6 | ipv6-frag | ipv6-nonxt | ipv6-opts | ipv6-route | iso-tp4 | l2tp | ospf | pim | pup | rdp | rspf | rsvp | sctp | st | tcp | udp | udp-lite | vmtp | vrrp | xns-idp | xtp | 0..255) - Matches a particular IP protocol specified by protocol name or number. This only applies to IPv4 packets if mac-protocol is not specified. To match certain IPv6 protocols, use the mac-protocol=ipv6 setting.
rate (0..4294967295) - Sets the ingress traffic limitation (bits per second) for matched traffic.
redirect-to-cpu (no | yes) - Changes the destination port of a matching packet to the CPU.
src-address (IP address/Mask) - Matches the source IPv4 address and mask; also matches the source IP in ARP packets.
src-address6 (IPv6 address/Mask) - Matches the source IPv6 address and mask.
src-mac-address (MAC address/Mask) - Matches the source MAC address and mask.
src-port (0..65535) - Matches the source protocol port number (applies to IPv4 and IPv6 packets if mac-protocol is not specified).
switch (switch group) - Switch group on which the rule applies.
traffic-class (0..255) - Matches the IPv6 traffic class.
vlan-id (0..4095) - Matches the VLAN ID. Requires vlan-filtering=yes.
vlan-header (not-present | present) - Matches whether a VLAN header is present or not. Requires vlan-filtering=yes.
vlan-priority (0..7) - Matches the VLAN priority (priority code point).
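As an added example that is not part of the original page, the rule set below combines the mirroring described above with the ACL properties in this table into one ingress policy for a group of access ports; switch1, the port names, the host MAC address and 192.168.88.1 as the router's own LAN address are all assumed values.

```ros
# Added example, not from the original page. switch1, ether3..ether5 (access
# ports), ether10 (analyzer port), 192.168.88.1 (router's LAN address) and the
# host MAC are assumed values.
# Rules are evaluated top down and only the first matching rule triggers, so
# the most specific rules are listed first.

# Port that receives mirrored copies; it must belong to the same switch chip
# as the ports the rules match on (see /interface ethernet).
/interface ethernet switch
set switch1 mirror-target=ether10

/interface ethernet switch rule
# 1. Access ports may not originate IPv4 or ARP that claims the router's own
#    address. src-address also matches the sender IP inside ARP, so this covers
#    gateway ARP spoofing as well; an empty new-dst-ports drops the frame.
add switch=switch1 ports=ether3,ether4,ether5 src-address=192.168.88.1/32 new-dst-ports=""

# 2. A DHCP server answer (UDP 67 -> 68) arriving on an access port is a
#    rogue-server indicator: keep forwarding it, but clone it to the CPU
#    (copy-to-cpu, not redirect-to-cpu) so the router can see and log it.
add switch=switch1 ports=ether3,ether4,ether5 mac-protocol=ip protocol=udp src-port=67 dst-port=68 copy-to-cpu=yes

# 3. MAC-based mirroring: copy everything one host under investigation sends
#    on ether4 to the analyzer port. mirror=yes is the only action, so the
#    original frame is still accepted. Frames from this host that already hit
#    rule 1 or 2 are not mirrored (first match wins); move this rule to the
#    top if those must reach the analyzer too.
add switch=switch1 ports=ether4 src-mac-address=00:0C:42:00:00:01/FF:FF:FF:FF:FF:FF mirror=yes

# 4. Police the remaining ARP from access ports to 1 Mbit/s (rate is in
#    bits per second). Spoofed gateway ARP never reaches this rule because
#    rule 1 has already matched and dropped it.
add switch=switch1 ports=ether3,ether4,ether5 mac-protocol=arp rate=1000000
```

Because the table is ordered and first-match, adding a broad accept rule (one with no action parameters) above rule 1 would silently disable the spoofing drop, so check rule order with print after every change.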

...

Switch all required ports together, disable MAC learning, and disable unknown unicast flooding on ether1:

...

Warning

Broadcast traffic will still be sent out from ether1. To limit broadcast traffic flooding on a bridge port, you can toggle it with the broadcast-flood parameter. Note that some protocols, such as streaming protocols and DHCP, depend on broadcast traffic.

Dual Boot

...

The "dual boot" feature allows you to choose which operating system you prefer to use on CRS3xx series switches, RouterOS or SwOS. The device operating system can be changed using:

...

Configuring SwOS using RouterOS

...

It is possible to load, save, and reset the SwOS configuration, as well as upgrade SwOS and set an IP address for CRS3xx series switches, by using RouterOS.

...

Note

The upgrade command will automatically install the latest available SwOS backup version; make sure that your device has access to the Internet in order for the upgrade process to work properly. When the device is booted into SwOS, the version number will include the letter "p", indicating a backup version. You can then install the latest available SwOS main version from the SwOS "Upgrade" menu.

...

Property - Description
address-acquisition-mode (dhcp-only | dhcp-with-fallback | static; Default: dhcp-with-fallback) - Changes the address acquisition method:
  • dhcp-only - uses only a DHCP client to acquire the address
  • dhcp-with-fallback - for the first 10 seconds tries to acquire an address using a DHCP client. If the request is unsuccessful, then the address falls back to static as defined by the static-ip-address property
  • static - the address is set as defined by the static-ip-address property
allow-from (IP/Mask; Default: 0.0.0.0/0) - IP address or network from which the switch is accessible. By default, the switch is accessible from any IP address.
allow-from-ports (name; Default: ) - List of switch ports from which the device is accessible. By default, all ports are allowed to access the switch.
allow-from-vlan (integer: 0..4094; Default: 0) - VLAN ID from which the device is accessible. By default, all VLANs are allowed.
identity (name; Default: Mikrotik) - Name of the switch (used for the Mikrotik Neighbor Discovery protocol).
static-ip-address (IP; Default: 192.168.88.1) - The IP address of the switch when address-acquisition-mode is set to either dhcp-with-fallback or static. Setting a static IP address does not change the address acquisition process, which is DHCP with fallback by default. This means that the configured static IP address becomes active only when there is no DHCP server in the same broadcast domain.

...