Table of Contents
Summary
...
The CRS3xx and CRS5xx series switches, as well as the CCR2116 and CCR2216 routers, feature highly integrated switches with high-performance CPUs and feature-rich packet processors. These devices can be used for various Ethernet applications, including unmanaged switches, Layer 2 managed switches, carrier switches, inter-VLAN routers, and wired unified packet processors.
Note |
---|
This article applies to CRS3xx, CRS5xx series switches, and CCR2116, CCR2216 routers, and not to CRS1xx/CRS2xx series switches. |
...
Features:
- Forwarding
- Routing
- Spanning Tree Protocol
- Mirroring
- VLAN
- Bonding
- Traffic Shaping
- Port isolation
- Access Control List
...
Model | Switch Chip | CPU | Cores | 10G SFP+ | 2.5G Ethernet | 10G Ethernet | 25G SFP28 | 40G QSFP+ | 100G QSFP28 | ACL rules | Unicast FDB entries | Jumbo Frame (Bytes) |
---|---|---|---|---|---|---|---|---|---|---|---|---|
netPower 15FR (CRS318-1Fi-15Fr-2S) | Marvell-98DX224S | 800MHz | 1 | - | - | - | - | - | - | 128 | 16,000 | 10218 |
netPower 16P (CRS318-16P-2S+) | Marvell-98DX226S | 800MHz | 1 | 2 | - | - | - | - | - | 128 | 16,000 | 10218 |
CRS310-1G-5S-4S+ (netFiber 9/IN) | Marvell-98DX226S | 800MHz | 1 | 4 | - | - | - | - | - | 128 | 16,000 | 10218 |
CRS310-8G+2S+ | Marvell-98DX226S | 800MHz | 2 | 2 | 8 | - | - | - | - | 128 | 16,000 | 10218 |
CRS326-24G-2S+ (RM/IN) | Marvell-98DX3236 | 800MHz | 1 | 2 | - | - | - | - | - | 128 | 16,000 | 10218 |
CRS328-24P-4S+ | Marvell-98DX3236 | 800MHz | 1 | 4 | - | - | - | - | - | 128 | 16,000 | 10218 |
CRS328-4C-20S-4S+ | Marvell-98DX3236 | 800MHz | 1 | 4 | - | - | - | - | - | 128 | 16,000 | 10218 |
CRS305-1G-4S+ | Marvell-98DX3236 | 800MHz | 1 | 4 | - | - | - | - | - | 128 | 16,000 | 10218 |
CRS309-1G-8S+ | Marvell-98DX8208 | 800MHz | 2 | 8 | - | - | - | - | - | 1024 | 32,000 | 10218 |
CRS317-1G-16S+ | Marvell-98DX8216 | 800MHz | 2 | 16 | - | - | - | - | - | 1024 | 128,000 | 10218 |
CRS312-4C+8XG | Marvell-98DX8212 | 650MHz | 1 | 4 (combo ports) | - | 8 + 4 (combo ports) | - | - | - | 512 | 32,000 | 10218 |
CRS326-24S+2Q+ | Marvell-98DX8332 | 650MHz | 1 | 24 | - | - | - | 2 | - | 256 | 32,000 | 10218 |
CRS354-48G-4S+2Q+ | Marvell-98DX3257 | 650MHz | 1 | 4 | - | - | - | 2 | - | 170 | 32,000 | 10218 |
CRS354-48P-4S+2Q+ | Marvell-98DX3257 | 650MHz | 1 | 4 | - | - | - | 2 | - | 170 | 32,000 | 10218 |
CRS504-4XQ (IN/OUT) | Marvell-98DX4310 | 650MHz | 1 | - | - | - | - | - | 4 | 1024 | 128,000 | 10218 |
CRS510-8XS-2XQ-IN | Marvell-98DX4310 | 650MHz | 1 | - | - | - | 8 | - | 2 | 1024 | 128,000 | 10218 |
CRS518-16XS-2XQ | Marvell-98DX8525 | 650MHz | 1 | - | - | - | 16 | - | 2 | 1024 | 128,000 | 10218 |
CCR2116-12G-4S+ | Marvell-98DX3255 | 2000MHz | 16 | 4 | - | - | - | - | - | 512 | 32,000 | 9570 |
CCR2216-1G-12XS-2XQ | Marvell-98DX8525 | 2000MHz | 16 | - | - | - | 12 | - | 2 | 1024 | 128,000 | 9570 |
Info |
---|
For L3 hardware offloading feature support and hardware limits, please refer to Feature Support and Device Support user manuals. |
...
- FDB - Forwarding Database
- MDB - Multicast Database
- SVL - Shared VLAN Learning
- IVL - Independent VLAN Learning
- PVID - Port VLAN ID
- ACL - Access Control List
- CVID - Customer VLAN ID
- SVID - Service VLAN ID
Port switching
...
To set up port switching, check the Bridge Hardware Offloading page.
Warning |
---|
Currently, it is possible to create only one bridge with hardware offloading. Use the |
...
Note |
---|
Bridge STP/RSTP/MSTP, IGMP Snooping, and VLAN filtering settings don't affect hardware offloading; since RouterOS v6.42, bonding interfaces are also hardware offloaded. |
VLAN
...
The bridge provides VLAN-aware Layer 2 forwarding and VLAN tag modifications within the bridge. This set of features makes bridge operation more akin to a traditional Ethernet switch, allowing it to overcome Spanning Tree compatibility issues compared to configurations where tunnel-like VLAN interfaces are bridged. Configuring Bridge VLAN Filtering is highly recommended to comply with the STP (802.1D) and RSTP (802.1w) standards, and enabling it is mandatory for MSTP (802.1s) support in RouterOS.
VLAN Filtering
VLAN filtering is described in the Bridge VLAN Filtering section.
VLAN setup examples
Below are some of the most common ways to utilize VLAN forwarding.
Port-Based VLAN
The configuration is described in the Bridge VLAN Filtering section.
MAC Based VLAN
Note |
---|
|
...
Code Block | ||
---|---|---|
| ||
/interface bridge vlan add bridge=bridge1 tagged=ether2 untagged=ether7 vlan-ids=200,300,400 |
Add switch rules that assign the VLAN ID based on the source MAC address:
Code Block | ||
---|---|---|
| ||
/interface ethernet switch rule
add switch=switch1 ports=ether7 src-mac-address=A4:12:6D:77:94:43/FF:FF:FF:FF:FF:FF new-vlan-id=200
add switch=switch1 ports=ether7 src-mac-address=84:37:62:DF:04:20/FF:FF:FF:FF:FF:FF new-vlan-id=300
add switch=switch1 ports=ether7 src-mac-address=E7:16:34:A1:CD:18/FF:FF:FF:FF:FF:FF new-vlan-id=400 |
Protocol Based VLAN
Note |
---|
|
...
Code Block | ||
---|---|---|
| ||
/interface bridge vlan
add bridge=bridge1 tagged=ether2 untagged=ether6 vlan-ids=200
add bridge=bridge1 tagged=ether2 untagged=ether7 vlan-ids=300
add bridge=bridge1 tagged=ether2 untagged=ether8 vlan-ids=400 |
Add switch rules that assign the VLAN ID based on the MAC protocol:
Code Block | ||
---|---|---|
| ||
/interface ethernet switch rule
add mac-protocol=ip new-vlan-id=200 ports=ether6 switch=switch1
add mac-protocol=ipx new-vlan-id=300 ports=ether7 switch=switch1
add mac-protocol=0x80F3 new-vlan-id=400 ports=ether8 switch=switch1 |
VLAN Tunneling (Q-in-Q)
It is possible to use a provider bridge (IEEE 802.1ad), Tag Stacking, VLAN filtering, and hardware offloading simultaneously. The configuration for this is described in the Bridge VLAN Tunneling (Q-in-Q) section.
Warning |
---|
Devices equipped with switch chip Marvell-98DX3257 (e.g. CRS354 series) do not support VLAN filtering on 1Gbps Ethernet interfaces for other VLAN types ( |
...
It is possible to translate a certain VLAN ID to a different VLAN ID using ACL rules on an ingress port. In this example, we create two ACL rules, allowing bidirectional communication. This can be done with the following steps.
1) Create a new bridge and add ports to it with hardware offloading:
Code Block | ||
---|---|---|
| ||
/interface bridge
add name=bridge1 vlan-filtering=no
/interface bridge port
add interface=ether1 bridge=bridge1 hw=yes
add interface=ether2 bridge=bridge1 hw=yes |
2) Add ACL rules to translate a VLAN ID in each direction:
Code Block | ||
---|---|---|
| ||
/interface ethernet switch rule
add new-dst-ports=ether2 new-vlan-id=20 ports=ether1 switch=switch1 vlan-id=10
add new-dst-ports=ether1 new-vlan-id=10 ports=ether2 switch=switch1 vlan-id=20 |
3) Add both VLAN IDs to the bridge VLAN table:
Code Block | ||
---|---|---|
| ||
/interface bridge vlan
add bridge=bridge1 tagged=ether1 vlan-ids=10
add bridge=bridge1 tagged=ether2 vlan-ids=20 |
4) Enable bridge VLAN filtering:
...
Note |
---|
Bidirectional communication is limited to two switch ports. Translating VLAN IDs between more ports can cause traffic flooding or incorrect forwarding between ports of the same VLAN. |
Warning |
---|
By enabling |
...
CRS3xx, CRS5xx series switches, and CCR2116, CCR2216 routers are capable of running STP, RSTP, and MSTP at the hardware level. For more detailed information, check the Spanning Tree Protocol manual page.
...
CRS3xx, CRS5xx series switches, and CCR2116, CCR2216 routers support hardware offloading with bonding interfaces. Only the 802.3ad and balance-xor bonding modes are hardware offloaded; other bonding modes use the CPU's resources. You can find more information about bonding interfaces in the Bonding Interface section. If the 802.3ad mode is used, then LACP (Link Aggregation Control Protocol) is supported.
...
Note |
---|
Do not add interfaces to a bridge that are already in a bond; RouterOS will not allow you to add an interface to a bridge that is already a slave port of a bonding interface. |
...
MLAG (Multi-chassis Link Aggregation Group) implementation in RouterOS allows configuring LACP bonds on two separate devices, while the client device believes it is connected to the same machine. This provides physical redundancy in case of a switch failure. All CRS3xx, CRS5xx series, and CCR2116, CCR2216 devices can be configured with MLAG. Read here for more information.
...
Layer3 hardware offloading, also known as IP switching or HW routing, enables offloading certain router features onto the switch chip. This allows reaching wire speed when routing packets, which would not be possible with the CPU alone.
The offloaded feature set depends on the chipset used. For more information, please refer to the documentation provided here.
Port isolation
...
It is possible to create a Private VLAN setup; an example can be found in the Switch chip port isolation manual page. Hardware offloaded bonding interfaces are not included in the switch port-isolation menu, but it is still possible to configure port isolation individually on each secondary interface of the bonding.
Note |
---|
Port isolation can be used with a VLAN-filtering bridge, and it is possible to isolate ports that are members of the same VLAN. The isolation works per port; it is not possible to isolate ports per VLAN. |
IGMP/MLD Snooping
...
CRS3xx, CRS5xx series switches and CCR2116, CCR2216 routers can use IGMP/MLD Snooping at the hardware level. For more detailed information, check the IGMP/MLD snooping manual page.
...
CRS3xx, CRS5xx series switches and CCR2116, CCR2216 routers can use DHCP Snooping with Option 82 at the hardware level. The switch creates a dynamic ACL rule to capture the DHCP packets and redirect them to the main CPU for further processing. For more detailed information, please visit the DHCP Snooping and DHCP Option 82 manual page.
...
Controller Bridge (CB) and Port Extender (PE) is an IEEE 802.1BR standard implementation in RouterOS. It allows virtually extending the CB ports with a PE device and managing these extended interfaces from a single controlling device. Such configuration provides a simplified network topology, flexibility, increased port density, and ease of manageability. See more details on the Controller Bridge and Port Extender manual.
Mirroring
...
Mirroring allows the switch chip to duplicate the traffic passing through it and send a copy of those packets to another designated port (known as the mirror-target). This feature facilitates the creation of a tap device, enabling network traffic inspection using a traffic analyzer. You can configure simple port-based mirroring by designating source ports (see mirror-egress and mirror-ingress in /interface/ethernet/switch/port), or more advanced mirroring based on different criteria (see mirror in /interface/ethernet/switch/rule).
It is important to note that the mirror-target port must belong to the same switch (you can identify which port belongs to which switch in the device block diagram or in the /interface/ethernet menu). Additionally, it is not mandatory to add the mirror-target interface to the same hardware offloaded bridge where the source ports are set up. The mirror-target port can be a standalone interface (not configured as a bridge port), or it can be within a bridge setup. When using the mirror-target with a bridge, note that data and mirrored traffic may both travel on the same LAN. In such cases, consider employing RSPAN (Remote Switch Port Analyzer), where mirrored traffic is encapsulated into a separate VLAN before being transmitted over the network.
Additionally, you can set the mirror-target port to the special value "cpu", which means that the copied packets will be sent to the switch chip's CPU port.
Configuration examples
There are several methods for mirroring specific types of traffic; below are some of the most common examples.
Port Based Mirroring
Starting from RouterOS version 7.15, it is possible to configure multiple source ports and selectively choose whether to mirror incoming traffic, outgoing traffic, or both. In this example, both incoming and outgoing traffic of the ether2 interface will be copied and sent to the ether3 interface for monitoring or analysis:
Code Block | ||
---|---|---|
| ||
# Since RouterOS v7.15
/interface ethernet switch port
set ether2 mirror-egress=yes mirror-ingress=yes
/interface ethernet switch
set switch1 mirror-source=none mirror-target=ether3 |
Code Block | ||
---|---|---|
| ||
# Older RouterOS:
/interface ethernet switch
set switch1 mirror-source=ether2 mirror-target=ether3 |
VLAN Based Mirroring
Using ACL rules, it is possible to mirror packets from multiple interfaces using the ports setting. Additionally, you can specify more detailed criteria such as VLAN ID, MAC/IP address or TCP/UDP port. Only ingress packets are mirrored to the mirror-target interface.
...
This example will mirror incoming VLAN 11 traffic from the ether2 interface, and send copies to the ether3 interface. To use an ACL rule with a vlan-id matcher, you need to have bridge vlan-filtering enabled.
Code Block | ||
---|---|---|
| ||
/interface bridge
set bridge1 vlan-filtering=yes
/interface ethernet switch
set switch1 mirror-target=ether3 mirror-source=none
/interface ethernet switch rule
add mirror=yes ports=ether1 switch=switch1 vlan-id=11 |
Warning |
---|
By enabling |
MAC Based Mirroring
This example will mirror incoming traffic with 64:D1:54:D9:27:E6 as the MAC destination or source address from the ether1 interface, and send copies to the ether3 interface.
Code Block | ||
---|---|---|
| ||
/interface ethernet switch
set switch1 mirror-target=ether3 mirror-source=none
/interface ethernet switch rule
add mirror=yes ports=ether1 switch=switch1 dst-mac-address=64:D1:54:D9:27:E6/FF:FF:FF:FF:FF:FF
add mirror=yes ports=ether1 switch=switch1 src-mac-address=64:D1:54:D9:27:E6/FF:FF:FF:FF:FF:FF |
...
IP Based Mirroring
This example will mirror incoming traffic with a 192.168.88.0/24 IP destination or source address from the ether1 interface, and send copies to the ether3 interface.
Code Block | ||
---|---|---|
| ||
/interface ethernet switch
set switch1 mirror-target=ether3 mirror-source=none
/interface ethernet switch rule
add mirror=yes ports=ether1 switch=switch1 src-address=192.168.88.0/24
add mirror=yes ports=ether1 switch=switch1 dst-address=192.168.88.0/24 |
Protocol Based Mirroring
This example will mirror incoming IPX traffic (matched by mac-protocol) from the ether1 interface, and send copies to the ether3 interface.
Code Block | ||
---|---|---|
| ||
/interface ethernet switch
set switch1 mirror-target=ether3 mirror-source=none
/interface ethernet switch rule
add mirror=yes ports=ether1 switch=switch1 mac-protocol=ipx |
There are other options as well, check the ACL section to find out all possible parameters that can be used to match packets.
Remote Switch Port Analyzer
This example will mirror incoming and outgoing traffic of the ether2 interface; the copies will be encapsulated in an 802.1Q VLAN using 999 as the VLAN ID, and the packets will be sent to the ether3 interface. If the original traffic is already VLAN tagged, RSPAN adds another layer of VLAN tagging as an outer tag, so the mirrored traffic is tagged twice. If the mirror-target port is included in a vlan-filtering bridge, it is not required to make the interface a tagged VLAN member under the /interface/bridge/vlan menu for RSPAN.
Code Block | ||
---|---|---|
| ||
/interface ethernet switch port
set ether2 mirror-egress=yes mirror-ingress=yes
/interface ethernet switch
set switch1 mirror-target=ether3 rspan=yes rspan-egress-vlan-id=999 rspan-ingress-vlan-id=999 |
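Because RSPAN pushes a second 802.1Q tag on top of whatever the original frame carried, an analyzer attached to the mirror-target port has to peel the outer tag before it sees the original VLAN. The following Python code is an added example (not RouterOS code and not part of this page) that builds constructed frames, applies the outer RSPAN tag the way the text describes, parses the resulting tag stack, and strips the outer tag again on the analyzer side. The MAC addresses are taken from this page's mirroring examples; the frame bytes are constructed test data.

```python
"""Parse the VLAN tag stack of an RSPAN-mirrored Ethernet frame.

Added example (not RouterOS code): RSPAN inserts one more 802.1Q tag
as the outer tag, so the analyzer on the mirror-target port sees two
tags when the original frame was already tagged. All frames below are
constructed locally.
"""
import struct

ETH_P_8021Q = 0x8100   # 802.1Q TPID
ETH_P_IP = 0x0800      # inner EtherType used for the constructed payload


def vlan_tag(vid: int, pcp: int = 0) -> bytes:
    """802.1Q tag: TPID 0x8100 followed by PCP(3) / DEI(1) / VID(12)."""
    if not 0 <= vid <= 4095:
        raise ValueError("VLAN ID out of range")
    return struct.pack("!HH", ETH_P_8021Q, (pcp << 13) | vid)


def build_frame(dst: bytes, src: bytes, vids, payload: bytes) -> bytes:
    """Ethernet frame with zero or more 802.1Q tags, outermost first."""
    tags = b"".join(vlan_tag(v) for v in vids)
    return dst + src + tags + struct.pack("!H", ETH_P_IP) + payload


def rspan_encapsulate(frame: bytes, rspan_vid: int) -> bytes:
    """What the switch does to a mirrored frame: add the RSPAN VLAN as the outer tag."""
    return frame[:12] + vlan_tag(rspan_vid) + frame[12:]


def parse_tags(frame: bytes):
    """Return (vlan_ids_outer_to_inner, inner_ethertype, payload_offset)."""
    off, stack = 12, []
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, off)
        if ethertype != ETH_P_8021Q:
            return stack, ethertype, off + 2
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        stack.append(tci & 0x0FFF)
        off += 4


def strip_rspan(frame: bytes, rspan_vid: int) -> bytes:
    """Analyzer side: remove the outer RSPAN tag, recovering the original frame."""
    stack, _, _ = parse_tags(frame)
    if not stack or stack[0] != rspan_vid:
        raise ValueError("frame does not carry the expected RSPAN outer tag")
    return frame[:12] + frame[16:]


def demo():
    """Tag stacks seen before and after RSPAN, and whether stripping restores the original."""
    dst = bytes.fromhex("64d154d927e6")          # MAC from this page's mirroring example
    src = bytes.fromhex("a4126d779443")          # MAC from this page's MAC-based VLAN example
    original = build_frame(dst, src, [11], b"\x45" + b"\x00" * 19)   # VLAN 11, dummy IPv4 header
    mirrored = rspan_encapsulate(original, 999)                       # rspan-*-vlan-id=999
    return parse_tags(original)[0], parse_tags(mirrored)[0], strip_rspan(mirrored, 999) == original


if __name__ == "__main__":
    print(demo())
```

An untagged original frame comes out of `rspan_encapsulate` with a single tag (999), which is why an analyzer should match on the outer VLAN only and treat anything underneath as the customer's own tagging.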
Property Reference
Sub-menu:
/interface/ethernet/switch
Property | Description |
---|---|
mirror-target (cpu | name | none; Default:none) | Selects a single mirroring target port. Packets from |
rspan (no | yes; Default: no) | Enables Remote Switch Port Analyzer (RSPAN) feature on mirror-target . Traffic marked for ingress or egress mirroring is carried over a specified remote analyzer VLAN - rspan-egress-vlan-id and rspan-ingress-vlan-id . |
rspan-egress-vlan-id (integer: 1..4095; Default: 1) | Selects the VLAN ID for marked egress traffic. Only applies when rspan is enabled. |
rspan-ingress-vlan-id (integer: 1..4095; Default: 1) | Selects the VLAN ID for marked ingress traffic. Only applies when rspan is enabled. |
Sub-menu:
/interface/ethernet/switch/port
Property | Description |
---|---|
mirror-egress (no | yes; Default: no) | Whether to send egress packet copy to the |
mirror-ingress (no | yes; Default: no) | Whether to send ingress packet copy to the |
Sub-menu:
/interface/ethernet/switch/rule
Property | Description |
---|---|
mirror (no | yes; Default: no) | Whether to send a packet copy to mirror-target port. |
Traffic Shaping
...
It is possible to limit ingress traffic that matches certain parameters with ACL rules, and it is possible to limit ingress/egress traffic on a per-port basis. The policer is used for ingress traffic, the shaper for egress traffic. The ingress policer controls the received traffic with packet drops: everything that exceeds the defined limit is dropped. This can affect the TCP congestion control mechanism on end hosts, so the achieved bandwidth can actually be less than defined. The egress shaper tries to queue packets that exceed the limit instead of dropping them. Eventually, it will also drop packets when the output queue gets full; however, it should allow for better utilization of the defined throughput.
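The difference between dropping excess packets immediately and queueing them is easier to see on a concrete burst. The following Python simulation is an added example (not RouterOS code and not part of this page): a token-bucket policer and a finite-queue shaper, both run over the same constructed arrival patterns at the 10M rate used in this section. The bucket size, queue length and packet timings are constructed parameters, not values taken from the switch chip.

```python
"""Policer versus shaper, as described in the Traffic Shaping section.

Added example (not RouterOS code): an ingress policer drops every packet
that exceeds the configured rate, whereas an egress shaper holds excess
packets in a bounded queue and drops only once that queue is full.
The arrival patterns are constructed test data.
"""
from collections import deque


def policer(arrivals, rate_bps, bucket_bytes):
    """Token-bucket policer with no queue. arrivals = [(time_s, size_bytes), ...].
    Returns (passed, dropped)."""
    tokens, last_t = bucket_bytes, 0.0
    passed = dropped = 0
    for t, size in arrivals:
        # refill tokens for the time elapsed since the previous packet
        tokens = min(bucket_bytes, tokens + (t - last_t) * rate_bps / 8)
        last_t = t
        if size <= tokens:
            tokens -= size
            passed += 1
        else:
            dropped += 1          # exceeds the limit: dropped outright
    return passed, dropped


def shaper(arrivals, rate_bps, queue_limit):
    """Egress shaper with a queue of at most queue_limit pending packets.
    Returns (passed, dropped, time_the_last_packet_finishes)."""
    pending = deque()             # departure times of packets still queued
    next_free = 0.0               # time at which the link becomes idle
    passed = dropped = 0
    for t, size in arrivals:
        while pending and pending[0] <= t:
            pending.popleft()     # already transmitted by time t
        if len(pending) >= queue_limit:
            dropped += 1          # queue full: tail drop
            continue
        start = max(t, next_free)
        next_free = start + size * 8 / rate_bps
        pending.append(next_free)
        passed += 1
    return passed, dropped, next_free


# Constructed arrival patterns: 20 full-size frames as one burst, and the
# same frames paced 1.5 ms apart (a 1500-byte frame takes 1.2 ms at 10 Mbit/s).
BURST = [(0.0, 1500)] * 20
PACED = [(i * 0.0015, 1500) for i in range(20)]
RATE = 10_000_000      # 10M, the rate used in this section's ACL example


def compare():
    """Outcome of both mechanisms on both patterns."""
    return {
        "policer_burst": policer(BURST, RATE, bucket_bytes=3000),
        "shaper_burst": shaper(BURST, RATE, queue_limit=8)[:2],
        "policer_paced": policer(PACED, RATE, bucket_bytes=3000),
        "shaper_paced": shaper(PACED, RATE, queue_limit=8)[:2],
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name}: passed={result[0]} dropped={result[1]}")
```

On the burst, the policer passes only what the bucket holds and drops the rest, while the shaper delivers as many frames as fit in its queue and spreads them over time; on paced traffic within the rate, both pass everything. The TCP effect mentioned above follows from this: a sender that sees a burst of immediate drops backs off much harder than one whose packets are merely delayed.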
Port-based traffic police and shaper:
...
Code Block | ||
---|---|---|
| ||
/interface bridge
set bridge1 vlan-filtering=yes
/interface ethernet switch rule
add ports=ether1 switch=switch1 vlan-id=11 rate=10M |
Warning |
---|
By enabling |
...
Note |
---|
The Switch Rule table is used for QoS functionality; see this table for how many rules each device supports. |
Traffic Storm Control
...
Since RouterOS v6.42 it is possible to enable traffic storm control. A traffic storm can emerge when certain frames are continuously flooded on the network. For example, if a network loop has been created and no loop avoidance mechanism is used (e.g. Spanning Tree Protocol), broadcast or multicast frames can quickly overwhelm the network, causing degraded network performance or even a complete network breakdown. With CRS3xx, CRS5xx series switches and CCR2116, CCR2216 routers it is possible to limit broadcast, unknown multicast, and unknown unicast traffic. Traffic is considered unknown unicast when the switch has no host entry for the destination MAC address, and unknown multicast when the switch has no multicast group entry in the /interface bridge mdb menu. Storm control settings should be applied to ingress ports; the egress traffic will be limited.
Note |
---|
The storm control parameter is specified in percentage (%) of the link speed. If your link speed is 1Gbps, then specifying |
...
Property | Description |
---|---|
limit-broadcasts (yes | no; Default: yes) | Limit broadcast traffic on a switch port. |
limit-unknown-multicasts (yes | no; Default: no) | Limit unknown multicast traffic on a switch port. |
limit-unknown-unicasts (yes | no; Default: no) | Limit unknown unicast traffic on a switch port. |
storm-rate (integer 0..100; Default: 100) | The amount of broadcast, unknown multicast, and/or unknown unicast traffic is limited to this percentage of the link speed. |
...
Warning |
---|
Devices with Marvell-98DX3236 switch chip cannot distinguish unknown multicast traffic from all multicast traffic. For example, CRS326-24G-2S+ will limit all multicast traffic when |
For example, to limit 1% (10Mbps) of broadcast and unknown unicast traffic on ether1 (1Gbps), use the following commands:
Code Block | ||
---|---|---|
| ||
/interface ethernet switch port
set ether1 storm-rate=1 limit-broadcasts=yes limit-unknown-unicasts=yes |
MPLS hardware offloading
...
It is possible to offload certain MPLS functions to the switch chip; the switch must be a (P)rovider router in a PE-P-PE setup in order to achieve hardware offloading. A setup example can be found in the Basic MPLS setup example manual page. Hardware offloading only takes place when LDP interfaces are configured on physical switch interfaces (e.g. Ethernet, SFP, SFP+).
Note |
---|
Currently only |
...
The Access Control List contains an ingress policy engine and an egress policy engine. See this table for how many rules each device supports. It is an advanced tool for wire-speed packet filtering, forwarding, and modification based on Layer2, Layer3, and Layer4 protocol header field conditions.
Note |
---|
ACL rules are checked for each received packet until a match has been found. If there are multiple rules that can match, then only the first rule will be triggered. A rule without any action parameters is a rule to accept the packet. |
...
Property | Description |
---|---|
copy-to-cpu (no | yes; Default: no) | Clones the matching packet and sends it to the CPU. |
disabled (yes | no; Default: no) | Enables or disables ACL entry. |
dscp (0..63) | Matching the DSCP field of the packet (only applies to IPv4 packets). |
dst-address (IP address/Mask) | Matching destination IPv4 address and mask, also matches the destination IP in ARP packets. |
dst-address6 (IPv6 address/Mask) | Matching destination IPv6 address and mask. |
dst-mac-address (MAC address/Mask) | Matching destination MAC address and mask. |
dst-port (0..65535) | Matching destination protocol port number (applies to IPv4 and IPv6 packets if mac-protocol is not specified). |
flow-label (0..1048575) | Matching IPv6 flow label. |
mac-protocol (802.2 | arp | homeplug-av | ip | ipv6 | ipx | lldp | loop-protect | mpls-multicast | mpls-unicast | packing-compr | packing-simple | pppoe | pppoe-discovery | rarp | service-vlan | vlan | or 0..65535 | or 0x0000-0xffff) | Matching particular MAC protocol specified by protocol name or number |
mirror (no | yes) | Clones the matching packet and sends it to the mirror-target port. |
new-dst-ports (ports) | Changes the destination port as specified. An empty setting will drop the packet. A specified port will redirect the packet to it. When the parameter is not used, the packet will be accepted. Multiple "new-dst-ports" are not supported. |
new-vlan-id (0..4095) | Changes the VLAN ID to the specified value. Requires vlan-filtering=yes . |
new-vlan-priority (0..7) | Changes the VLAN priority (priority code point). Requires vlan-filtering=yes . |
ports (ports) | Matching ports on which the rule will apply to received traffic. |
protocol (dccp | ddp | egp | encap | etherip | ggp | gre | hmp | icmp | icmpv6 | idpr-cmtp | igmp | ipencap | ipip | ipsec-ah | ipsec-esp | ipv6 | ipv6-frag | ipv6-nonxt | ipv6-opts | ipv6-route | iso-tp4 | l2tp | ospf | pim | pup | rdp | rspf | rsvp | sctp | st | tcp | udp | udp-lite | vmtp | vrrp | xns-idp | xtp | or 0..255) | Matching particular IP protocol specified by protocol name or number. This only applies to IPv4 packets if mac-protocol is not specified. To match certain IPv6 protocols, use the mac-protocol=ipv6 setting. |
rate (0..4294967295) | Sets ingress traffic limitation (bits per second) for matched traffic. |
redirect-to-cpu (no | yes) | Changes the destination port of a matching packet to the CPU. |
src-address (IP address/Mask) | Matching source IPv4 address and mask, also matches the source IP in ARP packets. |
src-address6 (IPv6 address/Mask) | Matching source IPv6 address and mask. |
src-mac-address (MAC address/Mask) | Matching source MAC address and mask. |
src-port (0..65535) | Matching source protocol port number (applies to IPv4 and IPv6 packets if mac-protocol is not specified). |
switch (switch group) | Matching switch group on which the rule will apply. |
traffic-class (0..255) | Matching IPv6 traffic class. |
vlan-id (0..4095) | Matching VLAN ID. Requires vlan-filtering=yes . |
vlan-header (not-present | present) | Matching VLAN header, whether the VLAN header is present or not. Requires vlan-filtering=yes . |
vlan-priority (0..7) | Matching VLAN priority (priority code point). |
...
Note |
---|
For VLAN related matchers or VLAN related action parameters to work, you need to enable |
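The two rules that matter most when reading this table are the ones in the Note above: rules are checked in order and only the first match fires, and a rule with no action parameters accepts the packet (while new-dst-ports="" drops it). The following Python model is an added example (not RouterOS code and not part of this page) that encodes those semantics so a rule list can be checked offline before it is applied to a switch. It replays the two-port VLAN translation rules from the VLAN Tunneling (Q-in-Q) section and a drop-before-accept ordering. The Rule, Frame and Verdict types are hypothetical; the port names and MAC addresses come from this page's examples. The model covers only the matchers it names (ports, vlan-id, src-mac-address, mac-protocol) and the actions new-vlan-id, new-dst-ports, mirror and copy-to-cpu.

```python
"""First-match model of the /interface ethernet switch rule (ACL) table.

Added example, not RouterOS code: it simulates the rule semantics this
page describes (first matching rule wins; no action parameters = accept;
new-dst-ports="" = drop; new-dst-ports=<port> = redirect) over constructed
frames, so a rule list can be sanity-checked offline.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Frame:
    in_port: str
    vlan_id: Optional[int] = None        # None means untagged
    src_mac: str = "00:00:00:00:00:00"
    mac_protocol: str = "ip"


@dataclass
class Rule:
    ports: set                           # ingress ports the rule applies to
    vlan_id: Optional[int] = None        # matchers; None = not specified
    src_mac: Optional[str] = None
    mac_protocol: Optional[str] = None
    new_vlan_id: Optional[int] = None    # actions; None = parameter not used
    new_dst_ports: Optional[str] = None  # "" drops, "etherN" redirects
    mirror: bool = False
    copy_to_cpu: bool = False

    def matches(self, f: Frame) -> bool:
        return (f.in_port in self.ports
                and (self.vlan_id is None or f.vlan_id == self.vlan_id)
                and (self.src_mac is None or f.src_mac.upper() == self.src_mac.upper())
                and (self.mac_protocol is None or f.mac_protocol == self.mac_protocol))


@dataclass
class Verdict:
    action: str                          # "accept", "drop" or "redirect"
    vlan_id: Optional[int]               # VLAN ID after any new-vlan-id rewrite
    out_port: Optional[str] = None       # set only for "redirect"
    mirrored: bool = False
    copied_to_cpu: bool = False
    rule_index: Optional[int] = None     # None when no rule matched


def evaluate(rules, frame: Frame) -> Verdict:
    """Rules are checked in order; only the first matching rule is applied."""
    for i, r in enumerate(rules):
        if not r.matches(frame):
            continue
        vlan = frame.vlan_id if r.new_vlan_id is None else r.new_vlan_id
        if r.new_dst_ports == "":
            return Verdict("drop", vlan, None, r.mirror, r.copy_to_cpu, i)
        if r.new_dst_ports:
            return Verdict("redirect", vlan, r.new_dst_ports, r.mirror, r.copy_to_cpu, i)
        return Verdict("accept", vlan, None, r.mirror, r.copy_to_cpu, i)
    return Verdict("accept", frame.vlan_id)   # no rule matched: normal forwarding


# The two VLAN-translation rules from this page: VLAN 10 on ether1 <-> VLAN 20 on ether2.
VLAN_TRANSLATION = [
    Rule(ports={"ether1"}, vlan_id=10, new_vlan_id=20, new_dst_ports="ether2"),
    Rule(ports={"ether2"}, vlan_id=20, new_vlan_id=10, new_dst_ports="ether1"),
]


def check_translation():
    """(vlan, out_port) for each direction, plus an unrelated VLAN that no rule touches."""
    a = evaluate(VLAN_TRANSLATION, Frame("ether1", vlan_id=10))
    b = evaluate(VLAN_TRANSLATION, Frame("ether2", vlan_id=20))
    other = evaluate(VLAN_TRANSLATION, Frame("ether1", vlan_id=30))
    return (a.vlan_id, a.out_port), (b.vlan_id, b.out_port), (other.vlan_id, other.out_port)


def first_match_wins():
    """A drop rule placed before a broad accept rule is the one that fires for its host."""
    rules = [
        Rule(ports={"ether1"}, src_mac="A4:12:6D:77:94:43", new_dst_ports=""),   # drop this host
        Rule(ports={"ether1"}),                                                # accept the rest
    ]
    hit = evaluate(rules, Frame("ether1", src_mac="a4:12:6d:77:94:43"))
    miss = evaluate(rules, Frame("ether1", src_mac="84:37:62:DF:04:20"))
    return hit.action, hit.rule_index, miss.action, miss.rule_index


if __name__ == "__main__":
    print(check_translation())
    print(first_match_wins())
```

Swapping the order of the two rules in `first_match_wins` makes the accept rule shadow the drop rule, which is the usual way an ACL silently stops enforcing what it was written for; running a rule list through a model like this before applying it catches that.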
...
Warning |
---|
When bridge interface |
Port Security
...
It is possible to limit the allowed MAC addresses on a single switch port. For example, to allow only the 64:D1:54:81:EF:8E MAC address on a switch port, start by switching multiple ports together; in this example 64:D1:54:81:EF:8E is located behind ether1.
...
Switch all required ports together, disable MAC learning , and disable unknown unicast flooding on ether1:
...
Warning |
---|
Broadcast traffic will still be sent out from ether1. To limit broadcast traffic flood on a bridge port, you can use the |
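What the forwarding database does once MAC learning and unknown-unicast flooding are disabled on ether1, with 64:D1:54:81:EF:8E as the only host entry, is easiest to see on a small model. The following Python code is an added example (not RouterOS code and not part of this page): a hypothetical Switch class with per-port learning and flood flags, run over constructed frames. The other MAC addresses and the three-port layout are constructed test data.

```python
"""Model of the port-security behaviour described in this section.

Added example, not RouterOS code: a tiny forwarding database with
per-port learning and flood flags shows how frames to and from ether1
are handled once 64:D1:54:81:EF:8E is the only host entry for that
port, learning is off and unknown unicast is not flooded there.
"""
BROADCAST = "FF:FF:FF:FF:FF:FF"


class Switch:
    def __init__(self, ports):
        self.ports = list(ports)
        self.fdb = {}                                        # MAC -> port
        self.learning = {p: True for p in self.ports}        # dynamic MAC learning per port
        self.flood_unknown_unicast = {p: True for p in self.ports}
        self.flood_broadcast = {p: True for p in self.ports}

    def add_static(self, mac, port):
        """Static host entry, the equivalent of an allowed MAC on a port."""
        self.fdb[mac.upper()] = port

    def forward(self, in_port, src_mac, dst_mac):
        """Return the set of egress ports for one frame; an empty set means dropped."""
        src, dst = src_mac.upper(), dst_mac.upper()
        if self.learning[in_port] and src not in self.fdb:
            self.fdb[src] = in_port                          # dynamic learning
        others = {p for p in self.ports if p != in_port}
        if dst == BROADCAST:
            return {p for p in others if self.flood_broadcast[p]}
        if dst in self.fdb:
            out = self.fdb[dst]
            return set() if out == in_port else {out}        # known unicast: one port
        return {p for p in others if self.flood_unknown_unicast[p]}


def secured_switch():
    """The setup from this section: ether1 only ever reaches 64:D1:54:81:EF:8E."""
    sw = Switch(["ether1", "ether2", "ether3"])
    sw.add_static("64:D1:54:81:EF:8E", "ether1")             # the allowed host behind ether1
    sw.learning["ether1"] = False                            # no new MACs learned on ether1
    sw.flood_unknown_unicast["ether1"] = False               # unknown unicast never flooded to ether1
    return sw


def scenario():
    sw = secured_switch()
    rogue = "DE:AD:BE:EF:00:01"                              # constructed, not in the FDB
    server = "00:11:22:33:44:55"                             # constructed host on ether2
    from_rogue = sw.forward("ether1", rogue, server)         # leaves ether1 like any unknown dst
    learned = rogue in sw.fdb                                # but is never learned
    to_rogue = sw.forward("ether2", server, rogue)           # unknown unicast: ether3 only, not ether1
    to_allowed = sw.forward("ether2", server, "64:d1:54:81:ef:8e")   # static entry: ether1
    bcast = sw.forward("ether2", server, BROADCAST)          # broadcast still reaches ether1
    return from_rogue, learned, to_rogue, to_allowed, bcast


if __name__ == "__main__":
    print(scenario())
```

The model makes two things visible that the text states in passing: replies to an unlisted host never reach ether1 because it is neither learned nor a flood target for unknown unicast, and broadcast still goes out that port, which is what the Warning above is about. It also shows what the FDB settings alone do not do: frames from an unlisted source MAC still leave ether1, so stopping those requires a matching ACL rule (a src-mac-address matcher with new-dst-ports="" drops, as the ACL property table describes).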
Dual Boot
...
The "dual boot" feature allows you to choose which operating system you prefer to use on CRS3xx series switches: RouterOS or SwOS. The device operating system can be changed using:
- Command-line (/system routerboard settings set boot-os=swos)
- WinBox
- WebFig
- Serial Console
More details about SwOS are described here: SwOS manual
Configuring SwOS using RouterOS
...
It is possible to load, save, and reset the SwOS configuration, as well as upgrade SwOS and set an IP address for CRS3xx series switches, by using RouterOS.
- Save configuration with /system swos save-config
Note |
---|
The configuration will be saved on the same device with |
- Load configuration with /system swos load-config
- Change password with /system swos password
- Reset configuration with /system swos reset-config
- Upgrade SwOS from RouterOS using /system swos upgrade
Note |
---|
The upgrade command will automatically install the latest available SwOS primary version. Ensure that your device has access to the Internet in order for the upgrade process to work properly. When the device is booted into SwOS, the version number will include the letter "p", indicating a primary version. You can then install the latest available SwOS secondary version from the SwOS "Upgrade" menu. |
Property | Description |
---|---|
address-acquisition-mode (dhcp-only | dhcp-with-fallback | static; Default: dhcp-with-fallback) | Changes the address acquisition method: dhcp-only - uses only a DHCP client to acquire the address; dhcp-with-fallback - for the first 10 seconds tries to acquire an address using a DHCP client, and if the request is unsuccessful, falls back to the static address defined by the static-ip-address property; static - the address is set as defined by the static-ip-address property |
allow-from (IP/Mask; Default: 0.0.0.0/0) | IP address or a network from which the switch is accessible. By default, the switch is accessible by any IP address. |
allow-from-ports (name; Default: ) | List of switch ports from which the device is accessible. By default, all ports are allowed to access the switch |
allow-from-vlan (integer: 0..4094; Default: 0) | VLAN ID from which the device is accessible. By default, all VLANs are allowed |
identity (name; Default: Mikrotik) | Name of the switch (used for Mikrotik Neighbor Discovery protocol) |
static-ip-address (IP; Default: 192.168.88.1) | The IP address of the switch in case address-acquisition-mode is set to either dhcp-with-fallback or static. Setting a static IP address does not change the address acquisition process, which is DHCP with fallback by default. This means that the configured static IP address will become active only when there are no DHCP servers in the same broadcast domain |
See also
- CRS1xx/2xx series switches
- CRS Router
- CRS3xx, RS6xx, CCR2116, CCR2216 VLANs with Bonds
...