...
Warning: This article applies to CRS1xx and CRS2xx series switches and not to CRS3xx series switches. For CRS3xx series devices, read the CRS3xx, CRS5xx series switches and CCR2116, CCR2216 manual.
Port switching
...
To set up port switching on CRS1xx/2xx series switches, see the Bridge Hardware Offloading page.
Warning: It is possible to create multiple isolated switch groups by using multiple bridges with hardware offloading enabled; this is possible only on CRS1xx/2xx series switches. For more complex setups (for example, VLAN filtering), use the port isolation feature instead.
...
If invalid VLAN filtering is not enabled, management access to the device using tagged or untagged (VLAN 0) traffic is allowed from any port. This is not good practice: it can cause security issues and can overload the device's CPU in certain situations (most commonly with broadcast traffic).
If you intend to use invalid VLAN filtering (which you should), the ports from which you are going to access the switch must be added to the VLAN table for untagged (VLAN 0) traffic. For example, if you want to access the switch from ether2:
...
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether2,switch1-cpu vlan-id=99
After a valid VLAN99 configuration has been set up, you can enable unknown/invalid VLAN filtering, which will not allow management access through ports other than those specified in the VLAN table:
...
Note: It is recommended to get a serial console cable and test it before configuring VLANs, because you may lose access to the CPU and/or the port you are connected to.
...
Note: Some changes may take some time to take effect due to already-learned MAC addresses. In such cases, flushing the Unicast Forwarding Database can help:
Warning: Multiple hardware offloaded bridge configuration is designed as a fast and simple port isolation solution, but it limits part of the VLAN functionality supported by the CRS switch-chip. For advanced configurations, use one bridge within the CRS switch chip for all ports, configure VLANs, and isolate port groups with the port isolation profile configuration.
...
Note: When an entry is created under
You must also specify which VLANs should be sent out to the trunk port with a VLAN tag. Use the tagged-ports property to set up a trunk port:
...
/interface ethernet switch vlan
add ports=ether2,ether6 vlan-id=200
add ports=ether2,ether7 vlan-id=300
add ports=ether2,ether8 vlan-id=400
After a valid VLAN configuration has been set up, you can enable unknown/invalid VLAN filtering:
...
Note: It is possible to use the built-in switch chip and the CPU at the same time to create a Switch-Router setup, where a device acts as a switch and as a router simultaneously. You can find a configuration example in the CRS-Router guide.
Example 2 (Trunk and Hybrid Ports)
Switch together the required ports:
...
/interface ethernet switch vlan
add ports=ether2,ether6,ether7,ether8 vlan-id=200 learn=yes
add ports=ether2,ether6,ether7,ether8 vlan-id=300 learn=yes
add ports=ether2,ether6,ether7,ether8 vlan-id=400 learn=yes
After a valid VLAN configuration has been set up, you can enable unknown/invalid VLAN filtering:
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether2,ether6,ether7,ether8
Protocol Based VLAN
Switch together the required ports:
...
Warning: Internally, all MAC addresses in MAC-based VLANs are hashed. Certain MAC addresses can have the same hash, which prevents a MAC address from being loaded into the switch chip if its hash matches the hash of a MAC address that has already been loaded. For this reason, it is recommended to use port-based VLANs in combination with MAC-based VLANs. This is a hardware limitation.
Switch together the required ports:
...
Add MAC-to-VLAN mapping entries in the MAC-based VLAN table:
/interface ethernet switch mac-based-vlan
add src-mac=A4:12:6D:77:94:43 new-customer-vid=200
add src-mac=84:37:62:DF:04:20 new-customer-vid=300
add src-mac=E7:16:34:A1:CD:18 new-customer-vid=400
Add VLAN200, VLAN300, and VLAN400 tagging on the ether2 port to make it a VLAN trunk port:
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether2 vlan-id=200
add tagged-ports=ether2 vlan-id=300
add tagged-ports=ether2 vlan-id=400
...
InterVLAN routing configuration consists of two main parts – VLAN tagging in switch-chip and routing in RouterOS. This configuration can be used in many applications by combining it with a DHCP server, Hotspot, PPP, and other features for each VLAN.
...
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether6 hw=yes
add bridge=bridge1 interface=ether7 hw=yes
add bridge=bridge1 interface=ether8 hw=yes
Set VLAN tagging on the CPU port for all VLANs to make packets tagged before they are routed:
...
Warning: Make sure the VLAN interfaces are created on top of the bridge interface instead of any of the physical interfaces. If the VLAN interfaces are created on a slave interface, the packet might not be received correctly, and therefore routing might fail. More detailed information can be found on the VLAN interface on a slave interface manual page.
Add IP addresses on the created VLAN interfaces. In this example, three 192.168.x.1 addresses are added to the VLAN200, VLAN300, and VLAN400 interfaces:
/ip address
add address=192.168.20.1/24 interface=VLAN200
add address=192.168.30.1/24 interface=VLAN300
add address=192.168.40.1/24 interface=VLAN400
...
VLAN membership is defined in the VLAN table. Adding entries with a VLAN ID and ports makes that VLAN's traffic valid on those ports. After a valid VLAN configuration has been set up, unknown/invalid VLAN filtering can be enabled. This VLAN filtering configuration example applies to the InterVLAN Routing setup.
/interface ethernet switch vlan
add ports=switch1-cpu,ether6 vlan-id=200
add ports=switch1-cpu,ether7 vlan-id=300
add ports=switch1-cpu,ether8 vlan-id=400
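Because enabling the filter on a port that has no matching table entry is exactly what locks an administrator out, the check is worth running against the planned table before it is committed. The following Python model is an added example, not MikroTik code: it reproduces the membership test that drop-if-invalid-or-src-port-not-member-of-vlan-on-ports applies on ingress and adds a pre-flight check that a chosen management port still reaches switch1-cpu. The table contents are the InterVLAN entries from this page; modelling untagged management traffic as VLAN 0 with switch1-cpu as a member follows the note earlier on this page, and the CPU_PORT constant, class and method names are the example's own.

```python
# Added example, not MikroTik's code: a model of the CRS1xx/2xx VLAN table that
# answers two questions before filtering is enabled on a live switch:
#   1. would a frame be dropped on ingress by
#      drop-if-invalid-or-src-port-not-member-of-vlan-on-ports?
#   2. does a management path from a chosen port to switch1-cpu survive?
from dataclasses import dataclass, field

CPU_PORT = "switch1-cpu"
MGMT_VID = 0  # untagged management traffic is handled as VLAN 0 on these switches


@dataclass
class SwitchVlanTable:
    # vlan-id -> member ports, as in /interface ethernet switch vlan
    members: dict = field(default_factory=dict)
    # ports listed in drop-if-invalid-or-src-port-not-member-of-vlan-on-ports
    filtered_ports: set = field(default_factory=set)

    def add(self, vlan_id, ports):
        self.members.setdefault(vlan_id, set()).update(ports)

    def enable_filtering(self, ports):
        self.filtered_ports.update(ports)

    def accepts(self, in_port, vlan_id):
        """True if a frame with this VID arriving on in_port is forwarded."""
        if in_port not in self.filtered_ports:
            return True  # filtering off on this port: everything is accepted
        return in_port in self.members.get(vlan_id, set())

    def management_reachable(self, mgmt_port, vlan_id=MGMT_VID):
        """CPU reachable from mgmt_port on vlan_id once filtering is enabled."""
        return (self.accepts(mgmt_port, vlan_id)
                and CPU_PORT in self.members.get(vlan_id, set()))

    def preflight(self, mgmt_port, vlan_id=MGMT_VID):
        """Problems that would lock out management; an empty list means safe."""
        problems = []
        if mgmt_port not in self.members.get(vlan_id, set()):
            problems.append(f"{mgmt_port} is not a member of VLAN {vlan_id}")
        if CPU_PORT not in self.members.get(vlan_id, set()):
            problems.append(f"{CPU_PORT} is not a member of VLAN {vlan_id}")
        return problems

    def to_routeros(self):
        """Render the table as RouterOS commands (ports sorted for stable output)."""
        lines = ["/interface ethernet switch vlan"]
        for vid in sorted(self.members):
            lines.append(f"add ports={','.join(sorted(self.members[vid]))} vlan-id={vid}")
        return "\n".join(lines)


def build_intervlan_table():
    """Table from the InterVLAN routing example on this page, filtered on all ports."""
    t = SwitchVlanTable()
    t.add(200, [CPU_PORT, "ether6"])
    t.add(300, [CPU_PORT, "ether7"])
    t.add(400, [CPU_PORT, "ether8"])
    t.enable_filtering(["ether2", "ether6", "ether7", "ether8"])
    return t


if __name__ == "__main__":
    table = build_intervlan_table()
    print(table.preflight("ether2"))   # lockout: ether2 has no VLAN 0 entry yet
    table.add(MGMT_VID, ["ether2", CPU_PORT])
    print(table.preflight("ether2"))   # [] once the management entry exists
    print(table.to_routeros())
```

Run the pre-flight against the exact table you intend to apply and add the management entry before, not after, the `set drop-if-invalid-...` command; the model deliberately treats ports outside the filtered list as unrestricted, which is the state the switch is in before the filter is enabled.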
...
Warning: Using multiple bridges on a single switch chip with enabled unknown/invalid VLAN filtering can cause unexpected behavior. You should always use a single bridge configuration whenever using VLAN filtering. If port isolation is required, then the port isolation feature should be used instead of using multiple bridges.
VLAN Tunneling (Q-in-Q)
This example covers a typical VLAN tunneling use case where service provider devices add another VLAN tag for independent forwarding while allowing customers to use their own VLANs.
Note: This example contains only the Service VLAN tagging part. It is recommended to additionally set up the Unknown/Invalid VLAN filtering configuration on ports.
CRS-1: The first switch on the edge of the service provider network has to properly identify traffic from the customer VLAN ID on a port and assign a new service VLAN ID with ingress VLAN translation rules. VLAN trunk port configuration for service provider VLAN tags is in the same egress-vlan-tag table. The main difference from the basic Port-Based VLAN configuration is that the CRS switch-chip has to be set to forward according to the service (outer) VLAN ID instead of the customer (inner) VLAN ID.
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1 hw=yes
add bridge=bridge1 interface=ether2 hw=yes
add bridge=bridge1 interface=ether9 hw=yes
/interface ethernet switch ingress-vlan-translation
add customer-vid=200 new-service-vid=400 ports=ether1
add customer-vid=300 new-service-vid=500 ports=ether2
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether9 vlan-id=400
add tagged-ports=ether9 vlan-id=500
/interface ethernet switch
set bridge-type=service-vid-used-as-lookup-vid
CRS-2: The second switch in the service provider network requires only switched ports to forward according to the service (outer) VLAN ID instead of the customer (inner) VLAN ID.
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether9 hw=yes
add bridge=bridge1 interface=ether10 hw=yes
/interface ethernet switch
set bridge-type=service-vid-used-as-lookup-vid
CRS-3: The third switch has a configuration similar to CRS-1:
- Ports in a switch group using a bridge;
- Ingress VLAN translation rules to define new service VLAN assignments on ports;
- tagged-ports for service provider VLAN trunks;
- CRS switch-chip set to use the service VLAN ID in the switching lookup.
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether3 hw=yes
add bridge=bridge1 interface=ether4 hw=yes
add bridge=bridge1 interface=ether10 hw=yes
/interface ethernet switch ingress-vlan-translation
add customer-vid=200 new-service-vid=400 ports=ether3
add customer-vid=300 new-service-vid=500 ports=ether4
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether10 vlan-id=400
add tagged-ports=ether10 vlan-id=500
/interface ethernet switch
set bridge-type=service-vid-used-as-lookup-vid
...
Set the switch to filter VLANs based on the service tag (0x88a8):
/interface ethernet switch
set bridge-type=service-vid-used-as-lookup-vid
...
Note: Since the switch is set to look up the VLAN ID based on the service tag, which is overridden with a different EtherType, VLAN filtering is done only on the outer tag of a packet; the inner tag is not checked.
Mirroring
...
The Cloud Router Switches support three types of mirroring. Port-based mirroring can be applied to any switch-chip port; VLAN-based mirroring works for all specified VLANs regardless of switch-chip ports; and MAC-based mirroring copies traffic sent to or received from a specific device reachable through the port configured in the Unicast Forwarding Database.
Port-Based Mirroring
The first configuration sets the ether5 port as the mirror0 analyzer port for both ingress and egress mirroring; mirrored traffic will be sent to this port. Port-based ingress and egress mirroring are enabled on the ether6 port.
/interface ethernet switch
set ingress-mirror0=ether5 egress-mirror0=ether5
/interface ethernet switch port
set ether6 ingress-mirror-to=mirror0 egress-mirror-to=mirror0
...
The second example requires ports to be switched in a group. The mirroring configuration sets the ether5 port as the mirror0 analyzer port and sets the mirror0 port to be used when mirroring from a VLAN occurs. The VLAN table entry enables mirroring only for VLAN 300 traffic between the ether2 and ether7 ports.
...
The third configuration also requires ports to be switched in a group. The mirroring configuration sets the ether5 port as the mirror0 analyzer port and sets the mirror0 port to be used when mirroring from the Unicast Forwarding Database occurs. The Unicast Forwarding Database entry enables mirroring for packets with source or destination MAC address E7:16:34:A1:CD:18 on the ether8 port.
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether2 hw=yes
add bridge=bridge1 interface=ether8 hw=yes
/interface ethernet switch
set ingress-mirror0=ether5 fdb-uses=mirror0
/interface ethernet switch unicast-fdb
add port=ether8 mirror=yes svl=yes mac-address=E7:16:34:A1:CD:18
Trunking
...
Trunking in the Cloud Router Switches provides static link aggregation groups with hardware automatic failover and load balancing. The IEEE 802.3ad and IEEE 802.1ax compatible Link Aggregation Control Protocol is not supported yet. Up to 8 trunk groups are supported, with up to 8 trunk member ports per trunk group.
...
Note: You can find a working example for trunking and port-based VLANs on the CRS VLANs with Trunks page.
...
Warning: Bridge (R)STP is not aware of the underlying switch trunking configuration, and some trunk ports can move to a discarding or blocking state. When trunking member ports are connected to other bridges, you should either disable (R)STP or filter out any BPDUs between trunked devices (e.g. with ACL rules).
...
Disabling MAC learning and configuring static MAC addresses makes it possible to control exactly which devices can communicate with CRS1xx/2xx switches and through them.
Configuration requires a group of switched ports, disabled MAC learning on those ports, and static UFDB entries:
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether2 hw=yes
add bridge=bridge1 interface=ether6 hw=yes learn=no unknown-unicast-flood=no
add bridge=bridge1 interface=ether7 hw=yes learn=no unknown-unicast-flood=no
/interface ethernet switch unicast-fdb
add mac-address=4C:5E:0C:00:00:01 port=ether6 svl=yes
add mac-address=D4:CA:6D:00:00:02 port=ether7 svl=yes
/interface ethernet switch acl
add action=drop src-mac-addr-state=sa-not-found src-ports=ether6,ether7 table=egress
add action=drop src-mac-addr-state=static-station-move src-ports=ether6,ether7 table=egress
CRS1xx/2xx switches also allow learning only one dynamic MAC address per port, to ensure that only one end-user device is connected regardless of its MAC address:
/interface ethernet switch port
set ether6 learn-limit=1
set ether7 learn-limit=1
Isolation
...
Port Level Isolation
Port-level isolation is often used for Private VLAN, where:
- One or multiple uplink ports are shared among all users for accessing the gateway or router.
- Port group Isolated Ports is for guest users. Communication is through the uplink ports only.
- Port group Community 0 is for department A. Communication is allowed between the group members and through uplink ports.
- Port group Community X is for department X. Communication is allowed between the group members and through uplink ports.
The Cloud Router Switches use port-level isolation profiles for Private VLAN implementation:
- Uplink ports - port-level isolation profile 0
- Isolated ports - port-level isolation profile 1
- Community 0 ports - port-level isolation profile 2
- Community X (X <= 30) ports - port-level isolation profile X
...
The first part of port isolation configuration is setting the Uplink port – set a port profile to 0 for ether2:
...
/interface ethernet switch port
set ether7 isolation-leakage-profile-override=2
set ether8 isolation-leakage-profile-override=2
/interface ethernet switch port-isolation
add port-profile=2 ports=ether2,ether7,ether8 type=dst
/interface ethernet switch port
set ether9 isolation-leakage-profile-override=3
set ether10 isolation-leakage-profile-override=3
/interface ethernet switch port-isolation
add port-profile=3 ports=ether2,ether9,ether10 type=dst
Protocol Level Isolation
Protocol-level isolation on CRS switches can be used to enhance network security. For example, restricting DHCP traffic between users and allowing it only to the trusted DHCP server port can prevent security risks such as DHCP spoofing attacks. The following example shows how to configure it on CRS.
...
Then configure the port isolation/leakage profile for the selected community (2) to allow DHCP traffic destined only to the port where the trusted DHCP server is located. The registration-status and traffic-type properties have to be set empty in order to apply the restriction only to the DHCP protocol.
/interface ethernet switch port-isolation
add port-profile=2 protocol-type=dhcpv4 type=dst forwarding-type=bridged ports=ether1 registration-status="" traffic-type=""
...
In Strict Priority scheduling mode, the highest-priority queue is served first. The queue number represents the priority, and the queue with the highest number has the highest priority. Traffic is transmitted from the highest-priority queue until that queue is empty, then from the next highest-priority queue, and so on. If there is no congestion at the egress port, a packet is transmitted as soon as it is received. If congestion occurs on a port where high-priority traffic keeps arriving, the lower-priority queues starve.
On all CRS switches, the scheme for MAC-based egress traffic scheduling according to internal priority is the following: [MAC address] -> [QoS Group] -> [Priority] -> [Queue]
In this example, host1 (E7:16:34:00:00:01) and host2 (E7:16:34:00:00:02) will have higher priority 1 and the rest of the hosts will have lower priority 0 for transmitted traffic on port ether7. Note that CRS has a maximum of 8 queues per port.
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether6 hw=yes
add bridge=bridge1 interface=ether7 hw=yes
add bridge=bridge1 interface=ether8 hw=yes
Create a QoS group for use in UFDB:
...
Add UFDB entries to match specific MACs on ether7 and apply the QoS group1:
/interface ethernet switch unicast-fdb
add mac-address=E7:16:34:00:00:01 port=ether7 qos-group=group1 svl=yes
add mac-address=E7:16:34:00:00:02 port=ether7 qos-group=group1 svl=yes
...
MAC-based traffic shaping using internal Priority
The scheme for MAC-based traffic shaping according to internal priority is the following: [MAC address] -> [QoS Group] -> [Priority] -> [Queue] -> [Shaper]
In this example, unlimited traffic will have priority 0 and limited traffic will have priority 1 with a bandwidth limit of 10Mbit. Note that CRS has a maximum of 8 queues per port.
...
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether6 hw=yes
add bridge=bridge1 interface=ether7 hw=yes
add bridge=bridge1 interface=ether8 hw=yes
Create a QoS group for use in UFDB:
...
/interface ethernet switch acl policer
add name=policer1 yellow-burst=100k yellow-rate=10M
/interface ethernet switch acl
add mac-dst-address=E7:16:34:A1:CD:18 policer=policer1
VLAN-based traffic scheduling + shaping using internal Priorities
The best practice is to assign a lower internal QoS priority to traffic limited by the shaper, so that it is also less important in the Strict Priority scheduler (higher priority should be more important and unlimited).
...
Create QoS groups for use in the VLAN table.
/interface ethernet switch qos-group
add name=group0 priority=0
add name=group1 priority=1
add name=group2 priority=2
...
Configure ether6, ether7, and ether8 port queues to work according to Strict Priority and QoS schemes only for VLAN-based QoS.
...
/interface ethernet switch shaper
add port=ether6 rate=10M
PCP-based traffic scheduling
By default, CRS1xx/CRS2xx series devices ignore the PCP/CoS/802.1p value and forward packets in a FIFO (First-In-First-Out) manner. When the device's internal queue is not full, packets are sent in FIFO order, but as soon as a queue fills up, higher-priority traffic can be sent out first. Consider a scenario where ether1 and ether2 are forwarding data to ether3: when ether3 is congested, packets are scheduled, and the switch can be configured to hold the lowest-priority packets until all higher-priority packets are sent out. This is a very common scenario for VoIP-type setups, where some traffic needs to be prioritized.
...
Both Ingress Port policer and Shaper provide bandwidth-limiting features for CRS switches.
...
The same Ingress Port policer also can be used for the traffic storm control to prevent disruptions on Layer 2 ports caused by broadcast, multicast, or unicast traffic storms.
...
- Example with multiple packet types, including the ARP and ND protocols and unregistered multicast traffic. Unregistered multicast is traffic that is not defined in the Multicast Forwarding Database.
/interface ethernet switch ingress-port-policer
add port=ether5 rate=5k meter-unit=packet packet-types=broadcast,arp-or-nd,unregistered-multicast
...