Versions Compared

Summary

...

CRS3xx, CRS5xx series switches and CCR2116, CCR2216 routers have highly integrated switches with a high-performance CPU and feature-rich packet processors. These devices can be designed into various Ethernet applications including unmanaged switch, Layer 2 managed switch, carrier switch, inter-VLAN router, and wired unified packet processor.

Note

This article applies to CRS3xx, CRS5xx series switches, CCR2116, CCR2216 routers, and not to CRS1xx/CRS2xx series switches.

Features

Features | Description
Forwarding
  • Configurable ports for switching or routing
  • Full non-blocking wire-speed switching
  • Large Unicast FDB for Layer 2 unicast forwarding
  • Forwarding Databases works based on IVL
  • Jumbo frame support
  • IGMP Snooping support
  • DHCP Snooping with Option 82 
Routing
  • Layer 3 Hardware Offloading:
    • IPv4, IPv6 Unicast Routing
    • Supported on Ethernet, Bridge, Bonding, and VLAN interfaces
    • ECMP
    • Blackholes
    • Offloaded Fasttrack connections (applies only to certain switch models)
    • Offloaded NAT for Fasttrack connections (applies only to certain switch models)
    • Multiple MTU profiles
Spanning Tree Protocol
  • STP
  • RSTP
  • MSTP
Mirroring
  • Various types of mirroring:
    • Port based mirroring
    • VLAN based mirroring
    • MAC based mirroring
VLAN
  • Fully compatible with IEEE802.1Q and IEEE802.1ad VLAN
  • 4k active VLANs
  • Flexible VLAN assignment:
    • Port based VLAN
    • Protocol based VLAN
    • MAC based VLAN
  • VLAN filtering
  • From any to any Ingress VLAN translation
Bonding
  • Supports 802.3ad (LACP) and balance-xor modes
  • Up to 8 member ports per bonding interface
  • Up to 30 bonding interfaces
  • Hardware automatic failover and load balancing
  • MLAG
Traffic Shaping
  • Ingress traffic limiting
    • Port based
    • MAC based
    • IP based
    • VLAN based
    • Protocol based
    • DSCP based
  • Port based egress traffic limiting
  • Traffic Storm Control
Port isolation
  • Applicable for Private VLAN implementation
Access Control List
  • Ingress ACL tables
  • Classification based on ports, L2, L3, L4 protocol header fields
  • ACL actions include filtering, forwarding and modifying of the protocol header fields

Models

This table clarifies the main differences between Cloud Router Switch models and CCR routers.

Model | Switch Chip | CPU | Cores | 10G SFP+ ports | 10G Ethernet | 25G SFP28 | 40G QSFP+ | 100G QSFP28 | ACL rules | Unicast FDB entries | Jumbo Frame (Bytes)
netPower 15FR (CRS318-1Fi-15Fr-2S) | Marvell-98DX224S | 800MHz | 1 | - | - | - | - | - | 128 | 16,000 | 10218
netPower 16P (CRS318-16P-2S+) | Marvell-98DX226S | 800MHz | 1 | 2 | - | - | - | - | 128 | 16,000 | 10218
CRS310-1G-5S-4S+ (netFiber 9/IN) | Marvell-98DX226S | 800MHz | 1 | 4 | - | - | - | - | 128 | 16,000 | 10218
CRS326-24G-2S+ (RM/IN) | Marvell-98DX3236 | 800MHz | 1 | 2 | - | - | - | - | 128 | 16,000 | 10218
CRS328-24P-4S+ | Marvell-98DX3236 | 800MHz | 1 | 4 | - | - | - | - | 128 | 16,000 | 10218
CRS328-4C-20S-4S+ | Marvell-98DX3236 | 800MHz | 1 | 4 | - | - | - | - | 128 | 16,000 | 10218
CRS305-1G-4S+ | Marvell-98DX3236 | 800MHz | 1 | 4 | - | - | - | - | 128 | 16,000 | 10218
CRS309-1G-8S+ | Marvell-98DX8208 | 800MHz | 2 | 8 | - | - | - | - | 1024 | 32,000 | 10218
CRS317-1G-16S+ | Marvell-98DX8216 | 800MHz | 2 | 16 | - | - | - | - | 1024 | 128,000 | 10218
CRS312-4C+8XG | Marvell-98DX8212 | 650MHz | 1 | 4 (combo ports) | 8 + 4 (combo ports) | - | - | - | 512 | 32,000 | 10218
CRS326-24S+2Q+ | Marvell-98DX8332 | 650MHz | 1 | 24 | - | - | 2 | - | 256 | 32,000 | 10218
CRS354-48G-4S+2Q+ | Marvell-98DX3257 | 650MHz | 1 | 4 | - | - | 2 | - | 170 | 32,000 | 10218
CRS354-48P-4S+2Q+ | Marvell-98DX3257 | 650MHz | 1 | 4 | - | - | 2 | - | 170 | 32,000 | 10218

Abbreviations

  • FDB - Forwarding Database
  • MDB - Multicast Database
  • SVL - Shared VLAN Learning
  • IVL - Independent VLAN Learning
  • PVID - Port VLAN ID
  • ACL - Access Control List
  • CVID - Customer VLAN ID
  • SVID - Service VLAN ID

Port switching

In order to set up a port switching on CRS3xx series switches, check the Bridge Hardware Offloading page.

Warning

Currently it is possible to create only one bridge with hardware offloading on CRS3xx series devices. Use the hw=yes/no parameter to select which bridge will use hardware offloading.

Note

On CRS3xx series switches, bridge STP/RSTP/MSTP, IGMP Snooping and VLAN filtering settings don't affect hardware offloading. Since RouterOS v6.42, bonding interfaces are also hardware offloaded.

VLAN

Since RouterOS version 6.41, a bridge provides VLAN aware Layer2 forwarding and VLAN tag modifications within the bridge. This set of features makes bridge operation more like a traditional Ethernet switch and makes it possible to overcome Spanning Tree compatibility issues compared to the configuration in which tunnel-like VLAN interfaces are bridged. Bridge VLAN Filtering configuration is highly recommended to comply with the STP (802.1D) and RSTP (802.1w) standards, and it is mandatory to enable MSTP (802.1s) support in RouterOS.

VLAN Filtering

The main VLAN setting is vlan-filtering, which globally controls VLAN awareness and VLAN tag processing in the bridge. If vlan-filtering=no is used, the bridge ignores VLAN tags, works in shared-VLAN-learning (SVL) mode and cannot modify VLAN tags of packets. Turning on vlan-filtering=yes enables all bridge VLAN related functionality and independent-VLAN-learning (IVL) mode. Besides joining the ports for Layer2 forwarding, the bridge itself is also an interface and therefore has its own Port VLAN ID (pvid).

Note

Since RouterOS version 6.41, all VLAN switching related parameters are moved to the bridge section. On CRS3xx series devices, VLAN switching must be configured under the bridge section as well. This does not limit the device's performance: CRS3xx is designed to use the built-in switch chip to work with bridge VLAN filtering, so full non-blocking wire-speed switching performance is achievable while using bridges and bridge VLAN filtering. Make sure that all bridge ports have the "H" flag, which indicates that the device is using the switch chip to forward packets.

Sub-menu: /interface bridge

...

Sub-menu: /interface bridge port

...

VLAN Table

The bridge VLAN table represents per-VLAN port mapping with an egress VLAN tag action. Tagged ports send out frames with the specified VLAN ID tag; untagged ports remove the VLAN tag before sending out frames.
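
As an added illustration (example code written for this page, not RouterOS or MikroTik code), the following Python model applies the rules described above: an untagged frame takes the ingress port's pvid, a frame is dropped when its port is not a member of that VLAN, the tagged/untagged membership decides the egress tag action, and learning is keyed by (VLAN, MAC) in IVL mode versus by MAC alone in SVL mode. Port names, MAC addresses and frames are constructed for the example.

```python
# Added example, not MikroTik's code: a minimal model of bridge VLAN filtering.
from __future__ import annotations
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    vlan: int | None = None       # 802.1Q VID on the wire; None means untagged


@dataclass
class Bridge:
    vlan_filtering: bool
    pvid: dict                    # port name -> pvid (also defines the port set)
    tagged: dict = field(default_factory=dict)    # vlan -> ports that send it tagged
    untagged: dict = field(default_factory=dict)  # vlan -> ports that send it untagged
    fdb: dict = field(default_factory=dict)       # learning key -> port

    def add_vlan(self, vlan, tagged=(), untagged=()):
        """One /interface bridge vlan entry: membership plus the egress tag action."""
        self.tagged[vlan] = set(tagged)
        self.untagged[vlan] = set(untagged)

    def members(self, vlan):
        return self.tagged.get(vlan, set()) | self.untagged.get(vlan, set())

    def _key(self, vlan, mac):
        # IVL (vlan-filtering=yes) learns per (VLAN, MAC); SVL (vlan-filtering=no) per MAC only
        return (vlan, mac) if self.vlan_filtering else mac

    def _egress(self, port, vlan, frame):
        if not self.vlan_filtering:
            return frame              # a VLAN-unaware bridge never rewrites tags
        if port in self.untagged[vlan]:
            return Frame(frame.src, frame.dst, None)
        return Frame(frame.src, frame.dst, vlan)

    def ingress(self, port, frame):
        """Forward one frame: returns [(egress_port, frame_as_sent), ...], [] if dropped."""
        if self.vlan_filtering:
            vlan = frame.vlan if frame.vlan is not None else self.pvid[port]
            if port not in self.members(vlan):
                return []             # ingress filtering: port is not a member of this VLAN
            candidates = self.members(vlan) - {port}
        else:
            vlan = None
            candidates = set(self.pvid) - {port}
        self.fdb[self._key(vlan, frame.src)] = port
        known = self.fdb.get(self._key(vlan, frame.dst))
        if known == port:
            return []                 # destination sits behind the ingress port
        targets = [known] if known in candidates else sorted(candidates)
        return [(p, self._egress(p, vlan, frame)) for p in targets]


def demo_ivl():
    """Constructed setup: ether1 trunk (tagged 10 and 20), ether2 access 10, ether3 access 20."""
    br = Bridge(vlan_filtering=True, pvid={"ether1": 1, "ether2": 10, "ether3": 20})
    br.add_vlan(10, tagged=["ether1"], untagged=["ether2"])
    br.add_vlan(20, tagged=["ether1"], untagged=["ether3"])
    a, b, c = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"
    untagged_in = br.ingress("ether2", Frame(a, BROADCAST))        # pvid 10, flooded, tagged on trunk
    unknown_in_20 = br.ingress("ether1", Frame(b, a, vlan=20))      # A was learned in VLAN 10 only
    unicast_in_10 = br.ingress("ether1", Frame(c, a, vlan=10))      # A known in VLAN 10, sent untagged
    not_member = br.ingress("ether1", Frame(c, a, vlan=30))         # VLAN 30 is not in the table
    return untagged_in, unknown_in_20, unicast_in_10, not_member


def demo_svl():
    """Same bridge with vlan-filtering=no: tags are ignored and left untouched."""
    br = Bridge(vlan_filtering=False, pvid={"ether1": 1, "ether2": 1})
    a, b = "02:00:00:00:00:0a", "02:00:00:00:00:0b"
    br.ingress("ether1", Frame(a, BROADCAST, vlan=10))
    return br.ingress("ether2", Frame(b, a, vlan=20))                # unicast to ether1, tag kept


if __name__ == "__main__":
    for step in demo_ivl():
        print(step)
    print(demo_svl())
```

The IVL run shows why the page calls the mode "independent": a MAC learned in VLAN 10 is unknown in VLAN 20, so the frame floods within VLAN 20 only. The SVL run shows the vlan-filtering=no behaviour from the VLAN Filtering section: one MAC table for everything and no tag rewriting.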

Sub-menu: /interface bridge vlan

...

Models (continued)

Model | Switch Chip | CPU | Cores | 10G SFP+ ports | 10G Ethernet | 25G SFP28 | 40G QSFP+ | 100G QSFP28 | ACL rules | Unicast FDB entries | Jumbo Frame (Bytes)
CRS504-4XQ (IN/OUT) | Marvell-98DX4310 | 650MHz | 1 | - | - | - | - | 4 | 1024 | 128,000 | 10218
CRS510-8XS-2XQ-IN | Marvell-98DX4310 | 650MHz | 1 | - | - | 8 | - | 2 | 1024 | 128,000 | 10218
CRS518-16XS-2XQ | Marvell-98DX8525 | 650MHz | 1 | - | - | 16 | - | 2 | 1024 | 128,000 | 10218
CCR2116-12G-4S+ | Marvell-98DX3255 | 2000MHz | 16 | 4 | - | - | - | - | 512 | 32,000 | 9570
CCR2216-1G-12XS-2XQ | Marvell-98DX8525 | 2000MHz | 16 | - | - | 12 | - | 2 | 1024 | 128,000 | 9570


Info

For L3 hardware offloading feature support and hardware limits, please refer to Feature Support and Device Support user manuals.


Port switching

...

In order to set up a port switching, check the Bridge Hardware Offloading page.

Warning

Currently, it is possible to create only one bridge with hardware offloading. Use the hw=yes/no parameter to select which bridge will use hardware offloading.


Note

Bridge STP/RSTP/MSTP, IGMP Snooping and VLAN filtering settings don't affect hardware offloading. Since RouterOS v6.42, bonding interfaces are also hardware offloaded.

VLAN

...

Since RouterOS version 6.41, a bridge provides VLAN aware Layer2 forwarding and VLAN tag modifications within the bridge. This set of features makes bridge operation more like a traditional Ethernet switch and makes it possible to overcome Spanning Tree compatibility issues compared to the configuration in which tunnel-like VLAN interfaces are bridged. Bridge VLAN Filtering configuration is highly recommended to comply with the STP (802.1D) and RSTP (802.1w) standards, and it is mandatory to enable MSTP (802.1s) support in RouterOS.

VLAN Filtering

VLAN filtering is described in the Bridge VLAN Filtering section.

VLAN setup examples

Below are some of the most common ways to utilize VLAN forwarding.

Port-Based VLAN

The configuration is described in the Bridge VLAN Filtering section.

MAC Based VLAN

Note
  • The Switch Rule table is used for MAC Based VLAN functionality; see the Models table for how many rules each device supports.
  • MAC-based VLANs will only work properly between switch ports and not between switch ports and CPU. When a packet is being forwarded to the CPU, the pvid property of the bridge port will always be used instead of new-vlan-id from ACL rules.
  • MAC-based VLANs will not work for DHCP packets when DHCP snooping is enabled.

Enable switching on ports by creating a bridge with enabled hw-offloading:

Code Block
languageros
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface bridge port
add bridge=bridge1 interface=ether2 hw=yes
add bridge=bridge1 interface=ether7 hw=yes

Add VLANs in the Bridge VLAN table and specify ports:

Code Block
languageros
/interface bridge vlan
add bridge=bridge1 tagged=ether2 untagged=ether7 vlan-ids=200,300,400

Add Switch rules which assign VLAN id based on MAC address:

Code Block
languageros
/interface ethernet switch rule
add switch=switch1 ports=ether7 src-mac-address=A4:12:6D:77:94:43/FF:FF:FF:FF:FF:FF new-vlan-id=200
add switch=switch1 ports=ether7 src-mac-address=84:37:62:DF:04:20/FF:FF:FF:FF:FF:FF new-vlan-id=300
add switch=switch1 ports=ether7 src-mac-address=E7:16:34:A1:CD:18/FF:FF:FF:FF:FF:FF new-vlan-id=400

Protocol Based VLAN

Note
  • The Switch Rule table is used for Protocol Based VLAN functionality; see the Models table for how many rules each device supports.
  • Protocol-based VLANs will only work properly between switch ports and not between switch ports and CPU. When a packet is being forwarded to the CPU, the pvid property of the bridge port will always be used instead of new-vlan-id from ACL rules.

VLAN setup examples

Below are some of the most common ways to utilize VLAN forwarding on the CRS3xx series switches.

Port-Based VLAN

The configuration for CRS3xx switches is described in the Bridge VLAN Filtering section.

Note

It is possible to use the built-in switch chip and the CPU at the same time to create a Switch-Router setup, where a device acts as a switch and as a router at the same time. You can find a configuration example in the CRS-Router guide.

MAC Based VLAN

Note
  • The CRS3xx Switch Rule table is used for MAC Based VLAN functionality; see the Models table for how many rules each device supports.
  • MAC-based VLANs will only work properly between switch ports and not between switch ports and CPU. When a packet is being forwarded to the CPU, the pvid property of the bridge port will always be used instead of new-vlan-id from ACL rules.
  • MAC-based VLANs will not work for DHCP packets when DHCP snooping is enabled.

Enable switching on ports by creating a bridge with enabled hw-offloading:

Code Block
languageros
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface bridge port
add bridge=bridge1 interface=ether2 hw=yes
add bridge=bridge1 interface=ether7 hw=yes

Add VLANs in the Bridge VLAN table and specify ports:

Code Block
languageros
/interface bridge vlan
add bridge=bridge1 tagged=ether2 untagged=ether7 vlan-ids=200,300,400

Add Switch rules which assign VLAN id based on MAC address:

Code Block
languageros
/interface ethernet switch rule
add switch=switch1 ports=ether7 src-mac-address=A4:12:6D:77:94:43/FF:FF:FF:FF:FF:FF new-vlan-id=200
add switch=switch1 ports=ether7 src-mac-address=84:37:62:DF:04:20/FF:FF:FF:FF:FF:FF new-vlan-id=300
add switch=switch1 ports=ether7 src-mac-address=E7:16:34:A1:CD:18/FF:FF:FF:FF:FF:FF new-vlan-id=400

Protocol Based VLAN

Note
  • The CRS3xx Switch Rule table is used for Protocol Based VLAN functionality; see the Models table for how many rules each device supports.
  • Protocol-based VLANs will only work properly between switch ports and not between switch ports and CPU. When a packet is being forwarded to the CPU, the pvid property of the bridge port will always be used instead of new-vlan-id from ACL rules.
  • Protocol-based VLANs will not work for DHCP packets when DHCP snooping is enabled.

Enable switching on ports by creating a bridge with enabled hw-offloading:

Code Block
languageros
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface bridge port
add bridge=bridge1 interface=ether2 hw=yes
add bridge=bridge1 interface=ether6 hw=yes
add bridge=bridge1 interface=ether7 hw=yes
add bridge=bridge1 interface=ether8 hw=yes

Add VLANs in the Bridge VLAN table and specify ports:

Code Block
languageros
/interface bridge vlan
add bridge=bridge1 tagged=ether2 untagged=ether6 vlan-ids=200
add bridge=bridge1 tagged=ether2 untagged=ether7 vlan-ids=300
add bridge=bridge1 tagged=ether2 untagged=ether8 vlan-ids=400

Add Switch rules which assign VLAN id based on MAC protocol:

Code Block
languageros
/interface ethernet switch rule
add mac-protocol=ip new-vlan-id=200 ports=ether6 switch=switch1
add mac-protocol=ipx new-vlan-id=300 ports=ether7 switch=switch1
add mac-protocol=0x80F3 new-vlan-id=400 ports=ether8 switch=switch1

VLAN Tunneling (Q-in-Q)

Since RouterOS v6.43 it is possible to use a provider bridge (IEEE 802.1ad) and Tag Stacking VLAN filtering together with hardware offloading. The configuration is described in the Bridge VLAN Tunneling (Q-in-Q) section.

Warning

Devices with switch chip Marvell-98DX3257 (e.g. CRS354 series) do not support VLAN filtering on 1Gbps Ethernet interfaces for other VLAN types (0x88a8 and 0x9100).

Ingress VLAN translation

It is possible to translate a certain VLAN ID to a different VLAN ID using ACL rules on an ingress port. In this example we create two ACL rules, allowing bidirectional communication. This can be done by doing the following.

Create a new bridge and add ports to it with hardware offloading:

Code Block
languageros
/interface bridge
add name=bridge1 vlan-filtering=no
/interface bridge port
add interface=ether1 bridge=bridge1 hw=yes
add interface=ether2 bridge=bridge1 hw=yes

Add ACL rules to translate a VLAN ID in each direction:

Code Block
languageros
/interface ethernet switch rule
add new-dst-ports=ether2 new-vlan-id=20 ports=ether1 switch=switch1 vlan-id=10
add new-dst-ports=ether1 new-vlan-id=10 ports=ether2 switch=switch1 vlan-id=20

Add both VLAN IDs to the bridge VLAN table:

Code Block
languageros
/interface bridge vlan
add bridge=bridge1 tagged=ether1 vlan-ids=10
add bridge=bridge1 tagged=ether2 vlan-ids=20

VLAN Tunneling (Q-in-Q)

Since RouterOS v6.43 it is possible to use a provider bridge (IEEE 802.1ad) and Tag Stacking VLAN filtering together with hardware offloading on CRS3xx series switches. The configuration for CRS3xx switches is described in the Bridge VLAN Tunneling (Q-in-Q) section.

Ingress VLAN translation

It is possible to translate a certain VLAN ID to a different VLAN ID using ACL rules on an ingress port. In this example we create two ACL rules, allowing bidirectional communication. This can be done by doing the following.

Create a new bridge and add ports to it with hardware offloading:

Code Block
languageros
/interface bridge
add name=bridge1 vlan-filtering=no
/interface bridge port
add interface=ether1 bridge=bridge1 hw=yes
add interface=ether2 bridge=bridge1 hw=yes

Enable bridge VLAN filtering:

Code Block
languageros
/interface bridge set bridge1 vlan-filtering=yes


Note

Bidirectional communication is limited only between two switch ports. Translating VLAN ID between more ports can cause traffic flooding or incorrect forwarding between the same VLAN ports.


Warning

By enabling vlan-filtering you will be filtering out traffic destined to the CPU. Before enabling VLAN filtering, make sure that you have set up a Management port.

(R/M)STP

...

CRS3xx, CRS5xx series switches, and CCR2116, CCR2216 routers are capable of running STP, RSTP, and MSTP on a hardware level. For more detailed information you should check out the Spanning Tree Protocol manual page.

Bonding

...

CRS3xx, CRS5xx series switches and CCR2116, CCR2216 routers support hardware offloading with bonding interfaces. Only 802.3ad and balance-xor bonding modes are hardware offloaded; other bonding modes will use the CPU's resources. You can find more information about the bonding interfaces in the Bonding Interface section. If 802.3ad mode is used, then LACP (Link Aggregation Control Protocol) is supported.

To create a hardware offloaded bonding interface, you must create a bonding interface with a supported bonding mode:

Code Block
languageros
/interface bonding
add mode=802.3ad name=bond1 slaves=ether1,ether2

This interface can be added to a bridge alongside other interfaces:

Code Block
languageros
/interface bridge
add name=bridge
/interface bridge port
add bridge=bridge interface=bond1 hw=yes
add bridge=bridge interface=ether3 hw=yes
add bridge=bridge interface=ether4 hw=yes

Add ACL rules to translate a VLAN ID in each direction:

Code Block
languageros
/interface ethernet switch rule
add new-dst-ports=ether2 new-vlan-id=20 ports=ether1 switch=switch1 vlan-id=10
add new-dst-ports=ether1 new-vlan-id=10 ports=ether2 switch=switch1 vlan-id=20

Add both VLAN IDs to the bridge VLAN table:

Code Block
languageros
/interface bridge vlan
add bridge=bridge1 tagged=ether1 vlan-ids=10
add bridge=bridge1 tagged=ether2 vlan-ids=20

Enable bridge VLAN filtering:

Code Block
languageros
/interface bridge set bridge1 vlan-filtering=yes

Note

Bidirectional communication is limited only between two switch ports. Translating VLAN ID between more ports can cause traffic flooding or incorrect forwarding between the same VLAN ports.
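
The following Python model, added here as an example and not taken from RouterOS or MikroTik, evaluates switch rules of the three kinds shown on this page: the src-mac-address rules of the MAC Based VLAN section, the mac-protocol rules of the Protocol Based VLAN section, and the vlan-id/new-dst-ports rules of the Ingress VLAN translation above. It also models the note that a packet forwarded to the CPU gets the bridge port's pvid rather than new-vlan-id. It assumes rules are evaluated in order with the first match winning (an assumption of this model), maps the names ip/ipx to their EtherTypes, and goes one step beyond the page with a constructed partial-mask (OUI) rule. All MAC addresses beyond those on the page are constructed.

```python
# Added example, not MikroTik's code: a model of CRS switch-rule (ACL) matching.
from __future__ import annotations
from dataclasses import dataclass

# Subset of mac-protocol names, mapped to EtherType values (assumed mapping for this model)
MAC_PROTOCOL_NAMES = {"ip": 0x0800, "arp": 0x0806, "ipx": 0x8137}


def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", ""), 16)


def ethertype_of(proto) -> int:
    # mac-protocol may be a name ("ip", "ipx") or a raw EtherType such as 0x80F3
    if isinstance(proto, int):
        return proto
    return MAC_PROTOCOL_NAMES.get(proto.lower()) or int(proto, 16)


@dataclass(frozen=True)
class Frame:
    src: str                    # source MAC
    ethertype: int              # EtherType after any VLAN tag
    vlan: int | None = None     # 802.1Q VID on ingress, None if untagged


@dataclass(frozen=True)
class Rule:
    ports: frozenset[str]
    src_mac_address: str | None = None       # "addr/mask" as on the page; mask optional
    mac_protocol: str | int | None = None
    vlan_id: int | None = None
    new_vlan_id: int | None = None
    new_dst_ports: frozenset[str] | None = None

    def matches(self, port: str, frame: Frame) -> bool:
        if port not in self.ports:
            return False
        if self.src_mac_address is not None:
            addr, _, mask = self.src_mac_address.partition("/")
            m = mac_to_int(mask) if mask else 0xFFFFFFFFFFFF
            if (mac_to_int(frame.src) & m) != (mac_to_int(addr) & m):
                return False
        if self.mac_protocol is not None and frame.ethertype != ethertype_of(self.mac_protocol):
            return False
        if self.vlan_id is not None and frame.vlan != self.vlan_id:
            return False
        return True


def classify(rules, port, frame, pvid, to_cpu=False):
    """(VLAN the frame is forwarded in, forced destination ports or None).

    Rules are tried in order; the first match wins (assumption of this model).
    A frame forwarded to the CPU always gets the bridge port's pvid, not new-vlan-id.
    """
    default_vlan = frame.vlan if frame.vlan is not None else pvid
    for rule in rules:
        if rule.matches(port, frame):
            if to_cpu:
                return pvid, rule.new_dst_ports
            if rule.new_vlan_id is not None:
                return rule.new_vlan_id, rule.new_dst_ports
            return default_vlan, rule.new_dst_ports
    return default_vlan, None


def demo():
    p7 = frozenset({"ether7"})
    mac_rules = [   # MAC Based VLAN example rules, plus one constructed OUI-wide rule
        Rule(p7, src_mac_address="A4:12:6D:77:94:43/FF:FF:FF:FF:FF:FF", new_vlan_id=200),
        Rule(p7, src_mac_address="84:37:62:DF:04:20/FF:FF:FF:FF:FF:FF", new_vlan_id=300),
        Rule(p7, src_mac_address="E7:16:34:A1:CD:18/FF:FF:FF:FF:FF:FF", new_vlan_id=400),
        Rule(p7, src_mac_address="A4:12:6D:00:00:00/FF:FF:FF:00:00:00", new_vlan_id=500),
    ]
    proto_rules = [ # Protocol Based VLAN example rules
        Rule(frozenset({"ether6"}), mac_protocol="ip", new_vlan_id=200),
        Rule(frozenset({"ether7"}), mac_protocol="ipx", new_vlan_id=300),
        Rule(frozenset({"ether8"}), mac_protocol=0x80F3, new_vlan_id=400),
    ]
    xlate_rules = [ # Ingress VLAN translation example rules, one per direction
        Rule(frozenset({"ether1"}), vlan_id=10, new_vlan_id=20, new_dst_ports=frozenset({"ether2"})),
        Rule(frozenset({"ether2"}), vlan_id=20, new_vlan_id=10, new_dst_ports=frozenset({"ether1"})),
    ]
    ip, host = 0x0800, "02:00:00:00:00:01"   # constructed test values
    return {
        "mac_exact": classify(mac_rules, "ether7", Frame("84:37:62:df:04:20", ip), pvid=1),
        "mac_oui": classify(mac_rules, "ether7", Frame("a4:12:6d:00:00:99", ip), pvid=1),
        "mac_other_port": classify(mac_rules, "ether2", Frame("84:37:62:df:04:20", ip), pvid=1),
        "mac_to_cpu": classify(mac_rules, "ether7", Frame("84:37:62:df:04:20", ip), pvid=1, to_cpu=True),
        "proto_ipx": classify(proto_rules, "ether7", Frame(host, 0x8137), pvid=1),
        "proto_aarp": classify(proto_rules, "ether8", Frame(host, 0x80F3), pvid=1),
        "proto_unmatched": classify(proto_rules, "ether8", Frame(host, 0x8137), pvid=1),
        "xlate_10_to_20": classify(xlate_rules, "ether1", Frame(host, ip, vlan=10), pvid=1),
        "xlate_20_to_10": classify(xlate_rules, "ether2", Frame(host, ip, vlan=20), pvid=1),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The "mac_to_cpu" case is the one the notes warn about: the same frame that gets VLAN 300 between switch ports keeps pvid 1 when it is punted to the CPU, so a management or DHCP path through the CPU does not see the ACL-assigned VLAN.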

Warning

By enabling vlan-filtering you will be filtering out traffic destined to the CPU. Before enabling VLAN filtering, make sure that you have set up a Management port.

(R/M)STP

CRS3xx series switches are capable of running STP, RSTP and MSTP on a hardware level. For more detailed information you should check out the Spanning Tree Protocol manual page.

Bonding

Since RouterOS v6.42 all CRS3xx series switches support hardware offloading with bonding interfaces. Only 802.3ad and balance-xor bonding modes are hardware offloaded; other bonding modes will use the CPU's resources. You can find more information about the bonding interfaces in the Bonding Interface section. If 802.3ad mode is used, then LACP (Link Aggregation Control Protocol) is supported.

To create a hardware offloaded bonding interface, you must create a bonding interface with a supported bonding mode:

Code Block
languageros
/interface bonding
add mode=802.3ad name=bond1 slaves=ether1,ether2

This interface can be added to a bridge alongside with other interfaces:

Code Block
languageros
/interface bridge
add name=bridge
/interface bridge port
add bridge=bridge interface=bond1 hw=yes
add bridge=bridge interface=ether3 hw=yes
add bridge=bridge interface=ether4 hw=yes


Note

Do not add interfaces to a bridge that are already in a bond; RouterOS will not allow you to add an interface to a bridge that is already a slave port for bonding.

Make sure that the bonding interface is hardware offloaded by checking the "H" flag:

Code Block
languagetext
/interface bridge port print 
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload 
 #     INTERFACE                                 BRIDGE                                 HW
 0   H bond1                                     bridge                                 yes
 1   H ether3                                    bridge                                 yes
 2   H ether4                                    bridge                                 yes
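
As an added example (written for this page, not RouterOS or MikroTik code), the following Python parses the text of the print command above and lists bridge ports that did not receive the "H" flag, which is the check the paragraph asks for. SAMPLE_PRINT is the output shown above; CONSTRUCTED_PRINT is a made-up variant in which one port (ether5, a constructed name) was requested with hw=yes but is not offloaded, and one is disabled.

```python
# Added example, not MikroTik's code: verify hw-offload flags from "/interface bridge port print".
SAMPLE_PRINT = """\
/interface bridge port print
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload
 #     INTERFACE                                 BRIDGE                                 HW
 0   H bond1                                     bridge                                 yes
 1   H ether3                                    bridge                                 yes
 2   H ether4                                    bridge                                 yes
"""

# Constructed output: ether5 lacks the H flag although hw=yes was requested
CONSTRUCTED_PRINT = """\
/interface bridge port print
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload
 #     INTERFACE                                 BRIDGE                                 HW
 0   H bond1                                     bridge                                 yes
 1   H ether3                                    bridge                                 yes
 2     ether5                                    bridge                                 yes
 3  XH ether6                                    bridge                                 yes
"""


def parse_bridge_port_print(text):
    """One dict per row: id, flags (set of letters), flag_names, interface, bridge, hw."""
    legend, header_pos, entries = {}, None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("Flags:"):
            # "X - disabled, I - inactive, ..." -> {"X": "disabled", ...}
            for item in line[len("Flags:"):].split(","):
                letter, _, meaning = item.strip().partition(" - ")
                legend[letter] = meaning.strip()
        elif header_pos is None:
            if "INTERFACE" in line:
                header_pos = line.index("INTERFACE")   # column where the name field starts
        else:
            head = line[:header_pos].split()           # row number and flag letters
            rest = line[header_pos:].split()           # INTERFACE BRIDGE HW
            flags = set("".join(head[1:]))
            entries.append({
                "id": int(head[0]),
                "flags": flags,
                "flag_names": sorted(legend.get(f, f) for f in flags),
                "interface": rest[0],
                "bridge": rest[1],
                "hw": rest[2],
            })
    return entries


def ports_not_offloaded(entries):
    """Interfaces that are not switched in hardware: no H flag, or hw is not yes."""
    return [e["interface"] for e in entries if "H" not in e["flags"] or e["hw"] != "yes"]


if __name__ == "__main__":
    for name, text in (("page sample", SAMPLE_PRINT), ("constructed", CONSTRUCTED_PRINT)):
        print(name, "not offloaded:", ports_not_offloaded(parse_bridge_port_print(text)))
```

A port listed by ports_not_offloaded is being forwarded by the CPU, which for a bonding member means the bond is not using the switch chip's failover and load balancing described in the Features table.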

...

Note

With HW-offloaded bonding interfaces, the built-in switch chip will always use Layer2+Layer3+Layer4 as the transmit hash policy; changing the transmit hash policy manually will have no effect.

Multi-chassis Link Aggregation Group

...

MLAG (Multi-chassis Link Aggregation Group) implementation in RouterOS allows configuring LACP bonds on two separate devices, while the client device believes it is connected to a single machine. This provides physical redundancy in case of a switch failure. All CRS3xx, CRS5xx series and CCR2116, CCR2216 devices can be configured with MLAG. Read here for more information.

L3 Hardware Offloading

...

Layer3 hardware offloading (otherwise known as IP switching or HW routing) allows offloading some of the router features onto the switch chip. This makes it possible to reach wire speed when routing packets, which simply would not be possible with the CPU.

The feature can be enabled with:

Code Block
languageros
/interface ethernet switch
set switch1 l3hw=yes

Note

After turning off HW offloading it is recommended to reboot the switch, to make sure that all HW related configuration is cleared from the switch chip.

Currently supported and unsupported feature list:

...

Depending on the complexity of the routes in the routing table, the maximum HW accelerated route count may vary (see hardware specific limits below). Whole-byte IP prefixes (/8, /16, /24, etc.) occupy less HW space than others (e.g., /22).

If the HW route limit is reached, new routes will fall back to the CPU, except in cases where a newly added route overlaps with already existing routes processed by hardware. In this case, destinations that were processed in hardware will continue to be processed in hardware. The user should choose a device with HW capability large enough to store all the routes.

...

Where:

  • CPU - feature is supported but processed by CPU
  • HW - feature is supported and offloaded in hardware (works when l3hw=yes)
  • FW - feature is supported and offloaded in hardware (works when l3hw=fw)
  • N/A - feature is not available, meaning that L3 Hardware offloading MUST be disabled for these features to work

Warning

Currently user must choose whether to use hardware accelerated routing or firewall. It is not possible to use both at the same time.

List of supported devices and their limits

...

4500 / 3750 *3

...

*1 When the HW limit of Fasttrack or NAT entries is reached, other connections will fall back to the CPU. MikroTik's smart connection offload algorithm ensures that the connections with the most traffic are offloaded to the hardware.

*2 Fasttrack connections share the same HW memory with ACL rules. Depending on the complexity, one ACL rule may occupy the memory of 3-6 Fasttrack connections.

*3 (Both MPLS and Bridge Port Extender are disabled) / (MPLS, Bridge Port Extender, or both are enabled). MPLS shares the HW memory with Fasttrack connections. Moreover, enabling MPLS requires the allocation of the entire memory region, which could otherwise store up to 750 Fasttrack connections. The same applies to Bridge Port Extender. However, MPLS and Bridge Port Extender may use the same memory region, so enabling them both doesn't double the limitation of Fasttrack connections.

*4 All NAT entries cannot be used due to the limited amount of Fasttrack connections.

Port isolation

Since RouterOS v6.43 it is possible to create a Private VLAN setup on CRS3xx series switches; an example can be found in the Switch chip port isolation manual page. Hardware offloaded bonding interfaces are not included in the switch port-isolation menu, but it is still possible to configure port-isolation individually on each secondary interface of the bonding.

IGMP Snooping

CRS3xx series switches are capable of using IGMP Snooping on a hardware level. To see more detailed information, you should check out the IGMP Snooping manual page.

DHCP Snooping and DHCP Option 82

CRS3xx series switches are capable of using DHCP Snooping with Option 82 on a hardware level. The switch will create a dynamic ACL rule to capture the DHCP packets and redirect them to the main CPU for further processing. To see more detailed information, please visit the DHCP Snooping and DHCP Option 82 manual page.

Mirroring

Mirroring lets the switch sniff all traffic that goes through the switch chip and send a copy of those packets out of another port (mirror-target). This feature can be used to easily set up a tap device that allows you to inspect the traffic on your network with a traffic analyzer. It is possible to set up simple port-based mirroring, but it is also possible to set up more complex mirroring based on various parameters. Note that the mirror-target port has to belong to the same switch (see which port belongs to which switch in the /interface ethernet menu). Also, mirror-target can have the special 'cpu' value, which means that sniffed packets will be sent out of the switch chip's CPU port. There are many possibilities for mirroring certain traffic; below you can find the most common mirroring examples:

Port Based Mirroring:

Code Block
languageros
/interface ethernet switch
set switch1 mirror-source=ether2 mirror-target=ether3

...

Layer3 hardware offloading (otherwise known as IP switching or HW routing) allows offloading some of the router features onto the switch chip. This allows reaching wire speeds when routing packets, which simply would not be possible with the CPU.

Offloaded feature set depends on the used chipset. Read here for more info.

Port isolation

...

Since RouterOS v6.43 it is possible to create a Private VLAN setup; an example can be found in the Switch chip port isolation manual page. Hardware offloaded bonding interfaces are not included in the switch port-isolation menu, but it is still possible to configure port-isolation individually on each secondary interface of the bonding.

Note

Port isolation can be used with vlan-filtering bridge and it is possible to isolate ports that are members of the same VLAN. The isolation works per-port, it is not possible to isolate ports per-VLAN.


IGMP/MLD Snooping

...

CRS3xx, CRS5xx series switches and CCR2116, CCR2216 routers are capable of using IGMP/MLD Snooping on a hardware level. To see more detailed information, you should check out the IGMP/MLD snooping manual page.

DHCP Snooping and DHCP Option 82

...

CRS3xx, CRS5xx series switches and CCR2116, CCR2216 routers are capable of using DHCP Snooping with Option 82 on a hardware level. The switch will create a dynamic ACL rule to capture the DHCP packets and redirect them to the main CPU for further processing. To see more detailed information, please visit the DHCP Snooping and DHCP Option 82 manual page.

Warning

DHCP snooping will not work when hardware offloading bonding interfaces are created.

Controller Bridge and Port Extender

...

Controller Bridge (CB) and Port Extender (PE) is an IEEE 802.1BR standard implementation in RouterOS. It allows virtually extending the CB ports with a PE device and managing these extended interfaces from a single controlling device. Such configuration provides a simplified network topology, flexibility, increased port density, and ease of manageability. See more details on Controller Bridge and Port Extender manual.

Mirroring

...

Mirroring is a function that allows a network switch to duplicate all the data passing through it and send a copy to another specified port, known as the mirror-target. This feature is useful for setting up a tap device, which allows for analyzing network traffic using a separate device. You can set up mirroring in a simple way by designating source ports (see mirror-egress and mirror-ingress in /interface/ethernet/switch/port), or you can configure more advanced mirroring based on different criteria (see mirror in /interface/ethernet/switch/rule).

It is important to note that the mirror-target port must be on the same switch. You can check the device block diagram or navigate to the /interface/ethernet menu to identify which interfaces are connected where. When setting up the configuration, it is not mandatory to add the mirror-target interface to the same hardware offloaded bridge where the source ports are set up. The mirror-target port can be a standalone interface (not configured as a bridge port), or it can be within a bridge setup. When using the mirror-target with a bridge, note that data and mirrored traffic may both travel on the same LAN. In such cases, consider employing RSPAN (Remote Switch Port Analyzer), where mirrored traffic is encapsulated into a separate VLAN before being transmitted over the network.

Additionally, you can set the mirror-target port to a special value "cpu", which means that the copied packets will be sent to the switch chip's CPU port.

Configuration examples

Port Based Mirroring

Starting from RouterOS version 7.15, it is possible to configure multiple source ports and selectively choose whether to mirror incoming traffic, outgoing traffic, or both. In this example, both incoming and outgoing traffic from the ether2 interface will be copied and sent to the ether3 interface for monitoring or analysis.

Code Block
languageros
# Since RouterOS v7.15
/interface ethernet switch port
set ether2 mirror-egress=yes mirror-ingress=yes
/interface ethernet switch
set switch1 mirror-target=ether3

# Older RouterOS:
/interface ethernet switch
set switch1 mirror-source=ether2 mirror-target=ether3

VLAN Based Mirroring

Using ACL rules, it is possible to mirror packets from multiple interfaces using the ports setting. Additionally, you can specify more detailed criteria such as VLAN ID, MAC/IP address or TCP/UDP port. Only ingress packets are mirrored to the mirror-target interface. This example will mirror incoming VLAN 11 traffic from the ether2 interface, and send copies to the ether3 interface. To use an ACL rule with a vlan-id matcher, you need to have bridge vlan-filtering enabled.

Code Block
languageros
/interface bridge
set bridge1 vlan-filtering=yes
/interface ethernet switch
set switch1 mirror-target=ether3
/interface ethernet switch rule
add mirror=yes ports=ether1 switch=switch1 vlan-id=11

MAC Based Mirroring

This example will mirror incoming traffic with 64:D1:54:D9:27:E6 MAC destination or source address from the ether1 interface, and send copies to the ether3 interface.

Code Block
languageros
/interface ethernet switch
set switch1 mirror-target=ether3
/interface ethernet switch rule
add mirror=yes ports=ether1 switch=switch1 dst-mac-address=64:D1:54:D9:27:E6/FF:FF:FF:FF:FF:FF
add mirror=yes ports=ether1 switch=switch1 src-mac-address=64:D1:54:D9:27:E6/FF:FF:FF:FF:FF:FF

IP Based Mirroring

This example will mirror incoming traffic with 192.168.88.0/24 IP destination or source address from the ether1 interface, and send copies to the ether3 interface.

Code Block
languageros
/interface ethernet switch
set switch1 mirror-target=ether3 mirror-source=none
/interface ethernet switch rule
add mirror=yes ports=ether1 switch=switch1 src-address=192.168.88.0/24
add mirror=yes ports=ether1 switch=switch1 dst-address=192.168.88.0/24

There are other options as well, check the ACL section to find out all possible parameters that can be used to match packets.

Remote Switch Port Analyzer

This example will mirror incoming and outgoing traffic from the ether2 interface; copies will be encapsulated in an 802.1Q VLAN using 999 as the VLAN ID, and packets will be sent to the ether3 interface. If the original traffic is already VLAN tagged, RSPAN will add another layer of VLAN tagging as an outer tag. This results in the mirrored traffic being tagged twice. If the mirror-target port is included in a vlan-filtering bridge, it is not required to make the interface a tagged VLAN member under the /interface/bridge/vlan menu for RSPAN.

Code Block
languageros
/interface ethernet switch port
set switch1ether2 mirror-sourceegress=noneyes mirror-targetingress=ether3yes
/interface ethernet switch
set rule
addswitch1 mirror-target=yesether3 portsrspan=ether1,ether2 switch=switch1
Note

Using ACL rules, it is possible to mirror packets from multiple ports interfaces. Only ingress packets are mirrored to mirror-target interface.

VLAN Based Mirroring:

Code Block
languageros
/interface bridge
set bridge1 vlan-filtering=yes
/interface ethernet switch
set switch1 mirror-target=ether3 mirror-source=none
/interface ethernet switch rule
add mirror=yes ports=ether1 switch=switch1 vlan-id=11
Warning

By enabling vlan-filtering you will be filtering out traffic destined to the CPU, before enabling VLAN filtering you should make sure that you set up a Management port.

MAC Based Mirroring:

Code Block
languageros
/interface ethernet switch
set switch1 mirror-target=ether3 mirror-source=none
/interface ethernet switch rule
add mirror=yes ports=ether1 switch=switch1 dst-mac-address=64:D1:54:D9:27:E6/FF:FF:FF:FF:FF:FF
add mirror=yes ports=ether1 switch=switch1 src-mac-address=64:D1:54:D9:27:E6/FF:FF:FF:FF:FF:FF

Protocol Based Mirroring:

Code Block
languageros
/interface ethernet switch
set switch1 mirror-target=ether3 mirror-source=none
/interface ethernet switch rule
add mirror=yes ports=ether1 switch=switch1 mac-protocol=ipx

IP Based Mirroring:

Code Block
languageros
/interface ethernet switch
set switch1 mirror-target=ether3 mirror-source=none
/interface ethernet switch rule
add mirror=yes ports=ether1 switch=switch1 src-address=192.168.88.0/24
add mirror=yes ports=ether1 switch=switch1 dst-address=192.168.88.0/24

There are other options as well, check the ACL section to find out all possible parameters that can be used to match packets.

Traffic Shaping

yes rspan-egress-vlan-id=999 rspan-ingress-vlan-id=999
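To see what the double tagging means for whoever captures on the mirror-target port, here is an added Python example (it is not RouterOS code and not part of this page's configuration) that builds the frame a host sent into ether2 with a VLAN 11 tag, pushes the outer RSPAN tag the switch adds, and parses the result back. The sample frame, the 998/999 split between rspan-ingress-vlan-id and rspan-egress-vlan-id used to recover the mirror direction, and the helper names are all constructed for the example:

```python
"""Build and parse the frames an analyzer sees on an RSPAN mirror-target port.
Added illustration, not RouterOS code."""
import struct

ETH_P_8021Q = 0x8100   # customer VLAN tag TPID
ETH_P_8021AD = 0x88A8  # service VLAN tag TPID
ETH_P_IP = 0x0800


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def vlan_tag(tpid, vid, pcp=0):
    """4-byte 802.1Q/802.1ad tag: TPID followed by TCI (PCP:3, DEI:1, VID:12)."""
    return struct.pack("!HH", tpid, (pcp << 13) | (vid & 0xFFF))


def build_frame(dst, src, ethertype, payload, tags=()):
    """Ethernet frame; tags are (tpid, vid) pairs, outermost first."""
    hdr = mac_bytes(dst) + mac_bytes(src)
    for tpid, vid in tags:
        hdr += vlan_tag(tpid, vid)
    return hdr + struct.pack("!H", ethertype) + payload


def rspan_encapsulate(frame, rspan_vid):
    """What the switch does for the analyzer: push one outer 802.1Q tag carrying
    the RSPAN VLAN directly after the MAC addresses, keeping any existing tags."""
    return frame[:12] + vlan_tag(ETH_P_8021Q, rspan_vid) + frame[12:]


def parse_frame(frame):
    """Walk the tag stack until a non-VLAN EtherType is found."""
    off, tags = 12, []
    while True:
        tpid = struct.unpack_from("!H", frame, off)[0]
        if tpid not in (ETH_P_8021Q, ETH_P_8021AD):
            break
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        tags.append({"tpid": tpid, "pcp": tci >> 13, "vid": tci & 0xFFF})
        off += 4
    return {"dst": mac_str(frame[:6]), "src": mac_str(frame[6:12]),
            "tags": tags, "ethertype": tpid, "payload": frame[off + 2:]}


def rspan_decapsulate(frame, ingress_vid, egress_vid):
    """Analyzer side: peel the outer RSPAN tag and report the mirror direction
    from its VID. Frames without a matching outer tag are rejected."""
    parsed = parse_frame(frame)
    if not parsed["tags"] or parsed["tags"][0]["tpid"] != ETH_P_8021Q:
        raise ValueError("no outer 802.1Q tag: not an RSPAN frame")
    vid = parsed["tags"][0]["vid"]
    if vid == ingress_vid == egress_vid:
        direction = "either"      # same VID for both, as in the page's example
    elif vid == ingress_vid:
        direction = "ingress"
    elif vid == egress_vid:
        direction = "egress"
    else:
        raise ValueError(f"outer VID {vid} is not an RSPAN VLAN")
    return direction, frame[:12] + frame[16:]


# Constructed sample: an IPv4 frame tagged VLAN 11 as it left ether2, then as it
# appears on the ether3 mirror-target with rspan-egress-vlan-id=999 (assumption:
# ingress mirrored frames use 998 so the analyzer can tell the directions apart).
ORIGINAL = build_frame("64:d1:54:d9:27:e6", "00:11:22:33:44:55", ETH_P_IP,
                       b"\x45\x00\x00\x14" + b"\x00" * 16, tags=[(ETH_P_8021Q, 11)])
ON_MIRROR_PORT = rspan_encapsulate(ORIGINAL, 999)


def demo():
    seen = parse_frame(ON_MIRROR_PORT)
    direction, inner = rspan_decapsulate(ON_MIRROR_PORT, ingress_vid=998, egress_vid=999)
    return {"vids_outer_to_inner": [t["vid"] for t in seen["tags"]],   # [999, 11]
            "direction": direction, "inner_matches_original": inner == ORIGINAL}
```

The analyzer sees the RSPAN VID as the outermost tag and the original VID beneath it. Configuring different rspan-ingress-vlan-id and rspan-egress-vlan-id values, as the example assumes, lets the analyzer tell the two directions apart, which the page's single 999 VLAN does not. Check that the capture NIC driver does not strip VLAN tags before they reach the capture tool, otherwise the RSPAN VLAN will be missing from the capture.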

Property Reference

Sub-menu: /interface/ethernet/switch

Property - Description
mirror-target (cpu | name | none; Default: none) - Selects a single mirroring target port. Packets marked by mirror-egress and mirror-ingress (/interface/ethernet/switch/port) and by mirror (/interface/ethernet/switch/rule) will be sent to the selected port.
rspan (no | yes; Default: no) - Enables the Remote Switch Port Analyzer (RSPAN) feature on the mirror-target. Traffic marked for ingress or egress mirroring is carried over the specified remote analyzer VLANs, rspan-ingress-vlan-id and rspan-egress-vlan-id.
rspan-egress-vlan-id (integer: 1..4095; Default: 1) - Selects the VLAN ID for marked egress traffic. Only applies when rspan is enabled.
rspan-ingress-vlan-id (integer: 1..4095; Default: 1) - Selects the VLAN ID for marked ingress traffic. Only applies when rspan is enabled.

Sub-menu: /interface/ethernet/switch/port

Property - Description
mirror-egress (no | yes; Default: no) - Whether to send a copy of each egress packet to the mirror-target port.
mirror-ingress (no | yes; Default: no) - Whether to send a copy of each ingress packet to the mirror-target port.

Sub-menu: /interface/ethernet/switch/rule

Property - Description
mirror (no | yes; Default: no) - Whether to send a copy of the matching packet to the mirror-target port.

Traffic Shaping

...

It is possible to limit a certain type of traffic using ACL rules. Ingress traffic that matches certain parameters can be limited with ACL rules, and ingress/egress traffic can be limited on a per-port basis. The policer is used for ingress traffic, the shaper is used for egress traffic. The ingress policer controls the received traffic with packet drops: everything that exceeds the defined limit gets dropped. This interacts with the TCP congestion control mechanism on end hosts, so the achieved bandwidth can actually be less than the defined limit. The egress shaper instead tries to queue packets that exceed the limit rather than dropping them. Eventually it also drops packets when the output queue gets full; however, it should allow utilizing the defined throughput better.
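The difference between dropping on arrival and queueing can be seen with a small discrete-time model. The following is an added Python example, not RouterOS code and not a description of the switch chip's internals: it feeds the same bursty traffic to a token-bucket policer and to a rate-limited FIFO shaper and counts what each delivers and drops. The bucket size, queue depth and traffic pattern are assumptions chosen to make the effect visible:

```python
"""Policer (drop on arrival) versus shaper (queue, drop only when full).
Added illustration, not RouterOS code; sizes below are assumptions."""


def policer(arrivals, rate, bucket):
    """arrivals[t] = bytes received in tick t; rate = bytes allowed per tick;
    bucket = burst allowance in bytes. Returns (delivered, dropped)."""
    tokens, delivered, dropped = bucket, 0, 0
    for a in arrivals:
        tokens = min(bucket, tokens + rate)   # refill once per tick, capped
        passed = min(a, tokens)
        tokens -= passed
        delivered += passed
        dropped += a - passed                 # no memory: the excess is gone
    return delivered, dropped


def shaper(arrivals, rate, queue_limit):
    """Same input, but the excess waits in a bounded FIFO and is sent at `rate`
    in later ticks. Returns (delivered, dropped, left_in_queue)."""
    queue, delivered, dropped = 0, 0, 0
    for a in arrivals:
        accepted = min(a, queue_limit - queue)
        dropped += a - accepted               # tail-drop only when the queue is full
        queue += accepted
        sent = min(queue, rate)
        queue -= sent
        delivered += sent
    return delivered, dropped, queue


# Constructed traffic: 30 bytes in one tick, then two idle ticks, three times.
# The average (10 bytes/tick) equals the limit; only the shape is bursty.
BURSTY = [30, 0, 0] * 3
RATE = 10


def compare():
    return {
        "offered": sum(BURSTY),
        "policer": policer(BURSTY, RATE, bucket=RATE),
        "shaper_deep_queue": shaper(BURSTY, RATE, queue_limit=30),
        "shaper_shallow_queue": shaper(BURSTY, RATE, queue_limit=RATE),
    }
```

With an average load exactly equal to the limit, the policer still drops two thirds of the bursty input because it has no memory of idle ticks, while the shaper with a queue deep enough to hold one burst delivers everything at the cost of queueing delay. A shaper whose queue is too shallow degrades to the policer's numbers, so how much the shaper really gains depends on the output queue depth, for which this page exposes no setting.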

Port-based traffic policer and shaper:

Code Block
languageros
/interface ethernet switch port
set ether1 ingress-rate=10M egress-rate=5M

MAC-based traffic policer:

Code Block
languageros
/interface ethernet switch rule
add ports=ether1 switch=switch1 src-mac-address=64:D1:54:D9:27:E6/FF:FF:FF:FF:FF:FF rate=10M

VLAN-based traffic policer:

Code Block
languageros
/interface bridge
set bridge1 vlan-filtering=yes
/interface ethernet switch rule
add ports=ether1 switch=switch1 vlan-id=11 rate=10M

...

Warning

By enabling vlan-filtering you will be filtering out traffic destined to the CPU, before enabling VLAN filtering you should make sure that you set up a Management port.

Protocol-based traffic policer:

Code Block
languageros
/interface ethernet switch rule
add ports=ether1 switch=switch1 mac-protocol=ipx rate=10M

There are other options as well, check the ACL section to find out all possible parameters that can be used to match packets.

Note

The CRS3xx Switch Rule table is used for QoS functionality, see this table on how many rules each device supports.

Traffic Storm Control

...

Since RouterOS v6.42 it is possible to enable traffic storm control on CRS3xx series devices. A traffic storm can emerge when certain frames are continuously flooded on the network. For example, if a network loop has been created and no loop avoidance mechanism is used (e.g. Spanning Tree Protocol), broadcast or multicast frames can quickly overwhelm the network, causing degraded network performance or even a complete network breakdown. With CRS3xx, CRS5xx series switches and CCR2116, CCR2216 routers it is possible to limit broadcast, unknown multicast and unknown unicast traffic. Traffic is considered unknown unicast when the switch has no host entry for the destination MAC address, and unknown multicast when the switch has no entry for the multicast group in the /interface bridge mdb menu. Storm control is configured on the ingress port, i.e. the port the flooded frames arrive on; it is the flooded traffic leaving the switch through the other ports that ends up being limited. The storm-rate value is a percentage of the port's link speed.

...

Code Block
languageros
/interface ethernet switch port
set ether1 storm-rate=1 limit-broadcasts=yes limit-unknown-unicasts=yes

MPLS hardware offloading

...

Since RouterOS v6.41 it is possible to offload certain MPLS functions to the switch chip, the switch must be a (P)rovider router in a PE-P-PE setup in order to achieve hardware offloading. A setup example can be found in the Basic MPLS setup example manual page. The hardware offloading will only take place when LDP interfaces are configured as physical switch interfaces (e.g. Ethernet, SFP, SFP+).

Note

Currently only CRS317-1G-16S+ and CRS309-1G-8S+ using RouterOS v6.41 and newer are capable of hardware offloading certain MPLS functions. CRS317-1G-16S+ and CRS309-1G-8S+ built-in switch chip is not capable of popping MPLS labels from packets, in a PE-P-PE setup you either have to use explicit null or disable TTL propagation in MPLS network to achieve hardware offloading.


Warning

The MPLS hardware offloading has been removed since RouterOS v7.


Switch Rules (ACL)

...

Access Control List contains ingress policy and egress policy engines. See this table on how many rules each device supports (limited by RouterOS). It is an advanced tool for wire-speed packet filtering, forwarding and modifying based on Layer2, Layer3 and Layer4 protocol header field conditions.

Note

ACL rules are checked for each received packet until a match has been found. If there are multiple rules that can match, then only the first rule will be triggered. A rule without any action parameters is a rule to accept the packet.

Note

It is not required to set mac-protocol to a certain IP version when using L3 or L4 matchers, however, it is recommended to set mac-protocol=ip or mac-protocol=ipv6 when filtering any IP packets. Without it, the protocol matcher only applies to IPv4 packets, while src-port and dst-port apply to both IPv4 and IPv6 packets, so a rule may match more or less than intended.

Note

When switch ACL rules are modified (e.g. added, removed, disabled, enabled, or moved), the existing switch rules will be inactive for a short time. This can cause some packet leakage during the ACL rule modifications, so plan rule changes on ports that must never forward unfiltered traffic accordingly.


Sub-menu: /interface ethernet switch rule

Property - Description
copy-to-cpu (no | yes; Default: no) - Clones the matching packet and sends it to the CPU.
disabled (yes | no; Default: no) - Enables or disables the ACL entry.
dscp (0..63) - Matches the DSCP field of the packet (only applies to IPv4 packets).
dst-address (IP address/Mask) - Matches the destination IPv4 address and mask; also matches the destination IP in ARP packets.
dst-address6 (IPv6 address/Mask) - Matches the destination IPv6 address and mask.
dst-mac-address (MAC address/Mask) - Matches the destination MAC address and mask.
dst-port (0..65535) - Matches the destination protocol port number (applies to IPv4 and IPv6 packets if mac-protocol is not specified).
flow-label (0..1048575) - Matches the IPv6 flow label.
mac-protocol (802.2 | arp | homeplug-av | ip | ipv6 | ipx | lldp | loop-protect | mpls-multicast | mpls-unicast | packing-compr | packing-simple | pppoe | pppoe-discovery | rarp | service-vlan | vlan | 0..65535 | 0x0000-0xffff) - Matches a particular MAC protocol (EtherType) specified by protocol name or number.
mirror (no | yes) - Clones the matching packet and sends it to the mirror-target port.
new-dst-ports (ports) - Changes the destination port as specified. An empty setting (new-dst-ports="") drops the packet. A specified port redirects the packet to it. When the parameter is not used, the packet is accepted. Multiple new-dst-ports are not supported on CRS3xx series switches.
new-vlan-id (0..4095) - Changes the VLAN ID to the specified value. Requires vlan-filtering=yes.
new-vlan-priority (0..7) - Changes the VLAN priority (priority code point). Requires vlan-filtering=yes.
ports (ports) - Ports on which the rule applies to received traffic.
protocol (dccp | ddp | egp | encap | etherip | ggp | gre | hmp | icmp | icmpv6 | idpr-cmtp | igmp | ipencap | ipip | ipsec-ah | ipsec-esp | ipv6 | ipv6-frag | ipv6-nonxt | ipv6-opts | ipv6-route | iso-tp4 | l2tp | ospf | pim | pup | rdp | rspf | rsvp | sctp | st | tcp | udp | udp-lite | vmtp | vrrp | xns-idp | xtp | 0..255) - Matches a particular IP protocol specified by protocol name or number. Only applies to IPv4 packets if mac-protocol is not specified. To match IPv6 protocols, use the mac-protocol=ipv6 setting.
rate (0..4294967295) - Sets the ingress traffic limit (bits per second) for matched traffic.
redirect-to-cpu (no | yes) - Changes the destination port of a matching packet to the CPU.
src-address (IP address/Mask) - Matches the source IPv4 address and mask; also matches the source IP in ARP packets.
src-address6 (IPv6 address/Mask) - Matches the source IPv6 address and mask.
src-mac-address (MAC address/Mask) - Matches the source MAC address and mask.
src-port (0..65535) - Matches the source protocol port number (applies to IPv4 and IPv6 packets if mac-protocol is not specified).
switch (switch group) - Switch group on which the rule applies.
traffic-class (0..255) - Matches the IPv6 traffic class.
vlan-id (0..4095) - Matches the VLAN ID. Requires vlan-filtering=yes.
vlan-header (not-present | present) - Matches whether a VLAN header is present or not. Requires vlan-filtering=yes.
vlan-priority (0..7) - Matches the VLAN priority (priority code point).

...

Note

For VLAN related matchers or VLAN related action parameters to work, you need to enable vlan-filtering on the bridge interface and make sure that hardware offloading is enabled on those ports, otherwise, these parameters will not have any effect.


Warning

When the bridge interface ether-type is set to 0x8100, VLAN related ACL rules, including the vlan-id matcher and the new-vlan-id action, apply to frames tagged with a regular/customer VLAN tag (TPID 0x8100). When the bridge ether-type is set to 0x88a8, these rules instead apply to frames tagged with an 802.1ad service tag (TPID 0x88a8).

Port Security

...

It is possible to limit the allowed MAC addresses on a single switch port on CRS3xx series switches. For example, to allow only the 64:D1:54:81:EF:8E MAC address on a switch port, start by switching multiple ports together; in this example the host with 64:D1:54:81:EF:8E is located behind ether1.

...

Warning

Broadcast traffic will still be sent out from ether1. To limit broadcast traffic flood on a bridge port, you can use the broadcast-flood parameter to toggle it. Do note that some protocols depend on broadcast traffic, such as streaming protocols and DHCP.
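The port security pattern above, and the first-match note in the Switch Rules (ACL) section, are easiest to reason about with a small model of rule evaluation. The following is an added Python example; it is not RouterOS code and does not configure a device. It implements only the semantics this page states (rules are checked in order, the first matching rule wins, a rule without action parameters accepts, new-dst-ports="" drops, mirror=yes copies to mirror-target) and uses the page's 64:D1:54:81:EF:8E host behind ether1. The Rule and Packet field names follow the ACL parameters but are this example's own; the rogue MAC and the OUI mask case are constructed:

```python
"""First-match model of /interface ethernet switch rule evaluation.
Added illustration, not RouterOS code: it models only what this page states
(rules checked in order, first match wins, no action parameters = accept,
new-dst-ports="" = drop, named new-dst-ports = redirect, mirror=yes = copy)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


def _mac_int(mac):
    return int(mac.replace(":", ""), 16)


def mac_matches(value, pattern):
    """pattern is 'MAC/MASK' as in src-mac-address=...; only the bits set in the
    mask are compared, so 64:D1:54:00:00:00/FF:FF:FF:00:00:00 matches a whole OUI."""
    if pattern is None:
        return True
    mac, _, mask = pattern.partition("/")
    m = _mac_int(mask) if mask else 0xFFFFFFFFFFFF
    return (_mac_int(value) & m) == (_mac_int(mac) & m)


def ip_matches(value, prefix):
    if prefix is None:
        return True
    return value is not None and ip_address(value) in ip_network(prefix, strict=False)


@dataclass
class Packet:
    in_port: str
    src_mac: str
    dst_mac: str
    vlan_id: Optional[int] = None
    mac_protocol: str = "ip"
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None


@dataclass
class Rule:
    ports: frozenset                        # ports=...
    src_mac_address: Optional[str] = None   # matchers (a subset of the ACL parameters)
    dst_mac_address: Optional[str] = None
    vlan_id: Optional[int] = None
    mac_protocol: Optional[str] = None
    src_address: Optional[str] = None
    dst_address: Optional[str] = None
    new_dst_ports: Optional[str] = None     # None: not used (accept), "": drop, "etherN": redirect
    redirect_to_cpu: bool = False
    mirror: bool = False
    disabled: bool = False

    def matches(self, p):
        return (not self.disabled and p.in_port in self.ports
                and mac_matches(p.src_mac, self.src_mac_address)
                and mac_matches(p.dst_mac, self.dst_mac_address)
                and (self.vlan_id is None or p.vlan_id == self.vlan_id)
                and (self.mac_protocol is None or p.mac_protocol == self.mac_protocol)
                and ip_matches(p.src_ip, self.src_address)
                and ip_matches(p.dst_ip, self.dst_address))


@dataclass
class Verdict:
    action: str              # accept | drop | redirect:<port> | redirect-to-cpu
    rule: Optional[int]      # index of the first matching rule, None if nothing matched
    mirrored: bool = False


def evaluate(rules, p):
    """Walk the rules in order; the first match is the only one triggered."""
    for i, r in enumerate(rules):
        if not r.matches(p):
            continue
        if r.redirect_to_cpu:
            action = "redirect-to-cpu"
        elif r.new_dst_ports is None:
            action = "accept"
        elif r.new_dst_ports == "":
            action = "drop"
        else:
            action = f"redirect:{r.new_dst_ports}"
        return Verdict(action, i, r.mirror)
    return Verdict("accept", None)          # no rule matched: normal forwarding


ETHER1 = frozenset({"ether1"})
ALLOWED = "64:D1:54:81:EF:8E"               # the page's known host behind ether1

# Port security: accept the one known source MAC, drop everything else from ether1.
PORT_SECURITY = [
    Rule(ports=ETHER1, src_mac_address=f"{ALLOWED}/FF:FF:FF:FF:FF:FF"),
    Rule(ports=ETHER1, new_dst_ports=""),
]
# Ordering trap: a stand-alone mirror rule first. It has no new-dst-ports, so it
# accepts (and mirrors) every frame from ether1 and the drop rule never fires.
MIRROR_FIRST = [Rule(ports=ETHER1, mirror=True)] + PORT_SECURITY
# Keeping visibility without losing the drop: mirror on the accept rule itself.
MIRROR_ON_ACCEPT = [
    Rule(ports=ETHER1, src_mac_address=f"{ALLOWED}/FF:FF:FF:FF:FF:FF", mirror=True),
    Rule(ports=ETHER1, new_dst_ports=""),
]


def demo():
    bcast = "FF:FF:FF:FF:FF:FF"
    known = Packet("ether1", ALLOWED, bcast)
    rogue = Packet("ether1", "00:11:22:33:44:55", bcast)      # constructed unknown host
    elsewhere = Packet("ether2", "00:11:22:33:44:55", bcast)  # ports=ether1 does not cover it
    return {
        "known": evaluate(PORT_SECURITY, known).action,
        "rogue": evaluate(PORT_SECURITY, rogue).action,
        "elsewhere": evaluate(PORT_SECURITY, elsewhere).action,
        "rogue_mirror_first": evaluate(MIRROR_FIRST, rogue).action,
        "rogue_mirror_on_accept": evaluate(MIRROR_ON_ACCEPT, rogue).action,
    }
```

The mirror-first variant shows the ordering trap: a stand-alone mirror rule has no new-dst-ports, so it accepts and mirrors every frame from ether1 and the drop rule after it never runs. Putting mirror=yes on the accept rule keeps the copy for the known host while the unknown host is still dropped. The broadcast warning above still applies: this model, like the hardware rule, only decides what enters through ether1.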

Dual Boot

...

The “dual boot” feature allows you to choose which operating system you prefer to use on CRS3xx series switches, RouterOS or SwOS. The device operating system can be changed using:

  • Command-line (/system routerboard settings set boot-os=swos)
  • Winbox
  • Webfig
  • Serial Console

More details about SwOS are described here: SwOS manual

Configuring SwOS using RouterOS

...

Since RouterOS 6.43 it is possible to load, save and reset the SwOS configuration, as well as upgrade SwOS and set an IP address for CRS3xx series switches by using RouterOS.

  • Save configuration with /system swos save-config
Note

The configuration will be saved on the same device with swos.config as the filename. Make sure you download the file from your device, since the configuration file will be removed after a reboot.

...

Note

The upgrade command will automatically install the latest available SwOS primary version; make sure that your device has access to the Internet in order for the upgrade process to work properly. When the device is booted into SwOS, the version number will include the letter "p", indicating a primary version. You can then install the latest available SwOS secondary version from the SwOS "Upgrade" menu.


Property - Description
address-acquisition-mode (dhcp-only | dhcp-with-fallback | static; Default: dhcp-with-fallback) - Changes the address acquisition method:
  • dhcp-only - uses only a DHCP client to acquire an address
  • dhcp-with-fallback - for the first 10 seconds tries to acquire an address using a DHCP client. If the request is unsuccessful, the address falls back to the static one defined by the static-ip-address property
  • static - the address is set as defined by the static-ip-address property
allow-from (IP/Mask; Default: 0.0.0.0/0) - IP address or network from which the switch is accessible. By default, the switch is accessible from any IP address.
allow-from-ports (name; Default: ) - List of switch ports from which the device is accessible. By default, all ports are allowed to access the switch.
allow-from-vlan (integer: 0..4094; Default: 0) - VLAN ID from which the device is accessible. By default, all VLANs are allowed.
identity (name; Default: Mikrotik) - Name of the switch (used for the MikroTik Neighbor Discovery protocol).
static-ip-address (IP; Default: 192.168.88.1) - IP address of the switch when address-acquisition-mode is set to dhcp-with-fallback or static. Setting a static IP address does not change the acquisition mode, which is DHCP with fallback by default, so the configured static address only becomes active when there is no DHCP server in the same broadcast domain.

The defaults for allow-from, allow-from-ports and allow-from-vlan make the SwOS management interface reachable from any address, any port and any VLAN; restrict all three to the management network before the switch is put into production.

See also

CRS Router

CRS3xx VLANs with Bonds

Basic VLAN switching

Bridge Hardware Offloading

Route Hardware Offloading

Spanning Tree Protocol

MTU on RouterBOARD

Layer2 misconfiguration

Bridge VLAN Table

Bridge IGMP/MLD snooping

Multi-chassis Link Aggregation Group