...
Features | Description |
---|---|
Forwarding | |
Routing | |
Spanning Tree Protocol | |
Mirroring | |
VLAN | |
Bonding | |
Traffic Shaping | |
Port isolation | |
Access Control List | |
...
Model | Switch Chip | CPU | Cores | 10G SFP+ | 10G Ethernet | 25G SFP28 | 40G QSFP+ | 100G QSFP28 | ACL rules | Unicast FDB entries | Jumbo Frame (Bytes) |
netPower 15FR (CRS318-1Fi-15Fr-2S) | Marvell-98DX224S | 800MHz | 1 | - | - | - | - | - | 128 | 16,000 | 10218 |
netPower 16P (CRS318-16P-2S+) | Marvell-98DX226S | 800MHz | 1 | 2 | - | - | - | - | 128 | 16,000 | 10218 |
CRS310-1G-5S-4S+ (netFiber 9/IN) | Marvell-98DX226S | 800MHz | 1 | 4 | - | - | - | - | 128 | 16,000 | 10218 |
CRS326-24G-2S+ (RM/IN) | Marvell-98DX3236 | 800MHz | 1 | 2 | - | - | - | - | 128 | 16,000 | 10218 |
CRS328-24P-4S+ | Marvell-98DX3236 | 800MHz | 1 | 4 | - | - | - | - | 128 | 16,000 | 10218 |
CRS328-4C-20S-4S+ | Marvell-98DX3236 | 800MHz | 1 | 4 | - | - | - | - | 128 | 16,000 | 10218 |
CRS305-1G-4S+ | Marvell-98DX3236 | 800MHz | 1 | 4 | - | - | - | - | 128 | 16,000 | 10218 |
CRS309-1G-8S+ | Marvell-98DX8208 | 800MHz | 2 | 8 | - | - | - | - | 1024 | 32,000 | 10218 |
CRS317-1G-16S+ | Marvell-98DX8216 | 800MHz | 2 | 16 | - | - | - | - | 1024 | 128,000 | 10218 |
CRS312-4C+8XG | Marvell-98DX8212 | 650MHz | 1 | 4 (combo ports) | 8 + 4 (combo ports) | - | - | - | 512 | 32,000 | 10218 |
CRS326-24S+2Q+ | Marvell-98DX8332 | 650MHz | 1 | 24 | - | - | 2 | - | 256 | 32,000 | 10218 |
CRS354-48G-4S+2Q+ | Marvell-98DX3257 | 650MHz | 1 | 4 | - | - | 2 | - | 170 | 32,000 | 10218 |
CRS354-48P-4S+2Q+ | Marvell-98DX3257 | 650MHz | 1 | 4 | - | - | 2 | - | 170 | 32,000 | 10218 |
CRS504-4XQ (IN/OUT) | Marvell-98DX4310 | 650MHz | 1 | - | - | - | - | 4 | 1024 | 128,000 | 10218 |
CRS510-8XS-2XQ-IN | Marvell-98DX4310 | 650MHz | 1 | - | - | 8 | - | 2 | 1024 | 128,000 | 10218 |
CRS518-16XS-2XQ | Marvell-98DX8525 | 650MHz | 1 | - | - | 16 | - | 2 | 1024 | 128,000 | 10218 |
CCR2116-12G-4S+ | Marvell-98DX3255 | 2000MHz | 16 | 4 | - | - | - | - | 512 | 32,000 | 9570 |
CCR2216-1G-12XS-2XQ | Marvell-98DX8525 | 2000MHz | 16 | - | - | 12 | - | 2 | 1024 | 128,000 | 9570 |
...
Since RouterOS v6.43 it is possible to create a Private VLAN setup; an example can be found on the Switch chip port isolation manual page. Hardware offloaded bonding interfaces are not included in the switch port-isolation menu, but it is still possible to configure port isolation individually on each secondary interface of the bonding.
Note: Port isolation can be used with a vlan-filtering bridge, and it is possible to isolate ports that are members of the same VLAN. The isolation works per port; it is not possible to isolate ports per VLAN.
IGMP/MLD Snooping
...
CRS3xx and CRS5xx series switches and CCR2116 and CCR2216 routers are capable of using IGMP/MLD Snooping on a hardware level. For more detailed information, check out the IGMP/MLD snooping manual page.
...
Controller Bridge (CB) and Port Extender (PE) are the IEEE 802.1BR standard implementation in RouterOS. It allows virtually extending the CB ports with a PE device and managing these extended interfaces from a single controlling device. Such a configuration provides a simplified network topology, flexibility, increased port density, and ease of manageability. See the Controller Bridge and Port Extender manual page for more details.
Mirroring
...
Mirroring is a switch chip function that duplicates all the data passing through the switch and sends a copy of those packets out of another specified port, known as the mirror-target, which allows for analyzing network traffic using a separate device. This feature is useful for setting up a tap device that lets you inspect the traffic on your network with a traffic analyzer. You can set up mirroring in a simple way by designating source ports (see mirror-egress and mirror-ingress in /interface/ethernet/switch/port), or you can configure more advanced mirroring based on different criteria (see mirror in /interface/ethernet/switch/rule).

It is important to note that the mirror-target port must be on the same switch. You can check the device block diagram or navigate to the /interface/ethernet menu to identify which interfaces are connected where. When setting up the configuration, it is not mandatory to add the mirror-target interface to the same hardware offloaded bridge where the source ports are set up. The mirror-target port can be a standalone interface (not configured as a bridge port), or it can be within a bridge setup. When using the mirror-target with a bridge, note that data and mirrored traffic may both travel on the same LAN. In such cases, consider employing RSPAN (Remote Switch Port Analyzer), where mirrored traffic is encapsulated into a separate VLAN before being transmitted over the network.

Additionally, you can set the mirror-target port to the special value "cpu", which means that the copied packets will be sent to the switch chip's CPU port. Below you can find the most common mirroring examples.
Configuration examples
Port Based Mirroring
Starting from RouterOS version 7.15, it is possible to configure multiple source ports and selectively choose whether to mirror incoming traffic, outgoing traffic, or both. In this example, both incoming and outgoing traffic from the ether2 interface will be copied and sent to the ether3 interface for monitoring or analysis.
```
# Since RouterOS v7.15
/interface ethernet switch port
set ether2 mirror-egress=yes mirror-ingress=yes
/interface ethernet switch
set switch1 mirror-source=none mirror-target=ether3

# Older RouterOS:
/interface ethernet switch
set switch1 mirror-source=ether2 mirror-target=ether3
```
VLAN Based Mirroring
Using ACL rules, it is possible to mirror packets from multiple interfaces using the ports setting. Additionally, you can specify more detailed criteria such as VLAN ID, MAC/IP address or TCP/UDP port. Only ingress packets are mirrored to the mirror-target interface.
...
This example will mirror incoming VLAN 11 traffic from the ether2 interface, and send copies to the ether3 interface. To use an ACL rule with a vlan-id matcher, you need to have bridge vlan-filtering enabled.

```
/interface bridge
set bridge1 vlan-filtering=yes
/interface ethernet switch
set switch1 mirror-target=ether3 mirror-source=none
/interface ethernet switch rule
add mirror=yes ports=ether2 switch=switch1 vlan-id=11
```
Warning: By enabling
MAC Based Mirroring
This example will mirror incoming traffic with 64:D1:54:D9:27:E6 as the MAC destination or source address from the ether1 interface, and send copies to the ether3 interface.

```
/interface ethernet switch
set switch1 mirror-target=ether3 mirror-source=none
/interface ethernet switch rule
add mirror=yes ports=ether1 switch=switch1 dst-mac-address=64:D1:54:D9:27:E6/FF:FF:FF:FF:FF:FF
add mirror=yes ports=ether1 switch=switch1 src-mac-address=64:D1:54:D9:27:E6/FF:FF:FF:FF:FF:FF
```
IP Based Mirroring
This example will mirror incoming traffic with a 192.168.88.0/24 IP destination or source address from the ether1 interface, and send copies to the ether3 interface.

```
/interface ethernet switch
set switch1 mirror-target=ether3 mirror-source=none
/interface ethernet switch rule
add mirror=yes ports=ether1 switch=switch1 src-address=192.168.88.0/24
add mirror=yes ports=ether1 switch=switch1 dst-address=192.168.88.0/24
```
Protocol Based Mirroring
This example will mirror incoming IPX traffic (matched with the mac-protocol property) from the ether1 interface, and send copies to the ether3 interface.

```
/interface ethernet switch
set switch1 mirror-target=ether3 mirror-source=none
/interface ethernet switch rule
add mirror=yes ports=ether1 switch=switch1 mac-protocol=ipx
```
...
There are other options as well, check the ACL section to find out all possible parameters that can be used to match packets.
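To see which ingress frames the rules in the VLAN, MAC and IP based examples above would actually copy to the mirror-target, here is an added Python emulation of the rule matching (example code, not RouterOS or MikroTik code). It goes slightly beyond the page's examples by honouring arbitrary MAC masks (e.g. an OUI-only mask); the SwitchRule and Frame classes and the match semantics are assumptions modelled on the property names used on this page.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional
# Constructed emulation (not RouterOS code) of how switch rules select ingress frames
# for mirroring; field names follow the /interface/ethernet/switch/rule properties above.
@dataclass
class SwitchRule:
    ports: set                          # ingress ports the rule applies to
    vlan_id: Optional[int] = None
    src_mac: Optional[str] = None       # "MAC/MASK", as in the page's examples
    dst_mac: Optional[str] = None
    src_address: Optional[str] = None   # IPv4 prefix, e.g. 192.168.88.0/24
    dst_address: Optional[str] = None
@dataclass
class Frame:
    in_port: str
    src_mac: str
    dst_mac: str
    vlan_id: Optional[int] = None
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None

def mac_match(value: str, rule: str) -> bool:
    """Compare a MAC against 'MAC/MASK': only the bits set in the mask must be equal."""
    addr, mask = rule.split("/")
    to_int = lambda m: int(m.replace(":", ""), 16)
    return (to_int(value) & to_int(mask)) == (to_int(addr) & to_int(mask))

def ip_match(value: Optional[str], prefix: str) -> bool:
    return value is not None and ipaddress.ip_address(value) in ipaddress.ip_network(prefix)

def rule_matches(rule: SwitchRule, frame: Frame) -> bool:
    """Every configured matcher must agree; unset matchers are wildcards."""
    if frame.in_port not in rule.ports: return False
    if rule.vlan_id is not None and frame.vlan_id != rule.vlan_id: return False
    if rule.src_mac and not mac_match(frame.src_mac, rule.src_mac): return False
    if rule.dst_mac and not mac_match(frame.dst_mac, rule.dst_mac): return False
    if rule.src_address and not ip_match(frame.src_ip, rule.src_address): return False
    if rule.dst_address and not ip_match(frame.dst_ip, rule.dst_address): return False
    return True

def is_mirrored(rules, frame: Frame) -> bool:
    """Rules only see ingress traffic; a frame is copied to mirror-target if any rule hits."""
    return any(rule_matches(r, frame) for r in rules)

RULES = [  # the mirror rules from the VLAN, MAC and IP based examples above
    SwitchRule(ports={"ether2"}, vlan_id=11),
    SwitchRule(ports={"ether1"}, dst_mac="64:D1:54:D9:27:E6/FF:FF:FF:FF:FF:FF"),
    SwitchRule(ports={"ether1"}, src_mac="64:D1:54:D9:27:E6/FF:FF:FF:FF:FF:FF"),
    SwitchRule(ports={"ether1"}, src_address="192.168.88.0/24"),
    SwitchRule(ports={"ether1"}, dst_address="192.168.88.0/24"),
]
```

Because the rules only match ingress, a frame that merely leaves through ether1 or ether2 is never copied by them; use mirror-egress on the port for that direction.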
Remote Switch Port Analyzer
This example will mirror incoming and outgoing traffic from the ether2 interface; the copies will be encapsulated in an 802.1Q VLAN using 999 as the VLAN ID, and the packets will be sent to the ether3 interface. If the original traffic is already VLAN tagged, RSPAN will add another layer of VLAN tagging as an outer tag, so the mirrored traffic ends up tagged twice. If the mirror-target port is included in a vlan-filtering bridge, it is not required to add the interface as a tagged VLAN member under the /interface/bridge/vlan menu for RSPAN.
```
/interface ethernet switch port
set ether2 mirror-egress=yes mirror-ingress=yes
/interface ethernet switch
set switch1 mirror-target=ether3 rspan=yes rspan-egress-vlan-id=999 rspan-ingress-vlan-id=999
```
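The double tagging described above matters for whatever analyzer sits on ether3: it must pop the RSPAN tag before it can see the original VLAN. The following added Python example (not RouterOS or MikroTik code) emulates the outer-tag push on a constructed untagged frame and on a VLAN 11 tagged frame, then decodes the result the way an analyzer would; it assumes the outer tag uses the standard 0x8100 ethertype, which the page does not state.

```python
import struct

# Constructed example (not RouterOS code): how an analyzer on the mirror-target port
# can decode RSPAN frames. The switch pushes one extra 802.1Q tag carrying the rspan
# VLAN in front of the original frame, so already-tagged traffic arrives double-tagged.
ETH_8021Q = 0x8100        # assumed ethertype of the RSPAN outer tag
RSPAN_VLAN = 999          # rspan-ingress-vlan-id / rspan-egress-vlan-id from the example above

def push_vlan_tag(frame: bytes, vlan_id: int, pcp: int = 0) -> bytes:
    """Insert an 802.1Q tag right after the destination and source MAC addresses."""
    tci = (pcp << 13) | (vlan_id & 0x0FFF)
    return frame[:12] + struct.pack("!HH", ETH_8021Q, tci) + frame[12:]

def mirrored_as_seen_by_analyzer(original: bytes) -> bytes:
    """Emulates rspan=yes: the copy sent to ether3 gains an outer tag with VLAN 999."""
    return push_vlan_tag(original, RSPAN_VLAN)

def decode_rspan(frame: bytes) -> dict:
    """Strip the RSPAN outer tag; report outer/inner VLAN IDs and the payload ethertype."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != ETH_8021Q:
        raise ValueError("not an RSPAN-tagged frame")
    outer_vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    original = frame[:12] + frame[16:]       # the frame as the source port saw it
    ethertype = struct.unpack("!H", original[12:14])[0]
    inner_vid = None
    if ethertype == ETH_8021Q and len(original) >= 18:   # original was itself tagged
        inner_vid = struct.unpack("!H", original[14:16])[0] & 0x0FFF
        ethertype = struct.unpack("!H", original[16:18])[0]
    return {"rspan_vlan": outer_vid, "original_vlan": inner_vid,
            "ethertype": ethertype, "original_frame": original}

# Constructed sample frames: an untagged IPv4 frame and the same frame tagged VLAN 11.
DST = bytes.fromhex("66778899aabb")
SRC = bytes.fromhex("64d154d927e6")
UNTAGGED = DST + SRC + struct.pack("!H", 0x0800) + b"\x45" + bytes(19)
TAGGED_VLAN11 = push_vlan_tag(UNTAGGED, 11)

if __name__ == "__main__":
    for f in (UNTAGGED, TAGGED_VLAN11):
        print(decode_rspan(mirrored_as_seen_by_analyzer(f)))
```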
Property Reference
Sub-menu:
/interface/ethernet/switch
Property | Description |
---|---|
mirror-target (cpu \| name \| none; Default: none) | Selects a single mirroring target port. Packets from |
rspan (no \| yes; Default: no) | Enables the Remote Switch Port Analyzer (RSPAN) feature on mirror-target. Traffic marked for ingress or egress mirroring is carried over a specified remote analyzer VLAN (rspan-egress-vlan-id and rspan-ingress-vlan-id). |
rspan-egress-vlan-id (integer: 1..4095; Default: 1) | Selects the VLAN ID for marked egress traffic. Only applies when rspan is enabled. |
rspan-ingress-vlan-id (integer: 1..4095; Default: 1) | Selects the VLAN ID for marked ingress traffic. Only applies when rspan is enabled. |
Sub-menu:
/interface/ethernet/switch/port
Property | Description |
---|---|
mirror-egress (no \| yes; Default: no) | Whether to send an egress packet copy to the |
mirror-ingress (no \| yes; Default: no) | Whether to send an ingress packet copy to the |
Sub-menu:
/interface/ethernet/switch/rule
Property | Description |
---|---|
mirror (no \| yes; Default: no) | Whether to send a packet copy to the mirror-target port |
...
Traffic Shaping
...
It is possible to limit ingress traffic that matches certain parameters with ACL rules, and it is possible to limit ingress/egress traffic on a per-port basis. The policer is used for ingress traffic, the shaper for egress traffic. The ingress policer controls the received traffic with packet drops: everything that exceeds the defined limit gets dropped. This can affect the TCP congestion control mechanism on end hosts, and the achieved bandwidth can actually be less than the defined limit. The egress shaper instead tries to queue packets that exceed the limit rather than dropping them. Eventually it will also drop packets when the output queue gets full; however, it should allow the defined throughput to be utilized better.
...
Warning: When bridge interface
Port Security
...
It is possible to limit the allowed MAC addresses on a single switch port. For example, to allow the 64:D1:54:81:EF:8E MAC address on a switch port, start by switching multiple ports together; in this example, 64:D1:54:81:EF:8E is going to be located behind ether1.
...