Comment: formatting/typos

Summary

...

The CRS3xx and CRS5xx series switches, as well as the CCR2116 and CCR2216 routers, feature highly integrated switches with high-performance CPUs and feature-rich packet processors. These devices can be used for various Ethernet applications, including unmanaged switches, Layer 2 managed switches, carrier switches, inter-VLAN routers, and wired unified packet processors.

Note

This article applies to CRS3xx, CRS5xx series switches, and CCR2116, CCR2216 routers, and not to CRS1xx/CRS2xx series switches.

...

Warning

Currently, it is possible to create only one bridge with hardware offloading. Use the hw=yes/no parameter to select which bridge will use hardware offloading.

...

Note

Bridge STP/RSTP/MSTP, IGMP Snooping, and VLAN filtering settings don't affect hardware offloading. Bonding interfaces are also hardware offloaded.

VLAN

The bridge provides VLAN-aware Layer 2 forwarding and VLAN tag modifications. This set of features makes bridge operation more akin to a traditional Ethernet switch, allowing it to overcome Spanning Tree compatibility issues compared to configurations where tunnel-like VLAN interfaces are bridged. Configuring Bridge VLAN Filtering is highly recommended to comply with STP (802.1D) and RSTP (802.1w) standards, and it is mandatory for enabling MSTP (802.1s) support in RouterOS.

VLAN Filtering

VLAN filtering is described in the Bridge VLAN Filtering section.

...

Note
  • The Switch Rule table is used for MAC-based VLAN functionality. Refer to this table to determine how many rules each device supports.
  • MAC-based VLANs will only work properly between switch ports and not between switch ports and the CPU. When a packet is being forwarded to the CPU, the pvid property of the bridge port will always be used instead of the new-vlan-id from ACL rules.
  • MAC-based VLANs will not work for DHCP packets when DHCP snooping is enabled.

...

```routeros
/interface ethernet switch rule
add switch=switch1 ports=ether7 src-mac-address=A4:12:6D:77:94:43/FF:FF:FF:FF:FF:FF new-vlan-id=200
add switch=switch1 ports=ether7 src-mac-address=84:37:62:DF:04:20/FF:FF:FF:FF:FF:FF new-vlan-id=300
add switch=switch1 ports=ether7 src-mac-address=E7:16:34:A1:CD:18/FF:FF:FF:FF:FF:FF new-vlan-id=400
```

Protocol Based VLAN

Note
  • The Switch Rule table is utilized for Protocol-based VLAN functionality. Refer to this table to determine the number of rules each device supports.
  • Protocol-based VLANs will only function correctly between switch ports and not between switch ports and the CPU. When a packet is being forwarded to the CPU, the pvid property of the bridge port will always be used instead of the new-vlan-id from ACL rules.
  • Protocol-based VLANs will not function for DHCP packets when DHCP snooping is enabled.

...

It is possible to use a provider bridge (IEEE 802.1ad), Tag Stacking, VLAN filtering, and hardware offloading simultaneously. The configuration for this is outlined in the Bridge VLAN Tunneling (Q-in-Q) section.

Warning

Devices equipped with switch chip Marvell-98DX3257 (e.g. CRS354 series) do not support VLAN filtering on 1Gbps Ethernet interfaces for other VLAN types (0x88a8 and 0x9100).

...

It is possible to translate a certain VLAN ID to a different VLAN ID using ACL rules on an ingress port. In this example, we create two ACL rules, allowing bidirectional communication. This can be done with the following steps:

1) Create a new bridge and add ports to it with hardware offloading:

```routeros
/interface bridge
add name=bridge1 vlan-filtering=no
/interface bridge port
add interface=ether1 bridge=bridge1 hw=yes
add interface=ether2 bridge=bridge1 hw=yes
```

2) Add ACL rules to translate a VLAN ID in each direction:

```routeros
/interface ethernet switch rule
add new-dst-ports=ether2 new-vlan-id=20 ports=ether1 switch=switch1 vlan-id=10
add new-dst-ports=ether1 new-vlan-id=10 ports=ether2 switch=switch1 vlan-id=20
```

3) Add both VLAN IDs to the bridge VLAN table:

```routeros
/interface bridge vlan
add bridge=bridge1 tagged=ether1 vlan-ids=10
add bridge=bridge1 tagged=ether2 vlan-ids=20
```

4) Enable bridge VLAN filtering:

...

Note

Bidirectional communication is limited to two switch ports. Translating VLAN IDs between more ports can cause traffic flooding or incorrect forwarding between ports of the same VLAN.


Warning

By enabling vlan-filtering you will filter out traffic destined for the CPU; before enabling VLAN filtering, make sure that you have set up a management port.
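As an added example (not one of the page's own code blocks): a management VLAN carried on the bridge interface itself, configured before vlan-filtering is switched on, so the VLAN-translation bridge from the steps above stays reachable from the CPU. Assumed, made-up values: ether3 as the management port, VLAN 99 and the address 192.168.99.1/24.

```routeros
# Added example, not from the original page. Assumed values: ether3 is the
# management port, VLAN 99 is the management VLAN, 192.168.99.1/24 its address.
/interface bridge port
add bridge=bridge1 interface=ether3 hw=yes pvid=99
# The bridge interface itself must be a tagged member of the management VLAN;
# without this entry, VLAN-filtered traffic never reaches the CPU.
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether3 vlan-ids=99
/interface vlan
add interface=bridge1 name=mgmt vlan-id=99
/ip address
add address=192.168.99.1/24 interface=mgmt
# Only now enable VLAN filtering (step 4 of the translation example above).
/interface bridge
set bridge1 vlan-filtering=yes
# Check: bridge1 must be listed as tagged for VLAN 99, and ether1/ether2
# must be listed as tagged for the translated VLANs 10 and 20.
/interface bridge vlan print
```

Applying the address and the VLAN entry first, and the vlan-filtering change last, is what keeps a remote session from being cut off by the filter it just enabled.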

...

CRS3xx, CRS5xx series switches, and CCR2116, CCR2216 routers support hardware offloading with bonding interfaces. Only 802.3ad and balance-xor bonding modes are hardware offloaded; other bonding modes will use the CPU's resources. You can find more information about the bonding interfaces in the Bonding Interface section. If 802.3ad mode is used, then LACP (Link Aggregation Control Protocol) is supported.

...

Layer 3 hardware offloading, also known as IP switching or HW routing, enables the offloading of certain router features onto the switch chip. This capability allows for achieving wire speeds when routing packets, a feat that would not be possible with the CPU alone.

The offloaded feature set depends on the chipset used. For more information, please refer to the documentation provided here.

Port isolation

...

It is possible to create a Private VLAN setup, an example can be found in the Switch chip port isolation manual page. Hardware offloaded bonding interfaces are not included in the switch port-isolation menu, but it is still possible to configure port-isolation individually on each secondary interface of the bonding.

...

Controller Bridge (CB) and Port Extender (PE) is an IEEE 802.1BR standard implementation in RouterOS. It allows virtually extending the CB ports with a PE device and managing these extended interfaces from a single controlling device. Such a configuration provides a simplified network topology, flexibility, increased port density, and ease of manageability. See more details in the Controller Bridge and Port Extender manual.

Mirroring

...

Mirroring allows the switch to intercept all traffic passing through the switch chip and send a copy of those packets out to another designated port (mirror-target). This feature facilitates the creation of a tap device, enabling network traffic inspection on a traffic analyzer device. You can configure simple port-based mirroring or more complex mirroring based on various parameters. Note that the mirror-target port must belong to the same switch (you can identify which port belongs to which switch in the /interface ethernet menu). Additionally, the mirror-target port can be set to a special 'cpu' value, indicating that sniffed packets will be forwarded to the switch chip's CPU port. There are several methods to mirror specific traffic, and below are some of the most common mirroring examples:

Port Based Mirroring:

```routeros
/interface ethernet switch
set switch1 mirror-source=ether2 mirror-target=ether3
```


Note

The mirror-source property will send ingress and egress packet copies to the mirror-target port. Both mirror-source and mirror-target are limited to a single interface.

...

Note

Using ACL rules, it is possible to mirror packets from multiple interfaces. Only ingress packets are mirrored to the mirror-target interface.

VLAN Based Mirroring:

```routeros
/interface bridge
set bridge1 vlan-filtering=yes
/interface ethernet switch
set switch1 mirror-target=ether3 mirror-source=none
/interface ethernet switch rule
add mirror=yes ports=ether1 switch=switch1 vlan-id=11
```


Warning

By enabling vlan-filtering you will filter out traffic destined for the CPU; before enabling VLAN filtering, make sure that you have set up a management port.

...

It is possible to limit ingress traffic that matches certain parameters with ACL rules, and it is possible to limit ingress/egress traffic on a per-port basis. The policer is used for ingress traffic, the shaper for egress traffic. The ingress policer controls received traffic with packet drops: everything that exceeds the defined limit is dropped. This can affect the TCP congestion control mechanism on end hosts, and the achieved bandwidth can actually be less than defined. The egress shaper tries to queue packets that exceed the limit instead of dropping them. Eventually, it will also drop packets when the output queue gets full; however, it should allow for better utilization of the defined throughput.

Port-based traffic policer and shaper:

...

```routeros
/interface bridge
set bridge1 vlan-filtering=yes
/interface ethernet switch rule
add ports=ether1 switch=switch1 vlan-id=11 rate=10M
```


Warning

By enabling vlan-filtering you will filter out traffic destined for the CPU; before enabling VLAN filtering, make sure that you have set up a management port.

...

Note

The Switch Rule table is used for QoS functionality. Refer to this table to determine how many rules each device supports.

Traffic Storm Control

...

Since RouterOS v6.42 it is possible to enable traffic storm control. A traffic storm can emerge when certain frames are continuously flooded on the network. For example, if a network loop has been created and no loop avoidance mechanisms are used (e.g. Spanning Tree Protocol), broadcast or multicast frames can quickly overwhelm the network, causing degraded network performance or even a complete network breakdown. With CRS3xx, CRS5xx series switches and CCR2116, CCR2216 routers it is possible to limit broadcast, unknown multicast, and unknown unicast traffic. Traffic is considered unknown unicast when the switch has no host entry for the destination MAC address. Traffic is considered unknown multicast when the switch has no multicast group entry in the /interface bridge mdb menu. Storm control settings should be applied to ingress ports; the egress traffic will be limited.

Note

The storm control parameter is specified in percentage (%) of the link speed. If your link speed is 1Gbps, then specifying storm-rate as 10 will allow only 100Mbps of broadcast, unknown multicast, and/or unknown unicast traffic to be forwarded.

...

Warning

Devices with the Marvell-98DX3236 switch chip cannot distinguish unknown multicast traffic from all multicast traffic. For example, CRS326-24G-2S+ will limit all multicast traffic when limit-unknown-multicasts and storm-rate are used. For other devices, for example CRS317-1G-16S+, the limit-unknown-multicasts parameter will limit only unknown multicast traffic (addresses that are not present in /interface bridge mdb).

For example, to limit 1% (10Mbps) of broadcast and unknown unicast traffic on ether1 (1Gbps), use the following commands:
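As an added example (not the page's own code block, which is not reproduced here): the storm-control settings for the case described above, applied on the ingress port ether1. The property names on /interface ethernet switch port are assumed from the parameters the text names (storm-rate, limit-unknown-multicasts).

```routeros
# Added example, not from the original page. storm-rate is a percentage of
# link speed: 1 on a 1Gbps port allows 10Mbps of the limited traffic types.
/interface ethernet switch port
set ether1 storm-rate=1 limit-broadcasts=yes limit-unknown-unicasts=yes
# Not enabled here: on Marvell-98DX3236 devices (e.g. CRS326-24G-2S+) this
# would cap all multicast, including known groups, not only unknown multicast.
# set ether1 limit-unknown-multicasts=yes
# Check the applied limits on the port.
/interface ethernet switch port print where name=ether1
```

Because the limit is relative to link speed, the same storm-rate value on a 10Gbps port allows ten times the absolute rate; size it per port, not per device.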

...

Property (values; default) and description:

copy-to-cpu (no | yes; Default: no)
    Clones the matching packet and sends it to the CPU.
disabled (yes | no; Default: no)
    Enables or disables the ACL entry.
dscp (0..63)
    Matches the DSCP field of the packet (only applies to IPv4 packets).
dst-address (IP address/Mask)
    Matches the destination IPv4 address and mask; also matches the destination IP in ARP packets.
dst-address6 (IPv6 address/Mask)
    Matches the destination IPv6 address and mask.
dst-mac-address (MAC address/Mask)
    Matches the destination MAC address and mask.
dst-port (0..65535)
    Matches the destination protocol port number (applies to IPv4 and IPv6 packets if mac-protocol is not specified).
flow-label (0..1048575)
    Matches the IPv6 flow label.
mac-protocol (802.2 | arp | homeplug-av | ip | ipv6 | ipx | lldp | loop-protect | mpls-multicast | mpls-unicast | packing-compr | packing-simple | pppoe | pppoe-discovery | rarp | service-vlan | vlan | 0..65535 | 0x0000-0xffff)
    Matches a particular MAC protocol specified by protocol name or number.
mirror (no | yes)
    Clones the matching packet and sends it to the mirror-target port.
new-dst-ports (ports)
    Changes the destination port as specified. An empty setting will drop the packet. A specified port will redirect the packet to it. When the parameter is not used, the packet will be accepted. Multiple "new-dst-ports" are not supported.
new-vlan-id (0..4095)
    Changes the VLAN ID to the specified value. Requires vlan-filtering=yes.
new-vlan-priority (0..7)
    Changes the VLAN priority (priority code point). Requires vlan-filtering=yes.
ports (ports)
    Matches the ports on which the rule will apply to received traffic.
protocol (dccp | ddp | egp | encap | etherip | ggp | gre | hmp | icmp | icmpv6 | idpr-cmtp | igmp | ipencap | ipip | ipsec-ah | ipsec-esp | ipv6 | ipv6-frag | ipv6-nonxt | ipv6-opts | ipv6-route | iso-tp4 | l2tp | ospf | pim | pup | rdp | rspf | rsvp | sctp | st | tcp | udp | udp-lite | vmtp | vrrp | xns-idp | xtp | 0..255)
    Matches a particular IP protocol specified by protocol name or number. This only applies to IPv4 packets if mac-protocol is not specified. To match certain IPv6 protocols, use the mac-protocol=ipv6 setting.
rate (0..4294967295)
    Sets the ingress traffic limit (bits per second) for matched traffic.
redirect-to-cpu (no | yes)
    Changes the destination port of a matching packet to the CPU.
src-address (IP address/Mask)
    Matches the source IPv4 address and mask; also matches the source IP in ARP packets.
src-address6 (IPv6 address/Mask)
    Matches the source IPv6 address and mask.
src-mac-address (MAC address/Mask)
    Matches the source MAC address and mask.
src-port (0..65535)
    Matches the source protocol port number (applies to IPv4 and IPv6 packets if mac-protocol is not specified).
switch (switch group)
    Matches the switch group on which the rule will apply.
traffic-class (0..255)
    Matches the IPv6 traffic class.
vlan-id (0..4095)
    Matches the VLAN ID. Requires vlan-filtering=yes.
vlan-header (not-present | present)
    Matches on whether a VLAN header is present or not. Requires vlan-filtering=yes.
vlan-priority (0..7)
    Matches the VLAN priority (priority code point).

...

Note

For VLAN-related matchers or VLAN-related action parameters to work, you need to enable vlan-filtering on the bridge interface and make sure that hardware offloading is enabled on those ports; otherwise, these parameters will not have any effect.

...

Warning

When the bridge interface ether-type is set to 0x8100, VLAN-related ACL rules apply to frames tagged using a regular/customer VLAN (TPID 0x8100); this includes vlan-id and new-vlan-id. When the bridge interface ether-type is set to 0x88a8, ACL rules apply to frames tagged with an 802.1ad service tag (TPID 0x88a8).

Port Security

...

It is possible to limit the allowed MAC addresses on a single switch port. For example, to allow the 64:D1:54:81:EF:8E MAC address on a switch port, start by switching multiple ports together; in this example, 64:D1:54:81:EF:8E is going to be located behind ether1
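As an added example (not the page's own code block): one way to build the port-security setup described above, using the MAC address from the text and the accept/drop semantics of new-dst-ports from the ACL property table. Assumed: ether1 to ether4 belong to switch1, and switch rules are evaluated in order so the allow rule must precede the catch-all drop.

```routeros
# Added example, not from the original page. Assumed: ether1..ether4 are on
# switch1; the only host allowed behind ether1 is 64:D1:54:81:EF:8E.
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1 hw=yes
add bridge=bridge1 interface=ether2 hw=yes
add bridge=bridge1 interface=ether3 hw=yes
add bridge=bridge1 interface=ether4 hw=yes
/interface ethernet switch rule
# No action parameter: a frame from the allowed source MAC is accepted.
add ports=ether1 src-mac-address=64:D1:54:81:EF:8E/FF:FF:FF:FF:FF:FF switch=switch1
# Catch-all for ether1: an empty new-dst-ports drops every other frame.
add new-dst-ports="" ports=ether1 switch=switch1
# Check that the allow rule is listed before the drop rule.
/interface ethernet switch rule print
```

A source-MAC filter restricts which address may talk on the port but does not authenticate the host; pair it with monitoring of the host table for unexpected addresses on other ports.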

...

The "dual boot" feature allows you to choose which operating system you prefer to use on CRS3xx series switches: RouterOS or SwOS. The device operating system can be changed using:

  • Command-line (/system routerboard settings set boot-os=swos)
  • WinBox
  • WebFig
  • Serial Console

More details about SwOS are described here: SwOS manual

...

It is possible to load, save, and reset SwOS configuration, as well as upgrade SwOS and set an IP address for the CRS3xx series switches by using RouterOS.

  • Save configuration with /system swos save-config
Note

The configuration will be saved on the same device with "swos.config" as the filename. Please ensure you download the file from your device, as the configuration file will be removed after a reboot.

  • Load configuration with /system swos load-config
  • Change password with /system swos password
  • Reset configuration with /system swos reset-config
  • Upgrade SwOS from RouterOS using /system swos upgrade
Note

The upgrade command will automatically install the latest available SwOS primary backup version. Ensure that your device has access to the Internet for the upgrade process to work properly. When the device is booted into SwOS, the version number will include the letter "p", indicating a primary backup version. You can then install the latest available SwOS secondary main version from the SwOS "Upgrade" menu.


Property (values; default) and description:

address-acquisition-mode (dhcp-only | dhcp-with-fallback | static; Default: dhcp-with-fallback)
    Changes the address acquisition method:
      • dhcp-only - uses only a DHCP client to acquire the address
      • dhcp-with-fallback - for the first 10 seconds, tries to acquire an address using a DHCP client. If the request is unsuccessful, the address falls back to static as defined by the static-ip-address property
      • static - the address is set as defined by the static-ip-address property
allow-from (IP/Mask; Default: 0.0.0.0/0)
    IP address or network from which the switch is accessible. By default, the switch is accessible from any IP address.
allow-from-ports (name; Default: )
    List of switch ports from which the device is accessible. By default, all ports are allowed to access the switch.
allow-from-vlan (integer: 0..4094; Default: 0)
    VLAN ID from which the device is accessible. By default, all VLANs are allowed.
identity (name; Default: Mikrotik)
    Name of the switch (used for the Mikrotik Neighbor Discovery protocol).
static-ip-address (IP; Default: 192.168.88.1)
    The IP address of the switch in case address-acquisition-mode is set to either dhcp-with-fallback or static. Setting a static IP address does not change the address acquisition process, which is DHCP with fallback by default. This means that the configured static IP address will become active only when there are no DHCP servers in the same broadcast domain.

See also

CRS1xx/2xx series switches

CRS3xx, RS6xx, CCR2116, CCR2216 VLANs with Bonds

Basic VLAN switching

Bridge Hardware Offloading

...