Controller Bridge (CB) and Port Extender (PE) is an IEEE 802.1BR standard implementation in RouterOS for CRS3xx series switches. It allows virtually extending the CB ports with a PE device and manage these extended interfaces from a single controlling device. Such configuration provides a simplified network topology, flexibility, increased port density and ease manageability. An example of Controller Bridge and Port Extender topology can be seen below.
The Controller Bridge establishes communication with the Port Extender through a cascade port. Similarly, the Port Extender will communicate with the Controller Bridge only through an upstream port. On a PE device, control ports must be configured and only one port (closest to the CB) will act as an upstream port, other control ports can act as a backup for upstream port or even cascade port for switches connected in series (e.g. Port Extender 2 and 3 in the image above). Cascade and upstream ports are used to transmit and receive control and network traffic. Extended ports are interfaces that are controlled by the CB device and they are typically connected to the end hosts. Extended ports only transmit and receive network traffic.
See supported features for each switch model below.
|Model||Controller Bridge||Port Extender|
|netPower 15FR (CRS318-1Fi-15Fr-2S)||-||+|
|netPower 16P (CRS318-16P-2S+)||-||+|
Although controller allows to configure port extender interfaces, some bridging and switching features cannot be used or will not work properly. Below are the most common controller and extender limitations. The list might change with an upcoming RouterOS releases.
|Bonding for cascade and upstream ports||+|
|Bridge VLAN filtering||+|
|Bonding for extended ports||-|
|Dot1x authenticator (server)||-|
|Ingress and egress rate||-|
|Port ingress VLAN filtering||-|
|Switch rules (ACL)||-|
In this example, we will create a Controlling Bridge (e.g. a CRS317-1G-16S+ switch) that will connect to a single Port Extender (e.g. a CRS326-24G-2S+ switch) through an SFP+1 interface.
First, configure a bridge with enabled VLAN filtering on a CB device:
On the same device, configure a port that is connected to the PE device and will act as cascade port:
Last, on a PE device, simply configure a control port, which will be selected as an upstream port:
Once PE and CB devices are connected, all interfaces that are on the same switch group (except for control ports) will be extended and can be further configured on a CB device. An automatic bridge port configuration will be applied on the CB device which adds all extended ports in a single bridge, this configuration can be modified afterward.
In order to exclude some port from being extended (e.g. for out-of-band management purposes), additionally, configure
Make sure not to include the cascade-ports and control-ports in any routing or bridging configurations. These ports are recommended only for a CB and PE usage.
Before frame forwarding on extended ports is possible, Controlling Bridge and Port Extender must discover each other and exchange with essential information.
CB and PE enabled devices are using a neighbor discovery protocol LLDP with specific Port Extension TLV. This allows CB and PE devices to advertise their support on cascade and control ports.
CB and PE configuration can override the neighbor discovery settings, for example, if a cascade port is not included in a neighbor discovery interface list, the LLDP messages will be still sent.
Once LLDP messages are exchanged between CB and PE, a Control and Status Protocol (CSP) over an Edge Control Protocol (ECP) will initiate. The CSP is used between CB and PE to assert control and receive status information from the associated PE - it assigns unique IDs for extended ports, controls data-path settings (e.g. port VLAN membership) and sends port status information (e.g. interface stats, PoE-out monitoring). The ECP provides a reliable and sequenced frame delivery (encoded with EtherType 0x8940).
The current CB implementation does not support any failover techniques. Once the CB device becomes unavailable, the PE devices will lose all the control and data forwarding rules.
To better understand the underlying principles of Controlling Bridge and Port Extender, a packet walkthrough is provided below:
This section describes the Controller Bridge settings and monitoring options.
/interface bridge port-controller
|bridge (name; Default: none)||The bridge interface where ports will be extended. The CB will only enable when |
|cascade-ports (interfaces; Default: none)||Interfaces that will act as cascade ports. A bonding interface with 802.3ad or balance-xor |
|switch (name; Default: none)||The switch that will act as the CB and ensure the control and network traffic. The CB will only enable when |
After CB and PE devices are configured and connected, each PE device will be automatically visible on the device menu, use
monitor commands to see more details.
/interface bridge port-controller device
|connected-via-devs (name)||Shows the connected devices in the path from PE to CB.|
|connected-via-ports (name)||Shows the connection path from PE to CB.|
|control-ports (interfaces)||PE device control ports.|
|descr (name)||Short PE device description.|
|name (name)||Automatically assigned PE device name.|
|pe-mac (MAC address)||PE device MAC address.|
|status (active | inactive)||PE device status.|
Additionally, each PE device interface can be monitored on the port menu, use
monitor commands to see more details.
/interface bridge port-controller port
|device (name)||Automatically assigned PE device name.|
|name (name)||Automatically assigned PE port name.|
|pcid (integer)||Automatically assigned port identifier.|
|port-status (dev-inactive | not-added | ok)||PE port status.|
|rate (bps)||Data rate of the connection.|
|status (link-ok | no-link | unknown)||PE port link status.|
The Controller Bridge can monitor the PoE-out related information from Port Extenders on the port poe menu, use
monitor commands to see more details. For more information regarding PoE-out, please visit the PoE-out manual.
This section describes the Port Extender settings.
/interface bridge port-extender
|control-ports (interfaces; Default: none)||Interfaces that will either connect to the CB (upstream port) or connect other PE devices in series (cascade port). A bonding interface with 802.3ad or balance-xor |
|excluded-ports (interfaces; Default: none)||Interfaces that will not be extended.|
|switch (name; Default: none)||The switch that will act as the extender and ensure the control and network traffic. The PE will only enable when this property is specified, otherwise, it will be in a disabled state.|
Below are described the most common configuration examples. Some examples are using bridge VLAN filtering, so make sure to understand the filtering principles first - bridge VLAN filtering, bridge VLAN table.
In this example, a CRS317-1G-16S+ device is used as a Controller Bridge and CRS328-24P-4S+ as a Port Extender, see the connection scheme below.
First, we need to configure our CB device. This can be done by adding a bridge interface with enabled VLAN filtering. Additionally, we can add any local interfaces to the same bridge, and it will allow us to forward traffic between our local interface and extended interfaces. In this example, we are adding an sfp-sfpplus2 interface.
To enable CB, you need to specify the bridge, switch and at least one cascade port. Make sure that cascade ports are not included in the bridge or routing configurations. These ports are recommended only for a CB and PE usage.
To enable PE, you need to configure control ports and switch. Additionally, you can configure one or multiple interfaces that should not be extended with
excluded-ports property (e.g. for out-of-band management purposes). In this examples, all switch ports will be extended.
Once PE and CB devices finish the discovery and start the Control and Status Protocol (CSP), the RouterOS will permanently create new interfaces and add them into bridge on the CB device. Interfaces are named by the automatically assigned PE device name, plus the default interface name, these interface names can be modified. By default, ports are added with
frame-types set to
admit-only-untagged-and-priority-tagged. Note that control and excluded ports will also be displayed into the interface list, but they are not included into the bridge.
Now the CRS317-1G-16S+ device has extended its ports using the CRS328-24P-4S+ device and packet forwarding can be done between all bridged ports.
In this example, untagged (access) and tagged (trunk) port configuration will be created on the Controller Bridge device, see the network diagram below.
We first need to configure the CB and PE devices, the configuration is identical to the previous example.
After extended ports are successfully created and added to the bridge on the CB device, we can start configuring VLAN related properties. First, we will configure access ports to their respective VLAN ID using a
pvid property. Use a
/interface bridge port" menu to find out the exact interface name.
Then add bridge VLAN entries and specify tagged, untagged ports. Note that there are two tagged ports - local port named sfp-sfpplus2 and extended port named pe1-sfpplus1.
Last, enable port
ingress-filtering on local bridge ports and use additional frame filtering based on the packet type with
Port ingress VLAN filtering is not supported on extended ports.