[RouterOS] Pages Feed | Confluence Syndication Feed | https://help.mikrotik.com/docs | Switch Chip Features | Guntis G. | tag:help.mikrotik.com,2009:page-15302988-75 | 2024-03-28T17:14:30Z | 2020-02-10T14:44:35Z<div class="feed"> <p>
Page
<b>edited</b> by
<a href="https://help.mikrotik.com/docs/display/~guntis">Guntis G.</a>
- "typos"
</p>
<div style="border-top: 1px solid #ddd; border-bottom: 1px solid #ddd; padding: 10px;">
<p><span class="mw-headline"><div class='toc-macro rbtoc1711701162674'>
<ul class='toc-indentation'>
<li><a href='#SwitchChipFeatures-Introduction'>Introduction</a></li>
<li><a href='#SwitchChipFeatures-Features'>Features</a>
<ul class='toc-indentation'>
<li><a href='#SwitchChipFeatures-PortSwitching'>Port Switching</a>
<ul class='toc-indentation'>
<li><a href='#SwitchChipFeatures-SwitchAllPortsFeature'>Switch All Ports Feature</a></li>
</ul>
</li>
<li><a href='#SwitchChipFeatures-PortMirroring'>Port Mirroring</a></li>
<li><a href='#SwitchChipFeatures-PortSettings'>Port Settings</a></li>
<li><a href='#SwitchChipFeatures-VLANTable'>VLAN Table</a></li>
<li><a href='#SwitchChipFeatures-HostTable'>Host Table</a></li>
<li><a href='#SwitchChipFeatures-RuleTable'>Rule Table</a></li>
<li><a href='#SwitchChipFeatures-Portisolation'>Port isolation</a>
<ul class='toc-indentation'>
<li><a href='#SwitchChipFeatures-PrivateVLAN'>Private VLAN</a></li>
<li><a href='#SwitchChipFeatures-Isolatedswitchgroups'>Isolated switch groups</a></li>
</ul>
</li>
<li><a href='#SwitchChipFeatures-CPUFlowControl'>CPU Flow Control</a></li>
<li><a href='#SwitchChipFeatures-Statistics'>Statistics</a></li>
</ul>
</li>
<li><a href='#SwitchChipFeatures-SetupExamples'>Setup Examples</a>
<ul class='toc-indentation'>
<li><a href='#SwitchChipFeatures-VLANExample1(TrunkandAccessPorts)'>VLAN Example 1 (Trunk and Access Ports)</a></li>
<li><a href='#SwitchChipFeatures-VLANExample2(TrunkandHybridPorts)'>VLAN Example 2 (Trunk and Hybrid Ports)</a></li>
<li><a href='#SwitchChipFeatures-Managementaccessconfiguration'>Management access configuration</a>
<ul class='toc-indentation'>
<li><a href='#SwitchChipFeatures-Tagged'>Tagged</a></li>
<li><a href='#SwitchChipFeatures-Untagged'>Untagged</a></li>
<li><a href='#SwitchChipFeatures-Untaggedfromtaggedport'>Untagged from tagged port</a></li>
</ul>
</li>
<li><a href='#SwitchChipFeatures-Inter-VLANrouting'>Inter-VLAN routing</a></li>
</ul>
</li>
<li><a href='#SwitchChipFeatures-Seealso'>See also</a></li>
</ul>
</div></span></p><h1 id="SwitchChipFeatures-Introduction"><span class="mw-headline">Introduction</span></h1><hr/><p>There are several types of switch chips on Routerboards and they have different sets of features. Most of them (from now on "Other") have only the basic "Port Switching" feature, but there are a few with more features:</p><div class="table-wrap"><table class="wrapped confluenceTable"><colgroup><col/><col/><col/><col/><col/><col/><col/><col/><col/><col/><col/><col/><col/><col/></colgroup><tbody><tr><th class="confluenceTh">Feature</th><th class="confluenceTh">QCA8337</th><th class="confluenceTh">Atheros8327</th><th class="confluenceTh">Atheros8316</th><th class="confluenceTh">Atheros8227</th><th class="confluenceTh">Atheros7240</th><th class="confluenceTh">IPQ-PPE</th><th class="confluenceTh">ICPlus175D</th><th class="confluenceTh">MT7621, MT7531</th><th class="confluenceTh">RTL8367</th><th class="confluenceTh">88E6393X</th><th class="confluenceTh">88E6191X, <span style="color: rgb(23,43,77);">88E6190</span></th><th class="confluenceTh">98PX1012</th><th class="confluenceTh">Other</th></tr><tr><td class="confluenceTd">Port Switching</td><td class="confluenceTd">yes</td><td class="confluenceTd">yes</td><td class="confluenceTd">yes</td><td class="confluenceTd">yes</td><td class="confluenceTd">yes</td><td class="confluenceTd">yes</td><td class="confluenceTd">yes</td><td class="confluenceTd">yes</td><td class="confluenceTd">yes</td><td class="confluenceTd">yes</td><td class="confluenceTd">yes</td><td class="confluenceTd">no</td><td class="confluenceTd">yes</td></tr><tr><td class="confluenceTd">Port Mirroring</td><td class="confluenceTd">yes</td><td class="confluenceTd">yes</td><td class="confluenceTd">yes</td><td class="confluenceTd">yes</td><td class="confluenceTd">yes</td><td class="confluenceTd">no</td><td class="confluenceTd">yes</td><td class="confluenceTd">yes</td><td class="confluenceTd">yes</td><td class="confluenceTd">yes</td><td 
class="confluenceTd">yes</td><td class="confluenceTd">no</td><td class="confluenceTd">no</td></tr><tr><td class="confluenceTd">TX limit <sup>1</sup></td><td class="confluenceTd">yes</td><td class="confluenceTd">yes</td><td class="confluenceTd">yes</td><td class="confluenceTd">yes</td><td class="confluenceTd">yes</td><td class="confluenceTd">no</td><td class="confluenceTd">no</td><td class="confluenceTd">yes</td><td class="confluenceTd">yes</td><td class="confluenceTd">yes</td><td class="confluenceTd">yes</td><td class="confluenceTd">no</td><td class="confluenceTd">no</td></tr><tr><td class="confluenceTd">RX limit <sup>1</sup></td><td class="confluenceTd">yes</td><td class="confluenceTd">yes</td><td class="confluenceTd">no</td><td class="confluenceTd">no</td><td class="confluenceTd">no</td><td class="confluenceTd">no</td><td class="confluenceTd">no</td><td class="confluenceTd">yes</td><td class="confluenceTd">yes</td><td class="confluenceTd">yes</td><td class="confluenceTd">yes</td><td class="confluenceTd">no</td><td class="confluenceTd">no</td></tr><tr><td class="confluenceTd">Host table</td><td class="confluenceTd">2048 entries</td><td class="confluenceTd">2048 entries</td><td class="confluenceTd">2048 entries</td><td class="confluenceTd">1024 entries</td><td class="confluenceTd">2048 entries</td><td class="confluenceTd">2048 entries</td><td class="confluenceTd"><div class="content-wrapper"><p>2048 entries <sup>2</sup></p></div></td><td class="confluenceTd">2048 entries</td><td class="confluenceTd">2048 entries</td><td class="confluenceTd">16k entries</td><td class="confluenceTd">16k entries</td><td class="confluenceTd">no</td><td class="confluenceTd">no</td></tr><tr><td class="confluenceTd">Vlan table</td><td class="confluenceTd">4096 entries</td><td class="confluenceTd">4096 entries</td><td class="confluenceTd">4096 entries</td><td class="confluenceTd">4096 entries</td><td class="confluenceTd">16 entries</td><td class="confluenceTd">no</td><td 
class="confluenceTd">no</td><td class="confluenceTd">4096 entries <sup>3</sup></td><td class="confluenceTd">4096 entries <sup>3</sup></td><td class="confluenceTd">4096 entries <sup>3</sup></td><td class="confluenceTd">4096 entries <sup>3</sup></td><td class="confluenceTd">no</td><td class="confluenceTd">no</td></tr><tr><td class="confluenceTd">Rule table</td><td class="confluenceTd">92 rules</td><td class="confluenceTd">92 rules</td><td class="confluenceTd">32 rules</td><td class="confluenceTd">no</td><td class="confluenceTd">no</td><td class="confluenceTd">no</td><td class="confluenceTd">no</td><td class="confluenceTd">no</td><td class="confluenceTd">no</td><td class="confluenceTd">256</td><td class="confluenceTd">no</td><td class="confluenceTd">no</td><td class="confluenceTd">no</td></tr></tbody></table></div><p><strong><span style="letter-spacing: 0.0px;">Notes</span></strong></p><ol><li><span>For QCA8337, Atheros8327, Atheros8316, Atheros8227, and Atheros7240 the Tx/Rx rate limits can be changed with <code>bandwidth</code> property on <code>"<span style="color: rgb(51,153,102);">/interface ethernet</span>"</code> menu, see more details in the <a href="https://help.mikrotik.com/docs/display/ROS/Ethernet" rel="nofollow">Ethernet manual</a>. For RTL8367, 88E6393X, 88E6191X, <span style="color: rgb(23,43,77);">88E6190,</span> MT7621 and MT7531 Tx/Rx rate limit can be changed with<span style="color: rgb(51,153,102);"><code> egress-rate</code></span> and <code><span style="color: rgb(51,153,102);">ingress-rate</span></code> properties on "<span style="color: rgb(51,153,102);"><code>/interface ethernet switch port</code></span>" menu.</span></li><li><span style="letter-spacing: 0.0px;">MAC addresses are learned up to the specified number, but the content of a switch host table is not available in RouterOS and static host configuration is not supported. 
</span></li><li><a href="https://help.mikrotik.com/docs/display/ROS/Bridging+and+Switching#BridgingandSwitching-BridgeVLANFiltering" rel="nofollow">Bridge HW vlan-filtering</a> was added in RouterOS versions <span style="color: rgb(23,43,77);">7.1rc1 (for RTL8367) and 7.1rc5 (for MT7621)</span>. <span style="color: rgb(48,48,48);">The switch does not support other <span style="color: rgb(51,153,102);"><code>ether-type</code></span> values, 0x88a8 or 0x9100 (only 0x8100 is supported), and it does not support <code><span style="color: rgb(51,153,102);">tag-stacking</span></code>. Using these features will disable HW offload.</span></li></ol><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>Cloud Router Switch (CRS) series devices have highly advanced built-in switch chips that support a wide variety of features. 
For more details about switch chip capabilities on CRS1xx/CRS2xx series devices check the <a href="https://help.mikrotik.com/docs/pages/viewpage.action?pageId=103841835" rel="nofollow">CRS1xx/CRS2xx series switches</a> manual, for CRS3xx series devices check the <a href="https://help.mikrotik.com/docs/display/ROS/CRS3xx%2C+CRS5xx%2C+CCR2116%2C+CCR2216+switch+chip+features" rel="nofollow">CRS3xx, CRS5xx series switches, and CCR2116, CCR2216 routers</a> manual.</p></div></div><div class="table-wrap"><table class="wrapped confluenceTable"><colgroup><col/><col/></colgroup><tbody><tr><th class="confluenceTh">RouterBoard</th><th class="confluenceTh">Switch-chip description</th></tr><tr><td class="confluenceTd"><strong>C52iG-5HaxD2HaxD-TC (hAP ax<sup>2</sup>), C53UiG+5HPaxD2HPaxD (hAP ax<sup>3</sup>), Chateau ax series</strong></td><td class="confluenceTd">IPQ-PPE (ether1-ether5)</td></tr><tr><td class="confluenceTd"><strong>cAPGi-5HaxD2HaxD (cAP ax)</strong></td><td class="confluenceTd">IPQ-PPE (ether1-ether2)</td></tr><tr><td class="confluenceTd"><strong>L009 series</strong></td><td class="confluenceTd"><span style="color: rgb(23,43,77);">88E6190 (ether2-ether8, sfp1)</span></td></tr><tr><td class="confluenceTd"><strong>RB5009 series</strong></td><td class="confluenceTd">88E6393X (ether1-ether8, sfp-sfpplus1)</td></tr><tr><td class="confluenceTd"><strong>CCR2004-16G-2S+</strong></td><td class="confluenceTd">88E6191X (ether1-ether8); 88E6191X (ether9-ether16); </td></tr><tr><td class="confluenceTd"><strong>RB4011iGS+</strong></td><td class="confluenceTd">RTL8367 (ether1-ether5); RTL8367 (ether6-ether10);</td></tr><tr><td class="confluenceTd"><strong>RB1100AHx4</strong></td><td class="confluenceTd">RTL8367 (ether1-ether5); RTL8367 (ether6-ether10); RTL8367 (ether11-ether13)</td></tr><tr><td class="confluenceTd"><strong>L41G-2axD (hAP ax lite)</strong></td><td class="confluenceTd">MT7531 (ether1-ether4)</td></tr><tr><td class="confluenceTd"><strong>RB750Gr3 (hEX), RB760iGS 
(hEX S)</strong></td><td class="confluenceTd">MT7621 (ether1-ether5)</td></tr><tr><td class="confluenceTd"><strong>RBM33G</strong></td><td class="confluenceTd">MT7621 (ether1-ether3)</td></tr><tr><td class="confluenceTd"><strong>RB3011 series</strong></td><td class="confluenceTd">QCA8337 (ether1-ether5); QCA8337 (ether6-ether10)</td></tr><tr><td class="confluenceTd"><strong>RB OmniTik ac series</strong></td><td class="confluenceTd">QCA8337 (ether1-ether5)</td></tr><tr><td class="confluenceTd"><strong>RBwsAP-5Hac2nD (wsAP ac lite)</strong></td><td class="confluenceTd">Atheros8227 (ether1-ether3)</td></tr><tr><td class="confluenceTd"><strong>RB941-2nD (hAP lite)</strong></td><td class="confluenceTd">Atheros8227 (ether1-ether4)</td></tr><tr><td class="confluenceTd"><strong>RB951Ui-2nD (hAP); RB952Ui-5ac2nD (hAP ac lite); RB750r2 (hEX lite); RB750UPr2 (hEX PoE lite); RB750P-PBr2 (PowerBox); RB750P r2; RBOmniTikU-5HnDr2 (OmniTIK 5); RBOmniTikUPA-5HnDr2 (OmniTIK 5 PoE)</strong></td><td class="confluenceTd">Atheros8227 (ether1-ether5)</td></tr><tr><td class="confluenceTd"><strong>RB750Gr2 (hEX); RB962UiGS-5HacT2HnT (hAP ac); RB960PGS (hEX PoE); RB960PGS-PB (PowerBox Pro)</strong></td><td class="confluenceTd">QCA8337 (ether1-ether5)</td></tr><tr><td class="confluenceTd"><strong>RB953GS</strong></td><td class="confluenceTd">Atheros8327 (ether1-ether3+sfp1)</td></tr><tr><td class="confluenceTd"><strong>RB850Gx2</strong></td><td class="confluenceTd">Atheros8327 (ether1-ether5) with ether1 optional</td></tr><tr><td class="confluenceTd"><strong>RB2011 series</strong></td><td class="confluenceTd">Atheros8327 (ether1-ether5+sfp1); Atheros8227 (ether6-ether10)</td></tr><tr><td class="confluenceTd"><strong>RB750GL; RB751G-2HnD; RB951G-2HnD; RBD52G-5HacD2HnD (hAP ac²), RBD53iG-5HacD2HnD (hAP ac³), RBD53GR-5HacD2HnD&R11e-LTE6 (hAP ac³ LTE6 kit), RBD53G-5HacD2HnD-TC&EG12-EA (Chateau LTE12)<br/></strong></td><td class="confluenceTd">Atheros8327 (ether1-ether5)</td></tr><tr><td 
class="confluenceTd"><strong>RBcAPGi-5acD2nD (cAP ac), RBwAPGR-5HacD2HnD (wAP R ac and wAP ac LTE series), RBwAPG-5HacD2HnD (wAP ac), RBD25G-5HPacQD2HPnD (Audience), RBD25GR-5HPacQD2HPnD&R11e-LTE6 (Audience LTE6 kit), <br/></strong></td><td class="confluenceTd">Atheros8327 (ether1-ether2)</td></tr><tr><td class="confluenceTd"><strong>RBD22UGS-5HPacD2HnD (mANTBox 52 15s)</strong></td><td class="confluenceTd">Atheros8327 (ether1-sfp1)</td></tr><tr><td class="confluenceTd"><strong>RB1100AH</strong></td><td class="confluenceTd">Atheros8327 (ether1-ether5); Atheros8327 (ether6-ether10)</td></tr><tr><td class="confluenceTd"><strong>RB1100AHx2</strong></td><td class="confluenceTd">Atheros8327 (ether1-ether5); Atheros8327 (ether6-ether10)</td></tr><tr><td class="confluenceTd"><strong>CCR1009-8G-1S-1S+; CCR1009-8G-1S</strong></td><td class="confluenceTd">Atheros8327 (ether1-ether4)</td></tr><tr><td class="confluenceTd"><strong>RB493G</strong></td><td class="confluenceTd">Atheros8316 (ether1+ether6-ether9); Atheros8316 (ether2-ether5)</td></tr><tr><td class="confluenceTd"><strong>RB435G</strong></td><td class="confluenceTd">Atheros8316 (ether1-ether3) with ether1 optional</td></tr><tr><td class="confluenceTd"><strong>RB450G</strong></td><td class="confluenceTd">Atheros8316 (ether1-ether5) with ether1 optional</td></tr><tr><td class="confluenceTd"><strong>RB450Gx4</strong></td><td class="confluenceTd">Atheros8327 (ether1-ether5)</td></tr><tr><td class="confluenceTd"><strong>RB433GL</strong></td><td class="confluenceTd">Atheros8327 (ether1-ether3)</td></tr><tr><td class="confluenceTd"><strong>RB750G</strong></td><td class="confluenceTd">Atheros8316 (ether1-ether5)</td></tr><tr><td class="confluenceTd"><strong>RB1200</strong></td><td class="confluenceTd">Atheros8316 (ether1-ether5)</td></tr><tr><td class="confluenceTd"><strong>RB1100</strong></td><td class="confluenceTd">Atheros8316 (ether1-ether5); Atheros8316 (ether6-ether10)</td></tr><tr><td class="confluenceTd"><strong>DISC 
Lite5</strong></td><td class="confluenceTd">Atheros8227 (ether1)</td></tr><tr><td class="confluenceTd"><strong>RBmAP2nD</strong></td><td class="confluenceTd">Atheros8227 (ether1-ether2)</td></tr><tr><td class="confluenceTd"><strong>RBmAP2n</strong></td><td class="confluenceTd">Atheros7240 (ether1-ether2)</td></tr><tr><td class="confluenceTd"><strong>RB750</strong></td><td class="confluenceTd">Atheros7240 (ether2-ether5)</td></tr><tr><td class="confluenceTd"><strong>RB750UP</strong></td><td class="confluenceTd">Atheros7240 (ether2-ether5)</td></tr><tr><td class="confluenceTd"><strong>RB751U-2HnD</strong></td><td class="confluenceTd">Atheros7240 (ether2-ether5)</td></tr><tr><td class="confluenceTd"><strong>RB951-2n</strong></td><td class="confluenceTd">Atheros7240 (ether2-ether5)</td></tr><tr><td class="confluenceTd"><strong>RB951Ui-2HnD</strong></td><td class="confluenceTd">Atheros8227 (ether1-ether5)</td></tr><tr><td class="confluenceTd"><strong>RB433 series</strong></td><td class="confluenceTd">ICPlus175D (ether2-ether3); older models had ICPlus175C</td></tr><tr><td class="confluenceTd"><strong>RB450</strong></td><td class="confluenceTd">ICPlus175D (ether2-ether5); older models had ICPlus175C</td></tr><tr><td class="confluenceTd"><strong>RB493 series</strong></td><td class="confluenceTd">ICPlus178C (ether2-ether9)</td></tr><tr><td class="confluenceTd"><strong>RB816</strong></td><td class="confluenceTd">ICPlus178C (ether1-ether16)</td></tr></tbody></table></div><p>The command-line configuration is under the switch<span> </span>menu. This menu contains a list of all switch chips present in the system and some sub-menus as well.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@MikroTik] > /interface ethernet switch print
Flags: I - invalid
# NAME TYPE MIRROR-SOURCE MIRROR-TARGET SWITCH-ALL-PORTS
0 switch1 Atheros-8327 none none
1 switch2 Atheros-8227 none none </pre>
</div></div><p>Depending on the switch type, different configuration capabilities are available.</p><h1 id="SwitchChipFeatures-Features"><span class="mw-headline">Features</span></h1><hr/><h2 id="SwitchChipFeatures-PortSwitching"><span class="mw-headline">Port Switching</span></h2><p>To set up port switching on non-CRS series devices, check the<span> </span><a href="https://help.mikrotik.com/docs/display/ROS/Bridging+and+Switching#BridgingandSwitching-BridgeHardwareOffloading" rel="nofollow">Bridge Hardware Offloading</a><span> </span>page.</p><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>Port switching in RouterOS v6.41 and newer is done using the bridge configuration. Before RouterOS v6.41, port switching was done using the<span> </span>master-port<span> </span>property.</p></div></div><h3 id="SwitchChipFeatures-SwitchAllPortsFeature"><span class="mw-headline">Switch All Ports Feature</span></h3><p>The ether1 port on RB450G/RB435G/RB850Gx2 devices has a feature that allows it to be removed from or added to the default switch group; this setting is available in the <code><span style="color: rgb(51,153,102);">/interface ethernet switch</span> </code>menu. 
By default, the ether1 port is included in the switch group.</p><p><span class="confluence-embedded-file-wrapper image-center-wrapper"><img class="confluence-embedded-image image-center" draggable="false" src="https://help.mikrotik.com/docs/download/attachments/15302988/Switch4.png?version=1&modificationDate=1583499374411&api=v2" data-image-src="https://help.mikrotik.com/docs/download/attachments/15302988/Switch4.png?version=1&modificationDate=1583499374411&api=v2" data-unresolved-comment-count="0" data-linked-resource-id="19136841" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="Switch4.png" data-base-url="https://help.mikrotik.com/docs" data-linked-resource-content-type="image/png" data-linked-resource-container-id="15302988" data-linked-resource-container-version="75" alt=""></span></p><div class="table-wrap"><table class="wrapped confluenceTable"><colgroup><col/><col/></colgroup><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><span><strong>switch-all-ports</strong> </span>(<em>no | yes</em>; Default: <strong>yes</strong>)</td><td class="confluenceTd"><p>Changes the ether1 switch group only on RB450G/RB435G/RB850Gx2 devices.</p><ul><li><code>yes</code> - ether1 is part of the switch and supports switch grouping and all other advanced Atheros8316/Atheros8327 features, including extended statistics (<code>/interface ethernet print stats</code>).</li><li><code>no</code> - ether1 is not part of the switch, effectively making it a stand-alone Ethernet port. This increases its throughput to other ports in bridged and routed mode, but removes the switching possibility on this port.</li></ul></td></tr></tbody></table></div><h2 id="SwitchChipFeatures-PortMirroring"><span class="mw-headline">Port Mirroring</span></h2><p>Port mirroring lets the switch copy all traffic that is going in and out of one port (<code><span style="color: 
rgb(51,153,102);">mirror-source</span></code>) and send out these copied frames to some other port (<code><span style="color: rgb(51,153,102);">mirror-target</span></code>). This feature can be used to easily set up a 'tap' device that receives all traffic that goes in/out of some specific port. Note that the <code><span style="color: rgb(51,153,102);">mirror-source</span></code> and <code><span style="color: rgb(51,153,102);">mirror-target</span></code> ports have to belong to the same switch (see which port belongs to which switch in the<span> </span><code>/interface ethernet</code><span> </span>menu). Also, <code><span style="color: rgb(51,153,102);">mirror-target</span></code> can have a special '<code>cpu</code>' value, which means that mirrored packets should be sent out to the switch chip's CPU port. Port mirroring happens independently of switching groups that have or have not been set up.</p><p><strong>Sub-menu:</strong><span> </span><code>/interface ethernet switch</code></p><div class="table-wrap"><table class="wrapped confluenceTable"><colgroup><col/><col/></colgroup><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><span><strong>mirror-source</strong> </span>(<em>name | none</em>; Default: <strong>none</strong>)</td><td class="confluenceTd"><p>Selects a single mirroring source port. Ingress and egress traffic will be sent to the <code><span style="color: rgb(51,153,102);">mirror-target</span></code> port. 
<span style="color: rgb(23,43,77);">Note that <code><span style="color: rgb(51,153,102);">mirror-target</span></code> port has to belong to the same switch (see which port belongs to which switch in</span><span style="color: rgb(23,43,77);"> </span><code>/interface ethernet</code><span style="color: rgb(23,43,77);"> </span><span style="color: rgb(23,43,77);">menu).</span></p></td></tr><tr><td colspan="1" class="confluenceTd"><span><strong>mirror-target</strong> </span>(<em>name | none | cpu</em>; Default: <strong>none</strong>)</td><td colspan="1" class="confluenceTd"><p>Selects a single mirroring target port. Mirrored packets from <code><span style="color: rgb(51,153,102);">mirror-source</span></code> and <code><span style="color: rgb(51,153,102);">mirror</span></code> (see the property in rule and host table) will be sent to the selected port.</p></td></tr><tr><td colspan="1" class="confluenceTd"><span><strong>mirror-egress-target</strong> </span>(<em>name | none</em>; Default: <strong>none</strong>)</td><td colspan="1" class="confluenceTd"><p>Selects a single mirroring egress target port, only available on <strong>88E6393X</strong>, <strong>88E6191X</strong> and <span style="color: rgb(23,43,77);"><strong>88E6190</strong> </span>switch chips. 
Mirrored packets from <code><span style="color: rgb(51,153,102);">mirror-egress</span></code> (see the property in port menu) will be sent to the selected port.</p></td></tr></tbody></table></div><p><strong>Sub-menu:</strong><span> </span><code>/interface ethernet switch rule</code></p><div class="table-wrap"><table class="wrapped confluenceTable"><colgroup><col/><col/></colgroup><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>mirror</strong><span> </span>(<em>no | yes</em>; Default:<span> <strong>no</strong></span>)</td><td class="confluenceTd">Whether to send a packet copy to <span style="color: rgb(51,153,102);"><code>mirror-target</code></span> port.</td></tr><tr><td colspan="1" class="confluenceTd"><strong>mirror-ports</strong><span> </span>(<em>name</em>; Default:<span> </span>)</td><td colspan="1" class="confluenceTd">Selects multiple mirroring target ports, only available on <strong>88E6393X</strong> switch chip. 
Matched packets in the ACL rule will be copied and sent to selected ports.</td></tr></tbody></table></div><p><strong>Sub-menu:</strong><span> </span><code>/interface ethernet switch host</code></p><div class="table-wrap"><table class="wrapped confluenceTable"><colgroup><col/><col/></colgroup><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>mirror</strong><span> </span>(<em>no | yes</em>; Default:<span> <strong>no</strong></span>)</td><td class="confluenceTd">Whether to send a frame copy to <span style="color: rgb(51,153,102);"><code>mirror-target</code></span> port from a frame with a matching MAC destination address (matching destination or source address for CRS3xx series switches)</td></tr></tbody></table></div><p><strong>Sub-menu:</strong><span> </span><code>/interface ethernet switch port</code></p><div class="table-wrap"><table class="wrapped confluenceTable"><colgroup><col style="width: 344.0px;"/><col style="width: 1119.0px;"/></colgroup><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><span><strong>mirror-egress</strong> (<em>no | yes</em>; Default: <strong>no</strong>)</span></td><td class="confluenceTd"><p>Whether to send egress packet copy to the <span style="color: rgb(51,153,102);"><code>mirror-egress-target</code></span> port, only available on <strong>88E6393X</strong>, <strong>88E6191X</strong> and <span style="color: rgb(23,43,77);"><strong>88E6190</strong></span> switch chips.</p></td></tr><tr><td colspan="1" class="confluenceTd"><span><strong>mirror-ingress</strong> (<em>no | yes</em>; Default: <strong>no</strong>)</span></td><td colspan="1" class="confluenceTd"><p>Whether to send ingress packet copy to the <span style="color: rgb(51,153,102);"><code>mirror-ingress-target</code></span> port, only available on <strong>88E6393X</strong>, <strong>88E6191X</strong> and <span style="color: 
rgb(23,43,77);"><strong>88E6190</strong></span> switch chips.</p></td></tr><tr><td colspan="1" class="confluenceTd"><span><strong>mirror-ingress-target</strong> </span>(<em>name | none</em>; Default: <strong>none</strong>)</td><td colspan="1" class="confluenceTd"><p>Selects a single mirroring ingress target port, only available on <strong>88E6393X</strong>, <strong>88E6191X</strong> and <span style="color: rgb(23,43,77);"><strong>88E6190</strong></span> switch chips. Mirrored packets from <code><span style="color: rgb(51,153,102);">mirror-ingress</span></code> will be sent to the selected port.</p></td></tr></tbody></table></div><p>Port mirroring configuration example:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface ethernet switch
set switch1 mirror-source=ether2 mirror-target=ether3</pre>
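<p>The constraints this section places on mirroring (source and target on the same switch chip, chip-specific properties, and the CPU-target loop on devices with two switch chips), written as a configuration check. This is an added example, not MikroTik code: the function name, the dictionary layout and the chip-type spellings (taken from the feature table) are assumptions, and the sample configurations are constructed.</p>

```python
"""Check port-mirroring settings against the constraints stated on this page.

Added example. The data layout is an assumption, not a RouterOS API: fill the
dictionaries by hand from `/interface ethernet switch print`,
`/interface ethernet print` and your bridge port list.
"""

# Chips the feature table lists with Port Mirroring = "no".
NO_MIRRORING = {"IPQ-PPE", "98PX1012", "Other"}
# Chips the page names as supporting mirror-egress-target.
EGRESS_TARGET_CHIPS = {"88E6393X", "88E6191X", "88E6190"}


def audit_mirroring(switches, port_switch, bridges):
    """Return a sorted list of (finding code, switch or bridge name).

    switches    -- {switch name: {"type": ..., "mirror-source": ...,
                   "mirror-target": ..., "mirror-egress-target": ...}}
                   (mirror keys are optional and default to "none")
    port_switch -- {port name: name of the switch chip the port belongs to}
    bridges     -- {bridge name: set of member port names}
    """
    findings = set()
    cpu_mirrored = {}  # mirror-source port -> switch, where mirror-target=cpu

    for name, sw in switches.items():
        source = sw.get("mirror-source", "none")
        target = sw.get("mirror-target", "none")
        egress_target = sw.get("mirror-egress-target", "none")

        if sw["type"] in NO_MIRRORING and (source != "none" or target != "none"):
            findings.add(("MIRROR_UNSUPPORTED", name))
        # mirror-source and mirror-target must belong to the same switch.
        if source != "none" and port_switch.get(source) != name:
            findings.add(("SOURCE_ON_OTHER_SWITCH", name))
        if target not in ("none", "cpu") and port_switch.get(target) != name:
            findings.add(("TARGET_ON_OTHER_SWITCH", name))
        if egress_target != "none" and sw["type"] not in EGRESS_TARGET_CHIPS:
            findings.add(("EGRESS_TARGET_UNSUPPORTED", name))
        if source != "none" and target == "cpu":
            cpu_mirrored[source] = name

    # Loop case: mirror-source ports of two or more switch chips sit in one
    # bridge while each of those chips mirrors to the CPU.
    for bridge, members in bridges.items():
        chips = {cpu_mirrored[port] for port in members if port in cpu_mirrored}
        if len(chips) >= 2:
            findings.add(("CPU_MIRROR_LOOP", bridge))

    return sorted(findings)


# Constructed sample: a two-chip board laid out like the RB2011 row of the
# RouterBoard table (ether1-ether5+sfp1 on one chip, ether6-ether10 on the other).
PORT_SWITCH = {f"ether{i}": "switch1" for i in range(1, 6)}
PORT_SWITCH["sfp1"] = "switch1"
PORT_SWITCH.update({f"ether{i}": "switch2" for i in range(6, 11)})
BRIDGES = {"bridge1": {"ether2", "ether7"}}


def sample_switches(switch1_settings, switch2_settings):
    """Build the two-chip sample with the given mirror settings per chip."""
    return {
        "switch1": {"type": "Atheros8327", **switch1_settings},
        "switch2": {"type": "Atheros8227", **switch2_settings},
    }


# The configuration from the example above: source and target on switch1.
PAGE_EXAMPLE = sample_switches(
    {"mirror-source": "ether2", "mirror-target": "ether3"}, {})
# Both chips mirror a bridged port to the CPU: the loop described in the warning.
CPU_LOOP = sample_switches(
    {"mirror-source": "ether2", "mirror-target": "cpu"},
    {"mirror-source": "ether7", "mirror-target": "cpu"})
# Target port sits on the other switch chip.
CROSS_CHIP = sample_switches(
    {"mirror-source": "ether2", "mirror-target": "ether8"}, {})

if __name__ == "__main__":
    for label, cfg in (("page example", PAGE_EXAMPLE),
                       ("cpu loop", CPU_LOOP),
                       ("cross chip", CROSS_CHIP)):
        print(label, audit_mirroring(cfg, PORT_SWITCH, BRIDGES))
```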
</div></div><div class="confluence-information-macro confluence-information-macro-warning"><span class="aui-icon aui-icon-small aui-iconfont-error confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>If you set <span style="color: rgb(51,153,102);">mirror-source</span> to an Ethernet port on a device with at least two switch chips, these mirror-source ports are in a single bridge, and mirror-target on both switch chips is set to send the packets to the CPU, then this will result in a loop, which can make your device inaccessible.</p></div></div><h2 id="SwitchChipFeatures-PortSettings"><span class="mw-headline">Port Settings</span></h2><p>Properties under this menu are used to configure VLAN switching and filtering options for switch chips that support a VLAN Table. These properties are only available on switch chips that have VLAN Table support; check the<span> </span><a href="https://help.mikrotik.com/docs/display/ROS/Switch+Chip+Features#SwitchChipFeatures-Introduction" rel="nofollow">Switch Chip Features</a><span> </span>table to make sure your device supports this feature.</p><div class="confluence-information-macro confluence-information-macro-warning"><span class="aui-icon aui-icon-small aui-iconfont-error confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>Ingress traffic is traffic that is being sent<span> </span><strong>IN</strong><span> </span>to a certain port; this port is sometimes called the<span> </span><strong>ingress port</strong>. Egress traffic is traffic that is being sent<span> </span><strong>OUT</strong><span> </span>of a certain port; this port is sometimes called the<span> </span><strong>egress port</strong>. 
Distinguishing them is very important to properly set up VLAN filtering since some properties apply only to either ingress or egress traffic.</p></div></div><div class="table-wrap"><table class="wrapped confluenceTable"><colgroup><col/><col/></colgroup><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>vlan-mode</strong><span> </span>(<em>check | disabled | fallback | secure</em>; Default:<span> </span><strong>disabled</strong>)</td><td class="confluenceTd">Changes the VLAN lookup mechanism against the<span> </span><a href="https://help.mikrotik.com/docs/display/ROS/Switch+Chip+Features#SwitchChipFeatures-VLANTable" rel="nofollow">VLAN Table</a><span> </span>for ingress traffic.<ul><li><code>disabled</code><span> </span>- disables checking against the VLAN Table completely for ingress traffic. No traffic is dropped when set on the ingress port.</li><li><code>fallback</code><span> </span>- checks tagged traffic against the VLAN Table for ingress traffic and forwards all untagged traffic. If ingress traffic is tagged and the egress port is not found in the VLAN table for the appropriate VLAN ID, then traffic is dropped. If a VLAN ID is not found in the VLAN Table, then traffic is forwarded. Used to allow known VLANs only in specific ports.</li><li><code>check</code><span> </span>- checks tagged traffic against the VLAN Table for ingress traffic and drops all untagged traffic. If ingress traffic is tagged and the egress port is not found in the VLAN table for the appropriate VLAN ID, then traffic is dropped.</li><li><code>secure</code><span> </span>- checks tagged traffic against the VLAN Table for ingress traffic and drops all untagged traffic. 
Both ingress and egress port must be found in the VLAN Table for the appropriate VLAN ID, otherwise, traffic is dropped.</li></ul></td></tr><tr><td class="confluenceTd"><strong>vlan-header</strong><span> </span>(<em>add-if-missing | always-strip | leave-as-is</em>; Default:<span> </span><strong>leave-as-is</strong>)</td><td class="confluenceTd">Sets action which is performed on the port for egress traffic.<ul><li><code>add-if-missing</code><span> </span>- adds a VLAN tag on egress traffic and uses<span> </span>default-vlan-id<span> </span>from the ingress port. Should be used for trunk ports.</li><li><code>always-strip</code><span> </span>- removes a VLAN tag on egress traffic. Should be used for access ports.</li><li><code>leave-as-is</code><span> </span>- does not add nor remove a VLAN tag on egress traffic. Should be used for hybrid ports.</li></ul></td></tr><tr><td class="confluenceTd"><strong>default-vlan-id</strong><span> </span>(<em>auto | integer: 0..4095</em>; Default:<span> </span><strong>auto</strong>)</td><td class="confluenceTd">Adds a VLAN tag with the specified VLAN ID on all untagged ingress traffic on a port, should be used with<span> </span><span style="color: rgb(51,153,102);">vlan-header</span><span> </span>set to<span> </span><span style="color: rgb(51,153,102);"><code>always-strip</code></span><span> </span>on a port to configure the port to be the access port. For hybrid ports<span> </span><span style="color: rgb(51,153,102);">default-vlan-id </span>is used to tag untagged traffic. 
If two ports have the same<span style="color: rgb(51,153,102);"> default-vlan-id</span>, then VLAN tag is not added since the switch chip assumes that traffic is being forwarded between access ports.</td></tr></tbody></table></div><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>On <strong>QCA8337</strong> and <strong>Atheros8327</strong> switch chips, a default <span style="color: rgb(51,153,102);"><code>vlan-header=leave-as-is</code> </span>property should be used. The switch chip will determine which ports are access ports by using the <span style="color: rgb(51,153,102);"><code>default-vlan-id</code></span> property. The <span style="color: rgb(51,153,102);"><code>default-vlan-id</code></span> should only be used on access/hybrid ports to specify which VLAN the untagged ingress traffic is assigned to.</p></div></div><h2 id="SwitchChipFeatures-VLANTable"><span class="mw-headline">VLAN Table</span></h2><p><span style="color: rgb(34,34,34);">VLAN table specifies certain forwarding rules for packets that have a specific 802.1Q tag. Those rules are of higher priority than switch groups configured using the<span> </span></span><a href="https://help.mikrotik.com/docs/display/ROS/Bridging+and+Switching#BridgingandSwitching-BridgeHardwareOffloading" rel="nofollow">Bridge Hardware Offloading</a><span style="color: rgb(34,34,34);"><span> </span>feature. Basically, the table contains entries that map specific VLAN tag IDs to a group of one or more ports. Packets with VLAN tags leave the switch chip through one or more ports that are set in the corresponding table entry. 
How packets with VLAN tags are treated is controlled by the <code>vlan-mode</code> parameter, which can be changed per switch port.</span></p><p><span style="color: rgb(34,34,34);">VLAN ID based forwarding takes into account the MAC addresses dynamically learned or manually added in the host table. QCA8337 and Atheros8327 switch chips also support Independent VLAN Learning (IVL), which does the learning based on both MAC addresses and VLAN IDs, thus allowing the same MAC to be used in multiple VLANs.</span></p><p>Packets without a VLAN tag are treated just as if they had a VLAN tag with the port's<code><span> </span><span style="color: rgb(51,153,102);">default-vlan-id</span></code>. If <span style="color: rgb(51,153,102);"><code>vlan-mode=check</code></span> or <span style="color: rgb(51,153,102);"><code>vlan-mode=secure</code></span> is configured, you have to add an entry to the VLAN table with the same VLAN ID as<span> </span><span style="color: rgb(51,153,102);"><code>default-vlan-id</code></span> in order to forward packets without VLAN tags.</p><div class="table-wrap"><table class="wrapped confluenceTable"><colgroup><col/><col/></colgroup><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>disabled</strong><span> </span>(<em>no | yes</em>; Default:<span> <strong>no</strong></span>)</td><td class="confluenceTd">Enables or disables switch VLAN entry.</td></tr><tr><td class="confluenceTd"><span><strong>independent-learning</strong> </span>(<em>no | yes</em>; Default:<span> <strong>yes</strong></span>)</td><td class="confluenceTd">Whether to use shared-VLAN-learning (SVL) or independent-VLAN-learning (IVL). </td></tr><tr><td class="confluenceTd"><span><strong>ports</strong> </span>(<em>name</em>; Default:<span> <strong>none</strong></span>)</td><td class="confluenceTd">Interface member list for the respective VLAN. This setting accepts comma-separated values, 
e.g.<span> </span><code>ports=ether1,ether2</code>.</td></tr><tr><td class="confluenceTd"><span><strong>switch</strong> </span>(<em>name</em>; Default:<span> <strong>none</strong></span>)</td><td class="confluenceTd">Name of the switch <span style="color: rgb(34,34,34);">for which the respective VLAN entry is intended.</span></td></tr><tr><td class="confluenceTd"><span><strong>vlan-id</strong> </span>(<em>integer: 0..4095</em>; Default:<strong> </strong>)</td><td class="confluenceTd">The VLAN ID for certain switch port configurations.</td></tr></tbody></table></div><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>Devices with <strong>MT7621</strong>, <strong>MT7531</strong>, <strong>RTL8367</strong>, <strong>88E6393X</strong>, <strong>88E6191X</strong>, <span style="color: rgb(23,43,77);"><strong>88E6190 </strong></span>switch chips support <a href="https://help.mikrotik.com/docs/display/ROS/Bridging+and+Switching#BridgingandSwitching-BridgeVLANFiltering" rel="nofollow">HW offloaded vlan-filtering</a> in RouterOS v7. On these devices, VLAN-related configuration on the "<span style="color: rgb(51,153,102);">/interface ethernet switch</span>" menu is not available. </p></div></div><p><span style="font-size: 16.0px;font-weight: bold;letter-spacing: -0.006em;">VLAN Forwarding</span></p><p>Both<span> </span><code>vlan-mode</code><span> </span>and<span> </span><code>vlan-header</code><span> </span>along with the VLAN Table can be used to configure VLAN tagging, untagging and filtering. Multiple combinations are possible, each achieving a different result. 
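</p><p>The lookup that the <code>vlan-mode</code> and <code>vlan-header</code> properties and the VLAN Forwarding tables in this section describe can be modelled as one function and run over a port configuration to list where tagged frames are forwarded without VLAN membership. The Python model below is an added example, not MikroTik code; the function names, port names and VLAN IDs are constructed, and it assumes that each table's VLAN mode is the ingress port's <code>vlan-mode</code> and that L/S/A is the egress port's <code>vlan-header</code>.</p>

```python
# Added example: a model of the page's VLAN Forwarding tables, not MikroTik code.
# Cell codes follow the page's legend: U, T, TA are forwarded; DI, DE are dropped.
# None marks a cell that the tables leave empty.

MODES = ("disabled", "fallback", "check", "secure")
HEADERS = ("L", "S", "A")  # leave-as-is, always-strip, add-if-missing
FORWARDED = ("U", "T", "TA")


def _tagged_out(header):
    # A tagged frame leaves untagged only through an always-strip port.
    return "U" if header == "S" else "T"


def egress_result(mode, header, tagged, vid_match=False,
                  port_match=False, egress_in_vlan=False):
    """Return the table cell for one frame.

    mode           vlan-mode of the ingress port (assumed to be the tables' "VLAN Mode")
    header         vlan-header of the egress port as L, S or A
    tagged         the frame arrived with a VLAN tag
    vid_match      the tag's VLAN ID has an entry in the VLAN Table
    port_match     the ingress port is listed in that entry
    egress_in_vlan the egress port is listed in that entry
    """
    if mode not in MODES or header not in HEADERS:
        raise ValueError("unknown vlan-mode or vlan-header")
    if not tagged:
        if mode in ("check", "secure"):
            return None  # row left empty in the check and secure tables
        return "TA" if header == "A" else "U"
    if not vid_match:
        if egress_in_vlan:
            return None  # no entry for this VLAN ID, so no port can be listed
        return "DI" if mode in ("check", "secure") else _tagged_out(header)
    if mode == "secure" and not port_match:
        return "DI"  # only secure checks the ingress port's membership
    if mode != "disabled" and not egress_in_vlan:
        return "DE"
    return _tagged_out(header)


def forwarded_without_membership(ports, vlan_table, unknown_vid):
    """List (ingress, vid, egress, cell) for tagged frames that are forwarded
    although the ingress port is not a member of the frame's VLAN.

    ports       name -> (vlan-mode, vlan-header letter)
    vlan_table  VLAN ID -> set of member port names
    unknown_vid a VLAN ID with no VLAN Table entry, to exercise "no VID match"
    """
    findings = []
    for ingress, (mode, _) in sorted(ports.items()):
        for vid in sorted(vlan_table) + [unknown_vid]:
            members = vlan_table.get(vid, set())
            if ingress in members:
                continue  # member ports are expected to carry this VLAN
            for egress, (_, header) in sorted(ports.items()):
                if egress == ingress:
                    continue
                cell = egress_result(mode, header, True, vid in vlan_table,
                                     False, egress in members)
                if cell in FORWARDED:
                    findings.append((ingress, vid, egress, cell))
    return findings


# Constructed sample: ether1 is the trunk, ether2 and ether3 are access ports,
# ether4 still has the default vlan-mode=disabled.
SAMPLE_PORTS = {
    "ether1": ("secure", "A"),
    "ether2": ("secure", "S"),
    "ether3": ("fallback", "S"),
    "ether4": ("disabled", "L"),
}
SAMPLE_VLANS = {200: {"ether1", "ether2"}, 300: {"ether1", "ether3"}}

if __name__ == "__main__":
    for row in forwarded_without_membership(SAMPLE_PORTS, SAMPLE_VLANS, 999):
        print("ingress=%s vid=%s egress=%s result=%s" % row)
```

<p>In the sample, only the ports left at <code>fallback</code> and <code>disabled</code> appear in the output, because <code>secure</code> is the only mode in the tables that drops a tagged frame whose ingress port is not listed for its VLAN ID.</p>
<p>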
Below you can find a table of what kind of traffic is going to be sent out through an egress port when a certain traffic is received on an ingress port for each VLAN Mode.</p><p><strong>NOTES:</strong></p><ul><li><strong>L</strong><span> </span>-<span> </span><code>vlan-header</code><span> </span>is set to<span> </span><code>leave-as-is</code></li><li><strong>S</strong><span> </span>-<span> </span><code>vlan-header</code><span> </span>set to<span> </span><code>always-strip</code></li><li><strong>A</strong><span> </span>-<span> </span><code>vlan-header</code><span> </span>set to<span> </span><code>add-if-missing</code></li><li><strong>U</strong><span> </span>- Untagged traffic is sent out</li><li><strong>T</strong><span> </span>- Tagged traffic is sent out, a tag is already present on the ingress port</li><li><strong>TA</strong><span> </span>- Tagged traffic is sent out, a tag was added on the ingress port</li><li><strong>DI</strong><span> </span>- Traffic is dropped on ingress port because of mode selected in<span> </span>vlan-mode</li><li><strong>DE</strong><span> </span>- Traffic is dropped on egress port because egress port was not found in the VLAN Table</li><li><strong>VID match</strong><span> </span>- VLAN ID from the VLAN tag for ingress traffic is present in the VLAN Table</li><li><strong>Port match</strong><span> </span>- Ingress port is present in the VLAN Table for the appropriate VLAN ID</li></ul><div class="table-wrap"><table class="wrapped confluenceTable" style="text-align: center;"><colgroup><col/><col/><col/><col/><col/><col/><col/></colgroup><tbody><tr><td rowspan="2" class="confluenceTd"><em>VLAN Mode = disabled</em></td><th style="text-align: center;" colspan="3" class="confluenceTh">Egress port not present in VLAN Table</th><th style="text-align: center;" colspan="3" class="confluenceTh">Egress port is present in VLAN Table</th></tr><tr><th style="text-align: center;" class="confluenceTh">L</th><th style="text-align: center;" 
class="confluenceTh">S</th><th style="text-align: center;" class="confluenceTh">A</th><th style="text-align: center;" class="confluenceTh">L</th><th style="text-align: center;" class="confluenceTh">S</th><th style="text-align: center;" class="confluenceTh">A</th></tr><tr><th style="text-align: center;" class="confluenceTh">Untagged traffic</th><td class="confluenceTd">U</td><td class="confluenceTd">U</td><td class="confluenceTd">TA</td><td class="confluenceTd">U</td><td class="confluenceTd">U</td><td class="confluenceTd">TA</td></tr><tr><th style="text-align: center;" class="confluenceTh">Tagged traffic; no VID match</th><td class="confluenceTd">T</td><td class="confluenceTd">U</td><td class="confluenceTd">T</td><td colspan="3" class="confluenceTd"><br/></td></tr><tr><th style="text-align: center;" class="confluenceTh">Tagged traffic; VID match; no Port match</th><td class="confluenceTd">T</td><td class="confluenceTd">U</td><td class="confluenceTd">T</td><td class="confluenceTd">T</td><td class="confluenceTd">U</td><td class="confluenceTd">T</td></tr><tr><th style="text-align: center;" class="confluenceTh">Tagged traffic; VID match; Port match</th><td class="confluenceTd">T</td><td class="confluenceTd">U</td><td class="confluenceTd">T</td><td class="confluenceTd">T</td><td class="confluenceTd">U</td><td class="confluenceTd">T</td></tr></tbody></table></div><div class="table-wrap"><table class="wrapped confluenceTable" style="text-align: center;"><colgroup><col/><col/><col/><col/><col/><col/><col/></colgroup><tbody><tr><td rowspan="2" class="confluenceTd"><em>VLAN Mode = fallback</em></td><th style="text-align: center;" colspan="3" class="confluenceTh">Egress port not present in VLAN Table</th><th style="text-align: center;" colspan="3" class="confluenceTh">Egress port is present in VLAN Table</th></tr><tr><th style="text-align: center;" class="confluenceTh">L</th><th style="text-align: center;" class="confluenceTh">S</th><th style="text-align: center;" 
class="confluenceTh">A</th><th style="text-align: center;" class="confluenceTh">L</th><th style="text-align: center;" class="confluenceTh">S</th><th style="text-align: center;" class="confluenceTh">A</th></tr><tr><th style="text-align: center;" class="confluenceTh">Untagged traffic</th><td class="confluenceTd">U</td><td class="confluenceTd">U</td><td class="confluenceTd">TA</td><td class="confluenceTd">U</td><td class="confluenceTd">U</td><td class="confluenceTd">TA</td></tr><tr><th style="text-align: center;" class="confluenceTh">Tagged traffic; no VID match</th><td class="confluenceTd">T</td><td class="confluenceTd">U</td><td class="confluenceTd">T</td><td colspan="3" class="confluenceTd"><br/></td></tr><tr><th style="text-align: center;" class="confluenceTh">Tagged traffic; VID match; no Port match</th><td class="highlight-red confluenceTd" title="Background colour : Red" data-highlight-colour="red">DE</td><td class="highlight-red confluenceTd" title="Background colour : Red" data-highlight-colour="red">DE</td><td class="highlight-red confluenceTd" title="Background colour : Red" data-highlight-colour="red">DE</td><td class="confluenceTd">T</td><td class="confluenceTd">U</td><td class="confluenceTd">T</td></tr><tr><th style="text-align: center;" class="confluenceTh">Tagged traffic; VID match; Port match</th><td class="highlight-red confluenceTd" title="Background colour : Red" data-highlight-colour="red">DE</td><td class="highlight-red confluenceTd" title="Background colour : Red" data-highlight-colour="red">DE</td><td class="highlight-red confluenceTd" title="Background colour : Red" data-highlight-colour="red">DE</td><td class="confluenceTd">T</td><td class="confluenceTd">U</td><td class="confluenceTd">T</td></tr></tbody></table></div><div class="table-wrap"><table class="wrapped confluenceTable" style="text-align: center;"><colgroup><col/><col/><col/><col/><col/><col/><col/></colgroup><tbody><tr><td rowspan="2" class="confluenceTd"><em>VLAN Mode = 
check</em></td><th style="text-align: center;" colspan="3" class="confluenceTh">Egress port not present in VLAN Table</th><th style="text-align: center;" colspan="3" class="confluenceTh">Egress port is present in VLAN Table</th></tr><tr><th style="text-align: center;" class="confluenceTh">L</th><th style="text-align: center;" class="confluenceTh">S</th><th style="text-align: center;" class="confluenceTh">A</th><th style="text-align: center;" class="confluenceTh">L</th><th style="text-align: center;" class="confluenceTh">S</th><th style="text-align: center;" class="confluenceTh">A</th></tr><tr><th style="text-align: center;" class="confluenceTh">Untagged traffic</th><td colspan="6" class="confluenceTd"><br/></td></tr><tr><th style="text-align: center;" class="confluenceTh">Tagged traffic; no VID match</th><td class="highlight-red confluenceTd" title="Background colour : Red" data-highlight-colour="red">DI</td><td class="highlight-red confluenceTd" title="Background colour : Red" data-highlight-colour="red">DI</td><td class="highlight-red confluenceTd" title="Background colour : Red" data-highlight-colour="red">DI</td><td colspan="3" class="confluenceTd"><br/></td></tr><tr><th style="text-align: center;" class="confluenceTh">Tagged traffic; VID match; no Port match</th><td class="highlight-red confluenceTd" title="Background colour : Red" data-highlight-colour="red">DE</td><td class="highlight-red confluenceTd" title="Background colour : Red" data-highlight-colour="red">DE</td><td class="highlight-red confluenceTd" title="Background colour : Red" data-highlight-colour="red">DE</td><td class="confluenceTd">T</td><td class="confluenceTd">U</td><td class="confluenceTd">T</td></tr><tr><th style="text-align: center;" class="confluenceTh">Tagged traffic; VID match; Port match</th><td class="highlight-red confluenceTd" title="Background colour : Red" data-highlight-colour="red">DE</td><td class="highlight-red confluenceTd" title="Background colour : Red" 
data-highlight-colour="red">DE</td><td class="highlight-red confluenceTd" title="Background colour : Red" data-highlight-colour="red">DE</td><td class="confluenceTd">T</td><td class="confluenceTd">U</td><td class="confluenceTd">T</td></tr></tbody></table></div><div class="table-wrap"><table class="wrapped confluenceTable" style="text-align: center;"><colgroup><col/><col/><col/><col/><col/><col/><col/></colgroup><tbody><tr><td rowspan="2" class="confluenceTd"><em>VLAN Mode = secure</em></td><th style="text-align: center;" colspan="3" class="confluenceTh">Egress port not present in VLAN Table</th><th style="text-align: center;" colspan="3" class="confluenceTh">Egress port is present in VLAN Table</th></tr><tr><th style="text-align: center;" class="confluenceTh">L</th><th style="text-align: center;" class="confluenceTh">S</th><th style="text-align: center;" class="confluenceTh">A</th><th style="text-align: center;" class="confluenceTh">L</th><th style="text-align: center;" class="confluenceTh">S</th><th style="text-align: center;" class="confluenceTh">A</th></tr><tr><th style="text-align: center;" class="confluenceTh">Untagged traffic</th><td colspan="6" class="confluenceTd"><br/></td></tr><tr><th style="text-align: center;" class="confluenceTh">Tagged traffic; no VID match</th><td class="highlight-red confluenceTd" title="Background colour : Red" data-highlight-colour="red">DI</td><td class="highlight-red confluenceTd" title="Background colour : Red" data-highlight-colour="red">DI</td><td class="highlight-red confluenceTd" title="Background colour : Red" data-highlight-colour="red">DI</td><td colspan="3" class="confluenceTd"><br/></td></tr><tr><th style="text-align: center;" class="confluenceTh">Tagged traffic; VID match; no Port match</th><td class="highlight-red confluenceTd" title="Background colour : Red" data-highlight-colour="red">DI</td><td class="highlight-red confluenceTd" title="Background colour : Red" data-highlight-colour="red">DI</td><td 
class="highlight-red confluenceTd" title="Background colour : Red" data-highlight-colour="red">DI</td><td class="highlight-red confluenceTd" title="Background colour : Red" data-highlight-colour="red">DI</td><td class="highlight-red confluenceTd" title="Background colour : Red" data-highlight-colour="red">DI</td><td class="highlight-red confluenceTd" title="Background colour : Red" data-highlight-colour="red">DI</td></tr><tr><th style="text-align: center;" class="confluenceTh">Tagged traffic; VID match; Port match</th><td class="highlight-red confluenceTd" title="Background colour : Red" data-highlight-colour="red">DE</td><td class="highlight-red confluenceTd" title="Background colour : Red" data-highlight-colour="red">DE</td><td class="highlight-red confluenceTd" title="Background colour : Red" data-highlight-colour="red">DE</td><td class="confluenceTd">T</td><td class="confluenceTd">U</td><td class="confluenceTd">T</td></tr></tbody></table></div><p><br/></p><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>The tables above are meant for more advanced configurations and to double-check your understanding of how packets will be processed with each VLAN related property.</p></div></div><h2 id="SwitchChipFeatures-HostTable"><span style="letter-spacing: -0.008em;">Host Table</span></h2><p>The host table represents the switch chip's internal MAC address to port mapping. It can contain two kinds of entries: dynamic and static. Dynamic entries are added automatically in what is called the learning process: when the switch chip receives a packet from a certain port, it adds the packet's source MAC address and the port it received the packet from to the host table, so when a packet comes in with the same destination MAC address, it knows to which port it should forward the packet. 
If the destination MAC address is not present in the host table (so-called unknown-unicast traffic) then it forwards the packet to all ports in the group. Dynamic entries take about 5 minutes to time out. Learning is enabled only on ports that are configured as part of the switch group, so you won't see dynamic entries if you have not set up port switching. Also, you can add static entries that take over dynamic if a dynamic entry with the same MAC address already exists. Since port switching is configured using a bridge with hardware offloading, any static entries created on one table (either bridge host or switch host) will appear on the opposite table as a dynamic entry. Adding a static entry on the switch host table will provide access to some more functionality that is controlled via the following params:</p><div class="table-wrap"><table class="wrapped confluenceTable"><colgroup><col/><col/></colgroup><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><span><strong>copy-to-cpu</strong> </span>(<em>no | yes</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">Whether to send a frame copy to switch CPU port from a frame with a matching MAC destination address (matching destination or source address for CRS3xx series switches)</td></tr><tr><td class="confluenceTd"><strong>drop</strong><span> </span>(<em>no | yes</em>; Default:<span> <strong>no</strong></span>)</td><td class="confluenceTd">Whether to drop a frame with a matching MAC source address received on a certain port (matching destination or source address for CRS3xx series switches)</td></tr><tr><td class="confluenceTd"><strong>mac-address</strong><span> </span>(<em>MAC;</em> Default:<span> <strong>00:00:00:00:00:00</strong></span>)</td><td class="confluenceTd">Host's MAC address</td></tr><tr><td colspan="1" class="confluenceTd"><strong>mirror</strong><span> </span>(<em>no | yes</em>; Default:<span> 
<strong>no</strong></span>)</td><td colspan="1" class="confluenceTd">Whether to send a frame copy to <span style="color: rgb(51,153,102);"><code>mirror-target</code></span> port from a frame with a matching MAC destination address (matching destination or source address for CRS3xx series switches)</td></tr><tr><td colspan="1" class="confluenceTd"><span><strong>ports</strong> </span>(<em>name</em>; Default:<span> <strong>none</strong></span>)</td><td colspan="1" class="confluenceTd">Name of the interface, static MAC address can be mapped to more than one port, including switch CPU port</td></tr><tr><td colspan="1" class="confluenceTd"><span><strong>redirect-to-cpu</strong> </span>(<em>no | yes</em>; Default:<span> <strong>no</strong></span>)</td><td colspan="1" class="confluenceTd">Whether to redirect a frame to switch CPU port from a frame with a matching MAC destination address (matching destination or source address for CRS3xx series switches)</td></tr><tr><td colspan="1" class="confluenceTd"><strong>share-vlan-learned </strong>(<em>no | yes</em>; Default:<span> <strong>no</strong></span>)</td><td colspan="1" class="confluenceTd">Whether the static host MAC address lookup is used with shared-VLAN-learning (SVL) or independent-VLAN-learning (IVL). 
The SVL mode is used for those VLAN entries that do not support IVL or where IVL is disabled (independent-learning=no)</td></tr><tr><td colspan="1" class="confluenceTd"><span><strong>switch</strong> </span>(<em>name</em>; Default:<span> <strong>none</strong></span>)</td><td colspan="1" class="confluenceTd">Name of the switch <span style="color: rgb(34,34,34);">to which the MAC address is going to be assigned</span></td></tr><tr><td colspan="1" class="confluenceTd"><span><strong>vlan-id</strong> </span>(<em>integer: 0..4095</em>; Default:<strong> </strong>)</td><td colspan="1" class="confluenceTd">VLAN ID for the statically added MAC address entry</td></tr></tbody></table></div><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p><span class="mw-headline">Every switch chip can store only a finite number of MAC addresses on the chip; see the Introduction table for a specific host table size. Once a host table is full, different techniques can be utilized to cope with the situation. For example, the switch can remove older entries to free space for more recent MAC addresses (used on QCA-8337 and Atheros-8327 switch chips). Another option is to simply ignore the new MAC addresses and only remove entries after a timeout has passed (used on Atheros8316, Atheros8227, Atheros-7240, ICPlus175D and Realtek-RTL8367 switch chips). The last option is a combination of the previous two: only allow a certain amount of entries to be renewed and keep the other host portion intact till the timeout (used on MediaTek-MT7621, MT7531 switch chips). 
These techniques cannot be changed with configuration.</span></p></div></div><div class="confluence-information-macro confluence-information-macro-warning"><span class="aui-icon aui-icon-small aui-iconfont-error confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p class="auto-cursor-target">For <span class="mw-headline">Atheros8316, Atheros8227 and Atheros-7240 switch chips, the switch-cpu port will always participate in the host learning process when at least one hardware offloaded bridge port is active on the switching group. It will cause the switch-cpu port to learn MAC addresses from non-HW offloaded interfaces. This might cause packet loss when a single bridge contains HW and non-HW offloaded interfaces. Also, packet loss might appear when a duplicate MAC address is used on the same switching group regardless if hosts are located on different logical networks. It is recommended to use HW offloading only when all bridge ports can use HW offloaded or keep it disabled on all switch ports when one or more bridge ports cannot be configured with HW offloading.</span></p></div></div><h2 class="auto-cursor-target" id="SwitchChipFeatures-RuleTable"><span style="font-size: 20.0px;letter-spacing: -0.008em;">Rule Table</span></h2><p>Rule table is a very powerful tool allowing wire-speed packet filtering, forwarding and VLAN tagging based on L2, L3 and L4 protocol header field conditions. The menu contains an ordered list of rules just like in<span> </span><span style="color: rgb(51,153,102);"><code>/ip firewall filter</code></span>, so ACL rules are checked for each packet until a match has been found. If multiple rules can match, then only the first rule will be triggered. A rule without any action parameters is a rule to accept the packet. </p><p>Each rule contains a conditions part and an action part. 
The action part is controlled by the following parameters:</p><div class="table-wrap"><table class="wrapped confluenceTable"><colgroup><col style="width: 248.0px;"/><col style="width: 1530.0px;"/></colgroup><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><span><strong>copy-to-cpu</strong> </span>(<em>no | yes</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">Whether to send a packet copy to switch CPU port</td></tr><tr><td colspan="1" class="confluenceTd"><strong>mirror</strong><span> </span>(<em>no | yes</em>; Default:<span> <strong>no</strong></span>)</td><td colspan="1" class="confluenceTd">Whether to send a packet copy to <span style="color: rgb(51,153,102);"><code>mirror-target</code></span> port</td></tr><tr><td colspan="1" class="confluenceTd"><span><strong>new-dst-ports</strong> </span>(<em>name</em>; Default:<span> <strong>none</strong></span>)</td><td colspan="1" class="confluenceTd">Changes the destination port as specified, multiple ports allowed, including a switch CPU port. An empty setting will drop the packet. 
When the parameter is not used, the packet will be accepted</td></tr><tr><td colspan="1" class="confluenceTd"><span><strong>new-vlan-id</strong> </span>(<em>integer: 0..4095</em>)</td><td colspan="1" class="confluenceTd">Changes the VLAN ID to the specified value or adds a new VLAN tag if one was not already present (the property only applies to the<strong> Atheros8316</strong>, and <strong>88E6393X</strong> switch chips)</td></tr><tr><td colspan="1" class="confluenceTd"><strong>new-vlan-priority </strong>(<em>integer: 0..7</em>)</td><td colspan="1" class="confluenceTd">Changes the VLAN priority field (priority code point, the property only applies to <strong>Atheros8327</strong>, <strong>QCA8337 </strong>and <strong>Atheros8316 </strong>switch chips)</td></tr><tr><td colspan="1" class="confluenceTd"><span><strong>rate</strong> </span>(<em>integer: 0..4294967295</em>)</td><td colspan="1" class="confluenceTd">Sets ingress traffic limitation (bits per second) for matched traffic, can only be applied to the first 32 rule slots (the property only applies to<strong> Atheros8327/QCA8337</strong> switch chips)</td></tr><tr><td colspan="1" class="confluenceTd"><span><strong>redirect-to-cpu</strong> </span>(<em>no | yes</em>; Default: <strong>no</strong>)</td><td colspan="1" class="confluenceTd">Changes the destination port of a matching packet to the switch CPU</td></tr></tbody></table></div><p>The conditions part is controlled by the rest of the parameters:</p><div class="table-wrap"><table class="wrapped confluenceTable"><colgroup><col/><col/></colgroup><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>disabled</strong> (<em>no | yes</em>; Default: <strong>no</strong>)</td><td class="confluenceTd">Enables or disables switch rule</td></tr><tr><td class="confluenceTd"><strong>dscp</strong> (<em>integer: 0..63</em>)</td><td class="confluenceTd">Matching DSCP field of the 
packet</td></tr><tr><td class="confluenceTd"><strong>dst-address</strong> (<em>IP address/Mask</em>)</td><td class="confluenceTd">Matching destination IP address and mask</td></tr><tr><td class="confluenceTd"><strong>dst-address6</strong> (<em>IPv6 address/Mask</em>)</td><td class="confluenceTd">Matching destination IPv6 address and mask</td></tr><tr><td class="confluenceTd"><strong>dst-mac-address</strong> (<em>MAC address/Mask</em>)</td><td class="confluenceTd">Matching destination MAC address and mask</td></tr><tr><td class="confluenceTd"><strong>dst-port</strong> (<em>integer: </em><em>0..65535</em>)</td><td class="confluenceTd">Matching destination protocol port number or range</td></tr><tr><td class="confluenceTd"><strong>flow-label</strong> (<em>integer: </em><em>0..1048575</em>)</td><td class="confluenceTd">Matching IPv6 flow label</td></tr><tr><td class="confluenceTd"><strong>mac-protocol</strong> (<em>802.2 | arp | homeplug-av | ip | ipv6 | ipx | lldp | loop-protect | mpls-multicast | mpls-unicast | packing-compr | packing-simple | pppoe | pppoe-discovery | rarp | service-vlan | vlan | or 0..65535 | or 0x0000-0xffff</em>)</td><td class="confluenceTd">Matching particular MAC protocol specified by protocol name or number (skips VLAN tags if any)</td></tr><tr><td class="confluenceTd"><strong>ports</strong> (<em>name</em>)</td><td class="confluenceTd">Name of the interface on which the rule will apply on the received traffic, multiple ports are allowed</td></tr><tr><td class="confluenceTd"><strong>protocol</strong> (<em>dccp | ddp | egp | encap | etherip | ggp | gre | hmp | icmp | icmpv6 | idpr-cmtp | igmp | ipencap | ipip | ipsec-ah | ipsec-esp | ipv6 | ipv6-frag | ipv6-nonxt | ipv6-opts | ipv6-route | iso-tp4 | l2tp | ospf | pim | pup | rdp | rspf | rsvp | sctp | st | tcp | udp | udp-lite | vmtp | vrrp | xns-idp | xtp | or 0..255</em>)</td><td class="confluenceTd">Matching particular IP protocol specified by protocol name or number</td></tr><tr><td 
class="confluenceTd"><strong>src-address</strong> (<em>IP address/Mask</em>)</td><td class="confluenceTd">Matching source IP address and mask</td></tr><tr><td class="confluenceTd"><strong>src-address6</strong> (<em>IPv6 address/Mask</em>)</td><td class="confluenceTd">Matching source IPv6 address and mask</td></tr><tr><td class="confluenceTd"><strong>src-mac-address</strong> (<em>MAC address/Mask</em>)</td><td class="confluenceTd">Matching source MAC address and mask</td></tr><tr><td class="confluenceTd"><strong>src-port</strong> (<em>0..65535</em>)</td><td class="confluenceTd">Matching source protocol port number or range</td></tr><tr><td class="confluenceTd"><strong>switch</strong> (<em>switch group</em>)</td><td class="confluenceTd">Matching switch group on which the rule will apply</td></tr><tr><td class="confluenceTd"><strong>traffic-class</strong> (<em>0..255</em>)</td><td class="confluenceTd">Matching IPv6 traffic class</td></tr><tr><td class="confluenceTd"><strong>vlan-id</strong> (<em>0..4095</em>)</td><td class="confluenceTd">Matching VLAN ID (the property only applies to the<span style="color: rgb(255,0,0);"><strong> </strong><span style="color: rgb(0,0,0);">Atheros8316, Atheros8327, QCA8337, 88E6393X </span></span>switch chips)</td></tr><tr><td class="confluenceTd"><strong>vlan-header</strong> (<em>not-present | present</em>)</td><td class="confluenceTd">Matching VLAN header, whether the VLAN header is present or not (the property only applies to the <span style="color: rgb(0,0,0);">Atheros8316, Atheros8327, QCA8337, 88E6393X switch chips</span>)</td></tr><tr><td class="confluenceTd"><strong>vlan-priority</strong> (<em>0..7</em>)</td><td class="confluenceTd">Matching VLAN priority (priority code point)</td></tr></tbody></table></div><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div 
class="confluence-information-macro-body"><p>IPv4 and IPv6 specific conditions cannot be present in the same rule.</p></div></div><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>Because the rule table is processed entirely in the switch chip's hardware, there is a limitation to how many rules you may have. Depending on the number of conditions (MAC layer, IP layer, IPv6, L4 layer) you use in your rules, the number of active rules may vary from 8 to 32 for the Atheros8316 switch chip, from 24 to 96 for the Atheros8327/QCA8337 switch chip and from 42 to 256 for the 88E6393X switch chip. You can always run <code><span style="color: rgb(51,153,102);">/interface ethernet switch rule print</span> </code>after modifying your rule set to check that no rules at the end of the list are 'invalid', which means those rules did not fit into the switch chip.</p></div></div><h2 id="SwitchChipFeatures-Portisolation"><span class="mw-headline">Port isolation</span></h2><p>Port isolation makes it possible to divide (isolate) certain parts of your network. This is useful when you need to make sure that certain devices cannot access other devices, which is done by isolating switch ports. Port isolation only works between ports that are members of the same switch. Switch port isolation is available on all switch chips since RouterOS v6.43.</p><div class="table-wrap"><table class="wrapped confluenceTable"><colgroup><col/><col/></colgroup><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>forwarding-override</strong><span> </span>(<em>interface</em>; Default: )</td><td class="confluenceTd">Forces ingress traffic to be forwarded to a specific interface. 
Multiple interfaces can be specified by separating them with a comma.</td></tr></tbody></table></div><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>(R/M)STP will only work properly in PVLAN setups. It will not work properly in setups where there are multiple isolated switch groups, because switch groups might not properly receive BPDUs and therefore fail to detect network loops.</p></div></div><div class="confluence-information-macro confluence-information-macro-warning"><span class="aui-icon aui-icon-small aui-iconfont-error confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>The<span> </span><code>forwarding-override</code><span> </span>property affects ingress traffic only. Switch ports that do not have the<span> </span><span style="color: rgb(51,153,102);"><code>forwarding-override</code></span><span> </span>specified can send packets through all switch ports.</p></div></div><div class="confluence-information-macro confluence-information-macro-warning"><span class="aui-icon aui-icon-small aui-iconfont-error confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>Switch chips with VLAN table support (<strong>QCA8337</strong>,<span> </span><strong>Atheros8327</strong>,<span> </span><strong>Atheros8316</strong>,<span> </span><strong>Atheros8227</strong><span> </span>and<span> </span><strong>Atheros7240</strong>) can override the port isolation configuration when enabling a VLAN lookup on the switch port (the<span> </span><span style="color: rgb(51,153,102);"><code>vlan-mode</code></span><span> </span>is set to<span> </span><span style="color: rgb(51,153,102);"><code>fallback</code></span>,<span> </span><span style="color: rgb(51,153,102);"><code>check</code></span><span> </span>or<span> </span><span 
style="color: rgb(51,153,102);"><code>secure</code></span>). If additional port isolation is needed between ports on the same VLAN, a switch rule with a<span> </span>new-dst-ports<span> </span>property can be implemented. Other devices without switch rule support cannot overcome this limitation.</p></div></div><h3 id="SwitchChipFeatures-PrivateVLAN"><span class="mw-headline">Private VLAN</span></h3><p>In some scenarios, you might need to forward all traffic to an uplink port while all other ports are isolated from each other. This kind of setup is called<span> </span><strong>Private VLAN</strong><span> </span>configuration, the<span> </span><strong>Switch</strong><span> </span>will forward all Ethernet frames directly to the uplink port allowing the<span> </span><strong>Router</strong><span> </span>to filter unwanted packets and limit access between devices that are behind switch ports.</p><p><span class="confluence-embedded-file-wrapper image-center-wrapper"><img class="confluence-embedded-image image-center" draggable="false" src="https://help.mikrotik.com/docs/download/attachments/15302988/Isolation.png?version=2&modificationDate=1618318949793&api=v2" data-image-src="https://help.mikrotik.com/docs/download/attachments/15302988/Isolation.png?version=2&modificationDate=1618318949793&api=v2" data-unresolved-comment-count="0" data-linked-resource-id="16351616" data-linked-resource-version="2" data-linked-resource-type="attachment" data-linked-resource-default-alias="Isolation.png" data-base-url="https://help.mikrotik.com/docs" data-linked-resource-content-type="image/png" data-linked-resource-container-id="15302988" data-linked-resource-container-version="75" alt=""></span></p><p>To configure switch port isolation, you need to switch all required ports:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface bridge
add name=bridge1
/interface bridge port
add interface=sfp1 bridge=bridge1 hw=yes
add interface=ether1 bridge=bridge1 hw=yes
add interface=ether2 bridge=bridge1 hw=yes
add interface=ether3 bridge=bridge1 hw=yes</pre>
</div></div><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>By default, the bridge interface is configured with <code>protocol-mode</code> set to <code>rstp</code>. For some devices, this can disable hardware offloading because specific switch chips do not support this feature. See the <a href="https://help.mikrotik.com/docs/display/ROS/Bridging+and+Switching#BridgingandSwitching-BridgeHardwareOffloading" rel="nofollow">Bridge Hardware Offloading</a> section with supported features.</p></div></div><p>Override the egress port for each switch port that needs to be isolated (excluding the uplink port):</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface ethernet switch port-isolation
set ether1 forwarding-override=sfp1
set ether2 forwarding-override=sfp1
set ether3 forwarding-override=sfp1</pre>
</div></div><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>It is possible to set multiple uplink ports for a single switch chip. This can be done by specifying multiple interfaces and separating them with a comma.</p></div></div><h3 id="SwitchChipFeatures-Isolatedswitchgroups"><span class="mw-headline">Isolated switch groups</span></h3><p>In some scenarios you might need to isolate a group of devices from other groups. This can be done using the switch port isolation feature. This is useful when you have multiple networks but you want to use a single switch: with port isolation you can allow certain switch ports to communicate through only a set of switch ports. In this example, devices on<span> </span><strong>ether1-3</strong><span> </span>will only be able to communicate with devices that are on<span> </span><strong>ether1-3</strong>, while devices on<span> </span><strong>ether4-5</strong><span> </span>will only be able to communicate with devices on<span> </span><strong>ether4-5</strong><span> </span>(<strong>ether1-3</strong><span> </span>is not able to communicate with<span> </span><strong>ether4-5</strong>).</p><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>Port isolation is only available between ports that are members of the same switch.</p></div></div><p><br/></p><p><span class="confluence-embedded-file-wrapper image-center-wrapper"><img class="confluence-embedded-image image-center" draggable="false" src="https://help.mikrotik.com/docs/download/attachments/15302988/Port_isolation_2.png?version=1&modificationDate=1620716068287&api=v2" 
data-image-src="https://help.mikrotik.com/docs/download/attachments/15302988/Port_isolation_2.png?version=1&modificationDate=1620716068287&api=v2" data-unresolved-comment-count="0" data-linked-resource-id="66355232" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="Port_isolation_2.png" data-base-url="https://help.mikrotik.com/docs" data-linked-resource-content-type="image/png" data-linked-resource-container-id="15302988" data-linked-resource-container-version="75" alt=""></span></p><p>To configure isolated switch groups you must first switch all ports:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1 hw=yes
add bridge=bridge1 interface=ether2 hw=yes
add bridge=bridge1 interface=ether3 hw=yes
add bridge=bridge1 interface=ether4 hw=yes
add bridge=bridge1 interface=ether5 hw=yes</pre>
</div></div><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>By default, the bridge interface is configured with <span style="color: rgb(51,153,102);"><code>protocol-mode</code></span> set to <span style="color: rgb(51,153,102);"><code>rstp</code></span>. For some devices, this can disable hardware offloading because specific switch chips do not support this feature. See the <a href="https://help.mikrotik.com/docs/display/ROS/Bridging+and+Switching#BridgingandSwitching-BridgeHardwareOffloading" rel="nofollow">Bridge Hardware Offloading</a> section with supported features.</p></div></div><p>Then specify in the<span> </span><span style="color: rgb(51,153,102);"><code>forwarding-override</code></span><span> </span>property all ports that you want to be in the same isolated switch group (except the port on which you are applying the property), for example, to create an isolated switch group for<span> </span><strong>A</strong><span> </span>devices:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface ethernet switch port-isolation
set ether1 forwarding-override=ether2,ether3
set ether2 forwarding-override=ether1,ether3
set ether3 forwarding-override=ether1,ether2</pre>
</div></div><p>To create an isolated switch group for<span> </span><strong>B</strong><span> </span>devices:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface ethernet switch port-isolation
set ether4 forwarding-override=ether5
set ether5 forwarding-override=ether4</pre>
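<p>The following Python sketch is an added example, not part of the MikroTik documentation: it audits port-isolation settings such as the Private VLAN and isolated switch group configurations above against the intended forwarding policy. It models only what this page states (an override restricts a port's ingress forwarding; a port without one can send through all switch ports); the function names, the intent format and the sample configurations are assumptions made for this example.</p>

```python
"""Audit RouterOS switch port-isolation settings against an intended policy.

Model (from the page): forwarding-override limits where a port's INGRESS
traffic may be forwarded; a port without it can send through all switch
ports. VLAN lookups and the switch CPU port are not modelled (assumption).
"""

PORT_ISOLATION_MENU = "/interface ethernet switch port-isolation"


def parse_port_isolation(config_text):
    """Return {port: set(targets)} from 'set PORT forwarding-override=a,b' lines."""
    overrides = {}
    in_menu = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("/"):
            in_menu = line == PORT_ISOLATION_MENU
            continue
        if not in_menu or not line.startswith("set "):
            continue
        tokens = line.split()
        port = tokens[1]
        for token in tokens[2:]:
            key, _, value = token.partition("=")
            if key != "forwarding-override":
                continue
            targets = {p for p in value.strip('"').split(",") if p}
            if targets:
                overrides[port] = targets
            else:
                # Assumption: an empty value means "no override configured".
                overrides.pop(port, None)
    return overrides


def allowed_egress(switch_ports, overrides):
    """Ports to which each port's ingress traffic can be forwarded."""
    ports = set(switch_ports)
    allowed = {}
    for port in switch_ports:
        targets = overrides[port] & ports if port in overrides else ports
        allowed[port] = targets - {port}
    return allowed


def intent_from_groups(groups):
    """Intended policy for isolated groups: members reach only each other."""
    intent = {}
    for members in groups:
        for port in members:
            intent.setdefault(port, set()).update(set(members) - {port})
    return intent


def audit(switch_ports, overrides, intent):
    """Return sorted (kind, ingress_port, egress_port) findings.

    'leak'    : forwarding is possible but not intended
    'blocked' : forwarding is intended but not possible
    """
    allowed = allowed_egress(switch_ports, overrides)
    findings = []
    for port in switch_ports:
        wanted = intent.get(port, set())
        findings += [("leak", port, t) for t in allowed[port] - wanted]
        findings += [("blocked", port, t) for t in wanted - allowed[port]]
    return sorted(findings)


# Constructed sample input: groups A and B exactly as configured on this page.
GROUPS_OK = """
/interface ethernet switch port-isolation
set ether1 forwarding-override=ether2,ether3
set ether2 forwarding-override=ether1,ether3
set ether3 forwarding-override=ether1,ether2
set ether4 forwarding-override=ether5
set ether5 forwarding-override=ether4
"""

# Constructed sample input: the same setup with the ether5 line forgotten.
GROUPS_ETHER5_MISSING = GROUPS_OK.replace(
    "set ether5 forwarding-override=ether4\n", "")

SWITCH_PORTS = ["ether1", "ether2", "ether3", "ether4", "ether5"]
INTENT = intent_from_groups([["ether1", "ether2", "ether3"],
                             ["ether4", "ether5"]])

if __name__ == "__main__":
    for label, text in (("complete", GROUPS_OK),
                        ("ether5 missing", GROUPS_ETHER5_MISSING)):
        result = audit(SWITCH_PORTS, parse_port_isolation(text), INTENT)
        print(label, "->", result or "no findings")
```

<p>In the second case the audit reports leaks from ether5 to ether1, ether2 and ether3 even though those three ports still cannot send to ether5, which is the one-way effect of an ingress-only setting.</p>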
</div></div><h2 id="SwitchChipFeatures-CPUFlowControl"><span class="mw-headline">CPU Flow Control</span></h2><p>All switch chips have a special port called<span> </span><strong>switchX-cpu</strong>. This is the CPU port for a switch chip; it forwards traffic from the switch chip to the CPU and is required for management traffic and routing features. By default, the switch chip ensures that this special CPU port is not congested and sends out Pause Frames when link capacity is exceeded to make sure the port is not oversaturated. This feature is called<span> </span><strong>CPU Flow Control</strong>. Without this feature, packets that might be crucial for routing or management purposes might get dropped.</p><p>Since RouterOS v6.43 it is possible to disable the CPU Flow Control feature on some devices that are using one of the following switch chips: Atheros8227, QCA8337, Atheros8327, Atheros7240 or Atheros8316. Other switch chips have this feature enabled by default and it cannot be changed. To disable CPU Flow Control use the following command:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface ethernet switch set switch1 cpu-flow-control=no</pre>
</div></div><h2 id="SwitchChipFeatures-Statistics"><span class="mw-headline">Statistics</span></h2><p>Some switch chips are capable of reporting statistics. This can be useful to monitor how many packets are sent to the CPU from the built-in switch chip. These statistics can also be used to monitor CPU Flow Control. You can find an example of the switch chip's statistics below:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@MikroTik] > /interface ethernet switch print stats
name: switch1
driver-rx-byte: 221 369 701
driver-rx-packet: 1 802 975
driver-tx-byte: 42 621 969
driver-tx-packet: 310 485
rx-bytes: 414 588 529
rx-packet: 2 851 236
rx-too-short: 0
rx-too-long: 0
rx-broadcast: 1 040 309
rx-pause: 0
rx-multicast: 486 321
rx-fcs-error: 0
rx-align-error: 0
rx-fragment: 0
rx-control: 0
rx-unknown-op: 0
rx-length-error: 0
rx-code-error: 0
rx-carrier-error: 0
rx-jabber: 0
rx-drop: 0
tx-bytes: 44 071 621
tx-packet: 312 597
tx-too-short: 0
tx-too-long: 8 397
tx-broadcast: 2 518
tx-pause: 2 112
tx-multicast: 7 142
tx-excessive-collision: 0
tx-multiple-collision: 0
tx-single-collision: 0
tx-excessive-deferred: 0
tx-deferred: 0
tx-late-collision: 0
tx-total-collision: 0
tx-drop: 0
tx-jabber: 0
tx-fcs-error: 0
tx-control: 2 112
tx-fragment: 0
tx-rx-64: 6 646
tx-rx-65-127: 1 509 891
tx-rx-128-255: 1 458 299
tx-rx-256-511: 178 975
tx-rx-512-1023: 953
tx-rx-1024-1518: 672
tx-rx-1519-max: 0</pre>
</div></div><p>Some devices have multiple CPU cores that are directly connected to a built-in switch chip using separate data lanes. These devices can report which data lane was used to forward the packet from or to the CPU port from the switch chip. For such devices, an extra line is added for each row: the first line represents data that was sent using the first data lane, the second line represents data that was sent using the second data lane, and so on. You can find an example of the switch chip's statistics for a device with multiple data lanes connecting the CPU and the built-in switch chip:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@MikroTik] > /interface ethernet switch print stats
name: switch1
driver-rx-byte: 226 411 248
0
driver-rx-packet: 1 854 971
0
driver-tx-byte: 45 988 067
0
driver-tx-packet: 345 282
0
rx-bytes: 233 636 763
0
rx-packet: 1 855 018
0
rx-too-short: 0
0
rx-too-long: 0
0
rx-pause: 0
0
rx-fcs-error: 0
0
rx-overflow: 0
0
tx-bytes: 47 433 203
0
tx-packet: 345 282
0
tx-total-collision: 0
0</pre>
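<p>The following Python parser is an added example, not part of the MikroTik documentation: it reads both statistics layouts shown above (digit groups separated by spaces, and one extra line per data lane) and compares two snapshots. Watching <code>tx-pause</code>, <code>rx-drop</code>, <code>tx-drop</code> and <code>rx-overflow</code> as indicators of CPU port pressure is an assumption of this example, and the sample snapshots are constructed.</p>

```python
"""Parse '/interface ethernet switch print stats' output and compare snapshots."""

# Counter names taken from the outputs on this page. Treating growth in
# them as a sign of CPU-port pressure is this example's assumption.
WATCHED = ("tx-pause", "rx-drop", "tx-drop", "rx-overflow")


def to_value(text):
    """'1 802 975' -> 1802975; anything non-numeric is returned as a string."""
    compact = text.replace(" ", "")
    return int(compact) if compact.isdigit() else text.strip()


def parse_switch_stats(output):
    """Return {counter: [value_lane1, value_lane2, ...]}.

    A line 'name: value' starts a counter. A following line without a colon
    is the value for the next data lane of the same counter.
    """
    stats = {}
    current = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("["):  # blank line or echoed CLI prompt
            continue
        if ":" in line:
            key, _, value = line.partition(":")
            current = key.strip()
            stats[current] = [to_value(value)]
        elif current is not None:
            stats[current].append(to_value(line))
    return stats


def lane_total(values):
    """Sum a counter over all data lanes, ignoring non-numeric fields."""
    return sum(v for v in values if isinstance(v, int))


def counter_deltas(before, after):
    """Increase of every numeric counter between two parsed snapshots."""
    deltas = {}
    for key, values in after.items():
        if not all(isinstance(v, int) for v in values):
            continue
        delta = lane_total(values) - lane_total(before.get(key, []))
        # A negative delta means the counter was reset (e.g. after a reboot);
        # count everything seen since the reset.
        deltas[key] = delta if delta >= 0 else lane_total(values)
    return deltas


def cpu_port_pressure(before, after, watched=WATCHED):
    """Watched counters that grew between the two snapshots."""
    deltas = counter_deltas(before, after)
    return {k: deltas[k] for k in watched if deltas.get(k, 0) > 0}


# Constructed samples in the page's format (values are illustrative).
SNAPSHOT_1 = """
[admin@MikroTik] > /interface ethernet switch print stats
name: switch1
rx-packet: 2 851 236
rx-drop: 0
tx-packet: 312 597
tx-pause: 2 112
tx-drop: 0
"""

SNAPSHOT_2 = SNAPSHOT_1.replace("tx-pause: 2 112", "tx-pause: 2 500")

# Constructed two-lane sample: the second line of each row is lane 2.
TWO_LANES = """
name: switch1
rx-packet: 1 855 018
0
rx-overflow: 0
0
tx-packet: 345 282
0
"""

if __name__ == "__main__":
    first = parse_switch_stats(SNAPSHOT_1)
    second = parse_switch_stats(SNAPSHOT_2)
    print(cpu_port_pressure(first, second))
    print(parse_switch_stats(TWO_LANES))
```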
</div></div><h1 id="SwitchChipFeatures-SetupExamples"><span class="mw-headline">Setup Examples</span></h1><hr/><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>Make sure you have added all needed interfaces to the VLAN table when using secure <code>vlan-mode</code>. For routing functions to work properly on the same device through ports that use secure <code>vlan-mode</code>, you will need to allow access to the CPU from those ports, this can be done by adding the switchX-cpu interface itself to the VLAN table. Examples can be found in the <a href="https://help.mikrotik.com/docs/display/ROS/Switch+Chip+Features#SwitchChipFeatures-Managementaccessconfiguration" rel="nofollow">Management port</a> section.</p></div></div><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>It is possible to use the built-in switch chip and the CPU at the same time to create a Switch-Router setup, where a device acts as a switch and as a router at the same time. You can find a configuration example in the<span> </span><a class="external-link" href="https://wiki.mikrotik.com/wiki/Manual:Switch_Router" rel="nofollow" style="text-decoration: none;" title="Manual:Switch Router">Switch-Router</a><span> </span>guide.</p></div></div><p><br/></p><div class="confluence-information-macro confluence-information-macro-warning"><span class="aui-icon aui-icon-small aui-iconfont-error confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>When allowing access to the CPU, you are allowing access from a certain port to the actual router/switch, this is not always desirable. 
Make sure you implement proper firewall filter rules to secure your device when access to the CPU is allowed from a certain VLAN ID and port, use firewall filter rules to allow access to only certain services.</p></div></div><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>Devices with <strong>MT7621</strong>, <strong>MT7531</strong>, <strong>RTL8367</strong>, <strong>88E6393X</strong>, <strong>88E6191X,</strong> <span style="color: rgb(23,43,77);"><strong>88E6190 </strong></span>switch chips support <a href="https://help.mikrotik.com/docs/display/ROS/Bridging+and+Switching#BridgingandSwitching-BridgeVLANFiltering" rel="nofollow">HW offloaded vlan-filtering</a> in RouterOS v7. VLAN-related configuration on the "/interface ethernet switch" menu is not available. </p></div></div><h2 id="SwitchChipFeatures-VLANExample1(TrunkandAccessPorts)"><span class="mw-headline">VLAN Example 1 (Trunk and Access Ports)</span></h2><p style="text-align: justify;">RouterBOARDs with Atheros switch chips can be used for 802.1Q Trunking. This feature in RouterOS v6 is supported by<span> </span><strong>QCA8337, Atheros8316, Atheros8327, Atheros8227</strong><span> </span>and<span> </span><strong>Atheros7240</strong><span> </span>switch chips. In this example,<span> </span><strong>ether3</strong>, <strong>ether4,</strong><span> </span>and<span> </span><strong>ether5</strong><span> </span>interfaces are access ports, while<span> </span><strong>ether2</strong><span> </span>is a trunk port. 
VLAN IDs for each access port: ether3 - 400, ether4 - 300, ether5 - 200.</p><p><span class="confluence-embedded-file-wrapper image-center-wrapper"><img class="confluence-embedded-image image-center" draggable="false" src="https://help.mikrotik.com/docs/download/attachments/15302988/access_ports_small.png?version=2&modificationDate=1626780110393&api=v2" data-image-src="https://help.mikrotik.com/docs/download/attachments/15302988/access_ports_small.png?version=2&modificationDate=1626780110393&api=v2" data-unresolved-comment-count="0" data-linked-resource-id="76939375" data-linked-resource-version="2" data-linked-resource-type="attachment" data-linked-resource-default-alias="access_ports_small.png" data-base-url="https://help.mikrotik.com/docs" data-linked-resource-content-type="image/png" data-linked-resource-container-id="15302988" data-linked-resource-container-version="75" alt=""></span></p><p>Switch together the required ports:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether2 hw=yes
add bridge=bridge1 interface=ether3 hw=yes
add bridge=bridge1 interface=ether4 hw=yes
add bridge=bridge1 interface=ether5 hw=yes</pre>
</div></div><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>By default, the bridge interface is configured with<span> </span><code>protocol-mode</code><span> </span>set to<span> </span><code>rstp</code>. For some devices, this can disable hardware offloading because specific switch chips do not support this feature. See the<span> </span><a href="https://help.mikrotik.com/docs/display/ROS/Bridging+and+Switching#BridgingandSwitching-BridgeHardwareOffloading" rel="nofollow">Bridge Hardware Offloading</a><span> </span>section with supported features.</p></div></div><p>Add VLAN table entries to allow frames with specific VLAN IDs between ports:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface ethernet switch vlan
add ports=ether2,ether3 switch=switch1 vlan-id=200
add ports=ether2,ether4 switch=switch1 vlan-id=300
add ports=ether2,ether5 switch=switch1 vlan-id=400</pre>
</div></div><p>Assign<span> </span><code>vlan-mode</code><span> </span>and<span> </span><code>vlan-header</code> mode for each port and also<span> </span><code>default-vlan-id</code><span> </span>on ingress for each access port:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface ethernet switch port
set ether2 vlan-mode=secure vlan-header=add-if-missing
set ether3 vlan-mode=secure vlan-header=always-strip default-vlan-id=200
set ether4 vlan-mode=secure vlan-header=always-strip default-vlan-id=300
set ether5 vlan-mode=secure vlan-header=always-strip default-vlan-id=400</pre>
</div></div><ul><li>Setting<span> </span><span style="color: rgb(51,153,102);"><code>vlan-mode=secure</code></span><span> </span>ensures strict use of the VLAN table.</li><li>Setting<span> </span><span style="color: rgb(51,153,102);"><code>vlan-header=always-strip</code></span><span> </span>for access ports removes the VLAN header from the frame when it leaves the switch chip.</li><li>Setting<span> </span><span style="color: rgb(51,153,102);"><code>vlan-header=add-if-missing</code></span><span> </span>for trunk port adds VLAN header to untagged frames.</li><li><span style="color: rgb(51,153,102);"><code>default-vlan-id</code></span><span> </span>specifies what VLAN ID is added for untagged ingress traffic of the access port.</li></ul><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>On <strong>QCA8337</strong> and <strong>Atheros8327</strong> switch chips, a default <code>vlan-header=leave-as-is</code> property should be used. The switch chip will determine which ports are access ports by using the <span style="color: rgb(51,153,102);"><code>default-vlan-id</code></span> property. The <span style="color: rgb(51,153,102);"><code>default-vlan-id</code> </span>should only be used on access/hybrid ports to specify which VLAN the untagged ingress traffic is assigned to.</p></div></div><h2 id="SwitchChipFeatures-VLANExample2(TrunkandHybridPorts)"><span class="mw-headline">VLAN Example 2 (Trunk and Hybrid Ports)</span></h2><p style="text-align: justify;">VLAN Hybrid ports can forward both tagged and untagged traffic. 
This configuration is supported only by some Gigabit switch chips (<strong>QCA8337, Atheros8327</strong>).</p><p><span class="confluence-embedded-file-wrapper image-center-wrapper"><img class="confluence-embedded-image image-center" draggable="false" src="https://help.mikrotik.com/docs/download/attachments/15302988/hybrid_ports_small.png?version=1&modificationDate=1626777140786&api=v2" data-image-src="https://help.mikrotik.com/docs/download/attachments/15302988/hybrid_ports_small.png?version=1&modificationDate=1626777140786&api=v2" data-unresolved-comment-count="0" data-linked-resource-id="76939376" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="hybrid_ports_small.png" data-base-url="https://help.mikrotik.com/docs" data-linked-resource-content-type="image/png" data-linked-resource-container-id="15302988" data-linked-resource-container-version="75" alt=""></span></p><p>Switch together the required ports:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether2 hw=yes
add bridge=bridge1 interface=ether3 hw=yes
add bridge=bridge1 interface=ether4 hw=yes
add bridge=bridge1 interface=ether5 hw=yes</pre>
</div></div><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>By default, the bridge interface is configured with<span> </span><span style="color: rgb(51,153,102);"><code>protocol-mode</code></span><span> </span>set to<span style="color: rgb(51,153,102);"> <code>rstp</code></span>. For some devices, this can disable hardware offloading because specific switch chips do not support this feature. See the<span> </span><a href="https://help.mikrotik.com/docs/display/ROS/Bridging+and+Switching#BridgingandSwitching-BridgeHardwareOffloading" rel="nofollow">Bridge Hardware Offloading</a><span> </span>section with supported features.</p></div></div><p>Add VLAN table entries to allow frames with specific VLAN IDs between ports.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface ethernet switch vlan
add ports=ether2,ether3,ether4,ether5 switch=switch1 vlan-id=200
add ports=ether2,ether3,ether4,ether5 switch=switch1 vlan-id=300
add ports=ether2,ether3,ether4,ether5 switch=switch1 vlan-id=400</pre>
</div></div><p>In the switch port menu set<span style="color: rgb(51,153,102);"> <code>vlan-mode</code></span><span> </span>on all ports and also<span> </span><span style="color: rgb(51,153,102);"><code>default-vlan-id</code></span><span> </span>on planned hybrid ports:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface ethernet switch port
set ether2 vlan-mode=secure vlan-header=leave-as-is
set ether3 vlan-mode=secure vlan-header=leave-as-is default-vlan-id=200
set ether4 vlan-mode=secure vlan-header=leave-as-is default-vlan-id=300
set ether5 vlan-mode=secure vlan-header=leave-as-is default-vlan-id=400</pre>
</div></div><ul><li><span style="color: rgb(51,153,102);"><code>vlan-mode=secure</code></span><span> </span>will ensure strict use of the VLAN table.</li><li><span style="color: rgb(51,153,102);"><code>default-vlan-id</code></span><span> </span>will define the VLAN for untagged ingress traffic on the port.</li><li>On QCA8337 and Atheros8327 chips, when<span> </span><span style="color: rgb(51,153,102);"><code>vlan-mode=secure</code></span><span> </span>is used, the switch port<span> </span><span style="color: rgb(51,153,102);"><code>vlan-header</code></span><span> </span>options are ignored. VLAN table entries handle all the egress tagging/untagging and work as<span> </span><span style="color: rgb(51,153,102);"><code>vlan-header=leave-as-is</code></span><span> </span>on all ports. This means that what comes in tagged goes out tagged as well; only<span> </span><span style="color: rgb(51,153,102);"><code>default-vlan-id</code></span><span> </span>frames are untagged at the egress port.</li></ul><h2 id="SwitchChipFeatures-Managementaccessconfiguration"><span class="mw-headline">Management access configuration</span></h2><p>The examples below cover multiple scenarios, but each of these scenarios requires you to have switched ports. Below you can find how to switch multiple ports:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface bridge
add name=bridge1
/interface bridge port
add interface=ether1 bridge=bridge1 hw=yes
add interface=ether2 bridge=bridge1 hw=yes</pre>
</div></div><p><br/></p><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>By default, the bridge interface is configured with<span> </span><span style="color: rgb(51,153,102);"><code>protocol-mode</code></span><span> </span>set to<span> </span><span style="color: rgb(51,153,102);"><code>rstp</code></span>. For some devices, this can disable hardware offloading because specific switch chips do not support this feature. See the<span> </span><a href="https://help.mikrotik.com/docs/display/ROS/Bridging+and+Switching#BridgingandSwitching-BridgeHardwareOffloading" rel="nofollow">Bridge Hardware Offloading</a><span> </span>section with supported features.</p></div></div><p>These examples assume that<span> </span><strong>ether1</strong><span> </span>is the trunk port and<span> </span><strong>ether2</strong><span> </span>is the access port, configured as follows:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface ethernet switch port
set ether1 vlan-header=add-if-missing
set ether2 default-vlan-id=100 vlan-header=always-strip
/interface ethernet switch vlan
add ports=ether1,ether2,switch1-cpu switch=switch1 vlan-id=100</pre>
</div></div><h3 id="SwitchChipFeatures-Tagged"><span class="mw-headline">Tagged</span></h3><p>To make the device accessible only from a certain VLAN, you need to create a new VLAN interface on the bridge interface and assign an IP address to it:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface vlan
add name=MGMT vlan-id=99 interface=bridge1
/ip address
add address=192.168.99.1/24 interface=MGMT</pre>
</div></div><p>Specify which interfaces are allowed to access the device:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface ethernet switch vlan
add ports=ether1,switch1-cpu switch=switch1 vlan-id=99</pre>
</div></div><p style="margin-left: 20.0px;"><br/></p><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>Only specify trunk ports in this VLAN table entry. It is not possible to allow access to the CPU with tagged traffic through an access port, since the access port will tag all ingress traffic with the specified<span> </span><span style="color: rgb(51,153,102);"><code>default-vlan-id</code></span><span> </span>value.</p></div></div><p>When the VLAN table is configured, you can enable<span> </span><span style="color: rgb(51,153,102);"><code>vlan-mode=secure</code></span><span> </span>to limit access to the CPU:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface ethernet switch port
set ether1 vlan-header=add-if-missing vlan-mode=secure
set ether2 default-vlan-id=100 vlan-header=always-strip vlan-mode=secure
set switch1-cpu vlan-header=leave-as-is vlan-mode=secure</pre>
</div></div><h3 id="SwitchChipFeatures-Untagged"><span class="mw-headline">Untagged</span></h3><p>To make the device accessible from the access port, create a VLAN interface with the same VLAN ID as set in<span> </span><span style="color: rgb(51,153,102);"><code>default-vlan-id</code></span>, for example, VLAN 100, and add an IP address to it:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface vlan
add name=VLAN100 vlan-id=100 interface=bridge1
/ip address
add address=192.168.100.1/24 interface=VLAN100</pre>
</div></div><p>Specify which access (untagged) ports are allowed to access the CPU:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface ethernet switch vlan
add ports=ether1,ether2,switch1-cpu switch=switch1 vlan-id=100</pre>
</div></div><div class="confluence-information-macro confluence-information-macro-warning"><span class="aui-icon aui-icon-small aui-iconfont-error confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>Most commonly an access (untagged) port is accompanied by a trunk (tagged) port. In case of untagged access to the CPU, you are forced to specify both the access port and the trunk port, this gives access to the CPU from the trunk port as well. Not always this is desired and a Firewall might be required on top of VLAN filtering.</p></div></div><p>When the VLAN table is configured, you can enable<span> </span><span style="color: rgb(51,153,102);"><code>vlan-mode=secure</code></span><span> </span>to limit access to the CPU:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface ethernet switch port
set ether1 vlan-header=add-if-missing vlan-mode=secure
set ether2 default-vlan-id=100 vlan-header=always-strip vlan-mode=secure
set switch1-cpu vlan-header=leave-as-is vlan-mode=secure</pre>
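<p>The trunk-port exposure described in the warning above can be checked mechanically. The following Python sketch is an added example, not part of the MikroTik documentation: it reads switch <code>port</code> and <code>vlan</code> lines in the form used on this page and reports which ports share a VLAN table entry with <code>switch1-cpu</code>. The function names, the finding texts and the rule that <code>always-strip</code> marks an access port and <code>add-if-missing</code> a trunk port are assumptions taken from this page's examples.</p>

```python
import shlex

CPU_PORT = "switch1-cpu"

# Constructed input: the "Untagged" management example from this page.
SAMPLE_EXPORT = """\
/interface ethernet switch vlan
add ports=ether1,ether2,switch1-cpu switch=switch1 vlan-id=100
/interface ethernet switch port
set ether1 vlan-header=add-if-missing vlan-mode=secure
set ether2 default-vlan-id=100 vlan-header=always-strip vlan-mode=secure
set switch1-cpu vlan-header=leave-as-is vlan-mode=secure
"""


def parse_export(text):
    """Return (ports, vlans) parsed from switch 'port' and 'vlan' menu lines."""
    ports, vlans, menu = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            menu = line  # remember which menu the following lines belong to
            continue
        words = shlex.split(line)
        props = dict(w.split("=", 1) for w in words[1:] if "=" in w)
        if menu == "/interface ethernet switch port" and words[0] == "set":
            ports.setdefault(words[1], {}).update(props)
        elif (menu == "/interface ethernet switch vlan"
              and words[0] == "add" and "vlan-id" in props):
            members = [p for p in props.get("ports", "").split(",") if p]
            vlans.append({"vlan-id": int(props["vlan-id"]), "ports": members})
    return ports, vlans


def cpu_reachability(vlans):
    """Map vlan-id -> sorted ports that share a VLAN table entry with the CPU."""
    reach = {}
    for entry in vlans:
        if CPU_PORT in entry["ports"]:
            members = reach.setdefault(entry["vlan-id"], set())
            members.update(p for p in entry["ports"] if p != CPU_PORT)
    return {vid: sorted(m) for vid, m in reach.items()}


def audit(text):
    """Return (vlan-id, port, finding) tuples for CPU-facing VLAN entries."""
    ports, vlans = parse_export(text)
    # Assumption from this page's examples: always-strip plus default-vlan-id
    # marks an access port, add-if-missing marks a trunk port.
    access_vlan_ids = {
        int(p["default-vlan-id"]) for p in ports.values()
        if p.get("vlan-header") == "always-strip" and "default-vlan-id" in p
    }
    findings = []
    for vid, members in sorted(cpu_reachability(vlans).items()):
        # Without vlan-mode=secure the VLAN table is not strictly enforced.
        for name in members + [CPU_PORT]:
            if ports.get(name, {}).get("vlan-mode") != "secure":
                findings.append((vid, name, "vlan-mode is not secure"))
        # The case from the warning: the trunk port is a member of the
        # untagged management VLAN and therefore reaches the CPU as well.
        for name in members:
            is_trunk = ports.get(name, {}).get("vlan-header") == "add-if-missing"
            if is_trunk and vid in access_vlan_ids:
                findings.append((vid, name, "trunk port reaches CPU in access VLAN"))
    return findings


if __name__ == "__main__":
    print(cpu_reachability(parse_export(SAMPLE_EXPORT)[1]))
    for finding in audit(SAMPLE_EXPORT):
        print(finding)
```

<p>A trunk finding is not a misconfiguration in itself, because the switch chip cannot avoid it in this layout; it marks the VLAN where a firewall rule is needed if trunk-side hosts should not reach the device.</p>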
</div></div><p><br/></p><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>To set up the management port using untagged traffic on a device with the<span> </span><strong>Atheros7240</strong><span> </span>switch chip, you will need to set<span> </span><span style="color: rgb(51,153,102);"><code>vlan-header=add-if-missing</code></span><span> </span>for the CPU port.</p></div></div><h3 id="SwitchChipFeatures-Untaggedfromtaggedport"><span class="mw-headline">Untagged from tagged port</span></h3><p>It is possible to allow access to the device from the trunk (tagged) port with untagged traffic. To do so, assign an IP address on the bridge interface:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/ip address
add address=10.0.0.1/24 interface=bridge1</pre>
</div></div><p>Specify which ports are allowed to access the CPU. Use the<span> </span><span style="color: rgb(51,153,102);"><code>vlan-id</code></span><span> </span>that is set as<span> </span><span style="color: rgb(51,153,102);"><code>default-vlan-id</code></span><span> </span>on the switch-cpu and trunk ports; by default it is set to 0 or 1.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface ethernet switch vlan
add ports=ether1,switch1-cpu switch=switch1 vlan-id=1</pre>
</div></div><p>When the VLAN table is configured, you can enable<span> </span><code>vlan-mode=secure</code><span> </span>to limit access to the CPU:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface ethernet switch port
set ether1 default-vlan-id=1 vlan-header=add-if-missing vlan-mode=secure
set switch1-cpu default-vlan-id=1 vlan-header=leave-as-is vlan-mode=secure</pre>
</div></div><p><strong> </strong></p><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>This configuration example is not possible for devices with the<span> </span><strong>Atheros8316</strong><span> </span>and<span> </span><strong>Atheros7240</strong><span> </span>switch chips. For devices with<span> </span><strong>QCA8337</strong><span> </span>and<span> </span><strong>Atheros8327</strong><span> </span>switch chips, it is possible to use any other<span> </span><span style="color: rgb(51,153,102);"><code>default-vlan-id</code></span><span> </span>as long as it stays the same on switch-cpu and trunk ports. For devices with the<span> </span><strong>Atheros8227</strong><span> </span>switch chip, only<span> </span><span style="color: rgb(51,153,102);"><code>default-vlan-id=0</code> </span>can be used and the trunk port must use<span> </span><span style="color: rgb(51,153,102);"><code>vlan-header=leave-as-is</code></span>.</p></div></div><h2 id="SwitchChipFeatures-Inter-VLANrouting"><span class="mw-headline">Inter-VLAN routing</span></h2><p><span class="mw-headline"><span style="color: rgb(32,33,34);">Many MikroTik devices come with a built-in switch chip that can be used to greatly improve overall throughput when configured properly. 
Devices with a switch chip can be used as a router and a switch at the same time, which makes it possible to use a single device instead of multiple devices for your network.</span></span></p><p><span class="confluence-embedded-file-wrapper image-center-wrapper"><img class="confluence-embedded-image image-center" draggable="false" src="https://help.mikrotik.com/docs/download/attachments/15302988/Switch_router.jpg?version=1&modificationDate=1654752884582&api=v2" data-image-src="https://help.mikrotik.com/docs/download/attachments/15302988/Switch_router.jpg?version=1&modificationDate=1654752884582&api=v2" data-unresolved-comment-count="0" data-linked-resource-id="131366957" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="Switch_router.jpg" data-base-url="https://help.mikrotik.com/docs" data-linked-resource-content-type="image/jpeg" data-linked-resource-container-id="15302988" data-linked-resource-container-version="75" alt=""></span></p><p><br/></p><p>For this type of setup to work, you must switch all required ports together:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether2 hw=yes
add bridge=bridge1 interface=ether3 hw=yes</pre>
</div></div><p>Create a VLAN interface for each VLAN ID and assign an IP address to it:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface vlan
add interface=bridge1 name=VLAN10 vlan-id=10
add interface=bridge1 name=VLAN20 vlan-id=20
/ip address
add address=192.168.10.1/24 interface=VLAN10
add address=192.168.20.1/24 interface=VLAN20</pre>
</div></div><p>Set up a DHCP server for each VLAN:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/ip pool
add name=POOL10 ranges=192.168.10.100-192.168.10.200
add name=POOL20 ranges=192.168.20.100-192.168.20.200
/ip dhcp-server
add address-pool=POOL10 disabled=no interface=VLAN10 name=DHCP10
add address-pool=POOL20 disabled=no interface=VLAN20 name=DHCP20
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=8.8.8.8 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=8.8.8.8 gateway=192.168.20.1</pre>
</div></div><p>Enable NAT on the device:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1</pre>
</div></div><p>Add each port to the VLAN table and allow these ports to access the CPU to make DHCP and routing work:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface ethernet switch vlan
add independent-learning=yes ports=ether2,switch1-cpu switch=switch1 vlan-id=10
add independent-learning=yes ports=ether3,switch1-cpu switch=switch1 vlan-id=20</pre>
</div></div><p>Specify each port to be an access port, and enable secure VLAN mode on each port and on the switch1-cpu port:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface ethernet switch port
set ether2 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
set ether3 default-vlan-id=20 vlan-header=always-strip vlan-mode=secure
set switch1-cpu vlan-mode=secure</pre>
</div></div><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>On <strong>QCA8337</strong> and <strong>Atheros8327</strong> switch chips, a default <span style="color: rgb(51,153,102);"><code>vlan-header=leave-as-is</code></span> property should be used. The switch chip will determine which ports are access ports by using the <span style="color: rgb(51,153,102);"><code>default-vlan-id</code></span> property. The <span style="color: rgb(51,153,102);"><code>default-vlan-id</code></span> should only be used on access/hybrid ports to specify which VLAN the untagged ingress traffic is assigned to.</p></div></div><p><span style="color: rgb(32,33,34);">If your device has a switch rule table, then you can limit access between VLANs on a hardware level. As soon as you add an IP address on the VLAN interface you enable inter-VLAN routing, but this can be limited on a hardware level while preserving DHCP Server and other router-related services. To do so, use these ACL rules. With this type of configuration, you can achieve isolated port groups using VLANs.</span></p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface ethernet switch rule
add dst-address=192.168.20.0/24 new-dst-ports="" ports=ether2 switch=switch1
add dst-address=192.168.10.0/24 new-dst-ports="" ports=ether3 switch=switch1</pre>
</div></div><h1 id="SwitchChipFeatures-Seealso"><span class="mw-headline">See also</span></h1><ul><li><a class="external-link" href="https://wiki.mikrotik.com/wiki/Manual:Switch_Router" rel="nofollow" style="text-decoration: none;" title="Manual:Switch Router">Switch Router</a></li><li><a href="https://help.mikrotik.com/docs/display/ROS/Basic+VLAN+switching" rel="nofollow">Basic VLAN Switching</a></li><li><a href="https://help.mikrotik.com/docs/display/ROS/Bridging+and+Switching#BridgingandSwitching-BridgeHardwareOffloading" rel="nofollow">Bridge Hardware Offloading</a></li><li><a href="https://help.mikrotik.com/docs/display/ROS/Spanning+Tree+Protocol" rel="nofollow">Spanning Tree Protocol</a></li><li><a href="https://help.mikrotik.com/docs/display/ROS/Bridging+and+Switching#BridgingandSwitching-DHCPSnoopingandDHCPOption82" rel="nofollow">DHCP Snooping and Option 82</a></li><li><a href="https://help.mikrotik.com/docs/display/ROS/MTU+in+RouterOS" rel="nofollow">MTU on RouterBOARD</a></li><li><a href="https://help.mikrotik.com/docs/display/ROS/Layer2+misconfiguration" rel="nofollow">Layer2 misconfiguration</a></li><li><a class="external-link" href="https://wiki.mikrotik.com/wiki/Manual:Master-port" rel="nofollow" style="text-decoration: none;" title="Manual:Master-port">Master-port</a></li></ul>
</div>
<div style="padding: 10px 0;">
<a href="https://help.mikrotik.com/docs/display/ROS/Switch+Chip+Features">View Online</a>
·
<a href="https://help.mikrotik.com/docs/pages/diffpagesbyversion.action?pageId=15302988&revisedVersion=75&originalVersion=74">View Changes Online</a>
</div>
</div>Guntis G.2020-02-10T14:44:35ZQuality of Service (QoS)Guntis G.tag:help.mikrotik.com,2009:page-189497483-192024-03-28T16:40:00Z2023-05-10T12:49:14Z<div class="feed"> <p>
Page
<b>edited</b> by
<a href=" https://help.mikrotik.com/docs/display/~guntis
">Guntis G.</a>
- "formatting"
</p>
<div style="border-top: 1px solid #ddd; border-bottom: 1px solid #ddd; padding: 10px;">
<p><style type='text/css'>/*<![CDATA[*/
div.rbtoc1711701162729 {padding: 0px;}
div.rbtoc1711701162729 ul {margin-left: 0px;}
div.rbtoc1711701162729 li {margin-left: 0px;padding-left: 0px;}
/*]]>*/</style><div class='toc-macro rbtoc1711701162729'>
<ul class='toc-indentation'>
<li><a href='#QualityofService(QoS)-Overview'>Overview</a></li>
<li><a href='#QualityofService(QoS)-QoSTerminology'>QoS Terminology</a></li>
<li><a href='#QualityofService(QoS)-BasicConfigurationExample'>Basic Configuration Example</a></li>
<li><a href='#QualityofService(QoS)-UnderstandingMapranges'>Understanding Map ranges</a></li>
<li><a href='#QualityofService(QoS)-UnderstandingPort,ProfileandMaprelation'>Understanding Port, Profile and Map relation</a></li>
<li><a href='#QualityofService(QoS)-PropertyReference'>Property Reference</a>
<ul class='toc-indentation'>
<li><a href='#QualityofService(QoS)-Switchsettings'>Switch settings</a></li>
<li><a href='#QualityofService(QoS)-Portsettings'>Port settings</a></li>
<li><a href='#QualityofService(QoS)-QoSSettings'>QoS Settings</a></li>
<li><a href='#QualityofService(QoS)-QoSProfile'>QoS Profile</a></li>
<li><a href='#QualityofService(QoS)-QoSMapping'>QoS Mapping</a></li>
<li><a href='#QualityofService(QoS)-VLANMap'>VLAN Map</a></li>
<li><a href='#QualityofService(QoS)-DSCPMap'>DSCP Map</a></li>
</ul>
</li>
</ul>
</div></p><h1 id="QualityofService(QoS)-Overview">Overview</h1><p>This document defines <strong>Quality of Service (QoS)</strong> usage in RouterOS based on<strong> Marvell Prestera DX switch chips </strong>(CRS3xx, CRS5xx series switches, and CCR2116, CCR2216 routers). </p><p>QoS is a set of features in network switches that allow network administrators to prioritize traffic and allocate network resources to ensure that important data flows smoothly and with low latency.</p><p>The primary function of QoS in network switches is to manage network traffic in a way that meets the specific requirements of different types of network applications. For example, voice and video data require low latency and minimal packet loss to ensure high-quality communication, while file transfers and other data applications can tolerate higher levels of latency and packet loss.</p><p>QoS works by identifying the type of traffic flowing through the switch and assigning it a priority level based on its requirements. The switch can then use this information to alter packet headers and prioritize the flow of traffic, ensuring that higher-priority traffic is given preferential treatment over lower-priority traffic.</p><p>The current implementation is for <strong>QoS Phase 1 - QoS Marking </strong>(introduced in RouterOS v7.10).</p><p>Planned QoS implementation phases:</p><ol><li><strong>QoS Marking.</strong> QoS profile matching by ingress packet headers, then egress header alternation according to the assigned QoS profiles.</li><li><strong>QoS Enforcement</strong>. Avoid or resolve congestion based on the assigned QoS profiles and traffic shaping.</li><li><strong>QoS Policy</strong>. 
Assign QoS profiles via ACL rules.</li></ol><h1 id="QualityofService(QoS)-QoSTerminology">QoS Terminology</h1><p>These terms will be used throughout the article.</p><ul><li><strong>QoS</strong> - Quality of Service.</li><li><strong>ACL</strong> - Access Control List, a set of switch rules used to filter network traffic based on specified criteria.</li><li><strong>DSCP</strong> - Differentiated Services Code Point, a 6-bit field in the IP header used to prioritize network traffic.</li><li><strong>PCP</strong> - Priority Code Point, a 3-bit field in the VLAN header used to prioritize traffic within a VLAN.</li></ul><h1 id="QualityofService(QoS)-BasicConfigurationExample">Basic Configuration Example</h1><p>In this example, we define just one QoS level - VoIP (IP Telephony) on top of the standard "Best Effort" class. Let's imagine that we have a CRS326-24G-2S+ device where:</p><ul><li>all ports are bridged and using <strong><a href="https://help.mikrotik.com/docs/display/ROS/Bridging+and+Switching#BridgingandSwitching-BridgeVLANFiltering" rel="nofollow">vlan-filtering</a></strong>;</li><li>sfp-sfpplus1 is a VLAN trunk connected to another switch;</li><li>ether1-ether9 are dedicated ports for IP phones;</li><li>ether10-ether24 are standard ports for host connection;</li></ul><p>First, we need to define QoS profiles. Defined <span style="color: rgb(51,153,102);"><code>dscp</code></span> and <span style="color: rgb(51,153,102);"><code>pcp</code></span> values will be used in forwarded packets on egress:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface ethernet switch qos profile
add dscp=46 name=voip pcp=5</pre>
</div></div><p><span>Port-based QoS profile assignment on dedicated ports for IP phones applies to ingress traffic. Other Ethernet ports will use the default <span style="color: rgb(51,153,102);"><code>qos-profile</code></span> (where <span style="color: rgb(51,153,102);"><code>dscp=0</code></span> and <span style="color: rgb(51,153,102);"><code>pcp=0</code></span>):</span></p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface ethernet switch port
set ether1 qos-profile=voip
set ether2 qos-profile=voip
set ether3 qos-profile=voip
set ether4 qos-profile=voip
set ether5 qos-profile=voip
set ether6 qos-profile=voip
set ether7 qos-profile=voip
set ether8 qos-profile=voip
set ether9 qos-profile=voip</pre>
</div></div><p><span>The trunk port receives both types of QoS traffic. We need to create VLAN priority mapping with the QoS profile and enable <span style="color: rgb(51,153,102);"><code>qos-trust-l2</code></span> to differentiate them:</span></p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface ethernet switch qos map vlan
add pcp=5 qos-profile=voip
/interface ethernet switch port
set sfp-sfpplus1 qos-trust-l2=trust</pre>
</div></div><p>Finally, enable QoS hardware offloading for the above settings to start working:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface ethernet switch
set switch1 qos-hw-offloading=yes</pre>
</div></div><p>You can verify the port QoS profile and the Layer 2 and Layer 3 trust settings with the <code><span style="color: rgb(0,0,0);">print qos</span></code> command:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@MikroTik] /interface/ethernet/switch/port print qos
Columns: NAME, SWITCH, QOS-PROFILE, QOS-MAP, QOS-TRUST-L2, QOS-TRUST-L3
 #  NAME          SWITCH   QOS-PROFILE  QOS-MAP  QOS-TRUST-L2  QOS-TRUST-L3
 0  ether1        switch1  voip         default  ignore        ignore
 1  ether2        switch1  voip         default  ignore        ignore
 2  ether3        switch1  voip         default  ignore        ignore
 3  ether4        switch1  voip         default  ignore        ignore
 4  ether5        switch1  voip         default  ignore        ignore
 5  ether6        switch1  voip         default  ignore        ignore
 6  ether7        switch1  voip         default  ignore        ignore
 7  ether8        switch1  voip         default  ignore        ignore
 8  ether9        switch1  voip         default  ignore        ignore
 9  ether10       switch1  default      default  ignore        ignore
10  ether11       switch1  default      default  ignore        ignore
11  ether12       switch1  default      default  ignore        ignore
12  ether13       switch1  default      default  ignore        ignore
13  ether14       switch1  default      default  ignore        ignore
14  ether15       switch1  default      default  ignore        ignore
15  ether16       switch1  default      default  ignore        ignore
16  ether17       switch1  default      default  ignore        ignore
17  ether18       switch1  default      default  ignore        ignore
18  ether19       switch1  default      default  ignore        ignore
19  ether20       switch1  default      default  ignore        ignore
20  ether21       switch1  default      default  ignore        ignore
21  ether22       switch1  default      default  ignore        ignore
22  ether23       switch1  default      default  ignore        ignore
23  ether24       switch1  default      default  ignore        ignore
24  sfp-sfpplus1  switch1  default      default  trust         ignore
25  sfp-sfpplus2  switch1  default      default  ignore        ignore
26  switch1-cpu   switch1</pre>
</div></div><p>Now incoming packets on ports ether1-ether9 are marked with a Priority Code Point (PCP) value of 5 and a Differentiated Services Code Point (DSCP) value of 46, and incoming packets on ports ether10-ether24 are marked with PCP and DSCP values of 0. On the sfp-sfpplus1 port, incoming packets with a PCP value of 5 or higher will retain their PCP value of 5 and DSCP value of 46, while all other packets will be marked with PCP and DSCP values of 0.</p><h1 id="QualityofService(QoS)-UnderstandingMapranges">Understanding Map ranges</h1><p>To avoid the need to define all possible PCP and DSCP mappings, RouterOS allows setting the <em>minimal</em> PCP and DSCP values for QoS Profile mapping.</p><p>In the following example, PCP values 0-2 use the default QoS profile, 3-4 use streaming, 5 uses voip, and 6-7 use control:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface ethernet switch qos map vlan
add pcp=3 qos-profile=streaming
add pcp=5 qos-profile=voip
add pcp=6 qos-profile=control</pre>
</div></div><p>Since the <span style="color: rgb(51,153,102);"><code>pcp</code> </span>parameter identifies the <em>minimum</em> value, all packets with a higher PCP value match too. If such behavior is undesired, add a mapping for the higher values. The next example sets the voip profile for <code><span style="color: rgb(51,153,102);">pcp=5</span></code> only. Packets with PCP values 6 or 7 are reset back to the default profile.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface ethernet switch qos map vlan
add pcp=5 qos-profile=voip
add pcp=6 qos-profile=default</pre>
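<p>The minimum-match rule and the trunk trust setting from the Basic Configuration Example, modelled in Python as an added example (not RouterOS code and not from the MikroTik documentation), to show which PCP values a map really covers. The function names are assumptions, only the <code>ignore</code> and <code>trust</code> values of <code>qos-trust-l2</code> are modelled, and Layer 3 trust is left at <code>ignore</code>.</p>

```python
from bisect import bisect_right

# Profiles whose egress values appear on this page: name -> (pcp, dscp).
PROFILES = {"default": (0, 0), "voip": (5, 46)}


def resolve_pcp(vlan_map, pcp):
    """Resolve a PCP value against a map of {minimum_pcp: profile_name}.

    The entry with the largest minimum that does not exceed `pcp` wins.
    If no entry qualifies, the lookup fails and 'default' is used.
    """
    if not 0 <= pcp <= 7:
        raise ValueError("PCP is a 3-bit field (0-7)")
    floors = sorted(vlan_map)
    idx = bisect_right(floors, pcp)
    return vlan_map[floors[idx - 1]] if idx else "default"


def coverage(vlan_map):
    """Expand a minimum-based map into the profile chosen for each PCP 0-7."""
    return {pcp: resolve_pcp(vlan_map, pcp) for pcp in range(8)}


def overmatch(vlan_map, profile, intended_pcps):
    """PCP values that resolve to `profile` although they were not intended to."""
    return [pcp for pcp, name in coverage(vlan_map).items()
            if name == profile and pcp not in intended_pcps]


def classify_l2(port_profile, trust_l2, vlan_map, pcp=None):
    """Pick the QoS profile for an ingress frame; pcp=None means untagged.

    ignore: the port's qos-profile is forced on every frame.
    trust:  tagged frames are looked up by PCP, untagged frames use the
            port's qos-profile.
    """
    if trust_l2 == "ignore":
        return port_profile
    if trust_l2 == "trust":
        return resolve_pcp(vlan_map, pcp) if pcp is not None else port_profile
    raise ValueError("only qos-trust-l2=ignore|trust are modelled here")


def egress_marking(profile_name):
    """(pcp, dscp) written to forwarded packets for the selected profile."""
    return PROFILES[profile_name]


if __name__ == "__main__":
    trunk_map = {5: "voip"}  # add pcp=5 qos-profile=voip
    print(coverage(trunk_map))
    # A frame tagged PCP 7 on the trusted trunk is classified as voip.
    chosen = classify_l2("default", "trust", trunk_map, pcp=7)
    print(chosen, egress_marking(chosen))
    # Adding pcp=6 -> default limits voip to PCP 5 only.
    print(overmatch({5: "voip", 6: "default"}, "voip", {5}))
```

<p>Running <code>overmatch</code> against the map of every port with <code>qos-trust-l2=trust</code> shows which markings a neighbouring device can set to obtain a higher-priority profile than intended.</p>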
</div></div><h1 id="QualityofService(QoS)-UnderstandingPort,ProfileandMaprelation"><span class="mw-headline">Understanding Port, Profile and Map relation</span></h1><p><span class="mw-headline">Each switch port has Layer2 and Layer3 trust settings, that will change how ingress packets are classified into QoS profiles and what PCP and DSCP values will be used. Below are tables that describe all possible options:</span></p><div class="table-wrap"><table class="wrapped confluenceTable"><tbody class=""><tr class=""><th class="confluenceTh"><strong style="text-align: left;">qos-trust-l2</strong></th><th class="confluenceTh"><strong style="text-align: left;">qos-trust-l3</strong></th><th class="confluenceTh">Behavior</th></tr><tr class=""><td class="confluenceTd"><strong>ignore</strong></td><td class="confluenceTd"><strong>ignore</strong></td><td class="confluenceTd">The port is considered untrusted. Both headers are ignored, and the port's <strong>qos-profile</strong> is forced to all ingress packets. This is the default setting.</td></tr><tr class=""><td class="confluenceTd"><strong>ignore</strong></td><td class="confluenceTd"><strong>trust</strong></td><td class="confluenceTd">Trust the Layer 3 header. Use the DSCP field from the IP header of ingress packets for QoS profile lookup (see <span style="color: rgb(51,153,102);"><code>/in/eth/sw/qos/map/ip</code></span>). If the lookup fails (no QoS profiles are mapped to the given DSCP value), the <strong>default</strong> profile is used (not the switch port's qos-profile). The switch port's <strong>qos-profile</strong> field is used only for non-IP traffic.</td></tr><tr class=""><td class="confluenceTd"><strong>ignore</strong></td><td class="confluenceTd"><strong>keep</strong></td><td class="confluenceTd">Trust the Layer 3 header. Use the DSCP field from the IP header of ingress packets for QoS profile lookup (see <span style="color: rgb(51,153,102);"><code>/in/eth/sw/qos/map/ip</code></span>). 
If the lookup fails, the <strong>default</strong> profile is used. The switch port's <strong>qos-profile</strong> field is used only for non-IP traffic. If the forwarded/routed packet is VLAN-tagged, its PCP value is set from the selected QoS profile. However, the original DSCP value of the packet is kept intact.</td></tr><tr class=""><td class="confluenceTd"><strong>trust</strong></td><td class="confluenceTd"><strong>ignore</strong></td><td class="confluenceTd">Trust the Layer 2 header but ignore L3. If an ingress packet is VLAN-tagged, use the PCP field from the VLAN header for QoS profile lookup (see <span style="color: rgb(51,153,102);"><code>/in/eth/sw/qos/map/vlan</code></span>). If the lookup fails (no QoS profiles are mapped to the given PCP value), the <strong>default</strong> profile is used. The switch port's <strong>qos-profile</strong> field is used only for untagged traffic.</td></tr><tr class=""><td class="confluenceTd"><strong>trust</strong></td><td class="confluenceTd"><strong>trust</strong></td><td class="confluenceTd">Trust both headers, but Layer 3 has higher precedence. In the case of an IP packet, use the DSCP field for QoS profile lookup (see <span style="color: rgb(51,153,102);"><code>/in/eth/sw/qos/map/ip</code></span>). If the DSCP-to-QoS lookup fails, use the <strong>default</strong> profile. If the packet is not an IP packet but is VLAN-tagged, use the PCP field from the VLAN header for QoS profile lookup (see <span style="color: rgb(51,153,102);"><code>/in/eth/sw/qos/map/vlan</code></span>). If the VLAN-to-QoS lookup fails, use the <strong>default</strong> profile. 
Non-IP untagged packets use the switch port's <strong>qos-profile</strong>.</td></tr><tr class=""><td class="confluenceTd"><strong>trust</strong></td><td class="confluenceTd"><strong>keep</strong></td><td class="confluenceTd">The same as <strong>trust+trust</strong>, but the original DSCP value is preserved in forwarded/routed packets.</td></tr><tr class=""><td class="confluenceTd"><strong>keep</strong></td><td class="confluenceTd"><strong>ignore</strong></td><td class="confluenceTd">Trust the Layer 2 header but ignore L3. If an ingress packet is VLAN-tagged, use the PCP field from the VLAN header for QoS profile lookup (see <span style="color: rgb(51,153,102);"><code>/in/eth/sw/qos/map/vlan</code></span>). If the lookup fails (no QoS profiles are mapped to the given PCP value), the <strong>default</strong> profile is used. The switch port's <strong>qos-profile</strong> field is used only for untagged traffic. If the packet is VLAN-tagged on both ingress and egress, the original PCP value is kept.</td></tr><tr class=""><td class="confluenceTd"><strong>keep</strong></td><td class="confluenceTd"><strong>trust</strong></td><td class="confluenceTd">Trust both headers, but Layer 3 has higher precedence. In the case of an IP packet, use the DSCP field for QoS profile lookup (see <span style="color: rgb(51,153,102);"><code>/in/eth/sw/qos/map/ip</code></span>). If the DSCP-to-QoS lookup fails, use the <strong>default</strong> profile. If the packet is not an IP packet but is VLAN-tagged, use the PCP field from the VLAN header for QoS profile lookup (see <span style="color: rgb(51,153,102);"><code>/in/eth/sw/qos/map/vlan</code></span>). If the VLAN-to-QoS lookup fails, use the <strong>default</strong> profile. Non-IP untagged packets use the switch port's <strong>qos-profile</strong>. If the packet is VLAN-tagged on both ingress and egress, the original PCP value is kept. 
The DSCP value in forwarded/routed packets is set from the selected QoS profile.</td></tr><tr class=""><td class="confluenceTd"><strong>keep</strong></td><td class="confluenceTd"><strong>keep</strong></td><td class="confluenceTd">Trust both headers, but Layer 3 has higher precedence. In the case of an IP packet, use the DSCP field for QoS profile lookup (see <span style="color: rgb(51,153,102);"><code>/in/eth/sw/qos/map/ip</code></span>). If the DSCP-to-QoS lookup fails, use the <strong>default</strong> profile. If the packet is not an IP packet but is VLAN-tagged, use the PCP field from the VLAN header for QoS profile lookup (see <span style="color: rgb(51,153,102);"><code>/in/eth/sw/qos/map/vlan</code></span>). If the VLAN-to-QoS lookup fails, use the <strong>default</strong> profile. Non-IP untagged packets use the switch port's <strong>qos-profile</strong>. Keep both the original PCP and/or DSCP values intact in cases of VLAN-tagged and/or IP packets, respectively.</td></tr></tbody></table></div><div class="table-wrap"><table class="wrapped confluenceTable"><colgroup class=""><col class=""/><col class=""/><col class=""/><col class=""/><col class=""/><col class=""/><col class=""/><col class=""/><col class=""/><col class=""/><col class=""/><col class=""/><col class=""/><col class=""/></colgroup><tbody class=""><tr class=""><th style="text-align: center;" colspan="2" class="confluenceTh"><strong style="text-align: left;">Port settings</strong><strong style="text-align: left;"><br/></strong></th><th style="text-align: center;" colspan="12" class="confluenceTh">The selected QoS profile and the source for PCP / DSCP field values in forwarded/routed packets</th></tr><tr class=""><th style="text-align: center;" rowspan="2" class="confluenceTh"><strong style="text-align: left;">qos-trust-l2</strong><br/><strong style="text-align: left;"> </strong></th><th style="text-align: center;" rowspan="2" class="confluenceTh"><strong style="text-align: 
left;">qos-trust-l3</strong><strong style="text-align: left;"><br/></strong></th><th style="text-align: center;" colspan="3" class="confluenceTh">VLAN-Tagged IP</th><th style="text-align: center;" colspan="3" class="confluenceTh">Untagged IP</th><th style="text-align: center;" colspan="3" class="confluenceTh">VLAN-Tagged Non-IP</th><th style="text-align: center;" colspan="3" class="confluenceTh">Untagged Non-IP</th></tr><tr class=""><th style="text-align: center;" class="confluenceTh">QoS Profile</th><th style="text-align: center;" class="confluenceTh">PCP</th><th style="text-align: center;" class="confluenceTh">DSCP</th><th style="text-align: center;" class="confluenceTh">QoS Profile</th><th style="text-align: center;" class="confluenceTh">PCP <em><sup>1</sup></em></th><th style="text-align: center;" class="confluenceTh">DSCP</th><th style="text-align: center;" class="confluenceTh">QoS Profile</th><th style="text-align: center;" class="confluenceTh">PCP</th><th style="text-align: center;" class="confluenceTh">DSCP</th><th style="text-align: center;" class="confluenceTh">QoS Profile</th><th style="text-align: center;" class="confluenceTh">PCP <em><sup>1</sup></em></th><th style="text-align: center;" class="confluenceTh">DSCP</th></tr><tr class=""><td style="text-align: center;" class="confluenceTd">ignore</td><td style="text-align: center;" class="confluenceTd">ignore</td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" data-highlight-colour="#e3fcef">qos-profile</td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" data-highlight-colour="#e3fcef">qos-profile</td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" data-highlight-colour="#e3fcef">qos-profile</td><td style="text-align: center;" class="confluenceTd">qos-profile</td><td style="text-align: center;" class="confluenceTd">qos-profile</td><td style="text-align: center;" class="confluenceTd">qos-profile</td><td class="highlight-#e3fcef 
confluenceTd" style="text-align: center;" data-highlight-colour="#e3fcef">qos-profile</td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" data-highlight-colour="#e3fcef">qos-profile</td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" data-highlight-colour="#e3fcef">-</td><td style="text-align: center;" class="confluenceTd">qos-profile</td><td style="text-align: center;" class="confluenceTd">qos-profile</td><td style="text-align: center;" class="confluenceTd">-</td></tr><tr class=""><td style="text-align: center;" class="confluenceTd">ignore</td><td style="text-align: center;" class="confluenceTd">trust</td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" data-highlight-colour="#e3fcef">map/ip</td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" data-highlight-colour="#e3fcef">map/ip</td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" data-highlight-colour="#e3fcef">map/ip</td><td style="text-align: center;" class="confluenceTd">map/ip</td><td style="text-align: center;" class="confluenceTd">map/ip</td><td style="text-align: center;" class="confluenceTd">map/ip</td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" data-highlight-colour="#e3fcef">qos-profile</td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" data-highlight-colour="#e3fcef">qos-profile</td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" data-highlight-colour="#e3fcef">-</td><td style="text-align: center;" class="confluenceTd">qos-profile</td><td style="text-align: center;" class="confluenceTd">qos-profile</td><td style="text-align: center;" class="confluenceTd">-</td></tr><tr class=""><td style="text-align: center;" class="confluenceTd">ignore</td><td style="text-align: center;" class="confluenceTd">keep</td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" data-highlight-colour="#e3fcef">map/ip</td><td 
class="highlight-#e3fcef confluenceTd" style="text-align: center;" data-highlight-colour="#e3fcef">map/ip</td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" data-highlight-colour="#e3fcef">original</td><td style="text-align: center;" class="confluenceTd">map/ip</td><td style="text-align: center;" class="confluenceTd">map/ip</td><td style="text-align: center;" class="confluenceTd">original</td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" data-highlight-colour="#e3fcef">qos-profile</td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" data-highlight-colour="#e3fcef">qos-profile</td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" data-highlight-colour="#e3fcef">-</td><td style="text-align: center;" class="confluenceTd">qos-profile</td><td style="text-align: center;" class="confluenceTd">qos-profile</td><td style="text-align: center;" class="confluenceTd">-</td></tr><tr class=""><td style="text-align: center;" class="confluenceTd">trust</td><td style="text-align: center;" class="confluenceTd">ignore</td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" data-highlight-colour="#e3fcef">map/vlan</td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" data-highlight-colour="#e3fcef">map/vlan</td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" data-highlight-colour="#e3fcef">map/vlan</td><td style="text-align: center;" class="confluenceTd">qos-profile</td><td style="text-align: center;" class="confluenceTd">qos-profile</td><td style="text-align: center;" class="confluenceTd">qos-profile</td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" data-highlight-colour="#e3fcef">map/vlan</td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" data-highlight-colour="#e3fcef">map/vlan</td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" 
data-highlight-colour="#e3fcef">-</td><td style="text-align: center;" class="confluenceTd">qos-profile</td><td style="text-align: center;" class="confluenceTd">qos-profile</td><td style="text-align: center;" class="confluenceTd">-</td></tr><tr class=""><td style="text-align: center;" class="confluenceTd">trust</td><td style="text-align: center;" class="confluenceTd">trust</td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" data-highlight-colour="#e3fcef">map/ip</td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" data-highlight-colour="#e3fcef">map/ip</td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" data-highlight-colour="#e3fcef">map/ip</td><td style="text-align: center;" class="confluenceTd">map/ip</td><td style="text-align: center;" class="confluenceTd">map/ip</td><td style="text-align: center;" class="confluenceTd">map/ip</td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" data-highlight-colour="#e3fcef">map/vlan</td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" data-highlight-colour="#e3fcef">map/vlan</td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" data-highlight-colour="#e3fcef">-</td><td style="text-align: center;" class="confluenceTd">qos-profile</td><td style="text-align: center;" class="confluenceTd">qos-profile</td><td style="text-align: center;" class="confluenceTd">-</td></tr><tr class=""><td style="text-align: center;" class="confluenceTd">trust</td><td style="text-align: center;" class="confluenceTd">keep</td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" data-highlight-colour="#e3fcef">map/ip</td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" data-highlight-colour="#e3fcef">map/ip</td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" data-highlight-colour="#e3fcef">original</td><td style="text-align: center;" 
class="confluenceTd">map/ip</td><td style="text-align: center;" class="confluenceTd">map/ip</td><td style="text-align: center;" class="confluenceTd">original</td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" data-highlight-colour="#e3fcef">map/vlan</td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" data-highlight-colour="#e3fcef">map/vlan</td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" data-highlight-colour="#e3fcef">-</td><td style="text-align: center;" class="confluenceTd">qos-profile</td><td style="text-align: center;" class="confluenceTd">qos-profile</td><td style="text-align: center;" class="confluenceTd">-</td></tr><tr class=""><td style="text-align: center;" class="confluenceTd">keep</td><td style="text-align: center;" class="confluenceTd">ignore</td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" data-highlight-colour="#e3fcef">map/vlan</td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" data-highlight-colour="#e3fcef">original</td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" data-highlight-colour="#e3fcef">map/vlan</td><td style="text-align: center;" class="confluenceTd">qos-profile</td><td style="text-align: center;" class="confluenceTd">qos-profile</td><td style="text-align: center;" class="confluenceTd">qos-profile</td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" data-highlight-colour="#e3fcef">map/vlan</td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" data-highlight-colour="#e3fcef">original</td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" data-highlight-colour="#e3fcef">-</td><td style="text-align: center;" class="confluenceTd">qos-profile</td><td style="text-align: center;" class="confluenceTd">qos-profile</td><td style="text-align: center;" class="confluenceTd">-</td></tr><tr class=""><td style="text-align: center;" 
class="confluenceTd">keep</td><td style="text-align: center;" class="confluenceTd">trust</td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" data-highlight-colour="#e3fcef">map/ip</td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" data-highlight-colour="#e3fcef">original</td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" data-highlight-colour="#e3fcef">map/ip</td><td style="text-align: center;" class="confluenceTd">map/ip</td><td style="text-align: center;" class="confluenceTd">qos-profile</td><td style="text-align: center;" class="confluenceTd">map/ip</td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" data-highlight-colour="#e3fcef">map/vlan</td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" data-highlight-colour="#e3fcef">original</td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" data-highlight-colour="#e3fcef">-</td><td style="text-align: center;" class="confluenceTd">qos-profile</td><td style="text-align: center;" class="confluenceTd">qos-profile</td><td style="text-align: center;" class="confluenceTd">-</td></tr><tr class=""><td style="text-align: center;" class="confluenceTd">keep</td><td style="text-align: center;" class="confluenceTd">keep</td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" data-highlight-colour="#e3fcef">map/ip</td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" data-highlight-colour="#e3fcef">original</td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" data-highlight-colour="#e3fcef">original</td><td style="text-align: center;" class="confluenceTd">map/ip</td><td style="text-align: center;" class="confluenceTd">qos-profile</td><td style="text-align: center;" class="confluenceTd">original</td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" data-highlight-colour="#e3fcef">map/vlan</td><td 
class="highlight-#e3fcef confluenceTd" style="text-align: center;" data-highlight-colour="#e3fcef">original</td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" data-highlight-colour="#e3fcef">-</td><td style="text-align: center;" class="confluenceTd">qos-profile</td><td style="text-align: center;" class="confluenceTd">qos-profile</td><td style="text-align: center;" class="confluenceTd">-</td></tr></tbody></table></div><p><em><sup>1</sup> applies only when ingress traffic is untagged, but the egress needs to be VLAN-tagged.</em></p><h1 id="QualityofService(QoS)-PropertyReference"><span class="mw-headline">Property Reference</span></h1><h2 id="QualityofService(QoS)-Switchsettings"><span class="mw-headline">Switch settings</span></h2><p><strong style="text-decoration: none;">Sub-menu:<code> </code></strong><code>/interface/ethernet/switch</code></p><p>Switch QoS settings (in addition to the existing ones).</p><div class="table-wrap"><table class="wrapped confluenceTable"><colgroup class=""><col class=""/><col class=""/></colgroup><tbody class=""><tr class=""><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr class=""><td class="confluenceTd"><strong>qos-hw-offloading </strong>(<em>yes | no</em>; Default: <strong>no</strong>)</td><td class="confluenceTd">Allows enabling QoS for the given switch chip (if the latter supports QoS).</td></tr></tbody></table></div><h2 id="QualityofService(QoS)-Portsettings">Port settings</h2><p><strong style="text-decoration: none;">Sub-menu:<code> </code></strong><code>/interface/ethernet/switch/port</code></p><p>Switch port settings (in addition to the existing ones). Assigns a QoS profile to ingress packets on the given port. 
The assigned profile can be changed via match rules if the port is considered trusted.</p><p>By default, ports are untrusted and receive the default QoS profile (Best-Effort, PCP=0, DSCP=0), where priority fields are cleared from the egress packets.</p><div class="table-wrap"><table class="wrapped confluenceTable"><colgroup class=""><col class=""/><col class=""/></colgroup><tbody class=""><tr class=""><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr class=""><td class="confluenceTd"><strong>qos-map</strong> (<em>name</em>; Default: <strong>default</strong>)</td><td class="confluenceTd">Allows user-defined priority-to-profile mapping in the case of a trusted port or host (see <strong><code>/in/eth/sw/qos/map</code></strong>).</td></tr><tr class=""><td class="confluenceTd"><strong>qos-profile</strong> (<em>name</em>; Default: <strong>default</strong>)</td><td class="confluenceTd">The name of the QoS profile to assign to the ingress packets by default (see <strong><code>/in/eth/sw/qos/profile</code></strong>).</td></tr><tr class=""><td class="confluenceTd"><strong>qos-trust-l2</strong> (<em>ignore | trust | keep</em>; Default: <strong>ignore</strong>)</td><td class="confluenceTd"><p>Whether to trust the Layer 2 headers of the incoming packets (802.1p PCP field):</p><ul><li><strong>ignore</strong> - ignore the L2 header; use the port's <strong>qos-profile</strong> value for all incoming packets;</li><li><strong>trust</strong> - use the PCP field of VLAN-tagged packets for QoS profile lookup in <strong>qos-map</strong>. Untagged packets use the port's <strong>qos-profile</strong> value. Forwarded VLAN or priority-tagged packets receive the PCP value from the selected QoS profile (overwriting the original value).</li><li><strong>keep</strong> - trust but keep the original PCP value in forwarded packets. 
</li></ul></td></tr><tr class=""><td class="confluenceTd"><strong>qos-trust-l3</strong> (<em>ignore | trust | keep</em>; Default: <strong>ignore</strong>)</td><td class="confluenceTd"><p>Whether to trust the Layer 3 headers of the incoming packets (IP DSCP field):</p><ul><li><strong>ignore</strong> - ignore the L3 header; use either the L2 header or the port's <strong>qos-profile</strong> (depending on <strong>qos-trust-l2</strong>).</li><li><strong>trust</strong> - use the DSCP field of IP packets for QoS profile lookup in <strong>qos-map</strong>. Forwarded/routed IP packets receive the DSCP value from the selected QoS profile (overwriting the original value).</li><li><strong>keep</strong> - trust but keep the original DSCP value in forwarded/routed packets.</li></ul></td></tr></tbody></table></div><div class="confluence-information-macro confluence-information-macro-information"><span class="aui-icon aui-icon-small aui-iconfont-info confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>L3 trust mode has higher precedence than L2 unless <em><code><span style="color: rgb(51,153,102);">qos-trust-l3=ignore</span></code> </em>or the packet does not have an IP header.</p></div></div><div class="confluence-information-macro confluence-information-macro-information"><span class="aui-icon aui-icon-small aui-iconfont-info confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>Forwarded/routed packets obtain priority field values (PCP, DSCP) from the selected QoS profile, overwriting the original values, unless the respective trust mode is set to <strong>keep</strong>.</p></div></div><p>Commands (in addition to the existing ones).</p><div class="table-wrap"><table class="wrapped confluenceTable"><colgroup class=""><col class=""/><col class=""/></colgroup><tbody class=""><tr class=""><th class="confluenceTh">Command</th><th class="confluenceTh">Description</th></tr><tr class=""><td 
class="confluenceTd"><strong>print qos</strong></td><td class="confluenceTd">Prints all QoS-related information in a human-friendly format.</td></tr></tbody></table></div><h2 id="QualityofService(QoS)-QoSSettings">QoS Settings</h2><p><strong style="text-decoration: none;">Sub-menu:<code> </code></strong><code>/interface/ethernet/switch/qos</code></p><p>Almost the entire QoS HW configuration is located under <span style="color: rgb(51,153,102);"><strong><code>/in/eth/sw/qos</code></strong></span>. This approach keeps all QoS-related configuration items in one place, where they are easy to monitor and export (<span style="color: rgb(51,153,102);"><code>/in/eth/sw/qos/export</code></span>).</p><p>All QoS entries have two major flags:</p><ul><li><strong>H</strong> - Hardware-offloaded.</li><li><strong>I</strong><span> - Inactive.</span></li></ul><h2 id="QualityofService(QoS)-QoSProfile">QoS Profile</h2><p><strong style="text-decoration: none;">Sub-menu:<code> </code></strong><code>/interface/ethernet/switch/qos/profile</code></p><p class="auto-cursor-target">QoS profiles determine priority field values (PCP, DSCP) for the forwarded/routed packets. Congestion avoidance/resolution is based on QoS profiles. 
Each packet gets a QoS profile assigned based on the ingress switch port QoS settings (see <span style="color: rgb(51,153,102);"><code>/in/eth/sw/port</code></span>).</p><div class="table-wrap"><table class="wrapped confluenceTable"><colgroup class=""><col class=""/><col class=""/></colgroup><tbody class=""><tr class=""><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr class=""><td class="confluenceTd"><strong><strong style="text-align: left;">dscp</strong></strong> (<em style="text-align: left;">integer: 0..63</em>; Default: <strong>0</strong>)</td><td class="confluenceTd">IPv4/IPv6 DSCP field value for the egress packets assigned to the QoS profile.</td></tr><tr class=""><td class="confluenceTd"><strong>name</strong> (<em>string</em>; Default: )</td><td class="confluenceTd">The user-defined name of the QoS profile. </td></tr><tr class=""><td class="confluenceTd"><strong style="text-align: left;">pcp</strong> (<em style="text-align: left;">integer: 0..7</em>; Default: <strong style="text-align: left;">0</strong>)</td><td class="confluenceTd">VLAN priority value (IEEE 802.1q PCP - Priority Code Point). Used only if the egress packets assigned to the QoS profile are VLAN-tagged (have the 802.1q header). The value can be further altered via the QoS Egress Map.</td></tr></tbody></table></div><h2 id="QualityofService(QoS)-QoSMapping">QoS Mapping</h2><p><strong style="text-decoration: none;">Sub-menu:<code> </code></strong><code>/interface/ethernet/switch/qos/map</code></p><p>Priority-to-profile mapping table(-s) for trusted packets. All switch chips have one built-in map - <strong>default</strong>. 
In addition, some models allow the user to define custom mapping tables and assign different maps to various switch ports via the <strong>qos-map</strong> property:</p><ul><li>devices based on <strong>Marvell Prestera <strong style="text-align: left;">98DX224S, 98DX226S</strong></strong>, or <strong><strong style="text-align: left;">98DX3236</strong></strong> switch chip models support only one map - default.</li><li>devices based on <strong>Marvell Prestera 98DX8xxx</strong>, <strong>98DX4xxx</strong> switch chips, or <strong>98DX325x</strong> model devices support up to 12 maps (the default + 11 user-defined).</li></ul><div class="table-wrap"><table class="wrapped confluenceTable"><colgroup class=""><col class=""/><col class=""/></colgroup><tbody class=""><tr class=""><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr class=""><td class="confluenceTd"><strong>name</strong> (<em>string</em>; Default: )</td><td class="confluenceTd">The user-defined name of the mapping table.</td></tr></tbody></table></div><h2 id="QualityofService(QoS)-VLANMap"><code>VLAN Map</code></h2><p><strong style="text-decoration: none;">Sub-menu:<code> </code></strong><code>/interface/ethernet/switch/qos/map/vlan</code></p><p>Matches VLAN priorities (802.1p PCP field) to QoS profiles. 
By default, all values are matched to the default QoS profile.</p><div class="table-wrap"><table class="wrapped confluenceTable"><colgroup class=""><col class=""/><col class=""/></colgroup><tbody class=""><tr class=""><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr class=""><td class="confluenceTd"><strong style="text-align: left;">qos-map</strong> (<em style="text-align: left;">name</em>; Default: <strong style="text-align: left;">default</strong>)</td><td class="confluenceTd">The name of the mapping table.</td></tr><tr class=""><td class="confluenceTd"><strong style="text-align: left;">qos-profile</strong> (<em style="text-align: left;">name</em>; Default: )</td><td class="confluenceTd">The name of the QoS profile to assign to the matched packets.</td></tr><tr class=""><td class="confluenceTd"><strong style="text-align: left;">pcp</strong> (<em style="text-align: left;">integer: 0..7</em>; Default: <strong style="text-align: left;">0</strong>)</td><td class="confluenceTd"><em>Minimum</em><strong> </strong>VLAN priority (PCP) value for the lookup. 
</td></tr></tbody></table></div><h2 id="QualityofService(QoS)-DSCPMap">DSCP Map</h2><p><strong style="text-decoration: none;">Sub-menu:<code> </code></strong><code>/interface/ethernet/switch/qos/map/ip</code></p><p>Matches DSCP values to QoS profiles.</p><div class="table-wrap"><table class="wrapped confluenceTable"><colgroup class=""><col class=""/><col class=""/></colgroup><tbody class=""><tr class=""><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr class=""><td class="confluenceTd"><strong style="text-align: left;">dscp</strong> (<em style="text-align: left;">integer: 0..63</em>; Default: <strong style="text-align: left;">0</strong>)</td><td class="confluenceTd"><em>Minimum </em>DSCP value for the lookup.</td></tr><tr class=""><td class="confluenceTd"><strong style="text-align: left;">qos-map</strong> (<em style="text-align: left;">name</em>; Default: <strong>default</strong>)</td><td class="confluenceTd">The name of the mapping table. If not set, the standard (built-in) mapping table gets altered.</td></tr><tr class=""><td class="confluenceTd"><strong style="text-align: left;">qos-profile</strong> (<em style="text-align: left;">name</em>; Default: )</td><td class="confluenceTd">The name of the QoS profile to assign to the matched packets.</td></tr></tbody></table></div><p><br/></p>
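<p>Added example (not part of the MikroTik documentation): a Python model of the rules in the "Understanding Port, Profile and Map relation" tables. It derives the source of the QoS profile, PCP and DSCP for each trust combination and lists the ports whose settings let the sender's own headers select a profile or pass through unchanged. The function names and the sample port names are assumptions made for illustration; the rules are read off the tables above, not taken from switch firmware.</p>

```python
"""Model of the switch-port QoS trust rules described on this page (added example)."""

MODES = ("ignore", "trust", "keep")

# The four packet kinds of the page's matrix: (vlan_tagged, is_ip).
KINDS = {
    "tagged-ip": (True, True),
    "untagged-ip": (False, True),
    "tagged-non-ip": (True, False),
    "untagged-non-ip": (False, False),
}


def classify(trust_l2, trust_l3, tagged, is_ip):
    """Return (profile_source, pcp_source, dscp_source) for one ingress packet.

    Sources use the page's vocabulary: "map/ip" and "map/vlan" (profile chosen
    by a map lookup, falling back to the `default` profile when the lookup
    fails), "qos-profile" (the port's own profile), "original" (the sender's
    value is kept) and "-" (the packet has no such field).
    """
    if trust_l2 not in MODES or trust_l3 not in MODES:
        raise ValueError("trust mode must be ignore, trust or keep")

    # L3 has precedence whenever it is trusted and an IP header is present.
    if is_ip and trust_l3 != "ignore":
        profile = "map/ip"
    elif tagged and trust_l2 != "ignore":
        profile = "map/vlan"
    else:
        profile = "qos-profile"

    # PCP: "keep" preserves a tagged ingress value. Untagged ingress has no
    # PCP to keep, so the port's qos-profile supplies it (footnote 1 case).
    if trust_l2 == "keep":
        pcp = "original" if tagged else "qos-profile"
    else:
        pcp = profile

    # DSCP exists only in IP packets; "keep" preserves the sender's value.
    if not is_ip:
        dscp = "-"
    elif trust_l3 == "keep":
        dscp = "original"
    else:
        dscp = profile
    return profile, pcp, dscp


def sender_influence(trust_l2, trust_l3):
    """Which packet kinds let the sender's headers pick the profile, and
    which leave the port with a sender-supplied PCP or DSCP still in place."""
    selects, passes = [], []
    for kind, (tagged, is_ip) in KINDS.items():
        profile, pcp, dscp = classify(trust_l2, trust_l3, tagged, is_ip)
        if profile != "qos-profile":
            selects.append(kind)
        if "original" in (pcp, dscp):
            passes.append(kind)
    return {"selects_profile": sorted(selects), "passes_marking": sorted(passes)}


def audit(ports):
    """ports maps a port name to (qos-trust-l2, qos-trust-l3).

    Returns only the ports that are not fully untrusted, with the reason.
    """
    findings = {}
    for name, (l2, l3) in ports.items():
        info = sender_influence(l2, l3)
        if info["selects_profile"] or info["passes_marking"]:
            findings[name] = info
    return findings


# Constructed sample settings; the port names are hypothetical.
SAMPLE_PORTS = {
    "ether1": ("ignore", "ignore"),      # default: untrusted
    "ether2": ("trust", "ignore"),       # PCP selects the profile
    "sfp-sfpplus1": ("keep", "keep"),    # both markings survive forwarding
}

if __name__ == "__main__":
    for port, info in audit(SAMPLE_PORTS).items():
        print(port, info)
```

<p>Every port the audit returns is a point where markings set outside the switch affect queuing, so each one should be a deliberate choice (for example, a link to another managed device) rather than an edge port left in <strong>trust</strong> or <strong>keep</strong>.</p>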
</div>
</div>Guntis G.2023-05-10T12:49:14ZMACVLANGuntis G.tag:help.mikrotik.com,2009:page-217874440-32024-03-28T16:27:25Z2023-10-09T11:39:45Z<div class="feed"> <p>
Page
<b>edited</b> by
<a href=" https://help.mikrotik.com/docs/display/~guntis
">Guntis G.</a>
- "typos"
</p>
<div style="border-top: 1px solid #ddd; border-bottom: 1px solid #ddd; padding: 10px;">
<p><style type='text/css'>/*<![CDATA[*/
div.rbtoc1711701162748 {padding: 0px;}
div.rbtoc1711701162748 ul {margin-left: 0px;}
div.rbtoc1711701162748 li {margin-left: 0px;padding-left: 0px;}
/*]]>*/</style><div class='toc-macro rbtoc1711701162748'>
<ul class='toc-indentation'>
<li><a href='#MACVLAN-Overview'>Overview</a></li>
<li><a href='#MACVLAN-BasicConfigurationExample'>Basic Configuration Example</a></li>
<li><a href='#MACVLAN-PropertyReference'>Property Reference</a></li>
</ul>
</div></p><h1 id="MACVLAN-Overview">Overview</h1><p>The MACVLAN provides a means to create multiple virtual network interfaces, each with its own unique Media Access Control (MAC) address, attached to a physical network interface. This technology is utilized to address specific network requirements, such as obtaining multiple IP addresses or establishing distinct PPPoE client connections from a single physical Ethernet interface while using different MAC addresses. Unlike traditional <a href="https://help.mikrotik.com/docs/display/ROS/VLAN" rel="nofollow">VLAN</a> (Virtual LAN) interfaces, which rely on Ethernet frames tagged with VLAN identifiers, MACVLAN operates at the MAC address level, making it a versatile and efficient solution for specific networking scenarios.</p><div class="confluence-information-macro confluence-information-macro-information"><span class="aui-icon aui-icon-small aui-iconfont-info confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>RouterOS MACVLAN interfaces are not supported by <a href="https://help.mikrotik.com/docs/display/ROS/Container" rel="nofollow">Container</a>, as it exclusively utilizes <a href="https://help.mikrotik.com/docs/display/ROS/Container#Container-Createnetwork" rel="nofollow">VETH</a> (Virtual Ethernet) interfaces for its networking.</p></div></div><h1 id="MACVLAN-BasicConfigurationExample">Basic Configuration Example</h1><p>Picture a scenario where the ether1 interface connects to your ISP, and your router needs to lease two IP addresses, each with a distinct MAC address. Traditionally, this would require the use of two physical Ethernet interfaces and an additional switch. However, a more efficient solution is to create a virtual MACVLAN interface. </p><p>To create a MACVLAN interface, select the needed Ethernet interface. 
A MAC address will be automatically assigned if not manually specified:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface macvlan
add interface=ether1 name=macvlan1
/interface macvlan print
Flags: R - RUNNING
Columns: NAME, MTU, INTERFACE, MAC-ADDRESS, MODE
#   NAME      MTU   INTERFACE  MAC-ADDRESS        MODE
0 R macvlan1  1500  ether1     76:81:BF:68:69:83  bridge</pre>
</div></div><p>Now, a DHCP client can be created on ether1 and macvlan1 interfaces:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/ip dhcp-client
add interface=ether1
add interface=macvlan1</pre>
</div></div><h1 id="MACVLAN-PropertyReference"><span class="mw-headline">Property Reference</span></h1><p><strong>Sub-menu:</strong> <code>/interface/macvlan</code></p><p>Configuration settings for the MACVLAN interface.</p><div class="table-wrap"><table class="wrapped confluenceTable"><colgroup class=""><col class=""/><col class=""/></colgroup><tbody class=""><tr class=""><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr class=""><td class="confluenceTd"><strong>arp</strong><span> </span>(<em>disabled | enabled | local-proxy-arp | proxy-arp | reply-only</em>; Default:<span> </span><strong>enabled</strong>)</td><td class="confluenceTd">Address Resolution Protocol setting<ul><li><span style="color: rgb(51,153,102);"><code>disabled</code> </span>- the interface will not use ARP</li><li><span style="color: rgb(51,153,102);"><code>enabled</code> </span>- the interface will use ARP</li><li><span style="color: rgb(51,153,102);"><code>local-proxy-arp</code></span><span> </span>-<span> </span><span style="color: rgb(34,34,34);"><span> </span>the router performs proxy ARP on the interface and sends replies to the same interface</span></li><li><span style="color: rgb(51,153,102);"><code>proxy-arp</code></span><span> </span>-<span> </span><span style="color: rgb(34,34,34);">the router performs proxy ARP on the interface and sends replies to other interfaces</span></li><li><span style="color: rgb(51,153,102);"><code>reply-only</code></span><span> </span>- the interface will only reply to requests originating from matching IP address/MAC address combinations, which are entered as static entries in the<span> </span>IP/ARP<span> </span>table. No dynamic entries will be automatically stored in the<span> </span>IP/ARP<span> </span>table. 
Therefore, for communications to be successful, a valid static entry must already exist.</li></ul></td></tr><tr class=""><td class="confluenceTd"><strong>arp-timeout</strong><span> </span>(<em>auto | integer</em>; Default:<span> </span><strong>auto</strong>)</td><td class="confluenceTd">Sets for how long the ARP record is kept in the ARP table after no packets are received from IP. Value<span> </span><span style="color: rgb(51,153,102);"><code>auto</code> </span>equals to the value of<span> </span><span style="color: rgb(51,153,102);"><code>arp-timeout</code></span><span> </span>in<span> <code><span style="color: rgb(51,153,102);">/</span></code></span><code><span style="color: rgb(51,153,102);">ip/settings/</span></code>, default is 30s.</td></tr><tr><td style="text-align: left;vertical-align: top;" class="confluenceTd"><strong>comment</strong><span> </span>(<em>string</em>; Default: )</td><td style="text-align: left;vertical-align: top;" class="confluenceTd">Short description of the interface.</td></tr><tr class=""><td class="confluenceTd"><strong>disabled</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">Changes whether the interface is disabled.</td></tr><tr class=""><td class="confluenceTd"><strong>interface</strong><span> </span>(<em>name</em>; Default:<span> </span>)</td><td class="confluenceTd">Name of the interface on top of which MACVLAN will work. 
MACVLAN interfaces can be created on Ethernet or VLAN interfaces, adding VLAN on MACVLAN is not supported.</td></tr><tr class=""><td style="text-align: left;vertical-align: top;" class="confluenceTd"><strong>loop-protect</strong><span> </span>(<em>on | off | default</em>; Default:<span> </span><strong>default</strong>)</td><td style="text-align: left;vertical-align: top;" class="confluenceTd">Enables or disables loop protect on the interface, the<span> </span><strong>default</strong><span> </span>works as turned off.</td></tr><tr><td style="text-align: left;vertical-align: top;" class="confluenceTd"><strong>loop-protect-disable-time</strong><span> </span>(<em>time interval | 0</em>; Default:<span> </span><strong>5m</strong>)</td><td style="text-align: left;vertical-align: top;" class="confluenceTd">Sets how long the selected interface is disabled when a loop is detected.<span> </span><strong>0</strong><span> </span>- forever.</td></tr><tr><td style="text-align: left;vertical-align: top;" class="confluenceTd"><strong>loop-protect-send-interval</strong><span> </span>(<em>time interval</em>; Default:<span> </span><strong>5s</strong>)</td><td style="text-align: left;vertical-align: top;" class="confluenceTd">Sets how often loop protect packets are sent on the selected interface.</td></tr><tr><td style="text-align: left;vertical-align: top;" class="confluenceTd"><strong>mac-address</strong><span> </span>(<em>MAC</em>; Default: )</td><td style="text-align: left;vertical-align: top;" class="confluenceTd"><span style="color: rgb(23,43,77);">Static MAC address of the interface. 
A</span> randomly generated MAC address will be assigned when not specified.</td></tr><tr><td style="text-align: left;vertical-align: top;" class="confluenceTd"><strong>mode </strong>(<em>private | bridge</em>; Default: <strong>bridge</strong>)</td><td style="text-align: left;vertical-align: top;" class="confluenceTd"><p>Sets MACVLAN interface mode:</p><ul><li><span style="color: rgb(51,153,102);"><code>private</code> </span>- does not allow communication between MACVLAN instances on the same parent <strong>interface</strong>.</li><li><span style="color: rgb(51,153,102);"><code>bridge</code> </span>- allows communication between MACVLAN instances on the same parent <strong>interface</strong>.</li></ul></td></tr><tr><td style="text-align: left;vertical-align: top;" class="confluenceTd"><strong>mtu</strong><span> </span>(<em>integer</em>; Default:<span> </span><strong>1500</strong>)</td><td style="text-align: left;vertical-align: top;" class="confluenceTd"><p>Sets Layer 3 Maximum Transmission Unit. For the MACVLAN interface, it cannot be higher than the parent <strong>interface</strong>.</p></td></tr><tr><td class="confluenceTd"><strong>name</strong><span> </span>(<em>string</em>; Default:<span> </span>)</td><td class="confluenceTd">Interface name.</td></tr></tbody></table></div><p><br/></p>
</div>
</div>Guntis G. | 2023-10-09T11:39:45Z | MACsec | Guntis G. | tag:help.mikrotik.com,2009:page-201523202-5 | 2024-03-28T16:23:59Z | 2023-07-17T14:14:40Z<div class="feed"> <p>
Page <b>edited</b> by <a href="https://help.mikrotik.com/docs/display/~guntis">Guntis G.</a>
</p>
<div style="border-top: 1px solid #ddd; border-bottom: 1px solid #ddd; padding: 10px;">
<p><div class='toc-macro rbtoc1711701162766'>
<ul class='toc-indentation'>
<li><a href='#MACsec-Overview'>Overview</a></li>
<li><a href='#MACsec-BasicConfigurationExample'>Basic Configuration Example</a></li>
<li><a href='#MACsec-PropertyReference'>Property Reference</a>
<ul class='toc-indentation'>
<li><a href='#MACsec-Interfacesettings'>Interface settings</a></li>
<li><a href='#MACsec-Profilesettings'>Profile settings</a></li>
</ul>
</li>
</ul>
</div></p><h1 id="MACsec-Overview">Overview</h1><p>The MACsec (Media Access Control Security) protocol is a standard security technology employed in Ethernet networks to ensure the confidentiality, integrity, and authenticity of data transmitted over the physical medium. MACsec is defined by IEEE standard 802.1AE.</p><p>MACsec utilizes GCM-AES-128 encryption over Ethernet and secures all LAN traffic, including DHCP, ARP, LLDP, and higher-layer protocols.</p><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>The RouterOS MACsec implementation is at an early stage: it <strong>does not support</strong> dynamic key management via <a href="https://help.mikrotik.com/docs/display/ROS/Dot1X" rel="nofollow">Dot1x</a> (manual key configuration is required) or hardware-accelerated encryption (maximum throughput is highly limited by the device CPU).</p></div></div><h1 id="MACsec-BasicConfigurationExample">Basic Configuration Example</h1><p>Imagine Host1 ether1 is connected to Switch ether1 and Host2 ether1 is connected to Switch ether2. In this example, we will create two MACsec interface pairs and use a bridge to create a secure Layer2 connection between both end devices. </p><p>First, configure MACsec interfaces on Host1 and Host2. We can specify only the Ethernet interface, and RouterOS will automatically generate the connectivity association key (CAK) and connectivity association name (CKN). Use the <span style="color: rgb(128,0,128);"><code>print</code></span> command to see the values:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence"># Host1
/interface macsec
add interface=ether1 name=macsec1
[admin@Host1] /interface/macsec print
Flags: I - inactive, X - disabled, R - running
0 name="macsec1" mtu=1468 interface=ether1 status="negotiating" cak=71a7c363794da400dbde595d3926b0e9
ckn=f2c4660060169391d29d8db8a1f06e5d4b84a128bad06ad43ea2bd4f7d21968f profile=default
# Host2
/interface macsec
add interface=ether1 name=macsec1
[admin@Host2] /interface/macsec print
Flags: I - inactive, X - disabled, R - running
0 name="macsec1" mtu=1468 interface=ether1 status="negotiating" cak=dc47d94291d19a6bb26a0c393a1af9a4
ckn=e9bd0811dad1e56f06876aa7715de1855f1aee0baf5982ac8b508d4fc0f162d9 profile=default</pre>
</div></div><p>On the Switch device, to enable MACsec we need to configure the matching CAK and CKN values for the appropriate Ethernet interface:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence"># Switch
/interface macsec
add comment=Host1 cak=71a7c363794da400dbde595d3926b0e9 ckn=f2c4660060169391d29d8db8a1f06e5d4b84a128bad06ad43ea2bd4f7d21968f interface=ether1 name=macsec1
add comment=Host2 cak=dc47d94291d19a6bb26a0c393a1af9a4 ckn=e9bd0811dad1e56f06876aa7715de1855f1aee0baf5982ac8b508d4fc0f162d9 interface=ether2 name=macsec2</pre>
</div></div><p>Once the pre-shared keys are successfully exchanged, the MACsec Key Agreement (MKA) protocol is activated. MKA is responsible for ensuring the continuity of MACsec on the link and determines which side becomes the key server in a point-to-point connection. The key server generates a Secure Association Key (SAK) that is shared exclusively with the device on the other end of the link. This SAK is used to secure all data traffic passing through the link. Periodically, the key server generates a new randomly-created SAK and shares it over the point-to-point link to maintain MACsec functionality.</p><p>In RouterOS, the MACsec interface can be configured like any Ethernet interface. It can be used as a routable interface with an IP address, or placed inside a bridge. On Host1 and Host2 we will add an IP address from the same network. On Switch, we will use a bridge. </p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence"># Host1
/ip address
add address=192.168.10.10/24 interface=macsec1
# Host2
/ip address
add address=192.168.10.20/24 interface=macsec1
# Switch
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=macsec1
add bridge=bridge1 interface=macsec2</pre>
</div></div><p>Last, confirm that Host1 can reach Host2 using a ping.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence"> [admin@Host1] > ping 192.168.10.20
SEQ  HOST           SIZE  TTL  TIME      STATUS
  0  192.168.10.20    56   64  1ms438us
  1  192.168.10.20    56   64  818us
  2  192.168.10.20    56   64  791us
  3  192.168.10.20    56   64  817us
  4  192.168.10.20    56   64  783us
sent=5 received=5 packet-loss=0% min-rtt=783us avg-rtt=929us max-rtt=1ms438us</pre>
</div></div><h1 id="MACsec-PropertyReference"><span class="mw-headline">Property Reference</span></h1><h2 id="MACsec-Interfacesettings"><span class="mw-headline">Interface settings</span></h2><p><strong>Sub-menu:</strong> <code>/interface/macsec</code></p><p>Configuration settings for the MACsec interface.</p><div class="table-wrap"><table class="wrapped confluenceTable"><colgroup class=""><col class=""/><col class=""/></colgroup><thead class=""><tr class=""><th style="text-align: left;" class="confluenceTh"><p>Property</p></th><th style="text-align: left;" class="confluenceTh"><p>Description</p></th></tr></thead><tbody class=""><tr class=""><td style="text-align: left;" class="confluenceTd"><strong>cak</strong><span> (<em>string</em>; Default: )</span></td><td style="text-align: left;" class="confluenceTd">A 16-byte pre-shared connectivity association key (CAK). To enable MACsec, configure the matching CAK and CKN on both ends of the link. When not specified, RouterOS will automatically generate a random value.</td></tr><tr class=""><td style="text-align: left;" class="confluenceTd"><strong>ckn<span> </span></strong>(<em>string</em>; Default: )</td><td style="text-align: left;" class="confluenceTd">A 32-byte connectivity association name (CKN). To enable MACsec, configure the matching CAK and CKN on both ends of the link. 
When not specified, RouterOS will automatically generate a random value.</td></tr><tr class=""><td style="text-align: left;" class="confluenceTd"><strong>comment</strong><span> </span>(<em>string</em>; Default: )</td><td style="text-align: left;" class="confluenceTd">Short description of the interface.</td></tr><tr class=""><td style="text-align: left;" class="confluenceTd"><strong>disabled</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td style="text-align: left;" class="confluenceTd">Changes whether the interface is disabled.</td></tr><tr class=""><td style="text-align: left;" class="confluenceTd"><strong>interface</strong><span> </span>(<em>name</em>; Default:<span> </span>)</td><td style="text-align: left;" class="confluenceTd">Ethernet interface name where MACsec is created on, limited to one MACsec interface per Ethernet.</td></tr><tr class=""><td style="text-align: left;" class="confluenceTd"><strong>mtu</strong><span> </span>(<em>integer</em>; Default:<span> </span><strong>1468</strong>)</td><td style="text-align: left;" class="confluenceTd"><p>Sets the maximum transmission unit. The<span> </span><code><span style="color: rgb(51,153,102);">l2mtu</span></code><span> </span>will be set automatically according to the associated<span> </span><code><span style="color: rgb(51,153,102);">interface</span></code><span> </span>(subtracting 32 bytes corresponding to the MACsec encapsulation). 
The<span> </span><code><span style="color: rgb(51,153,102);">l2mtu</span></code><span> </span>cannot be changed.</p></td></tr><tr class=""><td style="text-align: left;" class="confluenceTd"><strong>name</strong><span> </span>(<span><em>string</em></span>; Default:<span> </span><strong>macsec1</strong>)</td><td style="text-align: left;" class="confluenceTd">Name of the interface.</td></tr><tr class=""><td style="text-align: left;" class="confluenceTd"><strong>profile</strong><span> </span>(<em>name</em>; Default:<span> <strong>default</strong></span>)</td><td style="text-align: left;" class="confluenceTd"><p>Sets MACsec profile, used for determining the key server in a point-to-point connection.</p></td></tr><tr><td style="text-align: left;" class="confluenceTd"><strong>status </strong>(<em>read-only: disabled |<span style="color: rgb(36,41,46);">initializing</span> | <span style="color: rgb(36,41,46);">invalid</span> | negotiating | open-encrypted</em>)</td><td style="text-align: left;" class="confluenceTd"><p>Shows the current MACsec interface status.</p></td></tr></tbody></table></div><h2 id="MACsec-Profilesettings"><span class="mw-headline">Profile settings</span></h2><p><strong>Sub-menu:</strong> <code>/interface/macsec/profile</code></p><p>Configuration settings for the MACsec profile.</p><div class="table-wrap"><table class="wrapped confluenceTable"><colgroup class=""><col class=""/><col class=""/></colgroup><thead class=""><tr class=""><th style="text-align: left;" class="confluenceTh"><p>Property</p></th><th style="text-align: left;" class="confluenceTh"><p>Description</p></th></tr></thead><tbody class=""><tr class=""><td style="text-align: left;" class="confluenceTd"><strong>name</strong><span> (<em>string</em>; Default: )</span></td><td style="text-align: left;" class="confluenceTd">Name of the profile.</td></tr><tr class=""><td style="text-align: left;" class="confluenceTd"><strong>server-priority<span> </span></strong>(<em>integer: 0..255</em>; Default: 
<strong>10</strong>)</td><td style="text-align: left;" class="confluenceTd"><span style="color: rgb(23,43,77);">Sets the priority for determining the key server in a point-to-point connection, a lower value means higher priority. In case of a priority match, the interface with the lowest MAC address will be acting as a key server.</span></td></tr></tbody></table></div>
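<p>The pairing rules from the example and property reference above (matching 16-byte CAK and 32-byte CKN on both ends, one MACsec interface per Ethernet port, key server chosen by lowest <code>server-priority</code> and then lowest MAC address) can be checked offline before a link is brought up. The following Python audit is an added example, not part of the RouterOS documentation; the keys, MAC addresses, link list and function names are constructed for illustration.</p>

```python
import re
import shlex

HEX = re.compile(r"[0-9a-fA-F]+")
KEY_BYTES = {"cak": 16, "ckn": 32}  # key lengths from the property reference


def parse_macsec(export):
    """Return the properties of every `add` line under /interface macsec."""
    entries, in_menu = [], False
    for line in export.splitlines():
        line = line.strip()
        if line.startswith("/"):
            in_menu = line == "/interface macsec"
        elif in_menu and line.startswith("add "):
            tokens = shlex.split(line)[1:]
            entries.append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return entries


def check_device(entries):
    """Per-device checks: key lengths and one MACsec interface per Ethernet."""
    problems, parents = [], set()
    for e in entries:
        name = e.get("name", "?")
        for prop, nbytes in KEY_BYTES.items():
            value = e.get(prop)
            if value is None:
                problems.append(f"{name}: {prop} unset, a random value is generated")
            elif not HEX.fullmatch(value) or len(value) != 2 * nbytes:
                problems.append(f"{name}: {prop} is not {nbytes} bytes of hex")
        parent = e.get("interface")
        if parent in parents:
            problems.append(f"{name}: {parent} already carries a MACsec interface")
        parents.add(parent)
    return problems


def audit(exports, links):
    """Check every device, then compare CAK/CKN on both ends of each link."""
    parsed = {dev: parse_macsec(text) for dev, text in exports.items()}
    findings = [f"{dev}/{p}" for dev, ents in parsed.items() for p in check_device(ents)]
    for dev_a, if_a, dev_b, if_b in links:
        label = f"{dev_a}:{if_a} <-> {dev_b}:{if_b}"
        a = next((e for e in parsed[dev_a] if e.get("interface") == if_a), None)
        b = next((e for e in parsed[dev_b] if e.get("interface") == if_b), None)
        if a is None or b is None:
            findings.append(f"{label}: MACsec interface missing on at least one end")
            continue
        for prop in KEY_BYTES:
            va, vb = a.get(prop), b.get(prop)
            if va is None or vb is None or va.lower() != vb.lower():
                findings.append(f"{label}: {prop} differs")
    return findings


def key_server(a, b):
    """a, b are (name, server_priority, mac). Lower priority value wins;
    on a tie the side with the lowest MAC address becomes key server."""
    def rank(side):
        _, priority, mac = side
        return (priority, bytes.fromhex(mac.replace(":", "")))
    return min(a, b, key=rank)[0]


# Constructed sample keys and exports (not the values shown on the page).
CAK1, CKN1 = "0f" * 16, "a1" * 32
CAK2, CKN2 = "1e" * 16, "b2" * 32
EXPORTS = {
    "Host1": f"/interface macsec\nadd interface=ether1 name=macsec1 cak={CAK1} ckn={CKN1}\n",
    "Host2": f"/interface macsec\nadd interface=ether1 name=macsec1 cak={CAK2} ckn={CKN2}\n",
    # The Switch entry for Host2 carries a CKN that lost its last byte.
    "Switch": "/interface macsec\n"
              f"add comment=Host1 cak={CAK1} ckn={CKN1} interface=ether1 name=macsec1\n"
              f"add comment=Host2 cak={CAK2} ckn={CKN2[:-2]} interface=ether2 name=macsec2\n",
}
# Topology from the example: Host1 ether1 - Switch ether1, Host2 ether1 - Switch ether2.
LINKS = [("Host1", "ether1", "Switch", "ether1"), ("Host2", "ether1", "Switch", "ether2")]

if __name__ == "__main__":
    for finding in audit(EXPORTS, LINKS):
        print(finding)
    print("key server:", key_server(("Host1", 10, "02:00:00:00:00:20"),
                                    ("Switch", 10, "02:00:00:00:00:10")))
```

<p>The CAK is shown in clear text in <code>print</code> output, as in the example above, so any export fed to a script like this should be handled as key material.</p>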
</div>
</div>Guntis G. | 2023-07-17T14:14:40Z | VLAN | Edgars P. | tag:help.mikrotik.com,2009:page-88014957-5 | 2024-03-28T13:49:57Z | 2021-10-01T11:58:32Z<div class="feed"> <p>
Page <b>edited</b> by <a href="https://help.mikrotik.com/docs/display/~edgarspa">Edgars P.</a>
</p>
<div style="border-top: 1px solid #ddd; border-bottom: 1px solid #ddd; padding: 10px;">
<p><div class='toc-macro rbtoc1711701162793'>
<ul class='toc-indentation'>
<li><a href='#VLAN-Summary'>Summary</a></li>
<li><a href='#VLAN-802.1Q'>802.1Q</a></li>
<li><a href='#VLAN-Q-in-Q'>Q-in-Q</a></li>
<li><a href='#VLAN-Properties'>Properties</a></li>
<li><a href='#VLAN-Setupexamples'>Setup examples</a>
<ul class='toc-indentation'>
<li><a href='#VLAN-Layer2VLANexamples'>Layer2 VLAN examples</a></li>
<li><a href='#VLAN-Layer3VLANexamples'>Layer3 VLAN examples</a>
<ul class='toc-indentation'>
<li><a href='#VLAN-SimpleVLANrouting'>Simple VLAN routing</a></li>
<li><a href='#VLAN-InterVLANrouting'>InterVLAN routing</a></li>
<li><a href='#VLAN-RouterOS/32andIPunnumberedaddresses'>RouterOS /32 and IP unnumbered addresses</a></li>
</ul>
</li>
</ul>
</li>
</ul>
</div></p><h1 id="VLAN-Summary"><span class="mw-headline">Summary</span></h1><p><strong>Standards:</strong><span> </span><code>IEEE 802.1Q, IEEE <span style="color: rgb(32,33,34);">802.1ad</span></code></p><p>Virtual Local Area Network (VLAN) is a Layer 2 method that allows multiple Virtual LANs on a single physical interface (ethernet, wireless, etc.), giving the ability to segregate LANs efficiently.</p><p>You can use MikroTik RouterOS (as well as Cisco IOS, Linux, and other router systems) to mark these packets as well as to accept and route marked ones.</p><p>As VLAN works on OSI Layer 2, it can be used just like any other network interface without any restrictions. VLAN successfully passes through regular Ethernet bridges.</p><p>You can also transport VLANs over wireless links and put multiple VLAN interfaces on a single wireless interface. Note that as VLAN is not a full tunnel protocol (i.e., it does not have additional fields to transport MAC addresses of sender and recipient), the same limitation applies to bridging over VLAN as to bridging plain wireless interfaces. In other words, while wireless clients may participate in VLANs put on wireless interfaces, it is not possible to have VLAN put on a wireless interface in station mode bridged with any other interface.</p><h1 id="VLAN-802.1Q"><span class="mw-headline">802.1Q</span></h1><p>The most commonly used protocol for Virtual LANs (VLANs) is IEEE 802.1Q. It is a standardized encapsulation protocol that defines how to insert a four-byte VLAN identifier into the Ethernet header.</p><p>Each VLAN is treated as a separate subnet. It means that by default, a host in a specific VLAN cannot communicate with a host that is a member of another VLAN, although they are connected in the same switch. So if you want inter-VLAN communication you need a router. RouterOS supports up to 4095 VLAN interfaces, each with a unique VLAN ID, per interface. 
VLAN priorities may also be used and manipulated.</p><p>When the VLAN extends over more than one switch, the inter-switch link has to become a 'trunk', where packets are tagged to indicate which VLAN they belong to. A trunk carries the traffic of multiple VLANs; it is like a point-to-point link that carries tagged packets between switches or between a switch and router.</p><div class="confluence-information-macro confluence-information-macro-information"><span class="aui-icon aui-icon-small aui-iconfont-info confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>The IEEE 802.1Q standard reserves some VLAN IDs for special use cases. The following VLAN IDs should not be used in generic VLAN setups: 0, 1, 4095.</p></div></div><h1 id="VLAN-Q-in-Q"><span class="mw-headline">Q-in-Q</span></h1><p>The original 802.1Q allows only one VLAN header; Q-in-Q, on the other hand, allows two or more VLAN headers. In RouterOS, Q-in-Q can be configured by adding one VLAN interface over another. Example:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface vlan
add name=vlan1 vlan-id=11 interface=ether1
add name=vlan2 vlan-id=12 interface=vlan1</pre>
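<p>The frame layout that the stacked configuration above produces, as an added Python example that is not part of the RouterOS documentation: it builds an Ethernet header with VLAN 11 as the outer tag and VLAN 12 as the inner tag, then parses it back by walking every four-byte tag. The MAC addresses and payload are constructed, the outer-then-inner tag order is an assumption, and the TPID values are the standard IEEE 802.1Q (0x8100) and 802.1ad (0x88A8) ones.</p>

```python
import struct

TPID_CTAG = 0x8100   # IEEE 802.1Q tag
TPID_STAG = 0x88A8   # IEEE 802.1ad service tag (use-service-tag=yes)
RESERVED_VIDS = {0, 1, 4095}  # IDs the page says to avoid in generic setups


def vlan_tag(vid, pcp=0, service_tag=False):
    """Return the 4-byte tag: 16-bit TPID, then 3-bit priority, 1-bit DEI, 12-bit VLAN ID."""
    if not 0 <= vid <= 0x0FFF:
        raise ValueError("VLAN ID must fit in 12 bits")
    if not 0 <= pcp <= 7:
        raise ValueError("priority must fit in 3 bits")
    tci = (pcp << 13) | vid
    return struct.pack("!HH", TPID_STAG if service_tag else TPID_CTAG, tci)


def build_frame(dst, src, tags, ethertype, payload):
    """Destination MAC, source MAC, stacked tags (outer first), EtherType, payload."""
    return dst + src + b"".join(tags) + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Walk all stacked VLAN tags; return (tags, ethertype, payload)."""
    offset, tags = 12, []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated Ethernet header")
        (etype,) = struct.unpack_from("!H", frame, offset)
        if etype not in (TPID_CTAG, TPID_STAG):
            return tags, etype, frame[offset + 2:]
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append({"tpid": etype, "pcp": tci >> 13, "vid": tci & 0x0FFF})
        offset += 4


def frame_size(mtu, n_tags):
    """Bytes on the wire without FCS: 14-byte Ethernet header + 4 per tag + MTU."""
    return 14 + 4 * n_tags + mtu


# Constructed sample frame: vlan2 (ID 12) stacked on vlan1 (ID 11) on ether1.
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("020000000001")
QINQ = build_frame(DST, SRC, [vlan_tag(11), vlan_tag(12)], 0x0800, b"constructed payload")

if __name__ == "__main__":
    tags, etype, payload = parse_frame(QINQ)
    for depth, tag in enumerate(tags):
        note = " (reserved)" if tag["vid"] in RESERVED_VIDS else ""
        print(f"tag {depth}: tpid=0x{tag['tpid']:04x} vid={tag['vid']}{note}")
    print(f"ethertype=0x{etype:04x}, full-size frame with two tags: {frame_size(1500, 2)} bytes")
```

<p>A capture filter or ACL that inspects only the first tag sees VLAN 11 here; the inner ID 12 becomes visible only after walking the whole tag stack.</p>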
</div></div><p><br/></p><p>If any packet is sent over the 'vlan2' interface, two VLAN tags will be added to the Ethernet header - '11' and '12'.</p><h1 id="VLAN-Properties"><span class="mw-headline">Properties</span></h1><div class="table-wrap"><table class="wrapped confluenceTable"><colgroup><col/><col/></colgroup><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>arp</strong><span> </span>(<em>disabled | enabled | local-proxy-arp | proxy-arp | reply-only</em>; Default:<span> </span><strong>enabled</strong>)</td><td class="confluenceTd">Address Resolution Protocol setting<ul><li><span style="color: rgb(51,153,102);"><code>disabled</code> </span>- the interface will not use ARP</li><li><span style="color: rgb(51,153,102);"><code>enabled</code> </span>- the interface will use ARP</li><li><span style="color: rgb(51,153,102);"><code>local-proxy-arp</code></span><span> </span>-<span> </span><span style="color: rgb(34,34,34);"><span> </span>the router performs proxy ARP on the interface and sends replies to the same interface</span></li><li><span style="color: rgb(51,153,102);"><code>proxy-arp</code></span><span> </span>-<span> </span><span style="color: rgb(34,34,34);">the router performs proxy ARP on the interface and sends replies to other interfaces</span></li><li><span style="color: rgb(51,153,102);"><code>reply-only</code></span><span> </span>- the interface will only reply to requests originated from matching IP address/MAC address combinations which are entered as static entries in the<span> </span>IP/ARP<span> </span>table. No dynamic entries will be automatically stored in the<span> </span>IP/ARP<span> </span>table. 
Therefore for communications to be successful, a valid static entry must already exist.</li></ul></td></tr><tr><td class="confluenceTd"><strong>arp-timeout</strong><span> </span>(<em>auto | integer</em>; Default:<span> </span><strong>auto</strong>)</td><td class="confluenceTd">How long the ARP record is kept in the ARP table after no packets are received from IP. Value<span> </span><span style="color: rgb(51,153,102);"><code>auto</code> </span>equals to the value of<span> </span><span style="color: rgb(51,153,102);"><code>arp-timeout</code></span><span> </span>in<span> </span>IP/Settings, default is 30s.</td></tr><tr><td class="confluenceTd"><strong>disabled</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">Changes whether the bridge is disabled.</td></tr><tr><td class="confluenceTd"><strong>interface</strong><span> </span>(<em>name</em>; Default:<span> </span>)</td><td class="confluenceTd">Name of the interface on top of which VLAN will work</td></tr><tr><td style="text-align: left;vertical-align: top;" class="confluenceTd"><strong>mvrp</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td style="text-align: left;vertical-align: top;" class="confluenceTd">Specifies whether this VLAN should declare its attributes through Multiple VLAN Registration Protocol (MVRP) as an applicant. It can be used to register the VLAN with connected<span> </span><a href="https://help.mikrotik.com/docs/display/ROS/Bridging+and+Switching#BridgingandSwitching-MVRP" rel="nofollow" style="">bridges that support MVRP</a>. 
<span style="color: rgb(23,43,77);"><span> </span>This property only has an effect when</span><span style="color: rgb(23,43,77);"> </span><span style="color: rgb(51,153,102);"><code>use-service-tag</code></span><span style="color: rgb(23,43,77);"> </span><span style="color: rgb(23,43,77);">is disabled</span><span style="color: rgb(23,43,77);">.</span></td></tr><tr><td class="confluenceTd"><strong>mtu</strong><span> </span>(<em>integer</em>; Default:<span> </span><strong>1500</strong>)</td><td class="confluenceTd">Layer3 Maximum transmission unit</td></tr><tr><td class="confluenceTd"><strong>name</strong><span> </span>(<em>string</em>; Default:<span> </span>)</td><td class="confluenceTd">Interface name</td></tr><tr><td class="confluenceTd"><strong>use-service-tag</strong><span> </span>(<em>yes | no</em>; Default:<span> </span>)</td><td class="confluenceTd">IEEE 802.1ad compatible Service Tag</td></tr><tr><td class="confluenceTd"><strong>vlan-id</strong><span> </span>(<em>integer: 4095</em>; Default:<span> </span><strong>1</strong>)</td><td class="confluenceTd">Virtual LAN identifier or tag that is used to distinguish VLANs. Must be equal for all computers that belong to the same VLAN.</td></tr></tbody></table></div><div class="confluence-information-macro confluence-information-macro-information"><span class="aui-icon aui-icon-small aui-iconfont-info confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>MTU should be set to 1500 bytes same as on Ethernet interfaces. But this may not work with some Ethernet cards that do not support receiving/transmitting of full-size Ethernet packets with VLAN header added (1500 bytes data + 4 bytes VLAN header + 14 bytes Ethernet header). In this situation, MTU 1496 can be used, but note that this will cause packet fragmentation if larger packets have to be sent over the interface. 
At the same time remember that MTU 1496 may cause problems if path MTU discovery is not working properly between source and destination.</p></div></div><h1 id="VLAN-Setupexamples"><span class="mw-headline">Setup examples</span></h1><h2 id="VLAN-Layer2VLANexamples"><span class="mw-headline">Layer2 VLAN examples</span></h2><p>There are multiple possible configurations that you can use, but each configuration type is designed for a special set of devices since some configuration methods will give you the benefits of the built-in switch chip and gain larger throughput. Check the<span> </span><a href="https://help.mikrotik.com/docs/display/ROS/Basic+VLAN+switching" rel="nofollow">Basic VLAN switching</a><span> </span>guide to see which configuration to use for each type of device to gain maximum possible throughput and compatibility, the guide shows how to setup a very basic VLAN trunk/access port configuration.</p><p>There are some other ways to setup VLAN tagging or VLAN switching, but the recommended way is to use<span> </span><a href="https://help.mikrotik.com/docs/display/ROS/Bridging+and+Switching#BridgingandSwitching-BridgeVLANFiltering" rel="nofollow">Bridge VLAN Filtering</a>. Make sure you have not used any<span> </span><a href="https://help.mikrotik.com/docs/display/ROS/Layer2+misconfiguration" rel="nofollow">known Layer2 misconfigurations</a>.</p><h2 id="VLAN-Layer3VLANexamples"><span class="mw-headline">Layer3 VLAN examples</span></h2><h3 id="VLAN-SimpleVLANrouting"><span class="mw-headline">Simple VLAN routing</span></h3><p>Let us assume that we have several MikroTik routers connected to a hub. Remember that a hub is an OSI physical layer device (if there is a hub between routers, then from the L3 point of view it is the same as an Ethernet cable connection between them). For simplification assume that all routers are connected to the hub using the ether1 interface and have assigned IP addresses as illustrated in the figure below. 
Then on each of them the VLAN interface is created.</p><p>Configuration for R2 and R4 is shown below:</p><p>R2:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@MikroTik] /interface vlan> add name=VLAN2 vlan-id=2 interface=ether1 disabled=no
[admin@MikroTik] /interface vlan> print
Flags: X - disabled, R - running, S - slave
# NAME MTU ARP VLAN-ID INTERFACE
0 R VLAN2 1500 enabled 2 ether1</pre>
</div></div><p>R4:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@MikroTik] /interface vlan> add name=VLAN2 vlan-id=2 interface=ether1 disabled=no
[admin@MikroTik] /interface vlan> print
Flags: X - disabled, R - running, S - slave
# NAME MTU ARP VLAN-ID INTERFACE
0 R VLAN2 1500 enabled 2 ether1</pre>
</div></div><p>The next step is to assign IP addresses to the VLAN interfaces.</p><p>R2:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence"> [admin@MikroTik] ip address> add address=10.10.10.3/24 interface=VLAN2
[admin@MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 10.0.1.4/24 10.0.1.0 10.0.1.255 ether1
1 10.20.0.1/24 10.20.0.0 10.20.0.255 pc1
2 10.10.10.3/24 10.10.10.0 10.10.10.255 vlan2
[admin@MikroTik] ip address> </pre>
</div></div><p>R4:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence"> [admin@MikroTik] ip address> add address=10.10.10.5/24 interface=VLAN2
[admin@MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 10.0.1.5/24 10.0.1.0 10.0.1.255 ether1
1 10.30.0.1/24 10.30.0.0 10.30.0.255 pc2
2 10.10.10.5/24 10.10.10.0 10.10.10.255 vlan2
[admin@MikroTik] ip address> </pre>
</div></div><p>At this point it should be possible to ping router R4 from router R2 and vice versa:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence"> "Ping from R2 to R4:"
[admin@MikroTik] ip address> /ping 10.10.10.5
10.10.10.5 64 byte ping: ttl=255 time=4 ms
10.10.10.5 64 byte ping: ttl=255 time=1 ms
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 1/2.5/4 ms
"From R4 to R2:"
[admin@MikroTik] ip address> /ping 10.10.10.3
10.10.10.3 64 byte ping: ttl=255 time=6 ms
10.10.10.3 64 byte ping: ttl=255 time=1 ms
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 1/3.5/6 ms </pre>
</div></div><p><br/></p><p>To verify that the VLAN setup is working properly, try to ping R1 from R2. If the pings time out, the VLANs are successfully isolated.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence"> "From R2 to R1:"
[admin@MikroTik] ip address> /ping 10.10.10.2
10.10.10.2 ping timeout
10.10.10.2 ping timeout
3 packets transmitted, 0 packets received, 100% packet loss </pre>
</div></div><h3 id="VLAN-InterVLANrouting"><span class="mw-headline">InterVLAN routing</span></h3><p>If separate VLANs are implemented on a switch, then a router is required to provide communication between VLANs. A switch works at OSI layer 2, so it uses only the Ethernet header to forward frames and does not check the IP header. For this reason, we must use a router that works as a gateway for each VLAN. Without a router, a host is unable to communicate outside of its own VLAN. The routing process between VLANs described above is called inter-VLAN communication.</p><p>To illustrate inter-VLAN communication, we will create a trunk that will carry traffic from three VLANs (VLAN2, VLAN3, and VLAN4) across a single link between a MikroTik router and a manageable switch that supports VLAN trunking.</p><p>Each VLAN has its own separate subnet (broadcast domain) as we see in the figure above:</p><ul><li>VLAN 2 – 10.10.20.0/24;</li><li>VLAN 3 – 10.10.30.0/24;</li><li>VLAN 4 – 10.10.40.0/24.</li></ul><p>VLAN configuration on most switches is straightforward: we need to define which ports are members of the VLANs and define a 'trunk' port that can carry tagged frames between the switch and the router.</p><p>Create VLAN interfaces:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface vlan
add name=VLAN2 vlan-id=2 interface=ether1 disabled=no
add name=VLAN3 vlan-id=3 interface=ether1 disabled=no
add name=VLAN4 vlan-id=4 interface=ether1 disabled=no</pre>
</div></div><p><br/></p><p>Add IP addresses to VLANs:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/ip address
add address=10.10.20.1/24 interface=VLAN2
add address=10.10.30.1/24 interface=VLAN3
add address=10.10.40.1/24 interface=VLAN4</pre>
</div></div><h3 id="VLAN-RouterOS/32andIPunnumberedaddresses"><span class="mw-headline">RouterOS /32 and IP unnumbered addresses</span></h3><p>In RouterOS, to create a point-to-point tunnel with addresses, you have to use an address with a network mask of '/32', which effectively gives you the same features as some vendors' unnumbered IP addresses.</p><p>There are 2 routers, RouterA and RouterB, which are part of networks 10.22.0.0/24 and 10.23.0.0/24 respectively. To connect these routers using VLANs as a carrier, use the following configuration:</p><p>RouterA:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence"> /ip address add address=10.22.0.1/24 interface=ether1
/interface vlan add interface=ether2 vlan-id=1 name=vlan1
/ip address add address=10.22.0.1/32 interface=vlan1 network=10.23.0.1
/ip route add gateway=10.23.0.1 dst-address=10.23.0.0/24 </pre>
</div></div><p>RouterB:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence"> /ip address add address=10.23.0.1/24 interface=ether1
/interface vlan add interface=ether2 vlan-id=1 name=vlan1
/ip address add address=10.23.0.1/32 interface=vlan1 network=10.22.0.1
/ip route add gateway=10.22.0.1 dst-address=10.22.0.0/24 </pre>
</div></div>
</div>
</div>Edgars P.2021-10-01T11:58:32ZL3 Hardware OffloadingGuntis G.tag:help.mikrotik.com,2009:page-62390319-712024-03-28T13:13:08Z2021-04-16T07:46:47Z<div class="feed"> <p>
Page
<b>edited</b> by
<a href=" https://help.mikrotik.com/docs/display/~guntis
">Guntis G.</a>
- "typos and formatting"
</p>
<div style="border-top: 1px solid #ddd; border-bottom: 1px solid #ddd; padding: 10px;">
<p><div class='toc-macro rbtoc1711701162887'>
</div></p><h1 id="L3HardwareOffloading-Introduction">Introduction</h1><p><span style="color: rgb(23,43,77);"><strong>Layer 3 Hardware Offloading</strong> (<strong>L3HW</strong>, otherwise known as IP switching or HW routing) allows offloading some router features onto the switch chip. This allows reaching wire speeds when routing packets, which would simply not be possible with the CPU. </span></p><h1 id="L3HardwareOffloading-SwitchConfiguration">Switch Configuration</h1><p>To enable Layer 3 Hardware Offloading, set <code><span style="color: rgb(0,128,0);">l3-hw-offloading=yes</span></code> for the switch:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface/ethernet/switch set 0 l3-hw-offloading=yes</pre>
</div></div><h2 id="L3HardwareOffloading-SwitchPortConfiguration">Switch Port Configuration</h2><p>Layer 3 Hardware Offloading can be configured for each physical switch port. For example:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface/ethernet/switch/port set sfp-sfpplus1 l3-hw-offloading=yes</pre>
</div></div><p>Note that the l3hw settings for the switch and for ports behave differently:</p><ul><li>Setting <span style="color: rgb(51,153,102);"><code>l3-hw-offloading</code><code>=no</code></span> for the switch completely disables offloading - all packets will be routed by the CPU.</li><li>However, setting <span style="color: rgb(51,153,102);"><code>l3-hw-offloading</code><code>=no</code></span> for a switch port only disables hardware routing from/to this particular port. Moreover, the port can still participate in Fasttrack connection offloading. </li></ul><p>To enable full hardware routing, enable l3hw on all switch ports:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface/ethernet/switch set 0 l3-hw-offloading=yes
/interface/ethernet/switch/port set [find] l3-hw-offloading=yes</pre>
</div></div><p>To make all packets go through the CPU first, and offload only the Fasttrack connections, disable l3hw on all ports but keep it enabled on the switch chip itself:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface/ethernet/switch set 0 l3-hw-offloading=yes
/interface/ethernet/switch/port set [find] l3-hw-offloading=no</pre>
</div></div><div class="confluence-information-macro confluence-information-macro-information"><span class="aui-icon aui-icon-small aui-iconfont-info confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p><strong>Packets get routed by the hardware only if both source and destination ports have <span style="color: rgb(51,153,102);"><code>l3-hw-offloading=yes</code></span>. </strong>If at least one of them has <span style="color: rgb(51,153,102);"><code>l3-hw-offloading=no</code></span>, packets will go through the CPU/Firewall while offloading only the Fasttrack connections.</p></div></div><p class="auto-cursor-target">The next example enables hardware routing on all ports but the upstream port (sfp-sfpplus16). Packets going to/from sfp-sfpplus16 will enter the CPU and are, therefore, subject to Firewall/NAT processing.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface/ethernet/switch set 0 l3-hw-offloading=yes
/interface/ethernet/switch/port set [find] l3-hw-offloading=yes
/interface/ethernet/switch/port set sfp-sfpplus16 l3-hw-offloading=no</pre>
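<p>The both-ports rule above decides which routed traffic skips the CPU firewall, so it is worth auditing before a configuration is applied. The following Python sketch is an added example, not MikroTik code: it replays the <code>set</code> commands in the form shown on this page and lists the port pairs involving an untrusted port that would be routed in hardware. The port list, the untrusted set and the function names are assumptions, as are the starting values (switch off until set, ports not mentioned treated as <code>yes</code>).</p>

```python
import re
from itertools import combinations

# Command forms as written on this page; anything else is rejected.
SWITCH_SET = re.compile(
    r"^/interface/ethernet/switch\s+set\s+\S+\s+l3-hw-offloading=(yes|no)$")
PORT_SET = re.compile(
    r"^/interface/ethernet/switch/port\s+set\s+(\S+)\s+l3-hw-offloading=(yes|no)$")


def replay(commands, ports, port_default=True):
    """Apply the commands in order; return (switch_on, {port: offload_enabled})."""
    switch_on = False  # assumption: offloading stays off until the switch is set to yes
    state = {name: port_default for name in ports}  # assumption: unset ports count as yes
    for raw in commands.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SWITCH_SET.match(line)
        if m:
            switch_on = m.group(1) == "yes"
            continue
        m = PORT_SET.match(line)
        if not m:
            raise ValueError(f"unrecognised command: {line!r}")
        target, value = m.group(1), m.group(2) == "yes"
        if target == "[find]":          # applies to every switch port
            state = dict.fromkeys(state, value)
        elif target in state:
            state[target] = value
        else:
            raise ValueError(f"unknown port: {target!r}")
    return switch_on, state


def routed_path(switch_on, state, src, dst):
    """'hardware': routed by the switch chip, the CPU firewall never sees it.
    'cpu': packets enter the CPU/Firewall (with the switch setting at yes,
    Fasttrack connections can still be offloaded afterwards)."""
    if switch_on and state[src] and state[dst]:
        return "hardware"
    return "cpu"


def audit(commands, ports, untrusted, port_default=True):
    """Port pairs that include an untrusted port and would be routed in hardware."""
    switch_on, state = replay(commands, ports, port_default)
    untrusted = set(untrusted)
    return [(a, b) for a, b in combinations(sorted(state), 2)
            if {a, b} & untrusted
            and routed_path(switch_on, state, a, b) == "hardware"]


# Constructed sample: three ports of one switch, sfp-sfpplus16 is the upstream.
PORTS = ["sfp-sfpplus1", "sfp-sfpplus2", "sfp-sfpplus16"]
UNTRUSTED = {"sfp-sfpplus16"}

FULL_HW = """
/interface/ethernet/switch set 0 l3-hw-offloading=yes
/interface/ethernet/switch/port set [find] l3-hw-offloading=yes
"""
UPSTREAM_VIA_CPU = FULL_HW + (
    "/interface/ethernet/switch/port set sfp-sfpplus16 l3-hw-offloading=no\n")
FASTTRACK_ONLY = """
/interface/ethernet/switch set 0 l3-hw-offloading=yes
/interface/ethernet/switch/port set [find] l3-hw-offloading=no
"""

if __name__ == "__main__":
    for name, cfg in [("full hardware routing", FULL_HW),
                      ("upstream via CPU", UPSTREAM_VIA_CPU),
                      ("Fasttrack only", FASTTRACK_ONLY)]:
        pairs = audit(cfg, PORTS, UNTRUSTED)
        print(f"{name}: {len(pairs)} untrusted pair(s) routed in hardware")
        for a, b in pairs:
            print(f"  {a} <-> {b}")
```

<p>An empty result for the upstream port means every packet to or from it enters the CPU first, which is the state the third configuration on this page is meant to produce.</p>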
</div></div><div class="confluence-information-macro confluence-information-macro-warning"><span class="aui-icon aui-icon-small aui-iconfont-error confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>The existing connections may be unaffected by the <span style="color: rgb(51,153,102);"><code>l3-hw-offloading</code></span> setting change.</p></div></div><h2 class="auto-cursor-target" id="L3HardwareOffloading-L3HWSettings">L3HW Settings</h2><h3 id="L3HardwareOffloading-BasicSettings">Basic Settings</h3><p>The L3HW Settings menu has been introduced in RouterOS version 7.6.</p><p><strong>Sub-menu:</strong><span> </span><code>/interface ethernet switch l3hw-settings</code></p><div class="table-wrap"><table class="wrapped confluenceTable"><colgroup><col/><col/></colgroup><thead><tr><th style="text-align: left;" class="confluenceTh"><p>Property</p></th><th style="text-align: left;" class="confluenceTh"><p>Description</p></th></tr></thead><tbody><tr><td style="text-align: left;" class="confluenceTd"><strong>autorestart</strong> <span style="color: rgb(23,43,77);">(</span><em style="text-align: left;">yes | no</em><span style="color: rgb(23,43,77);">; Default:</span><span style="color: rgb(23,43,77);"> </span><strong>no</strong><span style="color: rgb(23,43,77);">)</span></td><td style="text-align: left;" class="confluenceTd"><span style="color: rgb(23,43,77);">Automatically restarts the l3hw driver in case of an error. Otherwise, if an error occurs,<span> </span><code>l3-hw-offloading</code><span> </span>gets disabled, and the error code is displayed in the switch settings and<span> </span><a href="https://help.mikrotik.com/docs/display/ROS/L3+Hardware+Offloading#L3HardwareOffloading-Monitor" rel="nofollow">#monitor</a>. 
Autorestart does not work for system failures, such as OOM (Out Of Memory).</span></td></tr><tr><td style="text-align: left;" class="confluenceTd"><strong>fasttrack-hw</strong><span> </span><span style="color: rgb(23,43,77);">(</span><em style="text-align: left;">yes | no</em><span style="color: rgb(23,43,77);">; Default:</span><span style="color: rgb(23,43,77);"> </span><strong style="text-align: left;">yes<span> </span></strong>(if supported)<span style="color: rgb(23,43,77);">)</span></td><td style="text-align: left;" class="confluenceTd"><span style="color: rgb(23,43,77);">Enables or disables FastTrack HW Offloading. Keep it enabled unless HW TCAM memory reservation is required, e.g., for dynamic switch ACL rules creation. Not all switch chips support FastTrack HW Offloading (see<span> </span><strong>hw-supports-fasttrack</strong>).</span></td></tr><tr><td style="text-align: left;" class="confluenceTd"><strong>ipv6-hw</strong><span> </span><span style="color: rgb(23,43,77);">(</span><em style="text-align: left;">yes | no</em><span style="color: rgb(23,43,77);">; Default:</span><span style="color: rgb(23,43,77);"> </span><strong style="text-align: left;">no</strong><span style="color: rgb(23,43,77);">)</span></td><td style="text-align: left;" class="confluenceTd">Enables or disables IPv6 Hardware Offloading. 
Since IPv6 routes occupy a lot of HW memory, enable it only if IPv6 traffic speed is significant enough to benefit from hardware routing.</td></tr><tr><td style="text-align: left;" class="confluenceTd"><strong>icmp-reply-on-error</strong><span> </span><span style="color: rgb(23,43,77);">(</span><em style="text-align: left;">yes | no</em><span style="color: rgb(23,43,77);">; Default:</span><span style="color: rgb(23,43,77);"> </span><strong style="text-align: left;">yes</strong><span style="color: rgb(23,43,77);">)</span></td><td style="text-align: left;" class="confluenceTd">Since the hardware cannot send ICMP messages, the packet must be redirected to the CPU to send an ICMP reply in case of an error (e.g., "Time Exceeded", "Fragmentation required", etc.). Enabling icmp-reply-on-error<strong> </strong>helps with network diagnostics but may open potential vulnerabilities for DDoS attacks. Disabling icmp-reply-on-error silently drops the packets on the hardware level in case of an error.</td></tr></tbody></table></div><p class="auto-cursor-target"><strong>Read-Only Properties</strong></p><div class="table-wrap"><table class="wrapped confluenceTable"><colgroup><col/><col/></colgroup><thead><tr><th style="text-align: left;" class="confluenceTh"><p>Property</p></th><th style="text-align: left;" class="confluenceTh"><p>Description</p></th></tr></thead><tbody><tr><td style="text-align: left;" class="confluenceTd"><strong>hw-supports-fasttrack</strong><span> </span>(<em><em style="text-align: left;">yes | no</em></em><span style="color: rgb(23,43,77);">)</span></td><td style="text-align: left;" class="confluenceTd">Indicates if the hardware (switch chip) supports FastTrack HW Offloading.</td></tr></tbody></table></div><h3 class="auto-cursor-target" id="L3HardwareOffloading-AdvancedSettings">Advanced Settings</h3><p>This menu allows tweaking l3hw settings for specific use cases.</p><div class="confluence-information-macro confluence-information-macro-warning"><span 
class="aui-icon aui-icon-small aui-iconfont-error confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>It is NOT recommended to change the advanced L3HW settings unless instructed by MikroTik Support or a MikroTik Certified Routing Engineer. Applying incorrect settings may break the L3HW operation.</p></div></div><p><strong>Sub-menu:</strong><span> </span><code>/interface ethernet switch l3hw-settings advanced</code></p><div class="table-wrap"><table class="wrapped confluenceTable"><colgroup class=""><col class=""/><col class=""/></colgroup><thead class=""><tr class=""><th style="text-align: left;" class="confluenceTh"><p>Property</p></th><th style="text-align: left;" class="confluenceTh"><p>Description</p></th></tr></thead><tbody class=""><tr class=""><td style="text-align: left;" class="confluenceTd"><strong>route-queue-limit-high</strong><span> </span><span style="color: rgb(23,43,77);">(</span><em style="text-align: left;">number</em><span style="color: rgb(23,43,77);">; Default:</span><span style="color: rgb(23,43,77);"> </span><strong style="text-align: left;">256</strong><span style="color: rgb(23,43,77);">)</span></td><td style="text-align: left;" class="confluenceTd"><p>The switch driver stops route indexing when<span> </span><span style="color: rgb(51,153,102);"><strong>route-queue-size</strong></span><span> </span>(see<span> </span><a href="https://help.mikrotik.com/docs/display/ROS/L3+Hardware+Offloading#L3HardwareOffloading-Monitor" rel="nofollow">#monitor</a>) exceeds this value. Lowering this value leads to faster route processing but increases the lag between a route's appearance in RouterOS and hardware memory.</p><p>Setting<span> </span><strong><span style="color: rgb(51,153,102);">route-queue-limit-high=0</span><span> </span></strong>disables route indexing when there are any routes in the processing queue - the most efficient CPU usage but the longest delay before hardware offloading. 
Useful when there are static routes only. Not recommended together with routing protocols (such as BGP or OSPF) when there are frequent routing table changes.</p></td></tr><tr><td style="text-align: left;" class="confluenceTd"><strong>route-queue-limit-low</strong><span> </span><span style="color: rgb(23,43,77);">(</span><em style="text-align: left;">number</em><span style="color: rgb(23,43,77);">; Default:</span><span style="color: rgb(23,43,77);"> </span><strong style="text-align: left;">0</strong><span style="color: rgb(23,43,77);">)</span></td><td style="text-align: left;" class="confluenceTd"><p>Re-enable route indexing when<span> </span><span style="color: rgb(51,153,102);"><strong>route-queue-size</strong></span><span> </span>drops down to this value. Must not exceed the high limit.</p><p>Setting<span> </span><span style="color: rgb(51,153,102);"><strong>route-queue-limit-low=0 </strong></span>tells the switch driver to process all pending routes before the next hw-offloading attempt. 
While this is the desired behavior, it may completely block the hw-offloading under a constant BGP feed.</p></td></tr><tr><td style="text-align: left;" class="confluenceTd"><strong>shwp-reset-counter </strong><span> </span><span style="color: rgb(23,43,77);">(</span><em>number</em><span style="color: rgb(23,43,77);">; Default:</span><span style="color: rgb(23,43,77);"> </span><strong>128</strong><span style="color: rgb(23,43,77);">)</span></td><td style="text-align: left;" class="confluenceTd"><p>Reset the Shortest HW Prefix (see<span> </span><span style="color: rgb(51,153,102);"><strong>ipv4-shortest-hw-prefix</strong></span><span> </span>/<span> </span><strong>i<span style="color: rgb(51,153,102);">pv6-shortest-hw-prefix</span></strong><span> </span>in<span> </span><a href="https://help.mikrotik.com/docs/display/ROS/L3+Hardware+Offloading#L3HardwareOffloading-Monitor" rel="nofollow">#monitor</a>) and try the full route table offloading after this amount of changes in the routing table. At a partial offload, when the entire routing table does not fit into the hardware memory and shorter prefixes are redirected to the CPU, there is no need to try offloading route prefixes shorter than SHWP since those will get redirected to the CPU anyway, theoretically. However, significant changes to the routing table may lead to a different index layout and, therefore, a different amount of routes that can be hw-offloaded. That's why it is recommended to do the full table re-indexing occasionally.</p><p>Lowering this value may allow more routes to be hw-offloaded but increases CPU usage and vice-versa. 
Setting<span> </span><span style="color: rgb(51,153,102);"><strong>shwp-reset-counter=0</strong></span><span> </span>always does full re-indexing after each routing table change.</p><p>This setting is used only during Partial Offloading and has no effect when<span> </span><span style="color: rgb(51,153,102);"><strong>ipv4-shortest-hw-prefix=0</strong> </span>(and ipv6, respectively).</p></td></tr><tr><td style="text-align: left;" class="confluenceTd"><strong>partial-offload-chunk </strong><span style="color: rgb(23,43,77);">(</span><em>number</em><span style="color: rgb(23,43,77);">; Default:</span><span style="color: rgb(23,43,77);"> </span><strong>1024</strong>, min: 16<span style="color: rgb(23,43,77);">)</span></td><td style="text-align: left;" class="confluenceTd"><p>The minimum number of routes for incremental adding in Partial Offloading. Depending on the switch chip model, routes are offloaded either as-is (each routing entry in RouterOS corresponds to an entry in the hardware memory) or getting indexed, and the index entries are the ones that are written into the hardware memory. This setting is used only for the latter during Partial Offloading.</p><p>Depending on index fragmentation, a single IPv4 route addition can occupy from -3 to +6 LPM blocks of HW memory (some route addition may lower the amount of required HW memory thanks to index defragmentation). Hence, it is impossible to predict the exact number of routes that may fit in the hardware memory. The switch driver uses a binary split algorithm to find the maximum number of routes that fit in the hardware.</p><p>Let's imagine 128k routes, all of them not fitting into the hardware memory. The algorithm halves the number and tries offloading 64k routes. Let's say offloading succeeded. In the next iteration, the algorithm picks 96k, let's say it fails; then 80k - fails again, 72k - succeeds, 76k, etc. 
until the difference between succeeded and failed numbers drops below the<span> </span><strong><span style="color: rgb(51,153,102);">partial-offload-chunk</span><span> </span></strong>value.</p><p>Lowering the<span> </span><strong><span style="color: rgb(51,153,102);">partial-offload-chunk</span><span> </span></strong>value increases the number of hw-offloaded routes but also raises CPU usage and vice-versa.</p></td></tr><tr><td style="text-align: left;" class="confluenceTd"><strong>route-index-delay-min</strong><span> </span><span style="color: rgb(23,43,77);">(</span><em>time</em><span style="color: rgb(23,43,77);">; Default:</span><span style="color: rgb(23,43,77);"> </span><strong>1s</strong><span style="color: rgb(23,43,77);">)</span></td><td style="text-align: left;" class="confluenceTd"><p>The minimum delay between route processing and its offloading. The delay allows processing more routes together and offloading them at once, saving CPU usage. It also makes offloading the entire routing table faster by reducing the per-route processing work. 
On the other hand, it slows down the offloading of an individual route.</p><p>If an additional route is received during the delay, the latter resets to the<span> </span><span style="color: rgb(51,153,102);"><strong>route-index-delay-min</strong></span><span> </span>value<strong>.</strong><span> </span>Adding more and more routes within the delay keeps resetting the timer until the<span> </span><strong><span style="color: rgb(51,153,102);">route-index-delay-max</span><span> </span></strong>is reached.</p></td></tr><tr><td style="text-align: left;" class="confluenceTd"><strong>route-index-delay-max</strong> <span style="color: rgb(23,43,77);">(</span><em>time</em><span style="color: rgb(23,43,77);">; Default:</span><span style="color: rgb(23,43,77);"> </span><strong>10s</strong><span style="color: rgb(23,43,77);">)</span></td><td style="text-align: left;" class="confluenceTd"><p>The maximum delay between route processing and its offloading. When the maximum delay is reached, the processed routes get offloaded despite more routes pending. However,<span> </span><strong><span style="color: rgb(51,153,102);">route-queue-limit-high</span> </strong>has higher priority than this, meaning that the indexing/offloading gets paused anyway when a certain queue size is reached.</p></td></tr><tr><td style="text-align: left;" class="confluenceTd"><strong>neigh-keepalive-interval</strong><span> </span><span style="color: rgb(23,43,77);">(</span><em>time</em><span style="color: rgb(23,43,77);">; Default:</span><span style="color: rgb(23,43,77);"> <strong>1</strong></span><strong>5s</strong>, min: 5s<span style="color: rgb(23,43,77);">)</span></td><td style="text-align: left;" class="confluenceTd"><p>Neighbor (host) keepalive interval. When a host (IP neighbor) gets hw-offloaded, all traffic from/to it is routed by the switch chip, and RouterOS may think the neighbor is inactive and delete it. 
To prevent that, the switch driver must keep the offloaded neighbors alive by sending periodical refreshes to RouterOS.</p></td></tr><tr><td style="text-align: left;" class="confluenceTd"><strong>neigh-discovery-interval</strong><span> </span><span style="color: rgb(23,43,77);">(</span><em>time</em><span style="color: rgb(23,43,77);">; Default:</span><span style="color: rgb(23,43,77);"><span> </span><strong>1m37s</strong></span>, min: 30s<span style="color: rgb(23,43,77);">)</span></td><td style="text-align: left;" class="confluenceTd"><p>Unfortunately, switch chips do not provide per-neighbor stats. Hence, the only way to check if the offloaded host is still active is by sending occasional ARP (IPv4) / Neighbor Discovery (IPv6) requests to the connected network. Increasing the value lowers the broadcast traffic but may leave inactive hosts in hardware memory for longer.</p><p>Neighbor discovery is triggered within the neighbor keepalive work. Hence, the discovery time is rounded up to the next keepalive session. 
Choose a value for<span> </span><span style="color: rgb(51,153,102);"><strong>neigh-discovery-interval</strong></span><span> </span>not divisible by<span> </span><span style="color: rgb(51,153,102);"><strong>neigh-keepalive-interval</strong></span><span> </span>to send ARP/ND requests in various sessions, preventing broadcast bursts.</p></td></tr><tr><td style="text-align: left;" class="confluenceTd"><strong>neigh-discovery-burst-limit</strong><strong> </strong><span style="color: rgb(23,43,77);">(</span><em>number</em><span style="color: rgb(23,43,77);">; Default:</span><span style="color: rgb(23,43,77);"> </span><strong>64</strong><span style="color: rgb(23,43,77);">)</span></td><td style="text-align: left;" class="confluenceTd"><p>The maximum number of ARP/ND requests that can be sent at once.</p></td></tr><tr><td style="text-align: left;" class="confluenceTd"><strong>neigh-discovery-burst-delay</strong><span> </span><span style="color: rgb(23,43,77);">(</span><em>time</em><span style="color: rgb(23,43,77);">; Default:</span><span style="color: rgb(23,43,77);"><span> </span><strong>300ms</strong></span>, min: 10ms<span style="color: rgb(23,43,77);">)</span></td><td style="text-align: left;" class="confluenceTd"><p>The delay between subsequent ARP/ND bursts if the number of requests exceeds<span> </span><span style="color: rgb(51,153,102);"><strong>neigh-discovery-burst-limit</strong></span><strong>.</strong></p></td></tr></tbody></table></div><p><br/></p><div class="confluence-information-macro confluence-information-macro-information"><span class="aui-icon aui-icon-small aui-iconfont-info confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>Some settings only apply to certain switch models.</p></div></div><h3 class="auto-cursor-target" id="L3HardwareOffloading-Monitor">Monitor</h3><p>The L3HW Monitor feature has been introduced in RouterOS version 7.10. It allows monitoring of switch chip and driver stats related to L3HW. 
</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface/ethernet/switch/l3hw-settings/monitor
ipv4-routes-total: 99363
ipv4-routes-hw: 61250
ipv4-routes-cpu: 38112
ipv4-shortest-hw-prefix: 24
ipv4-hosts: 87
ipv6-routes-total: 15
ipv6-routes-hw: 11
ipv6-routes-cpu: 4
ipv6-shortest-hw-prefix: 0
ipv6-hosts: 7
route-queue-size: 118
fasttrack-ipv4-conns: 2031
fasttrack-hw-min-speed: 0
nexthop-cap: 8192
nexthop-usage: 93</pre>
</div></div><p class="auto-cursor-target"><strong>Stats</strong></p><div class="table-wrap"><table class="wrapped confluenceTable"><colgroup class=""><col class=""/><col class=""/></colgroup><thead class=""><tr class=""><th style="text-align: left;" class="confluenceTh"><p>Property</p></th><th style="text-align: left;" class="confluenceTh"><p>Description</p></th></tr></thead><tbody class=""><tr class=""><td style="text-align: left;" class="confluenceTd"><strong>ipv4-routes-total</strong></td><td style="text-align: left;" class="confluenceTd">The total number of IPv4 routes handled by the switch driver.</td></tr><tr><td style="text-align: left;" class="confluenceTd"><strong>ipv4-routes-hw</strong></td><td style="text-align: left;" class="confluenceTd">The number of hardware-offloaded IPv4 routes (a.k.a. hardware routes)</td></tr><tr><td style="text-align: left;" class="confluenceTd"><strong>ipv4-routes-cpu</strong></td><td style="text-align: left;" class="confluenceTd">The number of IPv4 routes redirected to the CPU (a.k.a. software routes)</td></tr><tr><td style="text-align: left;" class="confluenceTd"><strong>ipv4-shortest-hw-prefix</strong></td><td style="text-align: left;" class="confluenceTd"><em>Shortest Hardware Prefix (SHWP)<span> </span></em>for IPv4. If the entire IPv4 routing table does not fit into the hardware memory,<span> </span><em>partial offloading</em><span> </span>is applied, where the longest prefixes are hw-offloaded while the shorter ones are redirected to the CPU. This field shows the shortest route prefix (/x) that is offloaded to the hardware memory. All prefixes shorter than this are processed by the CPU. 
"<span style="color: rgb(51,153,102);"><code>ipv4-shortest-hw-prefix=0</code></span>" means the entire IPv4 routing table is offloaded to the hardware memory.</td></tr><tr><td style="text-align: left;" class="confluenceTd"><strong>ipv4-hosts</strong></td><td style="text-align: left;" class="confluenceTd">The number of hardware-offloaded IPv4 hosts (/32 routes)</td></tr><tr><td style="text-align: left;" class="confluenceTd"><strong>ipv6-routes-total<span> </span></strong><em><sup>1</sup></em></td><td style="text-align: left;" class="confluenceTd">The total number of IPv6 routes handled by the switch driver.</td></tr><tr><td style="text-align: left;" class="confluenceTd"><strong>ipv6-routes-hw</strong><span> </span><em><sup>1</sup></em></td><td style="text-align: left;" class="confluenceTd">The number of hardware-offloaded IPv6 routes (a.k.a. hardware routes)</td></tr><tr><td style="text-align: left;" class="confluenceTd"><strong>ipv6-routes-cpu</strong><span> </span><em><sup>1</sup></em></td><td style="text-align: left;" class="confluenceTd">The number of IPv6 routes redirected to the CPU (a.k.a. software routes)</td></tr><tr><td style="text-align: left;" class="confluenceTd"><strong>ipv6-shortest-hw-prefix</strong><strong><span> </span></strong><em><sup>1</sup></em></td><td style="text-align: left;" class="confluenceTd"><em>Shortest Hardware Prefix (SHWP)<span> </span></em>for IPv6. If the entire IPv6 routing table does not fit into the hardware memory,<span> </span><em>partial offloading</em><span> </span>is applied, where the longest prefixes are hw-offloaded while the shorter ones are redirected to the CPU. This field shows the shortest route prefix (/x) that is offloaded to the hardware memory. All prefixes shorter than this are processed by the CPU. 
"<span style="color: rgb(51,153,102);"><code>ipv6-shortest-hw-prefix=0</code></span>" means the entire IPv6 routing table is offloaded to the hardware memory.</td></tr><tr><td style="text-align: left;" class="confluenceTd"><strong>ipv6-hosts<span> </span></strong><em><sup>1</sup></em></td><td style="text-align: left;" class="confluenceTd">The number of hardware-offloaded IPv6 hosts (/128 routes)</td></tr><tr><td style="text-align: left;" class="confluenceTd"><strong>route-queue-size</strong></td><td style="text-align: left;" class="confluenceTd">The number of routes in the queue for processing by the switch chip driver. Under normal working conditions, this field is 0, meaning that all routes are processed by the driver.</td></tr><tr><td style="text-align: left;" class="confluenceTd"><strong>fasttrack-ipv4-conns</strong><span> </span><em><sup>2</sup></em></td><td style="text-align: left;" class="confluenceTd">The number of hardware-offloaded FastTrack connections.</td></tr><tr><td style="text-align: left;" class="confluenceTd"><strong>fasttrack-hw-min-speed</strong><span> </span><em><sup>2</sup></em></td><td style="text-align: left;" class="confluenceTd">When the hardware memory for storing FastTrack is full, this field shows the minimum speed (in bytes per second) of a hw-offloaded FastTrack connection. 
Slower connections are routed by the CPU.</td></tr></tbody></table></div><p class="auto-cursor-target"><em><sup>1</sup><span> </span>IPv6 stats appear only when IPv6 hardware routing is enabled (<span style="color: rgb(51,153,102);"><code>ipv6-hw=yes</code></span>)</em></p><p class="auto-cursor-target"><em><sup>2</sup><span> </span>FastTrack stats appear only when hardware offloading of FastTrack connections is enabled (<span style="color: rgb(51,153,102);">fasttrack-hw<code>=yes</code></span>)</em></p><h3 class="auto-cursor-target" id="L3HardwareOffloading-AdvancedMonitor">Advanced Monitor</h3><p>An enhanced version of Monitor with extra telemetry data for advanced users. Advanced Monitor contains all data from the basic monitor<span> </span>plus the fields listed below.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface/ethernet/switch/l3hw-settings/advanced> monitor once
ipv4-routes-total: 29968
ipv4-routes-hw: 29957
ipv4-routes-cpu: 11
ipv4-shortest-hw-prefix: 0
ipv4-hosts: 3
ipv6-routes-total: 4
ipv6-routes-hw: 0
ipv6-routes-cpu: 4
ipv6-shortest-hw-prefix: 0
ipv6-hosts: 0
route-queue-size: 0
route-queue-rate: 0
route-process-rate: 0
fasttrack-ipv4-conns: 0
fasttrack-queue-size: 0
fasttrack-queue-rate: 0
fasttrack-process-rate: 0
fasttrack-hw-min-speed: 0
fasttrack-hw-offloaded: 0
fasttrack-hw-unloaded: 0
lpm-cap: 54560
lpm-usage: 31931
lpm-bank-cap: 2728
lpm-bank-usage: 46,0,0,0,2589,2591,1983,0,2728,2728,2728,2728,2728,2728,2728,2728,2728,170,0,0
pbr-cap: 8192
pbr-usage: 0
pbr-lpm-bank: 3
nat-usage: 0
nexthop-cap: 8192
nexthop-usage: 85</pre>
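<p>The following off-box check is an added example, not part of the original documentation or of RouterOS: it parses Monitor / Advanced Monitor output and flags the conditions the Stats tables describe (partial offloading, a non-empty route queue, hardware tables close to capacity). The sample text is taken from the two outputs on this page, trimmed; the 80% warning threshold and all function names are assumptions.</p>

```python
import re

# Sample input: fields copied from the Monitor output on this page (trimmed).
BASIC_SAMPLE = """\
/interface/ethernet/switch/l3hw-settings/monitor
ipv4-routes-total: 99363
ipv4-routes-hw: 61250
ipv4-routes-cpu: 38112
ipv4-shortest-hw-prefix: 24
route-queue-size: 118
nexthop-cap: 8192
nexthop-usage: 93
"""

# Sample input: fields copied from the Advanced Monitor output on this page (trimmed).
ADVANCED_SAMPLE = """\
ipv4-routes-total: 29968
ipv4-routes-hw: 29957
ipv4-routes-cpu: 11
ipv4-shortest-hw-prefix: 0
route-queue-size: 0
lpm-cap: 54560
lpm-usage: 31931
lpm-bank-cap: 2728
lpm-bank-usage: 46,0,0,0,2589,2591,1983,0,2728,2728,2728,2728,2728,2728,2728,2728,2728,170,0,0
pbr-lpm-bank: 3
nexthop-cap: 8192
nexthop-usage: 85
"""

# "name: 123" or "name: 1,2,3"; prompt lines and blanks do not match.
FIELD = re.compile(r"^\s*([a-z0-9-]+):\s*([0-9,]+)\s*$")


def parse_monitor(text):
    """Return {field: int} with comma-separated values as a list of ints."""
    stats = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, raw = m.groups()
        if "," in raw:
            stats[key] = [int(x) for x in raw.split(",") if x]
        else:
            stats[key] = int(raw)
    return stats


def lpm_summary(stats):
    """Bank count, full banks and usage ratio derived from the LPM fields."""
    cap, bank_cap = stats.get("lpm-cap"), stats.get("lpm-bank-cap")
    if not cap or not bank_cap:
        return None  # basic monitor output, or a chip that uses TCAM instead of LPM
    banks = stats.get("lpm-bank-usage", [])
    if isinstance(banks, int):
        banks = [banks]
    used = stats.get("lpm-usage", 0)
    pbr_bank = stats.get("pbr-lpm-bank")  # 0 = the first bank
    shared = pbr_bank is not None and pbr_bank < len(banks)
    return {
        "banks": cap // bank_cap,                           # lpm-cap / lpm-bank-cap
        "full_banks": sum(1 for b in banks if b >= bank_cap),
        "usage": used / cap,                                # lpm-usage / lpm-cap
        "sum_matches": sum(banks) == used,                  # per-bank values add up
        "pbr_bank_usage": banks[pbr_bank] if shared else None,
    }


def assess(stats, table_warn=0.80):
    """Return human-readable findings; table_warn is an assumed threshold."""
    findings = []
    for fam in ("ipv4", "ipv6"):
        total = stats.get(f"{fam}-routes-total")
        if total is None:
            continue  # IPv6 stats appear only with ipv6-hw=yes
        shwp = stats.get(f"{fam}-shortest-hw-prefix", 0)
        if shwp != 0:  # 0 means the whole table is offloaded
            cpu = stats.get(f"{fam}-routes-cpu", 0)
            findings.append(
                f"{fam}: partial offloading, prefixes shorter than /{shwp} "
                f"are routed by the CPU ({cpu} of {total} routes)")
    queue = stats.get("route-queue-size", 0)
    if queue > 0:  # 0 under normal working conditions
        findings.append(f"route queue not empty: {queue} routes pending")
    for table in ("lpm", "pbr", "nexthop"):
        cap, used = stats.get(f"{table}-cap"), stats.get(f"{table}-usage")
        if cap and used is not None and used / cap >= table_warn:
            findings.append(f"{table} table at {used / cap:.0%} of capacity")
    return findings


if __name__ == "__main__":
    for name, sample in (("basic", BASIC_SAMPLE), ("advanced", ADVANCED_SAMPLE)):
        stats = parse_monitor(sample)
        print(name, assess(stats) or "no findings", lpm_summary(stats))
```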
</div></div><p class="auto-cursor-target"><strong>Stats</strong></p><div class="table-wrap"><table class="wrapped confluenceTable"><colgroup class=""><col class=""/><col class=""/></colgroup><thead class=""><tr class=""><th style="text-align: left;" class="confluenceTh"><p>Property</p></th><th style="text-align: left;" class="confluenceTh"><p>Description</p></th></tr></thead><tbody class=""><tr class=""><td style="text-align: left;" class="confluenceTd"><strong>route-queue-rate</strong></td><td style="text-align: left;" class="confluenceTd">The rate at which routes are added to the queue for the switch driver processing. In other words, the growth rate of<span> </span><span style="color: rgb(51,153,102);"><strong>route-queue-size</strong> </span>(routes per second)</td></tr><tr><td style="text-align: left;" class="confluenceTd"><strong>route-process-rate</strong></td><td style="text-align: left;" class="confluenceTd">The rate at which previously queued routes are processed by the switch driver. In other words, the shrink rate of<span> </span><span style="color: rgb(51,153,102);"><strong>route-queue-size</strong></span><span> </span>(routes per second)</td></tr><tr><td style="text-align: left;" class="confluenceTd"><strong>fasttrack-queue-size</strong></td><td style="text-align: left;" class="confluenceTd">The number of FastTrack connections in the queue for processing by the switch chip driver.</td></tr><tr><td style="text-align: left;" class="confluenceTd"><strong>fasttrack-queue-rate</strong></td><td style="text-align: left;" class="confluenceTd">The rate at which FastTrack connections are added to the queue for the switch driver processing. 
In other words, the growth rate of<span> </span><span style="color: rgb(51,153,102);"><strong>fasttrack-queue-size</strong></span><span> </span>(connections per second)</td></tr><tr><td style="text-align: left;" class="confluenceTd"><strong>fasttrack-process-rate</strong></td><td style="text-align: left;" class="confluenceTd">The rate at which previously queued FastTrack connections are processed by the switch driver. In other words, the shrink rate of<span> </span><span style="color: rgb(51,153,102);"><strong>fasttrack-queue-size</strong></span><span> </span>(connections per second)</td></tr><tr><td style="text-align: left;" class="confluenceTd"><strong>fasttrack-hw-offloaded</strong></td><td style="text-align: left;" class="confluenceTd">The number of FastTrack connections offloaded to the hardware. The counter resets every second (or every monitor interval).</td></tr><tr><td style="text-align: left;" class="confluenceTd"><strong>fasttrack-hw-unloaded</strong></td><td style="text-align: left;" class="confluenceTd">The number of FastTrack connections unloaded from the hardware (redirected to software routing). The counter resets every second (or every monitor interval).</td></tr><tr><td style="text-align: left;" class="confluenceTd"><strong>lpm-cap</strong></td><td style="text-align: left;" class="confluenceTd">The size of the LPM hardware table (LPM = Longest Prefix Match). LPM stores route indexes for hardware routing. Not every switch chip model uses LPM. 
Others use TCAM.</td></tr><tr><td style="text-align: left;" class="confluenceTd"><strong>lpm-usage</strong></td><td style="text-align: left;" class="confluenceTd">The number of used LPM blocks.<span> </span><strong><span style="color: rgb(51,153,102);">lpm-usage</span><span> </span></strong>/<span> </span><span style="color: rgb(51,153,102);"><strong>lpm-cap</strong></span><span> </span>= usage percentage.</td></tr><tr><td style="text-align: left;" class="confluenceTd"><strong>lpm-bank-cap</strong></td><td style="text-align: left;" class="confluenceTd">LPM memory is organized in banks - special memory units. The bank size depends on the switch chip model. This value shows the size of a single bank (in LPM blocks).<span> </span><span style="color: rgb(51,153,102);"><strong>lpm-cap</strong></span><span> </span>/<span> </span><span style="color: rgb(51,153,102);"><strong>lpm-bank-cap</strong> </span>= the number of banks (usually, 20).</td></tr><tr><td style="text-align: left;" class="confluenceTd"><strong>lpm-bank-usage</strong></td><td style="text-align: left;" class="confluenceTd">Per-bank LPM usage (in LPM blocks)</td></tr><tr><td style="text-align: left;" class="confluenceTd"><strong>pbr-cap</strong></td><td style="text-align: left;" class="confluenceTd">The size of the Policy-Based Routing (PBR) hardware table. PBR is used for NAT offloading of FastTrack connections.</td></tr><tr><td style="text-align: left;" class="confluenceTd"><strong>pbr-usage</strong></td><td style="text-align: left;" class="confluenceTd">The number of used PBR entries.<span> </span><strong><span style="color: rgb(51,153,102);">pbr-usage</span><span> </span></strong>/<span> </span><span style="color: rgb(51,153,102);"><strong>pbr-cap</strong></span><span> </span>= usage percentage.</td></tr><tr><td style="text-align: left;" class="confluenceTd"><strong>pbr-lpm-bank</strong></td><td style="text-align: left;" class="confluenceTd">PBR shares LPM memory banks with routing tables. 
This value shows the LPM bank index shared with PBR (0 = the first bank).</td></tr><tr><td style="text-align: left;" class="confluenceTd"><strong>nat-usage</strong></td><td style="text-align: left;" class="confluenceTd">The number of used NAT hardware entries (for FastTrack connections).</td></tr></tbody></table></div><h2 id="L3HardwareOffloading-InterfaceLists"><span style="font-size: 20.0px;letter-spacing: -0.008em;">Interface Lists</span></h2><p>It is impossible to use interface lists directly to control <span style="color: rgb(51,153,102);"><code>l3-hw-offloading</code> </span>because an interface list may contain virtual interfaces (such as VLAN) while the <code><span style="color: rgb(51,153,102);">l3-hw-offloading</span></code> setting must be applied to physical switch ports only. For example, if there are two VLAN interfaces (vlan20 and vlan30) running on the same switch port (trunk port), it is impossible to enable hardware routing on vlan20 but keep it disabled on vlan30.</p><p><span>However, an interface list may be used as a port selector. The following example demonstrates how to enable hardware routing on LAN ports (ports that belong to the "LAN" interface list) and disable it on WAN ports:</span></p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">:foreach i in=[/interface/list/member/find where list=LAN] do={
/interface/ethernet/switch/port set [/interface/list/member/get $i interface] l3-hw-offloading=yes
}
:foreach i in=[/interface/list/member/find where list=WAN] do={
/interface/ethernet/switch/port set [/interface/list/member/get $i interface] l3-hw-offloading=no
}</pre>
</div></div><p><span>Please take into account that since interface lists are not directly used in hardware routing control, <strong>modifying the interface list is not automatically reflected in the L3HW configuration</strong>. For instance, adding a switch port to the "LAN" interface list does not automatically enable <span style="color: rgb(51,153,102);"><code>l3-hw-offloading</code></span> on it. The user has to rerun the above script to apply the changes.</span></p><h2 id="L3HardwareOffloading-MTU">MTU</h2><p>The hardware supports up to 8 MTU profiles, meaning that the user can set up to 8 different MTU values for interfaces: the default 1500 + seven custom ones.</p><div class="confluence-information-macro confluence-information-macro-information"><span class="aui-icon aui-icon-small aui-iconfont-info confluence-information-macro-icon"></span><div class="confluence-information-macro-body">It is recommended to disable <span style="color: rgb(51,153,102);"><code>l3-hw-offloading</code> </span>while changing the MTU/L2MTU values on the interfaces.</div></div><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b> MTU Change Example</b></div><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface/ethernet/switch set 0 l3-hw-offloading=no
/interface set sfp-sfpplus1 mtu=9000 l2mtu=9022
/interface set sfp-sfpplus2 mtu=9000 l2mtu=9022
/interface set sfp-sfpplus3 mtu=10000 l2mtu=10022
/interface/ethernet/switch set 0 l3-hw-offloading=yes</pre>
</div></div><h2 id="L3HardwareOffloading-Layer2Dependency">Layer 2 Dependency</h2><p>Layer 3 hardware processing lies on top of Layer 2 hardware processing. Therefore, L3HW offloading requires L2HW offloading on the underlying interfaces. The latter is enabled by default, but there are some exceptions. For example, CRS3xx devices support only one hardware bridge. If there are multiple bridges, others are processed by the CPU and are not subject to L3HW. </p><p>Another example is ACL rules. If a rule redirects traffic to the CPU for software processing, then hardware routing (L3HW) is not triggered:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>ACL rule to disable hardware processing on a specific port</b></div><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface/ethernet/switch/rule/add switch=switch1 ports=ether1 redirect-to-cpu=yes</pre>
</div></div><div class="confluence-information-macro confluence-information-macro-information"><span class="aui-icon aui-icon-small aui-iconfont-info confluence-information-macro-icon"></span><div class="confluence-information-macro-body">It is recommended to turn off L3HW offloading during L2 configuration.</div></div><p>To make sure that Layer 3 is in sync with Layer 2 on both the software and hardware sides, we recommend disabling L3HW while configuring Layer 2 features. The recommendation applies to the following configuration:</p><ul><li>adding/removing/enabling/disabling bridge;</li><li>adding/removing switch ports to/from the bridge;</li><li><span class="v1diff-html-added">bonding switch ports / removing bond;</span></li><li>changing VLAN settings;</li><li>changing MTU/L2MTU on switch ports;</li><li>changing ethernet (MAC) addresses.</li></ul><p>In short, disable <span style="color: rgb(51,153,102);"><code>l3-hw-offloading</code></span> while making changes under <span style="color: rgb(51,153,102);"><code>/interface/bridge/</code></span> and <span style="color: rgb(51,153,102);"><code>/interface/vlan/</code></span>:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>Layer 2 Configuration Template</b></div><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface/ethernet/switch set 0 l3-hw-offloading=no
/interface/bridge
# put bridge configuration changes here
/interface/vlan
# define/change VLAN interfaces
/interface/ethernet/switch set 0 l3-hw-offloading=yes</pre>
</div></div><h2 id="L3HardwareOffloading-MACtelnetandRoMON"><span style="color: rgb(36,41,46);">MAC telnet and RoMON </span></h2><p><span style="color: rgb(36,41,46);">There is a limitation for MAC telnet and RoMON when L3HW offloading is enabled on <strong>98DX8xxx</strong>, <strong>98DX4xxx,</strong> or <strong>98DX325x</strong> switch chips. Packets from these protocols are dropped and do not reach the CPU, thus access to the device will fail.</span></p><p><span style="color: rgb(36,41,46);">If MAC telnet or RoMON are desired in combination with L3HW, certain ACL rules can be created to force these packets to the CPU.</span></p><p><span style="color: rgb(36,41,46);">For example, if MAC telnet access on sfp-sfpplus1 and sfp-sfpplus2 is needed, you will need to add this ACL rule. It is possible to select even more interfaces with the <code><span style="color: rgb(51,153,102);">ports</span></code> setting.</span></p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface ethernet switch rule
add dst-port=20561 ports=sfp-sfpplus1,sfp-sfpplus2 protocol=udp redirect-to-cpu=yes switch=switch1</pre>
</div></div><p><span style="color: rgb(36,41,46);">For example, if RoMON access on sfp-sfpplus2 is needed, you will need to add this ACL rule. </span></p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface ethernet switch rule
add mac-protocol=0x88BF ports=sfp-sfpplus2 redirect-to-cpu=yes switch=switch1</pre>
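<p>The following coverage check is an added example, not part of the original documentation or of RouterOS: it reads switch rules in the syntax used on this page and reports which management ports have no <code>redirect-to-cpu=yes</code> rule for MAC telnet (UDP 20561) or RoMON (MAC protocol 0x88BF). The sample rules are constructed from the rules shown on this page; the function names and the list of management ports are assumptions, and only rules that match these protocols explicitly are counted.</p>

```python
import shlex

MAC_TELNET_UDP_PORT = 20561   # dst-port used in the page's MAC telnet rule
ROMON_MAC_PROTOCOL = 0x88BF   # mac-protocol used in the page's RoMON rule

# Constructed sample, assembled from rules shown on this page.
SAMPLE_RULES = """\
/interface ethernet switch rule
add dst-port=20561 ports=sfp-sfpplus1,sfp-sfpplus2 protocol=udp redirect-to-cpu=yes switch=switch1
add mac-protocol=0x88bf ports=sfp-sfpplus2 redirect-to-cpu=yes switch=switch1
add switch=switch1 dst-address=10.0.1.2/32 dst-port=3306 ports=ether1 new-dst-ports=""
"""


def parse_rules(text):
    """Parse 'add key=value ...' lines into dicts; 'ports' becomes a set."""
    rules = []
    for line in text.splitlines():
        tokens = shlex.split(line)  # handles quoted values such as new-dst-ports=""
        if not tokens:
            continue
        # Accept both "add ..." under a menu line and ".../rule/add ..." one-liners.
        if tokens[0] != "add" and not tokens[0].endswith("/add"):
            continue
        rule = {}
        for tok in tokens[1:]:
            key, sep, value = tok.partition("=")
            if sep:
                rule[key] = value
        rule["ports"] = {p for p in rule.get("ports", "").split(",") if p}
        rules.append(rule)
    return rules


def is_mac_telnet(rule):
    return (rule.get("protocol") == "udp"
            and rule.get("dst-port") == str(MAC_TELNET_UDP_PORT))


def is_romon(rule):
    try:
        return int(rule.get("mac-protocol", ""), 16) == ROMON_MAC_PROTOCOL
    except ValueError:
        return False  # field absent or not a hexadecimal value


def missing_coverage(rules, mgmt_ports, switch="switch1"):
    """Return {protocol: [ports without a redirect-to-cpu rule]}."""
    covered = {"mac-telnet": set(), "romon": set()}
    for rule in rules:
        if rule.get("switch") != switch:
            continue
        if rule.get("redirect-to-cpu") != "yes" or rule.get("disabled") == "yes":
            continue
        if is_mac_telnet(rule):
            covered["mac-telnet"] |= rule["ports"]
        if is_romon(rule):
            covered["romon"] |= rule["ports"]
    wanted = set(mgmt_ports)
    return {proto: sorted(wanted - ports) for proto, ports in covered.items()}


if __name__ == "__main__":
    # Assumed management ports for the constructed sample.
    gaps = missing_coverage(parse_rules(SAMPLE_RULES),
                            ["sfp-sfpplus1", "sfp-sfpplus2"])
    for proto, ports in gaps.items():
        print(proto, "missing on:", ", ".join(ports) or "none")
```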
</div></div><h2 id="L3HardwareOffloading-Inter-VLANRouting">Inter-VLAN Routing</h2><p>Since L3HW depends on L2HW, and L2HW is the one that does VLAN processing, Inter-VLAN <em>hardware</em> routing requires a hardware bridge underneath. Even if a particular VLAN has only one tagged port member, the latter must be a bridge member. Do not assign a VLAN interface directly on a switch port! Otherwise, L3HW offloading fails and the traffic will get processed by the CPU:</p><p><code><span style="color: rgb(255,0,0);"><s>/interface/vlan add interface=ether2 name=vlan20 vlan-id=20</s></span></code></p><p>Assign the VLAN interface to the bridge instead. This way, VLAN configuration gets offloaded to the hardware, and, with L3HW enabled, the traffic is subject to inter-VLAN hardware routing.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>VLAN Configuration Example</b></div><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface/ethernet/switch set 0 l3-hw-offloading=no
/interface/bridge/port add bridge=bridge interface=ether2
/interface/bridge/vlan add bridge=bridge tagged=bridge,ether2 vlan-ids=20
/interface/vlan add interface=bridge name=vlan20 vlan-id=20
/ip/address add address=192.0.2.1/24 interface=vlan20
/interface/bridge set bridge vlan-filtering=yes
/interface/ethernet/switch set 0 l3-hw-offloading=yes</pre>
</div></div><div class="confluence-information-macro confluence-information-macro-information"><span class="aui-icon aui-icon-small aui-iconfont-info confluence-information-macro-icon"></span><div class="confluence-information-macro-body">For Inter-VLAN routing, the bridge interface must be a tagged member of every routable <span style="color: rgb(51,153,102);"><code>/interface/bridge/vlan/</code></span> entry.</div></div><h2 id="L3HardwareOffloading-L3HWMACAddressRangeLimitation(DX2000/DX3000seriesonly)">L3HW MAC Address Range Limitation (DX2000/DX3000 series only)</h2><p>Marvell Prestera DX2000 and DX3000 switch chips have a hardware limitation that allows configuring only the last (least significant) octet of the MAC address for each interface. The other five (most significant) octets are configured globally and, therefore, must be equal for all interfaces (switch ports, bridge, VLANs). In other words, the MAC addresses must be in the format "<strong>XX:XX:XX:XX:XX:??</strong>", where:</p><ul><li>"<strong>XX:XX:XX:XX:XX</strong>" part is common for all interfaces.</li><li>"<strong>??</strong>" is a variable part.</li></ul><p><strong>This requirement applies only to Layer 3 (routing).</strong> Layer 2 (bridging) does not use the switch's ethernet addresses. Moreover, it does not apply to bridge ports because they use the bridge's MAC address.</p><p>The requirement for common five octets applies to:</p><ul><li>Standalone switch ports (not bridge members) with hardware routing enabled (<code>l3-hw-offloading=yes</code>).</li><li>Bridge itself.</li><li>VLAN interfaces (those that use the bridge's MAC address by default).</li></ul><h1 id="L3HardwareOffloading-RouteConfiguration">Route Configuration</h1><h2 id="L3HardwareOffloading-SuppressingHWOffload">Suppressing HW Offload</h2><p><span style="color: rgb(23,43,77);">By default, all routes are candidates for hardware offloading. 
To further fine-tune which traffic to offload, there is an option for each route to disable/enable<span> </span></span><strong><span style="color: rgb(0,128,0);"><code>suppress-hw-offload</code></span></strong><span style="color: rgb(23,43,77);">. </span></p><p><span style="color: rgb(23,43,77);">For example, if we know that the majority of traffic flows to the network where servers are located, we can enable offloading only to that specific destination:</span></p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/ip/route set [find where static && dst-address!="192.168.3.0/24"] suppress-hw-offload=yes</pre>
</div></div><p><span style="color: rgb(23,43,77);">Now only the route to 192.168.3.0/24 has H-flag, indicating that it will be the only one eligible to be selected for HW offloading:</span></p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: RDark" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="RDark">[admin@MikroTik] > /ip/route print where static
Flags: A - ACTIVE; s - STATIC, y - COPY; H - HW-OFFLOADED
Columns: DST-ADDRESS, GATEWAY, DISTANCE
# DST-ADDRESS GATEWAY D
0 As 0.0.0.0/0 172.16.2.1 1
1 As 10.0.0.0/8 10.155.121.254 1
2 AsH 192.168.3.0/24 172.16.2.1 1</pre>
</div></div><div class="confluence-information-macro confluence-information-macro-warning"><span class="aui-icon aui-icon-small aui-iconfont-error confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p><span style="color: rgb(51,51,51);">H-flag does not indicate that the route is actually HW offloaded; it indicates only that the route can be selected to be HW offloaded.</span></p></div></div><h2 id="L3HardwareOffloading-RoutingFilters">Routing Filters</h2><p>For dynamic routing protocols like OSPF and BGP, it is possible to suppress HW offloading using <a href="https://help.mikrotik.com/docs/pages/viewpage.action?pageId=74678285" rel="nofollow">routing filters</a>. For example, to suppress HW offloading on all OSPF instance routes, use the "<strong><span style="color: rgb(0,128,0);"><code>suppress-hw-offload yes</code></span></strong><span style="color: rgb(51,51,51);">" property:</span></p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/routing/ospf/instance
set [find name=instance1] in-filter-chain=ospf-input
/routing/filter/rule
add chain="ospf-input" rule="set suppress-hw-offload yes; accept"</pre>
</div></div><h2 id="L3HardwareOffloading-OffloadingFasttrackConnections">Offloading Fasttrack Connections</h2><p>Firewall filter rules have <span style="color: rgb(0,128,0);"><strong><code>hw-offload</code></strong> </span>option for Fasttrack, allowing fine-tuning connection offloading. Since the hardware memory for Fasttrack connections is very limited, we can choose what type of connections to offload and, therefore, benefit from near-the-wire-speed traffic. The next example offloads only TCP connections while UDP packets are routed via the CPU and do not occupy HW memory:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/ip/firewall/filter
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes protocol=tcp
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=no
add action=accept chain=forward connection-state=established,related</pre>
</div></div><h2 id="L3HardwareOffloading-StatelessHardwareFirewall">Stateless Hardware Firewall</h2><p>While connection tracking and stateful firewalling can be performed only by the CPU, the hardware can perform stateless firewalling via<span> </span><a class="external-link" href="https://help.mikrotik.com/docs/display/ROS/CRS3xx%2C+CRS5xx%2C+CCR2116%2C+CCR2216+switch+chip+features#CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-SwitchRules(ACL)" rel="nofollow">switch rules (ACL)</a>. The next example blocks (at the hardware level) access to a MySQL server from ether1 and redirects packets from ether2 and ether3 to the CPU/Firewall:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface ethernet switch rule
add switch=switch1 dst-address=10.0.1.2/32 dst-port=3306 ports=ether1 new-dst-ports=""
add switch=switch1 dst-address=10.0.1.2/32 dst-port=3306 ports=ether2,ether3 redirect-to-cpu=yes</pre>
</div></div><h2 id="L3HardwareOffloading-SwitchRules(ACL)vs.FasttrackHWOffloading">Switch Rules (ACL) vs. Fasttrack HW Offloading</h2><p>Some firewall rules may be implemented both via<span> </span><a class="external-link" href="https://help.mikrotik.com/docs/display/ROS/CRS3xx%2C+CRS5xx%2C+CCR2116%2C+CCR2216+switch+chip+features#CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-SwitchRules(ACL)" rel="nofollow">switch rules (ACL)</a> and CPU<span> </span><a class="external-link" href="https://help.mikrotik.com/docs/display/ROS/Filter" rel="nofollow">Firewall Filter</a><span> </span>+ Fasttrack HW Offloading. Both options grant near-the-wire-speed performance. So which one should you use?</p><p>First,<span> </span><a class="external-link" href="https://help.mikrotik.com/docs/display/ROS/L3+Hardware+Offloading#L3HardwareOffloading-L3HWDeviceSupport" rel="nofollow">not all devices support Fasttrack HW Offloading</a>, and without HW offloading, Firewall Filter uses only software routing, which is dramatically slower than its hardware counterpart. Second, even if Fasttrack HW Offloading is an option, a rule of thumb is:</p><div class="confluence-information-macro confluence-information-macro-information"><span class="aui-icon aui-icon-small aui-iconfont-info confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>Always use Switch Rules (ACL), if possible.</p></div></div><p>Switch rules share the hardware memory with Fasttrack connections. However, hardware resources are allocated for each Fasttrack connection while a single ACL rule can match multiple connections. For example, if you have a guest WiFi network connected to sfp-sfpplus1 VLAN 10 and you don't want it to access your internal network, simply create an ACL rule:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface/ethernet/switch/rule
add switch=switch1 ports=sfp-sfpplus1 vlan-id=10 dst-address=10.0.0.0/8 new-dst-ports=""</pre>
</div></div><p>The matched packets will be dropped at the hardware level. This is much better than letting<span> </span><em>all</em><span> </span>guest packets reach the CPU for Firewall filtering.</p><p>Of course, ACL rules cannot match everything. For instance, ACL rules cannot filter by connection state: accept established, drop others. That is where Fasttrack HW Offloading comes into play: redirect the packets to the CPU by default for firewall filtering, then offload the established Fasttrack connections. However, disabling<span> </span><span style="color: rgb(51,153,102);"><code>l3-hw-offloading</code></span><span> </span>for the entire switch port is not the only option.</p><div class="confluence-information-macro confluence-information-macro-information"><span class="aui-icon aui-icon-small aui-iconfont-info confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>To narrow down the traffic that goes to the CPU, define ACL rules with<span> </span><span style="color: rgb(51,153,102);"><code><strong>redirect-to-cpu=yes</strong></code></span><span> </span>instead of setting<span> </span><span style="color: rgb(51,153,102);"><code>l3-hw-offloading=no</code></span><span> </span>on the switch port.</p></div></div><h1 id="L3HardwareOffloading-ConfigurationExamples">Configuration Examples</h1><h2 id="L3HardwareOffloading-Inter-VLANRoutingwithUpstreamPortBehindFirewall/NAT">Inter-VLAN Routing with Upstream Port Behind Firewall/NAT</h2><p>This example demonstrates how to benefit from near-the-wire-speed inter-VLAN routing while keeping Firewall and NAT running on the upstream port. Moreover, Fasttrack connections to the upstream port get offloaded to hardware as well, boosting the traffic speed close to wire-level. 
Inter-VLAN traffic is fully routed by the hardware, not entering the CPU/Firewall, and, therefore, not occupying the hardware memory of Fasttrack connections.</p><p>We use the <strong>CRS317-1G-16S+</strong> model with the following setup:</p><ul><li>sfp1-sfp4 - bridged ports, VLAN ID 20, untagged</li><li>sfp5-sfp8 - bridged ports, VLAN ID 30, untagged</li><li>sfp16 - the upstream port</li><li>ether1 - management port</li></ul><p><br/></p><p>Setup interface lists for easy access:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>Interface Lists</b></div><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface list
add name=LAN
add name=WAN
add name=MGMT
/interface list member
add interface=sfp-sfpplus1 list=LAN
add interface=sfp-sfpplus2 list=LAN
add interface=sfp-sfpplus3 list=LAN
add interface=sfp-sfpplus4 list=LAN
add interface=sfp-sfpplus5 list=LAN
add interface=sfp-sfpplus6 list=LAN
add interface=sfp-sfpplus7 list=LAN
add interface=sfp-sfpplus8 list=LAN
add interface=sfp-sfpplus16 list=WAN
add interface=ether1 list=MGMT </pre>
</div></div><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>Bridge Setup</b></div><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface bridge
add name=bridge vlan-filtering=yes
/interface bridge port
add bridge=bridge interface=sfp-sfpplus1 pvid=20
add bridge=bridge interface=sfp-sfpplus2 pvid=20
add bridge=bridge interface=sfp-sfpplus3 pvid=20
add bridge=bridge interface=sfp-sfpplus4 pvid=20
add bridge=bridge interface=sfp-sfpplus5 pvid=30
add bridge=bridge interface=sfp-sfpplus6 pvid=30
add bridge=bridge interface=sfp-sfpplus7 pvid=30
add bridge=bridge interface=sfp-sfpplus8 pvid=30
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4 vlan-ids=20
add bridge=bridge tagged=bridge untagged=sfp-sfpplus5,sfp-sfpplus6,sfp-sfpplus7,sfp-sfpplus8 vlan-ids=30</pre>
</div></div><p>Routing requires dedicated VLAN interfaces. For standard L2 VLAN bridging (without inter-VLAN routing), the next step can be omitted.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>VLAN Interface Setup for Routing</b></div><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface vlan
add interface=bridge name=vlan20 vlan-id=20
add interface=bridge name=vlan30 vlan-id=30
/ip address
add address=192.168.20.17/24 interface=vlan20 network=192.168.20.0
add address=192.168.30.17/24 interface=vlan30 network=192.168.30.0</pre>
</div></div><p class="auto-cursor-target">Configure management and upstream ports, a basic firewall, NAT, and enable hardware offloading of Fasttrack connections:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>Firewall Setup</b></div><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/ip address
add address=192.168.88.1/24 interface=ether1
add address=10.0.0.17/24 interface=sfp-sfpplus16
/ip route
add gateway=10.0.0.1
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN</pre>
</div></div><p class="auto-cursor-target">At this point, all routing is still performed by the CPU. Enable hardware routing on the switch chip:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>Enable Layer 3 Hardware Offloading</b></div><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence"># Enable full hardware routing on LAN ports
:foreach i in=[/interface/list/member/find where list=LAN] do={
/interface/ethernet/switch/port set [/interface/list/member/get $i interface] l3-hw-offloading=yes
}
# Disable full hardware routing on WAN or Management ports
:foreach i in=[/interface/list/member/find where list=WAN or list=MGMT] do={
/interface/ethernet/switch/port set [/interface/list/member/get $i interface] l3-hw-offloading=no
}
# Activate Layer 3 Hardware Offloading on the switch chip
/interface/ethernet/switch/set 0 l3-hw-offloading=yes</pre>
</div></div><p class="auto-cursor-target">Results:</p><ul><li class="auto-cursor-target">Within the same VLAN (e.g., sfp1-sfp4), traffic is forwarded by the hardware on Layer 2 <em>(L2HW)</em>.</li><li class="auto-cursor-target">Inter-VLAN traffic (e.g. sfp1-sfp5) is routed by the hardware on Layer 3 <em>(L3HW).</em></li><li class="auto-cursor-target">Traffic from/to the WAN port gets processed by the CPU/Firewall first. Then Fasttrack connections get offloaded to the hardware <em>(Hardware-Accelerated L4 Stateful Firewall). </em>NAT applies both on CPU- and HW-processed packets.</li><li class="auto-cursor-target">Traffic to the management port is protected by the Firewall.</li></ul><h1 id="L3HardwareOffloading-TypicalMisconfiguration">Typical Misconfiguration</h1><p>Below are typical user errors in configuring Layer 3 Hardware Offloading.</p><h2 id="L3HardwareOffloading-VLANinterfaceonaswitchportorbond">VLAN interface on a switch port or bond</h2><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface/vlan
add name=vlan10 vlan-id=10 interface=sfp-sfpplus1
add name=vlan20 vlan-id=20 interface=bond1</pre>
</div></div><p><span style="letter-spacing: 0.0px;">The VLAN interface must be created on the bridge due to Layer 2 Dependency. Otherwise, L3HW will not work. The correct configuration is:</span></p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface/bridge/port
add bridge=bridge1 interface=sfp-sfpplus1 frame-types=admit-only-vlan-tagged
add bridge=bridge1 interface=bond1 frame-types=admit-only-vlan-tagged
/interface/bridge/vlan
add bridge=bridge1 tagged=bridge1,sfp-sfpplus1 vlan-ids=10
add bridge=bridge1 tagged=bridge1,bond1 vlan-ids=20
/interface/vlan
add name=vlan10 vlan-id=10 interface=bridge1
add name=vlan20 vlan-id=20 interface=bridge1</pre>
</div></div><h2 id="L3HardwareOffloading-Notaddingthebridgeinterfaceto/interface/bridge/vlan/"><span style="font-size: 20.0px;letter-spacing: -0.008em;">Not adding the bridge interface to /interface/bridge/vlan/</span></h2><p>For Inter-VLAN routing, the bridge interface itself needs to be added to the tagged members of the given VLANs. In the next example, Inter-VLAN routing works between VLAN 10 and 11, but packets are NOT routed to VLAN 20. </p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface bridge vlan
add bridge=bridge1 vlan-ids=10 tagged=bridge1,sfp-sfpplus1
add bridge=bridge1 vlan-ids=11 tagged=bridge1 untagged=sfp-sfpplus2,sfp-sfpplus3
add bridge=bridge1 vlan-ids=20 tagged=sfp-sfpplus1 untagged=sfp-sfpplus4,sfp-sfpplus5</pre>
</div></div><p><span style="letter-spacing: 0.0px;">The above example does not always mean an error. Sometimes, you may want the device to act as a simple L2 switch in some/all VLANs. Just make sure you set such behavior on purpose, not due to a mistake.</span></p><h2 id="L3HardwareOffloading-Creatingmultiplebridges">Creating multiple bridges</h2><p>The devices support only one hardware bridge. If there are multiple bridges created, only one gets hardware offloading. While for L2 that means software forwarding for other bridges, in the case of L3HW, multiple bridges may lead to undefined behavior.</p><div class="confluence-information-macro confluence-information-macro-information"><span class="aui-icon aui-icon-small aui-iconfont-info confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>Instead of creating multiple bridges, create one and segregate L2 networks with VLAN filtering.</p></div></div><h2 id="L3HardwareOffloading-Usingportsthatdonotbelongtotheswitch">Using ports that do not belong to the switch</h2><p>Some devices have two switch chips or the management port directly connected to the CPU. For example,<span> </span><strong style="text-align: left;">CRS312-4C+8XG </strong>has<span> an </span><strong>ether9</strong><span> </span>port connected to a separate switch chip. Trying to add this port to a bridge or involve it in the L3HW setup leads to unexpected results. Leave the management port for management!</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@crs312] /interface/ethernet/switch> print
Columns: NAME, TYPE, L3-HW-OFFLOADING
# NAME TYPE L3-HW-OFFLOADING
0 switch1 Marvell-98DX8212 yes
1 switch2 Atheros-8227 no
[admin@crs312] /interface/ethernet/switch> port print
Columns: NAME, SWITCH, L3-HW-OFFLOADING, STORM-RATE
# NAME SWITCH L3-HW-OFFLOADING STORM-RATE
0 ether9 switch2
1 ether1 switch1 yes 100
2 ether2 switch1 yes 100
3 ether3 switch1 yes 100
4 ether4 switch1 yes 100
5 ether5 switch1 yes 100
6 ether6 switch1 yes 100
7 ether7 switch1 yes 100
8 ether8 switch1 yes 100
9 combo1 switch1 yes 100
10 combo2 switch1 yes 100
11 combo3 switch1 yes 100
12 combo4 switch1 yes 100
13 switch1-cpu switch1 100
14 switch2-cpu switch2</pre>
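<p>A configuration audit for the first three misconfigurations above and the bridge <code>use-ip-firewall</code> setting, run over RouterOS export text. This is an added example, not MikroTik code; the function names, finding labels, and the sample configuration (constructed from the snippets on this page) are assumptions.</p>

```python
import re
import shlex

# Constructed sample: combines the misconfigured snippets shown on the page.
SAMPLE = """\
/interface bridge
add name=bridge1 vlan-filtering=yes
add name=bridge2
/interface/bridge/settings
set use-ip-firewall=yes
/interface bridge vlan
add bridge=bridge1 vlan-ids=10 tagged=bridge1,sfp-sfpplus1
add bridge=bridge1 vlan-ids=11 tagged=bridge1 untagged=sfp-sfpplus2,sfp-sfpplus3
add bridge=bridge1 vlan-ids=20 tagged=sfp-sfpplus1 untagged=sfp-sfpplus4,sfp-sfpplus5
add bridge=bridge1 vlan-ids=40 tagged=sfp-sfpplus1 untagged=sfp-sfpplus6
/interface/vlan
add name=vlan10 vlan-id=10 interface=bridge1
add name=vlan20 vlan-id=20 interface=bridge1
add name=vlan30 vlan-id=30 interface=bond1
"""


def parse_export(text):
    """Parse RouterOS export text into (menu, verb, params) tuples.

    '/interface bridge vlan' and '/interface/bridge/vlan' (both styles are
    used on the page) normalize to the same menu path.
    """
    entries, menu = [], ""
    # Join continuation lines: a trailing backslash plus the next line's indent.
    for raw in re.sub(r"\\\n[ \t]*", "", text).splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)
        except ValueError:  # unbalanced quote: skip the line
            continue
        if not tokens:
            continue
        if tokens[0].startswith("/"):
            # A menu line may also carry a command: '/interface/vlan add ...'
            cut = next((i for i, t in enumerate(tokens) if t in ("add", "set")),
                       len(tokens))
            menu = "/" + "/".join(" ".join(tokens[:cut]).replace("/", " ").split())
            tokens = tokens[cut:]
        if tokens and tokens[0] in ("add", "set"):
            params = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
            entries.append((menu, tokens[0], params))
    return entries


def expand_ids(spec):
    """Expand a vlan-ids value such as '10,20-22' into a set of integers."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if lo.isdigit() and (not hi or hi.isdigit()):
            ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def audit_l3hw(text):
    """Return (severity, check, subject) findings for the page's misconfigurations."""
    entries = parse_export(text)

    def adds(menu):
        return [p for m, v, p in entries if m == menu and v == "add"]

    bridges = [p["name"] for p in adds("/interface/bridge") if "name" in p]
    findings = []

    # Only one bridge is hardware offloaded; more than one is undefined for L3HW.
    if len(bridges) > 1:
        findings.append(("error", "multiple-bridges", ",".join(bridges)))

    # VLAN interfaces must sit on the bridge, not on a switch port or bond.
    routed = {}  # (bridge, vlan id) -> VLAN interface name
    for p in adds("/interface/vlan"):
        parent, vid = p.get("interface"), p.get("vlan-id", "")
        if parent not in bridges:
            findings.append(("error", "vlan-not-on-bridge",
                             f"{p.get('name')} on {parent}"))
        elif vid.isdigit():
            routed[(parent, int(vid))] = p.get("name")

    # The bridge itself must be a tagged member of every VLAN it routes.
    for p in adds("/interface/bridge/vlan"):
        bridge = p.get("bridge")
        if bridge in p.get("tagged", "").split(","):
            continue
        for vid in sorted(expand_ids(p.get("vlan-ids", ""))):
            if (bridge, vid) in routed:
                findings.append(("error", "bridge-not-tagged",
                                 f"vlan {vid} ({routed[(bridge, vid)]})"))
            else:  # may be intentional: plain L2 switching for this VLAN
                findings.append(("info", "l2-only-vlan", f"vlan {vid}"))

    # use-ip-firewall disables FastPath, so Fasttrack connections are not offloaded.
    for m, v, p in entries:
        if m == "/interface/bridge/settings" and p.get("use-ip-firewall") == "yes":
            findings.append(("warn", "fastpath-disabled", "bridge use-ip-firewall=yes"))
    return findings


if __name__ == "__main__":
    for severity, check, subject in audit_l3hw(SAMPLE):
        print(f"{severity:5} {check:20} {subject}")
```

<p>A VLAN whose bridge is not a tagged member is reported as an error only when a VLAN interface for it exists on that bridge; otherwise it is listed as informational, since plain L2 switching for that VLAN may be intended.</p>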
</div></div><h2 id="L3HardwareOffloading-RelyingonFasttrackHWOffloadingtoomuch"><span style="font-size: 20.0px;letter-spacing: -0.008em;">Relying on Fasttrack HW Offloading too much</span></h2><p>Since Fasttrack HW Offloading offers near-the-wire-speed performance at zero configuration overhead, users are tempted to use it as the default solution. However, the number of HW Fasttrack connections is very limited, leaving the other traffic for the CPU. Try using the hardware routing as much as possible, reduce the CPU traffic to the minimum via switch ACL rules, and then fine-tune which Fasttrack connections to offload with firewall filter rules.</p><h2 id="L3HardwareOffloading-Tryingtooffloadslow-pathconnections">Trying to offload slow-path connections</h2><p><span style="color: rgb(48,48,48);">Using certain configurations (e.g. enabling the bridge "<span style="color: rgb(51,153,102);"><strong>use-ip-firewall</strong></span>" setting, creating bridge nat/filter rules) or running specific features like sniffer or torch can disable RouterOS <a href="https://help.mikrotik.com/docs/display/ROS/Packet+Flow+in+RouterOS#PacketFlowinRouterOS-FastPath" rel="nofollow">FastPath</a>, which will affect the ability to properly FastTrack and HW offload connections. 
If HW offloaded Fasttrack is required, make sure that there are no settings that disable the FastPath and verify that connections are getting the "H" flag or use the L3HW <a href="https://help.mikrotik.com/docs/display/ROS/L3+Hardware+Offloading#L3HardwareOffloading-Monitor" rel="nofollow">monitor</a> command to see the amount of HW offloaded connections.</span></p><h1 class="auto-cursor-target" id="L3HardwareOffloading-L3HWFeatureSupport">L3HW Feature Support</h1><ul><li><span style="color: rgb(51,153,102);"><strong>HW</strong></span><span> </span>- the feature is supported and offloaded to the hardware.</li><li><span style="color: rgb(255,153,0);"><strong>CPU</strong></span><span> </span>- the feature is supported but performed by software (CPU)</li><li><span style="color: rgb(255,0,0);"><strong>N/A</strong></span><span> </span>- the feature is not available together with L3HW. Layer 3 hardware offloading must be completely disabled (<strong>switch</strong> <span style="color: rgb(255,0,0);"><code>l3-hw-offloading=no</code></span>) to make this feature work.</li><li><span style="color: rgb(51,102,255);"><strong>FW</strong></span><span> </span>- the feature requires<span> <span style="color: rgb(255,0,0);"><code>l3-hw-offloading</code></span></span><span style="color: rgb(255,0,0);"><code>=no</code></span> for a given <strong>switch port</strong>. 
On the <strong>switch </strong>level, <span><code><span style="color: rgb(0,128,0);">l3-hw-offloading=yes</span></code>.</span></li></ul><p><br/></p><div class="table-wrap"><table class="relative-table wrapped confluenceTable" style="width: 91.9452%;"><colgroup><col style="width: 12.6416%;"/><col style="width: 7.21527%;"/><col style="width: 66.3685%;"/><col style="width: 13.7746%;"/></colgroup><tbody><tr><th style="text-align: center;" class="confluenceTh">Feature</th><th style="text-align: center;" class="confluenceTh">Support</th><th style="text-align: center;" class="confluenceTh">Comments</th><th class="confluenceTh">Release</th></tr><tr><td class="confluenceTd">IPv4 Unicast Routing</td><td class="confluenceTd"><span style="color: rgb(51,153,102);"><strong title="">HW</strong></span></td><td class="confluenceTd"><br/></td><td class="confluenceTd"><span style="color: rgb(23,43,77);">7.1</span></td></tr><tr><td class="confluenceTd">IPv6 Unicast Routing</td><td class="confluenceTd"><span style="color: rgb(51,153,102);"><strong>HW</strong></span></td><td class="confluenceTd"><pre class="code-java">/interface/ethernet/switch/l3hw-settings/set ipv6-hw=yes</pre></td><td class="confluenceTd">7.6</td></tr><tr><td class="confluenceTd">IPv4 Multicast Routing</td><td class="confluenceTd"><span style="color: rgb(255,153,0);"><strong>CPU</strong></span></td><td class="confluenceTd"><br/></td><td class="confluenceTd"><br/></td></tr><tr><td class="confluenceTd">IPv6 Multicast Routing</td><td class="confluenceTd"><span style="color: rgb(255,153,0);"><strong>CPU</strong></span></td><td class="confluenceTd"><br/></td><td class="confluenceTd"><br/></td></tr><tr><td class="confluenceTd">ECMP</td><td class="confluenceTd"><span style="color: rgb(51,153,102);"><strong>HW</strong></span></td><td class="confluenceTd">Multipath routing</td><td class="confluenceTd"><span style="color: rgb(23,43,77);">7.1</span></td></tr><tr><td class="confluenceTd">Blackholes</td><td 
class="confluenceTd"><span style="color: rgb(51,153,102);"><strong>HW</strong></span></td><td class="confluenceTd"><pre class="code-java">/ip/route add dst-address=10.0.99.0/24 blackhole</pre></td><td class="confluenceTd"><span style="color: rgb(23,43,77);">7.1</span></td></tr><tr><td class="confluenceTd">gateway=<interface_name></td><td class="confluenceTd"><span style="color: rgb(51,153,102);"><strong>CPU/HW</strong></span></td><td class="confluenceTd"><pre class="code-java">/ip/route add dst-address=10.0.0.0/24 gateway=ether1 </pre><p>This works only for directly connected networks. Since HW does not know how to send ARP requests,<br/>CPU sends an ARP request and waits for a reply to find out the DST MAC address on the first received packet of the connection that matches a DST IP address.<br/>After DST MAC is determined, HW entry is added and all further packets will be processed by the switch chip.</p></td><td class="confluenceTd">7.1</td></tr><tr><td class="confluenceTd">BRIDGE</td><td class="confluenceTd"><span style="color: rgb(51,153,102);"><strong>HW</strong></span></td><td class="confluenceTd">IP Routing from/to <a href="https://help.mikrotik.com/docs/display/ROS/Bridging+and+Switching#BridgingandSwitching-BridgeHardwareOffloading" rel="nofollow">hardware-offloaded bridge</a> interface.</td><td class="confluenceTd"><span style="color: rgb(23,43,77);">7.1</span></td></tr><tr><td class="confluenceTd">VLAN</td><td class="confluenceTd"><span style="color: rgb(51,153,102);"><strong>HW</strong></span></td><td class="confluenceTd">Routing between VLAN interfaces that are created on hardware-offloaded bridge interface with <a href="https://help.mikrotik.com/docs/display/ROS/Bridging+and+Switching#BridgingandSwitching-BridgeVLANFiltering" rel="nofollow">vlan-filtering</a>.</td><td class="confluenceTd"><span style="color: rgb(23,43,77);">7.1</span></td></tr><tr><td class="confluenceTd">Bonding</td><td class="confluenceTd"><span style="color: 
rgb(51,153,102);"><strong>HW</strong></span></td><td class="confluenceTd"><pre class="code-java">/<span class="code-keyword" style="color: rgb(145,0,145);">interface</span>/bonding</pre></td><td class="confluenceTd"><span style="color: rgb(23,43,77);">7.1</span></td></tr><tr><td class="confluenceTd">IPv4 Firewall</td><td class="confluenceTd"><span style="color: rgb(51,102,255);"><strong>FW</strong></span></td><td class="confluenceTd">Users must choose either HW-accelerated routing or firewall.<br/>Firewall rules get processed by the CPU. <em><strong>Fasttrack</strong></em><span> </span>connections get offloaded to HW.</td><td class="confluenceTd"><span style="color: rgb(23,43,77);">7.1</span></td></tr><tr><td class="confluenceTd">IPv4 NAT</td><td class="confluenceTd"><span style="color: rgb(51,102,255);"><strong>FW</strong></span></td><td class="confluenceTd">NAT rules applied to the offloaded<span> </span><em><strong>Fasttrack</strong></em><span> </span>connections get processed by HW too.</td><td class="confluenceTd"><span style="color: rgb(23,43,77);">7.1</span></td></tr><tr><td class="confluenceTd">MLAG</td><td class="confluenceTd"><span style="color: rgb(51,102,255);"><strong><span style="color: rgb(255,0,0);">N/A</span></strong></span></td><td class="confluenceTd"><br/></td><td class="confluenceTd"><span style="color: rgb(23,43,77);"> </span></td></tr><tr><td class="confluenceTd">VRF</td><td class="confluenceTd"><span style="color: rgb(255,0,0);"><strong>N/A</strong></span></td><td class="confluenceTd">Only the <strong>main</strong> routing table gets offloaded. If VRF is used together with L3HW and packets arrive on a switch port with <span style="color: rgb(51,153,102);"><code>l3-hw-offloadin</code></span><span style="color: rgb(51,153,102);"><code>g=yes</code></span>, packets can be incorrectly routed through the main routing table. 
To avoid this, disable L3HW on needed switch ports or use ACL rules to redirect specific traffic to the CPU.</td><td class="confluenceTd"><br/></td></tr><tr><td class="confluenceTd">VRRP</td><td class="confluenceTd"><span style="color: rgb(255,0,0);"><strong>N/A</strong></span></td><td class="confluenceTd"><br/></td><td class="confluenceTd"><br/></td></tr><tr><td class="confluenceTd">Controller Bridge and Port Extender</td><td class="confluenceTd"><span style="color: rgb(255,0,0);"><strong><span style="color: rgb(255,0,0);">N/A</span></strong></span></td><td class="confluenceTd"><br/></td><td class="confluenceTd"><br/></td></tr><tr><td class="confluenceTd">VXLAN</td><td class="confluenceTd"><span style="color: rgb(255,153,0);"><strong>CPU</strong></span></td><td class="confluenceTd"><br/></td><td class="confluenceTd"><br/></td></tr><tr><td class="confluenceTd">MTU</td><td class="confluenceTd"><span style="color: rgb(51,153,102);"><strong>HW</strong></span></td><td class="confluenceTd">The hardware supports up to 8 MTU profiles.</td><td class="confluenceTd"><span style="color: rgb(23,43,77);">7.1</span></td></tr><tr><td class="confluenceTd">QinQ and tag-stacking</td><td class="confluenceTd"><span style="color: rgb(255,153,0);"><strong>CPU</strong></span></td><td class="confluenceTd"><span style="color: rgb(63,67,80);">Stacked VLAN interfaces will lose HW offloading, while other VLANs created directly on the </span><span class="mention--highlight" style="color: rgb(27,29,34);">bridge</span><span style="color: rgb(63,67,80);"> interface can still use HW offloading. 
</span></td><td class="confluenceTd"><span style="color: rgb(23,43,77);"> </span></td></tr></tbody></table></div><h1 id="L3HardwareOffloading-L3HWDeviceSupport">L3HW Device Support</h1><p>Only the devices listed in the table below support L3 HW Offloading.</p><h2 id="L3HardwareOffloading-CRS3xx:SwitchDX3000andDX2000Series">CRS3xx: Switch DX3000 and DX2000 Series</h2><p>The devices below are based on <strong>Marvell <strong style="text-align: left;">98DX224S, 98DX226S</strong></strong>, or <strong><strong style="text-align: left;">98DX3236</strong></strong> switch chip models. <span style="color: rgb(255,0,0);">These devices do not support Fasttrack or NAT connection offloading.</span></p><div class="confluence-information-macro confluence-information-macro-information"><span class="aui-icon aui-icon-small aui-iconfont-info confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p><span>The <strong>98DX3255 </strong>and </span><strong>98DX3257<span> </span></strong><span>models are exceptions, which have a feature set of the DX8000 rather than the DX3000 series.</span></p></div></div><div class="table-wrap"><table class="wrapped confluenceTable"><colgroup><col/><col/><col/><col/><col/><col/><col/></colgroup><tbody><tr><th style="text-align: center;" class="confluenceTh">Model</th><th style="text-align: center;" class="confluenceTh">Switch Chip</th><th style="text-align: center;" class="confluenceTh">Release</th><th style="text-align: center;" class="confluenceTh">IPv4 Route Prefixes<sup>1</sup></th><th style="text-align: center;" class="confluenceTh">IPv6 Route Prefixes<sup>2</sup></th><th style="text-align: center;" class="confluenceTh">Nexthops</th><th class="confluenceTh">ECMP paths per prefix<sup>3</sup></th></tr><tr><td class="confluenceTd"><strong><span style="color: rgb(23,43,77);">CRS305-1G-4S+</span></strong></td><td 
class="confluenceTd"><strong><span style="color: rgb(23,43,77);"><strong style="text-align: left;">98DX3236</strong></span></strong></td><td class="highlight-#abf5d1 confluenceTd" data-highlight-colour="#abf5d1">7.1</td><td class="confluenceTd">13312</td><td class="confluenceTd"><span style="color: rgb(23,43,77);">3328</span></td><td class="confluenceTd">4K</td><td class="confluenceTd">8</td></tr><tr><td class="confluenceTd"><strong><span style="color: rgb(23,43,77);">CRS310-1G-5S-4S+</span></strong></td><td class="confluenceTd"><strong><span style="color: rgb(23,43,77);"><strong style="text-align: left;">98DX226S</strong></span></strong></td><td class="highlight-#abf5d1 confluenceTd" data-highlight-colour="#abf5d1">7.1</td><td class="confluenceTd">13312</td><td class="confluenceTd"><span style="color: rgb(23,43,77);">3328</span></td><td class="confluenceTd">4K</td><td class="confluenceTd">8</td></tr><tr><td style="text-align: left;vertical-align: top;" class="confluenceTd"><strong>CRS310-8G+2S+</strong></td><td class="confluenceTd"><strong><span style="color: rgb(23,43,77);"><strong style="text-align: left;"><span style="color: rgb(23,43,77);">98DX226S</span></strong></span></strong></td><td class="highlight-#abf5d1 confluenceTd" data-highlight-colour="#abf5d1">7.1</td><td class="confluenceTd">13312</td><td class="confluenceTd"><span style="color: rgb(23,43,77);"><span style="color: rgb(23,43,77);">3328</span></span></td><td class="confluenceTd">4K</td><td class="confluenceTd">8</td></tr><tr><td class="confluenceTd"><strong><span style="color: rgb(23,43,77);">CRS318-1Fi-15Fr-2S</span></strong></td><td class="confluenceTd"><strong><span style="color: rgb(23,43,77);"><strong style="text-align: left;">98DX224S</strong></span></strong></td><td class="highlight-#abf5d1 confluenceTd" data-highlight-colour="#abf5d1">7.1</td><td class="confluenceTd">13312</td><td class="confluenceTd"><span style="color: rgb(23,43,77);">3328</span></td><td class="confluenceTd">4K</td><td 
class="confluenceTd">8</td></tr><tr><td class="confluenceTd"><strong><span style="color: rgb(23,43,77);">CRS318-16P-2S+</span></strong></td><td class="confluenceTd"><strong><span style="color: rgb(23,43,77);"><strong style="text-align: left;">98DX226S</strong></span></strong></td><td class="highlight-#abf5d1 confluenceTd" data-highlight-colour="#abf5d1">7.1</td><td class="confluenceTd">13312</td><td class="confluenceTd"><span style="color: rgb(23,43,77);">3328</span></td><td class="confluenceTd">4K</td><td class="confluenceTd">8</td></tr><tr><td class="confluenceTd"><strong><span style="color: rgb(0,0,0);">CRS326-24G-2S+</span></strong></td><td class="confluenceTd"><strong><span style="color: rgb(0,0,0);"><span style="color: rgb(23,43,77);"><strong style="text-align: left;">98DX3236</strong></span></span></strong></td><td class="highlight-#abf5d1 confluenceTd" data-highlight-colour="#abf5d1">7.1</td><td class="confluenceTd">13312</td><td class="confluenceTd"><span style="color: rgb(23,43,77);">3328</span></td><td class="confluenceTd">4K</td><td class="confluenceTd">8</td></tr><tr><td class="confluenceTd"><strong><span style="color: rgb(0,0,0);">CRS328-24P-4S+</span></strong></td><td class="confluenceTd"><strong><span style="color: rgb(0,0,0);"><span style="color: rgb(23,43,77);"><strong style="text-align: left;">98DX3236</strong></span></span></strong></td><td class="highlight-#abf5d1 confluenceTd" data-highlight-colour="#abf5d1">7.1</td><td class="confluenceTd">13312</td><td class="confluenceTd"><span style="color: rgb(23,43,77);">3328</span></td><td class="confluenceTd">4K</td><td class="confluenceTd">8</td></tr><tr><td class="confluenceTd"><strong><span style="color: rgb(0,0,0);">CRS328-4C-20S-4S+</span></strong></td><td class="confluenceTd"><strong><span style="color: rgb(0,0,0);"><span style="color: rgb(23,43,77);"><strong style="text-align: left;">98DX3236</strong></span></span></strong></td><td class="highlight-#abf5d1 confluenceTd" 
data-highlight-colour="#abf5d1">7.1</td><td class="confluenceTd">13312</td><td class="confluenceTd"><span style="color: rgb(23,43,77);">3328</span></td><td class="confluenceTd">4K</td><td class="confluenceTd">8</td></tr></tbody></table></div><p><em><sup>1</sup> Since the total number of routes that can be offloaded is limited, prefixes with longer netmasks are preferred for hardware forwarding (e.g., /32, /30, /29, etc.); any other prefixes that do not fit in the HW table will be processed by the CPU. Directly connected hosts are offloaded as /32 (IPv4) or /128 (IPv6) route prefixes. The number of hosts is also limited by max-neighbor-entries in <a href="https://help.mikrotik.com/docs/display/ROS/IP+Settings#IPSettings-IPv4Settings" rel="nofollow">IP Settings</a> / <a href="https://help.mikrotik.com/docs/display/ROS/IP+Settings#IPSettings-IPv6Settings" rel="nofollow">IPv6 Settings</a>.</em></p><p><em><sup>2</sup><span> </span>IPv4 and IPv6 routing tables share the same hardware memory.</em></p><p><em><sup>3</sup> If a route has more paths than the hardware ECMP limit (X), only the first X paths get offloaded.</em></p><h2 id="L3HardwareOffloading-CRS3xx,CRS5xx:SwitchDX8000andDX4000Series">CRS3xx, CRS5xx: Switch DX8000 and DX4000 Series</h2><p>The devices below are based on <strong>Marvell 98DX8xxx</strong>, <strong>98DX4xxx</strong> switch chips, or <strong style="text-align: left;"><span class="v1diff-html-added">98DX325x</span></strong> model.</p><div class="table-wrap"><table class="wrapped confluenceTable"><colgroup><col/><col/><col/><col/><col/><col/><col/><col/><col/><col/></colgroup><tbody><tr><th style="text-align: center;" class="confluenceTh">Model</th><th style="text-align: center;" class="confluenceTh">Switch Chip</th><th style="text-align: center;" class="confluenceTh">Release</th><th style="text-align: center;" class="confluenceTh">IPv4 Routes<span> </span><sup>1</sup></th><th style="text-align: center;" class="confluenceTh">IPv4 Hosts 
<sup>7</sup></th><th style="text-align: center;" class="confluenceTh">IPv6 Routes<sup>8</sup></th><th style="text-align: center;" class="confluenceTh">IPv6 Hosts<sup>7</sup></th><th style="text-align: center;" class="confluenceTh">Nexthops</th><th style="text-align: center;" class="confluenceTh"><strong>Fasttrack</strong> <strong>connections <sup>2,3,4</sup></strong></th><th style="text-align: center;" class="confluenceTh">NAT entries <sup>2,5</sup> </th></tr><tr><td class="confluenceTd"><strong>CRS317-1G-16S+</strong></td><td class="confluenceTd"><strong><strong style="text-align: left;">98DX8216</strong></strong></td><td class="highlight-#abf5d1 confluenceTd" data-highlight-colour="#abf5d1">7.1</td><td class="confluenceTd">120K - 240K</td><td class="confluenceTd">64K</td><td class="confluenceTd"><span style="color: rgb(23,43,77);">30K - 40K</span></td><td style="text-align: left;" class="confluenceTd">32K</td><td class="confluenceTd">8K</td><td class="confluenceTd">4.5K</td><td class="confluenceTd">4K</td></tr><tr><td class="confluenceTd"><strong>CRS309-1G-8S+</strong></td><td class="confluenceTd"><strong><strong style="text-align: left;">98DX8208</strong></strong></td><td class="highlight-#abf5d1 confluenceTd" data-highlight-colour="#abf5d1">7.1</td><td class="confluenceTd">16K - 36K</td><td class="confluenceTd">16K</td><td style="text-align: left;" class="confluenceTd">4K - 6K</td><td class="confluenceTd"><span style="color: rgb(23,43,77);">8K</span></td><td class="confluenceTd">8K</td><td class="confluenceTd">4.5K</td><td class="confluenceTd">3.9K</td></tr><tr><td class="confluenceTd"><strong>CRS312-4C+8XG</strong></td><td class="confluenceTd"><strong><strong style="text-align: left;">98DX8212</strong></strong></td><td class="highlight-#abf5d1 confluenceTd" data-highlight-colour="#abf5d1">7.1</td><td class="confluenceTd">16K - 36K</td><td class="confluenceTd">16K</td><td style="text-align: left;" class="confluenceTd">4K - 6K</td><td class="confluenceTd"><span 
style="color: rgb(23,43,77);">8K</span></td><td class="confluenceTd">8K</td><td class="confluenceTd">2.25K</td><td class="confluenceTd">2.25K</td></tr><tr><td class="confluenceTd"><strong>CRS326-24S+2Q+</strong></td><td class="confluenceTd"><strong><strong style="text-align: left;">98DX8332</strong></strong></td><td class="highlight-#abf5d1 confluenceTd" data-highlight-colour="#abf5d1">7.1</td><td class="confluenceTd">16K - 36K</td><td class="confluenceTd">16K</td><td style="text-align: left;" class="confluenceTd">4K - 6K</td><td class="confluenceTd"><span style="color: rgb(23,43,77);">8K</span></td><td class="confluenceTd">8K</td><td class="confluenceTd">2.25K</td><td class="confluenceTd">2.25K</td></tr><tr><td class="confluenceTd"><strong>CRS354-48G-4S+2Q+, CRS354-48P-4S+2Q+</strong></td><td class="confluenceTd"><strong><strong style="text-align: left;">98DX3257 <sup>6</sup></strong></strong></td><td class="highlight-#abf5d1 confluenceTd" data-highlight-colour="#abf5d1">7.1</td><td class="confluenceTd">16K - 36K</td><td class="confluenceTd">16K</td><td style="text-align: left;" class="confluenceTd">4K - 6K</td><td class="confluenceTd"><span style="color: rgb(23,43,77);">8K</span></td><td class="confluenceTd">8K</td><td class="confluenceTd">2.25K</td><td class="confluenceTd">2.25K</td></tr><tr><td style="text-align: left;" class="confluenceTd"><strong>CRS504-4XQ</strong></td><td style="text-align: left;" class="confluenceTd"><strong><strong style="text-align: left;">98DX4310</strong></strong></td><td class="highlight-#abf5d1 confluenceTd" style="text-align: left;" data-highlight-colour="#abf5d1">7.1</td><td style="text-align: left;" class="confluenceTd">60K - 120K</td><td style="text-align: left;" class="confluenceTd">64K</td><td style="text-align: left;" class="confluenceTd"><span style="color: rgb(23,43,77);">15K - 20K</span></td><td style="text-align: left;" class="confluenceTd"><span style="color: rgb(23,43,77);">32K</span></td><td style="text-align: left;" 
class="confluenceTd">8K</td><td style="text-align: left;" class="confluenceTd">4.5K</td><td style="text-align: left;" class="confluenceTd">4K</td></tr><tr><td style="text-align: left;" class="confluenceTd"><strong>CRS510-8XS-2XQ</strong></td><td style="text-align: left;" class="confluenceTd"><strong><span style="color: rgb(23,43,77);">98DX4310</span></strong></td><td class="highlight-#abf5d1 confluenceTd" style="text-align: left;" title="Background color : Light green 100%" data-highlight-colour="#abf5d1">7.3</td><td style="text-align: left;" class="confluenceTd">60K - 120K</td><td style="text-align: left;" class="confluenceTd">64K</td><td style="text-align: left;" class="confluenceTd">15K - 20K</td><td style="text-align: left;" class="confluenceTd">32K</td><td style="text-align: left;" class="confluenceTd">8K</td><td style="text-align: left;" class="confluenceTd">4.5K</td><td style="text-align: left;" class="confluenceTd">4K</td></tr><tr><td style="text-align: left;" class="confluenceTd"><strong>CRS518-16XS-2XQ</strong></td><td style="text-align: left;" class="confluenceTd"><strong><span style="color: rgb(23,43,77);">98DX8525</span></strong></td><td class="highlight-#abf5d1 confluenceTd" style="text-align: left;" data-highlight-colour="#abf5d1">7.3</td><td style="text-align: left;" class="confluenceTd">60K - 120K</td><td style="text-align: left;" class="confluenceTd">64K</td><td style="text-align: left;" class="confluenceTd"><span style="color: rgb(23,43,77);">15K - 20K</span></td><td style="text-align: left;" class="confluenceTd"><span style="color: rgb(23,43,77);">32K</span></td><td style="text-align: left;" class="confluenceTd">8K</td><td style="text-align: left;" class="confluenceTd">4.5K</td><td style="text-align: left;" class="confluenceTd">4K</td></tr></tbody></table></div><p><em><sup>1</sup><span> </span>Depends on the complexity of the routing table. Whole-byte IP prefixes (/8, /16, /24, etc.) occupy less HW space than others (e.g., /22). 
Starting with<span> </span><strong>RouterOS v7.3</strong>, when the Routing HW table gets full, only routes with longer subnet prefixes are offloaded (/30, /29, /28, etc.) while the CPU processes the shorter prefixes. In RouterOS v7.2 and before, Routing HW memory overflow led to undefined behavior. Users can fine-tune which routes to offload via routing filters (for dynamic routes) or by suppressing hardware offload of static routes. IPv4 and IPv6 routing tables share the same hardware memory.</em></p><p><em><sup>2</sup><span> </span>When the HW limit of Fasttrack or NAT entries is reached, other connections will fall back to the CPU. MikroTik's smart connection offload algorithm ensures that the connections with the most traffic are offloaded to the hardware.</em></p><p><em><sup>3</sup><span> </span>Fasttrack connections share the same HW memory with ACL rules. Depending on the complexity, one ACL rule may occupy the memory of 3-6 Fasttrack connections.</em></p><p><em><sup>4</sup><span> </span></em><em>MPLS shares the HW memory with Fasttrack connections. Moreover, enabling MPLS requires the allocation of the entire memory region, which could otherwise store up to 768 (0.75K) Fasttrack connections. The same applies to the Bridge Port Extender. However, MPLS and BPE may use the same memory region, so enabling them both doesn't double the limitation of Fasttrack connections.</em></p><p><em><sup>5</sup><span> </span>If a Fasttrack connection requires Network Address Translation, a hardware NAT entry is created. The hardware supports both SRCNAT and DSTNAT.</em></p><p><em><sup>6</sup> The switch chip has a feature set of the DX8000 series.</em></p><p><em><sup>7</sup><span> </span>DX4000/DX8000 switch chips store directly connected hosts, IPv4 /32, and IPv6 /128 route entries in the FDB table rather than the routing table. The HW memory is shared between regular FDB L2 entries (MAC), IPv4, and IPv6 addresses. 
The number of hosts is also limited by max-neighbor-entries in <a href="https://help.mikrotik.com/docs/display/ROS/IP+Settings#IPSettings-IPv4Settings" rel="nofollow">IP Settings</a> / <a href="https://help.mikrotik.com/docs/display/ROS/IP+Settings#IPSettings-IPv6Settings" rel="nofollow">IPv6 Settings</a>.</em></p><p><em><sup>8</sup> IPv4 and IPv6 routing tables share the same hardware memory.</em></p><h2 id="L3HardwareOffloading-CCR2000"><span style="font-size: 20.0px;letter-spacing: -0.008em;">CCR2000</span></h2><div class="table-wrap"><table class="wrapped confluenceTable"><colgroup><col/><col/><col/><col/><col/><col/><col/><col/><col/><col/></colgroup><tbody><tr><th style="text-align: center;" class="confluenceTh">Model</th><th style="text-align: center;" class="confluenceTh">Switch Chip</th><th style="text-align: center;" class="confluenceTh">Release</th><th style="text-align: center;" class="confluenceTh">IPv4 Routes</th><th style="text-align: center;" class="confluenceTh">IPv4 Hosts</th><th style="text-align: center;" class="confluenceTh">IPv6 Routes</th><th style="text-align: center;" class="confluenceTh">IPv6 Hosts</th><th style="text-align: center;" class="confluenceTh">Nexthops</th><th style="text-align: center;" class="confluenceTh"><strong>Fasttrack</strong> <strong>connections</strong></th><th style="text-align: center;" class="confluenceTh">NAT entries</th></tr><tr><td class="confluenceTd"><strong>CCR2116-12G-4S+</strong></td><td class="confluenceTd"><span><strong>98DX3255 </strong><sup>1</sup></span></td><td class="highlight-#abf5d1 confluenceTd" data-highlight-colour="#abf5d1">7.1</td><td class="confluenceTd">16K - 36K</td><td class="confluenceTd">16K</td><td style="text-align: left;" class="confluenceTd">4K - 6K</td><td class="confluenceTd"><span style="color: rgb(23,43,77);">8K</span></td><td class="confluenceTd">8K</td><td class="confluenceTd">2.25K</td><td class="confluenceTd">2.25K</td></tr><tr><td style="text-align: left;" 
class="confluenceTd"><strong>CCR2216-1G-12XS-2XQ</strong></td><td style="text-align: left;" class="confluenceTd"><strong><span style="color: rgb(23,43,77);">98DX8525</span></strong></td><td class="highlight-#abf5d1 confluenceTd" style="text-align: left;" data-highlight-colour="#abf5d1">7.1</td><td style="text-align: left;" class="confluenceTd">60K - 120K</td><td style="text-align: left;" class="confluenceTd">64K</td><td style="text-align: left;" class="confluenceTd">15K - 20K</td><td style="text-align: left;" class="confluenceTd"><span style="color: rgb(23,43,77);">32K</span></td><td style="text-align: left;" class="confluenceTd">8K</td><td style="text-align: left;" class="confluenceTd">4.5K</td><td style="text-align: left;" class="confluenceTd">4K</td></tr></tbody></table></div><p class="auto-cursor-target"><em><sup>1</sup><span> </span>The switch chip has a feature set of the DX8000 series.</em></p>
</div>
</div>Guntis G.2021-04-16T07:46:47ZWiFiGuntis G.tag:help.mikrotik.com,2009:page-224559120-332024-03-27T14:50:38Z2023-11-13T13:33:24Z<div class="feed"> <p>
Page
<b>edited</b> by
<a href="https://help.mikrotik.com/docs/display/~guntis">Guntis G.</a>
- "distance"
</p>
<div style="border-top: 1px solid #ddd; border-bottom: 1px solid #ddd; padding: 10px;">
<p><div class='toc-macro rbtoc1711701163012'>
<ul class='toc-indentation'>
<li><a href='#WiFi-Overview'>Overview</a></li>
<li><a href='#WiFi-WiFiTerminology'>WiFi Terminology</a></li>
<li><a href='#WiFi-BasicConfiguration'>Basic Configuration</a></li>
<li><a href='#WiFi-Configurationprofiles'>Configuration profiles</a></li>
<li><a href='#WiFi-AccessList'>Access List</a>
<ul class='toc-indentation'>
<li><a href='#WiFi-MACaddressauthentication'>MAC address authentication</a></li>
<li><a href='#WiFi-Accessruleexamples'>Access rule examples</a></li>
</ul>
</li>
<li><a href='#WiFi-Frequencyscan'>Frequency scan</a></li>
<li><a href='#WiFi-Scancommand'>Scan command</a></li>
<li><a href='#WiFi-Sniffer'>Sniffer</a></li>
<li><a href='#WiFi-WPS'>WPS</a>
<ul class='toc-indentation'>
<li><a href='#WiFi-WPSclient'>WPS client</a></li>
<li><a href='#WiFi-WPSserver'>WPS server</a></li>
</ul>
</li>
<li><a href='#WiFi-Radios'>Radios</a></li>
<li><a href='#WiFi-Registrationtable'>Registration table</a>
<ul class='toc-indentation'>
<li><a href='#WiFi-De-authentication'>De-authentication</a></li>
</ul>
</li>
<li><a href='#WiFi-WiFiCAPsMAN'>WiFi CAPsMAN</a>
<ul class='toc-indentation'>
<li><a href='#WiFi-CAPsMAN-CAPsimpleconfigurationexample:'>CAPsMAN - CAP simple configuration example:</a></li>
<li><a href='#WiFi-CAPsMAN-CAPVLANconfigurationexample:'>CAPsMAN - CAP VLAN configuration example:</a>
<ul class='toc-indentation'>
<li><a href='#WiFi-CAPsMAN:'>CAPsMAN:</a></li>
<li><a href='#WiFi-CAPusing"wifi-qcom"package:'>CAP using "wifi-qcom" package:</a></li>
<li><a href='#WiFi-CAPusing"wifi-qcom-ac"package:'>CAP using "wifi-qcom-ac" package:</a></li>
</ul>
</li>
</ul>
</li>
<li><a href='#WiFi-Advancedexamples'>Advanced examples</a></li>
<li><a href='#WiFi-Replacing'wireless'package'>Replacing 'wireless' package</a>
<ul class='toc-indentation'>
<li><a href='#WiFi-Compatibility'>Compatibility</a></li>
<li><a href='#WiFi-Benefits'>Benefits</a></li>
<li><a href='#WiFi-Lostfeatures'>Lost features</a></li>
</ul>
</li>
<li><a href='#WiFi-PropertyReference'>Property Reference</a>
<ul class='toc-indentation'>
<li><a href='#WiFi-AAAproperties'>AAA properties</a></li>
<li><a href='#WiFi-Channelproperties'>Channel properties</a></li>
<li><a href='#WiFi-Configurationproperties'>Configuration properties</a></li>
<li><a href='#WiFi-Datapathproperties'>Datapath properties</a></li>
<li><a href='#WiFi-SecurityProperties'>Security Properties</a></li>
<li><a href='#WiFi-Steeringproperties'>Steering properties</a></li>
<li><a href='#WiFi-Miscellaneousproperties'>Miscellaneous properties</a></li>
<li><a href='#WiFi-Read-onlyproperties'>Read-only properties</a></li>
<li><a href='#WiFi-AccessList.1'>Access List</a></li>
<li><a href='#WiFi-Frequencyscan.1'>Frequency scan</a></li>
<li><a href='#WiFi-Flat-snoop'>Flat-snoop</a></li>
<li><a href='#WiFi-Scancommand.1'>Scan command</a></li>
<li><a href='#WiFi-Sniffer.1'>Sniffer</a></li>
<li><a href='#WiFi-WPS.1'>WPS</a></li>
<li><a href='#WiFi-Radios.1'>Radios</a></li>
<li><a href='#WiFi-Registrationtable.1'>Registration table</a></li>
<li><a href='#WiFi-CAPsMANGlobalConfiguration'>CAPsMAN Global Configuration</a></li>
<li><a href='#WiFi-CAPsMANProvisioning'>CAPsMAN Provisioning</a></li>
<li><a href='#WiFi-CAPconfiguration'>CAP configuration</a></li>
</ul>
</li>
</ul>
</div></p><h1 id="WiFi-Overview">Overview</h1><p>The 'WiFi' configuration menu, introduced in <strong>RouterOS 7.13</strong>, is a RouterOS menu for managing Wi-Fi 5 wave2 and newer WiFi interfaces.</p><p>Devices with compatible radios also require either the 'wifi-qcom-ac' driver package (for 802.11ac chipsets) or the 'wifi-qcom' driver package for 802.11ax and newer chipsets.</p><p>The configuration menu used to be called 'wifiwave2' in RouterOS versions before 7.13, where it was a part of the 'wifiwave2' software package.</p><h1 id="WiFi-WiFiTerminology">WiFi Terminology</h1><p><span style="color: rgb(23,43,77);">Before we move on, let's familiarize ourselves with terms important for understanding the operation of the menu. These terms will be used throughout the article.</span></p><ul><li><span style="color: rgb(23,43,77);"><strong>Profile</strong> - refers to the configuration preset created under one of these WiFi sub-menus: <strong>aaa</strong>, <strong>channel</strong>, <strong>security</strong>, <strong>datapath</strong>, or <strong>interworking</strong>. </span></li><li><strong><span style="color: rgb(23,43,77);">Configuration</span></strong><span style="color: rgb(23,43,77);"> <strong>profile</strong> - configuration preset defined under /interface/wifi/configuration; it can reference various profiles.</span></li><li><span style="color: rgb(23,43,77);"><strong>Station</strong> - wireless client.</span></li></ul><h1 class="auto-cursor-target" id="WiFi-BasicConfiguration">Basic Configuration</h1><p class="auto-cursor-target"><strong>Basic password-protected AP</strong></p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface/wifi
set wifi1 disabled=no configuration.country=Latvia configuration.ssid=MikroTik security.authentication-types=wpa2-psk,wpa3-psk security.passphrase=8-63_characters</pre>
</div></div><p><br/></p><p class="auto-cursor-target"><strong>Open AP with OWE transition mode</strong></p><p>Opportunistic wireless encryption (OWE) allows the creation of wireless networks that do not require the knowledge of a password to connect, but still offer the benefits of traffic encryption and management frame protection. It is an improvement on regular open access points.</p><p>However, since a network cannot be simultaneously encrypted and unencrypted, 2 separate interface configurations are required to offer connectivity to older devices that do not support OWE and offer the benefits of OWE to devices that do.</p><p>This configuration is referred to as OWE transition mode.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface/wifi
add master-interface=wifi1 name=wifi1_owe configuration.ssid=MikroTik_OWE security.authentication-types=owe security.owe-transition-interface=wifi1 configuration.hide-ssid=yes
set wifi1 configuration.country=Latvia configuration.ssid=MikroTik security.authentication-types="" security.owe-transition-interface=wifi1_owe
enable wifi1,wifi1_owe</pre>
</div></div><p>Client devices that support OWE will prefer the OWE interface. If you don't see any devices in your registration table that are associated with the regular open AP, you may want to move on from running a transition mode setup to a single OWE-encrypted interface.</p><p><strong>Resetting configuration</strong></p><p>WiFi interface configurations can be reset by using the 'reset' command.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface/wifi reset wifi1</pre>
</div></div><h1 id="WiFi-Configurationprofiles">Configuration profiles</h1><p>One of the new WiFi additions is configuration profiles: you can create various presets that can be assigned to interfaces as needed. Configuration settings for WiFi are grouped in <strong>profiles</strong> according to the parameter sections found at the end of this page - <strong>aaa</strong>, <strong>channel</strong>, <strong>configuration</strong>, <strong>datapath</strong>, <strong>interworking</strong>, and <strong>security</strong>, and can then be assigned to interfaces. <strong>Configuration</strong> <strong>profiles</strong> can include other profiles as well as separate parameters from other categories.</p><p>This optional flexibility is meant to allow each user to arrange their configuration in a way that makes the most sense for them, but it also means that each parameter may have different values assigned to it in different sections of the configuration.</p><p>The following priority determines which value is used:</p><ol><li>Value in interface settings</li><li>Value in a profile assigned to the interface</li><li>Value in the configuration profile assigned to the interface</li><li>Value in a profile assigned to the configuration profile (which in turn is assigned to the interface).</li></ol><p>If you are at any point unsure of which parameter value will be used for an interface, consult the <strong>actual-configuration</strong> menu. The following example shows configuration profile usage.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>Example for dual-band home AP</b></div><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence"># Creating a security profile, which will be common for both interfaces
/interface wifi security
add name=common-auth authentication-types=wpa2-psk,wpa3-psk passphrase="diceware makes good passwords" wps=disable
# Creating a common configuration profile and linking the security profile to it
/interface wifi configuration
add name=common-conf ssid=MikroTik country=Latvia security=common-auth
# Creating separate channel configurations for each band
/interface wifi channel
add name=ch-2ghz frequency=2412,2432,2472 width=20mhz
add name=ch-5ghz frequency=5180,5260,5500 width=20/40/80mhz
# Assigning to each interface the common profile as well as band-specific channel profile
/interface wifi
set wifi1 channel=ch-2ghz configuration=common-conf disabled=no
set wifi2 channel=ch-5ghz configuration=common-conf disabled=no
/interface/wifi/actual-configuration print
0 name="wifi1" mac-address=74:4D:28:94:22:9A arp-timeout=auto radio-mac=74:4D:28:94:22:9A
configuration.ssid="MikroTik" .country=Latvia
security.authentication-types=wpa2-psk,wpa3-psk .passphrase="diceware makes good passwords" .wps=disable
channel.frequency=2412,2432,2472 .width=20mhz
1 name="wifi2" mac-address=74:4D:28:94:22:9B arp-timeout=auto radio-mac=74:4D:28:94:22:9B
configuration.ssid="MikroTik" .country=Latvia
security.authentication-types=wpa2-psk,wpa3-psk .passphrase="diceware makes good passwords" .wps=disable
channel.frequency=5180,5260,5500 .width=20/40/80mhz</pre>
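<p>The priority order above, modelled in Python as an added example that is not part of the MikroTik documentation or of RouterOS. The dictionaries mirror the dual-band example; the inline <code>security.authentication-types=wpa2-psk</code> on wifi2 and all function names are assumptions made for the illustration, and only the non-configuration sections (security, channel and so on) are modelled. It reports which layer supplies the effective value and which lower-priority definitions it silently overrides.</p>

```python
from typing import List, Optional, Tuple

# Constructed state modelled on the dual-band example. The inline override on
# wifi2 is invented here to show a leftover setting shadowing a profile.
PROFILES = {
    "security": {"common-auth": {
        "authentication-types": "wpa2-psk,wpa3-psk",
        "passphrase": "diceware makes good passwords",
        "wps": "disable"}},
    "channel": {
        "ch-2ghz": {"frequency": "2412,2432,2472", "width": "20mhz"},
        "ch-5ghz": {"frequency": "5180,5260,5500", "width": "20/40/80mhz"}},
}
CONFIGURATIONS = {
    "common-conf": {"settings": {}, "profiles": {"security": "common-auth"}},
}
INTERFACES = {
    "wifi1": {"settings": {}, "profiles": {"channel": "ch-2ghz"},
              "configuration": "common-conf"},
    "wifi2": {"settings": {"security.authentication-types": "wpa2-psk"},
              "profiles": {"channel": "ch-5ghz"},
              "configuration": "common-conf"},
}


def _from_profile(section: str, name: Optional[str], prop: str) -> Optional[str]:
    """Value of prop in the named profile of this section, or None."""
    if name is None:
        return None
    return PROFILES.get(section, {}).get(name, {}).get(prop)


def candidates(iface_name: str, key: str) -> List[Tuple[str, str]]:
    """Every definition of key ('section.property') that applies to the
    interface, highest priority first, as (source, value) pairs."""
    section, _, prop = key.partition(".")
    iface = INTERFACES[iface_name]
    found: List[Tuple[str, str]] = []
    # 1. Value in interface settings
    if key in iface["settings"]:
        found.append(("interface settings", iface["settings"][key]))
    # 2. Value in a profile assigned to the interface
    value = _from_profile(section, iface["profiles"].get(section), prop)
    if value is not None:
        found.append(("profile assigned to the interface", value))
    conf = CONFIGURATIONS.get(iface.get("configuration"))
    if conf is not None:
        # 3. Value in the configuration profile assigned to the interface
        if key in conf["settings"]:
            found.append(("configuration profile", conf["settings"][key]))
        # 4. Value in a profile assigned to the configuration profile
        value = _from_profile(section, conf["profiles"].get(section), prop)
        if value is not None:
            found.append(("profile assigned to the configuration profile", value))
    return found


def effective(iface_name: str, key: str) -> Optional[Tuple[str, str]]:
    """The (source, value) pair that wins, or None if the key is unset."""
    found = candidates(iface_name, key)
    return found[0] if found else None


def overridden(iface_name: str, key: str) -> List[Tuple[str, str]]:
    """Lower-priority definitions whose value differs from the effective one."""
    found = candidates(iface_name, key)
    return [c for c in found[1:] if c[1] != found[0][1]]


def audit(key: str) -> List[Tuple[str, str, str]]:
    """(interface, effective value, overridden value) for every interface
    where a higher-priority layer hides a different value for key."""
    report = []
    for name in sorted(INTERFACES):
        for _, hidden in overridden(name, key):
            report.append((name, effective(name, key)[1], hidden))
    return report


if __name__ == "__main__":
    for row in audit("security.authentication-types"):
        print("%s uses %r, hiding profile value %r" % row)
```

<p>Comparing such a report with the output of <strong>actual-configuration</strong> is a quick way to spot an inline leftover that weakens a shared security profile.</p>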
</div></div><h1 class="with-breadcrumbs" id="WiFi-AccessList">Access List</h1><p>The access list provides multiple ways of filtering and managing wireless connections.</p><p>RouterOS will check each new connection to see if its parameters match the parameters specified in any access list rule.</p><p>The rules are checked in the order they appear in the list. Only management actions specified in the first matching rule are applied to each connection.</p><p>Connections that have been accepted by an access list rule are periodically checked to see if they remain within the permitted <strong>time</strong> and <strong>signal-range</strong>. If they do not, they will be terminated.</p><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>Take care when writing access list rules which reject clients. After being repeatedly rejected by an AP, a client device may start avoiding it.</p></div></div><p>The access list has two kinds of parameters - <a href="#WiFi-filtering">filtering</a> and <a href="#WiFi-action">action</a>. Filtering properties are only used to match the clients to which the access list rule should be applied. Action parameters can change connection parameters for that specific client, <span style="color: rgb(32,33,34);">potentially overriding its default connection parameters with the ones specified in the access list rule.</span></p><h2 id="WiFi-MACaddressauthentication">MAC address authentication</h2><p>Implemented through the <strong>query-radius</strong> action, MAC address authentication is a way to implement a centralized whitelist of client MAC addresses using a RADIUS server.</p><p>When a client device tries to associate with an AP that is configured to perform MAC address authentication, the AP will send an access-request message to a RADIUS server with the device's MAC address as the user name and an empty password. If the RADIUS server answers with access-accept to such a request, the AP proceeds with whatever regular authentication procedure (passphrase or EAP authentication) is configured for the interface.</p><h2 id="WiFi-Accessruleexamples">Access rule examples</h2><p>Only accept connections to guest network from nearby devices during business hours</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface/wifi/access-list/print detail
Flags: X - disabled
0 signal-range=-60..0 allow-signal-out-of-range=5m ssid-regexp="MikroTik Guest" time=7h-19h,mon,tue,wed,thu,fri action=accept
1 ssid-regexp="MikroTik Guest" action=reject </pre>
</div></div><p class="auto-cursor-target">Reject connections from locally-administered ('anonymous'/'randomized') MAC addresses</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface/wifi/access-list/print detail
Flags: X - disabled
0 mac-address=02:00:00:00:00:00 mac-address-mask=02:00:00:00:00:00 action=reject</pre>
</div></div><p>Assigning a different passphrase for a specific client can be useful if you need to provide wireless access to a client but don't want to share your wireless password or create a separate SSID. When the matching client connects to this network, instead of using the password defined in the interface configuration, the access list will make that client use a different password. Just make sure that the specific client doesn't get matched by a more generic access list rule first.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface wifi access-list
add action=accept disabled=no mac-address=22:F9:70:E5:D2:8E interface=wifi1 passphrase=StrongPassword</pre>
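<p>First-match evaluation of the MAC-based rules above, as an added Python example that is not RouterOS code. It models only the <code>mac-address</code> and <code>mac-address-mask</code> filters, assumes a rule without a mask compares the full address, and ignores interface, SSID, time and signal filters; all function names are hypothetical. Run on the page's own rules, it shows that the sample client 22:F9:70:E5:D2:8E has the locally-administered bit set, so the reject rule shadows the per-client passphrase rule when it is listed first.</p>

```python
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

FULL_MASK = "FF:FF:FF:FF:FF:FF"

# Rule lines taken from the examples on this page.
RANDOMIZED_REJECT = ("mac-address=02:00:00:00:00:00 "
                     "mac-address-mask=02:00:00:00:00:00 action=reject")
PER_CLIENT = ("action=accept disabled=no mac-address=22:F9:70:E5:D2:8E "
              "interface=wifi1 passphrase=StrongPassword")


def mac_to_int(mac: str) -> int:
    """Convert 'AA:BB:CC:DD:EE:FF' to a 48-bit integer."""
    octets = mac.split(":")
    if len(octets) != 6:
        raise ValueError(f"not a MAC address: {mac!r}")
    return int("".join(octets), 16)


@dataclass
class Rule:
    action: str
    mac_address: Optional[str] = None
    mac_address_mask: str = FULL_MASK  # assumption: no mask means exact match
    passphrase: Optional[str] = None

    def matches(self, client_mac: str) -> bool:
        # A rule without mac-address places no constraint on the MAC.
        if self.mac_address is None:
            return True
        mask = mac_to_int(self.mac_address_mask)
        return (mac_to_int(client_mac) & mask) == (mac_to_int(self.mac_address) & mask)


def parse_rule(line: str) -> Rule:
    """Parse one 'key=value ...' rule line; unmodelled keys are ignored."""
    fields = dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)
    return Rule(
        action=fields["action"],
        mac_address=fields.get("mac-address"),
        mac_address_mask=fields.get("mac-address-mask", FULL_MASK),
        passphrase=fields.get("passphrase"),
    )


def evaluate(rules: List[Rule], client_mac: str) -> Optional[Tuple[int, Rule]]:
    """Return (index, rule) of the first matching rule, or None when no rule
    matches and the interface's own settings apply."""
    for index, rule in enumerate(rules):
        if rule.matches(client_mac):
            return index, rule
    return None


def shadowed_rules(rules: List[Rule]) -> List[Tuple[int, int]]:
    """(shadowed_index, shadowing_index) for each exact-MAC rule that can
    never fire because an earlier rule already matches that MAC."""
    result = []
    for i, rule in enumerate(rules):
        if rule.mac_address is None or rule.mac_address_mask.upper() != FULL_MASK:
            continue
        hit = evaluate(rules[:i], rule.mac_address)
        if hit is not None:
            result.append((i, hit[0]))
    return result


if __name__ == "__main__":
    client = "22:F9:70:E5:D2:8E"
    bad_order = [parse_rule(RANDOMIZED_REJECT), parse_rule(PER_CLIENT)]
    good_order = [parse_rule(PER_CLIENT), parse_rule(RANDOMIZED_REJECT)]
    print("reject rule first:", evaluate(bad_order, client)[1].action,
          "shadowed:", shadowed_rules(bad_order))
    print("client rule first:", evaluate(good_order, client)[1].action,
          "shadowed:", shadowed_rules(good_order))
```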
</div></div><h1 id="WiFi-Frequencyscan">Frequency scan</h1><p>The '/interface/wifi/frequency-scan wifi1' command provides information about RF conditions on available channels. It approximates spectrum usage and can be useful for finding less crowded frequencies.</p><p><span class="confluence-embedded-file-wrapper"><img class="confluence-embedded-image" draggable="false" src="https://help.mikrotik.com/docs/download/attachments/224559120/image-2023-3-10_18-6-37.png?version=1&modificationDate=1699882404215&api=v2" data-image-src="https://help.mikrotik.com/docs/download/attachments/224559120/image-2023-3-10_18-6-37.png?version=1&modificationDate=1699882404215&api=v2" data-unresolved-comment-count="0" data-linked-resource-id="224559118" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="image-2023-3-10_18-6-37.png" data-base-url="https://help.mikrotik.com/docs" data-linked-resource-content-type="image/png" data-linked-resource-container-id="224559120" data-linked-resource-container-version="33" alt=""></span></p><div class="confluence-information-macro confluence-information-macro-information"><span class="aui-icon aui-icon-small aui-iconfont-info confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>Running a frequency scan will disconnect all connected clients or, if the interface is in station mode, disconnect it from the AP.</p></div></div><h1 id="WiFi-Scancommand">Scan command</h1><p>The '/interface wifi scan' command will scan for access points and print out information about any APs it detects. It doesn't show per-channel frequency usage, but it will reveal all access points that are transmitting. 
You can use the "connect" button to initiate a connection to a specific AP.</p><p><span style="color: rgb(23,43,77);">The scan command takes all the same parameters as the frequency-scan command.</span></p><p><span class="confluence-embedded-file-wrapper"><img class="confluence-embedded-image" draggable="false" src="https://help.mikrotik.com/docs/download/attachments/224559120/image-2023-3-10_18-16-42.png?version=1&modificationDate=1699882404265&api=v2" data-image-src="https://help.mikrotik.com/docs/download/attachments/224559120/image-2023-3-10_18-16-42.png?version=1&modificationDate=1699882404265&api=v2" data-unresolved-comment-count="0" data-linked-resource-id="224559117" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="image-2023-3-10_18-16-42.png" data-base-url="https://help.mikrotik.com/docs" data-linked-resource-content-type="image/png" data-linked-resource-container-id="224559120" data-linked-resource-container-version="33" alt=""></span></p><h1 id="WiFi-Sniffer">Sniffer</h1><p>The sniffer command enables monitor mode on a wireless interface. 
This turns the interface into a passive receiver for all WiFi transmissions.<br/>The command continuously prints out information on received packets and can save them locally to a pcap file or stream them using the TZSP protocol.</p><p>The sniffer will operate on whichever channel is configured for the chosen interface.</p><p><span class="confluence-embedded-file-wrapper"><img class="confluence-embedded-image" draggable="false" src="https://help.mikrotik.com/docs/download/attachments/224559120/wave2_sniffer.png?version=1&modificationDate=1699882404295&api=v2" data-image-src="https://help.mikrotik.com/docs/download/attachments/224559120/wave2_sniffer.png?version=1&modificationDate=1699882404295&api=v2" data-unresolved-comment-count="0" data-linked-resource-id="224559115" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="wave2_sniffer.png" data-base-url="https://help.mikrotik.com/docs" data-linked-resource-content-type="image/png" data-linked-resource-container-id="224559120" data-linked-resource-container-version="33" alt=""></span></p><h1 id="WiFi-WPS">WPS</h1><h2 id="WiFi-WPSclient">WPS client</h2><p>The wps-client command enables obtaining authentication information from a WPS-enabled AP.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface/wifi/wps-client wifi1</pre>
</div></div><h2 id="WiFi-WPSserver">WPS server</h2><p>An AP can be made to accept WPS authentication by a client device for 2 minutes by running the following command.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface/wifi wps-push-button wifi1</pre>
</div></div><h1 id="WiFi-Radios">Radios</h1><p>Information about the capabilities of each radio can be gained by running the `/interface/wifi/radio print detail` command. It can be useful to see what bands are supported by the interface and what channels can be selected. The country profile that is applied to the interface will influence the results.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">interface/wifi/radio/print detail
Flags: L - local
0 L radio-mac=48:A9:8A:0B:F7:4A phy-id=0 tx-chains=0,1 rx-chains=0,1
bands=5ghz-a:20mhz,5ghz-n:20mhz,20/40mhz,5ghz-ac:20mhz,20/40mhz,20/40/80mhz,5ghz-ax:20mhz,
20/40mhz,20/40/80mhz
ciphers=tkip,ccmp,gcmp,ccmp-256,gcmp-256,cmac,gmac,cmac-256,gmac-256 countries=all
5g-channels=5180,5200,5220,5240,5260,5280,5300,5320,5500,5520,5540,5560,5580,5600,5620,5640,5660,
5680,5700,5720,5745,5765,5785,5805,5825
max-vlans=128 max-interfaces=16 max-station-interfaces=3 max-peers=120 hw-type="QCA6018"
hw-caps=sniffer interface=wifi1 current-country=Latvia
current-channels=5180/a,5180/n,5180/n/Ce,5180/ac,5180/ac/Ce,5180/ac/Ceee,5180/ax,5180/ax/Ce,
5180/ax/Ceee,5200/a,5200/n,5200/n/eC,5200/ac,5200/ac/eC,5200/ac/eCee,5200/ax...
...5680/n/eC,5680/ac,5680/ac/eC,5680/ax,5680/ax/eC,5700/a,5700/n,5700/ac,5700/ax
current-gopclasses=115,116,128,117,118,119,120,121,122,123 current-max-reg-power=30 </pre>
</div></div><p>While Radio information gives us information about supported channel width, it is also possible to deduce this information from the product page, to do so you need to check the following parameters: <strong>number of chains</strong>, <strong>max data rate</strong>. Once you know these parameters, you need to check the modulation and coding scheme (MCS) table, for example, here: <a class="external-link" href="https://mcsindex.com/" rel="nofollow">https://mcsindex.com/</a>.</p><p>If we take hAP ax<sup>2</sup>, as an example, we can see that number of chains is 2, and the max data rate is 1200 - 1201 in the MCS table. In the MCS table we need to find entry for 2 spatial streams - chains, and the respective data rate, which in this case shows us that 80MHz is the maximum supported channel width.</p><h1 id="WiFi-Registrationtable">Registration table</h1><p>'/interface/wifi/registration-table/' displays a list of connected wireless clients and detailed information about them.</p><p><span class="confluence-embedded-file-wrapper"><img class="confluence-embedded-image" draggable="false" src="https://help.mikrotik.com/docs/download/attachments/224559120/image-2023-3-10_18-29-11.png?version=1&modificationDate=1699882404281&api=v2" data-image-src="https://help.mikrotik.com/docs/download/attachments/224559120/image-2023-3-10_18-29-11.png?version=1&modificationDate=1699882404281&api=v2" data-unresolved-comment-count="0" data-linked-resource-id="224559116" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="image-2023-3-10_18-29-11.png" data-base-url="https://help.mikrotik.com/docs" data-linked-resource-content-type="image/png" data-linked-resource-container-id="224559120" data-linked-resource-container-version="33" alt=""></span></p><h2 id="WiFi-De-authentication">De-authentication</h2><p class="auto-cursor-target">Wireless peers can be manually de-authenticated (forcing re-association) by removing them from 
the registration table.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface/wifi/registration-table remove [find where mac-address=02:01:02:03:04:05]</pre>
</div></div><h1 id="WiFi-WiFiCAPsMAN">WiFi CAPsMAN</h1><p>WiFi CAPsMAN allows applying wireless settings to multiple MikroTik WiFi AP devices from a central configuration interface.</p><p>More specifically, the Controlled Access Point system Manager (CAPsMAN) allows the centralization of wireless network management. When using the CAPsMAN feature, the network will consist of a number of 'Controlled Access Points' (CAP) that provide wireless connectivity and a 'system Manager' (CAPsMAN) that manages the configuration of the APs and also takes care of client authentication.</p><p>WiFi CAPsMAN only passes wireless configuration to the CAP; all forwarding decisions are left to the CAP itself - there is no CAPsMAN forwarding mode.</p><p>Requirements:</p><ul><li>Any RouterOS device that supports the WiFi package can be a controlled wireless access point (CAP) as long as it has at least a Level 4 RouterOS license.</li><li>WiFi CAPsMAN server can be installed on any RouterOS device that supports the WiFi package, even if the device itself does not have a wireless interface</li><li>Unlimited CAPs (access points) supported by CAPsMAN</li></ul><div class="confluence-information-macro confluence-information-macro-information"><span class="aui-icon aui-icon-small aui-iconfont-info confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>WiFi CAPsMAN can only control WiFi interfaces, and WiFi CAPs can join only WiFi CAPsMAN. Similarly, regular CAPsMAN only supports non-WiFi CAPs.</p><p>The CAPs don't send traffic usage information to CAPsMAN.</p></div></div><h2 id="WiFi-CAPsMAN-CAPsimpleconfigurationexample:">CAPsMAN - CAP simple configuration example:</h2><p>CAPsMAN in WiFi uses the same menu as a regular WiFi interface, meaning when you pass configuration to CAPs, you have to use the same configuration, security, channel configuration, etc. 
as you would for regular WiFi interfaces.</p><div class="confluence-information-macro confluence-information-macro-information"><span class="aui-icon aui-icon-small aui-iconfont-info confluence-information-macro-icon"></span><div class="confluence-information-macro-body">You can configure sub-configuration menus, directly under "/interface/wifi/configuration" or reference previously created profiles in the main configuration profile</div></div><p class="auto-cursor-target">CAPsMAN:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">#create a security profile
/interface wifi security
add authentication-types=wpa3-psk name=sec1 passphrase=HaveAg00dDay
#create configuration profiles to use for provisioning
/interface wifi configuration
add country=Latvia name=5ghz security=sec1 ssid=CAPsMAN_5
add name=2ghz security=sec1 ssid=CAPsMAN2
add country=Latvia name=5ghz_v security=sec1 ssid=CAPsMAN5_v
#configure provisioning rules, configure band matching as needed
/interface wifi provisioning
add action=create-dynamic-enabled master-configuration=5ghz slave-configurations=5ghz_v supported-bands=\
5ghz-n
add action=create-dynamic-enabled master-configuration=2ghz supported-bands=2ghz-n
#enable CAPsMAN service
/interface wifi capsman
set ca-certificate=auto enabled=yes</pre>
</div></div><p>CAP:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">#enable CAP service, in this case CAPsMAN is on same LAN, but you can also specify "caps-man-addresses=x.x.x.x" here
/interface/wifi/cap set enabled=yes
#set configuration.manager= on the WiFi interface that should act as CAP
/interface/wifi/set wifi1,wifi2 configuration.manager=capsman-or-local</pre>
</div></div><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>If the CAP is hAP ax<sup>2</sup> or hAP ax<sup>3</sup>, it is strongly recommended to enable RSTP in the bridge configuration, on the CAP</p><p>configuration.manager should only be set on the CAP device itself, don't pass it to the CAP or configuration profile that you provision.</p></div></div><div class="confluence-information-macro confluence-information-macro-information"><span class="aui-icon aui-icon-small aui-iconfont-info confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>The interface that should act as CAP needs additional configuration under "interface/wifi/set wifiX configuration.manager="</p></div></div><h2 id="WiFi-CAPsMAN-CAPVLANconfigurationexample:">CAPsMAN - CAP VLAN configuration example:</h2><p>In this example, we will assign VLAN10 to our main SSID, and will add VLAN20 for the guest network, ether5 from CAPsMAN is connected to CAP.</p><div class="confluence-information-macro confluence-information-macro-information"><span class="aui-icon aui-icon-small aui-iconfont-info confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>CAPs using "wifi-qcom" package can get "vlan-id" via Datapath from CAPsMAN, CAPs using "wifi-qcom-ac" package will need to use the configuration provided at the end of this example.</p></div></div><h3 id="WiFi-CAPsMAN:">CAPsMAN:</h3><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface bridge
add name=br vlan-filtering=yes
/interface vlan
add interface=br name=MAIN vlan-id=10
add interface=br name=GUEST vlan-id=20
/interface wifi datapath
add bridge=br name=MAIN vlan-id=10
add bridge=br name=GUEST vlan-id=20
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk ft=yes ft-over-ds=yes name=Security_MAIN passphrase=HaveAg00dDay
add authentication-types=wpa2-psk,wpa3-psk ft=yes ft-over-ds=yes name=Security_GUEST passphrase=HaveAg00dDay
/interface wifi configuration
add datapath=MAIN name=MAIN security=Security_MAIN ssid=MAIN_Network
add datapath=GUEST name=GUEST security=Security_GUEST ssid=GUEST_Network
/ip pool
add name=dhcp_pool0 ranges=192.168.1.2-192.168.1.254
add name=dhcp_pool1 ranges=192.168.10.2-192.168.10.254
add name=dhcp_pool2 ranges=192.168.20.2-192.168.20.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=yes interface=br name=dhcp1
add address-pool=dhcp_pool1 interface=MAIN name=dhcp2
add address-pool=dhcp_pool2 interface=GUEST name=dhcp3
/interface bridge port
add bridge=br interface=ether5
add bridge=br interface=ether4
add bridge=br interface=ether3
add bridge=br interface=ether2
/interface bridge vlan
add bridge=br tagged=br,ether5,ether4,ether3,ether2 vlan-ids=20
add bridge=br tagged=br,ether5,ether4,ether3,ether2 vlan-ids=10
/interface wifi capsman
set enabled=yes interfaces=br
/interface wifi provisioning
add action=create-dynamic-enabled master-configuration=MAIN slave-configurations=GUEST supported-bands=5ghz-ax
add action=create-dynamic-enabled master-configuration=MAIN slave-configurations=GUEST supported-bands=2ghz-ax
/ip address
add address=192.168.1.1/24 interface=br network=192.168.1.0
add address=192.168.10.1/24 interface=MAIN network=192.168.10.0
add address=192.168.20.1/24 interface=GUEST network=192.168.20.0
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1
add address=192.168.10.0/24 gateway=192.168.10.1
add address=192.168.20.0/24 gateway=192.168.20.1
/system identity
set name=cAP_Controller</pre>
</div></div><h3 id="WiFi-CAPusing"wifi-qcom"package:">CAP using "wifi-qcom" package:</h3><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface bridge
add name=bridgeLocal
/interface wifi datapath
add bridge=bridgeLocal comment=defconf disabled=no name=capdp
/interface wifi
set [ find default-name=wifi1 ] configuration.manager=capsman datapath=capdp disabled=no
set [ find default-name=wifi2 ] configuration.manager=capsman datapath=capdp disabled=no
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
add bridge=bridgeLocal comment=defconf interface=ether3
add bridge=bridgeLocal comment=defconf interface=ether4
add bridge=bridgeLocal comment=defconf interface=ether5
/interface wifi cap
set discovery-interfaces=bridgeLocal enabled=yes slaves-datapath=capdp
/ip dhcp-client
add interface=bridgeLocal disabled=no</pre>
</div></div><h3 id="WiFi-CAPusing"wifi-qcom-ac"package:">CAP using "wifi-qcom-ac" package:</h3><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface bridge
add name=bridgeLocal vlan-filtering=yes
/interface wifi
set [ find default-name=wifi1 ] configuration.manager=capsman disabled=no
set [ find default-name=wifi2 ] configuration.manager=capsman disabled=no
add disabled=no master-interface=wifi1 name=wifi21
add disabled=no master-interface=wifi2 name=wifi22
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
add bridge=bridgeLocal comment=defconf interface=ether3
add bridge=bridgeLocal comment=defconf interface=ether4
add bridge=bridgeLocal comment=defconf interface=ether5
add bridge=bridgeLocal interface=wifi1 pvid=10
add bridge=bridgeLocal interface=wifi21 pvid=20
add bridge=bridgeLocal interface=wifi2 pvid=10
add bridge=bridgeLocal interface=wifi22 pvid=20
/interface bridge vlan
add bridge=bridgeLocal tagged=ether1 untagged=wifi1,wifi2 vlan-ids=10
add bridge=bridgeLocal tagged=ether1 untagged=wifi21,wifi22 vlan-ids=20
/interface wifi cap
set discovery-interfaces=bridgeLocal enabled=yes slaves-static=yes</pre>
</div></div><p>Additionally, the configuration below has to be added to the <strong>CAPsMAN configuration</strong>:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface wifi datapath
add bridge=br name=DP_AC
/interface wifi configuration
add datapath=DP_AC name=MAIN_AC security=Security_MAIN ssid=MAIN_Network
add datapath=DP_AC name=GUEST_AC security=Security_GUEST ssid=GUEST_Network
/interface wifi provisioning
add action=create-dynamic-enabled master-configuration=MAIN_AC slave-configurations=GUEST_AC supported-bands=5ghz-ac
add action=create-dynamic-enabled master-configuration=MAIN_AC slave-configurations=GUEST_AC supported-bands=2ghz-n</pre>
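<p>Added example (not part of the MikroTik documentation): a Python check for the mistake this VLAN example is built to avoid, a datapath with "vlan-id" being provisioned to a "wifi-qcom-ac" CAP. It assumes the CAPsMAN configuration is available as '/export' text and, as a heuristic, treats any provisioning rule whose supported-bands is empty or lists a non-ax band as able to match a wifi-qcom-ac radio; the sample export and all function names are constructed here.</p>

```python
import shlex

# Constructed sample (not a real device export): the relevant menus of the
# CAPsMAN VLAN example, plus one deliberately wrong last rule that offers the
# vlan-id datapath "MAIN" to radios matched by supported-bands=5ghz-ac.
SAMPLE_EXPORT = r"""
/interface wifi datapath
add bridge=br name=MAIN vlan-id=10
add bridge=br name=GUEST vlan-id=20
add bridge=br name=DP_AC
/interface wifi configuration
add datapath=MAIN name=MAIN security=Security_MAIN ssid=MAIN_Network
add datapath=GUEST name=GUEST security=Security_GUEST ssid=GUEST_Network
add datapath=DP_AC name=MAIN_AC security=Security_MAIN ssid=MAIN_Network
add datapath=DP_AC name=GUEST_AC security=Security_GUEST ssid=GUEST_Network
/interface wifi provisioning
add action=create-dynamic-enabled master-configuration=MAIN slave-configurations=GUEST supported-bands=5ghz-ax
add action=create-dynamic-enabled master-configuration=MAIN_AC slave-configurations=GUEST_AC supported-bands=\
    5ghz-ac
add action=create-dynamic-enabled master-configuration=MAIN slave-configurations=GUEST_AC supported-bands=5ghz-ac
"""


def split_words(line):
    """Split one export line into words, keeping "quoted values" together."""
    lex = shlex.shlex(line, posix=True)
    lex.whitespace_split = True
    lex.quotes = '"'      # RouterOS strings are delimited by double quotes
    lex.commenters = ""   # '#' inside a value (e.g. a passphrase) is data
    return list(lex)


def parse_export(text):
    """Return {menu: [properties of each 'add' line]} from '/export' text."""
    logical, buf = [], ""
    for raw in text.splitlines():
        piece = raw.strip()
        if piece.endswith("\\"):      # line continues on the next line
            buf += piece[:-1]
            continue
        logical.append(buf + piece)
        buf = ""
    menus, menu = {}, None
    for line in logical:
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):      # accepts "/a b c" and "/a/b/c" forms
            menu = " ".join(line.replace("/", " ").split())
            continue
        words = split_words(line)
        if menu is None or words[0] != "add":
            continue
        props = dict(w.split("=", 1) for w in words[1:] if "=" in w)
        menus.setdefault(menu, []).append(props)
    return menus


def reaches_ac_radios(rule):
    """Heuristic (assumption): a rule can match a wifi-qcom-ac radio unless
    every band listed in supported-bands is an 802.11ax band."""
    bands = [b for b in rule.get("supported-bands", "").split(",") if b]
    return not bands or any(not b.endswith("-ax") for b in bands)


def find_vlan_datapath_leaks(menus):
    """Return (rule index, configuration, datapath) for every configuration
    with a vlan-id datapath that a rule may hand to a wifi-qcom-ac radio."""
    vlan_dps = {d["name"] for d in menus.get("interface wifi datapath", [])
                if "vlan-id" in d and "name" in d}
    cfg_dp = {}
    for cfg in menus.get("interface wifi configuration", []):
        # Sub-menu properties can also be set inline (datapath.vlan-id=...).
        inline = "datapath.vlan-id" in cfg
        cfg_dp[cfg.get("name")] = "(inline)" if inline else cfg.get("datapath")
    findings = []
    for idx, rule in enumerate(menus.get("interface wifi provisioning", [])):
        if not reaches_ac_radios(rule):
            continue
        names = [rule.get("master-configuration", "")]
        names += rule.get("slave-configurations", "").split(",")
        for name in filter(None, names):
            dp = cfg_dp.get(name)
            if dp == "(inline)" or dp in vlan_dps:
                findings.append((idx, name, dp))
    return findings


if __name__ == "__main__":
    for idx, cfg, dp in find_vlan_datapath_leaks(parse_export(SAMPLE_EXPORT)):
        print(f"provisioning rule {idx}: configuration {cfg!r} "
              f"uses vlan-id datapath {dp!r}")
```

<p>Rule indexes are zero-based and follow the order of the provisioning rules in the export.</p>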
</div></div><div class="confluence-information-macro confluence-information-macro-information"><span class="aui-icon aui-icon-small aui-iconfont-info confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>Passing datapaths "MAIN/GUEST" from the start of the example to "wifi-qcom-ac" CAP would be misconfiguration, make sure to use datapath without "vlan-id" specified to such devices.</p></div></div><h1 id="WiFi-Advancedexamples">Advanced examples</h1><p class="with-breadcrumbs"><a href="https://help.mikrotik.com/docs/display/ROS/Enterprise+wireless+security+with+User+Manager+v5" rel="nofollow">Enterprise wireless security with User Manager v5</a></p><h1 id="WiFi-Replacing'wireless'package">Replacing 'wireless' package</h1><p>Some MikroTik Wi-Fi 5 APs, which ship with their interfaces managed by the 'wireless' menu, can install the additional 'wifi-qcom-ac' package to make their interfaces compatible with the 'wifi' menu instead.</p><p>To do this, it is necessary to uninstall the 'wireless' package, then install 'wifi-qcom-<strong>ac</strong>'.</p><h2 id="WiFi-Compatibility">Compatibility</h2><p>The wifi-qcom-<strong>ac</strong> package includes alternative drivers for IPQ4018/4019 and QCA9984 radios that make them compatible with the WiFi configuration menu. For possible, wifi-qcom-ac/wifi-qcom/wireless, package combinations, please see the package types section <a href="https://help.mikrotik.com/docs/display/ROS/Wireless" rel="nofollow">here</a>.</p><p>As a rule of thumb, the package is compatible with 802.11ac products, which have an ARM CPU. 
It is NOT compatible with any of our 802.11ac products which have a MIPS CPU.</p><div class="table-wrap"><table class="relative-table wrapped confluenceTable" style="width: 99.9393%;"><colgroup><col style="width: 13.8625%;"/><col style="width: 86.1375%;"/></colgroup><tbody><tr><th scope="col" class="confluenceTh">Compatibility</th><th scope="col" class="confluenceTh">Devices</th></tr><tr><td class="confluenceTd">Compatible</td><td class="confluenceTd">Audience, Audience LTE kit, Chateau (all variants of D53), hAP ac<span class="productMainTitle">^2</span>, hAP ac^3, cAP ac, cAP XL ac, <span class="productMainTitle">LDF 5 ac</span>, <span class="productMainTitle">LHG XL 5 ac</span>, <span class="productMainTitle">LHG XL 52 ac</span>, <span class="productMainTitle">NetMetal ac^2, mANTBox 52 15s, </span>wAP ac (RBwAPG-5HacD2HnD), <span class="productMainTitle">SXTsq 5 ac</span></td></tr><tr><td class="confluenceTd">Incompatible</td><td class="confluenceTd">RB4011iGS+5HacQ2HnD-IN (no support for the 2.4GHz interface), <span class="productMainTitle">Cube 60Pro ac (no support for 60GHz interface), wAP ac (RBwAPG-5HacT2HnD) and <strong>all other devices with a MIPSBE CPU</strong></span></td></tr></tbody></table></div><h2 id="WiFi-Benefits">Benefits</h2><ul><li>WPA3 authentication and OWE (opportunistic wireless encryption)</li><li>802.11w standard management frame protection</li><li>802.11r/k/v</li><li>MU-MIMO and beamforming</li><li>400Mb/s maximum data rate in the 2.4GHz band for IPQ4019 interfaces</li></ul><div class="confluence-information-macro confluence-information-macro-information"><span class="aui-icon aui-icon-small aui-iconfont-info confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>These benefits apply both to the wifi-qcom and wifi-qcom-ac packages.</p></div></div><h2 id="WiFi-Lostfeatures">Lost features</h2><p>The following notable features are lost when running 802.11ac products with drivers that are compatible with 
the 'wifi' management interface</p><ul><li>Nstreme and Nv2 wireless protocols</li><li>VLAN configuration in the wireless settings (Per-interface VLANs can be configured in bridge settings)</li><li>Compatibility with station-bridging as implemented in the 'wireless' package, station-bridge only works between the same type of drivers. Wifi to Wifi, and <a href="https://help.mikrotik.com/docs/display/ROS/Wireless+Interface" rel="nofollow">Wireless</a> to Wireless.</li></ul><h1 id="WiFi-PropertyReference"><span style="letter-spacing: -0.01em;">Property Reference</span></h1><h2 id="WiFi-AAAproperties">AAA properties</h2><p>Properties in this category configure an access point's interaction with AAA (RADIUS) servers.</p><p>Certain parameters in the table below take <em>format-string</em> as their value. In a<em> format-string</em>, certain characters are interpreted in the following way:</p><div class="table-wrap"><table class="relative-table wrapped confluenceTable" style="width: 61.8046%;"><colgroup><col style="width: 14.9287%;"/><col style="width: 84.9616%;"/></colgroup><tbody><tr><th style="text-align: center;" class="confluenceTh">Character</th><th style="text-align: center;" class="confluenceTh">Interpretation</th></tr><tr><td style="text-align: center;" class="confluenceTd">a</td><td style="text-align: left;" class="confluenceTd">Hexadecimal character making up the MAC address of the client device in lowercase</td></tr><tr><td style="text-align: center;" class="confluenceTd">A</td><td style="text-align: left;" class="confluenceTd">Hexadecimal character making up the MAC address of the client device in upper case</td></tr><tr><td style="text-align: center;" class="confluenceTd">i</td><td style="text-align: left;" class="confluenceTd">Hexadecimal character making up the MAC address of the AP's interface in lowercase</td></tr><tr><td style="text-align: center;" class="confluenceTd">I (capital 'i') </td><td style="text-align: left;" class="confluenceTd">Hexadecimal 
character making up the MAC address of the AP's interface in upper case</td></tr><tr><td style="text-align: center;" class="confluenceTd">N</td><td style="text-align: left;" class="confluenceTd">The entire name of the AP's interface (e.g. 'wifi1')</td></tr><tr><td style="text-align: center;" class="confluenceTd">S</td><td style="text-align: left;" class="confluenceTd">The entire SSID</td></tr></tbody></table></div><p class="auto-cursor-target">All other characters are used without interpreting them in any way. For examples, see default values.</p><div class="table-wrap"><table class="relative-table wrapped confluenceTable" style="width: 99.299%;"><colgroup><col style="width: 24.7112%;"/><col style="width: 75.2247%;"/></colgroup><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh"><p>Description</p></th></tr><tr><td class="confluenceTd"><strong>called-format</strong> (<em>format-string</em>)</td><td class="confluenceTd"><p>Format for the value of the Called-Station-Id RADIUS attribute, in AP's messages to RADIUS servers. Default:<strong> </strong>II-II-II-II-II-II:S</p></td></tr><tr><td class="confluenceTd"><strong>calling-format</strong> (<em>format-string</em>)</td><td class="confluenceTd">Format for the value of the Calling-Station-Id RADIUS attribute, in AP's messages to RADIUS servers. Default: AA-AA-AA-AA-AA-AA</td></tr><tr><td class="confluenceTd"><strong>interim-update</strong> (<em>time interval)</em></td><td class="confluenceTd">Interval at which to send interim updates about traffic accounting to the RADIUS server. 
Default: 5m</td></tr><tr><td class="confluenceTd"><strong>mac-caching</strong> (<em>time interval </em>| <em>'disabled'</em>)</td><td class="confluenceTd"><p>Length of time to cache RADIUS server replies, when MAC address authentication is enabled.<br/>This resolves issues with client device authentication timing out due to (comparatively) high latency of RADIUS server replies.</p><p>Default value: disabled.</p></td></tr><tr><td class="confluenceTd"><strong>name</strong> (<em>string</em>)</td><td class="confluenceTd">A unique name for the AAA profile. No default value.</td></tr><tr><td class="confluenceTd"><strong>nas-identifier</strong> (<em>string</em>)</td><td class="confluenceTd"> Value of the NAS-Identifier attribute, in AP's messages to RADIUS servers. Defaults to the host name of the device (/system/identity).</td></tr><tr><td class="confluenceTd"><strong>password-format</strong> (<em>format-string</em>)</td><td class="confluenceTd"><p>Format for the value to use in calculating the value of the User-Password attribute in AP's messages to RADIUS servers when performing MAC address authentication.</p><p>Default value: "" (an empty string).</p></td></tr><tr><td class="confluenceTd"><strong>username-format</strong> (<em>format-string</em>)</td><td class="confluenceTd"><p>Format for the value of the User-Name attribute in AP's messages to RADIUS servers when performing MAC address authentication.</p><p>Default value: <code>AA:AA:AA:AA:AA:AA</code></p></td></tr></tbody></table></div><h2 class="auto-cursor-target" id="WiFi-Channelproperties">Channel properties</h2><p>Properties in this category specify the desired radio channel.</p><div class="table-wrap"><table class="relative-table wrapped confluenceTable" style="width: 99.7344%;"><colgroup><col style="width: 24.7004%;"/><col style="width: 75.233%;"/></colgroup><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>band 
</strong>(<em>2ghz-g</em> | <em>2ghz-n</em> | <em>2ghz-ax</em> | <em>5ghz-a</em> | <em>5ghz-ac</em> | <em>5ghz-an</em> | <em>5ghz-ax</em>)</td><td class="confluenceTd"><div class="content-wrapper"><p>Frequency band and wireless standard that will be used by the AP. Defaults to the newest supported standard.<br/><strong>Note that band support is limited by radio capabilities.</strong></p></div></td></tr><tr><td class="confluenceTd"><strong>frequency</strong> (<em>list of integers or integer ranges</em>)</td><td class="confluenceTd"><div class="content-wrapper"><p><span class="confluence-anchor-link" id="WiFi-frequency-syntax"></span>For an interface in AP mode, specifies frequencies (in MHz) to consider when picking the control channel center frequency.</p><p>For an interface in station mode, specifies frequencies on which to scan for APs.</p><p>Leave unset (default) to consider all frequencies supported by the radio and permitted by the applicable regulatory profile.</p><p>The parameter can contain 1 or more comma-separated values of integers or, optionally, ranges of integers denoted using the syntax RangeBeginning-RangeEnd:RangeStep</p><p>Examples of valid channel.frequency values:</p><ul><li>2412</li><li>2412,2432,2472</li><li>5180-5240:20,5500-5580:20</li></ul></div></td></tr><tr><td class="confluenceTd"><strong>secondary-frequency</strong> (<em>list of integers</em> | 'disabled') </td><td class="confluenceTd"><p>Frequency (in MHz) to use for the center of the secondary part of a split 80+80MHz channel.</p><p>Only <a class="external-link" href="https://en.wikipedia.org/wiki/List_of_WLAN_channels#5_GHz_(802.11a/h/j/n/ac/ax)" rel="nofollow">official 80MHz channels</a> (5210, 5290, 5530, 5610, 5690, 5775) are supported.</p><p>Leave unset (default) for automatic selection of secondary channel frequency.</p></td></tr><tr><td class="confluenceTd"><strong>skip-dfs-channels</strong> (<em>10min-cac</em> | <em>all</em> | <em>disabled</em>)</td><td 
class="confluenceTd"><p>Whether to avoid using channels on which a channel availability check (CAC, listening for the presence of radar signals) is required.</p><ul><li><em>10min-cac</em> - interface will avoid using channels on which a 10 minute long CAC is required</li><li><em>all </em>- interface will avoid using all channels on which CAC is required</li><li><em>disabled</em> (default) - interface may select any supported channel, regardless of CAC requirements</li></ul></td></tr><tr><td class="confluenceTd"><strong>width</strong> ( <em>20mhz</em> | <em>20/40mhz</em> | <em>20/40mhz-Ce</em> | <em>20/40mhz-eC</em> | <em>20/40/80mhz</em> | <em>20/40/80+80mhz</em> | <em>20/40/80/160mhz</em>)</td><td class="confluenceTd"><p>Width of radio channel. Defaults to the widest channel supported by the radio hardware.</p></td></tr><tr><td class="confluenceTd"><strong>reselect-interval </strong>(time interval)</td><td class="confluenceTd"><p>Specifies when the interface should rescan channel availability and select the most appropriate one to use. Specifying an interval will allow the system to select this interval dynamically and randomly. This helps to avoid a situation where many APs scan the network at the same time, select the same channel and prefer to use it at the same time.</p></td></tr></tbody></table></div><h2 class="auto-cursor-target" id="WiFi-Configurationproperties">Configuration properties</h2><p>This section includes properties relating to the operation of the interface and the associated radio.</p><div class="table-wrap"><table class="relative-table wrapped confluenceTable" style="width: 84.915%;"><colgroup><col style="width: 24.1758%;"/><col style="width: 75.8242%;"/></colgroup><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><p><strong>antenna-gain</strong> (<em>integer 0..30</em>)</p></td><td class="confluenceTd"><div class="content-wrapper"><p>Overrides the default antenna gain. 
The <em>master</em> interface of each radio sets the antenna gain for every interface which uses the same radio.</p><p>This setting cannot override the antenna gain to be lower than the minimum antenna gain of a radio.<br/>No default value.</p></div></td></tr><tr><td class="confluenceTd"><p><strong>beacon-interval </strong>(<em>time interval 100ms..1s</em>)</p></td><td class="confluenceTd"><div class="content-wrapper"><p>Interval between beacon frames of an AP. Default: 100ms.</p><div class="confluence-information-macro confluence-information-macro-information"><span class="aui-icon aui-icon-small aui-iconfont-info confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>The 802.11 standard defines beacon interval in terms of <em>time units</em> (1 TU = 1.024 ms). The actual interval between beacons will be 1 TU for every 1 ms configured.</p></div></div><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>Every AP running on the same radio (i.e. a master AP and all its 'virtual'/'slave' APs) must use the same beacon interval.</p></div></div></div></td></tr><tr><td class="confluenceTd"><p><strong>chains</strong> (<em>list of integer 0..7 </em>)</p></td><td class="confluenceTd"><p><a class="external-link" href="https://en.wikipedia.org/wiki/RF_chain" rel="nofollow">Radio chains</a> to use for receiving signals. Defaults to all chains available to the corresponding radio hardware.</p></td></tr><tr><td class="confluenceTd"><p><strong>country</strong> (<em>name of a country</em>)</p></td><td class="confluenceTd"><div class="content-wrapper"><p>Determines, which regulatory domain restrictions are applied to an interface. 
Defaults to "Latvia".</p><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>It is important to set this value correctly to comply with local regulations and ensure interoperability with other devices.</p></div></div></div></td></tr><tr><td class="confluenceTd"><p><strong>distance </strong>()</p></td><td class="confluenceTd"><div class="content-wrapper"><p>Maximum link distance in kilometers, needs to be set for long-range outdoor links. The value should reflect the distance to the AP or station that is furthest from the device. Unconfigured value allows usage of 3KM links. </p><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p><code><span style="color: rgb(51,153,102);">distance</span></code> is not used by the wifi-qcom-ac package. Setting <span style="color: rgb(51,153,102);"><code>distance </code></span>above the actual needed value can have detrimental effects on throughput and latency.</p></div></div></div></td></tr><tr><td class="confluenceTd"><p><strong>dtim-period </strong>(<em>integer 1..255</em>)</p></td><td class="confluenceTd"><p>Period at which to transmit multicast traffic, when there are client devices in power save mode connected to the AP. 
Expressed as a multiple of the beacon interval.</p><p>Higher values enable client devices to save more energy, but increase network latency.</p><p>Default: 1</p></td></tr><tr><td class="confluenceTd"><p><strong>hide-ssid</strong> (<em>no</em> | <em>yes</em>)</p></td><td class="confluenceTd"><ul><li><p><em>yes</em> - AP does not include its SSID in beacon frames, and does not reply to probe requests that have broadcast SSID.</p></li><li><p><em>no</em> - AP includes its SSID in the beacon frames, and replies to probe requests that have broadcast SSID.</p></li></ul><p>Default: no</p></td></tr><tr><td class="confluenceTd"><p><strong>manager (</strong><em>capsman</em> |<em> </em><em>capsman-or-local </em>| <em>local</em><strong><em>)</em></strong></p></td><td class="confluenceTd"><p>capsman - the interface will act as CAP only, this option should <strong>not </strong>be passed via provisioning rules to the CAP</p><p>capsman-or-local - the interface will get configuration via CAPsMAN or use its own, if /interface/wifi/cap is not enabled.</p><p>local - interface won't contact CAPsMAN in order to get configuration.</p><p>Default: local<em><br/></em></p></td></tr><tr><td class="confluenceTd"><strong>mode</strong> (<em>ap</em> | <em>station</em>)</td><td class="confluenceTd"><div class="content-wrapper"><p>Interface operation mode</p><ul><li><em>ap</em> (default) - interface operates as an access point</li><li><em>station</em> - interface acts as a client device, scanning for access points advertising the configured SSID</li><li>station-bridge - interface acts as a client device and enables support for a 4-address frame format, so that the interface can be used as a bridge port</li></ul><div class="confluence-information-macro confluence-information-macro-information"><span class="aui-icon aui-icon-small aui-iconfont-info confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>The station-bridge mode, as implemented for 'wifi' interfaces, 
is incompatible with APs running the older 'wireless' package and vice versa.</p></div></div><p><br/></p></div></td></tr><tr><td class="confluenceTd"><strong>multicast-enhance </strong>(<em>enabled </em>| <em>disabled</em>)</td><td class="confluenceTd"><p>With the multicast-enhance feature enabled, an AP will convert every multicast-addressed IP or IPv6 packet into multiple unicast-addressed frames for each connected station.<br/>This may improve link throughput and reliability since, unlike multicast frames, unicasts are acknowledged by stations and transmitted using a higher data rate.</p><p>Default: disabled</p></td></tr><tr><td class="confluenceTd"><strong>qos-classifier </strong>(<em>dscp-high-3-bits </em>| <em>priority</em>)</td><td class="confluenceTd"><div class="content-wrapper"><ul><li>dscp-high-3-bits - interface will transmit data packets using a WMM priority equal to the value of the 3 most significant bits of the IP DSCP field</li><li>priority - interface will transmit data packets using a WMM priority equal to that set by IP firewall or bridge filter</li></ul><p>Default: priority</p><div class="confluence-information-macro confluence-information-macro-information"><span class="aui-icon aui-icon-small aui-iconfont-info confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>802.11ac wireless chipsets do not support the dscp-high-3-bits classifier mode. For 802.11ac interfaces, please see <a href="https://help.mikrotik.com/docs/display/ROS/WMM+and+VLAN+priority#WMMandVLANpriority-SetVLANorWMMpriorityfromDSCP" rel="nofollow">DSCP from priority</a>.</p></div></div><p><br/></p></div></td></tr><tr><td class="confluenceTd"><strong>ssid</strong> (<em>string</em>)</td><td class="confluenceTd">The name of the wireless network, aka the (E)SSID. 
No default value.</td></tr><tr><td class="confluenceTd"><strong>tx-chains</strong> (<em>list of integer 0..7</em>)</td><td class="confluenceTd"><a class="external-link" href="https://en.wikipedia.org/wiki/RF_chain" rel="nofollow">Radio chains</a> to use for transmitting signals. Defaults to all chains available to the corresponding radio hardware.</td></tr><tr><td class="confluenceTd"><strong>tx-power</strong> (<em>integer 0..40</em>)</td><td class="confluenceTd">A limit on the transmit power (in dBm) of the interface. Can not be used to set power above limits imposed by the regulatory profile. Unset by default.</td></tr></tbody></table></div><h2 id="WiFi-Datapathproperties">Datapath properties</h2><p>Parameters relating to forwarding packets to and from wireless client devices.</p><div class="table-wrap"><table class="relative-table wrapped confluenceTable" style="width: 100.0%;"><colgroup><col style="width: 24.3348%;"/><col style="width: 75.6652%;"/></colgroup><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>bridge</strong> (<em>bridge interface</em>)</td><td class="confluenceTd">Bridge interface to add interface to, as a bridge port.<br/>Virtual ('slave') interfaces are by default added to the same bridge, if any, as the corresponding master interface. Master interfaces are not by default added to any bridge.</td></tr><tr><td class="confluenceTd"><strong>bridge-cost </strong>(<em>integer</em>)</td><td class="confluenceTd">Bridge port cost to use when adding as bridge port. 
Default: 10</td></tr><tr><td class="confluenceTd"><strong>bridge-horizon</strong> (<em>none </em>| <em>integer)</em></td><td class="confluenceTd">Bridge horizon to use when adding as bridge port. Default: none.</td></tr><tr><td class="confluenceTd"><strong>client-isolation </strong>(<em>no</em> | <em>yes</em>)</td><td class="confluenceTd">Determines whether client devices connecting to this interface are (by default) isolated from others or not.<br/>This policy can be overridden on a per-client basis using access list rules, so an AP can have a mixture of isolated and non-isolated clients.<br/>Traffic from an isolated client will not be forwarded to other clients and unicast traffic from a non-isolated client will not be forwarded to an isolated one.<br/>Default: no</td></tr><tr><td class="confluenceTd"><strong>interface-list</strong> (<em>interface list</em>) <strong><br/></strong></td><td class="confluenceTd">List to which to add the interface as a member. No default value.</td></tr><tr><td class="confluenceTd"><strong>vlan-id </strong>(<em>none </em>|<em> integer</em> 1..4095)</td><td class="confluenceTd"><div class="content-wrapper"><p>Default VLAN ID to assign to client devices connecting to this interface (only relevant to interfaces in AP mode).<br/>When a client is assigned a VLAN ID, traffic coming from the client is automatically tagged with the ID and only packets tagged with this ID are forwarded to the client.<br/>Default: none</p><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>802.11ac chipsets do not support this type of VLAN tagging, but they can be <a href="https://help.mikrotik.com/docs/display/ROS/Bridging+and+Switching#BridgingandSwitching-VLANExample-TrunkandAccessPorts" rel="nofollow">configured</a> as VLAN access ports in bridge 
settings.</p></div></div></div></td></tr></tbody></table></div><h2 id="WiFi-SecurityProperties">Security Properties</h2><p>Parameters relating to authentication.</p><div class="table-wrap"><table class="relative-table wrapped confluenceTable"><colgroup><col style="width: 374.0px;"/><col style="width: 1173.0px;"/></colgroup><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><p><strong>authentication-types</strong> (<em>list of wpa-psk, wpa2-psk, wpa-eap, wpa2-eap, wpa3-psk, owe, wpa3-eap, wpa3-eap-192</em>)</p></td><td class="confluenceTd"><p>Authentication types to enable on the interface.</p><p>The default value is an empty list (no authentication, an open network).</p><p>Configuring a passphrase adds to the default list the <em>wpa2-psk</em> authentication method (if the interface is an AP) or both <em>wpa-psk</em> and <em>wpa2-psk </em>(if the interface is a station).</p><p>Configuring an <em>eap-username</em> and an <em>eap-password</em> adds to the default list <em>wpa-eap and wpa2-eap</em> authentication methods.</p></td></tr><tr><td class="confluenceTd"><strong>connect-group</strong> ( <em>string </em>)</td><td class="confluenceTd"><p>APs within the same connect group do not allow more than 1 client device with the same MAC address. 
This is to prevent malicious authorized users from intercepting traffic intended for other users ('MacStealer' attack) or performing a denial of service attack by spoofing the MAC address of a victim.</p><p>Handling of new connections with duplicate MAC addresses depends on the connect-priority of AP interfaces involved.</p><p>By default, all APs are assigned the same connect-group.</p></td></tr><tr><td class="confluenceTd"><strong>connect-priority </strong>(accept-priority/hold-priority (<em>integers</em>))</td><td class="confluenceTd"><p>These parameters determine how a connection is handled if the MAC address of the client device is the same as that of another active connection to another AP.<br/>If (accept-priority of AP2) &lt; (hold-priority of AP1), a connection to AP2 will cause the client to be dropped from AP1.<br/>If (accept-priority of AP2) = (hold-priority of AP1), a connection to AP2 will be allowed only if the MAC address can no longer be reached via AP1.<br/>If (accept-priority of AP2) &gt; (hold-priority of AP1), a connection to AP2 will not be accepted.</p><p>If omitted, hold-priority is the same as accept-priority.<br/>By default, APs that perform user authentication have higher priority (lower integer value) than open APs.</p></td></tr><tr><td class="confluenceTd"><strong>dh-groups</strong> (<em>list of 19, 20, 21</em>)</td><td class="confluenceTd"><p>Identifiers of <a class="external-link" href="http://www.iana.org/assignments/ipsec-registry/ipsec-registry.xhtml#ipsec-registry-10" rel="nofollow">elliptic curve cryptography groups</a> to use in SAE (WPA3) authentication.</p></td></tr><tr><td class="confluenceTd"><strong>disable-pmkid</strong> (<em>no</em> | <em>yes</em>)</td><td class="confluenceTd">For interfaces in AP mode, disables inclusion of a PMKID in EAPOL frames. 
Disabling PMKID can cause compatibility issues with client devices that make use of it.<ul><li><em>yes</em> - Do not include PMKID in EAPOL frames.</li><li><em>no</em> (default) - include PMKID in EAPOL frames.</li></ul></td></tr><tr><td class="confluenceTd"><strong>eap-accounting</strong> (<em>no</em> | <em>yes</em>)</td><td class="confluenceTd">Send accounting information to RADIUS server for EAP-authenticated peers. Default: no.</td></tr><tr><td style="text-align: left;" colspan="2" class="confluenceTd"><div class="content-wrapper"><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body">Properties related to EAP are only relevant to interfaces in station mode. APs delegate (passthrough) EAP authentication to the RADIUS server.</div></div></div></td></tr><tr><td class="confluenceTd"><strong>eap-anonymous-identity</strong> (<em>string</em>)</td><td class="confluenceTd">Optional anonymous identity for EAP outer authentication. No default value.</td></tr><tr><td class="confluenceTd"><strong>eap-certificate-mode</strong> (<em>dont-verify-certificate</em> | <em>no-certificates</em> |<em> verify-certificate</em> | <em>verify-certificate-with-crl</em>)</td><td class="confluenceTd"><p>Policy for handling the TLS certificate of the RADIUS server.</p><ul><li>verify-certificate - require server to have a valid certificate. Check that it is signed by a trusted certificate authority.</li><li>dont-verify-certificate (default) - Do not perform any checks on the certificate.</li><li>no-certificates - Attempt to establish the TLS tunnel by performing anonymous Diffie-Hellman key exchange. 
To be used if the RADIUS server has no certificate at all.</li><li>verify-certificate-with-crl - Same as <em>verify-certificate,</em> but also checks if the certificate is valid by checking the Certificate Revocation List.</li></ul></td></tr><tr><td class="confluenceTd"><strong>eap-methods </strong>(<em>list of </em><em>peap, tls, ttls</em>)</td><td class="confluenceTd">EAP methods to consider for authentication. Defaults to all supported methods.</td></tr><tr><td class="confluenceTd"><strong>eap-password</strong> (<em>string</em>)</td><td class="confluenceTd">Password to use, when the chosen EAP method requires one. No default value.</td></tr><tr><td class="confluenceTd"><strong>eap-tls-certificate</strong> (<em>certificate</em>)</td><td class="confluenceTd">Name or id of a certificate in the device's certificate store to use, when the chosen EAP authentication method requires one. No default value.</td></tr><tr><td class="confluenceTd"><strong>eap-username</strong> (<em>string</em>)</td><td class="confluenceTd">Username to use when the chosen EAP method requires one. 
No default value.</td></tr><tr><td style="text-align: center;" colspan="2" class="confluenceTd"><div class="content-wrapper"><div class="confluence-information-macro confluence-information-macro-warning"><span class="aui-icon aui-icon-small aui-iconfont-error confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>Take care when configuring encryption ciphers.</p><p>All client devices MUST support the group encryption cipher used by the AP to connect, and some client devices (notably, Intel® 8260) will also fail to connect if the list of unicast ciphers includes any they don't support.</p></div></div></div></td></tr><tr><td class="confluenceTd"><strong>encryption</strong> (<em>list of ccmp, ccmp-256, gcmp, gcmp-256, tkip</em>)</td><td class="confluenceTd"><p>A list of ciphers to support for encrypting unicast traffic.</p><p>Defaults to <em>ccmp</em>.</p></td></tr><tr><td colspan="2" class="confluenceTd"><div class="content-wrapper"><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>Properties related to 802.11r fast BSS transition only apply to interfaces in AP mode. WiFi interfaces in station mode do not support 802.11r.</p><p>For a client device to successfully roam between 2 APs, the APs need to be managed by the same instance of RouterOS. For information on how to centrally manage multiple APs, see <a href="https://help.mikrotik.com/docs/display/ROS/WifiWave2#WifiWave2-WifiWave2CAPsMAN" rel="nofollow">CAPsMAN</a></p></div></div></div></td></tr><tr><td class="confluenceTd"><strong>ft</strong> (<em>no | yes</em>)</td><td class="confluenceTd"><p>Whether to enable 802.11r fast BSS transitions ( roaming). 
Default: no.</p></td></tr><tr><td class="confluenceTd"><strong>ft-mobility-domain</strong> (<em>integer 0..65535</em>) </td><td class="confluenceTd"><p>The fast BSS transition mobility domain ID. Default: 44484 (0xADC4).</p></td></tr><tr><td class="confluenceTd"><strong>ft-nas-identifier</strong> (string of <em>2..96 hex characters</em>)</td><td class="confluenceTd"><p>Fast BSS transition PMK-R0 key holder identifier. Default: MAC address of the interface.</p></td></tr><tr><td class="confluenceTd"><strong>ft-over-ds</strong> (<em>no</em> | <em>yes </em>) </td><td class="confluenceTd"><p> Whether to enable fast BSS transitions over DS (distributed system). Default: no.</p></td></tr><tr><td class="confluenceTd"><strong>ft-preserve-vlanid</strong> (<em>no </em>| <em>yes</em> )</td><td class="confluenceTd"><ul><li>no - when a client connects to this AP via 802.11r fast BSS transition, it is assigned a VLAN ID according to the access and/or interface settings</li><li>yes (default) - when a client connects to this AP via 802.11r fast BSS transition, it retains the VLAN ID, which it was assigned during initial authentication</li></ul><p>The default behavior is essential when relying on a RADIUS server to assign VLAN IDs to users, since a RADIUS server is only used for initial authentication.</p></td></tr><tr><td class="confluenceTd"><strong>ft-r0-key-lifetime</strong> (<em>time interval 1s..6w3d12h15m</em>)</td><td class="confluenceTd"><p>Lifetime of the fast BSS transition PMK-R0 encryption key. Default: 600000s (~7 days)</p></td></tr><tr><td class="confluenceTd"><strong>ft-reassociation-deadline</strong> (<em>time interval 0..70s</em>) </td><td class="confluenceTd"><p>Fast BSS transition reassociation deadline. 
Default: 20s.</p></td></tr><tr><td class="confluenceTd"><strong>group-encryption </strong>(<em>ccmp</em> | <em>ccmp-256</em> | <em>gcmp</em> | <em>gcmp-256</em> | <em>tkip</em>)</td><td class="confluenceTd"><p>Cipher to use for encrypting multicast traffic.</p><p>Defaults to <em>ccmp</em>.</p></td></tr><tr><td class="confluenceTd"><strong>group-key-update</strong> (<em>time interval</em>)</td><td class="confluenceTd"><p>Interval at which the group temporal key (key for encrypting broadcast traffic) is renewed. Defaults to 24 hours.</p></td></tr><tr><td class="confluenceTd"><strong>management-encryption</strong> (<em>cmac</em> | <em>cmac-256</em> | <em>gmac</em> | <em>gmac-256</em>)</td><td class="confluenceTd"><p>Cipher to use for encrypting protected management frames. Defaults to<em> cmac</em>.</p></td></tr><tr><td class="confluenceTd"><p><strong>management-protection</strong> (<em>allowed</em> | <em>disabled</em> | <em>required</em>)</p></td><td class="confluenceTd"><p>Whether to use 802.11w management frame protection. <strong>I</strong><strong>ncompatible with management frame protection in standard wireless package</strong>.</p><p>The default value depends on the value of the selected authentication type. WPA2 allows the use of management protection, WPA3 requires it.</p></td></tr><tr><td class="confluenceTd"><p><strong>owe-transition-interface</strong> (<em>i</em><em>nterface</em>)</p></td><td class="confluenceTd"><p>Name or internal id of an interface whose MAC address and SSID to advertise as the matching AP when running in OWE transition mode.</p><p>Required for setting up open APs that offer OWE, but also work with older devices that don't support the standard. See <a href="#WiFi-owe-transition-mode">configuration example below</a>.</p></td></tr><tr><td class="confluenceTd"><strong>passphrase</strong> (<em>string of up to 63 characters</em>)</td><td class="confluenceTd"><p>The passphrase to use for PSK authentication types. 
Defaults to an empty string - "".</p><p>WPA-PSK and WPA2-PSK authentication requires a minimum of 8 chars, while WPA3-PSK does not have a minimum passphrase length.</p></td></tr><tr><td class="confluenceTd"><strong>sae-anti-clogging-threshold</strong> (<em>'disabled'</em> | <em>integer</em>)</td><td class="confluenceTd"><p>Due to SAE (WPA3) associations being CPU resource intensive, overwhelming an AP with bogus authentication requests makes for a feasible denial-of-service attack.</p><p>This parameter provides a way to mitigate such attacks by specifying a threshold of in-progress SAE authentications, at which the AP will start requesting that client devices include a cookie bound to their MAC address in their authentication requests. It will then only process authentication requests that contain valid cookies.</p><p>Default: 5.</p></td></tr><tr><td class="confluenceTd"><strong>sae-max-failure-rate </strong>(<em>'</em><em>d</em><em>isabled'</em> | <em>integer</em>)</td><td class="confluenceTd">Rate of failed SAE (WPA3) associations per minute, at which the AP will stop processing new association requests. Default: 40.<em><br/></em></td></tr><tr><td class="confluenceTd"><strong>sae-pwe</strong> (<em>both</em> | <em>hash-to-element </em>| <em>hunting-and-pecking</em>)</td><td class="confluenceTd">Methods to support for deriving SAE password element. Default: both.</td></tr><tr><td class="confluenceTd"><strong>wps</strong> (<em>disabled</em> | <em>push-button</em>)</td><td class="confluenceTd"><ul><li><em>push-button</em> (default) - AP will accept WPS authentication for 2 minutes after 'wps-push-button' command is called. 
Physical WPS button functionality not yet implemented.</li><li><em>disabled </em>- AP will not accept WPS authentication</li></ul></td></tr></tbody></table></div><h2 id="WiFi-Steeringproperties">Steering properties</h2><p>Properties in this category govern mechanisms for advertising potential roaming candidates to client devices.</p><div class="table-wrap"><table class="relative-table wrapped confluenceTable" style="width: 97.4716%;"><colgroup><col style="width: 24.1198%;"/><col style="width: 75.8802%;"/></colgroup><tbody><tr><th scope="col" class="confluenceTh">Property</th><th scope="col" class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>neighbor-group</strong> (<em>string</em>) </td><td class="confluenceTd"><p>When sending neighbor reports and BSS transition management requests, an AP will list all other APs within its neighbor group as potential roaming candidates. </p><p>By default, a dynamic neighbor group is created for each set of APs with the same SSID and authentication settings.<br/>APs operating in the 5GHz band are indicated to be preferable to ones operating in the 2.4GHz band.</p></td></tr><tr><td class="confluenceTd"><strong>rrm</strong> (<em>no</em> | <em>yes</em>)</td><td class="confluenceTd">Enables sending of 802.11k neighbor reports. Default: yes</td></tr><tr><td class="confluenceTd"><strong>wnm</strong> (<em>no</em> | <em>yes</em>)</td><td class="confluenceTd">Enables sending of solicited 802.11v BSS transition management requests. 
Default: yes</td></tr></tbody></table></div><h2 id="WiFi-Miscellaneousproperties">Miscellaneous properties</h2><div class="table-wrap"><table class="relative-table wrapped confluenceTable"><colgroup><col style="width: 374.0px;"/><col style="width: 1173.0px;"/></colgroup><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>arp</strong> (<em>disabled </em>| <em>enabled</em> | <em>local-proxy-arp</em> | <em>proxy-arp</em> | <em>reply-only)</em></td><td class="confluenceTd">Address Resolution Protocol mode:<ul><li><em>disabled</em> - the interface will not use ARP</li><li><em>enabled</em> - the interface will use ARP (default)</li><li><em>local-proxy-arp</em> - the router performs proxy ARP on the interface and sends replies to the same interface</li><li><em>proxy-arp</em> - the router performs proxy ARP on the interface and sends replies to other interfaces</li><li><em>reply-only</em> - the interface will only reply to requests originated from matching IP address/MAC address combinations which are entered as static entries in the <a class="external-link" href="https://wiki.mikrotik.com/wiki/Manual:IP/ARP" rel="nofollow" title="Manual:IP/ARP"> ARP</a> table. No dynamic entries will be automatically stored in the ARP table. 
Therefore for communications to be successful, a valid static entry must already exist.</li></ul></td></tr><tr><td class="confluenceTd"><strong>arp-timeout</strong> (<em>time interval</em> | <em>'auto'</em>)</td><td class="confluenceTd">Determines how long a dynamically added ARP table entry is considered valid since the last packet was received from the respective IP address.<br/>Value <em>auto</em> equals to the value of<strong> </strong><em>arp-timeout</em> in<strong> </strong><em>/ip settings</em>, which defaults to 30s.</td></tr><tr><td class="confluenceTd"><strong>disable-running-check</strong> <em>(no</em> | <em>yes</em>)</td><td class="confluenceTd"><ul><li><p><em>yes</em> - interface's <em>r</em><em>unning </em>property will be true whenever the interface is not disabled</p></li><li><p><em>no </em>(default) - interface's <em>running</em> property will only be true when it has established a link to another device</p></li></ul></td></tr><tr><td class="confluenceTd"><p><strong>disabled</strong> (<em>no</em> | <em>yes</em>) (X)</p></td><td class="confluenceTd"><p>Hardware interfaces are disabled by default. 
Virtual interfaces are not.</p></td></tr><tr><td class="confluenceTd"><p><strong>mac-address</strong> (<em>MAC</em>)</p></td><td class="confluenceTd"><p>MAC address (BSSID) to use for an interface.</p><p>Hardware interfaces default to the MAC address of the associated radio interface.</p><p>Default MAC addresses for virtual interfaces are generated by</p><ol><li><p>Taking the MAC address of the associated master interface</p></li><li><p>Setting the second-least-significant bit of the first octet to 1, resulting in a <a class="external-link" href="https://en.wikipedia.org/wiki/MAC_address#Ranges_of_group_and_locally_administered_addresses" rel="nofollow">locally administered MAC address</a></p></li><li><p>If needed, increment the last octet of the address to ensure it doesn't overlap with the address of another interface on the device</p></li></ol></td></tr><tr><td class="confluenceTd"><p><strong>mtu </strong>(<em style="text-align: left;">integer [32..2290]</em><span style="color: rgb(23,43,77);">; Default:</span><span style="color: rgb(23,43,77);"> </span><strong>1500</strong>)</p></td><td class="confluenceTd"><p><span style="color: rgb(23,43,77);">Layer 3 Maximum transmission unit.</span></p></td></tr><tr><td class="confluenceTd"><p><strong>l2mtu</strong> (<em style="text-align: left;">integer [32..2290]</em><span style="color: rgb(23,43,77);">; Default:</span><span style="color: rgb(23,43,77);"> <strong>229</strong></span><strong style="text-align: left;">0</strong>)</p></td><td class="confluenceTd"><p><span style="color: rgb(23,43,77);">Layer 2 Maximum transmission unit. </span></p></td></tr><tr><td class="confluenceTd"><p><strong>master-interface</strong> (<em>i</em><em>nterface</em>)</p></td><td class="confluenceTd"><p>Multiple interface configurations can be run simultaneously on every wireless radio.</p><p>Only one of them determines the radio's state (whether it is enabled, what frequency it's using, etc). 
This 'master' interface, is <em>bound </em>to a radio with the corresponding <em>radio-mac.</em></p><p>To create additional ('virtual') interface configurations on a radio, they need to be <em>bound</em> to the corresponding master interface.</p><p>No default value.</p></td></tr><tr><td class="confluenceTd"><p><strong>name </strong>(<em>string</em>)</p></td><td class="confluenceTd"><p>A name for the interface. Defaults to <em>wifiN</em>, where <em>N </em>is the lowest integer that has not yet been used for naming an interface.</p></td></tr></tbody></table></div><h2 class="auto-cursor-target" id="WiFi-Read-onlyproperties">Read-only properties</h2><div class="table-wrap"><table class="relative-table wrapped confluenceTable" style="width: 100.0%;"><colgroup><col style="width: 23.6964%;"/><col style="width: 76.3036%;"/></colgroup><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>bound</strong> (<em>boolean</em>) (B)</td><td class="confluenceTd"><p>True for <em>master</em> interfaces that are currently available for WiFi manager.</p><p>True for a virtual interface (configurations linked to a master interface) when both the interface itself and its master interface are not disabled and the <em>master </em>interface has a bound flag.</p></td></tr><tr><td colspan="1" class="confluenceTd"><strong>default-name</strong> (<em>string</em>)</td><td colspan="1" class="confluenceTd">The default name for an interface.</td></tr><tr><td class="confluenceTd"><strong>inactive</strong> (<em>boolean</em>) (I)</td><td class="confluenceTd"><p>False for interfaces in AP mode when they've selected a channel for operation (i.e. configuration has been successfully applied).</p><p>False for interfaces in station mode when they've connected to an AP (i.e. 
configuration has been successfully applied, and an AP with matching settings has been found).</p><p>True otherwise.</p></td></tr><tr><td colspan="1" class="confluenceTd"><strong>master </strong>(<em>boolean</em>) (M)</td><td colspan="1" class="confluenceTd"><p>True for physical interfaces on the router itself or detected CAP if running as CAPsMAN.</p><p>False for virtual interfaces.</p></td></tr><tr><td colspan="1" class="confluenceTd"><strong>radio-mac</strong> (<em>MAC</em>)</td><td colspan="1" class="confluenceTd">The MAC address of the associated radio.</td></tr><tr><td colspan="1" class="confluenceTd"><strong>running</strong> (<em>boolean</em>) (R)</td><td colspan="1" class="confluenceTd"><p>True, when an interface has established a link to another device.</p><p>If <em>disable-running-check</em> is set to 'yes', true whenever the interface is not disabled.</p></td></tr></tbody></table></div><h2 class="with-breadcrumbs" id="WiFi-AccessList.1">Access List</h2><div class="table-wrap"><table class="relative-table wrapped confluenceTable" style="width: 99.7449%;"><colgroup><col style="width: 22.6198%;"/><col style="width: 77.3163%;"/></colgroup><tbody><tr><th style="text-align: center;" colspan="2" class="confluenceTh"><div class="content-wrapper"><p>Filtering parameters<span class="confluence-anchor-link" id="WiFi-Filtering"></span></p></div></th></tr><tr><th style="text-align: center;" class="confluenceTh">Parameter</th><th style="text-align: center;" class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>interface</strong> (<em>interface </em>| <em>interface-list </em>|<em> 'any'</em>)</td><td class="confluenceTd">Match if connection takes place on the specified interface or interface belonging to a specified list. Default: any.</td></tr><tr><td class="confluenceTd"><strong>mac-address</strong> (<em>MAC address</em>)</td><td class="confluenceTd">Match if the client device has the specified MAC address. 
No default value.</td></tr><tr><td class="confluenceTd"><strong>mac-address-mask</strong> (<em>MAC address</em>)</td><td class="confluenceTd"><p>Modifies the <strong>mac-address</strong> parameter to match if it is equal to the result of performing bit-wise AND operation on the client MAC address and the given address mask.</p><p>Default: FF:FF:FF:FF:FF:FF (i.e. client's MAC address must match value of <strong>mac-address</strong> exactly)</p></td></tr><tr><td class="confluenceTd"><strong>signal-range</strong> (<em>min..max</em>)</td><td class="confluenceTd">Match if the strength of the received signal from the client device is within the given range. Default: '-120..120'</td></tr><tr><td class="confluenceTd"><strong>ssid-regexp</strong> (<em>regex</em>)</td><td class="confluenceTd">Match if the given regular expression matches the SSID.</td></tr><tr><td class="confluenceTd"><strong>time</strong> (<em>start-end,days</em>)</td><td class="confluenceTd">Match during the specified time of day and (optionally) days of week. 
Default: 0s-1d</td></tr></tbody></table></div><p><br/></p><div class="table-wrap"><table class="relative-table wrapped confluenceTable" style="width: 99.8085%;"><colgroup><col style="width: 22.7969%;"/><col style="width: 77.1392%;"/></colgroup><tbody><tr><th style="text-align: center;" colspan="2" class="confluenceTh"><div class="content-wrapper"><p>Action parameters<span class="confluence-anchor-link" id="WiFi-Action"></span></p></div></th></tr><tr><th style="text-align: center;" class="confluenceTh">Parameter</th><th style="text-align: center;" class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>allow-signal-out-of-range</strong> (<em>time period</em> | 'always')</td><td class="confluenceTd"><p>The length of time which a connected peer's signal strength is allowed to be outside the range required by the <strong>signal-range </strong>parameter, before it is disconnected.</p><p>If the value is set to 'always', peer signal strength is only checked during association.</p><p>Default: 0s.</p></td></tr><tr><td class="confluenceTd"><strong>action</strong> (<em>accept </em>| <em>reject </em>|<em> query-radius</em>)</td><td class="confluenceTd"><p>Whether to authorize a connection</p><ul><li><em>accept</em> - connection is allowed</li><li><em>reject</em> - connection is not allowed</li><li><em>query-radius</em> - connection is allowed if MAC address authentication of the client's MAC address succeeds</li></ul><p>Default: <em>accept</em></p></td></tr><tr><td class="confluenceTd"><strong>client-isolation</strong> (<em>no</em> | <em>yes</em>)</td><td class="confluenceTd"><p>Whether to <a href="https://help.mikrotik.com/docs/display/ROS/WifiWave2#WifiWave2-Datapathproperties" rel="nofollow">isolate</a> the client from others connected to the same AP. No default value.</p></td></tr><tr><td class="confluenceTd"><strong>passphrase</strong> (<em>string</em>)</td><td class="confluenceTd">Override the default passphrase with given value. 
No default value.</td></tr><tr><td class="confluenceTd"><strong>radius-accounting</strong> (<em>no </em>|<em> yes</em>)</td><td class="confluenceTd">Override the default RADIUS accounting policy with given value. No default value.</td></tr><tr><td class="confluenceTd"><strong>vlan-id </strong>(<em> none </em>| <em>integer 1..4095 </em>)</td><td class="confluenceTd">Assign the given <a href="https://help.mikrotik.com/docs/display/ROS/WifiWave2#WifiWave2-Datapathproperties" rel="nofollow">VLAN ID</a> to matched clients. No default value.</td></tr></tbody></table></div><h2 id="WiFi-Frequencyscan.1">Frequency scan</h2><p>Information about RF conditions on available channels can be obtained by running the frequency-scan command.</p><div class="table-wrap"><table class="relative-table wrapped confluenceTable" style="width: 100.0%;"><colgroup><col style="width: 22.5083%;"/><col style="width: 77.4917%;"/></colgroup><tbody><tr><th style="text-align: center;" colspan="2" class="confluenceTh">Command parameters</th></tr><tr><th class="confluenceTh">Parameter</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>duration</strong> (<em>time interval)</em></td><td class="confluenceTd">Length of time to perform the scan for before exiting. Useful for non-interactive use. Not set by default.</td></tr><tr><td class="confluenceTd"><strong>freeze-frame-interval</strong> (<em>time interval)</em></td><td class="confluenceTd">Time interval at which to update command output. Default: 1s.</td></tr><tr><td class="confluenceTd"><strong>frequency</strong> (<em>list of frequencies/ranges)</em></td><td class="confluenceTd">Frequencies to perform the scan on. See <a href="#WiFi-frequency-syntax">channel.frequency parameter syntax</a> above for more detail. 
Defaults to all supported frequencies.</td></tr><tr><td class="confluenceTd"><strong>number</strong> (<em>string)</em></td><td class="confluenceTd">Either the name or internal id of the interface to perform the scan with. Required. Not set by default.</td></tr><tr><td class="confluenceTd"><strong>rounds</strong> (<em>integer)</em></td><td class="confluenceTd">Number of times to go through list of scannable frequencies before exiting. Useful for non-interactive use. Not set by default.</td></tr><tr><td class="confluenceTd"><strong>save-file</strong> (string)</td><td class="confluenceTd">Name of file to save output to. Not set by default.</td></tr></tbody></table></div><p style="text-align: center;"><br/></p><div class="table-wrap"><table class="relative-table wrapped confluenceTable" style="width: 100.0%;"><colgroup><col style="width: 22.1122%;"/><col style="width: 77.8878%;"/></colgroup><tbody><tr><th style="text-align: center;" colspan="2" class="confluenceTh">Output parameters</th></tr><tr><th class="confluenceTh">Parameter</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>channel</strong> (<em>integer)</em></td><td class="confluenceTd">Frequency (in MHz) of the channel scanned.</td></tr><tr><td class="confluenceTd"><strong>networks</strong> (<em>integer)</em></td><td class="confluenceTd"><p>Number of access points detected on the channel.</p></td></tr><tr><td class="confluenceTd"><strong>load</strong> (integer<em>)</em></td><td class="confluenceTd">Percentage of time the channel was busy during the scan.</td></tr><tr><td class="confluenceTd"><strong>nf</strong> (integer)</td><td class="confluenceTd">Noise floor (in dBm) of the channel.</td></tr><tr><td class="confluenceTd"><strong>max-signal</strong> (<em>integer</em>)</td><td class="confluenceTd">Maximum signal strength (in dBm) of APs detected in the channel.</td></tr><tr><td class="confluenceTd"><strong>min-signal</strong> (<em>integer</em>)</td><td 
class="confluenceTd">Minimum signal strength (in dBm) of APs detected in the channel.</td></tr><tr><td class="confluenceTd"><strong>primary </strong>(<em>boolean</em>) (P)</td><td class="confluenceTd">Channel is in use as the primary (control) channel by an AP.</td></tr><tr><td class="confluenceTd"><strong>secondary</strong> (boolean) (S)</td><td class="confluenceTd">Channel is in use as a secondary (extension) channel by an AP.</td></tr></tbody></table></div><h2 id="WiFi-Flat-snoop">Flat-snoop</h2><p>The '/interface wifi flat-snoop' command is a tool for surveying APs and stations. It monitors frequency usage and displays which devices occupy each frequency. It provides more detailed information regarding nearby APs than scan, and offers an easy overview of frequency usage by station/AP count.</p><div class="table-wrap"><table class="relative-table wrapped confluenceTable" style="width: 100.0%;"><colgroup class=""><col class="" style="width: 22.1122%;"/><col class="" style="width: 77.8878%;"/></colgroup><tbody class=""><tr class=""><th style="text-align: center;" colspan="2" class="confluenceTh">Output parameters</th></tr><tr class=""><th class="confluenceTh">Parameter</th><th class="confluenceTh">Description</th></tr><tr class=""><td class="confluenceTd"><strong>duration</strong><em> </em>(<em>time interval</em>)</td><td class="confluenceTd">Length of time to perform the scan before exiting. Useful for non-interactive use. 
Not set by default.</td></tr><tr class=""><td class="confluenceTd"><strong>filter-type</strong> (<em>bsss </em>|<em>frequency </em>|<em>stas</em>)</td><td class="confluenceTd"><p>bsss - list of active APs and their parameters.</p><p>frequency - list of station and AP count per scanned frequency</p><p>stas - a detailed list of stations on each scanned frequency</p><p>If filter-type is unspecified all types will be returned.</p></td></tr><tr class=""><td class="confluenceTd"><strong>freeze-frame-interval</strong> (<em>time interval)</em></td><td class="confluenceTd">Time interval at which to update command output. Default: 1s.</td></tr></tbody></table></div><h2 id="WiFi-Scancommand.1">Scan command</h2><p>The '/interface wifi scan' command will scan for access points and print out information about any APs it detects.</p><p>The scan command takes all the same parameters as the frequency-scan command.</p><div class="table-wrap"><table class="relative-table wrapped confluenceTable" style="width: 100.0%;"><colgroup><col style="width: 22.2442%;"/><col style="width: 77.7558%;"/></colgroup><tbody><tr><th style="text-align: center;" colspan="2" class="confluenceTh">Output parameters</th></tr><tr><th class="confluenceTh">Parameter</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>active</strong> (<em>boolean</em>) (A)</td><td class="confluenceTd">This signifies that beacons from the AP have been received in the last 30 seconds.</td></tr><tr><td class="confluenceTd"><strong>address</strong> (<em>MAC</em>)</td><td class="confluenceTd">The MAC address (BSSID) of the AP.</td></tr><tr><td class="confluenceTd"><strong>channel</strong> (<em>string</em>)</td><td class="confluenceTd">The control channel frequency used by the AP, its supported wireless standards and control/extension channel layout.</td></tr><tr><td class="confluenceTd"><p><strong>security</strong> (<em>string</em>)</p></td><td class="confluenceTd"><p>Authentication methods 
supported by the AP.</p></td></tr><tr><td class="confluenceTd"><strong>signal</strong> (<em>integer</em>)</td><td class="confluenceTd">The signal strength of the AP's beacons (in dBm).</td></tr><tr><td class="confluenceTd"><strong>ssid</strong> (<em>string</em>)</td><td class="confluenceTd">The extended service set identifier of the AP.</td></tr><tr><td class="confluenceTd"><strong>sta-count</strong> (<em>integer</em>)</td><td class="confluenceTd">The number of client devices associated with the AP. Only available if the AP includes this information in its beacons.</td></tr></tbody></table></div><h2 id="WiFi-Sniffer.1">Sniffer</h2><div class="table-wrap"><table class="relative-table wrapped confluenceTable" style="width: 100.19%;"><colgroup><col style="width: 22.0114%;"/><col style="width: 77.9886%;"/></colgroup><tbody><tr><th style="text-align: center;" colspan="2" scope="colgroup" class="confluenceTh">Command parameters</th></tr><tr><th style="text-align: left;" scope="col" class="confluenceTh">Parameter</th><th style="text-align: left;" scope="col" class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>duration </strong>(<em>time interval</em>)</td><td class="confluenceTd">Automatically interrupt the sniffer after the specified time has passed. No default value.</td></tr><tr><td class="confluenceTd"><strong>filter </strong>(<em>string</em>)</td><td class="confluenceTd"><p>A string that specifies a filter to apply to captured frames. 
Only frames matched by the filter expression will be displayed, saved or streamed.</p><p>This works similarly to filter strings in libpcap, for example.</p><p>The filter can match</p><ul><li>Address fields (addr1, addr2, addr3)</li><li>Wireless frame type and subtype, including shortcuts such as 'beacon' (type == 0 && subtype == 8)</li><li>Flags (to-ds, from-ds, retry, power, protected)</li></ul><p>A string can include the following operators:</p><ul><li>== (exact match)</li><li>!= (does not equal)</li><li>&& (logical AND)</li><li>|| (logical OR)</li><li>() (for grouping filter expressions)</li></ul></td></tr><tr><td class="confluenceTd"><div class="content-wrapper"><p><strong>number </strong>(<em>interface</em>)</p></div></td><td class="confluenceTd">Interface to use for sniffing.</td></tr><tr><td class="confluenceTd"><strong>pcap-file </strong>(<em>string</em><em>)</em></td><td class="confluenceTd">Save captured frames to a file with the given name. No default value (captured frames are not saved to a file by default).</td></tr><tr><td class="confluenceTd"><strong>pcap-size-limit </strong>(<em>integer</em>)</td><td class="confluenceTd">File size limit (in bytes) when storing captured frames locally.<br/>When this limit has been reached, no new frames are added to the capture file. No default value.</td></tr><tr><td class="confluenceTd"><strong>stream-address </strong>(IP address)</td><td class="confluenceTd">Stream captured packets via the TZSP protocol to the given address. 
No default value (captured packets are not streamed anywhere by default).</td></tr><tr><td class="confluenceTd"><strong>stream-rate </strong>(<em>integer</em>)</td><td class="confluenceTd">Limit the rate (in packets per second) at which captured frames are streamed via TZSP.</td></tr></tbody></table></div><h2 id="WiFi-WPS.1">WPS</h2><p>interface/wifi/wps-client wifi</p><div class="table-wrap"><table class="relative-table wrapped confluenceTable" style="width: 100.0%;"><colgroup><col style="width: 21.9142%;"/><col style="width: 78.0858%;"/></colgroup><tbody><tr><th style="text-align: center;" colspan="2" class="confluenceTh">Command parameters</th></tr><tr><th class="confluenceTh">Parameter</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>duration</strong> (<em>time interval</em>)</td><td class="confluenceTd">Length of time after which the command will time out if no AP is found. Unlimited by default.</td></tr><tr><td class="confluenceTd"><strong>interval</strong> (<em>time interval</em>)</td><td class="confluenceTd">Time interval at which to update command output. Default: 1s.</td></tr><tr><td class="confluenceTd"><strong>mac-address</strong> (<em>MAC</em>)</td><td class="confluenceTd">Only attempt connecting to AP with the specified MAC (BSSID). Not set by default.</td></tr><tr><td class="confluenceTd"><strong>number</strong> (<em>string</em>)</td><td class="confluenceTd">Name or internal id of the interface with which to attempt a connection. Not set by default.</td></tr><tr><td class="confluenceTd"><strong>ssid </strong>(<em>string</em>)</td><td class="confluenceTd">Only attempt to connect to APs with the specified SSID. 
Not set by default.</td></tr></tbody></table></div><h2 id="WiFi-Radios.1">Radios</h2><p>Information about the capabilities of each radio can be gained by running the `/interface/wifi/radio print detail` command.</p><div class="table-wrap"><table class="relative-table wrapped confluenceTable" style="width: 71.1082%;"><colgroup><col style="width: 30.2693%;"/><col style="width: 69.7307%;"/></colgroup><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>2g-channels</strong> (<em>list of </em><em>integers</em>)</td><td class="confluenceTd">Frequencies supported in the 2.4GHz band.</td></tr><tr><td class="confluenceTd"><strong>5g-channels</strong> (<em>list of integers</em>)</td><td class="confluenceTd">Frequencies supported in the 5GHz band.</td></tr><tr><td class="confluenceTd"><strong>bands</strong> (<em>list of strings</em>)</td><td class="confluenceTd">Supported frequency bands, wireless standards, and channel widths.</td></tr><tr><td class="confluenceTd"><strong>ciphers</strong> (<em>list of strings</em>)</td><td class="confluenceTd">Supported encryption ciphers.</td></tr><tr><td class="confluenceTd"><strong>countries</strong> (<em>list of strings</em>)</td><td class="confluenceTd">Regulatory domains supported by the interface.</td></tr><tr><td class="confluenceTd"><strong>hw-caps </strong>(<em>list of strings</em>)</td><td class="confluenceTd">Additional supported features (e.g. 
sniffer, qos-classifier-dscp).</td></tr><tr><td class="confluenceTd"><strong>hw-type </strong>(<em>string</em>)</td><td class="confluenceTd">Radio hardware model number.</td></tr><tr><td class="confluenceTd"><strong>max-interfaces </strong>(<em>integer</em>)</td><td class="confluenceTd">Maximum number of logical interfaces.</td></tr><tr><td class="confluenceTd"><strong>max-peers </strong>(<em>integer</em>)</td><td class="confluenceTd">Maximum number of associated peers (connected stations).</td></tr><tr><td class="confluenceTd"><strong>max-station-interfaces </strong>(<em>integer</em>)</td><td class="confluenceTd">Maximum number of logical interfaces in station mode.</td></tr><tr><td class="confluenceTd"><strong>max-vlans </strong>(<em>integer</em>)</td><td class="confluenceTd">Maximum number of different per-user VLANs.</td></tr><tr><td class="confluenceTd"><strong>min-antenna-gain</strong> (<em>integer</em>)</td><td class="confluenceTd">Minimum antenna gain permitted for the interface.</td></tr><tr><td class="confluenceTd"><strong>phy-id</strong> (<em>string</em>)</td><td class="confluenceTd"><p>A unique identifier.</p></td></tr><tr><td class="confluenceTd"><strong>radio-mac</strong> (<em>MAC</em>)</td><td class="confluenceTd">MAC address of the radio interface. 
Can be used to match radios to interface configurations.</td></tr><tr><td class="confluenceTd"><strong>rx-chains</strong> (<em>list of integers</em>)</td><td class="confluenceTd">IDs for radio chains available for receiving radio signals.</td></tr><tr><td class="confluenceTd"><strong>tx-chains</strong> (<em>list of integers</em>)</td><td class="confluenceTd">IDs for radio chains available for transmitting radio signals.</td></tr></tbody></table></div><h2 id="WiFi-Registrationtable.1">Registration table</h2><p>The registration table contains read-only information about associated wireless devices.</p><div class="table-wrap"><table class="relative-table wrapped confluenceTable" style="width: 71.504%;"><colgroup><col style="width: 29.6399%;"/><col style="width: 70.3586%;"/></colgroup><tbody><tr><th class="confluenceTh">Parameter</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>authorized</strong> (<em>boolean</em>) (A)</td><td class="confluenceTd">True when the peer has successfully authenticated.</td></tr><tr><td class="confluenceTd"><strong>bytes</strong> (<em>list of integers</em>)</td><td class="confluenceTd">Number of bytes in packets transmitted to a peer and received from it.</td></tr><tr><td class="confluenceTd"><strong>interface</strong> (<em>string</em>)</td><td class="confluenceTd">Name of the interface, which was used to associate with the peer.</td></tr><tr><td class="confluenceTd"><strong>mac-address</strong> (<em>MAC</em>)</td><td class="confluenceTd">The MAC address of the peer.</td></tr><tr><td class="confluenceTd"><strong>packets</strong> (<em>list of integers</em>)</td><td class="confluenceTd">Number of packets transmitted to a peer and received from it.</td></tr><tr><td class="confluenceTd"><strong>rx-rate</strong> <em>(string)</em></td><td class="confluenceTd">Bitrate of received transmissions from peer.</td></tr><tr><td class="confluenceTd"><strong>signal</strong> (<em>integer)</em></td><td 
class="confluenceTd"><p>Strength of signal received from the peer (in dBm).</p></td></tr><tr><td class="confluenceTd"><strong>tx-rate</strong> (<em>string)</em></td><td class="confluenceTd">Bitrate used for transmitting to the peer.</td></tr><tr><td class="confluenceTd"><strong>uptime</strong> (<em>time interval)</em></td><td class="confluenceTd">Time since association.</td></tr></tbody></table></div><h2 id="WiFi-CAPsMANGlobalConfiguration">CAPsMAN Global Configuration</h2><p>Menu: /interface/wifi/capsman</p><div class="table-wrap"><table class="relative-table wrapped confluenceTable"><colgroup><col style="width: 374.0px;"/><col style="width: 1173.0px;"/></colgroup><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>ca-certificate</strong><em> (auto </em>| <em>certificate name</em> <em>)</em></td><td class="confluenceTd"><span style="color: rgb(23,43,77);">Device CA certificate, CAPsMAN server requires a certificate, certificate on CAP is optional.</span></td></tr><tr><td class="confluenceTd"><strong>certificate</strong> <span style="color: rgb(23,43,77);">(</span><em style="text-align: left;">auto | certificate name | none</em><span style="color: rgb(23,43,77);">; Default:<span> </span></span><strong style="text-align: left;">none</strong><span style="color: rgb(23,43,77);">)</span></td><td class="confluenceTd"><span style="color: rgb(23,43,77);">Device certificate</span></td></tr><tr><td class="confluenceTd"><strong>enabled</strong> <em>(no</em> | <em>yes</em>)</td><td class="confluenceTd"><p><span style="color: rgb(23,43,77);">Disable or enable CAPsMAN functionality</span></p></td></tr><tr><td class="confluenceTd"><p><strong>package-path</strong> <span style="color: rgb(23,43,77);">(</span><em style="text-align: left;">string |</em><span style="color: rgb(23,43,77);">; Default: )</span></p></td><td style="text-align: left;" class="confluenceTd">Folder location for the RouterOS 
packages. For example, use "/upgrade" to specify the upgrade folder from the files section. If an empty string is set, CAPsMAN can use built-in RouterOS packages. Note that in this case only CAPs with the same architecture as CAPsMAN will be upgraded.</td></tr><tr><td class="confluenceTd"><p><strong>require-peer-certificate</strong> <span style="color: rgb(23,43,77);">(</span><em style="text-align: left;">yes | no</em><span style="color: rgb(23,43,77);">; Default:<span> </span></span><strong style="text-align: left;">no</strong><span style="color: rgb(23,43,77);">)</span></p></td><td class="confluenceTd"><p><span style="color: rgb(23,43,77);">Require all connecting CAPs to have a valid certificate</span></p></td></tr><tr><td class="confluenceTd"><p><strong>upgrade-policy</strong> (<em style="text-align: left;">none | require-same-version | suggest-same-version</em><span style="color: rgb(23,43,77);">; Default:<span> </span></span><strong style="text-align: left;">none</strong><span style="color: rgb(23,43,77);">)</span></p></td><td class="confluenceTd"><p><span style="color: rgb(23,43,77);">Upgrade policy options</span></p><ul style="text-align: left;"><li>none - do not perform upgrade</li><li>require-same-version - CAPsMAN suggests to upgrade the CAP RouterOS version and, if it fails, it will not provision the CAP. 
(Manual provision is still possible)</li><li>suggest-same-version - CAPsMAN suggests to upgrade the CAP RouterOS version and if it fails it will still be provisioned</li></ul></td></tr><tr><td class="confluenceTd"><strong>interfaces</strong> <em>(all | interface name | none; <span style="color: rgb(23,43,77);">Default: </span><strong style="text-align: left;">all</strong>)</em></td><td class="confluenceTd">Interfaces on which CAPsMAN will listen for CAP connections</td></tr></tbody></table></div><h2 id="WiFi-CAPsMANProvisioning">CAPsMAN Provisioning</h2><p>Provisioning rules for matching radios are configured in<span> <strong>/interface/wifi/provisioning/</strong></span><span> </span>menu:</p><div class="table-wrap"><table class="relative-table wrapped confluenceTable" style="width: 99.0591%;"><colgroup><col style="width: 22.8404%;"/><col style="width: 77.1225%;"/></colgroup><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>action</strong><span> </span>(<em>create-disabled | create-enabled | create-dynamic-enabled | none</em>; Default:<span> </span><strong>none</strong>)</td><td class="confluenceTd">Action to take if rule matches are specified by the following settings:<ul><li><strong>create-disabled</strong><span> </span>- create disabled static interfaces for radio. I.e., the interfaces will be bound to the radio, but the radio will not be operational until the interface is manually enabled;</li><li><strong>create-enabled</strong><span> </span>- create enabled static interfaces. I.e., the interfaces will be bound to the radio and the radio will be operational;</li><li><strong>create-dynamic-enabled</strong><span> </span>- create enabled dynamic interfaces. 
I.e., the interfaces will be bound to the radio, and the radio will be operational;</li><li><strong>none</strong><span> </span>- do nothing, leaves radio in the non-provisioned state;</li></ul></td></tr><tr><td class="confluenceTd"><strong>comment</strong><span> </span>(<em>string</em>; Default: )</td><td class="confluenceTd">Short description of the Provisioning rule</td></tr><tr><td class="confluenceTd"><strong>common-name-regexp</strong><span> </span>(<em>string</em>; Default: )</td><td class="confluenceTd">Regular expression to match radios by common name. Each CAP's common name identifier can be found under "/interface/wifi/radio" as value "REMOTE-CAP-NAME"</td></tr><tr><td class="confluenceTd"><strong>supported-bands</strong><span> </span>(<em>2ghz-ax | 2ghz-g | 2ghz-n | 5ghz-a | 5ghz-ac | 5ghz-ax | 5ghz-n</em>; Default: )</td><td class="confluenceTd">Match radios by supported wireless modes. </td></tr><tr><td class="confluenceTd"><strong>identity-regexp</strong><span> </span>(<em>string</em>; Default: )</td><td class="confluenceTd">Regular expression to match radios by router identity</td></tr><tr><td class="confluenceTd"><strong>address-ranges</strong><span> </span>(<em>IpAddressRange[,IpAddressRanges] max 100x</em>; Default:<span> </span><strong>""</strong>)</td><td class="confluenceTd">Match CAPs with IPs within the configured address range. Will only work for CAPs that joined CAPsMAN using IP, not MAC address.</td></tr><tr><td class="confluenceTd"><strong>master-configuration</strong><span> </span>(<em>string</em>; Default: )</td><td class="confluenceTd">If<span> </span><strong>action</strong><span> </span>specifies to create interfaces, then a new master interface with its configuration set to this configuration profile will be created</td></tr><tr><td class="confluenceTd"><strong>name-format</strong><span> </span>(<em>string</em>)</td><td class="confluenceTd"><p>Base string to use when constructing names of provisioned interfaces. 
Each new interface will be created by taking the base string and appending a number to the end of it, a number will only be appended if the string is not unique.</p><p>If included in the string, the character sequence <strong>%I </strong>will be replaced by the system identity of the cAP, <strong>%C </strong>will be replaced with the cAP's TLS certificate's Common Name, <strong>%R</strong>, or <strong>%r</strong> for lowercase, will be replaced with the CAP's radio MAC</p><p>Default: "cap-wifi"</p></td></tr><tr><td class="confluenceTd"><strong>radio-mac</strong><span> </span>(<em>MAC address</em>)</td><td class="confluenceTd">MAC address of radio to be matched. No default value.</td></tr><tr><td class="confluenceTd"><strong>slave-configurations</strong><span> </span>(<em>string</em>; Default: )</td><td class="confluenceTd"><p>If<span> the </span><strong>action</strong><span> </span>specifies to create interfaces, then a new slave interface for each configuration profile in this list is created.</p></td></tr><tr><td class="confluenceTd"><strong>disabled</strong> (<em>yes</em> <em>| no</em>; Default: <strong>no</strong>) </td><td class="confluenceTd"><p>Specifies if the provision rule is disabled.</p></td></tr></tbody></table></div><h2 id="WiFi-CAPconfiguration">CAP configuration</h2><p>Menu: /interface/wifi/cap</p><div class="table-wrap"><table class="relative-table wrapped confluenceTable"><colgroup><col style="width: 374.0px;"/><col style="width: 1173.0px;"/></colgroup><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>caps-man-addresses</strong><em> <span style="color: rgb(32,33,34);">(</span>list of IP addresses<span style="color: rgb(32,33,34);">; Default:<span> </span></span><strong>empty</strong><span style="color: rgb(32,33,34);">)</span></em></td><td class="confluenceTd"><span style="color: rgb(32,33,34);">List of Manager IP addresses that CAP will attempt to contact during 
discovery</span></td></tr><tr><td class="confluenceTd"><strong>caps-man-names</strong> <span style="color: rgb(23,43,77);">(</span><span style="color: rgb(23,43,77);">)</span></td><td class="confluenceTd"><span style="color: rgb(32,33,34);">An ordered list of CAPs Manager names that the CAP will connect to, if empty - CAP does not check Manager name</span></td></tr><tr><td class="confluenceTd"><strong>discovery-interfaces</strong> <span style="color: rgb(32,33,34);">(</span><em>list of interfaces</em><span style="color: rgb(32,33,34);">;</span><span style="color: rgb(32,33,34);">)</span></td><td class="confluenceTd"><span style="color: rgb(32,33,34);">List of interfaces over which CAP should attempt to discover Manager</span></td></tr><tr><td class="confluenceTd"><p><strong>lock-to-caps-man</strong> <span style="color: rgb(23,43,77);">(<em>no</em> | <em>yes; </em>Default: <strong>no</strong></span><span style="color: rgb(23,43,77);">)</span></p></td><td style="text-align: left;" class="confluenceTd">Sets, if CAP should lock to the first CAPsMAN it connects to</td></tr><tr><td class="confluenceTd"><p><strong>slaves-static</strong> <span style="color: rgb(23,43,77);">(</span><span style="color: rgb(23,43,77);">)</span></p></td><td class="confluenceTd">Creates Static Virtual Interfaces, allows the possibility to assign IP configuration to those interfaces. 
MAC address is used to remember each static-interface when applying the configuration from the CAPsMAN.</td></tr><tr><td class="confluenceTd"><p><strong>caps-man-certificate-common-names </strong>()</p></td><td class="confluenceTd">List of Manager certificate CommonNames that CAP will connect to, if empty - CAP does not check Manager certificate CommonName</td></tr><tr><td class="confluenceTd"><strong>certificate </strong>()</td><td class="confluenceTd">Certificate to use for authenticating</td></tr><tr><td class="confluenceTd"><strong>enabled </strong>(<em>yes | no</em><span style="color: rgb(32,33,34);">; Default:<span> </span></span><strong>no</strong><span style="color: rgb(32,33,34);">)</span></td><td class="confluenceTd"><span style="color: rgb(32,33,34);">Disable or enable the CAP feature</span></td></tr><tr><td class="confluenceTd"><strong>current-caps-man-address ()</strong></td><td class="confluenceTd"><span style="color: rgb(32,33,34);">Shows currently used CAPsMAN address (available since 7.15)</span></td></tr><tr><td class="confluenceTd"><strong>current-caps-man-identity ()</strong></td><td class="confluenceTd"><span style="color: rgb(32,33,34);"><span style="color: rgb(32,33,34);">Shows currently used CAPsMAN identity (available since 7.15)</span></span></td></tr><tr><td class="confluenceTd"><strong>slaves-datapath</strong> ()</td><td class="confluenceTd"><br/></td></tr></tbody></table></div>
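<p>The filtering parameters from the Access List section above (mac-address, mac-address-mask, signal-range, ssid-regexp), modelled as an added example that is not MikroTik code and not part of the original page. It also flags rules whose mac-address has bits set outside the mask, which by the rule stated in the table can never match. Assumptions: rules are checked in order and the first match decides, a client matching no rule is accepted, Python's <code>re</code> stands in for the RouterOS regex engine, and the interface and time filters are left out. All MAC addresses and SSIDs are constructed sample values.</p>

```python
"""Model of the WiFi access-list filtering parameters (added illustration)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

FULL_MASK = "FF:FF:FF:FF:FF:FF"   # documented default for mac-address-mask
ALL_BITS = 0xFFFFFFFFFFFF         # 48 bits of a MAC address


def mac_to_int(mac: str) -> int:
    """Parse 'AA:BB:CC:DD:EE:FF' into a 48-bit integer."""
    octets = mac.split(":")
    if len(octets) != 6 or any(len(o) != 2 for o in octets):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int("".join(octets), 16)


@dataclass
class Rule:
    action: str = "accept"                       # accept | reject | query-radius
    mac_address: Optional[str] = None            # no default value
    mac_address_mask: str = FULL_MASK
    signal_range: Tuple[int, int] = (-120, 120)  # documented default '-120..120'
    ssid_regexp: Optional[str] = None
    vlan_id: Optional[int] = None

    def matches(self, client_mac: str, signal: int, ssid: str) -> bool:
        """True when every configured filter matches the client."""
        if self.mac_address is not None:
            # Documented rule: mac-address must equal (client MAC AND mask).
            masked = mac_to_int(client_mac) & mac_to_int(self.mac_address_mask)
            if masked != mac_to_int(self.mac_address):
                return False
        low, high = self.signal_range
        if not low <= signal <= high:          # inclusive bounds are an assumption
            return False
        if self.ssid_regexp is not None and not re.search(self.ssid_regexp, ssid):
            return False
        return True

    def is_unmatchable(self) -> bool:
        """True when mac-address has bits set where the mask is zero.

        (client AND mask) always has those bits cleared, so the comparison
        can never succeed and the rule silently never fires.
        """
        if self.mac_address is None:
            return False
        stray = mac_to_int(self.mac_address) & ~mac_to_int(self.mac_address_mask)
        return (stray & ALL_BITS) != 0


def evaluate(rules: List[Rule], client_mac: str, signal: int,
             ssid: str) -> Tuple[Optional[int], str]:
    """Return (index of deciding rule, action); assumed first-match-wins."""
    for index, rule in enumerate(rules):
        if rule.matches(client_mac, signal, ssid):
            return index, rule.action
    return None, "accept"   # assumed behaviour when no rule matches


# Constructed sample policy: block one address prefix, admit strong-signal
# clients on SSIDs starting with "corp-" into VLAN 20, reject everything else.
RULES = [
    Rule(action="reject", mac_address="02:AB:CD:00:00:00",
         mac_address_mask="FF:FF:FF:00:00:00"),
    Rule(action="accept", signal_range=(-75, 120),
         ssid_regexp="^corp-", vlan_id=20),
    Rule(action="reject"),
]

# Same intent as RULES[0], but the full client address was left in
# mac-address while the mask keeps only the first three octets.
BROKEN = Rule(action="reject", mac_address="02:AB:CD:12:34:56",
              mac_address_mask="FF:FF:FF:00:00:00")

if __name__ == "__main__":
    for mac, signal in [("02:AB:CD:12:34:56", -50),
                        ("02:00:00:00:00:01", -60),
                        ("02:00:00:00:00:01", -90)]:
        print(mac, signal, evaluate(RULES, mac, signal, "corp-main"))
    print("BROKEN can never match:", BROKEN.is_unmatchable())
```
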
</div>
<div style="padding: 10px 0;">
<a href="https://help.mikrotik.com/docs/display/ROS/WiFi">View Online</a>
·
<a href="https://help.mikrotik.com/docs/pages/diffpagesbyversion.action?pageId=224559120&revisedVersion=33&originalVersion=32">View Changes Online</a>
</div>
</div>Guntis G.2023-11-13T13:33:24ZS+RJ10 general guidanceIngus Raudiņštag:help.mikrotik.com,2009:page-240156916-82024-03-27T14:11:07Z2024-03-27T13:53:45Z<div class="feed"> <p>
Page
<b>edited</b> by
<a href=" https://help.mikrotik.com/docs/display/~ingus
">Ingus Raudiņš</a>
</p>
<div style="border-top: 1px solid #ddd; border-bottom: 1px solid #ddd; padding: 10px;">
<h2 id="S+RJ10generalguidance-/*<![CDATA[*/div.rbtoc1711701163049{padding:0px;}div.rbtoc1711701163049ul{margin-left:0px;}div.rbtoc1711701163049li{margin-left:0px;padding-left:0px;}/*]]>*/#S+RJ10generalguidance-Summary#S+RJ10generalguidance-SummaryGeneralGuidance#"><span class="mw-headline"><style type='text/css'>/*<![CDATA[*/
div.rbtoc1711701163049 {padding: 0px;}
div.rbtoc1711701163049 ul {margin-left: 0px;}
div.rbtoc1711701163049 li {margin-left: 0px;padding-left: 0px;}
/*]]>*/</style><div class='toc-macro rbtoc1711701163049'>
<ul class='toc-indentation'>
<li><a href='#S+RJ10generalguidance-Summary'>Summary</a></li>
<li><a href='#S+RJ10generalguidance-GeneralGuidance'>General Guidance</a>
<ul class='toc-indentation'>
<li><a href='#S+RJ10generalguidance-Productspecification'>Product specification</a></li>
<li><a href='#S+RJ10generalguidance-S+RJ10Positioningindevices'>S+RJ10 Positioning in devices</a></li>
</ul>
</li>
<li><a href='#S+RJ10generalguidance-UsingtheS+RJ10SidebySideorwithpassivecoolingdevices'>Using the S+RJ10 Side by Side or with passive cooling devices</a></li>
</ul>
</div></span></h2><h2 id="S+RJ10generalguidance-Summary"><span class="mw-headline">Summary</span></h2><p><span class="mw-headline"><a class="external-link" href="https://mikrotik.com/product/s_rj10" rel="nofollow" style="text-decoration: none;">MikroTik S+RJ10</a><span style="color: rgb(32,33,34);"><span> </span>is a unique 6-speed RJ-45 SFP+ module based on a Marvell 88X3310P transceiver. It offers up to 10 Gbps speeds using twisted-pair copper cables. All the current MikroTik devices with an SFP+ cage support the S+RJ10 module. This article serves as a guideline for S+RJ10 usage in MikroTik devices with both passive and active cooling.</span></span></p><h2 id="S+RJ10generalguidance-GeneralGuidance"><span class="mw-headline">General Guidance</span></h2><h3 id="S+RJ10generalguidance-Productspecification"><span class="mw-headline">Product specification</span></h3><p>The average power consumption of the transceiver is 2.7 W (10GBASE-T, 30 m link), which is relatively high compared with<span> the </span><a class="external-link" href="https://mikrotik.com/product/Splus85DLC03D" rel="nofollow" style="text-decoration: none;">S+85DLC03D</a><span> </span>optical module, which has a maximum power consumption of 0.8 W. The operating temperature is 0 to +70 °C, but the transceiver itself can heat up to 90 °C.</p><h3 id="S+RJ10generalguidance-S+RJ10Positioningindevices"><span class="mw-headline">S+RJ10 Positioning in devices</span></h3><p>Due to their high operating temperatures, it is recommended to install S+RJ10 transceivers with an optical transceiver or an unused SFP+ interface between them. See also the transceiver supported-distance<span> </span><a href="https://help.mikrotik.com/docs/display/ROS/MikroTik+wired+interface+compatibility#MikroTikwiredinterfacecompatibility-S+RJ10" rel="nofollow">comparison table</a>.</p><p>As mentioned, S+RJ10 transceivers heat up more than regular transceivers, and keeping them side by side can result in overheating, especially in devices with 4 linear SFP cages. 
It is recommended to place S+RJ10 in every second interface while keeping an optical transceiver or an empty port in between them.</p><p><span class="confluence-embedded-file-wrapper"><img class="confluence-embedded-image" draggable="false" src="https://help.mikrotik.com/docs/download/attachments/240156916/20190129_125436.jpg?version=1&modificationDate=1711547625557&api=v2" data-image-src="https://help.mikrotik.com/docs/download/attachments/240156916/20190129_125436.jpg?version=1&modificationDate=1711547625557&api=v2" data-unresolved-comment-count="0" data-linked-resource-id="240156913" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="20190129_125436.jpg" data-base-url="https://help.mikrotik.com/docs" data-linked-resource-content-type="image/jpeg" data-linked-resource-container-id="240156916" data-linked-resource-container-version="8" alt=""></span></p><p>Even when using devices that come with separated SFP+ cages, for example, CRS309-1G-8S+, it is still not recommended to deploy the S+RJ10 transceivers beside each other. Use S+RJ10 in every second interface to avoid transceivers overheating which may cause unpredictable behavior. 
</p><p><span class="confluence-embedded-file-wrapper confluence-embedded-manual-size"><img class="confluence-embedded-image" draggable="false" height="150" src="https://help.mikrotik.com/docs/download/attachments/240156916/20190129_125301.jpg?version=1&modificationDate=1711547625527&api=v2" data-image-src="https://help.mikrotik.com/docs/download/attachments/240156916/20190129_125301.jpg?version=1&modificationDate=1711547625527&api=v2" data-unresolved-comment-count="0" data-linked-resource-id="240156914" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="20190129_125301.jpg" data-base-url="https://help.mikrotik.com/docs" data-linked-resource-content-type="image/jpeg" data-linked-resource-container-id="240156916" data-linked-resource-container-version="8" alt="" aria-label="Recommended S+RJ10 placement"><span class='confluence-embedded-image-title' aria-hidden='true'>Recommended S+RJ10 placement</span></span><span class="confluence-embedded-file-wrapper confluence-embedded-manual-size"><img class="confluence-embedded-image" draggable="false" height="150" src="https://help.mikrotik.com/docs/download/attachments/240156916/800px-20190129_125325.jpg?version=1&modificationDate=1711547625502&api=v2" data-image-src="https://help.mikrotik.com/docs/download/attachments/240156916/800px-20190129_125325.jpg?version=1&modificationDate=1711547625502&api=v2" data-unresolved-comment-count="0" data-linked-resource-id="240156915" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="800px-20190129_125325.jpg" data-base-url="https://help.mikrotik.com/docs" data-linked-resource-content-type="image/jpeg" data-linked-resource-container-id="240156916" data-linked-resource-container-version="8" alt="" aria-label="It is not recommended to place transceivers side by side"><span class='confluence-embedded-image-title' aria-hidden='true'>It is not recommended to place transceivers side 
by side</span></span></p><p>Devices that come with 4 or 8-block SFP+ cages are not exceptions. It is recommended to use one S+RJ10 transceiver per 4xSFP+ cage block and avoid placing them side by side. Keep at least one vertical row empty (without S+RJ10) after plugging in the S+RJ10 transceiver.</p><p><span class="confluence-embedded-file-wrapper confluence-embedded-manual-size"><img class="confluence-embedded-image" draggable="false" height="150" src="https://help.mikrotik.com/docs/download/attachments/240156916/20190130_134631.jpg?version=1&modificationDate=1711547973558&api=v2" data-image-src="https://help.mikrotik.com/docs/download/attachments/240156916/20190130_134631.jpg?version=1&modificationDate=1711547973558&api=v2" data-unresolved-comment-count="0" data-linked-resource-id="240156918" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="20190130_134631.jpg" data-base-url="https://help.mikrotik.com/docs" data-linked-resource-content-type="image/jpeg" data-linked-resource-container-id="240156916" data-linked-resource-container-version="8" alt="" aria-label="Recommended S+RJ10 placement"><span class='confluence-embedded-image-title' aria-hidden='true'>Recommended S+RJ10 placement</span></span><span class="confluence-embedded-file-wrapper confluence-embedded-manual-size"><img class="confluence-embedded-image" draggable="false" height="150" src="https://help.mikrotik.com/docs/download/attachments/240156916/20190130_134505.jpg?version=1&modificationDate=1711548010467&api=v2" data-image-src="https://help.mikrotik.com/docs/download/attachments/240156916/20190130_134505.jpg?version=1&modificationDate=1711548010467&api=v2" data-unresolved-comment-count="0" data-linked-resource-id="240156919" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="20190130_134505.jpg" data-base-url="https://help.mikrotik.com/docs" data-linked-resource-content-type="image/jpeg" 
data-linked-resource-container-id="240156916" data-linked-resource-container-version="8" alt="" aria-label="We do not recommend placing transceivers side by side"><span class='confluence-embedded-image-title' aria-hidden='true'>We do not recommend placing transceivers side by side</span></span></p><h2 id="S+RJ10generalguidance-UsingtheS+RJ10SidebySideorwithpassivecoolingdevices"><span class="mw-headline">Using the S+RJ10 Side by Side or with passive cooling devices</span></h2><p>There might be situations when it is not possible to use the recommended layout of the transceivers. In such cases, where two or more S+RJ10 transceivers are plugged in beside one another or the modules are used in passive cooling devices, the network administrator has to ensure additional cooling. The airflow around the device should be increased or the overall ambient temperature should be lowered to keep the temperature of the transceivers within the recommended range.</p>
</div>
<div style="padding: 10px 0;">
<a href="https://help.mikrotik.com/docs/pages/viewpage.action?pageId=240156916">View Online</a>
·
<a href="https://help.mikrotik.com/docs/pages/diffpagesbyversion.action?pageId=240156916&revisedVersion=8&originalVersion=7">View Changes Online</a>
</div>
</div>Ingus Raudiņš2024-03-27T13:53:45ZDHCPOlga Ļ.tag:help.mikrotik.com,2009:page-24805500-402024-03-27T12:39:50Z2020-04-23T09:30:19Z<div class="feed"> <p>
Page
<b>edited</b> by
<a href=" https://help.mikrotik.com/docs/display/~olga
">Olga Ļ.</a>
</p>
<div style="border-top: 1px solid #ddd; border-bottom: 1px solid #ddd; padding: 10px;">
<p><div class='toc-macro rbtoc1711701163198'>
<ul class='toc-indentation'>
<li><a href='#DHCP-DHCPClient'>DHCP Client</a>
<ul class='toc-indentation'>
<li><a href='#DHCP-Summary'>Summary</a></li>
<li><a href='#DHCP-DHCPOptions'>DHCP Options</a></li>
<li><a href='#DHCP-Properties'>Properties</a></li>
<li><a href='#DHCP-ConfigurationExamples'>Configuration Examples</a>
<ul class='toc-indentation'>
<li><a href='#DHCP-SimpleDHCPclient'>Simple DHCP client</a></li>
<li><a href='#DHCP-LeaseScriptExampleLeasescriptexample'>Lease script example</a></li>
<li><a href='#DHCP-Resolvedefaultgatewaywhen'router'(option3)isfromadifferentsubnet'>Resolve default gateway when 'router' (option3) is from a different subnet</a></li>
</ul>
</li>
</ul>
</li>
<li><a href='#DHCP-DHCPv6Client'>DHCPv6 Client</a>
<ul class='toc-indentation'>
<li><a href='#DHCP-Summary.1'>Summary</a></li>
<li><a href='#DHCP-Properties.1'>Properties</a></li>
<li><a href='#DHCP-Script'>Script</a></li>
<li><a href='#DHCP-IAID'>IAID</a></li>
<li><a href='#DHCP-ConfigurationExamples.1'>Configuration Examples</a>
<ul class='toc-indentation'>
<li><a href='#DHCP-SimpleDHCPv6client'>Simple DHCPv6 client</a></li>
<li><a href='#DHCP-UsereceivedprefixforlocalRA'>Use received prefix for local RA</a></li>
</ul>
</li>
</ul>
</li>
<li><a href='#DHCP-DHCPServer'>DHCP Server</a>
<ul class='toc-indentation'>
<li><a href='#DHCP-Summary.2'>Summary</a></li>
<li><a href='#DHCP-DHCPServerProperties'>DHCP Server Properties</a></li>
<li><a href='#DHCP-Leases'>Leases</a>
<ul class='toc-indentation'>
<li><a href='#DHCP-Menuspecificcommands'>Menu specific commands</a></li>
<li><a href='#DHCP-StoreConfiguration'>Store Configuration</a></li>
<li><a href='#DHCP-Ratelimiting'>Rate limiting</a></li>
</ul>
</li>
<li><a href='#DHCP-Network'>Network</a></li>
<li><a href='#DHCP-RADIUSSupport'>RADIUS Support</a></li>
<li><a href='#DHCP-Alerts'>Alerts</a></li>
<li><a href='#DHCP-DHCPOptions.1'>DHCP Options</a>
<ul class='toc-indentation'>
<li><a href='#DHCP-DHCPOptionSets'>DHCP Option Sets</a></li>
<li><a href='#DHCP-Example'>Example</a></li>
</ul>
</li>
<li><a href='#DHCP-VendorClasses'>Vendor Classes</a>
<ul class='toc-indentation'>
<li><a href='#DHCP-Example.1'>Example</a></li>
</ul>
</li>
<li><a href='#DHCP-Genericmatcher'>Generic matcher</a></li>
<li><a href='#DHCP-ConfigurationExamples.2'>Configuration Examples</a>
<ul class='toc-indentation'>
<li><a href='#DHCP-Setup'>Setup</a></li>
<li><a href='#DHCP-Manualconfiguration'>Manual configuration</a></li>
</ul>
</li>
</ul>
</li>
<li><a href='#DHCP-DHCPv6Server'>DHCPv6 Server</a>
<ul class='toc-indentation'>
<li><a href='#DHCP-Summary.3'>Summary</a></li>
<li><a href='#DHCP-General'>General</a></li>
<li><a href='#DHCP-DHCPv6ServerProperties'>DHCPv6 Server Properties</a></li>
<li><a href='#DHCP-Bindings'>Bindings</a>
<ul class='toc-indentation'>
<li><a href='#DHCP-Ratelimiting.1'>Rate limiting</a></li>
</ul>
</li>
<li><a href='#DHCP-RADIUSSupport.1'>RADIUS Support</a></li>
<li><a href='#DHCP-ConfigurationExample'>Configuration Example</a>
<ul class='toc-indentation'>
<li><a href='#DHCP-EnablingIPv6Prefixdelegation'>Enabling IPv6 Prefix delegation</a></li>
</ul>
</li>
</ul>
</li>
<li><a href='#DHCP-DHCPRelay'>DHCP Relay</a>
<ul class='toc-indentation'>
<li><a href='#DHCP-Summary.4'>Summary</a></li>
<li><a href='#DHCP-Properties.2'>Properties</a></li>
<li><a href='#DHCP-ConfigurationExample.1'>Configuration Example</a></li>
<li><a href='#DHCP-DHCPRelaywithVRF(introducedin7.15)'>DHCP Relay with VRF (introduced in 7.15)</a></li>
</ul>
</li>
</ul>
</div></p><h1 id="DHCP-DHCPClient">DHCP Client</h1><h2 id="DHCP-Summary">Summary</h2><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/ip dhcp-client</pre>
</div></div><p><span style="color: rgb(34,34,34);">The DHCP (Dynamic Host Configuration Protocol) is used for the easy distribution of IP addresses in a network. The MikroTik RouterOS implementation includes both server and client parts and is compliant with RFC 2131.</span></p><p>The MikroTik RouterOS DHCP client may be enabled on any Ethernet-like interface at a time. The client will accept an address, netmask, default gateway, and two DNS server addresses. The received IP address will be added to the interface with the respective netmask. The default gateway will be added to the routing table as a dynamic entry. Should the DHCP client be disabled or not renew an address, the dynamic default route will be removed. If there is already a default route installed prior to the DHCP client obtaining one, the route obtained by the DHCP client would be shown as invalid.</p><p>The RouterOS DHCP client asks for the following options:</p><ul><li>option 1 - SUBNET_MASK,</li><li>option 3 - GATEWAY_LIST,</li><li>option 6 - TAG_DNS_LIST,</li><li>option 33 - STATIC_ROUTE,</li><li>option 42 - NTP_LIST,</li><li>option 121 - CLASSLESS_ROUTE.</li></ul><h2 id="DHCP-DHCPOptions">DHCP Options</h2><p>The DHCP client can be configured with options that are sent to the DHCP server, for example, the hostname and MAC address. The syntax is the same as for DHCP server options.</p><p>Currently, there are three variables that can be used in options:</p><ul><li>HOSTNAME;</li><li>CLIENT_MAC - client interface MAC address;</li><li>CLIENT_DUID - client DUID of the router, the same as used for the DHCPv6 client, 
in conformance with RFC4361.</li></ul><p>The DHCP client includes these default options:</p><div class="table-wrap"><table class="wrapped confluenceTable"><colgroup><col style="width: 100.0px;"/><col style="width: 53.0px;"/><col style="width: 146.0px;"/></colgroup><tbody><tr><th class="confluenceTh">Name</th><th class="confluenceTh">code</th><th class="confluenceTh">value</th></tr><tr><td class="confluenceTd">clientid_duid</td><td class="confluenceTd">61</td><td class="confluenceTd">0xff$(CLIENT_DUID)</td></tr><tr><td class="confluenceTd">clientid</td><td class="confluenceTd">61</td><td class="confluenceTd">0x01$(CLIENT_MAC)</td></tr><tr><td class="confluenceTd">hostname</td><td class="confluenceTd">12</td><td class="confluenceTd">$(HOSTNAME)</td></tr></tbody></table></div><h2 id="DHCP-Properties"><span class="mw-headline">Properties</span></h2><div class="table-wrap"><table class="wrapped relative-table confluenceTable" style="width: 70.2115%;"><colgroup><col style="width: 19.6278%;"/><col style="width: 80.3722%;"/></colgroup><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>add-default-route</strong> (<em>yes | no | special-classless</em>; Default: <strong>yes</strong>)</td><td class="confluenceTd">Whether to install the default route received from the DHCP server in the routing table. By default, the RouterOS client complies with the RFC and ignores option 3 if classless option 121 is received. To force the client not to ignore option 3, set <em>special-classless</em>. 
This parameter is available in v6rc12+<ul><li><strong>yes</strong> - adds classless route if received, if not then add default route (old behavior)</li><li><strong>special-classless</strong> - adds both classless routes if received and a default route (MS style)</li></ul></td></tr><tr><td class="confluenceTd"><strong>client-id</strong> (<em>string</em>; Default: )</td><td class="confluenceTd">Corresponds to the settings suggested by the network administrator or ISP. If not specified, the client's MAC address will be sent</td></tr><tr><td class="confluenceTd"><strong>comment</strong> (<em>string</em>; Default: )</td><td class="confluenceTd">Short description of the client</td></tr><tr><td class="confluenceTd"><strong>default-route-distance</strong> (<em>integer:0..255</em>; Default: )</td><td class="confluenceTd">Distance of default route. Applicable if <code>add-default-route</code> is set to <code>yes</code>.</td></tr><tr><td class="confluenceTd"><strong>disabled</strong> (<em>yes | no</em>; Default: <strong>yes</strong>)</td><td class="confluenceTd"><br/></td></tr><tr><td class="confluenceTd"><strong>host-name</strong> (<em>string</em>; Default: )</td><td class="confluenceTd">The hostname of the client is sent to a DHCP server. If not specified, the client's system identity will be used.</td></tr><tr><td class="confluenceTd"><strong>interface</strong> (<em>string</em>; Default: )</td><td class="confluenceTd">The interface on which the DHCP client will be running.</td></tr><tr><td class="confluenceTd"><strong>script</strong> (<em>script</em>; Default: )</td><td class="confluenceTd">Execute script when DHCP client obtains a new lease or loses an existing one. 
This parameter is available in v6.39rc33+. These variables are accessible to the event script:<ul><li>bound - 1 - lease is added/changed; 0 - lease is removed</li><li>server-address - server address</li><li>lease-address - lease address provided by a server</li><li>interface - name of the interface on which the client is configured</li><li>gateway-address - gateway address provided by a server</li><li>vendor-specific - stores value of option 43 received from DHCP server</li><li>lease-options - an array of received options</li></ul><a href="#DHCP-LeaseScriptExample"> <code>Example >></code></a></td></tr><tr><td class="confluenceTd"><strong>use-peer-dns</strong> (<em>yes | no</em>; Default: <strong>yes</strong>)</td><td class="confluenceTd">Whether to accept the <a href="https://help.mikrotik.com/docs/display/ROS/DNS" rel="nofollow"> DNS </a> settings advertised by <a href="https://help.mikrotik.com/docs/display/ROS/DHCP#DHCP-DHCPServer" rel="nofollow"> DHCP Server</a>. (Will override the settings put in the <code>/ip dns</code> submenu.)</td></tr><tr><td class="confluenceTd"><strong>use-peer-ntp</strong> (<em>yes | no</em>; Default: <strong>yes</strong>)</td><td class="confluenceTd">Whether to accept the <a class="external-link" href="https://wiki.mikrotik.com/wiki/Manual:System/Time#NTP_client_and_server" rel="nofollow" title="Manual:System/Time"> NTP</a> settings advertised by <a href="https://help.mikrotik.com/docs/display/ROS/DHCP#DHCP-DHCPServer" rel="nofollow"> DHCP Server</a>. 
(Will override the settings put in the <code>/system ntp client</code> submenu)</td></tr></tbody></table></div><p><strong>Read-only properties</strong></p><div class="table-wrap"><table class="wrapped relative-table confluenceTable" style="width: 70.2115%;"><colgroup><col style="width: 19.7282%;"/><col style="width: 80.2718%;"/></colgroup><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>address</strong> (<em>IP/Netmask</em>)</td><td class="confluenceTd">IP address and netmask, which is assigned to DHCP Client from the Server</td></tr><tr><td class="confluenceTd"><strong>dhcp-server</strong> (<em>IP</em>)</td><td class="confluenceTd">The IP address of the DHCP server.</td></tr><tr><td class="confluenceTd"><strong>expires-after</strong> (<em>time</em>)</td><td class="confluenceTd">A time when the lease expires (specified by the DHCP server).</td></tr><tr><td class="confluenceTd"><strong>gateway</strong> (<em>IP</em>)</td><td class="confluenceTd">The IP address of the gateway which is assigned by the DHCP server</td></tr><tr><td class="confluenceTd"><strong>invalid</strong> (<em>yes | no</em>)</td><td class="confluenceTd">Shows whether a configuration is invalid.</td></tr><tr><td class="confluenceTd"><strong>netmask</strong> (<em>IP</em>)</td><td class="confluenceTd"><br/></td></tr><tr><td class="confluenceTd"><strong>primary-dns</strong> (<em>IP</em>)</td><td class="confluenceTd">The IP address of the first DNS resolver, which was assigned by the DHCP server</td></tr><tr><td class="confluenceTd"><strong>primary-ntp</strong> (<em>IP</em>)</td><td class="confluenceTd">The IP address of the primary NTP server, assigned by the DHCP server</td></tr><tr><td class="confluenceTd"><strong>secondary-dns</strong> (<em>IP</em>)</td><td class="confluenceTd">The IP address of the second DNS resolver, assigned by the DHCP server</td></tr><tr><td class="confluenceTd"><strong>secondary-ntp</strong> 
(<em>IP</em>)</td><td class="confluenceTd">The IP address of the secondary NTP server, assigned by the DHCP server</td></tr><tr><td class="confluenceTd"><strong>status</strong> (<em>bound | error | rebinding... | requesting... | searching... | stopped</em>)</td><td class="confluenceTd">Shows the status of the DHCP Client</td></tr></tbody></table></div><p><strong><span class="mw-headline">Menu specific commands</span></strong></p><div class="table-wrap"><table class="wrapped relative-table confluenceTable" style="width: 70.2115%;"><colgroup><col style="width: 19.7625%;"/><col style="width: 80.2375%;"/></colgroup><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>release</strong> (<em>numbers</em>)</td><td class="confluenceTd">Release current binding and restart the DHCP client</td></tr><tr><td class="confluenceTd"><strong>renew</strong> (<em>numbers</em>)</td><td class="confluenceTd">Renew current leases. If the renewal operation was not successful, the client tries to reinitialize the lease (i.e. it starts the lease request procedure (rebind) as if it had not received an IP address yet)</td></tr></tbody></table></div><h2 id="DHCP-ConfigurationExamples">Configuration Examples</h2><h3 id="DHCP-SimpleDHCPclient">Simple DHCP client</h3><p>Add a DHCP client on the ether1 interface:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/ip dhcp-client add interface=ether1 disabled=no</pre>
</div></div><p>After the interface is added, you can use the "print" or "print detail" command to see what parameters the DHCP client acquired:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@MikroTik] ip dhcp-client> print detail
Flags: X - disabled, I - invalid
0 interface=ether1 add-default-route=yes use-peer-dns=yes use-peer-ntp=yes
status=bound address=192.168.0.65/24 gateway=192.168.0.1
dhcp-server=192.168.0.1 primary-dns=192.168.0.1 primary-ntp=192.168.0.1
expires-after=9m44s
[admin@MikroTik] ip dhcp-client></pre>
</div></div><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>If the interface used by the DHCP client is part of the VRF configuration, then the default route and other received routes from the DHCP server will be added to the VRF routing table.</p></div></div><p>DHCP client status can be checked with:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/ip dhcp-client print detail </pre>
</div></div><h3 id="DHCP-LeaseScriptExampleLeasescriptexample"><span class="confluence-anchor-link" id="DHCP-LeaseScriptExample"></span>Lease script example</h3><p>It is possible to execute a script when a DHCP client obtains a new lease or loses an existing one. This is an example script that automatically adds a default route with routing-table=WAN1 and removes it when the lease expires or is removed.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/ip dhcp-client
add add-default-route=no dhcp-options=hostname,clientid disabled=no interface=ether2 script="{\r\
\n :local rmark \"WAN1\"\r\
\n :local count [/ip route print count-only where comment=\"WAN1\"]\r\
\n :if (\$bound=1) do={\r\
\n :if (\$count = 0) do={\r\
\n /ip route add gateway=\$\"gateway-address\" comment=\"WAN1\" routing-table=\$rmark\r\
\n } else={\r\
\n :if (\$count = 1) do={\r\
\n :local test [/ip route find where comment=\"WAN1\"]\r\
\n :if ([/ip route get \$test gateway] != \$\"gateway-address\") do={\r\
\n /ip route set \$test gateway=\$\"gateway-address\"\r\
\n }\r\
\n } else={\r\
\n :error \"Multiple routes found\"\r\
\n }\r\
\n }\r\
\n } else={\r\
\n /ip route remove [find comment=\"WAN1\"]\r\
\n }\r\
\n}\r\
\n"</pre>
</div></div><h3 id="DHCP-Resolvedefaultgatewaywhen'router'(option3)isfromadifferentsubnet">Resolve default <span class="mw-headline">gateway when 'router' (option3) is from a different subnet</span></h3><p>In some cases, administrators tend to set the 'router' option to an address that cannot be resolved within the subnet of the offered IP address. For example, the DHCP server offers 192.168.88.100/24 to the client, and option 3 is set to 172.16.1.1. This will result in an unresolved default route:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence"> # DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 DS 0.0.0.0/0 172.16.1.1 1
1 ADC 192.168.88.0/24 192.168.88.100 ether1 </pre>
</div></div><p><span style="letter-spacing: 0.0px;">To fix this, we need to add a /32 route to resolve the gateway over ether1, which can be done by running the script below each time the DHCP client gets an address:</span></p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/system script add name="dhcpL" source={ /ip address add address=($"lease-address" . "/32") network=$"gateway-address" interface=$interface }</pre>
</div></div><p><span style="letter-spacing: 0.0px;">Now we can extend the script further to check whether the address already exists and to remove the old one if changes are needed:</span></p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/system script add name="dhcpL" source={
/ip address {
:local ipId [find where comment="dhcpL address"]
:if ($ipId != "") do={
:if (!([get $ipId address] = ($"lease-address" . "/32") && [get $ipId network]=$"gateway-address" )) do={
remove $ipId;
add address=($"lease-address" . "/32") network=$"gateway-address" \
interface=$interface comment="dhcpL address"
}
} else={
add address=($"lease-address" . "/32") network=$"gateway-address" \
interface=$interface comment="dhcpL address"
}
}
}</pre>
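<p>An added example, not part of the MikroTik documentation: a Python audit of <code>/ip dhcp-client print detail</code> output that flags clients bound to an unexpected DHCP server, clients that let the server override DNS or NTP, and the option 3 gateway that lies outside the lease subnet, as described above. The function names, finding labels, the expected-server map and the second sample entry are assumptions constructed for illustration.</p>

```python
import ipaddress
import re

# Constructed sample in the layout of `/ip dhcp-client print detail`.
# Entry 0 repeats the values shown on this page; entry 1 is invented to
# reproduce the "option 3 from a different subnet" case (its dhcp-server
# value is an assumption).
SAMPLE = """\
Flags: X - disabled, I - invalid
 0   interface=ether1 add-default-route=yes use-peer-dns=yes use-peer-ntp=yes
     status=bound address=192.168.0.65/24 gateway=192.168.0.1
     dhcp-server=192.168.0.1 primary-dns=192.168.0.1 primary-ntp=192.168.0.1
     expires-after=9m44s
 1   interface=ether2 add-default-route=yes use-peer-dns=no use-peer-ntp=no
     status=bound address=192.168.88.100/24 gateway=172.16.1.1
     dhcp-server=192.168.88.1 expires-after=5m
"""

# An entry starts with its number, optional flag letters, then key=value pairs.
ENTRY_START = re.compile(r"^\s*(\d+)\s+(?:([A-Z]+)\s+)?(?=[\w-]+=)")
KEY_VALUE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')


def parse_print_detail(text):
    """Return one dict per DHCP client entry, merging continuation lines."""
    entries = []
    for line in text.splitlines():
        start = ENTRY_START.match(line)
        if start:
            entries.append({"number": int(start.group(1)),
                            "flags": start.group(2) or ""})
        elif not entries or line.lstrip().startswith(("Flags:", "[")):
            continue  # flag legend, console prompt, or text before entry 0
        for key, value in KEY_VALUE.findall(line):
            entries[-1][key] = value.strip('"')
    return entries


def audit_client(entry, expected_servers):
    """List review findings for one bound client entry."""
    findings = []
    if entry.get("status") != "bound":
        return findings
    allowed = expected_servers.get(entry.get("interface"), set())
    if entry.get("dhcp-server") not in allowed:
        findings.append("unexpected-dhcp-server")
    # Both settings default to yes and override local DNS/NTP configuration.
    if entry.get("use-peer-dns", "yes") == "yes":
        findings.append("peer-dns-accepted")
    if entry.get("use-peer-ntp", "yes") == "yes":
        findings.append("peer-ntp-accepted")
    lease, gateway = entry.get("address"), entry.get("gateway")
    if lease and gateway:
        network = ipaddress.ip_interface(lease).network
        if ipaddress.ip_address(gateway) not in network:
            # Matches the unresolved default route case on this page.
            findings.append("gateway-outside-lease-subnet")
    return findings


def audit(text, expected_servers):
    """Map each client interface to its list of findings."""
    return {entry.get("interface", str(entry["number"])):
            audit_client(entry, expected_servers)
            for entry in parse_print_detail(text)}


if __name__ == "__main__":
    # Assumed allow-list of DHCP servers per interface.
    expected = {"ether1": {"192.168.0.1"}, "ether2": {"192.168.88.254"}}
    for interface, findings in audit(SAMPLE, expected).items():
        print(interface, findings or "ok")
```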
</div></div><h1 id="DHCP-DHCPv6Client">DHCPv6 Client</h1><h2 id="DHCP-Summary.1"><span class="mw-headline">Summary</span></h2><p><strong>Sub-menu:</strong><span> </span><code>/ipv6 dhcp-client</code></p><p>DHCP-client in RouterOS is capable of being a DHCPv6-client and DHCP-PD client. So it is able to get a prefix from the DHCP-PD server as well as the DHCPv6 stateful address from the DHCPv6 server.</p><h2 id="DHCP-Properties.1"><span class="mw-headline">Properties</span></h2><div class="table-wrap"><table class="wrapped relative-table confluenceTable" style="margin-left: 14.4318px;width: 60.8761%;"><colgroup><col style="width: 28.2958%;"/><col style="width: 71.7042%;"/></colgroup><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>add-default-route</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">Whether to add default IPv6 route after a client connects.</td></tr><tr><td class="confluenceTd"><strong>comment</strong><span> </span>(<em>string</em>; Default: )</td><td class="confluenceTd">Short description of the client</td></tr><tr><td class="confluenceTd"><strong>disabled</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd"><br/></td></tr><tr><td class="confluenceTd"><strong>interface</strong><span> </span>(<em>string</em>; Default: )</td><td class="confluenceTd">The interface on which the DHCPv6 client will be running.</td></tr><tr><td class="confluenceTd"><strong>pool-name</strong><span> </span>(<em>string</em>; Default: )</td><td class="confluenceTd">Name of the<span> </span><a href="https://help.mikrotik.com/docs/display/ROS/IP+Pools#IPPools-IPv6Pool" rel="nofollow">IPv6 pool</a><span> </span>in which received IPv6 prefix will be added</td></tr><tr><td class="confluenceTd"><strong>pool-prefix-length</strong><span> </span>(<em>string</em>; Default: )</td><td 
class="confluenceTd">Prefix length parameter that will be set for<span> </span>the <a href="https://help.mikrotik.com/docs/display/ROS/IP+Pools#IPPools-IPv6Pool" rel="nofollow">IPv6 pool</a><span> </span>in which the received IPv6 prefix is added. <span style="color: rgb(63,67,80);text-decoration: none;">Prefix length must be greater than or equal to the length of the received prefix</span>, otherwise, prefix-length will be set to received prefix length + 8 bits.</td></tr><tr><td class="confluenceTd"><strong>prefix-hint</strong><span> </span>(<em>string</em>; Default: )</td><td class="confluenceTd">Include a preferred prefix length.</td></tr><tr><td class="confluenceTd"><strong>request</strong><span> </span>(<em>prefix, address</em>; Default: )</td><td class="confluenceTd">Chooses whether the DHCPv6 request will ask for the address, the IPv6 prefix, or both.</td></tr><tr><td class="confluenceTd"><strong>script</strong><span> </span>(<em>string</em>; Default: )</td><td class="confluenceTd">Run this script on the DHCP-client status change. 
Available variables:<ul><li>pd-valid<span> </span>- if the prefix is acquired by the client;</li><li>pd-prefix<span> </span>- the prefix acquired by the client if any;</li><li>na-valid<span> </span>- if the address is acquired by the client;</li><li>na-address<span> </span>- the address acquired by the client if any.</li><li>options<span> </span>- array of received options (only ROSv7)</li></ul></td></tr><tr><td class="confluenceTd"><strong>use-peer-dns</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>yes</strong>)</td><td class="confluenceTd">Whether to accept the DNS settings advertised by the IPv6 DHCP Server.</td></tr></tbody></table></div><p><strong><span class="mw-headline">Read-only properties</span></strong></p><div class="table-wrap"><table class="wrapped relative-table confluenceTable" style="margin-left: 14.4318px;width: 60.8459%;"><colgroup><col style="width: 28.2233%;"/><col style="width: 71.7767%;"/></colgroup><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>duid</strong><span> </span>(<em>string</em>)</td><td class="confluenceTd">Auto-generated DUID that is sent to the server. 
DUID is generated using one of the MAC addresses available on the router.</td></tr><tr><td class="confluenceTd"><strong>request</strong><span> </span>(<em>list</em>)</td><td class="confluenceTd">specifies what was requested - prefix, address, or both.</td></tr><tr><td class="confluenceTd"><strong>dynamic</strong><span> </span>(<em>yes | no</em>)</td><td class="confluenceTd"><br/></td></tr><tr><td class="confluenceTd"><strong>expires-after</strong><span> </span>(<em>time</em>)</td><td class="confluenceTd">A time when the IPv6 prefix expires (specified by the DHCPv6 server).</td></tr><tr><td class="confluenceTd"><strong>invalid</strong><span> </span>(<em>yes | no</em>)</td><td class="confluenceTd">Shows whether a configuration is invalid.</td></tr><tr><td class="confluenceTd"><strong>prefix</strong><span> </span>(<em>IPv6 prefix</em>)</td><td class="confluenceTd">Shows received IPv6 prefix from DHCPv6-PD server</td></tr><tr><td class="confluenceTd"><strong>status</strong><span> </span>(<em>stopped | searching | requesting... | bound | renewing | rebinding | error | stopping</em>)</td><td class="confluenceTd">Shows the status of DHCPv6 Client:<ul><li><strong>stopped</strong><span> </span>- dhcpv6 client is stopped</li><li><strong>searching</strong><span> </span>- sending "solicit" and trying to get "advertise"</li><li><strong>requesting</strong><span> </span>- sent "request" waiting for "reply"</li><li><strong>bound</strong><span> </span>- received "reply". 
Prefix assigned.</li><li><strong>renewing</strong><span> </span>- sent "renew", waiting for "reply"</li><li><strong>rebinding</strong><span> </span>- sent "rebind", waiting for "reply"</li><li><strong>error</strong><span> </span>- reply was not received in time or some other error occurred.</li><li><strong>stopping</strong><span> </span>- sent "release"</li></ul></td></tr></tbody></table></div><p><strong><span class="mw-headline">Menu specific commands</span></strong></p><div class="table-wrap"><table class="wrapped relative-table confluenceTable" style="margin-left: 14.4318px;width: 60.8761%;"><colgroup><col style="width: 28.3537%;"/><col style="width: 71.6463%;"/></colgroup><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>release</strong><span> </span>(<em>numbers</em>)</td><td class="confluenceTd">Release current binding and restart DHCPv6 client</td></tr><tr><td class="confluenceTd"><strong>renew</strong><span> </span>(<em>numbers</em>)</td><td class="confluenceTd">Renew current leases. If the renewal operation was not successful, the client tries to reinitialize the lease (i.e. it starts the lease request procedure (rebind) as if it had not received an IP address yet)</td></tr></tbody></table></div><h2 id="DHCP-Script"><span class="mw-headline">Script</span></h2><p>It is possible to add a script that will be executed when a prefix or an address is acquired and applied or expires and is removed using the DHCP client. 
There are separate sets of variables whose values are set by the client depending on the prefix or address status change, as the client can acquire both and each of them can have a different effect on the router configuration.</p><p>Available variables for dhcp-client</p><ul><li>pd-valid<span> </span>- value - 1 or 0 - if prefix is acquired and it is applied or not</li><li>pd-prefix<span> </span>- value ipv6/num (ipv6 prefix with mask) - the prefix itself</li><li>na-valid<span> </span>- value - 1 or 0 - if address is acquired and it is applied or not</li><li>na-address<span> </span>- value - ipv6 address - the address</li></ul><h2 id="DHCP-IAID">IAID</h2><p>To determine what IAID will be used, convert the internal ID of an interface on which the DHCP client is running from hex to decimal.</p><p>For example, the DHCP client is running on interface PPPoE-out1. To get the internal ID, use the following command:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@t36] /interface> :put [find name="pppoe-out1"]
*15</pre>
</div></div><p><br/></p><p>Now convert hex value 15 to decimal and you get IAID=21</p><h2 id="DHCP-ConfigurationExamples.1"><span class="mw-headline">Configuration Examples</span></h2><h3 id="DHCP-SimpleDHCPv6client">Simple DHCPv6 client</h3><p>This simple example demonstrates how to enable the DHCP client to receive an IPv6 prefix and add it to the pool.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/ipv6 dhcp-client add request=prefix pool-name=test-ipv6 pool-prefix-length=64 interface=ether13
</pre>
</div></div><p><br/></p><p>The detailed print should show the status of the client, and we can verify whether the prefix was received</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@x86-test] /ipv6 dhcp-client> print detail
Flags: D - dynamic, X - disabled, I - invalid
0 interface=bypass pool-name="test-ipv6" pool-prefix-length=64 status=bound
prefix=2001:db8:7501:ff04::/62 expires-after=2d23h11m53s request=prefix</pre>
</div></div><p><br/></p><p>Notice that the server gave us the prefix 2001:db8:7501:ff04::/62. It should also be added to the IPv6 pools</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@MikroTik] /ipv6 pool> print
Flags: D - dynamic
# NAME PREFIX REQUEST PREFIX-LENGTH
0 D test-ipv6 2001:db8:7501:ff04::/62 prefix 64
</pre>
</div></div><p><span>It works! Now you can use this pool, for example, for PPPoE clients.</span></p><h3 id="DHCP-UsereceivedprefixforlocalRA"><span class="mw-headline">Use received prefix for local RA</span></h3><p>Consider the following setup:</p><p><span class="confluence-embedded-file-wrapper"><img class="confluence-embedded-image" draggable="false" src="https://help.mikrotik.com/docs/download/attachments/24805500/Dhcpv6-pd-example.jpg?version=1&modificationDate=1657264950828&api=v2" data-image-src="https://help.mikrotik.com/docs/download/attachments/24805500/Dhcpv6-pd-example.jpg?version=1&modificationDate=1657264950828&api=v2" data-unresolved-comment-count="0" data-linked-resource-id="135856337" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="Dhcpv6-pd-example.jpg" data-base-url="https://help.mikrotik.com/docs" data-linked-resource-content-type="image/jpeg" data-linked-resource-container-id="24805500" data-linked-resource-container-version="40" alt=""></span></p><ul><li>The ISP is routing prefix 2001:DB8::/62 to the router R1</li><li>Router R1 runs a DHCPv6 server to delegate /64 prefixes to the customer routers CE1 and CE2</li><li>The DHCP client on routers CE1 and CE2 receives a delegated /64 prefix from the DHCP server (R1).</li><li>The client routers use the received prefix to set up RA on the local interface</li></ul><p><br/></p><p><strong>Configuration</strong></p><p><br/><strong>R1</strong></p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/ipv6 route
add gateway=fe80::1:1%to-ISP
/ipv6 pool
add name=myPool prefix=2001:db8::/62 prefix-length=64
/ipv6 dhcp-server
add address-pool=myPool disabled=no interface=to-CE-routers lease-time=3m name=server1</pre>
</div></div><p style="margin-left: 20.0px;"><br/></p><p><br/><strong>CE1</strong></p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/ipv6 dhcp-client
add interface=to-R1 request=prefix pool-name=my-ipv6
/ipv6 address
add address=::1/64 from-pool=my-ipv6 interface=to-clients advertise=yes
</pre>
</div></div><p style="margin-left: 20.0px;"><br/></p><p><strong>CE2</strong></p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/ipv6 dhcp-client
add interface=to-R1 request=prefix pool-name=my-ipv6
/ipv6 address add address=::1/64 from-pool=my-ipv6 interface=to-clients advertise=yes</pre>
</div></div><p style="margin-left: 20.0px;"><br/></p><p><br/><strong>Check the status</strong></p><p>After configuration is complete we can verify that each CE router received its own prefix</p><p>On server:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@R1] /ipv6 dhcp-server binding> print
Flags: X - disabled, D - dynamic
# ADDRESS DUID IAID SERVER STATUS
1 D 2001:db8:1::/64 0019d1393536 566 server1 bound
2 D 2001:db8:2::/64 0019d1393535 565 server1 bound</pre>
</div></div><p style="margin-left: 20.0px;"><br/></p><p>On client:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@CE1] /ipv6 dhcp-client> print
Flags: D - dynamic, X - disabled, I - invalid
# INTERFACE STATUS REQUEST PREFIX
0 to-R1 bound prefix 2001:db8:1::/64
[admin@CE1] /ipv6 dhcp-client> /ipv6 pool print
Flags: D - dynamic
# NAME PREFIX PREFIX-LENGTH
0 D my-ipv6 2001:db8:1::/64 64</pre>
</div></div><p style="margin-left: 20.0px;"><br/></p><p>We can also see that IPv6 address was automatically added from the prefix pool:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@CE1] /ipv6 address> print
Flags: X - disabled, I - invalid, D - dynamic, G - global, L - link-local
# ADDRESS FROM-POOL INTERFACE ADVERTISE
0 G 2001:db8:1::1/64 to-clients yes
..</pre>
</div></div><p style="margin-left: 20.0px;"><br/></p><p>And pool usage shows that 'Address' is allocating the pool</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@CE1] /ipv6 pool used> print
POOL PREFIX OWNER INFO
my-ipv6 2001:db8:1::/64 Address to-clients</pre>
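<p>The verification described under "Check the status" can be automated. The following Python is an added example, not part of the MikroTik documentation: it applies the pool-prefix-length rule and the IAID hex-to-decimal conversion described above, then audits binding rows for prefixes that fall outside the pool or were delegated twice. The function names, issue labels and sample rows are assumptions constructed for illustration.</p>

```python
import ipaddress

# Constructed sample in the column layout of "/ipv6 dhcp-server binding print".
# Prefixes, DUIDs and IAIDs are made up for this example.
SAMPLE_BINDINGS = """\
[admin@R1] /ipv6 dhcp-server binding> print
Flags: X - disabled, D - dynamic
 # ADDRESS DUID IAID SERVER STATUS
 0 D 2001:db8:0:1::/64 0019d1393536 566 server1 bound
 1 D 2001:db8:0:2::/64 0019d1393535 565 server1 bound
 2 D 2001:db8:0:2::/64 0019d13935aa 21 server1 bound
 3 D 2001:db8:1::/64 0019d13935bb 7 server1 bound
"""


def effective_pool_prefix_length(received_prefix, configured_length):
    """pool-prefix-length rule from the Properties table: a configured length
    shorter than the received prefix becomes received prefix length + 8 bits."""
    received = ipaddress.IPv6Network(received_prefix)
    if configured_length >= received.prefixlen:
        return configured_length
    return received.prefixlen + 8


def iaid_from_internal_id(internal_id):
    """Convert an internal interface ID such as '*15' (hex) to the decimal IAID."""
    return int(internal_id.lstrip("*"), 16)


def parse_bindings(text):
    """Turn the data rows of a binding print into dicts; skip prompt and headers."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows start with the row number and carry at least five columns.
        if len(fields) < 6 or not fields[0].isdigit():
            continue
        # The flags column (for example "D") is absent when no flag is set.
        has_flags = "/" not in fields[1]
        rest = fields[2:] if has_flags else fields[1:]
        if len(rest) < 5:
            continue
        prefix, duid, iaid, server, status = rest[:5]
        rows.append({
            "row": int(fields[0]),
            "flags": fields[1] if has_flags else "",
            "prefix": ipaddress.IPv6Network(prefix),
            "duid": duid,
            "iaid": int(iaid),
            "server": server,
            "status": status,
        })
    return rows


def audit_bindings(pool_prefix, pool_prefix_length, bindings):
    """Return (row, issue) pairs for bindings that do not fit the server pool."""
    pool = ipaddress.IPv6Network(pool_prefix)
    findings = []
    accepted = []
    for binding in bindings:
        net = binding["prefix"]
        if not net.subnet_of(pool):
            findings.append((binding["row"], "outside-pool"))
            continue
        if net.prefixlen != pool_prefix_length:
            findings.append((binding["row"], "unexpected-length"))
        # Each CE router must hold its own prefix: flag any overlap.
        clash = next((o for o in accepted if net.overlaps(o["prefix"])), None)
        if clash is not None:
            findings.append((binding["row"], "overlaps-row-%d" % clash["row"]))
        accepted.append(binding)
    return findings


if __name__ == "__main__":
    print(effective_pool_prefix_length("2001:db8:7501:ff04::/62", 64))
    print(iaid_from_internal_id("*15"))
    for row, issue in audit_bindings("2001:db8::/62", 64,
                                     parse_bindings(SAMPLE_BINDINGS)):
        print("row", row, issue)
```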
</div></div><h1 id="DHCP-DHCPServer"><span style="font-size: 24.0px;letter-spacing: -0.01em;">DHCP Server</span></h1><h2 id="DHCP-Summary.2"><span style="font-size: 24.0px;letter-spacing: -0.01em;">Summary</span></h2><p>The DHCP (Dynamic Host Configuration Protocol) is used for the easy distribution of IP addresses in a network. The MikroTik RouterOS implementation includes both server and client parts and is compliant with RFC 2131.</p><p>The router supports an individual server for each Ethernet-like interface. The MikroTik RouterOS DHCP server supports the basic functions of giving each requesting client an IP address/netmask lease, default gateway, domain name, DNS-server(s) and WINS-server(s) (for Windows clients) information (set up in the DHCP networks submenu).</p><p>In order for the DHCP server to work, IP pools (do not include the DHCP server's own IP address in the pool range) and the DHCP networks must also be configured.</p><p>It is also possible to hand out leases for DHCP clients using the RADIUS server; the supported parameters for a RADIUS server are as follows:</p><p><br/>Access-Request:</p><ul class="bullets"><li>NAS-Identifier - router identity</li><li>NAS-IP-Address - IP address of the router itself</li><li>NAS-Port - unique session ID</li><li>NAS-Port-Type - Ethernet</li><li>Calling-Station-Id - client identifier (active-client-id)</li><li>Framed-IP-Address - IP address of the client (active-address)</li><li>Called-Station-Id - the name of DHCP server</li><li>User-Name - MAC address of the client (active-mac-address)</li><li>Password - " "</li></ul><p>Access-Accept:</p><ul class="bullets"><li>Framed-IP-Address - IP address that will be assigned to a client</li><li>Framed-Pool - IP pool from which to assign an IP address to a client</li><li>Rate-Limit - Datarate limitation for DHCP clients. 
Format is: rx-rate[/tx-rate] [rx-burst-rate[/tx-burst-rate] [rx-burst-threshold[/tx-burst-threshold] [rx-burst-time[/tx-burst-time][priority] [rx-rate-min[/tx-rate-min]]]]. All rates should be numbers with optional 'k' (1,000s) or 'M' (1,000,000s). If tx-rate is not specified, rx-rate is used as tx-rate too. The same goes for tx-burst-rate, tx-burst-threshold and tx-burst-time. If both rx-burst-threshold and tx-burst-threshold are not specified (but burst-rate is specified), rx-rate and tx-rate are used as burst thresholds. If both rx-burst-time and tx-burst-time are not specified, 1s is used as default. Priority takes values 1..8, where 1 implies the highest priority and 8 the lowest. If rx-rate-min and tx-rate-min are not specified, rx-rate and tx-rate values are used. The rx-rate-min and tx-rate-min values cannot exceed rx-rate and tx-rate values.</li><li>Ascend-Data-Rate - TX/RX data rate limitation; if multiple attributes are provided, the first limits the TX data rate, the second the RX data rate. If used together with Ascend-Xmit-Rate, specifies RX rate. 0 if unlimited</li><li>Ascend-Xmit-Rate - TX data rate limitation. It may be used to specify the TX limit only instead of sending two sequential Ascend-Data-Rate attributes (in that case Ascend-Data-Rate will specify the receive rate). 0 if unlimited</li><li>Session-Timeout - max lease time (lease-time)</li></ul><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p><span style="color: rgb(34,34,34);">DHCP server requires a real interface to receive raw ethernet packets. If the interface is a Bridge interface, then the Bridge must have a real interface attached as a port to that bridge which will receive the raw ethernet packets. 
It cannot function correctly on a dummy (empty bridge) interface.</span></p></div></div><h2 id="DHCP-DHCPServerProperties"><span>DHCP Server P</span><span class="mw-headline">roperties</span></h2><div class="table-wrap"><table class="relative-table wrapped confluenceTable" style="width: 98.4977%;"><colgroup><col style="width: 27.3701%;"/><col style="width: 72.5886%;"/></colgroup><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>add-arp</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">Whether to add dynamic ARP entry. If set to <strong>no</strong> either<span> </span>ARP mode<span> </span>should be enabled on that interface or static<span> </span>ARP<span> </span>entries should be administratively defined in<span> </span><em>/ip arp</em><span> </span>submenu.</td></tr><tr><td class="confluenceTd"><strong>address-pool</strong><span> </span>(<em>string | static-only</em>; Default:<span> </span><strong>static-only</strong>)</td><td class="confluenceTd">IP pool, from which to take IP addresses for the clients. If set to<span> </span><strong>static-only</strong>, then only the clients that have a static lease (added in<span> the </span>lease<span> </span>submenu) will be allowed.</td></tr><tr><td class="confluenceTd"><strong>allow-dual-stack-queue</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>yes</strong>)</td><td class="confluenceTd">Creates a single simple queue entry for both IPv4 and IPv6 addresses, and uses the MAC address and DUID for identification. 
Requires<span> </span>IPv6 DHCP Server<span> </span>to have this option enabled as well to work properly.</td></tr><tr><td class="confluenceTd"><strong>always-broadcast</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd"><p>Changes whether to force broadcast DHCP replies:</p><ul><li>no - replies are sent based on the client's broadcast flag. If the server sends three consecutive offers, the third and fourth offer will be sent as a broadcast;</li><li>yes - replies are always broadcast even when the client has not specified the broadcast flag.</li></ul></td></tr><tr><td class="confluenceTd"><strong>authoritative</strong><span> </span>(<em>after-10sec-delay | after-2sec-delay | yes | no</em>; Default:<span> </span><strong>yes</strong>)</td><td class="confluenceTd">Changes the way the server responds to DHCP requests:<ul><li>yes<span> </span>- when a client requests an address that is not available from this server, the DHCP server will send a negative acknowledgment (DHCPNAK);</li><li>no<span> </span>- DHCP server ignores clients' requests for addresses that are not available from this server;</li></ul><ul><li>after-10sec-delay<span> </span>- requests with "secs < 10" will be processed as in "no" setting case and requests with "secs >= 10" will be processed as in "yes" case;</li></ul><ul><li>after-2sec-delay<span> </span>- requests with "secs < 2" will be processed as in "no" setting case and requests with "secs >= 2" will be processed as in "yes" case;</li></ul><p><br/></p>If all requests with "secs < x" should be ignored, then<span> </span><strong>delay-threshold=x</strong><span> </span>setting should be used.</td></tr><tr><td class="confluenceTd"><strong>bootp-lease-time</strong><span> </span>(<em>forever | lease-time | time</em>; Default:<span> <strong>forever</strong></span>)</td><td class="confluenceTd">Accepts two predefined options or time value:<ul><li>forever<span> </span>- lease 
never expires</li><li>lease-time<span> </span>- use time from lease-time parameter</li></ul></td></tr><tr><td class="confluenceTd"><strong>bootp-support</strong><span> </span>(<em>none | static | dynamic</em>; Default:<span> </span><strong>static</strong>)</td><td class="confluenceTd">Support for BOOTP clients:<ul><li>none<span> </span>- do not respond to BOOTP requests</li><li>static<span> </span>- offer only static leases to BOOTP clients</li><li>dynamic<span> </span>- offer static and dynamic leases for BOOTP clients</li></ul></td></tr><tr><td class="confluenceTd"><strong>client-mac-limit</strong><span> </span>(<em>integer | unlimited</em>; Default:<span> </span><strong>unlimited</strong>)</td><td class="confluenceTd">Specifies whether to limit a specific number of clients per single MAC address or leave<span> </span>unlimited. Note that this setting should not be used in relay setups.</td></tr><tr><td class="confluenceTd"><strong>conflict-detection</strong><span> </span>(<em>yes | no</em>; Default:<span> <strong>yes</strong></span>)</td><td class="confluenceTd">Allows disabling/enabling conflict detection. If the option is enabled, then whenever the server tries to assign a lease it will send ICMP and ARP messages to detect whether such an address already exists in the network. If any of the above gets a reply, the address is considered already in use. </td></tr><tr><td class="confluenceTd"><strong>delay-threshold</strong><span> </span>(<em>time | none</em>; Default:<span> </span><strong>none</strong>)</td><td class="confluenceTd">If the secs field in the DHCP packet is smaller than the delay threshold, then this packet is ignored. 
If set to<span> </span><strong>none</strong><span> </span>- there is no threshold (all DHCP packets are processed)</td></tr><tr><td class="confluenceTd"><strong>dhcp-option-set</strong><span> </span>(<em>name | none</em>; Default:<span> <strong>none</strong></span>)</td><td class="confluenceTd">Use a custom set of DHCP options defined in the option sets menu.</td></tr><tr><td class="confluenceTd"><strong>insert-queue-before</strong><span> </span>(<em>bottom | first | name</em>; Default:<span> <strong>first</strong></span>)</td><td class="confluenceTd">Specify where to place dynamic simple queue entries for static DHCP leases with<span> a </span>rate-limit<span> </span>parameter set.</td></tr><tr><td class="confluenceTd"><strong>interface</strong><span> </span>(<em>string</em>; Default:<span> </span>)</td><td class="confluenceTd">The interface on which the DHCP server will be running.</td></tr><tr><td class="confluenceTd"><strong>lease-script</strong><span> </span>(<em>string</em>; Default:<span> </span><strong>""</strong>)</td><td class="confluenceTd">A script that will be executed after a lease is assigned or de-assigned. Internal "global" variables that can be used in the script:<ul><li>leaseBound<span> </span>- set to "1" if bound, otherwise set to "0"</li><li>leaseServerName<span> </span>- DHCP server name</li><li>leaseActMAC<span> </span>- active mac address</li><li>leaseActIP<span> </span>- active IP address</li><li>lease-hostname<span> </span>- client hostname</li><li>lease-options<span> </span>- an array of received options</li></ul></td></tr><tr><td class="confluenceTd"><strong>lease-time</strong><span> </span>(<em>time</em>; Default:<span> <strong>3</strong></span><strong>0m</strong>)</td><td class="confluenceTd">The time that a client may use the assigned address. 
The client will try to renew this address after half of this time and will request a new address after the time limit expires.</td></tr><tr><td class="confluenceTd"><strong>name</strong><span> </span>(<em>string</em>; Default:<span> </span>)</td><td class="confluenceTd">Reference name</td></tr><tr><td class="confluenceTd"><span style="color: rgb(0,0,0);"><strong>parent-queue</strong> (<em>string | none</em>; Default: <strong>none</strong>)</span></td><td class="confluenceTd">A dynamically created queue for this lease will be configured as a child queue of the specified parent queue.</td></tr><tr><td class="confluenceTd"><strong>relay</strong><span> </span>(<em>IP</em>; Default:<span> </span><strong>0.0.0.0</strong>)</td><td class="confluenceTd">The IP address of the relay this DHCP server should process requests from:<ul><li>0.0.0.0<span> </span>- the DHCP server will be used only for direct requests from clients (no DHCP relay allowed)</li><li>255.255.255.255<span> </span>- the DHCP server should be used for any incoming request from a DHCP relay except for those, which are processed by another DHCP server that exists in the<span> </span><code>/ip dhcp-server</code><span> </span>submenu.</li></ul></td></tr><tr><td class="confluenceTd"><span style="color: rgb(0,0,0);"><strong>server-address</strong> (<em>IP</em>; Default: <strong>0.0.0.0</strong>)</span></td><td class="confluenceTd"><span style="color: rgb(0,0,0);">The IP address of the server to use in the next step of the client's bootstrap process (For example, to assign a specific server address in case several addresses are assigned to the interface)</span></td></tr><tr><td class="confluenceTd"><strong>use-framed-as-classless</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>yes</strong>)</td><td class="confluenceTd">Forward RADIUS Framed-Route as a DHCP Classless-Static-Route to DHCP-client. 
Whenever both Framed-Route and Classless-Static-Route are received Classless-Static-Route is preferred.</td></tr><tr><td class="confluenceTd"><strong>use-radius</strong><span> </span>(<em>yes | no | accounting</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">Whether to use RADIUS server:<ul><li>no<span> </span>- do not use RADIUS;</li><li>yes<span> </span>- use RADIUS for accounting and lease;</li><li>accounting<span> </span>- use RADIUS for accounting only.</li></ul></td></tr></tbody></table></div><h2 id="DHCP-Leases"><span style="color: rgb(34,34,34);">Leases</span></h2><p><strong>Sub-menu:</strong> <code>/ip dhcp-server lease</code></p><p>DHCP server lease submenu is used to monitor and manage server leases. The issued leases are shown here as dynamic entries. You can also add static leases to issue a specific IP address to a particular client (identified by MAC address).</p><p>Generally, the DHCP lease is allocated as follows:</p><ul class="bullets"><li>an unused lease is in the "waiting" state</li><li>if a client asks for an IP address, the server chooses one</li><li>if the client receives a statically assigned address, the lease becomes offered, and then bound with the respective lease time</li><li>if the client receives a dynamic address (taken from an IP address pool), the router sends a ping packet and waits for an answer for 0.5 seconds. During this time, the lease is marked testing</li><li>in the case where the address does not respond, the lease becomes offered and then bound with the respective lease time</li><li>in other cases, the lease becomes busy for the lease time (there is a command to retest all busy addresses), and the client's request remains unanswered (the client will try again shortly)</li></ul><p>A client may free the leased address. The dynamic lease is removed, and the allocated address is returned to the address pool. 
But the static lease becomes busy until the client reacquires the address.</p><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p><span style="color: rgb(34,34,34);">IP addresses assigned statically are not probed!</span></p></div></div><p><br/></p><div class="table-wrap"><table class="relative-table wrapped confluenceTable" style="margin-left: 21.0px;width: 98.4977%;"><colgroup><col style="width: 27.3816%;"/><col style="width: 72.619%;"/></colgroup><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>address</strong><span> </span>(<em>IP</em>; Default:<span> <strong>0.0.0.0</strong></span>)</td><td class="confluenceTd">Specify IP address (or ip pool) for static lease. If set to<span> </span><strong>0.0.0.0</strong><span> </span>- a pool from the DHCP server will be used</td></tr><tr><td class="confluenceTd"><strong>address-list</strong><span> </span>(<em>string</em>; Default:<span> <strong>none</strong></span>)</td><td class="confluenceTd">Address list to which address will be added if the lease is bound.</td></tr><tr><td class="confluenceTd"><strong>allow-dual-stack-queue</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>yes</strong>)</td><td class="confluenceTd">Creates a single simple queue entry for both IPv4 and IPv6 addresses, and uses the MAC address and DUID for identification. 
Requires<span> </span><a href="https://help.mikrotik.com/docs/display/ROS/DHCP#DHCP-DHCPv6Server" rel="nofollow">IPv6 DHCP Server</a><span> </span>to have this option enabled as well to work properly.</td></tr><tr><td class="confluenceTd"><strong>always-broadcast</strong><span> </span>(<em>yes | no</em>; Default: <strong>no</strong>)</td><td class="confluenceTd"><p>Changes whether to force broadcast DHCP replies:</p><ul><li>no - replies are sent based on the client's broadcast flag. If the server sends three consecutive offers, the third and forth offer will be sent as a broadcast;</li><li>yes - replies are always broadcasted even when the client has not specified the broadcast flag.</li></ul></td></tr><tr><td class="confluenceTd"><strong>block-access</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">Block access for this client</td></tr><tr><td class="confluenceTd"><strong>client-id</strong><span> </span>(<em>string</em>; Default:<span> <strong>none</strong></span>)</td><td class="confluenceTd">If specified, must match the DHCP 'client identifier' option of the request</td></tr><tr><td class="confluenceTd"><strong>dhcp-option</strong><span> </span>(<em>string</em>; Default:<span> <strong>none</strong></span>)</td><td class="confluenceTd">Add additional DHCP options from<span> </span><a href="https://help.mikrotik.com/docs/display/ROS/DHCP#DHCP-DHCPOptions.1" rel="nofollow">option list</a>.</td></tr><tr><td class="confluenceTd"><strong>dhcp-option-set</strong><span> </span>(<em>string</em>; Default:<span> <strong>none</strong></span>)</td><td class="confluenceTd">Add an additional set of DHCP options.</td></tr><tr><td class="confluenceTd"><strong>insert-queue-before</strong><span> </span>(<em>bottom | first | name</em>; Default:<span> <strong>first</strong></span>)</td><td class="confluenceTd">Specify where to place dynamic simple queue entries for static DCHP leases with<span> </span>rate-limit<span> 
</span>parameter set.</td></tr><tr><td class="confluenceTd"><strong>lease-time</strong><span> </span>(<em>time</em>; Default:<span> </span><strong>0s</strong>)</td><td class="confluenceTd">Time that the client may use the address. If set to<span> </span><strong>0s</strong>,<span> </span>the lease will never expire.</td></tr><tr><td class="confluenceTd"><strong>mac-address</strong><span> </span>(<em>MAC</em>; Default:<span> </span><strong>00:00:00:00:00:00</strong>)</td><td class="confluenceTd">If specified, must match the MAC address of the client</td></tr><tr><td class="confluenceTd"><span style="color: rgb(0,0,0);"><strong>parent-queue</strong> (<em>string | none</em>; Default: <strong>none</strong>)</span></td><td class="confluenceTd">A dynamically created queue for this lease will be configured as a child queue of the specified parent queue.</td></tr><tr><td class="confluenceTd"><span style="color: rgb(0,0,0);"><strong>queue-type</strong> (<em>default, ethernet-default, multi-queue-ethernet-default, pcq-download-default, synchronous-default, default-small, hotspot-default, only-hardware-queue, pcq-upload-default, wireless-default</em>)</span></td><td class="confluenceTd"><span style="color: rgb(0,0,0);">Queue type that can be assigned to the specific lease</span></td></tr><tr><td class="confluenceTd"><span style="color: rgb(0,51,102);"><strong>rate-limit</strong> (<em>integer[/integer] [integer[/integer] [integer[/integer] [integer[/integer]]]];</em>; Default: )</span></td><td class="confluenceTd">Adds a dynamic simple queue to limit the IP's bandwidth to a specified rate. Requires the lease to be static. Format is: rx-rate[/tx-rate] [rx-burst-rate[/tx-burst-rate] [rx-burst-threshold[/tx-burst-threshold] [rx-burst-time[/tx-burst-time]]]]. All rates should be numbers with optional 'k' (1,000s) or 'M' (1,000,000s). If tx-rate is not specified, rx-rate is used as tx-rate too. The same goes for tx-burst-rate, tx-burst-threshold and tx-burst-time. 
If both rx-burst-threshold and tx-burst-threshold are not specified (but burst-rate is specified), rx-rate and tx-rate are used as burst thresholds. If both rx-burst-time and tx-burst-time are not specified, 1s is used as the default.</td></tr><tr><td class="confluenceTd"><span style="color: rgb(0,0,0);"><em><strong>routes</strong></em> ([dst-address/mask] [gateway] [distance]; Default: <em><strong>none</strong></em>)</span></td><td class="confluenceTd"><p><span style="color: rgb(0,0,0);">Routes that appear on the server when the client is connected. It is possible to specify multiple routes separated by commas. This setting will be ignored for OpenVPN.</span></p></td></tr><tr><td class="confluenceTd"><strong>server</strong><span> </span>(<em>string</em>)</td><td class="confluenceTd">Server name which serves this client</td></tr><tr><td class="confluenceTd"><strong>use-src-mac<span> </span>(<em>yes | no</em>; Default:<span> </span>no)</strong></td><td class="confluenceTd">When this option is set, the server uses the source MAC address instead of the received CHADDR to assign the address.</td></tr></tbody></table></div><h3 id="DHCP-Menuspecificcommands"><span class="mw-headline">Menu specific commands</span></h3><div class="table-wrap"><table class="relative-table wrapped confluenceTable" style="width: 77.8319%;"><colgroup><col style="width: 7.68242%;"/><col style="width: 92.3176%;"/></colgroup><tbody><tr><td class="confluenceTd"><strong>check-status</strong><span> </span>(<em>id</em>)</td><td class="confluenceTd">Check the status of a given busy (status is conflict or declined) dynamic lease, and free it in case of no response</td></tr><tr><td class="confluenceTd"><strong>make-static</strong><span> </span>(<em>id</em>)</td><td class="confluenceTd">Convert a dynamic lease to a static one</td></tr></tbody></table></div><h3 id="DHCP-StoreConfiguration"><span class="mw-headline">Store Configuration</span></h3><p><strong>Sub-menu:</strong> <code>/ip dhcp-server 
config</code></p><p><strong>Store Leases On Disk:</strong> The configuration of how often the DHCP leases will be stored on disk. If they would be saved on a disk on every lease change, a lot of disk writes would happen which is very bad for Compact Flash (especially, if lease times are very short). To minimize writes on disk, all changes are saved on disk every store-leases-disk seconds. Additionally, leases are always stored on disk on graceful shutdown and reboot.</p><p><span style="color: rgb(34,34,34);">Manual changes to leases - addition/removal of a static lease, removal of a dynamic lease will cause changes to be pushed for this lease to storage.</span></p><p><strong>Accounting:</strong> The accounting parameter in the DHCP server configuration enables or disables accounting for DHCP leases. When accounting is enabled, the DHCP server logs information about IP address assignments and lease renewals. This information can be useful for tracking and monitoring network usage, analyzing traffic patterns, or generating reports on IP address allocations.</p><p><strong>Interim-update:</strong> The interim-update parameter determines whether the DHCP server sends periodic updates to the accounting server during a lease. These updates provide information about the lease duration, usage, and other relevant details. Enabling interim updates allows for more accurate tracking of lease activity.</p><p><strong>Radius-password:</strong> The radius-password parameter is used to set the password for the RADIUS (Remote Authentication Dial-In User Service) server. RADIUS is a networking protocol commonly used for providing centralized authentication, authorization, and accounting for network access. When configuring the DHCP server to communicate with a RADIUS server for authentication or accounting purposes, you need to specify the correct password to establish a secure connection. 
This parameter ensures that the DHCP server can authenticate with the RADIUS server using the specified password.</p><h3 id="DHCP-Ratelimiting"><span style="letter-spacing: -0.006em;">Rate limiting</span></h3><p>It is possible to limit the bandwidth of a specific IPv4 address by using DHCPv4 leases. This is done by setting a rate limit on the DHCPv4 lease itself; a dynamic simple queue rule is then added for the IPv4 address that corresponds to the DHCPv4 lease. By using the<em> rate-limit</em> parameter you can conveniently limit a user's bandwidth.</p><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>For any queues to work properly, the traffic must not be FastTracked. Make sure your Firewall does not FastTrack traffic that you want to limit.</p></div></div><p><br/>First, make the DHCPv4 lease static; otherwise, it will not be possible to set a rate limit on the DHCPv4 lease:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@MikroTik] > /ip dhcp-server lease print
Flags: X - disabled, R - radius, D - dynamic, B - blocked
# ADDRESS MAC-ADDRESS HOST-NAME SERVER RATE-LIMIT STATUS
0 D 192.168.88.254 6C:3B:6B:7C:41:3E MikroTik DHCPv4_Server bound
[admin@MikroTik] > /ip dhcp-server lease make-static 0
[admin@MikroTik] > /ip dhcp-server lease print
Flags: X - disabled, R - radius, D - dynamic, B - blocked
# ADDRESS MAC-ADDRESS HOST-NAME SERVER RATE-LIMIT STATUS
0 192.168.88.254 6C:3B:6B:7C:41:3E MikroTik DHCPv4_Server bound</pre>
</div></div><p><br/>Then you can set a rate to a DHCPv4 lease that will create a new dynamic simple queue entry:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@MikroTik] > /ip dhcp-server lease set 0 rate-limit=10M/10M
[admin@MikroTik] > /queue simple print
Flags: X - disabled, I - invalid, D - dynamic
0 D name="dhcp-ds<6C:3B:6B:7C:41:3E>" target=192.168.88.254/32 parent=none packet-marks="" priority=8/8 queue=default-small/default-small limit-at=10M/10M max-limit=10M/10M burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s
bucket-size=0.1/0.1</pre>
</div></div><p><br/></p><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>By default, allow-dual-stack-queue is enabled. This adds a single dynamic simple queue entry for both the DHCPv6 binding and the DHCPv4 lease; without this option enabled, separate dynamic simple queue entries will be added for IPv6 and IPv4.</p></div></div><p>If<em> allow-dual-stack-queue</em> is enabled, then a single dynamic simple queue entry will be created containing both IPv4 and IPv6 addresses:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@MikroTik] > /queue simple print
Flags: X - disabled, I - invalid, D - dynamic
0 D name="dhcp-ds<6C:3B:6B:7C:41:3E>" target=192.168.88.254/32,fdb4:4de7:a3f8:418c::/66 parent=none packet-marks="" priority=8/8 queue=default-small/default-small limit-at=10M/10M max-limit=10M/10M burst-limit=0/0 burst-threshold=0/0
burst-time=0s/0s bucket-size=0.1/0.1 </pre>
</div></div><h2 id="DHCP-Network">Network</h2><p><strong>Sub-menu:</strong> <code>/ip dhcp-server network</code></p><p><strong><span class="mw-headline">Properties</span></strong></p><div class="table-wrap"><table class="relative-table wrapped confluenceTable" style="margin-left: 18.0781px;width: 98.4729%;"><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>address</strong><span> </span>(<em>IP/netmask</em>; Default: )</td><td class="confluenceTd">the network DHCP server(s) will lease addresses from</td></tr><tr><td class="confluenceTd"><strong>boot-file-name</strong><span> </span>(<em>string</em>; Default: )</td><td class="confluenceTd">Boot filename</td></tr><tr><td class="confluenceTd"><strong>caps-manager</strong><span> </span>(<em>string</em>; Default: )</td><td class="confluenceTd">A comma-separated list of IP addresses for one or more CAPsMAN system managers. DHCP Option 138 (capwap) will be used.</td></tr><tr><td class="confluenceTd"><strong>dhcp-option</strong><span> </span>(<em>string</em>; Default: )</td><td class="confluenceTd">Add additional DHCP options from<span> the </span>option list.</td></tr><tr><td class="confluenceTd"><strong>dhcp-option-set</strong><span> </span>(<em>string</em>; Default: )</td><td class="confluenceTd">Add an additional set of DHCP options.</td></tr><tr><td class="confluenceTd"><strong>dns-none</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">If set, then DHCP Server will not pass dynamic DNS servers configured on the router to the DHCP clients if no DNS Server in<span> </span>DNS-server<span> </span>is set. 
By default, if there are no DNS servers configured, then the dynamic DNS Servers will be passed to DHCP clients.</td></tr><tr><td class="confluenceTd"><strong>dns-server</strong><span> </span>(<em>string</em>; Default: )</td><td class="confluenceTd">The DHCP client will use these as the default DNS servers. Two comma-separated DNS servers can be specified to be used by the DHCP client as primary and secondary DNS servers</td></tr><tr><td class="confluenceTd"><strong>domain</strong><span> </span>(<em>string</em>; Default: )</td><td class="confluenceTd">The DHCP client will use this as the 'DNS domain' setting for the network adapter.</td></tr><tr><td class="confluenceTd"><strong>gateway</strong><span> </span>(<em>IP</em>; Default:<span> </span><strong>0.0.0.0</strong>)</td><td class="confluenceTd">The default gateway to be used by<span> </span>DHCP Client.</td></tr><tr><td class="confluenceTd"><strong>netmask</strong><span> </span>(<em>integer: 0..32</em>; Default:<span> </span><strong>0</strong>)</td><td class="confluenceTd">The actual network mask to be used by the DHCP client. If set to '0', the netmask from the network address will be used.</td></tr><tr><td class="confluenceTd"><strong>next-server</strong><span> </span>(<em>IP</em>; Default: )</td><td class="confluenceTd">The IP address of the next server to use in bootstrap.</td></tr><tr><td class="confluenceTd"><strong>ntp-server</strong><span> </span>(<em>IP</em>; Default: )</td><td class="confluenceTd">The DHCP client will use these as the default NTP servers. Two comma-separated NTP servers can be specified to be used by the DHCP client as primary and secondary NTP servers</td></tr><tr><td class="confluenceTd"><strong>wins-server</strong><span> </span>(<em>IP</em>; Default: )</td><td class="confluenceTd">The Windows DHCP client will use these as the default WINS servers. 
Two comma-separated WINS servers can be specified to be used by the DHCP client as primary and secondary WINS servers</td></tr></tbody></table></div><h2 id="DHCP-RADIUSSupport">RADIUS Support</h2><p><span style="color: rgb(34,34,34);">Since RouterOS v6.43 it is possible to use RADIUS to assign a rate limit per lease. To do so, you need to pass the<span> </span></span>Mikrotik-Rate-Limit<span style="color: rgb(34,34,34);"><span> </span>attribute from your RADIUS Server for your lease. To achieve this, you first need to set your DHCPv4 Server to use RADIUS for assigning leases. Below is an example of how to set it up:</span></p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/radius
add address=10.0.0.1 secret=VERYsecret123 service=dhcp
/ip dhcp-server
set dhcp1 use-radius=yes</pre>
</div></div><p><span class="auto-cursor-target" style="color: rgb(34,34,34);"><span style="color: rgb(34,34,34);">After that, you need to tell your RADIUS Server to pass the<span> </span></span>Mikrotik-Rate-Limit<span style="color: rgb(34,34,34);"><span> </span>attribute. If you are using FreeRADIUS with MySQL, you need to add appropriate entries to the<span> </span></span><strong>radcheck</strong><span style="color: rgb(34,34,34);"><span> </span>and<span> </span></span><strong>radreply</strong><span style="color: rgb(34,34,34);"><span> </span>tables for the MAC address that is used by your DHCPv4 Client. Below is an example of the table entries:</span></span></p><pre>INSERT INTO `radcheck` (`username`, `attribute`, `op`, `value`) VALUES
('00:0C:42:00:D4:64', 'Auth-Type', ':=', 'Accept');
INSERT INTO `radreply` (`username`, `attribute`, `op`, `value`) VALUES
('00:0C:42:00:D4:64', 'Framed-IP-Address', '=', '192.168.88.254'),
('00:0C:42:00:D4:64', 'Mikrotik-Rate-Limit', '=', '10M');</pre><h2 id="DHCP-Alerts"><span class="auto-cursor-target" style="color: rgb(34,34,34);"><span class="auto-cursor-target" style="color: rgb(34,34,34);">Alerts</span></span></h2><p>To find any rogue DHCP servers as soon as they appear in your network, the DHCP Alert tool can be used. It will monitor the interface for all DHCP replies and check whether each reply comes from a valid DHCP server. If a reply from an unknown DHCP server is detected, an alert gets triggered:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@MikroTik] ip dhcp-server alert>/log print
00:34:23 dhcp,critical,error,warning,info,debug dhcp alert on Public:
discovered unknown dhcp server, mac 00:02:29:60:36:E7, ip 10.5.8.236
[admin@MikroTik] ip dhcp-server alert></pre>
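<p>Alert entries like the one above can be collected from several routers and triaged in one place. The Python code below is an added example, not part of the MikroTik documentation: it extracts the interface, MAC and IP from alert messages (including console-wrapped ones) and summarizes servers that are not on a central allowlist. The function name, the <code>known_servers</code> allowlist (mirroring <code>valid-server</code>) and all sample lines after the first entry are assumptions constructed for illustration.</p>

```python
import re

# Message format as shown in the log excerpt above; the leading time stamp and
# topic list are assumed to precede every alert message.
ALERT_RE = re.compile(
    r"(\d{2}:\d{2}:\d{2}) \S+ dhcp alert on ([^:]+): "
    r"discovered unknown dhcp server, "
    r"mac ((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}), ip (\d{1,3}(?:\.\d{1,3}){3})"
)

# First entry is the one from the page; the rest are constructed sample lines.
SAMPLE_LOG = """\
00:34:23 dhcp,critical,error,warning,info,debug dhcp alert on Public:
discovered unknown dhcp server, mac 00:02:29:60:36:E7, ip 10.5.8.236
01:34:25 dhcp,critical,error,warning,info,debug dhcp alert on Public:
discovered unknown dhcp server, mac 00:02:29:60:36:E7, ip 10.5.8.236
01:40:02 dhcp,critical,error,warning,info,debug dhcp alert on Local: discovered unknown dhcp server, mac 02:00:00:AA:BB:01, ip 192.0.2.1
"""


def find_rogue_servers(log_text, known_servers=()):
    """Summarize DHCP alerts per (interface, MAC), skipping allowlisted MACs."""
    known = {mac.upper() for mac in known_servers}
    # The console wraps long messages; collapse all whitespace so that a
    # wrapped alert is matched the same way as a single-line one.
    flat = " ".join(log_text.split())
    findings = {}
    for seen_at, interface, mac, ip in ALERT_RE.findall(flat):
        mac = mac.upper()
        if mac in known:
            continue
        entry = findings.setdefault(
            (interface, mac),
            {"ips": set(), "count": 0, "first_seen": seen_at, "last_seen": seen_at},
        )
        entry["ips"].add(ip)
        entry["count"] += 1
        entry["last_seen"] = seen_at
    # Convert the IP sets to sorted lists so the result is stable and printable.
    return {
        key: dict(value, ips=sorted(value["ips"]))
        for key, value in findings.items()
    }


if __name__ == "__main__":
    report = find_rogue_servers(SAMPLE_LOG, known_servers=["02:00:00:aa:bb:01"])
    for (interface, mac), info in report.items():
        print(interface, mac, info)
```

<p>A server that keeps reappearing after <code>alert-timeout</code> shows up here as a rising count with a widening first-seen/last-seen window.</p>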
</div></div><p>When the system alerts about a rogue DHCP server, it can execute a custom script.</p><p>As DHCP replies can be unicast, the rogue DHCP detector may not receive any offer to other DHCP clients at all. To deal with this, the rogue DHCP detector acts as a DHCP client as well - it sends out DHCP discover requests once a minute.</p><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>The DHCP alert is not recommended on devices that are configured as DHCP clients. Since the alert itself generates DHCP discovery packets, it can affect the operation of the DHCP client itself. Use this feature only on devices that are DHCP servers or using a static IP address.</p></div></div><p><strong><span class="mw-headline">Sub-menu: </span></strong><span class="mw-headline"><code>/ip dhcp-server alert</code></span></p><p><strong><span class="mw-headline">Properties</span></strong></p><div class="table-wrap"><table class="wrapped confluenceTable" style="margin-left: 16.7969px;"><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>alert-timeout </strong>(none | time; Default: 1h)</td><td class="confluenceTd">Time after which the alert will be forgotten. If after that time the same server is detected, a new alert will be generated. 
If set to<span> </span><strong>none</strong><span> </span>timeout will never expire.</td></tr><tr><td class="confluenceTd"><strong>interface</strong><span> </span>(<em>string</em>; Default:<span> </span>)</td><td class="confluenceTd">Interface, on which to run rogue DHCP server finder.</td></tr><tr><td class="confluenceTd"><strong>on-alert</strong><span> </span>(<em>string</em>; Default:<span> </span>)</td><td class="confluenceTd">Script to run, when an unknown DHCP server is detected.</td></tr><tr><td class="confluenceTd"><strong>valid-server </strong>(<em>string</em>; Default:<span> </span>)</td><td class="confluenceTd">List of MAC addresses of valid DHCP servers.</td></tr></tbody></table></div><p><strong><span class="mw-headline">Read-only properties</span></strong></p><div class="table-wrap"><table class="wrapped confluenceTable" style="margin-left: 16.7969px;"><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>unknown-server </strong>(<em>string</em>)</td><td class="confluenceTd">List of MAC addresses of detected unknown DHCP servers. The server is removed from this list after alert-timeout</td></tr></tbody></table></div><p><strong><span class="mw-headline">Menu specific commands</span></strong></p><div class="table-wrap"><table class="wrapped confluenceTable" style="margin-left: 16.7969px;"><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>reset-alert </strong>(<em>id</em>)</td><td class="confluenceTd">Clear all alerts on an interface</td></tr></tbody></table></div><h2 id="DHCP-DHCPOptions.1">DHCP Options</h2><p><strong>Sub-menu:</strong> <code>/ip dhcp-server option</code></p><p>With the help of the DHCP Option list, it is possible to define additional custom options for DHCP Server to advertise. 
Option precedence is as follows:</p><ul><li>radius,</li><li>lease,</li><li>server,</li><li>network.</li></ul><p><span style="color: rgb(34,34,34);">This is the order in which the client option request will be filled in.</span></p><p>According to the DHCP protocol, a parameter is returned to the DHCP client only if it requests this parameter, specifying the respective code in the DHCP request Parameter-List (code 55) attribute. If the code is not included in the Parameter-List attribute, the DHCP server will not send it to the DHCP client, but<strong> since RouterOS v7.1rc5 it is possible to force the DHCP option</strong> from the server-side even if the DHCP-client does not request such parameter:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">ip/dhcp-server/option/set force=yes</pre>
</div></div><p><strong><span class="mw-headline">Properties</span></strong></p><div class="table-wrap"><table class="relative-table wrapped confluenceTable" style="margin-left: 23.1719px;width: 102.071%;"><colgroup><col style="width: 10.899%;"/><col style="width: 89.0612%;"/></colgroup><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>code</strong><span> </span>(<em>integer:1..254</em>; Default:<span> </span>)</td><td class="confluenceTd">dhcp option code. All codes are available at<span> </span><a class="external-link" href="http://www.iana.org/assignments/bootp-dhcp-parameters" rel="nofollow" style="text-decoration: none;">http://www.iana.org/assignments/bootp-dhcp-parameters</a></td></tr><tr><td class="confluenceTd"><strong>name</strong><span> </span>(<em>string</em>; Default:<span> </span>)</td><td class="confluenceTd">Descriptive name of the option</td></tr><tr><td class="confluenceTd"><strong>value</strong><span> </span>(<em>string</em>; Default:<span> </span>)</td><td class="confluenceTd">Parameter's value. Available data types for options are:<ul><li style="list-style-type: none;"><ul><li>'test' -> ASCII to Hex 0x74657374</li><li>'10.10.10.10' -> Unicode IP to Hex 0x0a0a0a0a</li><li>s'10.10.10.10' -> ASCII to hex 0x31302e31302e31302e3130</li><li>s'160' -> ASCII to hex 0x313630</li><li>'10' -> Decimal to Hex 0x0a</li><li>0x0a0a -> No conversion</li><li>$(VARIABLE) -> hardcoded values</li></ul></li></ul><p>RouterOS has predefined variables that can be used:</p><ul><li>HOSTNAME - client hostname</li><li>RADIUS_MT_STR1 - from radius MT attr nr. 24</li><li>RADIUS_MT_STR2 - from radius MT attr nr. 
25</li><li>REMOTE_ID - agent remote-id</li><li>NETWORK_GATEWAY - the first gateway from '<em>/ip dhcp-server network</em>', note that this option won't work if used from lease</li></ul><p><br/>Now it is also possible to combine data types into one, for example: "0x01'vards'$(HOSTNAME)"</p><p>For example, if HOSTNAME is 'kvm', then the raw value will be 0x0176617264736b766d.</p></td></tr><tr><td class="confluenceTd"><strong>raw-value</strong><span> </span>(<em>HEX string</em><span> </span>)</td><td class="confluenceTd">Read-only field which shows raw DHCP option value (the format actually sent out)</td></tr></tbody></table></div><h3 id="DHCP-DHCPOptionSets">DHCP Option Sets</h3><p><strong>Sub-menu:</strong> <code>/ip dhcp-server option sets</code></p><p><span style="color: rgb(34,34,34);">This menu allows combining multiple options in option sets, which later can be used to override the default DHCP server option set.</span></p><h3 id="DHCP-Example">Example</h3><p><strong>Classless Route</strong></p><p>A classless route adds a specified route to the client's routing table. In our example, it will add:</p><ul><li>dst-address=160.0.0.0/24 gateway=10.1.101.1</li><li>dst-address=0.0.0.0/0 gateway=10.1.101.1</li></ul><p><br/>According to RFC 3442, the first part is the netmask ("18" = netmask /24). The second part is the significant part of the destination network ("A00000" = 160.0.0). The third part is the IP address of the gateway ("0A016501" = 10.1.101.1). Then there are the parts of the default route: the destination netmask (0x00 = 0.0.0.0/0) followed by the default route (0x0A016501 = 10.1.101.1).</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/ip dhcp-server option
add code=121 name=classless value=0x18A000000A016501000A016501
/ip dhcp-server network
set 0 dhcp-option=classless</pre>
</div></div><p>Result:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@MikroTik] /ip route> print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf,
m - mme, B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 ADS 0.0.0.0/0 10.1.101.1 0
1 ADS 160.0.0.0/24 10.1.101.1 0</pre>
</div></div><p><br/></p><p><span style="color: rgb(34,34,34);">A much more robust way is to use built-in variables</span><span style="color: rgb(34,34,34);">; the previous example can be rewritten as:</span></p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/ip dhcp-server option
add name=classless code=121 value="0x18A00000\$(NETWORK_GATEWAY)0x00\$(NETWORK_GATEWAY)"</pre>
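<p>The RFC 3442 layout described above (prefix length, significant destination octets, gateway) is easy to get wrong by hand. The Python code below is an added example, not part of the MikroTik documentation, and its function names are hypothetical: it builds the raw option 121 value for a list of routes and decodes an existing value back into routes, which helps when reviewing what a DHCP server pushes into client routing tables.</p>

```python
import ipaddress


def encode_classless_routes(routes):
    """Encode (destination, gateway) pairs as a DHCP option 121 payload (RFC 3442)."""
    payload = bytearray()
    for destination, gateway in routes:
        # strict=True rejects destinations with host bits set, e.g. 160.0.0.1/24.
        network = ipaddress.IPv4Network(destination, strict=True)
        significant = (network.prefixlen + 7) // 8  # octets that carry prefix bits
        payload.append(network.prefixlen)
        payload += network.network_address.packed[:significant]
        payload += ipaddress.IPv4Address(gateway).packed
    return bytes(payload)


def routeros_value(routes):
    """Format the payload as the 0x... hex string used in the option's value field."""
    return "0x" + encode_classless_routes(routes).hex().upper()


def decode_classless_routes(value):
    """Decode raw bytes or a 0x-prefixed hex string into (destination, gateway) pairs."""
    if isinstance(value, str):
        text = value[2:] if value.lower().startswith("0x") else value
        value = bytes.fromhex(text)
    routes = []
    rest = bytes(value)
    while rest:
        prefixlen = rest[0]
        if prefixlen not in range(33):
            raise ValueError("invalid prefix length %d" % prefixlen)
        significant = (prefixlen + 7) // 8
        record = rest[:1 + significant + 4]
        if len(record) != 1 + significant + 4:
            raise ValueError("truncated route record")
        # Pad the significant octets back out to a full four-octet address.
        destination = record[1:1 + significant] + bytes(4 - significant)
        # strict=False: normalise any stray host bits instead of failing on them.
        network = ipaddress.IPv4Network(
            (ipaddress.IPv4Address(destination), prefixlen), strict=False)
        gateway = ipaddress.IPv4Address(record[1 + significant:])
        routes.append((str(network), str(gateway)))
        rest = rest[len(record):]
    return routes


# The two routes from the example above.
PAGE_ROUTES = [("160.0.0.0/24", "10.1.101.1"), ("0.0.0.0/0", "10.1.101.1")]

if __name__ == "__main__":
    print(routeros_value(PAGE_ROUTES))
    print(decode_classless_routes("0x18A000000A016501000A016501"))
```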
</div></div><p><br/></p><p><strong>Auto proxy config</strong></p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/ip dhcp-server option
add code=252 name=auto-proxy-config value="'https://autoconfig.something.lv/wpad.dat'"</pre>
</div></div><h2 id="DHCP-VendorClasses"><span style="color: rgb(34,34,34);">Vendor Classes</span></h2><p><span style="color: rgb(34,34,34);">Since version 6.45beta6, RouterOS supports a vendor class ID matcher. The vendor class is used by DHCP clients to optionally identify the vendor and configuration.</span></p><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>The vendor-class-id matcher has been changed to a generic matcher since RouterOS v7.4beta4.</p></div></div><h3 id="DHCP-Example.1"><span style="color: rgb(34,34,34);">Example</span></h3><p>In the following configuration example, we will give an IP address from a particular pool to an Android-based mobile phone. We will use the RouterBOARD with a default configuration:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=pool-for-VID ranges=172.16.16.10-172.16.16.120</pre>
</div></div><p style="margin-left: 20.0px;"><br/></p><p>Configure the<span> </span><code>vendor-class-id</code><span> </span>matcher. The DHCP server's configuration remains the default:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dhcp-server vendor-class-id
add address-pool=pool-for-VID name=samsung server=defconf vid=android-dhcp-9</pre>
</div></div><p style="margin-left: 20.0px;"><br/></p><p>Connect your mobile phone to the device to receive an IP address from the 172.16.16.0 network</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@mikrotik] > /ip dhcp-server lease print detail
Flags: X - disabled, R - radius, D - dynamic, B - blocked
0 D address=172.16.16.120 mac-address=30:07:4D:F5:07:49 client-id="1:30:7:4d:f5:7:49" address-lists="" server=defconf dhcp-option=""
status=bound expires-after=8m55s last-seen=1m5s active-address=172.16.16.120 active-mac-address=30:07:4D:F5:07:49
active-client-id="1:30:7:4d:f5:7:49" active-server=defconf host-name="Galaxy-S8"</pre>
</div></div><p style="margin-left: 20.0px;"><br/></p><p>If you do not know your device's Vendor Class ID, you can turn on DHCP debug logs with<span> </span><code>/system logging add topics=dhcp</code>. Then, in the logging entries, you will see<span> </span><strong>Class-ID</strong>:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">10:30:31 dhcp,debug,packet defconf received request with id 4238230732 from 0.0.0.0
10:30:31 dhcp,debug,packet secs = 3
10:30:31 dhcp,debug,packet ciaddr = 0.0.0.0
10:30:31 dhcp,debug,packet chaddr = 30:07:4D:F5:07:49
10:30:31 dhcp,debug,packet Msg-Type = request
10:30:31 dhcp,debug,packet Client-Id = 01-30-07-4D-F5-07-49
10:30:31 dhcp,debug,packet Address-Request = 172.16.16.120
10:30:31 dhcp,debug,packet Server-Id = 192.168.88.1
10:30:31 dhcp,debug,packet Max-DHCP-Message-Size = 1500
10:30:31 dhcp,debug,packet Class-Id = "android-dhcp-9"
10:30:31 dhcp,debug,packet Host-Name = "Galaxy-S8"
10:30:31 dhcp,debug,packet Parameter-List = Subnet-Mask,Router,Domain-Server,Domain-Name,Interface-MTU,Broadcast-Address,Address-Time,Ren
ewal-Time,Rebinding-Time,Vendor-Specific
10:30:31 dhcp,info defconf assigned 172.16.16.120 to 30:07:4D:F5:07:49
10:30:31 dhcp,debug,packet defconf sending ack with id 4238230732 to 172.16.16.120
10:30:31 dhcp,debug,packet ciaddr = 0.0.0.0
10:30:31 dhcp,debug,packet yiaddr = 172.16.16.120
10:30:31 dhcp,debug,packet siaddr = 192.168.88.1
10:30:31 dhcp,debug,packet chaddr = 30:07:4D:F5:07:49
10:30:31 dhcp,debug,packet Msg-Type = ack
10:30:31 dhcp,debug,packet Server-Id = 192.168.88.1
10:30:31 dhcp,debug,packet Address-Time = 600
10:30:31 dhcp,debug,packet Domain-Server = 192.168.88.1,10.155.0.1,10.155.0.126 </pre>
</div></div><h2 id="DHCP-Genericmatcher">Generic matcher</h2><p>Since RouterOS 7.4beta4 (2022-Jun-15 14:04) the vendor-id matcher is converted to a generic matcher. The generic matcher allows matching any of the DHCP options.</p><p>An example that matches DHCP option 60, similar to the vendor-id-class matcher:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/ip dhcp-server matcher
add address-pool=pool1 code=60 name=test value=android-dhcp-11</pre>
</div></div><p class="auto-cursor-target">Match the client-id with option 61 configured as hex value:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/ip dhcp-server matcher
add address-pool=pool1 code=61 name=test value=0x016c3b6bed8364</pre>
</div></div><p class="auto-cursor-target">Match the code 12 using the string:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/ip dhcp-server matcher
add address-pool=testpool code=12 name=test server=dhcp1 value="MikroTik"</pre>
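<p>The following is an added example, not part of the original documentation: it reads the DHCP debug log format shown earlier and derives generic matcher values for options 60, 61 and 12. The function names are hypothetical, the log text is a constructed sample, and it is an assumption that the matcher accepts a 0x hex value for codes other than 61. Option values are supplied by the client, so anything that is not a plain token is hex-encoded rather than pasted into a command line.</p>

```python
import re

# Constructed sample: the client request from the debug log above, shortened,
# including the Parameter-List value that wrapped onto a second line.
SAMPLE_LOG = """\
10:30:31 dhcp,debug,packet defconf received request with id 4238230732 from 0.0.0.0
10:30:31 dhcp,debug,packet secs = 3
10:30:31 dhcp,debug,packet chaddr = 30:07:4D:F5:07:49
10:30:31 dhcp,debug,packet Msg-Type = request
10:30:31 dhcp,debug,packet Client-Id = 01-30-07-4D-F5-07-49
10:30:31 dhcp,debug,packet Class-Id = "android-dhcp-9"
10:30:31 dhcp,debug,packet Host-Name = "Galaxy-S8"
10:30:31 dhcp,debug,packet Parameter-List = Subnet-Mask,Router,Domain-Server,Ren
ewal-Time,Rebinding-Time,Vendor-Specific
10:30:31 dhcp,info defconf assigned 172.16.16.120 to 30:07:4D:F5:07:49
10:30:31 dhcp,debug,packet defconf sending ack with id 4238230732 to 172.16.16.120
10:30:31 dhcp,debug,packet chaddr = 30:07:4D:F5:07:49
10:30:31 dhcp,debug,packet Msg-Type = ack
"""

_PREFIX = r"^\d\d:\d\d:\d\d dhcp,debug,packet\s+"
RECEIVED = re.compile(_PREFIX + r"(\S+) received (\S+) with id (\d+) from (\S+)$")
SENDING = re.compile(_PREFIX + r"\S+ sending \S+ with id \d+ to \S+$")
FIELD = re.compile(_PREFIX + r"([\w-]+) = (.*)$")
TIMESTAMPED = re.compile(r"^\d\d:\d\d:\d\d ")
SAFE_TOKEN = re.compile(r"^[A-Za-z0-9._-]+$")


def parse_client_packets(log):
    """Return one dict per packet received from a client; server replies are skipped."""
    packets, current, last_key = [], None, None
    for raw in log.splitlines():
        line = raw.rstrip()
        m = RECEIVED.match(line)
        if m:
            current = {"server": m.group(1), "type": m.group(2),
                       "id": m.group(3), "fields": {}}
            packets.append(current)
            last_key = None
            continue
        if SENDING.match(line):
            current, last_key = None, None  # fields that follow belong to the reply
            continue
        m = FIELD.match(line)
        if m:
            if current is not None:
                current["fields"][m.group(1)] = m.group(2).strip()
                last_key = m.group(1)
            continue
        if TIMESTAMPED.match(line):
            last_key = None  # a line from another topic, e.g. dhcp,info
            continue
        if current is not None and last_key and line.strip():
            # No timestamp: the tail of a value that wrapped onto the next line.
            current["fields"][last_key] += line.strip()
    return packets


def unquote(text):
    if len(text) >= 2 and text[0] == '"' and text[-1] == '"':
        return text[1:-1]
    return text


def encode_value(text):
    """Keep plain tokens as they are; hex-encode everything else."""
    if SAFE_TOKEN.match(text) and not text.lower().startswith("0x"):
        return text
    return "0x" + text.encode("utf-8").hex()


def matcher_values(fields):
    """Map logged options to matcher values, keyed by DHCP option code."""
    out = {}
    if "Class-Id" in fields:
        out[60] = encode_value(unquote(fields["Class-Id"]))
    if "Client-Id" in fields:
        raw = fields["Client-Id"].replace("-", "")
        if re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", raw):
            out[61] = "0x" + raw.lower()
    if "Host-Name" in fields:
        out[12] = encode_value(unquote(fields["Host-Name"]))
    return out


def render_matcher(name, pool, code, value):
    """Build the 'add' line for /ip dhcp-server matcher (name and pool come from the operator)."""
    return f"add address-pool={pool} code={code} name={name} value={value}"


if __name__ == "__main__":
    for packet in parse_client_packets(SAMPLE_LOG):
        for code, value in sorted(matcher_values(packet["fields"]).items()):
            print(render_matcher(f"opt{code}", "pool1", code, value))
```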
</div></div><h2 id="DHCP-ConfigurationExamples.2">Configuration Examples</h2><h3 id="DHCP-Setup">Setup</h3><p>The simplest way to configure a DHCP server is the<span> </span><code>setup</code><span> </span>command.</p><p>First, configure an IP address on the interface:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@MikroTik] > /ip address add address=192.168.88.1/24 interface=ether3 disabled=no</pre>
</div></div><p style="margin-left: 20.0px;"><br/></p><p>Then run the<span> </span><code>setup</code><span> </span>command, which will automatically ask for the necessary parameters:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@MikroTik] > /ip dhcp-server setup
Select interface to run DHCP server on
dhcp server interface: ether3
Select network for DHCP addresses
dhcp address space: 192.168.88.0/24
Select gateway for given network
gateway for dhcp network: 192.168.88.1
Select pool of ip addresses given out by DHCP server
addresses to give out: 192.168.88.2-192.168.88.254
Select DNS servers
dns servers: 10.155.126.1,10.155.0.1,
Select lease time
lease time: 10m</pre>
</div></div><p style="margin-left: 20.0px;"><br/></p><p>That is all. You have configured an active DHCP server.</p><h3 id="DHCP-Manualconfiguration">Manual configuration</h3><p>To configure the DHCP server manually to respond to local requests, you have to configure the following:</p><ul><li>An <strong>IP pool</strong> for addresses to be given out. Make sure that your gateway/DHCP server address is not part of the pool.</li></ul><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/ip pool add name=dhcp_pool0 ranges=192.168.88.2-192.168.88.254</pre>
</div></div><ul><li><span style="letter-spacing: 0.0px;">A</span><strong style="letter-spacing: 0.0px;"> network </strong><span style="letter-spacing: 0.0px;">indicating subnets that DHCP-server will lease addresses from, among other information, like a gateway, DNS-server, NTP-server, DHCP options, etc.</span></li></ul><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/ip dhcp-server network add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1</pre>
</div></div><ul><li><span style="letter-spacing: 0.0px;">In our case, the device itself is serving as the gateway, so we'll add the </span><strong style="letter-spacing: 0.0px;">address</strong><span style="letter-spacing: 0.0px;"> to the bridge interface:</span></li></ul><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/ip address add address=192.168.88.1/24 interface=bridge1 network=192.168.88.0</pre>
</div></div><ul><li><span style="letter-spacing: 0.0px;">And finally, add the </span><strong style="letter-spacing: 0.0px;">DHCP Server</strong><span style="letter-spacing: 0.0px;">. Here we add the previously created address</span><strong style="letter-spacing: 0.0px;"> pool</strong><span style="letter-spacing: 0.0px;"> and specify the </span><strong style="letter-spacing: 0.0px;">interface</strong><span style="letter-spacing: 0.0px;"> on which the DHCP server should work:</span></li></ul><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/ip dhcp-server add address-pool=dhcp_pool0 disabled=no interface=bridge1 name=dhcp1</pre>
</div></div><h1 id="DHCP-DHCPv6Server"><span style="font-size: 24.0px;letter-spacing: -0.01em;">DHCPv6 Server</span></h1><h2 id="DHCP-Summary.3"><span class="mw-headline">Summary</span></h2><p><strong>Standards:</strong><span> </span><code>RFC 3315, RFC 3633</code></p><p>A single DUID is used for client and server identification; only the IAID will vary between clients, corresponding to their assigned interface.</p><p>A client binding creates a dynamic pool with a timeout set to the binding's expiration time (note that dynamic pools can now have a timeout), which will be updated every time the binding gets renewed.</p><p>When a client is bound to a prefix, the DHCP server adds routing information to know how to reach the assigned prefix.</p><p>Client bindings in the server do not show the MAC address anymore (as it was in v5.8); DUID (hex) and IAID are used instead. After an upgrade, MAC addresses will be converted to DUIDs automatically, but due to the unknown DUID type and unknown IAID, they should be further updated by the user.</p><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>RouterOS DHCPv6 server can only delegate IPv6 prefixes, not addresses.</p></div></div><h2 id="DHCP-General"><span class="mw-headline">General</span></h2><p><strong>Sub-menu:</strong><span> </span><code>/ipv6 dhcp-server</code></p><p>This sub-menu lists DHCP-PD servers and allows configuring them.</p><h2 id="DHCP-DHCPv6ServerProperties">DHCPv6 Server Properties</h2><div class="table-wrap"><table class="wrapped relative-table confluenceTable" style="width: 103.776%;"><colgroup><col style="width: 20.937%;"/><col style="width: 79.063%;"/></colgroup><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>address-pool</strong><span> </span>(<em>enum | static-only</em>; 
Default:<span> </span><strong>static-only</strong>)</td><td class="confluenceTd"><a href="https://help.mikrotik.com/docs/display/ROS/IP+Pools#IPPools-IPv6Pool" rel="nofollow">IPv6 pool</a>, from which to take IPv6 prefix for the clients.</td></tr><tr><td class="confluenceTd"><strong><strong style="text-align: left;">allow-dual-stack-queue</strong><span style="color: rgb(23,43,77);"> </span></strong><span style="color: rgb(23,43,77);">(</span><em style="text-align: left;">yes | no</em><span style="color: rgb(23,43,77);">; Default:</span><strong><span style="color: rgb(23,43,77);"> </span><strong style="text-align: left;">yes</strong></strong><span style="color: rgb(23,43,77);">)</span></td><td class="confluenceTd"><span style="color: rgb(23,43,77);">Creates a single simple queue entry for both IPv4 and IPv6 addresses, and uses the MAC address and DUID for identification. Requires</span><span style="color: rgb(23,43,77);"> </span><span style="color: rgb(23,43,77);">IPv6 DHCP Server</span><span style="color: rgb(23,43,77);"> </span><span style="color: rgb(23,43,77);">to have this option enabled as well to work properly.</span></td></tr><tr><td class="confluenceTd"><strong>binding-script</strong><span> </span>(<em>string</em>; Default: )</td><td class="confluenceTd">A script that will be executed after binding is assigned or de-assigned. 
Internal "global" variables that can be used in the script:<ul><li>bindingBound<span> </span>- set to "1" if bound, otherwise set to "0"</li><li>bindingServerName<span> </span>- dhcp server name</li><li>bindingDUID<span> </span>- DUID</li><li>bindingAddress<span> </span>- active address</li><li>bindingPrefix<span> </span>- active prefix</li></ul></td></tr><tr><td class="confluenceTd"><strong style="text-align: left;">dhcp-option</strong><span style="color: rgb(23,43,77);"> </span><span style="color: rgb(23,43,77);">(</span><em style="text-align: left;">string</em><span style="color: rgb(23,43,77);">; Default:</span><span style="color: rgb(23,43,77);"><span> </span><strong>none</strong></span><span style="color: rgb(23,43,77);">)</span></td><td class="confluenceTd"><span style="color: rgb(23,43,77);">Add additional DHCP options from</span><span style="color: rgb(23,43,77);"> </span><a href="https://help.mikrotik.com/docs/display/ROS/DHCP#DHCP-DHCPOptions.1" rel="nofollow" style="text-align: left;">option list</a><span style="color: rgb(23,43,77);">.</span></td></tr><tr><td class="confluenceTd"><strong>disabled</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">Whether DHCP-PD server participates in the prefix assignment process.</td></tr><tr><td class="confluenceTd"><strong>interface</strong><span> </span>(<em>string</em>; Default: )</td><td class="confluenceTd">The interface on which server will be running.</td></tr><tr><td class="confluenceTd"><strong>lease-time</strong><span> </span>(<em>time</em>; Default:<span> </span><strong>3d</strong>)</td><td class="confluenceTd">The time that a client may use the assigned address. 
The client will try to renew this address after half of this time and will request a new address after the time limit expires.</td></tr><tr><td class="confluenceTd"><strong>name</strong><span> </span>(<em>string</em>; Default: )</td><td class="confluenceTd">Reference name</td></tr></tbody></table></div><p><strong>Read-only Properties</strong></p><div class="table-wrap"><table class="relative-table wrapped confluenceTable" style="width: 95.7369%;"><colgroup><col style="width: 22.6562%;"/><col style="width: 77.3438%;"/></colgroup><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>dynamic</strong><span> </span>(<em>yes | no</em>)</td><td class="confluenceTd"><br/></td></tr><tr><td class="confluenceTd"><strong>invalid</strong><span> </span>(<em>yes | no</em>)</td><td class="confluenceTd"><br/></td></tr></tbody></table></div><h2 id="DHCP-Bindings"><span class="mw-headline">Bindings</span></h2><p><strong>Sub-menu:</strong><span> </span><code>/ipv6 dhcp-server binding</code></p><p>DUID is used only for dynamic bindings, so if it changes then the client will receive a different prefix than previously.</p><div class="table-wrap"><table class="relative-table wrapped confluenceTable" style="width: 95.4933%;"><colgroup><col style="width: 22.544%;"/><col style="width: 77.456%;"/></colgroup><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>address</strong><span> </span>(<em>IPv6 prefix</em>; Default: )</td><td class="confluenceTd">IPv6 prefix that will be assigned to the client</td></tr><tr><td class="confluenceTd"><strong>allow-dual-stack-queue</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>yes</strong>)</td><td class="confluenceTd">Creates a single simple queue entry for both IPv4 and IPv6 addresses, uses the MAC address and DUID for identification. 
Requires<span> </span>IPv4 DHCP Server<span> </span>to have this option enabled as well to work properly.</td></tr><tr><td class="confluenceTd"><strong>comment</strong><span> </span>(<em>string</em>; Default: )</td><td class="confluenceTd">Short description of an item.</td></tr><tr><td class="confluenceTd"><strong>disabled</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">Whether an item is disabled</td></tr><tr><td class="confluenceTd"><strong>dhcp-option</strong><span> </span>(<em>string</em>; Default: )</td><td class="confluenceTd">Add additional DHCP options from<span> the </span>option list.</td></tr><tr><td class="confluenceTd"><strong>dhcp-option-set</strong><span> </span>(<em>string</em>; Default: )</td><td class="confluenceTd">Add an additional set of DHCP options.</td></tr><tr><td class="confluenceTd"><strong>life-time</strong><span> </span>(<em>time</em>; Default:<span> </span><strong>3d</strong>)</td><td class="confluenceTd">The time period after which binding expires.</td></tr><tr><td class="confluenceTd"><strong>duid</strong><span> </span>(<em>hex string</em>; Default: )</td><td class="confluenceTd">DUID value. Should be specified only in hexadecimal format.</td></tr><tr><td class="confluenceTd"><strong>iaid</strong><span> </span>(<em>integer [0..4294967295]</em>; Default: )</td><td class="confluenceTd">Identity Association Identifier, part of the Client ID.</td></tr><tr><td class="confluenceTd"><strong>prefix-pool</strong><span> </span>(<em>string</em>; Default: )</td><td class="confluenceTd">Prefix pool that is being advertised to the DHCPv6 Client.</td></tr><tr><td class="confluenceTd"><strong>rate-limit</strong><span> </span>(<em>integer[/integer] [integer[/integer] [integer[/integer] [integer[/integer]]]]</em>; Default: )</td><td class="confluenceTd">Adds a dynamic simple queue to limit IP's bandwidth to a specified rate. Requires the lease to be static. 
Format is: rx-rate[/tx-rate] [rx-burst-rate[/tx-burst-rate] [rx-burst-threshold[/tx-burst-threshold] [rx-burst-time[/tx-burst-time]]]]. All rates should be numbers with optional 'k' (1,000s) or 'M' (1,000,000s). If tx-rate is not specified, rx-rate is used as tx-rate too. The same goes for tx-burst-rate, tx-burst-threshold and tx-burst-time. If both rx-burst-threshold and tx-burst-threshold are not specified (but burst-rate is specified), rx-rate and tx-rate are used as burst thresholds. If both rx-burst-time and tx-burst-time are not specified, 1s is used as default.</td></tr><tr><td class="confluenceTd"><strong>server</strong><span> </span>(<em>string | all</em>; Default:<span> </span><strong>all</strong>)</td><td class="confluenceTd">Name of the server. If set to<span> </span><strong>all</strong>, then binding applies to all created DHCP-PD servers.</td></tr></tbody></table></div><p><strong>Read-only properties</strong></p><div class="table-wrap"><table class="relative-table wrapped confluenceTable" style="width: 95.6151%;"><colgroup><col style="width: 22.7276%;"/><col style="width: 77.2724%;"/></colgroup><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>dynamic</strong><span> </span>(<em>yes | no</em>)</td><td class="confluenceTd">Whether an item is dynamically created.</td></tr><tr><td class="confluenceTd"><strong>expires-after</strong><span> </span>(<em>time</em>)</td><td class="confluenceTd">The time period after which binding expires.</td></tr><tr><td class="confluenceTd"><strong>last-seen</strong><span> </span>(<em>time</em>)</td><td class="confluenceTd">Time period since the client was last seen.</td></tr><tr><td class="confluenceTd"><strong>status</strong><span> </span>(<em>waiting | offered | bound</em>)</td><td class="confluenceTd">Three status values are possible:<ul><li><strong>waiting</strong><span> </span>- Shown for static bindings if it is not used. 
For dynamic bindings, this status is shown if the binding was used previously: the server will wait 10 minutes to allow the old client to get this binding; otherwise, the binding will be cleared and the prefix will be offered to other clients.</li><li><strong>offered</strong><span> </span>- a<span> </span><strong>solicit</strong><span> </span>message was received and the server responded with an<span> </span><strong>advertise</strong><span> </span>message, but the<span> </span><strong>request</strong><span> </span>was not received. In this state, the client has 2 minutes to get this binding; otherwise, it is freed, or its status is changed to<span> </span><strong>waiting</strong><span> </span>for static bindings.</li><li><strong>bound</strong><span> </span>- currently bound.</li></ul></td></tr></tbody></table></div><p>For example, a dynamically assigned /62 prefix:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@RB493G] /ipv6 dhcp-server binding> print detail
Flags: X - disabled, D - dynamic
0 D address=2a02:610:7501:ff00::/62 duid="1605fcb400241d1781f7" iaid=0
server=local-dhcp life-time=3d status=bound expires-after=2d23h40m10s
last-seen=19m50s
1 D address=2a02:610:7501:ff04::/62 duid="0019d1393535" iaid=2
server=local-dhcp life-time=3d status=bound expires-after=2d23h43m47s
last-seen=16m13s</pre>
</div></div><p><strong><span class="mw-headline">Menu specific commands</span></strong></p><div class="table-wrap"><table class="relative-table wrapped confluenceTable" style="width: 96.5895%;"><colgroup><col style="width: 23.9277%;"/><col style="width: 76.0723%;"/></colgroup><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>make-static</strong><span> </span>()</td><td class="confluenceTd">Set dynamic binding as static.</td></tr></tbody></table></div><h3 id="DHCP-Ratelimiting.1"><span class="mw-headline">Rate limiting</span></h3><p>It is possible to set the bandwidth to a specific IPv6 address by using DHCPv6 bindings. This can be done by setting a rate limit on the DHCPv6 binding itself; doing so adds a dynamic simple queue rule for the IPv6 address that corresponds to the DHCPv6 binding. By using the<span> </span><code>rate-limit</code><span> </span>parameter you can conveniently limit a user's bandwidth.</p><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>For any queues to work properly, the traffic must not be FastTracked. Make sure your Firewall does not FastTrack traffic that you want to limit.</p></div></div><p class="auto-cursor-target"><span>First, make the DHCPv6 binding static; otherwise, it will not be possible to set a rate limit on the DHCPv6 binding:</span></p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@MikroTik] > /ipv6 dhcp-server binding print
Flags: X - disabled, D - dynamic
# ADDRESS DUID SERVER STATUS
0 D fdb4:4de7:a3f8:418c::/66 0x6c3b6b7c413e DHCPv6_Server bound
[admin@MikroTik] > /ipv6 dhcp-server binding make-static 0
[admin@MikroTik] > /ipv6 dhcp-server binding print
Flags: X - disabled, D - dynamic
# ADDRESS DUID SERVER STATUS
0 fdb4:4de7:a3f8:418c::/66 0x6c3b6b7c413e DHCPv6_Server bound
</pre>
</div></div><p><span>Then you can set a rate limit on the DHCPv6 binding, which will create a new dynamic simple queue entry:</span></p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@MikroTik] > /ipv6 dhcp-server binding set 0 rate-limit=10M/10M
[admin@MikroTik] > /queue simple print
Flags: X - disabled, I - invalid, D - dynamic
0 D name="dhcp<6c3b6b7c413e fdb4:4de7:a3f8:418c::/66>" target=fdb4:4de7:a3f8:418c::/66 parent=none packet-marks="" priority=8/8 queue=default
-small/default-small limit-at=10M/10M max-limit=10M/10M burst-limit=0/0
burst-threshold=0/0 burst-time=0s/0s bucket-size=0.1/0.1</pre>
</div></div><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>By default, <code>allow-dual-stack-queue</code> is enabled. This adds a single dynamic simple queue entry for both the DHCPv6 binding and the DHCPv4 lease. Without this option enabled, separate dynamic simple queue entries will be added for IPv6 and IPv4.</p></div></div><p>If<span> </span><code>allow-dual-stack-queue</code><span> </span>is enabled, then a single dynamic simple queue entry will be created containing both IPv4 and IPv6 addresses:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@MikroTik] > /queue simple print
Flags: X - disabled, I - invalid, D - dynamic
0 D name="dhcp-ds<6C:3B:6B:7C:41:3E>" target=192.168.1.200/32,fdb4:4de7:a3f8:418c::/66 parent=none packet-marks="" priority=8/8 queue=default
-small/default-small limit-at=10M/10M max-limit=10M/10M
burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s bucket-size=0.1/0.1</pre>
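<p>The following is an added example, not part of the original documentation: a parser for the <code>rate-limit</code> format described in the bindings table, applying the defaulting rules stated there. The function names are hypothetical; accepting a bare number or a number followed by "s" for burst time, reporting unset burst fields as 0 (as in the queue print above), and the 1000x asymmetry check for a forgotten suffix are assumptions of this example.</p>

```python
import re

_RATE = re.compile(r"^(\d+)([kM]?)$")
_TIME = re.compile(r"^(\d+)s?$")
_MULTIPLIER = {"": 1, "k": 1_000, "M": 1_000_000}


def parse_rate(token):
    """'10M' gives 10000000, '64k' gives 64000, '10' gives 10."""
    m = _RATE.match(token)
    if not m:
        raise ValueError(f"bad rate: {token!r}")
    return int(m.group(1)) * _MULTIPLIER[m.group(2)]


def parse_time(token):
    m = _TIME.match(token)
    if not m:
        raise ValueError(f"bad burst time: {token!r}")
    return int(m.group(1))


def split_pair(token, convert):
    """Parse 'rx[/tx]'; when tx is omitted, the rx value is used for tx too."""
    parts = token.split("/")
    if len(parts) > 2 or "" in parts:
        raise ValueError(f"bad rx/tx pair: {token!r}")
    rx = convert(parts[0])
    tx = convert(parts[1]) if len(parts) == 2 else rx
    return rx, tx


def parse_rate_limit(text):
    """Return (rx, tx) tuples for rate, burst_rate, burst_threshold and burst_time."""
    tokens = text.split()
    if not 1 <= len(tokens) <= 4:
        raise ValueError("expected between one and four space-separated fields")
    rate = split_pair(tokens[0], parse_rate)
    result = {
        "rate": rate,
        "burst_rate": (0, 0),
        "burst_threshold": (0, 0),
        "burst_time": (0, 0),
    }
    if len(tokens) >= 2:
        result["burst_rate"] = split_pair(tokens[1], parse_rate)
        # Thresholds default to the plain rates when a burst rate is given.
        result["burst_threshold"] = (
            split_pair(tokens[2], parse_rate) if len(tokens) >= 3 else rate
        )
        # Burst time defaults to 1s.
        result["burst_time"] = (
            split_pair(tokens[3], parse_time) if len(tokens) == 4 else (1, 1)
        )
    return result


def suspicious_pairs(parsed, ratio=1000):
    """Name the rate pairs whose directions differ by more than `ratio`.

    A value such as '10M/10' parses without error but leaves tx at 10,
    which usually means the suffix was forgotten.
    """
    flagged = []
    for key in ("rate", "burst_rate", "burst_threshold"):
        low, high = sorted(parsed[key])
        if low * ratio < high:
            flagged.append(key)
    return flagged


if __name__ == "__main__":
    for sample in ("10M", "10M/10", "64k/128k 256k/512k", "64k/128k 256k 128k/256k 10"):
        parsed = parse_rate_limit(sample)
        print(sample, "->", parsed, "check:", suspicious_pairs(parsed))
```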
</div></div><h2 id="DHCP-RADIUSSupport.1"><span class="mw-headline">RADIUS Support</span></h2><p>Since RouterOS v6.43 it is possible to use RADIUS to assign a rate-limit per DHCPv6 binding. To do so, you need to pass the<span> </span>Mikrotik-Rate-Limit<span> </span>attribute from your RADIUS Server for your DHCPv6 binding. To achieve this, you first need to set your DHCPv6 Server to use RADIUS for assigning bindings. Below is an example of how to set it up:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/radius
add address=10.0.0.1 secret=VERYsecret123 service=dhcp
/ipv6 dhcp-server
set dhcp1 use-radius=yes</pre>
</div></div><p>After that, you need to tell your RADIUS Server to pass the<span> </span>Mikrotik-Rate-Limit<span> </span>attribute. If you are using FreeRADIUS with MySQL, you need to add appropriate entries to the<span> </span><strong>radcheck</strong><span> </span>and<span> </span><strong>radreply</strong><span> </span>tables for the MAC address that is used by your DHCPv6 Client. Below is an example of the table entries:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">INSERT INTO `radcheck` (`username`, `attribute`, `op`, `value`) VALUES
('000c4200d464', 'Auth-Type', ':=', 'Accept');
INSERT INTO `radreply` (`username`, `attribute`, `op`, `value`) VALUES
('000c4200d464', 'Delegated-IPv6-Prefix', '=', 'fdb4:4de7:a3f8:418c::/66'),
('000c4200d464', 'Mikrotik-Rate-Limit', '=', '10M');</pre>
</div></div><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>By default,<span> </span>allow-dual-stack-queue<span> </span>is enabled and will add a single dynamic queue entry if the MAC address from the IPv4 lease (or DUID, if the DHCPv4 Client supports<span> </span><code>Node-specific Client Identifiers</code><span> </span>from RFC4361) matches the DUID of the DHCPv6 binding. However, the DUID from a DHCPv6 Client is not always based on the MAC address of the interface on which the DHCPv6 client is running; the DUID is generated on a per-device basis. For this reason, a single dynamic queue entry might not be created, and separate dynamic queue entries might be created instead.</p></div></div><h2 id="DHCP-ConfigurationExample"><span class="mw-headline">Configuration Example</span></h2><h3 id="DHCP-EnablingIPv6Prefixdelegation"><span class="mw-headline">Enabling IPv6 Prefix delegation</span></h3><p>Let's consider that we already have a running DHCP server.</p><p>To enable IPv6 prefix delegation, first, we need to create an address pool:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/ipv6 pool add name=myPool prefix=2001:db8:7501::/60 prefix-length=62
</pre>
</div></div><p><span>Notice that prefix-length is 62 bits, which means that clients will receive /62 prefixes from the /60 pool.</span></p><p>The next step is to enable DHCP-PD:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/ipv6 dhcp-server add name=myServer address-pool=myPool interface=local</pre>
</div></div><p style="margin-left: 20.0px;"><br/></p><p><br/>To test our server, we will set up wide-dhcpv6 on an Ubuntu machine:</p><ul><li>install wide-dhcpv6-client</li><li>edit "/etc/wide-dhcpv6/dhcp6c.conf" as shown below</li></ul><div class="confluence-information-macro confluence-information-macro-tip"><span class="aui-icon aui-icon-small aui-iconfont-approve confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>You can also use RouterOS as a DHCP-PD client.</p></div></div><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">interface eth2{
send ia-pd 0;
};
id-assoc pd {
prefix-interface eth3{
sla-id 1;
sla-len 2;
};
};</pre>
</div></div><ul><li>Run DHCP-PD client:</li></ul><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">sudo dhcp6c -d -D -f eth2</pre>
</div></div><ul><li>Verify that prefix was added to the:</li></ul><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">mrz@bumba:/media/aaa$ ip -6 addr
..
2: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
inet6 2001:db8:7501:1:200:ff:fe00:0/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::224:1dff:fe17:81f7/64 scope link
valid_lft forever preferred_lft forever</pre>
</div></div><ul><li>You can make the binding for a specific client static so that it always receives the same prefix:</li></ul><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@RB493G] /ipv6 dhcp-server binding> print
Flags: X - disabled, D - dynamic
# ADDRESS DU IAID SER.. STATUS
0 D 2001:db8:7501:1::/62 16 0 loc.. bound
[admin@RB493G] /ipv6 dhcp-server binding> make-static 0</pre>
</div></div><ul><li>DHCP-PD also installs a route to the assigned prefix into the IPv6 routing table:</li></ul><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@RB493G] /ipv6 route> print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, o - ospf, b - bgp, U - unreachable
# DST-ADDRESS GATEWAY DISTANCE
...
2 ADS 2001:db8:7501:1::/62 fe80::224:1dff:fe17:8... 1</pre>
</div></div><h1 id="DHCP-DHCPRelay"><span style="font-size: 24.0px;letter-spacing: -0.01em;">DHCP Relay</span></h1><h2 id="DHCP-Summary.4">Summary</h2><p><strong>Sub-menu:</strong><span> </span><code>/ip dhcp-relay</code></p><p><span style="color: rgb(34,34,34);">The purpose of the DHCP relay is to act as a proxy between DHCP clients and the DHCP server. It is useful in networks where the DHCP server is not on the same broadcast domain as the DHCP client.</span></p><p><span style="color: rgb(34,34,34);">DHCP relay does not choose a particular DHCP server from the DHCP-server list; it just sends the incoming request to all the listed servers.</span></p><h2 id="DHCP-Properties.2"><span class="mw-headline">Properties</span></h2><div class="table-wrap"><table class="wrapped confluenceTable"><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>add-relay-info</strong> (<em>yes | no</em>; Default: <strong>no</strong>)</td><td class="confluenceTd">If enabled, adds DHCP relay agent information according to RFC 3046. 
The Agent Circuit ID Sub-option contains the MAC address of an interface; the Agent Remote ID Sub-option contains the MAC address of the client from which the request was received.</td></tr><tr><td class="confluenceTd"><strong>delay-threshold</strong> (<em>time | none</em>; Default: <strong>none</strong>)</td><td class="confluenceTd">If the secs field in the DHCP packet is smaller than delay-threshold, the packet is ignored</td></tr><tr><td class="confluenceTd"><strong>dhcp-server</strong> (<em>string</em>; Default: )</td><td class="confluenceTd">List of DHCP server IP addresses to which the DHCP requests should be forwarded</td></tr><tr><td class="confluenceTd"><strong>interface</strong> (<em>string</em>; Default: )</td><td class="confluenceTd">Interface name the DHCP relay will be working on.</td></tr><tr><td class="confluenceTd"><strong>local-address</strong> (<em>IP</em>; Default: <strong>0.0.0.0</strong>)</td><td class="confluenceTd">The unique IP address of this DHCP relay, needed for the DHCP server to distinguish relays. If set to <strong>0.0.0.0</strong>, the IP address will be chosen automatically</td></tr><tr><td class="confluenceTd"><strong>relay-info-remote-id</strong> (<em>string</em>; Default: )</td><td class="confluenceTd">The specified string will be used to construct Option 82 instead of the client's MAC address. Option 82 consists of: the interface from which packets were received + the client MAC address or <strong>relay-info-remote-id</strong></td></tr><tr><td class="confluenceTd"><strong>name</strong> (<em>string</em>; Default: )</td><td class="confluenceTd">Descriptive name for the relay</td></tr></tbody></table></div><h2 id="DHCP-ConfigurationExample.1"><span style="color: rgb(34,34,34);">Configuration Example<br/></span></h2><p>Suppose that you have several IP networks 'behind' other routers, but you want to keep all DHCP servers on a single router. 
To do this, you need a DHCP relay on your network which will relay DHCP requests from clients to the DHCP server.</p><p>This example will show you how to configure a DHCP server and a DHCP relay that serves 2 IP networks - 192.168.1.0/24 and 192.168.2.0/24 that are behind a router DHCP-Relay.</p><p><span class="confluence-embedded-file-wrapper"><img class="confluence-embedded-image" draggable="false" src="https://help.mikrotik.com/docs/download/attachments/24805500/DHCPrelay.png?version=1&modificationDate=1587718227300&api=v2" data-image-src="https://help.mikrotik.com/docs/download/attachments/24805500/DHCPrelay.png?version=1&modificationDate=1587718227300&api=v2" data-unresolved-comment-count="0" data-linked-resource-id="24805513" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="DHCPrelay.png" data-base-url="https://help.mikrotik.com/docs" data-linked-resource-content-type="image/png" data-linked-resource-container-id="24805500" data-linked-resource-container-version="40" alt=""></span></p><p><strong>IP Address Configuration</strong></p><p>IP addresses of DHCP-Server:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@DHCP-Server] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 192.168.0.1/24 192.168.0.0 192.168.0.255 To-DHCP-Relay
1 10.1.0.2/24 10.1.0.0 10.1.0.255 Public
[admin@DHCP-Server] ip address></pre>
</div></div><p><span style="letter-spacing: 0.0px;">IP addresses of DHCP-Relay:</span></p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@DHCP-Relay] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 192.168.0.2/24 192.168.0.0 192.168.0.255 To-DHCP-Server
1 192.168.1.1/24 192.168.1.0 192.168.1.255 Local1
2 192.168.2.1/24 192.168.2.0 192.168.2.255 Local2
[admin@DHCP-Relay] ip address></pre>
</div></div><p><br/></p><p><strong>DHCP Server Setup</strong></p><p>To set up 2 DHCP servers on the DHCP-Server router, add 2 pools, one for each of the networks 192.168.1.0/24 and 192.168.2.0/24:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/ip pool add name=Local1-Pool ranges=192.168.1.11-192.168.1.100
/ip pool add name=Local2-Pool ranges=192.168.2.11-192.168.2.100
[admin@DHCP-Server] ip pool> print
# NAME RANGES
0 Local1-Pool 192.168.1.11-192.168.1.100
1 Local2-Pool 192.168.2.11-192.168.2.100
[admin@DHCP-Server] ip pool></pre>
</div></div><p><br/></p><p>Create DHCP Servers:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/ip dhcp-server add interface=To-DHCP-Relay relay=192.168.1.1 \
address-pool=Local1-Pool name=DHCP-1 disabled=no
/ip dhcp-server add interface=To-DHCP-Relay relay=192.168.2.1 \
address-pool=Local2-Pool name=DHCP-2 disabled=no
[admin@DHCP-Server] ip dhcp-server> print
Flags: X - disabled, I - invalid
# NAME INTERFACE RELAY ADDRESS-POOL LEASE-TIME ADD-ARP
0 DHCP-1 To-DHCP-Relay 192.168.1.1 Local1-Pool 3d00:00:00
1 DHCP-2 To-DHCP-Relay 192.168.2.1 Local2-Pool 3d00:00:00
[admin@DHCP-Server] ip dhcp-server></pre>
</div></div><p style="margin-left: 20.0px;"><br/></p><p>Configure respective networks:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/ip dhcp-server network add address=192.168.1.0/24 gateway=192.168.1.1 \
dns-server=159.148.60.20
/ip dhcp-server network add address=192.168.2.0/24 gateway=192.168.2.1 \
dns-server=159.148.60.20
[admin@DHCP-Server] ip dhcp-server network> print
# ADDRESS GATEWAY DNS-SERVER WINS-SERVER DOMAIN
0 192.168.1.0/24 192.168.1.1 159.148.60.20
1 192.168.2.0/24 192.168.2.1 159.148.60.20
[admin@DHCP-Server] ip dhcp-server network></pre>
</div></div><p style="margin-left: 20.0px;"><br/></p><p><strong>DHCP Relay Config</strong></p><p>Configuration of DHCP-Server is done. Now let's configure DHCP-Relay:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/ip dhcp-relay add name=Local1-Relay interface=Local1 \
dhcp-server=192.168.0.1 local-address=192.168.1.1 disabled=no
/ip dhcp-relay add name=Local2-Relay interface=Local2 \
dhcp-server=192.168.0.1 local-address=192.168.2.1 disabled=no
[admin@DHCP-Relay] ip dhcp-relay> print
Flags: X - disabled, I - invalid
# NAME INTERFACE DHCP-SERVER LOCAL-ADDRESS
0 Local1-Relay Local1 192.168.0.1 192.168.1.1
1 Local2-Relay Local2 192.168.0.1 192.168.2.1
[admin@DHCP-Relay] ip dhcp-relay></pre>
</div></div><h2 id="DHCP-DHCPRelaywithVRF(introducedin7.15)">DHCP Relay with VRF (introduced in 7.15)</h2><p class="auto-cursor-target">Let's take the previous setup, but with the interface to the DHCP server and the interfaces to the DHCP clients added to VRFs:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/ip vrf
add interfaces=To-DHCP-Server name=vrf_server
add interfaces=Local2 name=vrf2
add interfaces=Local1 name=vrf1</pre>
</div></div><p class="auto-cursor-target">In the DHCP-relay configuration dhcp-server-vrf should be added:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/ip dhcp-relay/set dhcp-server-vrf=vrf_server numbers=0,1</pre>
</div></div><p class="auto-cursor-target">Due to VRF configuration there are several routing-tables - we should add additional routes:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/ip route
add disabled=no distance=1 dst-address=192.168.0.0/24 gateway=To-DHCP-Server@vrf_server pref-src="" routing-table=vrf1 scope=10 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=1 dst-address=192.168.0.0/24 gateway=To-DHCP-Server@vrf_server pref-src="" routing-table=vrf2 scope=10 suppress-hw-offload=no \
target-scope=10
add disabled=no dst-address=192.168.1.0/24 gateway=Local1@vrf1 routing-table=vrf_server suppress-hw-offload=no
add disabled=no distance=1 dst-address=192.168.2.0/24 gateway=Local2@vrf2 pref-src="" routing-table=vrf_server scope=30 suppress-hw-offload=no \
target-scope=10</pre>
</div></div><p class="auto-cursor-target">To achieve successful DHCP-server - DHCP-relay communication we should add NAT rules:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/ip firewall nat
add action=dst-nat chain=dstnat dst-address=192.168.2.1 dst-port=67 in-interface=To-DHCP-Server protocol=udp src-address=192.168.0.1 to-addresses=\
192.168.0.2
add action=dst-nat chain=dstnat dst-address=192.168.1.1 dst-port=67 in-interface=To-DHCP-Server protocol=udp src-address=192.168.0.1 to-addresses=\
192.168.0.2</pre>
</div></div>
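<p>The relay properties and the server-side <code>relay=</code> match from the example above, seen at packet level. This is an added example, not MikroTik's code: it parses a relayed DHCP message, extracts the RFC 3046 sub-options, applies the <code>delay-threshold</code> rule, and picks the server entry by relay address. Assumptions: the relay's <code>local-address</code> travels in the BOOTP <code>giaddr</code> field, MAC addresses in Option 82 are encoded as raw 6 bytes, and every address and MAC in the sample packet is constructed.</p>

```python
import ipaddress
import struct

# Fixed BOOTP header (RFC 2131): op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr[16], sname[64], file[128] = 236 bytes.
BOOTP = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAGIC = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_RELAY_INFO, OPT_END = 0, 53, 82, 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2  # RFC 3046 sub-option codes

# relay= values taken from the page's "/ip dhcp-server add" commands.
SERVER_BY_RELAY = {"192.168.1.1": "DHCP-1", "192.168.2.1": "DHCP-2"}


def walk_tlv(data, pad=None, end=None):
    """Yield (code, value) pairs; raise ValueError on a truncated TLV."""
    i = 0
    while i < len(data):
        code = data[i]
        if code == pad:          # single-byte pad option, no length field
            i += 1
            continue
        if code == end:
            return
        if i + 1 >= len(data):
            raise ValueError("truncated TLV header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("TLV length runs past end of buffer")
        yield code, value
        i += 2 + length


def parse_relayed(packet):
    """Return secs, giaddr, client MAC and Option 82 sub-options of a packet."""
    if len(packet) < BOOTP.size + len(MAGIC):
        raise ValueError("packet shorter than BOOTP header")
    (_op, _htype, hlen, _hops, _xid, secs, _flags, _ci, _yi, _si,
     giaddr, chaddr, _sname, _file) = BOOTP.unpack_from(packet)
    if packet[BOOTP.size:BOOTP.size + 4] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    info = {"secs": secs,
            "giaddr": str(ipaddress.IPv4Address(giaddr)),
            "client_mac": chaddr[:min(hlen, 16)],
            "circuit_id": None, "remote_id": None}
    for code, value in walk_tlv(packet[BOOTP.size + 4:], OPT_PAD, OPT_END):
        if code != OPT_RELAY_INFO:
            continue
        for sub, sval in walk_tlv(value):   # sub-options have no pad/end
            if sub == SUB_CIRCUIT_ID:
                info["circuit_id"] = sval
            elif sub == SUB_REMOTE_ID:
                info["remote_id"] = sval
    return info


def relay_forwards(secs, delay_threshold):
    """Page rule: a packet whose secs is below delay-threshold is ignored."""
    return delay_threshold is None or secs >= delay_threshold


def server_for(info):
    """Server entry whose relay= equals the relay address, else None."""
    return SERVER_BY_RELAY.get(info["giaddr"])


def remote_id_is_client_mac(info):
    """True when Remote ID carries the client MAC (no relay-info-remote-id)."""
    return info["remote_id"] == info["client_mac"]


def build_sample(client_mac, giaddr, secs, circuit_id, remote_id):
    """Constructed DISCOVER as forwarded by a relay with add-relay-info=yes."""
    opt82 = (bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id +
             bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id)
    options = (MAGIC + bytes([OPT_MSG_TYPE, 1, 1]) +
               bytes([OPT_RELAY_INFO, len(opt82)]) + opt82 + bytes([OPT_END]))
    zero = b"\0" * 4
    header = BOOTP.pack(1, 1, len(client_mac), 1, 0x1234ABCD, secs, 0,
                        zero, zero, zero,
                        ipaddress.IPv4Address(giaddr).packed,
                        client_mac, b"", b"")
    return header + options


if __name__ == "__main__":
    mac = bytes.fromhex("020000000a01")        # constructed client MAC
    iface_mac = bytes.fromhex("020000000101")  # constructed interface MAC
    info = parse_relayed(build_sample(mac, "192.168.1.1", 3, iface_mac, mac))
    print(info["giaddr"], "->", server_for(info))
    print("circuit-id", info["circuit_id"].hex(":"),
          "remote-id", info["remote_id"].hex(":"))
    print("forwarded with delay-threshold=5s:", relay_forwards(info["secs"], 5))
```

<p>A Remote ID that does not equal the client hardware address is expected when <code>relay-info-remote-id</code> is configured; otherwise it is worth logging on the server side.</p>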
</div>
</div>Olga Ļ.2020-04-23T09:30:19ZVirtual Routing and Forwarding (VRF)Olga Ļ.tag:help.mikrotik.com,2009:page-328206-662024-03-27T12:38:38Z2019-09-30T15:39:28Z<div class="feed"> <p>
Page
<b>edited</b> by
<a href=" https://help.mikrotik.com/docs/display/~olga
">Olga Ļ.</a>
</p>
<div style="border-top: 1px solid #ddd; border-bottom: 1px solid #ddd; padding: 10px;">
<p><span class="mw-headline"><style type='text/css'>/*<![CDATA[*/
div.rbtoc1711701163316 {padding: 0px;}
div.rbtoc1711701163316 ul {margin-left: 0px;}
div.rbtoc1711701163316 li {margin-left: 0px;padding-left: 0px;}
/*]]>*/</style><div class='toc-macro rbtoc1711701163316'>
<ul class='toc-indentation'>
<li><a href='#VirtualRoutingandForwarding(VRF)-Description'>Description</a></li>
<li><a href='#VirtualRoutingandForwarding(VRF)-Configuration'>Configuration</a></li>
<li><a href='#VirtualRoutingandForwarding(VRF)-Supportedfeatures'>Supported features</a></li>
<li><a href='#VirtualRoutingandForwarding(VRF)-Examples'>Examples</a>
<ul class='toc-indentation'>
<li><a href='#VirtualRoutingandForwarding(VRF)-SimpleVRF-Litesetup'>Simple VRF-Lite setup</a></li>
<li><a href='#VirtualRoutingandForwarding(VRF)-StaticVRF-LiteConnectedrouteleaking'>Static VRF-Lite Connected route leaking</a></li>
<li><a href='#VirtualRoutingandForwarding(VRF)-DynamicVrf-Literouteleaking'>Dynamic Vrf-Lite route leaking</a></li>
<li><a href='#VirtualRoutingandForwarding(VRF)-DynamicVrf-Literouteleaking(oldworkaround)'>Dynamic Vrf-Lite route leaking (old workaround)</a></li>
<li><a href='#VirtualRoutingandForwarding(VRF)-ThesimplestMPLSVPNsetup'>The simplest MPLS VPN setup</a>
<ul class='toc-indentation'>
<li><a href='#VirtualRoutingandForwarding(VRF)-CE1Router'>CE1 Router</a></li>
<li><a href='#VirtualRoutingandForwarding(VRF)-CE2Router'>CE2 Router</a></li>
<li><a href='#VirtualRoutingandForwarding(VRF)-PE1Router'>PE1 Router</a></li>
<li><a href='#VirtualRoutingandForwarding(VRF)-PE2Router(Cisco)'>PE2 Router (Cisco)</a></li>
</ul>
</li>
<li><a href='#VirtualRoutingandForwarding(VRF)-Amorecomplicatedsetup(changesonly)'>A more complicated setup (changes only)</a>
<ul class='toc-indentation'>
<li><a href='#VirtualRoutingandForwarding(VRF)-CE1Router,cust-one'>CE1 Router, cust-one</a></li>
<li><a href='#VirtualRoutingandForwarding(VRF)-CE2Router,cust-one'>CE2 Router, cust-one</a></li>
<li><a href='#VirtualRoutingandForwarding(VRF)-PE1Router.1'>PE1 Router</a></li>
</ul>
</li>
<li><a href='#VirtualRoutingandForwarding(VRF)-Variation:replacetheCiscowithanotherMT'>Variation: replace the Cisco with another MT</a>
<ul class='toc-indentation'>
<li><a href='#VirtualRoutingandForwarding(VRF)-PE2Mikrotikconfig'>PE2 Mikrotik config</a></li>
</ul>
</li>
</ul>
</li>
<li><a href='#VirtualRoutingandForwarding(VRF)-References'>References</a></li>
</ul>
</div></span></p><h1 id="VirtualRoutingandForwarding(VRF)-Description"><span class="mw-headline">Description</span></h1><p>RouterOS allows creating multiple Virtual Routing and Forwarding instances on a single router. This is useful for BGP-based MPLS VPNs. Unlike BGP VPLS, which is an OSI Layer 2 technology, BGP VRF VPNs work at Layer 3 and as such exchange IP prefixes between routers. VRFs solve the problem of overlapping IP prefixes and provide the required privacy (via separated routing for different VPNs).</p><p>It is possible to build VRF-Lite setups or use multi-protocol BGP with the VPNv4 address family to distribute routes from VRF routing tables - not only to other routers, but also to different routing tables in the router itself.</p><h1 id="VirtualRoutingandForwarding(VRF)-Configuration">Configuration</h1><p>A VRF table is created in the<span> </span><strong><span style="color: rgb(0,0,255);"><code>/ip vrf</code></span></strong> menu. After the VRF config is created, a routing table mapping is added (a dynamic table with the same name is created). Each active VRF will always have a mapped routing table.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@arm-bgp] /ip/vrf> print
Flags: X - disabled; * - builtin
0 * name="main" interfaces=all
[admin@arm-bgp] /routing/table> print
Flags: D - dynamic; X - disabled, I - invalid; U - used
0 D name="main" fib
</pre>
</div></div><p>Note that the order of the added VRFs is significant. To properly match which interface will belong to the VRF, care must be taken to place VRFs in the correct order (matching is done starting from the top entry, just like firewall rules).</p><div class="confluence-information-macro confluence-information-macro-warning"><span class="aui-icon aui-icon-small aui-iconfont-error confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>Since each VRF has a mapped routing table, the maximum number of unique VRFs is also limited to 4096.</p></div></div><p><br/></p><p>Let's look at the following example:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@arm-bgp] /ip/vrf> print
Flags: X - disabled; * - builtin
0 * name="main" interfaces=all
1 name="myVrf" interfaces=lo_vrf </pre>
</div></div><p>Since the first entry matches all the interfaces, the second VRF will not have any interfaces added. To fix the problem, the order of the entries must be changed.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@arm-bgp] /ip/vrf> move 1 0
[admin@arm-bgp] /ip/vrf> print
Flags: X - disabled; * - builtin
0 name="myVrf" interfaces=lo_vrf
1 * name="main" interfaces=all </pre>
</div></div><p>Connected routes from the interfaces assigned to the VRF will be installed in the right routing table automatically.</p><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>Assigning an interface, and with it the connected routes, to a VRF does not mean that RouterOS services will automatically know which VRF to use just because an IP address is specified in the configuration. Each service needs VRF support and explicit configuration. To find out whether a service supports VRF and has VRF configuration options, refer to the documentation of that service.</p></div></div><p>For example, let's make the SSH service listen for connections on the interfaces belonging to the VRF:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@arm-bgp] /ip/service> set ssh vrf=myVrf
[admin@arm-bgp] /ip/service> print
Flags: X, I - INVALID
Columns: NAME, PORT, CERTIFICATE, VRF
# NAME PORT CERTIFICATE VRF
0 telnet 23 main
1 ftp 21
2 www 80 main
3 ssh 22 myVrf
4 X www-ssl 443 none main
5 api 8728 main
6 winbox 8291 main
7 api-ssl 8729 none main </pre>
</div></div><p>To add a route to the VRF, specify the routing-table parameter when adding the route, and select the routing table in which the gateway is resolved by appending <span style="color: rgb(255,102,0);">@name</span> to the gateway IP:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/ip route add dst-address=192.168.1.0/24 gateway=172.16.1.1@myVrf routing-table=myVrf</pre>
</div></div><p>Traffic leaking between VRFs is possible if the gateway is explicitly set to be resolved in another VRF, for example:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence"># add route in the myVrf, but resolve the gateway in the main table
/ip route add dst-address=192.168.1.0/24 gateway=172.16.1.1@main routing-table=myVrf
# add route in the main table, but resolve the gateway in the myVrf
/ip route add dst-address=192.168.1.0/24 gateway=172.16.1.1@myVrf</pre>
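<p>A review aid for the two isolation pitfalls in this section, as an added example that is not part of the MikroTik documentation: it replays the top-down VRF interface matching to find entries that end up with no interfaces, and lists every route whose gateway is resolved in a different table than the one it is installed in. It assumes a route without <code>routing-table</code> is installed in <code>main</code> and a gateway without <code>@name</code> is resolved in <code>main</code>; the interface name <code>ether1</code> and the last route line are constructed.</p>

```python
import shlex

# Entries as shown by "/ip/vrf print" on the page, before and after "move 1 0".
VRF_BEFORE = '''
 0 * name="main" interfaces=all
 1   name="myVrf" interfaces=lo_vrf
'''
VRF_AFTER = '''
 0   name="myVrf" interfaces=lo_vrf
 1 * name="main" interfaces=all
'''

# The three route commands from the page, plus one constructed line whose
# gateway carries no @table suffix.
ROUTES = '''
/ip route add dst-address=192.168.1.0/24 gateway=172.16.1.1@myVrf routing-table=myVrf
# add route in the myVrf, but resolve the gateway in the main table
/ip route add dst-address=192.168.1.0/24 gateway=172.16.1.1@main routing-table=myVrf
# add route in the main table, but resolve the gateway in the myVrf
/ip route add dst-address=192.168.1.0/24 gateway=172.16.1.1@myVrf
/ip route add dst-address=10.9.0.0/16 gateway=172.16.1.1 routing-table=myVrf
'''


def parse_kv(line):
    """Return the key=value tokens of one RouterOS line as a dict."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)


def parse_vrfs(text):
    """Ordered list of VRF entries; list order is the matching order."""
    entries = [parse_kv(line) for line in text.splitlines()]
    return [e for e in entries if "name" in e and "interfaces" in e]


def assign_interfaces(vrfs, interfaces):
    """First matching entry wins, top to bottom, like firewall rules."""
    owner = {}
    for iface in interfaces:
        for vrf in vrfs:
            members = vrf["interfaces"].split(",")
            if "all" in members or iface in members:
                owner[iface] = vrf["name"]
                break
    return owner


def shadowed_vrfs(vrfs, interfaces):
    """VRFs that receive no interface because an earlier entry matched first."""
    used = set(assign_interfaces(vrfs, interfaces).values())
    return [v["name"] for v in vrfs if v["name"] not in used]


def route_leaks(text):
    """(dst, installed-in table, gateway-resolved-in table) where they differ."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kv = parse_kv(line)
        if "gateway" not in kv:
            continue
        table = kv.get("routing-table", "main")
        _gw, _, resolved_in = kv["gateway"].partition("@")
        resolved_in = resolved_in or "main"
        if resolved_in != table:
            findings.append((kv["dst-address"], table, resolved_in))
    return findings


if __name__ == "__main__":
    ifaces = ["ether1", "lo_vrf"]
    print("shadowed before move:", shadowed_vrfs(parse_vrfs(VRF_BEFORE), ifaces))
    print("shadowed after move: ", shadowed_vrfs(parse_vrfs(VRF_AFTER), ifaces))
    for dst, table, resolved_in in route_leaks(ROUTES):
        print(f"leak: {dst} installed in {table}, gateway resolved in {resolved_in}")
```

<p>Each reported leak is either an intended inter-VRF path or a break in the separation the VRF was meant to provide, so the list is best compared against the documented design.</p>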
</div></div><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>If the gateway configuration does not explicitly specify the table in which the gateway is to be resolved, the gateway is resolved in the "main" table.</p></div></div><h1 id="VirtualRoutingandForwarding(VRF)-Supportedfeatures">Supported features</h1><p>Different services can be placed in a specific VRF, in which the service listens for incoming connections or creates outgoing connections. By default, all services use the <span style="color: rgb(153,51,102);"><code>main</code></span> table, but this can be changed with a separate <span style="color: rgb(51,153,102);"><code>vrf</code></span> parameter or by appending the VRF name, separated by "@", to the end of the IP address.</p><p>Below is the list of supported services.</p><div class="table-wrap"><table class="relative-table wrapped confluenceTable" style="width: 32.8849%;"><colgroup><col style="width: 17.2739%;"/><col style="width: 14.8364%;"/><col style="width: 67.8764%;"/></colgroup><thead><tr><th style="text-align: left;" class="confluenceTh"><p>Feature</p></th><th style="text-align: left;" class="confluenceTh"><p>Support</p></th><th style="text-align: left;" class="confluenceTh"><p>Comment</p></th></tr></thead><tbody><tr><td style="text-align: left;" class="confluenceTd"><strong><a href="https://help.mikrotik.com/docs/display/ROS/BGP" rel="nofollow">BGP</a></strong></td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" title="Background color : Light green 35%" data-highlight-colour="#e3fcef">+</td><td style="text-align: left;" class="confluenceTd"><div class="content-wrapper"><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/routing bgp template
add name=bgp-template1 vrf=vrf1
/routing bgp vpls
add name=bgp-vpls1 site-id=10 vrf=vrf1
/routing bgp vpn
add label-allocation-policy=per-vrf vrf=vrf1</pre>
</div></div></div></td></tr><tr><td style="text-align: left;" class="confluenceTd"><strong><a href="https://help.mikrotik.com/docs/display/ROS/E-mail" rel="nofollow">E-mail</a></strong></td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" data-highlight-colour="#e3fcef">+</td><td style="text-align: left;" class="confluenceTd"><div class="content-wrapper"><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/tool e-mail
set address=192.168.88.1 vrf=vrf1</pre>
</div></div></div></td></tr><tr><td style="text-align: left;" class="confluenceTd"><strong><a href="https://help.mikrotik.com/docs/display/ROS/Services" rel="nofollow">IP Services</a></strong></td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" data-highlight-colour="#e3fcef">+</td><td style="text-align: left;" class="confluenceTd"><div class="content-wrapper"><p class="auto-cursor-target">VRF is supported for <code>telnet</code>, <code>www</code>, <code>ssh</code>, <code>www-ssl</code>, <code>api</code>, <code>winbox</code>, <code>api-ssl</code> services. The <code>ftp</code> service does not support changing the VRF.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/ip service
set telnet vrf=vrf1</pre>
</div></div></div></td></tr><tr><td style="text-align: left;" class="confluenceTd"><strong><a href="https://help.mikrotik.com/docs/display/ROS/L2TP" rel="nofollow">L2TP Client</a></strong></td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" title="Background color : Light green 35%" data-highlight-colour="#e3fcef">+</td><td style="text-align: left;" class="confluenceTd"><div class="content-wrapper"><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface l2tp-client
add connect-to=192.168.88.1@vrf1 name=l2tp-out1 user=l2tp-client </pre>
</div></div></div></td></tr><tr><td style="text-align: left;" class="confluenceTd"><strong><a href="https://help.mikrotik.com/docs/display/ROS/Mpls+Overview" rel="nofollow">MPLS</a></strong></td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" title="Background color : Light green 35%" data-highlight-colour="#e3fcef">+</td><td style="text-align: left;" class="confluenceTd"><div class="content-wrapper"><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/mpls ldp
add vrf=vrf1</pre>
</div></div></div></td></tr><tr><td style="text-align: left;" class="confluenceTd"><strong><a href="https://help.mikrotik.com/docs/display/ROS/Netwatch" rel="nofollow">Netwatch</a></strong></td><td class="highlight-#e3fcef confluenceTd" style="text-align: left;" title="Background color : Light green 35%" data-highlight-colour="#e3fcef"><p style="text-align: center;" title="">+</p></td><td style="text-align: left;" class="confluenceTd"><div class="content-wrapper"><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/tool netwatch
add host=192.168.88.1@vrf1</pre>
</div></div></div></td></tr><tr><td style="text-align: left;" class="confluenceTd"><strong><a href="https://help.mikrotik.com/docs/pages/viewpage.action?pageId=40992869" rel="nofollow">NTP</a></strong></td><td class="highlight-#e3fcef confluenceTd" style="text-align: left;" title="Background color : Light green 35%" data-highlight-colour="#e3fcef"><p style="text-align: center;" title="">+</p></td><td style="text-align: left;" class="confluenceTd"><div class="content-wrapper"><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/system ntp client
set vrf=vrf1
/system ntp server
set vrf=vrf1</pre>
</div></div></div></td></tr><tr><td style="text-align: left;" class="confluenceTd"><strong><a href="https://help.mikrotik.com/docs/display/ROS/OSPF" rel="nofollow">OSPF</a></strong></td><td class="highlight-#e3fcef confluenceTd" style="text-align: left;" data-highlight-colour="#e3fcef"><p style="text-align: center;" title="">+</p></td><td style="text-align: left;" class="confluenceTd"><div class="content-wrapper"><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/routing ospf instance
add disabled=no name=ospf-instance-1 vrf=vrf1</pre>
</div></div></div></td></tr><tr><td style="text-align: left;" class="confluenceTd"><strong><a href="https://help.mikrotik.com/docs/display/ROS/Ping" rel="nofollow">ping</a></strong></td><td class="highlight-#e3fcef confluenceTd" style="text-align: left;" data-highlight-colour="#e3fcef"><p style="text-align: center;" title="">+</p></td><td style="text-align: left;" class="confluenceTd"><div class="content-wrapper"><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/ping 192.168.88.1 vrf=vrf1</pre>
</div></div></div></td></tr><tr><td style="text-align: left;" class="confluenceTd"><strong><a href="https://help.mikrotik.com/docs/display/ROS/RADIUS" rel="nofollow">RADIUS</a></strong></td><td class="highlight-#e3fcef confluenceTd" style="text-align: left;" data-highlight-colour="#e3fcef"><p style="text-align: center;" title="">+</p></td><td style="text-align: left;" class="confluenceTd"><div class="content-wrapper"><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/radius add address=192.168.88.1@vrf1
/radius incoming set vrf=vrf1</pre>
</div></div></div></td></tr><tr><td style="text-align: left;" class="confluenceTd"><strong><a href="https://help.mikrotik.com/docs/display/ROS/RIP" rel="nofollow">RIP</a></strong></td><td class="highlight-#e3fcef confluenceTd" style="text-align: left;" title="Background color : Light green 35%" data-highlight-colour="#e3fcef"><p style="text-align: center;" title="">+</p></td><td style="text-align: left;" class="confluenceTd"><div class="content-wrapper"><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/routing rip instance
add name=rip-instance-1 vrf=vrf1</pre>
</div></div></div></td></tr><tr><td style="text-align: left;" class="confluenceTd"><strong><a href="https://help.mikrotik.com/docs/display/ROS/RPKI" rel="nofollow">RPKI</a></strong></td><td class="highlight-#e3fcef confluenceTd" style="text-align: left;" title="Background color : Light green 35%" data-highlight-colour="#e3fcef"><p style="text-align: center;" title="">+</p></td><td style="text-align: left;" class="confluenceTd"><div class="content-wrapper"><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/routing rpki
add vrf=vrf1</pre>
</div></div></div></td></tr><tr><td style="text-align: left;" class="confluenceTd"><strong><a href="https://help.mikrotik.com/docs/display/ROS/SNMP" rel="nofollow">SNMP</a></strong></td><td class="highlight-#e3fcef confluenceTd" style="text-align: left;" data-highlight-colour="#e3fcef"><p style="text-align: center;" title="">+</p></td><td style="text-align: left;" class="confluenceTd"><div class="content-wrapper"><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/snmp
set vrf=vrf1</pre>
</div></div></div></td></tr><tr><td style="text-align: left;" class="confluenceTd"><strong><a href="https://help.mikrotik.com/docs/display/ROS/EoIP" rel="nofollow">EoIP</a></strong></td><td class="highlight-#e3fcef confluenceTd" style="text-align: left;" title="Background color : Light green 35%" data-highlight-colour="#e3fcef"><p style="text-align: center;" title="">+</p></td><td style="text-align: left;" class="confluenceTd"><div class="content-wrapper"><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface eoip
add remote-address=192.168.1.1@vrf1</pre>
</div></div></div></td></tr><tr><td style="text-align: left;" class="confluenceTd"><strong><a href="https://help.mikrotik.com/docs/display/ROS/IPIP" rel="nofollow">IPIP</a></strong></td><td class="highlight-#e3fcef confluenceTd" style="text-align: left;" title="Background color : Light green 35%" data-highlight-colour="#e3fcef"><p style="text-align: center;" title="">+</p></td><td style="text-align: left;" class="confluenceTd"><div class="content-wrapper"><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface ipip
add remote-address=192.168.1.1@vrf1</pre>
</div></div></div></td></tr><tr><td style="text-align: left;" class="confluenceTd"><strong><a href="https://help.mikrotik.com/docs/display/ROS/GRE" rel="nofollow">GRE</a></strong></td><td class="highlight-#e3fcef confluenceTd" style="text-align: left;" title="Background color : Light green 35%" data-highlight-colour="#e3fcef"><p style="text-align: center;" title="">+</p></td><td style="text-align: left;" class="confluenceTd"><div class="content-wrapper"><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface gre
add remote-address=192.168.1.1@vrf1</pre>
</div></div></div></td></tr><tr><td style="text-align: left;" class="confluenceTd"><strong><a href="https://help.mikrotik.com/docs/display/ROS/SSTP#SSTP-SSTPClient" rel="nofollow">SSTP-client</a></strong></td><td class="highlight-#e3fcef confluenceTd" style="text-align: left;" title="Background color : Light green 35%" data-highlight-colour="#e3fcef"><p style="text-align: center;" title="">+</p></td><td style="text-align: left;" class="confluenceTd"><div class="content-wrapper"><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface sstp-client
add connect-to=192.168.1.1@vrf1</pre>
</div></div></div></td></tr><tr><td style="text-align: left;" class="confluenceTd"><strong><a href="https://help.mikrotik.com/docs/display/ROS/OpenVPN#OpenVPN-OVPNClient" rel="nofollow">OVPN-client</a></strong></td><td class="highlight-#e3fcef confluenceTd" style="text-align: left;" title="Background color : Light green 35%" data-highlight-colour="#e3fcef"><p style="text-align: center;" title="">+</p></td><td style="text-align: left;" class="confluenceTd"><div class="content-wrapper"><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface ovpn-client
add connect-to=192.168.1.1@vrf1</pre>
</div></div></div></td></tr><tr><td style="text-align: left;" class="confluenceTd"><strong><span style="color: rgb(23,43,77);">L2TP-ether</span></strong></td><td class="highlight-#e3fcef confluenceTd" style="text-align: left;" title="Background color : Light green 35%" data-highlight-colour="#e3fcef"><p style="text-align: center;" title="">+</p></td><td style="text-align: left;" class="confluenceTd"><div class="content-wrapper"><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface l2tp-ether
add connect-to=192.168.2.2@vrf</pre>
</div></div></div></td></tr><tr><td style="text-align: left;" class="confluenceTd"><strong><span style="color: rgb(23,43,77);"><a href="https://help.mikrotik.com/docs/display/ROS/VXLAN" rel="nofollow">VXLAN</a></span></strong></td><td class="highlight-#e3fcef confluenceTd" style="text-align: left;" title="Background color : Light green 35%" data-highlight-colour="#e3fcef"><p style="text-align: center;" title="">+</p></td><td style="text-align: left;" class="confluenceTd"><div class="content-wrapper"><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface vxlan
add vni=10 vrf=vrf1</pre>
</div></div></div></td></tr><tr><td style="text-align: left;" class="confluenceTd"><strong><span style="color: rgb(23,43,77);"><a href="https://help.mikrotik.com/docs/display/ROS/Fetch" rel="nofollow">Fetch</a></span></strong></td><td class="highlight-#e3fcef confluenceTd" style="text-align: left;" title="Background color : Light green 35%" data-highlight-colour="#e3fcef"><p style="text-align: center;" title="">+</p></td><td style="text-align: left;" class="confluenceTd"><div class="content-wrapper"><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/tool/fetch address=10.155.28.236@vrf1 mode=ftp src-path=my_file.pcap user=admin password=""</pre>
</div></div></div></td></tr><tr><td style="text-align: left;" class="confluenceTd"><strong><span style="color: rgb(23,43,77);"><a href="https://help.mikrotik.com/docs/display/ROS/DNS">DNS</a></span></strong></td><td class="highlight-#ffe380 confluenceTd" style="text-align: left;" data-highlight-colour="#ffe380"><p style="text-align: center;" title="">+</p><p style="text-align: center;" title=""><span style="color: rgb(23,43,77);">Starting from RouterOS v7.15</span></p></td><td style="text-align: left;" class="confluenceTd"><div class="content-wrapper"><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/ip dns set vrf=vrf1</pre>
</div></div></div></td></tr><tr><td style="text-align: left;" class="confluenceTd"><strong><span style="color: rgb(23,43,77);"><a href="https://help.mikrotik.com/docs/display/ROS/DHCP">DHCP-Relay</a></span></strong></td><td class="highlight-#ffe380 confluenceTd" style="text-align: left;" data-highlight-colour="#ffe380"><p style="text-align: center;" title="">+</p><p style="text-align: center;" title=""><span style="color: rgb(23,43,77);">Starting from RouterOS v7.15</span></p></td><td style="text-align: left;" class="confluenceTd"><div class="content-wrapper"><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/ip dhcp-relay set dhcp-server-vrf=vrf1</pre>
</div></div><em>If the DHCP client is in a VRF, no special parameter is needed in the "ip dhcp-relay" configuration.</em></div></td></tr></tbody></table></div><h1 id="VirtualRoutingandForwarding(VRF)-Examples"><span class="mw-headline">Examples</span></h1><h2 id="VirtualRoutingandForwarding(VRF)-SimpleVRF-Litesetup"><span class="mw-headline">Simple VRF-Lite setup</span></h2><p><span class="mw-headline">Let's consider a setup where we need two customer VRFs that require access to the internet:<br/></span></p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/ip address
add address=172.16.1.2/24 interface=public
add address=192.168.1.1/24 interface=ether1
add address=192.168.2.1/24 interface=ether2
/ip route
add gateway=172.16.1.1
# add VRF configuration
/ip vrf
add name=cust_a interfaces=ether1 place-before=0
add name=cust_b interfaces=ether2 place-before=0
# add vrf routes
/ip route
add gateway=172.16.1.1@main routing-table=cust_a
add gateway=172.16.1.1@main routing-table=cust_b
# masquerade local source
/ip firewall nat add chain=srcnat out-interface=public action=masquerade</pre>
</div></div><p>It might be necessary to ensure that packets arriving on the "public" interface actually reach the correct VRF.<br/>This can be solved by marking new connections originated by the VRF customers and then steering incoming packets on the "public" interface with routing marks based on those connection marks.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence"># mark new customer connections
/ip firewall mangle
add action=mark-connection chain=prerouting connection-state=new new-connection-mark=\
cust_a_conn src-address=192.168.1.0/24 passthrough=no
add action=mark-connection chain=prerouting connection-state=new new-connection-mark=\
cust_b_conn src-address=192.168.2.0/24 passthrough=no
# mark routing
/ip firewall mangle
add action=mark-routing chain=prerouting connection-mark=cust_a_conn \
in-interface=public new-routing-mark=cust_a
add action=mark-routing chain=prerouting connection-mark=cust_b_conn \
in-interface=public new-routing-mark=cust_b</pre>
</div></div><h2 id="VirtualRoutingandForwarding(VRF)-StaticVRF-LiteConnectedrouteleaking"><span>Static VRF-Lite Connected route leaking</span></h2><p>Sometimes it is necessary to access directly connected resources from another VRF. In our example setup, we have two connected networks, each in its own VRF, and we want to allow client1 to access client2.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: text; gutter: false; theme: Confluence" data-theme="Confluence">                   +-----------------+
                   |+-vrf1-+ +-vrf2-+|
client1(*.2)-------||ip *.1| |ip *.1||-------client2(*.2)
(10.11.0.0/24)     |+------+ +------+|       (10.12.0.0/24)
                   +-----------------+</pre>
</div></div><p><br/></p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/ip address
add address=10.11.0.1/24 interface=sfp-sfpplus1
add address=10.12.0.1/24 interface=sfp-sfpplus2
# add VRF configuration
/ip vrf
add name=vrfTest1 interfaces=sfp-sfpplus1 place-before=0
add name=vrfTest2 interfaces=sfp-sfpplus2 place-before=0
</pre>
</div></div><p>We can declare that a connected network is reachable through a specific VRF by setting the gateway to "interface@vrf":</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence"># add vrf routes
/ip route
add dst-address=10.11.0.0/24 gateway="sfp-sfpplus1@vrfTest1" routing-table=vrfTest2
add dst-address=10.12.0.0/24 gateway="sfp-sfpplus2@vrfTest2" routing-table=vrfTest1
</pre>
</div></div><p>Verify routes and reachability:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: text; gutter: false; theme: Confluence" data-theme="Confluence">[admin@CCR2004_2XS] /ip/route> print detail
Flags: D - dynamic; X - disabled, I - inactive, A - active;
c - connect, s - static, r - rip, b - bgp, o - ospf, i - is-is, d - dhcp, v - vpn, m - modem, y - bgp-mpls-vpn; H - hw-offloaded; + - ecmp
DAc dst-address=111.11.0.0/24 routing-table=vrfTest1 gateway=sfp-sfpplus1@vrfTest1 immediate-gw=sfp-sfpplus1 distance=0 scope=10 suppress-hw-offload=no
local-address=111.11.0.1%sfp-sfpplus1@vrfTest1
1 As dst-address=111.12.0.0/24 routing-table=vrfTest1 pref-src="" gateway=vrfTest2 immediate-gw=vrfTest2 distance=1 scope=30 target-scope=10
suppress-hw-offload=no
2 As dst-address=111.11.0.0/24 routing-table=vrfTest2 pref-src="" gateway=vrfTest1 immediate-gw=vrfTest1 distance=1 scope=30 target-scope=10
suppress-hw-offload=no
DAc dst-address=111.12.0.0/24 routing-table=vrfTest2 gateway=sfp-sfpplus2@vrfTest2 immediate-gw=sfp-sfpplus2 distance=0 scope=10 suppress-hw-offload=no
local-address=111.12.0.1%sfp-sfpplus2@vrfTest2
</pre>
</div></div><p><br/></p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: text; gutter: false; theme: Confluence" data-theme="Confluence">[admin@cl2] > /ping 111.11.0.2 src-address=111.12.0.2
SEQ HOST SIZE TTL TIME STATUS
0 111.11.0.2 56 64 67us
1 111.11.0.2 56 64 61us
sent=2 received=2 packet-loss=0% min-rtt=61us avg-rtt=64u
</pre>
</div></div><p><br/></p><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>Keep in mind that trying to leak overlapping networks will not work.</p></div></div><p>But what if we want to access the router's local address located in another VRF?</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: text; gutter: false; theme: Confluence" data-theme="Confluence">[admin@cl2] > /ping 111.11.0.1 src-address=111.12.0.2
SEQ HOST SIZE TTL TIME STATUS
0 111.11.0.1 timeout
1 111.11.0.1 timeout
sent=2 received=0 packet-loss=100%
</pre>
</div></div><p>The approach with "interface@vrf" gateways works only when the router is forwarding packets. To access local VRF addresses, we need to route to the VRF interface.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence"># add vrf routes
/ip route
add dst-address=10.11.0.0/24 gateway=vrfTest1@vrfTest1 routing-table=vrfTest2
add dst-address=10.12.0.0/24 gateway=vrfTest2@vrfTest2 routing-table=vrfTest1
</pre>
</div></div><p><br/></p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: text; gutter: false; theme: Confluence" data-theme="Confluence">[admin@cl2] > /ping 111.11.0.1 src-address=111.12.0.2
SEQ HOST SIZE TTL TIME STATUS
0 111.11.0.1 56 64 67us
1 111.11.0.1 56 64 61us
sent=2 received=2 packet-loss=0% min-rtt=61us avg-rtt=64u
</pre>
</div></div><p><br/></p><h2 id="VirtualRoutingandForwarding(VRF)-DynamicVrf-Literouteleaking"><span>Dynamic Vrf-Lite route leaking</span></h2><p><span>In large enough setups, static route leaking is not sufficient. Let's consider the same setup as in the static route leaking example, plus IPv6 addresses, just for demonstration.</span></p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/ip address
add address=10.11.0.1/24 interface=sfp-sfpplus1
add address=10.12.0.1/24 interface=sfp-sfpplus2
# add VRF configuration
/ip vrf
add name=vrfTest1 interfaces=sfp-sfpplus1 place-before=0
add name=vrfTest2 interfaces=sfp-sfpplus2 place-before=0
/ipv6 address
add address=2001:1::1 advertise=no interface=sfp-sfpplus1
add address=2001:2::1 advertise=no interface=sfp-sfpplus2
</pre>
</div></div><p><span>We can use BGP VPN to leak local routes without actually establishing a BGP session.</span></p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/routing bgp vpn
add export.redistribute=connected .route-targets=1:1 import.route-targets=1:2 label-allocation-policy=per-vrf name=bgp-mpls-vpn-1 \
route-distinguisher=1.2.3.4:1 vrf=vrfTest1
add export.redistribute=connected .route-targets=1:2 import.route-targets=1:1 label-allocation-policy=per-vrf name=bgp-mpls-vpn-2 \
route-distinguisher=1.2.3.4:1 vrf=vrfTest2</pre>
</div></div><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>Be careful with import/export route targets: if they are not set up properly, a VRF will import its own local routes.</p></div></div><p><br/></p><p><span>Now we can see that connected routes are exchanged between the VRFs:</span></p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: text; gutter: false; theme: Confluence" data-theme="Confluence">[admin@CCR2004_2XS] > /routing route print where dst-address in 111.0.0.0/8 && afi=ip4
...
Ac afi=ip4 contribution=active dst-address=111.11.0.0/24 routing-table=vrfTest1 gateway=sfp-sfpplus1@vrfTest1 immediate-gw=sfp-sfpplus1 distance=0 scope=10
belongs-to="connected" local-address=111.11.0.1%sfp-sfpplus1@vrfTest1
debug.fwp-ptr=0x202421E0
Ay afi=ip4 contribution=best-candidate dst-address=111.12.0.0/24 routing-table=vrfTest1 label=17 gateway=vrfTest2@vrfTest2 immediate-gw=sfp-sfpplus2
distance=200 scope=40 target-scope=10 belongs-to="bgp-mpls-vpn-1-bgp-mpls-vpn-2-connected-export-import"
bgp.ext-communities=rt:1:2 .atomic-aggregate=no .origin=incomplete
debug.fwp-ptr=0x202425A0
Ay afi=ip4 contribution=best-candidate dst-address=111.11.0.0/24 routing-table=vrfTest2 label=16 gateway=vrfTest1@vrfTest1 immediate-gw=sfp-sfpplus1
distance=200 scope=40 target-scope=10 belongs-to="bgp-mpls-vpn-2-bgp-mpls-vpn-1-connected-export-import"
bgp.ext-communities=rt:1:1 .atomic-aggregate=no .origin=incomplete
debug.fwp-ptr=0x202424E0
Ac afi=ip4 contribution=active dst-address=111.12.0.0/24 routing-table=vrfTest2 gateway=sfp-sfpplus2@vrfTest2 immediate-gw=sfp-sfpplus2 distance=0 scope=10
belongs-to="connected" local-address=111.12.0.1%sfp-sfpplus2@vrfTest2
debug.fwp-ptr=0x20242240
</pre>
</div></div><p><span>And IPv6 too:</span></p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: text; gutter: false; theme: Confluence" data-theme="Confluence">[admin@CCR2004_2XS] /routing/route> print detail where dst-address in 2001::/8 && afi=ip6
...
Ac afi=ip6 contribution=active dst-address=2001:1::/64 routing-table=vrfTest1 gateway=sfp-sfpplus1@vrfTest1 immediate-gw=sfp-sfpplus1 distance=0 scope=10
belongs-to="connected" local-address=2001:1::1%sfp-sfpplus1@vrfTest1
debug.fwp-ptr=0x20242300
Ay afi=ip6 contribution=active dst-address=2001:2::/64 routing-table=vrfTest1 label=17 gateway=vrfTest2@vrfTest2 immediate-gw=sfp-sfpplus2 distance=200
scope=40 target-scope=10 belongs-to="bgp-mpls-vpn-1-bgp-mpls-vpn-2-connected-export-import"
bgp.ext-communities=rt:1:2 .atomic-aggregate=no .origin=incomplete
debug.fwp-ptr=0x202425A0
Ay afi=ip6 contribution=active dst-address=2001:1::/64 routing-table=vrfTest2 label=16 gateway=vrfTest1@vrfTest1 immediate-gw=sfp-sfpplus1 distance=200
scope=40 target-scope=10 belongs-to="bgp-mpls-vpn-2-bgp-mpls-vpn-1-connected-export-import"
bgp.ext-communities=rt:1:1 .atomic-aggregate=no .origin=incomplete
debug.fwp-ptr=0x202424E0
Ac afi=ip6 contribution=active dst-address=2001:2::/64 routing-table=vrfTest2 gateway=sfp-sfpplus2@vrfTest2 immediate-gw=sfp-sfpplus2 distance=0 scope=10
belongs-to="connected" local-address=2001:2::1%sfp-sfpplus2@vrfTest2
debug.fwp-ptr=0x20242360
</pre>
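<p>The route-target caution in this section can be checked offline against exported configuration text. The Python script below is an added example, not part of the MikroTik documentation: it parses "/routing bgp vpn" entries, works out which VRF imports which VRF's routes through shared route targets, and reports self-imports and leaks outside an allow-list. The vrfMgmt entry, its values, and all function names are constructed for illustration, and the ".key" shorthand is assumed to continue the previous parameter group.</p>

```python
import shlex

# Constructed input: the two entries from the section above plus a hypothetical
# third entry (vrfMgmt, invented for this example) with careless route targets.
SAMPLE = r"""
/routing bgp vpn
add export.redistribute=connected .route-targets=1:1 import.route-targets=1:2 label-allocation-policy=per-vrf name=bgp-mpls-vpn-1 \
    route-distinguisher=1.2.3.4:1 vrf=vrfTest1
add export.redistribute=connected .route-targets=1:2 import.route-targets=1:1 label-allocation-policy=per-vrf name=bgp-mpls-vpn-2 \
    route-distinguisher=1.2.3.4:1 vrf=vrfTest2
add export.redistribute=connected .route-targets=1:9 import.route-targets=1:9,1:1 name=bgp-mpls-vpn-3 \
    route-distinguisher=1.2.3.4:3 vrf=vrfMgmt
"""


def logical_lines(text):
    """Join '\\' line continuations; drop blank lines and '#' comments."""
    joined, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]          # keep collecting the continued command
            continue
        buf += line
        if buf and not buf.startswith("#"):
            joined.append(buf)
        buf = ""
    return joined


def expand_params(tokens):
    """Build a dict from key=value tokens, resolving the '.key' shorthand.

    Assumption: '.route-targets' after 'export.redistribute=...' continues the
    'export' group, i.e. it means 'export.route-targets'.
    """
    params, group = {}, ""
    for tok in tokens:
        key, sep, value = tok.partition("=")
        if not sep:
            continue
        if key.startswith("."):
            key = group + key
        elif "." in key:
            group = key.rsplit(".", 1)[0]
        else:
            group = ""
        params[key] = value
    return params


def parse_bgp_vpn(text):
    """Return one {'vrf', 'export', 'import'} dict per '/routing bgp vpn' add."""
    entries, menu = [], ""
    for line in logical_lines(text):
        if line.startswith("/"):
            head, sep, rest = line.partition(" add ")
            menu = " ".join(head.lstrip("/").replace("/", " ").split())
            if not sep:
                continue              # bare menu line; commands follow
            line = "add " + rest      # menu and command on one line
        if menu != "routing bgp vpn" or not line.startswith("add "):
            continue
        p = expand_params(shlex.split(line)[1:])
        entries.append({
            "vrf": p.get("vrf", ""),
            "export": set(filter(None, p.get("export.route-targets", "").split(","))),
            "import": set(filter(None, p.get("import.route-targets", "").split(","))),
        })
    return entries


def leak_edges(entries):
    """Map (source VRF, destination VRF) to the route targets carrying the leak."""
    edges = {}
    for src in entries:
        for dst in entries:
            shared = src["export"] & dst["import"]
            if shared:
                edges[(src["vrf"], dst["vrf"])] = sorted(shared)
    return edges


def audit(entries, intended):
    """Report self-imports and any leak not listed in the 'intended' pairs."""
    findings = []
    for (src, dst), rts in sorted(leak_edges(entries).items()):
        if src == dst:
            findings.append(f"SELF-IMPORT {src}: imports its own export target(s) {','.join(rts)}")
        elif (src, dst) not in intended:
            findings.append(f"UNINTENDED {src} -> {dst} via {','.join(rts)}")
    return findings


if __name__ == "__main__":
    allowed = {("vrfTest1", "vrfTest2"), ("vrfTest2", "vrfTest1")}
    for finding in audit(parse_bgp_vpn(SAMPLE), allowed):
        print(finding)
```

<p>Run against the two entries from this section alone, the audit reports nothing; the constructed vrfMgmt entry triggers both finding types.</p>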
</div></div><h2 id="VirtualRoutingandForwarding(VRF)-DynamicVrf-Literouteleaking(oldworkaround)"><span>Dynamic Vrf-Lite route leaking (old workaround)</span></h2><p>Before ROS v7.14 there was no mechanism to leak routes from one VRF instance to another within the same router.</p><p>As a workaround, it was possible to create a tunnel between two locally configured loopback addresses and assign each tunnel endpoint to its own VRF. It was then possible to either run dynamic routing protocols or set up static routes to leak routes between both VRFs.</p><p>The downside of this approach is that a tunnel must be created between each pair of VRFs where routes should be leaked (a full mesh), which significantly complicates configuration even if there are just several VRFs, not to mention more complicated setups.</p><p>For example, to leak routes between 5 VRFs it would require <span>n * (n - 1) / 2 connections, which leads to a setup with 20 tunnel endpoints and 20 OSPF instances on one router.</span></p><p>Example configuration of this method with two VRFs:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface bridge
add name=dummy_custC
add name=dummy_custB
add name=lo1
add name=lo2
/ip address
add address=111.255.255.1 interface=lo1 network=111.255.255.1
add address=111.255.255.2 interface=lo2 network=111.255.255.2
add address=172.16.1.0/24 interface=dummy_custC network=172.16.1.0
add address=172.16.2.0/24 interface=dummy_custB network=172.16.2.0
/interface ipip
add local-address=111.255.255.1 name=ipip-tunnel1 remote-address=111.255.255.2
add local-address=111.255.255.2 name=ipip-tunnel2 remote-address=111.255.255.1
/ip address
add address=192.168.1.1/24 interface=ipip-tunnel1 network=192.168.1.0
add address=192.168.1.2/24 interface=ipip-tunnel2 network=192.168.1.0
/ip vrf
add interfaces=ipip-tunnel1,dummy_custC name=custC
add interfaces=ipip-tunnel2,dummy_custB name=custB
/routing ospf instance
add disabled=no name=i2_custB redistribute=connected,static,copy router-id=192.168.1.1 routing-table=custB vrf=custB
add disabled=no name=i2_custC redistribute=connected router-id=192.168.1.2 routing-table=custC vrf=custC
/routing ospf area
add disabled=no instance=i2_custB name=custB_bb
add disabled=no instance=i2_custC name=custC_bb
/routing ospf interface-template
add area=custB_bb disabled=no networks=192.168.1.0/24
add area=custC_bb disabled=no networks=192.168.1.0/24
</pre>
</div></div><p>Result:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@rack1_b36_CCR1009] /routing/ospf/neighbor> print
Flags: V - virtual; D - dynamic
0 D instance=i2_custB area=custB_bb address=192.168.1.1 priority=128 router-id=192.168.1.2 dr=192.168.1.1 bdr=192.168.1.2
state="Full" state-changes=6 adjacency=41m28s timeout=33s
1 D instance=i2_custC area=custC_bb address=192.168.1.2 priority=128 router-id=192.168.1.1 dr=192.168.1.1 bdr=192.168.1.2
state="Full" state-changes=6 adjacency=41m28s timeout=33s
[admin@rack1_b36_CCR1009] /ip/route> print where routing-table=custB
Flags: D - DYNAMIC; A - ACTIVE; c, s, o, y - COPY
Columns: DST-ADDRESS, GATEWAY, DISTANCE
DST-ADDRESS GATEWAY DISTANCE
DAo 172.16.1.0/24 192.168.1.1%ipip-tunnel2@custB 110
DAc 172.16.2.0/24 dummy_custB@custB 0
DAc 192.168.1.0/24 ipip-tunnel2@custB 0
[admin@rack1_b36_CCR1009] > /ip route/print where routing-table=custC
Flags: D - DYNAMIC; A - ACTIVE; c, o, y - COPY
Columns: DST-ADDRESS, GATEWAY, DISTANCE
DST-ADDRESS GATEWAY DISTANCE
DAc 172.16.1.0/24 dummy_custC@custC 0
DAo 172.16.2.0/24 192.168.1.2%ipip-tunnel1@custC 110
DAc 192.168.1.0/24 ipip-tunnel1@custC 0
</pre>
</div></div><p><br/></p><h2 id="VirtualRoutingandForwarding(VRF)-ThesimplestMPLSVPNsetup"><span class="mw-headline">The simplest MPLS VPN setup</span></h2><p><span class="confluence-embedded-file-wrapper image-center-wrapper"><img class="confluence-embedded-image image-center" draggable="false" src="https://help.mikrotik.com/docs/download/attachments/328206/L3vpn-simple.png?version=2&modificationDate=1621329532209&api=v2" data-image-src="https://help.mikrotik.com/docs/download/attachments/328206/L3vpn-simple.png?version=2&modificationDate=1621329532209&api=v2" data-unresolved-comment-count="0" data-linked-resource-id="40992769" data-linked-resource-version="2" data-linked-resource-type="attachment" data-linked-resource-default-alias="L3vpn-simple.png" data-base-url="https://help.mikrotik.com/docs" data-linked-resource-content-type="image/png" data-linked-resource-container-id="328206" data-linked-resource-container-version="66" alt=""></span></p><p>In this example, a rudimentary MPLS backbone (consisting of two Provider Edge (PE) routers, PE1 and PE2) is created and configured to forward traffic between the Customer Edge (CE) routers CE1 and CE2, which belong to the<span> </span><em>cust-one</em><span> </span>VPN.</p><h3 id="VirtualRoutingandForwarding(VRF)-CE1Router"><span class="mw-headline">CE1 Router</span></h3><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/ip address add address=10.1.1.1/24 interface=ether1
# use static routing
/ip route add dst-address=10.3.3.0/24 gateway=10.1.1.2</pre>
</div></div><p style="margin-left: 20.0px;"><br/></p><h3 id="VirtualRoutingandForwarding(VRF)-CE2Router"><span class="mw-headline">CE2 Router</span></h3><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/ip address add address=10.3.3.4/24 interface=ether1
/ip route add dst-address=10.1.1.0/24 gateway=10.3.3.3</pre>
</div></div><p style="margin-left: 20.0px;"><br/></p><h3 id="VirtualRoutingandForwarding(VRF)-PE1Router"><span class="mw-headline">PE1 Router</span></h3><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface bridge add name=lobridge
/ip address add address=10.1.1.2/24 interface=ether1
/ip address add address=10.2.2.2/24 interface=ether2
/ip address add address=10.5.5.2/32 interface=lobridge
/ip vrf add name=cust-one interfaces=ether1
/mpls ldp add enabled=yes transport-address=10.5.5.2 lsr-id=10.5.5.2
/mpls ldp interface add interface=ether2
/routing bgp template set default as=65000
/routing bgp vpn
add vrf=cust-one \
route-distinguisher=1.1.1.1:111 \
import.route-targets=1.1.1.1:111 \
import.router-id=cust-one \
export.redistribute=connected \
export.route-targets=1.1.1.1:111 \
label-allocation-policy=per-vrf
/routing bgp connection
add template=default remote.address=10.5.5.3 address-families=vpnv4 local.address=10.5.5.2
# add route to the remote BGP peer's loopback address
/ip route add dst-address=10.5.5.3/32 gateway=10.2.2.3</pre>
</div></div><p><br/></p><p style="margin-left: 20.0px;"><br/></p><h3 id="VirtualRoutingandForwarding(VRF)-PE2Router(Cisco)"><span class="mw-headline">PE2 Router (Cisco)</span></h3><p style="margin-left: 20.0px;"><span style="font-size: 16.0px;font-weight: bold;letter-spacing: -0.006em;"> </span></p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">ip vrf cust-one
rd 1.1.1.1:111
route-target export 1.1.1.1:111
route-target import 1.1.1.1:111
exit
interface Loopback0
ip address 10.5.5.3 255.255.255.255
mpls ldp router-id Loopback0 force
mpls label protocol ldp
interface FastEthernet0/0
ip address 10.2.2.3 255.255.255.0
mpls ip
interface FastEthernet1/0
ip vrf forwarding cust-one
ip address 10.3.3.3 255.255.255.0
router bgp 65000
neighbor 10.5.5.2 remote-as 65000
neighbor 10.5.5.2 update-source Loopback0
address-family vpnv4
neighbor 10.5.5.2 activate
neighbor 10.5.5.2 send-community both
exit-address-family
address-family ipv4 vrf cust-one
redistribute connected
exit-address-family
ip route 10.5.5.2 255.255.255.255 10.2.2.2
</pre>
</div></div><p style="margin-left: 20.0px;"><span style="font-size: 16.0px;font-weight: bold;letter-spacing: -0.006em;">Results</span></p><p>Check that VPNv4 route redistribution is working:</p><p style="margin-left: 20.0px;"><span style="letter-spacing: 0.0px;"> </span></p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@PE1] /routing/route> print detail where afi="vpn4"
Flags: X - disabled, F - filtered, U - unreachable, A - active;
c - connect, s - static, r - rip, b - bgp, o - ospf, d - dhcp, v - vpn, m - modem, a - ldp-address, l - l
dp-mapping, g - slaac, y - bgp-mpls-vpn;
H - hw-offloaded; + - ecmp, B - blackhole
Ab afi=vpn4 contribution=active dst-address=111.16.0.0/24&1.1.1.1:111 routing-table=main label=16
gateway=111.111.111.4 immediate-gw=111.13.0.2%ether9 distance=200 scope=40 target-scope=30
belongs-to="bgp-VPN4-111.111.111.4"
bgp.peer-cache-id=*2C00011 .as-path="65511" .ext-communities=rt:1.1.1.1:111 .local-pref=100
.atomic-aggregate=yes .origin=igp
debug.fwp-ptr=0x202427E0
[admin@PE1] /routing/bgp/advertisements> print
0 peer=to-pe2-1 dst=10.1.1.0/24 local-pref=100 origin=2 ext-communities=rt:1.1.1.1:111 atomic-aggregate=yes
</pre>
</div></div><p style="margin-left: 20.0px;"><span style="letter-spacing: 0.0px;">Check that 10.3.3.0/24 is installed in the IP routes of the cust-one routing table:</span></p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@PE1] > /ip route print where routing-table="cust-one"
Flags: D - DYNAMIC; A - ACTIVE; c, b, y - BGP-MPLS-VPN
Columns: DST-ADDRESS, GATEWAY, DISTANCE
# DST-ADDRESS GATEWAY DISTANCE
0 ADC 10.1.1.0/24 ether1@cust-one 0
1 ADb 10.3.3.0/24 10.5.5.3 20 </pre>
</div></div><p style="margin-left: 20.0px;"><br/></p><p>Let's take a closer look at IP routes in cust-one VRF. The 10.1.1.0/24 IP prefix is a connected route that belongs to an interface that was configured to belong to cust-one VRF. The 10.3.3.0/24 IP prefix was advertised via BGP as a VPNv4 route from PE2 and is imported in this VRF routing table, because our configured<span> </span><strong>import-route-targets</strong><span> </span>matched the BGP extended communities attribute it was advertised with.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@PE1] /routing/route> print detail where routing-table="cust-one"
Flags: X - disabled, F - filtered, U - unreachable, A - active;
c - connect, s - static, r - rip, b - bgp, o - ospf, d - dhcp, v - vpn, m - modem, a - ldp-address, l - l
dp-mapping, g - slaac, y - bgp-mpls-vpn;
H - hw-offloaded; + - ecmp, B - blackhole
Ac afi=ip4 contribution=active dst-address=10.1.1.0/24 routing-table=cust-one
gateway=ether1@cust-one immediate-gw=ether1 distance=0 scope=10 belongs-to="connected"
local-address=10.1.1.2%ether1@cust-one
debug.fwp-ptr=0x202420C0
Ay afi=ip4 contribution=active dst-address=10.3.3.0/24 routing-table=cust-one label=16
gateway=10.5.5.3 immediate-gw=10.2.2.3%ether2 distance=20 scope=40 target-scope=30
belongs-to="bgp-mpls-vpn-1-bgp-VPN4-10.5.5.3-import"
bgp.peer-cache-id=*2C00011 .ext-communities=rt:1.1.1.1:111 .local-pref=100
.atomic-aggregate=yes .origin=igp
debug.fwp-ptr=0x20242840
[admin@PE1] /routing/route> print detail where afi="vpn4"
Flags: X - disabled, F - filtered, U - unreachable, A - active;
c - connect, s - static, r - rip, b - bgp, o - ospf, d - dhcp, v - vpn, m - modem, a - ldp-address, l - l
dp-mapping, g - slaac, y - bgp-mpls-vpn;
H - hw-offloaded; + - ecmp, B - blackhole
Ay afi=vpn4 contribution=active dst-address=10.1.1.0/24&1.1.1.1:111 routing-table=main label=19
gateway=ether1@cust-one immediate-gw=ether1 distance=200 scope=40 target-scope=10
belongs-to="bgp-mpls-vpn-1-connected-export"
bgp.ext-communities=rt:1.1.1.1:1111 .atomic-aggregate=no .origin=incomplete
debug.fwp-ptr=0x202426C0
Ab afi=vpn4 contribution=active dst-address=10.3.3.0/24&1.1.1.1:111 routing-table=main label=16
gateway=10.5.5.3 immediate-gw=10.2.2.3%ether2 distance=200 scope=40 target-scope=30
belongs-to="bgp-VPN4-10.5.5.3"
bgp.peer-cache-id=*2C00011 .ext-communities=rt:1.1.1.1:111 .local-pref=100
.atomic-aggregate=yes .origin=igp
debug.fwp-ptr=0x202427E0
</pre>
</div></div><p style="margin-left: 20.0px;"><br/></p><p>The same for Cisco:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">PE2#show ip bgp vpnv4 all
BGP table version is 5, local router ID is 10.5.5.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 1.1.1.1:111 (default for vrf cust-one)
*>i10.1.1.0/24 10.5.5.2 100 0 ?
*> 10.3.3.0/24 0.0.0.0 0 32768 ?
PE2#show ip route vrf cust-one
Routing Table: cust-one
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
10.0.0.0/24 is subnetted, 1 subnets
B 10.1.1.0 [200/0] via 10.5.5.2, 00:05:33
10.0.0.0/24 is subnetted, 1 subnets
C 10.3.3.0 is directly connected, FastEthernet1/0</pre>
</div></div><p style="margin-left: 20.0px;"><br/></p><p>You should be able to ping from CE1 to CE2 and vice versa.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@CE1] > /ping 10.3.3.4
10.3.3.4 64 byte ping: ttl=62 time=18 ms
10.3.3.4 64 byte ping: ttl=62 time=13 ms
10.3.3.4 64 byte ping: ttl=62 time=13 ms
10.3.3.4 64 byte ping: ttl=62 time=14 ms
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 13/14.5/18 ms</pre>
</div></div><p style="margin-left: 20.0px;"><br/></p><h2 id="VirtualRoutingandForwarding(VRF)-Amorecomplicatedsetup(changesonly)"><span class="mw-headline">A more complicated setup (changes only)</span></h2><p><span class="confluence-embedded-file-wrapper image-center-wrapper"><img class="confluence-embedded-image image-center" draggable="false" src="https://help.mikrotik.com/docs/download/attachments/328206/800px-L3vpn-two-customers.png?version=2&modificationDate=1621329573471&api=v2" data-image-src="https://help.mikrotik.com/docs/download/attachments/328206/800px-L3vpn-two-customers.png?version=2&modificationDate=1621329573471&api=v2" data-unresolved-comment-count="0" data-linked-resource-id="40992772" data-linked-resource-version="2" data-linked-resource-type="attachment" data-linked-resource-default-alias="800px-L3vpn-two-customers.png" data-base-url="https://help.mikrotik.com/docs" data-linked-resource-content-type="image/png" data-linked-resource-container-id="328206" data-linked-resource-container-version="66" alt=""></span></p><p>Unlike the simplest setup, this example has two customers: cust-one and cust-two.</p><p>We configure two VPNs for them, cust-one and cust-two respectively, and exchange all routes between them. (This is also called "route leaking".)</p><p>Note that this may not be the most typical setup, because routes are usually not exchanged between different customers. By default, it should not be possible to gain access from one VRF site to a different VRF site in another VPN. (This is the "Private" aspect of VPNs.) Separate routing is a way to provide privacy, and it is also required to solve the problem of overlapping IP network prefixes. Route exchange is in direct conflict with these two requirements but may sometimes be needed (e.g. as a temporary solution when two customers are migrating to a single network infrastructure).</p><h3 id="VirtualRoutingandForwarding(VRF)-CE1Router,cust-one"><span class="mw-headline">CE1 Router,<span> </span><em>cust-one</em></span></h3><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/ip route add dst-address=10.4.4.0/24 gateway=10.1.1.2</pre>
</div></div><p style="margin-left: 20.0px;"><br/></p><h3 id="VirtualRoutingandForwarding(VRF)-CE2Router,cust-one"><span class="mw-headline">CE2 Router,<span> </span><em>cust-one</em></span></h3><p style="margin-left: 20.0px;"><span style="font-size: 16.0px;font-weight: bold;letter-spacing: -0.006em;"> </span></p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/ip route add dst-address=10.4.4.0/24 gateway=10.3.3.3
</pre>
</div></div><p><span style="font-size: 16.0px;font-weight: bold;letter-spacing: -0.006em;">CE1 Router, </span><em style="font-size: 16.0px;font-weight: bold;letter-spacing: -0.006em;">cust-two</em></p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/ip address add address=10.4.4.5/24 interface=ether1
# the next hop is PE2's cust-two interface (10.4.4.3)
/ip route add dst-address=10.1.1.0/24 gateway=10.4.4.3
/ip route add dst-address=10.3.3.0/24 gateway=10.4.4.3</pre>
</div></div><p style="margin-left: 20.0px;"><br/></p><h3 id="VirtualRoutingandForwarding(VRF)-PE1Router.1"><span class="mw-headline">PE1 Router</span></h3><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence"># replace the old BGP VPN with this:
/routing bgp vpn
add vrf=cust-one \
export.redistribute=connected \
route-distinguisher=1.1.1.1:111 \
import.route-targets=1.1.1.1:111,2.2.2.2:222 \
export.route-targets=1.1.1.1:111
</pre>
</div></div><p style="margin-left: 20.0px;"><span style="font-size: 16.0px;font-weight: bold;letter-spacing: -0.006em;">PE2 Router (Cisco)</span></p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">ip vrf cust-one
rd 1.1.1.1:111
route-target export 1.1.1.1:111
route-target import 1.1.1.1:111
route-target import 2.2.2.2:222
exit
ip vrf cust-two
rd 2.2.2.2:222
route-target export 2.2.2.2:222
route-target import 1.1.1.1:111
route-target import 2.2.2.2:222
exit
interface FastEthernet2/0
ip vrf forwarding cust-two
ip address 10.4.4.3 255.255.255.0
router bgp 65000
address-family ipv4 vrf cust-two
redistribute connected
exit-address-family</pre>
</div></div><p style="margin-left: 20.0px;"><br/></p><h2 id="VirtualRoutingandForwarding(VRF)-Variation:replacetheCiscowithanotherMT"><span class="mw-headline">Variation: replace the Cisco with another MT</span></h2><h3 id="VirtualRoutingandForwarding(VRF)-PE2Mikrotikconfig"><span class="mw-headline">PE2 Mikrotik config</span></h3><p style="margin-left: 20.0px;"><span style="font-size: 16.0px;font-weight: bold;letter-spacing: -0.006em;"> </span></p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface bridge add name=lobridge
/ip address
add address=10.2.2.3/24 interface=ether1
add address=10.3.3.3/24 interface=ether2
add address=10.4.4.3/24 interface=ether3
add address=10.5.5.3/32 interface=lobridge
/ip vrf
add name=cust-one interfaces=ether2
add name=cust-two interfaces=ether3
/mpls ldp add enabled=yes transport-address=10.5.5.3
/mpls ldp interface add interface=ether1
/routing bgp template set default as=65000
/routing bgp vpn
add vrf=cust-one \
export.redistribute=connected \
route-distinguisher=1.1.1.1:111 \
import.route-targets=1.1.1.1:111,2.2.2.2:222 \
export.route-targets=1.1.1.1:111
add vrf=cust-two \
export.redistribute=connected \
route-distinguisher=2.2.2.2:222 \
import.route-targets=1.1.1.1:111,2.2.2.2:222 \
export.route-targets=2.2.2.2:222
/routing bgp connection
add template=default remote.address=10.5.5.2 address-families=vpnv4 local.address=10.5.5.3
# add route to the remote BGP peer's loopback address
/ip route add dst-address=10.5.5.2/32 gateway=10.2.2.2
</pre>
</div></div><p style="margin-left: 20.0px;"><span style="font-size: 16.0px;font-weight: bold;letter-spacing: -0.006em;">Results</span></p><p>The output of<span> </span><strong>/ip route print</strong><span> </span>now is interesting enough to deserve detailed observation.</p><p style="margin-left: 20.0px;"><span style="letter-spacing: 0.0px;"> </span></p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@PE2] /ip route> print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 ADb 10.1.1.0/24 10.5.5.2 recurs... 20
1 ADC 10.3.3.0/24 10.3.3.3 ether2 0
2 ADb 10.4.4.0/24 20
3 ADb 10.1.1.0/24 10.5.5.2 recurs... 20
4 ADb 10.3.3.0/24 20
5 ADC 10.4.4.0/24 10.4.4.3 ether3 0
6 ADC 10.2.2.0/24 10.2.2.3 ether1 0
7 A S 10.5.5.2/32 10.2.2.2 reacha... 1
8 ADC 10.5.5.3/32 10.5.5.3 lobridge 0
</pre>
</div></div><p style="margin-left: 20.0px;"><span style="letter-spacing: 0.0px;">The route 10.1.1.0/24 was received from a remote BGP peer and is installed in both VRF routing tables.</span></p><p>The routes 10.3.3.0/24 and 10.4.4.0/24 are also installed in both VRF routing tables. Each is a connected route in one table and a BGP route in the other. This has nothing to do with their being advertised via BGP. They are simply "advertised" to the local VPNv4 route table and locally reimported after that. Import and export<span> </span><strong>route-targets</strong><span> </span>determine in which tables they will end up.</p><p>This can be deduced from their attributes: they don't have the usual BGP properties (see route 10.4.4.0/24).</p><p style="margin-left: 20.0px;"><span style="font-size: 20.0px;letter-spacing: -0.008em;"> </span></p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@PE2] /routing/route> print detail where routing-table=cust-one
...
</pre>
</div></div><p><br/></p><h1 id="VirtualRoutingandForwarding(VRF)-References"><span style="font-size: 24.0px;letter-spacing: -0.01em;">References</span></h1><p><a class="external-link" href="http://www.ietf.org/rfc/rfc4364.txt" rel="nofollow" style="text-decoration: none;">RFC 4364: BGP/MPLS IP Virtual Private Networks (VPNs)</a></p><p>MPLS Fundamentals, chapter 7,<span> </span><em>Luc De Ghein</em>, Cisco Press 2006</p><p><br/></p>
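<p>The route-target import and export behaviour described for the two-customer setup can be checked offline before a change reaches a PE router. The following Python sketch is an added example, not MikroTik's or Cisco's code: it models the export-to-VPNv4 and import-by-route-target steps using the VRF names, route distinguishers, route targets and prefixes from this page, and reports routes that cross from one customer VRF into another. The <code>Vrf</code> model, the function names and the overlapping-prefix sample are assumptions made for illustration.</p>

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Vrf:
    """One VRF instance on one PE router (hypothetical model, not a RouterOS object)."""
    pe: str                 # router that holds this VRF instance
    name: str               # VRF name, used here as the customer identity
    rd: str                 # route distinguisher
    import_rts: frozenset   # import.route-targets
    export_rts: frozenset   # export.route-targets
    connected: tuple        # prefixes exported by export.redistribute=connected


def make_vrf(pe, name, rd, imports, exports, connected):
    return Vrf(pe, name, rd, frozenset(imports), frozenset(exports), tuple(connected))


def imported_routes(vrfs):
    """Return sorted (pe, vrf, prefix, origin_vrf) for every VPNv4 route a VRF imports."""
    # Export step: each connected prefix enters the VPNv4 table with its VRF's export RTs.
    vpnv4 = [(v.pe, v.name, prefix, v.export_rts) for v in vrfs for prefix in v.connected]
    result = []
    for v in vrfs:
        for pe, origin, prefix, rts in vpnv4:
            if (pe, origin) == (v.pe, v.name):
                continue  # the VRF's own prefixes stay connected routes
            # Import step: one shared route target is enough to install the route.
            if not v.import_rts.isdisjoint(rts):
                result.append((v.pe, v.name, prefix, origin))
    return sorted(result)


def routing_tables(vrfs):
    """Per-VRF table: prefix -> 'connected' or 'bgp' (connected wins on an exact tie)."""
    tables = {(v.pe, v.name): {p: "connected" for p in v.connected} for v in vrfs}
    for pe, name, prefix, _origin in imported_routes(vrfs):
        tables[(pe, name)].setdefault(prefix, "bgp")
    return tables


def find_leaks(vrfs):
    """Imported routes whose origin VRF differs from the importing VRF."""
    return [r for r in imported_routes(vrfs) if r[3] != r[1]]


def find_collisions(vrfs):
    """Leaked prefixes that overlap address space the importing customer already uses."""
    own = {}
    for v in vrfs:
        own.setdefault(v.name, set()).update(v.connected)
    hits = []
    for pe, name, prefix, origin in find_leaks(vrfs):
        net = ipaddress.ip_network(prefix)
        for mine in sorted(own[name]):
            if net.overlaps(ipaddress.ip_network(mine)):
                hits.append((pe, name, prefix, origin, mine))
    return hits


ONE, TWO = "1.1.1.1:111", "2.2.2.2:222"

# Route targets and prefixes from the two-customer setup on this page.
LEAKING = [
    make_vrf("PE1", "cust-one", ONE, [ONE, TWO], [ONE], ["10.1.1.0/24"]),
    make_vrf("PE2", "cust-one", ONE, [ONE, TWO], [ONE], ["10.3.3.0/24"]),
    make_vrf("PE2", "cust-two", TWO, [ONE, TWO], [TWO], ["10.4.4.0/24"]),
]

# Same topology with each VRF importing only its own route target.
ISOLATED = [
    make_vrf("PE1", "cust-one", ONE, [ONE], [ONE], ["10.1.1.0/24"]),
    make_vrf("PE2", "cust-one", ONE, [ONE], [ONE], ["10.3.3.0/24"]),
    make_vrf("PE2", "cust-two", TWO, [TWO], [TWO], ["10.4.4.0/24"]),
]

# Constructed case: cust-two reuses 10.1.1.0/24, which cust-one already has behind PE1.
OVERLAP = LEAKING[:2] + [
    make_vrf("PE2", "cust-two", TWO, [ONE, TWO], [TWO], ["10.1.1.0/24"]),
]

if __name__ == "__main__":
    for label, cfg in (("leaking", LEAKING), ("isolated", ISOLATED), ("overlap", OVERLAP)):
        print(label)
        for pe, name, prefix, origin in find_leaks(cfg):
            print(f"  leak: {prefix} from {origin} installed in {name} on {pe}")
        for pe, name, prefix, origin, mine in find_collisions(cfg):
            print(f"  collision: {prefix} from {origin} overlaps {mine} in {name} on {pe}")
```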
</div>
</div>Olga Ļ.2019-09-30T15:39:28ZCRS1xx/2xx series switchesGuntis G.tag:help.mikrotik.com,2009:page-103841835-82024-03-27T09:55:47Z2022-01-14T11:06:12Z<div class="feed"> <p>
Page
<b>edited</b> by
<a href=" https://help.mikrotik.com/docs/display/~guntis
">Guntis G.</a>
- "typos"
</p>
<div style="border-top: 1px solid #ddd; border-bottom: 1px solid #ddd; padding: 10px;">
<p><style type='text/css'>/*<![CDATA[*/
div.rbtoc1711701163426 {padding: 0px;}
div.rbtoc1711701163426 ul {margin-left: 0px;}
div.rbtoc1711701163426 li {margin-left: 0px;padding-left: 0px;}
/*]]>*/</style><div class='toc-macro rbtoc1711701163426'>
<ul class='toc-indentation'>
<li><a href='#CRS1xx/2xxseriesswitches-Summary'>Summary</a></li>
<li><a href='#CRS1xx/2xxseriesswitches-CloudRouterSwitchmodels'>Cloud Router Switch models</a></li>
<li><a href='#CRS1xx/2xxseriesswitches-AbbreviationsandExplanations'>Abbreviations and Explanations</a></li>
<li><a href='#CRS1xx/2xxseriesswitches-PortSwitching'>Port Switching</a>
<ul class='toc-indentation'>
<li><a href='#CRS1xx/2xxseriesswitches-Multipleswitchgroups'>Multiple switch groups</a></li>
</ul>
</li>
<li><a href='#CRS1xx/2xxseriesswitches-GlobalSettings'>Global Settings</a></li>
<li><a href='#CRS1xx/2xxseriesswitches-PortSettings'>Port Settings</a></li>
<li><a href='#CRS1xx/2xxseriesswitches-ForwardingDatabases'>Forwarding Databases</a>
<ul class='toc-indentation'>
<li><a href='#CRS1xx/2xxseriesswitches-UnicastFDB'>Unicast FDB</a></li>
<li><a href='#CRS1xx/2xxseriesswitches-MulticastFDB'>Multicast FDB</a></li>
<li><a href='#CRS1xx/2xxseriesswitches-ReservedFDB'>Reserved FDB</a></li>
</ul>
</li>
<li><a href='#CRS1xx/2xxseriesswitches-VLAN'>VLAN</a>
<ul class='toc-indentation'>
<li><a href='#CRS1xx/2xxseriesswitches-VLANTable'>VLAN Table</a></li>
<li><a href='#CRS1xx/2xxseriesswitches-EgressVLANTag'>Egress VLAN Tag</a></li>
<li><a href='#CRS1xx/2xxseriesswitches-Ingress/EgressVLANTranslation'>Ingress/Egress VLAN Translation</a></li>
<li><a href='#CRS1xx/2xxseriesswitches-ProtocolBasedVLAN'>Protocol Based VLAN</a></li>
<li><a href='#CRS1xx/2xxseriesswitches-MACBasedVLAN'>MAC Based VLAN</a></li>
<li><a href='#CRS1xx/2xxseriesswitches-1:1VLANSwitching'>1:1 VLAN Switching</a></li>
</ul>
</li>
<li><a href='#CRS1xx/2xxseriesswitches-PortIsolation/Leakage'>Port Isolation/Leakage</a></li>
<li><a href='#CRS1xx/2xxseriesswitches-Trunking'>Trunking</a></li>
<li><a href='#CRS1xx/2xxseriesswitches-QualityofService'>Quality of Service</a>
<ul class='toc-indentation'>
<li><a href='#CRS1xx/2xxseriesswitches-Shaper'>Shaper</a></li>
<li><a href='#CRS1xx/2xxseriesswitches-IngressPortPolicer'>Ingress Port Policer</a></li>
<li><a href='#CRS1xx/2xxseriesswitches-QoSGroup'>QoS Group</a></li>
<li><a href='#CRS1xx/2xxseriesswitches-DSCPQoSMap'>DSCP QoS Map</a></li>
<li><a href='#CRS1xx/2xxseriesswitches-DSCPToDSCPMap'>DSCP To DSCP Map</a></li>
<li><a href='#CRS1xx/2xxseriesswitches-PolicerQoSMap'>Policer QoS Map</a></li>
</ul>
</li>
<li><a href='#CRS1xx/2xxseriesswitches-AccessControlList'>Access Control List</a>
<ul class='toc-indentation'>
<li><a href='#CRS1xx/2xxseriesswitches-ACLPolicer'>ACL Policer</a></li>
</ul>
</li>
<li><a href='#CRS1xx/2xxseriesswitches-Seealso'>See also</a></li>
</ul>
</div></p><h1 id="CRS1xx/2xxseriesswitches-Summary"><span class="mw-headline">Summary</span></h1><hr/><p>The Cloud Router Switch series are highly integrated switches with high-performance MIPS CPU and feature-rich packet processors. The CRS switches can be designed into various Ethernet applications including unmanaged switch, Layer 2 managed switch, carrier switch, and wireless/wired unified packet processing. See <a href="https://help.mikrotik.com/docs/pages/viewpage.action?pageId=103841836" rel="nofollow">Cloud Router Switch</a> configuration examples</p><div class="confluence-information-macro confluence-information-macro-warning"><span class="aui-icon aui-icon-small aui-iconfont-error confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>This article applies to CRS1xx and CRS2xx series switches and not to CRS3xx series switches. For CRS3xx series devices, read the<span> </span><a href="https://help.mikrotik.com/docs/display/ROS/CRS3xx%2C+CRS5xx%2C+CCR2116%2C+CCR2216+switch+chip+features" rel="nofollow">CRS3xx, CRS5xx series switches and CCR2116, CCR2216 routers</a><span> </span>manual.</p></div></div><p><br/></p><div class="table-wrap"><table class="wrapped confluenceTable" style="margin-left: 13.7188px;"><tbody><tr><th class="confluenceTh">Features</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>Forwarding</strong></td><td class="confluenceTd"><ul class="bullets"><li>Configurable ports for switching or routing</li><li>Full non-blocking wire-speed switching</li><li>Up to 16k MAC entries in Unicast FDB for Layer 2 unicast forwarding</li><li>Up to 1k MAC entries in Multicast FDB for multicast forwarding</li><li>Up to 256 MAC entries in Reserved FDB for control and management purposes</li><li>All Forwarding Databases support IVL and SVL</li><li>Configurable Port-based MAC learning limit</li><li>Jumbo frame support (CRS1xx: 4064 Bytes; CRS2xx: 9204 Bytes)</li><li>IGMP Snooping 
support</li></ul></td></tr><tr><td class="confluenceTd"><strong>Mirroring</strong></td><td class="confluenceTd"><ul class="bullets"><li>Various types of mirroring:<ul class="bullets"><li>Port-based mirroring</li><li>VLAN-based mirroring</li><li>MAC-based mirroring</li></ul></li><li>2 independent mirroring analyzer ports</li></ul></td></tr><tr><td class="confluenceTd"><strong>VLAN</strong></td><td class="confluenceTd"><ul class="bullets"><li>Fully compatible with IEEE802.1Q and IEEE802.1ad VLAN</li><li>4k active VLANs</li><li>Flexible VLAN assignment:<ul class="bullets"><li>Port-based VLAN</li><li>Protocol-based VLAN</li><li>MAC-based VLAN</li></ul></li><li>From any to any VLAN translation and swapping</li><li>1:1 VLAN switching - VLAN to port mapping</li><li>VLAN filtering</li></ul></td></tr><tr><td class="confluenceTd"><strong>Port Isolation and Leakage</strong></td><td class="confluenceTd"><ul class="bullets"><li>Applicable for Private VLAN implementation</li><li>3 port profile types: Promiscuous, Isolated, and Community</li><li>Up to 28 Community profiles</li><li>Leakage profiles allow bypassing egress VLAN filtering</li></ul></td></tr><tr><td class="confluenceTd"><strong>Trunking</strong></td><td class="confluenceTd"><ul class="bullets"><li>Supports static link aggregation groups</li><li>Up to 8 Port Trunk groups</li><li>Up to 8 member ports per Port Trunk group</li><li>Hardware automatic failover and load balancing</li></ul></td></tr><tr><td class="confluenceTd"><strong>Quality of Service (QoS)</strong></td><td class="confluenceTd"><ul class="bullets"><li>Flexible QoS classification and assignment:<ul class="bullets"><li>Port-based</li><li>MAC-based</li><li>VLAN-based</li><li>Protocol-based</li><li>PCP/DEI based</li><li>DSCP based</li><li>ACL based</li></ul></li><li>QoS remarking and remapping for QoS domain translation between a service provider and client networks</li><li>Overriding of each QoS assignment according to the configured 
priority</li></ul></td></tr><tr><td class="confluenceTd"><strong>Shaping and Scheduling</strong></td><td class="confluenceTd"><ul class="bullets"><li>8 queues on each physical port</li><li>Shaping per port, per queue, per queue group</li></ul></td></tr><tr><td class="confluenceTd"><strong>Access Control List</strong></td><td class="confluenceTd"><ul class="bullets"><li>Ingress and Egress ACL tables</li><li>Up to 128 ACL rules (limited by RouterOS)</li><li>Classification based on ports, L2, L3, L4 protocol header fields</li><li>ACL actions include filtering, forwarding, and modifying the protocol header fields</li></ul></td></tr></tbody></table></div><h1 id="CRS1xx/2xxseriesswitches-CloudRouterSwitchmodels"><span class="mw-headline">Cloud Router Switch models</span></h1><hr/><p>This table clarifies the main differences between Cloud Router Switch models.</p><div class="table-wrap"><table class="wrapped confluenceTable" style="text-align: center;"><tbody><tr><td class="highlight-grey confluenceTd" title="Background color :" data-highlight-colour="grey"><strong title=""><u>Model</u></strong></td><td class="highlight-grey confluenceTd" title="Background color :" data-highlight-colour="grey"><strong title="">Switch Chip</strong></td><td class="highlight-grey confluenceTd" title="Background color :" data-highlight-colour="grey"><strong title="">CPU</strong></td><td class="highlight-grey confluenceTd" title="Background color :" data-highlight-colour="grey"><strong title="">Wireless</strong></td><td class="highlight-grey confluenceTd" title="Background color :" data-highlight-colour="grey"><strong title="">SFP+ port</strong></td><td class="highlight-grey confluenceTd" title="Background color :" data-highlight-colour="grey"><strong title="">Access Control List</strong></td><td class="highlight-grey confluenceTd" title="Background color :" data-highlight-colour="grey"><strong title="">Jumbo Frame (Bytes)</strong></td></tr><tr><td class="highlight-grey confluenceTd" 
title="Background color :" data-highlight-colour="grey"><strong>CRS105-5S-FB</strong></td><td class="confluenceTd">QCA-8511</td><td class="confluenceTd">400MHz</td><td class="confluenceTd">-</td><td class="confluenceTd">-</td><td class="confluenceTd">+</td><td class="confluenceTd">9204</td></tr><tr><td class="highlight-grey confluenceTd" title="Background color :" data-highlight-colour="grey"><strong>CRS106-1C-5S</strong></td><td class="confluenceTd">QCA-8511</td><td class="confluenceTd">400MHz</td><td class="confluenceTd">-</td><td class="confluenceTd">-</td><td class="confluenceTd">+</td><td class="confluenceTd">9204</td></tr><tr><td class="highlight-grey confluenceTd" title="Background color :" data-highlight-colour="grey"><strong>CRS112-8G-4S</strong></td><td class="confluenceTd">QCA-8511</td><td class="confluenceTd">400MHz</td><td class="confluenceTd">-</td><td class="confluenceTd">-</td><td class="confluenceTd">+</td><td class="confluenceTd">9204</td></tr><tr><td class="highlight-grey confluenceTd" title="Background color :" data-highlight-colour="grey"><strong>CRS210-8G-2S+</strong></td><td class="confluenceTd">QCA-8519</td><td class="confluenceTd">400MHz</td><td class="confluenceTd">-</td><td class="confluenceTd">+</td><td class="confluenceTd">+</td><td class="confluenceTd">9204</td></tr><tr><td class="highlight-grey confluenceTd" title="Background color :" data-highlight-colour="grey"><strong>CRS212-1G-10S-1S+</strong></td><td class="confluenceTd">QCA-8519</td><td class="confluenceTd">400MHz</td><td class="confluenceTd">-</td><td class="confluenceTd">+</td><td class="confluenceTd">+</td><td class="confluenceTd">9204</td></tr><tr><td class="highlight-grey confluenceTd" title="Background color :" data-highlight-colour="grey"><strong>CRS226-24G-2S+</strong></td><td class="confluenceTd">QCA-8519</td><td class="confluenceTd">400MHz</td><td class="confluenceTd">-</td><td class="confluenceTd">+</td><td class="confluenceTd">+</td><td 
class="confluenceTd">9204</td></tr><tr><td class="highlight-grey confluenceTd" title="Background color :" data-highlight-colour="grey"><strong>CRS125-24G-1S</strong></td><td class="confluenceTd">QCA-8513L</td><td class="confluenceTd">600MHz</td><td class="confluenceTd">-</td><td class="confluenceTd">-</td><td class="confluenceTd">-</td><td class="confluenceTd">4064</td></tr><tr><td class="highlight-grey confluenceTd" title="Background color :" data-highlight-colour="grey"><strong>CRS125-24G-1S-2HnD</strong></td><td class="confluenceTd">QCA-8513L</td><td class="confluenceTd">600MHz</td><td class="confluenceTd">+</td><td class="confluenceTd">-</td><td class="confluenceTd">-</td><td class="confluenceTd">4064</td></tr><tr><td class="highlight-grey confluenceTd" title="Background color :" data-highlight-colour="grey"><strong>CRS109-8G-1S-2HnD</strong></td><td class="confluenceTd">QCA-8513L</td><td class="confluenceTd">600MHz</td><td class="confluenceTd">+</td><td class="confluenceTd">-</td><td class="confluenceTd">-</td><td class="confluenceTd">4064</td></tr></tbody></table></div><h1 id="CRS1xx/2xxseriesswitches-AbbreviationsandExplanations"><span class="mw-headline">Abbreviations and Explanations</span></h1><hr/><p>CVID - Customer VLAN id: inner VLAN tag id of the IEEE 802.1ad frame</p><p>SVID - Service VLAN id: outer VLAN tag id of the IEEE 802.1ad frame</p><p>IVL - Independent VLAN learning - learning/lookup is based on both MAC addresses and VLAN IDs.</p><p>SVL - Shared VLAN learning - learning/lookup is based on MAC addresses - not on VLAN IDs.</p><p>TPID - Tag Protocol Identifier</p><p>PCP - Priority Code Point: a 3-bit field which refers to the IEEE 802.1p priority</p><p>DEI - Drop Eligible Indicator</p><p>DSCP - Differentiated services Code Point</p><p>Drop precedence - internal CRS switch QoS attribute used for packet enqueuing or dropping.</p><h1 id="CRS1xx/2xxseriesswitches-PortSwitching"><span class="mw-headline">Port Switching</span></h1><hr/><p>To set up 
port switching on CRS1xx/2xx series switches, check the<span> </span><a href="https://help.mikrotik.com/docs/display/ROS/Bridging+and+Switching#BridgingandSwitching-BridgeHardwareOffloading" rel="nofollow">Bridge Hardware Offloading</a><span> </span>page.</p><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>Dynamic reserved VLAN entries (VLAN4091; VLAN4090; VLAN4089; etc.) are created in the CRS switch when switched port groups are added when a hardware offloaded bridge is created. These VLANs are necessary for internal operation and have lower precedence than user-configured VLANs.</p></div></div><h2 id="CRS1xx/2xxseriesswitches-Multipleswitchgroups"><span class="mw-headline">Multiple switch groups</span></h2><p>The CRS1xx/2xx series switches allow you to use multiple bridges with hardware offloading, which makes it easy to isolate multiple switch groups. This can be done by simply creating multiple bridges and enabling hardware offloading.</p><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>Multiple hardware offloaded bridge configuration is designed as a fast and simple port isolation solution, but it limits a part of the VLAN functionality supported by the CRS switch chip. 
For advanced configurations use one bridge within the CRS switch chip for all ports, configure VLANs, and isolate port groups with port isolation profile configuration.</p></div></div><p><br/></p><div class="confluence-information-macro confluence-information-macro-warning"><span class="aui-icon aui-icon-small aui-iconfont-error confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>CRS1xx/2xx series switches can run multiple hardware offloaded bridges with (R)STP enabled, but it is not recommended since the device is not designed to run multiple (R)STP instances on a hardware level. To isolate multiple switch groups and have (R)STP enabled you should isolate port groups with port isolation profile configuration.</p></div></div><h1 id="CRS1xx/2xxseriesswitches-GlobalSettings"><span class="mw-headline">Global Settings</span></h1><hr/><p><span class="mw-headline">The CRS switch chip is configurable from the<span> </span><span style="color: rgb(51,153,102);"><code>/interface ethernet switch</code></span><span> </span>console menu.</span></p><p><strong>Sub-menu:</strong><span> </span><code>/interface ethernet switch</code></p><div class="table-wrap"><table class="wrapped confluenceTable" style="margin-left: 13.7188px;"><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>name</strong><span> </span>(<em>string value</em>; Default:<span> </span><strong>switch1</strong>)</td><td class="confluenceTd">Name of the switch.</td></tr><tr><td class="confluenceTd"><strong>bridge-type</strong><span> </span>(<em>customer-vid-used-as-lookup-vid | service-vid-used-as-lookup-vid</em>; Default:<span> </span><strong>customer-vid-used-as-lookup-vid</strong>)</td><td class="confluenceTd">The bridge type defines which VLAN tag is used as Lookup-VID. 
Lookup-VID serves as the VLAN key for all VLAN-based lookups.</td></tr><tr><td class="confluenceTd"><strong>mac-level-isolation</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>yes</strong>)</td><td class="confluenceTd">Globally enables or disables MAC level isolation. Once enabled, the switch will check the source and destination MAC address entries and their<span> </span><code><span style="color: rgb(51,153,102);">isolation-profile</span></code><span> </span>from the unicast forwarding table. By default, the switch will learn MAC addresses and place them into a<span> </span><span style="color: rgb(51,153,102);"><code>promiscuous</code></span><span> </span>isolation profile. Other isolation profiles can be used when creating static unicast entries. If the source or destination MAC address is located on a<span> </span><span style="color: rgb(51,153,102);"><code>promiscuous</code></span><span> </span>isolation profile, the packet is forwarded. If both source and destination MAC addresses are located on the same<span> </span><span style="color: rgb(51,153,102);"><code>community1</code></span><span> </span>or<span> </span><span style="color: rgb(51,153,102);"><code>community2</code></span><span> </span>isolation profile, the packet is forwarded. The packet is dropped when the source and destination MAC address isolation profile is<span> </span><span style="color: rgb(51,153,102);"><code>isolated</code></span>, or when the source and destination MAC address isolation profiles are from different communities (e.g. source MAC address is<span> </span><span style="color: rgb(51,153,102);"><code>community1</code></span><span> </span>and destination MAC address is<span> </span><span style="color: rgb(51,153,102);"><code>community2</code></span>). 
When MAC level isolation is globally disabled, the isolation is bypassed.</td></tr><tr><td class="confluenceTd"><strong>use-svid-in-one2one-vlan-lookup</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">Whether to use the service VLAN ID for 1:1 VLAN switching lookup.</td></tr><tr><td class="confluenceTd"><strong>use-cvid-in-one2one-vlan-lookup</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>yes</strong>)</td><td class="confluenceTd">Whether to use the customer VLAN ID for 1:1 VLAN switching lookup.</td></tr><tr><td class="confluenceTd"><strong>multicast-lookup-mode</strong><p>(<em>dst-ip-and-vid-for-ipv4 | dst-mac-and-vid-always</em>;</p>Default:<span> </span><strong>dst-ip-and-vid-for-ipv4</strong>)</td><td class="confluenceTd">Lookup mode for IPv4 multicast bridging.<ul class="bullets"><li>dst-mac-and-vid-always<span> </span>- For all packet types, the lookup key is the destination MAC and VLAN ID.</li><li>dst-ip-and-vid-for-ipv4<span> </span>- For IPv4 packets, the lookup key is the destination IP and VLAN ID. 
For other packet types, the lookup key is the destination MAC and VLAN ID.</li></ul></td></tr><tr><td class="confluenceTd"><strong>unicast-fdb-timeout</strong><span> </span>(<em>time interval</em>; Default:<span> </span><strong>5m</strong>)</td><td class="confluenceTd">Timeout for Unicast FDB entries.</td></tr><tr><td class="confluenceTd"><strong>override-existing-when-ufdb-full</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">Whether to override the existing entry with the lowest aging value when the UFDB is full.</td></tr></tbody></table></div><p><br/></p><div class="table-wrap"><table class="wrapped confluenceTable" style="margin-left: 13.7188px;"><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>drop-if-no-vlan-assignment-on-ports</strong><span> </span>(<em>ports</em>; Default:<span> </span><strong>none</strong>)</td><td class="confluenceTd">Ports that drop frames if no MAC-based or Protocol-based VLAN assignment or Ingress VLAN Translation is applied.</td></tr><tr><td class="confluenceTd"><strong>drop-if-invalid-or-src-port-<br/>not-member-of-vlan-on-ports</strong><br/>(<em>ports</em>; Default:<span> </span><strong>none</strong>)</td><td class="confluenceTd">Ports that drop frames with an invalid VLAN ID or with a VLAN ID of which the source port is not a member.</td></tr><tr><td class="confluenceTd"><strong>unknown-vlan-lookup-mode</strong><span> </span>(<em>ivl | svl</em>; Default:<span> </span><strong>svl</strong>)</td><td class="confluenceTd">Lookup and learning mode for packets with an invalid VLAN.</td></tr><tr><td class="confluenceTd"><strong>forward-unknown-vlan</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>yes</strong>)</td><td class="confluenceTd">Whether to allow forwarding of VLANs that are not members of the VLAN table.</td></tr></tbody></table></div><p><br/></p><div class="table-wrap"><table class="wrapped confluenceTable" 
style="margin-left: 13.7188px;"><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>bypass-vlan-ingress-filter-for</strong><span> </span>(<em>protocols</em>; Default:<span> </span><strong>none</strong>)</td><td class="confluenceTd">Protocols that are excluded from Ingress VLAN filtering. These protocols are not dropped if they have invalid VLAN. (arp, dhcpv4, dhcpv6,<br/>eapol, igmp, mld, nd, pppoe-discovery, ripv1)</td></tr><tr><td class="confluenceTd"><strong>bypass-ingress-port-policing-for</strong><span> </span>(<em>protocols</em>; Default:<span> </span><strong>none</strong>)</td><td class="confluenceTd">Protocols that are excluded from Ingress Port Policing. (arp, dhcpv4, dhcpv6, eapol, igmp, mld, nd, pppoe-discovery, ripv1)</td></tr><tr><td class="confluenceTd"><strong>bypass-l2-security-check-filter-for</strong><span> </span>(<em>protocols</em>; Default:<span> </span><strong>none</strong>)</td><td class="confluenceTd">Protocols that are excluded from Policy rule security check. (arp, dhcpv4, dhcpv6, eapol, igmp, mld, nd, pppoe-discovery, ripv1)</td></tr></tbody></table></div><p><br/></p><div class="table-wrap"><table class="wrapped confluenceTable" style="margin-left: 13.7188px;"><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>ingress-mirror0</strong><span> </span>(<em>port | trunk,format</em>; Default:<span> </span><strong>none,modified</strong>)</td><td class="confluenceTd">The first ingress mirroring analyzer port or trunk and mirroring format:<ul class="bullets"><li>analyzer-configured<span> </span>- The packet is the same as the packet to the destination. VLAN format is modified based on the VLAN configurations of the analyzer port.</li><li>modified<span> </span>- The packet is the same as the packet to the destination. 
VLAN format is modified based on the VLAN configurations of the egress port.</li><li>original<span> </span>- Traffic is mirrored without any change to the original incoming packet format. But the service VLAN tag is stripped in the edge port.</li></ul></td></tr><tr><td class="confluenceTd"><strong>ingress-mirror1</strong><span> </span>(<em>port | trunk,format</em>; Default:<span> </span><strong>none,modified</strong>)</td><td class="confluenceTd">The second ingress mirroring analyzer port or trunk and mirroring format:<ul class="bullets"><li>analyzer-configured<span> </span>- The packet is the same as the packet to the destination. VLAN format is modified based on the VLAN configurations of the analyzer port.</li><li>modified<span> </span>- The packet is the same as the packet to the destination. VLAN format is modified based on the VLAN configurations of the egress port.</li><li>original<span> </span>- Traffic is mirrored without any change to the original incoming packet format. But the service VLAN tag is stripped in the edge port.</li></ul></td></tr><tr><td class="confluenceTd"><strong>ingress-mirror-ratio</strong><span> </span>(<em>1/32768..1/1</em>; Default:<span> </span><strong>1/1</strong>)</td><td class="confluenceTd">The proportion of ingress mirrored packets compared to all packets.</td></tr><tr><td class="confluenceTd"><strong>egress-mirror0</strong><span> </span>(<em>port | trunk,format</em>; Default:<span> </span><strong>none,modified</strong>)</td><td class="confluenceTd">The first egress mirroring analyzer port or trunk and mirroring format:<ul class="bullets"><li>analyzer-configured<span> </span>- The packet is the same as the packet to the destination. VLAN format is modified based on the VLAN configurations of the analyzer port.</li><li>modified<span> </span>- The packet is the same as the packet to the destination. 
VLAN format is modified based on the VLAN configurations of the egress port.</li><li>original<span> </span>- Traffic is mirrored without any change to the original incoming packet format. But the service VLAN tag is stripped in the edge port.</li></ul></td></tr><tr><td class="confluenceTd"><strong>egress-mirror1</strong><span> </span>(<em>port | trunk,format</em>; Default:<span> </span><strong>none,modified</strong>)</td><td class="confluenceTd">The second egress mirroring analyzer port or trunk and mirroring format:<ul class="bullets"><li>analyzer-configured<span> </span>- The packet is the same as the packet to the destination. VLAN format is modified based on the VLAN configurations of the analyzer port.</li><li>modified<span> </span>- The packet is the same as the packet to the destination. VLAN format is modified based on the VLAN configurations of the egress port.</li><li>original<span> </span>- Traffic is mirrored without any change to the original incoming packet format. But the service VLAN tag is stripped in the edge port.</li></ul></td></tr><tr><td class="confluenceTd"><strong>egress-mirror-ratio</strong><span> </span>(<em>1/32768..1/1</em>; Default:<span> </span><strong>1/1</strong>)</td><td class="confluenceTd">Proportion of egress mirrored packets compared to all packets.</td></tr><tr><td class="confluenceTd"><strong>mirror-egress-if-ingress-mirrored</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">When a packet is applied to both ingress and egress mirroring, only ingress mirroring is performed on the packet, if this setting is disabled. 
If this setting is enabled, both mirroring types are applied.</td></tr><tr><td class="confluenceTd"><strong>mirror-tx-on-mirror-port</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd"><br/></td></tr><tr><td class="confluenceTd"><strong>mirrored-packet-qos-priority</strong><span> </span>(<em>0..7</em>; Default:<span> </span><strong>0</strong>)</td><td class="confluenceTd">Remarked priority in mirrored packets.</td></tr><tr><td class="confluenceTd"><strong>mirrored-packet-drop-precedence</strong><span> </span>(<em>drop | green | red | yellow</em>; Default:<span> </span><strong>green</strong>)</td><td class="confluenceTd">Remarked drop precedence in mirrored packets. This QoS attribute is used for mirrored packet enqueuing or dropping.</td></tr><tr><td class="confluenceTd"><strong>fdb-uses</strong><span> </span>(<em>mirror0 | mirror1</em>; Default:<span> </span><strong>mirror0</strong>)</td><td class="confluenceTd">Analyzer port used for FDB-based mirroring.</td></tr><tr><td class="confluenceTd"><strong>vlan-uses</strong><span> </span>(<em>mirror0 | mirror1</em>; Default:<span> </span><strong>mirror0</strong>)</td><td class="confluenceTd">Analyzer port used for VLAN-based mirroring.</td></tr></tbody></table></div><h1 id="CRS1xx/2xxseriesswitches-PortSettings"><span class="mw-headline">Port Settings</span></h1><hr/><p><strong>Sub-menu:</strong><span> </span><code>/interface ethernet switch port</code></p><div class="table-wrap"><table class="wrapped confluenceTable" style="margin-left: 13.7188px;"><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>vlan-type</strong><span> </span>(<em>edge-port | network-port</em>; Default:<span> </span><strong>network-port</strong>)</td><td class="confluenceTd">Port VLAN type specifies whether VLAN ID is used in UFDB learning. 
A network port learns the VLAN ID in UFDB; an edge port does not (VLAN 0). The difference can be observed only in IVL learning mode.</td></tr><tr><td class="confluenceTd"><strong>isolation-leakage-profile-override</strong><span> </span>(<em>yes | no</em>; Default:<p><strong>!isolation-leakage-profile-override</strong>)</p><strong>isolation-leakage-profile</strong><span> </span>(<em>0..31</em>)</td><td class="confluenceTd">Custom port profile for port isolation/leakage configurations.<ul class="bullets"><li>Port-level isolation profile 0. Uplink port - allows the port to communicate with all ports in the device.</li><li>Port-level isolation profile 1. Isolated port - allows the port to communicate only with uplink ports.</li><li>Port-level isolation profile 2 - 31. Community port - allows communication among ports of the same community and with uplink ports.</li></ul></td></tr><tr><td class="confluenceTd"><strong>learn-override</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>!learn-override</strong>)<br/><strong>learn-limit</strong><span> </span>(<em>1..1023</em>; Default:<span> </span><strong>!learn-limit</strong>)</td><td class="confluenceTd">Enable or disable MAC address learning and set the MAC limit on the port. MAC learning limit is disabled by default when !learn-override and !learn-limit are set. 
The property<span> </span>learn-override<span> </span>has been replaced with<span> </span>learn<span> </span>under the<span> </span><span style="color: rgb(51,153,102);"><code>/interface bridge port</code></span><span> </span>menu since RouterOS v6.42.</td></tr><tr><td class="confluenceTd"><strong>drop-when-ufdb-entry-src-drop</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>yes</strong>)</td><td class="confluenceTd">Whether to drop packets when the UFDB entry has action<span> </span>src-drop.</td></tr><tr><td class="confluenceTd"><strong>allow-unicast-loopback</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">Unicast loopback on port. When enabled, known unicast packets may be sent back out of the port they arrived on (the source port and destination port are the same).</td></tr><tr><td class="confluenceTd"><strong>allow-multicast-loopback</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">Multicast loopback on port. 
When enabled, registered multicast or broadcast packets may be sent back out of the port they arrived on (the source port and destination port are the same).</td></tr><tr><td class="confluenceTd"><strong>action-on-static-station-move</strong><span> </span>(<em>copy-to-cpu | drop | forward | redirect-to-cpu</em>; Default:<span> </span><strong>forward</strong>)</td><td class="confluenceTd">Action for packets when the UFDB already contains a static entry with the same MAC but on a different port.</td></tr><tr><td class="confluenceTd"><strong>drop-dynamic-mac-move</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">Prevents a MAC address from being relearned until the UFDB timeout expires if it is already learned on another port.</td></tr></tbody></table></div><p><br/></p><div class="table-wrap"><table class="wrapped confluenceTable" style="margin-left: 13.7188px;"><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>allow-fdb-based-vlan-translate</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">Enable or disable MAC-based VLAN translation on the port.</td></tr><tr><td class="confluenceTd"><strong>allow-mac-based-service-vlan-assignment-for</strong><span> </span>(<em>all-frames | none |</em><p><em>tagged-frame-only | untagged-and-priority-tagged-frame-only</em>; Default:</p><strong>none</strong>)</td><td class="confluenceTd">Frame type to which MAC-based service VLAN translation applies.</td></tr><tr><td class="confluenceTd"><strong>allow-mac-based-customer-vlan-assignment-for</strong><span> </span>(<em>all-frames | none |</em><p><em>tagged-frame-only | untagged-and-priority-tagged-frame-only</em>; Default:</p><strong>none</strong>)</td><td class="confluenceTd">Frame type to which MAC-based customer VLAN translation applies.</td></tr><tr><td class="confluenceTd"><strong>default-customer-pcp</strong><span> 
</span>(<em>0..7</em>; Default:<span> </span><strong>0</strong>)</td><td class="confluenceTd">Default customer PCP of the port.</td></tr><tr><td class="confluenceTd"><strong>default-service-pcp</strong><span> </span>(<em>0..7</em>; Default:<span> </span><strong>0</strong>)</td><td class="confluenceTd">Default service PCP of the port.</td></tr><tr><td class="confluenceTd"><strong>pcp-propagation-for-initial-pcp</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">Enables or disables PCP propagation for initial PCP assignment on ingress.<ul class="bullets"><li>If the port<span> </span>vlan-type<span> </span>is an Edge port, the service PCP is copied from the customer PCP.</li><li>If the port<span> </span>vlan-type<span> </span>is a Network port, the customer PCP is copied from the service PCP.</li></ul></td></tr><tr><td class="confluenceTd"><strong>filter-untagged-frame</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">Whether to filter untagged frames on the port.</td></tr><tr><td class="confluenceTd"><strong>filter-priority-tagged-frame</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">Whether to filter priority-tagged frames on the port.</td></tr><tr><td class="confluenceTd"><strong>filter-tagged-frame</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">Whether to filter tagged frames on the port.</td></tr></tbody></table></div><p><br/></p><div class="table-wrap"><table class="wrapped confluenceTable" style="margin-left: 13.7188px;"><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>egress-vlan-tag-table-lookup-key</strong><span> </span>(<em>according-to-bridge-type | egress-vid</em>; Default:<span> 
</span><strong>egress-vid</strong>)</td><td class="confluenceTd">Egress VLAN table (VLAN Tagging) lookup:<ul class="bullets"><li>egress-vid<span> </span>- Lookup VLAN ID is CVID when Edge port is configured, SVID when Network port is configured.</li><li>according-to-bridge-type<span> </span>- Lookup VLAN ID is CVID when customer VLAN bridge is configured, SVID when service VLAN bridge is configured. The Customer tag is unmodified for Edge port in service VLAN bridge.</li></ul></td></tr><tr><td class="confluenceTd"><strong>egress-vlan-mode</strong><span> </span>(<em>tagged | unmodified | untagged</em>; Default:<span> </span><strong>unmodified</strong>)</td><td class="confluenceTd">Egress VLAN tagging action on the port.</td></tr><tr><td class="confluenceTd"><strong>egress-pcp-propagation</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">Enables or disables egress PCP propagation.<ul class="bullets"><li>If the port<span> </span>vlan-type<span> </span>is Edge port, the service PCP is copied from the customer PCP.</li><li>If the port<span> </span>vlan-type<span> </span>is Network port, the customer PCP is copied from the service PCP.</li></ul></td></tr></tbody></table></div><p><br/></p><div class="table-wrap"><table class="wrapped confluenceTable" style="margin-left: 13.7188px;"><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>ingress-mirror-to</strong><span> </span>(<em>mirror0 | mirror1 | none</em>; Default:<span> </span><strong>none</strong>)</td><td class="confluenceTd">Analyzer port for port-based ingress mirroring.</td></tr><tr><td class="confluenceTd"><strong>ingress-mirroring-according-to-vlan</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd"><br/></td></tr><tr><td class="confluenceTd"><strong>egress-mirror-to</strong><span> </span>(<em>mirror0 | mirror1 
| none</em>; Default:<span> </span><strong>none</strong>)</td><td class="confluenceTd">Analyzer port for port-based egress mirroring.</td></tr></tbody></table></div><p><br/></p><div class="table-wrap"><table class="wrapped confluenceTable" style="margin-left: 13.7188px;"><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>qos-scheme-precedence</strong><span> </span>(<em>da-based | dscp-based | ingress-acl-based | pcp-based | protocol-based | sa-based | vlan-based</em>; Default:<span> </span><strong>pcp-based, sa-based, da-based, dscp-based, protocol-based, vlan-based</strong>)</td><td class="confluenceTd">Specifies applied QoS assignment schemes on the ingress of the port.<ul class="bullets"><li>da-based</li><li>dscp-based</li><li>ingress-acl-based</li><li>pcp-based</li><li>protocol-based</li><li>sa-based</li><li>vlan-based</li></ul></td></tr><tr><td class="confluenceTd"><strong>pcp-or-dscp-based-qos-change-dei</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">Enable or disable PCP or DSCP based DEI change on port.</td></tr><tr><td class="confluenceTd"><strong>pcp-or-dscp-based-qos-change-pcp</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">Enable or disable PCP or DSCP based PCP change on port.</td></tr><tr><td class="confluenceTd"><strong>pcp-or-dscp-based-qos-change-dscp</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">Enable or disable PCP or DSCP based DSCP change on port.</td></tr><tr><td class="confluenceTd"><strong>dscp-based-qos-dscp-to-dscp-mapping</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>yes</strong>)</td><td class="confluenceTd">Enable or disable DSCP to internal DSCP mapping on port.</td></tr><tr><td 
class="confluenceTd"><strong>pcp-based-qos-drop-precedence-mapping</strong><span> </span>(<em>PCP/DEI-range:drop-precedence</em>; Default:<span> </span><strong>0-15:green</strong>)</td><td class="confluenceTd">The new value of drop precedence for the PCP/DEI to drop precedence (drop | green | red | yellow) mapping. Multiple mappings are allowed separated by a comma e.g. "0-7:yellow,8-15:red".</td></tr><tr><td class="confluenceTd"><strong>pcp-based-qos-dscp-mapping</strong><span> </span>(<em>PCP/DEI-range:DEI</em>; Default:<span> </span><strong>0-15:0</strong>)</td><td class="confluenceTd">The new value of DSCP for the PCP/DEI to DSCP (0..63) mapping. Multiple mappings are allowed separated by a comma e.g. "0-7:25,8-15:50".</td></tr><tr><td class="confluenceTd"><strong>pcp-based-qos-dei-mapping</strong><span> </span>(<em>PCP/DEI-range:DEI</em>; Default:<span> </span><strong>0-15:0</strong>)</td><td class="confluenceTd">The new value of DEI for the PCP/DEI to DEI (0..1) mapping. Multiple mappings are allowed separated by a comma e.g. "0-7:0,8-15:1".</td></tr><tr><td class="confluenceTd"><strong>pcp-based-qos-pcp-mapping</strong><span> </span>(<em>PCP/DEI-range:DEI</em>; Default:<span> </span><strong>0-15:0</strong>)</td><td class="confluenceTd">The new value of PCP for the PCP/DEI to PCP (0..7) mapping. Multiple mappings are allowed separated by a comma e.g. "0-7:3,8-15:4".</td></tr><tr><td class="confluenceTd"><strong>pcp-based-qos-priority-mapping</strong><span> </span>(<em>PCP/DEI-range:DEI</em>; Default:<span> </span><strong>0-15:0</strong>)</td><td class="confluenceTd">The new value of internal priority for the PCP/DEI to priority (0..15) mapping. Multiple mappings are allowed separated by a comma e.g. 
"0-7:5,8-15:15".</td></tr></tbody></table></div><p><br/></p><div class="table-wrap"><table class="wrapped confluenceTable" style="margin-left: 13.7188px;"><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>priority-to-queue</strong><span> </span>(<em>priority-range:queue</em>; Default:<span> </span><strong>0-15:0,1:1,2:2,3:3</strong>)</td><td class="confluenceTd">Internal priority (0..15) mapping to queue (0..7) per port.</td></tr><tr><td class="confluenceTd"><strong>per-queue-scheduling</strong><span> </span>(<em>Scheduling-type:Weight</em>;<p>Default:<span> </span><strong>wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,</strong></p><strong>wrr-group0:64,wrr-group0:128</strong>)</td><td class="confluenceTd">Set port to use either strict or weighted round robin policy for traffic shaping for each queue group, each queue is separated by a comma.</td></tr></tbody></table></div><p><br/></p><div class="table-wrap"><table class="wrapped confluenceTable" style="margin-left: 13.7188px;"><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>ingress-customer-tpid-override</strong><span> </span>(<em>yes | no</em>;<p>Default:<strong>!ingress-customer-tpid-override</strong>)</p><strong>ingress-customer-tpid</strong><span> </span>(<em>0..10000</em>; Default:<span> </span><strong>0x8100</strong>)</td><td class="confluenceTd">Ingress customer TPID override allows accepting specific frames with a custom customer tag TPID. 
The default value is for the tag of 802.1Q frames.</td></tr><tr><td class="confluenceTd"><strong>egress-customer-tpid-override</strong><span> </span>(<em>yes | no</em>; Default:<p><strong>!egress-customer-tpid-override</strong>)<br/><strong>egress-customer-tpid</strong><span> </span>(<em>0..10000</em>; Default:</p><strong>0x8100</strong>)</td><td class="confluenceTd">Egress customer TPID override allows custom identification for egress frames with a customer tag. The default value is for the tag of 802.1Q frames.</td></tr><tr><td class="confluenceTd"><strong>ingress-service-tpid-override</strong><span> </span>(<em>yes | no</em>; Default:<p><strong>!ingress-service-tpid-override</strong>)</p><strong>ingress-service-tpid</strong><span> </span>(<em>0..10000</em>; Default:<span> </span><strong>0x88A8</strong>)</td><td class="confluenceTd">Ingress service TPID override allows accepting specific frames with a custom service tag TPID. The default value is for the service tag of 802.1AD frames.</td></tr><tr><td class="confluenceTd"><strong>egress-service-tpid-override</strong><span> </span>(<em>yes | no</em>; Default:<p><strong>!egress-service-tpid-override</strong>)<br/><strong>egress-service-tpid</strong><span> </span>(<em>0..10000</em>; Default:</p><strong>0x88A8</strong>)</td><td class="confluenceTd">Egress service TPID override allows custom identification for egress frames with a service tag. 
The default value is for the service tag of 802.1AD frames.</td></tr></tbody></table></div><p><br/></p><div class="table-wrap"><table class="wrapped confluenceTable" style="margin-left: 13.7188px;"><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>custom-drop-counter-includes</strong><span> </span>(<em>counters</em>; Default:<span> </span><strong>none</strong>)</td><td class="confluenceTd">Custom include to count dropped packets for switch port<span> </span>custom-drop-packet<span> </span>counter.<ul><li><strong>device-loopback</strong></li><li><strong>fdb-hash-violation</strong></li><li><strong>exceeded-port-learn-limitation</strong></li><li><strong>dynamic-station-move</strong></li><li><strong>static-station-move</strong></li><li><strong>ufdb-source-drop</strong></li><li><strong>host-source-drop</strong></li><li><strong>unknown-host</strong></li><li><strong>ingress-vlan-filtered</strong></li></ul></td></tr><tr><td class="confluenceTd"><strong>queue-custom-drop-counter0-includes</strong><span> </span>(<em>counters</em>; Default:<span> </span><strong>none</strong>)</td><td class="confluenceTd">Custom include to count dropped packets for switch port<span> </span>tx-queue-custom0-drop-packet<p>and bytes for<span> </span>tx-queue-custom0-drop-byte<span> </span>counters.</p><ul><li><strong>red</strong></li><li><strong>yellow</strong></li><li><strong>green</strong></li><li><strong>queue0</strong></li><li><strong>...</strong></li><li><strong>queue7</strong></li></ul></td></tr><tr><td class="confluenceTd"><strong>queue-custom-drop-counter1-includes</strong><span> </span>(<em>counters</em>; Default:<span> </span><strong>none</strong>)</td><td class="confluenceTd">Custom include to count dropped packets for switch port<span> </span>tx-queue-custom1-drop-packet<p>and bytes for<span> </span>tx-queue-custom1-drop-byte<span> 
</span>counters.</p><ul><li><strong>red</strong></li><li><strong>yellow</strong></li><li><strong>green</strong></li><li><strong>queue0</strong></li><li><strong>...</strong></li><li><strong>queue7</strong></li></ul></td></tr><tr><td class="confluenceTd"><strong>policy-drop-counter-includes</strong><span> </span>(<em>counters</em>; Default:<span> </span><strong>none</strong>)</td><td class="confluenceTd">Custom include to count dropped packets for switch port<span> </span>policy-drop-packet<span> </span>counter.<ul><li><strong>ingress-policing</strong></li><li><strong>ingress-acl</strong></li><li><strong>egress-policing</strong></li><li><strong>egress-acl</strong></li></ul></td></tr></tbody></table></div><h1 id="CRS1xx/2xxseriesswitches-ForwardingDatabases"><span class="mw-headline">Forwarding Databases</span></h1><hr/><h2 id="CRS1xx/2xxseriesswitches-UnicastFDB"><span class="mw-headline">Unicast FDB</span></h2><p><span class="mw-headline">The unicast forwarding database supports up to 16318 MAC entries.</span></p><p><strong>Sub-menu:</strong><span> </span><code>/interface ethernet switch unicast-fdb</code></p><div class="table-wrap"><table class="wrapped confluenceTable" style="margin-left: 13.7188px;"><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>action</strong><span> </span>(<em>action</em>; Default:<span> </span><strong>forward</strong>)</td><td class="confluenceTd">Action for UFDB entry:<ul class="bullets"><li>dst-drop<span> </span>- Packets are dropped when their destination MAC matches the entry.</li><li>dst-redirect-to-cpu<span> </span>- Packets are redirected to the CPU when their destination MAC matches the entry.</li><li>forward<span> </span>- Packets are forwarded.</li><li>src-and-dst-drop<span> </span>- Packets are dropped when their source MAC or destination MAC matches the entry.</li><li>src-and-dst-redirect-to-cpu<span> </span>- Packets are redirected to CPU when 
their source MAC or destination MAC matches the entry.</li><li>src-drop<span> </span>- Packets are dropped when their source MAC matches the entry.</li><li>src-redirect-to-cpu<span> </span>- Packets are redirected to the CPU when their source MAC matches the entry.</li></ul></td></tr><tr><td class="confluenceTd"><strong>disabled</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">Enables or disables Unicast FDB entry.</td></tr><tr><td class="confluenceTd"><strong>isolation-profile</strong><span> </span>(<em>community1 | community2 | isolated | promiscuous</em>; Default:<span> </span><strong>promiscuous</strong>)</td><td class="confluenceTd">MAC level isolation profile.</td></tr><tr><td class="confluenceTd"><strong>mac-address</strong><span> </span>(<em>MAC address</em>)</td><td class="confluenceTd">The<span> </span>action<span> </span>command applies to the packet when the destination MAC or source MAC matches the entry.</td></tr><tr><td class="confluenceTd"><strong>mirror</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">Enables or disables mirroring based on source MAC or destination MAC.</td></tr><tr><td class="confluenceTd"><strong>port</strong><span> </span>(<em>port</em>)</td><td class="confluenceTd">Matching port for the Unicast FDB entry.</td></tr><tr><td class="confluenceTd"><strong>qos-group</strong><span> </span>(<em>none</em>; Default:<span> </span><strong>none</strong>)</td><td class="confluenceTd">Defined QoS group from<span> </span>QoS group<span> </span>menu.</td></tr><tr><td class="confluenceTd"><strong>svl</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">Unicast FDB learning mode:<ul class="bullets"><li>Shared VLAN Learning (svl) - learning/lookup is based on MAC addresses - not on VLAN IDs.</li><li>Independent VLAN Learning (ivl) - learning/lookup is based on 
both MAC addresses and VLAN IDs.</li></ul></td></tr><tr><td class="confluenceTd"><strong>vlan-id</strong><span> </span>(<em>0..4095</em>)</td><td class="confluenceTd">Unicast FDB lookup/learning VLAN id.</td></tr></tbody></table></div><h2 id="CRS1xx/2xxseriesswitches-MulticastFDB"><span class="mw-headline">Multicast FDB</span></h2><p><span class="mw-headline">The CRS125 switch chip supports up to 1024 entries in the MFDB for multicast forwarding. For each multicast packet, a destination MAC or destination IP lookup is performed in the MFDB. MFDB entries are not learned automatically and can only be configured.</span></p><p><strong>Sub-menu:</strong><span> </span><code>/interface ethernet switch multicast-fdb</code></p><div class="table-wrap"><table class="wrapped confluenceTable" style="margin-left: 13.7188px;"><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>address</strong><span> </span>(<em>X.X.X.X | XX:XX:XX:XX:XX:XX</em>)</td><td class="confluenceTd">Matching IP address or MAC address for multicast packets.</td></tr><tr><td class="confluenceTd"><strong>bypass-vlan-filter</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">Allows matching multicast packets to bypass VLAN filtering.</td></tr><tr><td class="confluenceTd"><strong>disabled</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">Enables or disables Multicast FDB entry.</td></tr><tr><td class="confluenceTd"><strong>ports</strong><span> </span>(<em>ports</em>)</td><td class="confluenceTd">Member ports for multicast traffic.</td></tr><tr><td class="confluenceTd"><strong>qos-group</strong><span> </span>(<em>none</em>; Default:<span> </span><strong>none</strong>)</td><td class="confluenceTd">Defined QoS group from<span> </span>QoS group<span> </span>menu.</td></tr><tr><td 
class="confluenceTd"><strong>svl</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">Multicast FDB learning mode:<ul class="bullets"><li>Shared VLAN Learning (svl) - learning/lookup is based on MAC addresses - not on VLAN IDs.</li><li>Independent VLAN Learning (ivl) - learning/lookup is based on both MAC addresses and VLAN IDs.</li></ul></td></tr><tr><td class="confluenceTd"><strong>vlan-id</strong><span> </span>(<em>0..4095</em>; Default:<span> </span><strong>0</strong>)</td><td class="confluenceTd">Multicast FDB lookup VLAN ID. If the VLAN learning mode is IVL, VLAN id is lookup id, otherwise VLAN id = 0.</td></tr></tbody></table></div><h2 id="CRS1xx/2xxseriesswitches-ReservedFDB"><span class="mw-headline">Reserved FDB</span></h2><p><span class="mw-headline">Cloud Router Switch supports 256 RFDB entries. Each RFDB entry can store either Layer2 unicast or multicast MAC address with specific commands.</span></p><p><strong>Sub-menu:</strong><span> </span><code>/interface ethernet switch reserved-fdb</code></p><div class="table-wrap"><table class="wrapped confluenceTable" style="margin-left: 13.7188px;"><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>action</strong><span> </span>(<em>copy-to-cpu | drop | forward | redirect-to-cpu</em>; Default:<span> </span><strong>forward</strong>)</td><td class="confluenceTd">Action for RFDB entry:<ul class="bullets"><li>copy-to-cpu<span> </span>- Packets are copied to the CPU when their destination MAC matches the entry.</li><li>drop<span> </span>- Packets are dropped when their destination MAC matches the entry.</li><li>forward<span> </span>- Packets are forwarded when their destination MAC matches the entry.</li><li>redirect-to-cpu<span> </span>- Packets are redirected to CPU when their destination MAC matches the entry.</li></ul></td></tr><tr><td 
class="confluenceTd"><strong>bypass-ingress-port-policing</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">Allows matching packets to bypass the Ingress Port Policer.</td></tr><tr><td class="confluenceTd"><strong>bypass-ingress-vlan-filter</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">Allows matching packets to bypass VLAN filtering.</td></tr><tr><td class="confluenceTd"><strong>disabled</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">Enables or disables Reserved FDB entry.</td></tr><tr><td class="confluenceTd"><strong>mac-address</strong><span> </span>(<em>MAC address</em>; Default:<span> </span><strong>00:00:00:00:00:00</strong>)</td><td class="confluenceTd">Matching MAC address for Reserved FDB entry.</td></tr><tr><td class="confluenceTd"><strong>qos-group</strong><span> </span>(<em>none</em>; Default:<span> </span><strong>none</strong>)</td><td class="confluenceTd">Defined QoS group from<span> </span>QoS group<span> </span>menu.</td></tr></tbody></table></div><h1 id="CRS1xx/2xxseriesswitches-VLAN"><span class="mw-headline">VLAN</span></h1><hr/><h2 id="CRS1xx/2xxseriesswitches-VLANTable"><span class="mw-headline">VLAN Table</span></h2><p><span class="mw-headline">The VLAN table supports 4096 VLAN entries for storing VLAN member information as well as other VLAN information such as QoS, isolation, forced VLAN, learning, and mirroring.</span></p><p><strong>Sub-menu:</strong><span> </span><code>/interface ethernet switch vlan</code></p><div class="table-wrap"><table class="wrapped confluenceTable" style="margin-left: 13.7188px;"><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>disabled</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td 
class="confluenceTd">Indicates whether the VLAN entry is disabled. Only enabled entries are applied to the lookup process and forwarding decision.</td></tr><tr><td class="confluenceTd"><strong>flood</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">Enables or disables forced VLAN flooding per VLAN. If the feature is enabled, the result of the destination MAC lookup in the UFDB or MFDB is ignored, and the packet is forced to flood in the VLAN.</td></tr><tr><td class="confluenceTd"><strong>ingress-mirror</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">Enable the ingress mirror per VLAN to support the VLAN-based mirror function.</td></tr><tr><td class="confluenceTd"><strong>learn</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>yes</strong>)</td><td class="confluenceTd">Enables or disables source MAC learning for VLAN.</td></tr><tr><td class="confluenceTd"><strong>ports</strong><span> </span>(<em>ports</em>)</td><td class="confluenceTd">Member ports of the VLAN.</td></tr><tr><td class="confluenceTd"><strong>qos-group</strong><span> </span>(<em>none</em>; Default:<span> </span><strong>none</strong>)</td><td class="confluenceTd">Defined QoS group from<span> </span>QoS group<span> </span>menu.</td></tr><tr><td class="confluenceTd"><strong>svl</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">FDB lookup mode for lookup in UFDB and MFDB.<ul class="bullets"><li>Shared VLAN Learning (svl) - learning/lookup is based on MAC addresses - not on VLAN IDs.</li><li>Independent VLAN Learning (ivl) - learning/lookup is based on both MAC addresses and VLAN IDs.</li></ul></td></tr><tr><td class="confluenceTd"><strong>vlan-id</strong><span> </span>(<em>0..4095</em>)</td><td class="confluenceTd">VLAN ID of the VLAN member entry.</td></tr></tbody></table></div><h2 
id="CRS1xx/2xxseriesswitches-EgressVLANTag"><span class="mw-headline">Egress VLAN Tag</span></h2><p>Egress packets can be assigned different VLAN tag formats. The VLAN tags can be removed, added, or left as is when the packet is sent to the egress port (destination port). Each port has dedicated control of the egress VLAN tag format. The tag formats include:</p><ul><li>Untagged</li><li>Tagged</li><li>Unmodified</li></ul><p>The Egress VLAN Tag table includes 4096 entries for VLAN tagging selection.</p><p><strong>Sub-menu:</strong><span> </span><code>/interface ethernet switch egress-vlan-tag</code></p><div class="table-wrap"><table class="wrapped confluenceTable" style="margin-left: 13.7188px;"><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>disabled</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">Enables or disables Egress VLAN Tag table entry.</td></tr><tr><td class="confluenceTd"><strong>tagged-ports</strong><span> </span>(<em>ports</em>)</td><td class="confluenceTd">Ports that are tagged in egress.</td></tr><tr><td class="confluenceTd"><strong>vlan-id</strong><span> </span>(<em>0..4095</em>)</td><td class="confluenceTd">VLAN ID which is tagged in egress.</td></tr></tbody></table></div><h2 id="CRS1xx/2xxseriesswitches-Ingress/EgressVLANTranslation"><span class="mw-headline">Ingress/Egress VLAN Translation</span></h2><p>The Ingress VLAN Translation table allows for up to 15 entries for each port. One or multiple fields can be selected from the packet header for lookup in the Ingress VLAN Translation table. 
The S-VLAN or C-VLAN or both configured in the first matched entry are assigned to the packet.</p><p><strong>Sub-menu:</strong><span> </span><code>/interface ethernet switch ingress-vlan-translation</code></p><p><strong>Sub-menu:</strong><span> </span><code>/interface ethernet switch egress-vlan-translation</code></p><div class="table-wrap"><table class="wrapped confluenceTable" style="margin-left: 13.7188px;"><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>customer-dei</strong><span> </span>(<em>0..1</em>; Default:<span> </span><strong>none</strong>)</td><td class="confluenceTd">Matching DEI of the customer tag.</td></tr><tr><td class="confluenceTd"><strong>customer-pcp</strong><span> </span>(<em>0..7</em>; Default:<span> </span><strong>none</strong>)</td><td class="confluenceTd">Matching PCP of the customer tag.</td></tr><tr><td class="confluenceTd"><strong>customer-vid</strong><span> </span>(<em>0..4095</em>; Default:<span> </span><strong>none</strong>)</td><td class="confluenceTd">Matching the VLAN ID of the customer tag.</td></tr><tr><td class="confluenceTd"><strong>customer-vlan-format</strong><span> </span>(<em>any | priority-tagged-or-tagged | tagged | untagged-or-tagged</em>; Default:<strong>any</strong>)</td><td class="confluenceTd">Type of frames with customer tag for which VLAN translation rule is valid.</td></tr><tr><td class="confluenceTd"><strong>disabled</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">Enables or disables VLAN translation entry.</td></tr><tr><td class="confluenceTd"><strong>new-customer-vid</strong><span> </span>(<em>0..4095</em>; Default:<span> </span><strong>none</strong>)</td><td class="confluenceTd">The new customer VLAN ID replaces the matching customer VLAN ID. 
If set to 4095 and ingress VLAN translation is used, then traffic is dropped.</td></tr><tr><td class="confluenceTd"><strong>new-service-vid</strong><span> </span>(<em>0..4095</em>; Default:<span> </span><strong>none</strong>)</td><td class="confluenceTd">The new service VLAN ID replaces the matching service VLAN ID.</td></tr><tr><td class="confluenceTd"><strong>pcp-propagation</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">Enables or disables PCP propagation.<ul class="bullets"><li>If the port type is Edge, the customer PCP is copied from the service PCP.</li><li>If the port type is Network, the service PCP is copied from the customer PCP.</li></ul></td></tr><tr><td class="confluenceTd"><strong>ports</strong><span> </span>(<em>ports</em>)</td><td class="confluenceTd">Matching switch ports for VLAN translation rule.</td></tr><tr><td class="confluenceTd"><strong>protocol</strong><span> </span>(<em>protocols</em>; Default:<span> </span><strong>none</strong>)</td><td class="confluenceTd">Matching Ethernet protocol.<span> </span><em>(only for Ingress VLAN Translation)</em></td></tr><tr><td class="confluenceTd"><strong>sa-learning</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">Enables or disables source MAC learning after VLAN translation.<span> </span><em>(only for Ingress VLAN Translation)</em></td></tr><tr><td class="confluenceTd"><strong>service-dei</strong><span> </span>(<em>0..1</em>; Default:<span> </span><strong>none</strong>)</td><td class="confluenceTd">Matching DEI of the service tag.</td></tr><tr><td class="confluenceTd"><strong>service-pcp</strong><span> </span>(<em>0..7</em>; Default:<span> </span><strong>none</strong>)</td><td class="confluenceTd">Matching PCP of the service tag.</td></tr><tr><td class="confluenceTd"><strong>service-vid</strong><span> </span>(<em>0..4095</em>; Default:<span> 
</span><strong>none</strong>)</td><td class="confluenceTd">Matching VLAN ID of the service tag.</td></tr><tr><td class="confluenceTd"><strong>service-vlan-format</strong><span> </span>(<em>any | priority-tagged-or-tagged | tagged | untagged-or-tagged</em>; Default:<strong>any</strong>)</td><td class="confluenceTd">Type of frames with service tag for which VLAN translation rule is valid.</td></tr></tbody></table></div><p>The table below lists the traffic that triggers a rule for each VLAN format setting. Note that traffic tagged with VLAN ID 0 is a special case that is also taken into account.</p><div class="table-wrap"><table class="wrapped confluenceTable" style="margin-left: 13.7188px;"><tbody><tr><th class="confluenceTh">VLAN format</th><th class="confluenceTh">Matching traffic</th></tr><tr><td class="confluenceTd"><strong>any</strong></td><td class="confluenceTd">Accepts:<ul><li>Untagged traffic</li><li>Tagged traffic</li><li>Tagged traffic with priority set</li><li>VLAN 0 traffic</li><li>VLAN 0 traffic with priority set</li></ul></td></tr><tr><td class="confluenceTd"><strong>priority-tagged-or-tagged</strong></td><td class="confluenceTd">Accepts:<ul><li>Tagged traffic</li><li>Tagged traffic with priority set</li><li>VLAN 0 traffic</li><li>VLAN 0 traffic with priority set</li></ul></td></tr><tr><td class="confluenceTd"><strong>tagged</strong></td><td class="confluenceTd">Accepts:<ul><li>Tagged traffic</li><li>Tagged traffic with priority set</li></ul></td></tr><tr><td class="confluenceTd"><strong>untagged-or-tagged</strong></td><td class="confluenceTd">Accepts:<ul><li>Untagged traffic</li><li>Tagged traffic</li><li>Tagged traffic with priority set</li></ul></td></tr></tbody></table></div><div class="confluence-information-macro confluence-information-macro-warning"><span class="aui-icon aui-icon-small aui-iconfont-error confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>If <span style="color: 
rgb(51,153,102);"><code>VLAN-format</code></span> is set to <span style="color: rgb(51,153,102);"><code>any</code></span>, then <span style="color: rgb(51,153,102);"><code>customer-vid</code></span><code>/</code><span style="color: rgb(51,153,102);"><code>service-vid</code></span> set to <span style="color: rgb(51,153,102);"><code>0</code></span> will trigger the switch rule with VLAN 0 traffic. In this case, the switch rule looks for untagged traffic or traffic with a VLAN 0 tag, and only <span style="color: rgb(51,153,102);"><code>untagged-or-tagged</code></span> will filter out VLAN 0 traffic.</p></div></div><h2 id="CRS1xx/2xxseriesswitches-ProtocolBasedVLAN"><span class="mw-headline">Protocol Based VLAN</span></h2><p><span class="mw-headline">The Protocol Based VLAN table is used to assign VID and QoS attributes to related protocol packets per port.</span></p><p><strong>Sub-menu:</strong><span> </span><code>/interface ethernet switch protocol-based-vlan</code></p><div class="table-wrap"><table class="wrapped confluenceTable" style="margin-left: 13.7188px;"><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>disabled</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">Enables or disables Protocol Based VLAN entry.</td></tr><tr><td class="confluenceTd"><strong>frame-type</strong><span> </span>(<em>ethernet | llc | rfc-1042</em>; Default:<span> </span><strong>ethernet</strong>)</td><td class="confluenceTd">Encapsulation type of the matching frames.</td></tr><tr><td class="confluenceTd"><strong>new-customer-vid</strong><span> </span>(<em>0..4095</em>; Default:<span> </span><strong>0</strong>)</td><td class="confluenceTd">The new customer VLAN ID replaces the original customer VLAN ID for the specified protocol. 
If set to 4095, then traffic is dropped.</td></tr><tr><td class="confluenceTd"><strong>new-service-vid</strong><span> </span>(<em>0..4095</em>; Default:<span> </span><strong>0</strong>)</td><td class="confluenceTd">The new service VLAN ID replaces the original service VLAN ID for the specified protocol.</td></tr><tr><td class="confluenceTd"><strong>ports</strong><span> </span>(<em>ports</em>)</td><td class="confluenceTd">Matching switch ports for Protocol-based VLAN rule.</td></tr><tr><td class="confluenceTd"><strong>protocol</strong><span> </span>(<em>protocol</em>; Default:<span> </span><strong>0</strong>)</td><td class="confluenceTd">Matching protocol for Protocol-based VLAN rule.</td></tr><tr><td class="confluenceTd"><strong>qos-group</strong><span> </span>(<em>none</em>; Default:<span> </span><strong>none</strong>)</td><td class="confluenceTd">Defined QoS group from<span> </span>QoS group<span> </span>menu.</td></tr><tr><td class="confluenceTd"><strong>set-customer-vid-for</strong><span> </span>(<em>all | none | tagged | untagged-or-priority-tagged</em>; Default:<span> </span><strong>all</strong>)</td><td class="confluenceTd">Customer VLAN ID assignment command for different packet types.</td></tr><tr><td class="confluenceTd"><strong>set-qos-for</strong><span> </span>(<em>all | none | tagged | untagged-or-priority-tagged</em>; Default:<span> </span><strong>none</strong>)</td><td class="confluenceTd">Frame type for which QoS assignment command applies.</td></tr><tr><td class="confluenceTd"><strong>set-service-vid-for</strong><span> </span>(<em>all | none | tagged | untagged-or-priority-tagged</em>; Default:<span> </span><strong>all</strong>)</td><td class="confluenceTd">Service VLAN ID assignment command for different packet types.</td></tr></tbody></table></div><h2 id="CRS1xx/2xxseriesswitches-MACBasedVLAN"><span class="mw-headline">MAC Based VLAN</span></h2><p><span class="mw-headline">MAC Based VLAN table is used to assign VLAN based on the source 
MAC.</span></p><p><strong>Sub-menu:</strong><span> </span><code>/interface ethernet switch mac-based-vlan</code></p><div class="table-wrap"><table class="wrapped confluenceTable" style="margin-left: 13.7188px;"><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>disabled</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">Enables or disables MAC Based VLAN entry.</td></tr><tr><td class="confluenceTd"><strong>new-customer-vid</strong><span> </span>(<em>0..4095</em>; Default:<span> </span><strong>0</strong>)</td><td class="confluenceTd">The new customer VLAN ID replaces the original service VLAN ID for matched packets. If set to 4095, then traffic is dropped.</td></tr><tr><td class="confluenceTd"><strong>new-service-vid</strong><span> </span>(<em>0..4095</em>; Default:<span> </span><strong>0</strong>)</td><td class="confluenceTd">The new service VLAN ID replaces the original service VLAN ID for matched packets.</td></tr><tr><td class="confluenceTd"><strong>src-mac-address</strong><span> </span>(<em>MAC address</em>)</td><td class="confluenceTd">Matching source MAC address for MAC based VLAN rule.</td></tr></tbody></table></div><p><br/></p><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>All CRS1xx/2xx series switches support up to 1024 MAC Based VLAN table entries.</p></div></div><h2 id="CRS1xx/2xxseriesswitches-1:1VLANSwitching"><span class="mw-headline">1:1 VLAN Switching</span></h2><p><span class="mw-headline">1:1 VLAN switching can be used to replace the regular L2 bridging for matched packets. When a packet hits a 1:1 VLAN switching table entry, the destination port information in the entry is assigned to the packet. 
The matched destination information in the UFDB and MFDB entry no longer applies to the packet.</span></p><p><strong>Sub-menu:</strong><span> </span><code>/interface ethernet switch one2one-vlan-switching</code></p><div class="table-wrap"><table class="wrapped confluenceTable" style="margin-left: 13.7188px;"><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>customer-vid</strong><span> </span>(<em>0..4095</em>; Default:<span> </span><strong>0</strong>)</td><td class="confluenceTd">Matching customer VLAN id for 1:1 VLAN switching.</td></tr><tr><td class="confluenceTd"><strong>disabled</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">Enables or disables 1:1 VLAN switching table entry.</td></tr><tr><td class="confluenceTd"><strong>dst-port</strong><span> </span>(<em>port</em>)</td><td class="confluenceTd">Destination port for matched 1:1 VLAN switching packets.</td></tr><tr><td class="confluenceTd"><strong>service-vid</strong><span> </span>(<em>0..4095</em>; Default:<span> </span><strong>0</strong>)</td><td class="confluenceTd">Matching customer VLAN id for 1:1 VLAN switching.</td></tr></tbody></table></div><h1 id="CRS1xx/2xxseriesswitches-PortIsolation/Leakage"><span class="mw-headline">Port Isolation/Leakage</span></h1><hr/><p><span style="letter-spacing: 0.0px;">The CRS switches support flexible multi-level isolation features, which can be used for user access control, traffic engineering, and advanced security and network management. The isolation features provide an organized fabric structure that allows the user to easily program and control access by port, MAC address, VLAN, protocol, flow, and frame type. 
The following isolation and leakage features are supported:</span></p><ul><li>Port-level isolation</li><li>MAC-level isolation</li><li>VLAN-level isolation</li><li>Protocol-level isolation</li><li>Flow-level isolation</li><li>Free combination of the above</li></ul><p>Port-level isolation supports different control schemes on the source port and destination port. Each entry can be programmed with access control for either the source port or the destination port.</p><ul><li>When the entry is programmed with source port access control, the entry is applied to the ingress packets.</li><li>When the entry is programmed with destination port access control, the entry is applied to the egress packets.</li></ul><p>Port leakage allows bypassing egress VLAN filtering on the port. A leaky port is allowed to access other ports for various applications such as security, network control, and management. Note: When both isolation and leakage are applied to the same port, the port is isolated.</p><p><strong>Sub-menu:</strong><span> </span><code>/interface ethernet switch port-isolation</code></p><p><strong>Sub-menu:</strong><span> </span><code>/interface ethernet switch port-leakage</code></p><div class="table-wrap"><table class="wrapped confluenceTable" style="margin-left: 13.7188px;"><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>disabled</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">Enables or disables port isolation/leakage entry.</td></tr><tr><td class="confluenceTd"><strong>flow-id</strong><span> </span>(<em>0..63</em>; Default:<span> </span><strong>none</strong>)</td><td class="confluenceTd"><br/></td></tr><tr><td class="confluenceTd"><strong>forwarding-type</strong><span> </span>(<em>bridged; routed</em>; Default:<span> </span><strong>bridged,routed</strong>)</td><td class="confluenceTd">Matching 
traffic forwarding type on Cloud Router Switch.</td></tr><tr><td class="confluenceTd"><strong>mac-profile</strong><span> </span>(<em>community1 | community2 | isolated | promiscuous</em>; Default:<span> </span><strong>none</strong>)</td><td class="confluenceTd">Matching MAC isolation/leakage profile.</td></tr><tr><td class="confluenceTd"><strong>port-profile</strong><span> </span>(<em>0..31</em>; Default:<span> </span><strong>none</strong>)</td><td class="confluenceTd">Matching Port isolation/leakage profile.</td></tr><tr><td class="confluenceTd"><strong>ports</strong><span> </span>(<em>ports</em>; Default:<span> </span><strong>none</strong>)</td><td class="confluenceTd">Isolated/leaked ports.</td></tr><tr><td class="confluenceTd"><strong>protocol-type</strong><span> </span>(<em>arp; nd; dhcpv4; dhcpv6; ripv1</em>; Default:<span> </span><strong>arp,nd,dhcpv4,dhcpv6,ripv1</strong>)</td><td class="confluenceTd">Included protocols for isolation/leakage.</td></tr><tr><td class="confluenceTd"><strong>registration-status</strong><span> </span>(<em>known; unknown</em>; Default:<span> </span><strong>known,unknown</strong>)</td><td class="confluenceTd">Registration status for matching packets. 
Known are present in UFDB and MFDB, and unknown are not.</td></tr><tr><td class="confluenceTd"><strong>traffic-type</strong><span> </span>(<em>unicast; multicast; broadcast</em>; Default:<span> </span><strong>unicast,multicast,broadcast</strong>)</td><td class="confluenceTd">Matching traffic type.</td></tr><tr><td class="confluenceTd"><strong>type</strong><span> </span>(<em>dst | src</em>; Default:<span> </span><strong>src</strong>)</td><td class="confluenceTd">Lookup type of the isolation/leakage entry:<ul class="bullets"><li>src<span> </span>- Entry applies to ingress packets of the ports.</li><li>dst<span> </span>- Entry applies to egress packets of the ports.</li></ul></td></tr><tr><td class="confluenceTd"><strong>vlan-profile</strong><span> </span>(<em>community1 | community2 | isolated | promiscuous</em>; Default:<span> </span><strong>none</strong>)</td><td class="confluenceTd">Matching VLAN isolation/leakage profile.</td></tr></tbody></table></div><h1 id="CRS1xx/2xxseriesswitches-Trunking"><span class="mw-headline">Trunking</span></h1><hr/><p><span class="mw-headline">The Trunking in the Cloud Router Switches provides static link aggregation groups with hardware automatic failover and load balancing. IEEE802.3ad and IEEE802.1ax compatible Link Aggregation Control Protocol is not supported. Up to 8 Trunk groups are supported with up to 8 Trunk member ports per Trunk group. 
CRS Port Trunking calculates transmit-hash based on all following parameters: L2 src-dst MAC + L3 src-dst IP + L4 src-dst Port.</span></p><p><strong>Sub-menu:</strong><span> </span><code>/interface ethernet switch trunk</code></p><div class="table-wrap"><table class="wrapped confluenceTable" style="margin-left: 13.7188px;"><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>disabled</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">Enables or disables port trunking entry.</td></tr><tr><td class="confluenceTd"><strong>member-ports</strong><span> </span>(<em>ports</em>)</td><td class="confluenceTd">Member ports of the Trunk group.</td></tr><tr><td class="confluenceTd"><strong>name</strong><span> </span>(<em>string value</em>; Default:<span> </span><strong>trunkX</strong>)</td><td class="confluenceTd">Name of the Trunk group.</td></tr></tbody></table></div><h1 id="CRS1xx/2xxseriesswitches-QualityofService"><span class="mw-headline">Quality of Service</span></h1><hr/><h2 id="CRS1xx/2xxseriesswitches-Shaper"><span class="mw-headline">Shaper</span></h2><p>Traffic shaping restricts the rate and burst size of the flow which is transmitted out from the interface. The shaper is implemented by a token bucket. 
If a packet exceeds the maximum rate or the burst size, meaning there are not enough tokens for it, the packet is held in the buffer until enough tokens are available to transmit it.</p><p><strong>Sub-menu:</strong><span> </span><code>/interface ethernet switch shaper</code></p><div class="table-wrap"><table class="wrapped confluenceTable" style="margin-left: 13.7188px;"><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>burst</strong><span> </span>(<em>integer</em>; Default:<span> </span><strong>100k</strong>)</td><td class="confluenceTd">Maximum data rate which can be transmitted while the burst is allowed.</td></tr><tr><td class="confluenceTd"><strong>disabled</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">Enables or disables traffic shaper entry.</td></tr><tr><td class="confluenceTd"><strong>meter-unit</strong><span> </span>(<em>bit | packet</em>; Default:<span> </span><strong>bit</strong>)</td><td class="confluenceTd">Measuring units for traffic shaper rate.</td></tr><tr><td class="confluenceTd"><strong>port</strong><span> </span>(<em>port</em>)</td><td class="confluenceTd">Physical port for traffic shaper.</td></tr><tr><td class="confluenceTd"><strong>rate</strong><span> </span>(<em>integer</em>; Default:<span> </span><strong>1M</strong>)</td><td class="confluenceTd">Maximum data rate limit.</td></tr><tr><td class="confluenceTd"><strong>target</strong><span> </span>(<em>port | queueX | wrr-groupX</em>; Default:<span> </span><strong>port</strong>)</td><td class="confluenceTd">Three levels of shapers are supported on each port (including CPU port):<ul class="bullets"><li>Port level<span> </span>- Entry applies to the port of the switch-chip.</li><li>WRR group level<span> </span>- Entry applies to one of the 2 Weighted Round Robin queue groups (wrr-group0, wrr-group1) on the port.</li><li>Queue level<span> </span>- Entry 
applies to one of the 8 queues (queue0 - queue7) on the port.</li></ul></td></tr></tbody></table></div><h2 id="CRS1xx/2xxseriesswitches-IngressPortPolicer"><span class="mw-headline">Ingress Port Policer</span></h2><p><strong>Sub-menu:</strong><span> </span><code>/interface ethernet switch ingress-port-policer</code></p><div class="table-wrap"><table class="wrapped confluenceTable" style="margin-left: 13.7188px;"><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>burst</strong><span> </span>(<em>integer</em>; Default:<span> </span><strong>100k</strong>)</td><td class="confluenceTd">Maximum data rate which can be transmitted while the burst is allowed.</td></tr><tr><td class="confluenceTd"><strong>disabled</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">Enables or disables ingress port policer entry.</td></tr><tr><td class="confluenceTd"><strong>meter-len</strong><span> </span>(<em>layer-1 | layer-2 | layer-3</em>; Default:<span> </span><strong>layer-1</strong>)</td><td class="confluenceTd">Packet classification which sets the packet byte length for metering.<ul class="bullets"><li>layer-1<span> </span>- includes entire layer-2 frame + FCS + inter-packet gap + preamble.</li><li>layer-2<span> </span>- includes layer-2 frame + FCS.</li><li>layer-3<span> </span>- includes only layer-3 + ethernet padding without layer-2 header and FCS.</li></ul></td></tr><tr><td class="confluenceTd"><strong>meter-unit</strong><span> </span>(<em>bit | packet</em>; Default:<span> </span><strong>bit</strong>)</td><td class="confluenceTd">Measuring units for traffic ingress port policer rate.</td></tr><tr><td class="confluenceTd"><strong>new-dei-for-yellow</strong><span> </span>(<em>0..1 | remap</em>; Default:<span> </span><strong>none</strong>)</td><td class="confluenceTd">Remarked DEI for exceeded traffic if yellow-action is 
remark.</td></tr><tr><td class="confluenceTd"><strong>new-dscp-for-yellow</strong><span> </span>(<em>0..63 | remap</em>; Default:<span> </span><strong>none</strong>)</td><td class="confluenceTd">Remarked DSCP for exceeded traffic if yellow-action is remark.</td></tr><tr><td class="confluenceTd"><strong>new-pcp-for-yellow</strong><span> </span>(<em>0..7 | remap</em>; Default:<span> </span><strong>none</strong>)</td><td class="confluenceTd">Remarked PCP for exceeded traffic if yellow-action is remark.</td></tr><tr><td class="confluenceTd"><strong>packet-types</strong><span> </span>(<em>packet-types</em>; Default:<span> </span><strong>all types from description</strong>)</td><td class="confluenceTd">Matching packet types for which ingress port policer entry is valid.</td></tr><tr><td class="confluenceTd"><strong>port</strong><span> </span>(<em>port</em>)</td><td class="confluenceTd">Physical port or trunk for ingress port policer entry.</td></tr><tr><td class="confluenceTd"><strong>rate</strong><span> </span>(<em>integer</em>)</td><td class="confluenceTd">Maximum data rate limit.</td></tr><tr><td class="confluenceTd"><strong>yellow-action</strong><span> </span>(<em>drop | forward | remark</em>; Default:<span> </span><strong>drop</strong>)</td><td class="confluenceTd">Performed action for exceeded traffic.</td></tr></tbody></table></div><h2 id="CRS1xx/2xxseriesswitches-QoSGroup"><span class="mw-headline">QoS Group</span></h2><p><span class="mw-headline">The global QoS group table is used for VLAN-based, Protocol-based, and MAC-based QoS group assignment configuration.</span></p><p><strong>Sub-menu:</strong><span> </span><code>/interface ethernet switch qos-group</code></p><div class="table-wrap"><table class="wrapped confluenceTable" style="margin-left: 13.7188px;"><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>dei</strong><span> </span>(<em>0..1</em>; Default:<span> 
</span><strong>none</strong>)</td><td class="confluenceTd">The new value of DEI for the QoS group.</td></tr><tr><td class="confluenceTd"><strong>disabled</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">Enables or disables protocol QoS group entry.</td></tr><tr><td class="confluenceTd"><strong>drop-precedence</strong><span> </span>(<em>drop | green | red | yellow</em>; Default:<span> </span><strong>green</strong>)</td><td class="confluenceTd">Drop precedence is an internal QoS attribute used for packet enqueuing or dropping.</td></tr><tr><td class="confluenceTd"><strong>dscp</strong><span> </span>(<em>0..63</em>; Default:<span> </span><strong>none</strong>)</td><td class="confluenceTd">The new value of DSCP for the QoS group.</td></tr><tr><td class="confluenceTd"><strong>name</strong><span> </span>(<em>string value</em>; Default:<span> </span><strong>groupX</strong>)</td><td class="confluenceTd">Name of the QoS group.</td></tr><tr><td class="confluenceTd"><strong>pcp</strong><span> </span>(<em>0..7</em>; Default:<span> </span><strong>none</strong>)</td><td class="confluenceTd">The new value of PCP for the QoS group.</td></tr><tr><td class="confluenceTd"><strong>priority</strong><span> </span>(<em>0..15</em>; Default:<span> </span><strong>0</strong>)</td><td class="confluenceTd">Internal priority is a local significance of priority for classifying traffic to different egress queues on a port. 
(1 is highest, 15 is lowest)</td></tr></tbody></table></div><h2 id="CRS1xx/2xxseriesswitches-DSCPQoSMap"><span class="mw-headline">DSCP QoS Map</span></h2><p><span class="mw-headline">The global DSCP to QOS mapping table is used for mapping from the DSCP of the packet to new QoS attributes configured in the table.</span></p><p><strong>Sub-menu:</strong><span> </span><code>/interface ethernet switch dscp-qos-map</code></p><div class="table-wrap"><table class="wrapped confluenceTable" style="margin-left: 13.7188px;"><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>dei</strong><span> </span>(<em>0..1</em>)</td><td class="confluenceTd">The new value of DEI for the DSCP to QOS mapping entry.</td></tr><tr><td class="confluenceTd"><strong>drop-precedence</strong><span> </span>(<em>drop | green | red | yellow</em>)</td><td class="confluenceTd">The new value of Drop precedence for the DSCP to QOS mapping entry.</td></tr><tr><td class="confluenceTd"><strong>pcp</strong><span> </span>(<em>0..7</em>)</td><td class="confluenceTd">The new value of PCP for the DSCP to QOS mapping entry.</td></tr><tr><td class="confluenceTd"><strong>priority</strong><span> </span>(<em>0..15</em>)</td><td class="confluenceTd">The new value of internal priority for the DSCP to QOS mapping entry.</td></tr></tbody></table></div><h2 id="CRS1xx/2xxseriesswitches-DSCPToDSCPMap"><span class="mw-headline">DSCP To DSCP Map</span></h2><p><span class="mw-headline">The global DSCP to DSCP mapping table is used for mapping from the packet's original DSCP to the new DSCP value configured in the table.</span></p><p><strong>Sub-menu:</strong><span> </span><code>/interface ethernet switch dscp-to-dscp</code></p><div class="table-wrap"><table class="wrapped confluenceTable" style="margin-left: 13.7188px;"><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td 
class="confluenceTd"><strong>new-dscp</strong><span> </span>(<em>0..63</em>)</td><td class="confluenceTd">The new value of DSCP for the DSCP to DSCP mapping entry.</td></tr></tbody></table></div><h2 id="CRS1xx/2xxseriesswitches-PolicerQoSMap"><span class="mw-headline">Policer QoS Map</span></h2><p><strong>Sub-menu:</strong><span> </span><code>/interface ethernet switch policer-qos-map</code></p><div class="table-wrap"><table class="wrapped confluenceTable" style="margin-left: 13.7188px;"><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>dei-for-red</strong><span> </span>(<em>0..1</em>; Default:<span> </span><strong>0</strong>)</td><td class="confluenceTd">Policer DEI remapping value for red packets.</td></tr><tr><td class="confluenceTd"><strong>dei-for-yellow</strong><span> </span>(<em>0..1</em>; Default:<span> </span><strong>0</strong>)</td><td class="confluenceTd">Policer DEI remapping value for yellow packets.</td></tr><tr><td class="confluenceTd"><strong>dscp-for-red</strong><span> </span>(<em>0..63</em>; Default:<span> </span><strong>0</strong>)</td><td class="confluenceTd">Policer DSCP remapping value for red packets.</td></tr><tr><td class="confluenceTd"><strong>dscp-for-yellow</strong><span> </span>(<em>0..63</em>; Default:<span> </span><strong>0</strong>)</td><td class="confluenceTd">Policer DSCP remapping value for yellow packets.</td></tr><tr><td class="confluenceTd"><strong>pcp-for-red</strong><span> </span>(<em>0..7</em>; Default:<span> </span><strong>0</strong>)</td><td class="confluenceTd">Policer PCP remapping value for red packets.</td></tr><tr><td class="confluenceTd"><strong>pcp-for-yellow</strong><span> </span>(<em>0..7</em>; Default:<span> </span><strong>0</strong>)</td><td class="confluenceTd">Policer PCP remapping value for yellow packets.</td></tr></tbody></table></div><h1 id="CRS1xx/2xxseriesswitches-AccessControlList"><span class="mw-headline">Access Control 
List</span></h1><hr/><p>The Access Control List consists of ingress policy and egress policy engines and allows configuration of up to 128 policy rules (limited by RouterOS). It is an advanced tool for wire-speed packet filtering, forwarding, shaping, and modifying based on Layer2, Layer3, and Layer4 protocol header field conditions.</p><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>See the Summary section for Access Control List supported Cloud Router Switch devices.</p></div></div><div class="confluence-information-macro confluence-information-macro-warning"><span class="aui-icon aui-icon-small aui-iconfont-error confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>Due to hardware limitations, it is not possible to match broadcast/multicast traffic on specific ports. You should use port isolation, drop traffic on ingress ports, or use VLAN filtering to prevent certain broadcast/multicast traffic from being forwarded.</p></div></div><p><strong>Sub-menu:</strong><span> </span><code>/interface ethernet switch acl</code></p><p>ACL condition part for MAC-related fields of packets.</p><div class="table-wrap"><table class="wrapped confluenceTable" style="margin-left: 13.7188px;"><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>disabled</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">Enables or disables ACL entry.</td></tr><tr><td class="confluenceTd"><strong>table</strong><span> </span>(<em>egress | ingress</em>; Default:<span> </span><strong>ingress</strong>)</td><td class="confluenceTd">Selects the policy table for incoming or outgoing packets.</td></tr><tr><td 
class="confluenceTd"><strong>invert-match</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">Inverts the whole ACL rule matching.</td></tr><tr><td class="confluenceTd"><strong>src-ports</strong><span> </span>(<em>ports,trunks</em>)</td><td class="confluenceTd">Matching physical source ports or trunks.</td></tr><tr><td class="confluenceTd"><strong>dst-ports</strong><span> </span>(<em>ports,trunks</em>)</td><td class="confluenceTd">Matching physical destination ports or trunks. It is not possible to match broadcast/multicast traffic on the egress port due to a hardware limitation.</td></tr><tr><td class="confluenceTd"><strong>mac-src-address</strong><span> </span>(<em>MAC address/Mask</em>)</td><td class="confluenceTd">Source MAC address and mask.</td></tr><tr><td class="confluenceTd"><strong>mac-dst-address</strong><span> </span>(<em>MAC address/Mask</em>)</td><td class="confluenceTd">Destination MAC address and mask.</td></tr><tr><td class="confluenceTd"><strong>dst-addr-registered</strong><span> </span>(<em>yes | no</em>)</td><td class="confluenceTd">Defines whether to match packets with registered state - packets whose destination MAC address is in UFDB/MFDB/RFDB. 
Valid only in the egress table.</td></tr><tr><td class="confluenceTd"><strong>mac-protocol</strong><span> </span>(<em>802.2 | arp | homeplug-av | ip | ip-or-ipv6 | ipv6 | ipx | lldp | loop-protect | mpls-multicast | mpls-unicast | non-ip | packing-compr | packing-simple | pppoe | pppoe-discovery | rarp | service-vlan | vlan or integer: 0..65535 decimal format or 0x0000-0xffff hex format</em>)</td><td class="confluenceTd">Ethernet payload type (MAC-level protocol)<ul><li><strong>802.2</strong><span> </span>- 802.2 Frames (0x0004)</li><li><strong>arp</strong><span> </span>- Address Resolution Protocol (0x0806)</li><li><strong>homeplug-av</strong><span> </span>- HomePlug AV MME (0x88E1)</li><li><strong>ip</strong><span> </span>- Internet Protocol version 4 (0x0800)</li><li><strong>ip-or-ipv6</strong><span> </span>- IPv4 or IPv6 (0x0800 or 0x86DD)</li><li><strong>ipv6</strong><span> </span>- Internet Protocol Version 6 (0x86DD)</li><li><strong>ipx</strong><span> </span>- Internetwork Packet Exchange (0x8137)</li><li><strong>lldp</strong><span> </span>- Link Layer Discovery Protocol (0x88CC)</li><li><strong>loop-protect</strong><span> </span>- Loop Protect Protocol (0x9003)</li><li><strong>mpls-multicast</strong><span> </span>- MPLS multicast (0x8848)</li><li><strong>mpls-unicast</strong><span> </span>- MPLS unicast (0x8847)</li><li><strong>non-ip</strong><span> </span>- Not Internet Protocol version 4 (not 0x0800)</li><li><strong>packing-compr</strong><span> </span>- Encapsulated packets with compressed<span> </span><a class="external-link" href="https://wiki.mikrotik.com/wiki/Manual:IP/Packing" rel="nofollow" style="text-decoration: none;" title="Manual:IP/Packing">IP packing</a><span> </span>(0x9001)</li><li><strong>packing-simple</strong><span> </span>- Encapsulated packets with simple<span> </span><a class="external-link" href="https://wiki.mikrotik.com/wiki/Manual:IP/Packing" rel="nofollow" style="text-decoration: none;" title="Manual:IP/Packing">IP 
packing</a><span> </span>(0x9000)</li><li><strong>pppoe</strong><span> </span>- PPPoE Session Stage (0x8864)</li><li><strong>pppoe-discovery</strong><span> </span>- PPPoE Discovery Stage (0x8863)</li><li><strong>rarp</strong><span> </span>- Reverse Address Resolution Protocol (0x8035)</li><li><strong>service-vlan</strong><span> </span>- Provider Bridging (IEEE 802.1ad) & Shortest Path Bridging IEEE 802.1aq (0x88A8)</li><li><strong>vlan</strong><span> </span>- VLAN-tagged frame (IEEE 802.1Q) and Shortest Path Bridging IEEE 802.1aq with NNI compatibility (0x8100)</li></ul></td></tr><tr><td class="confluenceTd"><strong>drop-precedence</strong><span> </span>(<em>drop | green | red | yellow</em>)</td><td class="confluenceTd">Matching internal drop precedence. Valid only in the egress table.</td></tr><tr><td class="confluenceTd"><strong>custom-fields</strong></td><td class="confluenceTd"><br/></td></tr></tbody></table></div><p>ACL condition part for VLAN-related fields of packets.</p><div class="table-wrap"><table class="wrapped confluenceTable" style="margin-left: 13.7188px;"><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>lookup-vid</strong><span> </span>(<em>0..4095</em>)</td><td class="confluenceTd">VLAN id used in lookup. 
It can be changed before reaching the egress table.</td></tr><tr><td class="confluenceTd"><strong>service-vid</strong><span> </span>(<em>0-4095</em>)</td><td class="confluenceTd">Matching service VLAN id.</td></tr><tr><td class="confluenceTd"><strong>service-pcp</strong><span> </span>(<em>0..7</em>)</td><td class="confluenceTd">Matching service PCP.</td></tr><tr><td class="confluenceTd"><strong>service-dei</strong><span> </span>(<em>0..1</em>)</td><td class="confluenceTd">Matching service DEI.</td></tr><tr><td class="confluenceTd"><strong>service-tag</strong><span> </span>(<em>priority-tagged | tagged | tagged-or-priority-tagged | untagged</em>)</td><td class="confluenceTd">Format of the service tag.</td></tr><tr><td class="confluenceTd"><strong>customer-vid</strong><span> </span>(<em>0-4095</em>)</td><td class="confluenceTd">Matching customer VLAN ID.</td></tr><tr><td class="confluenceTd"><strong>customer-pcp</strong><span> </span>(<em>0..7</em>)</td><td class="confluenceTd">Matching customer PCP.</td></tr><tr><td class="confluenceTd"><strong>customer-dei</strong><span> </span>(<em>0..1</em>)</td><td class="confluenceTd">Matching customer DEI.</td></tr><tr><td class="confluenceTd"><strong>customer-tag</strong><span> </span>(<em>priority-tagged | tagged | tagged-or-priority-tagged | untagged</em>)</td><td class="confluenceTd">Format of the customer tag.</td></tr><tr><td class="confluenceTd"><strong>priority</strong><span> </span>(<em>0..15</em>)</td><td class="confluenceTd">Matching internal priority. 
Valid only in the egress table.</td></tr></tbody></table></div><p>ACL condition part for IPv4 and IPv6 related fields of packets.</p><div class="table-wrap"><table class="wrapped confluenceTable" style="margin-left: 13.7188px;"><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>ip-src</strong><span> </span>(<em>IPv4/0..32</em>)</td><td class="confluenceTd">Matching source IPv4 address.</td></tr><tr><td class="confluenceTd"><strong>ip-dst</strong><span> </span>(<em>IPv4/0..32</em>)</td><td class="confluenceTd">Matching destination IPv4 address.</td></tr><tr><td class="confluenceTd"><strong>ip-protocol</strong><span> </span>(<em>tcp | udp | udp-lite | other</em>)</td><td class="confluenceTd">IP protocol type.</td></tr><tr><td class="confluenceTd"><strong>src-l3-port</strong><span> </span>(<em>0-65535</em>)</td><td class="confluenceTd">Matching Layer3 source port.</td></tr><tr><td class="confluenceTd"><strong>dst-l3-port</strong><span> </span>(<em>0-65535</em>)</td><td class="confluenceTd">Matching Layer3 destination port.</td></tr><tr><td class="confluenceTd"><strong>ttl</strong><span> </span>(<em>0 | 1 | max | other</em>)</td><td class="confluenceTd">Matching TTL field of the packet.</td></tr><tr><td class="confluenceTd"><strong>dscp</strong><span> </span>(<em>0..63</em>)</td><td class="confluenceTd">Matching DSCP field of the packet.</td></tr><tr><td class="confluenceTd"><strong>ecn</strong><span> </span>(<em>0..3</em>)</td><td class="confluenceTd">Matching ECN field of the packet.</td></tr><tr><td class="confluenceTd"><strong>fragmented</strong><span> </span>(<em>yes | no</em>)</td><td class="confluenceTd">Whether to match fragmented packets.</td></tr><tr><td class="confluenceTd"><strong>first-fragment</strong><span> </span>(<em>yes | no</em>)</td><td class="confluenceTd">YES matches not fragmented and the first fragments, NO matches other fragments.</td></tr><tr><td 
class="confluenceTd"><strong>ipv6-src</strong><span> </span>(<em>IPv6/0..128</em>)</td><td class="confluenceTd">Matching source IPv6 address.</td></tr><tr><td class="confluenceTd"><strong>ipv6-dst</strong><span> </span>(<em>IPv6/0..128</em>)</td><td class="confluenceTd">Matching destination IPv6 address.</td></tr><tr><td class="confluenceTd"><strong>mac-isolation-profile</strong><span> </span>(<em>community1 | community2 | isolated | promiscuous</em>)</td><td class="confluenceTd">Matches isolation profile based on UFDB. Valid only in the egress policy table.</td></tr><tr><td class="confluenceTd"><strong>src-mac-addr-state</strong><span> </span>(<em>dynamic-station-move | sa-found | sa-not-found | static-station-move</em>)</td><td class="confluenceTd">Defines whether to match packets with registered state - packets whose destination MAC address is in UFDB/MFDB/RFDB. Valid only in the egress policy table.</td></tr><tr><td class="confluenceTd"><strong>flow-id</strong><span> </span>(<em>0..63</em>)</td><td class="confluenceTd"><br/></td></tr></tbody></table></div><p>ACL rule action part.</p><div class="table-wrap"><table class="wrapped confluenceTable" style="margin-left: 13.7188px;"><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>action</strong><span> </span>(<em>copy-to-cpu | drop | forward | redirect-to-cpu | send-to-new-dst-ports</em>; Default:<span> </span><strong>forward</strong>)</td><td class="confluenceTd"><ul class="bullets"><li>copy-to-cpu<span> </span>- Packets are copied to the CPU if they match the ACL conditions.</li><li>drop<span> </span>- Packets are dropped if they match the ACL conditions.</li><li>forward<span> </span>- Packets are forwarded if they match the ACL conditions.</li><li>redirect-to-cpu<span> </span>- Packets are redirected to the CPU if they match the ACL conditions.</li><li>send-to-new-dst-ports<span> </span>- Packets are sent to new destination ports 
if they match the ACL conditions.</li></ul></td></tr><tr><td class="confluenceTd"><strong>new-dst-ports</strong><span> </span>(<em>ports,trunks</em>)</td><td class="confluenceTd">If the action is "send-to-new-dst-ports", then this property sets which ports/trunks are the new destinations.</td></tr><tr><td class="confluenceTd"><strong>mirror-to</strong><span> </span>(<em>mirror0 | mirror1</em>)</td><td class="confluenceTd">Mirroring destination for ACL packets.</td></tr><tr><td class="confluenceTd"><strong>policer</strong><span> </span>(<em>policer</em>)</td><td class="confluenceTd">Applied ACL Policer for ACL packets.</td></tr><tr><td class="confluenceTd"><strong>src-mac-learn</strong><span> </span>(<em>yes | no</em>)</td><td class="confluenceTd">Whether to learn the source MAC of the matched ACL packets. Valid only in the ingress policy table.</td></tr><tr><td class="confluenceTd"><strong>new-service-vid</strong><span> </span>(<em>0..4095</em>)</td><td class="confluenceTd">New service VLAN ID for ACL packets.</td></tr><tr><td class="confluenceTd"><strong>new-service-pcp</strong><span> </span>(<em>0..7</em>)</td><td class="confluenceTd">New service PCP for ACL packets.</td></tr><tr><td class="confluenceTd"><strong>new-service-dei</strong><span> </span>(<em>0..1</em>)</td><td class="confluenceTd">New service DEI for ACL packets.</td></tr><tr><td class="confluenceTd"><strong>new-customer-vid</strong><span> </span>(<em>0..4095</em>)</td><td class="confluenceTd">New customer VLAN ID for ACL packets. 
If set to 4095, then traffic is dropped.</td></tr><tr><td class="confluenceTd"><strong>new-customer-pcp</strong><span> </span>(<em>0..7</em>)</td><td class="confluenceTd">New customer PCP for ACL packets.</td></tr><tr><td class="confluenceTd"><strong>new-customer-dei</strong><span> </span>(<em>0..1</em>)</td><td class="confluenceTd">New customer DEI for ACL packets.</td></tr><tr><td class="confluenceTd"><strong>new-dscp</strong><span> </span>(<em>0..63</em>)</td><td class="confluenceTd">New DSCP for ACL packets.</td></tr><tr><td class="confluenceTd"><strong>new-priority</strong><span> </span>(<em>0..15</em>)</td><td class="confluenceTd">New internal priority for ACL packets.</td></tr><tr><td class="confluenceTd"><strong>new-drop-precedence</strong><span> </span>(<em>drop | green | red | yellow</em>)</td><td class="confluenceTd">New internal drop precedence for ACL packets.</td></tr><tr><td class="confluenceTd"><strong>new-registered-state</strong><span> </span>(<em>yes | no</em>)</td><td class="confluenceTd">Whether to modify packet status. YES sets packet status to registered, NO - unregistered. Valid only in the ingress policy table.</td></tr><tr><td class="confluenceTd"><strong>new-flow-id</strong><span> </span>(<em>0..63</em>)</td><td class="confluenceTd"><br/></td></tr></tbody></table></div><p>Filter bypassing part for ACL packets.</p><div class="table-wrap"><table class="wrapped confluenceTable" style="margin-left: 13.7188px;"><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>attack-filter-bypass</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd"><br/></td></tr><tr><td class="confluenceTd"><strong>ingress-vlan-filter-bypass</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">Allows bypassing ingress VLAN filtering in the VLAN table for matching packets. 
This applies only to the ingress policy table.</td></tr><tr><td class="confluenceTd"><strong>egress-vlan-filter-bypass</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">Allows bypassing egress VLAN filtering in the VLAN table for matching packets. This applies only to the ingress policy table.</td></tr><tr><td class="confluenceTd"><strong>isolation-filter-bypass</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">Allows bypassing the Isolation table for matching packets. This applies only to the ingress policy table.</td></tr><tr><td class="confluenceTd"><strong>egress-vlan-translate-bypass</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">Allows bypassing egress VLAN translation table for matching packets.</td></tr></tbody></table></div><h2 id="CRS1xx/2xxseriesswitches-ACLPolicer"><span class="mw-headline">ACL Policer</span></h2><p><strong>Sub-menu:</strong><span> </span><code>/interface ethernet switch acl policer</code></p><div class="table-wrap"><table class="wrapped confluenceTable" style="margin-left: 13.7188px;"><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>name</strong><span> </span>(<em>string</em>; Default:<span> </span><strong>policerX</strong>)</td><td class="confluenceTd">Name of the Policer used in ACL.</td></tr><tr><td class="confluenceTd"><strong>yellow-rate</strong><span> </span>(<em>integer</em>)</td><td class="confluenceTd">Maximum data rate limit for packets with yellow drop precedence.</td></tr><tr><td class="confluenceTd"><strong>yellow-burst</strong><span> </span>(<em>integer</em>; Default:<span> </span><strong>0</strong>)</td><td class="confluenceTd">Maximum data rate which can be transmitted while the burst is allowed for packets with yellow drop 
precedence.</td></tr><tr><td class="confluenceTd"><strong>red-rate</strong><span> </span>(<em>integer</em>; Default:<span> </span><strong>0</strong>)</td><td class="confluenceTd">Maximum data rate limit for packets with red drop precedence.</td></tr><tr><td class="confluenceTd"><strong>red-burst</strong><span> </span>(<em>integer</em>; Default:<span> </span><strong>0</strong>)</td><td class="confluenceTd">Maximum data rate which can be transmitted while the burst is allowed for packets with red drop precedence.</td></tr><tr><td class="confluenceTd"><strong>meter-unit</strong><span> </span>(<em>bit | packet</em>; Default:<span> </span><strong>bit</strong>)</td><td class="confluenceTd">Measuring units for ACL traffic rate.</td></tr><tr><td class="confluenceTd"><strong>meter-len</strong><span> </span>(<em>layer-1 | layer-2 | layer-3</em>; Default:<span> </span><strong>layer-1</strong>)</td><td class="confluenceTd">Packet classification which sets the packet byte length for metering.<ul class="bullets"><li>layer-1<span> </span>- includes entire layer-2 frame + FCS + inter-packet gap + preamble.</li><li>layer-2<span> </span>- includes layer-2 frame + FCS.</li><li>layer-3<span> </span>- includes only layer-3 + ethernet padding without layer-2 header and FCS.</li></ul></td></tr><tr><td class="confluenceTd"><strong>color-awareness</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">YES makes the policer take pre-colored drop precedence into account, NO ignores drop precedence.</td></tr><tr><td class="confluenceTd"><strong>bucket-coupling</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd"><br/></td></tr><tr><td class="confluenceTd"><strong>yellow-action</strong><span> </span>(<em>drop | forward | remark</em>; Default:<span> </span><strong>drop</strong>)</td><td class="confluenceTd">Performed action for exceeded traffic with yellow drop 
precedence.</td></tr><tr><td class="confluenceTd"><strong>new-dei-for-yellow</strong><span> </span>(<em>0..1 | remap</em>)</td><td class="confluenceTd">New DEI for yellow drop precedence packets.</td></tr><tr><td class="confluenceTd"><strong>new-pcp-for-yellow</strong><span> </span>(<em>0..7 | remap</em>)</td><td class="confluenceTd">New PCP for yellow drop precedence packets.</td></tr><tr><td class="confluenceTd"><strong>new-dscp-for-yellow</strong><span> </span>(<em>0..63 | remap</em>)</td><td class="confluenceTd">New DSCP for yellow drop precedence packets.</td></tr><tr><td class="confluenceTd"><strong>red-action</strong><span> </span>(<em>drop | forward | remark</em>; Default:<span> </span><strong>drop</strong>)</td><td class="confluenceTd">Performed action for exceeded traffic with red drop precedence.</td></tr><tr><td class="confluenceTd"><strong>new-dei-for-red</strong><span> </span>(<em>0..1 | remap</em>)</td><td class="confluenceTd">New DEI for red drop precedence packets.</td></tr><tr><td class="confluenceTd"><strong>new-pcp-for-red</strong><span> </span>(<em>0..7 | remap</em>)</td><td class="confluenceTd">New PCP for red drop precedence packets.</td></tr><tr><td class="confluenceTd"><strong>new-dscp-for-red</strong><span> </span>(<em>0..63 | remap</em>)</td><td class="confluenceTd">New DSCP for red drop precedence packets.</td></tr></tbody></table></div><h1 id="CRS1xx/2xxseriesswitches-Seealso"><span class="mw-headline">See also</span></h1><hr/><ul><li><a href="https://help.mikrotik.com/docs/pages/viewpage.action?pageId=103841836" rel="nofollow">CRS1xx/2xx series switches examples</a></li><li><a class="external-link" href="https://wiki.mikrotik.com/wiki/Manual:CRS_Router" rel="nofollow" style="text-decoration: none;" title="Manual:CRS Router">CRS Router</a></li><li><a class="external-link" href="https://wiki.mikrotik.com/wiki/Manual:CRS1xx/2xx_VLANs_with_Trunks" rel="nofollow" style="text-decoration: none;" title="Manual:CRS1xx/2xx VLANs with 
Trunks">CRS1xx/2xx VLANs with Trunks</a></li><li><a href="https://help.mikrotik.com/docs/display/ROS/Basic+VLAN+switching" rel="nofollow">Basic VLAN switching</a></li><li><a href="https://help.mikrotik.com/docs/display/ROS/Bridging+and+Switching#BridgingandSwitching-BridgeHardwareOffloading" rel="nofollow">Bridge Hardware Offloading</a></li><li><a href="https://help.mikrotik.com/docs/display/ROS/Spanning+Tree+Protocol" rel="nofollow">Spanning Tree Protocol</a></li><li><a href="https://help.mikrotik.com/docs/pages/viewpage.action?pageId=59277403" rel="nofollow">IGMP Snooping</a></li><li><a href="https://help.mikrotik.com/docs/display/ROS/Bridging+and+Switching#BridgingandSwitching-DHCPSnoopingandDHCPOption82" rel="nofollow">DHCP Snooping and Option 82</a></li><li><a href="https://help.mikrotik.com/docs/display/ROS/MTU+in+RouterOS" rel="nofollow">MTU on RouterBOARD</a></li><li><a href="https://help.mikrotik.com/docs/display/ROS/Layer2+misconfiguration" rel="nofollow">Layer2 misconfiguration</a></li></ul>
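<p>An added example (not part of the MikroTik documentation) for the <strong>meter-len</strong> and <strong>meter-unit</strong> properties of the ACL Policer table: it computes how many bytes are counted per frame in each mode and what wire rate a given limit really admits, which matters when sizing a policer against small-frame floods. Assumptions not stated on the page: rates are per second, "preamble" is preamble + SFD (8 bytes), the inter-packet gap is 12 bytes, 802.1Q tags count as layer-2 header, and the minimum frame is 64 bytes including FCS.</p>

```python
# Added example, not MikroTik code. Models the three meter-len modes from the
# ACL Policer table using standard Ethernet framing constants (assumptions).
from fractions import Fraction

PREAMBLE_SFD = 8        # assumption: 7-byte preamble + 1-byte SFD
INTER_PACKET_GAP = 12   # assumption: standard minimum gap
FCS = 4
ETH_HEADER = 14         # dst MAC + src MAC + EtherType
VLAN_TAG = 4            # one 802.1Q tag, counted as layer-2 header
MIN_FRAME = 64          # minimum frame size including FCS

METER_LEN_MODES = ("layer-1", "layer-2", "layer-3")


def metered_len(l3_len, meter_len, vlan_tags=0):
    """Bytes counted for one frame carrying l3_len bytes of layer-3 data."""
    if meter_len not in METER_LEN_MODES:
        raise ValueError("unknown meter-len: %r" % (meter_len,))
    if l3_len < 0 or vlan_tags < 0:
        raise ValueError("lengths must be non-negative")
    header = ETH_HEADER + VLAN_TAG * vlan_tags
    # Short payloads are padded so that header + payload + FCS reaches 64.
    padding = max(0, MIN_FRAME - FCS - header - l3_len)
    l3_padded = l3_len + padding
    if meter_len == "layer-3":
        return l3_padded                      # layer-3 + Ethernet padding
    frame = header + l3_padded + FCS
    if meter_len == "layer-2":
        return frame                          # layer-2 frame + FCS
    return frame + PREAMBLE_SFD + INTER_PACKET_GAP   # layer-1


def wire_bits_per_metered_bit(l3_len, meter_len, vlan_tags=0):
    """Line bits consumed for every bit the policer counts (exact ratio)."""
    on_wire = metered_len(l3_len, "layer-1", vlan_tags)
    counted = metered_len(l3_len, meter_len, vlan_tags)
    return Fraction(on_wire, counted)


def admitted_wire_rate(rate, l3_len, meter_unit="bit", meter_len="layer-1",
                       vlan_tags=0):
    """Wire bit rate reached by equal-size frames exactly at the limit.

    rate is in meter-unit units per second (bits or packets); that the rate
    is per second is an assumption of this example.
    """
    wire_bits = 8 * metered_len(l3_len, "layer-1", vlan_tags)
    if meter_unit == "packet":
        return Fraction(rate * wire_bits)     # frame length is irrelevant
    if meter_unit == "bit":
        return rate * wire_bits_per_metered_bit(l3_len, meter_len, vlan_tags)
    raise ValueError("unknown meter-unit: %r" % (meter_unit,))


def report(rate=1_000_000, sizes=(46, 512, 1500)):
    """Rows of (l3_len, meter_len, counted_bytes, wire_bits_per_second)."""
    rows = []
    for size in sizes:
        for mode in METER_LEN_MODES:
            rows.append((size, mode, metered_len(size, mode),
                         float(admitted_wire_rate(rate, size, "bit", mode))))
    return rows


if __name__ == "__main__":
    for size, mode, counted, wire in report():
        print("l3=%4d  %-7s counted=%4d B  wire=%10.0f bit/s"
              % (size, mode, counted, wire))
```

With minimum-size frames, a limit metered at layer-3 lets noticeably more traffic onto the wire than the same number metered at layer-1, so limits meant to protect link capacity are easier to reason about with the default layer-1.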
</div>
<div style="padding: 10px 0;">
<a href="https://help.mikrotik.com/docs/pages/viewpage.action?pageId=103841835">View Online</a>
·
<a href="https://help.mikrotik.com/docs/pages/diffpagesbyversion.action?pageId=103841835&revisedVersion=8&originalVersion=7">View Changes Online</a>
</div>
</div>Guntis G.2022-01-14T11:06:12ZBridging and SwitchingGuntis G.tag:help.mikrotik.com,2009:page-328068-1172024-03-26T15:50:33Z2019-09-30T09:58:39Z<div class="feed"> <p>
Page
<b>edited</b> by
<a href=" https://help.mikrotik.com/docs/display/~guntis
">Guntis G.</a>
</p>
<div style="border-top: 1px solid #ddd; border-bottom: 1px solid #ddd; padding: 10px;">
<div class="contentLayout2">
<div class="columnLayout two-left-sidebar" data-layout="two-left-sidebar">
<div class="cell aside" data-type="aside">
<div class="innerCell">
<div class="panel" style="border-width: 1px;"><div class="panelHeader" style="border-bottom-width: 1px;"><b>Other resources:</b></div><div class="panelContent">
<p>
<div class="plugin_pagetree">
<ul role="list" aria-busy="true" class="plugin_pagetree_children_list plugin_pagetree_children_list_noleftspace">
<div class="plugin_pagetree_children">
</div>
</ul>
<fieldset class="hidden">
<input type="hidden" name="treeId" value="">
<input type="hidden" name="treeRequestId" value="/docs/plugins/pagetree/naturalchildren.action?decorator=none&excerpt=false&sort=position&reverse=false&disableLinks=false&expandCurrent=false&placement=">
<input type="hidden" name="treePageId" value="328068">
<input type="hidden" name="noRoot" value="false">
<input type="hidden" name="rootPageId" value="328068">
<input type="hidden" name="rootPage" value="">
<input type="hidden" name="startDepth" value="0">
<input type="hidden" name="spaceKey" value="ROS" >
<input type="hidden" name="i18n-pagetree.loading" value="Loading...">
<input type="hidden" name="i18n-pagetree.error.permission" value="Unable to load page tree. It seems that you do not have permission to view the root page.">
<input type="hidden" name="i18n-pagetree.eeror.general" value="There was a problem retrieving the page tree. Please check the server log file for more information.">
<input type="hidden" name="loginUrl" value="/docs/login.action?os_destination=%2Fspaces%2Fcreaterssfeed.action%3Ftypes%3Dpage%26spaces%3DROS%26maxResults%3D15%26title%3D%255BRouterOS%255D%2BPages%2BFeed%26amp%3BpublicFeed%3Dtrue&permissionViolation=true">
<input type="hidden" name="mobile" value="false">
<input type="hidden" name="placement" value="">
<fieldset class="hidden">
<input type="hidden" name="ancestorId" value="328068">
</fieldset>
</fieldset>
</div>
</p>
</div></div></div>
</div>
<div class="cell normal" data-type="normal">
<div class="innerCell">
<p><br/></p></div>
</div>
</div>
<div class="columnLayout single" data-layout="single">
<div class="cell normal" data-type="normal">
<div class="innerCell">
<p><span class="mw-headline"><style type='text/css'>/*<![CDATA[*/
div.rbtoc1711701163675 {padding: 0px;}
div.rbtoc1711701163675 ul {margin-left: 0px;}
div.rbtoc1711701163675 li {margin-left: 0px;padding-left: 0px;}
/*]]>*/</style><div class='toc-macro rbtoc1711701163675'>
<ul class='toc-indentation'>
<li><a href='#BridgingandSwitching-Summary'>Summary</a></li>
<li><a href='#BridgingandSwitching-BridgeInterfaceSetup'>Bridge Interface Setup</a>
<ul class='toc-indentation'>
<li><a href='#BridgingandSwitching-Example'>Example</a></li>
<li><a href='#BridgingandSwitching-BridgeMonitoring'>Bridge Monitoring</a></li>
</ul>
</li>
<li><a href='#BridgingandSwitching-SpanningTreeProtocol'>Spanning Tree Protocol</a>
<ul class='toc-indentation'>
<li><a href='#BridgingandSwitching-Per-portSTP'>Per-port STP</a>
<ul class='toc-indentation'>
<li><a href='#BridgingandSwitching-Createedgeports'>Create edge ports</a></li>
<li><a href='#BridgingandSwitching-DropreceivedBPDUs'>Drop received BPDUs</a></li>
<li><a href='#BridgingandSwitching-EnableBPDUguard'>Enable BPDU guard</a></li>
<li><a href='#BridgingandSwitching-EnableRootguard'>Enable Root guard</a></li>
</ul>
</li>
</ul>
</li>
<li><a href='#BridgingandSwitching-BridgeSettings'>Bridge Settings</a></li>
<li><a href='#BridgingandSwitching-PortSettings'>Port Settings</a>
<ul class='toc-indentation'>
<li><a href='#BridgingandSwitching-Example.1'>Example</a></li>
<li><a href='#BridgingandSwitching-Interfacelists'>Interface lists</a></li>
<li><a href='#BridgingandSwitching-BridgePortMonitoring'>Bridge Port Monitoring</a></li>
</ul>
</li>
<li><a href='#BridgingandSwitching-HostsTable'>Hosts Table</a>
<ul class='toc-indentation'>
<li><a href='#BridgingandSwitching-Monitoring'>Monitoring</a></li>
<li><a href='#BridgingandSwitching-Staticentries'>Static entries</a></li>
</ul>
</li>
<li><a href='#BridgingandSwitching-MulticastTable'>Multicast Table</a>
<ul class='toc-indentation'>
<li><a href='#BridgingandSwitching-Staticentries.1'>Static entries</a></li>
</ul>
</li>
<li><a href='#BridgingandSwitching-BridgeHardwareOffloading'>Bridge Hardware Offloading</a>
<ul class='toc-indentation'>
<li><a href='#BridgingandSwitching-Example.2'>Example</a></li>
</ul>
</li>
<li><a href='#BridgingandSwitching-BridgeVLANFiltering'>Bridge VLAN Filtering</a>
<ul class='toc-indentation'>
<li><a href='#BridgingandSwitching-BridgeVLANtable'>Bridge VLAN table</a></li>
<li><a href='#BridgingandSwitching-Bridgeportsettings'>Bridge port settings</a></li>
<li><a href='#BridgingandSwitching-Bridgehosttable'>Bridge host table</a></li>
<li><a href='#BridgingandSwitching-VLANExample-TrunkandAccessPorts'>VLAN Example - Trunk and Access Ports</a></li>
<li><a href='#BridgingandSwitching-VLANExample-TrunkandHybridPorts'>VLAN Example - Trunk and Hybrid Ports</a></li>
<li><a href='#BridgingandSwitching-VLANExample-InterVLANRoutingbyBridge'>VLAN Example - InterVLAN Routing by Bridge</a></li>
<li><a href='#BridgingandSwitching-Managementaccessconfiguration'>Management access configuration</a>
<ul class='toc-indentation'>
<li><a href='#BridgingandSwitching-UntaggedaccesswithoutVLANfiltering'>Untagged access without VLAN filtering</a></li>
<li><a href='#BridgingandSwitching-TaggedaccesswithoutVLANfiltering'>Tagged access without VLAN filtering</a></li>
<li><a href='#BridgingandSwitching-TaggedaccesswithVLANfiltering'>Tagged access with VLAN filtering</a></li>
<li><a href='#BridgingandSwitching-UntaggedaccesswithVLANfiltering'>Untagged access with VLAN filtering</a></li>
<li><a href='#BridgingandSwitching-ChanginguntaggedVLANforthebridgeinterface'>Changing untagged VLAN for the bridge interface</a></li>
</ul>
</li>
<li><a href='#BridgingandSwitching-VLANTunneling(QinQ)'>VLAN Tunneling (QinQ)</a></li>
<li><a href='#BridgingandSwitching-Tagstacking'>Tag stacking</a></li>
<li><a href='#BridgingandSwitching-MVRP'>MVRP</a>
<ul class='toc-indentation'>
<li><a href='#BridgingandSwitching-PropertyReference'>Property Reference</a></li>
</ul>
</li>
</ul>
</li>
<li><a href='#BridgingandSwitching-FastForward'>Fast Forward</a></li>
<li><a href='#BridgingandSwitching-IGMP/MLDSnooping'>IGMP/MLD Snooping</a></li>
<li><a href='#BridgingandSwitching-DHCPSnoopingandDHCPOption82'>DHCP Snooping and DHCP Option 82</a></li>
<li><a href='#BridgingandSwitching-ControllerBridgeandPortExtender'>Controller Bridge and Port Extender</a></li>
<li><a href='#BridgingandSwitching-BridgeFirewall'>Bridge Firewall</a>
<ul class='toc-indentation'>
<li><a href='#BridgingandSwitching-BridgePacketFilter'>Bridge Packet Filter</a></li>
<li><a href='#BridgingandSwitching-BridgeNAT'>Bridge NAT</a></li>
</ul>
</li>
<li><a href='#BridgingandSwitching-Seealso'>See also</a></li>
</ul>
</div></span></p><h1 id="BridgingandSwitching-Summary"><span class="mw-headline">Summary</span></h1><hr/><p><span class="confluence-embedded-file-wrapper image-center-wrapper"><img class="confluence-embedded-image image-center" draggable="false" src="https://help.mikrotik.com/docs/download/attachments/328068/bridge_diagram.png?version=1&modificationDate=1639739272010&api=v2" data-image-src="https://help.mikrotik.com/docs/download/attachments/328068/bridge_diagram.png?version=1&modificationDate=1639739272010&api=v2" data-unresolved-comment-count="0" data-linked-resource-id="100007969" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="bridge_diagram.png" data-base-url="https://help.mikrotik.com/docs" data-linked-resource-content-type="image/png" data-linked-resource-container-id="328068" data-linked-resource-container-version="117" alt=""></span></p><p>Ethernet-like networks (Ethernet, Ethernet over IP, IEEE 802.11 in ap-bridge or bridge mode, WDS, VLAN) can be connected together using MAC bridges. The bridge feature allows the interconnection of hosts connected to separate LANs (using EoIP, geographically distributed networks can be bridged as well if any kind of IP network interconnection exists between them) as if they were attached to a single LAN. As bridges are transparent, they do not appear in the traceroute list, and no utility can make a distinction between a host working in one LAN and a host working in another LAN if these LANs are bridged. However, depending on the way the LANs are interconnected, latency and data rate between hosts may vary.</p><p>Network loops may emerge (intentionally or not) in complex topologies. Without any special treatment, loops would prevent the network from functioning normally, as they would lead to avalanche-like packet multiplication. Each bridge runs an algorithm that calculates how the loop can be prevented. 
(R/M)STP allows bridges to communicate with each other, so they can negotiate a loop-free topology. All other alternative connections that would otherwise form loops are put on standby, so that should the main connection fail, another connection could take its place. This algorithm exchanges configuration messages (BPDU - Bridge Protocol Data Unit) periodically, so that all bridges are updated with the newest information about changes in a network topology. (R/M)STP selects a root bridge which is responsible for network reconfiguration, such as blocking and opening ports on other bridges. The root bridge is the bridge with the lowest bridge ID.</p><h1 id="BridgingandSwitching-BridgeInterfaceSetup"><span class="mw-headline">Bridge Interface Setup</span></h1><hr/><p><span style="letter-spacing: 0.0px;">To combine a number of networks into one bridge, a bridge interface should be created. Later, all the desired interfaces should be set up as its ports. One MAC address from slave (secondary) ports will be assigned to the bridge interface. The MAC address will be chosen automatically, depending on the "<span style="color: rgb(51,153,102);">port-number</span>", and it can change after a reboot. 
To avoid unwanted MAC address changes, it is recommended to disable "<code><span style="color: rgb(51,153,102);">auto-mac</span></code>" and manually specify the MAC address by using "<code><span style="color: rgb(51,153,102);">admin-mac</span></code>".</span></p><p><strong style="letter-spacing: 0.0px;">Sub-menu:</strong><span style="letter-spacing: 0.0px;"> </span><code style="letter-spacing: 0.0px;">/interface bridge</code></p><div class="table-wrap"><table class="relative-table wrapped confluenceTable" style="width: 100.0%;"><colgroup><col style="width: 24.0227%;"/><col style="width: 75.9773%;"/></colgroup><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>add-dhcp-option82</strong><span> </span>(<em>yes </em>|<em> no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">Whether to add DHCP Option-82 information (Agent Remote ID and Agent Circuit ID) to DHCP packets. Can be used together with an Option-82 capable DHCP server to assign IP addresses and implement policies. This property only has an effect when<span> </span><span style="color: rgb(51,153,102);"><code>dhcp-snooping</code></span><span> </span>is set to<span> </span><span style="color: rgb(51,153,102);"><code>yes</code></span>.</td></tr><tr><td class="confluenceTd"><strong>admin-mac</strong><span> </span>(<em>MAC address</em>; Default:<span> </span><strong>none</strong>)</td><td class="confluenceTd">Static MAC address of the bridge. 
This property only has an effect when<span> </span><span style="color: rgb(51,153,102);"><code>auto-mac</code></span><span> </span>is set to<span> </span><span style="color: rgb(51,153,102);"><code>no</code></span>.</td></tr><tr><td class="confluenceTd"><strong>ageing-time</strong><span> </span>(<em>time</em>; Default:<span> </span><strong>00:05:00</strong>)</td><td class="confluenceTd">How long a host's information will be kept in the bridge database.</td></tr><tr><td class="confluenceTd"><strong>arp</strong><span> </span>(<em>disabled </em>|<em> enabled </em>|<em> local-proxy-arp | proxy-arp | reply-only</em>; Default:<span> </span><strong>enabled</strong>)</td><td class="confluenceTd">Address Resolution Protocol setting<ul><li><span style="color: rgb(51,153,102);"><code>disabled</code> </span>- the interface will not use ARP</li><li><span style="color: rgb(51,153,102);"><code>enabled</code> </span>- the interface will use ARP</li><li><span style="color: rgb(51,153,102);"><code>local-proxy-arp</code></span> - <span style="color: rgb(34,34,34);"><span> </span>the router performs proxy ARP on the interface and sends replies to the same interface</span></li><li><span style="color: rgb(51,153,102);"><code>proxy-arp</code></span><span> </span>- <span style="color: rgb(34,34,34);">the router performs proxy ARP on the interface and sends replies to other interfaces</span></li><li><span style="color: rgb(51,153,102);"><code>reply-only</code></span><span> </span>- t<span style="color: rgb(13,13,13);">he interface will only respond to requests originating from matching IP address/MAC address combinations that are entered as static entries in the IP/ARP table. No dynamic entries will be automatically stored in the IP/ARP table. 
Therefore, for communications to be successful, a valid static entry must already exist.</span></li></ul></td></tr><tr><td class="confluenceTd"><strong>arp-timeout</strong><span> </span>(<em>auto | integer</em>; Default:<span> </span><strong>auto</strong>)</td><td class="confluenceTd">How long the ARP record is kept in the ARP table after no packets are received from the IP address. The value<span> </span><span style="color: rgb(51,153,102);"><code>auto</code> </span>equals the value of<span> </span><span style="color: rgb(51,153,102);"><code>arp-timeout</code></span><span> </span>in<span> </span><code><span style="color: rgb(51,153,102);">ip/settings</span></code>; the default is <span style="color: rgb(51,153,102);">30s</span>.</td></tr><tr><td class="confluenceTd"><strong>auto-mac</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>yes</strong>)</td><td class="confluenceTd">Automatically select one MAC address of the bridge ports as the bridge MAC address. The bridge MAC will be chosen from the first added bridge port. After a device reboots, the bridge MAC can change depending on the port-number.</td></tr><tr><td class="confluenceTd"><strong>comment</strong><span> </span>(<em>string</em>; Default: )</td><td class="confluenceTd">Short description of the interface.</td></tr><tr><td class="confluenceTd"><strong>dhcp-snooping</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">Enables or disables DHCP Snooping on the bridge.</td></tr><tr><td class="confluenceTd"><strong>disabled</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">Changes whether the bridge is disabled.</td></tr><tr><td class="confluenceTd"><strong>ether-type</strong><span> </span>(<em>0x9100 | 0x8100 | 0x88a8</em>; Default:<span> </span><strong>0x8100</strong>)</td><td class="confluenceTd">Changes the EtherType, which will be used to determine if a packet has a VLAN tag. 
Packets that have a matching EtherType are considered as tagged packets. This property only has an effect when<span> </span><span style="color: rgb(51,153,102);"><code>vlan-filtering</code></span><span> </span>is set to<span> </span><span style="color: rgb(51,153,102);"><code>yes</code></span>.</td></tr><tr><td class="confluenceTd"><strong>fast-forward</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>yes</strong>)</td><td class="confluenceTd">Special and faster case of<span> </span>Fast Path<span> </span>which works only on bridges with 2 interfaces (enabled by default only for new bridges). More details can be found in the<span> </span>Fast Forward<span> </span>section.</td></tr><tr><td class="confluenceTd"><strong>forward-delay</strong><span> </span>(<em>time</em>; Default:<span> </span><strong>00:00:15</strong>)</td><td class="confluenceTd">The time which is spent during the initialization phase of the bridge interface (i.e., after router startup or enabling the interface) in the listening/learning state before the bridge will start functioning normally.</td></tr><tr><td class="confluenceTd"><strong>frame-types</strong><span> </span>(<em>admit-all | admit-only-untagged-and-priority-tagged | admit-only-vlan-tagged</em>; Default:<span> </span><strong>admit-all</strong>)</td><td class="confluenceTd">Specifies allowed frame types on a bridge port. 
This property only has an effect when<span> </span><span style="color: rgb(51,153,102);"><code>vlan-filtering</code></span><span> </span>is set to<span> </span><span style="color: rgb(51,153,102);"><code>yes</code></span>.</td></tr><tr><td class="confluenceTd"><strong>igmp-snooping</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">Enables multicast group and port learning to prevent multicast traffic from flooding all interfaces in a bridge.</td></tr><tr><td class="confluenceTd"><strong>igmp-version</strong><span> </span>(<em>2 | 3</em>; Default:<span> </span><strong>2</strong>)</td><td class="confluenceTd"><span style="color: rgb(23,43,77);">Selects the IGMP version in which IGMP membership queries will be generated when the bridge interface is acting as an IGMP querier. This property only has an effect when</span><span style="color: rgb(23,43,77);"><span> </span><span style="color: rgb(51,153,102);"><code>igmp-snooping</code></span> and <span style="color: rgb(51,153,102);"><code>multicast-querier</code></span> is set to <span style="color: rgb(51,153,102);"><code>yes</code></span>.</span></td></tr><tr><td class="confluenceTd"><strong>ingress-filtering</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>yes</strong>)</td><td class="confluenceTd">Enables or disables VLAN ingress filtering, which checks if the ingress port is a member of the received VLAN ID in the bridge VLAN table. By default, VLANs that don't exist in the bridge VLAN table are dropped before they are sent out (egress), but this property allows you to drop the packets when they are received (ingress). Should be used with<code> <span style="color: rgb(51,153,102);">frame-types</span></code><span> </span>to specify if the ingress traffic should be tagged or untagged. 
This property only has an effect when<span> </span><span style="color: rgb(51,153,102);"><code>vlan-filtering</code></span><span> </span>is set to<span> </span><span style="color: rgb(51,153,102);"><code>yes</code></span>. The setting is enabled by default since RouterOS v7.</td></tr><tr><td class="confluenceTd"><strong>l2mtu</strong><span> </span>(<em>read-only</em>; Default: )</td><td class="confluenceTd">L2MTU indicates the maximum size of the frame without a MAC header that can be sent by this interface. The L2MTU value will be automatically set by the bridge and it will use the lowest L2MTU value of any associated bridge port. This value cannot be manually changed.</td></tr><tr><td class="confluenceTd"><strong>last-member-interval</strong><span> </span>(<em>time</em>; Default:<span> </span><strong>1s</strong>)</td><td class="confluenceTd"><p style="text-align: left;"><span style="color: rgb(23,43,77);">When the last client on the bridge port unsubscribes to a multicast group and the bridge is acting as an active querier, the bridge will send group-specific IGMP/MLD query, to make sure that no other client is still subscribed. The setting changes the response time for these queries. 
In case no membership reports are received in a certain time period (<code><span style="color: rgb(51,153,102);">last-member-interval</span></code><span> </span>*<span> </span><code><span style="color: rgb(51,153,102);">last-member-query-count</span></code>), the multicast group is removed from the multicast database (MDB).</span></p><p style="text-align: left;">If the bridge port is configured with<span> </span><span style="color: rgb(51,153,102);">fast-leave</span>, the multicast group is removed right away without sending any queries.</p><p style="text-align: left;"><span style="color: rgb(23,43,77);">This property only has an effect when</span> <span style="color: rgb(51,153,102);"><code>igmp-snooping</code></span><span> </span>and<span> </span><span style="color: rgb(51,153,102);"><code>multicast-querier</code></span><span> </span>is set to<span> </span><span style="color: rgb(51,153,102);"><code>yes</code></span>.</p></td></tr><tr><td class="confluenceTd"><strong>last-member-query-count</strong><span> </span>(<em>integer: 0..4294967295</em>; Default:<span> </span><strong>2</strong>)</td><td class="confluenceTd"><span style="color: rgb(23,43,77);">How many times should</span><span style="color: rgb(23,43,77);"> </span><span style="color: rgb(51,153,102);"><code>last-member-interval</code></span><span style="color: rgb(23,43,77);"> </span><span style="color: rgb(23,43,77);">pass until the IGMP/MLD snooping bridge stops forwarding a certain multicast stream. 
This property only has an effect when </span><span style="color: rgb(51,153,102);"><code>igmp-snooping</code></span><span style="color: rgb(23,43,77);"> </span><span style="color: rgb(23,43,77);">and</span><span style="color: rgb(23,43,77);"> </span><span style="color: rgb(51,153,102);"><code>multicast-querier</code></span><span style="color: rgb(23,43,77);"> </span><span style="color: rgb(23,43,77);">is set to</span><span style="color: rgb(23,43,77);"> </span><span style="color: rgb(51,153,102);"><code>yes</code></span><span style="color: rgb(23,43,77);">.</span></td></tr><tr><td class="confluenceTd"><strong>max-hops</strong><span> </span>(<em>integer: 6..40</em>; Default:<span> </span><strong>20</strong>)</td><td class="confluenceTd">Bridge count which BPDU can pass in an MSTP enabled network in the same region before BPDU is being ignored. This property only has an effect when<span> </span><span style="color: rgb(51,153,102);"><code>protocol-mode</code></span><span> </span>is set to<span> </span><span style="color: rgb(51,153,102);"><code>mstp</code></span>.</td></tr><tr><td class="confluenceTd"><strong>max-message-age</strong><span> </span>(<em>time: 6s..40s</em>; Default:<span> </span><strong>00:00:20</strong>)</td><td class="confluenceTd"><span style="color: rgb(34,34,34);">Changes the Max Age value in BPDU packets, which is transmitted by the root bridge. A root bridge sends a BPDUs with Max Age set to<span> </span></span><span style="color: rgb(51,153,102);"><code>max-message-age </code></span><span style="color: rgb(34,34,34);">value and a Message Age of 0. Every sequential bridge will increment the Message Age before sending their BPDUs. 
Once a bridge receives a BPDU where Message Age is equal to or greater than Max Age, the BPDU is ignored.</span> This property only has an effect when<span> </span><span style="color: rgb(51,153,102);"><code>protocol-mode</code></span><span> </span>is set to<span> </span><span style="color: rgb(51,153,102);"><code>stp</code> </span>or<span> </span><span style="color: rgb(51,153,102);"><code>rstp</code></span>.</td></tr><tr><td class="confluenceTd"><strong>membership-interval</strong><span> </span>(<em>time</em>; Default:<span> </span><strong>4m20s</strong>)</td><td class="confluenceTd"><span style="color: rgb(23,43,77);">The amount of time after which an entry in the Multicast Database (MDB) is removed if no IGMP/MLD membership reports are received on a bridge port. This property only has an effect when</span><span style="color: rgb(23,43,77);"> </span><span style="color: rgb(51,153,102);"><code>igmp-snooping</code></span><span style="color: rgb(23,43,77);"> </span><span style="color: rgb(23,43,77);">is set to</span><span style="color: rgb(23,43,77);"> </span><span style="color: rgb(51,153,102);"><code>yes</code></span><span style="color: rgb(23,43,77);">.</span></td></tr><tr><td class="confluenceTd"><strong>mld-version</strong><span> </span>(<em>1 | 2</em>; Default:<span> </span><strong>1</strong>)</td><td class="confluenceTd"><span style="color: rgb(23,43,77);">Selects the MLD version in which MLD membership queries will be generated when the bridge interface is acting as an MLD querier. 
This property only has an effect when the bridge has an active IPv6 address,<span> </span></span><span style="color: rgb(51,153,102);"><code>igmp-snooping</code></span><span style="color: rgb(23,43,77);"> </span><span style="color: rgb(23,43,77);">and</span><span style="color: rgb(23,43,77);"> </span><span style="color: rgb(51,153,102);"><code>multicast-querier</code></span><span style="color: rgb(23,43,77);"> </span><span style="color: rgb(23,43,77);">is set to</span><span style="color: rgb(23,43,77);"> </span><span style="color: rgb(51,153,102);"><code>yes</code></span><span style="color: rgb(23,43,77);">.</span></td></tr><tr><td class="confluenceTd"><strong>mtu</strong><span> </span>(<em>integer</em>; Default:<span> </span><strong>auto</strong>)</td><td class="confluenceTd"><p>Maximum transmission unit, by default, the bridge will set MTU automatically and it will use the lowest MTU value of any associated bridge port. The default bridge MTU value without any bridge ports added is 1500. The MTU value can be set manually, but it cannot exceed the bridge L2MTU or the lowest bridge port L2MTU. 
If a new bridge port is added with an L2MTU that is smaller than the <code><span style="color: rgb(51,153,102);">actual-mtu</span></code> of the bridge (set by the<span> </span><span style="color: rgb(51,153,102);"><code>mtu</code></span> property), then the manually set value will be ignored and the bridge will act as if<span> </span><span style="color: rgb(51,153,102);"><code>mtu=auto</code></span><span> </span>is set.</p><p>When adding VLAN interfaces on the bridge, and when a VLAN uses a higher MTU than the default 1500, it is recommended to set the MTU of the bridge manually.</p></td></tr><tr><td class="confluenceTd"><strong>multicast-querier</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd"><p style="text-align: left;">A multicast querier generates periodic IGMP/MLD general membership queries to which all IGMP/MLD capable devices respond with an IGMP/MLD membership report. Usually a PIM (multicast) router or IGMP proxy generates these queries.</p><p style="text-align: left;">By using this property you can make an IGMP/MLD snooping enabled bridge generate IGMP/MLD general membership queries. This property should be used whenever there is no active querier (PIM router or IGMP proxy) in a Layer2 network. Without a multicast querier in a Layer2 network, the Multicast Database (MDB) is not updated, the learned entries time out, and IGMP/MLD snooping will not function properly.</p><p style="text-align: left;">Only untagged IGMP/MLD general membership queries are generated. IGMP queries are sent with the IPv4 source address 0.0.0.0, and MLD queries are sent with the IPv6 link-local address of the bridge interface. 
The bridge will not send queries if an external IGMP/MLD querier is detected (see the monitoring values<span> </span><code>igmp-querier</code><span> </span>and<span> </span><code>mld-querier</code>).</p><p style="text-align: left;">This property only has an effect when<span> </span><span style="color: rgb(51,153,102);"><code>igmp-snooping</code></span><span> </span>is set to<span> </span><span style="color: rgb(51,153,102);"><code>yes</code></span>.</p></td></tr><tr><td class="confluenceTd"><strong>multicast-router</strong><span> </span>(<em>disabled | permanent | temporary-query</em>; Default:<span> </span><strong>temporary-query</strong>)</td><td class="confluenceTd"><span style="color: rgb(23,43,77);">A multicast router port is a port where a multicast router or querier is connected. On this port, unregistered multicast streams and IGMP/MLD membership reports will be sent. This setting changes the state of the multicast router for a bridge interface itself. This property can be used to send IGMP/MLD membership reports to the bridge interface for further multicast routing or proxying. This property only has an effect when</span><span style="color: rgb(23,43,77);"> </span><span style="color: rgb(51,153,102);"><code>igmp-snooping</code></span><span style="color: rgb(23,43,77);"> </span><span style="color: rgb(23,43,77);">is set to</span><span style="color: rgb(23,43,77);"> </span><span style="color: rgb(51,153,102);"><code>yes</code></span><span style="color: rgb(23,43,77);">.</span><ul style="text-align: left;"><li><span style="color: rgb(51,153,102);"><code>disabled</code> </span>- disabled multicast router state on the bridge interface. Unregistered multicast and IGMP/MLD membership reports are not sent to the bridge interface regardless of what is configured on the bridge interface.</li><li><span style="color: rgb(51,153,102);"><code>permanent</code> </span>- enabled multicast router state on the bridge interface. 
Unregistered multicast and IGMP/MLD membership reports are sent to the bridge interface itself regardless of what is configured on the bridge interface.</li><li><span style="color: rgb(51,153,102);"><code>temporary-query</code></span><span> </span>- automatically detect multicast router state on the bridge interface using IGMP/MLD queries.</li></ul></td></tr><tr><td class="confluenceTd"><strong>name</strong><span> </span>(<em>text</em>; Default:<span> </span><strong>bridgeN</strong>)</td><td class="confluenceTd">Name of the bridge interface.</td></tr><tr><td class="confluenceTd"><strong>port-cost-mode</strong><span> </span>(<em>long | short</em>; Default:<span> </span><strong>long</strong>)</td><td class="confluenceTd"><p><span style="letter-spacing: 0.0px;">Changes the port path-cost and internal-path-cost mode for bridged ports, utilizing automatic values based on interface speed. This setting does not impact bridged ports with manually configured </span><span style="color: rgb(51,153,102);"><code>path-cost</code></span><span style="letter-spacing: 0.0px;"> or </span><code style="letter-spacing: 0.0px;"><span style="color: rgb(51,153,102);">internal-path-cost</span></code><span style="letter-spacing: 0.0px;"> properties. 
Below are examples illustrating the path-costs corresponding to specific data rates (with proportionate calculations for intermediate rates):</span></p><div class="table-wrap"><table class="wrapped confluenceTable" data-mce-resize="false"><colgroup><col/><col/><col/></colgroup><tbody><tr><th scope="col" class="confluenceTh">Data rate</th><th scope="col" class="confluenceTh">Long</th><th scope="col" class="confluenceTh">Short</th></tr><tr><td class="confluenceTd">10 Mbps</td><td class="confluenceTd">2,000,000</td><td class="confluenceTd">100</td></tr><tr><td class="confluenceTd">100 Mbps</td><td class="confluenceTd">200,000</td><td class="confluenceTd">19</td></tr><tr><td class="confluenceTd">1 Gbps</td><td class="confluenceTd">20,000</td><td class="confluenceTd">4</td></tr><tr><td class="confluenceTd">10 Gbps</td><td class="confluenceTd">2,000</td><td class="confluenceTd">2</td></tr><tr><td class="confluenceTd">25 Gbps</td><td class="confluenceTd">800</td><td class="confluenceTd">1</td></tr><tr><td class="confluenceTd">40 Gbps</td><td class="confluenceTd">500</td><td class="confluenceTd">1</td></tr><tr><td class="confluenceTd">50 Gbps</td><td class="confluenceTd">400</td><td class="confluenceTd">1</td></tr><tr><td class="confluenceTd">100 Gbps</td><td class="confluenceTd">200</td><td class="confluenceTd">1</td></tr></tbody></table></div><p>For bonded interfaces, the highest path-cost among all bonded member ports is applied, this value remains unaffected by the total link speed of the bonding.</p><p>For virtual interfaces (<span style="color: rgb(15,15,15);">such as</span> VLAN, EoIP, VXLAN), as well as wifi, wireless, and 60GHz interfaces, a path-cost of 20,000 is assigned for long mode, and 10 for short mode.</p><p>For dynamically bridged interfaces (e.g. wifi, wireless, PPP, VPLS), the path-cost defaults to 20,000 for long mode and 10 for short mode. 
However, this can be manually overridden by the service that dynamically adds interfaces to bridge, for instance, by using the CAPsMAN <code><span style="color: rgb(51,153,102);">datapath.bridge-cost</span></code> setting.</p><p>Use <a href="https://help.mikrotik.com/docs/display/ROS/Bridging+and+Switching#BridgingandSwitching-BridgePortMonitoring" rel="nofollow">port monitor</a> to observe the applied path-cost.</p><p><span style="color: rgb(23,43,77);">This property has an effect when <span style="color: rgb(51,153,102);"><code>protocol-mode</code></span> is set to <span style="color: rgb(51,153,102);"><code>stp</code></span>, <span style="color: rgb(51,153,102);"><code>rstp</code></span>, or <code><span style="color: rgb(51,153,102);">mstp</span></code>.</span></p></td></tr><tr><td class="confluenceTd"><strong>priority</strong><span> </span>(<em>integer: 0..65535 decimal format or 0x0000-0xffff hex format</em>; Default:<span> </span><strong>32768 / 0x8000</strong>)</td><td class="confluenceTd">Bridge priority, used by R/STP to determine root bridge, used by MSTP to determine CIST and IST regional root bridge. This property has no effect when<span> </span><span style="color: rgb(51,153,102);"><code>protocol-mode</code></span><span> </span>is set to<span> </span><span style="color: rgb(51,153,102);"><code>none</code></span>.</td></tr><tr><td class="confluenceTd"><strong>protocol-mode</strong><span> </span>(<em>none | rstp | stp | mstp</em>; Default:<span> </span><strong>rstp</strong>)</td><td class="confluenceTd">Select Spanning tree protocol (STP) or Rapid spanning tree protocol (RSTP) to ensure a loop-free topology for any bridged LAN. RSTP provides a faster spanning tree convergence after a topology change. Select MSTP to ensure loop-free topology across multiple VLANs. 
Since RouterOS v6.43 it is possible to forward Reserved MAC addresses that are in<span> the </span><strong>01:80:C2:00:00:0X</strong><span> </span>range, this can be done by setting the<span> </span><span style="color: rgb(51,153,102);"><code>protocol-mode</code></span><span> </span>to<span> </span><span style="color: rgb(51,153,102);"><code>none</code></span>.</td></tr><tr><td class="confluenceTd"><strong>pvid</strong><span> </span>(<em>integer: 1..4094</em>; Default:<span> </span><strong>1</strong>)</td><td class="confluenceTd">Port VLAN ID (pvid) specifies which VLAN the untagged ingress traffic is assigned to. It applies e.g. to frames sent from bridge IP and destined to a bridge port. This property only has an effect when<span> </span><span style="color: rgb(51,153,102);"><code>vlan-filtering</code></span><span> </span>is set to<span> </span><span style="color: rgb(51,153,102);"><code>yes</code></span>.</td></tr><tr><td class="confluenceTd"><strong>querier-interval</strong><span> </span>(<em>time</em>; Default:<span> </span><strong>4m15s</strong>)</td><td class="confluenceTd">Changes the timeout period for detected querier and multicast-router ports. This property only has an effect when<span> </span><span style="color: rgb(51,153,102);"><code>igmp-snooping</code></span><span> </span>is set to<span> </span><span style="color: rgb(51,153,102);"><code>yes</code></span>.</td></tr><tr><td class="confluenceTd"><strong>query-interval</strong><span> </span>(<em>time</em>; Default:<span> </span><strong>2m5s</strong>)</td><td class="confluenceTd"><span style="color: rgb(23,43,77);">Changes the interval on how often IGMP/MLD general membership queries are sent out when the bridge interface is acting as an IGMP/MLD querier. The interval takes place when the last startup query is sent. 
This property only has an effect when</span><span style="color: rgb(23,43,77);"> </span><span style="color: rgb(51,153,102);"><code>igmp-snooping</code></span><span style="color: rgb(23,43,77);"> </span><span style="color: rgb(23,43,77);">and</span><span style="color: rgb(23,43,77);"> </span><span style="color: rgb(51,153,102);"><code>multicast-querier</code></span><span style="color: rgb(23,43,77);"> </span><span style="color: rgb(23,43,77);">is set to</span><span style="color: rgb(23,43,77);"> </span><span style="color: rgb(51,153,102);"><code>yes</code></span><span style="color: rgb(23,43,77);">.</span></td></tr><tr><td class="confluenceTd"><strong>query-response-interval</strong><span> </span>(<em>time</em>; Default:<span> </span><strong>10s</strong>)</td><td class="confluenceTd"><span style="color: rgb(23,43,77);">The setting changes the response time for general IGMP/MLD queries when the bridge is active as an IGMP/MLD querier.<span> </span></span><span style="color: rgb(23,43,77);">This property only has an effect when</span><span style="color: rgb(23,43,77);"> </span><span style="color: rgb(51,153,102);"><code>igmp-snooping</code></span><span style="color: rgb(23,43,77);"> </span><span style="color: rgb(23,43,77);">and</span><span style="color: rgb(23,43,77);"> </span><span style="color: rgb(51,153,102);"><code>multicast-querier</code></span><span style="color: rgb(23,43,77);"> </span><span style="color: rgb(23,43,77);">is set to</span><span style="color: rgb(23,43,77);"> </span><span style="color: rgb(51,153,102);"><code>yes</code></span><span style="color: rgb(23,43,77);">.</span></td></tr><tr><td class="confluenceTd"><strong>region-name</strong><span> </span>(<em>text</em>; Default: )</td><td class="confluenceTd">MSTP region name. 
This property only has an effect when<span> </span><span style="color: rgb(51,153,102);"><code>protocol-mode</code></span><span> </span>is set to<span> </span><span style="color: rgb(51,153,102);"><code>mstp</code></span>.</td></tr><tr><td class="confluenceTd"><strong>region-revision</strong><span> </span>(<em>integer: 0..65535</em>; Default:<span> </span><strong>0</strong>)</td><td class="confluenceTd">MSTP configuration revision number. This property only has an effect when<span> </span><span style="color: rgb(51,153,102);"><code>protocol-mode</code></span><span> </span>is set to<span> </span><span style="color: rgb(51,153,102);"><code>mstp</code></span>.</td></tr><tr><td class="confluenceTd"><strong>startup-query-count</strong><span> </span>(<em>integer: 0..4294967295</em>; Default:<span> </span><strong>2</strong>)</td><td class="confluenceTd">Specifies how many times general IGMP/MLD queries must be sent when the bridge interface is enabled or the active querier times out. This property only has an effect when<span> </span><span style="color: rgb(51,153,102);"><code>igmp-snooping</code></span><span> </span>and<span> </span><span style="color: rgb(51,153,102);"><code>multicast-querier</code></span><span> </span>are set to<span> </span><span style="color: rgb(51,153,102);"><code>yes</code></span>.</td></tr><tr><td class="confluenceTd"><strong>startup-query-interval</strong><span> </span>(<em>time</em>; Default:<span> </span><strong>31s250ms</strong>)</td><td class="confluenceTd">Specifies the interval between startup general IGMP/MLD queries. 
This property only has an effect when<span> </span><span style="color: rgb(51,153,102);"><code>igmp-snooping</code></span><span> </span>and<span> </span><span style="color: rgb(51,153,102);"><code>multicast-querier</code></span><span> </span>is set to<span> </span><span style="color: rgb(51,153,102);"><code>yes</code></span>.</td></tr><tr><td class="confluenceTd"><strong>transmit-hold-count</strong><span> </span>(<em>integer: 1..10</em>; Default:<span> </span><strong>6</strong>)</td><td class="confluenceTd">The Transmit Hold Count used by the Port Transmit state machine to limit the transmission rate.</td></tr><tr><td class="confluenceTd"><strong>vlan-filtering</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">Globally enables or disables VLAN functionality for the bridge.</td></tr></tbody></table></div><div class="confluence-information-macro confluence-information-macro-warning"><span class="aui-icon aui-icon-small aui-iconfont-error confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>Changing certain properties can cause the bridge to temporarily disable all ports. This must be taken into account whenever changing such properties on production environments since it can cause all packets to be temporarily dropped. Such properties include <span style="color: rgb(51,153,102);"><code>vlan-filtering</code></span>, <span style="color: rgb(51,153,102);"><code>protocol-mode</code></span>, <span style="color: rgb(51,153,102);"><code>igmp-snooping</code></span>, <span style="color: rgb(51,153,102);"><code>fast-forward</code></span> and others.</p></div></div><h2 id="BridgingandSwitching-Example"><span class="mw-headline">Example </span></h2><p>To add and enable a bridge interface that will forward L2 packets:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@MikroTik] > interface bridge add
[admin@MikroTik] > interface bridge print
Flags: X - disabled, R - running
0 R name="bridge1" mtu=auto actual-mtu=1500 l2mtu=65535 arp=enabled arp-timeout=auto mac-address=5E:D2:42:95:56:7F protocol-mode=rstp fast-forward=yes
igmp-snooping=no auto-mac=yes ageing-time=5m priority=0x8000 max-message-age=20s forward-delay=15s transmit-hold-count=6 vlan-filtering=no
dhcp-snooping=no </pre>
</div></div><h2 id="BridgingandSwitching-BridgeMonitoring"><span class="mw-headline">Bridge Monitoring</span></h2><p><span class="mw-headline">To monitor the current status of a bridge interface, use the </span><span style="color: rgb(128,0,128);"><code>monitor</code></span> <span class="mw-headline">command.</span></p><p><strong>Sub-menu:</strong><span> </span><code>/interface bridge monitor</code></p><div class="table-wrap"><table class="wrapped confluenceTable"><colgroup><col/><col/></colgroup><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>current-mac-address</strong><span> </span>(<em>MAC address</em>)</td><td class="confluenceTd">Current MAC address of the bridge</td></tr><tr><td class="confluenceTd"><strong>designated-port-count</strong><span> </span>(<em>integer</em>)</td><td class="confluenceTd">Number of designated bridge ports</td></tr><tr><td colspan="1" class="confluenceTd"><strong>igmp-querier</strong> (<em>none </em>| <em>interface & IPv4 address</em>)</td><td colspan="1" class="confluenceTd">Shows a bridge port and source IP address from the detected IGMP querier. Only shows detected external IGMP querier, local bridge IGMP querier (including IGMP proxy and PIM) will not be displayed. Monitoring value appears only when <code><span style="color: rgb(51,153,102);">igmp-snooping</span></code> is enabled.</td></tr><tr><td colspan="1" class="confluenceTd"><strong>mld-querier</strong> (<em>none </em>| <em>interface & IPv6 address</em>)</td><td colspan="1" class="confluenceTd">Shows a bridge port and source IPv6 address from the detected MLD querier. Only shows detected external MLD querier, local bridge MLD querier will not be displayed. 
Monitoring value appears only when <code><span style="color: rgb(51,153,102);">igmp-snooping</span></code> is enabled and the bridge has an active IPv6 address.</td></tr><tr><td colspan="1" class="confluenceTd"><strong>multicast-router</strong><span> </span>(<em>yes | no</em>)</td><td colspan="1" class="confluenceTd">Shows if a multicast router is detected on the port. Monitoring value appears only when <span style="color: rgb(51,153,102);"><code>igmp-snooping</code></span> is enabled.</td></tr><tr><td class="confluenceTd"><strong>port-count</strong><span> </span>(<em>integer</em>)</td><td class="confluenceTd">Number of the bridge ports</td></tr><tr><td class="confluenceTd"><strong>root-bridge</strong><span> </span>(<em>yes | no</em>)</td><td class="confluenceTd">Shows whether the bridge is the root bridge of the spanning tree</td></tr><tr><td class="confluenceTd"><strong>root-bridge-id</strong><span> </span>(<em>text</em>)</td><td class="confluenceTd">The root bridge ID, which is in form of bridge-priority.bridge-MAC-address</td></tr><tr><td class="confluenceTd"><strong>root-path-cost</strong><span> </span>(<em>integer</em>)</td><td class="confluenceTd">The total cost of the path to the root-bridge</td></tr><tr><td class="confluenceTd"><strong>root-port</strong><span> </span>(<em>name</em>)</td><td class="confluenceTd">Port to which the root bridge is connected to</td></tr><tr><td class="confluenceTd"><strong>state</strong><span> </span>(<em>enabled | disabled</em>)</td><td class="confluenceTd">State of the bridge</td></tr></tbody></table></div><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@MikroTik] /interface bridge monitor bridge1
state: enabled
current-mac-address: CC:2D:E0:E4:B3:38
root-bridge: yes
root-bridge-id: 0x8000.CC:2D:E0:E4:B3:38
root-path-cost: 0
root-port: none
port-count: 2
designated-port-count: 2
fast-forward: no</pre>
</div></div><h1 id="BridgingandSwitching-SpanningTreeProtocol"><span>Spanning Tree Protocol</span></h1><hr/><p>RouterOS bridge interfaces are capable of running Spanning Tree Protocol to ensure a loop-free and redundant topology. For small networks with just 2 bridges, STP does not bring many benefits, but for larger networks a properly configured STP is crucial: leaving STP-related values at their defaults may result in a completely unreachable network after even a single bridge failure. To achieve a proper loop-free and redundant topology, it is necessary to properly set bridge priorities, port path costs, and port priorities.</p><div class="confluence-information-macro confluence-information-macro-warning"><span class="aui-icon aui-icon-small aui-iconfont-error confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>In RouterOS it is possible to set any value for bridge priority between 0 and 65535, but the IEEE 802.1W standard states that the bridge priority must be in steps of 4096. This can cause incompatibility issues with devices that do not support such values. To avoid compatibility issues, it is recommended to use only these priorities: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, 61440</p></div></div><p>STP has multiple variants; currently, RouterOS supports STP, RSTP, and MSTP. Depending on needs, any one of them can be used. Some devices are able to run some of these protocols using hardware offloading; detailed information about which devices support it can be found in the<span> </span>Hardware Offloading<span> </span>section. STP is considered to be outdated and slow, and it has been almost entirely replaced in all network topologies by RSTP, which is backward compatible with STP. For network topologies that depend on VLANs, it is recommended to use MSTP since it is a VLAN-aware protocol and gives the ability to do load balancing per VLAN group. 
There are a lot of considerations that should be made when designing an STP enabled network, more detailed case studies can be found in the<span> </span><a href="https://help.mikrotik.com/docs/display/ROS/Spanning+Tree+Protocol" rel="nofollow">Spanning Tree Protocol<span> </span></a>article. In RouterOS, the<span> </span><span style="color: rgb(51,153,102);"><code>protocol-mode</code></span><span> </span>property controls the used STP variant.</p><div class="confluence-information-macro confluence-information-macro-information"><span class="aui-icon aui-icon-small aui-iconfont-info confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>RouterOS bridge does not work with PVST and its variants. The PVST BPDUs (with a MAC destination 01<span>:00:</span>0C<span>:CC:</span>CC:CD) are treated by RouterOS bridges as typical multicast packets. In simpler terms, they undergo RouterOS bridge/switch forwarding logic and may get tagged or untagged. </p></div></div><p><br/></p><div class="confluence-information-macro confluence-information-macro-information"><span class="aui-icon aui-icon-small aui-iconfont-info confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>By the IEEE 802.1ad standard, the BPDUs from bridges that comply with IEEE 802.1Q are not compatible with IEEE 802.1ad bridges, this means that the same bridge VLAN protocol should be used across all bridges in a single Layer2 domain, otherwise (R/M)STP will not function properly.</p></div></div><h2 id="BridgingandSwitching-Per-portSTP"><span style="font-size: 20.0px;letter-spacing: -0.008em;">Per-port STP</span></h2><p>There might be certain situations where you want to limit STP functionality on single or multiple ports. 
Below you can find some examples for different use cases.</p><div class="confluence-information-macro confluence-information-macro-warning"><span class="aui-icon aui-icon-small aui-iconfont-error confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>Be careful when changing the default (R/M)STP functionality, and make sure you understand the working principles of STP and BPDUs. Misconfigured (R/M)STP can cause unexpected behavior.</p></div></div><h3 id="BridgingandSwitching-Createedgeports">Create edge ports</h3><p>A bridge port set as an edge port is restricted from sending BPDUs and ignores any received BPDUs:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1 edge=yes
add bridge=bridge1 interface=ether2</pre>
</div></div><h3 id="BridgingandSwitching-DropreceivedBPDUs"><span style="letter-spacing: -0.006em;">Drop received BPDUs</span></h3><p>The bridge filter or NAT rules cannot drop BPDUs when the bridge has STP/RSTP/MSTP enabled due to the special processing of BPDUs. However, dropping received BPDUs on a certain port can be done on some switch chips using ACL rules:</p><p>On CRS3xx:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface ethernet switch rule
add dst-mac-address=01:80:C2:00:00:00/FF:FF:FF:FF:FF:FF new-dst-ports="" ports=ether1 switch=switch1</pre>
</div></div><p><span>On CRS1xx/CRS2xx with </span>Access Control List (ACL) support<span>:<br/></span></p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface ethernet switch acl
add action=drop mac-dst-address=01:80:C2:00:00:00 src-ports=ether1</pre>
</div></div><p><span>In this example all received BPDUs on</span><span> </span><strong>ether1</strong><span> </span><span>are dropped.</span></p><div class="confluence-information-macro confluence-information-macro-warning"><span class="aui-icon aui-icon-small aui-iconfont-error confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>If you intend to drop received BPDUs on a port, then make sure to prevent BPDUs from being sent out from the interface that this port is connected to. A root bridge always sends out BPDUs and under normal conditions is waiting for a more superior BPDU (from a bridge with a lower bridge ID), but the bridge must temporarily disable the new root-port when transitioning from a root bridge to a designated bridge. If you have blocked BPDUs only on one side, then a port will flap continuously.</p></div></div><h3 id="BridgingandSwitching-EnableBPDUguard">Enable BPDU guard</h3><p>In this example, if<span> </span><strong>ether1</strong><span> </span>receives a BPDU, it will block the port and will require you to manually re-enable it.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1 bpdu-guard=yes
add bridge=bridge1 interface=ether2</pre>
</div></div><h3 id="BridgingandSwitching-EnableRootguard"><span class="mw-headline">Enable Root guard</span></h3><p><span class="mw-headline">In this example, <strong>ether1</strong> is configured with <code><span style="color: rgb(51,153,102);">restricted-role=yes</span></code>. This prevents the port from becoming the root port for the CIST or any MSTI, even when it has the best spanning tree priority vector. Such a port will be selected as an Alternate Port (discarding state) and remains so as long as it continues to receive superior BPDUs. It will automatically transition to the forwarding state when it no longer detects a superior root path. Network administrators may enable this setting to safeguard against external bridges influencing the active spanning tree.</span></p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1 restricted-role=yes
add bridge=bridge1 interface=ether2
[admin@MikroTik] /interface/bridge/port monitor [find]
interface: ether1 ether2
status: in-bridge in-bridge
port-number: 1 2
role: alternate-port designated-port
edge-port: no yes
edge-port-discovery: yes yes
point-to-point-port: yes yes
external-fdb: no no
sending-rstp: yes yes
learning: no yes
forwarding: no yes
actual-path-cost: 20000 20000
root-path-cost: 20000
designated-bridge: 0x7000.64:D1:54:C7:3A:6E
designated-cost: 0
designated-port-number: 1
hw-offload-group: switch1 switch1</pre>
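<p>The bridge priority warning and the per-port STP settings above can be checked offline against a configuration export. The following Python script is an added example, not part of the RouterOS documentation: it parses a constructed sample export and reports priorities that are not in steps of 4096, bridges with protocol-mode=none, and ports with neither bpdu-guard nor restricted-role set. The trusted_uplinks parameter, the finding names and the restricted-role default of no are assumptions of this example.</p>

```python
import re
import shlex

# Defaults from the property tables on this page; restricted-role=no is assumed.
BRIDGE_DEFAULTS = {"priority": "0x8000", "protocol-mode": "rstp"}
PORT_DEFAULTS = {"bpdu-guard": "no", "restricted-role": "no"}

# Constructed sample export, not taken from a real device.
SAMPLE_EXPORT = r"""
/interface bridge
add name=bridge1 priority=0x7000
add name=bridge2 priority=30000 protocol-mode=mstp
add name=bridge3 protocol-mode=none
/interface bridge port
add bridge=bridge1 interface=ether1 edge=yes bpdu-guard=yes
add bridge=bridge1 interface=ether2 edge=yes
add bridge=bridge1 interface=ether3 restricted-role=yes
add bridge=bridge1 interface=sfp-sfpplus1
add bridge=bridge2 interface=ether4 comment="printer, \
    second floor"
add bridge=bridge3 interface=ether5 bpdu-guard=yes
"""


def parse_export(text):
    """Return {menu: [{property: value}, ...]} for the 'add' lines of an export."""
    menus, menu = {}, None
    # Exports wrap long lines with a trailing backslash; join them first.
    for line in re.sub(r"\\\n\s*", "", text).splitlines():
        line = line.strip()
        if line.startswith("/"):
            # Normalise "/interface/bridge/port" and "/interface bridge port".
            menu = " ".join(line.replace("/", " ").split())
        elif line.startswith("add ") and menu is not None:
            props = dict(t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t)
            menus.setdefault(menu, []).append(props)
    return menus


def parse_priority(value):
    """Accept both documented formats: decimal (32768) and hex (0x8000)."""
    return int(value, 16) if value.lower().startswith("0x") else int(value)


def audit(text, trusted_uplinks=()):
    """Return (object, finding, detail) tuples for the checks described above."""
    cfg = parse_export(text)
    bridges = {}
    for b in cfg.get("interface bridge", []):
        bridges[b.get("name", "?")] = {**BRIDGE_DEFAULTS, **b}
    findings = []
    for name, b in bridges.items():
        prio = parse_priority(b["priority"])
        if b["protocol-mode"] == "none":
            # The page states these properties have no effect in this mode.
            findings.append((name, "stp-disabled",
                             "priority, edge and bpdu-guard have no effect"))
        elif prio % 4096:
            findings.append((name, "priority-not-multiple-of-4096",
                             "nearest lower step is %d" % (prio - prio % 4096)))
    for p in cfg.get("interface bridge port", []):
        p = {**PORT_DEFAULTS, **p}
        mode = bridges.get(p.get("bridge"), BRIDGE_DEFAULTS)["protocol-mode"]
        guarded = "yes" in (p["bpdu-guard"], p["restricted-role"])
        iface = p.get("interface", "?")
        if mode == "none":
            if p["bpdu-guard"] == "yes":
                findings.append((iface, "bpdu-guard-has-no-effect",
                                 "bridge runs protocol-mode=none"))
        elif not guarded and iface not in trusted_uplinks:
            findings.append((iface, "no-bpdu-guard-or-root-guard",
                             "neither bpdu-guard nor restricted-role is set"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT, trusted_uplinks=("sfp-sfpplus1",)):
        print("%-14s %-32s %s" % finding)
```

<p>Ports that legitimately face another trusted bridge belong in trusted_uplinks; everything else listed as unguarded is a candidate for bpdu-guard or restricted-role.</p>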
</div></div><h1 id="BridgingandSwitching-BridgeSettings"><span class="mw-headline">Bridge Settings</span></h1><hr/><p><span class="mw-headline">Under the bridge settings menu, it is possible to control certain features for all bridge interfaces and monitor global bridge counters.</span></p><p><strong>Sub-menu:</strong><span> </span><code>/interface bridge settings</code></p><div class="table-wrap"><table class="relative-table wrapped confluenceTable" style="width: 100.0%;"><colgroup><col style="width: 25.639%;"/><col style="width: 74.361%;"/></colgroup><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>use-ip-firewall</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">Force bridged traffic to also be processed by prerouting, forward, and postrouting sections of IP routing (see more details on <a href="https://help.mikrotik.com/docs/display/ROS/Packet+Flow+in+RouterOS#heading-FlowofBridgedPacket" rel="nofollow">Packet Flow</a> article). This does not apply to routed traffic. This property is required in case you want to assign<span> </span><a href="https://help.mikrotik.com/docs/display/ROS/Queues#heading-SimpleQueue" rel="nofollow">Simple Queues</a><span> </span>or global<span> </span><a href="https://help.mikrotik.com/docs/display/ROS/Queues#heading-QueueTree" rel="nofollow">Queue Tree</a><span> </span>to traffic in a bridge. 
Property<span> </span><span style="color: rgb(51,153,102);"><code>use-ip-firewall-for-vlan</code></span><span> </span>is required in case bridge<span> </span><span style="color: rgb(51,153,102);"><code>vlan-filtering</code></span><span> </span>is used.</td></tr><tr><td class="confluenceTd"><strong>use-ip-firewall-for-pppoe</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">Send bridged un-encrypted PPPoE traffic to also be processed by<span> </span>IP/Firewall. This property only has an effect when<span> </span><span style="color: rgb(51,153,102);"><code>use-ip-firewall</code></span><span> </span>is set to<span> </span><span style="color: rgb(51,153,102);"><code>yes</code></span>. This property is required in case you want to assign<span> </span><a href="https://help.mikrotik.com/docs/display/ROS/Queues#heading-SimpleQueue" rel="nofollow">Simple Queues</a><span> </span>or global<span> </span><a href="https://help.mikrotik.com/docs/display/ROS/Queues#heading-QueueTree" rel="nofollow">Queue Tree</a><span> </span>to PPPoE traffic in a bridge.</td></tr><tr><td class="confluenceTd"><strong>use-ip-firewall-for-vlan</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">Send bridged VLAN traffic to also be processed by<span> </span>IP/Firewall. This property only has an effect when<span> </span><span style="color: rgb(51,153,102);"><code>use-ip-firewall</code></span><span> </span>is set to<span> </span><span style="color: rgb(51,153,102);"><code>yes</code></span>. 
This property is required in case you want to assign<span> </span><a href="https://help.mikrotik.com/docs/display/ROS/Queues#heading-SimpleQueue" rel="nofollow">Simple Queues</a><span> </span>or global<span> </span><a href="https://help.mikrotik.com/docs/display/ROS/Queues#heading-QueueTree" rel="nofollow">Queue Tree</a><span> </span>to VLAN traffic in a bridge.</td></tr><tr><td class="confluenceTd"><strong>allow-fast-path</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>yes</strong>)</td><td class="confluenceTd">Whether to enable a bridge<span> </span>Fast Path<span> </span>globally.</td></tr><tr><td class="confluenceTd"><strong>bridge-fast-path-active</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><em>)</em></td><td class="confluenceTd">Shows whether a bridge FastPath is active globally, Fast Path status per bridge interface is not displayed.</td></tr><tr><td class="confluenceTd"><strong>bridge-fast-path-packets</strong><span> </span>(<em>integer</em>; Default:<span> </span><em>)</em></td><td class="confluenceTd">Shows packet count forwarded by bridge Fast Path.</td></tr><tr><td class="confluenceTd"><strong>bridge-fast-path-bytes</strong><span> </span>(<em>integer</em>; Default:<span> </span><em>)</em></td><td class="confluenceTd">Shows byte count forwarded by bridge Fast Path.</td></tr><tr><td class="confluenceTd"><strong>bridge-fast-forward-packets</strong><span> </span>(<em>integer</em>; Default:<span> </span><em>)</em></td><td class="confluenceTd">Shows packet count forwarded by bridge Fast Forward.</td></tr><tr><td class="confluenceTd"><strong>bridge-fast-forward-bytes</strong><span> </span>(<em>integer</em>; Default:<span> </span><em>)</em></td><td class="confluenceTd">Shows byte count forwarded by bridge Fast Forward.</td></tr></tbody></table></div><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning 
confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>In case you want to assign<span> </span>Simple Queues or global<span> </span>Queue Trees<span> </span>to traffic that is being forwarded by a bridge, then you need to enable the<span> </span><span style="color: rgb(51,153,102);"><code>use-ip-firewall</code></span><span> </span>property. Without using this property the bridge traffic will never reach the postrouting chain,<span> </span>Simple Queues<span> </span>and global<span> </span>Queue Trees<span> </span>are working in the postrouting chain. To assign<span> </span>Simple Queues<span> </span>or global<span> </span>Queue Trees<span> </span>for VLAN or PPPoE traffic in a bridge you should enable appropriate properties as well.</p></div></div><h1 id="BridgingandSwitching-PortSettings"><span class="mw-headline">Port Settings</span></h1><hr/><p><span class="mw-headline">Port submenu is used to add interfaces in a particular bridge.</span></p><p><strong>Sub-menu:</strong><span> </span><code>/interface bridge port</code></p><div class="table-wrap"><table class="relative-table wrapped confluenceTable" style="width: 100.0%;"><colgroup><col style="width: 22.8381%;"/><col style="width: 77.1619%;"/></colgroup><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>auto-isolate</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">When enabled, prevents a port moving from discarding into forwarding state if no BPDUs are received from the neighboring bridge. The port will change into a forwarding state only when a BPDU is received. 
This property only has an effect when<span> </span><span style="color: rgb(51,153,102);"><code>protocol-mode</code></span><span> </span>is set to<span> </span><span style="color: rgb(51,153,102);"><code>rstp</code> </span>or<span> </span><span style="color: rgb(51,153,102);"><code>mstp</code> </span>and<span> </span><span style="color: rgb(51,153,102);"><code>edge</code></span> is set to<span> </span><span style="color: rgb(51,153,102);"><code>no</code></span>.</td></tr><tr><td class="confluenceTd"><strong>bpdu-guard</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">Enables or disables the BPDU Guard feature on a port. This feature puts the port in a disabled role if it receives a BPDU; after a BPDU has been received, the port must be manually disabled and enabled again. Should be used to protect a bridge from BPDU-related attacks. This property has no effect when<span> </span><span style="color: rgb(51,153,102);"><code>protocol-mode</code></span><span> </span>is set to<span> </span><span style="color: rgb(51,153,102);"><code>none</code></span>.</td></tr><tr><td class="confluenceTd"><strong>bridge</strong><span> </span>(<em>name</em>; Default:<span> </span><strong>none</strong>)</td><td class="confluenceTd">The bridge interface in which the respective interface is grouped.</td></tr><tr><td class="confluenceTd"><strong>broadcast-flood</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>yes</strong>)</td><td class="confluenceTd">When enabled, the bridge floods broadcast traffic to all bridge egress ports. When disabled, it drops broadcast traffic on egress ports. Can be used to filter all broadcast traffic on an egress port. Broadcast traffic is traffic that uses<span> </span><strong>FF:FF:FF:FF:FF:FF</strong><span> </span>as the destination MAC address; such traffic is crucial for many protocols such as DHCP, ARP, NDP, BOOTP (Netinstall), and others. 
This option does not limit traffic flood to the CPU.</td></tr><tr><td class="confluenceTd"><strong>edge</strong><span> </span>(<em>auto | no | no-discover | yes | yes-discover</em>; Default:<span> </span><strong>auto</strong>)</td><td class="confluenceTd">Set port as edge port or non-edge port, or enable edge discovery. Edge ports are connected to a LAN that has no other bridges attached. An edge port will skip the learning and the listening states in STP and will transition directly to the forwarding state, this reduces the STP initialization time. If the port is configured to discover edge port then as soon as the bridge detects a BPDU coming to an edge port, the port becomes a non-edge port. This property has no effect when<span> </span><span style="color: rgb(51,153,102);"><code>protocol-mode</code></span><span> </span>is set to<span> </span><span style="color: rgb(51,153,102);"><code>none</code></span>.<ul><li><span style="color: rgb(51,153,102);"><code>no</code> </span>- non-edge port, will participate in learning and listening states in STP.</li><li><span style="color: rgb(51,153,102);"><code>no-discover</code></span><span> </span>- non-edge port with enabled discovery, will participate in learning and listening states in STP, a port can become an edge port if no BPDU is received.</li><li><span style="color: rgb(51,153,102);"><code>yes</code> </span>- edge port without discovery, will transit directly to forwarding state.</li><li><span style="color: rgb(51,153,102);"><code>yes-discover</code></span><span> </span>- edge port with enabled discovery, will transit directly to forwarding state.</li><li><span style="color: rgb(51,153,102);"><code>auto</code> </span>- same as<span> </span><span style="color: rgb(51,153,102);"><code>no-discover</code></span>, but will additionally detect if a bridge port is a Wireless interface with disabled bridge-mode, such interface will be automatically set as an edge port without discovery.</li></ul></td></tr><tr><td 
class="confluenceTd"><strong>fast-leave</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">Enables IGMP/MLD fast leave feature on the bridge port. The bridge will stop forwarding multicast traffic to a bridge port when an IGMP/MLD leave message is received. This property only has an effect when<span> </span><code><span style="color: rgb(51,153,102);">igmp-snooping</span></code><span> </span>is set to<span> </span><span style="color: rgb(51,153,102);"><code>yes</code></span>.</td></tr><tr><td class="confluenceTd"><strong>frame-types</strong><span> </span>(<em>admit-all | admit-only-untagged-and-priority-tagged | admit-only-vlan-tagged</em>; Default:<span> </span><strong>admit-all</strong>)</td><td class="confluenceTd">Specifies allowed ingress frame types on a bridge port. This property only has an effect when<span> </span><span style="color: rgb(51,153,102);"><code>vlan-filtering</code></span><span> </span>is set to<span> </span><span style="color: rgb(51,153,102);"><code>yes</code></span>.</td></tr><tr><td class="confluenceTd"><strong>ingress-filtering</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>yes</strong>)</td><td class="confluenceTd">Enables or disables VLAN ingress filtering, which checks if the ingress port is a member of the received VLAN ID in the bridge VLAN table. Should be used with<span> </span><span style="color: rgb(51,153,102);"><code>frame-types</code></span><span> </span>to specify if the ingress traffic should be tagged or untagged. This property only has effect when<span> </span><span style="color: rgb(51,153,102);"><code>vlan-filtering</code></span><span> </span>is set to<span> </span><span style="color: rgb(51,153,102);"><code>yes</code></span>. 
The setting is enabled by default since RouterOS v7.</td></tr><tr><td class="confluenceTd"><strong>learn</strong><span> </span>(<em>auto | no | yes</em>; Default:<span> </span><strong>auto</strong>)</td><td class="confluenceTd">Changes MAC learning behavior on a bridge port<ul><li><span style="color: rgb(51,153,102);"><code>yes</code> </span>- enables MAC learning</li><li><span style="color: rgb(51,153,102);"><code>no</code> </span>- disables MAC learning</li><li><span style="color: rgb(51,153,102);"><code>auto</code> </span>- detects if bridge port is a Wireless interface and uses a Wireless registration table instead of MAC learning, will use Wireless registration table if the<span> </span>Wireless interface<span> </span>is set to one of<span> </span><span style="color: rgb(51,153,102);"><code>ap-bridge</code></span>, <span style="color: rgb(51,153,102);"><code>bridge</code></span>, <span style="color: rgb(51,153,102);"><code>wds-slave</code></span><span> </span>mode and bridge mode for the<span> </span>Wireless interface<span> </span>is disabled.</li></ul></td></tr><tr><td class="confluenceTd"><strong>multicast-router</strong><span> </span>(<em>disabled | permanent | temporary-query</em>; Default:<span> </span><strong>temporary-query</strong>)</td><td class="confluenceTd"><span style="color: rgb(23,43,77);">A multicast router port is a port where a multicast router or querier is connected. On this port, unregistered multicast streams and IGMP/MLD membership reports will be sent. This setting changes the state of the multicast router for bridge ports. This property can be used to send IGMP/MLD membership reports to certain bridge ports for further multicast routing or proxying. 
This property only has an effect when</span><span style="color: rgb(23,43,77);"> </span><span style="color: rgb(51,153,102);"><code>igmp-snooping</code></span><span style="color: rgb(23,43,77);"> </span><span style="color: rgb(23,43,77);">is set to</span><span style="color: rgb(23,43,77);"> </span><span style="color: rgb(51,153,102);"><code>yes</code></span><span style="color: rgb(23,43,77);">.</span><ul style="text-align: left;"><li><span style="color: rgb(51,153,102);"><code>disabled</code> </span>- disabled multicast router state on the bridge port. Unregistered multicast and IGMP/MLD membership reports are not sent to the bridge port regardless of what is connected to it.</li><li><span style="color: rgb(51,153,102);"><code>permanent</code> </span>- enabled multicast router state on the bridge port. Unregistered multicast and IGMP/MLD membership reports are sent to the bridge port regardless of what is connected to it.</li><li><span style="color: rgb(51,153,102);"><code>temporary-query</code></span><span> </span>- automatically detect multicast router state on the bridge port using IGMP/MLD queries.</li></ul></td></tr><tr><td class="confluenceTd"><strong>horizon</strong><span> </span>(<em>integer 0..429496729</em>; Default:<span> </span><strong>none</strong>)</td><td class="confluenceTd">Use split horizon bridging to prevent bridging loops. Set the same value for a group of ports, to prevent them from sending data to ports with the same horizon value. Split horizon is a software feature that disables hardware offloading. 
Read more about<span> </span><a class="external-link" href="https://wiki.mikrotik.com/wiki/MPLSVPLS#Split_horizon_bridging" rel="nofollow" style="text-decoration: none;" title="MPLSVPLS">Bridge split horizon</a>.</td></tr><tr><td class="confluenceTd"><strong>hw</strong> (<em>yes | no</em>; Default: <strong>yes</strong>)</td><td class="confluenceTd">Enables or disables <a href="https://help.mikrotik.com/docs/display/ROS/Bridging+and+Switching#BridgingandSwitching-BridgeHardwareOffloading" rel="nofollow">hardware offloading</a> on interfaces capable of HW offloading. For software interfaces like <a href="https://help.mikrotik.com/docs/display/ROS/EoIP" rel="nofollow">EoIP</a> or <a href="https://help.mikrotik.com/docs/display/ROS/VLAN" rel="nofollow">VLAN</a> this setting is ignored and has no effect. Certain bridge or port functions can automatically disable HW offloading; use the <span style="color: rgb(128,0,128);"><code>print</code></span> command to see whether the "H" flag is active. </td></tr><tr><td class="confluenceTd"><strong>internal-path-cost</strong><span> </span>(<em>integer: 1..200000000</em>; Default:<span> </span>)</td><td class="confluenceTd"><div class="content-wrapper"><p>Path cost to the interface for MSTI0 inside a region. If not manually configured, the bridge automatically determines the internal-path-cost based on the interface speed and the <code><span style="color: rgb(51,153,102);">port-cost-mode</span></code> setting. To revert to the automatic determination and remove any manually applied value, simply use an exclamation mark before the <code><span style="color: rgb(51,153,102);">internal-path-cost </span></code>property. 
This property only has effect when<span> </span><span style="color: rgb(51,153,102);"><code>protocol-mode</code></span><span> </span>is set to<span> </span><span style="color: rgb(51,153,102);"><code>mstp</code></span>.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface bridge port set [find interface=sfp28-1] !internal-path-cost</pre>
</div></div><p>Use <a href="https://help.mikrotik.com/docs/display/ROS/Bridging+and+Switching#BridgingandSwitching-BridgePortMonitoring" rel="nofollow">port monitor</a> to observe the applied internal-path-cost.</p></div></td></tr><tr><td class="confluenceTd"><strong>interface</strong><span> </span>(<em>name</em>; Default:<span> </span><strong>none</strong>)</td><td class="confluenceTd">Name of the interface.</td></tr><tr><td class="confluenceTd"><strong>path-cost</strong><span> </span>(<em>integer: 1..200000000</em>; Default:<span> </span>)</td><td class="confluenceTd"><div class="content-wrapper"><p>Path cost to the interface, used by STP and RSTP to determine the best path, and used by MSTP to determine the best path between regions. If not manually configured, the bridge automatically determines the path-cost based on the interface speed and the <code><span style="color: rgb(51,153,102);">port-cost-mode</span></code> setting. To revert to the automatic determination and remove any manually applied value, simply use an exclamation mark before the <code><span style="color: rgb(51,153,102);">path-cost </span></code>property. This property has no effect when<span> </span><span style="color: rgb(51,153,102);"><code>protocol-mode</code></span><span> </span>is set to<span> </span><span style="color: rgb(51,153,102);"><code>none</code></span>.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface bridge port set [find interface=sfp28-1] !path-cost</pre>
</div></div><p>Use <a href="https://help.mikrotik.com/docs/display/ROS/Bridging+and+Switching#BridgingandSwitching-BridgePortMonitoring" rel="nofollow">port monitor</a> to observe the applied path-cost.</p></div></td></tr><tr><td class="confluenceTd"><strong>point-to-point</strong><span> </span>(<em>auto | yes | no</em>; Default:<span> </span><strong>auto</strong>)</td><td class="confluenceTd">Specifies if a bridge port is connected to a bridge using a point-to-point link for faster convergence in case of failure. By setting this property to<span> </span><span style="color: rgb(51,153,102);"><code>yes</code></span>, you are forcing the link to be a point-to-point link, which will skip the checking mechanism, which detects and waits for BPDUs from other devices from this single link. By setting this property to<span> </span><span style="color: rgb(51,153,102);"><code>no</code></span>, you are expecting that a link can receive BPDUs from multiple devices. By setting the property to<span> </span><span style="color: rgb(51,153,102);"><code>yes</code></span>, you are significantly improving (R/M)STP convergence time. In general, you should only set this property to<span> </span><span style="color: rgb(51,153,102);"><code>no</code> </span>if it is possible that another device can be connected between a link, this is mostly relevant to Wireless mediums and Ethernet hubs. If the Ethernet link is full-duplex,<span> </span><span style="color: rgb(51,153,102);"><code>auto</code> </span>enables point-to-point functionality. 
This property has no effect when<span> </span><span style="color: rgb(51,153,102);"><code>protocol-mode</code></span><span> </span>is set to<span> </span><span style="color: rgb(51,153,102);"><code>none</code></span>.</td></tr><tr><td class="confluenceTd"><strong>priority</strong><span> </span>(<em>integer: 0..240</em>; Default:<span> </span><strong>128</strong>)</td><td class="confluenceTd">The priority of the interface, used by STP to determine the root port, used by MSTP to determine root port between regions.</td></tr><tr><td class="confluenceTd"><strong>pvid</strong><span> </span>(<em>integer 1..4094</em>; Default:<span> </span><strong>1</strong>)</td><td class="confluenceTd">Port VLAN ID (pvid) specifies which VLAN the untagged ingress traffic is assigned to. This property only has an effect when<span> </span><span style="color: rgb(51,153,102);"><code>vlan-filtering</code></span><span> </span>is set to<span> </span><span style="color: rgb(51,153,102);"><code>yes</code></span>.</td></tr><tr><td class="confluenceTd"><strong>restricted-role</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">Enables or disables the restricted role on a port. When enabled, it prevents the port from becoming the root port for the CIST or any MSTI, regardless of its best spanning tree priority vector. Such a port will be selected as an Alternate Port (discarding state) and remains so as long as it continues to receive superior BPDUs. It will automatically transition to the forwarding state when it no longer detects a superior root path. Network administrators may enable this setting to safeguard against external bridges influencing the active spanning tree, a feature also known as root-guard or root-protection. 
This property has an effect when<span> </span><span style="color: rgb(51,153,102);"><code>protocol-mode</code></span><span> </span>is set to <code><span style="color: rgb(51,153,102);">stp</span></code>, <code><span style="color: rgb(51,153,102);">rstp</span></code><span>, or </span><code><span style="color: rgb(51,153,102);">mstp</span></code> (support for STP and RSTP is available since RouterOS v7.14).</td></tr><tr><td class="confluenceTd"><strong>restricted-tcn</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">Enables or disables topology change notification (TCN) handling on a port. When enabled, it causes the port not to propagate received topology change notifications to other ports, and any changes caused by the port itself do not result in topology change notifications to other ports. This parameter is disabled by default. It can be set by a network administrator to prevent external bridges from causing MAC address flushing in the local network. This property has an effect when<span> </span><span style="color: rgb(51,153,102);"><code>protocol-mode</code></span><span> </span>is set to <code><span style="color: rgb(51,153,102);">stp</span></code>, <code><span style="color: rgb(51,153,102);">rstp</span></code><span>, or </span><code><span style="color: rgb(51,153,102);">mstp</span></code> (support for STP and RSTP is available since RouterOS v7.14).</td></tr><tr><td class="confluenceTd"><strong>tag-stacking</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">Forces all packets to be treated as untagged packets. 
Packets on the ingress port will be tagged with another VLAN tag regardless of whether a VLAN tag already exists; packets will be tagged with a VLAN ID that matches the<span> </span><span style="color: rgb(51,153,102);"><code>pvid </code></span>value and will use the EtherType that is specified in<span> </span><span style="color: rgb(51,153,102);"><code>ether-type</code></span>. This property only has an effect when<span> </span><span style="color: rgb(51,153,102);"><code>vlan-filtering</code></span><span> </span>is set to<span> </span><span style="color: rgb(51,153,102);"><code>yes</code></span>.</td></tr><tr><td class="confluenceTd"><strong>trusted</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">When enabled, it allows forwarding DHCP packets towards the DHCP server through this port. Mainly used to prevent unauthorized servers from providing malicious information to users. This property only has an effect when<span> </span><span style="color: rgb(51,153,102);"><code>dhcp-snooping</code></span><span> </span>is set to<span> </span><span style="color: rgb(51,153,102);"><code>yes</code></span>.</td></tr><tr><td class="confluenceTd"><strong>unknown-multicast-flood</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>yes</strong>)</td><td class="confluenceTd"><p>Changes the multicast flood option on a bridge port; it only controls the egress traffic. When enabled, the bridge allows flooding multicast packets to the specified bridge port, but when disabled, the bridge restricts multicast traffic from being flooded to the specified bridge port. The setting affects all multicast traffic, this includes non-IP, IPv4, IPv6 and the link-local multicast ranges (e.g. 
224.0.0.0/24 and <span style="color: rgb(51,51,51);">ff02::1</span>).</p><p>Note that when <span style="color: rgb(51,153,102);"><code>igmp-snooping</code></span> is enabled and IGMP/MLD querier is detected, the bridge will automatically restrict unknown IP multicast from being flooded, so the setting is not mandatory for IGMP/MLD snooping setups.</p><p>When using this setting together with <span style="color: rgb(51,153,102);"><code>igmp-snooping</code></span>, the only multicast traffic that is allowed on the bridge port is the known multicast from the MDB table. </p></td></tr><tr><td class="confluenceTd"><strong>unknown-unicast-flood</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>yes</strong>)</td><td class="confluenceTd"><p>Changes the unknown unicast flood option on bridge port, only controls the egress traffic. When enabled, the bridge allows flooding unknown unicast packets to the specified bridge port, but when disabled, the bridge restricts unknown unicast traffic from being flooded to the specified bridge port.</p><p>If a MAC address is not learned in<span> the host table</span>, then the traffic is considered as unknown unicast traffic and will be flooded to all ports. MAC address is learned as soon as a packet on a bridge port is received and the source MAC address is added to the bridge host table. Since it is required for the bridge to receive at least one packet on the bridge port to learn the MAC address, it is recommended to use static bridge host entries to avoid packets being dropped until the MAC address has been learned.</p></td></tr></tbody></table></div><p><br/></p><div class="confluence-information-macro confluence-information-macro-information"><span class="aui-icon aui-icon-small aui-iconfont-info confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>RouterOS can handle a maximum of 1024 bridged interfaces, this limit is fixed and cannot be modified. 
If you try to add more interfaces as bridge ports, it may lead to unpredictable behavior.</p></div></div><h2 id="BridgingandSwitching-Example.1"><span style="font-size: 20.0px;letter-spacing: -0.008em;">Example</span></h2><p>To group ether1 and ether2 in the already created bridge1 interface.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@MikroTik] /interface bridge port add bridge=bridge1 interface=ether1
[admin@MikroTik] /interface bridge port add bridge=bridge1 interface=ether2
[admin@MikroTik] /interface bridge port print
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload
 #    INTERFACE  BRIDGE   HW   PVID  PRIORITY  PATH-COST  INTERNAL-PATH-COST  HORIZON
 0    ether1     bridge1  yes  100   0x80      10         10                  none
 1    ether2     bridge1  yes  200   0x80      10         10                  none</pre>
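<p>Several of the protective port properties in the table above (<code>bpdu-guard</code>, <code>restricted-role</code>, <code>restricted-tcn</code>, <code>trusted</code>, <code>frame-types</code>, <code>ingress-filtering</code>, <code>pvid</code>) silently do nothing unless the parent bridge has the matching feature enabled. The following is an added example, not MikroTik code: a Python check that reads an exported configuration and reports port settings that are configured but have no effect. The function names, the sample export, and the bridge-level defaults (<code>protocol-mode=rstp</code>, <code>vlan-filtering=no</code>, <code>dhcp-snooping=no</code>, <code>igmp-snooping=no</code>) are assumptions of this example.</p>

```python
import shlex

# Constructed sample, in the "/menu" + "add key=value" layout used on this page.
SAMPLE_EXPORT = """\
/interface bridge
add name=bridge1 protocol-mode=none
add name=bridge2 vlan-filtering=yes dhcp-snooping=yes
/interface bridge port
add bridge=bridge1 interface=ether1 bpdu-guard=yes pvid=100 \\
    frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether2 trusted=yes
add bridge=bridge2 interface=ether3 bpdu-guard=yes edge=yes pvid=200 restricted-role=yes
add bridge=bridge2 interface=ether4 trusted=yes fast-leave=yes horizon=1
"""

# Assumption: bridge-level defaults, which this section does not state.
BRIDGE_DEFAULTS = {"protocol-mode": "rstp", "vlan-filtering": "no",
                   "dhcp-snooping": "no", "igmp-snooping": "no"}

# port property: (default from the table, bridge setting it depends on,
#                 bridge values under which the property takes effect)
ANY_STP = ("stp", "rstp", "mstp")  # the RouterOS v7.14 requirement is not checked
DEPENDS = {
    "bpdu-guard":        ("no", "protocol-mode", ANY_STP),
    "restricted-role":   ("no", "protocol-mode", ANY_STP),
    "restricted-tcn":    ("no", "protocol-mode", ANY_STP),
    "frame-types":       ("admit-all", "vlan-filtering", ("yes",)),
    "ingress-filtering": ("yes", "vlan-filtering", ("yes",)),
    "pvid":              ("1", "vlan-filtering", ("yes",)),
    "tag-stacking":      ("no", "vlan-filtering", ("yes",)),
    "trusted":           ("no", "dhcp-snooping", ("yes",)),
    "fast-leave":        ("no", "igmp-snooping", ("yes",)),
}


def parse_export(text):
    """Return {menu: [{key: value}, ...]} for every 'add' line of an export."""
    menus, menu, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):      # long export lines wrap with a trailing backslash
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("/"):
            menu = line
        elif line.startswith("add ") and menu:
            pairs = (tok.split("=", 1) for tok in shlex.split(line[4:]))
            menus.setdefault(menu, []).append(
                {p[0]: p[1] for p in pairs if len(p) == 2})
    return menus


def audit(text):
    """Return (interface, property, reason) for settings that do not take effect."""
    menus = parse_export(text)
    bridges = {b["name"]: {**BRIDGE_DEFAULTS, **b}
               for b in menus.get("/interface bridge", []) if "name" in b}
    findings = []
    for port in menus.get("/interface bridge port", []):
        iface, bridge = port.get("interface", "?"), port.get("bridge", "?")
        settings = bridges.get(bridge, BRIDGE_DEFAULTS)
        for prop, (default, needs, ok_values) in DEPENDS.items():
            value = port.get(prop, default)
            if value != default and settings[needs] not in ok_values:
                findings.append((iface, prop, "no effect while %s has %s=%s"
                                 % (bridge, needs, settings[needs])))
        # Per the table: split horizon is a software feature.
        if port.get("horizon", "none") != "none":
            findings.append((iface, "horizon",
                             "split horizon disables hardware offloading"))
    return findings


if __name__ == "__main__":
    for iface, prop, reason in audit(SAMPLE_EXPORT):
        print("%-8s %-18s %s" % (iface, prop, reason))
```

<p>On the constructed sample, ether1 and ether2 are reported because bridge1 runs with <code>protocol-mode=none</code> and without VLAN filtering or DHCP snooping, while ether3 on bridge2 produces no findings.</p>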
</div></div><h2 id="BridgingandSwitching-Interfacelists">Interface lists</h2><p>Starting with RouterOS v6.41 it is possible to add interface lists as a bridge port and sort them. Interface lists are useful for creating simpler firewall rules. Below is an example of how to add an interface list to a bridge:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface list
add name=LAN1
add name=LAN2
/interface list member
add interface=ether1 list=LAN1
add interface=ether2 list=LAN1
add interface=ether3 list=LAN2
add interface=ether4 list=LAN2
/interface bridge port
add bridge=bridge1 interface=LAN1
add bridge=bridge1 interface=LAN2</pre>
</div></div><p><span>Ports from an interface list added to a bridge will show up as dynamic ports:</span></p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@MikroTik] /interface bridge port> pr
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload
 #    INTERFACE  BRIDGE   HW   PVID  PRIORITY  PATH-COST  INTERNAL-PATH-COST  HORIZON
 0    LAN1       bridge1  yes  1     0x80      10         10                  none
 1 D  ether1     bridge1  yes  1     0x80      10         10                  none
 2 D  ether2     bridge1  yes  1     0x80      10         10                  none
 3    LAN2       bridge1  yes  1     0x80      10         10                  none
 4 D  ether3     bridge1  yes  1     0x80      10         10                  none
 5 D  ether4     bridge1  yes  1     0x80      10         10                  none</pre>
</div></div><p><span>It is also possible to sort the order of lists in which they appear</span><span>. This can be done using the</span><span> </span><span style="color: rgb(128,0,128);"><code>move</code><span> </span></span><span>command. Below is an example of how to sort interface lists:</span></p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@MikroTik] > /interface bridge port move 3 0
[admin@MikroTik] > /interface bridge port print
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload
 #    INTERFACE  BRIDGE   HW   PVID  PRIORITY  PATH-COST  INTERNAL-PATH-COST  HORIZON
 0    LAN2       bridge1  yes  1     0x80      10         10                  none
 1 D  ether3     bridge1  yes  1     0x80      10         10                  none
 2 D  ether4     bridge1  yes  1     0x80      10         10                  none
 3    LAN1       bridge1  yes  1     0x80      10         10                  none
 4 D  ether1     bridge1  yes  1     0x80      10         10                  none
 5 D  ether2     bridge1  yes  1     0x80      10         10                  none</pre>
</div></div><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>When moving interface lists, the second parameter is treated as a "before id": it specifies the interface list before which the selected interface list should be placed. Moving the first interface list in place of the second interface list has no effect, since the first list would be moved before the second list, which is the current state either way.</p></div></div><h2 id="BridgingandSwitching-BridgePortMonitoring"><span class="mw-headline">Bridge Port Monitoring</span></h2><p><span class="mw-headline">To monitor the current status of bridge ports, use the <span style="color: rgb(128,0,128);"><code>monitor</code></span> command.</span></p><p><strong>Sub-menu:</strong><span> </span><code>/interface bridge port monitor</code></p><div class="table-wrap"><table class="wrapped confluenceTable"><colgroup><col/><col/></colgroup><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>designated-bridge</strong> (<em>bridge identifier</em>)</td><td class="confluenceTd">Shows the received bridge identifier.</td></tr><tr><td class="confluenceTd"><strong>designated-cost</strong> (<em>integer</em>)</td><td class="confluenceTd">Shows the received root-path-cost.</td></tr><tr><td class="confluenceTd"><strong>designated-port-number</strong> (<em>integer</em>)</td><td class="confluenceTd">Shows the received port number.</td></tr><tr><td class="confluenceTd"><strong>edge-port</strong><span> </span>(<em>yes | no</em>)</td><td class="confluenceTd">Whether the port is an edge port or not.</td></tr><tr><td class="confluenceTd"><strong>edge-port-discovery</strong><span> </span>(<em>yes | no</em>)</td><td class="confluenceTd">Whether the 
port is set to automatically detect edge ports.</td></tr><tr><td class="confluenceTd"><strong>external-fdb</strong><span> </span>(<em>yes | no</em>)</td><td class="confluenceTd">Whether the registration table is used instead of a forwarding database.</td></tr><tr><td class="confluenceTd"><strong>forwarding</strong><span> </span>(<em>yes | no</em>)</td><td class="confluenceTd">Shows if the port is not blocked by (R/M)STP.</td></tr><tr><td class="confluenceTd"><strong>hw-offload-group</strong><span> </span>(<em>switchX</em>)</td><td class="confluenceTd">Switch chip used by the port.</td></tr><tr><td class="confluenceTd"><strong>interface</strong> (<em>name</em>)</td><td class="confluenceTd">Interface name.</td></tr><tr><td class="confluenceTd"><strong>learning</strong><span> </span>(<em>yes | no</em>)</td><td class="confluenceTd">Shows whether the port is capable of learning MAC addresses.</td></tr><tr><td class="confluenceTd"><strong>multicast-router</strong><span> </span>(<em>yes | no</em>)</td><td class="confluenceTd">Shows if a multicast router is detected on the port. Monitoring value appears only when<span> </span><span style="color: rgb(51,153,102);"><code>igmp-snooping</code></span><span> </span>is enabled.</td></tr><tr><td class="confluenceTd"><strong>path-cost</strong> (<em>integer: 1..200000000</em>)</td><td class="confluenceTd">Shows the actual port path-cost. Either manually applied or automatically determined based on the interface speed and the <code><span style="color: rgb(51,153,102);">port-cost-mode</span></code> setting.</td></tr><tr><td class="confluenceTd"><strong>port-number</strong><span> </span>(<em>integer 1..4095</em>)</td><td class="confluenceTd">A port-number will be assigned in the order that ports got added to the bridge, but this is only true until reboot. 
After reboot, the internal port numbering will be used.</td></tr><tr><td class="confluenceTd"><strong>point-to-point-port</strong><span> </span>(<em>yes | no</em>)</td><td class="confluenceTd">Whether the port is connected to a bridge port using full-duplex (yes) or half-duplex (no).</td></tr><tr><td class="confluenceTd"><strong>role</strong><span> </span>(<em>designated | root port | alternate | backup | disabled</em>)</td><td class="confluenceTd"><p>The role of the port assigned by the (R/M)STP algorithm:</p><ul><li><span style="color: rgb(51,153,102);"><code>disabled-port</code></span><span> </span>- not strictly part of STP, a network administrator can manually disable a port</li><li><span style="color: rgb(51,153,102);"><code>root-port</code></span><span> </span>- a forwarding port that is the best port facing towards the root bridge</li><li><span style="color: rgb(51,153,102);"><code>alternative-port</code></span><span> </span>- an alternate path to the root bridge</li><li><span style="color: rgb(51,153,102);"><code>designated-port</code></span><span> </span>- a forwarding port for every LAN segment</li><li><span style="color: rgb(51,153,102);"><code>backup-port</code></span><span> </span>- a backup/redundant path to a segment where another bridge port already connects.</li></ul></td></tr><tr><td style="text-align: left;vertical-align: top;" class="confluenceTd"><strong>root-path-cost</strong><span> </span>(<em>integer</em>)</td><td style="text-align: left;vertical-align: top;" class="confluenceTd">The total cost of the path to the root-bridge</td></tr><tr><td class="confluenceTd"><strong>sending-rstp</strong><span> </span>(<em>yes | no</em>)</td><td class="confluenceTd">Whether the port is using RSTP or MSTP BPDU types. A port will transition to the STP type when an RSTP/MSTP-enabled port receives an STP BPDU. 
This setting <strong>does not</strong> indicate whether the BPDUs are actually sent.</td></tr><tr><td class="confluenceTd"><strong>status</strong><span> </span>(<em>in-bridge | inactive</em>)</td><td class="confluenceTd">Port status:<ul><li><span style="color: rgb(51,153,102);"><code>in-bridge</code></span><span> </span>- port is enabled</li><li><span style="color: rgb(51,153,102);"><code>inactive</code> </span>- port is disabled.</li></ul></td></tr></tbody></table></div><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@MikroTik] /interface bridge port monitor [find interface=sfp-sfpplus2]
interface: sfp-sfpplus2
status: in-bridge
port-number: 1
role: root-port
edge-port: no
edge-port-discovery: yes
point-to-point-port: yes
external-fdb: no
sending-rstp: yes
learning: yes
forwarding: yes
path-cost: 2000
root-path-cost: 4000
designated-bridge: 0x8000.DC:2C:6E:9E:11:1C
designated-cost: 2000
designated-port-number: 2</pre>
</div></div><h1 id="BridgingandSwitching-HostsTable"><span class="mw-headline">Hosts Table</span></h1><hr/><p>MAC addresses that have been learned on a bridge interface can be viewed in the<span> host</span><span> </span>menu. Below is a table of parameters and flags that can be viewed.</p><p><strong>Sub-menu:</strong><span> </span><code>/interface bridge host</code></p><div class="table-wrap"><table class="wrapped confluenceTable"><colgroup><col/><col/></colgroup><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>bridge</strong><span> </span>(<em>read-only: name</em>)</td><td class="confluenceTd">The bridge the entry belongs to</td></tr><tr><td class="confluenceTd"><strong>disabled</strong><span> </span>(<em>read-only: flag</em>)</td><td class="confluenceTd">Whether the static host entry is disabled</td></tr><tr><td class="confluenceTd"><strong>dynamic</strong><span> </span>(<em>read-only: flag</em>)</td><td class="confluenceTd">Whether the host has been dynamically created</td></tr><tr><td class="confluenceTd"><strong>external</strong><span> </span>(<em>read-only: flag</em>)</td><td class="confluenceTd">Whether the host has been learned using an external table, for example, from a switch chip or Wireless registration table. 
Adding a static host entry on a hardware-offloaded bridge port will also display an active external flag</td></tr><tr><td class="confluenceTd"><strong>invalid</strong><span> </span>(<em>read-only: flag</em>)</td><td class="confluenceTd">Whether the host entry is invalid; this can appear for statically configured hosts on an already removed interface</td></tr><tr><td class="confluenceTd"><strong>local</strong><span> </span>(<em>read-only: flag</em>)</td><td class="confluenceTd">Whether the host entry is created from the bridge itself (that way all local interfaces are shown)</td></tr><tr><td class="confluenceTd"><strong>mac-address</strong><span> </span>(<em>read-only: MAC address</em>)</td><td class="confluenceTd">Host's MAC address</td></tr><tr><td class="confluenceTd"><strong>on-interface</strong><span> </span>(<em>read-only: name</em>)</td><td class="confluenceTd">Which of the bridged interfaces the host is connected to</td></tr></tbody></table></div><h2 id="BridgingandSwitching-Monitoring"><span class="mw-headline">Monitoring</span></h2><p>To get the active hosts table:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@MikroTik] /interface bridge host print
Flags: X - disabled, I - invalid, D - dynamic, L - local, E - external
 #       MAC-ADDRESS        VID ON-INTERFACE       BRIDGE
 0   D   B8:69:F4:C9:EE:D7      ether1             bridge1
 1   D   B8:69:F4:C9:EE:D8      ether2             bridge1
 2   DL  CC:2D:E0:E4:B3:38      bridge1            bridge1
 3   DL  CC:2D:E0:E4:B3:39      ether2             bridge1</pre>
</div></div><h2 id="BridgingandSwitching-Staticentries">Static entries</h2><p>It is possible to add a static MAC address entry into the host table. This can be used to forward a certain type of traffic through a specific port. Another use case for static host entries is to protect the device resources by disabling dynamic learning and relying only on configured static host entries. Below is a table of possible parameters that can be set when adding a static MAC address entry into the host table.</p><p><strong>Sub-menu:</strong><span> </span><code>/interface bridge host</code></p><div class="table-wrap"><table class="wrapped confluenceTable"><colgroup><col/><col/></colgroup><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>bridge</strong><span> </span>(<em>name</em>; Default:<span> </span><strong>none</strong>)</td><td class="confluenceTd">The bridge interface to which the MAC address is going to be assigned.</td></tr><tr><td class="confluenceTd"><strong>disabled</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">Disables/enables static MAC address entry.</td></tr><tr><td class="confluenceTd"><strong>interface</strong><span> </span>(<em>name</em>; Default:<span> </span><strong>none</strong>)</td><td class="confluenceTd">Name of the interface.</td></tr><tr><td class="confluenceTd"><strong>mac-address</strong><span> </span>(<em>MAC address</em>; Default: )</td><td class="confluenceTd">MAC address that will be added to the host table statically.</td></tr><tr><td class="confluenceTd"><strong>vid</strong><span> </span>(<em>integer: 1..4094</em>; Default: )</td><td class="confluenceTd">VLAN ID for the statically added MAC address entry.</td></tr></tbody></table></div><p>For example, if it was required that all traffic destined to<span> </span><strong>4C:5E:0C:4D:12:43</strong><span> </span>is forwarded only through<span> 
</span><strong>ether2</strong>, then the following commands can be used:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface bridge host
add bridge=bridge interface=ether2 mac-address=4C:5E:0C:4D:12:43</pre>
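<p>The static-entry use case described above can be checked from the output of <code>/interface bridge host print</code>. The following Python script is an added example, not part of the MikroTik documentation: it parses a host table printout and reports dynamically learned addresses on ports that are meant to carry only static entries, pinned addresses seen on another port, and pinned addresses with no active static entry. The function names, the <code>PINNED</code> and <code>STATIC_ONLY_PORTS</code> policy and rows 4 and 5 of the sample are assumptions made for the illustration.</p>

```python
import re

MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

# Constructed sample in the layout of "/interface bridge host print".
# Rows 4 and 5 are invented for this example.
SAMPLE = """\
Flags: X - disabled, I - invalid, D - dynamic, L - local, E - external
 #       MAC-ADDRESS        VID ON-INTERFACE  BRIDGE
 0   D   B8:69:F4:C9:EE:D7      ether1        bridge1
 1   D   B8:69:F4:C9:EE:D8      ether2        bridge1
 2   DL  CC:2D:E0:E4:B3:38      bridge1       bridge1
 3   DL  CC:2D:E0:E4:B3:39      ether2        bridge1
 4       4C:5E:0C:4D:12:43      ether2        bridge1
 5   D   4C:5E:0C:4D:12:43   10 ether3        bridge1
"""

# Hypothetical policy: which MAC is pinned to which port, and which ports
# are expected to hold static entries only (dynamic learning disabled).
PINNED = {"4C:5E:0C:4D:12:43": "ether2"}
STATIC_ONLY_PORTS = {"ether2"}


def parse_host_table(text):
    """Turn the printout into a list of dicts, one per host entry."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].isdigit():
            continue  # flag legend, column header, blank lines
        mac_pos = next(
            (i for i, tok in enumerate(tokens) if MAC_RE.match(tok)), None
        )
        if mac_pos is None:
            raise ValueError("no MAC address in row: " + line)
        # Flags are optional: a static entry has none, so the MAC may
        # directly follow the row number.
        flags = set("".join(tokens[1:mac_pos]))
        rest = tokens[mac_pos + 1:]
        # The VID column is empty when VLAN filtering is not in use.
        if len(rest) == 3 and rest[0].isdigit():
            vid, iface, bridge = int(rest[0]), rest[1], rest[2]
        elif len(rest) == 2:
            vid, iface, bridge = None, rest[0], rest[1]
        else:
            raise ValueError("unexpected columns in row: " + line)
        entries.append({
            "flags": flags,
            "mac": tokens[mac_pos].upper(),
            "vid": vid,
            "interface": iface,
            "bridge": bridge,
        })
    return entries


def audit(entries, pinned, static_only_ports):
    """Return (finding, mac, interface) tuples for policy violations."""
    findings = []
    has_static = set()
    for entry in entries:
        if "L" in entry["flags"]:
            continue  # the bridge's own addresses, not attached hosts
        mac, port = entry["mac"], entry["interface"]
        dynamic = "D" in entry["flags"]
        if mac in pinned:
            if port != pinned[mac]:
                findings.append(("pinned-mac-on-wrong-port", mac, port))
            elif not dynamic and not (entry["flags"] & {"X", "I"}):
                has_static.add(mac)  # active static entry on the right port
        elif dynamic and port in static_only_ports:
            findings.append(("dynamic-on-static-port", mac, port))
    for mac in sorted(set(pinned) - has_static):
        findings.append(("pinned-mac-missing-static", mac, pinned[mac]))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_host_table(SAMPLE), PINNED, STATIC_ONLY_PORTS):
        print(*finding)
```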
</div></div><h1 id="BridgingandSwitching-MulticastTable"><span class="mw-headline">Multicast Table</span></h1><hr/><p>When <a href="https://help.mikrotik.com/docs/pages/viewpage.action?pageId=59277403" rel="nofollow">IGMP/MLD snooping</a> is enabled, the bridge will start to listen to IGMP/MLD communication, create multicast database (MDB) entries, and make forwarding decisions based on the received information. Packets with li<span style="color: rgb(23,43,77);">nk-local multicast destination addresses 224.0.0.0/24 and<span> </span></span><span style="color: rgb(51,51,51);">ff02::1 are not restricted and are always flooded on all ports and VLANs. </span>To see learned multicast database entries, use the <span style="color: rgb(128,0,128);"><code>print</code></span> command.</p><p><strong>Sub-menu:</strong><span> </span><code>/interface bridge mdb</code></p><div class="table-wrap"><table class="wrapped confluenceTable"><colgroup><col/><col/></colgroup><thead><tr><th style="text-align: left;" class="confluenceTh"><p>Property</p></th><th style="text-align: left;" class="confluenceTh"><p>Description</p></th></tr></thead><tbody><tr><td style="text-align: left;" colspan="1" class="confluenceTd"><strong>bridge</strong><span> </span>(<em>read-only:<span> </span>name</em>)</td><td style="text-align: left;" colspan="1" class="confluenceTd">Shows the bridge interface the entry belongs to.</td></tr><tr><td style="text-align: left;" colspan="1" class="confluenceTd"><strong>group</strong><span> </span>(<em>read-only:<span> </span></em><em>ipv4 | ipv6 address</em>)</td><td style="text-align: left;" colspan="1" class="confluenceTd">Shows a multicast group address.</td></tr><tr><td style="text-align: left;" colspan="1" class="confluenceTd"><strong>on-ports</strong><span> </span>(<em>read-only: name</em>)</td><td style="text-align: left;" colspan="1" class="confluenceTd">Shows the bridge ports which are subscribed to the certain multicast group.</td></tr><tr><td style="text-align: 
left;" colspan="1" class="confluenceTd"><strong>vid</strong><span> </span>(<em>read-only: integer</em>)</td><td style="text-align: left;" colspan="1" class="confluenceTd">Shows the VLAN ID for the multicast group, only applies when<code><span style="color: rgb(51,153,102);"><span> </span>vlan-filtering</span></code><span> </span>is enabled.</td></tr></tbody></table></div><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@MikroTik] /interface bridge mdb print
Flags: D - DYNAMIC
Columns: GROUP, VID, ON-PORTS, BRIDGE
 #   GROUP              VID  ON-PORTS  BRIDGE
 0 D ff02::2              1  bridge1   bridge1
 1 D ff02::6a             1  bridge1   bridge1
 2 D ff02::1:ff00:0       1  bridge1   bridge1
 3 D ff02::1:ff01:6a43    1  bridge1   bridge1
 4 D 229.1.1.1           10  ether2    bridge1
 5 D 229.2.2.2           10  ether3    bridge1
                             ether2
 6 D ff02::2             10  ether5    bridge1
                             ether3
                             ether2
                             ether4</pre>
</div></div><h2 id="BridgingandSwitching-Staticentries.1">Static entries</h2><p>Since RouterOS version 7.7, it is possible to create static MDB entries for IPv4 and IPv6 multicast groups.</p><p><strong>Sub-menu:</strong><span> </span><code>/interface bridge mdb</code></p><div class="table-wrap"><table class="wrapped confluenceTable"><colgroup><col/><col/></colgroup><thead><tr><th style="text-align: left;" class="confluenceTh"><p>Property</p></th><th style="text-align: left;" class="confluenceTh"><p>Description</p></th></tr></thead><tbody><tr><td style="text-align: left;" class="confluenceTd"><strong>bridge</strong><span> (<em>name</em>; Default: )</span></td><td style="text-align: left;" class="confluenceTd">The bridge interface to which the MDB entry is going to be assigned.</td></tr><tr><td style="text-align: left;" class="confluenceTd"><strong>disabled</strong><span> (<em>yes | no</em>; Default: <strong>no</strong>)</span></td><td style="text-align: left;" class="confluenceTd">Disables or enables static MDB entry.</td></tr><tr><td style="text-align: left;" class="confluenceTd"><strong>group</strong><span> </span>(<em>ipv4 | ipv6 address</em>; Default: )</td><td style="text-align: left;" class="confluenceTd">The IPv4 or IPv6 multicast address. Static entries for <span style="color: rgb(23,43,77);">link-local multicast groups 224.0.0.0/24 and<span> </span></span><span style="color: rgb(51,51,51);">ff02::1 cannot be created, as these packets are always flooded on all ports and VLANs. 
</span></td></tr><tr><td style="text-align: left;" class="confluenceTd"><strong>ports</strong> (<em>name</em>; Default: )</td><td style="text-align: left;" class="confluenceTd">The list of bridge ports to which the multicast group will be forwarded.</td></tr><tr><td style="text-align: left;" class="confluenceTd"><strong>vid</strong><span> </span>(<em>integer: 1..4094</em>; Default: )</td><td style="text-align: left;" class="confluenceTd">The VLAN ID on which the MDB entry will be created, only applies when <code><span style="color: rgb(51,153,102);">vlan-filtering</span></code><span> </span>is enabled. When VLAN ID is not specified, the entry will work in shared-VLAN mode and dynamically apply on all defined VLAN IDs for particular ports.</td></tr></tbody></table></div><p>For example, to create a static MDB entry for multicast group 229.10.10.10 on ports ether2 and ether3 on VLAN 10, use the command below:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface bridge mdb
add bridge=bridge1 group=229.10.10.10 ports=ether2,ether3 vid=10</pre>
</div></div><p>Verify the results with the <span style="color: rgb(128,0,128);"><code>print</code></span> command:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@MikroTik] > /interface bridge mdb print where group=229.10.10.10
Columns: GROUP, VID, ON-PORTS, BRIDGE
 #   GROUP         VID  ON-PORTS  BRIDGE
12   229.10.10.10   10  ether2    bridge1
                        ether3</pre>
</div></div><p>In case a certain IPv6 multicast group does not need to be snooped and it is desired to be flooded on all ports and VLANs, it is possible to create a static MDB entry on all VLANs and ports, including the bridge interface itself. Use the command below to create a static MDB entry for multicast group ff02::2 on all VLANs and ports (modify the <code><span style="color: rgb(51,153,102);">ports</span></code> setting for your particular setup):</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface bridge mdb
add bridge=bridge1 group=ff02::2 ports=bridge1,ether2,ether3,ether4,ether5
[admin@MikroTik] > /interface bridge mdb print where group=ff02::2
Flags: D - DYNAMIC
Columns: GROUP, VID, ON-PORTS, BRIDGE
 #   GROUP    VID  ON-PORTS  BRIDGE
 0   ff02::2                 bridge1
15 D ff02::2    1  bridge1   bridge1
16 D ff02::2   10  bridge1   bridge1
                   ether2
                   ether3
                   ether4
                   ether5
17 D ff02::2   20  bridge1   bridge1
                   ether2
                   ether3
18 D ff02::2   30  bridge1   bridge1
                   ether2
                   ether3</pre>
</div></div><h1 id="BridgingandSwitching-BridgeHardwareOffloading"><span class="mw-headline">Bridge Hardware Offloading</span></h1><hr/><p>It is possible to switch multiple ports together if a device has a built-in switch chip. While a bridge is a software feature that will consume CPU resources, the bridge hardware offloading feature will allow you to use the built-in switch chip to forward packets. This allows you to achieve higher throughput if configured correctly.</p><p>In previous versions (prior to RouterOS v6.41) you had to use the<span> </span>master-port<span> </span>property to switch multiple ports together, but in RouterOS v6.41 this property is replaced with the bridge hardware offloading feature, which allows you to switch ports and use some of the bridge features, for example,<span> </span><a href="https://help.mikrotik.com/docs/display/ROS/Spanning+Tree+Protocol" rel="nofollow">Spanning Tree Protocol</a>.</p><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>When upgrading from previous versions (before RouterOS v6.41), the old<span> </span>master-port<span> </span>configuration is automatically converted to the new<span> </span><strong>Bridge Hardware Offloading</strong><span> </span>configuration. 
When downgrading from newer versions (RouterOS v6.41 and newer) to older versions (before RouterOS v6.41), the configuration is not converted back; a bridge without hardware offloading will exist instead. In such a case, you need to reconfigure your device to use the old<span> </span>master-port<span> </span>configuration.</p></div></div><p>Below is a list of devices and features that support hardware offloading (+) or disable hardware offloading (-):</p><div class="table-wrap"><table class="wrapped confluenceTable" style="text-align: center;"><colgroup><col/><col/><col/><col/><col/><col/><col/><col/><col/></colgroup><tbody><tr><td class="highlight-#f4f5f7 confluenceTd" title="Background colour : Light grey 100%" data-highlight-colour="#f4f5f7"><strong title="">RouterBoard/[Switch Chip] Model</strong></td><td class="highlight-#f4f5f7 confluenceTd" title="Background colour : Light grey 100%" data-highlight-colour="#f4f5f7"><strong title="">Features in Switch menu</strong></td><td class="highlight-#f4f5f7 confluenceTd" title="Background colour : Light grey 100%" data-highlight-colour="#f4f5f7"><strong title="">Bridge STP/RSTP</strong></td><td class="highlight-#f4f5f7 confluenceTd" title="Background colour : Light grey 100%" data-highlight-colour="#f4f5f7"><strong title="">Bridge MSTP</strong></td><td class="highlight-#f4f5f7 confluenceTd" title="Background colour : Light grey 100%" data-highlight-colour="#f4f5f7"><strong title="">Bridge IGMP Snooping</strong></td><td class="highlight-#f4f5f7 confluenceTd" title="Background colour : Light grey 100%" data-highlight-colour="#f4f5f7"><strong title="">Bridge DHCP Snooping</strong></td><td class="highlight-#f4f5f7 confluenceTd" title="Background colour : Light grey 100%" data-highlight-colour="#f4f5f7"><strong title="">Bridge VLAN Filtering</strong></td><td class="highlight-#f4f5f7 confluenceTd" title="Background colour : Light grey 100%" data-highlight-colour="#f4f5f7"><strong title="">Bonding <sup>4, 
5</sup></strong></td><td class="highlight-grey confluenceTd" title="Background color :" data-highlight-colour="grey"><strong title="">Horizon <sup>4</sup></strong></td></tr><tr><td class="highlight-#f4f5f7 confluenceTd" title="Background colour : Light grey 100%" data-highlight-colour="#f4f5f7">CRS3xx, CRS5xx series</td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" title="Background color : Light green 35%" data-highlight-colour="#e3fcef"><strong title="">+</strong></td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" title="Background color : Light green 35%" data-highlight-colour="#e3fcef"><strong title="">+</strong></td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" title="Background color : Light green 35%" data-highlight-colour="#e3fcef"><strong title="">+</strong></td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" title="Background color : Light green 35%" data-highlight-colour="#e3fcef"><strong title="">+</strong></td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" title="Background color : Light green 35%" data-highlight-colour="#e3fcef"><strong title="">+</strong></td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" title="Background color : Light green 35%" data-highlight-colour="#e3fcef"><strong title="">+</strong></td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" title="Background color : Light green 35%" data-highlight-colour="#e3fcef"><strong title="">+</strong></td><td class="highlight-#ffebe6 confluenceTd" style="text-align: center;" title="Background color : Light red 35%" data-highlight-colour="#ffebe6"><strong title="">-</strong></td></tr><tr><td class="highlight-#f4f5f7 confluenceTd" data-highlight-colour="#f4f5f7">CCR2116, CCR2216</td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" data-highlight-colour="#e3fcef"><strong title="">+</strong></td><td 
class="highlight-#e3fcef confluenceTd" style="text-align: center;" data-highlight-colour="#e3fcef"><strong title="">+</strong></td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" data-highlight-colour="#e3fcef"><strong title="">+</strong></td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" data-highlight-colour="#e3fcef"><strong title="">+</strong></td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" data-highlight-colour="#e3fcef"><strong title="">+</strong></td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" data-highlight-colour="#e3fcef"><strong title="">+</strong></td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" data-highlight-colour="#e3fcef"><strong title="">+</strong></td><td class="highlight-#ffebe6 confluenceTd" style="text-align: center;" title="Background color : Light red 35%" data-highlight-colour="#ffebe6"><strong title="">-</strong></td></tr><tr><td class="highlight-#f4f5f7 confluenceTd" title="Background colour : Light grey 100%" data-highlight-colour="#f4f5f7">CRS1xx/CRS2xx series</td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" title="Background color : Light green 35%" data-highlight-colour="#e3fcef"><strong title="">+</strong></td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" title="Background color : Light green 35%" data-highlight-colour="#e3fcef"><strong title="">+</strong></td><td class="highlight-#ffebe6 confluenceTd" style="text-align: center;" title="Background color : Light red 35%" data-highlight-colour="#ffebe6"><strong title="">-</strong></td><td class="highlight-#fffae6 confluenceTd" style="text-align: center;" title="Background color : Light yellow 35%" data-highlight-colour="#fffae6"><strong title="">+<sup><span> </span><small>2</small></sup></strong></td><td class="highlight-#fffae6 confluenceTd" style="text-align: center;" title="Background color : Light yellow 
35%" data-highlight-colour="#fffae6"><strong title="">+<span> </span><sup><small>1</small></sup></strong></td><td class="highlight-#ffebe6 confluenceTd" style="text-align: center;" title="Background color : Light red 35%" data-highlight-colour="#ffebe6"><strong title="">-</strong></td><td class="highlight-#ffebe6 confluenceTd" style="text-align: center;" title="Background color : Light red 35%" data-highlight-colour="#ffebe6"><strong title="">-</strong></td><td class="highlight-#ffebe6 confluenceTd" style="text-align: center;" title="Background color : Light red 35%" data-highlight-colour="#ffebe6"><strong title="">-</strong></td></tr><tr><td class="highlight-#f4f5f7 confluenceTd" title="Background colour : Light grey 100%" data-highlight-colour="#f4f5f7">[QCA8337]</td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" title="Background color : Light green 35%" data-highlight-colour="#e3fcef"><strong title="">+</strong></td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" title="Background color : Light green 35%" data-highlight-colour="#e3fcef"><strong title="">+</strong></td><td class="highlight-#ffebe6 confluenceTd" style="text-align: center;" title="Background color : Light red 35%" data-highlight-colour="#ffebe6"><strong title="">-</strong></td><td class="highlight-#ffebe6 confluenceTd" style="text-align: center;" title="Background color : Light red 35%" data-highlight-colour="#ffebe6"><strong title="">-</strong></td><td class="highlight-#fffae6 confluenceTd" style="text-align: center;" title="Background color : Light yellow 35%" data-highlight-colour="#fffae6"><strong title="">+<span> </span><sup><small>2</small></sup></strong></td><td class="highlight-#ffebe6 confluenceTd" style="text-align: center;" title="Background color : Light red 35%" data-highlight-colour="#ffebe6"><strong title="">-</strong></td><td class="highlight-#ffebe6 confluenceTd" style="text-align: center;" title="Background color : Light red 35%" 
data-highlight-colour="#ffebe6"><strong title="">-</strong></td><td class="highlight-#ffebe6 confluenceTd" style="text-align: center;" title="Background color : Light red 35%" data-highlight-colour="#ffebe6"><strong title="">-</strong></td></tr><tr><td class="highlight-#f4f5f7 confluenceTd" title="Background colour : Light grey 100%" data-highlight-colour="#f4f5f7">[Atheros8327]</td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" title="Background color : Light green 35%" data-highlight-colour="#e3fcef"><strong title="">+</strong></td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" title="Background color : Light green 35%" data-highlight-colour="#e3fcef"><strong title="">+</strong></td><td class="highlight-#ffebe6 confluenceTd" style="text-align: center;" title="Background color : Light red 35%" data-highlight-colour="#ffebe6"><strong title="">-</strong></td><td class="highlight-#ffebe6 confluenceTd" style="text-align: center;" title="Background color : Light red 35%" data-highlight-colour="#ffebe6"><strong title="">-</strong></td><td class="highlight-#fffae6 confluenceTd" style="text-align: center;" title="Background color : Light yellow 35%" data-highlight-colour="#fffae6"><strong title="">+<span> </span><sup><small>2</small></sup></strong></td><td class="highlight-#ffebe6 confluenceTd" style="text-align: center;" title="Background color : Light red 35%" data-highlight-colour="#ffebe6"><strong title="">-</strong></td><td class="highlight-#ffebe6 confluenceTd" style="text-align: center;" title="Background color : Light red 35%" data-highlight-colour="#ffebe6"><strong title="">-</strong></td><td class="highlight-#ffebe6 confluenceTd" style="text-align: center;" title="Background color : Light red 35%" data-highlight-colour="#ffebe6"><strong title="">-</strong></td></tr><tr><td class="highlight-#f4f5f7 confluenceTd" title="Background colour : Light grey 100%" data-highlight-colour="#f4f5f7">[Atheros8316]</td><td 
class="highlight-#e3fcef confluenceTd" style="text-align: center;" title="Background color : Light green 35%" data-highlight-colour="#e3fcef"><strong title="">+</strong></td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" title="Background color : Light green 35%" data-highlight-colour="#e3fcef"><strong title="">+</strong></td><td class="highlight-#ffebe6 confluenceTd" style="text-align: center;" title="Background color : Light red 35%" data-highlight-colour="#ffebe6"><strong title="">-</strong></td><td class="highlight-#ffebe6 confluenceTd" style="text-align: center;" title="Background color : Light red 35%" data-highlight-colour="#ffebe6"><strong title="">-</strong></td><td class="highlight-#fffae6 confluenceTd" style="text-align: center;" title="Background color : Light yellow 35%" data-highlight-colour="#fffae6"><strong title="">+<span> </span><sup><small>2</small></sup></strong></td><td class="highlight-#ffebe6 confluenceTd" style="text-align: center;" title="Background color : Light red 35%" data-highlight-colour="#ffebe6"><strong title="">-</strong></td><td class="highlight-#ffebe6 confluenceTd" style="text-align: center;" title="Background color : Light red 35%" data-highlight-colour="#ffebe6"><strong title="">-</strong></td><td class="highlight-#ffebe6 confluenceTd" style="text-align: center;" title="Background color : Light red 35%" data-highlight-colour="#ffebe6"><strong title="">-</strong></td></tr><tr><td class="highlight-#f4f5f7 confluenceTd" data-highlight-colour="#f4f5f7">[Atheros8227]</td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" data-highlight-colour="#e3fcef"><strong title="">+</strong></td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" data-highlight-colour="#e3fcef"><strong title="">+</strong></td><td class="highlight-#ffebe6 confluenceTd" style="text-align: center;" data-highlight-colour="#ffebe6"><strong title="">-</strong></td><td class="highlight-#ffebe6 
confluenceTd" style="text-align: center;" data-highlight-colour="#ffebe6"><strong title="">-</strong></td><td class="highlight-#ffebe6 confluenceTd" style="text-align: center;" data-highlight-colour="#ffebe6"><strong title="">-</strong></td><td class="highlight-#ffebe6 confluenceTd" style="text-align: center;" data-highlight-colour="#ffebe6"><strong title="">-</strong></td><td class="highlight-#ffebe6 confluenceTd" style="text-align: center;" data-highlight-colour="#ffebe6"><strong title="">-</strong></td><td class="highlight-#ffebe6 confluenceTd" style="text-align: center;" title="Background color : Light red 35%" data-highlight-colour="#ffebe6"><strong title="">-</strong></td></tr><tr><td class="highlight-#f4f5f7 confluenceTd" title="Background colour : Light grey 100%" data-highlight-colour="#f4f5f7">[Atheros7240]</td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" title="Background color : Light green 35%" data-highlight-colour="#e3fcef"><strong title="">+</strong></td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" title="Background color : Light green 35%" data-highlight-colour="#e3fcef"><strong title="">+</strong></td><td class="highlight-#ffebe6 confluenceTd" style="text-align: center;" title="Background color : Light red 35%" data-highlight-colour="#ffebe6"><strong title="">-</strong></td><td class="highlight-#ffebe6 confluenceTd" style="text-align: center;" title="Background color : Light red 35%" data-highlight-colour="#ffebe6"><strong title="">-</strong></td><td class="highlight-#ffebe6 confluenceTd" style="text-align: center;" title="Background color : Light red 35%" data-highlight-colour="#ffebe6"><strong title="">-</strong></td><td class="highlight-#ffebe6 confluenceTd" style="text-align: center;" title="Background color : Light red 35%" data-highlight-colour="#ffebe6"><strong title="">-</strong></td><td class="highlight-#ffebe6 confluenceTd" style="text-align: center;" title="Background color : Light red 
35%" data-highlight-colour="#ffebe6"><strong title="">-</strong></td><td class="highlight-#ffebe6 confluenceTd" style="text-align: center;" title="Background color : Light red 35%" data-highlight-colour="#ffebe6"><strong title="">-</strong></td></tr><tr><td class="highlight-#f4f5f7 confluenceTd" data-highlight-colour="#f4f5f7">[IPQ-PPE]</td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" data-highlight-colour="#e3fcef"><strong title="">+<sup>6</sup></strong></td><td class="highlight-#ffebe6 confluenceTd" style="text-align: center;" title="Background color : Light red 35%" data-highlight-colour="#ffebe6"><strong title="">-</strong></td><td class="highlight-#ffebe6 confluenceTd" style="text-align: center;" data-highlight-colour="#ffebe6"><strong title="">-</strong></td><td class="highlight-#ffebe6 confluenceTd" style="text-align: center;" data-highlight-colour="#ffebe6"><strong title="">-</strong></td><td class="highlight-#ffebe6 confluenceTd" style="text-align: center;" data-highlight-colour="#ffebe6"><strong title="">-</strong></td><td class="highlight-#ffebe6 confluenceTd" style="text-align: center;" data-highlight-colour="#ffebe6"><strong title="">-</strong></td><td class="highlight-#ffebe6 confluenceTd" style="text-align: center;" data-highlight-colour="#ffebe6"><strong title="">-</strong></td><td class="highlight-#ffebe6 confluenceTd" style="text-align: center;" title="Background color : Light red 35%" data-highlight-colour="#ffebe6"><strong title="">-</strong></td></tr><tr><td class="highlight-#f4f5f7 confluenceTd" title="Background colour : Light grey 100%" data-highlight-colour="#f4f5f7">[ICPlus175D]</td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" title="Background color : Light green 35%" data-highlight-colour="#e3fcef"><strong title="">+</strong></td><td class="highlight-#ffebe6 confluenceTd" style="text-align: center;" title="Background color : Light red 35%" data-highlight-colour="#ffebe6"><strong 
title="">-</strong></td><td class="highlight-#ffebe6 confluenceTd" style="text-align: center;" title="Background color : Light red 35%" data-highlight-colour="#ffebe6"><strong title="">-</strong></td><td class="highlight-#ffebe6 confluenceTd" style="text-align: center;" title="Background color : Light red 35%" data-highlight-colour="#ffebe6"><strong title="">-</strong></td><td class="highlight-#ffebe6 confluenceTd" style="text-align: center;" title="Background color : Light red 35%" data-highlight-colour="#ffebe6"><strong title="">-</strong></td><td class="highlight-#ffebe6 confluenceTd" style="text-align: center;" title="Background color : Light red 35%" data-highlight-colour="#ffebe6"><strong title="">-</strong></td><td class="highlight-#ffebe6 confluenceTd" style="text-align: center;" title="Background color : Light red 35%" data-highlight-colour="#ffebe6"><strong title="">-</strong></td><td class="highlight-#ffebe6 confluenceTd" style="text-align: center;" title="Background color : Light red 35%" data-highlight-colour="#ffebe6"><strong title="">-</strong></td></tr><tr><td class="highlight-#f4f5f7 confluenceTd" data-highlight-colour="#f4f5f7">[MT7621, MT7531]</td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" data-highlight-colour="#e3fcef"><strong title="">+</strong></td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" data-highlight-colour="#e3fcef"><strong title="">+ <sup>3</sup></strong></td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" data-highlight-colour="#e3fcef"><strong title="">+ <sup>3</sup></strong></td><td class="highlight-#ffebe6 confluenceTd" style="text-align: center;" data-highlight-colour="#ffebe6"><strong title="">-</strong></td><td class="highlight-#ffebe6 confluenceTd" style="text-align: center;" data-highlight-colour="#ffebe6"><strong title="">-</strong></td><td class="highlight-#fffae6 confluenceTd" style="text-align: center;" data-highlight-colour="#fffae6"><strong 
title="">+ <sup>3</sup></strong></td><td class="highlight-#ffebe6 confluenceTd" style="text-align: center;" data-highlight-colour="#ffebe6"><strong title="">-</strong></td><td class="highlight-#ffebe6 confluenceTd" style="text-align: center;" title="Background color : Light red 35%" data-highlight-colour="#ffebe6"><strong title="">-</strong></td></tr><tr><td class="highlight-#f4f5f7 confluenceTd" data-highlight-colour="#f4f5f7">[RTL8367]</td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" data-highlight-colour="#e3fcef"><strong title="">+</strong></td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" data-highlight-colour="#e3fcef"><strong title="">+ <sup>3</sup></strong></td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" data-highlight-colour="#e3fcef"><strong title="">+ <sup>3</sup></strong></td><td class="highlight-#ffebe6 confluenceTd" style="text-align: center;" data-highlight-colour="#ffebe6"><strong title="">-</strong></td><td class="highlight-#ffebe6 confluenceTd" style="text-align: center;" data-highlight-colour="#ffebe6"><strong title="">-</strong></td><td class="highlight-#fffae6 confluenceTd" style="text-align: center;" data-highlight-colour="#fffae6"><strong title="">+ <sup>3</sup></strong></td><td class="highlight-#ffebe6 confluenceTd" style="text-align: center;" data-highlight-colour="#ffebe6"><strong title="">-</strong></td><td class="highlight-#ffebe6 confluenceTd" style="text-align: center;" title="Background color : Light red 35%" data-highlight-colour="#ffebe6"><strong title="">-</strong></td></tr><tr><td class="highlight-#f4f5f7 confluenceTd" data-highlight-colour="#f4f5f7"><p>[88E6393X, <span style="color: rgb(23,43,77);">88E6191X, 88E6190</span>]</p></td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" title="Background color : Light green 35%" data-highlight-colour="#e3fcef"><strong>+</strong></td><td class="highlight-#e3fcef confluenceTd" 
style="text-align: center;" title="Background color : Light green 35%" data-highlight-colour="#e3fcef"><strong>+</strong></td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" title="Background color : Light green 35%" data-highlight-colour="#e3fcef"><strong>+</strong></td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" title="Background color : Light green 35%" data-highlight-colour="#e3fcef"><strong>+</strong></td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" title="Background color : Light green 35%" data-highlight-colour="#e3fcef"><strong>+</strong></td><td class="highlight-#fffae6 confluenceTd" style="text-align: center;" title="Background color : Light yellow 35%" data-highlight-colour="#fffae6"><strong><strong title="">+ <sup>3</sup></strong></strong></td><td class="highlight-#e3fcef confluenceTd" style="text-align: center;" title="Background color : Light green 35%" data-highlight-colour="#e3fcef"><strong>+ <sup>7</sup></strong></td><td class="highlight-#ffebe6 confluenceTd" style="text-align: center;" title="Background color : Light red 35%" data-highlight-colour="#ffebe6"><strong title="">-</strong></td></tr></tbody></table></div><p>Footnotes:</p><ol><li>The feature will not work properly in VLAN switching setups. It is possible to correctly snoop DHCP packets only for a single VLAN, but this requires that these DHCP messages get tagged with the correct VLAN tag using an ACL rule, for example,<span style="color: rgb(51,153,102);"> <code>/interface ethernet switch acl add dst-l3-port=67-68 ip-protocol=udp mac-protocol=ip new-customer-vid=10 src-ports=switch1-cpu</code></span>. DHCP Option 82 will not contain any information regarding VLAN-ID.</li><li>The feature will not work properly in VLAN switching setups.</li><li>The HW vlan-filtering and R/M/STP was added in the RouterOS 7.1rc1 (for RTL8367) and 7.1rc5 (for MT7621) versions. 
The switch does not support the other ether-type values 0x88a8 or 0x9100 (only 0x8100 is supported), nor tag-stacking. Using these features will disable HW offload.</li><li>The HW offloading will be disabled only for the specific bridge port, not the entire bridge.</li><li>Only <code><span style="color: rgb(51,153,102);">802.3ad</span></code> and <code><span style="color: rgb(51,153,102);">balance-xor</span></code> modes can be HW offloaded. Other bonding modes do not support HW offloading.</li><li>Currently, HW offloaded bridge support for the IPQ-PPE switch chip is still a work in progress. We recommend using the default, non-HW offloaded bridge (enabled RSTP).</li><li>The <code><span style="color: rgb(51,153,102);">802.3ad</span></code> mode is compatible only with an R/M/STP enabled bridge.</li></ol><p><br/></p><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>When upgrading from older versions (before RouterOS v6.41), only the<span> </span>master-port<span> </span>configuration is converted. For each<span> </span>master-port<span> </span>a bridge will be created. VLAN configuration is not converted and should not be changed; check the<span> </span><a href="https://help.mikrotik.com/docs/display/ROS/Basic+VLAN+switching" rel="nofollow">Basic VLAN switching</a><span> </span>guide to be sure how VLAN switching should be configured for your device.</p></div></div><p>Bridge Hardware Offloading should be considered as port switching, but with more possible features. By enabling hardware offloading you are allowing a built-in switch chip to process packets using its switching logic. 
The diagram below illustrates that switching occurs before any software related action.</p><p><span class="confluence-embedded-file-wrapper image-center-wrapper"><img class="confluence-embedded-image image-center" draggable="false" src="https://help.mikrotik.com/docs/download/attachments/328068/image2022-2-14_14-57-37.png?version=1&modificationDate=1644843359301&api=v2" data-image-src="https://help.mikrotik.com/docs/download/attachments/328068/image2022-2-14_14-57-37.png?version=1&modificationDate=1644843359301&api=v2" data-unresolved-comment-count="0" data-linked-resource-id="108789762" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="image2022-2-14_14-57-37.png" data-base-url="https://help.mikrotik.com/docs" data-linked-resource-content-type="image/png" data-linked-resource-container-id="328068" data-linked-resource-container-version="117" alt=""></span></p><p>A packet that is received by one of the ports always passes through the switch logic first. The switch logic decides which ports the packet should go to (most commonly this decision is based on the destination MAC address of the packet, but other criteria might be involved depending on the packet and the configuration). In most cases the packet will not be visible to RouterOS (only statistics will show that a packet has passed through), because the packet was already processed by the switch chip and never reached the CPU.</p><p>In certain situations it is possible to allow a packet to be processed by the CPU; this is usually called packet forwarding to the switch CPU port (or to the bridge interface in a bridge VLAN filtering scenario). This allows the CPU to process and forward the packet. Passing the packet to the CPU port will give you the opportunity to route packets to different networks, perform traffic control and other software related packet processing actions. 
To allow a packet to be processed by the CPU, you need to make certain configuration changes depending on your needs and on the device you are using (most commonly, passing packets to the CPU is required for VLAN filtering setups). Check the manual page for your specific device:</p><ul><li><a href="https://help.mikrotik.com/docs/pages/viewpage.action?pageId=103841836" rel="nofollow">CRS1xx/2xx series switches</a></li><li><a href="https://help.mikrotik.com/docs/display/ROS/CRS3xx%2C+CRS5xx%2C+CCR2116%2C+CCR2216+switch+chip+features" rel="nofollow">CRS3xx, CRS5xx series switches and CCR2116, CCR2216 routers</a></li><li><a href="https://help.mikrotik.com/docs/display/ROS/Switch+Chip+Features" rel="nofollow">non-CRS series switches</a></li></ul><div class="confluence-information-macro confluence-information-macro-warning"><span class="aui-icon aui-icon-small aui-iconfont-error confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p><span style="color: rgb(13,13,13);letter-spacing: 0.0px;">Certain bridge and Ethernet port properties are directly related to switch chip settings. Changing such properties can trigger a</span><strong style="color: rgb(13,13,13);letter-spacing: 0.0px;"> switch chip reset</strong><span style="color: rgb(13,13,13);letter-spacing: 0.0px;">, temporarily disabling all Ethernet ports that are on the switch chip for the settings to take effect. This must be taken into account whenever changing properties in production environments. Such properties include DHCP Snooping, IGMP Snooping, VLAN filtering, L2MTU, Flow Control, and others. 
The exact settings that can trigger a switch chip reset depend on the device's model.</span></p></div></div><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>The <a href="https://help.mikrotik.com/docs/pages/viewpage.action?pageId=103841835#CRS1xx/2xxseriesswitches-Multipleswitchgroups" rel="nofollow">CRS1xx/2xx series switches</a> support multiple hardware offloaded bridges per switch chip. All other devices support only one hardware offloaded bridge per switch chip. Use the hw=yes/no parameter to select which bridge will use hardware offloading. </p></div></div><h2 id="BridgingandSwitching-Example.2"><span class="mw-headline">Example</span></h2><p>Port switching with bridge configuration and enabled hardware offloading:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether2 hw=yes
add bridge=bridge1 interface=ether3 hw=yes
add bridge=bridge1 interface=ether4 hw=yes
add bridge=bridge1 interface=ether5 hw=yes</pre>
</div></div><p>Make sure that hardware offloading is enabled and active by checking the "H" flag:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@MikroTik] /interface bridge port print
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload
# INTERFACE BRIDGE HW PVID PRIORITY PATH-COST INTERNAL-PATH-COST HORIZON
0 H ether2 bridge1 yes 1 0x80 10 10 none
1 H ether3 bridge1 yes 1 0x80 10 10 none
2 H ether4 bridge1 yes 1 0x80 10 10 none
3 H ether5 bridge1 yes 1 0x80 10 10 none</pre>
</div></div><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>Port switching in RouterOS v6.41 and newer is done using the bridge configuration. Prior to RouterOS v6.41 port switching was done using the<span> </span>master-port<span> </span>property.</p></div></div><h1 id="BridgingandSwitching-BridgeVLANFiltering"><span class="mw-headline">Bridge VLAN Filtering</span></h1><hr/><p><span style="color: rgb(13,13,13);">Bridge VLAN Filtering provides VLAN-aware Layer 2 forwarding and VLAN tag modifications within the bridge. This set of features makes bridge operation more similar to a traditional Ethernet switch and allows overcoming Spanning Tree compatibility issues compared to the configuration when VLAN interfaces are bridged. Bridge VLAN Filtering configuration is highly recommended to comply with STP (IEEE 802.1D), RSTP (IEEE 802.1W) standards and is mandatory to enable MSTP (IEEE 802.1s) support in RouterOS.</span></p><p><span style="letter-spacing: 0.0px;">The main VLAN setting is</span><span style="letter-spacing: 0.0px;"> </span><span style="color: rgb(51,153,102);"><code>vlan-filtering</code></span><span style="letter-spacing: 0.0px;"> </span><span style="letter-spacing: 0.0px;">which globally controls VLAN-awareness and VLAN tag processing in the bridge. If</span><span style="letter-spacing: 0.0px;"> </span><span style="color: rgb(51,153,102);"><code>vlan-filtering=no</code></span><span style="letter-spacing: 0.0px;"> is configured, the bridge ignores VLAN tags, works in a shared-VLAN-learning (SVL) mode, and cannot modify VLAN tags of packets. 
Turning on</span><span style="letter-spacing: 0.0px;"> </span><span style="color: rgb(51,153,102);"><code>vlan-filtering</code></span><span style="letter-spacing: 0.0px;"> </span><span style="letter-spacing: 0.0px;">enables all bridge VLAN related functionality and independent-VLAN-learning (IVL) mode. Besides joining the ports for Layer2 forwarding, the bridge itself is also an interface therefore it has Port VLAN ID (pvid).</span></p><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>Currently, CRS3xx, CRS5xx series switches, CCR2116, CCR2216 routers and <span style="color: rgb(23,43,77);">RTL8367, 88E6393X, 88E6191X, 88E6190, MT7621 and MT7531 </span>switch chips (since RouterOS v7) are capable of using bridge VLAN filtering and hardware offloading at the same time, other devices will not be able to use the benefits of a built-in switch chip when bridge VLAN filtering is enabled. Other devices should be configured according to the method described in the<span> </span><a href="https://help.mikrotik.com/docs/display/ROS/Basic+VLAN+switching" rel="nofollow">Basic VLAN switching</a><span> </span>guide. If an improper configuration method is used, your device can cause throughput issues in your network.</p></div></div><h2 id="BridgingandSwitching-BridgeVLANtable">Bridge VLAN table</h2><p>Bridge VLAN table represents per-VLAN port mapping with an egress VLAN tag action.<span> The </span><span style="color: rgb(51,153,102);"><code>tagged</code> </span>ports send out frames with a corresponding VLAN ID tag.<span> The </span><span style="color: rgb(51,153,102);"><code>untagged</code> </span>ports remove a VLAN tag before sending out frames. 
Bridge ports with <span style="color: rgb(51,153,102);"><code>frame-types</code></span> set to <code><span style="color: rgb(51,153,102);">admit-all</span></code> or <span style="color: rgb(51,153,102);"><code>admit-only-untagged-and-priority-tagged</code></span> will be automatically added as untagged ports for the <span style="color: rgb(51,153,102);"><code>pvid</code></span> VLAN.</p><p><strong>Sub-menu:</strong><span> </span><code>/interface bridge vlan</code></p><div class="table-wrap"><table class="wrapped confluenceTable"><colgroup><col/><col/></colgroup><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>bridge</strong><span> </span>(<em>name</em>; Default:<span> </span><strong>none</strong>)</td><td class="confluenceTd">The bridge interface which the respective VLAN entry is intended for.</td></tr><tr><td class="confluenceTd"><strong>disabled</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">Enables or disables Bridge VLAN entry.</td></tr><tr><td class="confluenceTd"><strong>tagged</strong><span> </span>(<em>interfaces</em>; Default:<span> </span><strong>none</strong>)</td><td class="confluenceTd">Interface list with a VLAN tag adding action in egress. This setting accepts comma-separated values. e.g.<span> </span><code><span style="color: rgb(51,153,102);">tagged</span>=ether1,ether2</code>.</td></tr><tr><td class="confluenceTd"><strong>untagged</strong><span> </span>(<em>interfaces</em>; Default:<span> </span><strong>none</strong>)</td><td class="confluenceTd">Interface list with a VLAN tag removing action in egress. This setting accepts comma-separated values. 
e.g.<span> </span><code><span style="color: rgb(51,153,102);">untagged</span>=ether3,ether4</code></td></tr><tr><td class="confluenceTd"><strong>vlan-ids</strong><span> </span>(<em>integer 1..4094</em>; Default:<span> </span><strong>1</strong>)</td><td class="confluenceTd">The list of VLAN IDs for certain port configuration. This setting accepts VLAN ID ranges as well as comma-separated values, e.g.<span> </span><code><span style="color: rgb(51,153,102);">vlan-ids</span>=100-115,120,122,128-130</code>.</td></tr></tbody></table></div><div class="confluence-information-macro confluence-information-macro-warning"><span class="aui-icon aui-icon-small aui-iconfont-error confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>The<span> </span><code><span style="color: rgb(51,153,102);">vlan-ids</span></code><span> </span>parameter can be used to specify a set or range of VLANs, but specifying multiple VLANs in a single bridge VLAN table entry should only be used for ports that are tagged ports. If multiple VLANs are specified for access ports, tagged packets might get sent out as untagged packets through the wrong access port, regardless of the<span> </span>PVID<span> </span>value.</p></div></div><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>Make sure you have added all needed interfaces to the bridge VLAN table when using bridge VLAN filtering. For routing functions to work properly on the same device through ports that use bridge VLAN filtering, you will need to allow access to the bridge interface (this automatically includes a switch-cpu port when HW offloaded vlan-filtering is used, e.g. 
on CRS3xx series switches). This can be done by adding the bridge interface itself to the VLAN table; for tagged traffic you will need to add the bridge interface as a tagged port and create a VLAN interface on the bridge interface. Examples can be found in the inter-VLAN routing and<span> </span>Management port<span> </span>sections.</p></div></div><div class="confluence-information-macro confluence-information-macro-warning"><span class="aui-icon aui-icon-small aui-iconfont-error confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>When allowing access to the CPU, you are allowing access from a certain port to the actual router/switch, which is not always desirable. Make sure you implement proper firewall filter rules to secure your device when access to the CPU is allowed from a certain VLAN ID and port; use firewall filter rules to allow access to only certain services.</p></div></div><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>Improperly configured bridge VLAN filtering can cause security issues. Make sure you fully understand how the<span> </span><a href="https://help.mikrotik.com/docs/display/ROS/Bridge+VLAN+Table" rel="nofollow">Bridge VLAN table</a><span> </span>works before deploying your device into production environments.</p></div></div><h2 id="BridgingandSwitching-Bridgeportsettings"><span class="mw-headline">Bridge port settings</span></h2><p><span class="mw-headline">Each bridge port has multiple VLAN-related settings that can change untagged VLAN membership, VLAN tagging/untagging behavior and packet filtering based on VLAN tag presence.</span></p><p><span class="mw-headline"><strong>Sub-menu:</strong><span> </span><code>/interface bridge port</code></span></p><div class="table-wrap"><table class="relative-table wrapped 
confluenceTable" style="width: 100.0%;"><colgroup><col style="width: 22.8505%;"/><col style="width: 77.1495%;"/></colgroup><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>frame-types</strong><span> </span>(<em>admit-all | admit-only-untagged-and-priority-tagged | admit-only-vlan-tagged</em>; Default:<span> </span><strong>admit-all</strong>)</td><td class="confluenceTd">Specifies allowed ingress frame types on a bridge port. This property only has an effect when<span> </span><span style="color: rgb(51,153,102);"><code>vlan-filtering</code></span><span> </span>is set to<span> </span><span style="color: rgb(51,153,102);"><code>yes</code></span>.</td></tr><tr><td class="confluenceTd"><strong>ingress-filtering</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>yes</strong>)</td><td class="confluenceTd">Enables or disables VLAN ingress filtering, which checks if the ingress port is a member of the received VLAN ID in the bridge VLAN table. Should be used with<span> </span><span style="color: rgb(51,153,102);"><code>frame-types</code></span><span> </span>to specify if the ingress traffic should be tagged or untagged. This property only has effect when<span> </span><span style="color: rgb(51,153,102);"><code>vlan-filtering</code></span><span> </span>is set to<span> </span><span style="color: rgb(51,153,102);"><code>yes</code></span>. The setting is enabled by default since RouterOS v7.</td></tr><tr><td class="confluenceTd"><strong>pvid</strong><span> </span>(<em>integer 1..4094</em>; Default:<span> </span><strong>1</strong>)</td><td class="confluenceTd">Port VLAN ID (pvid) specifies which VLAN the untagged ingress traffic is assigned to. 
This property only has an effect when<span> </span><span style="color: rgb(51,153,102);"><code>vlan-filtering</code></span><span> </span>is set to<span> </span><span style="color: rgb(51,153,102);"><code>yes</code></span>.</td></tr><tr><td class="confluenceTd"><strong>tag-stacking</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">Forces all packets to be treated as untagged packets. Packets on ingress port will be tagged with another VLAN tag regardless if a VLAN tag already exists, packets will be tagged with a VLAN ID that matches the<span> </span><span style="color: rgb(51,153,102);"><code>pvid </code></span>value and will use EtherType that is specified in<span> </span><span style="color: rgb(51,153,102);"><code>ether-type</code></span>. This property only has effect when<span> </span><span style="color: rgb(51,153,102);"><code>vlan-filtering</code></span><span> </span>is set to<span> </span><span style="color: rgb(51,153,102);"><code>yes</code></span>.</td></tr></tbody></table></div><h2 id="BridgingandSwitching-Bridgehosttable">Bridge host table</h2><p>Bridge host table allows monitoring learned MAC addresses. When<span> </span><span style="color: rgb(51,153,102);"><code>vlan-filtering</code></span><span> </span>is enabled, it shows learned VLAN ID as well (enabled independent-VLAN-learning or IVL).</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@MikroTik] > /interface bridge host print where !local
Flags: X - disabled, I - invalid, D - dynamic, L - local, E - external
# MAC-ADDRESS VID ON-INTERFACE BRIDGE
0 D CC:2D:E0:E4:B3:AA 300 ether3 bridge1
1 D CC:2D:E0:E4:B3:AB 400 ether4 bridge1</pre>
</div></div><h2 id="BridgingandSwitching-VLANExample-TrunkandAccessPorts"><span class="mw-headline">VLAN Example - Trunk and Access Ports</span></h2><p><span class="confluence-embedded-file-wrapper image-center-wrapper"><img class="confluence-embedded-image image-center" draggable="false" src="https://help.mikrotik.com/docs/download/attachments/328068/access_ports.png?version=2&modificationDate=1626780195564&api=v2" data-image-src="https://help.mikrotik.com/docs/download/attachments/328068/access_ports.png?version=2&modificationDate=1626780195564&api=v2" data-unresolved-comment-count="0" data-linked-resource-id="76939371" data-linked-resource-version="2" data-linked-resource-type="attachment" data-linked-resource-default-alias="access_ports.png" data-base-url="https://help.mikrotik.com/docs" data-linked-resource-content-type="image/png" data-linked-resource-container-id="328068" data-linked-resource-container-version="117" alt=""></span></p><p>Create a bridge with disabled<span> </span><span style="color: rgb(51,153,102);"><code>vlan-filtering</code></span><span> </span>to avoid losing access to the device before VLANs are completely configured. If you need management access to the bridge, see the <a href="https://help.mikrotik.com/docs/display/ROS/Bridging+and+Switching#BridgingandSwitching-Managementaccessconfiguration" rel="nofollow">Management access configuration</a> section.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface bridge
add name=bridge1 vlan-filtering=no</pre>
</div></div><p>Add bridge ports and specify<span> </span><span style="color: rgb(51,153,102);"><code>pvid</code> </span>for access ports to assign their untagged traffic to the intended VLAN. Use the <span style="color: rgb(51,153,102);"><code>frame-types</code></span> setting to accept only tagged or untagged packets.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface bridge port
add bridge=bridge1 interface=ether2 frame-types=admit-only-vlan-tagged
add bridge=bridge1 interface=ether6 pvid=200 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether7 pvid=300 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether8 pvid=400 frame-types=admit-only-untagged-and-priority-tagged</pre>
</div></div><p>Add Bridge VLAN entries and specify tagged ports in them. <span style="color: rgb(51,51,51);">Bridge ports with </span><span style="color: rgb(51,153,102);"><code>frame-types</code></span><span style="color: rgb(51,51,51);"> set to </span><span style="color: rgb(51,153,102);"><code>admit-only-untagged-and-priority-tagged</code></span><span style="color: rgb(51,51,51);"> will be automatically added as untagged ports for the </span><span style="color: rgb(51,153,102);"><code>pvid</code></span><span style="color: rgb(51,51,51);"> VLAN.</span></p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface bridge vlan
add bridge=bridge1 tagged=ether2 vlan-ids=200
add bridge=bridge1 tagged=ether2 vlan-ids=300
add bridge=bridge1 tagged=ether2 vlan-ids=400</pre>
</div></div><p>In the end, when VLAN configuration is complete, enable Bridge VLAN Filtering.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface bridge set bridge1 vlan-filtering=yes </pre>
</div></div><p>An optional step is to set <span style="color: rgb(51,153,102);"><code>frame-types=admit-only-vlan-tagged</code></span> on the bridge interface in order to disable the default untagged VLAN 1 (<code><span style="color: rgb(51,153,102);">pvid=1</span></code>).</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface bridge set bridge1 frame-types=admit-only-vlan-tagged</pre>
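<p>An added example (not MikroTik's code): a Python audit of an exported bridge configuration that applies the warnings from the Bridge VLAN table section and the optional step above. It assumes a single bridge and an export with one <code>add</code> item per line without line continuations; the function names, finding labels and <code>RISKY_CONFIG</code> are constructed for illustration.</p>

```python
import shlex
from collections import defaultdict

# The Trunk and Access Ports configuration from this section, all steps applied.
PAGE_CONFIG = """\
/interface bridge
add name=bridge1 vlan-filtering=yes frame-types=admit-only-vlan-tagged
/interface bridge port
add bridge=bridge1 interface=ether2 frame-types=admit-only-vlan-tagged
add bridge=bridge1 interface=ether6 pvid=200 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether7 pvid=300 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether8 pvid=400 frame-types=admit-only-untagged-and-priority-tagged
/interface bridge vlan
add bridge=bridge1 tagged=ether2 vlan-ids=200
add bridge=bridge1 tagged=ether2 vlan-ids=300
add bridge=bridge1 tagged=ether2 vlan-ids=400
"""

# Constructed variant containing the mistakes the page's warnings describe.
RISKY_CONFIG = """\
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface bridge port
add bridge=bridge1 interface=ether2 frame-types=admit-only-vlan-tagged
add bridge=bridge1 interface=ether6 pvid=200 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether7 pvid=300 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether8 pvid=400 ingress-filtering=no
/interface bridge vlan
add bridge=bridge1 tagged=ether2 untagged=ether6,ether7 vlan-ids=500-501
add bridge=bridge1 tagged=bridge1,ether2 vlan-ids=99
"""

# frame-types values that make a port an automatic untagged member of its pvid VLAN
AUTO_UNTAGGED = {"admit-all", "admit-only-untagged-and-priority-tagged"}


def parse_export(text):
    """Return {menu path: [property dict per 'add' line]}."""
    menus, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("/"):
            current = menus.setdefault(line, [])
        elif line.startswith("add ") and current is not None:
            tokens = shlex.split(line)[1:]
            current.append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return menus


def expand_vlan_ids(spec):
    """'100-115,120' -> set of integer VLAN IDs."""
    ids = set()
    for part in spec.split(","):
        low, _, high = part.partition("-")
        ids.update(range(int(low), int(high or low) + 1))
    return ids


def effective_membership(cfg):
    """VLAN ID -> tagged/untagged port sets: static entries plus pvid auto-membership."""
    table = defaultdict(lambda: {"tagged": set(), "untagged": set()})
    for entry in cfg.get("/interface bridge vlan", []):
        for vid in expand_vlan_ids(entry.get("vlan-ids", "1")):
            for kind in ("tagged", "untagged"):
                table[vid][kind].update(n for n in entry.get(kind, "").split(",") if n)
    # Bridge ports and the bridge interface itself default to pvid=1, admit-all.
    members = [(p["interface"], p) for p in cfg.get("/interface bridge port", [])]
    members += [(b["name"], b) for b in cfg.get("/interface bridge", [])]
    for name, props in members:
        if props.get("frame-types", "admit-all") in AUTO_UNTAGGED:
            table[int(props.get("pvid", "1"))]["untagged"].add(name)
    return table


def audit(text):
    """Return (finding, subject) tuples for the settings the page warns about."""
    cfg = parse_export(text)
    bridges = cfg.get("/interface bridge", [])
    findings = [("vlan-filtering-off", b["name"]) for b in bridges
                if b.get("vlan-filtering", "no") != "yes"]
    findings += [("ingress-filtering-off", p["interface"])
                 for p in cfg.get("/interface bridge port", [])
                 if p.get("ingress-filtering", "yes") == "no"]
    for entry in cfg.get("/interface bridge vlan", []):
        # Several VLAN IDs in one entry are only safe when all ports are tagged.
        many = len(expand_vlan_ids(entry.get("vlan-ids", "1"))) > 1
        if many and entry.get("untagged"):
            findings.append(("multi-vlan-untagged", entry["vlan-ids"]))
    bridge_names = {b["name"] for b in bridges}
    for vid, ports in sorted(effective_membership(cfg).items()):
        # The bridge interface as a member means this VLAN reaches the CPU.
        if not bridge_names.isdisjoint(ports["tagged"] | ports["untagged"]):
            findings.append(("cpu-reachable", vid))
    return findings


if __name__ == "__main__":
    print(audit(PAGE_CONFIG), audit(RISKY_CONFIG))
```

<p>A <code>cpu-reachable</code> finding is not necessarily a mistake: per the warning above, it marks the VLANs for which firewall filter rules should restrict access to the device itself.</p>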
</div></div><h2 id="BridgingandSwitching-VLANExample-TrunkandHybridPorts">VLAN Example - Trunk and Hybrid Ports</h2><p><span class="confluence-embedded-file-wrapper image-center-wrapper"><img class="confluence-embedded-image image-center" draggable="false" src="https://help.mikrotik.com/docs/download/attachments/328068/hybrid_ports.png?version=2&modificationDate=1626780214236&api=v2" data-image-src="https://help.mikrotik.com/docs/download/attachments/328068/hybrid_ports.png?version=2&modificationDate=1626780214236&api=v2" data-unresolved-comment-count="0" data-linked-resource-id="76939372" data-linked-resource-version="2" data-linked-resource-type="attachment" data-linked-resource-default-alias="hybrid_ports.png" data-base-url="https://help.mikrotik.com/docs" data-linked-resource-content-type="image/png" data-linked-resource-container-id="328068" data-linked-resource-container-version="117" alt=""></span></p><p>Create a bridge with disabled<span style="letter-spacing: 0.0px;"> </span><span style="color: rgb(51,153,102);"><code style="letter-spacing: 0.0px;">vlan-filtering</code></span><span style="letter-spacing: 0.0px;"> </span><span style="letter-spacing: 0.0px;">to avoid losing access to the router before VLANs are completely configured. If you need management access to the bridge, see the <a href="https://help.mikrotik.com/docs/display/ROS/Bridging+and+Switching#BridgingandSwitching-Managementaccessconfiguration" rel="nofollow">Management access configuration</a> section.</span><span style="font-size: 20.0px;letter-spacing: -0.008em;"><br/></span></p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface bridge
add name=bridge1 vlan-filtering=no</pre>
</div></div><p>Add bridge ports and specify<span> </span><span style="color: rgb(51,153,102);"><code>pvid</code> </span>on hybrid VLAN ports to assign untagged traffic to the intended VLAN. Use the <span style="color: rgb(51,153,102);"><code>frame-types</code></span> setting to accept only tagged packets on ether2.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface bridge port
add bridge=bridge1 interface=ether2 frame-types=admit-only-vlan-tagged
add bridge=bridge1 interface=ether6 pvid=200
add bridge=bridge1 interface=ether7 pvid=300
add bridge=bridge1 interface=ether8 pvid=400</pre>
</div></div><p>Add Bridge VLAN entries and specify tagged ports in them. In this example, egress VLAN tagging is also done on the ether6, ether7, and ether8 ports, making them hybrid ports. <span style="color: rgb(51,51,51);">Bridge ports with </span><span style="color: rgb(51,153,102);"><code>frame-types</code></span><span style="color: rgb(51,51,51);"> set to </span><code><span style="color: rgb(51,153,102);">admit-all</span></code><span style="color: rgb(51,51,51);"> will be automatically added as untagged ports for the </span><span style="color: rgb(51,153,102);"><code>pvid</code></span><span style="color: rgb(51,51,51);"> VLAN.</span></p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface bridge vlan
add bridge=bridge1 tagged=ether2,ether7,ether8 vlan-ids=200
add bridge=bridge1 tagged=ether2,ether6,ether8 vlan-ids=300
add bridge=bridge1 tagged=ether2,ether6,ether7 vlan-ids=400</pre>
</div></div><p>In the end, when VLAN configuration is complete, enable Bridge VLAN Filtering.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface bridge set bridge1 vlan-filtering=yes </pre>
</div></div><p>An optional step is to set <span style="color: rgb(51,153,102);"><code>frame-types=admit-only-vlan-tagged</code></span> on the bridge interface to disable the default untagged VLAN 1 (<code><span style="color: rgb(51,153,102);">pvid=1</span></code>).</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface bridge set bridge1 frame-types=admit-only-vlan-tagged</pre>
</div></div><div class="confluence-information-macro confluence-information-macro-warning"><span class="aui-icon aui-icon-small aui-iconfont-error confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>You don't have to add access ports as untagged ports, because they will be added dynamically as an untagged port with the VLAN ID that is specified in<span style="color: rgb(51,153,102);"><code> pvid</code></span>; you can specify just the trunk port as a tagged port. All ports that have the same<span style="color: rgb(51,153,102);"><code> pvid </code></span>set will be added as untagged ports in a single entry. You must take into account that the bridge itself is a port and it also has a<span style="color: rgb(51,153,102);"><code> pvid </code></span>value, which means that the bridge port will also be added as an untagged port for the ports that have the same <span style="color: rgb(51,153,102);"><code>pvid</code></span>. You can circumvent this behavior either by setting a different <span style="color: rgb(51,153,102);"><code>pvid</code> </span>on all ports (even the trunk port and the bridge itself), or by setting <span style="color: rgb(51,153,102);"><code>frame-types</code></span> to <span style="color: rgb(51,153,102);"><code>admit-only-vlan-tagged</code></span>.</p></div></div><h2 id="BridgingandSwitching-VLANExample-InterVLANRoutingbyBridge"><span class="mw-headline">VLAN Example - InterVLAN Routing by Bridge</span></h2><p><span class="mw-headline"><span class="confluence-embedded-file-wrapper image-center-wrapper"><img class="confluence-embedded-image image-center" draggable="false" src="https://help.mikrotik.com/docs/download/attachments/328068/vlan_routing.png?version=2&modificationDate=1626780264836&api=v2" data-image-src="https://help.mikrotik.com/docs/download/attachments/328068/vlan_routing.png?version=2&modificationDate=1626780264836&api=v2" data-unresolved-comment-count="0" data-linked-resource-id="76939373" 
data-linked-resource-version="2" data-linked-resource-type="attachment" data-linked-resource-default-alias="vlan_routing.png" data-base-url="https://help.mikrotik.com/docs" data-linked-resource-content-type="image/png" data-linked-resource-container-id="328068" data-linked-resource-container-version="117" alt=""></span><br/></span></p><p>Create a bridge with disabled<span> </span><span style="color: rgb(51,153,102);"><code>vlan-filtering</code></span><span> </span>to avoid losing access to the router before VLANs are completely configured. <span> If you need management access to the bridge, see the <a href="https://help.mikrotik.com/docs/display/ROS/Bridging+and+Switching#BridgingandSwitching-Managementaccessconfiguration" rel="nofollow">Management access configuration</a> section.</span></p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface bridge
add name=bridge1 vlan-filtering=no</pre>
</div></div><p><span style="letter-spacing: 0.0px;">Add bridge ports and specify</span><span style="letter-spacing: 0.0px;"> </span><span style="color: rgb(51,153,102);"><code style="letter-spacing: 0.0px;">pvid</code><span style="letter-spacing: 0.0px;"> </span></span><span style="letter-spacing: 0.0px;">for VLAN access ports to assign their untagged traffic to the intended VLAN. Use the <span style="color: rgb(51,153,102);"><code>frame-types</code></span> setting to accept only untagged packets.</span></p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface bridge port
add bridge=bridge1 interface=ether6 pvid=200 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether7 pvid=300 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether8 pvid=400 frame-types=admit-only-untagged-and-priority-tagged</pre>
</div></div><p><span style="letter-spacing: 0.0px;">Add Bridge VLAN entries and specify tagged ports in them. In this example</span><span style="letter-spacing: 0.0px;"> </span><strong style="letter-spacing: 0.0px;">bridge1</strong><span style="letter-spacing: 0.0px;"> </span><span style="letter-spacing: 0.0px;">interface is the VLAN trunk that will send traffic further to do InterVLAN routing. <span style="color: rgb(51,51,51);">Bridge ports with </span><span style="color: rgb(51,153,102);"><code>frame-types</code></span><span style="color: rgb(51,51,51);"> set to </span><span style="color: rgb(51,153,102);"><code>admit-only-untagged-and-priority-tagged</code></span><span style="color: rgb(51,51,51);"> will be automatically added as untagged ports for the </span><span style="color: rgb(51,153,102);"><code>pvid</code></span><span style="color: rgb(51,51,51);"> VLAN.</span></span></p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface bridge vlan
add bridge=bridge1 tagged=bridge1 vlan-ids=200
add bridge=bridge1 tagged=bridge1 vlan-ids=300
add bridge=bridge1 tagged=bridge1 vlan-ids=400</pre>
</div></div><p><span style="letter-spacing: 0.0px;">Configure VLAN interfaces on the</span><span style="letter-spacing: 0.0px;"> </span><strong style="letter-spacing: 0.0px;">bridge1</strong><span style="letter-spacing: 0.0px;"> </span><span style="letter-spacing: 0.0px;">to allow handling of tagged VLAN traffic at routing level and set IP addresses to ensure routing between VLANs as planned.</span></p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface vlan
add interface=bridge1 name=VLAN200 vlan-id=200
add interface=bridge1 name=VLAN300 vlan-id=300
add interface=bridge1 name=VLAN400 vlan-id=400
/ip address
add address=20.0.0.1/24 interface=VLAN200
add address=30.0.0.1/24 interface=VLAN300
add address=40.0.0.1/24 interface=VLAN400</pre>
</div></div><p><span style="letter-spacing: 0.0px;">In the end, when VLAN configuration is complete, enable Bridge VLAN Filtering:<br/></span></p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface bridge set bridge1 vlan-filtering=yes </pre>
</div></div><p>An optional step is to set <span style="color: rgb(51,153,102);"><code>frame-types=admit-only-vlan-tagged</code></span> on the bridge interface to disable the default untagged VLAN 1 (<code><span style="color: rgb(51,153,102);">pvid=1</span></code>).</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface bridge set bridge1 frame-types=admit-only-vlan-tagged</pre>
</div></div><p><span class="mw-headline">Since RouterOS v7, it is possible to route traffic using the L3 HW offloading on certain devices. See more details on <a href="https://help.mikrotik.com/docs/display/ROS/L3+Hardware+Offloading" rel="nofollow">L3 Hardware Offloading</a>.</span></p><h2 id="BridgingandSwitching-Managementaccessconfiguration"><span class="mw-headline">Management access configuration</span></h2><p>There are multiple ways to set up management access on a device that uses bridge VLAN filtering. Below are some of the most popular approaches to properly enable access to a router/switch. Start by creating a bridge without VLAN filtering enabled:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface bridge
add name=bridge1 vlan-filtering=no</pre>
</div></div><h3 id="BridgingandSwitching-UntaggedaccesswithoutVLANfiltering">Untagged access without VLAN filtering</h3><p>In case VLAN filtering will not be used and access with untagged traffic is desired, the only requirement is to create an IP address on the bridge interface.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/ip address
add address=192.168.99.1/24 interface=bridge1</pre>
</div></div><h3 id="BridgingandSwitching-TaggedaccesswithoutVLANfiltering">Tagged access without VLAN filtering</h3><p>In case VLAN filtering will not be used and access with tagged traffic is desired, create a routable VLAN interface on the bridge and add an IP address on the VLAN interface.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface vlan
add interface=bridge1 name=MGMT vlan-id=99
/ip address
add address=192.168.99.1/24 interface=MGMT</pre>
</div></div><h3 id="BridgingandSwitching-TaggedaccesswithVLANfiltering">Tagged access with VLAN filtering</h3><p>In case VLAN filtering is used and access with tagged traffic is desired, additional steps are required. In this example, VLAN 99 will be used to access the device. A VLAN interface on the bridge must be created and an IP address must be assigned to it.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface vlan
add interface=bridge1 name=MGMT vlan-id=99
/ip address
add address=192.168.99.1/24 interface=MGMT</pre>
</div></div><p>For example, if you want to allow access to the device from ports<span> </span><strong>ether3</strong>,<span> </span><strong>ether4,</strong><span> </span><strong>sfp-sfpplus1 </strong>using tagged VLAN 99 traffic, then you must add this entry to the VLAN table. Note that the <strong>bridge1</strong> interface is also included in the tagged port list:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether3,ether4,sfp-sfpplus1 vlan-ids=99</pre>
</div></div><p><span style="letter-spacing: 0.0px;">After that you can enable VLAN filtering:<br/></span></p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface bridge set bridge1 vlan-filtering=yes</pre>
</div></div><h3 id="BridgingandSwitching-UntaggedaccesswithVLANfiltering">Untagged access with VLAN filtering</h3><p>In case VLAN filtering is used and access with untagged traffic is desired, the VLAN interface must use the same VLAN ID as the untagged port VLAN ID (<span style="color: rgb(51,153,102);"><code>pvid</code></span>). Just like in the previous example, start by creating a VLAN interface on the bridge and add an IP address for the VLAN.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface vlan
add interface=bridge1 name=MGMT vlan-id=99
/ip address
add address=192.168.99.1/24 interface=MGMT</pre>
</div></div><p>For example, untagged ports <strong>ether2</strong> and <strong>ether3</strong> should be able to communicate with the VLAN 99 interface using untagged traffic. To achieve this, these ports should be configured with the <code><span style="color: rgb(51,153,102);">pvid</span></code> that matches the VLAN ID of the management VLAN. Note that the <strong>bridge1</strong> interface is a tagged port member; you can configure additional tagged ports if necessary (see the previous example).</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface bridge port
set [find interface=ether2] pvid=99
set [find interface=ether3] pvid=99
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether2,ether3 vlan-ids=99</pre>
</div></div><p>After that you can enable VLAN filtering:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface bridge set bridge1 vlan-filtering=yes </pre>
</div></div><h3 id="BridgingandSwitching-ChanginguntaggedVLANforthebridgeinterface">Changing untagged VLAN for the bridge interface</h3><p>In case VLAN filtering is used, it is possible to change the untagged VLAN ID for the bridge interface using the <code><span style="color: rgb(51,153,102);">pvid</span></code> setting. Note that creating routable VLAN interfaces and allowing tagged traffic on the bridge is a more flexible and generally recommended option.</p><p>First, create an IP address on the bridge interface.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/ip address
add address=192.168.99.1/24 interface=bridge1</pre>
</div></div><p>For example, untagged <strong>bridge1</strong> traffic should be able to communicate with untagged <strong>ether2</strong> and <strong>ether3</strong> ports and tagged <strong>sfp-sfpplus1</strong> port in VLAN 99. In order to achieve this, <strong>bridge1</strong>,<strong> ether2</strong>, <strong>ether3</strong> should be configured with the same <code><span style="color: rgb(51,153,102);">pvid</span></code> and sfp-sfpplus1 added as a tagged member.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface bridge
set [find name=bridge1] pvid=99
/interface bridge port
set [find interface=ether2] pvid=99
set [find interface=ether3] pvid=99
/interface bridge vlan
add bridge=bridge1 tagged=sfp-sfpplus1 untagged=bridge1,ether2,ether3 vlan-ids=99</pre>
</div></div><p style="text-align: left;">After that you can enable VLAN filtering:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface bridge set bridge1 vlan-filtering=yes </pre>
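<p>The membership rules in this section can be checked before <code>vlan-filtering=yes</code> is applied. The following Python check is an added example, not part of the MikroTik documentation or RouterOS: it parses <code>add</code> lines in the form used on this page, derives the dynamic untagged entries from <code>pvid</code>, and reports a VLAN interface whose bridge is not a tagged member. The sample configurations, function names and finding labels are constructed for illustration; <code>set</code> lines and VLAN ID ranges are not handled.</p>

```python
import shlex
from collections import defaultdict

# Constructed sample: the "Tagged access with VLAN filtering" steps from this page,
# but with bridge1 left out of the tagged list for VLAN 99.
SAMPLE_BROKEN = """\
/interface bridge
add name=bridge1 vlan-filtering=no
/interface bridge port
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
/interface vlan
add interface=bridge1 name=MGMT vlan-id=99
/interface bridge vlan
add bridge=bridge1 tagged=ether3,ether4 vlan-ids=99
"""
SAMPLE_OK = SAMPLE_BROKEN.replace("tagged=ether3,ether4", "tagged=bridge1,ether3,ether4")
# Same as SAMPLE_OK plus the optional step that removes the bridge from untagged VLAN 1.
SAMPLE_TAGGED_ONLY = SAMPLE_OK.replace(
    "add name=bridge1 vlan-filtering=no",
    "add name=bridge1 vlan-filtering=no frame-types=admit-only-vlan-tagged")


def parse_export(text):
    """Return {menu path: [ {key: value}, ... ]} for the `add` lines under each menu."""
    menus, menu = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("/"):
            menu = line
        elif line.startswith("add ") and menu:
            pairs = (tok.split("=", 1) for tok in shlex.split(line)[1:] if "=" in tok)
            menus[menu].append(dict(pairs))
    return menus


def effective_membership(menus, bridge):
    """VLAN ID -> tagged/untagged port sets: static entries plus dynamic pvid entries."""
    table = defaultdict(lambda: {"tagged": set(), "untagged": set()})
    for entry in menus["/interface bridge vlan"]:
        if entry.get("bridge") != bridge:
            continue
        for vid in entry["vlan-ids"].split(","):        # single IDs only, no ranges
            for kind in ("tagged", "untagged"):
                table[int(vid)][kind].update(p for p in entry.get(kind, "").split(",") if p)
    ports = {e["interface"]: e for e in menus["/interface bridge port"]
             if e.get("bridge") == bridge}
    # The bridge itself is a port with its own pvid and frame-types.
    ports[bridge] = next((e for e in menus["/interface bridge"] if e.get("name") == bridge), {})
    for name, cfg in ports.items():
        # Ports that accept untagged frames join their pvid VLAN as untagged members.
        if cfg.get("frame-types", "admit-all") != "admit-only-vlan-tagged":
            vid = int(cfg.get("pvid", 1))
            if name not in table[vid]["tagged"]:        # assumption: static tagged entry wins
                table[vid]["untagged"].add(name)
    return table


def preflight(text, bridge="bridge1"):
    """Return a list of (label, message) findings for one bridge."""
    menus = parse_export(text)
    table = effective_membership(menus, bridge)
    findings = []
    for vlan_if in menus["/interface vlan"]:
        if vlan_if.get("interface") != bridge:
            continue
        vid = int(vlan_if["vlan-id"])
        members = table[vid]["tagged"] | table[vid]["untagged"]
        if bridge not in table[vid]["tagged"]:
            findings.append(("LOCKOUT",
                             f"{vlan_if['name']}: {bridge} is not a tagged member of VLAN {vid}"))
        elif not members - {bridge}:
            findings.append(("UNREACHABLE",
                             f"{vlan_if['name']}: no bridge port carries VLAN {vid}"))
    for vid, entry in sorted(table.items()):
        peers = sorted(entry["untagged"] - {bridge})
        if bridge in entry["untagged"] and peers:
            findings.append(("INFO",
                             f"VLAN {vid}: {', '.join(peers)} share untagged membership with {bridge}"))
    return findings


if __name__ == "__main__":
    for label, sample in (("broken", SAMPLE_BROKEN), ("ok", SAMPLE_OK),
                          ("tagged-only bridge", SAMPLE_TAGGED_ONLY)):
        print(label, preflight(sample))
```

<p>The <code>INFO</code> finding is expected in the "Changing untagged VLAN for the bridge interface" setup, where untagged access to the bridge is intended; elsewhere it marks ports that still reach the bridge interface through its default <code>pvid</code>.</p>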
</div></div><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>If the connection to the router/switch through an IP address is not required, then the steps that add an IP address can be skipped, since a connection to the router/switch through Layer2 protocols (e.g. MAC-telnet) will work either way.</p></div></div><h2 id="BridgingandSwitching-VLANTunneling(QinQ)"><span class="mw-headline">VLAN Tunneling (QinQ)</span></h2><p>Since RouterOS v6.43 the RouterOS bridge is IEEE 802.1ad compliant and it is possible to filter VLAN IDs based on Service VLAN ID (0x88a8) rather than Customer VLAN ID (0x8100). The same principles can be applied as with IEEE 802.1Q VLAN filtering (the same setup examples can be used). Below is a topology for a common<span> </span><strong>Provider bridge</strong>:</p><p><span class="confluence-embedded-file-wrapper image-center-wrapper"><img class="confluence-embedded-image image-center" draggable="false" src="https://help.mikrotik.com/docs/download/attachments/328068/Provider_bridge.png?version=3&modificationDate=1615376897236&api=v2" data-image-src="https://help.mikrotik.com/docs/download/attachments/328068/Provider_bridge.png?version=3&modificationDate=1615376897236&api=v2" data-unresolved-comment-count="0" data-linked-resource-id="43057256" data-linked-resource-version="3" data-linked-resource-type="attachment" data-linked-resource-default-alias="Provider_bridge.png" data-base-url="https://help.mikrotik.com/docs" data-linked-resource-content-type="image/png" data-linked-resource-container-id="328068" data-linked-resource-container-version="117" alt=""></span></p><p>In this example,<span> </span><strong>R1</strong>,<span> </span><strong>R2</strong>,<span> </span><strong>R3,</strong><span> </span>and<span> </span><strong>R4</strong><span> </span>might be sending any VLAN 
tagged traffic by 802.1Q (CVID), but<span> </span><strong>SW1</strong><span> </span>and<span> </span><strong>SW2</strong><span> </span>need to isolate traffic between routers in a way that<span> </span><strong>R1</strong><span> </span>is able to communicate only with<span> </span><strong>R3</strong>,<span> </span>and<span> </span><strong>R2</strong><span> </span>is only able to communicate with<span> </span><strong>R4</strong>. To do so, you can tag all ingress traffic with an SVID and only allow these VLANs on certain ports. Start by enabling the service tag 0x88a8, introduced by<span> </span><span style="color: rgb(51,153,102);"><code>802.1ad</code></span>, on the bridge. Use these commands on<span> </span><strong>SW1</strong><span> </span>and<span> </span><strong>SW2</strong>:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface bridge
add name=bridge1 vlan-filtering=no ether-type=0x88a8</pre>
</div></div><p><span style="letter-spacing: 0.0px;">In this setup,</span><span style="letter-spacing: 0.0px;"> </span><strong style="letter-spacing: 0.0px;">ether1</strong><span style="letter-spacing: 0.0px;"> </span><span style="letter-spacing: 0.0px;">and</span><span style="letter-spacing: 0.0px;"> </span><strong style="letter-spacing: 0.0px;">ether2</strong><span style="letter-spacing: 0.0px;"> </span><span style="letter-spacing: 0.0px;">are going to be access ports (untagged). Use the</span><span style="letter-spacing: 0.0px;"> </span><span style="color: rgb(51,153,102);"><code style="letter-spacing: 0.0px;">pvid</code><span style="letter-spacing: 0.0px;"> </span></span><span style="letter-spacing: 0.0px;">parameter to tag all ingress traffic on each port. Use these commands on</span><span style="letter-spacing: 0.0px;"> </span><strong style="letter-spacing: 0.0px;">SW1</strong><span style="letter-spacing: 0.0px;"> </span><span style="letter-spacing: 0.0px;">and</span><span style="letter-spacing: 0.0px;"> </span><strong style="letter-spacing: 0.0px;">SW2</strong><span style="letter-spacing: 0.0px;">:</span></p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface bridge port
add interface=ether1 bridge=bridge1 pvid=200
add interface=ether2 bridge=bridge1 pvid=300
add interface=ether3 bridge=bridge1</pre>
</div></div><p><span style="letter-spacing: 0.0px;">Specify tagged and untagged ports in the bridge VLAN table. Use these commands on</span><span style="letter-spacing: 0.0px;"> </span><strong style="letter-spacing: 0.0px;">SW1</strong><span style="letter-spacing: 0.0px;"> </span><span style="letter-spacing: 0.0px;">and</span><span style="letter-spacing: 0.0px;"> </span><strong style="letter-spacing: 0.0px;">SW2</strong><span style="letter-spacing: 0.0px;">:</span></p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface bridge vlan
add bridge=bridge1 tagged=ether3 untagged=ether1 vlan-ids=200
add bridge=bridge1 tagged=ether3 untagged=ether2 vlan-ids=300</pre>
</div></div><p><span style="letter-spacing: 0.0px;">When the bridge VLAN table is configured, you can enable bridge VLAN filtering. Use these commands on</span><span style="letter-spacing: 0.0px;"> </span><strong style="letter-spacing: 0.0px;">SW1</strong><span style="letter-spacing: 0.0px;"> </span><span style="letter-spacing: 0.0px;">and</span><span style="letter-spacing: 0.0px;"> </span><strong style="letter-spacing: 0.0px;">SW2:</strong></p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface bridge set bridge1 vlan-filtering=yes </pre>
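<p>How the bridge's outer-tag check plays out on SW1 and SW2, as an added Python example (not MikroTik code). It models only ingress classification and egress tagging for the port and VLAN table configured above, comparing the outer tag's EtherType with the bridge <code>ether-type</code> and treating any other outer tag as untagged. MAC learning and priority tags are omitted, the ingress port is assumed to have to be a member of the VLAN, and the frames, class and function names are constructed.</p>

```python
import struct

TPIDS = {0x8100, 0x88A8, 0x9100}   # tag EtherTypes named on this page


def build_frame(tags, payload_ethertype=0x0800):
    """Constructed test frame: zeroed MAC addresses, then (tpid, vid) tags, outermost first."""
    frame = bytes(12)
    for tpid, vid in tags:
        frame += struct.pack("!HH", tpid, vid & 0x0FFF)
    return frame + struct.pack("!H", payload_ethertype) + b"payload"


def parse_tags(frame):
    """Return the (tpid, vid) tags found after the MAC addresses, outermost first."""
    tags, off = [], 12
    while off + 4 <= len(frame):
        tpid, tci = struct.unpack_from("!HH", frame, off)
        if tpid not in TPIDS:
            break
        tags.append((tpid, tci & 0x0FFF))
        off += 4
    return tags


class Bridge:
    def __init__(self, ether_type, pvid, vlans):
        self.ether_type = ether_type   # bridge ether-type setting
        self.pvid = pvid               # port -> pvid
        self.vlans = vlans             # vid -> {"tagged": set, "untagged": set}

    def classify(self, port, frame):
        """Return (vid, was_tagged). Only the outer tag is examined."""
        tags = parse_tags(frame)
        if tags and tags[0][0] == self.ether_type:
            return tags[0][1], True
        return self.pvid[port], False  # no tag, or a different EtherType: untagged

    def forward(self, port, frame):
        """Return {egress port: tag stack on the wire}; {} when the frame is filtered."""
        vid, was_tagged = self.classify(port, frame)
        entry = self.vlans.get(vid)
        if entry is None or port not in entry["tagged"] | entry["untagged"]:
            return {}
        tags = parse_tags(frame)
        inner = tags[1:] if was_tagged else tags   # tags the bridge never looks at
        out = {}
        for egress in (entry["tagged"] | entry["untagged"]) - {port}:
            outer = [(self.ether_type, vid)] if egress in entry["tagged"] else []
            out[egress] = outer + inner
        return out


def page_bridge(ether_type):
    """SW1/SW2 as configured in the steps above; VLAN 1 is the dynamic pvid=1 entry."""
    return Bridge(
        ether_type,
        pvid={"ether1": 200, "ether2": 300, "ether3": 1},
        vlans={200: {"tagged": {"ether3"}, "untagged": {"ether1"}},
               300: {"tagged": {"ether3"}, "untagged": {"ether2"}},
               1: {"tagged": set(), "untagged": {"ether3", "bridge1"}}})


def r1_across_provider_bridge():
    """R1 sends an 802.1Q frame (CVID 10) into SW1 ether1; follow it over the trunk to SW2."""
    sw1, sw2 = page_bridge(0x88A8), page_bridge(0x88A8)
    on_trunk = sw1.forward("ether1", build_frame([(0x8100, 10)]))
    delivered = sw2.forward("ether3", build_frame(on_trunk["ether3"]))
    return on_trunk, delivered


def mismatched_outer_tag():
    """A bridge left at ether-type=0x8100 receives the S-tagged trunk frame on ether3."""
    return page_bridge(0x8100).classify("ether3", build_frame([(0x88A8, 200), (0x8100, 10)]))


if __name__ == "__main__":
    print(r1_across_provider_bridge())
    print(mismatched_outer_tag())
```

<p>With <code>ether-type=0x88a8</code> the customer tag is carried through untouched and never filtered; with <code>ether-type=0x8100</code> the same trunk frame lands in the port's <code>pvid</code> VLAN instead of VLAN 200.</p>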
</div></div><div class="confluence-information-macro confluence-information-macro-warning"><span class="aui-icon aui-icon-small aui-iconfont-error confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>By enabling<span> </span>vlan-filtering<span> </span>you will be filtering out traffic destined to the CPU. Before enabling VLAN filtering, make sure that you have set up a<span> </span>Management port.</p><p>Note that if you are using the new EtherType/TPID 0x88a8 (service tag) and you also need a VLAN interface for your Service VLAN, you will also have to apply the<span style="color: rgb(51,153,102);"><code> use-service-tag</code></span><span> </span>parameter on the VLAN interface.</p></div></div><div class="confluence-information-macro confluence-information-macro-warning"><span class="aui-icon aui-icon-small aui-iconfont-error confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>When<span> </span><span style="color: rgb(51,153,102);"><code>ether-type=0x8100</code></span> is configured, the bridge checks whether the outer VLAN tag uses EtherType<span> </span><code>0x8100</code>. If the bridge receives a packet with an outer tag that has a different EtherType, it will mark the packet as<span> </span><code>untagged</code>. 
Since RouterOS only checks the outer tag of a packet, it is not possible to filter 802.1Q packets when the 802.1ad protocol is used.</p></div></div><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>Currently, only CRS3xx, CRS5xx series switches and CCR2116, CCR2216 routers are capable of hardware offloaded VLAN filtering using the Service tag, EtherType/TPID <span style="color: rgb(51,153,102);"><code>0x88a8</code></span>.</p></div></div><div class="confluence-information-macro confluence-information-macro-warning"><span class="aui-icon aui-icon-small aui-iconfont-error confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>Devices with switch chip Marvell-98DX3257 (e.g. CRS354 series) do not support VLAN filtering on 1Gbps Ethernet interfaces for other VLAN types (<span style="color: rgb(51,153,102);"><code>0x88a8</code></span><span> </span>and<span> </span><span style="color: rgb(51,153,102);"><code>0x9100</code></span>).</p></div></div><h2 id="BridgingandSwitching-Tagstacking"><span class="mw-headline">Tag stacking</span></h2><p>Since RouterOS v6.43 it is possible to forcefully add a new VLAN tag over any existing VLAN tags. This feature can be used to achieve a CVID stacking setup, where a CVID (0x8100) tag is added before an existing CVID tag. 
This type of setup is very similar to<span> the </span>Provider bridge<span> </span>setup. To achieve the same setup but with multiple CVID tags (CVID stacking), we can use the same topology:</p><p><span class="confluence-embedded-file-wrapper image-center-wrapper"><img class="confluence-embedded-image image-center" draggable="false" src="https://help.mikrotik.com/docs/download/attachments/328068/Tag_stacking.png?version=3&modificationDate=1615376914770&api=v2" data-image-src="https://help.mikrotik.com/docs/download/attachments/328068/Tag_stacking.png?version=3&modificationDate=1615376914770&api=v2" data-unresolved-comment-count="0" data-linked-resource-id="43057257" data-linked-resource-version="3" data-linked-resource-type="attachment" data-linked-resource-default-alias="Tag_stacking.png" data-base-url="https://help.mikrotik.com/docs" data-linked-resource-content-type="image/png" data-linked-resource-container-id="328068" data-linked-resource-container-version="117" alt=""></span></p><p>In this example,<span> </span><strong>R1</strong>,<span> </span><strong>R2</strong>,<span> </span><strong>R3,</strong><span> </span>and<span> </span><strong>R4</strong><span> </span>might be sending any VLAN tagged traffic (802.1ad, 802.1Q, or any other type of traffic), but<span> </span><strong>SW1</strong><span> </span>and<span> </span><strong>SW2</strong><span> </span>need to isolate traffic between routers in a way that<span> </span><strong>R1</strong><span> </span>is able to communicate only with<span> </span><strong>R3</strong>,<span> </span>and<span> </span><strong>R2</strong><span> </span>is only able to communicate with<span> </span><strong>R4</strong>. To do so, you can tag all ingress traffic with a new CVID tag and only allow these VLANs on certain ports. 
Start by selecting the proper EtherType. Use these commands on<span> </span><strong>SW1</strong><span> </span>and<span> </span><strong>SW2</strong>:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface bridge
add name=bridge1 vlan-filtering=no ether-type=0x8100</pre>
</div></div><p><span style="letter-spacing: 0.0px;">In this setup,</span><span style="letter-spacing: 0.0px;"> </span><strong style="letter-spacing: 0.0px;">ether1</strong><span style="letter-spacing: 0.0px;"> </span><span style="letter-spacing: 0.0px;">and</span><span style="letter-spacing: 0.0px;"> </span><strong style="letter-spacing: 0.0px;">ether2</strong><span style="letter-spacing: 0.0px;"> </span><span style="letter-spacing: 0.0px;">will ignore any VLAN tags that are present and add a new VLAN tag. Use the</span><span style="letter-spacing: 0.0px;"> </span><span style="color: rgb(51,153,102);"><code style="letter-spacing: 0.0px;">pvid</code><span style="letter-spacing: 0.0px;"> </span></span><span style="letter-spacing: 0.0px;">parameter to tag all ingress traffic on each port and allow</span><span style="letter-spacing: 0.0px;"> </span><span style="color: rgb(51,153,102);"><code style="letter-spacing: 0.0px;">tag-stacking</code></span><span style="letter-spacing: 0.0px;"> </span><span style="letter-spacing: 0.0px;">on these ports. Use these commands on</span><span style="letter-spacing: 0.0px;"> </span><strong style="letter-spacing: 0.0px;">SW1</strong><span style="letter-spacing: 0.0px;"> </span><span style="letter-spacing: 0.0px;">and</span><span style="letter-spacing: 0.0px;"> </span><strong style="letter-spacing: 0.0px;">SW2</strong><span style="letter-spacing: 0.0px;">:</span></p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface bridge port
add interface=ether1 bridge=bridge1 pvid=200 tag-stacking=yes
add interface=ether2 bridge=bridge1 pvid=300 tag-stacking=yes
add interface=ether3 bridge=bridge1</pre>
</div></div><p><span style="letter-spacing: 0.0px;">Specify tagged and untagged ports in the bridge VLAN table. You only need to specify the VLAN ID of the outer tag. Use these commands on</span><span style="letter-spacing: 0.0px;"> </span><strong style="letter-spacing: 0.0px;">SW1</strong><span style="letter-spacing: 0.0px;"> </span><span style="letter-spacing: 0.0px;">and</span><span style="letter-spacing: 0.0px;"> </span><strong style="letter-spacing: 0.0px;">SW2</strong><span style="letter-spacing: 0.0px;">:</span></p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface bridge vlan
add bridge=bridge1 tagged=ether3 untagged=ether1 vlan-ids=200
add bridge=bridge1 tagged=ether3 untagged=ether2 vlan-ids=300</pre>
</div></div><p><br/></p><p>When the bridge VLAN table is configured, you can enable bridge VLAN filtering, which is required in order for the <span style="color: rgb(51,153,102);"><span style="font-family: SFMono-Medium , SF Mono , Segoe UI Mono , Roboto Mono , Ubuntu Mono , Menlo , Courier , monospace;">pvid </span></span>parameter to have any effect. Use these commands on <strong>SW1</strong> and <strong>SW2:</strong></p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface bridge set bridge1 vlan-filtering=yes</pre>
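<p>The following added example (not part of the original manual and not MikroTik code) models the SW1/SW2 configuration above in Python to show how the outer tag alone decides forwarding. The function names, the flood-only forwarding, the assumed default <code>pvid=1</code> on ether3 and the sample frame are assumptions of this sketch.</p>

```python
import struct

TPID_CVID = 0x8100                      # bridge ether-type used on the page
KNOWN_TPIDS = {0x8100, 0x88A8, 0x9100}  # VLAN EtherTypes named on the page

# Port and VLAN-table settings copied from the page's SW1/SW2 commands.
# ether3 carries no pvid on the page; 1 is assumed as the RouterOS default.
PORTS = {
    "ether1": {"pvid": 200, "tag_stacking": True},
    "ether2": {"pvid": 300, "tag_stacking": True},
    "ether3": {"pvid": 1, "tag_stacking": False},
}
VLAN_TABLE = {
    200: {"tagged": {"ether3"}, "untagged": {"ether1"}},
    300: {"tagged": {"ether3"}, "untagged": {"ether2"}},
}


def push_tag(frame, vid, tpid=TPID_CVID):
    """Insert a VLAN tag directly after the destination and source MACs."""
    return frame[:12] + struct.pack("!HH", tpid, vid & 0x0FFF) + frame[12:]


def pop_tag(frame):
    """Remove the outermost VLAN tag."""
    return frame[:12] + frame[16:]


def tag_stack(frame):
    """Return [(tpid, vid), ...] for consecutive VLAN tags, outermost first."""
    tags, offset = [], 12
    while offset + 4 <= len(frame):
        tpid, tci = struct.unpack_from("!HH", frame, offset)
        if tpid not in KNOWN_TPIDS:
            break
        tags.append((tpid, tci & 0x0FFF))
        offset += 4
    return tags


def switch(frame, in_port):
    """Model one switch: classify on ingress, then flood to the other
    members of the outer VLAN (no MAC learning in this model).
    Returns {egress_port: frame_as_sent}."""
    cfg = PORTS[in_port]
    stack = tag_stack(frame)
    outer_is_bridge_type = bool(stack) and stack[0][0] == TPID_CVID
    if cfg["tag_stacking"] or not outer_is_bridge_type:
        # tag-stacking=yes ignores whatever tags are present and pushes pvid;
        # a frame without a matching outer tag is classified by pvid as well.
        frame = push_tag(frame, cfg["pvid"])
    outer_vid = tag_stack(frame)[0][1]
    members = VLAN_TABLE.get(outer_vid)
    if members is None:
        return {}  # simplification: VLANs missing from the table go nowhere
    out = {}
    for port in members["tagged"] | members["untagged"]:
        if port != in_port:
            # Tagged members keep the outer tag, untagged members lose it.
            out[port] = frame if port in members["tagged"] else pop_tag(frame)
    return out


def across_both_switches(frame, sw1_port):
    """Send a frame into SW1, over the ether3 trunk, and through SW2.
    Returns (frame_on_trunk, {sw2_egress_port: frame})."""
    on_trunk = switch(frame, sw1_port).get("ether3")
    if on_trunk is None:
        return None, {}
    return on_trunk, switch(on_trunk, "ether3")


# Constructed sample: R1 sends a frame that already carries its own
# 802.1Q tag with VLAN ID 300 (the same number SW1 assigns to ether2).
R1_FRAME = (bytes.fromhex("020000000003") + bytes.fromhex("020000000001")
            + struct.pack("!HH", 0x8100, 300) + b"\x08\x00" + b"payload")

if __name__ == "__main__":
    trunk, delivered = across_both_switches(R1_FRAME, "ether1")
    print(tag_stack(trunk), sorted(delivered))
```

<p>The customer's own inner tag (300) has no influence on the path: the frame crosses the trunk with outer VLAN 200 and leaves SW2 only on ether1, with the original tag intact.</p>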
</div></div><div class="confluence-information-macro confluence-information-macro-warning"><span class="aui-icon aui-icon-small aui-iconfont-error confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>By enabling<span> </span>vlan-filtering<span> </span>you will be filtering out traffic destined to the CPU. Before enabling VLAN filtering you should make sure that you set up a<span> </span>Management port.</p></div></div><h2 id="BridgingandSwitching-MVRP"><span class="mw-headline">MVRP</span></h2><p>Multiple VLAN Registration Protocol (MVRP) is a protocol based on Multiple Registration Protocol (MRP) which allows registering attributes (VLAN IDs in case of MVRP) with other members of a Bridged LAN.</p><p>An MRP application can make or withdraw declarations of attributes which result in registration or leaving of those attributes with other MRP participants.</p><p>Here's how it works.</p><p><span>MRP consists of two parts:</span></p><ul><li><p><strong>Applicant</strong> - responsible for sending declarations (or leaves). Its behavior can be configured on a per-port basis using the setting called <code><span style="color: rgb(51,153,102);">mvrp-applicant-state</span></code>, and per-VLAN using the <code><span style="color: rgb(51,153,102);">mvrp-forbidden</span></code> setting.</p></li><li><p><strong>Registrar</strong> - responsible for registering incoming declarations. Its configuration can be set per-port using the <span style="color: rgb(51,153,102);"><code>mvrp-registrar-state</code></span> setting, and per-VLAN using the <code><span style="color: rgb(51,153,102);">mvrp-forbidden</span></code> setting.</p></li></ul><p><strong>Registration Propagation:</strong> Incoming registration on a bridge port dynamically makes that specific port a tagged VLAN member. 
Additionally, the attributes associated with this registration are spread to all active (forwarding) bridge ports as a declaration.</p><p><strong>Declaration Operation:</strong> I<span>n case of MVRP, the configured VLANs get declared on each port, but they will only get configured as members of those VLANs when a declaration is received from the LAN (Registrar will register the VLAN). From the perspective of an end-station, a single declaration will be registered on each upstream port across the entire LAN. When another end-station declares the same attribute, a path of registrations will be made between the two (or more) end stations, see the picture below. </span></p><p><span>MVRP helps to dynamically propagate VLAN information throughout the bridged network and configure VLANs only on the needed ports. This makes the network efficient by avoiding unnecessary traffic flooding.</span></p><p>As noted before, MVRP is only active on ports that are forwarding. In the case of MSTP, declarations and registrations are made only if the port is forwarding in the MSTI to which the VLAN is mapped.</p><p>The point-to-point ports speed up the<span> process of registration (or leaving). 
Manually configuring </span><code><span style="color: rgb(51,153,102);">point-to-point=yes</span></code> <span>can be advantageous for non-Ethernet interfaces.</span></p><p><span><span class="confluence-embedded-file-wrapper image-center-wrapper"><img class="confluence-embedded-image image-center" draggable="false" src="https://help.mikrotik.com/docs/download/attachments/328068/2b.png?version=1&modificationDate=1711375113198&api=v2" data-image-src="https://help.mikrotik.com/docs/download/attachments/328068/2b.png?version=1&modificationDate=1711375113198&api=v2" data-unresolved-comment-count="0" data-linked-resource-id="240156844" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="2b.png" data-base-url="https://help.mikrotik.com/docs" data-linked-resource-content-type="image/png" data-linked-resource-container-id="328068" data-linked-resource-container-version="117" alt=""></span></span></p><h3 id="BridgingandSwitching-PropertyReference">Property Reference</h3><p><strong>Sub-menu:</strong> <code>/interface bridge</code></p><div class="table-wrap"><table class="wrapped confluenceTable"><colgroup class=""><col class=""/><col class=""/></colgroup><tbody class=""><tr class=""><th class="confluenceTh"><p>Property</p></th><th class="confluenceTh"><p>Description</p></th></tr><tr class=""><td class="confluenceTd"><p><strong>mvrp</strong> (<em>yes </em>|<em> no</em>; Default: <strong>no</strong>)</p></td><td class="confluenceTd"><p>Enables MVRP for bridge. 
It ensures that the MAC address 01:80:C2:00:00:21 is trapped and not forwarded; <span style="color: rgb(51,153,102);"><code>vlan-filtering</code></span> must be enabled.</p></td></tr></tbody></table></div><p><br/></p><p><strong>Sub-menu:</strong> <code>/interface bridge port</code></p><p>The port menu enables control over the applicant and registrar settings on a per-port basis.</p><div class="table-wrap"><table class="wrapped confluenceTable"><colgroup class=""><col class=""/><col class=""/></colgroup><tbody class=""><tr class=""><th class="confluenceTh"><p>Property</p></th><th class="confluenceTh"><p>Description</p></th></tr><tr class=""><td class="confluenceTd"><p style="text-align: left;"><strong>mvrp-applicant-state</strong><span> </span>(<em>non-participant | normal-participant;</em> Default: <strong>normal-participant</strong>)</p></td><td class="confluenceTd"><p>MVRP applicant options:</p><ul style="text-align: left;"><li><p><strong>non-participant</strong> - port does not send any MRP messages;</p></li><li><p><strong>normal-participant </strong>- port participates normally in MRP exchanges.</p></li></ul></td></tr><tr class=""><td class="confluenceTd"><p style="text-align: left;"><strong>mvrp-registrar-state</strong> (<em>fixed | normal</em>; Default: <strong>normal</strong>)</p></td><td class="confluenceTd"><p>MVRP registrar options:</p><ul style="text-align: left;"><li><p><strong>fixed</strong> - port ignores all MRP messages, and remains Registered (IN) in all configured VLANs.</p></li><li><p><strong>normal </strong>- port receives MRP messages and handles them according to the standard.</p></li></ul></td></tr></tbody></table></div><p> <span class="mw-headline">To monitor the currently declared and registered VLAN IDs, use the <span style="color: rgb(128,0,128);"><code>monitor</code></span> command.</span></p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@MikroTik] > interface/bridge/port monitor [find interface=sfp-sfpplus1]
interface: sfp-sfpplus1
status: in-bridge
port-number: 1
role: designated-port
edge-port: no
edge-port-discovery: yes
point-to-point-port: yes
external-fdb: no
sending-rstp: yes
learning: yes
forwarding: yes
actual-path-cost: 2000
hw-offload-group: switch1
declared-vlan-ids: 1,10,20-21
registered-vlan-ids: 1,10,20,30-33</pre>
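<p>As an added example (not part of the original manual), the Python sketch below parses <code>monitor</code> output like the one above, expands the VLAN ranges and reports VLANs a port has registered from its neighbours that are not on an expected list. The function names, the expected-VLAN allowlist and the second port block are assumptions made for illustration; the first block reuses values from the page.</p>

```python
# First block: fields taken from the page's monitor output.
# Second block: constructed sample for a second port.
MONITOR_OUTPUT = """\
interface: sfp-sfpplus1
forwarding: yes
declared-vlan-ids: 1,10,20-21
registered-vlan-ids: 1,10,20,30-33

interface: sfp-sfpplus5
forwarding: yes
declared-vlan-ids: 1,10,20-21
registered-vlan-ids: 1,10
"""


def expand_vlan_ids(spec):
    """Expand a list such as '1,10,20-21' into the set {1, 10, 20, 21}."""
    ids = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        first, _, last = part.partition("-")
        lo, hi = int(first), int(last or first)
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"bad VLAN range: {part!r}")
        ids.update(range(lo, hi + 1))
    return ids


def parse_monitor(text):
    """Split monitor output into one {field: value} dict per port block."""
    ports = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.strip().partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if fields:
            ports.append(fields)
    return ports


def audit(text, expected_vlans):
    """Compare what each port registered through MVRP with an allowlist.

    unexpected    - VLANs registered from neighbours but not on the allowlist
    declared_only - VLANs this port declares that no neighbour has declared
    """
    findings = []
    for port in parse_monitor(text):
        declared = expand_vlan_ids(port.get("declared-vlan-ids", ""))
        registered = expand_vlan_ids(port.get("registered-vlan-ids", ""))
        findings.append({
            "interface": port.get("interface"),
            "forwarding": port.get("forwarding") == "yes",
            "unexpected": sorted(registered - expected_vlans),
            "declared_only": sorted(declared - registered),
        })
    return findings


if __name__ == "__main__":
    # Assumed allowlist: the VLANs this bridge is meant to carry.
    for finding in audit(MONITOR_OUTPUT, {1, 10, 20, 21}):
        print(finding)
```

<p>VLANs reported as unexpected are candidates for the <code>mvrp-forbidden</code> setting, or for <code>mvrp-registrar-state=fixed</code> on ports that should never learn VLANs dynamically.</p>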
</div></div><p><br/></p><p><strong>Sub-menu:</strong> <code>/interface bridge vlan</code></p><p>All ports that are members of static VLANs or dynamic untagged VLANs created by the port <code><span style="color: rgb(51,153,102);">pvid</span></code> setting are treated as "fixed", meaning the registrar disregards all MRP messages and remains registered (IN) for those VLANs.</p><p>When a VLAN is neither manually configured nor created by the port <code><span style="color: rgb(51,153,102);">pvid</span></code> setting, incoming registrations on a bridge port can dynamically designate that specific port as a tagged VLAN member. The <code><span style="color: rgb(51,153,102);">mvrp-forbidden</span></code> feature allows creating a list of ports that are restricted from registering into a specific VLAN ID.</p><p>VLANs that are static or dynamic will be declared by the applicants unless this functionality is disabled by the port's <code><span style="color: rgb(51,153,102);">mvrp-applicant-state</span></code>, or by the VLAN's<span style="letter-spacing: 0.0px;"> </span><code style="letter-spacing: 0.0px;"><span style="color: rgb(51,153,102);">mvrp-forbidden</span></code><span style="letter-spacing: 0.0px;"> setting.</span></p><div class="table-wrap"><table class="relative-table wrapped confluenceTable" style="width: 100.0%;"><colgroup class=""><col class="" style="width: 24.0227%;"/><col class="" style="width: 75.9773%;"/></colgroup><tbody class=""><tr class=""><th class="confluenceTh"><p>Property</p></th><th class="confluenceTh"><p>Description</p></th></tr><tr class=""><td class="confluenceTd"><p><strong style="text-align: left;">mvrp-forbidden</strong><span style="color: rgb(23,43,77);"> (</span><em style="text-align: left;">interfaces</em><span style="color: rgb(23,43,77);">; Default: </span><span style="color: rgb(23,43,77);">)</span></p></td><td class="confluenceTd"><p>Ports that ignore all MRP messages and remain Not Registered (MT); the applicant on these ports is also disabled from declaring the specific VLAN ID.</p></td></tr></tbody></table></div><p><br/></p><p><strong>Sub-menu:</strong> <code>/interface bridge vlan mvrp</code></p><p style="text-align: left;">The MVRP attributes menu can be used to see internal MVRP attribute states, as specified in IEEE 802.1Q-2011.</p><div class="table-wrap"><table class="relative-table wrapped confluenceTable" style="width: 100.0%;"><colgroup class=""><col class="" style="width: 24.0227%;"/><col class="" style="width: 75.9773%;"/></colgroup><tbody class=""><tr class=""><th class="confluenceTh"><p>Property</p></th><th class="confluenceTh"><p>Description</p></th></tr><tr class=""><td class="confluenceTd"><p><strong style="text-align: left;">applicant-state</strong></p></td><td class="confluenceTd"><p>The Applicant state machine that declares attributes. Its state can be VO, VP, VN, AN, AA, QA, LA, AO, QO, AP, QP, or LO. Each state consists of two letters.</p><p>The first letter indicates the state:</p><ul><li>V—Very anxious;</li><li>A—Anxious;</li><li>Q—Quiet;</li><li>L—Leaving.</li></ul><p><span>The second letter indicates the membership state:</span></p><ul><li>A - Active member;</li><li>P - Passive member;</li><li>O - Observer;</li><li>N - New.</li></ul><p><span>For example, VP indicates "Very anxious, Passive member."</span></p></td></tr><tr class=""><td class="confluenceTd"><p><strong style="text-align: left;">registrar-state</strong></p></td><td class="confluenceTd"><p class="TableText" style="text-align: left;">The Registrar state machine that records the registration state of attributes declared by other participants. 
Its state can be IN, LV, or MT:</p><ul><li class="TableText"><span class="BoldText">IN</span><span>—Registered;</span></li><li class="TableText"><span class="BoldText">LV</span><span>—Previously registered, but now being timed out;</span></li><li class="TableText"><span class="BoldText">MT</span><span>—Not registered.</span></li></ul></td></tr></tbody></table></div><p><br/></p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@Mikrotik] /interface/bridge/vlan/mvrp print where vlan-id=10
Columns: BRIDGE, PORT, VLAN-ID, REGISTRAR-STATE, APPLICANT-STATE, LAST-EVENT
 #  BRIDGE    PORT           VLAN-ID  REGISTRAR-STATE  APPLICANT-STATE  LAST-EVENT
 1  bridge67  sfp-sfpplus1        10  IN               Quiet Active     JoinIn
 9  bridge67  sfp-sfpplus5        10  MT               Quiet Active     JoinEmpty
17  bridge67  sfp-sfpplus9        10  MT               Quiet Active     JoinEmpty
25  bridge67  sfp-sfpplus13       10  IN               Quiet Active     JoinIn</pre>
</div></div><h1 id="BridgingandSwitching-FastForward"><span class="mw-headline">Fast Forward</span></h1><hr/><p>Fast Forward allows forwarding packets faster under special conditions. When Fast Forward is enabled, then the bridge can process packets even faster since it can skip multiple bridge-related checks, including MAC learning. Below you can find a list of conditions that<span> </span><strong>MUST</strong><span> </span>be met in order for Fast Forward to be active:</p><ul><li>Bridge has<span> </span><code><span style="color: rgb(51,153,102);">fast-forward</span></code><span> </span>set to<span> </span><span style="color: rgb(51,153,102);"><code>yes</code></span></li><li>Bridge has only 2 running ports</li><li>Both bridge ports support<span> </span><a href="https://help.mikrotik.com/docs/display/ROS/Packet+Flow+in+RouterOS#heading-FastPath" rel="nofollow">Fast Path</a>, Fast Path is active on ports and globally on the bridge</li><li>Bridge Hardware Offloading<span> </span>is disabled</li><li>Bridge VLAN Filtering<span> </span>is disabled</li><li>Bridge DHCP snooping<span> </span>is disabled</li><li><span style="color: rgb(51,153,102);"><code>unknown-multicast-flood</code></span><span> </span>is set to<span> </span><span style="color: rgb(51,153,102);"><code>yes</code></span></li><li><span style="color: rgb(51,153,102);"><code>unknown-unicast-flood</code></span><span> </span>is set to<span> </span><span style="color: rgb(51,153,102);"><code>yes</code></span></li><li><span style="color: rgb(51,153,102);"><code>broadcast-flood</code></span><span> </span>is set to<span> </span><span style="color: rgb(51,153,102);"><code>yes</code></span></li><li>MAC address for the bridge matches with a MAC address from one of the bridge slave ports</li><li><span style="color: rgb(51,153,102);"><code>horizon</code></span><span> </span>for both ports is set to<span> </span><span style="color: rgb(51,153,102);"><code>none</code></span></li></ul><div 
class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>Fast Forward disables MAC learning; this is by design to achieve faster packet forwarding. MAC learning prevents traffic from flooding multiple interfaces, but MAC learning is not needed when a packet can only be sent out through just one interface.</p></div></div><p><br/></p><div class="confluence-information-macro confluence-information-macro-warning"><span class="aui-icon aui-icon-small aui-iconfont-error confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>Fast Forward is disabled when hardware offloading is enabled. Hardware offloading can achieve full wire-speed performance when it is active since it will use the built-in switch chip (if such exists on your device), whereas Fast Forward uses the CPU to forward packets. When comparing throughput results, you would get such results: Hardware offloading > Fast Forward > Fast Path > Slow Path.</p></div></div><p>It is possible to check how many packets were processed by Fast Forward:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@MikroTik] /interface bridge settings> pr
use-ip-firewall: no
use-ip-firewall-for-vlan: no
use-ip-firewall-for-pppoe: no
allow-fast-path: yes
bridge-fast-path-active: yes
bridge-fast-path-packets: 0
bridge-fast-path-bytes: 0
bridge-fast-forward-packets: 16423
bridge-fast-forward-bytes: 24864422</pre>
</div></div><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>If packets are processed by Fast Path, then Fast Forward is not active. Packet count can be used as an indicator of whether Fast Forward is active or not.</p></div></div><p>Since RouterOS 6.44 it is possible to monitor Fast Forward status, for example:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@MikroTik] /interface bridge monitor bridge1
state: enabled
current-mac-address: B8:69:F4:C9:EE:D7
root-bridge: yes
root-bridge-id: 0x8000.B8:69:F4:C9:EE:D7
root-path-cost: 0
root-port: none
port-count: 2
designated-port-count: 2
fast-forward: yes</pre>
</div></div><div class="confluence-information-macro confluence-information-macro-warning"><span class="aui-icon aui-icon-small aui-iconfont-error confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>Disabling or enabling<span> </span>fast-forward<span> </span>will temporarily disable all bridge ports for settings to take effect. This must be taken into account whenever changing this property on production environments since it can cause all packets to be temporarily dropped.</p></div></div><h1 id="BridgingandSwitching-IGMP/MLDSnooping"><span class="mw-headline">IGMP/MLD Snooping</span></h1><hr/><p>The bridge supports IGMP/MLD snooping. It controls multicast streams and prevents multicast flooding on unnecessary ports. Its settings are placed in the bridge menu and it works independently in every bridge interface. Software-driven implementation works on all devices with RouterOS, but CRS3xx, CRS5xx series switches, CCR2116, CCR2216 routers, and <span style="color: rgb(23,43,77);">88E6393X, 88E6191X, 88E6190 switch chips</span> also support IGMP/MLD snooping with hardware offloading. See more details in the <a href="https://help.mikrotik.com/docs/pages/viewpage.action?pageId=59277403" rel="nofollow">IGMP/MLD snooping manual</a>.</p><h1 id="BridgingandSwitching-DHCPSnoopingandDHCPOption82"><span class="mw-headline">DHCP Snooping and DHCP Option 82</span></h1><hr/><p>DHCP Snooping and DHCP Option 82 are supported by the bridge. DHCP Snooping is a Layer2 security feature that limits unauthorized DHCP servers from providing malicious information to users. In RouterOS, you can specify which bridge ports are trusted (where a known DHCP server resides and DHCP messages should be forwarded) and which are untrusted (usually used for access ports; received DHCP server messages will be dropped). 
The DHCP Option 82 is additional information (Agent Circuit ID and Agent Remote ID) provided by DHCP Snooping enabled devices that allow identifying the device itself and DHCP clients.</p><p><span class="confluence-embedded-file-wrapper image-center-wrapper"><img class="confluence-embedded-image image-center" draggable="false" src="https://help.mikrotik.com/docs/download/attachments/328068/Dhcp_snooping.png?version=2&modificationDate=1615372193430&api=v2" data-image-src="https://help.mikrotik.com/docs/download/attachments/328068/Dhcp_snooping.png?version=2&modificationDate=1615372193430&api=v2" data-unresolved-comment-count="0" data-linked-resource-id="43057258" data-linked-resource-version="2" data-linked-resource-type="attachment" data-linked-resource-default-alias="Dhcp_snooping.png" data-base-url="https://help.mikrotik.com/docs" data-linked-resource-content-type="image/png" data-linked-resource-container-id="328068" data-linked-resource-container-version="117" alt=""></span></p><p>In this example, SW1 and SW2 are DHCP Snooping, and Option 82 enabled devices. First, we need to create a bridge, assign interfaces and mark trusted ports. Use these commands on<span> </span><strong>SW1</strong>:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface bridge
add name=bridge
/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=ether2 trusted=yes</pre>
</div></div><p><span style="letter-spacing: 0.0px;">For SW2, the configuration will be similar, but we also need to mark ether1 as trusted, because this interface is going to receive DHCP messages with Option 82 already added. You need to mark all ports as trusted if they are going to receive DHCP messages with added Option 82, otherwise these messages will be dropped. Also, we add ether3 to the same bridge and leave this port untrusted; imagine there is an unauthorized (rogue) DHCP server. Use these commands on</span><span style="letter-spacing: 0.0px;"> </span><strong style="letter-spacing: 0.0px;">SW2</strong><span style="letter-spacing: 0.0px;">:</span></p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface bridge
add name=bridge
/interface bridge port
add bridge=bridge interface=ether1 trusted=yes
add bridge=bridge interface=ether2 trusted=yes
add bridge=bridge interface=ether3</pre>
</div></div><p><span style="letter-spacing: 0.0px;">Then we need to enable DHCP Snooping and Option 82. In case your DHCP server does not support DHCP Option 82 or you do not implement any Option 82 related policies, this option can be disabled. Use these commands on</span><span style="letter-spacing: 0.0px;"> </span><strong style="letter-spacing: 0.0px;">SW1</strong><span style="letter-spacing: 0.0px;"> </span><span style="letter-spacing: 0.0px;">and</span><span style="letter-spacing: 0.0px;"> </span><strong style="letter-spacing: 0.0px;">SW2</strong><span style="letter-spacing: 0.0px;">:</span></p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface bridge
set [find where name="bridge"] dhcp-snooping=yes add-dhcp-option82=yes</pre>
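<p>The trusted/untrusted rules configured above can be exercised with the following added Python model (not part of the original manual and not RouterOS code). It parses DHCP options, applies the drop rules the page describes, and inserts an Option 82 with Agent Circuit ID and Agent Remote ID sub-options. The function names, the egress rule for forwarded messages, the sub-option contents and the packets are assumptions or constructed samples.</p>

```python
MAGIC = b"\x63\x82\x53\x63"                  # DHCP magic cookie
SERVER_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}
SUBOPTION_NAMES = {1: "circuit-id", 2: "remote-id"}

# Trust settings from the page's commands (True = trusted=yes).
SW1 = {"ether1": False, "ether2": True}
SW2 = {"ether1": True, "ether2": True, "ether3": False}


def parse_options(payload):
    """Return {option_code: value} from a DHCP payload (BOOTP header + options)."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP payload")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:          # end option
            break
        if code == 0:            # pad option
            i += 1
            continue
        if i + 2 > len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def parse_option82(value):
    """Decode the sub-options carried inside Option 82."""
    sub, i = {}, 0
    while i + 2 <= len(value):
        code, length = value[i], value[i + 1]
        data = value[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated sub-option")
        sub[SUBOPTION_NAMES.get(code, code)] = data
        i += 2 + length
    return sub


def add_option82(payload, circuit_id, remote_id):
    """Re-encode the options with Option 82 appended (what SW1 does on relay)."""
    opts = parse_options(payload)
    opts[82] = (bytes([1, len(circuit_id)]) + circuit_id
                + bytes([2, len(remote_id)]) + remote_id)
    encoded = b"".join(bytes([c, len(v)]) + v for c, v in opts.items())
    return payload[:240] + encoded + b"\xff"


def snoop(payload, in_port, ports):
    """Apply the page's rules. ports maps port name -> trusted flag.
    Returns (verdict, set of egress ports)."""
    opts = parse_options(payload)
    msg_type = opts[53][0] if opts.get(53) else 0
    is_server = msg_type in SERVER_TYPES
    if not ports[in_port]:
        if is_server:
            return "drop: DHCP server message on untrusted port", set()
        if 82 in opts:
            return "drop: Option 82 present on untrusted port", set()
    others = {p for p in ports if p != in_port}
    if is_server:
        return "forward", others
    # Assumed egress rule: client messages leave through trusted ports only,
    # so a server behind an untrusted port never sees a discovery.
    return "forward", {p for p in others if ports[p]}


def build_dhcp(msg_type, extra_options=b""):
    """Constructed minimal DHCP payload: zeroed BOOTP header plus options."""
    op = 2 if msg_type in SERVER_TYPES else 1
    header = bytes([op, 1, 6, 0]) + bytes(232)
    return header + MAGIC + bytes([53, 1, msg_type]) + extra_options + b"\xff"


DISCOVER = build_dhcp(1)     # constructed client DHCPDISCOVER
ROGUE_OFFER = build_dhcp(2)  # constructed DHCPOFFER arriving on SW2 ether3

if __name__ == "__main__":
    print(snoop(DISCOVER, "ether1", SW1))
    relayed = add_option82(DISCOVER, b"ether1", b"SW1")
    print(snoop(relayed, "ether1", SW2), parse_option82(parse_options(relayed)[82]))
    print(snoop(ROGUE_OFFER, "ether3", SW2))
```

<p>Changing SW2's ether1 to untrusted in the <code>SW2</code> dictionary makes the relayed DISCOVER drop, which is the failure the text warns about for ports that receive messages with Option 82 already added.</p>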
</div></div><p><span style="letter-spacing: 0.0px;">Now both devices will analyze what DHCP messages are received on bridge ports.</span><span style="letter-spacing: 0.0px;"> </span><strong style="letter-spacing: 0.0px;">SW1</strong><span style="letter-spacing: 0.0px;"> </span><span style="letter-spacing: 0.0px;">is responsible for adding and removing the DHCP Option 82.</span><span style="letter-spacing: 0.0px;"> </span><strong style="letter-spacing: 0.0px;">SW2</strong><span style="letter-spacing: 0.0px;"> </span><span style="letter-spacing: 0.0px;">will limit the rogue DHCP server from receiving any discovery messages and drop malicious DHCP server messages from ether3.</span></p><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>Currently, CRS3xx, CRS5xx series switches, CCR2116, CCR2216 routers, and <span style="color: rgb(23,43,77);">88E6393X, 88E6191X, 88E6190 switch chips</span> fully support hardware offloaded DHCP Snooping and Option 82. For CRS1xx and CRS2xx series switches it is possible to use DHCP Snooping along with VLAN switching, but then you need to make sure that DHCP packets are sent out with the correct VLAN tag using egress ACL rules. Other devices are capable of using DHCP Snooping and Option 82 features along with hardware offloading, but you must make sure that there is no VLAN-related configuration applied on the device, otherwise, DHCP Snooping and Option 82 might not work properly. 
See<span> the </span>Bridge Hardware Offloading<span> </span>section with supported features.</p></div></div><div class="confluence-information-macro confluence-information-macro-warning"><span class="aui-icon aui-icon-small aui-iconfont-error confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>For CRS3xx, CRS5xx series switches and CCR2116, CCR2216 routers DHCP snooping will not work when hardware offloaded bonding interfaces are created.</p></div></div><h1 id="BridgingandSwitching-ControllerBridgeandPortExtender">Controller Bridge and Port Extender</h1><hr/><p><span style="color: rgb(23,43,77);">Controller Bridge (CB) and Port Extender (PE) is an IEEE 802.1BR standard implementation in RouterOS for CRS3xx, CRS5xx series switches and CCR2116, CCR2216 routers. It allows virtually extending the CB ports with a PE device and managing these extended interfaces from a single controlling device. Such configuration provides a simplified network topology, flexibility, increased port density, and ease of manageability. See more details in the <a href="https://help.mikrotik.com/docs/display/ROS/Controller+Bridge+and+Port+Extender" rel="nofollow">Controller Bridge and Port Extender manual</a>.</span></p><h1 id="BridgingandSwitching-BridgeFirewall"><span class="mw-headline">Bridge Firewall</span></h1><hr/><p>The bridge firewall implements packet filtering and thereby provides security functions that are used to manage data flow to, from, and through the bridge.</p><p>The <a href="https://help.mikrotik.com/docs/display/ROS/Packet+Flow+in+RouterOS" rel="nofollow">Packet flow diagram</a><span> </span>shows how packets are processed through the router. 
It is possible to force bridge traffic to go through<span> </span><span style="color: rgb(51,153,102);"><code>/ip firewall filter</code></span><span> </span>rules (see the bridge settings).</p><p>There are two bridge firewall tables:</p><ul><li><strong>filter</strong><span> </span>- bridge firewall with three predefined chains:<ul><li><strong>input</strong><span> </span>- filters packets, where the destination is the bridge (including those packets that will be routed, as they are destined to the bridge MAC address anyway)</li><li><strong>output</strong><span> </span>- filters packets, which come from the bridge (including those packets that have been routed normally)</li><li><strong>forward</strong><span> </span>- filters packets, which are to be bridged (note: this chain is not applied to the packets that should be routed through the router, just to those that are traversing between the ports of the same bridge)</li></ul></li><li><strong>nat</strong><span> </span>- bridge network address translation provides ways for changing source/destination MAC addresses of the packets traversing a bridge. It has two built-in chains:<ul><li><strong>srcnat</strong><span> </span>- used for "hiding" a host or a network behind a different MAC address. This chain is applied to the packets leaving the router through a bridged interface</li><li><strong>dstnat</strong><span> </span>- used for redirecting some packets to other destinations</li></ul></li></ul><p>You can put packet marks in the bridge firewall (filter and NAT), which are the same as the packet marks in the IP firewall configured by<span> </span><code>'<span style="color: rgb(51,153,102);">/ip firewall mangle</span>'</code>. In this way, packet marks put by the bridge firewall can be used in the 'IP firewall', and vice versa.</p><p>General bridge firewall properties are described in this section. 
Some parameters that differ between nat and filter rules are described in further sections.</p><p><strong>Sub-menu:</strong><span> </span><code>/interface bridge filter, /interface bridge nat</code></p><div class="table-wrap"><table class="wrapped confluenceTable"><colgroup><col/><col/></colgroup><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>802.3-sap</strong><span> </span>(<em>integer</em>; Default: )</td><td class="confluenceTd">DSAP (Destination Service Access Point) and SSAP (Source Service Access Point) are 2 one-byte fields, which identify the network protocol entities which use the link-layer service. These bytes are always equal. Two hexadecimal digits may be specified here to match an SAP byte.</td></tr><tr><td class="confluenceTd"><strong>802.3-type</strong><span> </span>(<em>integer</em>; Default: )</td><td class="confluenceTd">Ethernet protocol type, placed after the IEEE 802.2 frame header. Works only if 802.3-sap is 0xAA (SNAP - Sub-Network Attachment Point header). For example, AppleTalk can be indicated by the SAP code of 0xAA followed by a SNAP type code of 0x809B.</td></tr><tr><td class="confluenceTd"><strong>action</strong><span> </span>(<em>accept | drop | jump | log | mark-packet | passthrough | return | set-priority</em>; Default: )</td><td class="confluenceTd">Action to take if the packet is matched by the rule:<ul><li>accept<span> </span>- accept the packet. The packet is not passed to the next firewall rule</li><li>drop<span> </span>- silently drop the packet</li><li>jump<span> </span>- jump to the user-defined chain specified by the value of<span> </span><span style="color: rgb(51,153,102);"><code>jump-target</code></span><span> </span>parameter</li><li>log<span> </span>- add a message to the system log containing the following data: in-interface, out-interface, src-mac, protocol, src-ip:port->dst-ip:port and length of the packet. 
After the packet is matched it is passed to the next rule in the list, similar to<span> </span><span style="color: rgb(51,153,102);"><code>passthrough</code></span></li><li>mark-packet<span> </span>- place a mark specified by the new-packet-mark parameter on a packet that matches the rule</li><li>passthrough<span> </span>- if the packet is matched by the rule, increase counter and go to next rule (useful for statistics)</li><li>return<span> </span>- passes control back to the chain from where the jump took place</li><li>set-priority<span> </span>- set priority specified by the new-priority parameter on the packets sent out through a link that is capable of transporting priority (VLAN or WMM-enabled wireless interface).<span> </span><a href="https://help.mikrotik.com/docs/display/ROS/WMM+and+VLAN+priority" rel="nofollow">Read more</a></li></ul></td></tr><tr><td class="confluenceTd"><strong>arp-dst-address</strong><span> </span>(<em>IP address</em>; Default: )</td><td class="confluenceTd">ARP destination IP address.</td></tr><tr><td class="confluenceTd"><strong>arp-dst-mac-address</strong><span> </span>(<em>MAC address</em>; Default: )</td><td class="confluenceTd">ARP destination MAC address.</td></tr><tr><td class="confluenceTd"><strong>arp-gratuitous</strong><span> </span>(<em>yes | no</em>; Default: )</td><td class="confluenceTd">Matches ARP gratuitous packets.</td></tr><tr><td class="confluenceTd"><strong>arp-hardware-type</strong><span> </span>(<em>integer</em>; Default:<span> </span><strong>1</strong>)</td><td class="confluenceTd">ARP hardware type. 
This is normally Ethernet (Type 1).</td></tr><tr><td class="confluenceTd"><strong>arp-opcode</strong><span> </span>(<em>arp-nak | drarp-error | drarp-reply | drarp-request | inarp-reply | inarp-request | reply | reply-reverse | request | request-reverse</em>; Default: )</td><td class="confluenceTd">ARP opcode (packet type)<ul><li>arp-nak<span> </span>- negative ARP reply (rarely used, mostly in ATM networks)</li><li>drarp-error<span> </span>- Dynamic RARP error code, saying that an IP address for the given MAC address cannot be allocated</li><li>drarp-reply<span> </span>- Dynamic RARP reply, with a temporary IP address assignment for a host</li><li>drarp-request<span> </span>- Dynamic RARP request to assign a temporary IP address for the given MAC address</li><li>inarp-reply<span> </span>- InverseARP Reply</li><li>inarp-request<span> </span>- InverseARP Request</li><li>reply<span> </span>- standard ARP reply with a MAC address</li><li>reply-reverse<span> </span>- reverse ARP (RARP) reply with an IP address assigned</li><li>request<span> </span>- standard ARP request to a known IP address to find out the unknown MAC address</li><li>request-reverse<span> </span>- reverse ARP (RARP) request to a known MAC address to find out the unknown IP address (intended to be used by hosts to find out their own IP address, similarly to DHCP service)</li></ul></td></tr><tr><td class="confluenceTd"><strong>arp-packet-type</strong><span> </span>(<em>integer 0..65535 | hex 0x0000-0xffff</em>; Default: )</td><td class="confluenceTd">ARP Packet Type.</td></tr><tr><td class="confluenceTd"><strong>arp-src-address</strong><span> </span>(<em>IP address</em>; Default: )</td><td class="confluenceTd">ARP source IP address.</td></tr><tr><td class="confluenceTd"><strong>arp-src-mac-address</strong><span> </span>(<em>MAC address</em>; Default: )</td><td class="confluenceTd">ARP source MAC address.</td></tr><tr><td class="confluenceTd"><strong>chain</strong><span> </span>(<em>text</em>; Default: 
)</td><td class="confluenceTd">Bridge firewall chain, which the filter is functioning in (either a built-in one, or a user-defined one).</td></tr><tr><td class="confluenceTd"><strong>dst-address</strong><span> </span>(<em>IP address</em>; Default: )</td><td class="confluenceTd">Destination IP address (only if MAC protocol is set to IP).</td></tr><tr><td class="confluenceTd"><strong>dst-address6</strong><span> </span>(<em>IPv6 address</em>; Default: )</td><td class="confluenceTd">Destination IPv6 address (only if MAC protocol is set to IPv6).</td></tr><tr><td class="confluenceTd"><strong>dst-mac-address</strong><span> </span>(<em>MAC address</em>; Default: )</td><td class="confluenceTd">Destination MAC address.</td></tr><tr><td class="confluenceTd"><strong>dst-port</strong><span> </span>(<em>integer 0..65535</em>; Default: )</td><td class="confluenceTd">Destination port number or range (only for TCP or UDP protocols).</td></tr><tr><td class="confluenceTd"><strong>in-bridge</strong><span> </span>(<em>name</em>; Default: )</td><td class="confluenceTd">Bridge interface through which the packet is coming in.</td></tr><tr><td class="confluenceTd"><strong>in-bridge-list</strong><span> </span>(<em>name</em>; Default: )</td><td class="confluenceTd">Set of bridge interfaces defined in<span> </span>interface list. Works the same as<span> </span><span style="color: rgb(51,153,102);"><code>in-bridge</code></span>.</td></tr><tr><td class="confluenceTd"><strong>in-interface</strong><span> </span>(<em>name</em>; Default: )</td><td class="confluenceTd">Physical interface (i.e., bridge port) through which the packet is coming in.</td></tr><tr><td class="confluenceTd"><strong>in-interface-list</strong><span> </span>(<em>name</em>; Default: )</td><td class="confluenceTd">Set of interfaces defined in<span> </span>interface list. 
Works the same as<span> </span><span style="color: rgb(51,153,102);"><code>in-interface</code></span>.</td></tr><tr><td class="confluenceTd"><strong>ingress-priority</strong><span> </span>(<em>integer 0..63</em>; Default: )</td><td class="confluenceTd">Matches the priority of an ingress packet. Priority may be derived from VLAN, WMM, DSCP or MPLS EXP bit.<span> </span><a href="https://help.mikrotik.com/docs/display/ROS/WMM+and+VLAN+priority" rel="nofollow">read more</a></td></tr><tr><td class="confluenceTd"><strong>ip-protocol</strong><span> </span>(<em>dccp | ddp | egp | encap | etherip | ggp | gre | hmp | icmp | icmpv6 | idpr-cmtp | igmp | ipencap | ipip | ipsec-ah | ipsec-esp | ipv6 | ipv6-frag | ipv6-nonxt | ipv6-opts | ipv6-route | iso-tp4 | l2tp | ospf | pim | pup | rdp | rspf | rsvp | sctp | st | tcp | udp | udp-lite | vmtp | vrrp | xns-idp | xtp</em>; Default: )</td><td class="confluenceTd">IP protocol (only if MAC protocol is set to IPv4)<ul><li>dccp<span> </span>- Datagram Congestion Control Protocol</li><li>ddp<span> </span>- Datagram Delivery Protocol</li><li>egp<span> </span>- Exterior Gateway Protocol</li><li>encap<span> </span>- Encapsulation Header</li><li>etherip<span> </span>- Ethernet-within-IP Encapsulation</li><li>ggp<span> </span>- Gateway-to-Gateway Protocol</li><li>gre<span> </span>- Generic Routing Encapsulation</li><li>hmp<span> </span>- Host Monitoring Protocol</li><li>icmp<span> </span>- IPv4 Internet Control Message Protocol</li><li>icmpv6<span> </span>- IPv6 Internet Control Message Protocol</li><li>idpr-cmtp<span> </span>- Inter-Domain Policy Routing Control Message Transport Protocol</li><li>igmp<span> </span>- Internet Group Management Protocol</li><li>ipencap<span> </span>- IP in IP (encapsulation)</li><li>ipip<span> </span>- IP-within-IP Encapsulation Protocol</li><li>ipsec-ah<span> </span>- IPsec Authentication Header</li><li>ipsec-esp<span> </span>- IPsec Encapsulating Security Payload</li><li>ipv6<span> </span>- Internet 
Protocol version 6</li><li>ipv6-frag<span> </span>- Fragment Header for IPv6</li><li>ipv6-nonxt<span> </span>- No Next Header for IPv6</li><li>ipv6-opts<span> </span>- Destination Options for IPv6</li><li>ipv6-route<span> </span>- Routing Header for IPv6</li><li>iso-tp4<span> </span>- ISO Transport Protocol Class 4</li><li>l2tp<span> </span>- Layer Two Tunneling Protocol</li><li>ospf<span> </span>- Open Shortest Path First</li><li>pim<span> </span>- Protocol Independent Multicast</li><li>pup<span> </span>- PARC Universal Packet</li><li>rdp<span> </span>- Reliable Data Protocol</li><li>rspf<span> </span>- Radio Shortest Path First</li><li>rsvp<span> </span>- Reservation Protocol</li><li>sctp<span> </span>- Stream Control Transmission Protocol</li><li>st<span> </span>- Internet Stream Protocol</li><li>tcp<span> </span>- Transmission Control Protocol</li><li>udp<span> </span>- User Datagram Protocol</li><li>udp-lite<span> </span>- Lightweight User Datagram Protocol</li><li>vmtp<span> </span>- Versatile Message Transaction Protocol</li><li>vrrp<span> </span>- Virtual Router Redundancy Protocol</li><li>xns-idp<span> </span>- Xerox Network Systems Internet Datagram Protocol</li><li>xtp<span> </span>- Xpress Transport Protocol</li></ul></td></tr><tr><td class="confluenceTd"><strong>jump-target</strong><span> </span>(<em>name</em>; Default: )</td><td class="confluenceTd">If<span> </span><span style="color: rgb(51,153,102);"><code>action=jump</code></span><span> </span>specified, then specifies the user-defined firewall chain to process the packet.</td></tr><tr><td class="confluenceTd"><strong>limit</strong><span> </span>(<em>integer/time,integer</em>; Default: )</td><td class="confluenceTd">Restricts packet match rate to a given limit.<ul><li>count<span> </span>- maximum average packet rate, measured in packets per second (pps), unless followed by Time option</li><li>time<span> </span>- specifies the time interval over which the packet rate is measured</li><li>burst<span> 
</span>- number of packets to match in a burst</li></ul></td></tr><tr><td style="text-align: left;vertical-align: top;" class="confluenceTd"><strong>log </strong>(<em>yes | no; Default:<span> </span></em><strong>no</strong>)</td><td style="text-align: left;vertical-align: top;" class="confluenceTd"><span style="color: rgb(23,43,77);">Add a message to the system log containing the following data: in-interface, out-interface, src-mac, dst-mac, eth-protocol, ip-protocol, src-ip:port->dst-ip:port, and length of the packet.</span></td></tr><tr><td class="confluenceTd"><strong>log-prefix</strong><span> </span>(<em>text</em>; Default: )</td><td class="confluenceTd">Defines the prefix to be printed before the logging information.</td></tr><tr><td class="confluenceTd"><strong>mac-protocol</strong><span> </span>(<em>802.2 | arp | homeplug-av | ip | ipv6 | ipx | length | lldp | loop-protect | mpls-multicast | mpls-unicast | packing-compr | packing-simple | pppoe | pppoe-discovery | rarp | service-vlan | vlan | integer 0..65535 | hex 0x0000-0xffff</em>; Default: )</td><td class="confluenceTd">Ethernet payload type (MAC-level protocol). 
To match protocol type for VLAN encapsulated frames (0x8100 or 0x88a8), a<span> </span>vlan-encap<span> </span>property should be used.<ul><li>802.2<span> </span>- 802.2 Frames (0x0004)</li><li>arp<span> </span>- Address Resolution Protocol (0x0806)</li><li>homeplug-av<span> </span>- HomePlug AV MME (0x88E1)</li><li>ip<span> </span>- Internet Protocol version 4 (0x0800)</li><li>ipv6<span> </span>- Internet Protocol Version 6 (0x86DD)</li><li>ipx<span> </span>- Internetwork Packet Exchange (0x8137)</li><li>length<span> </span>- Packets with length field (0x0000-0x05DC)</li><li>lldp<span> </span>- Link Layer Discovery Protocol (0x88CC)</li><li>loop-protect<span> </span>- Loop Protect Protocol (0x9003)</li><li>mpls-multicast<span> </span>- MPLS multicast (0x8848)</li><li>mpls-unicast<span> </span>- MPLS unicast (0x8847)</li><li>packing-compr<span> </span>- Encapsulated packets with compressed<span> </span><a class="external-link" href="https://wiki.mikrotik.com/wiki/Manual:IP/Packing" rel="nofollow" style="text-decoration: none;" title="Manual:IP/Packing">IP packing</a><span> </span>(0x9001)</li><li>packing-simple<span> </span>- Encapsulated packets with simple<span> </span><a class="external-link" href="https://wiki.mikrotik.com/wiki/Manual:IP/Packing" rel="nofollow" style="text-decoration: none;" title="Manual:IP/Packing">IP packing</a><span> </span>(0x9000)</li><li>pppoe<span> </span>- PPPoE Session Stage (0x8864)</li><li>pppoe-discovery<span> </span>- PPPoE Discovery Stage (0x8863)</li><li>rarp<span> </span>- Reverse Address Resolution Protocol (0x8035)</li><li>service-vlan<span> </span>- Provider Bridging (IEEE 802.1ad) & Shortest Path Bridging IEEE 802.1aq (0x88A8)</li><li>vlan<span> </span>- VLAN-tagged frame (IEEE 802.1Q) and Shortest Path Bridging IEEE 802.1aq with NNI compatibility (0x8100)</li></ul></td></tr><tr><td style="text-align: left;vertical-align: top;" class="confluenceTd"><strong>new-packet-mark</strong><span> </span>(<em>string</em>; Default: 
)</td><td style="text-align: left;vertical-align: top;" class="confluenceTd">Sets a new packet-mark value.</td></tr><tr><td style="text-align: left;vertical-align: top;" class="confluenceTd"><strong>new-priority</strong><span> </span>(<em>integer | from-ingress</em>; Default: )</td><td style="text-align: left;vertical-align: top;" class="confluenceTd">Sets a new priority for a packet. This can be the VLAN, WMM or MPLS EXP priority<span> </span><a href="https://help.mikrotik.com/docs/display/ROS/WMM+and+VLAN+priority" rel="nofollow">Read more</a>. This property can also be used to set an internal priori</td></tr><tr><td class="confluenceTd"><strong>out-bridge</strong><span> </span>(<em>name</em>; Default: )</td><td class="confluenceTd">Outgoing bridge interface.</td></tr><tr><td class="confluenceTd"><strong>out-bridge-list</strong><span> </span>(<em>name</em>; Default: )</td><td class="confluenceTd">Set of bridge interfaces defined in<span> </span>interface list. Works the same as<span> </span><span style="color: rgb(51,153,102);"><code>out-bridge</code></span>.</td></tr><tr><td class="confluenceTd"><strong>out-interface</strong><span> </span>(<em>name</em>; Default: )</td><td class="confluenceTd">Interface that the packet is leaving the bridge through.</td></tr><tr><td class="confluenceTd"><strong>out-interface-list</strong><span> </span>(<em>name</em>; Default: )</td><td class="confluenceTd">Set of interfaces defined in<span> </span><a href="https://help.mikrotik.com/docs/display/ROS/List" rel="nofollow">interface list</a>. 
Works the same as<span> </span><span style="color: rgb(51,153,102);"><code>out-interface</code></span>.</td></tr><tr><td class="confluenceTd"><strong>packet-mark</strong><span> </span>(<em>name</em>; Default: )</td><td class="confluenceTd">Match packets with a certain packet mark.</td></tr><tr><td class="confluenceTd"><strong>packet-type</strong><span> </span>(<em>broadcast | host | multicast | other-host</em>; Default: )</td><td class="confluenceTd">MAC frame type:<ul><li>broadcast<span> </span>- broadcast MAC packet</li><li>host<span> </span>- packet is destined to the bridge itself</li><li>multicast<span> </span>- multicast MAC packet</li><li>other-host<span> </span>- packet is destined to some other unicast address, not to the bridge itself</li></ul></td></tr><tr><td class="confluenceTd"><strong>src-address</strong><span> </span>(<em>IP address</em>; Default: )</td><td class="confluenceTd">Source IP address (only if MAC protocol is set to IPv4).</td></tr><tr><td class="confluenceTd"><strong>src-address6</strong><span> </span>(<em>IPv6 address</em>; Default: )</td><td class="confluenceTd">Source IPv6 address (only if MAC protocol is set to IPv6).</td></tr><tr><td class="confluenceTd"><strong>src-mac-address</strong><span> </span>(<em>MAC address</em>; Default: )</td><td class="confluenceTd">Source MAC address.</td></tr><tr><td class="confluenceTd"><strong>src-port</strong><span> </span>(<em>integer 0..65535</em>; Default: )</td><td class="confluenceTd">Source port number or range (only for TCP or UDP protocols).</td></tr><tr><td class="confluenceTd"><strong>stp-flags</strong><span> </span>(<em>topology-change | topology-change-ack</em>; Default: )</td><td class="confluenceTd">The BPDU (Bridge Protocol Data Unit) flags. 
Bridges periodically exchange configuration messages called BPDUs to prevent loops<ul><li>topology-change<span> </span>- topology change flag is set when a bridge detects port state change, to force all other bridges to drop their host tables and recalculate network topology</li><li>topology-change-ack<span> </span>- topology change acknowledgment flag is sent in replies to the notification packets</li></ul></td></tr><tr><td class="confluenceTd"><strong>stp-forward-delay</strong><span> </span>(<em>integer 0..65535</em>; Default: )</td><td class="confluenceTd">Forward delay timer.</td></tr><tr><td class="confluenceTd"><strong>stp-hello-time</strong><span> </span>(<em>integer 0..65535</em>; Default: )</td><td class="confluenceTd">STP hello packets time.</td></tr><tr><td class="confluenceTd"><strong>stp-max-age</strong><span> </span>(<em>integer 0..65535</em>; Default: )</td><td class="confluenceTd">Maximal STP message age.</td></tr><tr><td class="confluenceTd"><strong>stp-msg-age</strong><span> </span>(<em>integer 0..65535</em>; Default: )</td><td class="confluenceTd">STP message age.</td></tr><tr><td class="confluenceTd"><strong>stp-port</strong><span> </span>(<em>integer 0..65535</em>; Default: )</td><td class="confluenceTd">STP port identifier.</td></tr><tr><td class="confluenceTd"><strong>stp-root-address</strong><span> </span>(<em>MAC address</em>; Default: )</td><td class="confluenceTd">Root bridge MAC address.</td></tr><tr><td class="confluenceTd"><strong>stp-root-cost</strong><span> </span>(<em>integer 0..65535</em>; Default: )</td><td class="confluenceTd">Root bridge cost.</td></tr><tr><td class="confluenceTd"><strong>stp-root-priority</strong><span> </span>(<em>integer 0..65535</em>; Default: )</td><td class="confluenceTd">Root bridge priority.</td></tr><tr><td class="confluenceTd"><strong>stp-sender-address</strong><span> </span>(<em>MAC address</em>; Default: )</td><td class="confluenceTd">STP message sender MAC address.</td></tr><tr><td 
class="confluenceTd"><strong>stp-sender-priority</strong><span> </span>(<em>integer 0..65535</em>; Default: )</td><td class="confluenceTd">STP sender priority.</td></tr><tr><td class="confluenceTd"><strong>stp-type</strong><span> </span>(<em>config | tcn</em>; Default: )</td><td class="confluenceTd">The BPDU type:<ul><li>config<span> </span>- configuration BPDU</li><li>tcn<span> </span>- topology change notification</li></ul></td></tr><tr><td class="confluenceTd"><strong>tls-host</strong><span> </span>(<em>string</em>; Default: )</td><td class="confluenceTd">Allows matching HTTPS traffic based on TLS SNI hostname. Accepts<span> </span><a class="external-link" href="https://en.wikipedia.org/wiki/Glob_(programming)" rel="nofollow" style="text-decoration: none;">GLOB syntax</a><span> </span>for wildcard matching. Note that the matcher will not be able to match the hostname if the TLS handshake frame is fragmented into multiple TCP segments (packets).</td></tr><tr><td class="confluenceTd"><strong>vlan-encap</strong><span> </span>(<em>802.2 | arp | ip | ipv6 | ipx | length | mpls-multicast | mpls-unicast | pppoe | pppoe-discovery | rarp | vlan | integer 0..65535 | hex 0x0000-0xffff</em>; Default: )</td><td class="confluenceTd">Matches the MAC protocol type encapsulated in the VLAN frame.</td></tr><tr><td class="confluenceTd"><strong>vlan-id</strong><span> </span>(<em>integer 0..4095</em>; Default: )</td><td class="confluenceTd">Matches the VLAN identifier field.</td></tr><tr><td class="confluenceTd"><strong>vlan-priority</strong><span> </span>(<em>integer 0..7</em>; Default: )</td><td class="confluenceTd">Matches the VLAN priority (priority code point)</td></tr></tbody></table></div><p><span class="mw-headline">Footnotes:</span></p><ul><li>STP matchers are only valid if the destination MAC address is <code>01:80:C2:00:00:00/FF:FF:FF:FF:FF:FF</code> (Bridge Group address), also STP should be enabled.</li></ul><ul><li>ARP matchers are only valid if<span> </span>mac-protocol<span> 
</span>is<span> </span><span style="color: rgb(0,0,0);"><code>arp</code> </span>or<span> </span><span style="color: rgb(0,0,0);"><code>rarp</code></span></li></ul><ul><li>VLAN matchers are only valid for<span> </span><code>0x8100</code><span> </span>or<span> </span><code>0x88a8</code><span> </span>ethernet protocols</li></ul><ul><li>IP or IPv6 related matchers are only valid if<span> </span>mac-protocol<span> </span>is either set to<span> </span><code>ip</code><span> </span>or<span> </span><code>ipv6</code></li></ul><ul><li>802.3 matchers are only consulted if the actual frame is compliant with IEEE 802.2 and IEEE 802.3 standards. These matchers are ignored for other packets.</li></ul><h2 id="BridgingandSwitching-BridgePacketFilter"><span class="mw-headline">Bridge Packet Filter</span></h2><p><span class="mw-headline">This section describes specific bridge filter options.</span></p><p><strong>Sub-menu:</strong><span> </span><code>/interface bridge filter</code></p><div class="table-wrap"><table class="wrapped confluenceTable"><colgroup><col/><col/></colgroup><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>action</strong><span> </span>(<em>accept | drop | jump | log | mark-packet | passthrough | return | set-priority</em>; Default:<span> </span><strong>accept</strong>)</td><td class="confluenceTd">Action to take if the packet is matched by the rule:<ul><li>accept<span> </span>- accept the packet. 
No action, i.e., the packet is passed through without undertaking any action, and no more rules are processed in the relevant list/chain</li><li>drop<span> </span>- silently drop the packet (without sending the ICMP reject message)</li><li>jump<span> </span>- jump to the chain specified by the value of the jump-target argument</li><li>log<span> </span>- add a message to the system log containing the following data: in-interface, out-interface, src-mac, dst-mac, eth-proto, protocol, src-ip:port->dst-ip:port and length of the packet. After the packet is matched it is passed to the next rule in the list, similar to passthrough</li><li>mark<span> </span>- mark the packet to use the mark later</li><li>passthrough<span> </span>- ignore this rule and go on to the next one. Acts the same way as a disabled rule, except for the ability to count packets</li><li>return<span> </span>- return to the previous chain, from where the jump took place</li><li>set-priority<span> </span>- set priority specified by the new-priority parameter on the packets sent out through a link that is capable of transporting priority (VLAN or WMM-enabled wireless interface).<span> </span><a href="https://help.mikrotik.com/docs/display/ROS/WMM+and+VLAN+priority" rel="nofollow">Read more</a></li></ul></td></tr></tbody></table></div><h2 id="BridgingandSwitching-BridgeNAT"><span class="mw-headline">Bridge NAT</span></h2><p><span class="mw-headline">This section describes specific bridge NAT options.</span></p><p><strong>Sub-menu:</strong><span> </span><code>/interface bridge nat</code></p><div class="table-wrap"><table class="wrapped confluenceTable"><colgroup><col/><col/></colgroup><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>action</strong><span> </span>(<em>accept | drop | jump | mark-packet | redirect | set-priority | arp-reply | dst-nat | log | passthrough | return | src-nat</em>; Default:<span> 
</span><strong>accept</strong>)</td><td class="confluenceTd">Action to take if the packet is matched by the rule:<ul><li>accept<span> </span>- accept the packet. No action, i.e., the packet is passed through without undertaking any action, and no more rules are processed in the relevant list/chain</li><li>arp-reply<span> </span>- send a reply to an ARP request (any other packets will be ignored by this rule) with the specified MAC address (only valid in dstnat chain)</li><li>drop<span> </span>- silently drop the packet (without sending the ICMP reject message)</li><li>dst-nat<span> </span>- change destination MAC address of a packet (only valid in dstnat chain)</li><li>jump<span> </span>- jump to the chain specified by the value of the jump-target argument</li><li>log<span> </span>- log the packet</li><li>mark<span> </span>- mark the packet to use the mark later</li><li>passthrough<span> </span>- ignore this rule and go on to the next one. Acts the same way as a disabled rule, except for the ability to count packets</li><li>redirect<span> </span>- redirect the packet to the bridge itself (only valid in dstnat chain)</li><li>return<span> </span>- return to the previous chain, from where the jump took place</li><li>set-priority<span> </span>- set priority specified by the new-priority parameter on the packets sent out through a link that is capable of transporting priority (VLAN or WMM-enabled wireless interface).<span> </span><a href="https://help.mikrotik.com/docs/display/ROS/WMM+and+VLAN+priority" rel="nofollow">Read more</a></li><li>src-nat<span> </span>- change source MAC address of a packet (only valid in srcnat chain)</li></ul></td></tr><tr><td class="confluenceTd"><strong>to-arp-reply-mac-address</strong><span> </span>(<em>MAC address</em>; Default: )</td><td class="confluenceTd">Source MAC address to put in Ethernet frame and ARP payload, when<span> </span><span style="color: rgb(51,153,102);"><code>action=arp-reply</code></span><span> </span>is 
selected</td></tr><tr><td class="confluenceTd"><strong>to-dst-mac-address</strong><span> </span>(<em>MAC address</em>; Default: )</td><td class="confluenceTd">Destination MAC address to put in Ethernet frames, when<span> </span><span style="color: rgb(51,153,102);"><code>action=dst-nat</code></span><span> </span>is selected</td></tr><tr><td class="confluenceTd"><strong>to-src-mac-address</strong><span> </span>(<em>MAC address</em>; Default: )</td><td class="confluenceTd">Source MAC address to put in Ethernet frames, when<span> </span><span style="color: rgb(51,153,102);"><code>action=src-nat</code></span><span> </span>is selected</td></tr></tbody></table></div><h1 id="BridgingandSwitching-Seealso"><span class="mw-headline">See also</span></h1><hr/><ul><li><a href="https://help.mikrotik.com/docs/pages/viewpage.action?pageId=103841835" rel="nofollow">CRS1xx/2xx series switches</a></li><li><a href="https://help.mikrotik.com/docs/display/ROS/CRS3xx%2C+CRS5xx%2C+CCR2116%2C+CCR2216+switch+chip+features" rel="nofollow">CRS3xx, CRS5xx series switches, and CCR2116, CCR2216 routers</a></li><li><a href="https://help.mikrotik.com/docs/display/ROS/Switch+Chip+Features" rel="nofollow">Switch chip features</a></li><li><a href="https://help.mikrotik.com/docs/display/ROS/MTU+in+RouterOS" rel="nofollow">MTU on RouterBOARD</a></li><li><a href="https://help.mikrotik.com/docs/display/ROS/Layer2+misconfiguration" rel="nofollow">Layer2 misconfiguration</a></li><li><a href="https://help.mikrotik.com/docs/display/ROS/Bridge+VLAN+Table" rel="nofollow">Bridge VLAN Table</a></li><li><a class="external-link" href="https://wiki.mikrotik.com/wiki/Manual:Wireless_VLAN_Trunk" rel="nofollow" style="text-decoration: none;" title="Manual:Wireless VLAN Trunk">Wireless VLAN Trunk</a></li><li><a class="external-link" href="https://wiki.mikrotik.com/wiki/Manual:VLANs_on_Wireless" rel="nofollow" style="text-decoration: none;" title="Manual:VLANs on Wireless">VLANs on Wireless</a></li></ul></div>
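<p>The footnotes of the Bridge Firewall property table above say that ARP, VLAN, IP/IPv6 and STP matchers are only valid when the rule also matches the corresponding frame type. The following Python linter is an added example, not part of the MikroTik manual or RouterOS: it checks rule lines for matchers whose precondition is missing. The rule lines, interface names and addresses are constructed, and it assumes rules written as plain <code>add key=value</code> lines without negation.</p>

```python
import shlex

# Preconditions taken from the footnotes and property descriptions on this page.
ARP_PROTOS = {"arp", "rarp", "0x0806", "0x8035"}
VLAN_PROTOS = {"vlan", "service-vlan", "0x8100", "0x88a8"}
IPV4_PROTOS = {"ip", "0x0800"}
IPV6_PROTOS = {"ipv6", "0x86dd"}
STP_GROUP_MAC = "01:80:c2:00:00:00/ff:ff:ff:ff:ff:ff"

IPV4_KEYS = {"src-address", "dst-address", "ip-protocol"}
IPV6_KEYS = {"src-address6", "dst-address6"}
PORT_KEYS = {"src-port", "dst-port"}
VLAN_KEYS = {"vlan-encap", "vlan-id", "vlan-priority"}

# Constructed sample rules (not taken from any real device).
SAMPLE_EXPORT = """\
/interface bridge filter
add chain=forward action=drop in-interface=ether2 arp-opcode=reply arp-src-address=192.168.88.1
add chain=forward action=drop in-interface=ether2 mac-protocol=arp arp-opcode=reply arp-src-address=192.168.88.1
add chain=forward action=drop mac-protocol=ip dst-port=23
add chain=forward action=log mac-protocol=ip ip-protocol=tcp dst-port=23 log-prefix="telnet "
add chain=input action=drop in-interface=ether3 stp-type=tcn
add chain=forward action=drop vlan-id=99
"""


def parse_rule(line):
    """Split one 'add key=value ...' line into a dict of rule properties."""
    props = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            props[key] = value
    return props


def lint_rule(props):
    """Return findings for matchers whose documented precondition is not set."""
    findings = []
    keys = set(props)
    proto = props.get("mac-protocol", "").lower()

    def require(used, satisfied, message):
        if used and not satisfied:
            findings.append("%s: %s" % (", ".join(sorted(used)), message))

    require({k for k in keys if k.startswith("arp-")}, proto in ARP_PROTOS,
            "ARP matchers need mac-protocol=arp or rarp")
    require(keys & VLAN_KEYS, proto in VLAN_PROTOS,
            "VLAN matchers need mac-protocol 0x8100 or 0x88a8")
    require(keys & IPV4_KEYS, proto in IPV4_PROTOS,
            "IPv4 matchers need mac-protocol=ip")
    require(keys & IPV6_KEYS, proto in IPV6_PROTOS,
            "IPv6 matchers need mac-protocol=ipv6")
    require(keys & PORT_KEYS, props.get("ip-protocol") in ("tcp", "udp"),
            "port matchers apply only to TCP or UDP")
    require({k for k in keys if k.startswith("stp-")},
            props.get("dst-mac-address", "").lower() == STP_GROUP_MAC,
            "STP matchers need the Bridge Group destination MAC (and STP enabled)")
    return findings


def lint_ruleset(export_text):
    """Lint every 'add' line; returns (line_number, finding) pairs."""
    results = []
    for number, line in enumerate(export_text.splitlines(), 1):
        line = line.strip()
        if not line.startswith("add "):
            continue
        for finding in lint_rule(parse_rule(line)):
            results.append((number, finding))
    return results


if __name__ == "__main__":
    for number, finding in lint_ruleset(SAMPLE_EXPORT):
        print("line %d: %s" % (number, finding))
```

<p>Rules on lines 2, 4, 6 and 7 of the constructed sample are reported; the rules on lines 3 and 5 carry the required <code>mac-protocol</code> and <code>ip-protocol</code> values and pass.</p>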
</div>
</div>
</div>
</div>
</div>Guntis G.2019-09-30T09:58:39ZInterface ListsGuntis G.tag:help.mikrotik.com,2009:page-47579180-82024-03-26T15:21:17Z2020-12-07T10:30:17Z<div class="feed"> <p>
Page
<b>edited</b> by
<a href=" https://help.mikrotik.com/docs/display/~guntis
">Guntis G.</a>
</p>
<div style="border-top: 1px solid #ddd; border-bottom: 1px solid #ddd; padding: 10px;">
<p><div class='toc-macro rbtoc1711701163725'>
</div></p><h1 id="InterfaceLists-Summary">Summary</h1><p>Allows defining a set of interfaces for easier interface management in the different interface-based configuration sections such as Neighbor Discovery, Firewall, Bridge, and Internet Detect. </p><h1 id="InterfaceLists-Lists">Lists</h1><p><strong>Sub-menu:</strong> <code>/interface list<br/></code></p><p>This menu contains information about all interface lists available on the router. There are four predefined lists - <span style="color: rgb(51,153,102);"><code>all </code></span>(contains all interfaces), <code><span style="color: rgb(51,153,102);">none</span></code><em> </em>(contains no interfaces), <code><span style="color: rgb(51,153,102);">dynamic</span></code><em> </em>(contains dynamic interfaces), and <code><span style="color: rgb(51,153,102);">static</span></code><em> </em>(contains static interfaces). It is also possible to create additional interface lists.</p><div class="confluence-information-macro confluence-information-macro-information"><span class="aui-icon aui-icon-small aui-iconfont-info confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>Dynamic interfaces are interfaces that have a "dynamic" flag. Any interface that doesn't have a dynamic flag will be part of the <code><span style="color: rgb(51,153,102);">static</span></code> interface list.</p></div></div><p><br/></p><div class="table-wrap"><table class="wrapped relative-table confluenceTable" style="width: 100.0%;"><colgroup><col style="width: 7.86263%;"/><col style="width: 92.1374%;"/></colgroup><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>name</strong> (<em>string</em>)</td><td class="confluenceTd">Name of the interface list</td></tr><tr><td class="confluenceTd"><strong>include</strong> (<em>string</em>)</td><td class="confluenceTd">Defines the interface lists whose members are included in this list. 
It is possible to add multiple lists separated by commas</td></tr><tr><td class="confluenceTd"><strong>exclude</strong> (<em>string</em>)</td><td class="confluenceTd">Defines interface list which members are excluded from the list. It is possible to add multiple lists separated by commas</td></tr></tbody></table></div><p><br/>Members are added to the interface list in the following order:</p><ol><li>include members are added to the interface list</li><li>exclude members are removed from the list</li><li>Statically configured members are added to the list</li></ol><h1 id="InterfaceLists-Members">Members</h1><p><strong>Sub-menu:</strong> <code>/interface list member</code></p><p>This sub-menu contains information about statically configured interface members to each interface list. Note that dynamically added interfaces by include and exclude statements are not represented in this sub-menu.</p><div class="table-wrap"><table class="wrapped relative-table confluenceTable" style="width: 99.9097%;"><colgroup><col style="width: 7.86974%;"/><col style="width: 92.1303%;"/></colgroup><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>interface</strong> (<em>string</em>)</td><td class="confluenceTd">Name of the interface</td></tr><tr><td class="confluenceTd"><strong>list</strong> (<em>string</em>)</td><td class="confluenceTd">Name of the interface list</td></tr></tbody></table></div><p><br/></p><div class="confluence-information-macro confluence-information-macro-information"><span class="aui-icon aui-icon-small aui-iconfont-info confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>Care must be taken when working with bridges and lists. Adding a bridge as a member is not the same as adding all its ports! And adding all slave ports as members is not the same as adding the bridge itself. 
This can particularly impact functionality of neighbor discovery.</p></div></div><p><br/></p>
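<p>The membership order described above (include, then exclude, then static members) decides which interfaces a firewall or neighbor-discovery rule that references a list really covers. The following Python model is an added example, not RouterOS code or part of the original page: the interface names, list names and the <code>readded_after_exclude</code> audit helper are constructed for illustration, and it assumes that an included or excluded list contributes its own effective members.</p>

```python
"""Model of RouterOS interface-list resolution: include -> exclude -> static."""

# Constructed sample router: interface name -> has the "dynamic" flag
INTERFACES = {
    "ether1": False, "ether2": False, "ether3": False,
    "bridge1": False, "dyn-tunnel1": True,
}
# /interface list entries (include/exclude name other lists)
LISTS = {
    "WAN": {},
    "LAN": {},
    "TRUSTED": {"include": ["static"], "exclude": ["WAN"]},
}
# /interface list member entries (statically configured members)
STATIC_MEMBERS = {
    "WAN": {"ether1"},
    "LAN": {"bridge1"},      # the bridge itself, not its ports ether2/ether3
    "TRUSTED": {"ether1"},   # static entry that undoes exclude=WAN
}


def resolve(name, lists, static_members, interfaces, stack=()):
    """Return the effective member set of interface list `name`."""
    if name in stack:
        raise ValueError("cyclic list reference: " + " -> ".join(stack + (name,)))
    # The four predefined lists
    if name == "all":
        return set(interfaces)
    if name == "none":
        return set()
    if name == "dynamic":
        return {i for i, dyn in interfaces.items() if dyn}
    if name == "static":
        return {i for i, dyn in interfaces.items() if not dyn}
    if name not in lists:
        raise KeyError("unknown interface list: " + name)

    spec = lists[name]
    stack = stack + (name,)
    members = set()
    # 1. include members are added
    for inc in spec.get("include", ()):
        members |= resolve(inc, lists, static_members, interfaces, stack)
    # 2. exclude members are removed
    for exc in spec.get("exclude", ()):
        members -= resolve(exc, lists, static_members, interfaces, stack)
    # 3. statically configured members are added last, so they win over exclude
    members |= static_members.get(name, set())
    return members


def readded_after_exclude(name, lists, static_members, interfaces):
    """Interfaces that an exclude removes but a static member entry puts back."""
    excluded = set()
    for exc in lists[name].get("exclude", ()):
        excluded |= resolve(exc, lists, static_members, interfaces, (name,))
    return excluded & static_members.get(name, set())


if __name__ == "__main__":
    for lst in LISTS:
        print(lst, sorted(resolve(lst, LISTS, STATIC_MEMBERS, INTERFACES)))
    print("re-added despite exclude:",
          sorted(readded_after_exclude("TRUSTED", LISTS, STATIC_MEMBERS, INTERFACES)))
```

<p>In the sample data, ether1 stays in TRUSTED even though WAN is excluded, and the bridge ports ether2 and ether3 are not members of LAN because only bridge1 was added.</p>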
</div>
</div>Guntis G.2020-12-07T10:30:17ZLTEEmīls T.tag:help.mikrotik.com,2009:page-30146563-752024-03-26T14:41:30Z2020-06-04T10:53:24Z<div class="feed"> <p>
Page
<b>edited</b> by
<a href=" https://help.mikrotik.com/docs/display/~emilst
">Emīls T.</a>
</p>
<div style="border-top: 1px solid #ddd; border-bottom: 1px solid #ddd; padding: 10px;">
<h2 id="LTE-Summary"><span class="mw-headline"><style type='text/css'>/*<![CDATA[*/
div.rbtoc1711701163802 {padding: 0px;}
div.rbtoc1711701163802 ul {margin-left: 0px;}
div.rbtoc1711701163802 li {margin-left: 0px;padding-left: 0px;}
/*]]>*/</style><div class='toc-macro rbtoc1711701163802'>
<ul class='toc-indentation'>
<li><a href='#LTE-Summary'>Summary</a></li>
<li><a href='#LTE-LTEClient'>LTE Client</a>
<ul class='toc-indentation'>
<li><a href='#LTE-Properties'>Properties</a></li>
<li><a href='#LTE-APNprofiles'>APN profiles</a></li>
<li><a href='#LTE-LTEsettings'>LTE settings</a></li>
<li><a href='#LTE-Scanner'>Scanner</a></li>
<li><a href='#LTE-UserInfocommand'>User Info command</a>
<ul class='toc-indentation'>
<li><a href='#LTE-Properties(Upto6.40)'>Properties (Up to 6.40)</a></li>
</ul>
</li>
<li><a href='#LTE-Userat-chatcommand'>User at-chat command</a></li>
</ul>
</li>
<li><a href='#LTE-Quicksetupexample'>Quick setup example</a></li>
<li><a href='#LTE-PassthroughExample'>Passthrough Example</a></li>
<li><a href='#LTE-DualSIM'>Dual SIM</a>
<ul class='toc-indentation'>
<li><a href='#LTE-BoardswithswitchableSIMslots'>Boards with switchable SIM slots</a></li>
<li><a href='#LTE-UsageExample'>Usage Example</a></li>
</ul>
</li>
<li><a href='#LTE-TipsandTricks'>Tips and Tricks</a>
<ul class='toc-indentation'>
<li><a href='#LTE-FinddevicelocationusingCellinformation'>Find device location using Cell information</a></li>
<li><a href='#LTE-UsingCelllock'>Using Cell lock</a></li>
<li><a href='#LTE-CellMonitor'>Cell Monitor</a></li>
</ul>
</li>
<li><a href='#LTE-Troubleshooting'>Troubleshooting</a>
<ul class='toc-indentation'>
<li><a href='#LTE-LockingbandonHuaweiandothermodems'>Locking band on Huawei and other modems</a></li>
<li><a href='#LTE-mPCIemodemswithRB9xxseriesdevices'>mPCIe modems with RB9xx series devices</a></li>
<li><a href='#LTE-BoardswithUSB-AportandmPCIe'>Boards with USB-A port and mPCIe</a></li>
<li><a href='#LTE-Modemfirmwareupgrade'>Modem firmware upgrade</a></li>
<li><a href='#LTE-Avoidingtetheringspeedthrottling'>Avoiding tethering speed throttling</a></li>
<li><a href='#LTE-UnlockingSIMcardaftermultiplewrongPINcodeattempts'>Unlocking SIM card after multiple wrong PIN code attempts</a></li>
</ul>
</li>
</ul>
</div><br/>Summary</span></h2><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">Package: system</pre>
</div></div><p>Only Direct-IP mode cards are supported. MBIM support is available in RouterOS v7 releases, where the MBIM driver is loaded automatically. If a modem is not recognized in RouterOS v6, please test it in v7 releases before asking for support in RouterOS v6.</p><p>To enable access via a PPP interface instead of an LTE interface, change the direct IP mode with the <code>/port firmware set ignore-directip-modem=yes</code> command and reboot. Note that in PPP emulation mode you may not get the same throughput as with the LTE interface emulation type. </p><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>In RouterOS v7 the ignore-directip-modem parameter is renamed to "mode" and moved to the <code>/interface lte settings</code> menu.</p></div></div><h2 id="LTE-LTEClient"><span class="mw-headline">LTE Client</span></h2><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">Sub-menu: /interface lte</pre>
</div></div><h3 id="LTE-Properties"><span class="mw-headline">Properties</span></h3><div class="table-wrap"><table class="wrapped confluenceTable"><colgroup><col/><col/></colgroup><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>allow-roaming</strong> (<em>yes | no</em>; Default: <strong>no</strong>)</td><td class="confluenceTd">Enable data roaming for connecting to other countries data-providers. Not all LTE modems support this feature. Some modems, that do not fully support this feature, will connect to the network but will not establish an IP data connection with allow-roaming set to no.</td></tr><tr><td class="confluenceTd"><strong>apn-profiles</strong> (<em>string</em>; Default: <strong>default</strong>)</td><td class="confluenceTd">Which APN profile to use for this interface</td></tr><tr><td class="confluenceTd"><strong>band</strong> (<em>integer list</em>; Default: <strong>""</strong>)</td><td class="confluenceTd">LTE Frequency band used in communication <code><a class="external-link" href="https://en.wikipedia.org/wiki/LTE_frequency_bands#Frequency_bands_and_channel_bandwidths" rel="nofollow">LTE Bands and bandwidths</a></code></td></tr><tr><td class="confluenceTd"><strong>nr-band </strong>(<em>integer list</em>; Default: "")</td><td class="confluenceTd">5G NR Frequency band used in communication <code><a class="external-link" href="https://en.wikipedia.org/wiki/5G_NR_frequency_bands" rel="nofollow">5G NR Bands and bandwidths</a></code></td></tr><tr><td class="confluenceTd"><strong>comment</strong> (<em>string</em>; Default: <strong>""</strong>)</td><td class="confluenceTd">Descriptive name of an item</td></tr><tr><td class="confluenceTd"><strong>disabled</strong> (<em>yes | no</em>; Default: <strong>yes</strong>)</td><td class="confluenceTd">Whether interface is disabled or not. 
By default it is disabled.</td></tr><tr><td class="confluenceTd"><strong>modem-init</strong> (<em>string</em>; Default: <strong>""</strong>)</td><td class="confluenceTd">Modem init string (AT command that will be executed at modem startup)</td></tr><tr><td class="confluenceTd"><strong>mtu</strong> (<em>integer</em>; Default: <strong>1500</strong>)</td><td class="confluenceTd">Maximum Transmission Unit. The maximum packet size that the LTE interface can send without packet fragmentation.</td></tr><tr><td class="confluenceTd"><strong>name</strong> (<em>string</em>; Default: <strong>""</strong>)</td><td class="confluenceTd">Descriptive name of the interface.</td></tr><tr><td class="confluenceTd"><strong>network-mode</strong> (<em>3g | gsm | lte | 5g</em>)</td><td class="confluenceTd">Select/force the mode in which the LTE interface operates</td></tr><tr><td class="confluenceTd"><strong>operator</strong> (<em>integer</em>; Default: <strong>""</strong>)</td><td class="confluenceTd">Used to lock the device to a specific operator. The full PLMN number, consisting of MCC+MNC, is used for the lock. <a class="external-link" href="https://en.wikipedia.org/wiki/Public_land_mobile_network" rel="nofollow">PLMN codes</a></td></tr><tr><td class="confluenceTd"><strong>pin</strong> (<em>integer</em>; Default: <strong>""</strong>)</td><td class="confluenceTd">SIM Card's PIN code.</td></tr></tbody></table></div><h3 id="LTE-APNprofiles"><span class="mw-headline">APN profiles</span></h3><p>Starting from RouterOS 6.41, all network-related settings are moved under profiles.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">Sub-menu: /interface lte apn</pre>
</div></div><p><br/></p><div class="table-wrap"><table class="wrapped confluenceTable"><colgroup><col/><col/></colgroup><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>add-default-route</strong> (<em>yes | no</em>)</td><td class="confluenceTd">Whether to add default route to forward all traffic over the LTE interface.</td></tr><tr><td class="confluenceTd"><strong>apn</strong> (<em>string</em>)</td><td class="confluenceTd">Service Provider's Access Point Name</td></tr><tr><td class="confluenceTd"><strong>authentication</strong> (<em>pap | chap | none</em>; Default: <strong>none</strong>)</td><td class="confluenceTd">Allowed protocol to use for authentication</td></tr><tr><td class="confluenceTd"><strong>default-route-distance</strong> (<em>integer</em>; Default: <strong>2</strong>)</td><td class="confluenceTd">Sets distance value applied to auto created default route, if add-default-route is also selected. 
LTE route by default is with distance 2 to prefer wired routes over LTE</td></tr><tr><td class="confluenceTd"><strong>ip-type</strong> (<em>ipv4 | auto | ipv6</em>; Default: <strong>auto</strong> )</td><td class="confluenceTd">Requested PDN type</td></tr><tr><td class="confluenceTd"><strong>ipv6-interface</strong> (; Default: )</td><td class="confluenceTd">Interface on which to advertise IPv6 prefix</td></tr><tr><td class="confluenceTd"><strong>name</strong> (<em>string</em>; Default: )</td><td class="confluenceTd">APN profile name</td></tr><tr><td class="confluenceTd"><strong>number</strong> (<em>integer</em>; Default: )</td><td class="confluenceTd">APN profile number</td></tr><tr><td class="confluenceTd"><strong>passthrough-interface</strong> (; Default: )</td><td class="confluenceTd">Interface to passthrough IP configuration (activates passthrough)</td></tr><tr><td class="confluenceTd"><strong>passthrough-mac</strong> (<em>MAC</em>; Default: <strong>auto</strong>)</td><td class="confluenceTd">If set to auto, then will learn MAC from first packet</td></tr><tr><td class="confluenceTd"><strong>passthrough-subnet-selection </strong>(<em>auto / p2p</em>; Default:<strong> auto</strong>)</td><td class="confluenceTd">"auto" selects the smallest possible subnet to be used for the passthrough interface. "p2p" sets the passthrough interface subnet as /32 and picks gateway address from 10.177.0.0/16 range. The gateway address stays the same until the apn configuration is changed.</td></tr><tr><td class="confluenceTd"><strong>password</strong> (<em>string</em>; Default: )</td><td class="confluenceTd">Password used if any of the authentication protocols are active</td></tr><tr><td class="confluenceTd"><strong>use-network-apn</strong> (<em>yes | no</em>; Default: <strong>yes</strong>)</td><td class="confluenceTd">Parameter is available starting from RouterOS v7 and used only for MBIM modems. 
If set to yes, uses network provided APN.</td></tr><tr><td class="confluenceTd"><strong>use-peer-dns</strong> (<em>yes | no</em>; Default: <strong>yes</strong>)</td><td class="confluenceTd">If set to yes, uses DNS received from the LTE interface</td></tr><tr><td class="confluenceTd"><strong>user</strong> (<em>integer</em>)</td><td class="confluenceTd">Username used if any of the authentication protocols are active</td></tr></tbody></table></div><h3 id="LTE-LTEsettings"><span class="mw-headline">LTE settings<br/></span></h3><p>LTE and router-specific LTE settings. The menu is available starting from RouterOS v7.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">Sub-menu: /interface lte settings</pre>
</div></div><p><br/></p><div class="table-wrap"><table class="relative-table wrapped confluenceTable" style="width: 88.6279%;"><colgroup class=""><col class="" style="width: 29.1696%;"/><col class="" style="width: 70.8304%;"/></colgroup><tbody class=""><tr class=""><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr class=""><td class="confluenceTd"><strong>mode</strong> (<em>auto | mbim | serial</em>; <em>Default: <strong>auto</strong></em>)</td><td class="confluenceTd"><p>Operation mode setting.</p><ul><li>auto - automatically select the operation mode.</li><li>serial - provide only serial ports</li><li>mbim - switch modem into MBIM mode if possible</li></ul></td></tr><tr class=""><td class="confluenceTd"><strong>firmware-path</strong> (<em>string</em>)</td><td class="confluenceTd">Firmware path in host OS. <a class="external-link" href="https://wiki.mikrotik.com/wiki/Modem_gobi_firmware" rel="nofollow">Modem gobi firmware</a></td></tr><tr class=""><td class="confluenceTd"><strong>external-antenna</strong> (<em>auto | both | div | main | none</em>; Default: <strong>auto</strong>)</td><td class="confluenceTd">This setting is only available for "Chateau" routers, except for Chateau 5G versions.<br/><ul><li>auto - measures the signal levels on both internal and external antennas and selects the antennas with the best signal(RSRP).</li><li>both - both antennas are set to external</li><li>div - diversity antenna set to external</li><li>main - main antenna set to external</li><li>none - no external antenna selected(using internal antennas) </li></ul></td></tr><tr class=""><td class="confluenceTd"><strong>external-antenna-selected</strong> ()</td><td class="confluenceTd">This setting is only available for "Chateau" routers, except for Chateau 5G versions. 
Shows the currently selected antenna if "<strong>external-antenna</strong>" is set to "auto"</td></tr><tr class=""><td class="confluenceTd"><strong>sim-slot</strong> ()</td><td class="confluenceTd">This setting is available for routers that have switchable SIM slots (LtAP, SXT). Selection options differ between products.</td></tr></tbody></table></div><h3 id="LTE-Scanner"><span class="mw-headline">Scanner</span></h3><p>It is possible to scan LTE interfaces with <code>/interface lte scan</code> command. Example:<br/><br/></p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@MikroTik] > /interface lte scan duration=60 number=0
Columns: OPERATOR, MCC-MNC, RSSI, RSRP, RSRQ
OPERATOR MCC-MNC RSSI RSRP RSRQ
LMT 24701 -36dBm -63dBm -7dB</pre>
</div></div><p>Available properties:</p><div class="table-wrap"><table class="wrapped confluenceTable"><colgroup><col/><col/></colgroup><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>duration</strong> (<em>integer</em>)</td><td class="confluenceTd">Duration of scan in seconds</td></tr><tr><td class="confluenceTd"><strong>freeze-frame-interval</strong> (<em>integer</em>)</td><td class="confluenceTd">Time between data printouts</td></tr><tr><td class="confluenceTd"><strong>number</strong> (<em>integer</em>)</td><td class="confluenceTd">Interface number or name</td></tr></tbody></table></div><h3 id="LTE-UserInfocommand"><span class="mw-headline">User Info command</span></h3><p>It is possible to send a special "info" command to the LTE interface with the <code>/interface lte info</code> command. In RouterOS v7 this command is moved to the <code>/interface lte monitor</code> menu.</p><h4 id="LTE-Properties(Upto6.40)"><span class="mw-headline">Properties (Up to 6.40)</span></h4><div class="table-wrap"><table class="wrapped confluenceTable"><colgroup><col/><col/></colgroup><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>user-command</strong> (<em>string</em>; Default: <strong>""</strong>)</td><td class="confluenceTd">Send a command to the LTE card to extract useful information, e.g. with AT commands</td></tr><tr><td class="confluenceTd"><strong>user-command-only</strong> (<em>yes | no</em>; Default: )</td><td class="confluenceTd"><br/></td></tr></tbody></table></div><h3 id="LTE-Userat-chatcommand"><span class="mw-headline">User at-chat command</span></h3><p>It is possible to send a user-defined "at-chat" command to the LTE interface with the <code>/interface lte at-chat</code> command.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@MikroTik] > /interface lte at-chat lte1 input="AT"
output: OK</pre>
</div></div><p>It is also possible to use the "wait" parameter <em>wait=yes</em> with the command to make "at-chat" wait for 5 seconds and return all the output instead of returning only the first received data. This is useful for commands that return multiline output or a large block of data.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@MikroTik] > interface lte at-chat lte1 input="at+qcfg=?"
output:
[admin@MikroTik] > interface lte at-chat lte1 input="at+qcfg=?" wait=yes
output: +QCFG: "rrc",(0-5)
+QCFG: "hsdpacat",(6,8,10-24)
+QCFG: "hsupacat",(5,6)
+QCFG: "pdp/duplicatechk",(0,1)
+QCFG: "risignaltype",("respective","physical")
+QCFG: "lte/bandprior",(1-43),(1-43),(1-43)
+QCFG: "volte_disable",(0,1)
+QCFG: "diversity/config",(4,6),(1-4),(0)
+QCFG: "div_test_mode",(0,1)
+QCFG: "usbspeed",("20","30")
+QCFG: "data_interface",(0,1),(0,1)
+QCFG: "pcie/mode",(0,1)
+QCFG: "pcie_mbim",(0,1)
+QCFG: "sms_control",(0,1),(0,1)
+QCFG: "call_control",(0,1),(0,1)
+QCFG: "usb/maxpower",(0-900)
+QCFG: "efratctl",(0,1)
+QCFG: "netmaskset",(0,1)[,&lt;netmask&gt;]
+QCFG: "mmwave",ant_chip,ant_type
+QCFG: "gatewayset",(0,1)[,&lt;gateway&gt;]
+QCFG: "clat",(0,1),(0,1),&lt;prefix&gt;,(0,32,40,48,56,64,96),&lt;fqdn&gt;,(0,1),(0,1,2,4,8),(0,1),(0,1),(0,1,2),(0,1,2)
+QCFG: "usage/apmem"
+QCFG: "enable_gea1"[,(0,1)]
+QCFG: "dhcppktfltr",(0,1)
OK</pre>
</div></div><p>You can also use "at-chat" function in scripts and assign command output to variable.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@MikroTik] > :global "lte_command" [/interface lte at-chat lte1 input="AT+CEREG?" as-value ]
[admin@MikroTik] > :put $"lte_command"
output=+CEREG: 0,1
OK</pre>
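<p>A script that stores at-chat output in a variable still has to separate the modem's information lines from the final result code and notice when the output was cut short, which is the case <em>wait=yes</em> addresses. The Python sketch below is an added example, not MikroTik code or part of the original page: it decodes the <code>+CEREG</code> reply shown above using the registration states from 3GPP TS 27.007, and the roaming sample line, the function names and the <code>allow_roaming</code> policy flag are constructed for illustration.</p>

```python
"""Decode `/interface lte at-chat ... input="AT+CEREG?"` output off-box."""
import re

# <stat> values of +CEREG (3GPP TS 27.007); other values are reported as "other"
CEREG_STAT = {
    0: "not registered, not searching",
    1: "registered, home network",
    2: "not registered, searching",
    3: "registration denied",
    4: "unknown",
    5: "registered, roaming",
}

HOME = "output=+CEREG: 0,1\nOK"                      # as shown on this page
EMPTY = "output:"                                    # reply cut short (no wait=yes)
ROAMING = 'output=+CEREG: 2,5,"1A2B","01C3F40A",7\nOK'  # constructed sample


class AtChatError(ValueError):
    """The at-chat text was incomplete or the modem reported an error."""


def split_at_output(raw):
    """Return (information_lines, final_result_code or None)."""
    text = raw.strip()
    for prefix in ("output=", "output:"):
        if text.startswith(prefix):
            text = text[len(prefix):]
            break
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    final = None
    if lines and (lines[-1] in ("OK", "ERROR") or lines[-1].startswith("+CME ERROR")):
        final = lines.pop()
    return lines, final


def parse_cereg(raw):
    """Parse a +CEREG read response into a dict; raise AtChatError if unusable."""
    lines, final = split_at_output(raw)
    if final is None:
        raise AtChatError("no final result code; rerun at-chat with wait=yes")
    if final != "OK":
        raise AtChatError("modem returned " + final)
    for line in lines:
        match = re.match(r"\+CEREG:\s*(.*)$", line)
        if not match:
            continue
        fields = [f.strip().strip('"') for f in match.group(1).split(",")]
        if len(fields) < 2:
            raise AtChatError("short +CEREG line: " + line)
        stat = int(fields[1])
        reg = {
            "n": int(fields[0]),
            "stat": stat,
            "state": CEREG_STAT.get(stat, "other (%d)" % stat),
            "tac": None,
            "ci": None,
        }
        # Tracking area code and cell id are hex strings, present when n=2
        if len(fields) >= 4 and fields[2] and fields[3]:
            reg["tac"] = int(fields[2], 16)
            reg["ci"] = int(fields[3], 16)
        return reg
    raise AtChatError("no +CEREG line in output")


def registration_alert(raw, allow_roaming=False):
    """Return None if registration matches policy, else a short reason string."""
    try:
        reg = parse_cereg(raw)
    except ValueError as exc:  # AtChatError or a non-numeric field
        return "unreadable: %s" % exc
    if reg["stat"] == 1:
        return None
    if reg["stat"] == 5:
        return None if allow_roaming else "roaming while allow-roaming=no"
    return "not registered: " + reg["state"]


if __name__ == "__main__":
    for sample in (HOME, EMPTY, ROAMING):
        print(repr(sample), "->", registration_alert(sample))
```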
</div></div><h2 id="LTE-Quicksetupexample"><span class="mw-headline">Quick setup example</span></h2><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body">This guide is for RouterOS versions starting from 6.41</div></div><p>Start with network settings: add new connection parameters (provided by the network provider) under an LTE APN profile:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface lte apn add name=profile1 apn=phoneprovider.net authentication=chap password=web user=web</pre>
</div></div><p>Select newly created profile for LTE connection:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface lte set [find] apn-profiles=profile1 </pre>
</div></div><p>LTE interface should appear with running (R) flag:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@MikroTik] > /interface lte print
Flags: X - disabled, R - running
0 R name="lte1" mtu=1500 mac-address=AA:AA:AA:AA:AA:AA </pre>
</div></div><p>If required, add NAT Masquerade for LTE Interface to get internet to the local network:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/ip firewall nat add action=masquerade chain=srcnat out-interface=lte1</pre>
</div></div><p>After the interface is added, you can use the "info" command to see what parameters the client acquired (the parameters returned depend on the LTE hardware device):</p><pre>[admin@MikroTik] > interface/lte/monitor lte1
status: connected
model: EG18-EA
revision: EG18EAPAR01A12M4G
current-operator: LMT
current-cellid: 3103242
enb-id: 12122
sector-id: 10
phy-cellid: 480
data-class: LTE
session-uptime: 15m54s
imei: 86981604098XXXX
imsi: 24701060267XXXX
uicc: 8937101122102057XXXX
primary-band: B3@20Mhz earfcn: 1300 phy-cellid: 480
dl-modulation: qpsk
cqi: 7
ri: 2
mcs: 1
rssi: -68dBm
rsrp: -97dBm
rsrq: -9dB
sinr: 6dB</pre><h2 id="LTE-PassthroughExample"><span class="mw-headline">Passthrough Example</span></h2><p>Starting from RouterOS v6.41, some LTE interfaces support the LTE Passthrough feature, where the IP configuration is applied directly to the client device. In this case the modem firmware is responsible for the IP configuration and the router is used only to configure modem settings - APN, Network Technologies and IP-Type. In this configuration the router will not get an IP configuration from the modem. The LTE Passthrough modem can pass both IPv4 and IPv6 addresses if the modem supports that. Some modems support multiple APNs, where you can pass the traffic from each APN to a specific router interface.</p><p>Passthrough will only work for one host. The router will automatically detect the MAC address of the first received packet and use it for the Passthrough. If there are multiple hosts on the network, it is possible to lock the Passthrough to a specific MAC. The host that receives its IP configuration through the Passthrough should have a DHCP client enabled on that interface. Note that it will not be possible to connect to the LTE router via the public LTE IP address or from the host that is used by the passthrough. It is suggested to create an additional connection from the LTE router to the host for configuration purposes, 
for example a VLAN interface between the LTE router and the host.</p><p>To enable the Passthrough, a new entry is required or the default entry should be changed in the '/interface lte apn' menu.</p><p style="margin-left: 56.0px;"><br/></p><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body">Passthrough is not supported by all chipsets.</div></div><p><br/>Examples.</p><p>To configure the Passthrough on ether1:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@MikroTik] > /interface lte apn add apn=apn1 passthrough-interface=ether1
[admin@MikroTik] > /interface lte set lte1 apn-profiles=apn1</pre>
</div></div><p>To configure the Passthrough on ether1 host 00:0C:42:03:06:AB:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@MikroTik] > /interface lte apn add apn=apn1 passthrough-interface=ether1 passthrough-mac=00:0C:42:03:06:AB
[admin@MikroTik] > /interface lte set lte1 apn-profiles=apn1</pre>
</div></div><p>To configure multiple APNs on ether1 and ether2:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@MikroTik] > /interface lte apn add apn=apn1 passthrough-interface=ether1
[admin@MikroTik] > /interface lte apn add apn=apn2 passthrough-interface=ether2
[admin@MikroTik] > /interface lte set lte1 apn-profiles=apn1,apn2</pre>
</div></div><p>To configure multiple APNs with the same APN for different interfaces:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@MikroTik] > /interface lte apn add name=interface1 apn=apn1
[admin@MikroTik] > /interface lte apn add name=interface2 apn=apn1 passthrough-interface=ether1
[admin@MikroTik] > /interface lte set lte1 apn-profiles=interface1
[admin@MikroTik] > /interface lte set lte2 apn-profiles=interface2</pre>
</div></div><h2 id="LTE-DualSIM"><span class="mw-headline">Dual SIM<br/></span></h2><h3 id="LTE-BoardswithswitchableSIMslots">Boards with switchable SIM slots</h3><div class="table-wrap"><table class="relative-table wrapped confluenceTable" style="width: 30.4681%;"><colgroup><col style="width: 31.0924%;"/><col style="width: 26.0504%;"/><col style="width: 16.5266%;"/><col style="width: 26.3305%;"/></colgroup><tbody><tr><th scope="col" class="confluenceTh">RouterBoard</th><th scope="col" class="confluenceTh">Modem slot</th><th scope="col" class="confluenceTh">SIM slots</th><th scope="col" class="confluenceTh">Switchable</th></tr><tr><td style="text-align: left;" rowspan="2" class="confluenceTd">LtAP <br/><br/></td><td style="text-align: center;" class="confluenceTd">lower</td><td style="text-align: center;" class="confluenceTd">2 | 3</td><td style="text-align: center;" class="confluenceTd">Y</td></tr><tr><td style="text-align: center;" class="confluenceTd">upper</td><td style="text-align: center;" class="confluenceTd">1</td><td style="text-align: center;" class="confluenceTd">N</td></tr><tr><td style="text-align: left;" class="confluenceTd">LtAP mini</td><td style="text-align: center;" class="confluenceTd"><br/></td><td style="text-align: center;" class="confluenceTd">up | down</td><td style="text-align: center;" class="confluenceTd">Y</td></tr><tr><td style="text-align: left;" class="confluenceTd">SXT R</td><td style="text-align: center;" class="confluenceTd"><br/></td><td style="text-align: center;" class="confluenceTd">a | b</td><td style="text-align: center;" class="confluenceTd">Y</td></tr></tbody></table></div><p>SIM slots switching commands</p><ul><li>RouterOS v7</li></ul><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface lte settings set sim-slot=down</pre>
</div></div><ul><li>RouterOS v6 after 6.45.1</li></ul><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/system routerboard modem set sim-slot=down</pre>
</div></div><ul><li>RouterOS v6 pre 6.45.1:</li></ul><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/system routerboard sim set sim-slot=down</pre>
</div></div><p><span class="mw-headline">For further reference, see the board block diagram, Quick Guide and User manual.</span></p><h3 id="LTE-UsageExample"><span class="mw-headline">Usage Example</span></h3><p>See <a class="external-link" href="https://wiki.mikrotik.com/wiki/Dual_SIM_Application" rel="nofollow" title="Dual SIM Application">Dual SIM Application</a> for examples of how to change the SIM slot based on roaming status, or when the interface status is down, with the help of RouterOS scripts and scheduler.</p><h2 id="LTE-TipsandTricks"><span class="mw-headline">Tips and Tricks</span></h2><p>This section contains information on additional features and use cases.</p><h3 id="LTE-FinddevicelocationusingCellinformation"><span class="mw-headline">Find device location using Cell information</span></h3><p>On devices using the R11e-LTE International version card (wAP LTE kit), some extra information is provided under the info command (from 6.41rc61):</p><pre> current-operator: 24701
lac: 40
current-cellid: 2514442</pre><div class="table-wrap"><table class="wrapped confluenceTable"><colgroup><col/><col/></colgroup><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>current-operator</strong> (<em>integer</em>; Default: )</td><td class="confluenceTd">Contains MCC and MNC. For example: current-operator: 24701 breaks down to: MCC=247 MNC=01</td></tr><tr><td class="confluenceTd"><strong>lac</strong> (<em>integer</em>; Default: )</td><td class="confluenceTd">Location area code (LAC)</td></tr><tr><td class="confluenceTd"><strong>current-cellid</strong> (<em>integer</em>; Default: )</td><td class="confluenceTd">Station identification number</td></tr></tbody></table></div><p>These values can be used to look up the location in databases: <a class="external-link" href="https://cellidfinder.com/cells/findcell" rel="nofollow">Cell Id Finder</a></p><h3 id="LTE-UsingCelllock"><span class="mw-headline">Using Cell lock</span></h3><p>It is possible to lock R11e-LTE, R11e-LTE6 and R11e-4G modems, and devices equipped with them, to a specific LTE tower. The LTE info command provides information about the currently used cellular tower:</p><pre> phy-cellid: 384
earfcn: 1300 (band 3, bandwidth 20Mhz)</pre><div class="table-wrap"><table class="wrapped confluenceTable"><colgroup><col/><col/></colgroup><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>phy-cellid</strong> (<em>integer</em>; Default: )</td><td class="confluenceTd">Physical Cell Identification (PCI) of currently used cell tower.</td></tr><tr><td class="confluenceTd"><strong>earfcn</strong> (<em>integer</em>; Default: )</td><td class="confluenceTd">Absolute Radio Frequency Channel Number</td></tr></tbody></table></div><p>The exact tower location, as well as available bands and other information, can be acquired from the mobile carrier or by using online services:</p><p><a class="external-link" href="https://www.cellmapper.net/map" rel="nofollow">CellMapper</a></p><p>Using the acquired values, it is possible to send an AT command to the modem to lock it to a tower, in the following format:</p><p><strong>for R11e-LTE and R11e-LTE6</strong></p><pre>AT*Cell=<mode>,<NetworkMode>,<band>,<EARFCN>,<PCI>
where
<mode> :
0 – Cell/Frequency disabled
1 – Frequency lock enabled
2 – Cell lock enabled
<NetworkMode>
0 – GSM
1 – UMTS_TD
2 – UMTS_WB
3 – LTE
<band>
Not in use, leave this blank
<EARFCN>
earfcn from lte info
<PCI>
phy-cellid from lte info</pre><p>To lock the modem to the previously used tower, at-chat can be used:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface lte at-chat lte1 input="AT*Cell=2,3,,1300,384"</pre>
</div></div><p>For R11e-LTE, all locks that were set are lost after reboot or modem reset. Cell data can also be gathered from "cell-monitor".</p><p>For R11e-LTE6, cell lock works only for the primary band; this can be useful if you have multiple channels on the same band and you want to lock it to a specific earfcn. Note that cell lock is not band-specific, and for ca-band it can also use other frequency bands, unless you use band lock.</p><p>Use cell lock to set the primary band to the 1300 earfcn and use the second channel for the ca-band:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface lte at-chat lte1 input="AT*Cell=2,3,,1300,138"</pre>
</div></div><p>Now it uses the earfcn: 1300 for the primary channel:</p><pre> primary-band: B3@20Mhz earfcn: 1300 phy-cellid: 138
ca-band: B3@5Mhz earfcn: 1417 phy-cellid: 138</pre><p>You can also set it the other way around:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface lte at-chat lte1 input="AT*Cell=2,3,,1417,138"</pre>
</div></div><p>Now it uses the earfcn: 1417 for the primary channel:</p><pre> primary-band: B3@5Mhz earfcn: 1417 phy-cellid: 138
ca-band: B3@20Mhz earfcn: 1300 phy-cellid: 138</pre><p>For R11e-LTE6 modem cell lock information will not be lost after reboot or modem reset. To remove cell lock use at-chat command:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface lte at-chat lte1 input="AT*Cell=0"</pre>
</div></div><p><strong>for R11e-4G</strong></p><pre>AT%CLCMD=<mode>,<mode2>,<EARFCN>,<PCI>,<PLMN>
AT%CLCMD=1,1,3250,244,\"24705\"
where
<mode> :
0 – Cell/Frequency disabled
1 – Cell lock enabled
<mode2> :
0 - Save lock for first scan
1 - Always use lock
(after each reset modem will clear out previous settings no matter what is used here)
<EARFCN>
earfcn from lte info
<PCI>
phy-cellid from lte info
<PLMN>
Mobile operator code</pre><p>All PLMN codes are available <a class="external-link" href="https://en.wikipedia.org/wiki/Mobile_country_code" rel="nofollow">here</a>; this variable can also be left blank.</p><p>To lock the modem to a cell, the modem needs to be in a non-operating state. The easiest way for the <strong>R11e-4G</strong> modem is to add the CellLock line to the "modem-init" string:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface lte set lte1 modem-init="AT%CLCMD=1,1,3250,244,\"24705\""</pre>
</div></div><p>Multiple cells can also be added by providing a list instead of a single tower's information, in the following format:</p><pre>AT%CLCMD=<mode>,<mode2>,<EARFCN_1>,<PCI_1>,<PLMN_1>,<EARFCN_2>,<PCI_2>,<PLMN_2></pre><p>For example, to lock to two different PCIs within the same band and operator:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface lte set lte1 modem-init="AT%CLCMD=1,1,6300,384,\"24701\",6300,385,\"24701\""</pre>
</div></div><p><strong>for Chateau LTE12, Chateau 5G, LHG LTE18 and ATL LTE18<br/></strong></p><pre>AT+QNWLOCK="common/4g",<num of cells>,[[<freq>,<pci>],...]
AT+QNWLOCK=\"common/4g\",1,6300,384
where
<num of cells>
number of cells to cell lock
<freq>
earfcn from lte info
<pci>
phy-cellid from lte info
</pre><p>Single cell lock example:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface lte at-chat lte1 input="AT+QNWLOCK=\"common/4g\",1,3050,448"</pre>
</div></div><p>Query current configuration:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface lte at-chat lte1 input="AT+QNWLOCK=\"common/4g\""</pre>
</div></div><p>Multiple cells can also be added to the cell lock. For example to lock to two different cells:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface lte at-chat lte1 input="AT+QNWLOCK=\"common/4g\",2,3050,448,1574,474"</pre>
</div></div><p><br/></p><p>To remove the cell lock use this at-chat command:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface lte at-chat lte1 input="at+qnwlock=\"common/4g\",0"</pre>
</div></div><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body">1. Cell lock information will not be saved after a reboot or modem reset. 2. The AT+QNWLOCK command can lock the cell and frequency. Therefore, the module can be given priority to register to the locked cell; however, according to the 3GPP protocol, the module will be redirected or handed over to a cell with better signal instructions, even if it is not within the lock of the command. This phenomenon is normal.</div></div><p><strong>for Fibocom FG621 </strong></p><pre>AT+GTCELLLOCK=<mode>[,<rat>,<type>,<earfcn>[,<PCI>]]
where
<mode> : integer type
0 – Disable this function
1 – Enable this function
2 – Add new cell to be locked
<rat> : integer type
0 – LTE
1 – WCDMA
<type> : integer type
0 – Lock PCI
1 – Lock frequency
<earfcn> : integer type
the range is 0-65535
<PCI> : integer type
If second parameter value is 0, the range is 0-503 for LTE
If second parameter value is 1, the range is 0-512 for WCDMA</pre><p>Example:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface lte at-chat lte1 input="AT+GTCELLLOCK=1,0,0,6175,176" </pre>
</div></div><h3 id="LTE-CellMonitor"><span class="mw-headline">Cell Monitor</span></h3><p>Cell monitor allows scanning for available nearby mobile network cells:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@MikroTik] > /interface lte cell-monitor lte1
PHY-CELLID BAND PSC EARFCN RSRP RSRQ RSSI SINR
49 B20 6300 -110dBm -19.5dB
272 B20 6300 -116dBm -19.5dB
374 B20 6300 -108dBm -16dB
384 B1 150 -105dBm -13.5dB
384 B3 1300 -106dBm -12dB
384 B7 2850 -107dBm -11.5dB
432 B7 2850 -119dBm -19.5dB</pre>
</div></div><p>Gathered data can be used for more precise location detection or for Cell lock.</p><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body">Not all modems support this feature</div></div><h2 id="LTE-Troubleshooting"><span class="mw-headline">Troubleshooting</span></h2><p>Enable LTE logging:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@MikroTik] > /system logging add topics=lte</pre>
</div></div><p>Check for errors in log:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@MikroTik] > /log print
11:08:59 lte,async lte1: sent AT+CPIN?
11:08:59 lte,async lte1: rcvd +CME ERROR: 10 </pre>
</div></div><p>Search for the CME error description online. In this case: CME error 10 - SIM not inserted.</p><h3 id="LTE-LockingbandonHuaweiandothermodems"><span class="mw-headline">Locking band on Huawei and other modems</span></h3><p>The <code>/interface lte set lte1 band=""</code> option can't be used to lock the band on Huawei modems.</p><p>It is possible to use AT commands to lock to the desired band manually.</p><p>To check all supported bands, run the at-chat command:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@MikroTik] /interface lte at-chat lte1 input="AT^SYSCFGEX=\?"
output: ^SYSCFGEX: ("00","03","02","01","99"),((2000004e80380,"GSM850/GSM900/GSM1800/GSM1900/WCDMA BCI/WCDMA BCII/WCDMA BCV/WCDMA BCVIII"),
(3fffffff,"All Bands")),(0-2),(0-4),((800d7,"LTE BC1/LTE BC2/LTE
BC3/LTE BC5/LTE BC7/LTE BC8/LTE BC20"),(7fffffffffffffff,"All Bands"))
OK
</pre>
</div></div><p>Example to lock to LTE band 7:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@MikroTik] /interface lte set lte1 modem-init="AT^SYSCFGEX=\"03\",3FFFFFFF,2,4,40,,"</pre>
</div></div><p>Change the last part, <strong>40</strong>, to the hexadecimal value of the desired band, where:</p><pre>4 LTE BC3
40 LTE BC7
80000 LTE BC20
7FFFFFFFFFFFFFFF All bands
etc</pre><p>All band HEX values and AT commands can be found in <a class="external-link" href="https://download-c.huawei.com/download/downloadCenter?downloadId=29741&version=72288&siteCode=" rel="nofollow">Huawei AT Command Interface Specification guide</a></p><p>Check if band is locked:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@MikroTik] /interface lte at-chat lte1 input="AT^SYSCFGEX\?"
output: ^SYSCFGEX: "03",3FFFFFFF,0,2,40
OK</pre>
</div></div><p>For more information, check the modem manufacturer's AT command reference manuals.</p><h3 id="LTE-mPCIemodemswithRB9xxseriesdevices"><span class="mw-headline">mPCIe modems with RB9xx series devices</span></h3><p>If your modem is not recognized after a soft reboot, you might need to add a delay before the USB port is initialized. This can be done using the following command:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/system routerboard settings set init-delay=5s</pre>
</div></div><h3 id="LTE-BoardswithUSB-AportandmPCIe"><span class="mw-headline">Boards with USB-A port and mPCIe<br/></span></h3><p><span class="mw-headline">Some devices such as specific RB9xx's and the RBLtAP-2HnD share the same USB lines between a single mPCIe slot and a USB-A port. If auto switch is not taking place and a modem is not getting detected, you might need to switch manually to either use the USB-A or mini-PCIe:</span></p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/system routerboard usb set type=mini-PCIe</pre>
</div></div><h3 id="LTE-Modemfirmwareupgrade"><span class="mw-headline">Modem firmware upgrade</span></h3><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body">Before attempting an LTE modem firmware upgrade, upgrade RouterOS to the latest release: <a class="external-link" href="https://wiki.mikrotik.com/wiki/Manual:Upgrading_RouterOS" rel="nofollow">How To Upgrade RouterOS</a></div></div><p><br/>Starting from RouterOS version 6.44beta20, it is possible to upgrade the modem's firmware. The firmware upgrade is also possible for the Chateau series products starting from version 7.1beta1.</p><p>Firmware update is available only as FOTA (Firmware Over The Air), meaning the firmware upgrade can only be done through a working mobile connection, for:</p><ul><li>R11e-LTE</li><li>R11e-LTE-US</li></ul><p>Firmware update is available as FOTA as well as upgrade from file for:</p><ul><li>R11e-4G</li><li>R11e-LTE6</li></ul><p>Firmware update is available as FOTA with access to the internet over any interface for:</p><ul><li>EG12-EA (Chateau LTE12)</li><li>RG502Q-EA (Chateau 5G)</li><li>EG18-EA (LHG LTE18)</li></ul><p>Firmware updates usually include small improvements in stability or small bug fixes that can't be included in RouterOS.</p><p>Check the currently used firmware version by running:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@MikroTik] > /interface lte info lte1 once
-----
revision: "MikroTik_CP_2.160.000_v008"
-----</pre>
</div></div><p>Check if new firmware is available:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@MikroTik] > /interface lte firmware-upgrade lte1
installed: MikroTik_CP_2.160.000_v008
latest: MikroTik_CP_2.160.000_v010</pre>
</div></div><p>Upgrade firmware:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@MikroTik] > /interface lte firmware-upgrade lte1 upgrade=yes
status: downloading via LTE connection (>2min)</pre>
</div></div><div class="confluence-information-macro confluence-information-macro-information"><span class="aui-icon aui-icon-small aui-iconfont-info confluence-information-macro-icon"></span><div class="confluence-information-macro-body">The whole upgrade process may take up to 10 minutes, depending on mobile connection speed.</div></div><p>After a successful upgrade, issue a USB power-reset, reboot the device or run the AT+reset command to update the modem version readout under the info command:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">[admin@MikroTik] > /interface lte at-chat lte1 input="AT+reset"</pre>
</div></div><p>If the modem has issues connecting to cells after the update, or there are any other unrelated issues, wipe the old configuration with:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface lte at-chat lte1 input="AT+RSTSET"</pre>
</div></div><h3 id="LTE-Avoidingtetheringspeedthrottling"><span class="mw-headline">Avoiding tethering speed throttling</span></h3><p>Some operators (TMobile, YOTA etc.) allow unlimited data only for the device the SIM card is used in; all other data coming from mobile hotspots or tethering is highly limited by volume or by throughput speed. <a class="external-link" href="https://www.reddit.com/r/hacking/comments/54a7dd/bypassing_tmobiles_tethering_data_capthrottling/" rel="nofollow">Some sources</a> have found out that this limitation is done by monitoring TTL (Time To Live) values from packets to determine if limitations need to be applied (TTL is decreased by 1 for each "hop" made). RouterOS allows changing the TTL parameter for packets going from the router to allow hiding sub networks. Keep in mind that this may conflict with fair use policy.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">IPv4 mangle rule:
/ip firewall mangle
add action=change-ttl chain=postrouting new-ttl=set:65 out-interface=lte1 passthrough=yes
IPv6 mangle rule:
/ipv6 firewall mangle
add action=change-hop-limit chain=postrouting new-hop-limit=set:65 passthrough=yes</pre>
</div></div><p>More information: <a class="external-link" href="https://m.habr.com/en/post/238351/" rel="nofollow">YOTA</a>, <a class="external-link" href="https://www.reddit.com/r/mikrotik/comments/acq4kz/anyone_familiar_with_configuring_the_ltap_us_with/" rel="nofollow">TMobile</a></p><h3 id="LTE-UnlockingSIMcardaftermultiplewrongPINcodeattempts"><span class="mw-headline">Unlocking SIM card after multiple wrong PIN code attempts</span></h3><p>After locking SIM card, unlock can be done through "at-chat"</p><p>Check current PIN code status:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface lte at-chat lte1 input="at+cpin\?"</pre>
</div></div><p>If card is locked - unlock it by providing:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface lte at-chat lte1 input="AT+CPIN=\"PUK_code\",\"NEW_PIN\""</pre>
</div></div><p>Replace PUK_code and NEW_PIN with matching values.</p><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>The command for SIM slot selection changes in v6.45.1 and again in v7. Some device models, like SXT, have SIM slots named "a" and "b" instead of "up" and "down".</p></div></div>
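<p>The cell lock commands from "Using Cell lock", generated from the "Cell Monitor" output, as an added example that is not part of the original MikroTik page: it parses the cell-monitor rows, picks a cell, range-checks EARFCN and PCI before anything is sent to the modem (an R11e-LTE6 lock survives a reboot, so a mistyped value matters), and wraps the AT string in the RouterOS command form shown above. The family labels (<code>r11e-lte</code>, <code>r11e-4g</code>, <code>qnwlock</code>, <code>fg621</code>), the function names and the row pattern are assumptions made for this example.</p>

```python
import re

# Constructed sample: the cell-monitor rows shown on this page (whitespace
# collapsed; the PSC, RSSI and SINR columns are empty for these LTE cells).
CELL_MONITOR = """\
PHY-CELLID BAND PSC EARFCN RSRP RSRQ RSSI SINR
49 B20 6300 -110dBm -19.5dB
272 B20 6300 -116dBm -19.5dB
374 B20 6300 -108dBm -16dB
384 B1 150 -105dBm -13.5dB
384 B3 1300 -106dBm -12dB
384 B7 2850 -107dBm -11.5dB
432 B7 2850 -119dBm -19.5dB
"""

# PCI, band, EARFCN, RSRP, RSRQ. Rows in any other shape (the header, cells
# that report a PSC) do not match and are skipped. The pattern is an assumption.
ROW = re.compile(
    r"^\s*(\d+)\s+B(\d+)\s+(\d+)\s+(-?\d+(?:\.\d+)?)dBm\s+(-?\d+(?:\.\d+)?)dB\s*$")


def parse_cell_monitor(text):
    """Return one dict per parsable LTE row of cell-monitor output."""
    cells = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            pci, band, earfcn, rsrp, rsrq = m.groups()
            cells.append({"pci": int(pci), "band": int(band), "earfcn": int(earfcn),
                          "rsrp": float(rsrp), "rsrq": float(rsrq)})
    return cells


def best_cell(cells, band=None):
    """Strongest cell by RSRP (closest to 0 dBm), optionally within one band."""
    pool = [c for c in cells if band is None or c["band"] == band]
    if not pool:
        raise ValueError("no cell seen on the requested band")
    return max(pool, key=lambda c: c["rsrp"])


def check_cell(earfcn, pci):
    # Ranges from the FG621 parameter list on this page (EARFCN 0-65535,
    # LTE PCI 0-503); applying them to the other modems is an assumption.
    if type(earfcn) is not int or not 0 <= earfcn <= 65535:
        raise ValueError(f"EARFCN out of range: {earfcn!r}")
    if type(pci) is not int or not 0 <= pci <= 503:
        raise ValueError(f"PCI out of range: {pci!r}")


def build_lock(modem, cells, plmn=None):
    """Return the AT lock string for a modem family and a list of (earfcn, pci)."""
    if not cells:
        raise ValueError("at least one cell is required")
    for earfcn, pci in cells:
        check_cell(earfcn, pci)
    if modem in ("r11e-lte", "fg621"):
        if len(cells) != 1:
            raise ValueError("the page shows only a single-cell form for this modem")
        earfcn, pci = cells[0]
        if modem == "r11e-lte":          # R11e-LTE and R11e-LTE6
            return f"AT*Cell=2,3,,{earfcn},{pci}"
        return f"AT+GTCELLLOCK=1,0,0,{earfcn},{pci}"
    if modem == "r11e-4g":
        # The page also allows a blank PLMN; this example requires one.
        if not isinstance(plmn, str) or not re.fullmatch(r"\d{5,6}", plmn):
            raise ValueError("PLMN must be 5 or 6 digits (MCC + MNC)")
        return "AT%CLCMD=1,1," + ",".join(f'{e},{p},"{plmn}"' for e, p in cells)
    if modem == "qnwlock":               # Chateau LTE12/5G, LHG LTE18, ATL LTE18
        flat = ",".join(f"{e},{p}" for e, p in cells)
        return f'AT+QNWLOCK="common/4g",{len(cells)},{flat}'
    raise ValueError(f"unknown modem family: {modem!r}")


def ros_command(modem, at, iface="lte1"):
    """Wrap an AT string in the RouterOS command form the page uses for that modem."""
    if not re.fullmatch(r"[A-Za-z0-9_-]+", iface):
        raise ValueError("unexpected interface name")
    # The generated strings never need these; refuse them rather than guess at escaping.
    if re.search(r"[\\$?;\r\n]", at):
        raise ValueError("unexpected character in AT string")
    quoted = at.replace('"', '\\"')
    if modem == "r11e-4g":               # the page applies this lock through modem-init
        return f'/interface lte set {iface} modem-init="{quoted}"'
    return f'/interface lte at-chat {iface} input="{quoted}"'


if __name__ == "__main__":
    seen = parse_cell_monitor(CELL_MONITOR)
    target = best_cell(seen, band=3)
    at = build_lock("r11e-lte", [(target["earfcn"], target["pci"])])
    print(ros_command("r11e-lte", at))
```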
</div>
</div>Emīls T.2020-06-04T10:53:24ZCRS3xx, CRS5xx, CCR2116, CCR2216 switch chip featuresGuntis G.tag:help.mikrotik.com,2009:page-30474317-612024-03-26T12:20:28Z2020-06-11T10:56:20Z<div class="feed"> <p>
Page
<b>edited</b> by
<a href=" https://help.mikrotik.com/docs/display/~guntis
">Guntis G.</a>
- "formatting/typos"
</p>
<div style="border-top: 1px solid #ddd; border-bottom: 1px solid #ddd; padding: 10px;">
<p><span class="mw-headline"><style type='text/css'>/*<![CDATA[*/
div.rbtoc1711701163909 {padding: 0px;}
div.rbtoc1711701163909 ul {margin-left: 0px;}
div.rbtoc1711701163909 li {margin-left: 0px;padding-left: 0px;}
/*]]>*/</style><div class='toc-macro rbtoc1711701163909'>
<ul class='toc-indentation'>
<li><a href='#CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-Summary'>Summary</a>
<ul class='toc-indentation'>
<li><a href='#CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-Features'>Features</a></li>
<li><a href='#CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-Models'>Models</a></li>
<li><a href='#CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-Abbreviations'>Abbreviations</a></li>
</ul>
</li>
<li><a href='#CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-Portswitching'>Port switching</a></li>
<li><a href='#CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-VLAN'>VLAN</a>
<ul class='toc-indentation'>
<li><a href='#CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-VLANFiltering'>VLAN Filtering</a>
<ul class='toc-indentation'>
<li><a href='#CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-Port-BasedVLAN'>Port-Based VLAN</a></li>
<li><a href='#CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-MACBasedVLAN'>MAC Based VLAN</a></li>
<li><a href='#CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-ProtocolBasedVLAN'>Protocol Based VLAN</a></li>
<li><a href='#CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-VLANTunneling(Q-in-Q)'>VLAN Tunneling (Q-in-Q)</a></li>
</ul>
</li>
<li><a href='#CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-IngressVLANtranslation'>Ingress VLAN translation</a></li>
</ul>
</li>
<li><a href='#CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-(R/M)STP'>(R/M)STP</a></li>
<li><a href='#CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-Bonding'>Bonding</a></li>
<li><a href='#CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-Multi-chassisLinkAggregationGroup'>Multi-chassis Link Aggregation Group</a></li>
<li><a href='#CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-L3HardwareOffloading'>L3 Hardware Offloading</a></li>
<li><a href='#CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-Portisolation'>Port isolation</a></li>
<li><a href='#CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-IGMP/MLDSnooping'>IGMP/MLD Snooping</a></li>
<li><a href='#CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-DHCPSnoopingandDHCPOption82'>DHCP Snooping and DHCP Option 82</a></li>
<li><a href='#CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-ControllerBridgeandPortExtender'>Controller Bridge and Port Extender</a></li>
<li><a href='#CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-Mirroring'>Mirroring</a></li>
<li><a href='#CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-TrafficShaping'>Traffic Shaping</a></li>
<li><a href='#CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-TrafficStormControl'>Traffic Storm Control</a></li>
<li><a href='#CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-MPLShardwareoffloading'>MPLS hardware offloading</a></li>
<li><a href='#CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-SwitchRules(ACL)'>Switch Rules (ACL)</a></li>
<li><a href='#CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-PortSecurity'>Port Security</a></li>
<li><a href='#CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-DualBoot'>Dual Boot</a></li>
<li><a href='#CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-ConfiguringSwOSusingRouterOS'>Configuring SwOS using RouterOS</a></li>
<li><a href='#CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-Seealso'>See also</a></li>
</ul>
</div></span></p><h1 id="CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-Summary"><span class="mw-headline">Summary</span></h1><hr/><p>The CRS3xx and CRS5xx series switches, as well as the CCR2116 and CCR2216 routers, feature highly integrated switches with high-performance CPUs and feature-rich packet processors. <span style="color: rgb(13,13,13);">These devices can be used for various Ethernet applications, including unmanaged switches, Layer 2 managed switches, carrier switches, inter-VLAN routers, and wired unified packet processors.</span></p><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>This article applies to CRS3xx, CRS5xx series switches, and CCR2116, CCR2216 routers, and not to <a href="https://help.mikrotik.com/docs/pages/viewpage.action?pageId=103841835" rel="nofollow">CRS1xx/CRS2xx series switches</a>.</p></div></div><h2 id="CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-Features"><span class="mw-headline">Features</span></h2><div class="table-wrap"><table class="wrapped confluenceTable"><colgroup><col/><col/></colgroup><tbody><tr><th class="confluenceTh">Features</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>Forwarding</strong></td><td class="confluenceTd"><ul class="bullets"><li>Configurable ports for switching or routing</li><li>Full non-blocking wire-speed switching</li><li>Large Unicast FDB for Layer 2 unicast forwarding</li><li>Forwarding Databases works based on IVL</li><li>Jumbo frame support</li><li>IGMP Snooping support</li><li>DHCP Snooping with Option 82 </li></ul></td></tr><tr><td class="confluenceTd"><strong>Routing</strong></td><td class="confluenceTd"><ul><li>Layer 3 Hardware Offloading:<ul><li>IPv4, IPv6 Unicast Routing</li><li>Supported on Ethernet, Bridge, Bonding, and VLAN 
interfaces</li><li>ECMP</li><li>Blackholes</li><li>Offloaded Fasttrack connections (applies only to certain switch models)</li><li>Offloaded NAT for Fasttrack connections (applies only to certain switch models)</li><li>Multiple MTU profiles</li></ul></li></ul></td></tr><tr><td class="confluenceTd"><strong>Spanning Tree Protocol</strong></td><td class="confluenceTd"><ul class="bullets"><li>STP</li><li>RSTP</li><li>MSTP</li></ul></td></tr><tr><td class="confluenceTd"><strong>Mirroring</strong></td><td class="confluenceTd"><ul class="bullets"><li>Various types of mirroring:<ul class="bullets"><li>Port based mirroring</li><li>VLAN based mirroring</li><li>MAC based mirroring</li></ul></li></ul></td></tr><tr><td class="confluenceTd"><strong>VLAN</strong></td><td class="confluenceTd"><ul class="bullets"><li>Fully compatible with IEEE802.1Q and IEEE802.1ad VLAN</li><li>4k active VLANs</li><li>Flexible VLAN assignment:<ul class="bullets"><li>Port based VLAN</li><li>Protocol based VLAN</li><li>MAC based VLAN</li></ul></li><li>VLAN filtering</li><li>Ingress VLAN translation</li></ul></td></tr><tr><td class="confluenceTd"><strong>Bonding</strong></td><td class="confluenceTd"><ul class="bullets"><li>Supports 802.3ad (LACP) and balance-xor modes</li><li>Up to 8 member ports per bonding interface</li><li>Hardware automatic failover and load balancing</li><li>MLAG</li></ul></td></tr><tr><td class="confluenceTd"><strong>Traffic Shaping</strong></td><td class="confluenceTd"><ul class="bullets"><li>Ingress traffic limiting</li><ul class="bullets"><li>Port based</li><li>MAC based</li><li>IP based</li><li>VLAN based</li><li>Protocol based</li><li>DSCP based</li></ul><li>Port based egress traffic limiting</li><li><span class="toc-item-body">Traffic Storm Control</span></li></ul></td></tr><tr><td class="confluenceTd"><strong>Port isolation</strong></td><td class="confluenceTd"><ul class="bullets"><li>Applicable for Private VLAN implementation</li></ul></td></tr><tr><td 
class="confluenceTd"><strong>Access Control List</strong></td><td class="confluenceTd"><ul class="bullets"><li>Ingress ACL tables</li><li>Classification based on ports, L2, L3, L4 protocol header fields</li><li>ACL actions include filtering, forwarding, and modifying of the protocol header fields</li></ul></td></tr></tbody></table></div><h2 id="CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-Models"><span class="mw-headline">Models</span></h2><p>This table clarifies the main differences between Cloud Router Switch models and CCR routers.</p><div class="table-wrap"><table class="wrapped confluenceTable" style="text-align: center;"><colgroup><col/><col/><col/><col/><col/><col/><col/><col/><col/><col/><col/><col/><col/></colgroup><tbody><tr><td class="highlight-grey confluenceTd" title="Background colour : undefined" data-highlight-colour="grey"><strong title=""><u>Model</u></strong></td><td class="highlight-grey confluenceTd" title="Background colour : undefined" data-highlight-colour="grey"><strong title="">Switch Chip</strong></td><td class="highlight-grey confluenceTd" title="Background colour : undefined" data-highlight-colour="grey"><strong title="">CPU</strong></td><td class="highlight-grey confluenceTd" title="Background colour : undefined" data-highlight-colour="grey"><strong title="">Cores</strong></td><td class="highlight-grey confluenceTd" title="Background colour : undefined" data-highlight-colour="grey"><strong title="">10G SFP+</strong></td><td class="highlight-grey confluenceTd" data-highlight-colour="grey"><strong title="">2.5G Ethernet</strong></td><td class="highlight-grey confluenceTd" title="Background color :" data-highlight-colour="grey"><strong title="">10G Ethernet</strong></td><td class="highlight-grey confluenceTd" title="Background color :" data-highlight-colour="grey"><strong title="">25G SFP28</strong></td><td class="highlight-grey confluenceTd" title="Background color :" data-highlight-colour="grey"><strong title="">40G 
QSFP+</strong></td><td class="highlight-grey confluenceTd" title="Background color :" data-highlight-colour="grey"><strong title="">100G QSFP28</strong></td><td class="highlight-grey confluenceTd" title="Background colour : undefined" data-highlight-colour="grey"><strong title="">ACL rules</strong></td><td class="highlight-grey confluenceTd" title="Background colour : undefined" data-highlight-colour="grey"><strong title="">Unicast FDB entries</strong></td><td class="highlight-grey confluenceTd" title="Background colour : undefined" data-highlight-colour="grey"><strong title="">Jumbo Frame (Bytes)</strong></td></tr><tr><td class="confluenceTd">netPower 15FR (CRS318-1Fi-15Fr-2S)</td><td class="confluenceTd"><strong>Marvell-98DX224S</strong></td><td class="confluenceTd"><strong>800MHz</strong></td><td class="confluenceTd"><strong>1</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>128</strong></td><td class="confluenceTd"><strong>16,000</strong></td><td class="confluenceTd"><strong>10218</strong></td></tr><tr><td class="confluenceTd">netPower 16P (CRS318-16P-2S+)</td><td class="confluenceTd"><strong>Marvell-98DX226S</strong></td><td class="confluenceTd"><strong>800MHz</strong></td><td class="confluenceTd"><strong>1</strong></td><td class="confluenceTd"><strong>2</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>128</strong></td><td class="confluenceTd"><strong>16,000</strong></td><td class="confluenceTd"><strong>10218</strong></td></tr><tr><td 
class="confluenceTd">CRS310-1G-5S-4S+ (netFiber 9/IN)</td><td class="confluenceTd"><strong>Marvell-98DX226S</strong></td><td class="confluenceTd"><strong>800MHz</strong></td><td class="confluenceTd"><strong>1</strong></td><td class="confluenceTd"><strong>4</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>128</strong></td><td class="confluenceTd"><strong>16,000</strong></td><td class="confluenceTd"><strong>10218</strong></td></tr><tr><td class="confluenceTd">CRS310-8G+2S+</td><td class="confluenceTd"><strong>Marvell-98DX226S</strong></td><td class="confluenceTd"><strong>800MHz</strong></td><td class="confluenceTd"><strong>2</strong></td><td class="confluenceTd"><strong>2</strong></td><td class="confluenceTd"><strong>8</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>128</strong></td><td class="confluenceTd"><strong>16,000</strong></td><td class="confluenceTd"><strong>10218</strong></td></tr><tr><td class="confluenceTd">CRS326-24G-2S+ (RM/IN)</td><td class="confluenceTd"><strong>Marvell-98DX3236</strong></td><td class="confluenceTd"><strong>800MHz</strong></td><td class="confluenceTd"><strong>1</strong></td><td class="confluenceTd"><strong>2</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>128</strong></td><td class="confluenceTd"><strong>16,000</strong></td><td 
class="confluenceTd"><strong>10218</strong></td></tr><tr><td class="confluenceTd">CRS328-24P-4S+</td><td class="confluenceTd"><strong>Marvell-98DX3236</strong></td><td class="confluenceTd"><strong>800MHz</strong></td><td class="confluenceTd"><strong>1</strong></td><td class="confluenceTd"><strong>4</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>128</strong></td><td class="confluenceTd"><strong>16,000</strong></td><td class="confluenceTd"><strong>10218</strong></td></tr><tr><td class="confluenceTd">CRS328-4C-20S-4S+</td><td class="confluenceTd"><strong>Marvell-98DX3236</strong></td><td class="confluenceTd"><strong>800MHz</strong></td><td class="confluenceTd"><strong>1</strong></td><td class="confluenceTd"><strong>4</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>128</strong></td><td class="confluenceTd"><strong>16,000</strong></td><td class="confluenceTd"><strong>10218</strong></td></tr><tr><td class="confluenceTd">CRS305-1G-4S+</td><td class="confluenceTd"><strong>Marvell-98DX3236</strong></td><td class="confluenceTd"><strong>800MHz</strong></td><td class="confluenceTd"><strong>1</strong></td><td class="confluenceTd"><strong>4</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>128</strong></td><td class="confluenceTd"><strong>16,000</strong></td><td 
class="confluenceTd"><strong>10218</strong></td></tr><tr><td class="confluenceTd">CRS309-1G-8S+</td><td class="confluenceTd"><strong>Marvell-98DX8208</strong></td><td class="confluenceTd"><strong>800MHz</strong></td><td class="confluenceTd"><strong>2</strong></td><td class="confluenceTd"><strong>8</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>1024</strong></td><td class="confluenceTd"><strong>32,000</strong></td><td class="confluenceTd"><strong>10218</strong></td></tr><tr><td class="confluenceTd">CRS317-1G-16S+</td><td class="confluenceTd"><strong>Marvell-98DX8216</strong></td><td class="confluenceTd"><strong>800MHz</strong></td><td class="confluenceTd"><strong>2</strong></td><td class="confluenceTd"><strong>16</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>1024</strong></td><td class="confluenceTd"><strong>128,000</strong></td><td class="confluenceTd"><strong>10218</strong></td></tr><tr><td class="confluenceTd">CRS312-4C+8XG</td><td class="confluenceTd"><strong>Marvell-98DX8212</strong></td><td class="confluenceTd"><strong>650MHz</strong></td><td class="confluenceTd"><strong>1</strong></td><td class="confluenceTd"><strong>4 (combo ports)</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>8 + 4 (combo ports)</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>512</strong></td><td 
class="confluenceTd"><strong>32,000</strong></td><td class="confluenceTd"><strong>10218</strong></td></tr><tr><td class="confluenceTd">CRS326-24S+2Q+</td><td class="confluenceTd"><strong>Marvell-98DX8332</strong></td><td class="confluenceTd"><strong>650MHz</strong></td><td class="confluenceTd"><strong>1</strong></td><td class="confluenceTd"><strong>24</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>2</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>256</strong></td><td class="confluenceTd"><strong>32,000</strong></td><td class="confluenceTd"><strong>10218</strong></td></tr><tr><td class="confluenceTd">CRS354-48G-4S+2Q+</td><td class="confluenceTd"><strong>Marvell-98DX3257</strong></td><td class="confluenceTd"><strong>650MHz</strong></td><td class="confluenceTd"><strong>1</strong></td><td class="confluenceTd"><strong>4</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>2</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>170</strong></td><td class="confluenceTd"><strong>32,000</strong></td><td class="confluenceTd"><strong>10218</strong></td></tr><tr><td class="confluenceTd">CRS354-48P-4S+2Q+</td><td class="confluenceTd"><strong>Marvell-98DX3257</strong></td><td class="confluenceTd"><strong>650MHz</strong></td><td class="confluenceTd"><strong>1</strong></td><td class="confluenceTd"><strong>4</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>2</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>170</strong></td><td 
class="confluenceTd"><strong>32,000</strong></td><td class="confluenceTd"><strong>10218</strong></td></tr><tr><td class="confluenceTd">CRS504-4XQ (IN/OUT)</td><td class="confluenceTd"><strong>Marvell-98DX4310</strong></td><td class="confluenceTd"><strong>650MHz</strong></td><td class="confluenceTd"><strong>1</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>4</strong></td><td class="confluenceTd"><strong>1024</strong></td><td class="confluenceTd"><strong>128,000</strong></td><td class="confluenceTd"><strong>10218</strong></td></tr><tr><td class="confluenceTd">CRS510-8XS-2XQ-IN</td><td class="confluenceTd"><strong>Marvell-98DX4310</strong></td><td class="confluenceTd"><strong>650MHz</strong></td><td class="confluenceTd"><strong>1</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>8</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>2</strong></td><td class="confluenceTd"><strong>1024</strong></td><td class="confluenceTd"><strong>128,000</strong></td><td class="confluenceTd"><strong>10218</strong></td></tr><tr><td class="confluenceTd">CRS518-16XS-2XQ</td><td class="confluenceTd"><strong>Marvell-98DX8525</strong></td><td class="confluenceTd"><strong>650MHz</strong></td><td class="confluenceTd"><strong>1</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>16</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>2</strong></td><td class="confluenceTd"><strong>1024</strong></td><td 
class="confluenceTd"><strong>128,000</strong></td><td class="confluenceTd"><strong>10218</strong></td></tr><tr><td class="confluenceTd">CCR2116-12G-4S+</td><td class="confluenceTd"><strong>Marvell-98DX3255</strong></td><td class="confluenceTd"><strong>2000MHz</strong></td><td class="confluenceTd"><strong>16</strong></td><td class="confluenceTd"><strong>4</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>512</strong></td><td class="confluenceTd"><strong>32,000</strong></td><td class="confluenceTd"><strong>9570</strong></td></tr><tr><td class="confluenceTd">CCR2216-1G-12XS-2XQ</td><td class="confluenceTd"><strong>Marvell-98DX8525</strong></td><td class="confluenceTd"><strong>2000MHz</strong></td><td class="confluenceTd"><strong>16</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>12</strong></td><td class="confluenceTd"><strong>-</strong></td><td class="confluenceTd"><strong>2</strong></td><td class="confluenceTd"><strong>1024</strong></td><td class="confluenceTd"><strong>128,000</strong></td><td class="confluenceTd"><strong>9570</strong></td></tr></tbody></table></div><div class="confluence-information-macro confluence-information-macro-information"><span class="aui-icon aui-icon-small aui-iconfont-info confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>For L3 hardware offloading feature support and hardware limits, please refer to <a href="https://help.mikrotik.com/docs/display/ROS/L3+Hardware+Offloading#L3HardwareOffloading-L3HWFeatureSupport" rel="nofollow">Feature Support</a> and <a 
href="https://help.mikrotik.com/docs/display/ROS/L3+Hardware+Offloading#L3HardwareOffloading-L3HWDeviceSupport" rel="nofollow">Device Support</a> user manuals.</p></div></div><h2 id="CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-Abbreviations"><span class="mw-headline">Abbreviations</span></h2><ul><li>FDB - Forwarding Database</li><li>MDB - Multicast Database</li><li>SVL - Shared VLAN Learning</li><li>IVL - Independent VLAN Learning</li><li>PVID - Port VLAN ID</li><li>ACL - Access Control List</li><li>CVID - Customer VLAN ID</li><li>SVID - Service VLAN ID</li></ul><h1 id="CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-Portswitching"><span class="mw-headline">Port switching</span></h1><hr/><p>To set up port switching, see the<span> </span><a href="https://help.mikrotik.com/docs/display/ROS/Bridging+and+Switching#BridgingandSwitching-BridgeHardwareOffloading" rel="nofollow">Bridge Hardware Offloading</a><span> </span>page.</p><div class="confluence-information-macro confluence-information-macro-warning"><span class="aui-icon aui-icon-small aui-iconfont-error confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>Currently, it is possible to create only one bridge with hardware offloading. 
Use the<span> </span><span style="color: rgb(51,153,102);"><code>hw=yes/no</code></span><span> </span>parameter to select which bridge will use hardware offloading.</p></div></div><p><br/></p><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>Bridge STP/RSTP/MSTP, IGMP Snooping, and VLAN filtering settings do not affect hardware offloading. Bonding interfaces are also hardware offloaded.</p></div></div><h1 id="CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-VLAN"><span class="mw-headline">VLAN</span></h1><p>The bridge provides VLAN-aware Layer 2 forwarding and VLAN tag modifications. This set of features makes bridge operation more akin to a traditional Ethernet switch, allowing it to overcome Spanning Tree compatibility issues compared to configurations where tunnel-like VLAN interfaces are bridged. Configuring Bridge VLAN Filtering is highly recommended to comply with STP (802.1D) and RSTP (802.1w) standards, and it is mandatory for enabling MSTP (802.1s) support in RouterOS.</p><h2 id="CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-VLANFiltering"><span class="mw-headline">VLAN Filtering</span></h2><p><span class="mw-headline">VLAN filtering is described in the<span> </span><a href="https://help.mikrotik.com/docs/display/ROS/Bridging+and+Switching#BridgingandSwitching-BridgeVLANFiltering" rel="nofollow">Bridge VLAN Filtering</a><span> </span>section.</span></p><p><span style="font-size: 20.0px;letter-spacing: -0.008em;">VLAN setup examples</span></p><p><span class="mw-headline">Some of the most common ways to use VLAN forwarding:</span></p><h3 id="CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-Port-BasedVLAN"><span class="mw-headline">Port-Based VLAN</span></h3><p>The configuration is described in the<span> </span><a 
href="https://help.mikrotik.com/docs/display/ROS/Bridging+and+Switching#BridgingandSwitching-BridgeVLANFiltering" rel="nofollow">Bridge VLAN Filtering</a><span> </span>section.</p><h3 id="CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-MACBasedVLAN"><span class="mw-headline">MAC Based VLAN</span></h3><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><ul><li>The Switch Rule table is used for MAC Based VLAN functionality, see<span> </span><a href="https://help.mikrotik.com/docs/display/ROS/CRS3xx%2C+CRS5xx%2C+CCR2116%2C+CCR2216+switch+chip+features#CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-Models" rel="nofollow">this table</a><span> </span>for how many rules each device supports.</li><li>MAC-based VLANs will only work properly between switch ports and not between switch ports and the CPU. When a packet is forwarded to the CPU, the <span style="color: rgb(51,153,102);"><code>pvid</code></span> property of the bridge port will always be used instead of <code><span style="color: rgb(51,153,102);">new-vlan-id</span> </code>from ACL rules.</li><li>MAC-based VLANs will not work for DHCP packets when DHCP snooping is enabled.</li></ul></div></div><p>Enable switching on ports by creating a bridge with hardware offloading enabled:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface bridge
add name=bridge1 vlan-filtering=yes
/interface bridge port
add bridge=bridge1 interface=ether2 hw=yes
add bridge=bridge1 interface=ether7 hw=yes</pre>
</div></div><p>Add VLANs in the Bridge VLAN table and specify ports:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface bridge vlan
add bridge=bridge1 tagged=ether2 untagged=ether7 vlan-ids=200,300,400</pre>
</div></div><p>Add Switch rules that assign VLAN ID based on MAC address:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface ethernet switch rule
add switch=switch1 ports=ether7 src-mac-address=A4:12:6D:77:94:43/FF:FF:FF:FF:FF:FF new-vlan-id=200
add switch=switch1 ports=ether7 src-mac-address=84:37:62:DF:04:20/FF:FF:FF:FF:FF:FF new-vlan-id=300
add switch=switch1 ports=ether7 src-mac-address=E7:16:34:A1:CD:18/FF:FF:FF:FF:FF:FF new-vlan-id=400</pre>
</div></div><h3 id="CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-ProtocolBasedVLAN"><span class="mw-headline">Protocol Based VLAN</span></h3><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><ul><li><span style="color: rgb(13,13,13);">The Switch Rule table is utilized for Protocol-based VLAN functionality. Refer to</span><span> </span><a href="https://help.mikrotik.com/docs/display/ROS/CRS3xx%2C+CRS5xx%2C+CCR2116%2C+CCR2216+switch+chip+features#CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-Models" rel="nofollow">this table</a><span> <span style="color: rgb(13,13,13);">to determine the number of rules each device supports.</span></span></li><li class="auto-cursor-target">Protocol-based VLANs will only function correctly between switch ports and not between switch ports and the CPU. When a packet is forwarded to the CPU, the <span style="color: rgb(51,153,102);"><code>pvid</code></span> property of the bridge port will always be used instead of the <span style="color: rgb(51,153,102);"><code>new-vlan-id</code> </span>from ACL rules.</li><li class="auto-cursor-target">Protocol-based VLANs will not function for DHCP packets when DHCP snooping is enabled.</li></ul></div></div><p>Enable switching on ports by creating a bridge with hardware offloading enabled:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface bridge
add name=bridge1 vlan-filtering=yes
/interface bridge port
add bridge=bridge1 interface=ether2 hw=yes
add bridge=bridge1 interface=ether6 hw=yes
add bridge=bridge1 interface=ether7 hw=yes
add bridge=bridge1 interface=ether8 hw=yes</pre>
</div></div><p>Add VLANs in the Bridge VLAN table and specify ports:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface bridge vlan
add bridge=bridge1 tagged=ether2 untagged=ether6 vlan-ids=200
add bridge=bridge1 tagged=ether2 untagged=ether7 vlan-ids=300
add bridge=bridge1 tagged=ether2 untagged=ether8 vlan-ids=400</pre>
</div></div><p>Add Switch rules that assign VLAN ID based on MAC protocol:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface ethernet switch rule
add mac-protocol=ip new-vlan-id=200 ports=ether6 switch=switch1
add mac-protocol=ipx new-vlan-id=300 ports=ether7 switch=switch1
add mac-protocol=0x80F3 new-vlan-id=400 ports=ether8 switch=switch1</pre>
</div></div><h3 id="CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-VLANTunneling(Q-in-Q)">VLAN Tunneling (Q-in-Q)</h3><p>It is possible to use a provider bridge (IEEE 802.1ad) and Tag Stacking VLAN filtering together with hardware offloading. The configuration for this is outlined in the<span> </span><a href="https://help.mikrotik.com/docs/display/ROS/Bridging+and+Switching#BridgingandSwitching-VLANTunneling(QinQ)" rel="nofollow">Bridge VLAN Tunneling (Q-in-Q)</a><span> </span>section.</p><div class="confluence-information-macro confluence-information-macro-warning"><span class="aui-icon aui-icon-small aui-iconfont-error confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>Devices equipped with switch chip Marvell-98DX3257 (e.g. CRS354 series) do not support VLAN filtering on 1Gbps Ethernet interfaces for other VLAN types (<span style="color: rgb(51,153,102);"><code>0x88a8</code></span> and <span style="color: rgb(51,153,102);"><code>0x9100</code></span>).</p></div></div><h2 id="CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-IngressVLANtranslation">Ingress VLAN translation</h2><p>It is possible to translate a certain VLAN ID to a different VLAN ID using ACL rules on an ingress port. In this example, we create two ACL rules, allowing bidirectional communication. This can be done by following these steps:</p><p>1) Create a new bridge and add ports to it with hardware offloading:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface bridge
add name=bridge1 vlan-filtering=no
/interface bridge port
add interface=ether1 bridge=bridge1 hw=yes
add interface=ether2 bridge=bridge1 hw=yes</pre>
</div></div><p>2) Add ACL rules to translate a VLAN ID in each direction:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface ethernet switch rule
add new-dst-ports=ether2 new-vlan-id=20 ports=ether1 switch=switch1 vlan-id=10
add new-dst-ports=ether1 new-vlan-id=10 ports=ether2 switch=switch1 vlan-id=20</pre>
</div></div><p>3) Add both VLAN IDs to the bridge VLAN table:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface bridge vlan
add bridge=bridge1 tagged=ether1 vlan-ids=10
add bridge=bridge1 tagged=ether2 vlan-ids=20</pre>
</div></div><p>4) Enable bridge VLAN filtering:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface bridge set bridge1 vlan-filtering=yes</pre>
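<p>An added example (not part of the MikroTik documentation): a Python audit that checks a RouterOS export against the four steps above, verifying that every translation rule has its reverse rule, that the ingress port is a member of the translated VLAN, that a VLAN pair is translated between no more than two switch ports, and that <code>vlan-filtering</code> ends up enabled. The function names, the constructed sample export and the optional <code>acl_limit</code> parameter (meant to carry the device's value from the "ACL rules" column of the Models table) are assumptions of this example.</p>

```python
import shlex

# Constructed sample: the four steps above joined into one export.
SAMPLE = """\
/interface bridge
add name=bridge1 vlan-filtering=no
/interface bridge port
add interface=ether1 bridge=bridge1 hw=yes
add interface=ether2 bridge=bridge1 hw=yes
/interface ethernet switch rule
add new-dst-ports=ether2 new-vlan-id=20 ports=ether1 switch=switch1 vlan-id=10
add new-dst-ports=ether1 new-vlan-id=10 ports=ether2 switch=switch1 vlan-id=20
/interface bridge vlan
add bridge=bridge1 tagged=ether1 vlan-ids=10
add bridge=bridge1 tagged=ether2 vlan-ids=20
/interface bridge set bridge1 vlan-filtering=yes
"""

RULE_MENU = "/interface ethernet switch rule"


def parse_export(text):
    """Return (menu, verb, props) for every add/set line of a RouterOS export."""
    menu, entries = "", []
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)
        if not tokens:
            continue
        path = menu
        if tokens[0].startswith("/"):
            verb_at = next((i for i, t in enumerate(tokens) if t in ("add", "set")),
                           len(tokens))
            path, tokens = " ".join(tokens[:verb_at]), tokens[verb_at:]
            if not tokens:  # a bare menu line changes the context for later lines
                menu = path
                continue
        if tokens[0] in ("add", "set"):
            props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
            entries.append((path, tokens[0], props))
    return entries


def expand_ids(spec):
    """Expand a vlan-ids value such as '10,20-22' into a set of integers."""
    ids = set()
    for part in spec.split(","):
        if part:
            lo, _, hi = part.partition("-")
            ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def audit_translation(text, acl_limit=None):
    """Return a list of findings; an empty list means every check passed."""
    entries = parse_export(text)
    rules = [p for m, v, p in entries if m == RULE_MENU and v == "add"]
    table = [p for m, v, p in entries if m == "/interface bridge vlan" and v == "add"]
    filtering = [p["vlan-filtering"] for m, _, p in entries
                 if m == "/interface bridge" and "vlan-filtering" in p]
    findings = []
    if acl_limit is not None and len(rules) > acl_limit:
        findings.append(f"{len(rules)} switch rules exceed the ACL limit of {acl_limit}")
    # A translation rule matches one VLAN ID and rewrites it to another.
    xlate = [(r.get("ports", ""), r["vlan-id"], r.get("new-dst-ports", ""), r["new-vlan-id"])
             for r in rules if "vlan-id" in r and "new-vlan-id" in r]
    ports_per_pair = {}
    for in_port, vid, out_port, new_vid in xlate:
        if (out_port, new_vid, in_port, vid) not in xlate:
            findings.append(f"{in_port} vlan {vid} to {new_vid}: no reverse rule on {out_port}")
        member = any(
            int(vid) in expand_ids(e.get("vlan-ids", ""))
            and in_port in (e.get("tagged", "") + "," + e.get("untagged", "")).split(",")
            for e in table)
        if not member:
            findings.append(f"{in_port} is not a member of vlan {vid} in the bridge VLAN table")
        pair = frozenset((vid, new_vid))
        ports_per_pair.setdefault(pair, set()).update(in_port.split(","), out_port.split(","))
    for pair, ports in ports_per_pair.items():
        ports.discard("")
        if len(ports) > 2:
            findings.append(f"vlans {sorted(pair)} are translated across {len(ports)} ports; "
                            "bidirectional translation is limited to two switch ports")
    if xlate and (not filtering or filtering[-1] != "yes"):
        findings.append("bridge vlan-filtering is not enabled")
    return findings


if __name__ == "__main__":
    for finding in audit_translation(SAMPLE, acl_limit=128) or ["no findings"]:
        print(finding)
```

<p>The audit reads only the export text, so it can be run against a saved configuration before the change is applied to a device.</p>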
</div></div><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>Bidirectional communication is limited to two switch ports. Translating VLAN ID between more ports can cause traffic flooding or incorrect forwarding between the same VLAN ports.</p></div></div><div class="confluence-information-macro confluence-information-macro-warning"><span class="aui-icon aui-icon-small aui-iconfont-error confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>By enabling<span> </span><span style="color: rgb(51,153,102);"><code>vlan-filtering</code></span><span> </span>you will be filtering out traffic destined to the CPU. Before enabling VLAN filtering, make sure that you have set up a<span> </span><a href="https://help.mikrotik.com/docs/display/ROS/Bridging+and+Switching#BridgingandSwitching-Managementaccessconfiguration" rel="nofollow">Management port</a>.</p></div></div><h1 id="CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-(R/M)STP"><span class="mw-headline">(R/M)STP</span></h1><hr/><p>CRS3xx, CRS5xx series switches, CCR2116, and CCR2216 routers are capable of running STP, RSTP, and MSTP on a hardware level. For more detailed information you should check out the<span> </span><a href="https://help.mikrotik.com/docs/display/ROS/Spanning+Tree+Protocol" rel="nofollow">Spanning Tree Protocol</a><span> </span>manual page.</p><h1 id="CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-Bonding"><span class="mw-headline">Bonding</span></h1><hr/><p>CRS3xx, CRS5xx series switches, and CCR2116, CCR2216 routers support hardware offloading with bonding interfaces. 
Only<span> </span><span style="color: rgb(51,153,102);"><code>802.3ad</code></span><span> </span>and<span> </span><code><span style="color: rgb(51,153,102);">balance-xor</span> </code>bonding modes are hardware offloaded, other bonding modes will use the CPU's resources. You can find more information about the bonding interfaces in the<span> </span><a href="https://help.mikrotik.com/docs/display/ROS/Bonding" rel="nofollow">Bonding Interface<span> </span></a>section. If <span style="color: rgb(51,153,102);"><code>802.3ad</code></span> mode is used, then LACP (Link Aggregation Control Protocol) is supported.</p><p>To create a hardware offloaded bonding interface, you must create a bonding interface with a supported bonding mode:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface bonding
add mode=802.3ad name=bond1 slaves=ether1,ether2</pre>
</div></div><p><span style="letter-spacing: 0.0px;">This interface can be added to a bridge alongside other interfaces:</span></p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface bridge
add name=bridge
/interface bridge port
add bridge=bridge interface=bond1 hw=yes
add bridge=bridge interface=ether3 hw=yes
add bridge=bridge interface=ether4 hw=yes</pre>
</div></div><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>Do not add interfaces that are already in a bond to a bridge; RouterOS will not allow you to add an interface to a bridge that is already a slave port for bonding.</p></div></div><p>Make sure that the bonding interface is hardware offloaded by checking the "H" flag:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: text; gutter: false; theme: Confluence" data-theme="Confluence">/interface bridge port print
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload
# INTERFACE BRIDGE HW
0 H bond1 bridge yes
1 H ether3 bridge yes
2 H ether4 bridge yes</pre>
</div></div><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>With HW-offloaded bonding interfaces, the built-in switch chip will always use Layer2+Layer3+Layer4 for a transmit hash policy; changing the transmit hash policy manually will have no effect.</p></div></div><h1 id="CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-Multi-chassisLinkAggregationGroup">Multi-chassis Link Aggregation Group</h1><hr/><p><span class="mw-headline"><span style="color: rgb(23,43,77);">MLAG (Multi-chassis Link Aggregation Group) implementation in RouterOS allows configuring LACP bonds on two separate devices, while the client device believes it is connected to the same machine. This provides physical redundancy in case of switch failure. All CRS3xx, CRS5xx series, and CCR2116, CCR2216 devices can be configured with MLAG. Read <a href="https://help.mikrotik.com/docs/display/ROS/Multi-chassis+Link+Aggregation+Group" rel="nofollow">here</a> for more information.</span></span></p><h1 id="CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-L3HardwareOffloading"><span class="mw-headline">L3 Hardware Offloading</span></h1><hr/><p><span class="mw-headline"><span style="color: rgb(23,43,77);text-decoration: none;">Layer3 hardware offloading, also known as IP switching or HW routing, <span style="color: rgb(13,13,13);">enables the offloading of certain router features onto the switch chip.</span> <span style="color: rgb(13,13,13);">This capability allows for achieving wire speeds when routing packets, a feat that would not be possible with just the CPU alone.</span></span></span></p><p><span class="mw-headline">The offloaded feature set depends on the used chipset. 
For more information, please refer to the documentation provided <a href="https://help.mikrotik.com/docs/display/ROS/L3+Hardware+Offloading">here</a>.</span></p><h1 id="CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-Portisolation"><span class="mw-headline">Port isolation</span></h1><hr/><p>It is possible to create a Private VLAN setup, an example can be found in the<span> </span><a href="https://help.mikrotik.com/docs/display/ROS/Switch+Chip+Features#SwitchChipFeatures-Portisolation" rel="nofollow">Switch chip port isolation</a><span> </span>manual page. Hardware offloaded bonding interfaces are not included in the switch port-isolation menu, but it is still possible to configure port-isolation individually on<span style="color: rgb(23,43,77);"> each secondary interface of the bonding.</span></p><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>Port isolation can be used with a VLAN-filtering bridge and it is possible to isolate ports that are members of the same VLAN. The isolation works per port, it is not possible to isolate ports per VLAN.</p></div></div><h1 id="CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-IGMP/MLDSnooping"><span class="mw-headline">IGMP/MLD Snooping</span></h1><hr/><p>CRS3xx, CRS5xx series switches and CCR2116, CCR2216 routers can use IGMP/MLD Snooping on a hardware level. For more detailed information, you should check out the<span> </span><a href="https://help.mikrotik.com/docs/pages/viewpage.action?pageId=59277403" rel="nofollow">IGMP/MLD snooping</a><span> </span>manual page.</p><h1 id="CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-DHCPSnoopingandDHCPOption82"><span class="mw-headline">DHCP Snooping and DHCP Option 82</span></h1><hr/><p>CRS3xx, CRS5xx series switches and CCR2116, CCR2216 routers can use DHCP Snooping with Option 82 on a hardware level. 
The switch will create a dynamic ACL rule to capture the DHCP packets and redirect them to the main CPU for further processing. To see more detailed information, please visit the <a href="https://help.mikrotik.com/docs/display/ROS/Bridging+and+Switching#BridgingandSwitching-DHCPSnoopingandDHCPOption82" rel="nofollow">DHCP Snooping and DHCP Option 82</a><span> </span>manual page.</p><div class="confluence-information-macro confluence-information-macro-warning"><span class="aui-icon aui-icon-small aui-iconfont-error confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>DHCP snooping will not work when hardware offloading bonding interfaces are created.</p></div></div><h1 id="CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-ControllerBridgeandPortExtender"><span class="mw-headline">Controller Bridge and Port Extender</span></h1><hr/><p><span class="mw-headline"><span style="color: rgb(23,43,77);">Controller Bridge (CB) and Port Extender (PE) is an IEEE 802.1BR standard implementation in RouterOS. It allows virtually extending the CB ports with a PE device and managing these extended interfaces from a single controlling device. Such configuration provides a simplified network topology, flexibility, increased port density, and ease of manageability. See more details on the </span><a href="https://help.mikrotik.com/docs/display/ROS/Controller+Bridge+and+Port+Extender" rel="nofollow" style="text-decoration: none;">Controller Bridge and Port Extender manual</a><span style="color: rgb(23,43,77);">.</span></span></p><h1 id="CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-Mirroring"><span class="mw-headline">Mirroring</span></h1><hr/><p><span style="color: rgb(13,13,13);">Mirroring allows the switch to intercept all traffic passing through the switch chip and send a copy of those packets to another designated port (mirror-target). 
This feature facilitates the creation of a tap device, enabling network traffic inspection on a traffic analyzer device. You can configure simple port-based mirroring or more complex mirroring based on various parameters. Note that the mirror-target port must belong to the same switch (you can identify which port belongs to which switch in the /interface ethernet menu). Additionally, the mirror-target port can be set to a special value 'cpu', indicating that sniffed packets will be forwarded to the switch chip's CPU port. There are several methods to mirror specific traffic, and below are some of the most common mirroring examples:</span></p><p class="auto-cursor-target">Port Based Mirroring:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface ethernet switch
set switch1 mirror-source=ether2 mirror-target=ether3</pre>
</div></div><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>Property<span> </span><span style="color: rgb(51,153,102);"><code>mirror-source</code></span><span> </span>will send ingress and egress packet copies to the<span> </span><span style="color: rgb(51,153,102);"><code>mirror-target</code></span><span> </span>port. Both<span> </span><code><span style="color: rgb(51,153,102);">mirror-source</span> </code>and<span> </span><span style="color: rgb(51,153,102);"><code>mirror-target</code></span><span> </span>are limited to a single interface.</p></div></div><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface ethernet switch
set switch1 mirror-source=none mirror-target=ether3
/interface ethernet switch rule
add mirror=yes ports=ether1,ether2 switch=switch1</pre>
</div></div><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>Using ACL rules, it is possible to mirror packets from multiple<span> </span><span style="color: rgb(51,153,102);"><code>ports</code></span><span> </span>interfaces. Only ingress packets are mirrored to the<span> </span><span style="color: rgb(51,153,102);"><code>mirror-target</code></span><span> </span>interface.</p></div></div><p><span style="letter-spacing: 0.0px;">VLAN Based Mirroring:</span></p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface bridge
set bridge1 vlan-filtering=yes
/interface ethernet switch
set switch1 mirror-target=ether3 mirror-source=none
/interface ethernet switch rule
add mirror=yes ports=ether1 switch=switch1 vlan-id=11</pre>
</div></div><div class="confluence-information-macro confluence-information-macro-warning"><span class="aui-icon aui-icon-small aui-iconfont-error confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>By enabling<span> </span><span style="color: rgb(51,153,102);"><code>vlan-filtering</code></span><span> </span>you will be filtering out traffic destined for the CPU. Before enabling VLAN filtering, you should make sure that you set up a<span> </span><a href="https://help.mikrotik.com/docs/display/ROS/Bridging+and+Switching#BridgingandSwitching-Managementaccessconfiguration" rel="nofollow">Management port</a>.</p></div></div><p>MAC Based Mirroring:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface ethernet switch
set switch1 mirror-target=ether3 mirror-source=none
/interface ethernet switch rule
add mirror=yes ports=ether1 switch=switch1 dst-mac-address=64:D1:54:D9:27:E6/FF:FF:FF:FF:FF:FF
add mirror=yes ports=ether1 switch=switch1 src-mac-address=64:D1:54:D9:27:E6/FF:FF:FF:FF:FF:FF</pre>
</div></div><p><span style="letter-spacing: 0.0px;">Protocol Based Mirroring:</span></p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface ethernet switch
set switch1 mirror-target=ether3 mirror-source=none
/interface ethernet switch rule
add mirror=yes ports=ether1 switch=switch1 mac-protocol=ipx</pre>
</div></div><p><span style="letter-spacing: 0.0px;">IP Based Mirroring:</span></p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface ethernet switch
set switch1 mirror-target=ether3 mirror-source=none
/interface ethernet switch rule
add mirror=yes ports=ether1 switch=switch1 src-address=192.168.88.0/24
add mirror=yes ports=ether1 switch=switch1 dst-address=192.168.88.0/24</pre>
</div></div><p><span style="letter-spacing: 0.0px;">There are other options as well; check the</span><span style="letter-spacing: 0.0px;"> </span><a href="https://help.mikrotik.com/docs/display/ROS/CRS3xx%2C+CRS5xx%2C+CCR2116%2C+CCR2216+switch+chip+features#CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-SwitchRules(ACL)" rel="nofollow">ACL section</a><span style="letter-spacing: 0.0px;"> </span><span style="letter-spacing: 0.0px;">to find out all possible parameters that can be used to match packets.</span></p><h1 id="CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-TrafficShaping"><span class="mw-headline">Traffic Shaping</span></h1><hr/><p>It is possible to limit ingress traffic that matches certain parameters with ACL rules, and it is possible to limit ingress/egress traffic on a per-port basis. The policer is used for ingress traffic; the shaper is used for egress traffic. The ingress policer controls the received traffic with packet drops. Everything that exceeds the defined limit will get dropped. This can affect the TCP congestion control mechanism on end hosts, and the achieved bandwidth can actually be less than defined. The egress shaper tries to queue packets that exceed the limit instead of dropping them. Eventually, it will also drop packets when the output queue gets full; however, it should allow for better utilization of the defined throughput.</p><p>Port-based traffic policer and shaper:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface ethernet switch port
set ether1 ingress-rate=10M egress-rate=5M</pre>
</div></div><p><span style="letter-spacing: 0.0px;">MAC-based traffic policer:</span></p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface ethernet switch rule
add ports=ether1 switch=switch1 src-mac-address=64:D1:54:D9:27:E6/FF:FF:FF:FF:FF:FF rate=10M</pre>
</div></div><p><span style="letter-spacing: 0.0px;">VLAN-based traffic policer:</span></p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface bridge
set bridge1 vlan-filtering=yes
/interface ethernet switch rule
add ports=ether1 switch=switch1 vlan-id=11 rate=10M</pre>
</div></div><div class="confluence-information-macro confluence-information-macro-warning"><span class="aui-icon aui-icon-small aui-iconfont-error confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>By enabling<span> </span><span style="color: rgb(51,153,102);"><code>vlan-filtering</code> </span>you will be filtering out traffic destined to the CPU. Before enabling VLAN filtering, you should make sure that you set up a<span> </span><a href="https://help.mikrotik.com/docs/display/ROS/Bridging+and+Switching#BridgingandSwitching-Managementaccessconfiguration" rel="nofollow">Management port</a>.</p></div></div><p>Protocol-based traffic policer:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface ethernet switch rule
add ports=ether1 switch=switch1 mac-protocol=ipx rate=10M</pre>
</div></div><p><span style="letter-spacing: 0.0px;">There are other options as well; check the</span><span style="letter-spacing: 0.0px;"> </span><a href="https://help.mikrotik.com/docs/display/ROS/CRS3xx%2C+CRS5xx%2C+CCR2116%2C+CCR2216+switch+chip+features#CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-SwitchRules(ACL)" rel="nofollow">ACL section</a><span style="letter-spacing: 0.0px;"> </span><span style="letter-spacing: 0.0px;">to find out all possible parameters that can be used to match packets.</span></p><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>The Switch Rule table is used for QoS functionality; see<span> </span><a href="https://help.mikrotik.com/docs/display/ROS/CRS3xx%2C+CRS5xx%2C+CCR2116%2C+CCR2216+switch+chip+features#CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-Models" rel="nofollow">this table</a><span> </span>for how many rules each device supports.</p></div></div><h1 id="CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-TrafficStormControl"><span class="mw-headline">Traffic Storm Control</span></h1><hr/><p>A traffic storm can emerge when certain frames are continuously flooded on the network. For example, if a network loop has been created and no loop avoidance mechanisms are used (e.g.<span> </span><a href="https://help.mikrotik.com/docs/display/ROS/Spanning+Tree+Protocol" rel="nofollow">Spanning Tree Protocol</a>), broadcast or multicast frames can quickly overwhelm the network, causing degraded network performance or even complete network breakdown. With CRS3xx, CRS5xx series switches and CCR2116, CCR2216 routers it is possible to limit broadcast, unknown multicast, and unknown unicast traffic. Traffic is considered unknown unicast when the switch does not contain a host entry for the destination MAC address. 
Traffic is considered unknown multicast when the switch does not contain a multicast group entry in the<span> </span><span style="color: rgb(51,153,102);"><code>/interface bridge mdb</code></span><span> </span>menu. Storm control settings should be applied to ingress ports; the egress traffic will be limited.</p><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>The storm control parameter is specified as a percentage (%) of the link speed. If your link speed is 1Gbps, then specifying<span> </span><span style="color: rgb(51,153,102);"><code>storm-rate</code></span><span> </span>as<span> </span><code>10</code><span> </span>will allow only 100Mbps of broadcast, unknown multicast, and/or unknown unicast traffic to be forwarded.</p></div></div><p><strong>Sub-menu:</strong><span> </span><code>/interface ethernet switch port</code></p><div class="table-wrap"><table class="wrapped confluenceTable"><colgroup><col/><col/></colgroup><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>limit-broadcasts</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>yes</strong>)</td><td class="confluenceTd">Limit broadcast traffic on a switch port.</td></tr><tr><td class="confluenceTd"><strong>limit-unknown-multicasts</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">Limit unknown multicast traffic on a switch port.</td></tr><tr><td class="confluenceTd"><strong>limit-unknown-unicasts</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">Limit unknown unicast traffic on a switch port.</td></tr><tr><td class="confluenceTd"><strong>storm-rate</strong><span> </span>(<em>integer 0..100</em>; Default:<span> 
</span><strong>100</strong>)</td><td class="confluenceTd">The amount of broadcast, unknown multicast, and/or unknown unicast traffic is limited to a percentage of the link speed.</td></tr></tbody></table></div><div class="confluence-information-macro confluence-information-macro-warning"><span class="aui-icon aui-icon-small aui-iconfont-error confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>Devices with Marvell-98DX3236 switch chip cannot distinguish unknown multicast traffic from all multicast traffic. For example, CRS326-24G-2S+ will limit all multicast traffic when<span> </span><span style="color: rgb(51,153,102);"><code>limit-unknown-multicasts</code></span><span> </span>and<span> </span><span style="color: rgb(51,153,102);"><code>storm-rate</code></span><span> </span>are used. On other devices, for example CRS317-1G-16S+, the<span> </span><span style="color: rgb(51,153,102);"><code>limit-unknown-multicasts</code></span><span> </span>parameter will limit only unknown multicast traffic (addresses that are not present in<span> </span><code><span style="color: rgb(51,153,102);">/interface bridge mdb</span></code>).</p></div></div><p>For example, to limit broadcast and unknown unicast traffic on ether1 (1Gbps) to 1% (10Mbps), use the following commands:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface ethernet switch port
set ether1 storm-rate=1 limit-broadcasts=yes limit-unknown-unicasts=yes</pre>
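<p>Added example (not part of the MikroTik manual): a Python audit of a configuration written in the style of this page's commands. It lists every setting that copies or diverts frames (port mirroring, ACL <code>mirror</code>, <code>copy-to-cpu</code>, <code>redirect-to-cpu</code>) and reports which ports have a storm limit that actually restricts flooding. The sample configuration is constructed, link speeds are supplied by the caller, and the parser assumes one <code>set</code>/<code>add</code> command per line with the switch or port named directly, as in the commands above.</p>

```python
import shlex

SWITCH_MENU = "/interface ethernet switch"
RULE_MENU = "/interface ethernet switch rule"
PORT_MENU = "/interface ethernet switch port"

# Storm-control defaults, taken from the property table on this page.
PORT_DEFAULTS = {"limit-broadcasts": "yes", "limit-unknown-multicasts": "no",
                 "limit-unknown-unicasts": "no", "storm-rate": "100"}
CLASSES = (("limit-broadcasts", "broadcast"),
           ("limit-unknown-multicasts", "unknown-multicast"),
           ("limit-unknown-unicasts", "unknown-unicast"))

# Constructed sample configuration (assumption: not taken from a real device).
SAMPLE = """\
/interface ethernet switch
set switch1 mirror-source=ether2 mirror-target=ether3
/interface ethernet switch rule
add mirror=yes ports=ether1,ether2 switch=switch1
add ports=ether4 switch=switch1 src-address=192.168.88.0/24 copy-to-cpu=yes
add ports=ether5 switch=switch1 vlan-id=11 rate=10M
add ports=ether6 switch=switch1 mirror=yes disabled=yes
/interface ethernet switch port
set ether1 storm-rate=1 limit-broadcasts=yes limit-unknown-unicasts=yes
set ether2 limit-unknown-unicasts=yes
"""


def parse_commands(text):
    """Return (menu, verb, target, props) for every set/add command."""
    menu, commands = None, []
    for raw in text.splitlines():
        words = shlex.split(raw, comments=True)
        if not words:
            continue
        if words[0].startswith("/"):
            # A menu path, optionally followed by a command on the same line.
            cut = next((i for i, w in enumerate(words) if w in ("set", "add")),
                       len(words))
            menu, words = " ".join(words[:cut]), words[cut:]
            if not words:
                continue
        verb, target, props = words[0], None, {}
        for word in words[1:]:
            if "=" in word:
                key, value = word.split("=", 1)
                props[key] = value
            elif target is None:
                target = word
        commands.append((menu, verb, target, props))
    return commands


def traffic_copies(commands):
    """List (kind, from_ports, to, direction) for every copy or diversion."""
    target_of, found = {}, []
    for menu, verb, name, props in commands:
        if menu == SWITCH_MENU and verb == "set":
            target_of[name] = props.get("mirror-target", "unset")
            source = props.get("mirror-source", "none")
            if source != "none":
                # Port-based mirroring copies both directions of one port.
                found.append(("port-mirror", source, target_of[name],
                              "ingress+egress"))
    for menu, verb, name, props in commands:
        if menu != RULE_MENU or verb != "add" or props.get("disabled") == "yes":
            continue
        ports = props.get("ports", "unspecified")
        if props.get("mirror") == "yes":
            # ACL mirroring copies only frames received on the matched ports.
            to = target_of.get(props.get("switch"), "unset")
            found.append(("acl-mirror", ports, to, "ingress"))
        for action in ("copy-to-cpu", "redirect-to-cpu"):
            if props.get(action) == "yes":
                found.append((action, ports, "cpu", "ingress"))
    return found


def storm_limits(commands, link_bps):
    """Per port: limited flood classes, cap in bit/s, and whether it restricts."""
    settings = {port: dict(PORT_DEFAULTS) for port in link_bps}
    for menu, verb, name, props in commands:
        if menu == PORT_MENU and verb == "set" and name in settings:
            settings[name].update(
                {k: v for k, v in props.items() if k in PORT_DEFAULTS})
    report = {}
    for port, cfg in settings.items():
        classes = [label for key, label in CLASSES if cfg[key] == "yes"]
        rate = int(cfg["storm-rate"])
        report[port] = {
            "classes": classes,
            "cap_bps": link_bps[port] * rate // 100,
            # storm-rate=100 lets flooded traffic use the whole link.
            "effective": bool(classes) and rate != 100,
        }
    return report


if __name__ == "__main__":
    cmds = parse_commands(SAMPLE)
    for finding in traffic_copies(cmds):
        print("copy:", finding)
    speeds = {"ether1": 10**9, "ether2": 10**9, "ether3": 10**9}
    for port, info in storm_limits(cmds, speeds).items():
        print("storm:", port, info)
```

<p>In the sample, ether2 has <code>limit-unknown-unicasts=yes</code> but keeps the default <code>storm-rate</code> of 100, so the audit reports its limit as not effective.</p>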
</div></div><h1 id="CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-MPLShardwareoffloading"><span class="mw-headline">MPLS hardware offloading</span></h1><hr/><p>It is possible to offload certain MPLS functions to the switch chip, the switch must be a (P)rovider router in a PE-P-PE setup in order to achieve hardware offloading. A setup example can be found in the<span> </span><a class="external-link" href="https://wiki.mikrotik.com/wiki/Manual:Basic_MPLS_setup_example" rel="nofollow" style="text-decoration: none;" title="Manual:Basic MPLS setup example">Basic MPLS setup example</a><span> </span>manual page. The hardware offloading will only take place when LDP interfaces are configured as physical switch interfaces (e.g. Ethernet, SFP, SFP+).</p><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>Currently only<span> </span><code>CRS317-1G-16S+</code><span> </span>and<span> </span><code>CRS309-1G-8S+</code><span> </span>using RouterOS v6.41 and newer are capable of hardware offloading certain MPLS functions.<span> </span><code>CRS317-1G-16S+</code><span> </span>and<span> </span><code>CRS309-1G-8S+</code><span> </span>built-in switch chip is not capable of popping MPLS labels from packets, in a PE-P-PE setup you either have to use explicit null or disable TTL propagation in the MPLS network to achieve hardware offloading.</p></div></div><div class="confluence-information-macro confluence-information-macro-warning"><span class="aui-icon aui-icon-small aui-iconfont-error confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>The MPLS hardware offloading has been removed since RouterOS v7.</p></div></div><h1 id="CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-SwitchRules(ACL)"><span class="mw-headline">Switch Rules (ACL)</span></h1><hr/><p>Access Control List 
contains an ingress policy engine. See<span> </span><a href="https://help.mikrotik.com/docs/display/ROS/CRS3xx%2C+CRS5xx%2C+CCR2116%2C+CCR2216+switch+chip+features#CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-Models" rel="nofollow">this table</a><span> </span>for how many rules each device supports. It is an advanced tool for wire-speed packet filtering, forwarding, and modifying based on Layer2, Layer3, and Layer4 protocol header field conditions.</p><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>ACL rules are checked for each received packet until a match has been found. If multiple rules can match, then only the first rule will be triggered. A rule without any action parameters is a rule to accept the packet.</p></div></div><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>It is not required to set <code><span style="color: rgb(51,153,102);">mac-protocol</span> </code>to a certain IP version when using L3 or L4 matchers; however, it is recommended to set the <code><span style="color: rgb(51,153,102);">mac-protocol=ip</span></code> or <code><span style="color: rgb(51,153,102);">mac-protocol=ipv6</span></code> when filtering any IP packets.</p></div></div><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p><span style="color: rgb(36,41,46);">When switch ACL rules are modified (e.g. added, removed, disabled, enabled, or moved), the existing switch rules will be inactive for a short time. 
This can cause some packet leakage during the ACL rule modifications.</span></p></div></div><p><br/></p><p><strong>Sub-menu:</strong><span> </span><code>/interface ethernet switch rule</code></p><div class="table-wrap"><table class="wrapped confluenceTable"><colgroup><col/><col/></colgroup><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>copy-to-cpu</strong><span> </span>(<em>no | yes</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">Clones the matching packet and sends it to the CPU.</td></tr><tr><td class="confluenceTd"><strong>disabled</strong><span> </span>(<em>yes | no</em>; Default:<span> </span><strong>no</strong>)</td><td class="confluenceTd">Enables or disables ACL entry.</td></tr><tr><td class="confluenceTd"><strong>dscp</strong><span> </span>(<em>0..63</em>)</td><td class="confluenceTd">Matching the DSCP field of the packet (only applies to IPv4 packets).</td></tr><tr><td class="confluenceTd"><strong>dst-address</strong><span> </span>(<em>IP address/Mask</em>)</td><td class="confluenceTd">Matching destination IPv4 address and mask, also matches the destination IP in ARP packets. 
</td></tr><tr><td class="confluenceTd"><strong>dst-address6</strong><span> </span>(<em>IPv6 address/Mask</em>)</td><td class="confluenceTd">Matching destination IPv6 address and mask.</td></tr><tr><td class="confluenceTd"><strong>dst-mac-address</strong><span> </span>(<em>MAC address/Mask</em>)</td><td class="confluenceTd">Matching destination MAC address and mask.</td></tr><tr><td class="confluenceTd"><strong>dst-port</strong><span> </span>(<em>0..65535</em>)</td><td class="confluenceTd">Matching destination protocol port number (applies to IPv4 and IPv6 packets if <span style="color: rgb(51,153,102);"><code>mac-protocol</code></span> is not specified).</td></tr><tr><td class="confluenceTd"><strong>flow-label</strong><span> </span>(<em>0..1048575</em>)</td><td class="confluenceTd">Matching IPv6 flow label.</td></tr><tr><td class="confluenceTd"><strong>mac-protocol</strong><span> </span>(<em>802.2 | arp | homeplug-av | ip | ipv6 | ipx | lldp | loop-protect | mpls-multicast | mpls-unicast | packing-compr | packing-simple | pppoe | pppoe-discovery | rarp | service-vlan | vlan | or 0..65535 | or 0x0000-0xffff</em>)</td><td class="confluenceTd">Matching particular MAC protocol specified by protocol name or number</td></tr><tr><td class="confluenceTd"><strong>mirror</strong><span> </span>(<em>no | yes</em>)</td><td class="confluenceTd">Clones the matching packet and sends it to the <span style="color: rgb(51,153,102);">mirror-target</span> port.</td></tr><tr><td class="confluenceTd"><strong>new-dst-ports</strong><span> </span>(<em>ports</em>)</td><td class="confluenceTd">Changes the destination port as specified. An empty setting will drop the packet. A specified port will redirect the packet to it. When the parameter is not used, the packet will be accepted. 
Multiple "<span style="color: rgb(51,153,102);">new-dst-ports</span>" are not supported.</td></tr><tr><td class="confluenceTd"><strong>new-vlan-id</strong><span> </span>(<em>0..4095</em>)</td><td class="confluenceTd">Changes the VLAN ID to the specified value. Requires<span> </span><span style="color: rgb(51,153,102);"><code>vlan-filtering=yes</code></span>.</td></tr><tr><td class="confluenceTd"><strong>new-vlan-priority</strong><span> </span>(<em>0..7</em>)</td><td class="confluenceTd">Changes the VLAN priority (priority code point). Requires<span> </span><span style="color: rgb(51,153,102);"><code>vlan-filtering=yes</code></span>.</td></tr><tr><td class="confluenceTd"><strong>ports</strong><span> </span>(<em>ports</em>)</td><td class="confluenceTd">Matching ports on which the rule will apply to received traffic.</td></tr><tr><td class="confluenceTd"><strong>protocol</strong><span> </span>(<em>dccp | ddp | egp | encap | etherip | ggp | gre | hmp | icmp | icmpv6 | idpr-cmtp | igmp | ipencap | ipip | ipsec-ah | ipsec-esp | ipv6 | ipv6-frag | ipv6-nonxt | ipv6-opts | ipv6-route | iso-tp4 | l2tp | ospf | pim | pup | rdp | rspf | rsvp | sctp | st | tcp | udp | udp-lite | vmtp | vrrp | xns-idp | xtp | or 0..255</em>)</td><td class="confluenceTd">Matching particular IP protocol specified by protocol name or number. This only applies to IPv4 packets if <code><span style="color: rgb(51,153,102);">mac-protocol</span></code> is not specified. 
To match certain IPv6 protocols, use the <code><span style="color: rgb(51,153,102);">mac-protocol=ipv6</span></code> setting.</td></tr><tr><td class="confluenceTd"><strong>rate</strong><span> </span>(<em>0..4294967295</em>)</td><td class="confluenceTd">Sets ingress traffic limitation (bits per second) for matched traffic.</td></tr><tr><td class="confluenceTd"><strong>redirect-to-cpu</strong><span> </span>(<em>no | yes</em>)</td><td class="confluenceTd">Changes the destination port of a matching packet to the CPU.</td></tr><tr><td class="confluenceTd"><strong>src-address</strong><span> </span>(<em>IP address/Mask</em>)</td><td class="confluenceTd">Matching source IPv4 address and mask, also matches the source IP in ARP packets. </td></tr><tr><td class="confluenceTd"><strong>src-address6</strong><span> </span>(<em>IPv6 address/Mask</em>)</td><td class="confluenceTd">Matching source IPv6 address and mask.</td></tr><tr><td class="confluenceTd"><strong>src-mac-address</strong><span> </span>(<em>MAC address/Mask</em>)</td><td class="confluenceTd">Matching source MAC address and mask.</td></tr><tr><td class="confluenceTd"><strong>src-port</strong><span> </span>(<em>0..65535</em>)</td><td class="confluenceTd">Matching source protocol port number (applies to IPv4 and IPv6 packets if <span style="color: rgb(51,153,102);"><code>mac-protocol</code></span> is not specified).</td></tr><tr><td class="confluenceTd"><strong>switch</strong><span> </span>(<em>switch group</em>)</td><td class="confluenceTd">Matching switch group to which the rule applies.</td></tr><tr><td class="confluenceTd"><strong>traffic-class</strong><span> </span>(<em>0..255</em>)</td><td class="confluenceTd">Matching IPv6 traffic class.</td></tr><tr><td class="confluenceTd"><strong>vlan-id</strong><span> </span>(<em>0..4095</em>)</td><td class="confluenceTd">Matching VLAN ID. 
Requires<span> </span><span style="color: rgb(51,153,102);"><code>vlan-filtering=yes</code></span>.</td></tr><tr><td class="confluenceTd"><strong>vlan-header</strong><span> </span>(<em>not-present | present</em>)</td><td class="confluenceTd">Matching VLAN header, whether the VLAN header is present or not. Requires<span style="color: rgb(51,153,102);"> <code>vlan-filtering=yes</code></span>.</td></tr><tr><td class="confluenceTd"><strong>vlan-priority</strong><span> </span>(<em>0..7</em>)</td><td class="confluenceTd">Matching VLAN priority (priority code point).</td></tr></tbody></table></div><p>Action parameters:</p><ul><li>copy-to-cpu</li><li>redirect-to-cpu</li><li>mirror</li><li>new-dst-ports (can be used to drop packets)</li><li>new-vlan-id</li><li>new-vlan-priority</li><li>rate</li></ul><p>Layer2 condition parameters:</p><ul><li>dst-mac-address</li><li>mac-protocol</li><li>src-mac-address</li><li>vlan-id</li><li>vlan-header</li><li>vlan-priority</li></ul><p>Layer3 condition parameters:</p><ul><li>dscp</li><li>protocol</li><li>IPv4 conditions:<ul><li>dst-address</li><li>src-address</li></ul></li><li>IPv6 conditions:<ul><li>dst-address6</li><li>flow-label</li><li>src-address6</li><li>traffic-class</li></ul></li></ul><p>Layer4 condition parameters:</p><ul><li>dst-port</li><li>src-port</li></ul><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>For VLAN related matchers or VLAN related action parameters to work, you need to enable<span> </span><span style="color: rgb(51,153,102);"><code>vlan-filtering</code></span><span> </span>on the bridge interface and make sure that hardware offloading is enabled on those ports, otherwise, these parameters will not have any effect.</p></div></div><div class="confluence-information-macro confluence-information-macro-warning"><span class="aui-icon 
aui-icon-small aui-iconfont-error confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>When the bridge interface<span> <code><span style="color: rgb(51,153,102);">ether-</span><span style="color: rgb(51,153,102);">type</span></code></span><span> </span>is set to <span style="color: rgb(51,153,102);"><code>0x8100</code></span>, then VLAN related ACL rules are relevant to<span> frames tagged using regular/customer VLAN (TPID </span>0x8100); this includes<span> </span><span style="color: rgb(51,153,102);"><code>vlan-id</code></span><span> </span>and<span> </span><span style="color: rgb(51,153,102);"><code>new-vlan-id</code></span>. When the bridge interface <span><code><span style="color: rgb(51,153,102);">ether-type</span></code></span><span> </span>is set to <code><span style="color: rgb(51,153,102);">0x88a8</span></code>, then ACL rules are relevant to frames tagged with 802.1ad service tag (TPID <span style="color: rgb(51,153,102);">0x88a8</span>).</p></div></div><h1 id="CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-PortSecurity"><span class="mw-headline">Port Security</span></h1><hr/><p>It is possible to limit the MAC addresses allowed on a single switch port. For example, to allow the MAC address<span> </span>64:D1:54:81:EF:8E on a switch port,<span> </span>start by switching multiple ports together. In this example,<span> </span>64:D1:54:81:EF:8E is located behind<span> </span><strong>ether1</strong>. </p><p><span style="letter-spacing: 0.0px;">Create an ACL rule to allow the given MAC address and drop all other traffic on</span><span style="letter-spacing: 0.0px;"> </span><strong style="letter-spacing: 0.0px;">ether1</strong><span style="letter-spacing: 0.0px;"> </span><span style="letter-spacing: 0.0px;">(for ingress traffic):</span></p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface ethernet switch rule
add ports=ether1 src-mac-address=64:D1:54:81:EF:8E/FF:FF:FF:FF:FF:FF switch=switch1
add new-dst-ports="" ports=ether1 switch=switch1</pre>
</div></div><p>Switch all required ports together, disable MAC learning, and disable unknown unicast flooding on<span> </span><strong>ether1</strong>:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1 hw=yes learn=no unknown-unicast-flood=no
add bridge=bridge1 interface=ether2 hw=yes</pre>
</div></div><p>Add a static hosts entry for<span> </span>64:D1:54:81:EF:8E<span> </span>(for egress traffic):</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="syntaxhighlighter-pre" data-syntaxhighlighter-params="brush: ros; gutter: false; theme: Confluence" data-custom-language-resource="com.atlassian.confluence.ext.code.custom.RouterOS.-3571982644292169508:custom-code-syntax-resources" data-theme="Confluence">/interface bridge host
add bridge=bridge1 interface=ether1 mac-address=64:D1:54:81:EF:8E</pre>
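<p>The three Port Security steps above only work together, so this added example (not part of the MikroTik documentation) audits a RouterOS export for one port: an exact-match allow rule followed by a catch-all drop, a hardware-offloaded bridge port with learning and unknown unicast flooding disabled, and a static host entry for each allowed MAC. The function names, the one-item-per-line export layout and the top-down rule evaluation implied by the allow-then-drop order are assumptions; the sample export is constructed and leaves out the host entry on purpose.</p>

```python
import re

# Constructed sample export: ACL rules and bridge ports, static host entry omitted.
SAMPLE_EXPORT = '''
/interface ethernet switch rule
add ports=ether1 src-mac-address=64:D1:54:81:EF:8E/FF:FF:FF:FF:FF:FF switch=switch1
add new-dst-ports="" ports=ether1 switch=switch1
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1 hw=yes learn=no unknown-unicast-flood=no
add bridge=bridge1 interface=ether2 hw=yes
'''

FULL_MASK = "/FF:FF:FF:FF:FF:FF"

def parse_export(text):
    """Map each menu path to the list of key=value dicts from its 'add' lines."""
    sections, menu = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            menu = line
            sections.setdefault(menu, [])
        elif line.startswith("add ") and menu:
            pairs = re.findall(r'([\w-]+)=("[^"]*"|\S*)', line)
            sections[menu].append({k: v.strip('"') for k, v in pairs})
    return sections

def audit_port(text, port):
    """Return findings for one port; an empty list means all three steps are present."""
    s, findings, allowed, dropped = parse_export(text), [], set(), False
    for rule in s.get("/interface ethernet switch rule", []):
        if port not in rule.get("ports", "").split(","):
            continue
        # Keys other than the rule's scope and its drop/redirect action.
        extra = set(rule) - {"ports", "switch", "new-dst-ports"}
        if rule.get("new-dst-ports") == "" and not extra:
            dropped = True          # catch-all drop: later rules never match
            break
        mac = rule.get("src-mac-address", "").upper()
        is_allow = extra == {"src-mac-address"} and "new-dst-ports" not in rule
        if is_allow and mac.endswith(FULL_MASK):
            allowed.add(mac[:-len(FULL_MASK)])
    if not allowed:
        findings.append("no exact-match src-mac-address allow rule before the drop")
    if not dropped:
        findings.append('no catch-all drop rule (new-dst-ports="")')
    bp = next((p for p in s.get("/interface bridge port", [])
               if p.get("interface") == port), None)
    if bp is None or bp.get("hw") == "no":
        findings.append("port is not a hardware-offloaded bridge port")
    else:
        for key in ("learn", "unknown-unicast-flood"):
            if bp.get(key) != "no":
                findings.append(f"bridge port has {key} enabled")
    hosts = {h.get("mac-address", "").upper()
             for h in s.get("/interface bridge host", []) if h.get("interface") == port}
    for mac in sorted(allowed - hosts):
        findings.append(f"no static host entry for {mac}")
    return findings
```

<p>Calling <code>audit_port(SAMPLE_EXPORT, "ether1")</code> reports the missing static host entry, which is the step that handles egress traffic toward the allowed MAC.</p>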
</div></div><div class="confluence-information-macro confluence-information-macro-warning"><span class="aui-icon aui-icon-small aui-iconfont-error confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>Broadcast traffic will still be sent out from<span> </span><strong>ether1</strong>. To limit broadcast traffic flood on a bridge port, you can use the<span> </span><code>broadcast-flood</code><span> </span>parameter to toggle it. Note that some protocols, such as streaming protocols and DHCP, depend on broadcast traffic.</p></div></div><h1 id="CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-DualBoot"><span class="mw-headline">Dual Boot</span></h1><hr/><p>The “dual boot” feature allows you to choose which operating system to use on CRS3xx series switches: RouterOS or SwOS. The device operating system can be changed using:</p><ul><li>Command-line (<span style="color: rgb(51,153,102);"><code>/system routerboard settings set boot-os=swos</code></span>)</li><li>WinBox</li><li><span style="letter-spacing: 0.0px;">WebFig</span></li><li><span style="letter-spacing: 0.0px;">Serial Console</span></li></ul><p><span style="letter-spacing: 0.0px;">More details about SwOS are described here:</span><span style="letter-spacing: 0.0px;"> </span><a href="https://help.mikrotik.com/docs/display/SWOS/SwOS" rel="nofollow">SwOS manual</a></p><h1 id="CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-ConfiguringSwOSusingRouterOS"><span class="mw-headline">Configuring SwOS using RouterOS</span></h1><hr/><p>It is possible to load, save, and reset SwOS configuration, as well as upgrade SwOS and set an IP address for the CRS3xx series switches by using RouterOS.</p><ul><li>Save configuration with<span> </span><span style="color: rgb(51,153,102);"><code>/system swos save-config</code></span></li></ul><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning 
confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>The configuration will be saved on the same device with "<code>swos.config</code>" as the filename. Make sure you download the file from your device, as the configuration file will be removed after a reboot.</p></div></div><ul><li>Load configuration with<span> </span><span style="color: rgb(51,153,102);"><code>/system swos load-config</code></span></li><li>Change password with<span> </span><span style="color: rgb(51,153,102);"><code>/system swos password</code></span></li><li>Reset configuration with<span> </span><span style="color: rgb(51,153,102);"><code>/system swos reset-config</code></span></li><li>Upgrade SwOS from RouterOS using<span> </span><span style="color: rgb(51,153,102);"><code>/system swos upgrade</code></span></li></ul><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p><span style="color: rgb(13,13,13);">The upgrade command will automatically install the latest available SwOS primary backup version. Ensure that your device has access to the Internet for the upgrade process to work properly. When the device is booted into SwOS, the version number will include the letter "p", indicating a primary backup version. 
You can then install the latest available SwOS secondary main version from the SwOS "Upgrade" menu.</span></p></div></div><div class="table-wrap"><table class="wrapped confluenceTable"><colgroup><col/><col/></colgroup><tbody><tr><th class="confluenceTh">Property</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><strong>address-acquisition-mode</strong><span> </span>(<em>dhcp-only | dhcp-with-fallback | static</em>; Default:<span> </span><strong>dhcp-with-fallback</strong>)</td><td class="confluenceTd">Changes address acquisition method:<p><code><span style="color: rgb(51,153,102);">dhcp-only</span></code><span> </span>- uses only a DHCP client to acquire the address</p><p><span style="color: rgb(51,153,102);"><code>dhcp-with-fallback</code></span><span> </span>- for the first 10 seconds will try to acquire an address using a DHCP client. If the request is unsuccessful, then the address falls back to static as defined by<span> the </span>static-ip-address<span> </span>property</p><p><code><span style="color: rgb(51,153,102);">static</span></code><span> </span>- the address is set as defined by<span> the </span><code><span style="color: rgb(51,153,102);">static-ip-address</span></code><span> </span>property</p></td></tr><tr><td class="confluenceTd"><strong>allow-from</strong><span> </span>(<em>IP/Mask</em>; Default:<span> </span><strong>0.0.0.0/0</strong>)</td><td class="confluenceTd">IP address or a network from which the switch is accessible. By default, the switch is accessible by any IP address.</td></tr><tr><td class="confluenceTd"><strong>allow-from-ports</strong><span> </span>(<em>name</em>; Default: )</td><td class="confluenceTd">List of switch ports from which the device is accessible. 
By default, all ports are allowed to access the switch</td></tr><tr><td class="confluenceTd"><strong>allow-from-vlan</strong><span> </span>(<em>integer: 0..4094</em>; Default:<span> </span><strong>0</strong>)</td><td class="confluenceTd">VLAN ID from which the device is accessible. By default, all VLANs are allowed</td></tr><tr><td class="confluenceTd"><strong>identity</strong><span> </span>(<em>name</em>; Default:<span> </span><strong>Mikrotik</strong>)</td><td class="confluenceTd">Name of the switch (used for Mikrotik Neighbor Discovery protocol)</td></tr><tr><td class="confluenceTd"><strong>static-ip-address</strong><span> </span>(<em>IP</em>; Default:<span> </span><strong>192.168.88.1</strong>)</td><td class="confluenceTd">The IP address of the switch in case<span> </span><code><span style="color: rgb(51,153,102);">address-acquisition-mode</span></code><span> </span>is either set to<span> </span><code><span style="color: rgb(51,153,102);">dhcp-with-fallback</span></code><span> </span>or<span> </span><code><span style="color: rgb(51,153,102);">static</span></code>. By setting a static IP address, the address acquisition process does not change, which is DHCP with fallback by default. 
This means that the configured static IP address will become active only when there are no DHCP servers in the same broadcast domain.</td></tr></tbody></table></div><h1 id="CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-Seealso"><span class="mw-headline">See also</span></h1><p><a href="https://help.mikrotik.com/docs/pages/viewpage.action?pageId=103841835" rel="nofollow">CRS1xx/2xx series switches</a></p><p><a href="https://help.mikrotik.com/docs/display/ROS/CRS3xx%2C+CRS5xx%2C+CCR2116%2C+CCR2216+VLANs+with+Bonds">CRS3xx, CRS5xx, CCR2116, CCR2216 VLANs with Bonds</a></p><p><a href="https://help.mikrotik.com/docs/display/ROS/Basic+VLAN+switching" rel="nofollow">Basic VLAN switching</a></p><p><a href="https://help.mikrotik.com/docs/display/ROS/Bridging+and+Switching#BridgingandSwitching-BridgeHardwareOffloading" rel="nofollow">Bridge Hardware Offloading</a></p><p><a href="https://help.mikrotik.com/docs/display/ROS/L3+Hardware+Offloading" rel="nofollow">Route Hardware Offloading</a></p><p><a href="https://help.mikrotik.com/docs/display/ROS/Spanning+Tree+Protocol" rel="nofollow">Spanning Tree Protocol</a></p><p><a href="https://help.mikrotik.com/docs/display/ROS/MTU+in+RouterOS" rel="nofollow">MTU on RouterBOARD</a></p><p><a href="https://help.mikrotik.com/docs/display/ROS/Layer2+misconfiguration" rel="nofollow">Layer2 misconfiguration</a></p><p><a href="https://help.mikrotik.com/docs/display/ROS/Bridge+VLAN+Table" rel="nofollow">Bridge VLAN Table</a></p><p><a href="https://help.mikrotik.com/docs/pages/viewpage.action?pageId=59277403" rel="nofollow">Bridge IGMP/MLD snooping</a></p><p><a href="https://help.mikrotik.com/docs/display/ROS/Multi-chassis+Link+Aggregation+Group" rel="nofollow">Multi-chassis Link Aggregation Group</a></p>
</div>
</div>Guntis G.2020-06-11T10:56:20Z