Manual:CRS3xx series switches: Difference between revisions

From MikroTik Wiki
Jump to navigation Jump to search
Line 90: Line 90:
|-  
|-  
|  style="background-color: #CCC;font-weight: bold;" | CRS328-24P-4S+
|  style="background-color: #CCC;font-weight: bold;" | CRS328-24P-4S+
|  <b>Marvell-98DX3236</b>
|  <b>800MHz</b>
|  <b>1</b>
|  style="background-color: #F99;" |  <b>-</b>
|  <b>+</b>
|  <b>+</b>
|  <b>10218</b>
|-
|  style="background-color: #CCC;font-weight: bold;" | CRS328-4C-20S-4S+
|  <b>Marvell-98DX3236</b>
|  <b>Marvell-98DX3236</b>
|  <b>800MHz</b>
|  <b>800MHz</b>

Revision as of 09:58, 24 April 2018

Applies to RouterOS: v6.41 +

Summary

The Cloud Router Switch series are highly integrated switches with high performance ARM CPU and feature-rich packet processor. The CRS switches can be designed into various Ethernet applications including unmanaged switch, Layer 2 managed switch, carrier switch and wired unified packet processing.

Warning: This article applies to CRS3xx series switches and not to CRS1xx/CRS2xx series switches.


Features

FeaturesDescription
Forwarding
  • Configurable ports for switching or routing
  • Full non-blocking wirespeed switching
  • Up to 16k MAC entries in Unicast FDB for Layer 2 unicast forwarding
  • Forwarding Databases works based on IVL
  • Jumbo frame support
Mirroring
  • Port based mirroring
VLAN
  • Fully compatible with IEEE802.1Q
  • 4k active VLANs
  • Port based VLAN
  • VLAN filtering
Bonding
  • Supports 802.3ad and balance-xor modes
  • Up 8 member ports per bonding interface
  • Up to 30 bonding interfaces
Quality of Service (QoS)
  • Ingress traffic limiting
  • Egress traffic limiting
Access Control List
  • Ingress ACL tables
  • Up to 128 ACL rules (limited by RouterOS)
  • Classification based on ports, L2, L3, L4 protocol header fields
  • ACL actions include filtering, forwarding and modifying of the protocol header fields

Models

This table clarifies main differences between Cloud Router Switch models.

Model Switch Chip CPU Cores Wireless SFP+ port Access Control List Jumbo Frame (Bytes)
CRS326-24G-2S+ Marvell-98DX3236 800MHz 1 - + + 10218
CRS328-24P-4S+ Marvell-98DX3236 800MHz 1 - + + 10218
CRS328-4C-20S-4S+ Marvell-98DX3236 800MHz 1 - + + 10218
CRS317-1G-16S+ Marvell-98DX8216 800MHz 2 - + + 10218

Abbreviations

  • FDB - Forwarding Database
  • MDB - Multicast Database
  • SVL - Shared VLAN Learning
  • IVL - Independent VLAN Learning
  • PVID - Port VLAN ID
  • ACL - Access Control List

Port Switching

Since v6.41 bridges will handle all Layer2 forwarding and the use of switch chip (hw-offload) will automatically turn on if appropriate conditions are met. The rest of RouterOS Switch features remain untouched in usual menus. By default all newly created bridge ports have hw=yes option and it allows enabling of hw-offload when possible. If such functionality is not required, it can be disabled by hw=no on bridge port to have completely software operated bridging.

Note: Downgrading to previous RouterOS versions will not restore master-port configuration. The bridge with no hw-offload will appear instead and master-port configuration will have to be redone from the beginning.


Example

Use the command lines below to create a bridge and add ports to it. On CRS3xx using other bridge protocol modes will also enable hardware offloading.

/interface bridge 
add name=bridge1 igmp-snooping=no protocol-mode=none
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5

Make sure that hardware offloading is enabled. If H flag is available next to the desired interface, then hardware offloading is active on that port. If hardware offloading flag is not shown, then make sure you haven't enabled features that disable hardware offloading.

Note: Currently it is possible to create only one bridge with hardware offloading on CRS3xx series devices. Use the hw parameter to select which bridge will use hardware offloading.


[admin@MikroTik] > /interface bridge port print 
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload 
 #     INTERFACE              BRIDGE              HW  PVID PRIORITY  PATH-COST INTERNAL-PATH-COST    HORIZON
 0   H ether2                 bridge1             yes    1     0x80         10                 10       none
 1   H ether3                 bridge1             yes    1     0x80         10                 10       none
 2   H ether4                 bridge1             yes    1     0x80         10                 10       none
 3   H ether5                 bridge1             yes    1     0x80         10                 10       none

Note: On CRS3xx series switches bridge STP/RSTP/MSTP, IGMP Snooping and VLAN filtering settings don't affect hardware offloading, since RouterOS v6.42 Bonding interfaces are also hardware offloaded.


Host Table

Sub-menu: /interface bridge host


Property Description
age (read-only: time) The time since the last packet was received from the host
bridge (read-only: name) The bridge the entry belongs to
external-fdb (read-only: flag) Whether the host was learned using wireless registration table
local (read-only: flag) Whether the host entry is of the bridge itself (that way all local interfaces are shown)
mac-address (read-only: MAC address) Host's MAC address
on-interface (read-only: name) Which of the bridged interfaces the host is connected to

Example

  • Use this command to get the active host table:
[admin@MikroTik] > /interface bridge host print 
Flags: L - local, E - external-fdb 
  BRIDGE           MAC-ADDRESS       ON-INTERFACE          AGE                 
  bridge1          00:00:00:00:00:01 ether2                3s                  
  bridge1          00:01:29:FF:1D:CC ether2                0s                  
L bridge1          00:0C:42:52:2E:CF ether2                0s                  
  bridge1          00:0C:42:52:2E:D0 ether2                3s                  
  bridge1          00:0C:42:5C:A5:AE ether2                0s                  

VLAN

Since RouterOS v6.41 bridges provides VLAN aware Layer2 forwarding and VLAN tag modifications within the bridge. This set of features makes bridge operation more like a traditional Ethernet switch and allows to overcome Spanning Tree compatibilty issues compared to configuration when tunnel-like VLAN interfaces are bridged. Bridge VLAN Filtering configuration is highly recommended to comply with STP (802.1D), RSTP (802.1w) standards and is mandatory to enable MSTP (802.1s) support in RouterOS.

VLAN Filtering

The main VLAN setting is vlan-filtering which globally controls vlan-awareness and VLAN tag processing in the bridge. If vlan-filtering=no, bridge ignores VLAN tags, works in a shared-VLAN-learning (SVL) mode and cannot modify VLAN tags of packets. Turning on vlan-filtering enables all bridge VLAN related functionality and independent-VLAN-learning (IVL) mode. Besides joining the ports for Layer2 forwarding, bridge itself is also an interface therefore it has Port VLAN ID (pvid).

Sub-menu: /interface bridge


Property Description
vlan-filtering (yes | no; Default: no) Globally enables or disables VLAN functionality for bridge.
pvid (1..4094; Default: 1) Port VLAN ID (pvid) specifies which VLAN the untagged ingress traffic is assigned to. It applies e.g. to frames sent from bridge IP and destined to a bridge port.


Sub-menu: /interface bridge port


Property Description
frame-types (admit-all | admit-only-untagged-and-priority-tagged | admit-only-vlan-tagged; Default: admit-all) Specifies allowed ingress frame types on a bridge port.
ingress-filtering (yes | no; Default: no) Enables or disables filtering which looks for an ingress port match in the Bridge VLAN table.
pvid (1..4094; Default: 1) Port VLAN ID (pvid) specifies which VLAN the untagged ingress traffic is assigned to.

VLAN Table

Bridge VLAN table represents per-VLAN port mapping with an egress VLAN tag action. tagged ports send out frames with a learned VLAN ID tag. untagged ports remove VLAN tag before sending out frames if the learned VLAN ID matches the port pvid.

Sub-menu: /interface bridge vlan


Property Description
bridge (name) The bridge interface which the respective VLAN entry is intended for.
disabled (yes | no; Default: no) Enables or disables Bridge VLAN entry.
tagged (interfaces; Default: none) Interface list with a VLAN tag adding action in egress. This setting accepts comma separated values. E.g. tagged=ether1,ether2.
untagged (interfaces; Default: none) Interface list with a VLAN tag removing action in egress. This setting accepts comma separated values. E.g. tagged=ether3,ether4.
vlan-ids (1..4094) The list of VLAN IDs for certain port configuration. This setting accepts VLAN ID range as well as comma separated values. E.g. vlan-ids=100-115,120,122,128-130.


Setup examples

Port Based VLAN

MAC Based VLAN

Alt text
MAC Based VLAN

Note: The CRS3xx Switch Rule table is used for MAC Based VLAN functionality, it supports up to 128 entries.


  • Enable switching on ports by creating a bridge with enabled hw-offloading.
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface bridge port
add bridge=bridge1 interface=ether2 hw=yes
add bridge=bridge1 interface=ether7 hw=yes
  • Add VLANs in the Bridge VLAN table and specify ports.
/interface bridge vlan
add bridge=bridge1 tagged=ether2 untagged=ether7 vlan-ids=200,300,400
  • Add Switch rules which assign VLAN id based on MAC address.
/interface ethernet switch rule
add switch=switch1 ports=ether7 src-mac-address=A4:12:6D:77:94:43/FF:FF:FF:FF:FF:FF new-vlan-id=200
add switch=switch1 ports=ether7 src-mac-address=84:37:62:DF:04:20/FF:FF:FF:FF:FF:FF new-vlan-id=300
add switch=switch1 ports=ether7 src-mac-address=E7:16:34:A1:CD:18/FF:FF:FF:FF:FF:FF new-vlan-id=400

(R/M)STP

Network loops may emerge (intentionally or not) in complex topologies. Without any special treatment, loops would prevent network from functioning normally, as they would lead to avalanche-like packet multiplication. Each bridge runs an algorithm which calculates how the loop can be prevented. STP and RSTP allows bridges to communicate with each other, so they can negotiate a loop free topology. All other alternative connections that would otherwise form loops, are put to standby, so that should the main connection fail, another connection could take its place. This algorithm exchanges configuration messages (BPDU - Bridge Protocol Data Unit) periodically, so that all bridges are updated with the newest information about changes in network topology. (R/M)STP selects a root bridge which is responsible for network reconfiguration, such as blocking and opening ports on other bridges. The root bridge is the bridge with the lowest bridge ID.

As of RouterOS v6.41 all CRS3xx series switches support (R/M)STP bridge protocol mode and hardware offloading simultaneously, meaning that it possible to use the switch chip's built-in VLAN filtering function in conjunction with bridge's Spanning Tree Protocol features and forward packets at wire-speed. There are a lot of considerations that should be made when designing a STP enabled network, more detailed case studies can be found in the Spanning Tree Protocol section.

Sub-menu: /interface bridge


Property Description
protocol-mode (mstp | none | rstp | stp; Default: rstp)
  • stp - Spanning Tree Protocol to enable loop-free topology;
  • rstp - "faster" Spanning Tree Protocol;
  • mstp - VLAN aware Spanning Tree Protocol;
  • none - disables network topology learning features;

Bonding

Since RouterOS v6.42 all CRS3xx series switches support hardware offloading with bonding interfaces. Only 802.3ad and balance-xor bonding modes are hardware offloaded, other bonding modes will use the CPU's resources. You can find more information about the bonding interfaces in the Bonding Interface section. If 802.3ad mode is used, then LACP (Link Aggregation Control Protocol) is supported.

To create a hardware offloaded bonding interface, you must create a bonding interface with a supported bonding mode:

/interface bonding
add mode=802.3ad name=bond1 slaves=ether1,ether2

This interface can be added to a bridge alongside with other interfaces:

/interface bridge
add name=bridge
/interface bridge port
add bridge=bridge interface=bond1 hw=yes
add bridge=bridge interface=ether3 hw=yes
add bridge=bridge interface=ether4 hw=yes

Note: Don't add interfaces to a bridge that are already in a bond, RouterOS will not allow you to add an interface that is already a slave to a bridge as there is no need to do it since a bonding interface already contains the slave interfaces.


Make sure that the bonding interface is hardware offloaded by checking the "H" flag:

/interface bridge port print 
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload 
 #     INTERFACE                                 BRIDGE                                 HW
 0   H bond1                                     bridge                                 yes
 1   H ether3                                    bridge                                 yes
 2   H ether4                                    bridge                                 yes

Note: The built-in switch chip will always use Layer2+Layer3+Layer4 for transmit hash policy, changing the transmit hash policy manually will have no effect.


IGMP Snooping

IGMP Snooping which controls multicast streams and prevents multicast flooding is implemented in RouterOS starting from version 6.41. It's settings are placed in bridge menu and it works independently in every bridge interface. Software driven implementation works on all devices with RouterOS but CRS1xx/2xx/3xx series switches also support IGMP Snooping with hardware offloading.

  • Use this command to enable IGMP Snooping on a bridge interface:
/interface bridge set bridge1 igmp-snooping=yes
  • Use this command to get current Multicast Database entries:
[admin@MikroTik] > /interface bridge mdb print 
BRIDGE                   VID GROUP                                              PORTS           
bridge1                  200 229.1.1.2                                          ether3          
                                                                                ether2          
                                                                                ether1          
bridge1                  300 231.1.3.3                                          ether4          
                                                                                ether3          
                                                                                ether2          
bridge1                  400 229.10.10.4                                        ether4          
                                                                                ether3          
bridge1                  500 234.5.1.5                                          ether5          
                                                                                ether1

Global Switch Settings

This sections holds general information about the switch chip built-in into the device and allows to specify port mirroring options.

Sub-menu: /interface ethernet switch


To view the current switch chip for the device, use this command:

[admin@MikroTik] /interface ethernet switch> print 
Flags: I - invalid 
 #   NAME                              TYPE             MIRROR-SOURCE                             MIRROR-TARGET
 0   switch1                           Marvell-98DX3236 none                                      none  

To change the switch chip's name, use this command:

/interface ethernet switch set switch1 name=switch_chip

Port Mirroring

Port mirroring lets switch 'sniff' all traffic that is going in and out of one port (mirror-source) and send a copy of those packets out of some other port (mirror-target). This feature can be used to easily set up a 'tap' device that receives all traffic that goes in/out of some specific port. Note that mirror-source and mirror-target ports have to belong to same switch. (See which port belong to which switch in /interface ethernet menu). Also mirror-target can have a special 'cpu' value, which means that 'sniffed' packets should be sent out of switch chips cpu port. Port mirroring happens independently of switching groups that have or have not been set up.

Use this command to set a port mirror from ether2 to ether3:

/interface ethernet switch
set switch1 mirror-source=ether2 mirror-target=ether3

Quality of Service

It is possible to limit ingress and egress bandwidth per port using the /interface ethernet switch port menu.

Sub-menu: /interface ethernet switch port


Property Description
egress-rate (bps; Default: unlimited) Specifies port egress rate in bps, limited by using traffic shaper.
ingress-rate (bps; Default: unlimited) Specifies port ingress rate in bps, limited by using traffic policer.


  • For example, to limit ingress and egress traffic on ether1 use these commands:
/interface ethernet switch port
set ether1 ingress-rate=10M egress-rate=5M

Traffic Storm Control

Since RouterOS v6.42 it is possible to enable traffic storm control on CRS3xx series devices. It is possible to limit broadcast, unknown multicast and unknown unicast traffic. These settings should be applied to ingress ports, the egress traffic will be limited.

Note: The storm control parameter is specified in percentage (%) of the link speed. If your link speed is 1Gbps, then specifying storm-rate as 10 will allow only 100Mbps of broadcast, unknown multicast and/or unknown unicast traffic to be forwarded.


Sub-menu: /interface ethernet switch port


Property Description
limit-broadcasts (yes | no; Default: yes) Limit broadcast traffic on switch port.
limit-unknown-multicasts (yes | no; Default: no) Limit unknown multicast traffic on switch port.
limit-unknown-unicasts (yes | no; Default: no) Limit unknown unicast traffic on switch port.
storm-rate (integer 0..100; Default: 100) Amount of broadcast, unknown multicast and/or unknown unicast traffic is limited to in percentage of the link speed.


Warning: Devices with Marvell-98DX3236 switch chip cannot distinguish unknown multicast traffic from all multicast traffic. For example, CRS326-24G-2S+ will limit all multicast traffic when limit-unknown-multicasts and storm-rate is used. For other devices, for example, CRS317-1G-16S+ the limit-unknown-multicasts parameter will limit only unknown multicast traffic (addresses that are not present in /interface bridge mdb


  • For example, to limit 1% (10Mbps) of broadcast and unknown unicast traffic on ether1 (1Gbps), use the following commands:
/interface ethernet switch port
set ether1 storm-rate=1 limit-broadcasts=yes limit-unknown-unicasts=yes

Switch Rules (ACL)

Access Control List contains of ingress policy and egress policy engines and allows to configure up to 128 policy rules (limited by RouterOS). It is advanced tool for wire-speed packet filtering, forwarding and modifying based on Layer2, Layer3 and Layer4 protocol header field conditions.

Sub-menu: /interface ethernet switch rule


Property Description
copy-to-cpu (no | yes; Default: no) Clones the matching packet and sends it to the CPU.
disabled (yes | no; Default: no) Enables or disables ACL entry.
dscp (0..63) Matching DSCP field of the packet.
dst-address (IP address/Mask) Matching destination IP address and mask.
dst-address6 (IPv6 address/Mask) Matching destination IPv6 address and mask.
dst-mac-address (MAC address/Mask) Matching destination MAC address and mask.
dst-port (0..65535) Matching destination protocol port number.
flow-label (0..1048575) Matching IPv6 flow label.
mac-protocol (802.2 | arp | homeplug-av | ip | ipv6 | ipx | lldp | loop-protect | mpls-multicast | mpls-unicast | packing-compr | packing-simple | pppoe | pppoe-discovery | rarp | service-vlan | vlan | or 0..65535 | or 0x0000-0xffff) Matching particular MAC protocol specified by protocol name or number
mirror (no | yes) Clones the matching packet and sends it to the mirror-target port.
new-dst-ports (ports) Changes the destination port as specified. An empty setting will drop the packet. A specified port will redirect the packet to it. When the parameter is not used, the packet will be accepted. Multiple "new-dst-ports" are not supported on CRS3xx series switches.
new-vlan-id (0..4095) Changes the VLAN ID to the specified value. Requires vlan-filtering=yes.
new-vlan-priority (0..7) Changes the VLAN priority tag. Requires vlan-filtering=yes.
ports (ports) Matching ports on which will the rule apply on received traffic.
protocol (dccp | ddp | egp | encap | etherip | ggp | gre | hmp | icmp | icmpv6 | idpr-cmtp | igmp | ipencap | ipip | ipsec-ah | ipsec-esp | ipv6 | ipv6-frag | ipv6-nonxt | ipv6-opts | ipv6-route | iso-tp4 | l2tp | ospf | pim | pup | rdp | rspf | rsvp | sctp | st | tcp | udp | udp-lite | vmtp | vrrp | xns-idp | xtp | or 0..255) Matching particular IP protocol specified by protocol name or number.
redirect-to-cpu (no | yes) Changes the destination port of a matching packet to the CPU.
src-address (IP address/Mask) Matching source IP address and mask.
src-address6 (IPv6 address/Mask) Matching source IPv6 address and mask.
src-mac-address (MAC address/Mask) Matching source MAC address and mask.
src-port (0..65535) Matching source protocol port number.
switch (switch group) Matching switch group on which will the rule apply.
traffic-class (0..255) Matching IPv6 traffic class.
vlan-id (0..4095) Matching VLAN ID. Requires vlan-filtering=yes.
vlan-header (not-present | present) Matching VLAN header, whether the VLAN header is present or not.
vlan-priority (0..7) Matching VLAN priority.

Action parameters:

  • copy-to-cpu
  • redirect-to-cpu
  • mirror
  • new-dst-ports (can be used to drop packets)
  • new-vlan-id
  • new-vlan-priority
  • rate

Conditional parameters:

  • Layer2 conditions:
    • dst-mac-address
    • mac-protocol
    • src-mac-address
    • vlan-id
    • vlan-header
    • vlan-priority
  • Layer3 conditions:
    • dscp
    • protocol
    • IPv4 conditions:
      • dst-address
      • src-address
    • IPv6 conditions:
      • dst-address6
      • flow-label
      • src-address6
      • traffic-class
  • Layer4 conditions:
    • dst-port
    • src-port

Note: For VLAN related matchers or VLAN related action parameters to work, you need to enable vlan-filtering on the bridge interface and make sure that hardware offloading is enabled on those ports, otherwise these parameters will not have any effect.



Dual Boot

“Dual boot” feature allows you to choose which operating system you prefer to use, RouterOS or SwOS. Device operating system could be changed using:

  • Serial Terminal (/system routerboard settings set boot-os=swos)
  • Winbox
  • Webfig
  • Serial Console
Alt text
Winbox
Alt text
Webfig
Alt text
Serial Console

More details about SwOS are described here: SwOS manual

See also

[ Top | Back to Content ]