Manual:Switch Chip Features: Difference between revisions

From MikroTik Wiki
Jump to navigation Jump to search
No edit summary
 
(95 intermediate revisions by 5 users not shown)
Line 1: Line 1:
{{Versions| v6.0 + }}
{{Versions| v6.0 + }}
{{Warning|This manual is moved to https://help.mikrotik.com/docs/display/ROS/Switch+Chip+Features}}


==Introduction==
==Introduction==
Line 9: Line 11:


<table class="styled_table">
<table class="styled_table">
<tr><th>Feature</th><th>QCA8337</th><th>Atheros8327</th><th>Atheros8316</th><th>Atheros8227</th><th>Atheros7240</th><th>ICPlus175D</th><th>MT7621</th><th>RTL8367</th><th>Other</th></tr>
<tr><th>Feature</th><th>QCA8337</th><th>Atheros8327</th><th>Atheros8316</th><th>Atheros8227</th><th>Atheros7240</th></tr>
<tr><td>Port Switching</td><td>yes</td><td>yes</td><td>yes</td><td>yes</td><td>yes</td><td>yes</td><td>yes</td><td>yes</td><td>yes</td></tr>
<tr><td>Port Switching</td><td>yes</td><td>yes</td><td>yes</td><td>yes</td><td>yes</td></tr>
<tr><td>Port Mirroring</td><td>yes</td><td>yes</td><td>yes</td><td>yes</td><td>yes</td><td>yes</td><td>yes</td><td>yes</td><td>no</td></tr>
<tr><td>Port Mirroring</td><td>yes</td><td>yes</td><td>yes</td><td>yes</td><td>yes</td></tr>
<tr><td>Host table</td><td>2048 entries</td><td>2048 entries</td><td>2048 entries</td><td>1024 entries</td><td>2048 entries</td><td>no</td><td>2048 entries</td><td>2048 entries</td><td>no</td></tr>
<tr><td>TX limit</td><td>yes</td><td>yes</td><td>yes</td><td>yes</td><td>yes</td></tr>
<tr><td>Vlan table</td><td>4096 entries</td><td>4096 entries</td><td>4096 entries</td><td>4096 entries</td><td>16 entries</td><td>no</td><td>no</td><td>no</td><td>no</td></tr>
<tr><td>RX limit</td><td>yes</td><td>yes</td><td>no</td><td>no</td><td>no</td></tr>
<tr><td>Rule table</td><td>92 rules</td><td>92 rules</td><td>32 rules</td><td>no</td><td>no</td><td>no</td><td>no</td><td>no</td><td>no</td></tr>
<tr><td>Host table</td><td>2048 entries</td><td>2048 entries</td><td>2048 entries</td><td>1024 entries</td><td>2048 entries</td></tr>
<tr><td>Vlan table</td><td>4096 entries</td><td>4096 entries</td><td>4096 entries</td><td>4096 entries</td><td>16 entries</td></tr>
<tr><td>Rule table</td><td>92 rules</td><td>92 rules</td><td>32 rules</td><td>no</td><td>no</td></tr>
</table>
 
 
<table class="styled_table">
<tr><th>Feature</th><th>ICPlus175D</th><th>MT7621</th><th>RTL8367</th><th>98PX1012</th><th>Other</th></tr>
<tr><td>Port Switching</td><td>yes</td><td>yes</td><td>yes</td><td>no</td><td>yes</td></tr>
<tr><td>Port Mirroring</td><td>yes</td><td>yes</td><td>yes</td><td>no</td><td>no</td></tr>
<tr><td>TX limit</td><td>no</td><td>no</td><td>no</td><td>no</td><td>no</td></tr>
<tr><td>RX limit</td><td>no</td><td>no</td><td>no</td><td>no</td><td>no</td></tr>
<tr><td>Host table</td><td>no</td><td>2048 entries</td><td>2048 entries</td><td>no</td><td>no</td></tr>
<tr><td>Vlan table</td><td>no</td><td>no</td><td>no</td><td>no</td><td>no</td></tr>
<tr><td>Rule table</td><td>no</td><td>no</td><td>no</td><td>no</td><td>no</td></tr>
</table>
</table>


Line 23: Line 39:
   <th width="200">RouterBoard</th>
   <th width="200">RouterBoard</th>
   <th width="400">Switch-chip description</th>
   <th width="400">Switch-chip description</th>
</tr>
<tr>
  <td ><b>RB4011iGS+</b></td>
  <td >RTL8367 (ether1-ether5); RTL8367 (ether6-ether10);</td>
</tr>
</tr>
<tr>
<tr>
Line 31: Line 51:
   <td ><b>RB750Gr3 (hEX), RB760iGS (hEX S)</b></td>
   <td ><b>RB750Gr3 (hEX), RB760iGS (hEX S)</b></td>
   <td >MT7621 (ether1-ether5)</td>
   <td >MT7621 (ether1-ether5)</td>
</tr>
<tr>
  <td ><b>RBM33G</b></td>
  <td >MT7621 (ether1-ether3)</td>
</tr>
</tr>
<tr>
<tr>
Line 39: Line 63:
   <td ><b>RB OmniTik ac series</b></td>
   <td ><b>RB OmniTik ac series</b></td>
   <td >QCA8337 (ether1-ether5)</td>
   <td >QCA8337 (ether1-ether5)</td>
</tr>
<tr>
  <td ><b>RBwsAP-5Hac2nD (wsAP ac lite)</b></td>
  <td >Atheros8227 (ether1-ether3)</td>
</tr>
</tr>
<tr>
<tr>
Line 81: Line 109:
</tr>
</tr>
<tr>
<tr>
   <td ><b>CCR1009 series</b></td>
   <td ><b>CCR1009-8G-1S-1S+; CCR1009-8G-1S</b></td>
   <td >Atheros8327 (ether1-ether4)</td>
   <td >Atheros8327 (ether1-ether4)</td>
</tr>
</tr>
Line 95: Line 123:
   <td ><b>RB450G</b></td>
   <td ><b>RB450G</b></td>
   <td >Atheros8316 (ether1-ether5) with ether1 optional [[http://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#switch-all-ports more]]</td>
   <td >Atheros8316 (ether1-ether5) with ether1 optional [[http://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#switch-all-ports more]]</td>
</tr>
<tr>
  <td ><b>RB450Gx4</b></td>
  <td >Atheros8327 (ether1-ether5)</td>
</tr>
</tr>
<tr>
<tr>
Line 111: Line 143:
   <td ><b>RB1100</b></td>
   <td ><b>RB1100</b></td>
   <td >Atheros8316 (ether1-ether5); Atheros8316 (ether6-ether10)</td>
   <td >Atheros8316 (ether1-ether5); Atheros8316 (ether6-ether10)</td>
</tr>
<tr>
  <td ><b>DISC Lite5</b></td>
  <td >Atheros8227 (ether1)</td>
</tr>
<tr>
  <td ><b>RBmAP2nD</b></td>
  <td >Atheros8227 (ether1-ether2)</td>
</tr>
<tr>
  <td ><b>RBmAP2n</b></td>
  <td >Atheros7240 (ether1-ether2)</td>
</tr>
</tr>
<tr>
<tr>
Line 170: Line 214:
===Port Switching===
===Port Switching===


In order to setup port switching on non-CRS series devices, check the [[Manual:Interface/Bridge#Bridge_Hardware_Offloading | Bridge Hardware Offloading]] page.


Switching feature allows wire speed traffic passing among a group of ports, like the ports were a regular ethernet switch. You configure this feature by setting a "master-port" property to one ore more ports in <code>/interface ethernet</code> menu. A 'master' port will be the port through which the RouterOS will communicate to all ports in the group. Interfaces for which the 'master' port is specified become inactive - no traffic is received on them and no traffic can be sent out.
{{ Note | Port switching in RouterOS v6.41 and newer is done using the bridge configuration. Prior to RouterOS v6.41 port switching was done using the <var>master-port</var> property, for more details check the [[Manual:Master-port | Master-port]] page. }}


For example consider a router with five ethernet interfaces:
====Switch All Ports Feature====


<pre>
<p id="switch-all-ports">Ether1 port on RB450G/RB435G/RB850Gx2 has a feature that allows it to be removed/added to the default switch group. By default ether1 port will be included in the switch group. This configuration can be changed with <code>/interface ethernet switch set switch1 switch-all-ports=no</code></p>
[admin@MikroTik] > interface ethernet print
Flags: X - disabled, R - running, S - slave
  #    NAME      MTU  MAC-ADDRESS      ARP        MASTER-PORT      SWITCH
0 R  ether1    1500  00:0C:42:3E:5D:BB enabled
1    ether2    1500  00:0C:42:3E:5D:BC enabled    none            switch1
2    ether3    1500  00:0C:42:3E:5D:BD enabled    none            switch1
3    ether4    1500  00:0C:42:3E:5D:BE enabled    none            switch1
4 R  ether5    1500  00:0C:42:3E:5D:BF enabled    none            switch1
</pre>
And you configure a switch containing three ports ether3, ether4 and ether5:
<pre>
[admin@MikroTik] /interface ethernet> set ether4,ether5 master-port=ether3
[admin@MikroTik] /interface ethernet> print
Flags: X - disabled, R - running, S - slave
#    NAME      MTU  MAC-ADDRESS      ARP        MASTER-PORT      SWITCH
0 R  ether1    1500  00:0C:42:3E:5D:BB enabled
1    ether2    1500  00:0C:42:3E:5D:BC enabled    none            switch1
2 R  ether3    1500  00:0C:42:3E:5D:BD enabled    none            switch1
3  S ether4    1500  00:0C:42:3E:5D:BE enabled    ether3          switch1
4 RS ether5    1500  00:0C:42:3E:5D:BF enabled    ether3          switch1
</pre>
ether3 is now the master port of the group. Note: you can see that previously a link was detected only on ether5, but now as the ether3 is a 'master' the running flag is propagated to master port.


[[Image:switch1.png|707px]]
* <b>switch-all-ports</b>=yes/no -


In essence this configuration is the same as if you had a RouterBoard with 3 ethernet interfaces with ether3 connected to ethernet switch that has 4 ports:
"yes" means ether1 is part of switch and supports switch grouping, and all other advanced Atheros8316/Atheros8327 features including extended statistics (<code>/interface ethernet print stats</code>).


[[Image:switch2.png]]
"no" means ether1 is not part of switch, effectively making it as stand alone ethernet port, this way increasing its throughput to other ports in bridged, and routed mode, but removing the switching possibility on this port.


A more general diagram of RouterBoard with switch chip that has 5 port switch chip:
[[Image:switch4.png]]


[[Image:switch3.png]]
===Port Settings===


Here you can see that, a packet that gets received by one of the ports always passes through the switch logic at first. Switch logic decides to which ports the packet should be going to. Passing packet 'up' or giving it to RouterOS is also called sending it to switch chips 'cpu' port. That means that at the point switch forwards the packet to cpu port the packet starts to get processed by RouterOS as some interfaces incoming packet. While the packet does not have to go to cpu port it is handled entirely by switch logic and does not require any cpu cycles and happen at wire speed for any frame size.
Properties under this menu are used to configure VLAN switching and filtering options for switch chips that support a VLAN Table. These properties are only available to switch chips that have VLAN Table support, check the [[Manual:Switch_Chip_Features#Introduction | Switch Chip Features]] table to make sure your device supports such a feature.


====Bridge Hardware Offloading====
{{ Warning | Ingress traffic is considered as traffic that is being sent '''IN''' a certain port, this port is sometimes called '''ingress port'''. Egress traffic is considered as traffic that is being sent '''OUT''' of a certain port, this port is sometimes called '''egress port'''. Distinguishing them is very important in order to properly set up VLAN filtering since some properties apply only to either ingress or egress traffic. }}


Since RouterOS v6.41 there are user interface changes which convert RouterBoard master-port configuration into a bridge with hardware offloading.
<p id="shbox"><b>Sub-menu:</b> <code>/interface ethernet switch port</code></p>
From now on bridges will handle all Layer2 forwarding and the use of switch chip (<code>hw-offload</code>) will automatically turn on if appropriate conditions are met.
<br />
The rest of RouterOS Switch features remain untouched in usual menus.
By default all newly created bridge ports have <code>hw=yes</code> option and it allows enabling of <code>hw-offload</code> when possible. If such functionality is not required, it can be disabled by <code>hw=no</code> on bridge port to have completely software operated bridging.


{{Note | Downgrading to previous RouterOS versions will not restore master-port configuration. The bridge with no hw-offload will appear instead and master-port configuration will have to be redone from the beginning.}}
{{Mr-arg-table-h
|prop=Property
|desc=Description
}}


Following table states what features currently in v6.41 keeps bridge hardware offloading enabled on certain RouterBoard and switch chip models.
{{Mr-arg-table
|arg=vlan-mode
|type=check {{!}} disabled {{!}} fallback {{!}} secure
|default=disabled
|desc=Changes the VLAN lookup mechanism against the [[Manual:Switch_Chip_Features#VLAN_Table | VLAN Table]] for ingress traffic.
* <code>disabled</code> - disables checking against the VLAN Table completely for ingress traffic. No traffic is dropped when set on ingress port.
* <code>fallback</code> - checks tagged traffic against the VLAN Table for ingress traffic, forwards all untagged traffic. If ingress traffic is tagged and egress port is not found in the VLAN table for the appropriate VLAN ID, then traffic is dropped. If a VLAN ID is not found in the VLAN Table, then traffic is forwarded. Used to allow known VLANs only in specific ports.
* <code>check</code> - checks tagged traffic against the VLAN Table for ingress traffic, drops all untagged traffic. If ingress traffic is tagged and egress port is not found in the VLAN table for the appropriate VLAN ID, then traffic is dropped.
* <code>secure</code> - checks tagged traffic against the VLAN Table for ingress traffic, drops all untagged traffic. Both ingress and egress port must be found in the VLAN Table for the appropriate VLAN ID, otherwise traffic is dropped.
}}


Notes:
{{Mr-arg-table
* Enabling this feature maintains hw-offload: +
|arg=vlan-header
* Enabling this feature turns off hw-offload: -  
|type=add-if-missing {{!}} always-strip {{!}} leave-as-is
|default=leave-as-is
|desc=Sets action which is performed on the port for egress traffic.
* <code>add-if-missing</code> - adds a VLAN tag on egress traffic and uses <var>default-vlan-id</var> from the ingress port. Should be used for trunk ports.
* <code>always-strip</code> - removes a VLAN tag on egress traffic. Should be used for access ports.
* <code>leave-as-is</code> - does not add nor removes a VLAN tag on egress traffic. Should be used for hybrid ports.
}}


{| border="1" class="wikitable collapsible sortable" style="text-align: center"
{{Mr-arg-table-end
|  nowrap style="background-color: #CCC;* " | <b><u>RouterBoard/[Switch Chip] Model</u></b>
|arg=default-vlan-id
| nowrap style="background-color: #CCC;* " | <b>Features in Switch menu</b>
|type=auto {{!}} integer: 0..4095
|  nowrap style="background-color: #CCC;* " | <b>Bridge STP/RSTP</b>
|default=auto
| nowrap style="background-color: #CCC;* " | <b>Bridge MSTP</b>
|desc=Adds a VLAN tag with the specified VLAN ID on all untagged ingress traffic on a port, should be used with <var>vlan-header</var> set to <code>always-strip</code> on a port to configure the port to be the access port. For hybrid ports <var>default-vlan-id</var> is used to tag untagged traffic. If two ports have the same <var>default-vlan-id</var>, then VLAN tag is not added since the switch chip assumes that traffic is being forwarded between access ports.
| nowrap style="background-color: #CCC;* " | <b>Bridge IGMP Snooping</b>
}}
| nowrap style="background-color: #CCC;* " | <b>Bridge VLAN Filtering</b>
|  nowrap style="background-color: #CCC;* " | <b>Bonding</b>
|-
|  style="background-color: #CCC;font-weight: bold;" | CRS3xx series
|  <b>+</b>
|  <b>+</b>
|  <b>+</b>
|  <b>+</b>
|  <b>+</b>
|  <b>+</b>
|-
|  style="background-color: #CCC;font-weight: bold;" | CRS1xx/CRS2xx series
|  <b>+</b>
|  <b>+</b>
|  <b>-</b>
|  <b>+</b>
<b>-</b>
<b>-</b>
|-
|  style="background-color: #CCC;font-weight: bold;" | [QCA8337]
|  <b>+</b>
|  <b>+</b>
<b>-</b>
|  <b>-</b>
<b>-</b>
|  <b>-</b>
|-
|  style="background-color: #CCC;font-weight: bold;" | [AR8327]
|  <b>+</b>
|  <b>+</b>
|  <b>-</b>
|  <b>-</b>
|  <b>-</b>
|  <b>-</b>
|-
|  style="background-color: #CCC;font-weight: bold;" | [AR8227]
|  <b>+</b>
|  <b>+</b>
|  <b>-</b>
|  <b>-</b>
|  <b>-</b>
|  <b>-</b>
|-
|  style="background-color: #CCC;font-weight: bold;" | [AR8316]
|  <b>+</b>
|  <b>+</b>
|  <b>-</b>
|  <b>-</b>
|  <b>-</b>
|  <b>-</b>
|-
|  style="background-color: #CCC;font-weight: bold;" | [AR7240]
|  <b>+</b>
|  <b>+</b>
|  <b>-</b>
|  <b>-</b>
|  <b>-</b>
|  <b>-</b>
|-
|  style="background-color: #CCC;font-weight: bold;" | [MT7621]
|  <b>+</b>
|  <b>-</b>
|  <b>-</b>
|  <b>-</b>
|  <b>-</b>
|  <b>-</b>
|-
|  style="background-color: #CCC;font-weight: bold;" | RB1100AHx4 [RTL8367]
|  <b>+</b>
|  <b>-</b>
|  <b>-</b>
|  <b>-</b>
|  <b>-</b>
|  <b>-</b>
|-
|  style="background-color: #CCC;font-weight: bold;" | [ICPlus175D]
|  <b>+</b>
|  <b>-</b>
|  <b>-</b>
|  <b>-</b>
|  <b>-</b>
|  <b>-</b>
|-
|}


* Port switching with master-port configuration before v6.41
<br />
<pre>
[admin@MikroTik] > interface ethernet export
/interface ethernet
set [ find default-name=ether3 ] master-port=ether2
set [ find default-name=ether4 ] master-port=ether2
set [ find default-name=ether5 ] master-port=ether2
[admin@MikroTik] >  


[admin@MikroTik] > interface ethernet print
{{ Note | QCA8337 and Atheros8327 switch chips ignore the <var>vlan-header</var> property and uses the <var>default-vlan-id</var> property to determine which ports are access ports. The <var>vlan-header</var> is set to <code>leave-as-is</code> and cannot be changed while the <var>default-vlan-id</var> property should only be used on access ports to tag all ingress traffic. }}
Flags: X - disabled, R - running, S - slave
#    NAME            MTU MAC-ADDRESS      ARP            MASTER-PORT          SWITCH       
0 R  ether1          1500 D4:CA:6D:E2:64:64 enabled        none                switch1       
1 R  ether2          1500 D4:CA:6D:E2:64:65 enabled        none                switch1       
2 RS ether3          1500 D4:CA:6D:E2:64:66 enabled        ether2              switch1       
3 RS ether4          1500 D4:CA:6D:E2:64:67 enabled        ether2              switch1       
4 RS ether5          1500 D4:CA:6D:E2:64:68 enabled        ether2              switch1                   
[admin@MikroTik] >  
</pre>


* Port switching with bridge configuration and enabled hw-offload since v6.41
====VLAN Forwarding====
<pre>
[admin@MikroTik] > interface bridge export
/interface bridge
add name=bridge1 igmp-snooping=no  protocol-mode=none
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
[admin@MikroTik] >


[admin@MikroTik] > interface bridge port print
Both <var>vlan-mode</var> and <var>vlan-header</var> along with the VLAN Table can be used to configure VLAN tagging, untagging and filtering, there are multiple combinations that are possible, each achieving a different result. Below you can find a table of what kind of traffic is going to be sent out through an egress port when a certain traffic is received on an ingress port for each VLAN Mode.
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload
#    INTERFACE              BRIDGE              HW  PVID PRIORITY  PATH-COST INTERNAL-PATH-COST    HORIZON
0  H ether2                bridge1            yes    1    0x80        10                10      none
1  H ether3                bridge1            yes    1    0x80        10                10      none
2  H ether4                bridge1            yes    1    0x80        10                10      none
3  H ether5                bridge1            yes    1    0x80        10                10      none
[admin@MikroTik] >
</pre>


====Switch All Ports Feature====
'''NOTES:'''
* '''L''' - <var>vlan-header</var> is set to <code>leave-as-is</code>
* '''S''' - <var>vlan-header</var> set to <code>always-strip</code>
* '''A''' - <var>vlan-header</var> set to <code>add-if-missing</code>
* '''U''' - Untagged traffic is sent out
* '''T''' - Tagged traffic is sent out, tag is already present on ingress port
* '''TA''' - Tagged traffic is sent out, tag was added on ingress port
* '''DI''' - Traffic is dropped on ingress port because of mode selected in <var>vlan-mode</var>
* '''DE''' - Traffic is dropped on egress port because egress port was not found in the VLAN Table
* '''VID match''' - VLAN ID from the VLAN tag for ingress traffic is present in the VLAN Table
* '''Port match''' - Ingress port is present in the VLAN Table for the appropriate VLAN ID


<p  id="switch-all-ports">Ether1 port on RB450G/RB435G/RB850Gx2 has a feature that allows it to be removed/added to the default switch group. By default ether1 port will be included in the switch group. This configuration can be changed with <code>/interface ethernet switch set switch1 switch-all-ports=no</code></p>
{| border="1" class="wikitable collapsible" style="text-align: center"
| rowspan="2" | ''VLAN Mode = disabled''
! colspan="3" | Egress port not present in VLAN Table
! colspan="3" | Egress port is present in VLAN Table
|-
!L
!S
!A
!L
!S
!A
|-
!Untagged traffic
|U
|U
|TA
|U
|U
|TA
|-
!Tagged traffic; no VID match
|T
|U
|T
| colspan="3" |
|-
!Tagged traffic; VID match; no Port match
|T
|U
|T
|T
|U
|T
|-
!Tagged traffic; VID match; Port match
|T
|U
|T
|T
|U
|T
|}


* <b>switch-all-ports</b>=yes/no -
{| border="1" class="wikitable collapsible" style="text-align: center"
| rowspan="2" | ''VLAN Mode = fallback''
! colspan="3" | Egress port not present in VLAN Table
! colspan="3" | Egress port is present in VLAN Table
|-
!L
!S
!A
!L
!S
!A
|-
!Untagged traffic
|U
|U
|TA
|U
|U
|TA
|-
!Tagged traffic; no VID match
|T
|U
|T
| colspan="3" |
|-
!Tagged traffic; VID match; no Port match
| style="background-color: #F99;" | DE
| style="background-color: #F99;" | DE
| style="background-color: #F99;" | DE
|T
|U
|T
|-
!Tagged traffic; VID match; Port match
| style="background-color: #F99;" | DE
| style="background-color: #F99;" | DE
| style="background-color: #F99;" | DE
|T
|U
|T
|}


"yes" means ether1 is part of switch and supports switch grouping, and all other advanced Atheros8316/Atheros8327 features including extended statistics (<code>/interface ethernet print stats</code>).
{| border="1" class="wikitable collapsible" style="text-align: center"
| rowspan="2" | ''VLAN Mode = check''
! colspan="3" | Egress port not present in VLAN Table
! colspan="3" | Egress port is present in VLAN Table
|-
!L
!S
!A
!L
!S
!A
|-
!Untagged traffic
| colspan="6" |
|-
!Tagged traffic; no VID match
| style="background-color: #F99;" | DI
| style="background-color: #F99;" | DI
| style="background-color: #F99;" | DI
| colspan="3" |
|-
!Tagged traffic; VID match; no Port match
| style="background-color: #F99;" | DE
| style="background-color: #F99;" | DE
| style="background-color: #F99;" | DE
|T
|U
|T
|-
!Tagged traffic; VID match; Port match
| style="background-color: #F99;" | DE
| style="background-color: #F99;" | DE
| style="background-color: #F99;" | DE
|T
|U
|T
|}


"no" means ether1 is not part of switch, effectively making it as stand alone ethernet port, this way increasing its throughput to other ports in bridged, and routed mode, but removing the switching possibility on this port.
{| border="1" class="wikitable collapsible" style="text-align: center"
| rowspan="2" | ''VLAN Mode = secure''
! colspan="3" | Egress port not present in VLAN Table
! colspan="3" | Egress port is present in VLAN Table
|-
!L
!S
!A
!L
!S
!A
|-
!Untagged traffic
| colspan="6" |
|-
!Tagged traffic; no VID match
| style="background-color: #F99;" | DI
| style="background-color: #F99;" | DI
| style="background-color: #F99;" | DI
| colspan="3" |
|-
!Tagged traffic; VID match; no Port match
| style="background-color: #F99;" | DI
| style="background-color: #F99;" | DI
| style="background-color: #F99;" | DI
| style="background-color: #F99;" | DI
| style="background-color: #F99;" | DI
| style="background-color: #F99;" | DI
|-
!Tagged traffic; VID match; Port match
| style="background-color: #F99;" | DE
| style="background-color: #F99;" | DE
| style="background-color: #F99;" | DE
|T
|U
|T
|}


[[Image:switch4.png]]
{{ Note | The tables above are meant for more advanced configurations and to double check your own understand of how packets will be processed with each VLAN related property. }}


===Port Mirroring===
===Port Mirroring===
Line 387: Line 472:


Basically the hosts table represents switch chips internal mac address to port mapping. It can contain two kinds of entries: dynamic and static. Dynamic entries get added automatically, this is also called a learning process: when switch chip receives a packet from certain port, it adds the packets source mac address X and port it received the packet from to host table, so when a packet comes in with destination mac address X it knows to which port it should forward the packet. If the destination mac address is not present in host table then it forwards the packet to all ports in the group. Dynamic entries take about 5 minutes to time out.
Basically the hosts table represents switch chips internal mac address to port mapping. It can contain two kinds of entries: dynamic and static. Dynamic entries get added automatically, this is also called a learning process: when switch chip receives a packet from certain port, it adds the packets source mac address X and port it received the packet from to host table, so when a packet comes in with destination mac address X it knows to which port it should forward the packet. If the destination mac address is not present in host table then it forwards the packet to all ports in the group. Dynamic entries take about 5 minutes to time out.
Learning is enabled only on ports that are configured as part of switch group. So you won't see dynamic entries if you have not specified some 'master-ports'.
Learning is enabled only on ports that are configured as part of switch group. So you won't see dynamic entries if you have not set up port switching.
Also you can add static entries that take over dynamic if dynamic entry with same mac-address already exists. Also by adding a static entry you get access to some more functionality that is controlled via following params:
Also you can add static entries that take over dynamic if dynamic entry with same mac-address already exists. Also by adding a static entry you get access to some more functionality that is controlled via following params:


Line 402: Line 487:
===VLAN Table===
===VLAN Table===


Vlan table specifies certain forwarding rules for packets that have specific 802.1q tag. Those rules are of higher priority than switch groups configured using 'master-port' property. Basically the table contains entries that map specific vlan tag ids to a group of one or more ports. Packets with vlan tags leave switch chip through one or more ports that are set in corresponding table entry. The exact logic that controls how packets with vlan tags are treated is controlled by vlan-mode parameter that is changeable per switch port in <code>/interface ethernet switch port</code> menu.
VLAN table specifies certain forwarding rules for packets that have specific 802.1Q tag. Those rules are of higher priority than switch groups configured using the [[Manual:Interface/Bridge#Bridge_Hardware_Offloading | Bridge Hardware Offloading]] feature. Basically the table contains entries that map specific VLAN tag ids to a group of one or more ports. Packets with VLAN tags leave switch chip through one or more ports that are set in corresponding table entry. The exact logic that controls how packets with VLAN tags are treated is controlled by vlan-mode parameter that is changeable per switch port in <code>/interface ethernet switch port</code> menu.
Vlan-mode can take following values:
Vlan-mode can take following values:


* '''disabled''' - ignore vlan table, treat packet with vlan tags just as if they did not contain a vlan tag;
* '''disabled''' - ignore VLAN table, treat packet with VLAN tags just as if they did not contain a VLAN tag;
* '''fallback''' - the default mode - handle packets with vlan tag that is not present in vlan table just like packets without vlan tag. Packets with vlan tags that are present in vlan table, but incoming port does not match any port in vlan table entry does not get dropped.
* '''fallback''' - the default mode - handle packets with VLAN tag that is not present in vlan table just like packets without VLAN tag. Packets with VLAN tags that are present in VLAN table, but incoming port does not match any port in VLAN table entry does not get dropped.
* '''check''' - drop packets with vlan tag that is not present in vlan table. Packets with vlan tags that are present in vlan table, but incoming port does not match any port in vlan table entry does not get dropped.
* '''check''' - drop packets with VLAN tag that is not present in VLAN table. Packets with VLAN tags that are present in VLAN table, but incoming port does not match any port in VLAN table entry does not get dropped.
* '''secure''' - drop packets with vlan tag that is not present in vlan table. Packets with vlan tags that are present in vlan table, but incoming port does not match any port in vlan table entry get dropped.
* '''secure''' - drop packets with VLAN tag that is not present in VLAN table. Packets with VLAN tags that are present in VLAN table, but incoming port does not match any port in VLAN table entry get dropped.




Vlan tag id based forwarding takes into account the MAC addresses dynamically learned or manually added in the host table.
VLAN tag id based forwarding takes into account the MAC addresses dynamically learned or manually added in the host table.
QCA8337 and AR8327 switch-chips also support Independent VLAN learning (IVL) which does the learning based on both MAC addresses and VLAN IDs thus allowing the same MAC to be used in multiple VLANs. The option "independent-learning" in VLAN table entries enables this feature.  
QCA8337 and Atheros8327 switch-chips also support Independent VLAN learning (IVL) which does the learning based on both MAC addresses and VLAN IDs thus allowing the same MAC to be used in multiple VLANs. The option "independent-learning" in VLAN table entries enables this feature.  




Packets without vlan tag are treated just like if they had a vlan tag with port <var>default-vlan-id</var>. This means that if "vlan-mode=check or secure" to be able to forward packets without vlan tags you have to add a special entry to vlan table with the same vlan id set according to <var>default-vlan-id</var>.
Packets without VLAN tag are treated just like if they had a VLAN tag with port <var>default-vlan-id</var>. This means that if "vlan-mode=check or secure" to be able to forward packets without VLAN tags you have to add a special entry to VLAN table with the same VLAN ID set according to <var>default-vlan-id</var>.




Vlan-header option (configured in <code>/interface ethernet switch port</code>) sets the VLAN tag mode on egress port. Starting from RouterOS version 6 this option works with QCA8337, AR8316, AR8327, AR8227 and AR7240 switch chips and takes the following values:
Vlan-header option (configured in <code>/interface ethernet switch port</code>) sets the VLAN tag mode on egress port. Starting from RouterOS version 6 this option works with QCA8337, Atheros8316, Atheros8327, Atheros8227 and Atheros7240 switch chips and takes the following values:


* '''leave-as-is''' - packet remains unchanged on egress port;
* '''leave-as-is''' - packet remains unchanged on egress port;
Line 436: Line 521:
* '''new-vlan-id''' '''''(only applies to Atheros8316)''''' - if specified changes the vlan tag id, or add new vlan tag if one was not present;
* '''new-vlan-id''' '''''(only applies to Atheros8316)''''' - if specified changes the vlan tag id, or add new vlan tag if one was not present;
* '''new-vlan-priority''' - if specified changes the vlan tag priority bits;
* '''new-vlan-priority''' - if specified changes the vlan tag priority bits;
* '''rate''' '''''(only applies to Atheros8327/QCA8337)''''' - Sets limitation (bits per second) for all matched traffic. Can only  be applied to first 32 rule slots.  
* '''rate''' '''''(only applies to Atheros8327/QCA8337)''''' - Sets ingress traffic limitation (bits per second) for matched traffic. Can only  be applied to first 32 rule slots.  


Conditions part is controlled by rest of parameters:
Conditions part is controlled by rest of parameters:
Line 468: Line 553:
IPv4 and IPv6 specific conditions cannot be present in same rule.
IPv4 and IPv6 specific conditions cannot be present in same rule.
Menu contains ordered list of rules just like in <code>/ip firewall filter</code>.
Menu contains ordered list of rules just like in <code>/ip firewall filter</code>.
Due to the fact that the rule table is processed entirely in switch chips hardware there is limitation to how many rules you may have. Depending on the amount of conditions (MAC layer, IP layer, IPv6, L4 layer) you use in your rules the amount of active rules may vary from 8 to 32 for Atheros8316 switch chip and from 24 to 96 for Atheros8327/QCA8337 switch chip. You can always do <code>/interface ethernet switch rule print</code> after modifying your rule set to see that no rules at the end of the list are 'invalid' which means those rules did not fit into the switch chip.
Due to the fact that the rule table is processed entirely in switch chips hardware there is limitation to how many rules you may have. Depending on the number of conditions (MAC layer, IP layer, IPv6, L4 layer) you use in your rules the number of active rules may vary from 8 to 32 for Atheros8316 switch chip and from 24 to 96 for Atheros8327/QCA8337 switch chip. You can always do <code>/interface ethernet switch rule print</code> after modifying your rule set to see that no rules at the end of the list are 'invalid' which means those rules did not fit into the switch chip.


===Port isolation===
===Port isolation===


Since RouterOS v6.43rc11 it is possible to create an uplink port and isolated ports. Such a configuration allows each device connected to a switch port to be isolated from other ports and these isolated ports are only capable of communicating with other devices through the uplink port. This kind of configuration can also be called '''Private VLAN''' configuration, the '''Switch''' will forward all Ethernet frames directly to the uplink port allowing the '''Router''' to filter unwanted packets and limit access between devices that are behind switch ports.
Port isolation provides the possibility to divide (isolate) certain parts of your network, this might be useful when need to make sure that certain devices cannot access other devices, this can be done by isolating switch ports. Switch port isolation is available on all switch chips since RouterOS v6.43.
 
<p id="shbox"><b>Sub-menu:</b> <code>/interface ethernet switch port-isolation</code></p>
<br />
 
{{Mr-arg-table-h
|prop=Property
|desc=Description
}}
 
{{Mr-arg-table-end
|arg=forwarding-override
|type=interface
|default=
|desc=Forces ingress traffic to be forwarded to a specific interface. Multiple interfaces can be specified by separating them with a comma.
}}
 
{{ Note | (R/M)STP will only work properly in PVLAN setups, (R/M)STP will not work properly in setups, where there are multiple isolated switch groups, because switch groups might not properly receive BPDUs and therefore fail to detect network loops. }}
 
{{ Warning | The <code>forwarding-override</code> property that has an effect on ingress traffic only. Switch ports that do not have the <code>forwarding-override</code> specified are able to send packets through all switch ports. }}
 
{{ Warning | Switch chips with a VLAN table support ('''QCA8337''', '''Atheros8327''', '''Atheros8316''', '''Atheros8227''' and '''Atheros7240''') can override the port isolation configuration when enabling a VLAN lookup on the switch port (a <var>vlan-mode</var> is set to <code>fallback</code>, <code>check</code> or <code>secure</code>). If additional port isolation is needed between ports on the same VLAN, a switch rule with a <var>new-dst-ports</var> property can be implemented. Other devices without switch rule support cannot overcome this limitation.}}
 
==== Private VLAN ====
 
In some scenarios you might need to forward all traffic to a uplink port while all other ports are isolated from each other. This kind of setup is called '''Private VLAN''' configuration, the '''Switch''' will forward all Ethernet frames directly to the uplink port allowing the '''Router''' to filter unwanted packets and limit access between devices that are behind switch ports.


[[File:isolation.png|700px|thumb|center|alt=Alt text|Switch port isolation]]
[[File:isolation.png|700px|thumb|center|alt=Alt text|Switch port isolation]]
Line 479: Line 589:
<pre>
<pre>
/interface bridge
/interface bridge
add name=bridge1 protocol-mode=none
add name=bridge1
/interface bridge port
/interface bridge port
add interface=sfp1 bridge=bridge1 hw=yes
add interface=sfp1 bridge=bridge1 hw=yes
Line 486: Line 596:
add interface=ether3 bridge=bridge1 hw=yes
add interface=ether3 bridge=bridge1 hw=yes
</pre>
</pre>
{{ Note | By default, the bridge interface is configured with <var>protocol-mode</var> set to <code>rstp</code>. For some devices, this can disable hardware offloading because specific switch chips do not support this feature.  See the [[Manual:Interface/Bridge#Bridge_Hardware_Offloading | Bridge Hardware Offloading]] section with supported features. }}


Override the egress port for each switch port that needs to be isolated (excluding the uplink port):
Override the egress port for each switch port that needs to be isolated (excluding the uplink port):
Line 496: Line 608:


{{ Note | It is possible to set multiple uplink ports for a single switch chip, this can be done by specifying multiple interfaces and separating them with a comma. }}
{{ Note | It is possible to set multiple uplink ports for a single switch chip, this can be done by specifying multiple interfaces and separating them with a comma. }}
==== Isolated switch groups ====
In some scenarios you might need to isolate a group of devices from other groups, this can be done using the switch port isolation feature. This is useful when you have multiple networks but you want to use a single switch, with port isolation you can allow certain switch ports to be able to communicate through only a set of switch ports. In this example devices on '''ether1-4''' will only be able to communicate with devices that are on '''ether1-4''', while devices on '''ether5-8''' will only be able to communicate with devices on '''ether5-8''' ('''ether1-4''' is not able to communicate with '''ether5-8''')
[[File:port_isolation.png|700px|thumb|center|alt=Alt text|Isolated switch groups topology]]
To configure isolated switch groups you must first switch all ports:
<pre>
/interface bridge
add name=bridge
/interface bridge port
add bridge=bridge1 interface=ether1 hw=yes
add bridge=bridge1 interface=ether2 hw=yes
add bridge=bridge1 interface=ether3 hw=yes
add bridge=bridge1 interface=ether4 hw=yes
add bridge=bridge1 interface=ether5 hw=yes
add bridge=bridge1 interface=ether6 hw=yes
add bridge=bridge1 interface=ether7 hw=yes
add bridge=bridge1 interface=ether8 hw=yes
</pre>
{{ Note | By default, the bridge interface is configured with <var>protocol-mode</var> set to <code>rstp</code>. For some devices, this can disable hardware offloading because specific switch chips do not support this feature.  See the [[Manual:Interface/Bridge#Bridge_Hardware_Offloading | Bridge Hardware Offloading]] section with supported features. }}
Then specify in the <code>forwarding-override</code> property all ports that you want to be in the same isolated switch group (except the port on which you are applying the property), for example, to create an isolated switch group for '''A''' devices:
<pre>
/interface ethernet switch port-isolation
set ether1 forwarding-override=ether2,ether3,ether4
set ether2 forwarding-override=ether1,ether3,ether4
set ether3 forwarding-override=ether1,ether2,ether4
set ether4 forwarding-override=ether1,ether2,ether3
</pre>
To create an isolated switch group for '''B''' devices:
<pre>
/interface ethernet switch port-isolation
set ether5 forwarding-override=ether6,ether7,ether8
set ether6 forwarding-override=ether5,ether7,ether8
set ether7 forwarding-override=ether5,ether6,ether8
set ether8 forwarding-override=ether5,ether6,ether7
</pre>
===CPU Flow Control===
All switch chips have a special port that is called '''switchX-cpu''', this is the CPU port for a switch chip, it is meant to forward traffic from a switch chip to the CPU, such a port is required for management traffic and for routing features. By default the switch chip ensures that this special CPU port is not congested and sends out Pause Frames when link capacity is exceeded to make sure the port is not oversaturated, this feature is called '''CPU Flow Control'''. Without this feature packets that might be crucial for routing or management purposes might get dropped.
Since RouterOS v6.43 it is possible to disable the CPU Flow Control feature on some devices that are using one of the follow switch chips:  Atheros8227, QCA8337, Atheros8327, Atheros7240 or Atheros8316. Other switch chips have this feature enabled by default and cannot be changed. To disable CPU Flow Control use the following command:
<pre>
/interface ethernet switch set switch1 cpu-flow-control=no
</pre>


===Statistics===
===Statistics===
Line 601: Line 763:


<p style="text-align:justify;">
<p style="text-align:justify;">
Routerboards with Atheros switch chips can be used for 802.1Q Trunking. This feature in RouterOS version 6 is supported by '''QCA8337, AR8316, AR8327, AR8227''' and '''AR7240''' switch chips. <br />
RouterBOARDs with Atheros switch chips can be used for 802.1Q Trunking. This feature in RouterOS v6 is supported by '''QCA8337, Atheros8316, Atheros8327, Atheros8227''' and '''Atheros7240''' switch chips. <br />
In this example ether3,ether4 and ether5 interfaces are access ports, while ether2 is a trunk port. VLAN IDs for each access port: ether3 - 200, ether4 - 300, ether5 - 400.
In this example '''ether3''', ''''ether4''' and '''ether5''' interfaces are access ports, while '''ether2''' is a trunk port. VLAN IDs for each access port: ether3 - 200, ether4 - 300, ether5 - 400.
</p>
</p>


[[File:ath1.png|center|frame]]
[[File:ath1.png|center|frame]]


<div style="clear:both;"></div>
Switch together the required ports:  
 
* Create a group of switched ports by selecting one master-port and setting it for other ports.
 
<pre>
<pre>
# pre-v6.41 master-port configuration
/interface ethernet
set ether3 master-port=ether2
set ether4 master-port=ether2
set ether5 master-port=ether2
# post-v6.41 bridge hw-offload configuration
/interface bridge
/interface bridge
add name=bridge1 igmp-snooping=no protocol-mode=none
add name=bridge1
/interface bridge port
/interface bridge port
add bridge=bridge1 interface=ether2 hw=yes
add bridge=bridge1 interface=ether2 hw=yes
Line 630: Line 780:
</pre>
</pre>


* Add VLAN table entries to allow frames with specific VLAN IDs between ports.
{{ Note | By default, the bridge interface is configured with <var>protocol-mode</var> set to <code>rstp</code>. For some devices, this can disable hardware offloading because specific switch chips do not support this feature.  See the [[Manual:Interface/Bridge#Bridge_Hardware_Offloading | Bridge Hardware Offloading]] section with supported features. }}
 
Add VLAN table entries to allow frames with specific VLAN IDs between ports:


<pre>
<pre>
Line 639: Line 791:
</pre>
</pre>


* Assign "vlan-mode" and "vlan-header" mode for each port and also "default-vlan-id" on ingress for each access port. <br />
Assign <var>vlan-mode</var> and <var>vlan-header</var>mode for each port and also <var>default-vlan-id</var> on ingress for each access port:
Setting "vlan-mode=secure" ensures strict use of VLAN table. <br />
Setting "vlan-header=always-strip" for access ports removes VLAN header from frame when it leaves the switch chip. <br />
Setting "vlan-header=add-if-missing" for trunk port adds VLAN header to untagged frames. <br />
"Default-vlan-id" specifies what VLAN ID is added for untagged ingress traffic of the access port.
 
<pre>
<pre>
/interface ethernet switch port
/interface ethernet switch port
Line 652: Line 799:
set ether5 vlan-mode=secure vlan-header=always-strip default-vlan-id=400
set ether5 vlan-mode=secure vlan-header=always-strip default-vlan-id=400
</pre>
</pre>
* Setting <code>vlan-mode=secure</code> ensures strict use of VLAN table.
* Setting <code>vlan-header=always-strip</code> for access ports removes VLAN header from frame when it leaves the switch chip.
* Setting <code>vlan-header=add-if-missing</code> for trunk port adds VLAN header to untagged frames.
* <var>default-vlan-id</var> specifies what VLAN ID is added for untagged ingress traffic of the access port.
{{ Note | For devices with '''QCA8337''' and '''Atheros8327''' switch chips a default <code>vlan-header&#61;leave-as-is</code> should be used. When <code>vlan-mode&#61;secure</code> is configured, it ignore switch port <var>vlan-header</var> options. VLAN table entries handle all the egress tagging/untagging and works as <code>vlan-header&#61;leave-as-is</code> on all ports. It means what comes in tagged, goes out tagged as well, only <var>default-vlan-id</var> frames are untagged at the egress of port.}}


===VLAN Example 2 (Trunk and Hybrid Ports)===
===VLAN Example 2 (Trunk and Hybrid Ports)===


<p style="text-align:justify;">
<p style="text-align:justify;">
VLAN Hybrid ports which can forward both tagged and untagged traffic are supported only by some Gigabit switch chips ('''QCA8337, AR8327''')
VLAN Hybrid ports which can forward both tagged and untagged traffic are supported only by some Gigabit switch chips ('''QCA8337, Atheros8327''')
</p>
</p>


[[File:ath2.png|center|frame]]
[[File:ath2.png|center|frame]]


<div style="clear:both;"></div>
Switch together the required ports:  
 
* Create a group of switched ports.
 
<pre>
<pre>
# pre-v6.41 master-port configuration
/interface ethernet
set ether3 master-port=ether2
set ether4 master-port=ether2
set ether5 master-port=ether2
# post-v6.41 bridge hw-offload configuration
/interface bridge
/interface bridge
add name=bridge1 igmp-snooping=no protocol-mode=none
add name=bridge1
/interface bridge port
/interface bridge port
add bridge=bridge1 interface=ether2 hw=yes
add bridge=bridge1 interface=ether2 hw=yes
Line 684: Line 826:
</pre>
</pre>


* Add VLAN table entries to allow frames with specific VLAN IDs between ports.
{{ Note | By default, the bridge interface is configured with <var>protocol-mode</var> set to <code>rstp</code>. For some devices, this can disable hardware offloading because specific switch chips do not support this feature.  See the [[Manual:Interface/Bridge#Bridge_Hardware_Offloading | Bridge Hardware Offloading]] section with supported features. }}


Add VLAN table entries to allow frames with specific VLAN IDs between ports.
<pre>
<pre>
/interface ethernet switch vlan
/interface ethernet switch vlan
Line 693: Line 836:
</pre>
</pre>


* In switch port menu set "vlan-mode" on all ports and also "default-vlan-id" on planned hybrid ports. <br />
In switch port menu set <var>vlan-mode</var> on all ports and also <var>default-vlan-id</var> on planned hybrid ports:
"Vlan-mode=secure" will ensure strict use of VLAN table. <br />
"Default-vlan-id" will define VLAN for untagged ingress traffic on port. <br />
In Gigabit switch chips when "vlan-mode=secure", it ignores switch port "vlan-header" options. VLAN table entries handle all the egress tagging/untagging and works as "vlan-header=leave-as-is" on all ports. <br />
It means what comes in tagged, goes out tagged as well, only "default-vlan-id" frames are untagged at the egress of port.
 
<pre>
<pre>
/interface ethernet switch port
/interface ethernet switch port
Line 707: Line 845:
</pre>
</pre>


===Management port configuration===
* <code>vlan-mode=secure</code> will ensure strict use of VLAN table.
* <var>default-vlan-id</var> will define VLAN for untagged ingress traffic on port.
* In QCA8337 and Atheros8327 chips when <code>vlan-mode=secure</code> is used, it ignores switch port <var>vlan-header</var> options. VLAN table entries handle all the egress tagging/untagging and works as <code>vlan-header=leave-as-is</code> on all ports. It means what comes in tagged, goes out tagged as well, only <var>default-vlan-id</var> frames are untagged at the egress of port.
 
===Management access configuration===


In these examples there will be shown examples for multiple scenarios, but each of these scenarios require you to have switched ports. Below you can find how to switch multiple ports:
In these examples there will be shown examples for multiple scenarios, but each of these scenarios require you to have switched ports. Below you can find how to switch multiple ports:
* For RouterOS before v6.41
<pre>
/interface ethernet
set ether2 master-port=ether1
</pre>
* For RouterOS after v6.41
<pre>
<pre>
/interface bridge
/interface bridge
add name=bridge1 protocol-mode=none
add name=bridge1
/interface bridge port
/interface bridge port
add interface=ether1 bridge=bridge1 hw=yes
add interface=ether1 bridge=bridge1 hw=yes
add interface=ether2 bridge=bridge1 hw=yes
add interface=ether2 bridge=bridge1 hw=yes
</pre>
</pre>
{{ Note | By default, the bridge interface is configured with <var>protocol-mode</var> set to <code>rstp</code>. For some devices, this can disable hardware offloading because specific switch chips do not support this feature.  See the [[Manual:Interface/Bridge#Bridge_Hardware_Offloading | Bridge Hardware Offloading]] section with supported features. }}


In these examples it will be assumed that '''ether1''' is the trunk port and '''ether2''' is the access port, for configuration as the following:
In these examples it will be assumed that '''ether1''' is the trunk port and '''ether2''' is the access port, for configuration as the following:
Line 731: Line 867:
set ether1 vlan-header=add-if-missing
set ether1 vlan-header=add-if-missing
set ether2 default-vlan-id=100 vlan-header=always-strip
set ether2 default-vlan-id=100 vlan-header=always-strip
/interface ethernet switch vlan
/interface ethernet switch vlan
add ports=ether1,ether2,switch1-cpu switch=switch1 vlan-id=100
add ports=ether1,ether2,switch1-cpu switch=switch1 vlan-id=100
Line 736: Line 873:


====Tagged====
====Tagged====
In order to make the device accessible only from a certain VLAN, you need to create a new VLAN interface on the bridge/master-port interface and assign an IP address to it:
In order to make the device accessible only from a certain VLAN, you need to create a new VLAN interface on the bridge interface and assign an IP address to it:
<pre>
<pre>
/interface vlan
/interface vlan
add name=MGMT vlan-id=99 interface=bridge1
add name=MGMT vlan-id=99 interface=bridge1
/ip address
/ip address
add address=192.168.99.1/24 interface=MGMT
add address=192.168.99.1/24 interface=MGMT
Line 765: Line 903:
/interface vlan
/interface vlan
add name=VLAN100 vlan-id=100 interface=bridge1
add name=VLAN100 vlan-id=100 interface=bridge1
/ip address
/ip address
add address=192.168.100.1/24 interface=VLAN100
add address=192.168.100.1/24 interface=VLAN100
Line 784: Line 923:
set switch1-cpu vlan-header=leave-as-is vlan-mode=secure
set switch1-cpu vlan-header=leave-as-is vlan-mode=secure
</pre>
</pre>
{{ Note | To setup management port using untagged traffic on a device with the  '''Atheros7240''' switch chip, you will need to set <code>vlan-header&#61;add-if-missing</code> for the CPU port.}}


====Untagged from tagged port====
====Untagged from tagged port====
It is possible to allow access to the device from the trunk (tagged) port with untagged traffic. To do so, assign an IP address on the bridge/master-port interface:
It is possible to allow access to the device from the trunk (tagged) port with untagged traffic. To do so, assign an IP address on the bridge interface:
<pre>
<pre>
/ip address
/ip address
Line 792: Line 933:
</pre>
</pre>


Specify the trunk port to be able to access the CPU for the <code>default-vlan-id</code> for the trunk port, by default it is set to 1:
Specify which ports are allowed to access the CPU. Use <code>vlan-id</code> that is used in <code>default-vlan-id</code> for switch-cpu and trunk ports, by default it is set to 0 or 1.
<pre>
<pre>
/interface ethernet switch vlan
/interface ethernet switch vlan
Line 802: Line 943:
/interface ethernet switch port
/interface ethernet switch port
set ether1 default-vlan-id=1 vlan-header=add-if-missing vlan-mode=secure
set ether1 default-vlan-id=1 vlan-header=add-if-missing vlan-mode=secure
set switch1-cpu vlan-header=leave-as-is vlan-mode=secure
set switch1-cpu default-vlan-id=1 vlan-header=leave-as-is vlan-mode=secure
</pre>
</pre>


===Spanning Tree Protocol===
{{ Note | This configuration example is not possible for devices with the '''Atheros8316''' and  '''Atheros7240''' switch chips.}}
{{ Note | For devices with '''QCA8337''' and '''Atheros8327''' switch chips it is possible to use any other <code>default-vlan-id</code> as long as it stays the same on switch-cpu and trunk ports. For devices with '''Atheros8227''' switch chip only <code>default-vlan-id&#61;0</code> can be used and trunk port must use <code>vlan-header&#61;leave-as-is</code>.}}


Starting from RouterOS v6.38 RouterBoards support Spanning Tree Protocols on ports configured for switching. This feature is available on following switch chips: QCA8337; Atheros8327; Atheros8316; Atheros8227; Atheros7240. To enable this feature create RouterOS bridge interface and add the master-port to it.
=See also=
 
* Create a group of switched ports
 
<pre>
/interface ethernet
set ether2 master-port=ether1
set ether3 master-port=ether1
set ether4 master-port=ether1
</pre>
 
* Create a bridge interface and add the master-port to it
 
<pre>
/interface bridge add name=bridge1 protocol=rstp
 
/interface bridge port add bridge=bridge1 interface=ether1
</pre>
 
* Slave ports are dynamically added to the bridge only to show STP status. Forwarding through switched ports still are handled by hardware switch chip.
 
<pre>
[admin@MikroTik] > /interface bridge port print
Flags: X - disabled, I - inactive, D - dynamic
#    INTERFACE          BRIDGE          PRIORITY  PATH-COST    HORIZON
0    ether1              bridge1              0x80        10      none
1 ID ether2              bridge1              0x80        10      none
2  D ether3              bridge1              0x80        10      none
3  D ether4              bridge1              0x80        10      none
</pre>


{{ Note | Since RouterOS v6.41 the master-port configuration is removed and replaced with a more simplified bridge configuration. The same functionality can be achieved by adding ports to a bridge with hardware offloading enabled and ensuring that protocol-mode is set to RSTP. }}
* [[Manual:Switch_Router | Switch Router]]
* [[Manual:Basic_VLAN_switching | Basic VLAN Switching]]
* [[Manual:Interface/Bridge#Bridge_Hardware_Offloading | Bridge Hardware Offloading]]
* [[Manual:Interface/Bridge#Spanning_Tree_Protocol | Spanning Tree Protocol]]
* [[Manual:Interface/Bridge#DHCP_Snooping_and_DHCP_Option_82 | DHCP Snooping and Option 82]]
* [[M:Maximum_Transmission_Unit_on_RouterBoards | MTU on RouterBOARD]]
* [[Manual:Layer2_misconfiguration | Layer2 misconfiguration]]
* [[Manual:Master-port | Master-port]]


[[Category:Manual]]
[[Category:Manual]]
[[Category:Bridging and switching]]
[[Category:Bridging and switching]]

Latest revision as of 09:37, 18 September 2020

Applies to RouterOS: v6.0 +


Introduction

There are several types of switch chips on Routerboards and they have a different set of features. Most of them (from now on "Other") have only basic "Port Switching" feature, but there are few with more features:

Capabilities of switch chips:

FeatureQCA8337Atheros8327Atheros8316Atheros8227Atheros7240
Port Switchingyesyesyesyesyes
Port Mirroringyesyesyesyesyes
TX limityesyesyesyesyes
RX limityesyesnonono
Host table2048 entries2048 entries2048 entries1024 entries2048 entries
Vlan table4096 entries4096 entries4096 entries4096 entries16 entries
Rule table92 rules92 rules32 rulesnono


FeatureICPlus175DMT7621RTL836798PX1012Other
Port Switchingyesyesyesnoyes
Port Mirroringyesyesyesnono
TX limitnonononono
RX limitnonononono
Host tableno2048 entries2048 entriesnono
Vlan tablenonononono
Rule tablenonononono

Note: Cloud Router Switch (CRS) series devices have highly advanced switch chips built-in, they support wide variety of features. For more details about switch chip capabilities on CRS1xx/CRS2xx series devices check the CRS1xx/CRS2xx series switches manual, for CRS3xx series devices check the CRS3xx series switches manual.


RouterBoard Switch-chip description
RB4011iGS+ RTL8367 (ether1-ether5); RTL8367 (ether6-ether10);
RB1100AHx4 RTL8367 (ether1-ether5); RTL8367 (ether6-ether10); RTL8367 (ether11-ether13)
RB750Gr3 (hEX), RB760iGS (hEX S) MT7621 (ether1-ether5)
RBM33G MT7621 (ether1-ether3)
RB3011 series QCA8337 (ether1-ether5); QCA8337 (ether6-ether10)
RB OmniTik ac series QCA8337 (ether1-ether5)
RBwsAP-5Hac2nD (wsAP ac lite) Atheros8227 (ether1-ether3)
RB941-2nD (hAP lite) Atheros8227 (ether1-ether4)
RB951Ui-2nD (hAP); RB952Ui-5ac2nD (hAP ac lite); RB750r2 (hEX lite); RB750UPr2 (hEX PoE lite); RB750P-PBr2 (PowerBox); RB750P r2; RBOmniTikU-5HnDr2 (OmniTIK 5); RBOmniTikUPA-5HnDr2 (OmniTIK 5 PoE) Atheros8227 (ether1-ether5)
RB750Gr2 (hEX); RB962UiGS-5HacT2HnT (hAP ac); RB960PGS (hEX PoE); RB960PGS-PB (PowerBox Pro) QCA8337 (ether1-ether5)
RB953GS Atheros8327 (ether1-ether3+sfp1)
RB850Gx2 Atheros8327 (ether1-ether5) with ether1 optional [more]
RB2011 series Atheros8327 (ether1-ether5+sfp1); Atheros8227 (ether6-ether10)
RB750GL; RB751G-2HnD; RB951G-2HnD; RBD52G-5HacD2HnD (hAP ac²) Atheros8327 (ether1-ether5)
cAP ac Atheros8327 (ether1-ether2)
RB1100AH Atheros8327 (ether1-ether5); Atheros8327 (ether6-ether10)
RB1100AHx2 Atheros8327 (ether1-ether5); Atheros8327 (ether6-ether10)
CCR1009-8G-1S-1S+; CCR1009-8G-1S Atheros8327 (ether1-ether4)
RB493G Atheros8316 (ether1+ether6-ether9); Atheros8316 (ether2-ether5)
RB435G Atheros8316 (ether1-ether3) with ether1 optional [more]
RB450G Atheros8316 (ether1-ether5) with ether1 optional [more]
RB450Gx4 Atheros8327 (ether1-ether5)
RB433GL Atheros8327 (ether1-ether3)
RB750G Atheros8316 (ether1-ether5)
RB1200 Atheros8316 (ether1-ether5)
RB1100 Atheros8316 (ether1-ether5); Atheros8316 (ether6-ether10)
DISC Lite5 Atheros8227 (ether1)
RBmAP2nD Atheros8227 (ether1-ether2)
RBmAP2n Atheros7240 (ether1-ether2)
RB750 Atheros7240 (ether2-ether5)
RB750UP Atheros7240 (ether2-ether5)
RB751U-2HnD Atheros7240 (ether2-ether5)
RB951-2n Atheros7240 (ether2-ether5)
RB951Ui-2HnD Atheros8227 (ether1-ether5)
RB433 series ICPlus175D (ether2-ether3); older models had ICPlus175C
RB450 ICPlus175D (ether2-ether5); older models had ICPlus175C
RB493 series ICPlus178C (ether2-ether9)
RB816 ICPlus178C (ether1-ether16)


Command line config is under /interface ethernet switch menu. This menu contains a list of all switch chips present in system, and some sub-menus as well. /interface ethernet switch menu list item represents a switch chip in system:

[admin@MikroTik] /interface ethernet switch> print
Flags: I - invalid
 #   NAME     TYPE         MIRROR-SOURCE   MIRROR-TARGET
 0   switch1  Atheros-8316 ether2          none

Depending on switch type there might be available or not available some configuration capabilities.

Atheros8316 packet flow diagram

Features

Port Switching

In order to setup port switching on non-CRS series devices, check the Bridge Hardware Offloading page.

Note: Port switching in RouterOS v6.41 and newer is done using the bridge configuration. Prior to RouterOS v6.41 port switching was done using the master-port property, for more details check the Master-port page.


Switch All Ports Feature

Ether1 port on RB450G/RB435G/RB850Gx2 has a feature that allows it to be removed/added to the default switch group. By default ether1 port will be included in the switch group. This configuration can be changed with /interface ethernet switch set switch1 switch-all-ports=no

  • switch-all-ports=yes/no -

"yes" means ether1 is part of switch and supports switch grouping, and all other advanced Atheros8316/Atheros8327 features including extended statistics (/interface ethernet print stats).

"no" means ether1 is not part of switch, effectively making it as stand alone ethernet port, this way increasing its throughput to other ports in bridged, and routed mode, but removing the switching possibility on this port.

File:Switch4.png

Port Settings

Properties under this menu are used to configure VLAN switching and filtering options for switch chips that support a VLAN Table. These properties are only available to switch chips that have VLAN Table support, check the Switch Chip Features table to make sure your device supports such a feature.

Warning: Ingress traffic is considered as traffic that is being sent IN a certain port, this port is sometimes called ingress port. Egress traffic is considered as traffic that is being sent OUT of a certain port, this port is sometimes called egress port. Distinguishing them is very important in order to properly set up VLAN filtering since some properties apply only to either ingress or egress traffic.


Sub-menu: /interface ethernet switch port


Property Description
vlan-mode (check | disabled | fallback | secure; Default: disabled) Changes the VLAN lookup mechanism against the VLAN Table for ingress traffic.
  • disabled - disables checking against the VLAN Table completely for ingress traffic. No traffic is dropped when set on ingress port.
  • fallback - checks tagged traffic against the VLAN Table for ingress traffic, forwards all untagged traffic. If ingress traffic is tagged and egress port is not found in the VLAN table for the appropriate VLAN ID, then traffic is dropped. If a VLAN ID is not found in the VLAN Table, then traffic is forwarded. Used to allow known VLANs only in specific ports.
  • check - checks tagged traffic against the VLAN Table for ingress traffic, drops all untagged traffic. If ingress traffic is tagged and egress port is not found in the VLAN table for the appropriate VLAN ID, then traffic is dropped.
  • secure - checks tagged traffic against the VLAN Table for ingress traffic, drops all untagged traffic. Both ingress and egress port must be found in the VLAN Table for the appropriate VLAN ID, otherwise traffic is dropped.
vlan-header (add-if-missing | always-strip | leave-as-is; Default: leave-as-is) Sets action which is performed on the port for egress traffic.
  • add-if-missing - adds a VLAN tag on egress traffic and uses default-vlan-id from the ingress port. Should be used for trunk ports.
  • always-strip - removes a VLAN tag on egress traffic. Should be used for access ports.
  • leave-as-is - does not add nor removes a VLAN tag on egress traffic. Should be used for hybrid ports.
default-vlan-id (auto | integer: 0..4095; Default: auto) Adds a VLAN tag with the specified VLAN ID on all untagged ingress traffic on a port, should be used with vlan-header set to always-strip on a port to configure the port to be the access port. For hybrid ports default-vlan-id is used to tag untagged traffic. If two ports have the same default-vlan-id, then VLAN tag is not added since the switch chip assumes that traffic is being forwarded between access ports.


Note: QCA8337 and Atheros8327 switch chips ignore the vlan-header property and uses the default-vlan-id property to determine which ports are access ports. The vlan-header is set to leave-as-is and cannot be changed while the default-vlan-id property should only be used on access ports to tag all ingress traffic.


VLAN Forwarding

Both vlan-mode and vlan-header along with the VLAN Table can be used to configure VLAN tagging, untagging and filtering, there are multiple combinations that are possible, each achieving a different result. Below you can find a table of what kind of traffic is going to be sent out through an egress port when a certain traffic is received on an ingress port for each VLAN Mode.

NOTES:

  • L - vlan-header is set to leave-as-is
  • S - vlan-header set to always-strip
  • A - vlan-header set to add-if-missing
  • U - Untagged traffic is sent out
  • T - Tagged traffic is sent out, tag is already present on ingress port
  • TA - Tagged traffic is sent out, tag was added on ingress port
  • DI - Traffic is dropped on ingress port because of mode selected in vlan-mode
  • DE - Traffic is dropped on egress port because egress port was not found in the VLAN Table
  • VID match - VLAN ID from the VLAN tag for ingress traffic is present in the VLAN Table
  • Port match - Ingress port is present in the VLAN Table for the appropriate VLAN ID
VLAN Mode = disabled Egress port not present in VLAN Table Egress port is present in VLAN Table
L S A L S A
Untagged traffic U U TA U U TA
Tagged traffic; no VID match T U T
Tagged traffic; VID match; no Port match T U T T U T
Tagged traffic; VID match; Port match T U T T U T
VLAN Mode = fallback Egress port not present in VLAN Table Egress port is present in VLAN Table
L S A L S A
Untagged traffic U U TA U U TA
Tagged traffic; no VID match T U T
Tagged traffic; VID match; no Port match DE DE DE T U T
Tagged traffic; VID match; Port match DE DE DE T U T
VLAN Mode = check Egress port not present in VLAN Table Egress port is present in VLAN Table
L S A L S A
Untagged traffic
Tagged traffic; no VID match DI DI DI
Tagged traffic; VID match; no Port match DE DE DE T U T
Tagged traffic; VID match; Port match DE DE DE T U T
VLAN Mode = secure Egress port not present in VLAN Table Egress port is present in VLAN Table
L S A L S A
Untagged traffic
Tagged traffic; no VID match DI DI DI
Tagged traffic; VID match; no Port match DI DI DI DI DI DI
Tagged traffic; VID match; Port match DE DE DE T U T

Note: The tables above are meant for more advanced configurations and to double check your own understand of how packets will be processed with each VLAN related property.


Port Mirroring

Port mirroring lets switch 'sniff' all traffic that is going in and out of one port (mirror-source) and send a copy of those packets out of some other port (mirror-target). This feature can be used to easily set up a 'tap' device that receives all traffic that goes in/out of some specific port. Note that mirror-source and mirror-target ports have to belong to same switch. (See which port belong to which switch in /interface ethernet menu). Also mirror-target can have a special 'cpu' value, which means that 'sniffed' packets should be sent out of switch chips cpu port. Port mirroring happens independently of switching groups that have or have not been set up.

  • Port mirroring configuration example:
/interface ethernet switch
set switch1 mirror-source=ether2 mirror-target=ether3

Warning: If you set mirror-source as a Ethernet port for a device with at least two switch chips and these mirror-source ports are in a single bridge while mirror-target for both switch chips are set to send the packets to the CPU, then this will result in a loop, which can make your device inaccessible.


Hosts Table

Basically the hosts table represents switch chips internal mac address to port mapping. It can contain two kinds of entries: dynamic and static. Dynamic entries get added automatically, this is also called a learning process: when switch chip receives a packet from certain port, it adds the packets source mac address X and port it received the packet from to host table, so when a packet comes in with destination mac address X it knows to which port it should forward the packet. If the destination mac address is not present in host table then it forwards the packet to all ports in the group. Dynamic entries take about 5 minutes to time out. Learning is enabled only on ports that are configured as part of switch group. So you won't see dynamic entries if you have not set up port switching. Also you can add static entries that take over dynamic if dynamic entry with same mac-address already exists. Also by adding a static entry you get access to some more functionality that is controlled via following params:

  • copy-to-cpu=yes/no - a packet can be cloned and sent to cpu port
  • redirect-to-cpu=yes/no - a packet can be redirected to cpu port
  • mirror=yes/no - a packet can be cloned and sent to mirror-target port configured in "/interface ethernet switch"
  • drop=yes/no - a packet with certain mac address coming from certain ports can be dropped

copy-to-cpu, redirect-to-cpu, mirror actions are performed for packets which destination mac matches mac address specified in entry drop action is performed for packets which source mac address matches mac address specified in entry

Another possibility for static entries is that mac address can be mapped to more that one port, including 'cpu' port.

VLAN Table

VLAN table specifies certain forwarding rules for packets that have specific 802.1Q tag. Those rules are of higher priority than switch groups configured using the Bridge Hardware Offloading feature. Basically the table contains entries that map specific VLAN tag ids to a group of one or more ports. Packets with VLAN tags leave switch chip through one or more ports that are set in corresponding table entry. The exact logic that controls how packets with VLAN tags are treated is controlled by vlan-mode parameter that is changeable per switch port in /interface ethernet switch port menu. Vlan-mode can take following values:

  • disabled - ignore VLAN table, treat packet with VLAN tags just as if they did not contain a VLAN tag;
  • fallback - the default mode - handle packets with VLAN tag that is not present in vlan table just like packets without VLAN tag. Packets with VLAN tags that are present in VLAN table, but incoming port does not match any port in VLAN table entry does not get dropped.
  • check - drop packets with VLAN tag that is not present in VLAN table. Packets with VLAN tags that are present in VLAN table, but incoming port does not match any port in VLAN table entry does not get dropped.
  • secure - drop packets with VLAN tag that is not present in VLAN table. Packets with VLAN tags that are present in VLAN table, but incoming port does not match any port in VLAN table entry get dropped.


VLAN tag id based forwarding takes into account the MAC addresses dynamically learned or manually added in the host table. QCA8337 and Atheros8327 switch-chips also support Independent VLAN learning (IVL) which does the learning based on both MAC addresses and VLAN IDs thus allowing the same MAC to be used in multiple VLANs. The option "independent-learning" in VLAN table entries enables this feature.


Packets without VLAN tag are treated just like if they had a VLAN tag with port default-vlan-id. This means that if "vlan-mode=check or secure" to be able to forward packets without VLAN tags you have to add a special entry to VLAN table with the same VLAN ID set according to default-vlan-id.


Vlan-header option (configured in /interface ethernet switch port) sets the VLAN tag mode on egress port. Starting from RouterOS version 6 this option works with QCA8337, Atheros8316, Atheros8327, Atheros8227 and Atheros7240 switch chips and takes the following values:

  • leave-as-is - packet remains unchanged on egress port;
  • always-strip - if VLAN header is present it is removed from the packet;
  • add-if-missing - if VLAN header is not present it is added to the packet.

Rule Table

Rule table is very powerful tool allowing wire speed packet filtering, forwarding and vlan tagging based on L2,L3,L4 protocol header field condition.

Each rule contains a conditions part and an action part. Action part is controlled by following parameters:

  • copy-to-cpu=yes/no - clones matching packets and sends them to cpu port;
  • redirect-to-cpu=yes/no - redirects matching packets to cpu port;
  • mirror=yes/no - clones matching packets and send them to mirror-target port;
  • new-dst-ports - if set forces the destination port to be as specified, multiple ports allowed, including cpu port. Non obvious feature of this parameter is to pass empty list of ports to drop matching packets;
  • new-vlan-id (only applies to Atheros8316) - if specified changes the vlan tag id, or add new vlan tag if one was not present;
  • new-vlan-priority - if specified changes the vlan tag priority bits;
  • rate (only applies to Atheros8327/QCA8337) - Sets ingress traffic limitation (bits per second) for matched traffic. Can only be applied to first 32 rule slots.

Conditions part is controlled by rest of parameters:

  • ports - match port that packet came in from (multiple ports allowed);
  • mac layer conditions
    • dst-mac-address - match by destination mac address and mask;
    • src-mac-address - ...;
    • vlan-header - match by vlan header presence;
    • vlan-id (only applies to Atheros8316) - match by vlan tag id;
    • vlan-priority (only applies to Atheros8316) - match by priority in vlan tag;
    • mac-protocol - match by mac protocol (skips vlan tags if any);
  • ip conditions
    • dst-address - match by destination ip and mask;
    • src-address - match by source ip and mask;
    • dscp - match by ip dscp field;
    • protocol - match by ip protocol;
  • ipv6 conditions
    • dst-address6 - match by destination ip and mask;
    • src-address6 - match by source ip and mask;
    • flow-label - match by ipv6 flow label;
    • traffic-class - match by ipv6 traffic class;
    • protocol - match by ip protocol;
  • L4 conditions
    • src-port - match by tcp/udp source port range;
    • dst-port - match by tcp/udp destination port range;

IPv4 and IPv6 specific conditions cannot be present in same rule. Menu contains ordered list of rules just like in /ip firewall filter. Due to the fact that the rule table is processed entirely in switch chips hardware there is limitation to how many rules you may have. Depending on the number of conditions (MAC layer, IP layer, IPv6, L4 layer) you use in your rules the number of active rules may vary from 8 to 32 for Atheros8316 switch chip and from 24 to 96 for Atheros8327/QCA8337 switch chip. You can always do /interface ethernet switch rule print after modifying your rule set to see that no rules at the end of the list are 'invalid' which means those rules did not fit into the switch chip.

Port isolation

Port isolation provides the possibility to divide (isolate) certain parts of your network, this might be useful when need to make sure that certain devices cannot access other devices, this can be done by isolating switch ports. Switch port isolation is available on all switch chips since RouterOS v6.43.

Sub-menu: /interface ethernet switch port-isolation


Property Description
forwarding-override (interface; Default: ) Forces ingress traffic to be forwarded to a specific interface. Multiple interfaces can be specified by separating them with a comma.

Note: (R/M)STP will only work properly in PVLAN setups, (R/M)STP will not work properly in setups, where there are multiple isolated switch groups, because switch groups might not properly receive BPDUs and therefore fail to detect network loops.


Warning: The forwarding-override property that has an effect on ingress traffic only. Switch ports that do not have the forwarding-override specified are able to send packets through all switch ports.


Warning: Switch chips with a VLAN table support (QCA8337, Atheros8327, Atheros8316, Atheros8227 and Atheros7240) can override the port isolation configuration when enabling a VLAN lookup on the switch port (a vlan-mode is set to fallback, check or secure). If additional port isolation is needed between ports on the same VLAN, a switch rule with a new-dst-ports property can be implemented. Other devices without switch rule support cannot overcome this limitation.


Private VLAN

In some scenarios you might need to forward all traffic to a uplink port while all other ports are isolated from each other. This kind of setup is called Private VLAN configuration, the Switch will forward all Ethernet frames directly to the uplink port allowing the Router to filter unwanted packets and limit access between devices that are behind switch ports.

Alt text
Switch port isolation

To configure switch port isolation, you need to switch all required ports:

/interface bridge
add name=bridge1
/interface bridge port
add interface=sfp1 bridge=bridge1 hw=yes
add interface=ether1 bridge=bridge1 hw=yes
add interface=ether2 bridge=bridge1 hw=yes
add interface=ether3 bridge=bridge1 hw=yes

Note: By default, the bridge interface is configured with protocol-mode set to rstp. For some devices, this can disable hardware offloading because specific switch chips do not support this feature. See the Bridge Hardware Offloading section with supported features.


Override the egress port for each switch port that needs to be isolated (excluding the uplink port):

/interface ethernet switch port-isolation
set ether1 forwarding-override=sfp1
set ether2 forwarding-override=sfp1
set ether3 forwarding-override=sfp1

Note: It is possible to set multiple uplink ports for a single switch chip, this can be done by specifying multiple interfaces and separating them with a comma.


Isolated switch groups

In some scenarios you might need to isolate a group of devices from other groups, this can be done using the switch port isolation feature. This is useful when you have multiple networks but you want to use a single switch, with port isolation you can allow certain switch ports to be able to communicate through only a set of switch ports. In this example devices on ether1-4 will only be able to communicate with devices that are on ether1-4, while devices on ether5-8 will only be able to communicate with devices on ether5-8 (ether1-4 is not able to communicate with ether5-8)

Alt text
Isolated switch groups topology

To configure isolated switch groups you must first switch all ports:

/interface bridge
add name=bridge
/interface bridge port
add bridge=bridge1 interface=ether1 hw=yes
add bridge=bridge1 interface=ether2 hw=yes
add bridge=bridge1 interface=ether3 hw=yes
add bridge=bridge1 interface=ether4 hw=yes
add bridge=bridge1 interface=ether5 hw=yes
add bridge=bridge1 interface=ether6 hw=yes
add bridge=bridge1 interface=ether7 hw=yes
add bridge=bridge1 interface=ether8 hw=yes

Note: By default, the bridge interface is configured with protocol-mode set to rstp. For some devices, this can disable hardware offloading because specific switch chips do not support this feature. See the Bridge Hardware Offloading section with supported features.


Then specify in the forwarding-override property all ports that you want to be in the same isolated switch group (except the port on which you are applying the property), for example, to create an isolated switch group for A devices:

/interface ethernet switch port-isolation
set ether1 forwarding-override=ether2,ether3,ether4
set ether2 forwarding-override=ether1,ether3,ether4
set ether3 forwarding-override=ether1,ether2,ether4
set ether4 forwarding-override=ether1,ether2,ether3

To create an isolated switch group for B devices:

/interface ethernet switch port-isolation
set ether5 forwarding-override=ether6,ether7,ether8
set ether6 forwarding-override=ether5,ether7,ether8
set ether7 forwarding-override=ether5,ether6,ether8
set ether8 forwarding-override=ether5,ether6,ether7

CPU Flow Control

All switch chips have a special port that is called switchX-cpu, this is the CPU port for a switch chip, it is meant to forward traffic from a switch chip to the CPU, such a port is required for management traffic and for routing features. By default the switch chip ensures that this special CPU port is not congested and sends out Pause Frames when link capacity is exceeded to make sure the port is not oversaturated, this feature is called CPU Flow Control. Without this feature packets that might be crucial for routing or management purposes might get dropped.

Since RouterOS v6.43 it is possible to disable the CPU Flow Control feature on some devices that are using one of the follow switch chips: Atheros8227, QCA8337, Atheros8327, Atheros7240 or Atheros8316. Other switch chips have this feature enabled by default and cannot be changed. To disable CPU Flow Control use the following command:

/interface ethernet switch set switch1 cpu-flow-control=no

Statistics

Some switch chips are capable of reporting statistics, this can be useful to monitor how many packets are sent to the CPU from the built-in switch chip. These statistics can also be used to monitor CPU Flow Control. You can find an example of switch chip's statistics below:

[admin@MikroTik] > /interface ethernet switch print stats

                      name:      switch1
            driver-rx-byte:  221 369 701
          driver-rx-packet:    1 802 975
            driver-tx-byte:   42 621 969
          driver-tx-packet:      310 485
                  rx-bytes:  414 588 529
                 rx-packet:    2 851 236
              rx-too-short:            0
               rx-too-long:            0
              rx-broadcast:    1 040 309
                  rx-pause:            0
              rx-multicast:      486 321
              rx-fcs-error:            0
            rx-align-error:            0
               rx-fragment:            0
                rx-control:            0
             rx-unknown-op:            0
           rx-length-error:            0
             rx-code-error:            0
          rx-carrier-error:            0
                 rx-jabber:            0
                   rx-drop:            0
                  tx-bytes:   44 071 621
                 tx-packet:      312 597
              tx-too-short:            0
               tx-too-long:        8 397
              tx-broadcast:        2 518
                  tx-pause:        2 112
              tx-multicast:        7 142
    tx-excessive-collision:            0
     tx-multiple-collision:            0
       tx-single-collision:            0
     tx-excessive-deferred:            0
               tx-deferred:            0
         tx-late-collision:            0
        tx-total-collision:            0
                   tx-drop:            0
                 tx-jabber:            0
              tx-fcs-error:            0
                tx-control:        2 112
               tx-fragment:            0
                  tx-rx-64:        6 646
              tx-rx-65-127:    1 509 891
             tx-rx-128-255:    1 458 299
             tx-rx-256-511:      178 975
            tx-rx-512-1023:          953
           tx-rx-1024-1518:          672
            tx-rx-1519-max:            0

Some devices have multiple CPU cores that are directly connected to a built-in switch chip using separate data lanes. These devices can report which data lane was used to forward the packet from or to the CPU port from the switch chip. For such devices an extra line is added for each row, the first line represents data that was sent using the first data lane, the second line represent data that was sent using the second data line and so on. You can find an example of switch chip's statistics for a device with multiple data lanes connecting the CPU and the built-in switch chip:

[admin@MikroTik] > /interface ethernet switch print stats
                  name:      switch1
        driver-rx-byte:  226 411 248
                                   0
      driver-rx-packet:    1 854 971
                                   0
        driver-tx-byte:   45 988 067
                                   0
      driver-tx-packet:      345 282
                                   0
              rx-bytes:  233 636 763
                                   0
             rx-packet:    1 855 018
                                   0
          rx-too-short:            0
                                   0
           rx-too-long:            0
                                   0
              rx-pause:            0
                                   0
          rx-fcs-error:            0
                                   0
           rx-overflow:            0
                                   0
              tx-bytes:   47 433 203
                                   0
             tx-packet:      345 282
                                   0
    tx-total-collision:            0
                                   0

Setup Examples

Note: Make sure you have added all needed interfaces to the VLAN table when using secure vlan-mode. For routing functions to work properly on the same device through ports that use secure vlan-mode, you will need to allow access to the CPU from those ports, this can be done by adding the switchX-cpu interface itself to the VLAN table. Examples can be found at the Management port section.


Warning: When allowing access to the CPU, you are allowing access from a certain port to the actual router/switch, this is not always desirable. Make sure you implement proper firewall filter rules to secure your device when access to the CPU is allowed from a certain VLAN ID and port, use firewall filter rules to allow access to only certain services.


Note: It is possible to use the built-in switch chip and the CPU at the same time to create a Switch-Router setup, where a device acts as a switch and as a router at the same time. You can find a configuration example in the Switch-Router guide.


VLAN Example 1 (Trunk and Access Ports)

RouterBOARDs with Atheros switch chips can be used for 802.1Q Trunking. This feature in RouterOS v6 is supported by QCA8337, Atheros8316, Atheros8327, Atheros8227 and Atheros7240 switch chips.
In this example ether3, 'ether4 and ether5 interfaces are access ports, while ether2 is a trunk port. VLAN IDs for each access port: ether3 - 200, ether4 - 300, ether5 - 400.

Switch together the required ports:

/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether2 hw=yes
add bridge=bridge1 interface=ether3 hw=yes
add bridge=bridge1 interface=ether4 hw=yes
add bridge=bridge1 interface=ether5 hw=yes

Note: By default, the bridge interface is configured with protocol-mode set to rstp. For some devices, this can disable hardware offloading because specific switch chips do not support this feature. See the Bridge Hardware Offloading section with supported features.


Add VLAN table entries to allow frames with specific VLAN IDs between ports:

/interface ethernet switch vlan
add ports=ether2,ether3 switch=switch1 vlan-id=200
add ports=ether2,ether4 switch=switch1 vlan-id=300
add ports=ether2,ether5 switch=switch1 vlan-id=400

Assign vlan-mode and vlan-headermode for each port and also default-vlan-id on ingress for each access port:

/interface ethernet switch port
set ether2 vlan-mode=secure vlan-header=add-if-missing
set ether3 vlan-mode=secure vlan-header=always-strip default-vlan-id=200
set ether4 vlan-mode=secure vlan-header=always-strip default-vlan-id=300
set ether5 vlan-mode=secure vlan-header=always-strip default-vlan-id=400
  • Setting vlan-mode=secure ensures strict use of VLAN table.
  • Setting vlan-header=always-strip for access ports removes VLAN header from frame when it leaves the switch chip.
  • Setting vlan-header=add-if-missing for trunk port adds VLAN header to untagged frames.
  • default-vlan-id specifies what VLAN ID is added for untagged ingress traffic of the access port.

Note: For devices with QCA8337 and Atheros8327 switch chips a default vlan-header=leave-as-is should be used. When vlan-mode=secure is configured, it ignore switch port vlan-header options. VLAN table entries handle all the egress tagging/untagging and works as vlan-header=leave-as-is on all ports. It means what comes in tagged, goes out tagged as well, only default-vlan-id frames are untagged at the egress of port.


VLAN Example 2 (Trunk and Hybrid Ports)

VLAN Hybrid ports which can forward both tagged and untagged traffic are supported only by some Gigabit switch chips (QCA8337, Atheros8327)

Switch together the required ports:

/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether2 hw=yes
add bridge=bridge1 interface=ether3 hw=yes
add bridge=bridge1 interface=ether4 hw=yes
add bridge=bridge1 interface=ether5 hw=yes

Note: By default, the bridge interface is configured with protocol-mode set to rstp. For some devices, this can disable hardware offloading because specific switch chips do not support this feature. See the Bridge Hardware Offloading section with supported features.


Add VLAN table entries to allow frames with specific VLAN IDs between ports.

/interface ethernet switch vlan
add ports=ether2,ether3,ether4,ether5 switch=switch1 vlan-id=200
add ports=ether2,ether3,ether4,ether5 switch=switch1 vlan-id=300
add ports=ether2,ether3,ether4,ether5 switch=switch1 vlan-id=400

In switch port menu set vlan-mode on all ports and also default-vlan-id on planned hybrid ports:

/interface ethernet switch port
set ether2 vlan-mode=secure vlan-header=leave-as-is
set ether3 vlan-mode=secure vlan-header=leave-as-is default-vlan-id=200
set ether4 vlan-mode=secure vlan-header=leave-as-is default-vlan-id=300
set ether5 vlan-mode=secure vlan-header=leave-as-is default-vlan-id=400
  • vlan-mode=secure will ensure strict use of VLAN table.
  • default-vlan-id will define VLAN for untagged ingress traffic on port.
  • In QCA8337 and Atheros8327 chips when vlan-mode=secure is used, it ignores switch port vlan-header options. VLAN table entries handle all the egress tagging/untagging and works as vlan-header=leave-as-is on all ports. It means what comes in tagged, goes out tagged as well, only default-vlan-id frames are untagged at the egress of port.

Management access configuration

In these examples there will be shown examples for multiple scenarios, but each of these scenarios require you to have switched ports. Below you can find how to switch multiple ports:

/interface bridge
add name=bridge1
/interface bridge port
add interface=ether1 bridge=bridge1 hw=yes
add interface=ether2 bridge=bridge1 hw=yes

Note: By default, the bridge interface is configured with protocol-mode set to rstp. For some devices, this can disable hardware offloading because specific switch chips do not support this feature. See the Bridge Hardware Offloading section with supported features.


In these examples it will be assumed that ether1 is the trunk port and ether2 is the access port, for configuration as the following:

/interface ethernet switch port
set ether1 vlan-header=add-if-missing
set ether2 default-vlan-id=100 vlan-header=always-strip

/interface ethernet switch vlan
add ports=ether1,ether2,switch1-cpu switch=switch1 vlan-id=100

Tagged

In order to make the device accessible only from a certain VLAN, you need to create a new VLAN interface on the bridge interface and assign an IP address to it:

/interface vlan
add name=MGMT vlan-id=99 interface=bridge1

/ip address
add address=192.168.99.1/24 interface=MGMT

Specify from which interfaces it is allowed to access the device:

/interface ethernet switch vlan
add ports=ether1,switch1-cpu switch=switch1 vlan-id=99

Note: Only specify trunk ports in this VLAN table entry, it is not possible to allow access to the CPU with tagged traffic through an access port since the access port will tag all ingress traffic with the specified default-vlan-id value.


When VLAN table is configured, you can enable vlan-mode=secure to limit access to the CPU:

/interface ethernet switch port
set ether1 vlan-header=add-if-missing vlan-mode=secure
set ether2 default-vlan-id=100 vlan-header=always-strip vlan-mode=secure
set switch1-cpu vlan-header=leave-as-is vlan-mode=secure

Untagged

In order to make the device accessible from the access port, create a VLAN interface with the same VLAN ID as set in default-vlan-id, for example VLAN 100, and add an IP address to it:

/interface vlan
add name=VLAN100 vlan-id=100 interface=bridge1

/ip address
add address=192.168.100.1/24 interface=VLAN100

Specify which access (untagged) ports are allowed to access the CPU:

/interface ethernet switch vlan
add ports=ether1,ether2,switch1-cpu switch=switch1 vlan-id=100

Warning: Most commonly an access (untagged) port is accompanied with a trunk (tagged) port. In case of untagged access to the CPU, you are forced to specify both the access port and the trunk port, this gives access to the CPU from the trunk port as well. Not always this is desired and Firewall might be required on top of VLAN filtering.


When VLAN table is configured, you can enable vlan-mode=secure to limit access to the CPU:

/interface ethernet switch port
set ether1 vlan-header=add-if-missing vlan-mode=secure
set ether2 default-vlan-id=100 vlan-header=always-strip vlan-mode=secure
set switch1-cpu vlan-header=leave-as-is vlan-mode=secure

Note: To setup management port using untagged traffic on a device with the Atheros7240 switch chip, you will need to set vlan-header=add-if-missing for the CPU port.


Untagged from tagged port

It is possible to allow access to the device from the trunk (tagged) port with untagged traffic. To do so, assign an IP address on the bridge interface:

/ip address
add address=10.0.0.1/24 interface=bridge1

Specify which ports are allowed to access the CPU. Use vlan-id that is used in default-vlan-id for switch-cpu and trunk ports, by default it is set to 0 or 1.

/interface ethernet switch vlan
add ports=ether1,switch1-cpu switch=switch1 vlan-id=1

When VLAN table is configured, you can enable vlan-mode=secure to limit access to the CPU:

/interface ethernet switch port
set ether1 default-vlan-id=1 vlan-header=add-if-missing vlan-mode=secure
set switch1-cpu default-vlan-id=1 vlan-header=leave-as-is vlan-mode=secure

Note: This configuration example is not possible for devices with the Atheros8316 and Atheros7240 switch chips.


Note: For devices with QCA8337 and Atheros8327 switch chips it is possible to use any other default-vlan-id as long as it stays the same on switch-cpu and trunk ports. For devices with Atheros8227 switch chip only default-vlan-id=0 can be used and trunk port must use vlan-header=leave-as-is.


See also