Manual:CRS3xx series switches: Difference between revisions

From MikroTik Wiki
Revision as of 10:16, 12 October 2017

Applies to RouterOS: v6.41 +

Summary

The Cloud Router Switch series are highly integrated switches with high performance ARM CPU and feature-rich packet processor. The CRS switches can be designed into various Ethernet applications including unmanaged switch, Layer 2 managed switch, carrier switch and wired unified packet processing.

Warning: This article applies to CRS3xx series switches and not to CRS1xx/CRS2xx series switches.


Features

Features Description
Forwarding
  • Configurable ports for switching or routing
  • Full non-blocking wirespeed switching
  • Up to 16k MAC entries in Unicast FDB for Layer 2 unicast forwarding
  • Up to 1k MAC entries in Multicast FDB for multicast forwarding
  • Up to 256 MAC entries in Reserved FDB for control and management purposes
  • Forwarding Databases work based on IVL
  • Jumbo frame support
Mirroring
  • Port based mirroring
VLAN
  • Fully compatible with IEEE802.1Q
  • 4k active VLANs
  • Port based VLAN
  • VLAN filtering
Access Control List
  • Ingress ACL tables
  • Up to 128 ACL rules (limited by RouterOS)
  • Classification based on ports, L2, L3, L4 protocol header fields
  • ACL actions include filtering, forwarding and modifying of the protocol header fields

Models

This table clarifies the main differences between Cloud Router Switch models.

Model            Switch Chip       CPU     Wireless  SFP+ port  Access Control List  Jumbo Frame (Bytes)
CRS326-24G-2S+   Marvell-98DX3236  800MHz  -         +          +                    10218
CRS317-1G-16S+   Marvell-98DX8216  800MHz  -         +          +                    10218

Abbreviations

  • FDB - Forwarding Database
  • MDB - Multicast Database
  • SVL - Shared VLAN Learning
  • IVL - Independent VLAN Learning
  • PVID - Port VLAN ID

Port Switching

Since v6.40rc29 bridges handle all Layer2 forwarding, and the use of the switch chip (hw-offload) is automatically turned on if the appropriate conditions are met. The rest of the RouterOS Switch features remain untouched in their usual menus. By default all newly created bridge ports have the hw=yes option, which allows enabling hw-offload when possible. If such functionality is not required, it can be disabled with hw=no on the bridge port to have completely software operated bridging.

Note: Downgrading to previous RouterOS versions will not restore master-port configuration. The bridge with no hw-offload will appear instead and master-port configuration will have to be redone from the beginning.


Example

Use the command lines below to create a bridge and add ports to it. On CRS3xx using other bridge protocol modes will also enable hardware offloading.

/interface bridge 
add name=bridge1 igmp-snooping=no protocol-mode=none
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5

Make sure that hardware offloading is enabled. If the H flag is shown next to the desired interface, then hardware offloading is active on that port. If the hardware offloading flag is not shown, then make sure you haven't enabled features that disable hardware offloading.

[admin@MikroTik] > /interface bridge port print 
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload 
 #     INTERFACE              BRIDGE              HW  PVID PRIORITY  PATH-COST INTERNAL-PATH-COST    HORIZON
 0   H ether2                 bridge1             yes    1     0x80         10                 10       none
 1   H ether3                 bridge1             yes    1     0x80         10                 10       none
 2   H ether4                 bridge1             yes    1     0x80         10                 10       none
 3   H ether5                 bridge1             yes    1     0x80         10                 10       none

Note: On CRS3xx series switches the bridge STP/RSTP/MSTP, IGMP Snooping and VLAN filtering settings don't affect hardware offloading; bonding, on the other hand, disables hardware offloading.


Host Table

Sub-menu: /interface bridge host


Property Description
age (read-only: time) The time since the last packet was received from the host
bridge (read-only: name) The bridge the entry belongs to
external-fdb (read-only: flag) Whether the host was learned using wireless registration table
local (read-only: flag) Whether the host entry is of the bridge itself (that way all local interfaces are shown)
mac-address (read-only: MAC address) Host's MAC address
on-interface (read-only: name) Which of the bridged interfaces the host is connected to

Example

  • Use this command to get the active host table:
[admin@MikroTik] > /interface bridge host print 
Flags: L - local, E - external-fdb 
  BRIDGE           MAC-ADDRESS       ON-INTERFACE          AGE                 
  bridge1          00:00:00:00:00:01 ether2                3s                  
  bridge1          00:01:29:FF:1D:CC ether2                0s                  
L bridge1          00:0C:42:52:2E:CF ether2                0s                  
  bridge1          00:0C:42:52:2E:D0 ether2                3s                  
  bridge1          00:0C:42:5C:A5:AE ether2                0s                  

VLAN

Since RouterOS v6.40rc29 bridges provide VLAN aware Layer2 forwarding and VLAN tag modifications within the bridge. This set of features makes bridge operation more like a traditional Ethernet switch and allows overcoming the Spanning Tree compatibility issues of configurations where tunnel-like VLAN interfaces are bridged. Bridge VLAN Filtering configuration is highly recommended to comply with the STP (802.1D) and RSTP (802.1w) standards and is mandatory to enable MSTP (802.1s) support in RouterOS.

VLAN Filtering

The main VLAN setting is vlan-filtering, which globally controls VLAN awareness and VLAN tag processing in the bridge. If vlan-filtering=no, the bridge ignores VLAN tags, works in shared-VLAN-learning (SVL) mode and cannot modify the VLAN tags of packets. Turning on vlan-filtering enables all bridge VLAN related functionality and independent-VLAN-learning (IVL) mode. Besides joining the ports for Layer2 forwarding, the bridge itself is also an interface, therefore it has a Port VLAN ID (pvid) of its own.

Sub-menu: /interface bridge


Property Description
vlan-filtering (yes | no; Default: no) Globally enables or disables VLAN functionality for bridge.
pvid (1..4094; Default: 1) Port VLAN ID (pvid) specifies which VLAN the untagged ingress traffic is assigned to. It applies e.g. to frames sent from bridge IP and destined to a bridge port.


Sub-menu: /interface bridge port


Property Description
frame-types (admit-all | admit-only-untagged-and-priority-tagged | admit-only-vlan-tagged; Default: admit-all) Specifies allowed ingress frame types on a bridge port.
ingress-filtering (yes | no; Default: no) Enables or disables filtering which looks for an ingress port match in the Bridge VLAN table.
pvid (1..4094; Default: 1) Port VLAN ID (pvid) specifies which VLAN the untagged ingress traffic is assigned to.

VLAN Table

The Bridge VLAN table represents the per-VLAN port mapping with an egress VLAN tag action. Tagged ports send out frames with the learned VLAN ID tag; untagged ports remove the VLAN tag before sending out frames if the learned VLAN ID matches the port pvid.

Sub-menu: /interface bridge vlan


Property Description
bridge (name) The bridge interface which the respective VLAN entry is intended for.
disabled (yes | no; Default: no) Enables or disables Bridge VLAN entry.
tagged (interfaces; Default: none) Interface list with a VLAN tag adding action in egress. This setting accepts comma separated values. E.g. tagged=ether1,ether2.
untagged (interfaces; Default: none) Interface list with a VLAN tag removing action in egress. This setting accepts comma separated values. E.g. untagged=ether3,ether4.
vlan-ids (1..4094) The list of VLAN IDs for certain port configuration. This setting accepts VLAN ID range as well as comma separated values. E.g. vlan-ids=100-115,120,122,128-130.
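The following configuration is an added example, not part of the original page or of MikroTik's own documentation; it puts the settings from the three sub-menus above together on one CRS3xx bridge. The interface roles, VLAN IDs and the 192.0.2.10/24 management address are assumptions chosen for the example. ether2 is a trunk carrying VLANs 10 and 20, ether3 is an access port in VLAN 10 and ether4 an access port in VLAN 20; frame-types and ingress-filtering are set so that each port admits only the frame types its role requires, and the bridge itself is a tagged member of VLAN 10 so that the management IP remains reachable once filtering is switched on.

```routeros
# Added example (not from the original page): VLAN-filtered bridge on a CRS3xx.
# Interface names, VLAN IDs and the management address are assumptions.
/interface bridge
add name=bridge1 protocol-mode=rstp vlan-filtering=no

/interface bridge port
# trunk: admit only VLAN-tagged frames, and only for VLANs that list ether2 in the VLAN table
add bridge=bridge1 interface=ether2 frame-types=admit-only-vlan-tagged ingress-filtering=yes
# access ports: admit only untagged (or priority-tagged) frames and assign them to the port pvid
add bridge=bridge1 interface=ether3 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether4 pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

/interface bridge vlan
# VLAN 10: tagged towards the trunk and towards the bridge interface itself (management path),
# untagged towards the access port ether3
add bridge=bridge1 vlan-ids=10 tagged=ether2,bridge1 untagged=ether3
# VLAN 20: tagged towards the trunk, untagged towards the access port ether4
add bridge=bridge1 vlan-ids=20 tagged=ether2 untagged=ether4

# management interface on VLAN 10, created on top of the bridge interface
/interface vlan
add name=vlan10-mgmt interface=bridge1 vlan-id=10
/ip address
add address=192.0.2.10/24 interface=vlan10-mgmt

# enable VLAN filtering only after the VLAN table contains the management path
/interface bridge set bridge1 vlan-filtering=yes

# verification: every port should still carry the H (hw-offload) flag,
# and the VLAN table should show the intended tagged/untagged membership
/interface bridge port print
/interface bridge vlan print
```

The order matters: with vlan-filtering=yes the bridge forwards only VLANs present in the table, so if the VLAN carrying the management address is not in the table (with bridge1 listed as a member) at the moment filtering is enabled, the device becomes unreachable through the bridge. Keeping frame-types and ingress-filtering restrictive on access ports also means a host cannot inject tagged frames to reach a VLAN it was not assigned to.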

(R/M)STP

Network loops may emerge (intentionally or not) in complex topologies. Without any special treatment, loops would prevent the network from functioning normally, as they would lead to avalanche-like packet multiplication. Each bridge runs an algorithm which calculates how the loop can be prevented. STP and RSTP allow bridges to communicate with each other, so they can negotiate a loop free topology. All other alternative connections that would otherwise form loops are put to standby, so that should the main connection fail, another connection can take its place. This algorithm exchanges configuration messages (BPDU - Bridge Protocol Data Unit) periodically, so that all bridges are updated with the newest information about changes in network topology. (R)STP selects a root bridge which is responsible for network reconfiguration, such as blocking and opening ports on other bridges. The root bridge is the bridge with the lowest bridge ID.

As of RouterOS v6.41 all CRS3xx series switches support (R/M)STP bridge protocol mode and hardware offloading simultaneously, meaning that it is possible to use the switch chip's built-in VLAN filtering function in conjunction with the bridge's Spanning Tree Protocol features and forward packets at wire-speed.

Sub-menu: /interface bridge


Property Description
protocol-mode (mstp | none | rstp | stp; Default: rstp)
  • stp - Spanning Tree Protocol to enable loop-free topology;
  • rstp - "faster" Spanning Tree Protocol;
  • mstp - VLAN aware Spanning Tree Protocol;
  • none - disables network topology learning features;

IGMP Snooping

IGMP Snooping, which controls multicast streams and prevents multicast flooding, is implemented in RouterOS starting from version 6.41. Its settings are placed in the bridge menu and it works independently in every bridge interface. The software driven implementation works on all devices with RouterOS, but CRS1xx/2xx/3xx series switches also support IGMP Snooping with hardware offloading.

  • Use this command to enable IGMP Snooping on a bridge interface:
/interface bridge set bridge1 igmp-snooping=yes
  • Use this command to get current Multicast Database entries:
[admin@MikroTik] > /interface bridge mdb print 
BRIDGE                   VID GROUP                                              PORTS           
bridge1                  200 229.1.1.2                                          ether3          
                                                                                ether2          
                                                                                ether1          
bridge1                  300 231.1.3.3                                          ether4          
                                                                                ether3          
                                                                                ether2          
bridge1                  400 229.10.10.4                                        ether4          
                                                                                ether3          
bridge1                  500 234.5.1.5                                          ether5          
                                                                                ether1

Global Switch Settings

This section holds general information about the switch chip built into the device and allows specifying port mirroring options.

Sub-menu: /interface ethernet switch


To view the current switch chip for the device, use this command:

[admin@MikroTik] /interface ethernet switch> print 
Flags: I - invalid 
 #   NAME                              TYPE             MIRROR-SOURCE                             MIRROR-TARGET
 0   switch1                           Marvell-98DX3236 none                                      none  

To change the switch chip's name, use this command:

/interface ethernet switch set switch1 name=switch_chip

Port Mirroring

Port mirroring lets the switch 'sniff' all traffic that is going in and out of one port (mirror-source) and send a copy of those packets out of some other port (mirror-target). This feature can be used to easily set up a 'tap' device that receives all traffic that goes in/out of some specific port. Note that the mirror-source and mirror-target ports have to belong to the same switch (see which ports belong to which switch in the /interface ethernet menu). Also, mirror-target can have a special 'cpu' value, which means that 'sniffed' packets should be sent out of the switch chip's CPU port. Port mirroring happens independently of any switching groups that have or have not been set up.

Use this command to set a port mirror from ether2 to ether3:

/interface ethernet switch
set switch1 mirror-source=ether2 mirror-target=ether3

Port Settings

It is possible to limit ingress and egress bandwidth per port using the /interface ethernet switch port menu.

Sub-menu: /interface ethernet switch port


Property Description
egress-rate (Default: none) Specifies port egress rate in bps
ingress-rate (Default: none) Specifies port ingress rate in bps

Switch Rules (ACL)

The Access Control List consists of ingress policy and egress policy engines and allows configuring up to 128 policy rules (limited by RouterOS). It is an advanced tool for wire-speed packet filtering, forwarding and modifying based on Layer2, Layer3 and Layer4 protocol header field conditions.

Sub-menu: /interface ethernet switch rule


Property Description
copy-to-cpu (no | yes; Default: no) Clones the matching packet and sends it to the CPU.
disabled (yes | no; Default: no) Enables or disables ACL entry.
dscp (0..63) Matching DSCP field of the packet.
dst-address (IP address/Mask) Matching destination IP address and mask.
dst-address6 (IPv6 address/Mask) Matching destination IPv6 address and mask.
dst-mac-address (MAC address/Mask) Matching destination MAC address and mask.
dst-port (0..65535) Matching destination protocol port number.
flow-label (0..1048575) Matching IPv6 flow label.
mac-protocol (802.2 | arp | homeplug-av | ip | ipv6 | ipx | lldp | loop-protect | mpls-multicast | mpls-unicast | packing-compr | packing-simple | pppoe | pppoe-discovery | rarp | service-vlan | vlan | or 0..65535 | or 0x0000-0xffff) Matching particular MAC protocol specified by protocol name or number
mirror (no | yes) Clones the matching packet and sends it to the mirror-target port.
new-dst-ports (ports) Changes the destination port as specified. An empty list will drop the packet. A list of ports will redirect the packet. When the parameter is not used, the packet will be accepted.
new-vlan-id (0..4095) Changes the VLAN ID to the specified value.
new-vlan-priority (0..7) Changes the VLAN priority tag.
ports (ports) Matching ports; the rule applies to traffic received on these ports.
protocol (dccp | ddp | egp | encap | etherip | ggp | gre | hmp | icmp | icmpv6 | idpr-cmtp | igmp | ipencap | ipip | ipsec-ah | ipsec-esp | ipv6 | ipv6-frag | ipv6-nonxt | ipv6-opts | ipv6-route | iso-tp4 | l2tp | ospf | pim | pup | rdp | rspf | rsvp | sctp | st | tcp | udp | udp-lite | vmtp | vrrp | xns-idp | xtp | or 0..255) Matching particular IP protocol specified by protocol name or number.
rate (0..4294967295) Sets bandwidth limitation on matching packets in bps.
redirect-to-cpu (no | yes) Changes the destination port of a matching packet to the CPU.
src-address (IP address/Mask) Matching source IP address and mask.
src-address6 (IPv6 address/Mask) Matching source IPv6 address and mask.
src-mac-address (MAC address/Mask) Matching source MAC address and mask.
src-port (0..65535) Matching source protocol port number.
switch (switch group) Matching switch group to which the rule applies.
traffic-class (0..255) Matching IPv6 traffic class.
vlan-id (0..4095) Matching VLAN ID.
vlan-header (not-present | present) Matching VLAN header, whether the VLAN header is present or not.
vlan-priority (0..7) Matching VLAN priority.

Action parameters:

  • copy-to-cpu
  • redirect-to-cpu
  • mirror
  • new-dst-ports (can be used to drop packets)
  • new-vlan-id
  • new-vlan-priority
  • rate

Conditional parameters:

  • Layer2 conditions
    • dst-mac-address
    • mac-protocol
    • src-mac-address
    • vlan-id
    • vlan-header
    • vlan-priority
  • Layer3 conditions
    • dscp
    • protocol
    • IPv4 conditions
      • dst-address
      • src-address
    • IPv6 conditions
      • dst-address6
      • flow-label
      • src-address6
      • traffic-class
  • Layer4 conditions
    • dst-port
    • src-port
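As an added example (not from the original page or from MikroTik's documentation), the rules below combine the condition and action parameters listed above into a small port-hardening policy for an access port. The MAC address 00:00:00:00:00:01, the port roles and the rate value are assumptions; the example also assumes that rules are evaluated in the order they appear and that the first matching rule applies. Rule 1 has no action parameter and therefore accepts the matching packet; rule 2 uses an empty new-dst-ports list, which the parameter description above defines as dropping the packet.

```routeros
# Added example (not from the original page): ACL rules on the CRS3xx switch chip.
# MAC address, port roles and rate are assumptions; rules are assumed to be
# evaluated top-down with the first match applying.
/interface ethernet switch rule
# 1. on access port ether3 accept frames only from the single host assigned to it
#    (no action parameter: matching packets are accepted)
add switch=switch1 ports=ether3 src-mac-address=00:00:00:00:00:01/FF:FF:FF:FF:FF:FF
# 2. drop every other frame arriving on ether3 (empty new-dst-ports list drops the packet)
add switch=switch1 ports=ether3 new-dst-ports=""
# 3. on ether4 limit ARP traffic to 1 Mbps so a flooding host cannot saturate the segment
add switch=switch1 ports=ether4 mac-protocol=arp rate=1000000
# 4. on ether4 drop untagged IP frames claiming a source in the management range
#    (VLAN header must be absent; matches spoofed management addresses on an access port)
add switch=switch1 ports=ether4 vlan-header=not-present mac-protocol=ip src-address=192.0.2.0/24 new-dst-ports=""
# 5. send a copy of LLDP frames received on the trunk ether2 to the CPU for monitoring,
#    while still forwarding the original frame
add switch=switch1 ports=ether2 mac-protocol=lldp copy-to-cpu=yes

# verification: the rule list should appear in the intended order
/interface ethernet switch rule print
```

Because the rule count is limited to 128 and the rules run in the switch chip, the policy costs no CPU at wire speed, but a misordered rule (for example the drop rule 2 placed before the accept rule 1) silently blocks the legitimate host, so checking the printed order after every change is worth the habit.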

See also