Manual:Switch Chip Features: Difference between revisions

From MikroTik Wiki
Revision as of 08:32, 11 July 2014

Applies to RouterOS: v4.0 +

Introduction

There are several types of switch chips on RouterBoards, each with a different set of features. Most of them (referred to as "Other" below) offer only the basic "Port Switching" feature, but a few support more:

Capabilities of switch chips:

Feature          Atheros8327    Atheros8316    Atheros8227    Atheros7240    ICPlus175D   Other
Port Switching   yes            yes            yes            yes            yes          yes
Port Mirroring   yes            yes            yes            yes            yes          no
Host table       2048 entries   2048 entries   1024 entries   2048 entries   no           no
Vlan table       4096 entries   4096 entries   4096 entries   16 entries     no           no
Rule table       92 rules       32 rules       no             no             no           no


RouterBoard        Switch-chip description
RB2011 series      Atheros8327 (ether1-ether5+sfp1); Atheros8227 (ether6-ether10)
RB750GL            Atheros8327 (ether1-ether5)
RB751G-2HnD        Atheros8327 (ether1-ether5)
RB951G-2HnD        Atheros8327 (ether1-ether5)
RB1100AH           Atheros8327 (ether1-ether5); Atheros8327 (ether6-ether10)
RB1100AHx2         Atheros8327 (ether1-ether5); Atheros8327 (ether6-ether10)
CCR1009 series     Atheros8327 (ether1-ether4)
RB493G             Atheros8316 (ether1+ether6-ether9); Atheros8316 (ether2-ether5)
RB435G             Atheros8316 (ether1-ether3) with ether1 optional [more]
RB450G             Atheros8316 (ether1-ether5) with ether1 optional [more]
RB750G             Atheros8316 (ether1-ether5)
RB1200             Atheros8316 (ether1-ether5)
RB1100             Atheros8316 (ether1-ether5); Atheros8316 (ether6-ether10)
RB750              Atheros7240 (ether2-ether5)
RB750UP            Atheros7240 (ether2-ether5)
RB751U-2HnD        Atheros7240 (ether2-ether5)
RB951-2n           Atheros7240 (ether2-ether5)
RB951Ui-2HnD       Atheros8227 (ether1-ether5)
RB433 series       ICPlus175D (ether2-ether3); older models had ICPlus175C
RB450              ICPlus175D (ether2-ether5); older models had ICPlus175C
RB493 series       ICPlus178C (ether2-ether9)
RB816              ICPlus178C (ether1-ether16)


Command line configuration is under the /interface ethernet switch menu. This menu lists every switch chip present in the system and contains several sub-menus. Each item in the /interface ethernet switch list represents one switch chip in the system:

[admin@MikroTik] /interface ethernet switch> print
Flags: I - invalid
 #   NAME     TYPE         MIRROR-SOURCE   MIRROR-TARGET
 0   switch1  Atheros-8316 ether2          none

Depending on the switch chip type, some of the configuration capabilities described below may or may not be available.

Atheros8316 packet flow diagram

Features

Port Switching

The switching feature allows wire-speed traffic forwarding among a group of ports, as if they were ports of a regular ethernet switch. You configure this feature by setting the "master-port" property on one or more ports in the /interface ethernet menu. The 'master' port is the port through which RouterOS communicates with all ports in the group. Interfaces for which a 'master' port is specified become slaves and are inactive from the RouterOS point of view: no traffic is received on them and no traffic can be sent out of them directly, so interface-based firewall rules and addresses must reference the master port rather than a slave.

For example consider a router with five ethernet interfaces:

[admin@MikroTik] > interface ethernet print
Flags: X - disabled, R - running, S - slave
 #    NAME      MTU   MAC-ADDRESS       ARP        MASTER-PORT      SWITCH
 0 R  ether1    1500  00:0C:42:3E:5D:BB enabled
 1    ether2    1500  00:0C:42:3E:5D:BC enabled    none             switch1
 2    ether3    1500  00:0C:42:3E:5D:BD enabled    none             switch1
 3    ether4    1500  00:0C:42:3E:5D:BE enabled    none             switch1
 4 R  ether5    1500  00:0C:42:3E:5D:BF enabled    none             switch1

And you configure a switch containing three ports ether3, ether4 and ether5:

[admin@MikroTik] /interface ethernet> set ether4,ether5 master-port=ether3
[admin@MikroTik] /interface ethernet> print
Flags: X - disabled, R - running, S - slave
 #    NAME      MTU   MAC-ADDRESS       ARP        MASTER-PORT      SWITCH
 0 R  ether1    1500  00:0C:42:3E:5D:BB enabled
 1    ether2    1500  00:0C:42:3E:5D:BC enabled    none             switch1
 2 R  ether3    1500  00:0C:42:3E:5D:BD enabled    none             switch1
 3  S ether4    1500  00:0C:42:3E:5D:BE enabled    ether3           switch1
 4 RS ether5    1500  00:0C:42:3E:5D:BF enabled    ether3           switch1

ether3 is now the master port of the group. Note that previously a link was detected only on ether5; now that ether3 is the 'master', the running flag is propagated to the master port.

File:Switch1.png

In essence this configuration is the same as if you had a RouterBoard with 3 ethernet interfaces, with ether3 connected to an ethernet switch that has 4 ports:

File:Switch2.png

A more general diagram of a RouterBoard with a 5-port switch chip:

File:Switch3.png

Here you can see that a packet received by one of the ports always passes through the switch logic first. The switch logic decides to which ports the packet should go. Passing the packet 'up' to RouterOS is also called sending it to the switch chip's 'cpu' port: at the point where the switch forwards a packet to the cpu port, RouterOS starts processing it as a packet arriving on some interface, and only from then on do the firewall, routing and other RouterOS features see it. As long as a packet does not go to the cpu port it is handled entirely by the switch logic, requires no cpu cycles and is forwarded at wire speed for any frame size.


The ether1 port on the RB450G has a feature that allows it to be removed from or added to the default switch group. By default ether1 is included in the switch group. This can be changed with /interface ethernet switch set switch1 switch-all-ports=no

  • switch-all-ports=yes/no -

"yes" means ether1 is part of the switch and supports switch grouping and all other advanced Atheros8316 features, including extended statistics (/interface ethernet print stats).

"no" means ether1 is not part of the switch, effectively making it a stand-alone ethernet port. This increases its throughput to the other ports in bridged and routed mode, but removes the possibility of switching on this port.

File:Switch4.png

Port Mirroring

Port mirroring lets the switch 'sniff' all traffic going in and out of one port (mirror-source) and send a copy of those packets out of some other port (mirror-target). This feature can be used to easily set up a 'tap' device that receives all traffic going in/out of a specific port. Note that the mirror-source and mirror-target ports have to belong to the same switch chip (see which port belongs to which switch in the /interface ethernet switch port menu). The mirror-target can also take the special value 'cpu', which means that 'sniffed' packets are sent out of the switch chip's cpu port. Port mirroring happens independently of whether switching groups have been set up. Because the mirror-target receives a copy of every frame on the source port, including traffic that never reaches the cpu port and is therefore never seen by the RouterOS firewall, treat whatever is attached to the target port as a full-capture tap.
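The following is an added example, not configuration from the original page: it mirrors one port to a dedicated analyzer port and shows the check that the two ports share a switch chip. It assumes an RB2011-class board (ether1-ether5 on switch1, ether6-ether10 on a second chip) and that an analyzer is cabled to ether5; the port names are assumptions. The value "none" for mirror-target appears in the page's own print output; using it for mirror-source as well is an assumption.

```routeros
# Added example (not from the original page): mirror all traffic of ether2 to a
# dedicated analyzer port on the same switch chip. Assumes an RB2011-class board
# where ether1-ether5 belong to switch1 and ether6-ether10 to a second chip;
# port names and the analyzer on ether5 are assumptions.

# 1. Confirm which ports share a switch chip. mirror-source and mirror-target
#    must be on the same chip, so ether2 -> ether7 would not be accepted here.
/interface ethernet switch port print

# 2. Start the mirror: every frame in or out of ether2 is also copied to ether5.
#    The analyzer on ether5 sees hardware-switched traffic that never reaches
#    the CPU, so it gets a full capture of that port regardless of firewall rules.
/interface ethernet switch set switch1 mirror-source=ether2 mirror-target=ether5

# 3. Verify the active configuration (MIRROR-SOURCE / MIRROR-TARGET columns).
/interface ethernet switch print

# 4. Stop mirroring when the investigation is over; the copy keeps flowing at
#    wire speed until it is explicitly turned off ("none" for mirror-source is
#    assumed to be accepted, as it is for mirror-target).
/interface ethernet switch set switch1 mirror-source=none mirror-target=none
```

Mirroring is a one-way copy; nothing sent by the analyzer on ether5 is injected back into the mirrored port, but ether5 is still a normal port of the chip, so keep it out of any switch group or VLAN that carries production traffic.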

Host Table

Basically the table represents the switch chip's internal mac address to port mapping. It can contain two kinds of entries: dynamic and static.

Dynamic entries are added automatically; this is also called the learning process: when the switch chip receives a packet on a certain port, it adds the packet's source mac address X together with the port it was received on to the host table, so that when a packet arrives with destination mac address X the chip knows to which port it should be forwarded. If the destination mac address is not present in the host table the packet is flooded to all ports in the group. Dynamic entries take about 5 minutes to time out. Learning is enabled only on ports that are configured as part of a switch group, so you will not see dynamic entries if you have not specified any 'master-ports'.

Static entries can also be added; a static entry takes precedence over a dynamic entry with the same mac address, so a learned (or spoofed) mapping cannot displace it. Adding a static entry also gives access to some more functionality, controlled via the following parameters:

  • copy-to-cpu=yes/no - a packet can be cloned and sent to cpu port
  • redirect-to-cpu=yes/no - a packet can be redirected to cpu port
  • mirror=yes/no - a packet can be cloned and sent to mirror-target port configured in "/interface ethernet switch"
  • drop=yes/no - a packet with certain mac address coming from certain ports can be dropped

The copy-to-cpu, redirect-to-cpu and mirror actions are performed for packets whose destination mac address matches the address specified in the entry; the drop action is performed for packets whose source mac address matches the address specified in the entry and that arrive on the entry's ports.

Another possibility with static entries is that a mac address can be mapped to more than one port, including the 'cpu' port.
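The following is an added example, not part of the original page, showing the three static host table uses described above on a switch1 chip. The MAC addresses and port roles (ether5 as uplink to the gateway, ether3 as a user port) are assumptions; the parameter names are the ones the page lists.

```routeros
# Added example (not from the original page): static host table entries on
# switch1. MAC addresses and port roles are assumptions: ether5 is the uplink
# to the gateway, ether3 is an untrusted user port.

# 1. Pin the gateway's MAC to the uplink port. A static entry overrides any
#    dynamic entry for the same MAC, so a host on ether3 that spoofs the
#    gateway MAC cannot "move" that address onto its own port and attract the
#    other hosts' traffic: frames to this MAC always leave through ether5.
/interface ethernet switch host add switch=switch1 mac-address=00:0C:42:AA:BB:01 ports=ether5

# 2. Drop frames from a known-bad source MAC arriving on ether3. The drop
#    action matches the entry's MAC as the *source* address of frames coming
#    in on the listed ports, so the host is cut off in hardware.
/interface ethernet switch host add switch=switch1 mac-address=00:0C:42:DE:AD:01 ports=ether3 drop=yes

# 3. Redirect frames addressed to a decoy MAC up to the CPU instead of
#    switching them, so RouterOS (for example /tool sniffer) can inspect
#    whoever probes that address. The decoy MAC is an assumption.
/interface ethernet switch host add switch=switch1 mac-address=00:0C:42:DE:C0:01 ports=ether3 redirect-to-cpu=yes

# 4. Check the result; static entries are listed next to the learned ones.
/interface ethernet switch host print
```

Entries 2 and 3 act on different header fields (source MAC for drop, destination MAC for redirect), which is why they need separate entries even for the same port.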

Vlan Table

The vlan table specifies forwarding rules for packets that carry a specific 802.1Q tag. Those rules have higher priority than switch groups configured using the 'master-port' property. Basically the table contains entries that map specific vlan tag ids to a group of one or more ports. Packets with vlan tags leave the switch chip only through the ports listed in the corresponding table entry. The exact logic that controls how tagged packets are treated is controlled by the vlan-mode parameter, which is set per switch port in the /interface ethernet switch port menu. Vlan-mode can take the following values:

  • disabled - ignore the vlan table; treat tagged packets just as if they did not contain a vlan tag;
  • fallback - the default mode - packets with a vlan tag that is not present in the vlan table are handled just like packets without a vlan tag. Packets whose vlan tag is present in the vlan table but whose incoming port is not among that entry's ports are not dropped.
  • check - drop packets with a vlan tag that is not present in the vlan table. Packets whose vlan tag is present in the vlan table but whose incoming port is not among that entry's ports are not dropped.
  • secure - drop packets with a vlan tag that is not present in the vlan table. Packets whose vlan tag is present in the vlan table but whose incoming port is not among that entry's ports are dropped.

Only secure enforces the ingress port membership recorded in the vlan table. In the default fallback mode a host on any switched port can send frames tagged with an unknown vlan id and have them forwarded like untagged traffic, and in check mode it can send frames tagged with any vlan id that exists in the table and have them delivered to that vlan's ports. Use secure on every port whose neighbour is not trusted.

Vlan tag id based forwarding also takes into account the mac addresses learned or manually added in the host table.

Packets without a vlan tag are treated as if they had a vlan tag equal to the port's default-vlan-id. This means that with "vlan-mode=check" or "secure", to be able to forward packets without vlan tags you have to add an entry to the vlan table with the vlan id set to the port's default-vlan-id.

Vlan-header option (configured in /interface ethernet switch port) sets the VLAN tag mode on egress port. Starting from RouterOS version 6 this option works with AR8316, AR8327, AR8227 and AR7240 switch chips and takes the following values:

  • leave-as-is - packet remains unchanged on egress port;
  • always-strip - if VLAN header is present it is removed from the packet;
  • add-if-missing - if VLAN header is not present it is added to the packet.

Rule Table

The rule table is a very powerful tool allowing wire-speed packet filtering, forwarding and vlan tagging based on L2, L3 and L4 protocol header field conditions.

Each rule contains a conditions part and an action part. The action part is controlled by the following parameters:

  • copy-to-cpu=yes/no - clones matching packets and sends them to the cpu port;
  • redirect-to-cpu=yes/no - redirects matching packets to the cpu port;
  • mirror=yes/no - clones matching packets and sends them to the mirror-target port;
  • new-dst-ports - if set, forces the destination port(s) to be as specified; multiple ports are allowed, including the cpu port. A non-obvious use of this parameter is to pass an empty list of ports, which drops matching packets;
  • new-vlan-id (only applies to Atheros8316) - if specified, changes the vlan tag id, or adds a new vlan tag if one was not present;
  • new-vlan-priority - if specified, changes the vlan tag priority bits;
  • rate (only applies to Atheros8327) - sets a rate limit (bits per second) for all matched traffic. Can only be applied to the first 32 rule slots.

The conditions part is controlled by the rest of the parameters:

  • ports - match port that packet came in from (multiple ports allowed);
  • mac layer conditions
    • dst-mac-address - match by destination mac address and mask;
    • src-mac-address - ...;
    • vlan-header - match by vlan header presence;
    • vlan-id (only applies to Atheros8316) - match by vlan tag id;
    • vlan-priority (only applies to Atheros8316) - match by priority in vlan tag;
    • mac-protocol - match by mac protocol (skips vlan tags if any);
  • ip conditions
    • dst-address - match by destination ip and mask;
    • src-address - match by source ip and mask;
    • dscp - match by ip dscp field;
    • protocol - match by ip protocol;
  • ipv6 conditions
    • dst-address6 - match by destination ip and mask;
    • src-address6 - match by source ip and mask;
    • flow-label - match by ipv6 flow label;
    • traffic-class - match by ipv6 traffic class;
    • protocol - match by ip protocol;
  • L4 conditions
    • src-port - match by tcp/udp source port range;
    • dst-port - match by tcp/udp destination port range;

IPv4 and IPv6 specific conditions cannot be present in the same rule. The menu contains an ordered list of rules, just like /ip firewall filter. Because the rule table is processed entirely in the switch chip's hardware, there is a limit on how many rules you may have. Depending on the number of conditions (MAC layer, IP layer, IPv6, L4 layer) used in your rules, the number of active rules may vary from 8 to 32 for the Atheros8316 switch chip and from 24 to 96 for the Atheros8327 switch chip. Always run /interface ethernet switch rule print after modifying your rule set and check that no rules at the end of the list are flagged 'invalid': such rules did not fit into the switch chip and are not being enforced.
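The following is an added example, not part of the original page, putting the rule table to use for the filtering tasks a practitioner most often wants from a hardware rule set: blocking rogue DHCP servers on access ports, locking a port to one MAC, copying ARP to the CPU for inspection, and rate-limiting broadcast. Port roles, MAC addresses and the 1 Mbit/s figure are assumptions. The MAC-lock pair relies on the page's firewall-filter analogy (rules are evaluated in order); that a matching rule with no action simply lets the frame through untouched, ending evaluation, is an assumption.

```routeros
# Added example (not from the original page): hardware rule table on switch1.
# Assumptions: ether2-ether4 are user-facing access ports, ether5 is the uplink
# to the real DHCP server/gateway, and the printer on ether4 has MAC
# 00:0C:42:12:34:56. Rules are evaluated in order like /ip firewall filter;
# a matching rule without any action is assumed to pass the frame unchanged.

/interface ethernet switch rule

# 1. Rogue DHCP server filter: DHCP server replies are UDP with source port 67.
#    No legitimate server sits behind an access port, so send matching frames
#    to an empty port list, which the page documents as the drop action.
add switch=switch1 ports=ether2,ether3,ether4 mac-protocol=ip protocol=udp src-port=67 new-dst-ports=""

# 2. MAC lock on ether4: frames from the printer's MAC (exact mask) match the
#    first rule and pass; anything else arriving on ether4 hits the catch-all
#    drop below it. Order matters: swapping the two lines drops the printer too.
add switch=switch1 ports=ether4 src-mac-address=00:0C:42:12:34:56/FF:FF:FF:FF:FF:FF
add switch=switch1 ports=ether4 new-dst-ports=""

# 3. Copy ARP seen on the uplink to the CPU so RouterOS can log or sniff
#    gateway ARP traffic without pulling it out of the hardware path.
add switch=switch1 ports=ether5 mac-protocol=arp copy-to-cpu=yes

# 4. Atheros8327 only: cap broadcast from each access port at 1 Mbit/s.
#    rate is in bits per second and works only in the first 32 rule slots.
add switch=switch1 ports=ether2,ether3,ether4 dst-mac-address=FF:FF:FF:FF:FF:FF/FF:FF:FF:FF:FF:FF rate=1000000

# 5. Confirm every rule fit into the chip. An 'I' (invalid) flag on a rule
#    means it exceeded the chip's capacity and is not being enforced.
print
```

Rule 1 is the one worth keeping on every access port: it is enforced at wire speed and before the frame could ever reach a bridge filter, so a rogue DHCP server on a user port is stopped even when the traffic never touches the CPU.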

Example - 802.1Q Trunking with Atheros switch chip in RouterOS v6

File:Ar8316 trunk.png

RouterBoards with Atheros switch chips can be used for 802.1Q trunking. In RouterOS version 6 this feature is supported on the AR8316, AR8327, AR8227 and AR7240 switch chips. In this example the ether2, ether3 and ether4 interfaces are access ports, while ether5 is the trunk port. VLAN IDs for each access port: ether2 - 200, ether3 - 300, ether4 - 400.

  • Create a group of switched ports.
/interface ethernet
set ether3 master-port=ether2
set ether4 master-port=ether2
set ether5 master-port=ether2
  • Assign "vlan-mode" and "vlan-header" for each port, and "default-vlan-id" on ingress for each access port. Set "vlan-mode=secure" to ensure strict use of the VLAN table; it is applied to the trunk port too, so a tagged frame arriving on ether5 for a VLAN that is not in the table, or a tagged frame arriving on an access port, is dropped rather than forwarded. Set "vlan-header=always-strip" for access ports - it removes the VLAN header from a frame when it leaves the switch chip. Set "vlan-header=add-if-missing" for the trunk port - it adds a VLAN header to untagged frames. "Default-vlan-id" specifies which VLAN ID is added to ingress traffic of the access port.
/interface ethernet switch port
set ether2 vlan-mode=secure vlan-header=always-strip default-vlan-id=200
set ether3 vlan-mode=secure vlan-header=always-strip default-vlan-id=300
set ether4 vlan-mode=secure vlan-header=always-strip default-vlan-id=400
set ether5 vlan-mode=secure vlan-header=add-if-missing
  • Add VLAN table entries to allow frames with specific VLAN IDs between ports.
/interface ethernet switch vlan
add ports=ether2,ether5 switch=switch1 vlan-id=200
add ports=ether3,ether5 switch=switch1 vlan-id=300
add ports=ether4,ether5 switch=switch1 vlan-id=400

Management IP Configuration

This example will show one of the possible management IP address configurations. Management IP will be accessible only through trunk port and it will have a separate VLAN with ID 99.

  • Configure the port which connects the switch chip with the CPU; set "vlan-header=leave-as-is" because management traffic should already be tagged.
/interface ethernet switch port
set switch1_cpu vlan-mode=secure vlan-header=leave-as-is
  • Add VLAN table entry to allow management traffic through switch-cpu port and the trunk port.
/interface ethernet switch vlan
add ports=ether5,switch1_cpu switch=switch1 vlan-id=99
  • Add VLAN 99 and assign an IP address to it. Since the master port receives all traffic coming from the switch-cpu port, the VLAN interface has to be configured on the master port, in this case ether2.
/interface vlan
add name=vlan99 vlan-id=99 interface=ether2
/ip address
add address=192.168.88.1/24 interface=vlan99 network=192.168.88.0