Manual:CRS Router: Difference between revisions
Line 217: | Line 217: | ||
<pre> | <pre> | ||
/interface bridge vlan | /interface bridge vlan | ||
add bridge=bridge tagged=sfp-sfpplus1,bridge untagged=ether2,ether3,ether4,ether5,ether6,ether7,ether8 vlan-ids=1001 | add bridge=bridge tagged=sfp-sfpplus1,bridge untagged=ether2,ether3,ether4,ether5,ether6,ether7,\ | ||
add bridge=bridge tagged=sfp-sfpplus1,bridge untagged=ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16 vlan-ids=1002 | ether8 vlan-ids=1001 | ||
add bridge=bridge tagged=sfp-sfpplus1,bridge untagged=ether17,ether18,ether19,ether20,ether21,ether22,ether23,ether24 vlan-ids=1003 | add bridge=bridge tagged=sfp-sfpplus1,bridge untagged=ether9,ether10,ether11,ether12,ether13,\ | ||
ether14,ether15,ether16 vlan-ids=1002 | |||
add bridge=bridge tagged=sfp-sfpplus1,bridge untagged=ether17,ether18,ether19,ether20,ether21,\ | |||
ether22,ether23,ether24 vlan-ids=1003 | |||
</pre> | </pre> | ||
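Review bot: In the SwitchA block, each new `\` continuation breaks inside the comma-separated `untagged=` value (`...ether7,\` followed by `ether8 vlan-ids=1001`), so every VLAN's port list is split across two lines and a dropped or duplicated port is easy to miss when the table is copied or audited. Consider breaking before `untagged=` or before `vlan-ids=` so that each property stays whole on one line.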
Line 225: | Line 228: | ||
<pre> | <pre> | ||
/interface bridge vlan | /interface bridge vlan | ||
add bridge=bridge tagged=sfp-sfpplus1 untagged=ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8 vlan-ids=1001 | add bridge=bridge tagged=sfp-sfpplus1 untagged=ether1,ether2,ether3,ether4,ether5,ether6,ether7,\ | ||
add bridge=bridge tagged=sfp-sfpplus1 untagged=ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16 vlan-ids=1002 | ether8 vlan-ids=1001 | ||
add bridge=bridge tagged=sfp-sfpplus1 untagged=ether17,ether18,ether19,ether20,ether21,ether22,ether23,ether24 vlan-ids=1003 | add bridge=bridge tagged=sfp-sfpplus1 untagged=ether9,ether10,ether11,ether12,ether13,ether14,\ | ||
ether15,ether16 vlan-ids=1002 | |||
add bridge=bridge tagged=sfp-sfpplus1 untagged=ether17,ether18,ether19,ether20,ether21,ether22,\ | |||
ether23,ether24 vlan-ids=1003 | |||
</pre> | </pre> | ||
* In case you are using a CRS1xx/CRS2xx series device: | |||
TODO | |||
[[Category:Interface]] | [[Category:Interface]] | ||
[[Category:Manual]] | [[Category:Manual]] | ||
[[Category:Examples]] | [[Category:Examples]] |
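Review bot: The added bullet "In case you are using a CRS1xx/CRS2xx series device:" is followed only by `TODO`, so readers with those devices get no VLAN table configuration and no hint whether the `/interface bridge vlan` commands above apply to them. Either hold the bullet back until the content exists, or replace `TODO` with a sentence saying what those readers should do in the meantime.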
Revision as of 18:57, 15 November 2017
Applies to RouterOS: v6.41 +
Summary
MikroTik's CRS series devices are powerful switches that also have routing capabilities. In some cases it is sufficient to use the CRS built-in CPU to handle some functions that are meant to be done by a router, not a switch. The CRS series devices can be used as a router and as a switch at the same time; this is useful for networks that focus on internal network throughput and don't require a large throughput to the Internet.
Warning: CRS series devices are NOT designed to handle large amounts of traffic through the CPU. Be very careful when designing your network, since large amounts of traffic passing through the CPU will overload it. Functions that depend on the CPU (for example, NAT and DHCP) will not work properly when the CPU is overloaded.
In this setup SwitchA is going to be our Switch-Router that will use port based VLANs, while SwitchB is going to extend the number of ports. Each switch's ports are going to be divided into 3 groups; each group will tag the ingress traffic (access ports) with the appropriate VLAN ID, while the SFP+ port will be used as a trunk port to forward traffic between switches. In this setup a large throughput between each port is expected (except for the WAN port). This guide is written for CRS326-24G-2S+, but it can be used for any other CRS series device that is capable of running RouterOS.
Port switching
- In case you are using a CRS3xx series device:
All switches in this setup require that all used ports are switched together. Use these commands on SwitchA and SwitchB:
/interface bridge add name=bridge vlan-filtering=no
Different ports are added to the bridge on each switch, since one switch will have a WAN port. Use these commands on SwitchA:
/interface bridge port
add bridge=bridge interface=ether2 pvid=1001
add bridge=bridge interface=ether3 pvid=1001
add bridge=bridge interface=ether4 pvid=1001
add bridge=bridge interface=ether5 pvid=1001
add bridge=bridge interface=ether6 pvid=1001
add bridge=bridge interface=ether7 pvid=1001
add bridge=bridge interface=ether8 pvid=1001
add bridge=bridge interface=ether9 pvid=1002
add bridge=bridge interface=ether10 pvid=1002
add bridge=bridge interface=ether11 pvid=1002
add bridge=bridge interface=ether12 pvid=1002
add bridge=bridge interface=ether13 pvid=1002
add bridge=bridge interface=ether14 pvid=1002
add bridge=bridge interface=ether15 pvid=1002
add bridge=bridge interface=ether16 pvid=1002
add bridge=bridge interface=ether17 pvid=1003
add bridge=bridge interface=ether18 pvid=1003
add bridge=bridge interface=ether19 pvid=1003
add bridge=bridge interface=ether20 pvid=1003
add bridge=bridge interface=ether21 pvid=1003
add bridge=bridge interface=ether22 pvid=1003
add bridge=bridge interface=ether23 pvid=1003
add bridge=bridge interface=ether24 pvid=1003
add bridge=bridge interface=sfp-sfpplus1
Since the other switch will not have a WAN port, use these commands on SwitchB:
/interface bridge port
add bridge=bridge interface=ether1 pvid=1001
add bridge=bridge interface=ether2 pvid=1001
add bridge=bridge interface=ether3 pvid=1001
add bridge=bridge interface=ether4 pvid=1001
add bridge=bridge interface=ether5 pvid=1001
add bridge=bridge interface=ether6 pvid=1001
add bridge=bridge interface=ether7 pvid=1001
add bridge=bridge interface=ether8 pvid=1001
add bridge=bridge interface=ether9 pvid=1002
add bridge=bridge interface=ether10 pvid=1002
add bridge=bridge interface=ether11 pvid=1002
add bridge=bridge interface=ether12 pvid=1002
add bridge=bridge interface=ether13 pvid=1002
add bridge=bridge interface=ether14 pvid=1002
add bridge=bridge interface=ether15 pvid=1002
add bridge=bridge interface=ether16 pvid=1002
add bridge=bridge interface=ether17 pvid=1003
add bridge=bridge interface=ether18 pvid=1003
add bridge=bridge interface=ether19 pvid=1003
add bridge=bridge interface=ether20 pvid=1003
add bridge=bridge interface=ether21 pvid=1003
add bridge=bridge interface=ether22 pvid=1003
add bridge=bridge interface=ether23 pvid=1003
add bridge=bridge interface=ether24 pvid=1003
add bridge=bridge interface=sfp-sfpplus1
- In case you are using a CRS1xx/CRS2xx series device:
All switches in this setup require that all used ports are switched together. Use these commands on SwitchA and SwitchB:
/interface bridge add name=bridge vlan-filtering=no
Different ports are added to the bridge on each switch, since one switch will have a WAN port. Use these commands on SwitchA:
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=ether6
add bridge=bridge interface=ether7
add bridge=bridge interface=ether8
add bridge=bridge interface=ether9
add bridge=bridge interface=ether10
add bridge=bridge interface=ether11
add bridge=bridge interface=ether12
add bridge=bridge interface=ether13
add bridge=bridge interface=ether14
add bridge=bridge interface=ether15
add bridge=bridge interface=ether16
add bridge=bridge interface=ether17
add bridge=bridge interface=ether18
add bridge=bridge interface=ether19
add bridge=bridge interface=ether20
add bridge=bridge interface=ether21
add bridge=bridge interface=ether22
add bridge=bridge interface=ether23
add bridge=bridge interface=ether24
add bridge=bridge interface=sfp-sfpplus1
Since the other switch will not have a WAN port, use these commands on SwitchB:
/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=ether6
add bridge=bridge interface=ether7
add bridge=bridge interface=ether8
add bridge=bridge interface=ether9
add bridge=bridge interface=ether10
add bridge=bridge interface=ether11
add bridge=bridge interface=ether12
add bridge=bridge interface=ether13
add bridge=bridge interface=ether14
add bridge=bridge interface=ether15
add bridge=bridge interface=ether16
add bridge=bridge interface=ether17
add bridge=bridge interface=ether18
add bridge=bridge interface=ether19
add bridge=bridge interface=ether20
add bridge=bridge interface=ether21
add bridge=bridge interface=ether22
add bridge=bridge interface=ether23
add bridge=bridge interface=ether24
add bridge=bridge interface=sfp-sfpplus1
Disable the second SFP+ interface (sfp-sfpplus2) for security reasons if it is not being used:
/interface ethernet set [find where name="sfp-sfpplus2"] disabled=yes
Note: Create a bridge with VLAN filtering disabled at first. If you have misconfigured the VLAN table, you will not be able to access the switch. Enable VLAN filtering only on CRS3xx series devices and only when you have finished configuring VLANs.
Management port
There are multiple ways to add a management port; in this example we will use a VLAN interface that accepts already tagged traffic with VLAN ID 99. We will allow management traffic only from ether3 and ether4 on both switches.
Warning: Since a switch was never designed to be a router, a firewall is required to block unwanted traffic destined to the switch. Keep in mind that special packets such as DHCP must still be allowed to reach the switch that runs a DHCP Server, since these packets are sent to the CPU and must not be blocked in the switch chip. If a firewall is not implemented, a management port is unneeded, since access to the CPU will be granted either way. You can find an example firewall that will block unwanted traffic to the CPU. Keep in mind that each firewall rule will add extra load to the CPU.
For this guide we are going to use these addresses for each device:
Address | Device |
---|---|
192.168.99.1 | SwitchA |
192.168.99.2 | SwitchB |
Use these commands on SwitchA:
/interface vlan
add interface=bridge name=MGMT vlan-id=99
/ip address
add address=192.168.99.1/24 interface=MGMT
And use these commands on SwitchB:
/interface vlan
add interface=bridge name=MGMT vlan-id=99
/ip address
add address=192.168.99.2/24 interface=MGMT
/ip route
add gateway=192.168.99.1
- In case you are using CRS3xx series device:
Use these commands on SwitchA and SwitchB:
/interface bridge vlan
add bridge=bridge tagged=bridge,ether3,ether4,sfp-sfpplus1 vlan-ids=99
- In case you are using CRS1xx/CRS2xx series device:
TODO
Note: SwitchB is a pure switch and does not require a firewall to block unwanted traffic; this can be done in the switch chip instead, which is the preferred way on a switch.
Port based VLANs
- In case you are using a CRS3xx series device:
Ingress traffic is going to be tagged with the VLAN ID specified when each port was added to the bridge. Each VLAN ID must be added, with the appropriate ports, to the VLAN table, which serves as an access list and an egress VLAN table. Tagged ports are our trunk ports and untagged ports are our access ports.
Note: Since one of our switches is going to be a router that requires access to the CPU from all ports that will want to access the Internet, we must add the bridge port itself as a tagged port. This must be done only on the switch that will work as a router, otherwise devices will not be able to receive DHCP leases and access the Internet.
Use these commands on SwitchA:
/interface bridge vlan
add bridge=bridge tagged=sfp-sfpplus1,bridge untagged=ether2,ether3,ether4,ether5,ether6,ether7,\
    ether8 vlan-ids=1001
add bridge=bridge tagged=sfp-sfpplus1,bridge untagged=ether9,ether10,ether11,ether12,ether13,\
    ether14,ether15,ether16 vlan-ids=1002
add bridge=bridge tagged=sfp-sfpplus1,bridge untagged=ether17,ether18,ether19,ether20,ether21,\
    ether22,ether23,ether24 vlan-ids=1003
Similarly, add entries to the VLAN table for the other switch. Note that the bridge port is not listed as a tagged port, since nothing needs to access the CPU on that switch. Use these commands on SwitchB:
/interface bridge vlan
add bridge=bridge tagged=sfp-sfpplus1 untagged=ether1,ether2,ether3,ether4,ether5,ether6,ether7,\
    ether8 vlan-ids=1001
add bridge=bridge tagged=sfp-sfpplus1 untagged=ether9,ether10,ether11,ether12,ether13,ether14,\
    ether15,ether16 vlan-ids=1002
add bridge=bridge tagged=sfp-sfpplus1 untagged=ether17,ether18,ether19,ether20,ether21,ether22,\
    ether23,ether24 vlan-ids=1003
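A check worth running before VLAN filtering is enabled on a CRS3xx device, given as an added example that is not part of the original manual: the Python script below parses `/interface bridge port` and `/interface bridge vlan` lines like the ones above and reports access ports whose PVID and untagged VLAN entry disagree, VLAN entries that lack the trunk port, and the VLANs in which the CPU port `bridge` is a member. The sample configuration is constructed, the function names `parse` and `audit` are hypothetical, and one VLAN ID per table entry is assumed.

```python
import re

# Constructed sample (not from a real device): a trimmed SwitchB-style config
# with deliberate mistakes on ether17, ether18 and the VLAN 1003 trunk entry.
SAMPLE = r"""
/interface bridge port
add bridge=bridge interface=ether1 pvid=1001
add bridge=bridge interface=ether9 pvid=1002
add bridge=bridge interface=ether17 pvid=1003
add bridge=bridge interface=sfp-sfpplus1
/interface bridge vlan
add bridge=bridge tagged=sfp-sfpplus1,bridge untagged=ether1 vlan-ids=1001
add bridge=bridge tagged=sfp-sfpplus1 untagged=ether9,\
    ether17 vlan-ids=1002
add bridge=bridge tagged=bridge untagged=ether18 vlan-ids=1003
"""

def parse(config):
    """Return ({port: pvid}, {vlan_id: {"tagged": set, "untagged": set}})."""
    text = re.sub(r"\\[ \t]*\n[ \t]*", "", config)  # join "\" continuation lines
    pvids, vlans, section = {}, {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            section = line
        elif line.startswith("add "):
            kv = dict(p.split("=", 1) for p in line.split()[1:] if "=" in p)
            if section == "/interface bridge port":
                pvids[kv["interface"]] = int(kv.get("pvid", 1))  # default PVID is 1
            elif section == "/interface bridge vlan":  # assumes one ID per entry
                vlans[int(kv["vlan-ids"])] = {
                    k: set(filter(None, kv.get(k, "").split(",")))
                    for k in ("tagged", "untagged")}
    return pvids, vlans

def audit(config, trunk="sfp-sfpplus1"):
    """Return (findings, VLAN IDs in which the CPU port 'bridge' is a member)."""
    pvids, vlans = parse(config)
    findings = []
    for port, pvid in sorted(pvids.items()):
        if port != trunk and port not in vlans.get(pvid, {}).get("untagged", ()):
            findings.append(f"{port}: pvid={pvid} but not untagged in VLAN {pvid}")
    for vid, entry in sorted(vlans.items()):
        for port in sorted(entry["untagged"]):
            if pvids.get(port) != vid:
                findings.append(f"{port}: untagged in VLAN {vid}, pvid={pvids.get(port)}")
        if trunk not in entry["tagged"]:
            findings.append(f"VLAN {vid}: trunk {trunk} is not tagged")
    cpu_vlans = sorted(v for v, e in vlans.items() if "bridge" in e["tagged"])
    return findings, cpu_vlans

if __name__ == "__main__":
    for finding in audit(SAMPLE)[0]:
        print(finding)
```

On a pure switch such as SwitchB the second return value should contain only the management VLAN; any other ID there means that VLAN can reach the CPU.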
- In case you are using a CRS1xx/CRS2xx series device:
TODO