Manual:CRS1xx/2xx series switches

From MikroTik Wiki
Revision as of 09:38, 29 January 2014 by Becs (talk | contribs) (added CRS VLAN translation configuration)

Applies to RouterOS: v6.8 +


Summary

The Cloud Router Switch series are highly integrated switches with a high-performance MIPS CPU and a feature-rich packet processor. CRS switches can be designed into various Ethernet applications, including unmanaged switch, Layer 2 managed switch, carrier switch and wireless/wired unified packet processing.

Abbreviations and Explanations

CVID - Customer VLAN id: inner VLAN tag id of the IEEE 802.1ad frame

SVID - Service VLAN id: outer VLAN tag id of the IEEE 802.1ad frame

IVL - Independent VLAN learning - learning/lookup is based on both MAC addresses and VLAN IDs.

SVL - Shared VLAN learning - learning/lookup is based on MAC addresses - not on VLAN IDs.

TPID - Tag Protocol Identifier

PCP - Priority Code Point: a 3-bit field which refers to the IEEE 802.1p priority

DEI - Drop Eligible Indicator

DSCP - Differentiated Services Code Point

Drop precedence - internal CRS switch QoS attribute used for packet enqueuing or dropping.

Generic Configuration

Sub-menu: /interface ethernet switch


The CRS switch chip is configurable from the /interface ethernet switch console menu.

Property Description
bridge-type (customer-vlan-bridge | service-vlan-bridge; Default: service-vlan-bridge) Bridge type defines which VLAN tag is used as Lookup-VID. Lookup-VID serves as the VLAN key for all VLAN-based lookup.
bypass-l2-security-check-filter-for (protocols; Default: none) Protocols which are excluded from Policy rule security check. (arp, dhcpv4, dhcpv6, eapol, igmp, mld, nd, pppoe-discovery, ripv1)
bypass-vlan-ingress-filter-for (protocols; Default: none) Protocols which are excluded from Ingress VLAN filtering. These protocols are not dropped if they have invalid VLAN. (arp, dhcpv4, dhcpv6, eapol, igmp, mld, nd, pppoe-discovery, ripv1)
drop-if-invalid-or-src-port-not-member-of-vlan-on-ports (ports; Default: none) Ports which drop invalid and other port VLAN id frames.
drop-if-no-vlan-assignment-on-ports (ports; Default: none) Ports which drop frames if no VLAN assignment is applied.
egress-mirror-ratio (1/32768..1/1; Default: 1/1) Proportion of egress mirrored packets compared to all packets.
egress-mirror0-enable (yes | no; Default: yes) Enables or disables egress mirroring on Mirror0 port.
egress-mirror0-format (analyzer-configured | modified | original; Default: modified)
  • analyzer-configured - The packet is the same as the packet sent to the destination. VLAN format is modified based on the VLAN configuration of the analyzer port.
  • modified - The packet is the same as the packet sent to the destination. VLAN format is modified based on the VLAN configuration of the egress port.
  • original - Traffic is mirrored without any change to the original incoming packet format, except that the service VLAN tag is stripped on an edge port.
egress-mirror0-port (port; Default: switch1-cpu) The first egress mirroring analyzer port.
egress-mirror1-enable (yes | no; Default: yes) Enables or disables egress mirroring on Mirror1 port.
egress-mirror1-format (analyzer-configured | modified | original; Default: modified)
  • analyzer-configured - The packet is the same as the packet sent to the destination. VLAN format is modified based on the VLAN configuration of the analyzer port.
  • modified - The packet is the same as the packet sent to the destination. VLAN format is modified based on the VLAN configuration of the egress port.
  • original - Traffic is mirrored without any change to the original incoming packet format, except that the service VLAN tag is stripped on an edge port.
egress-mirror1-port (port; Default: switch1-cpu) The second egress mirroring analyzer port.
egress-sampling-ratio (1/32768..1/1; Default: 1/1)
fdb-uses (mirror0 | mirror1; Default: mirror0) Analyzer port used for FDB-based mirroring.
forward-invalid-vlan (yes | no; Default: yes) Whether to allow forwarding of VLANs which are not members of the VLAN table.
ingress-mirror-ratio (1/32768..1/1; Default: 1/1) Proportion of ingress mirrored packets compared to all packets.
ingress-mirror0-enable (yes | no; Default: yes) Enables or disables ingress mirroring on Mirror0 port.
ingress-mirror0-format (analyzer-configured | modified | original; Default: modified)
  • analyzer-configured - The packet is the same as the packet sent to the destination. VLAN format is modified based on the VLAN configuration of the analyzer port.
  • modified - The packet is the same as the packet sent to the destination. VLAN format is modified based on the VLAN configuration of the egress port.
  • original - Traffic is mirrored without any change to the original incoming packet format, except that the service VLAN tag is stripped on an edge port.
ingress-mirror0-port (port; Default: switch1-cpu) The first ingress mirroring analyzer port.
ingress-mirror1-enable (yes | no; Default: yes) Enables or disables ingress mirroring on Mirror1 port.
ingress-mirror1-format (analyzer-configured | modified | original; Default: modified)
  • analyzer-configured - The packet is the same as the packet sent to the destination. VLAN format is modified based on the VLAN configuration of the analyzer port.
  • modified - The packet is the same as the packet sent to the destination. VLAN format is modified based on the VLAN configuration of the egress port.
  • original - Traffic is mirrored without any change to the original incoming packet format, except that the service VLAN tag is stripped on an edge port.
ingress-mirror1-port (port; Default: switch1-cpu) The second ingress mirroring analyzer port.
invalid-vlan-lookup-mode (ivl | svl; Default: ivl) Lookup and learning mode for packets with invalid VLAN.
ipv4-multicast-lookup-mode (dst-ip-and-vid-for-ipv4 | dst-mac-and-vid-always; Default: dst-mac-and-vid-always) Lookup mode for IPv4 multicast bridging.
  • dst-mac-and-vid-always - For all packet types lookup key is destination MAC and VLAN id.
  • dst-ip-and-vid-for-ipv4 - For IPv4 packets lookup key is destination IP and VLAN id. For other packet types lookup key is destination MAC and VLAN id.
mac-level-isolation (yes | no; Default: no) Enables or disables MAC level isolation.
mirror-egress-if-ingress-mirrored (yes | no; Default: no) When a packet is subject to both ingress and egress mirroring: if this setting is disabled, only ingress mirroring is performed on the packet; if this setting is enabled, both mirroring types are applied.
mirror-tx-on-mirror-port (yes | no; Default: no)
mirrored-packet-drop-precedence (drop | green | red | yellow; Default: green) Remarked drop precedence in mirrored packets. This QoS attribute is used for mirrored packet enqueuing or dropping.
mirrored-packet-qos-priority (0..7; Default: 0) Remarked priority in mirrored packets.
name (string value; Default: switch1) Name of the switch.
override-existing-when-ufdb-full (yes | no; Default: no) Whether to override the existing entry which has the lowest aging value when the UFDB is full.
unicast-fdb-timeout (time interval; Default: 5m) Timeout for Unicast FDB entries.
use-cvid-in-one2one-vlan-lookup (yes | no; Default: yes) Whether to use customer VLAN id for 1:1 VLAN switching lookup.
use-svid-in-one2one-vlan-lookup (yes | no; Default: no) Whether to use service VLAN id for 1:1 VLAN switching lookup.
vlan-level-isolation (yes | no; Default: no) Enables or disables VLAN level isolation.
vlan-uses (mirror0 | mirror1; Default: mirror0) Analyzer port used for VLAN-based mirroring.

Port Configuration

Sub-menu: /interface ethernet switch port


Property Description
action-on-restricted-unknown-sa (copy-to-cpu | drop | forward | redirect-to-cpu; Default: forward) Forwarding action for packets with restricted unknown source MAC address.
action-on-static-station-move (copy-to-cpu | drop | forward | redirect-to-cpu; Default: forward) Forwarding action for packets with normal static station move.
allow-multicast-loopback (yes | no; Default: no) Multicast loopback on port. When enabled, it permits sending a packet back out when source port and destination port are the same for registered multicast or broadcast packets.
allow-unicast-loopback (yes | no; Default: no) Unicast loopback on port. When enabled, it permits sending a packet back out when source port and destination port are the same for known unicast packets.
default-customer-pcp (0..7; Default: 0) Default customer priority of the port.
default-service-pcp (0..7; Default: 0) Default service priority of the port.
drop-counter-config (; Default: none)
drop-when-ufdb-entry-sa-drop (yes | no; Default: no) Whether to drop packets when the UFDB entry has action "src-drop".
dynamic-mac-move-is-restricted-unknown-sa (yes | no; Default: no)
egress-customer-tpid (0..10000; Default: 0x8100)
egress-mirror-to (mirror0 | mirror1; Default: mirror0) Analyzer port for port-based egress mirroring.
egress-mirroring (yes | no; Default: no) Enable or disable egress mirroring on the port.
egress-pcp-propagation (yes | no; Default: no) Enables or disables egress PCP propagation.
  • If the egress port type is Edge, the customer PCP is copied from the service PCP.
  • If the egress port type is Network, the service PCP is copied from the customer PCP.
egress-sampling (yes | no; Default: no)
egress-service-tpid (0..10000; Default: 0x88A8)
egress-vlan-lookup (according-to-bridge-type | according-to-egress-vlan-type; Default: according-to-egress-vlan-type) Egress VLAN table (VLAN Tagging) lookup:
  • according-to-egress-vlan-type - Lookup VLAN id is CVID when Edge port is configured, SVID when Network port is configured.
  • according-to-bridge-type - Lookup VLAN id is CVID when customer VLAN bridge is configured, SVID when service VLAN bridge is configured. Customer tag is unmodified for edge port in service VLAN bridge.
egress-vlan-mode (tagged | unmodified | untagged; Default: unmodified) Egress VLAN tagging action on the port.
egress-vlan-type (edge-port | network-port; Default: edge-port) Port type for Egress VLAN lookup.
filter-priority-tagged-frame (yes | no; Default: no) Whether to filter tagged frames with priority on the port.
filter-tagged-frame (yes | no; Default: no) Whether to filter tagged frames on the port.
filter-untagged-frame (yes | no; Default: no) Whether to filter untagged frames on the port.
ingress-customer-tpid (0..10000; Default: 0x8100)
ingress-mirror-to (mirror0 | mirror1; Default: mirror0) Analyzer port for port-based ingress mirroring.
ingress-mirroring (yes | no; Default: no) Enable or disable ingress mirroring on the port.
ingress-mirroring-according-to-vlan (yes | no; Default: no)
ingress-sampling (yes | no; Default: no)
ingress-sampling-mode (all-frames-excluding-filtered | all-frames-without-mac-error; Default: all-frames-without-mac-error)
ingress-sampling-ratio (1/32768..1/1; Default: 1/1)
ingress-service-tpid (0..10000; Default: 0x88A8)
ingress-vlan-type (edge-port | network-port; Default: edge-port)
isolation-profile (0..31; Default: 30)
  • Port-level isolation profile 0. Uplink port - allows the port to communicate with all ports in the device.
  • Port-level isolation profile 1. Isolated port - allows the port to communicate only with uplink ports.
  • Port-level isolation profile 2 - 31. Community port - allows communication among the same community ports and uplink ports.
learn (yes | no; Default: ) Enable or disable MAC address learning on the port.
learn-limit (1..1023; Default: ) Limit on the number of MAC addresses allowed on the port.
learn-restricted-unknown-sa (yes | no; Default: yes) Enable to learn restricted unknown source MAC. Source MAC is classified as Restricted Unknown if any one of the following conditions is met:

  • MAC address limit is disabled on the incoming port.
  • MAC address limit is enabled on the incoming port and the number of learnt MAC addresses exceeds the MAC limit number of the port.
  • Dynamic source MAC move is not allowed on the port and dynamic source MAC move is treated as security breach.
  • Secure static source MAC move is not allowed on the port and security static source MAC move is treated as security breach.
mac-based-customer-vlan-for (all-frames | none | tagged-frame-only | untagged-and-priority-tagged-frame-only; Default: none) Frame type to which MAC-based customer VLAN translation applies.
mac-based-service-vlan-for (all-frames | none | tagged-frame-only | untagged-and-priority-tagged-frame-only; Default: none) Frame type to which MAC-based service VLAN translation applies.
mac-based-vlan-translate (yes | no; Default: no) Enable or disable MAC-based VLAN translation on the port.
mac-vlan-type (edge-port | network-port; Default: edge-port) Port type for MAC based VLAN translation.
pcp-propagation-for-initial-pcp (yes | no; Default: no)
per-queue-scheduling (strict-priority | wrr-group0 | wrr-group1; Default: )
priority-to-queue (; Default: 0-15:0,1:1,2:2,3:3)
qos-change-dei (yes | no; Default: no) Whether to change DEI on the port.
qos-change-dscp (yes | no; Default: no) Whether to change DSCP on the port.
qos-change-pcp (yes | no; Default: no) Whether to change PCP on the port.
qos-dscp-to-dscp-mapping (yes | no; Default: no) Enable or disable DSCP mapping on the port.
qos-pcp-dei-map-dei (; Default: 0-15:0)
qos-pcp-dei-map-drop-precedence (; Default: 0-15:green)
qos-pcp-dei-map-dscp (; Default: 0-15:0)
qos-pcp-dei-map-pcp (; Default: 0-15:0)
qos-pcp-dei-map-priority (yes | no; Default: 0-15:0)
qos-scheme-precedence (da-based | dscp-based | pcp-based | protocol-based | sa-based | vlan-based; Default: pcp-based)
secure-static-mac-move-is-restricted-unknown-sa (yes | no; Default: no)
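
The following configuration is an added example, not part of the MikroTik manual. It sets the permissive defaults from the switch and port tables above beside stricter values for ingress VLAN filtering. The port names (ether1 as trunk/uplink, ether2-ether4 as access ports) are assumptions; every property, value and default is taken from the tables.

```routeros
# Added example, not from the MikroTik manual.
# Assumed layout: ether1 = trunk/uplink, ether2-ether4 = access ports.

/interface ethernet switch
# Default forward-invalid-vlan=yes forwards frames whose VLAN is not in the
# VLAN table. Populate the VLAN table first, then switch this off.
set forward-invalid-vlan=no
# Default: none. Drop frames with an invalid VLAN id and frames that arrive
# on a port which is not a member of that VLAN.
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether1,ether2,ether3,ether4
# Default: none. Drop frames on access ports when no VLAN assignment applied.
# These ports need a VLAN assignment rule, otherwise all their traffic drops.
set drop-if-no-vlan-assignment-on-ports=ether2,ether3,ether4
# bypass-vlan-ingress-filter-for and bypass-l2-security-check-filter-for stay
# at their default (none), so no protocol is exempt from the checks above.

/interface ethernet switch port
# Access ports: defaults are filter-tagged-frame=no and
# filter-priority-tagged-frame=no. Hosts are expected to send untagged frames.
set ether2 filter-tagged-frame=yes filter-priority-tagged-frame=yes
set ether3 filter-tagged-frame=yes filter-priority-tagged-frame=yes
set ether4 filter-tagged-frame=yes filter-priority-tagged-frame=yes
# Trunk port: default filter-untagged-frame=no. Only tagged frames expected.
set ether1 filter-untagged-frame=yes

# Isolation profiles as described in the port table (default is 30):
# 0 = uplink (talks to all ports), 1 = isolated (talks only to uplink ports).
set ether1 isolation-profile=0
set ether2 isolation-profile=1
set ether3 isolation-profile=1
set ether4 isolation-profile=1

# Review the resulting settings.
/interface ethernet switch print
/interface ethernet switch port print
```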

Ingress/Egress VLAN Translation

Sub-menu: /interface ethernet switch ingress-vlan-translation


Sub-menu: /interface ethernet switch egress-vlan-translation


Property Description
customer-dei (0..1; Default: none) Matching DEI of the customer tag.
customer-pcp (0..7; Default: none) Matching PCP of the customer tag.
customer-vid (0..4095; Default: none) Matching VLAN id of the customer tag.
customer-vlan-lookup-for (all | priority-tagged-or-tagged | tagged | untagged-or-tagged; Default: untagged-or-tagged) Type of frames with customer tag for which VLAN translation rule is valid.
disabled (yes | no; Default: no) Enables or disables VLAN translation entry.
new-customer-vid (0..4095; Default: none) The new customer VLAN id which replaces matching customer VLAN id.
new-service-vid (0..4095; Default: none) The new service VLAN id which replaces matching service VLAN id.
pcp-propagation (yes | no; Default: no) Enables or disables PCP propagation.
  • If the port type is Edge, the customer PCP is copied from the service PCP.
  • If the port type is Network, the service PCP is copied from the customer PCP.
port (port) Matching switch port for VLAN translation rule.
protocol (protocols; Default: none) Matching Ethernet protocol.
sa-learning (yes | no; Default: no) Enables or disables source MAC learning after VLAN translation.
service-dei (0..1; Default: none) Matching DEI of the service tag.
service-pcp (0..7; Default: none) Matching PCP of the service tag.
service-vid (0..4095; Default: none) Matching VLAN id of the service tag.
service-vlan-lookup-for (all | priority-tagged-or-tagged | tagged | untagged-or-tagged; Default: untagged-or-tagged) Type of frames with service tag for which VLAN translation rule is valid.
swap-vids (yes | no; Default: no) Allows swapping original service VLAN id with original customer VLAN id.
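
A paired ingress/egress translation rule built from the properties above, as an added example that is not part of the MikroTik manual. The port name ether5 and the VLAN ids 100 and 200 are assumed values.

```routeros
# Added example, not from the MikroTik manual.
# Assumed values: port ether5, outside CVID 100, inside CVID 200.

/interface ethernet switch
# Use the customer tag as Lookup-VID (the default is service-vlan-bridge).
set bridge-type=customer-vlan-bridge

/interface ethernet switch ingress-vlan-translation
# Frames entering ether5 with customer VLAN id 100 are rewritten to 200.
# customer-vlan-lookup-for=tagged limits the rule to tagged frames
# (default: untagged-or-tagged). sa-learning=yes learns the source MAC
# after translation.
add port=ether5 customer-vid=100 new-customer-vid=200 \
    customer-vlan-lookup-for=tagged sa-learning=yes

/interface ethernet switch egress-vlan-translation
# Reverse mapping for frames leaving ether5: 200 back to 100.
add port=ether5 customer-vid=200 new-customer-vid=100 \
    customer-vlan-lookup-for=tagged

# Review both rule tables. A rule with disabled=yes is kept but not applied.
/interface ethernet switch ingress-vlan-translation print
/interface ethernet switch egress-vlan-translation print
```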