Difference between revisions of "Manual:CRS1xx/2xx series switches"

From MikroTik Wiki
(→‎Port Switching: added Bridge Hardware Offloading)
 
(61 intermediate revisions by 5 users not shown)
Line 7: Line 7:


The Cloud Router Switch series are highly integrated switches with high performance MIPS CPU and feature-rich packet processor. The CRS switches can be designed into various Ethernet applications including unmanaged switch, Layer 2 managed switch, carrier switch and wireless/wired unified packet processing.
The Cloud Router Switch series are highly integrated switches with high performance MIPS CPU and feature-rich packet processor. The CRS switches can be designed into various Ethernet applications including unmanaged switch, Layer 2 managed switch, carrier switch and wireless/wired unified packet processing.
{{Warning | This article applies to CRS1xx and CRS2xx series switches and not to CRS3xx series switches. For CRS3xx series devices read the [[Manual:CRS3xx_series_switches | CRS3xx series switches]] manual.}}


<table class="styled_table">
<table class="styled_table">
Line 21: Line 23:
<li>Configurable Port based MAC learning limit
<li>Configurable Port based MAC learning limit
<li>Jumbo frame support (CRS1xx: 4064 Bytes; CRS2xx: 9204 Bytes)
<li>Jumbo frame support (CRS1xx: 4064 Bytes; CRS2xx: 9204 Bytes)
<li>IGMP Snooping support</li>
</ul></td>
</ul></td>
</tr>
</tr>
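Review bot: The added `<li>IGMP Snooping support</li>` bullet gives no RouterOS version or offloading condition, while the hardware offloading table that this same revision removes from the Port Switching section marks Bridge IGMP Snooping as "-" (turns off hw-offload) for the CRS1xx/CRS2xx series. State the version from which snooping works with hw-offload kept on, or link to the page that does. Minor: this item closes its `</li>` while the neighbouring list items do not; use one style for the whole list.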
Line 119: Line 122:
|  nowrap style="background-color: #CCC;* " | <b>Access Control List</b>
|  nowrap style="background-color: #CCC;* " | <b>Access Control List</b>
|  nowrap style="background-color: #CCC;* " | <b>Jumbo Frame (Bytes)</b>
|  nowrap style="background-color: #CCC;* " | <b>Jumbo Frame (Bytes)</b>
|-
|  style="background-color: #CCC;font-weight: bold;" | CRS105-5S-FB
|  <b>QCA-8511</b>
|  <b>400MHz</b>
|  style="background-color: #F99;" |  <b>-</b>
|  style="background-color: #F99;" |  <b>-</b>
|  <b>+</b>
|  <b>9204</b>
|-  
|-  
|  style="background-color: #CCC;font-weight: bold;" | CRS106-1C-5S
|  style="background-color: #CCC;font-weight: bold;" | CRS106-1C-5S
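Review bot: The new CRS105-5S-FB row gives a jumbo frame size of 9204 bytes, but the feature list earlier on the page still reads "Jumbo frame support (CRS1xx: 4064 Bytes; CRS2xx: 9204 Bytes)", so a CRS1xx model now contradicts the per-series figure. Either qualify the feature bullet so it no longer states one value for every CRS1xx device, or confirm the value entered in this row.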
Line 204: Line 215:


===Port Switching===
===Port Switching===
Similarly to other RouterBoards, port switching on CRS allows wire-speed traffic forwarding among a group of ports, like the ports were a regular Ethernet switch. This feature is configurable by setting a "master-port" property to one or more ports in <code>/interface ethernet menu</code>. The "master-port" will be the port through which the RouterOS will communicate to all ports in the group. Interfaces which have the "master-port" specified become isolated - no traffic can be received and no traffic can be sent out directly from RouterOS.


Here is a general diagram of RouterBoard with a five port switch chip:
In order to setup port switching on CRS1xx/2xx series switches, check the [[Manual:Interface/Bridge#Bridge_Hardware_Offloading | Bridge Hardware Offloading]] page.


[[File:switch-png.png|center]]
{{Note | Dynamic reserved VLAN entries (VLAN4091; VLAN4090; VLAN4089; etc.) are created in CRS switch when switched port groups are added when a hardware offloaded bridge is created. These VLANs are necessary for internal operation and have lower precedence than user configured VLANs.}}


A packet that is received by one of the ports always passes through the switch logic first. Switch logic decides to which ports the packet should be going to. Passing packet "up" or giving it to RouterOS is also called sending it to switch chip's “CPU” port. It means at that point switch forwards the packet to CPU port the packet starts to get processed by RouterOS as incoming packet of the “master-port”. If the packet does not have to go to “CPU” port, it is handled entirely by switch logic, does not require any CPU resources and happen at wire-speed.
====Multiple switch groups====


Additionally, CRS series switches support multiple “master-port” configurations and have no port selection limitations for a port group which makes possible many various switched port combinations with all CRS switch interfaces. But no port can be in more than one switch group.
The CRS1xx/2xx series switches allow you to use multiple bridges with hardware offloading, this allows you to easily isolate multiple switch groups. This can be done by simply creating multiple bridges and enabling hardware offloading.


For example, consider a CRS125 switch with 24 Ethernet interfaces and 1 SFP interface:
{{ Note | Multiple hardware offloaded bridge configuration is designed as fast and simple port isolation solution, but it limits a part of VLAN functionality supported by CRS switch-chip. For advanced configurations use one bridge within CRS switch chip for all ports, configure VLANs and isolate port groups with port isolation profile configuration. }}
<pre>
[admin@MikroTik] > interface ethernet print
Flags: X - disabled, R - running, S - slave
#    NAME            MTU MAC-ADDRESS      ARP        MASTER-PORT          SWITCH       
0 R  ether1        1500 D4:CA:6D:F9:FE:2F enabled    none                switch1       
1    ether2        1500 D4:CA:6D:F9:FE:30 enabled    none                switch1       
2    ether3        1500 D4:CA:6D:F9:FE:31 enabled    none                switch1       
3    ether4        1500 D4:CA:6D:F9:FE:32 enabled    none                switch1       
4 R  ether5        1500 D4:CA:6D:F9:FE:33 enabled    none                switch1       
5 R  ether6        1500 D4:CA:6D:F9:FE:34 enabled    none                switch1       
6    ether7        1500 D4:CA:6D:F9:FE:35 enabled    none                switch1       
7    ether8        1500 D4:CA:6D:F9:FE:36 enabled    none                switch1       
...    
22    ether23        1500 D4:CA:6D:F9:FE:45 enabled    none                switch1       
23 R  ether24        1500 D4:CA:6D:F9:FE:46 enabled    none                switch1       
24    sfp1          1500 D4:CA:6D:F9:FE:47 enabled    none                switch1       
</pre>


And there are configured 3 switch groups:
{{ Warning | CRS1xx/2xx series switches are capable of running multiple hardware offloaded bridges with (R)STP enabled, but it is not recommended since the device is not designed to run multiple (R)STP instances on a hardware level. To isolate multiple switch groups and have (R)STP enabled you should isolate port groups with port isolation profile configuration. }}
1) ether2, ether3, ether4, ether5, ether6;
2) ether13, ether14, ether15, ether16, ether17, ether18, ether19, ether20;
3) ether21, ether22, ether23, ether24, sfp1.


Ports ether1, ether7-ether12 are not switched in this example, they remain as independent router ports.
===Global Settings===
<pre>
[admin@MikroTik] /interface ethernet>
set ether3,ether4,ether5,ether6 master-port=ether2
[admin@MikroTik] /interface ethernet>
set ether14,ether15,ether16,ether17,ether18,ether19,ether20 master-port=ether13
[admin@MikroTik] /interface ethernet>
set ether22,ether23,ether24,sfp1 master-port=ether21


[admin@MikroTik] /interface ethernet> print
<p id="shbox"><b>Sub-menu:</b> <code>/interface ethernet switch</code></p><br />
Flags: X - disabled, R - running, S - slave
#    NAME            MTU MAC-ADDRESS      ARP        MASTER-PORT          SWITCH       
0 R  ether1        1500 D4:CA:6D:F9:FE:2F enabled    none                switch1       
1 R  ether2        1500 D4:CA:6D:F9:FE:30 enabled    none                switch1       
2  S ether3        1500 D4:CA:6D:F9:FE:31 enabled    ether2              switch1       
3  S ether4        1500 D4:CA:6D:F9:FE:32 enabled    ether2              switch1       
4 RS ether5        1500 D4:CA:6D:F9:FE:33 enabled    ether2              switch1       
5 RS ether6        1500 D4:CA:6D:F9:FE:34 enabled    ether2              switch1       
6    ether7        1500 D4:CA:6D:F9:FE:35 enabled    none                switch1       
7    ether8        1500 D4:CA:6D:F9:FE:36 enabled    none                switch1       
8    ether9        1500 D4:CA:6D:F9:FE:37 enabled    none                switch1       
9    ether10        1500 D4:CA:6D:F9:FE:38 enabled    none                switch1       
10    ether11        1500 D4:CA:6D:F9:FE:39 enabled    none                switch1       
11    ether12        1500 D4:CA:6D:F9:FE:3A enabled    none                switch1       
12 R  ether13        1500 D4:CA:6D:F9:FE:3B enabled    none                switch1       
13  S ether14        1500 D4:CA:6D:F9:FE:3C enabled    ether13              switch1       
14  S ether15        1500 D4:CA:6D:F9:FE:3D enabled    ether13              switch1       
15 RS ether16        1500 D4:CA:6D:F9:FE:3E enabled    ether13              switch1       
16  S ether17        1500 D4:CA:6D:F9:FE:3F enabled    ether13              switch1       
17  S ether18        1500 D4:CA:6D:F9:FE:40 enabled    ether13              switch1       
18  S ether19        1500 D4:CA:6D:F9:FE:41 enabled    ether13              switch1       
19  S ether20        1500 D4:CA:6D:F9:FE:42 enabled    ether13              switch1       
20 R  ether21        1500 D4:CA:6D:F9:FE:43 enabled    none                switch1       
21  S ether22        1500 D4:CA:6D:F9:FE:44 enabled    ether21              switch1       
22  S ether23        1500 D4:CA:6D:F9:FE:45 enabled    ether21              switch1       
23 RS ether24        1500 D4:CA:6D:F9:FE:46 enabled    ether21              switch1       
24  S sfp1          1500 D4:CA:6D:F9:FE:47 enabled    ether21              switch1       
</pre>


Now ether2 is the “master-port” of the group 1, ether13 – of the group 2 and ether21 – of the group 3.
CRS switch chip is configurable from the <code>/interface ethernet switch</code>
console menu.


Note: Previously a link was detected only on interfaces with a physical connection, but now since the ether2, ether13 and ether21 have connection to CPU, the running flag is propagated to them, as well.
<table class="styled_table">
 
<tr>
[[File:port-switching1.png|center|"711px"|frame|alt=Alt text|CRS Port Switching Example]]
  <th width="50%">Property</th>
 
   <th >Description</th>
In essence this configuration is the same as if you had a RouterBoard with 10 Ethernet interfaces and 3 switches:
</tr>
 
<tr>
[[File:port-switching2.png|center|"711px"|frame|alt=Alt text|CRS Port Switching Logic]]
     <td><var><b>name</b></var> (<em>string value</em>; Default:
 
<b>switch1</b>)</td>
{{Note | Dynamic reserved VLAN entries (VLAN4091; VLAN4090; VLAN4089; etc.) are created in CRS switch when switched port groups are added by setting new master-ports.
    <td>Name of the switch.</td>
These VLANs are necessary for internal operation and have lower precedence than user configured VLANs.}}
</tr>
{{Note | Multiple master-port configuration is designed as fast and simple port isolation solution, but it limits a part of VLAN functionality supported by CRS switch-chip.
<tr>
For advanced configurations use one master-port within CRS switch chip for all ports, configure VLANs and isolate port groups with port isolation profile configuration.}}
    <td><var><b>bridge-type</b></var> (<em>customer-vid-used-as-lookup-vid |
 
service-vid-used-as-lookup-vid</em>; Default: <b>customer-vid-used-as-lookup-vid</b>)</td>
====Bridge Hardware Offloading====
    <td>Bridge type defines which VLAN tag is used as Lookup-VID. Lookup-VID
 
serves as the VLAN key for all VLAN-based lookup.</td>
Since RouterOS v6.40rc29 there are user interface changes which convert RouterBoard master-port configuration into a bridge with hardware offloading.
</tr>
From now on bridges will handle all Layer2 forwarding and the use of switch chip (hw-offload) will automatically turn on if appropriate conditions are met.
<tr>
The rest of RouterOS Switch features remain untouched in usual menus.
    <td><var><b>mac-level-isolation</b></var> (<em>yes | no</em>; Default:
 
<b>yes</b>)</td>
{{Note | Downgrading to previous RouterOS versions will not restore master-port configuration. The bridge with no hw-offload will appear instead and master-port configuration will have to be redone from the beginning.}}
    <td>Globally enables or disables MAC level isolation. Once enabled, the switch will check the source and destination MAC address entries and their <var>isolation-profile</var> from the unicast forwarding table. By default, the switch will learn MAC addresses and place them into a <code>promiscuous</code> isolation profile. Other isolation profiles can be used when creating static unicast entries. If the source or destination MAC address are located on a <code>promiscuous</code> isolation profile, the packet is forwarded. If both source and destination MAC addresses are located on the same <code>community1</code> or <code>community2</code> isolation profile, the packet is forwarded. The packet is dropped when the source and destination MAC address isolation profile is <code>isolated</code>, or when the source and destination MAC address isolation profiles are from different communities (e.g. source MAC address is <code>community1</code> and destination MAC address is <code>community2</code>). When MAC level isolation is globally disabled, the isolation is bypassed.</td>
 
</tr>
* Port switching with master-port configuration before v6.40rc29
<tr>
<pre>
    <td><var><b>use-svid-in-one2one-vlan-lookup</b></var> (<em>yes | no</em>;
[admin@MikroTik] > interface ethernet export
Default: <b>no</b>)</td>
/interface ethernet
    <td>Whether to use service VLAN id for 1:1 VLAN switching lookup.</td>
set [ find default-name=ether3 ] master-port=ether2
</tr>
set [ find default-name=ether4 ] master-port=ether2
<tr>
set [ find default-name=ether5 ] master-port=ether2
    <td><var><b>use-cvid-in-one2one-vlan-lookup</b></var> (<em>yes | no</em>;
[admin@MikroTik] >  
Default: <b>yes</b>)</td>
 
    <td>Whether to use customer VLAN id for 1:1 VLAN switching lookup.</td>
[admin@MikroTik] > interface ethernet print
</tr>
Flags: X - disabled, R - running, S - slave
<tr>
#   NAME            MTU MAC-ADDRESS      ARP            MASTER-PORT          SWITCH       
    <td><var><b>multicast-lookup-mode</b></var>
0 R  ether1          1500 D4:CA:6D:E2:64:64 enabled        none                switch1       
(<em>dst-ip-and-vid-for-ipv4 | dst-mac-and-vid-always</em>;
1 R  ether2          1500 D4:CA:6D:E2:64:65 enabled        none                switch1       
Default:<b>dst-ip-and-vid-for-ipv4</b>)</td>
2 RS ether3          1500 D4:CA:6D:E2:64:66 enabled        ether2              switch1       
    <td>Lookup mode for IPv4 multicast bridging.
3 RS ether4          1500 D4:CA:6D:E2:64:67 enabled        ether2              switch1       
<ul class="bullets">
4 RS ether5          1500 D4:CA:6D:E2:64:68 enabled        ether2              switch1                   
<li> <var>dst-mac-and-vid-always</var> - For all packet types lookup key is
[admin@MikroTik] >  
destination MAC and VLAN id.
</pre>
<li> <var>dst-ip-and-vid-for-ipv4</var> - For IPv4 packets lookup key is
 
destination IP and VLAN id. For other packet types lookup key is destination MAC
* Port switching with bridge configuration and enabled hw-offload since v6.40rc29
and VLAN id.
<pre>
</ul></td>
[admin@MikroTik] > interface bridge export
</tr>
/interface bridge
<tr>
add name=bridge1 igmp-snooping=no  protocol-mode=none
    <td><var><b>unicast-fdb-timeout</b></var> (<em>time interval</em>; Default:
/interface bridge port
<b>5m</b>)</td>
add bridge=bridge1 interface=ether2
    <td>Timeout for Unicast FDB entries.</td>
add bridge=bridge1 interface=ether3
</tr>
add bridge=bridge1 interface=ether4
<tr>
add bridge=bridge1 interface=ether5
    <td><var><b>override-existing-when-ufdb-full</b></var> (<em>yes | no</em>;
[admin@MikroTik] >  
Default: <b>no</b>)</td>
 
    <td>Enable or disable to override existing entry which has the lowest aging
[admin@MikroTik] > interface bridge port print
value when UFDB is full.</td>
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload
</tr>
#     INTERFACE              BRIDGE              HW  PVID PRIORITY  PATH-COST INTERNAL-PATH-COST    HORIZON
</table>
0  H ether2                bridge1            yes    1    0x80        10                10      none
<br>
1  H ether3                bridge1            yes    1    0x80        10                10      none
2  H ether4                bridge1            yes    1    0x80        10                10      none
3  H ether5                bridge1            yes    1    0x80        10                10      none
[admin@MikroTik] >  
</pre>
 
 
Following table states what features keep bridge hardware offloading enabled on certain RouterBoard and switch chip models.
 
Notes:
* Enabling this feature maintains hw-offload: +
* Enabling this feature turns off hw-offload: -
 
{| border="1" class="wikitable collapsible sortable" style="text-align: center"
|  nowrap style="background-color: #CCC;* " | <b><u>RouterBoard/[Switch Chip] Model</u></b>
|  nowrap style="background-color: #CCC;* " | <b>Features in Switch menu</b>
|  nowrap style="background-color: #CCC;* " | <b>Bridge STP/RSTP</b>
|  nowrap style="background-color: #CCC;* " | <b>Bridge MSTP</b>
|  nowrap style="background-color: #CCC;* " | <b>Bridge IGMP Snooping</b>
|  nowrap style="background-color: #CCC;* " | <b>Bonding</b>
|-  
|  style="background-color: #CCC;font-weight: bold;" | CRS3xx series
<b>+</b>
<b>+</b>
<b>+</b>
<b>-</b>
<b>-</b>
|-  
|  style="background-color: #CCC;font-weight: bold;" | CRS1xx/CRS2xx series
|  <b>+</b>
<b>+</b>
<b>-</b>
<b>-</b>
<b>-</b>
|-
|  style="background-color: #CCC;font-weight: bold;" | [QCA8337]
<b>+</b>
<b>+</b>
<b>-</b>
<b>-</b>
<b>-</b>
|-
|  style="background-color: #CCC;font-weight: bold;" | [AR8327]
<b>+</b>
<b>+</b>
<b>-</b>
<b>-</b>
<b>-</b>
|-
|  style="background-color: #CCC;font-weight: bold;" | [AR8227]
<b>+</b>
<b>+</b>
<b>-</b>
|  <b>-</b>
<b>-</b>
|-
|  style="background-color: #CCC;font-weight: bold;" | [AR8316]
<b>+</b>
<b>+</b>
<b>-</b>
<b>-</b>
| <b>-</b>
|-
|  style="background-color: #CCC;font-weight: bold;" | [AR7240]
<b>+</b>
<b>+</b>
<b>-</b>
<b>-</b>
<b>-</b>
|-  
|  style="background-color: #CCC;font-weight: bold;" | RB750Gr3 [MT7621]
<b>+</b>
<b>-</b>
<b>-</b>
<b>-</b>
<b>-</b>
|-
|  style="background-color: #CCC;font-weight: bold;" | RB1100AHx4 [RTL8367]
<b>+</b>
<b>-</b>
<b>-</b>
<b>-</b>
<b>-</b>
|-
|  style="background-color: #CCC;font-weight: bold;" | [ICPlus175D]
<b>+</b>
<b>-</b>
<b>-</b>
<b>-</b>
<b>-</b>
|-
|}
 
===Global Settings===
 
<p id="shbox"><b>Sub-menu:</b> <code>/interface ethernet switch</code></p><br />
 
CRS switch chip is configurable from the <code>/interface ethernet switch</code>
console menu.


<table class="styled_table">
<table class="styled_table">
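Review bot: In the expanded mac-level-isolation description, "The packet is dropped when the source and destination MAC address isolation profile is isolated" does not say whether one isolated endpoint is enough for the drop or whether both must be isolated; since this sentence defines the isolation behaviour, spell out the case of one isolated and one community address. In the reworded reserved-VLAN note, "when switched port groups are added when a hardware offloaded bridge is created" stacks two "when" clauses left over from the master-port wording; "are created when a hardware offloaded bridge is created" is enough. The removed downgrade caution ("Downgrading to previous RouterOS versions will not restore master-port configuration") has no replacement here, so confirm the linked Bridge Hardware Offloading page carries it.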
Line 442: Line 299:
</tr>
</tr>
<tr>
<tr>
     <td><var><b>name</b></var> (<em>string value</em>; Default:
     <td><var><b>drop-if-no-vlan-assignment-on-ports</b></var> (<em>ports</em>;  
<b>switch1</b>)</td>
Default: <b>none</b>)</td>
     <td>Name of the switch.</td>
     <td>Ports which drop frames if no MAC-based, Protocol-based VLAN assignment or Ingress
VLAN Translation is applied.</td>
</tr>
</tr>
<tr>
<tr>
    <td><var><b>bridge-type</b></var> (<em>customer-vid-used-as-lookup-vid |
<td><var><b>drop-if-invalid-or-src-port-<br>-not-member-of-vlan-on-ports</b></var><br>
service-vid-used-as-lookup-vid</em>; Default: <b>customer-vid-used-as-lookup-vid</b>)</td>
(<em>ports</em>; Default: <b>none</b>)</td>
     <td>Bridge type defines which VLAN tag is used as Lookup-VID. Lookup-VID
     <td>Ports which drop invalid and other port VLAN id frames.</td>
serves as the VLAN key for all VLAN-based lookup.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>mac-level-isolation</b></var> (<em>yes | no</em>; Default:
     <td><var><b>unknown-vlan-lookup-mode</b></var> (<em>ivl | svl</em>; Default:
<b>yes</b>)</td>
<b>svl</b>)</td>
     <td>Enables or disables MAC level isolation.</td>
     <td>Lookup and learning mode for packets with invalid VLAN.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>use-svid-in-one2one-vlan-lookup</b></var> (<em>yes | no</em>;
     <td><var><b>forward-unknown-vlan</b></var> (<em>yes | no</em>; Default:
Default: <b>no</b>)</td>
<b>yes</b>)</td>
     <td>Whether to use service VLAN id for 1:1 VLAN switching lookup.</td>
     <td>Whether to allow forwarding VLANs which are not members of VLAN
table.</td>
</tr>
</tr>
</table>
<br>
<table class="styled_table">
<tr>
<tr>
    <td><var><b>use-cvid-in-one2one-vlan-lookup</b></var> (<em>yes | no</em>;
  <th width="50%">Property</th>
Default: <b>yes</b>)</td>
  <th >Description</th>
    <td>Whether to use customer VLAN id for 1:1 VLAN switching lookup.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>multicast-lookup-mode</b></var>
     <td><var><b>bypass-vlan-ingress-filter-for</b></var> (<em>protocols</em>;
(<em>dst-ip-and-vid-for-ipv4 | dst-mac-and-vid-always</em>;
Default: <b>none</b>)</td>
Default:<b>dst-ip-and-vid-for-ipv4</b>)</td>
     <td>Protocols which are excluded from Ingress VLAN filtering. These
     <td>Lookup mode for IPv4 multicast bridging.
protocols are not dropped if they have invalid VLAN. (arp, dhcpv4, dhcpv6,
<ul class="bullets">
eapol, igmp, mld, nd, pppoe-discovery, ripv1)</td>
<li> <var>dst-mac-and-vid-always</var> - For all packet types lookup key is
destination MAC and VLAN id.
<li> <var>dst-ip-and-vid-for-ipv4</var> - For IPv4 packets lookup key is
destination IP and VLAN id. For other packet types lookup key is destination MAC
and VLAN id.
</ul></td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>unicast-fdb-timeout</b></var> (<em>time interval</em>; Default:
     <td><var><b>bypass-ingress-port-policing-for</b></var> (<em>protocols</em>;
<b>5m</b>)</td>
Default: <b>none</b>)</td>
     <td>Timeout for Unicast FDB entries.</td>
     <td>Protocols which are excluded from Ingress Port Policing. (arp, dhcpv4, dhcpv6,
eapol, igmp, mld, nd, pppoe-discovery, ripv1)</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>override-existing-when-ufdb-full</b></var> (<em>yes | no</em>;
     <td><var><b>bypass-l2-security-check-filter-for</b></var>
Default: <b>no</b>)</td>
(<em>protocols</em>; Default: <b>none</b>)</td>
     <td>Enable or disable to override existing entry which has the lowest aging
     <td>Protocols which are excluded from Policy rule security check. (arp,
value when UFDB is full.</td>
dhcpv4, dhcpv6, eapol, igmp, mld, nd, pppoe-discovery, ripv1)</td>
</tr>
</tr>
</table>
</table>
Line 500: Line 356:
</tr>
</tr>
<tr>
<tr>
     <td><var><b>drop-if-no-vlan-assignment-on-ports</b></var> (<em>ports</em>;  
     <td><var><b>ingress-mirror0</b></var> (<em>port | trunk,format</em>; Default: <b>none,modified</b>)</td>
Default: <b>none</b>)</td>
     <td>The first ingress mirroring analyzer port or trunk and mirroring format:
     <td>Ports which drop frames if no MAC-based, Protocol-based VLAN assignment or Ingress
<ul class="bullets">
VLAN Translation is applied.</td>
<li> <var>analyzer-configured</var> - The packet is same as the packet to
destination. VLAN format is modified based on the VLAN configurations of the
analyzer port.
<li> <var>modified</var> - The packet is same as the packet to destination.
VLAN format is modified based on the VLAN configurations of the egress port.
<li> <var>original</var> - Traffic is mirrored without any change to the
original incoming packet format. But service VLAN tag is stripped in edge port.
</ul>
    </td>
</tr>
</tr>
<tr>
<tr>
<td><var><b>drop-if-invalid-or-src-port-<br>-not-member-of-vlan-on-ports</b></var><br>
    <td><var><b>ingress-mirror1</b></var> (<em>port | trunk,format</em>; Default: <b>none,modified</b>)</td>
(<em>ports</em>; Default: <b>none</b>)</td>
     <td>The second ingress mirroring analyzer port or trunk and mirroring format:
     <td>Ports which drop invalid and other port VLAN id frames.</td>
<ul class="bullets">
<li> <var>analyzer-configured</var> - The packet is same as the packet to
destination. VLAN format is modified based on the VLAN configurations of the
analyzer port.
<li> <var>modified</var> - The packet is same as the packet to destination.
VLAN format is modified based on the VLAN configurations of the egress port.
<li> <var>original</var> - Traffic is mirrored without any change to the
original incoming packet format. But service VLAN tag is stripped in edge port.
</ul>
    </td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>unknown-vlan-lookup-mode</b></var> (<em>ivl | svl</em>; Default:
     <td><var><b>ingress-mirror-ratio</b></var> (<em>1/32768..1/1</em>; Default:
<b>svl</b>)</td>
<b>1/1</b>)</td>
     <td>Lookup and learning mode for packets with invalid VLAN.</td>
     <td>Proportion of ingress mirrored packets compared to all packets.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>forward-unknown-vlan</b></var> (<em>yes | no</em>; Default:
     <td><var><b>egress-mirror0</b></var> (<em>port | trunk,format</em>; Default: <b>none,modified</b>)</td>
<b>yes</b>)</td>
     <td>The first egress mirroring analyzer port or trunk and mirroring format:
     <td>Whether to allow forwarding VLANs which are not members of VLAN
<ul class="bullets">
table.</td>
<li> <var>analyzer-configured</var> - The packet is same as the packet to
destination. VLAN format is modified based on the VLAN configurations of the
analyzer port.
<li> <var>modified</var> - The packet is same as the packet to destination.
VLAN format is modified based on the VLAN configurations of the egress port.
<li> <var>original</var> - Traffic is mirrored without any change to the
original incoming packet format. But service VLAN tag is stripped in edge port.
</ul>
    </td>
</tr>
</tr>
</table>
<br>
<table class="styled_table">
<tr>
<tr>
  <th width="50%">Property</th>
    <td><var><b>egress-mirror1</b></var> (<em>port | trunk,format</em>; Default: <b>none,modified</b>)</td>
  <th >Description</th>
    <td>The second egress mirroring analyzer port or trunk and mirroring format:
<ul class="bullets">
<li> <var>analyzer-configured</var> - The packet is same as the packet to
destination. VLAN format is modified based on the VLAN configurations of the
analyzer port.
<li> <var>modified</var> - The packet is same as the packet to destination.
VLAN format is modified based on the VLAN configurations of the egress port.
<li> <var>original</var> - Traffic is mirrored without any change to the
original incoming packet format. But service VLAN tag is stripped in edge port.
</ul>
    </td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>bypass-vlan-ingress-filter-for</b></var> (<em>protocols</em>;
     <td><var><b>egress-mirror-ratio</b></var> (<em>1/32768..1/1</em>; Default:
Default: <b>none</b>)</td>
<b>1/1</b>)</td>
     <td>Protocols which are excluded from Ingress VLAN filtering. These
     <td>Proportion of egress mirrored packets compared to all packets.</td>
protocols are not dropped if they have invalid VLAN. (arp, dhcpv4, dhcpv6,
eapol, igmp, mld, nd, pppoe-discovery, ripv1)</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>bypass-ingress-port-policing-for</b></var> (<em>protocols</em>;
     <td><var><b>mirror-egress-if-ingress-mirrored</b></var> (<em>yes | no</em>;
Default: <b>none</b>)</td>
Default: <b>no</b>)</td>
     <td>Protocols which are excluded from Ingress Port Policing. (arp, dhcpv4, dhcpv6,
     <td>When packet is applied to both ingress and egress mirroring, if this
eapol, igmp, mld, nd, pppoe-discovery, ripv1)</td>
setting is disabled, only ingress mirroring is performed on the packet; if this
setting is enabled both mirroring types are applied.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>bypass-l2-security-check-filter-for</b></var>
     <td><var><b>mirror-tx-on-mirror-port</b></var> (<em>yes | no</em>; Default:
(<em>protocols</em>; Default: <b>none</b>)</td>
<b>no</b>)</td>
     <td>Protocols which are excluded from Policy rule security check. (arp,
    <td></td>
dhcpv4, dhcpv6, eapol, igmp, mld, nd, pppoe-discovery, ripv1)</td>
</tr>
<tr>
    <td><var><b>mirrored-packet-qos-priority</b></var> (<em>0..7</em>; Default:
<b>0</b>)</td>
    <td>Remarked priority in mirrored packets.</td>
</tr>
<tr>
    <td><var><b>mirrored-packet-drop-precedence</b></var> (<em>drop | green |
red | yellow</em>; Default: <b>green</b>)</td>
     <td>Remarked drop precedence in mirrored packets. This QoS attribute is used
for mirrored packet enqueuing or dropping.</td>
</tr>
<tr>
    <td><var><b>fdb-uses</b></var> (<em>mirror0 | mirror1</em>; Default:
<b>mirror0</b>)</td>
    <td>Analyzer port used for FDB-based mirroring.</td>
</tr>
<tr>
    <td><var><b>vlan-uses</b></var> (<em>mirror0 | mirror1</em>; Default:
<b>mirror0</b>)</td>
    <td>Analyzer port used for VLAN-based mirroring.</td>
</tr>
</tr>
</table>
</table>
<br>
 
<p></p>
 
===Port Settings===
 
<p id="shbox"><b>Sub-menu:</b> <code>/interface ethernet switch
port</code></p><br />


<table class="styled_table">
<table class="styled_table">
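Review bot: The `mirror-tx-on-mirror-port` row has an empty description cell (`<td></td>`), so the table gives the property's values and default but not what it does. Add a one-line description, or leave the row out until one is available. The four `ingress-mirror0/1` and `egress-mirror0/1` rows also repeat the same three-item format list verbatim; describing the formats once and referring to that from the other rows would keep them from drifting apart.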
Line 557: Line 469:
</tr>
</tr>
<tr>
<tr>
     <td><var><b>ingress-mirror0</b></var> (<em>port | trunk,format</em>; Default: <b>none,modified</b>)</td>
     <td><var><b>vlan-type</b></var> (<em>edge-port | network-port</em>;
     <td>The first ingress mirroring analyzer port or trunk and mirroring format:
Default: <b>network-port</b>)</td>
<ul class="bullets">
     <td>Port VLAN type specifies whether VLAN id is used in UFDB learning. Network port learns
<li> <var>analyzer-configured</var> - The packet is same as the packet to
VLAN id in UFDB, edge port does not - VLAN 0. It can be observed only in IVL learning mode.</td>
destination. VLAN format is modified based on the VLAN configurations of the
analyzer port.
<li> <var>modified</var> - The packet is same as the packet to destination.
VLAN format is modified based on the VLAN configurations of the egress port.
<li> <var>original</var> - Traffic is mirrored without any change to the
original incoming packet format. But service VLAN tag is stripped in edge port.
</ul>
    </td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>ingress-mirror1</b></var> (<em>port | trunk,format</em>; Default: <b>none,modified</b>)</td>
     <td><var><b>isolation-leakage-profile-override</b></var> (<em>yes | no</em>; Default:
     <td>The second ingress mirroring analyzer port or trunk and mirroring format:
<b>!isolation-leakage-profile-override</b>)<br>
<var><b>isolation-leakage-profile</b></var> (<em>0..31</em>;)</td>
     <td>Custom port profile for port isolation/leakage configurations.
<ul class="bullets">
<ul class="bullets">
<li> <var>analyzer-configured</var> - The packet is same as the packet to
<li> Port-level isolation profile 0. Uplink port - allows the port to
destination. VLAN format is modified based on the VLAN configurations of the
communicate with all ports in the device.
analyzer port.
<li> Port-level isolation profile 1. Isolated port - allows the port to
<li> <var>modified</var> - The packet is same as the packet to destination.
communicate only with uplink ports.
VLAN format is modified based on the VLAN configurations of the egress port.
<li> Port-level isolation profile 2 - 31. Community port - allows
<li> <var>original</var> - Traffic is mirrored without any change to the
communication among the same community ports and uplink ports.
original incoming packet format. But service VLAN tag is stripped in edge port.
</ul></td>
</ul>
    </td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>ingress-mirror-ratio</b></var> (<em>1/32768..1/1</em>; Default:
     <td><var><b>learn-override</b></var> (<em>yes | no</em>; Default: <b>!learn-override</b>)<br>
<b>1/1</b>)</td>
    <var><b>learn-limit</b></var> (<em>1..1023</em>; Default: <b>!learn-limit</b>)</td>
     <td>Proportion of ingress mirrored packets compared to all packets.</td>
     <td>Enable or disable MAC address learning and set MAC limit on the port.
MAC learning limit is disabled by default when !learn-override and !learn-limit. Property <var>learn-override</var> is replaced with <var>learn</var> under <code>/interface bridge port</code> menu since RouterOS v6.42.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>egress-mirror0</b></var> (<em>port | trunk,format</em>; Default: <b>none,modified</b>)</td>
     <td><var><b>drop-when-ufdb-entry-src-drop</b></var> (<em>yes | no</em>;
     <td>The first egress mirroring analyzer port or trunk and mirroring format:
Default: <b>yes</b>)</td>
<ul class="bullets">
     <td>Enable or disable to drop packets when UFDB entry has action
<li> <var>analyzer-configured</var> - The packet is same as the packet to
<var>src-drop</var>.</td>
destination. VLAN format is modified based on the VLAN configurations of the
analyzer port.
<li> <var>modified</var> - The packet is same as the packet to destination.
VLAN format is modified based on the VLAN configurations of the egress port.
<li> <var>original</var> - Traffic is mirrored without any change to the
original incoming packet format. But service VLAN tag is stripped in edge port.
</ul>
    </td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>egress-mirror1</b></var> (<em>port | trunk,format</em>; Default: <b>none,modified</b>)</td>
     <td><var><b>allow-unicast-loopback</b></var> (<em>yes | no</em>; Default:
     <td>The second egress mirroring analyzer port or trunk and mirroring format:
<b>no</b>)</td>
<ul class="bullets">
     <td>Unicast loopback on port. When enabled, it permits sending back when
<li> <var>analyzer-configured</var> - The packet is same as the packet to
source port and destination port are the same one for known unicast
destination. VLAN format is modified based on the VLAN configurations of the
packets.</td>
analyzer port.
<li> <var>modified</var> - The packet is same as the packet to destination.
VLAN format is modified based on the VLAN configurations of the egress port.
<li> <var>original</var> - Traffic is mirrored without any change to the
original incoming packet format. But service VLAN tag is stripped in edge port.
</ul>
    </td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>egress-mirror-ratio</b></var> (<em>1/32768..1/1</em>; Default:
     <td><var><b>allow-multicast-loopback</b></var> (<em>yes | no</em>; Default:
<b>1/1</b>)</td>
<b>no</b>)</td>
     <td>Proportion of egress mirrored packets compared to all packets.</td>
     <td>Multicast loopback on port. When enabled, it permits sending back when
source port and destination port are the same for registered multicast or
broadcast packets.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>mirror-egress-if-ingress-mirrored</b></var> (<em>yes | no</em>;
     <td><var><b>action-on-static-station-move</b></var> (<em>copy-to-cpu | drop
Default: <b>no</b>)</td>
| forward | redirect-to-cpu</em>; Default: <b>forward</b>)</td>
     <td>When packet is applied to both ingress and egress mirroring, if this
     <td>Action for packets when UFDB already contains static entry with such MAC but with a different port.</td>
setting is disabled, only ingress mirroring is performed on the packet; if this
setting is enabled both mirroring types are applied.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>mirror-tx-on-mirror-port</b></var> (<em>yes | no</em>; Default:
     <td><var><b>drop-dynamic-mac-move</b></var> (<em>yes | no</em>; Default:
<b>no</b>)</td>
<b>no</b>)</td>
     <td></td>
     <td>Prevents MAC relearning until UFDB timeout if MAC is already learned on other port.</td>
</tr>
</tr>
</table>
<br>
<table class="styled_table">
<tr>
<tr>
    <td><var><b>mirrored-packet-qos-priority</b></var> (<em>0..7</em>; Default:
  <th width="50%">Property</th>
<b>0</b>)</td>
  <th >Description</th>
    <td>Remarked priority in mirrored packets.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>mirrored-packet-drop-precedence</b></var> (<em>drop | green |
     <td><var><b>allow-fdb-based-vlan-translate</b></var> (<em>yes | no</em>; Default:
red | yellow</em>; Default: <b>green</b>)</td>
<b>no</b>)</td>
     <td>Remarked drop precedence in mirrored packets. This QoS attribute is used
     <td>Enable or disable MAC-based VLAN translation on the port.</td>
for mirrored packet enqueuing or dropping.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>fdb-uses</b></var> (<em>mirror0 | mirror1</em>; Default:
     <td><var><b>allow-mac-based-service-vlan-assignment-for</b></var> (<em>all-frames | none |
<b>mirror0</b>)</td>
tagged-frame-only | untagged-and-priority-tagged-frame-only</em>; Default:
     <td>Analyzer port used for FDB-based mirroring.</td>
<b>none</b>)</td>
     <td>Frame type for which applies MAC-based service VLAN translation.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>vlan-uses</b></var> (<em>mirror0 | mirror1</em>; Default:
     <td><var><b>allow-mac-based-customer-vlan-assignment-for</b></var> (<em>all-frames | none |
<b>mirror0</b>)</td>
tagged-frame-only | untagged-and-priority-tagged-frame-only</em>; Default:
     <td>Analyzer port used for VLAN-based mirroring.</td>
<b>none</b>)</td>
     <td>Frame type for which applies MAC-based customer VLAN translation.</td>
</tr>
</tr>
</table>
<p></p>
===Port Settings===
<p id="shbox"><b>Sub-menu:</b> <code>/interface ethernet switch
port</code></p><br />
<table class="styled_table">
<tr>
<tr>
  <th width="50%">Property</th>
    <td><var><b>default-customer-pcp</b></var> (<em>0..7</em>; Default:
  <th >Description</th>
<b>0</b>)</td>
    <td>Default customer PCP of the port.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>vlan-type</b></var> (<em>edge-port | network-port</em>;
     <td><var><b>default-service-pcp</b></var> (<em>0..7</em>; Default:
Default: <b>network-port</b>)</td>
<b>0</b>)</td>
     <td>Port VLAN type specifies whether VLAN id is used in UFDB learning. Network port learns
     <td>Default service PCP of the port.</td>
VLAN id in UFDB, edge port does not - VLAN 0. It can be observed only in IVL learning mode.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>isolation-leakage-profile-override</b></var> (<em>yes | no</em>; Default:
     <td><var><b>pcp-propagation-for-initial-pcp</b></var> (<em>yes | no</em>;
<b>!isolation-leakage-profile-override</b>)<br>
Default: <b>no</b>)</td>
<var><b>isolation-leakage-profile</b></var> (<em>0..31</em>;)</td>
    <td>Enables or disables PCP propagation for initial PCP assignment on ingress.
    <td>Custom port profile for port isolation/leakage configurations.
<ul class="bullets">
<ul class="bullets">
<li> Port-level isolation profile 0. Uplink port - allows the port to
<li> If the port <var>vlan-type</var> is Edge port, the service PCP is copied from the
communicate with all ports in the device.
customer PCP.
<li> Port-level isolation profile 1. Isolated port - allows the port to
<li> If the port <var>vlan-type</var> is Network port, the customer PCP is copied from the
communicate only with uplink ports.
service PCP.
<li> Port-level isolation profile 2 - 31. Community port - allows
communication among the same community ports and uplink ports.
</ul></td>
</ul></td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>learn-override</b></var> (<em>yes | no</em>; Default: <b>!learn-override</b>)<br>
     <td><var><b>filter-untagged-frame</b></var> (<em>yes | no</em>; Default:
    <var><b>learn-limit</b></var> (<em>1..1023</em>; Default: <b>!learn-limit</b>)</td>
<b>no</b>)</td>
     <td>Enable or disable MAC address learning and set MAC limit on the port.
     <td>Whether to filter untagged frames on the port.</td>
MAC learning limit is disabled by default when !learn-override and !learn-limit</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>drop-when-ufdb-entry-src-drop</b></var> (<em>yes | no</em>;
     <td><var><b>filter-priority-tagged-frame</b></var> (<em>yes | no</em>;
Default: <b>yes</b>)</td>
Default: <b>no</b>)</td>
     <td>Enable or disable to drop packets when UFDB entry has action
     <td>Whether to filter tagged frames with priority on the port.</td>
<var>src-drop</var>.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>allow-unicast-loopback</b></var> (<em>yes | no</em>; Default:
     <td><var><b>filter-tagged-frame</b></var> (<em>yes | no</em>; Default:
<b>no</b>)</td>
<b>no</b>)</td>
     <td>Unicast loopback on port. When enabled, it permits sending back when
     <td>Whether to filter tagged frames on the port.</td>
source port and destination port are the same one for known unicast
packets.</td>
</tr>
</tr>
<tr>
</table>
    <td><var><b>allow-multicast-loopback</b></var> (<em>yes | no</em>; Default:
<b>no</b>)</td>
    <td>Multicast loopback on port. When enabled, it permits sending back when
source port and destination port are the same for registered multicast or
broadcast packets.</td>
</tr>
<tr>
    <td><var><b>action-on-static-station-move</b></var> (<em>copy-to-cpu | drop
| forward | redirect-to-cpu</em>; Default: <b>forward</b>)</td>
    <td>Action for packets when UFDB already contains static entry with such MAC but with a different port.</td>
</tr>
<tr>
    <td><var><b>drop-dynamic-mac-move</b></var> (<em>yes | no</em>; Default:
<b>no</b>)</td>
    <td>Prevents MAC relearning until UFDB timeout if MAC is already learned on other port.</td>
</tr>
</table>
<br>
<br>
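Review bot: In the learn-override / learn-limit row, the added sentence says learn-override is replaced with learn under /interface bridge port since RouterOS v6.42, but the property cell still lists learn-override with Default !learn-override, and nothing says whether learn-limit is still set in /interface ethernet switch port. Suggest stating, per RouterOS version, which menu each of the two properties is configured in, because learn-limit is the setting that caps how many MAC addresses the port may learn.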


Line 734: Line 594:
</tr>
</tr>
<tr>
<tr>
     <td><var><b>allow-fdb-based-vlan-translate</b></var> (<em>yes | no</em>; Default:
     <td><var><b>egress-vlan-tag-table-lookup-key</b></var> (<em>according-to-bridge-type |
<b>no</b>)</td>
egress-vid</em>; Default: <b>egress-vid</b>)</td>
     <td>Enable or disable MAC-based VLAN translation on the port.</td>
     <td>Egress VLAN table (VLAN Tagging) lookup:
<ul class="bullets">
<li> <var>egress-vid</var> - Lookup VLAN id is CVID when
Edge port is configured, SVID when Network port is configured.
<li> <var>according-to-bridge-type</var> - Lookup VLAN id is CVID when customer
VLAN bridge is configured, SVID when service VLAN bridge is configured. Customer
tag is unmodified for Edge port in service VLAN bridge.
</ul></td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>allow-mac-based-service-vlan-assignment-for</b></var> (<em>all-frames | none |
     <td><var><b>egress-vlan-mode</b></var> (<em>tagged | unmodified |
tagged-frame-only | untagged-and-priority-tagged-frame-only</em>; Default:
untagged</em>; Default: <b>unmodified</b>)</td>
<b>none</b>)</td>
     <td>Egress VLAN tagging action on the port.</td>
     <td>Frame type for which applies MAC-based service VLAN translation.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>allow-mac-based-customer-vlan-assignment-for</b></var> (<em>all-frames | none |
     <td><var><b>egress-pcp-propagation</b></var> (<em>yes | no</em>; Default:
tagged-frame-only | untagged-and-priority-tagged-frame-only</em>; Default:
<b>no</b>)</td>
<b>none</b>)</td>
    <td>Enables or disables egress PCP propagation.
    <td>Frame type for which applies MAC-based customer VLAN translation.</td>
</tr>
<tr>
    <td><var><b>default-customer-pcp</b></var> (<em>0..7</em>; Default:
<b>0</b>)</td>
    <td>Default customer PCP of the port.</td>
</tr>
<tr>
    <td><var><b>default-service-pcp</b></var> (<em>0..7</em>; Default:
<b>0</b>)</td>
    <td>Default service PCP of the port.</td>
</tr>
<tr>
    <td><var><b>pcp-propagation-for-initial-pcp</b></var> (<em>yes | no</em>;
Default: <b>no</b>)</td>
    <td>Enables or disables PCP propagation for initial PCP assignment on ingress.
<ul class="bullets">
<ul class="bullets">
<li> If the port <var>vlan-type</var> is Edge port, the service PCP is copied from the
<li> If the port <var>vlan-type</var> is Edge port, the service PCP is copied from the
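Review bot: After the move, the egress-pcp-propagation row carries the same bullet text as pcp-propagation-for-initial-pcp ("If the port vlan-type is Edge port, the service PCP is copied from the customer PCP"), although one row is described as egress propagation and the other as initial PCP assignment on ingress. Confirm the copy direction for the egress case and reword one of the two rows so a reader can tell them apart.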
Line 771: Line 621:
</ul></td>
</ul></td>
</tr>
</tr>
<tr>
</table>
     <td><var><b>filter-untagged-frame</b></var> (<em>yes | no</em>; Default:
<br>
<b>no</b>)</td>
 
     <td>Whether to filter untagged frames on the port.</td>
<table class="styled_table">
<tr>
  <th width="50%">Property</th>
  <th >Description</th>
</tr>
<tr>
     <td><var><b>ingress-mirror-to</b></var> (<em>mirror0 | mirror1 | none</em>;
Default: <b>none</b>)</td>
     <td>Analyzer port for port-based ingress mirroring.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>filter-priority-tagged-frame</b></var> (<em>yes | no</em>;
     <td><var><b>ingress-mirroring-according-to-vlan</b></var> (<em>yes |
Default: <b>no</b>)</td>
no</em>; Default: <b>no</b>)</td>
     <td>Whether to filter tagged frames with priority on the port.</td>
     <td></td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>filter-tagged-frame</b></var> (<em>yes | no</em>; Default:
     <td><var><b>egress-mirror-to</b></var> (<em>mirror0 | mirror1 | none</em>; Default:
<b>no</b>)</td>
<b>none</b>)</td>
     <td>Whether to filter tagged frames on the port.</td>
     <td>Analyzer port for port-based egress mirroring.</td>
</tr>
</tr>
</table>
</table>
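Review bot: ingress-mirroring-according-to-vlan is carried into the new mirroring table with an empty description cell. It sits between ingress-mirror-to and egress-mirror-to, which select the analyzer port that traffic is copied to, so add one sentence saying what setting it to yes changes about which ingress traffic is mirrored.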
Line 795: Line 653:
</tr>
</tr>
<tr>
<tr>
     <td><var><b>egress-vlan-tag-table-lookup-key</b></var> (<em>according-to-bridge-type |
     <td><var><b>qos-scheme-precedence</b></var> (<em>da-based | dscp-based | ingress-acl-based | pcp-based | protocol-based | sa-based | vlan-based</em>;
egress-vid</em>; Default: <b>egress-vid</b>)</td>
    Default: <b>pcp-based, sa-based, da-based, dscp-based, protocol-based, vlan-based</b>)</td>
     <td>Egress VLAN table (VLAN Tagging) lookup:
     <td>Specifies applied QoS assignment schemes on ingress of the port.
<ul class="bullets">
<ul class="bullets">
<li> <var>egress-vid</var> - Lookup VLAN id is CVID when
<li> <var>da-based</var>
Edge port is configured, SVID when Network port is configured.
<li> <var>dscp-based</var>
<li> <var>according-to-bridge-type</var> - Lookup VLAN id is CVID when customer
<li> <var>ingress-acl-based</var>
VLAN bridge is configured, SVID when service VLAN bridge is configured. Customer
<li> <var>pcp-based</var>
tag is unmodified for Edge port in service VLAN bridge.
<li> <var>protocol-based</var>
<li> <var>sa-based</var>
<li> <var>vlan-based</var>
</ul></td>
</ul></td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>egress-vlan-mode</b></var> (<em>tagged | unmodified |
     <td><var><b>pcp-or-dscp-based-qos-change-dei</b></var> (<em>yes | no</em>; Default:
untagged</em>; Default: <b>unmodified</b>)</td>
<b>no</b>)</td>
     <td>Egress VLAN tagging action on the port.</td>
     <td>Enable or disable PCP or DSCP based DEI change on port.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>egress-pcp-propagation</b></var> (<em>yes | no</em>; Default:
     <td><var><b>pcp-or-dscp-based-qos-change-pcp</b></var> (<em>yes | no</em>; Default:
<b>no</b>)</td>
<b>no</b>)</td>
     <td>Enables or disables egress PCP propagation.
     <td>Enable or disable PCP or DSCP based PCP change on port.</td>
<ul class="bullets">
</tr>
<li> If the port <var>vlan-type</var> is Edge port, the service PCP is copied from the
<tr>
customer PCP.
    <td><var><b>pcp-or-dscp-based-qos-change-dscp</b></var> (<em>yes | no</em>; Default:
<li> If the port <var>vlan-type</var> is Network port, the customer PCP is copied from the
<b>no</b>)</td>
service PCP.
    <td>Enable or disable PCP or DSCP based DSCP change on port.</td>
</ul></td>
</tr>
</tr>
</table>
<br>
<table class="styled_table">
<tr>
<tr>
  <th width="50%">Property</th>
    <td><var><b>dscp-based-qos-dscp-to-dscp-mapping</b></var> (<em>yes | no</em>; Default:
  <th >Description</th>
<b>yes</b>)</td>
    <td>Enable or disable DSCP to internal DSCP mapping on port.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>ingress-mirror-to</b></var> (<em>mirror0 | mirror1 | none</em>;
     <td><var><b>pcp-based-qos-drop-precedence-mapping</b></var> (<em>PCP/DEI-range:drop-precedence</em>; Default:
Default: <b>none</b>)</td>
<b>0-15:green</b>)</td>
     <td>Analyzer port for port-based ingress mirroring.</td>
     <td>The new value of drop precedence for the PCP/DEI to drop precedence (drop | green | red | yellow) mapping.
Multiple mappings allowed separated by comma e.g. "0-7:yellow,8-15:red".</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>ingress-mirroring-according-to-vlan</b></var> (<em>yes |
     <td><var><b>pcp-based-qos-dscp-mapping</b></var> (<em>PCP/DEI-range:DEI</em>; Default:
no</em>; Default: <b>no</b>)</td>
<b>0-15:0</b>)</td>
     <td></td>
     <td>The new value of DSCP for the PCP/DEI to DSCP (0..63) mapping.
Multiple mappings allowed separated by comma e.g. "0-7:25,8-15:50".</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>egress-mirror-to</b></var> (<em>mirror0 | mirror1 | none</em>; Default:
     <td><var><b>pcp-based-qos-dei-mapping</b></var> (<em>PCP/DEI-range:DEI</em>; Default:
<b>none</b>)</td>
<b>0-15:0</b>)</td>
     <td>Analyzer port for port-based egress mirroring.</td>
    <td>The new value of DEI for the PCP/DEI to DEI (0..1) mapping. Multiple mappings allowed separated by comma e.g. "0-7:0,8-15:1".</td>
</tr>
<tr>
    <td><var><b>pcp-based-qos-pcp-mapping</b></var> (<em>PCP/DEI-range:DEI</em>; Default:
<b>0-15:0</b>)</td>
     <td>The new value of PCP for the PCP/DEI to PCP (0..7) mapping.
Multiple mappings allowed separated by comma e.g. "0-7:3,8-15:4".</td>
</tr>
<tr>
    <td><var><b>pcp-based-qos-priority-mapping</b></var> (<em>PCP/DEI-range:DEI</em>; Default:
<b>0-15:0</b>)</td>
    <td>The new value of internal priority for the PCP/DEI to priority (0..15) mapping.
Multiple mappings allowed separated by comma e.g. "0-7:5,8-15:15".</td>
</tr>
</tr>
</table>
</table>
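Review bot: The value type for pcp-based-qos-dscp-mapping, pcp-based-qos-pcp-mapping and pcp-based-qos-priority-mapping reads "PCP/DEI-range:DEI" in all three rows, while their descriptions map to DSCP (0..63), PCP (0..7) and priority (0..15). Only pcp-based-qos-dei-mapping maps to DEI. Since these rows are being moved anyway, correct the placeholder after the colon in each row to match its description.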
Line 854: Line 724:
</tr>
</tr>
<tr>
<tr>
     <td><var><b>qos-scheme-precedence</b></var> (<em>da-based | dscp-based | ingress-acl-based | pcp-based | protocol-based | sa-based | vlan-based</em>;
     <td><var><b>priority-to-queue</b></var> (<em>priority-range:queue</em>; Default:
    Default: <b>pcp-based, sa-based, da-based, dscp-based, protocol-based, vlan-based</b>)</td>
<b>0-15:0,1:1,2:2,3:3</b>)</td>
     <td>Specifies applied QoS assignment schemes on ingress of the port.
     <td>Internal priority (0..15) mapping to queue (0..7) per port.</td>
<ul class="bullets">
<li> <var>da-based</var>
<li> <var>dscp-based</var>
<li> <var>ingress-acl-based</var>
<li> <var>pcp-based</var>
<li> <var>protocol-based</var>
<li> <var>sa-based</var>
<li> <var>vlan-based</var>
</ul></td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>pcp-or-dscp-based-qos-change-dei</b></var> (<em>yes | no</em>; Default:
     <td><var><b>per-queue-scheduling</b></var> (<em>Scheduling-type:Weight</em>;
<b>no</b>)</td>
Default: <b>wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,
     <td>Enable or disable PCP or DSCP based DEI change on port.</td>
wrr-group0:64,wrr-group0:128</b>)</td>
     <td>Set port to use either strict or weighted round robin policy for traffic shaping for each queue group, each queue is separated by a comma.</td>
</tr>
</tr>
</table>
<br>
<table class="styled_table">
<tr>
<tr>
    <td><var><b>pcp-or-dscp-based-qos-change-pcp</b></var> (<em>yes | no</em>; Default:
  <th width="50%">Property</th>
<b>no</b>)</td>
  <th >Description</th>
    <td>Enable or disable PCP or DSCP based PCP change on port.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>pcp-or-dscp-based-qos-change-dscp</b></var> (<em>yes | no</em>; Default:
     <td><var><b>ingress-customer-tpid-override</b></var> (<em>yes | no</em>;
<b>no</b>)</td>
Default:<b>!ingress-customer-tpid-override</b>)<br>
     <td>Enable or disable PCP or DSCP based DSCP change on port.</td>
<var><b>ingress-customer-tpid</b></var> (<em>0..10000</em>; Default: <b>0x8100</b>)</td>
     <td>Ingress customer TPID override allows accepting specific frames with a custom customer tag TPID.
Default value is for tag of 802.1Q frames.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>dscp-based-qos-dscp-to-dscp-mapping</b></var> (<em>yes | no</em>; Default:
     <td><var><b>egress-customer-tpid-override</b></var> (<em>yes | no</em>; Default:
<b>yes</b>)</td>
<b>!egress-customer-tpid-override</b>)<br>
     <td>Enable or disable DSCP to internal DSCP mapping on port.</td>
<var><b>egress-customer-tpid</b></var> (<em>0..10000</em>; Default:
<b>0x8100</b>)</td>
     <td>Egress customer TPID override allows custom identification for egress frames with a customer tag.
Default value is for tag of 802.1Q frames.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>pcp-based-qos-drop-precedence-mapping</b></var> (<em>PCP/DEI-range:drop-precedence</em>; Default:
     <td><var><b>ingress-service-tpid-override</b></var> (<em>yes | no</em>; Default:
<b>0-15:green</b>)</td>
<b>!ingress-service-tpid-override</b>)<br>
     <td>The new value of drop precedence for the PCP/DEI to drop precedence (drop | green | red | yellow) mapping.
<var><b>ingress-service-tpid</b></var> (<em>0..10000</em>; Default: <b>0x88A8</b>)</td>
Multiple mappings allowed separated by comma e.g. "0-7:yellow,8-15:red".</td>
     <td>Ingress service TPID override allows accepting specific frames with a custom service tag TPID.
Default value is for service tag of 802.1AD frames.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>pcp-based-qos-dscp-mapping</b></var> (<em>PCP/DEI-range:DEI</em>; Default:
     <td><var><b>egress-service-tpid-override</b></var> (<em>yes | no</em>; Default:
<b>0-15:0</b>)</td>
<b>!egress-service-tpid-override</b>)<br>
     <td>The new value of DSCP for the PCP/DEI to DSCP (0..63) mapping.
<var><b>egress-service-tpid</b></var> (<em>0..10000</em>; Default:
Multiple mappings allowed separated by comma e.g. "0-7:25,8-15:50".</td>
<b>0x88A8</b>)</td>
     <td>Egress service TPID override allows custom identification for egress frames with a service tag.
Default value is for service tag of 802.1AD frames.</td>
</tr>
</tr>
</table>
<br>
<table class="styled_table">
<tr>
<tr>
    <td><var><b>pcp-based-qos-dei-mapping</b></var> (<em>PCP/DEI-range:DEI</em>; Default:
  <th width="50%">Property</th>
<b>0-15:0</b>)</td>
  <th >Description</th>
    <td>The new value of DEI for the PCP/DEI to DEI (0..1) mapping. Multiple mappings allowed separated by comma e.g. "0-7:0,8-15:1".</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>pcp-based-qos-pcp-mapping</b></var> (<em>PCP/DEI-range:DEI</em>; Default:
     <td><var><b>custom-drop-counter-includes</b></var> (<em>counters</em>; Default:
<b>0-15:0</b>)</td>
<b>none</b>)</td>
     <td>The new value of PCP for the PCP/DEI to PCP (0..7) mapping.
     <td>Custom include to count dropped packets for switch port <var>custom-drop-packet</var> counter.
Multiple mappings allowed separated by comma e.g. "0-7:3,8-15:4".</td>
*'''device-loopback'''
*'''fdb-hash-violation'''
*'''exceeded-port-learn-limitation'''
*'''dynamic-station-move'''
*'''static-station-move'''
*'''ufdb-source-drop'''
*'''host-source-drop'''
*'''unknown-host'''
*'''ingress-vlan-filtered'''
</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>pcp-based-qos-priority-mapping</b></var> (<em>PCP/DEI-range:DEI</em>; Default:
     <td><var><b>queue-custom-drop-counter0-includes</b></var> (<em>counters</em>;
<b>0-15:0</b>)</td>
Default: <b>none</b>)</td>
    <td>The new value of internal priority for the PCP/DEI to priority (0..15) mapping.
        <td>Custom include to count dropped packets for switch port <var>tx-queue-custom0-drop-packet</var>
Multiple mappings allowed separated by comma e.g. "0-7:5,8-15:15".</td>
and bytes for <var>tx-queue-custom0-drop-byte</var> counters.
*'''red'''
*'''yellow'''
*'''green'''
*'''queue0'''
*'''...'''
*'''queue7'''
</td>
</tr>
</tr>
</table>
<br>
<table class="styled_table">
<tr>
<tr>
  <th width="50%">Property</th>
    <td><var><b>queue-custom-drop-counter1-includes</b></var> (<em>counters</em>;
  <th >Description</th>
Default: <b>none</b>)</td>
        <td>Custom include to count dropped packets for switch port <var>tx-queue-custom1-drop-packet</var>
and bytes for <var>tx-queue-custom1-drop-byte</var> counters.
*'''red'''
*'''yellow'''
*'''green'''
*'''queue0'''
*'''...'''
*'''queue7'''
</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>priority-to-queue</b></var> (<em>priority-range:queue</em>; Default:
     <td><var><b>policy-drop-counter-includes</b></var> (<em>counters</em>;
<b>0-15:0,1:1,2:2,3:3</b>)</td>
Default: <b>none</b>)</td>
    <td>Internal priority (0..15) mapping to queue (0..7) per port.</td>
    <td>Custom include to count dropped packets for switch port <var>policy-drop-packet</var> counter.
</tr>
*'''ingress-policing'''
<tr>
*'''ingress-acl'''
    <td><var><b>per-queue-scheduling</b></var> (<em>Scheduling-type:Weight</em>;
*'''egress-policing'''
Default: <b>wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,
*'''egress-acl'''
wrr-group0:64,wrr-group0:128</b>)</td>
</td>
    <td></td>
</tr>
</tr>
</table>
</table>
<br>
 
<p></p>
 
===Forwarding Databases===
 
====Unicast FDB====
 
<p id="shbox"><b>Sub-menu:</b> <code>/interface ethernet switch
unicast-fdb</code></p><br />
 
The unicast forwarding database supports up to 16318 MAC entries.


<table class="styled_table">
<table class="styled_table">
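Review bot: The new per-queue-scheduling description says the port can use "either strict or weighted round robin policy", but the row shows only wrr-group0 in its default and never lists the accepted Scheduling-type values or the weight range. Suggest adding the list of valid scheduling types and stating that the eight comma-separated items correspond to the port's queues in order.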
Line 944: Line 850:
</tr>
</tr>
<tr>
<tr>
     <td><var><b>ingress-customer-tpid-override</b></var> (<em>yes | no</em>;
     <td><var><b>action</b></var> (<em>action</em>; Default: <b>forward</b>)</td>
Default:<b>!ingress-customer-tpid-override</b>)<br>
    <td>Action for UFDB entry:
<var><b>ingress-customer-tpid</b></var> (<em>0..10000</em>; Default: <b>0x8100</b>)</td>
<ul class="bullets">
    <td>Ingress customer TPID override allows accepting specific frames with a custom customer tag TPID.
<li> <var>dst-drop</var> - Packets are dropped when their destination MAC match
Default value is for tag of 802.1Q frames.</td>
the entry.
</tr>
<li> <var>dst-redirect-to-cpu</var> - Packets are redirected to CPU when their
<tr>
destination MAC match the entry.
    <td><var><b>egress-customer-tpid-override</b></var> (<em>yes | no</em>; Default:
<li> <var>forward</var> - Packets are forwarded.
<b>!egress-customer-tpid-override</b>)<br>
<li> <var>src-and-dst-drop</var> - Packets are dropped when their source MAC or
<var><b>egress-customer-tpid</b></var> (<em>0..10000</em>; Default:
destination MAC match the entry.
<b>0x8100</b>)</td>
<li> <var>src-and-dst-redirect-to-cpu</var> - Packets are redirected to CPU
     <td>Egress customer TPID override allows custom identification for egress frames with a customer tag.
when their source MAC or destination MAC match the entry.
Default value is for tag of 802.1Q frames.</td>
<li> <var>src-drop</var> - Packets are dropped when their source MAC match the
entry.
<li> <var>src-redirect-to-cpu</var> - Packets are redirected to CPU when their
source MAC match the entry.
</ul>
     </td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>ingress-service-tpid-override</b></var> (<em>yes | no</em>; Default:
     <td><var><b>disabled</b></var> (<em>yes | no</em>; Default: <b>no</b>)</td>
<b>!ingress-service-tpid-override</b>)<br>
     <td>Enables or disables Unicast FDB entry.</td>
<var><b>ingress-service-tpid</b></var> (<em>0..10000</em>; Default: <b>0x88A8</b>)</td>
     <td>Ingress service TPID override allows accepting specific frames with a custom service tag TPID.
Default value is for service tag of 802.1AD frames.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>egress-service-tpid-override</b></var> (<em>yes | no</em>; Default:
     <td><var><b>isolation-profile</b></var> (<em>community1 | community2 |
<b>!egress-service-tpid-override</b>)<br>
isolated | promiscuous</em>; Default: <b>promiscuous</b>)</td>
<var><b>egress-service-tpid</b></var> (<em>0..10000</em>; Default:
     <td>MAC level isolation profile.</td>
<b>0x88A8</b>)</td>
     <td>Egress service TPID override allows custom identification for egress frames with a service tag.
Default value is for service tag of 802.1AD frames.</td>
</tr>
</tr>
</table>
<br>
<table class="styled_table">
<tr>
<tr>
  <th width="50%">Property</th>
    <td><var><b>mac-address</b></var> (<em>MAC address</em>)</td>
  <th >Description</th>
    <td>The <var>action</var> command applies to the packet when the destination MAC or
source MAC matches the entry.</td>
</tr>
<tr>
    <td><var><b>mirror</b></var> (<em>yes | no</em>; Default: <b>no</b>)</td>
    <td>Enables or disables mirroring based on source MAC or destination
MAC.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>custom-drop-counter-includes</b></var> (<em>counters</em>; Default:
     <td><var><b>port</b></var> (<em>port</em>)</td>
<b>none</b>)</td>
     <td>Matching port for the Unicast FDB entry.</td>
     <td>Custom include to count dropped packets for switch port <var>custom-drop-packet</var> counter.
*'''device-loopback'''
*'''fdb-hash-violation'''
*'''exceeded-port-learn-limitation'''
*'''dynamic-station-move'''
*'''static-station-move'''
*'''ufdb-source-drop'''
*'''host-source-drop'''
*'''unknown-host'''
*'''ingress-vlan-filtered'''
</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>queue-custom-drop-counter0-includes</b></var> (<em>counters</em>;
     <td><var><b>qos-group</b></var> (<em>none</em>; Default: <b>none</b>)</td>
Default: <b>none</b>)</td>
    <td>Defined QoS group from [[#QoS_Group | QoS group]] menu.</td>
        <td>Custom include to count dropped packets for switch port <var>tx-queue-custom0-drop-packet</var>
and bytes for <var>tx-queue-custom0-drop-byte</var> counters.
*'''red'''
*'''yellow'''
*'''green'''
*'''queue0'''
*'''...'''
*'''queue7'''
</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>queue-custom-drop-counter1-includes</b></var> (<em>counters</em>;
     <td><var><b>svl</b></var> (<em>yes | no</em>; Default: <b>no</b>)</td>
Default: <b>none</b>)</td>
    <td>Unicast FDB learning mode:
        <td>Custom include to count dropped packets for switch port <var>tx-queue-custom1-drop-packet</var>
<ul class="bullets">
and bytes for <var>tx-queue-custom1-drop-byte</var> counters.
<li> Shared VLAN Learning (svl) - learning/lookup is based on MAC addresses -
*'''red'''
not on VLAN IDs.
*'''yellow'''
<li> Independent VLAN Learning (ivl) - learning/lookup is based on both MAC
*'''green'''
addresses and VLAN IDs.
*'''queue0'''
</ul>
*'''...'''
    </td>
*'''queue7'''
</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>policy-drop-counter-includes</b></var> (<em>counters</em>;
     <td><var><b>vlan-id</b></var> (<em>0..4095</em>)</td>
Default: <b>none</b>)</td>
    <td>Unicast FDB lookup/learning VLAN id.</td>
    <td>Custom include to count dropped packets for switch port <var>policy-drop-packet</var> counter.
*'''ingress-policing'''
*'''ingress-acl'''
*'''egress-policing'''
*'''egress-acl'''
</td>
</tr>
</tr>
</table>
</table>
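Review bot: The src-drop bullet in the UFDB action list says packets are dropped when their source MAC matches the entry, without mentioning the port property drop-when-ufdb-entry-src-drop (Default: yes), which the page describes as enabling or disabling exactly that drop. Suggest a cross-reference on the src-drop bullet and a note on whether src-and-dst-drop depends on the same port property.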
Line 1,036: Line 915:
<p></p>
<p></p>


===Forwarding Databases===
====Multicast FDB====
 
====Unicast FDB====


<p id="shbox"><b>Sub-menu:</b> <code>/interface ethernet switch
<p id="shbox"><b>Sub-menu:</b> <code>/interface ethernet switch
unicast-fdb</code></p><br />
multicast-fdb</code></p><br />


The unicast forwarding database supports up to 16318 MAC entries.
CRS125 switch-chip supports up to 1024 entries in MFDB for multicast forwarding.
For each multicast packet, destination MAC or destination IP lookup is performed
in MFDB. MFDB entries are not
automatically learnt and can only be configured.


<table class="styled_table">
<table class="styled_table">
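Review bot: The Multicast FDB intro gives the 1024-entry MFDB limit for the CRS125 switch chip only, while the page covers the whole CRS1xx/2xx series. State whether the limit holds for the other models or name the ones it applies to, and join the sentence "MFDB entries are not automatically learnt and can only be configured", which is currently broken across two lines, into one.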
Line 1,051: Line 931:
</tr>
</tr>
<tr>
<tr>
     <td><var><b>action</b></var> (<em>action</em>; Default: <b>forward</b>)</td>
     <td><var><b>address</b></var> (<em>X.X.X.X | XX:XX:XX:XX:XX:XX</em>)</td>
     <td>Action for UFDB entry:
     <td>Matching IP address or MAC address for multicast packets.</td>
<ul class="bullets">
</tr>
<li> <var>dst-drop</var> - Packets are dropped when their destination MAC match
<tr>
the entry.
    <td><var><b>bypass-vlan-filter</b></var> (<em>yes | no</em>; Default:
<li> <var>dst-redirect-to-cpu</var> - Packets are redirected to CPU when their
<b>no</b>)</td>
destination MAC match the entry.
    <td>Allow to bypass VLAN filtering for matching multicast packets.</td>
<li> <var>forward</var> - Packets are forwarded.
<li> <var>src-and-dst-drop</var> - Packets are dropped when their source MAC or
destination MAC match the entry.
<li> <var>src-and-dst-redirect-to-cpu</var> - Packets are redirected to CPU
when their source MAC or destination MAC match the entry.
<li> <var>src-drop</var> - Packets are dropped when their source MAC match the
entry.
<li> <var>src-redirect-to-cpu</var> - Packets are redirected to CPU when their
source MAC match the entry.
</ul>
    </td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>disabled</b></var> (<em>yes | no</em>; Default: <b>no</b>)</td>
     <td><var><b>disabled</b></var> (<em>yes | no</em>; Default: <b>no</b>)</td>
     <td>Enables or disables Unicast FDB entry.</td>
     <td>Enables or disables Multicast FDB entry.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>isolation-profile</b></var> (<em>community1 | community2 |
     <td><var><b>ports</b></var> (<em>ports</em>)</td>
isolated | promiscuous</em>; Default: <b>promiscuous</b>)</td>
     <td>Member ports for multicast traffic.</td>
     <td>MAC level isolation profile.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>mac-address</b></var> (<em>MAC address</em>)</td>
     <td><var><b>qos-group</b></var> (<em>none</em>; Default: <b>none</b>)</td>
     <td>The <var>action</var> command applies to the packet when the destination MAC or
     <td>Defined QoS group from [[#QoS_Group | QoS group]] menu.</td>
source MAC matches the entry.</td>
</tr>
</tr>
<tr>
<tr>
    <td><var><b>mirror</b></var> (<em>yes | no</em>; Default: <b>no</b>)</td>
     <td><var><b>svl</b></var> (<em>yes | no</em>; Default: <b>no</b>)</td>
    <td>Enables or disables mirroring based on source MAC or destination
     <td>Multicast FDB learning mode:
MAC.</td>
<ul class="bullets">
</tr>
<li> Shared VLAN Learning (svl) - learning/lookup is based on MAC addresses -
<tr>
    <td><var><b>port</b></var> (<em>port</em>)</td>
    <td>Matching port for the Unicast FDB entry.</td>
</tr>
<tr>
    <td><var><b>qos-group</b></var> (<em>none</em>; Default: <b>none</b>)</td>
    <td>Defined QoS group from [[#QoS_Group | QoS group]] menu.</td>
</tr>
<tr>
     <td><var><b>svl</b></var> (<em>yes | no</em>; Default: <b>no</b>)</td>
     <td>Unicast FDB learning mode:
<ul class="bullets">
<li> Shared VLAN Learning (svl) - learning/lookup is based on MAC addresses -
not on VLAN IDs.
not on VLAN IDs.
<li> Independent VLAN Learning (ivl) - learning/lookup is based on both MAC
<li> Independent VLAN Learning (ivl) - learning/lookup is based on both MAC
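Review bot: In the `svl` row the property takes `yes | no`, but the description lists Shared VLAN Learning and Independent VLAN Learning as two bullets without saying which value selects which, so the reader has to infer that the default `no` means IVL. Spell the mapping out per value. In the same hunk, the `bypass-vlan-filter` description does not say which VLAN filtering stage is skipped, and the `action` row gives its type as `action` instead of enumerating the values the way the Reserved FDB row does.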
Line 1,109: Line 963:
</tr>
</tr>
<tr>
<tr>
     <td><var><b>vlan-id</b></var> (<em>0..4095</em>)</td>
     <td><var><b>vlan-id</b></var> (<em>0..4095</em>; Default: <b>0</b>)</td>
     <td>Unicast FDB lookup/learning VLAN id.</td>
     <td>Multicast FDB lookup VLAN id. If VLAN learning mode is IVL, VLAN id is
lookup id, otherwise VLAN id = 0.</td>
</tr>
</tr>
</table>
</table>
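Review bot: In the Multicast FDB `vlan-id` row, "If VLAN learning mode is IVL, VLAN id is lookup id, otherwise VLAN id = 0" does not say whether the switch ignores a configured value under SVL or the operator has to enter 0. State which, and refer to the `svl` property by value (`svl=no` / `svl=yes`) rather than by acronym. The Unicast FDB row gives no default while this one gives `0`; if both default to 0, show it in both.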
Line 1,116: Line 971:
<p></p>
<p></p>


====Multicast FDB====
====Reserved FDB====


<p id="shbox"><b>Sub-menu:</b> <code>/interface ethernet switch
<p id="shbox"><b>Sub-menu:</b> <code>/interface ethernet switch
multicast-fdb</code></p><br />
reserved-fdb</code></p><br />


CRS125 switch-chip supports up to 1024 entries in MFDB for multicast forwarding.
Cloud Router Switch supports 256 RFDB entries. Each RFDB entry can store either
For each multicast packet, destination MAC or destination IP lookup is performed
Layer2 unicast or multicast MAC address with specific commands.
in MFDB. MFDB entries are not
automatically learnt and can only be configured.


<table class="styled_table">
<table class="styled_table">
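Review bot: "with specific commands" in the Reserved FDB intro is too vague to act on; name what an entry can do, for example by pointing at the `action` values (`copy-to-cpu`, `drop`, `forward`, `redirect-to-cpu`) listed in the table that follows. The text here also does not say how an RFDB match relates to a UFDB or MFDB match for the same MAC address, which a reader configuring a `drop` entry needs to know.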
Line 1,132: Line 985:
</tr>
</tr>
<tr>
<tr>
     <td><var><b>address</b></var> (<em>X.X.X.X | XX:XX:XX:XX:XX:XX</em>)</td>
     <td><var><b>action</b></var> (<em>copy-to-cpu | drop | forward |
     <td>Matching IP address or MAC address for multicast packets.</td>
redirect-to-cpu</em>; Default: <b>forward</b>)</td>
    <td>Action for RFDB entry:
<ul class="bullets">
<li> <var>copy-to-cpu</var> - Packets are copied to CPU when their destination
MAC match the entry.
<li> <var>drop</var> - Packets are dropped when their destination MAC match the
entry.
<li> <var>forward</var> - Packets are forwarded when their destination MAC
match the entry.
<li> <var>redirect-to-cpu</var> - Packets are redirected to CPU when their
destination MAC match the entry.
</ul>
    </td>
</tr>
<tr>
    <td><var><b>bypass-ingress-port-policing</b></var> (<em>yes | no</em>; Default:
<b>no</b>)</td>
     <td>Allow to bypass Ingress Port Policer for matching packets.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>bypass-vlan-filter</b></var> (<em>yes | no</em>; Default:
     <td><var><b>bypass-ingress-vlan-filter</b></var> (<em>yes | no</em>; Default:
<b>no</b>)</td>
<b>no</b>)</td>
     <td>Allow to bypass VLAN filtering for matching multicast packets.</td>
     <td>Allow to bypass VLAN filtering for matching packets.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>disabled</b></var> (<em>yes | no</em>; Default: <b>no</b>)</td>
     <td><var><b>disabled</b></var> (<em>yes | no</em>; Default: <b>no</b>)</td>
     <td>Enables or disables Multicast FDB entry.</td>
     <td>Enables or disables Reserved FDB entry.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>ports</b></var> (<em>ports</em>)</td>
     <td><var><b>mac-address</b></var> (<em>MAC address</em>; Default:
     <td>Member ports for multicast traffic.</td>
<b>00:00:00:00:00:00</b>)</td>
     <td>Matching MAC address for Reserved FDB entry.</td>
</tr>
</tr>
<tr>
<tr>
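Review bot: The `bypass-ingress-vlan-filter` description says only "bypass VLAN filtering", dropping the "ingress" that the property name carries, and the Multicast FDB counterpart is named `bypass-vlan-filter` with near-identical text. Make each description name the filtering stage it skips so the two are not read as equivalent. The `mac-address` row lists a default of `00:00:00:00:00:00` next to `disabled` defaulting to `no`; document what an entry left at that default matches.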
Line 1,152: Line 1,023:
     <td>Defined QoS group from [[#QoS_Group | QoS group]] menu.</td>
     <td>Defined QoS group from [[#QoS_Group | QoS group]] menu.</td>
</tr>
</tr>
<tr>
</table>
    <td><var><b>svl</b></var> (<em>yes | no</em>; Default: <b>no</b>)</td>
    <td>Multicast FDB learning mode:
<ul class="bullets">
<li> Shared VLAN Learning (svl) - learning/lookup is based on MAC addresses -
not on VLAN IDs.
<li> Independent VLAN Learning (ivl) - learning/lookup is based on both MAC
addresses and VLAN IDs.
</ul>
    </td>
</tr>
<tr>
    <td><var><b>vlan-id</b></var> (<em>0..4095</em>; Default: <b>0</b>)</td>
    <td>Multicast FDB lookup VLAN id. If VLAN learning mode is IVL, VLAN id is
lookup id, otherwise VLAN id = 0.</td>
</tr>
</table>


<p></p>
<p></p>


====Reserved FDB====
===VLAN===
 
====VLAN Table====


<p id="shbox"><b>Sub-menu:</b> <code>/interface ethernet switch
<p id="shbox"><b>Sub-menu:</b> <code>/interface ethernet switch
reserved-fdb</code></p><br />
vlan</code></p><br />


Cloud Router Switch supports 256 RFDB entries. Each RFDB entry can store either
The VLAN table supports 4096 VLAN entries for storing VLAN member information as
Layer2 unicast or multicast MAC address with specific commands.
well as
other VLAN information such as QoS, isolation, forced VLAN, learning, and
mirroring.


<table class="styled_table">
<table class="styled_table">
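Review bot: The VLAN Table intro says entries store "QoS, isolation, forced VLAN, learning, and mirroring", but the property rows shown for this table (`disabled`, `flood`, `ingress-mirror`, `learn`, `ports`, `qos-group`, `svl`, `vlan-id`) include nothing for isolation. Either add the missing row or drop "isolation" from the sentence, and put the property name `flood` next to "forced VLAN" so the reader can map the term to the setting.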
Line 1,186: Line 1,045:
</tr>
</tr>
<tr>
<tr>
     <td><var><b>action</b></var> (<em>copy-to-cpu | drop | forward |
     <td><var><b>disabled</b></var> (<em>yes | no</em>; Default: <b>no</b>)</td>
redirect-to-cpu</em>; Default: <b>forward</b>)</td>
     <td>Indicate whether the VLAN entry is disabled. Only enabled entry is
     <td>Action for RFDB entry:
applied to lookup process and forwarding decision.</td>
<ul class="bullets">
<li> <var>copy-to-cpu</var> - Packets are copied to CPU when their destination
MAC match the entry.
<li> <var>drop</var> - Packets are dropped when their destination MAC match the
entry.
<li> <var>forward</var> - Packets are forwarded when their destination MAC
match the entry.
<li> <var>redirect-to-cpu</var> - Packets are redirected to CPU when their
destination MAC match the entry.
</ul>
    </td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>bypass-ingress-port-policing</b></var> (<em>yes | no</em>; Default:
     <td><var><b>flood</b></var> (<em>yes | no</em>; Default: <b>no</b>)</td>
<b>no</b>)</td>
     <td>Enables or disables forced VLAN flooding per VLAN. If the feature is
     <td>Allow to bypass Ingress Port Policer for matching packets.</td>
enabled, the result of destination MAC lookup in the UFDB or MFDB is ignored,
and the packet is forced to flood in the VLAN.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>bypass-ingress-vlan-filter</b></var> (<em>yes | no</em>; Default:
     <td><var><b>ingress-mirror</b></var> (<em>yes | no</em>; Default:
<b>no</b>)</td>
<b>no</b>)</td>
     <td>Allow to bypass VLAN filtering for matching packets.</td>
     <td>Enable the ingress mirror per VLAN to support the VLAN-based mirror
function.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>disabled</b></var> (<em>yes | no</em>; Default: <b>no</b>)</td>
     <td><var><b>learn</b></var> (<em>yes | no</em>; Default:
     <td>Enables or disables Reserved FDB entry.</td>
<b>yes</b>)</td>
     <td>Enables or disables source MAC learning for VLAN.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>mac-address</b></var> (<em>MAC address</em>; Default:
     <td><var><b>ports</b></var> (<em>ports</em>)</td>
<b>00:00:00:00:00:00</b>)</td>
     <td>Member ports of the VLAN.</td>
     <td>Matching MAC address for Reserved FDB entry.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>qos-group</b></var> (<em>none</em>; Default: <b>none</b>)</td>
     <td><var><b>qos-group</b></var> (<em>none</em>; Default: <b>none</b>)</td>
     <td>Defined QoS group from [[#QoS_Group | QoS group]] menu.</td>
     <td>Defined QoS group from [[#QoS_Group | QoS group]] menu.</td>
</tr>
<tr>
    <td><var><b>svl</b></var> (<em>yes | no</em>; Default: <b>no</b>)</td>
    <td>FDB lookup mode for lookup in UFDB and MFDB.
<ul class="bullets">
<li> Shared VLAN Learning (svl) - learning/lookup is based on MAC addresses -
not on VLAN IDs.
<li> Independent VLAN Learning (ivl) - learning/lookup is based on both MAC
addresses and VLAN IDs.
</ul>
    </td>
</tr>
<tr>
    <td><var><b>vlan-id</b></var> (<em>0..4095</em>)</td>
    <td>VLAN id of the VLAN member entry.</td>
</tr>
</tr>
</table>
</table>
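Review bot: The `flood` row says the UFDB or MFDB lookup result is ignored and the packet is flooded in the VLAN, but it does not say whether Reserved FDB actions such as `drop` or `redirect-to-cpu` still apply to those packets. Add that, since it decides whether RFDB entries remain effective on a VLAN with `flood=yes`. In the `disabled` row, "Only enabled entry is applied" should read "Only enabled entries are applied".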
Line 1,228: Line 1,093:
<p></p>
<p></p>


===VLAN===
====Egress VLAN Tag====
 
====VLAN Table====


<p id="shbox"><b>Sub-menu:</b> <code>/interface ethernet switch
<p id="shbox"><b>Sub-menu:</b> <code>/interface ethernet switch
vlan</code></p><br />
egress-vlan-tag</code></p><br />


The VLAN table supports 4096 VLAN entries for storing VLAN member information as
Egress packets can be assigned different VLAN tag format. The VLAN tags can be
well as
removed,
other VLAN information such as QoS, isolation, forced VLAN, learning, and
added, or remained as is when the packet is sent to the egress port (destination
mirroring.
port). Each
port has dedicated control on the egress VLAN tag format. The tag formats
include:
* Untagged
* Tagged
* Unmodified
 
The Egress VLAN Tag table includes 4096 entries for VLAN tagging selection.


<table class="styled_table">
<table class="styled_table">
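Review bot: The Egress VLAN Tag intro lists three tag formats (Untagged, Tagged, Unmodified), but the table that follows only offers `tagged-ports`, so the text never says how a port ends up untagged versus unmodified. Add a sentence on what happens on egress for ports that are not listed in `tagged-ports`. "removed, added, or remained as is" should be "removed, added, or left as is".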
Line 1,247: Line 1,117:
<tr>
<tr>
     <td><var><b>disabled</b></var> (<em>yes | no</em>; Default: <b>no</b>)</td>
     <td><var><b>disabled</b></var> (<em>yes | no</em>; Default: <b>no</b>)</td>
     <td>Indicate whether the VLAN entry is disabled. Only enabled entry is
     <td>Enables or disables Egress VLAN Tag table entry.</td>
applied to lookup process and forwarding decision.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>flood</b></var> (<em>yes | no</em>; Default: <b>no</b>)</td>
     <td><var><b>tagged-ports</b></var> (<em>ports</em>)</td>
     <td>Enables or disables forced VLAN flooding per VLAN. If the feature is
     <td>Ports which are tagged in egress.</td>
enabled, the result of destination MAC lookup in the UFDB or MFDB is ignored,
and the packet is forced to flood in the VLAN.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>ingress-mirror</b></var> (<em>yes | no</em>; Default:
     <td><var><b>vlan-id</b></var> (<em>0..4095</em>)</td>
<b>no</b>)</td>
     <td>VLAN id which is tagged in egress.</td>
     <td>Enable the ingress mirror per VLAN to support the VLAN-based mirror
function.</td>
</tr>
</tr>
<tr>
</table>
    <td><var><b>learn</b></var> (<em>yes | no</em>; Default:
 
<b>yes</b>)</td>
<p></p>
    <td>Enables or disables source MAC learning for VLAN.</td>
 
====Ingress/Egress VLAN Translation====
 
The Ingress VLAN Translation table allows for up to 15 entries for each port. One or multiple fields can be selected from packet header for lookup in the
Ingress VLAN Translation table. The S-VLAN or C-VLAN or both configured in the first matched entry is assigned to the packet.
 
<p id="shbox"><b>Sub-menu:</b> <code>/interface ethernet switch
ingress-vlan-translation</code></p><br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface ethernet switch
egress-vlan-translation</code></p><br />
 
<table class="styled_table">
<tr>
  <th width="50%">Property</th>
  <th >Description</th>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>ports</b></var> (<em>ports</em>)</td>
     <td><var><b>customer-dei</b></var> (<em>0..1</em>; Default:
     <td>Member ports of the VLAN.</td>
<b>none</b>)</td>
     <td>Matching DEI of the customer tag.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>qos-group</b></var> (<em>none</em>; Default: <b>none</b>)</td>
     <td><var><b>customer-pcp</b></var> (<em>0..7</em>; Default:
     <td>Defined QoS group from [[#QoS_Group | QoS group]] menu.</td>
<b>none</b>)</td>
     <td>Matching PCP of the customer tag.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>svl</b></var> (<em>yes | no</em>; Default: <b>no</b>)</td>
     <td><var><b>customer-vid</b></var> (<em>0..4095</em>; Default:
     <td>FDB lookup mode for lookup in UFDB and MFDB.
<b>none</b>)</td>
<ul class="bullets">
    <td>Matching VLAN id of the customer tag.</td>
<li> Shared VLAN Learning (svl) - learning/lookup is based on MAC addresses -
</tr>
not on VLAN IDs.
<tr>
<li> Independent VLAN Learning (ivl) - learning/lookup is based on both MAC
    <td><var><b>customer-vlan-format</b></var> (<em>any |
addresses and VLAN IDs.
priority-tagged-or-tagged | tagged | untagged-or-tagged</em>; Default:<b>any</b>)</td>
    <td>Type of frames with customer tag for which VLAN translation rule is
valid.</td>
</tr>
<tr>
    <td><var><b>disabled</b></var> (<em>yes | no</em>; Default: <b>no</b>)</td>
     <td>Enables or disables VLAN translation entry.</td>
</tr>
<tr>
    <td><var><b>new-customer-vid</b></var> (<em>0..4095</em>; Default:
<b>none</b>)</td>
    <td>The new customer VLAN id which replaces matching customer VLAN id. If set to 4095 and ingress VLAN translation is used, then traffic is dropped.</td>
</tr>
<tr>
    <td><var><b>new-service-vid</b></var> (<em>0..4095</em>; Default:
<b>none</b>)</td>
    <td>The new service VLAN id which replaces matching service VLAN id.</td>
</tr>
<tr>
    <td><var><b>pcp-propagation</b></var> (<em>yes | no</em>; Default:
<b>no</b>)</td>
    <td>Enables or disables PCP propagation.
<ul class="bullets">
<li> If the port type is Edge, the customer PCP is copied from the service PCP.
<li> If the port type is Network, the service PCP is copied from the customer PCP.
</ul>
</ul>
     </td>
     </td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>vlan-id</b></var> (<em>0..4095</em>)</td>
     <td><var><b>ports</b></var> (<em>ports</em>)</td>
     <td>VLAN id of the VLAN member entry.</td>
     <td>Matching switch ports for VLAN translation rule.</td>
</tr>
</tr>
</table>
<p></p>
====Egress VLAN Tag====
<p id="shbox"><b>Sub-menu:</b> <code>/interface ethernet switch
egress-vlan-tag</code></p><br />
Egress packets can be assigned different VLAN tag format. The VLAN tags can be
removed,
added, or remained as is when the packet is sent to the egress port (destination
port). Each
port has dedicated control on the egress VLAN tag format. The tag formats
include:
* Untagged
* Tagged
* Unmodified
The Egress VLAN Tag table includes 4096 entries for VLAN tagging selection.
<table class="styled_table">
<tr>
<tr>
  <th width="50%">Property</th>
    <td><var><b>protocol</b></var> (<em>protocols</em>; Default:
  <th >Description</th>
<b>none</b>)</td>
    <td>Matching Ethernet protocol. ''(only for Ingress VLAN Translation)''</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>disabled</b></var> (<em>yes | no</em>; Default: <b>no</b>)</td>
     <td><var><b>sa-learning</b></var> (<em>yes | no</em>; Default:
     <td>Enables or disables Egress VLAN Tag table entry.</td>
<b>no</b>)</td>
     <td>Enables or disables source MAC learning after VLAN translation. ''(only for Ingress VLAN Translation)''</td>
</tr>
<tr>
    <td><var><b>service-dei</b></var> (<em>0..1</em>; Default: <b>none</b>)</td>
    <td>Matching DEI of the service tag.</td>
</tr>
<tr>
    <td><var><b>service-pcp</b></var> (<em>0..7</em>; Default: <b>none</b>)</td>
    <td>Matching PCP of the service tag.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>tagged-ports</b></var> (<em>ports</em>)</td>
     <td><var><b>service-vid</b></var> (<em>0..4095</em>; Default:
     <td>Ports which are tagged in egress.</td>
<b>none</b>)</td>
     <td>Matching VLAN id of the service tag.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>vlan-id</b></var> (<em>0..4095</em>)</td>
     <td><var><b>service-vlan-format</b></var> (<em>any |
     <td>VLAN id which is tagged in egress.</td>
priority-tagged-or-tagged | tagged | untagged-or-tagged</em>; Default:<b>any</b>)</td>
     <td>Type of frames with service tag for which VLAN translation rule is
valid.</td>
</tr>
</tr>
</table>
</table>
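Review bot: The Ingress/Egress VLAN Translation intro describes only the ingress table (entries per port, first-match assignment), while the heading, both sub-menus and the property table also cover egress translation. Add the egress limit and matching behaviour, or state that they are the same. The per-port entry count also differs between the two revisions shown on this page (15 in this hunk, 16 in the other copy of the sentence), so confirm which is correct. In the `new-customer-vid` row, "If set to 4095 and ingress VLAN translation is used, then traffic is dropped" leaves open what 4095 does in `new-service-vid` and in egress translation.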
Line 1,332: Line 1,228:
<p></p>
<p></p>


====Ingress/Egress VLAN Translation====
Below is a table of traffic that triggers a rule that has a certain VLAN format set, note that traffic that is tagged with VLAN ID 0 is a special case that is also taken into account.
 
<table class="styled_table">
<tr>
  <th width="50%">Property</th>
  <th >Description</th>
</tr>
<tr>
    <td><var><b>any</b></var></td>
    <td>Accepts:
* Untagged traffic
* Tagged traffic
* Tagged traffic with priority set
* VLAN 0 traffic
* VLAN 0 traffic with priority set
</td>
</tr>
<tr>
    <td><var><b>priority-tagged-or-tagged</b></var></td>
    <td>Accepts:
* Tagged traffic
* Tagged traffic with priority set
* VLAN 0 traffic
* VLAN 0 traffic with priority set
</td>
</tr>
<tr>
    <td><var><b>tagged</b></var></td>
    <td>Accepts:
* Tagged traffic
* Tagged traffic with priority set
</td>
<tr>
    <td><var><b>untagged-or-tagged</b></var></td>
    <td>Accepts:
* Untagged traffic
* Tagged traffic
* Tagged traffic with priority set
</td>
</tr>
</table>
<br />
 
{{ Warning | If <code>VLAN-format</code> is set to <code>any</code>, then <code>customer-vid/service-vid</code> set to <code>0</code> will trigger the switch rule with VLAN 0 traffic. In this case the switch rule will be looking for untagged traffic or traffic with VLAN 0 tag, only <code>untagged-or-tagged</code> will filter out VLAN 0 traffic in this case. }}
 
====Protocol Based VLAN====


The Ingress VLAN Translation table allows for up to 16 entries for each port. One or multiple fields can be selected from packet header for lookup in the
Ingress VLAN Translation table. The S-VLAN or C-VLAN or both configured in the first matched entry is assigned to the packet.
<p id="shbox"><b>Sub-menu:</b> <code>/interface ethernet switch
ingress-vlan-translation</code></p><br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface ethernet switch
<p id="shbox"><b>Sub-menu:</b> <code>/interface ethernet switch
egress-vlan-translation</code></p><br />
protocol-based-vlan</code></p><br />
 
Protocol Based VLAN table is used to assign VID and QoS attributes to related
protocol packet per port.


<table class="styled_table">
<table class="styled_table">
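Review bot: The warning says "only `untagged-or-tagged` will filter out VLAN 0 traffic", but in the table directly above it the `tagged` row also leaves VLAN 0 traffic out of its "Accepts" list. Reword the warning to match the table, or correct the table. The `tagged` row is also missing its closing `</tr>` before the `untagged-or-tagged` row opens, and the column headers "Property" and "Description" would be clearer as "VLAN format" and "Accepted traffic".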
Line 1,348: Line 1,287:
</tr>
</tr>
<tr>
<tr>
     <td><var><b>customer-dei</b></var> (<em>0..1</em>; Default:
     <td><var><b>disabled</b></var> (<em>yes | no</em>; Default: <b>no</b>)</td>
<b>none</b>)</td>
     <td>Enables or disables Protocol Based VLAN entry.</td>
     <td>Matching DEI of the customer tag.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>customer-pcp</b></var> (<em>0..7</em>; Default:
     <td><var><b>frame-type</b></var> (<em>ethernet | llc | rfc-1042</em>;
<b>none</b>)</td>
Default: <b>ethernet</b>)</td>
     <td>Matching PCP of the customer tag.</td>
     <td>Encapsulation type of the matching frames.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>customer-vid</b></var> (<em>0..4095</em>; Default:
     <td><var><b>new-customer-vid</b></var> (<em>0..4095</em>; Default:
<b>none</b>)</td>
<b>0</b>)</td>
     <td>Matching VLAN id of the customer tag.</td>
     <td>The new customer VLAN id which replaces original customer VLAN id for
specified protocol. If set to 4095, then traffic is dropped.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>customer-vlan-format</b></var> (<em>any |
     <td><var><b>new-service-vid</b></var> (<em>0..4095</em>; Default:
priority-tagged-or-tagged | tagged | untagged-or-tagged</em>; Default:<b>any</b>)</td>
<b>0</b>)</td>
     <td>Type of frames with customer tag for which VLAN translation rule is
     <td>The new service VLAN id which replaces original service VLAN id for
valid.</td>
specified protocol.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>disabled</b></var> (<em>yes | no</em>; Default: <b>no</b>)</td>
     <td><var><b>ports</b></var> (<em>ports</em>)</td>
     <td>Enables or disables VLAN translation entry.</td>
     <td>Matching switch ports for Protocol based VLAN rule.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>new-customer-vid</b></var> (<em>0..4095</em>; Default:
     <td><var><b>protocol</b></var> (<em>protocol</em>; Default: <b>0</b>)</td>
<b>none</b>)</td>
     <td>Matching protocol for Protocol based VLAN rule.</td>
     <td>The new customer VLAN id which replaces matching customer VLAN id.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>new-service-vid</b></var> (<em>0..4095</em>; Default:
     <td><var><b>qos-group</b></var> (<em>none</em>; Default: <b>none</b>)</td>
<b>none</b>)</td>
     <td>Defined QoS group from [[#QoS_Group | QoS group]] menu.</td>
     <td>The new service VLAN id which replaces matching service VLAN id.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>pcp-propagation</b></var> (<em>yes | no</em>; Default:
     <td><var><b>set-customer-vid-for</b></var> (<em>all | none | tagged |
<b>no</b>)</td>
untagged-or-priority-tagged</em>; Default: <b>all</b>)</td>
     <td>Enables or disables PCP propagation.
     <td>Customer VLAN id assignment command for different packet type.</td>
<ul class="bullets">
<li> If the port type is Edge, the customer PCP is copied from the service PCP.
<li> If the port type is Network, the service PCP is copied from the customer PCP.
</ul>
    </td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>ports</b></var> (<em>ports</em>)</td>
     <td><var><b>set-qos-for</b></var> (<em>all | none | tagged |
     <td>Matching switch ports for VLAN translation rule.</td>
untagged-or-priority-tagged</em>; Default: <b>none</b>)</td>
     <td>Frame type for which QoS assignment command applies.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>protocol</b></var> (<em>protocols</em>; Default:
     <td><var><b>set-service-vid-for</b></var> (<em>all | none | tagged |
<b>none</b>)</td>
untagged-or-priority-tagged</em>; Default: <b>all</b>)</td>
     <td>Matching Ethernet protocol. ''(only for Ingress VLAN Translation)''</td>
     <td>Service VLAN id assignment command for different packet type.</td>
</tr>
</tr>
<tr>
</table>
    <td><var><b>sa-learning</b></var> (<em>yes | no</em>; Default:
 
<b>no</b>)</td>
<p></p>
    <td>Enables or disables source MAC learning after VLAN translation. ''(only for Ingress VLAN Translation)''</td>
 
</tr>
====MAC Based VLAN====
<tr>
    <td><var><b>service-dei</b></var> (<em>0..1</em>; Default: <b>none</b>)</td>
    <td>Matching DEI of the service tag.</td>
</tr>
<tr>
    <td><var><b>service-pcp</b></var> (<em>0..7</em>; Default: <b>none</b>)</td>
    <td>Matching PCP of the service tag.</td>
</tr>
<tr>
    <td><var><b>service-vid</b></var> (<em>0..4095</em>; Default:
<b>none</b>)</td>
    <td>Matching VLAN id of the service tag.</td>
</tr>
<tr>
    <td><var><b>service-vlan-format</b></var> (<em>any |
priority-tagged-or-tagged | tagged | untagged-or-tagged</em>; Default:<b>any</b>)</td>
    <td>Type of frames with service tag for which VLAN translation rule is
valid.</td>
</tr>
</table>
 
<p></p>
 
====Protocol Based VLAN====


<p id="shbox"><b>Sub-menu:</b> <code>/interface ethernet switch
<p id="shbox"><b>Sub-menu:</b> <code>/interface ethernet switch
protocol-based-vlan</code></p><br />
mac-based-vlan</code></p><br />


Protocol Based VLAN table is used to assign VID and QoS attributes to related
MAC Based VLAN table is used to assign VLAN based on source MAC.
protocol packet per port.


<table class="styled_table">
<table class="styled_table">
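Review bot: In the Protocol Based VLAN rows, `new-customer-vid` documents that 4095 drops traffic, but `new-service-vid` has the same `0..4095` range and says nothing about 4095. State whether the drop behaviour applies there too. The `protocol` row ("protocol; Default: 0") should say what form the value takes, and the `set-customer-vid-for`, `set-qos-for` and `set-service-vid-for` rows should explain each of `all | none | tagged | untagged-or-priority-tagged` instead of "assignment command for different packet type".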
Line 1,444: Line 1,352:
<tr>
<tr>
     <td><var><b>disabled</b></var> (<em>yes | no</em>; Default: <b>no</b>)</td>
     <td><var><b>disabled</b></var> (<em>yes | no</em>; Default: <b>no</b>)</td>
     <td>Enables or disables Protocol Based VLAN entry.</td>
     <td>Enables or disables MAC Based VLAN entry.</td>
</tr>
<tr>
    <td><var><b>frame-type</b></var> (<em>ethernet | llc | rfc-1042</em>;
Default: <b>ethernet</b>)</td>
    <td>Encapsulation type of the matching frames.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>new-customer-vid</b></var> (<em>0..4095</em>; Default:
     <td><var><b>new-customer-vid</b></var> (<em>0..4095</em>; Default:
<b>0</b>)</td>
<b>0</b>)</td>
     <td>The new customer VLAN id which replaces original customer VLAN id for
     <td>The new customer VLAN id which replaces original service VLAN id for
specified protocol.</td>
matched packets. If set to 4095, then traffic is dropped.</td>
</tr>
</tr>
<tr>
<tr>
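Review bot: The MAC Based VLAN `new-customer-vid` description reads "The new customer VLAN id which replaces original service VLAN id"; "service" looks like a copy-paste from the `new-service-vid` row and should be "customer". Both versions of the row shown here carry the same wording, so the fix is needed regardless of which revision is kept.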
Line 1,461: Line 1,364:
<b>0</b>)</td>
<b>0</b>)</td>
     <td>The new service VLAN id which replaces original service VLAN id for
     <td>The new service VLAN id which replaces original service VLAN id for
specified protocol.</td>
matched packets.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>ports</b></var> (<em>ports</em>)</td>
     <td><var><b>src-mac-address</b></var> (<em>MAC address</em>)</td>
     <td>Matching switch ports for Protocol based VLAN rule.</td>
     <td>Matching source MAC address for MAC based VLAN rule.</td>
</tr>
<tr>
    <td><var><b>protocol</b></var> (<em>protocol</em>; Default: <b>0</b>)</td>
    <td>Matching protocol for Protocol based VLAN rule.</td>
</tr>
<tr>
    <td><var><b>qos-group</b></var> (<em>none</em>; Default: <b>none</b>)</td>
    <td>Defined QoS group from [[#QoS_Group | QoS group]] menu.</td>
</tr>
</tr>
</table>
{{Note | All CRS1xx/2xx series switches support up to 1024 MAC Based VLAN table entries.}}
<p></p>
====1:1 VLAN Switching====
<p id="shbox"><b>Sub-menu:</b> <code>/interface ethernet switch
one2one-vlan-switching</code></p><br />
1:1 VLAN switching can be used to replace the regular L2 bridging for matched
packets.
When a packet hits an 1:1 VLAN switching table entry, the destination port
information in
the entry is assigned to the packet. The matched destination information in UFDB
and MFDB
entry no longer applies to the packet.
<table class="styled_table">
<tr>
<tr>
    <td><var><b>set-customer-vid-for</b></var> (<em>all | none | tagged |
  <th width="50%">Property</th>
untagged-or-priority-tagged</em>; Default: <b>all</b>)</td>
  <th >Description</th>
    <td>Customer VLAN id assignment command for different packet type.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>set-qos-for</b></var> (<em>all | none | tagged |
     <td><var><b>customer-vid</b></var> (<em>0..4095</em>; Default:
untagged-or-priority-tagged</em>; Default: <b>none</b>)</td>
<b>0</b>)</td>
     <td>Frame type for which QoS assignment command applies.</td>
     <td>Matching customer VLAN id for 1:1 VLAN switching.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>set-service-vid-for</b></var> (<em>all | none | tagged |
     <td><var><b>disabled</b></var> (<em>yes | no</em>; Default: <b>no</b>)</td>
untagged-or-priority-tagged</em>; Default: <b>all</b>)</td>
     <td>Enables or disables 1:1 VLAN switching table entry.</td>
     <td>Service VLAN id assignment command for different packet type.</td>
</tr>
</tr>
</table>
<tr>
 
    <td><var><b>dst-port</b></var> (<em>port</em>)</td>
    <td>Destination port for matched 1:1 VLAN switching packets.</td>
</tr>
<tr>
    <td><var><b>service-vid</b></var> (<em>0..4095</em>; Default: <b>0</b>)</td>
    <td>Matching customer VLAN id for 1:1 VLAN switching.</td>
</tr>
</table>
 
<p></p>
<p></p>


====MAC Based VLAN====
===Port Isolation/Leakage===


<p id="shbox"><b>Sub-menu:</b> <code>/interface ethernet switch
<p id="shbox"><b>Sub-menu:</b> <code>/interface ethernet switch
mac-based-vlan</code></p><br />
port-isolation</code></p><br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface ethernet switch
port-leakage</code></p><br />


MAC Based VLAN table is used to assign VLAN based on source MAC.
The CRS switches support flexible multi-level isolation features, which can be
used for user access control, traffic engineering and advanced security and
network management.
The isolation features provide an organized fabric structure allowing user to
easily program and
control the access by port, MAC address, VLAN, protocol, flow and frame type.
The following isolation and leakage features are supported:
* Port-level isolation
* MAC-level isolation
* VLAN-level isolation
* Protocol-level isolation
* Flow-level isolation
* Free combination of the above


<table class="styled_table">
Port-level isolation supports different control schemes on source port and
destination port. Each
entry can be programmed with access control for either source port or
destination port.
* When the entry is programmed with source port access control, the entry is
applied to the ingress packets.
* When the entry is programmed with destination port access control, the entry
is applied to the egress packets.
 
Port leakage allows bypassing egress VLAN filtering on the port. Leaky port is
allowed to access
other ports for various applications such as security, network control and
management.
Note: When both isolation and leakage is applied to the same port, the port is
isolated.
 
<table class="styled_table">
<tr>
<tr>
   <th width="50%">Property</th>
   <th width="50%">Property</th>
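Review bot: In the 1:1 VLAN Switching table the `service-vid` row is described as "Matching customer VLAN id for 1:1 VLAN switching", the same text as the `customer-vid` row; it should say "service VLAN id". In the Port Isolation/Leakage text, the precedence rule ("When both isolation and leakage is applied to the same port, the port is isolated") deserves the `{{Note | ...}}` template already used for the MAC Based VLAN table size, and "is applied" should be "are applied".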
Line 1,508: Line 1,459:
<tr>
<tr>
     <td><var><b>disabled</b></var> (<em>yes | no</em>; Default: <b>no</b>)</td>
     <td><var><b>disabled</b></var> (<em>yes | no</em>; Default: <b>no</b>)</td>
     <td>Enables or disables MAC Based VLAN entry.</td>
     <td>Enables or disables port isolation/leakage entry.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>new-customer-vid</b></var> (<em>0..4095</em>; Default:
     <td><var><b>flow-id</b></var> (<em>0..63</em>; Default: <b>none</b>)</td>
<b>0</b>)</td>
     <td></td>
     <td>The new customer VLAN id which replaces original service VLAN id for
matched packets.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>new-service-vid</b></var> (<em>0..4095</em>; Default:
     <td><var><b>forwarding-type</b></var> (<em>bridged; routed</em>; Default: <b>bridged,routed</b>)</td>
<b>0</b>)</td>
     <td>Matching traffic forwarding type on Cloud Router Switch.</td>
     <td>The new service VLAN id which replaces original service VLAN id for
matched packets.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>src-mac-address</b></var> (<em>MAC address</em>)</td>
     <td><var><b>mac-profile</b></var> (<em>community1 | community2 | isolated |
     <td>Matching source MAC address for MAC based VLAN rule.</td>
promiscuous</em>; Default: <b>none</b>)</td>
     <td>Matching MAC isolation/leakage profile.</td>
</tr>
</tr>
</table>
<p></p>
====1:1 VLAN Switching====
<p id="shbox"><b>Sub-menu:</b> <code>/interface ethernet switch
one2one-vlan-switching</code></p><br />
1:1 VLAN switching can be used to replace the regular L2 bridging for matched
packets.
When a packet hits an 1:1 VLAN switching table entry, the destination port
information in
the entry is assigned to the packet. The matched destination information in UFDB
and MFDB
entry no longer applies to the packet.
<table class="styled_table">
<tr>
<tr>
  <th width="50%">Property</th>
    <td><var><b>port-profile</b></var> (<em>0..31</em>; Default:
  <th >Description</th>
<b>none</b>)</td>
    <td>Matching Port isolation/leakage profile.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>customer-vid</b></var> (<em>0..4095</em>; Default:
     <td><var><b>ports</b></var> (<em>ports</em>; Default: <b>none</b>)</td>
<b>0</b>)</td>
     <td>Isolated/leaked ports.</td>
     <td>Matching customer VLAN id for 1:1 VLAN switching.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>disabled</b></var> (<em>yes | no</em>; Default: <b>no</b>)</td>
     <td><var><b>protocol-type</b></var> (<em>arp; nd; dhcpv4; dhcpv6; ripv1</em>; Default: <b>arp,nd,dhcpv4,dhcpv6,ripv1</b>)</td>
     <td>Enables or disables 1:1 VLAN switching table entry.</td>
     <td>Included protocols for isolation/leakage.</td>
</tr>
<tr>
    <td><var><b>registration-status</b></var> (<em>known; unknown</em>; Default: <b>known,unknown</b>)</td>
    <td>Registration status for matching packets. Known are present in UFDB and MFDB, unknown are not.</td>
</tr>
<tr>
    <td><var><b>traffic-type</b></var> (<em>unicast; multicast; broadcast</em>; Default: <b>unicast,multicast,broadcast</b>)</td>
    <td>Matching traffic type.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>dst-port</b></var> (<em>port</em>)</td>
     <td><var><b>type</b></var> (<em>dst | src</em>; Default: <b>src</b>)</td>
     <td>Destination port for matched 1:1 VLAN switching packets.</td>
     <td>Lookup type of the isolation/leakage entry:
<ul class="bullets">
<li> <var>src</var> - Entry applies to ingress packets of the ports.
<li> <var>dst</var> - Entry applies to egress packets of the ports.
</ul>
    </td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>service-vid</b></var> (<em>0..4095</em>; Default: <b>0</b>)</td>
     <td><var><b>vlan-profile</b></var> (<em>community1 | community2 | isolated |
     <td>Matching customer VLAN id for 1:1 VLAN switching.</td>
promiscuous</em>; Default: <b>none</b>)</td>
     <td>Matching VLAN isolation/leakage profile.</td>
</tr>
</tr>
</table>
</table>
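Review bot: In the 1:1 VLAN switching table, the service-vid row is described as "Matching customer VLAN id for 1:1 VLAN switching.", word for word the same as the customer-vid row, so it reads as a copy-paste slip and should say "Matching service VLAN id". The new-customer-vid row in the table above it has the same kind of problem: it says the new customer VLAN id "replaces original service VLAN id", which is the wording of the new-service-vid row.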
Line 1,569: Line 1,513:
<p></p>
<p></p>


===Port Isolation/Leakage===
===Trunking===


<p id="shbox"><b>Sub-menu:</b> <code>/interface ethernet switch
<p id="shbox"><b>Sub-menu:</b> <code>/interface ethernet switch
port-isolation</code></p><br />
trunk</code></p><br />
 
The Trunking in the Cloud Router Switches provides static link aggregation groups with hardware automatic failover and load balancing. IEEE802.3ad and IEEE802.1ax compatible Link Aggregation Control Protocol is not supported. Up to 8 Trunk groups are supported with up to 8 Trunk member ports per Trunk group. CRS Port Trunking calculates transmit-hash based on all following parameters: L2 src-dst MAC + L3 src-dst IP + L4 src-dst Port.
 
<table class="styled_table">
<tr>
  <th width="50%">Property</th>
  <th >Description</th>
</tr>
<tr>
    <td><var><b>disabled</b></var> (<em>yes | no</em>; Default: <b>no</b>)</td>
    <td>Enables or disables port trunking entry.</td>
</tr>
<tr>
    <td><var><b>member-ports</b></var> (<em>ports</em>)</td>
    <td>Member ports of the Trunk group.</td>
</tr>
<tr>
    <td><var><b>name</b></var> (<em>string value</em>; Default:
<b>trunkX</b>)</td>
    <td>Name of the Trunk group.</td>
</tr>
</table>
 
<p></p>
 
===Quality of Service===
 
====Shaper====
 
<p id="shbox"><b>Sub-menu:</b> <code>/interface ethernet switch
<p id="shbox"><b>Sub-menu:</b> <code>/interface ethernet switch
port-leakage</code></p><br />
shaper</code></p><br />


The CRS switches support flexible multi-level isolation features, which can be
Traffic shaping restricts the rate and burst size of the flow which is
used for user access control, traffic engineering and advanced security and
transmitted out from the
network management.
interface. The shaper is implemented by a token bucket. If the packet exceeds
The isolation features provide an organized fabric structure allowing user to
the maximum rate or
easily program and
the burst size, which means no enough token for the packet, the packet is stored
control the access by port, MAC address, VLAN, protocol, flow and frame type.
to buffer until
The following isolation and leakage features are supported:
there is enough token to transmit it.
* Port-level isolation
* MAC-level isolation
* VLAN-level isolation
* Protocol-level isolation
* Flow-level isolation
* Free combination of the above


Port-level isolation supports different control schemes on source port and
destination port. Each
entry can be programmed with access control for either source port or
destination port.
* When the entry is programmed with source port access control, the entry is
applied to the ingress packets.
* When the entry is programmed with destination port access control, the entry
is applied to the egress packets.


Port leakage allows bypassing egress VLAN filtering on the port. Leaky port is
<table class="styled_table">
allowed to access
<tr>
other ports for various applications such as security, network control and
  <th width="50%">Property</th>
management.
  <th >Description</th>
Note: When both isolation and leakage is applied to the same port, the port is
</tr>
isolated.
 
<table class="styled_table">
<tr>
<tr>
  <th width="50%">Property</th>
    <td><var><b>burst</b></var> (<em>integer</em>; Default:
  <th >Description</th>
<b>100k</b>)</td>
    <td>Maximum data rate which can be transmitted while the burst is
allowed.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>disabled</b></var> (<em>yes | no</em>; Default: <b>no</b>)</td>
     <td><var><b>disabled</b></var> (<em>yes | no</em>; Default: <b>no</b>)</td>
     <td>Enables or disables port isolation/leakage entry.</td>
     <td>Enables or disables traffic shaper entry.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>flow-id</b></var> (<em>0..63</em>; Default: <b>none</b>)</td>
     <td><var><b>meter-unit</b></var> (<em>bit | packet</em>; Default:
     <td></td>
<b>bit</b>)</td>
     <td>Measuring units for traffic shaper rate.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>forwarding-type</b></var> (<em>bridged; routed</em>; Default: <b>bridged,routed</b>)</td>
     <td><var><b>port</b></var> (<em>port</em>)</td>
     <td>Matching traffic forwarding type on Cloud Router Switch.</td>
     <td>Physical port for traffic shaper.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>mac-profile</b></var> (<em>community1 | community2 | isolated |
     <td><var><b>rate</b></var> (<em>integer</em>; Default:
promiscuous</em>; Default: <b>none</b>)</td>
<b>1M</b>)</td>
     <td>Matching MAC isolation/leakage profile.</td>
     <td>Maximum data rate limit.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>port-profile</b></var> (<em>0..31</em>; Default:
     <td><var><b>target</b></var> (<em>port | queueX | wrr-groupX</em>; Default:
<b>none</b>)</td>
<b>port</b>)</td>
     <td>Matching Port isolation/leakage profile.</td>
     <td>Three levels of shapers are supported on each port (including CPU port):
<ul class="bullets">
<li> <var>Port level</var> - Entry applies to port of the switch-chip.
<li> <var>WRR group level</var> - Entry applies to one of the 2 Weighted Round
Robin queue groups (wrr-group0, wrr-group1) on port.
<li> <var>Queue level</var> - Entry applies to one of the 8 queues (queue0 -
queue7) on port.
</ul>
    </td>
</tr>
</tr>
</table>
<p></p>
====Ingress Port Policer====
<p id="shbox"><b>Sub-menu:</b> <code>/interface ethernet switch
ingress-port-policer</code></p><br />
<table class="styled_table">
<tr>
<tr>
    <td><var><b>ports</b></var> (<em>ports</em>; Default: <b>none</b>)</td>
  <th width="50%">Property</th>
    <td>Isolated/leaked ports.</td>
  <th >Description</th>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>protocol-type</b></var> (<em>arp; nd; dhcpv4; dhcpv6; ripv1</em>; Default: <b>arp,nd,dhcpv4,dhcpv6,ripv1</b>)</td>
     <td><var><b>burst</b></var> (<em>integer</em>; Default:
     <td>Included protocols for isolation/leakage.</td>
<b>100k</b>)</td>
     <td>Maximum data rate which can be transmitted while the burst is
allowed.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>registration-status</b></var> (<em>known; unknown</em>; Default: <b>known,unknown</b>)</td>
     <td><var><b>disabled</b></var> (<em>yes | no</em>; Default: <b>no</b>)</td>
     <td>Registration status for matching packets. Known are present in UFDB and MFDB, unknown are not.</td>
     <td>Enables or disables ingress port policer entry.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>traffic-type</b></var> (<em>unicast; multicast; broadcast</em>; Default: <b>unicast,multicast,broadcast</b>)</td>
     <td><var><b>meter-len</b></var> (<em>layer-1 | layer-2 | layer-3</em>; Default:
     <td>Matching traffic type.</td>
<b>layer-1</b>)</td>
     <td>Packet classification which sets the packet byte length for metering.
<ul class="bullets">
<li> <var>layer-1</var> - includes entire layer-2 frame + FCS + inter-packet gap + preamble.
<li> <var>layer-2</var> - includes layer-2 frame + FCS.
<li> <var>layer-3</var> - includes only layer-3 + ethernet padding without layer-2 header and FCS.
</ul></td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>type</b></var> (<em>dst | src</em>; Default: <b>src</b>)</td>
     <td><var><b>meter-unit</b></var> (<em>bit | packet</em>; Default:
     <td>Lookup type of the isolation/leakage entry:
<b>bit</b>)</td>
<ul class="bullets">
     <td>Measuring units for traffic ingress port policer rate.</td>
<li> <var>src</var> - Entry applies to ingress packets of the ports.
<li> <var>dst</var> - Entry applies to egress packets of the ports.
</ul>
    </td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>vlan-profile</b></var> (<em>community1 | community2 | isolated |
     <td><var><b>new-dei-for-yellow</b></var> (<em>0..1 | remap</em>; Default:
promiscuous</em>; Default: <b>none</b>)</td>
<b>none</b>)</td>
     <td>Matching VLAN isolation/leakage profile.</td>
     <td>Remarked DEI for exceeded traffic if yellow-action is remark.</td>
</tr>
</tr>
</table>
<p></p>
===Trunking===
<p id="shbox"><b>Sub-menu:</b> <code>/interface ethernet switch
trunk</code></p><br />
The Trunking in the Cloud Router Switches provides static link aggregation groups with hardware automatic failover and load balancing. IEEE802.3ad and IEEE802.1ax compatible Link Aggregation Control Protocol is not supported yet. Up to 8 Trunk groups are supported with up to 8 Trunk member ports per Trunk group. CRS Port Trunking calculates transmit-hash based on all following parameters: L2 src-dst MAC + L3 src-dst IP + L4 src-dst Port.
<table class="styled_table">
<tr>
<tr>
  <th width="50%">Property</th>
    <td><var><b>new-dscp-for-yellow</b></var> (<em>0..63 | remap</em>; Default:
  <th >Description</th>
<b>none</b>)</td>
    <td>Remarked DSCP for exceeded traffic if yellow-action is remark.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>disabled</b></var> (<em>yes | no</em>; Default: <b>no</b>)</td>
     <td><var><b>new-pcp-for-yellow</b></var> (<em>0..7 | remap</em>; Default:
     <td>Enables or disables port trunking entry.</td>
<b>none</b>)</td>
     <td>Remarked PCP for exceeded traffic if yellow-action is remark.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>member-ports</b></var> (<em>ports</em>)</td>
     <td><var><b>packet-types</b></var> (<em>packet-types</em>; Default:
     <td>Member ports of the Trunk group.</td>
<b>all types from description</b>)</td>
     <td>Matching packet types for which ingress port policer entry is valid.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>name</b></var> (<em>string value</em>; Default:
     <td><var><b>port</b></var> (<em>port</em>)</td>
<b>trunkX</b>)</td>
    <td>Physical port or trunk for ingress port policer entry.</td>
     <td>Name of the Trunk group.</td>
</tr>
<tr>
    <td><var><b>rate</b></var> (<em>integer</em>)</td>
    <td>Maximum data rate limit.</td>
</tr>
<tr>
    <td><var><b>yellow-action</b></var> (<em>drop | forward | remark</em>; Default:
<b>drop</b>)</td>
     <td>Performed action for exceeded traffic.</td>
</tr>
</tr>
</table>
</table>
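Review bot: In the ingress-port-policer table, the packet-types row gives its default as "all types from description", but the description cell ("Matching packet types for which ingress port policer entry is valid.") lists no types, so a reader cannot tell which values the property accepts or what is metered by default. Please enumerate the packet types in that cell. In the same table, rate has no default stated, unlike the shaper's rate (Default: 1M), and neither table says in which unit burst is counted when meter-unit is packet.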
Line 1,696: Line 1,676:
<p></p>
<p></p>


===Quality of Service===
====QoS Group====
 
====Shaper====


<p id="shbox"><b>Sub-menu:</b> <code>/interface ethernet switch
<p id="shbox"><b>Sub-menu:</b> <code>/interface ethernet switch
shaper</code></p><br />
qos-group</code></p><br />
 
Traffic shaping restricts the rate and burst size of the flow which is
transmitted out from the
interface. The shaper is implemented by a token bucket. If the packet exceeds
the maximum rate or
the burst size, which means no enough token for the packet, the packet is stored
to buffer until
there is enough token to transmit it.


The global QoS group table is used for VLAN-based, Protocol-based and MAC-based
QoS group assignment configuration.


<table class="styled_table">
<table class="styled_table">
Line 1,718: Line 1,690:
</tr>
</tr>
<tr>
<tr>
     <td><var><b>burst</b></var> (<em>integer</em>; Default:
     <td><var><b>dei</b></var> (<em>0..1</em>; Default: <b>none</b>)</td>
<b>100k</b>)</td>
     <td>The new value of DEI for the QoS group.</td>
     <td>Maximum data rate which can be transmitted while the burst is
allowed.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>disabled</b></var> (<em>yes | no</em>; Default: <b>no</b>)</td>
     <td><var><b>disabled</b></var> (<em>yes | no</em>; Default: <b>no</b>)</td>
     <td>Enables or disables traffic shaper entry.</td>
     <td>Enables or disables protocol QoS group entry.</td>
</tr>
<tr>
    <td><var><b>drop-precedence</b></var> (<em>drop | green | red | yellow</em>;
Default: <b>green</b>)</td>
    <td>Drop precedence is internal QoS attribute used for packet enqueuing or
dropping.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>meter-unit</b></var> (<em>bit | packet</em>; Default:
     <td><var><b>dscp</b></var> (<em>0..63</em>; Default: <b>none</b>)</td>
<b>bit</b>)</td>
     <td>The new value of DSCP for the QoS group.</td>
     <td>Measuring units for traffic shaper rate.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>port</b></var> (<em>port</em>)</td>
     <td><var><b>name</b></var> (<em>string value</em>; Default:
     <td>Physical port for traffic shaper.</td>
<b>groupX</b>)</td>
     <td>Name of the QoS group.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>rate</b></var> (<em>integer</em>; Default:
     <td><var><b>pcp</b></var> (<em>0..7</em>; Default: <b>none</b>)</td>
<b>1M</b>)</td>
     <td>The new value of PCP for the QoS group.</td>
     <td>Maximum data rate limit.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>target</b></var> (<em>port | queueX | wrr-groupX</em>; Default:
     <td><var><b>priority</b></var> (<em>0..15</em>; Default: <b>0</b>)</td>
<b>port</b>)</td>
     <td>Internal priority is a local significance of priority for classifying
     <td>Three levels of shapers are supported on each port (including CPU port):
traffics to different egress queues on a port. (1 is highest, 15 is lowest)</td>
<ul class="bullets">
<li> <var>Port level</var> - Entry applies to port of the switch-chip.
<li> <var>WRR group level</var> - Entry applies to one of the 2 Weighted Round
Robin queue groups (wrr-group0, wrr-group1) on port.
<li> <var>Queue level</var> - Entry applies to one of the 8 queues (queue0 -
queue7) on port.
</ul>
    </td>
</tr>
</tr>
</table>
</table>
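Review bot: The priority row of the QoS group table documents a range of 0..15 with default 0, but its description says "1 is highest, 15 is lowest", which leaves the default value 0 unranked; state where 0 falls in the ordering. The disabled row also reads "Enables or disables protocol QoS group entry" although the section text says the table serves VLAN-based, Protocol-based and MAC-based assignment, so the word "protocol" looks left over from another table.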
Line 1,758: Line 1,725:
<p></p>
<p></p>


====Ingress Port Policer====
====DSCP QoS Map====


<p id="shbox"><b>Sub-menu:</b> <code>/interface ethernet switch
<p id="shbox"><b>Sub-menu:</b> <code>/interface ethernet switch
ingress-port-policer</code></p><br />
dscp-qos-map</code></p><br />
 
The global DSCP to QOS mapping table is used for mapping from DSCP of the packet
to new QoS attributes configured in the table.


<table class="styled_table">
<table class="styled_table">
Line 1,769: Line 1,739:
</tr>
</tr>
<tr>
<tr>
     <td><var><b>burst</b></var> (<em>integer</em>; Default:
     <td><var><b>dei</b></var> (<em>0..1</em>)</td>
<b>100k</b>)</td>
     <td>The new value of DEI for the DSCP to QOS mapping entry.</td>
     <td>Maximum data rate which can be transmitted while the burst is
allowed.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>disabled</b></var> (<em>yes | no</em>; Default: <b>no</b>)</td>
     <td><var><b>drop-precedence</b></var> (<em>drop | green | red | yellow</em>)</td>
     <td>Enables or disables ingress port policer entry.</td>
     <td>The new value of Drop precedence for the DSCP to QOS mapping entry.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>meter-len</b></var> (<em>layer-1 | layer-2 | layer-3</em>; Default:
     <td><var><b>pcp</b></var> (<em>0..7</em>)</td>
<b>layer-1</b>)</td>
     <td>The new value of PCP for the DSCP to QOS mapping entry.</td>
     <td>Packet classification which sets the packet byte length for metering.
</tr>
<ul class="bullets">
<li> <var>layer-1</var> - includes entire layer-2 frame + FCS + inter-packet gap + preamble.
<li> <var>layer-2</var> - includes layer-2 frame + FCS.
<li> <var>layer-3</var> - includes only layer-3 + ethernet padding without layer-2 header and FCS.
</ul></td>
</tr>
<tr>
<tr>
     <td><var><b>meter-unit</b></var> (<em>bit | packet</em>; Default:
     <td><var><b>priority</b></var> (<em>0..15</em>)</td>
<b>bit</b>)</td>
     <td>The new value of internal priority for the DSCP to QOS mapping
     <td>Measuring units for traffic ingress port policer rate.</td>
entry.</td>
</tr>
</tr>
</table>
<p></p>
====DSCP To DSCP Map====
<p id="shbox"><b>Sub-menu:</b> <code>/interface ethernet switch
dscp-to-dscp</code></p><br />
The global DSCP to DSCP mapping table is used for mapping from the packet's
original DSCP to new DSCP value configured in the table.
<table class="styled_table">
<tr>
<tr>
    <td><var><b>new-dei-for-yellow</b></var> (<em>0..1 | remap</em>; Default:
  <th width="50%">Property</th>
<b>none</b>)</td>
  <th >Description</th>
    <td>Remarked DEI for exceeded traffic if yellow-action is remark.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>new-dscp-for-yellow</b></var> (<em>0..63 | remap</em>; Default:
     <td><var><b>new-dscp</b></var> (<em>0..63</em>)</td>
<b>none</b>)</td>
     <td>The new value of DSCP for the DSCP to DSCP mapping entry.</td>
     <td>Remarked DSCP for exceeded traffic if yellow-action is remark.</td>
</tr>
</tr>
</table>
<p></p>
====Policer QoS Map====
<p id="shbox"><b>Sub-menu:</b> <code>/interface ethernet switch
policer-qos-map</code></p><br />
<table class="styled_table">
<tr>
<tr>
    <td><var><b>new-pcp-for-yellow</b></var> (<em>0..7 | remap</em>; Default:
  <th width="50%">Property</th>
<b>none</b>)</td>
  <th >Description</th>
    <td>Remarked PCP for exceeded traffic if yellow-action is remark.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>packet-types</b></var> (<em>packet-types</em>; Default:
     <td><var><b>dei-for-red</b></var> (<em>0..1</em>; Default: <b>0</b>)</td>
<b>all types from description</b>)</td>
     <td>Policer DEI remapping value for red packets.</td>
     <td>Matching packet types for which ingress port policer entry is valid.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>port</b></var> (<em>port</em>)</td>
     <td><var><b>dei-for-yellow</b></var> (<em>0..1</em>; Default: <b>0</b>)</td>
     <td>Physical port or trunk for ingress port policer entry.</td>
     <td>Policer DEI remapping value for yellow packets.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>rate</b></var> (<em>integer</em>)</td>
     <td><var><b>dscp-for-red</b></var> (<em>0..63</em>; Default: <b>0</b>)</td>
     <td>Maximum data rate limit.</td>
    <td>Policer DSCP remapping value for red packets.</td>
</tr>
<tr>
    <td><var><b>dscp-for-yellow</b></var> (<em>0..63</em>; Default: <b>0</b>)</td>
    <td>Policer DSCP remapping value for yellow packets.</td>
</tr>
<tr>
    <td><var><b>pcp-for-red</b></var> (<em>0..7</em>; Default: <b>0</b>)</td>
     <td>Policer PCP remapping value for red packets.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>yellow-action</b></var> (<em>drop | forward | remark</em>; Default:
     <td><var><b>pcp-for-yellow</b></var> (<em>0..7</em>; Default: <b>0</b>)</td>
<b>drop</b>)</td>
     <td>Policer PCP remapping value for yellow packets.</td>
     <td>Performed action for exceeded traffic.</td>
</tr>
</tr>
</table>
</table>
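Review bot: Policer QoS Map is the only sub-menu in this hunk without an introductory sentence, and nothing ties its dei-for-yellow, dscp-for-yellow and pcp-for-yellow values to the remap option of new-dei-for-yellow, new-dscp-for-yellow and new-pcp-for-yellow in the ingress port policer table. Add a sentence saying when these remapping values are applied, and what classifies a packet as red, since the policer table only documents yellow-action. The two DSCP map tables likewise list only the new values and do not say how an entry is tied to the packet's original DSCP.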
Line 1,830: Line 1,820:
<p></p>
<p></p>


====QoS Group====
===Access Control List===
 
{{Note | See Summary section for Access Control List supported Cloud Router Switch devices.}}
 
Access Control List contains of ingress policy and egress policy engines and allows to configure up to 128 policy rules (limited by RouterOS). It is advanced tool for wire-speed packet filtering, forwarding, shaping and modifying based on Layer2, Layer3 and Layer4 protocol header field conditions.
 
{{ Warning | Due to hardware limitation it is not possible to match broadcast/multicast traffic on specific ports. You should use port isolation, drop traffic on ingress ports or use VLAN filtering to prevent certain broadcast/multicast traffic from being forwarded. }}
 
====ACL====


<p id="shbox"><b>Sub-menu:</b> <code>/interface ethernet switch
<p id="shbox"><b>Sub-menu:</b> <code>/interface ethernet switch
qos-group</code></p><br />
acl</code></p><br />


The global QoS group table is used for VLAN-based, Protocol-based and MAC-based
ACL condition part for MAC related fields of packets.
QoS group assignment configuration.


<table class="styled_table">
<table class="styled_table">
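Review bot: The added Warning says broadcast/multicast traffic cannot be matched "on specific ports", while the dst-ports row of the ACL table states the same hardware limitation only for the egress port; the Warning should name the affected condition (dst-ports) so readers do not conclude that src-ports matching is also unusable for such traffic. It would also help to say whether a rule that combines dst-ports with broadcast/multicast traffic is rejected or simply never matches, because someone relying on it for filtering needs to know which. Minor wording in the paragraph before it: "contains of" and "allows to configure".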
Line 1,844: Line 1,841:
</tr>
</tr>
<tr>
<tr>
     <td><var><b>dei</b></var> (<em>0..1</em>; Default: <b>none</b>)</td>
     <td><var><b>disabled</b></var> (<em>yes | no</em>; Default:
     <td>The new value of DEI for the QoS group.</td>
<b>no</b>)</td>
     <td>Enables or disables ACL entry.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>disabled</b></var> (<em>yes | no</em>; Default: <b>no</b>)</td>
     <td><var><b>table</b></var> (<em>egress | ingress</em>; Default:
     <td>Enables or disables protocol QoS group entry.</td>
<b>ingress</b>)</td>
     <td>Selects policy table for incoming or outgoing packets.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>drop-precedence</b></var> (<em>drop | green | red | yellow</em>;
     <td><var><b>invert-match</b></var> (<em>yes | no</em>; Default:
Default: <b>green</b>)</td>
<b>no</b>)</td>
     <td>Drop precedence is internal QoS attribute used for packet enqueuing or
     <td>Inverts whole ACL rule matching.</td>
dropping.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>dscp</b></var> (<em>0..63</em>; Default: <b>none</b>)</td>
     <td><var><b>src-ports</b></var> (<em>ports,trunks</em>)</td>
     <td>The new value of DSCP for the QoS group.</td>
     <td>Matching physical source ports or trunks.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>name</b></var> (<em>string value</em>; Default:
     <td><var><b>dst-ports</b></var> (<em>ports,trunks</em>)</td>
<b>groupX</b>)</td>
     <td>Matching physical destination ports or trunks. It is not possible to match broadcast/multicast traffic on egress port due to a hardware limitation.</td>
     <td>Name of the QoS group.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>pcp</b></var> (<em>0..7</em>; Default: <b>none</b>)</td>
     <td><var><b>mac-src-address</b></var> (<em>MAC address/Mask</em>)</td>
     <td>The new value of PCP for the QoS group.</td>
     <td>Source MAC address and mask.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>priority</b></var> (<em>0..15</em>; Default: <b>0</b>)</td>
     <td><var><b>mac-dst-address</b></var> (<em>MAC address/Mask</em>)</td>
     <td>Internal priority is a local significance of priority for classifying
    <td>Destination MAC address and mask.</td>
traffics to different egress queues on a port. (1 is highest, 15 is lowest)</td>
</tr>
<tr>
    <td><var><b>dst-addr-registered</b></var> (<em>yes | no</em>)</td>
    <td>Defines whether to match packets with registered state - packets which
    destination MAC address is in UFDB/MFDB/RFDB. Valid only in egress table.</td>
</tr>
<tr>
    <td><var><b>mac-protocol</b></var> (<em>802.2 | arp | homeplug-av | ip | ip-or-ipv6 | ipv6 | ipx | lldp | loop-protect | mpls-multicast | mpls-unicast | non-ip | packing-compr | packing-simple | pppoe | pppoe-discovery | rarp | service-vlan | vlan or integer: 0..65535 decimal format or 0x0000-0xffff hex format</em>)</td>
    <td>Ethernet payload type (MAC-level protocol)
* <b>802.2</b> - 802.2 Frames (0x0004)
* <b>arp</b> - Address Resolution Protocol (0x0806)
* <b>homeplug-av</b> - HomePlug AV MME (0x88E1)
* <b>ip</b> - Internet Protocol version 4 (0x0800)
* <b>ip-or-ipv6</b> - IPv4 or IPv6 (0x0800 or 0x86DD)
* <b>ipv6</b> - Internet Protocol Version 6 (0x86DD)
* <b>ipx</b> - Internetwork Packet Exchange (0x8137)
* <b>lldp</b> - Link Layer Discovery Protocol (0x88CC)
* <b>loop-protect</b> - Loop Protect Protocol (0x9003)
* <b>mpls-multicast</b> - MPLS multicast (0x8848)
* <b>mpls-unicast</b> - MPLS unicast (0x8847)
* <b>non-ip</b> - Not Internet Protocol version 4 (not 0x0800)
* <b>packing-compr</b> - Encapsulated packets with compressed [[Manual:IP/Packing| IP packing]] (0x9001)
* <b>packing-simple</b> - Encapsulated packets with simple [[Manual:IP/Packing| IP packing]] (0x9000)
* <b>pppoe</b> - PPPoE Session Stage (0x8864)
* <b>pppoe-discovery</b> - PPPoE Discovery Stage (0x8863)
* <b>rarp</b> - Reverse Address Resolution Protocol (0x8035)
* <b>service-vlan</b> - Provider Bridging (IEEE 802.1ad) & Shortest Path Bridging IEEE 802.1aq (0x88A8)
* <b>vlan</b> - VLAN-tagged frame (IEEE 802.1Q) and Shortest Path Bridging IEEE 802.1aq with NNI compatibility (0x8100)
</td>
</tr>
<tr>
     <td><var><b>drop-precedence</b></var> (<em>drop | green | red | yellow</em>)</td>
    <td>Matching internal drop precedence. Valid only in egress table.</td>
</tr>
<tr>
    <td><var><b>custom-fields</b></var></td>
    <td></td>
</tr>
</tr>
</table>
</table>
<br>


<p></p>
ACL condition part for VLAN related fields of packets.
 
====DSCP QoS Map====
 
<p id="shbox"><b>Sub-menu:</b> <code>/interface ethernet switch
dscp-qos-map</code></p><br />
 
The global DSCP to QOS mapping table is used for mapping from DSCP of the packet
to new QoS attributes configured in the table.


<table class="styled_table">
<table class="styled_table">
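Review bot: The custom-fields row in the MAC conditions table has no value type and an empty description cell, so the property is listed with no indication of what it matches; either document it or leave it out until it can be described. In the mac-protocol list, non-ip is defined as "not 0x0800", which by that definition also matches IPv6 (0x86DD) frames; a short remark to that effect would help anyone writing drop rules with it. The hex EtherType for each keyword is a good addition, but service-vlan and vlan carry long standards references that could move to a footnote to keep the list scannable.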
Line 1,893: Line 1,919:
</tr>
</tr>
<tr>
<tr>
     <td><var><b>dei</b></var> (<em>0..1</em>)</td>
     <td><var><b>lookup-vid</b></var> (<em>0..4095</em>)</td>
     <td>The new value of DEI for the DSCP to QOS mapping entry.</td>
     <td>VLAN id used in lookup. It can be changed before reaching egress table.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>drop-precedence</b></var> (<em>drop | green | red | yellow</em>)</td>
     <td><var><b>service-vid</b></var> (<em>0-4095</em>)</td>
     <td>The new value of Drop precedence for the DSCP to QOS mapping entry.</td>
     <td>Matching service VLAN id.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>pcp</b></var> (<em>0..7</em>)</td>
     <td><var><b>service-pcp</b></var> (<em>0..7</em>)</td>
     <td>The new value of PCP for the DSCP to QOS mapping entry.</td>
     <td>Matching service PCP.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>priority</b></var> (<em>0..15</em>)</td>
     <td><var><b>service-dei</b></var> (<em>0..1</em>)</td>
     <td>The new value of internal priority for the DSCP to QOS mapping
     <td>Matching service DEI.</td>
entry.</td>
</tr>
</tr>
</table>
<p></p>
====DSCP To DSCP Map====
<p id="shbox"><b>Sub-menu:</b> <code>/interface ethernet switch
dscp-to-dscp</code></p><br />
The global DSCP to DSCP mapping table is used for mapping from the packet's
original DSCP to new DSCP value configured in the table.
<table class="styled_table">
<tr>
<tr>
  <th width="50%">Property</th>
    <td><var><b>service-tag</b></var> (<em>priority-tagged | tagged |
  <th >Description</th>
tagged-or-priority-tagged | untagged</em>)</td>
    <td>Format of the service tag.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>new-dscp</b></var> (<em>0..63</em>)</td>
     <td><var><b>customer-vid</b></var> (<em>0-4095</em>)</td>
     <td>The new value of DSCP for the DSCP to DSCP mapping entry.</td>
     <td>Matching customer VLAN id.</td>
</tr>
</tr>
</table>
<p></p>
====Policer QoS Map====
<p id="shbox"><b>Sub-menu:</b> <code>/interface ethernet switch
policer-qos-map</code></p><br />
<table class="styled_table">
<tr>
<tr>
  <th width="50%">Property</th>
    <td><var><b>customer-pcp</b></var> (<em>0..7</em>)</td>
  <th >Description</th>
    <td>Matching customer PCP.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>dei-for-red</b></var> (<em>0..1</em>; Default: <b>0</b>)</td>
     <td><var><b>customer-dei</b></var> (<em>0..1</em>)</td>
     <td>Policer DEI remapping value for red packets.</td>
     <td>Matching customer DEI.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>dei-for-yellow</b></var> (<em>0..1</em>; Default: <b>0</b>)</td>
     <td><var><b>customer-tag</b></var> (<em>priority-tagged | tagged |
     <td>Policer DEI remapping value for yellow packets.</td>
tagged-or-priority-tagged | untagged</em>)</td>
    <td>Format of the customer tag.</td>
</tr>
<tr>
    <td><var><b>priority</b></var> (<em>0..15</em>)</td>
     <td>Matching internal priority. Valid only in egress table.</td>
</tr>
</tr>
</table>
<br>
ACL condition part for IPv4 and IPv6 related fields of packets.
<table class="styled_table">
<tr>
<tr>
    <td><var><b>dscp-for-red</b></var> (<em>0..63</em>; Default: <b>0</b>)</td>
  <th width="50%">Property</th>
    <td>Policer DSCP remapping value for red packets.</td>
  <th >Description</th>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>dscp-for-yellow</b></var> (<em>0..63</em>; Default: <b>0</b>)</td>
     <td><var><b>ip-src</b></var> (<em>IPv4/0..32</em>)</td>
     <td>Policer DSCP remapping value for yellow packets.</td>
     <td>Matching source IPv4 address.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>pcp-for-red</b></var> (<em>0..7</em>; Default: <b>0</b>)</td>
     <td><var><b>ip-dst</b></var> (<em>IPv4/0..32</em>)</td>
     <td>Policer PCP remapping value for red packets.</td>
     <td>Matching destination IPv4 address.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>pcp-for-yellow</b></var> (<em>0..7</em>; Default: <b>0</b>)</td>
     <td><var><b>ip-protocol</b></var> (<em>tcp | udp | udp-lite | other</em>)</td>
     <td>Policer PCP remapping value for yellow packets.</td>
     <td>IP protocol type.</td>
</tr>
</tr>
</table>
<p></p>
===Access Control List===
{{Note | See Summary section for Access Control List supported Cloud Router Switch devices.}}
Access Control List contains of ingress policy and egress policy engines and allows to configure up to 128 policy rules (limited by RouterOS). It is advanced tool for wire-speed packet filtering, forwarding, shaping and modifying based on Layer2, Layer3 and Layer4 protocol header field conditions.
====ACL====
<p id="shbox"><b>Sub-menu:</b> <code>/interface ethernet switch
acl</code></p><br />
ACL condition part for MAC related fields of packets.
<table class="styled_table">
<tr>
<tr>
  <th width="50%">Property</th>
    <td><var><b>src-l3-port</b></var> (<em>0-65535</em>)</td>
  <th >Description</th>
    <td>Matching Layer3 source port.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>disabled</b></var> (<em>yes | no</em>; Default:
     <td><var><b>dst-l3-port</b></var> (<em>0-65535</em>)</td>
<b>no</b>)</td>
     <td>Matching Layer3 destination port.</td>
     <td>Enables or disables ACL entry.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>table</b></var> (<em>egress | ingress</em>; Default:
     <td><var><b>ttl</b></var> (<em>0 | 1 | max | other</em>)</td>
<b>ingress</b>)</td>
     <td>Matching TTL field of the packet.</td>
     <td>Selects policy table for incoming or outgoing packets.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>invert-match</b></var> (<em>yes | no</em>; Default:
     <td><var><b>dscp</b></var> (<em>0..63</em>)</td>
<b>no</b>)</td>
     <td>Matching DSCP field of the packet.</td>
     <td>Inverts whole ACL rule matching.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>src-ports</b></var> (<em>ports,trunks</em>)</td>
     <td><var><b>ecn</b></var> (<em>0..3</em>)</td>
     <td>Matching physical source ports or trunks.</td>
     <td>Matching ECN field of the packet.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>dst-ports</b></var> (<em>ports,trunks</em>)</td>
     <td><var><b>fragmented</b></var> (<em>yes | no</em>)</td>
     <td>Matching physical destination ports or trunks.</td>
     <td>Whether to match fragmented packets.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>mac-src-address</b></var> (<em>MAC address/Mask</em>)</td>
     <td><var><b>first-fragment</b></var> (<em>yes | no</em>)</td>
     <td>Source MAC address and mask.</td>
     <td>YES matches not fragmented and the first fragments, NO matches other fragments.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>mac-dst-address</b></var> (<em>MAC address/Mask</em>)</td>
     <td><var><b>ipv6-src</b></var> (<em>IPv6/0..128</em>)</td>
     <td>Destination MAC address and mask.</td>
     <td>Matching source IPv6 address.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>dst-addr-registered</b></var> (<em>yes | no</em>)</td>
     <td><var><b>ipv6-dst</b></var> (<em>IPv6/0..128</em>)</td>
     <td>Defines whether to match packets with registered state - packets which
     <td>Matching destination IPv6 address.</td>
    destination MAC address is in UFDB/MFDB/RFDB. Valid only in egress table.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>mac-protocol</b></var> (<em>802.2 | arp | ip | ipv6 | ipx | length |  
     <td><var><b>mac-isolation-profile</b></var> (<em>community1 | community2 |
mpls-multicast | mpls-unicast | pppoe | pppoe-discovery | rarp |
isolated | promiscuous</em>)</td>
vlan or integer: 0..65535 decimal format or 0x0000-0xffff hex format</em>)</td>
     <td>Matches isolation profile based on UFDB. Valid only in egress policy table.</td>
     <td>Ethernet payload type (MAC-level protocol)
*'''802.2'''
*'''arp''' - Type 0x0806 - ARP
*'''ip''' - Type 0x0800 - IPv4
*'''ipv6''' - Type 0x86dd - IPv6
*'''ipx''' - Type 0x8137 - "Internetwork Packet Exchange"
*'''mpls-multicast''' - Type 0x8848 - MPLS Multicast
*'''mpls-unicast''' - Type 0x8847 - MPLS Unicast
*'''ppoe''' - Type 0x8864 - PPPoE Session
*'''ppoe-discovery''' - Type 0x8863 - PPPoE Discovery
*'''rarp''' - Type 0x8035 - Reverse ARP
*'''vlan''' - Type 0x8100 - 802.1Q tagged VLAN
</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>drop-precedence</b></var> (<em>drop | green | red | yellow</em>)</td>
     <td><var><b>src-mac-addr-state</b></var> (<em>dynamic-station-move |  
     <td>Matching internal drop precedence. Valid only in egress table.</td>
sa-found | sa-not-found | static-station-move</em>)</td>
     <td>Defines whether to match packets with registered state - packets which
    destination MAC address is in UFDB/MFDB/RFDB. Valid only in egress policy table.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>custom-fields</b></var></td>
     <td><var><b>flow-id</b></var> (<em>0..63</em>)</td>
     <td></td>
     <td></td>
</tr>
</tr>
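Review bot: the description cell for src-mac-addr-state repeats the dst-addr-registered text ("packets which destination MAC address is in UFDB/MFDB/RFDB") and says nothing about the four listed values (dynamic-station-move, sa-found, sa-not-found, static-station-move); it should describe the source MAC address states instead. In the same table, custom-fields and flow-id have empty description cells. The mac-protocol bullet list also spells two values "ppoe" and "ppoe-discovery", while the value list has pppoe and pppoe-discovery.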
Line 2,057: Line 2,036:
<br>
<br>


ACL condition part for VLAN related fields of packets.
ACL rule action part.


<table class="styled_table">
<table class="styled_table">
Line 2,065: Line 2,044:
</tr>
</tr>
<tr>
<tr>
     <td><var><b>lookup-vid</b></var> (<em>0..4095</em>)</td>
     <td><var><b>action</b></var> (<em>copy-to-cpu | drop | forward |
     <td>VLAN id used in lookup. It can be changed before reaching egress table.</td>
redirect-to-cpu | send-to-new-dst-ports</em>; Default:
<b>forward</b>)</td>
     <td><ul class="bullets">
<li> <var>copy-to-cpu</var> - Packets are copied to CPU if they match the ACL conditions.
<li> <var>drop</var> - Packets are dropped if they match the ACL conditions.
<li> <var>forward</var> - Packets are forwarded if they match the ACL conditions.
<li> <var>redirect-to-cpu</var> - Packets are redirected to CPU if they match the ACL conditions.
<li> <var>send-to-new-dst-ports</var> - Packets are send to new destination ports if they match the ACL conditions.
</ul></td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>service-vid</b></var> (<em>0-4095</em>)</td>
     <td><var><b>new-dst-ports</b></var> (<em>ports,trunks</em>)</td>
     <td>Matching service VLAN id.</td>
     <td>If action is "send-to-new-dst-ports", then this property sets which ports/trunks is the new destination.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>service-pcp</b></var> (<em>0..7</em>)</td>
     <td><var><b>mirror-to</b></var> (<em>mirror0 | mirror1</em>)</td>
     <td>Matching service PCP.</td>
     <td>Mirroring destination for ACL packets.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>service-dei</b></var> (<em>0..1</em>)</td>
     <td><var><b>policer</b></var> (<em>policer</em>)</td>
     <td>Matching service DEI.</td>
     <td>Applied ACL Policer for ACL packets.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>service-tag</b></var> (<em>priority-tagged | tagged |
     <td><var><b>src-mac-learn</b></var> (<em>yes | no</em>)</td>
tagged-or-priority-tagged | untagged</em>)</td>
     <td>Whether to learn source MAC of the matched ACL packets. Valid only in ingress policy table.</td>
     <td>Format of the service tag.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>customer-vid</b></var> (<em>0-4095</em>)</td>
     <td><var><b>new-service-vid</b></var> (<em>0..4095</em>)</td>
     <td>Matching customer VLAN id.</td>
     <td>New service VLAN id for ACL packets.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>customer-pcp</b></var> (<em>0..7</em>)</td>
     <td><var><b>new-service-pcp</b></var> (<em>0..7</em>)</td>
     <td>Matching customer PCP.</td>
     <td>New service PCP for ACL packets.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>customer-dei</b></var> (<em>0..1</em>)</td>
     <td><var><b>new-service-dei</b></var> (<em>0..1</em>)</td>
     <td>Matching customer DEI.</td>
     <td>New service DEI for ACL packets.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>customer-tag</b></var> (<em>priority-tagged | tagged |
     <td><var><b>new-customer-vid</b></var> (<em>0..4095</em>)</td>
tagged-or-priority-tagged | untagged</em>)</td>
     <td>New customer VLAN id for ACL packets. If set to 4095, then traffic is dropped.</td>
     <td>Format of the customer tag.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>priority</b></var> (<em>0..15</em>)</td>
     <td><var><b>new-customer-pcp</b></var> (<em>0..7</em>)</td>
     <td>Matching internal priority. Valid only in egress table.</td>
     <td>New customer PCP for ACL packets.</td>
</tr>
</tr>
</table>
<br>
ACL condition part for IPv4 and IPv6 related fields of packets.
<table class="styled_table">
<tr>
<tr>
  <th width="50%">Property</th>
    <td><var><b>new-customer-dei</b></var> (<em>0..1</em>)</td>
  <th >Description</th>
    <td>New customer DEI for ACL packets.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>ip-src</b></var> (<em>IPv4/0..32</em>)</td>
     <td><var><b>new-dscp</b></var> (<em>0..63</em>)</td>
     <td>Matching source IPv4 address.</td>
     <td>New DSCP for ACL packets.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>ip-dst</b></var> (<em>IPv4/0..32</em>)</td>
     <td><var><b>new-priority</b></var> (<em>0..15</em>)</td>
     <td>Matching destination IPv4 address.</td>
     <td>New internal priority for ACL packets.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>ip-protocol</b></var> (<em>tcp | udp | udp-lite | other</em>)</td>
     <td><var><b>new-drop-precedence</b></var> (<em>drop | green | red | yellow</em>)</td>
     <td>IP protocol type.</td>
     <td>New internal drop precedence for ACL packets.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>src-l3-port</b></var> (<em>0-65535</em>)</td>
     <td><var><b>new-registered-state</b></var> (<em>yes | no</em>)</td>
     <td>Matching Layer3 source port.</td>
     <td>Whether to modify packet status. YES sets packet status to registered, NO - unregistered. Valid only in ingress policy table.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>dst-l3-port</b></var> (<em>0-65535</em>)</td>
     <td><var><b>new-flow-id</b></var> (<em>0..63</em>)</td>
     <td>Matching Layer3 destination port.</td>
     <td></td>
</tr>
</tr>
</table>
<br>
Filter bypassing part for ACL packets.
<table class="styled_table">
<tr>
<tr>
    <td><var><b>ttl</b></var> (<em>0 | 1 | max | other</em>)</td>
  <th width="50%">Property</th>
    <td>Matching TTL field of the packet.</td>
  <th >Description</th>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>dscp</b></var> (<em>0..63</em>)</td>
     <td><var><b>attack-filter-bypass</b></var> (<em>yes | no</em>; Default:
     <td>Matching DSCP field of the packet.</td>
<b>no</b>)</td>
     <td></td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>ecn</b></var> (<em>0..3</em>)</td>
     <td><var><b>ingress-vlan-filter-bypass</b></var> (<em>yes | no</em>; Default:
     <td>Matching ECN field of the packet.</td>
<b>no</b>)</td>
     <td>Allows to bypass ingress VLAN filtering in VLAN table for matching packets. Applies only to ingress policy table.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>fragmented</b></var> (<em>yes | no</em>)</td>
     <td><var><b>egress-vlan-filter-bypass</b></var> (<em>yes | no</em>; Default:
     <td>Whether to match fragmented packets.</td>
<b>no</b>)</td>
     <td>Allows to bypass egress VLAN filtering in VLAN table for matching packets. Applies only to ingress policy table.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>first-fragment</b></var> (<em>yes | no</em>)</td>
     <td><var><b>isolation-filter-bypass</b></var> (<em>yes | no</em>; Default:
     <td>YES matches not fragmented and the first fragments, NO matches other fragments.</td>
<b>no</b>)</td>
     <td>Allows to bypass Isolation table for matching packets. Applies only to ingress policy table.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>ipv6-src</b></var> (<em>IPv6/0..128</em>)</td>
     <td><var><b>egress-vlan-translate-bypass</b></var> (<em>yes | no</em>; Default:
     <td>Matching source IPv6 address.</td>
<b>no</b>)</td>
     <td>Allows to bypass egress VLAN translation table for matching packets.</td>
</tr>
</tr>
<tr>
</table>
    <td><var><b>ipv6-dst</b></var> (<em>IPv6/0..128</em>)</td>
<br>
    <td>Matching destination IPv6 address.</td>
 
</tr>
<p></p>
<tr>
 
    <td><var><b>mac-isolation-profile</b></var> (<em>community1 | community2 |
====ACL Policer====
isolated | promiscuous</em>)</td>
    <td>Matches isolation profile based on UFDB. Valid only in egress policy table.</td>
</tr>
<tr>
    <td><var><b>src-mac-addr-state</b></var> (<em>dynamic-station-move |
sa-found | sa-not-found | static-station-move</em>)</td>
    <td>Defines whether to match packets with registered state - packets which
    destination MAC address is in UFDB/MFDB/RFDB. Valid only in egress policy table.</td>
</tr>
<tr>
    <td><var><b>flow-id</b></var> (<em>0..63</em>)</td>
    <td></td>
</tr>
</table>
<br>


ACL rule action part.
<p id="shbox"><b>Sub-menu:</b> <code>/interface ethernet switch
acl policer</code></p><br />


<table class="styled_table">
<table class="styled_table">
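Review bot: attack-filter-bypass has an empty description cell in the filter bypassing table, so a reader cannot tell which protection a matching ACL rule switches off. Describe the filter it bypasses and, as the neighbouring ingress-vlan-filter-bypass, egress-vlan-filter-bypass and isolation-filter-bypass rows do, state which policy table it applies to; egress-vlan-translate-bypass is missing that statement too. In the action table only new-customer-vid documents the 4095 case ("If set to 4095, then traffic is dropped"), while new-service-vid has the same 0..4095 range and should say whether it behaves the same way. "Packets are send to new destination ports" should read "sent".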
Line 2,190: Line 2,166:
</tr>
</tr>
<tr>
<tr>
     <td><var><b>action</b></var> (<em>copy-to-cpu | drop | forward |
     <td><var><b>name</b></var> (<em>string</em>; Default:
redirect-to-cpu | send-to-new-dst-ports</em>; Default:
<b>policerX</b>)</td>
<b>forward</b>)</td>
     <td>Name of the Policer used in ACL.</td>
     <td><ul class="bullets">
<li> <var>copy-to-cpu</var> - Packets are copied to CPU if they match the ACL conditions.
<li> <var>drop</var> - Packets are dropped if they match the ACL conditions.
<li> <var>forward</var> - Packets are forwarded if they match the ACL conditions.
<li> <var>redirect-to-cpu</var> - Packets are redirected to CPU if they match the ACL conditions.
<li> <var>send-to-new-dst-ports</var> - Packets are send to new destination ports if they match the ACL conditions.
</ul></td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>new-dst-ports</b></var> (<em>ports,trunks</em>)</td>
     <td><var><b>yellow-rate</b></var> (<em>integer</em>)</td>
     <td>If action is "send-to-new-dst-ports", then this property sets which ports/trunks is the new destination.</td>
     <td>Maximum data rate limit for packets with yellow drop precedence.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>mirror-to</b></var> (<em>mirror0 | mirror1</em>)</td>
     <td><var><b>yellow-burst</b></var> (<em>integer</em>; Default:
     <td>Mirroring destination for ACL packets.</td>
<b>0</b>)</td>
     <td>Maximum data rate which can be transmitted while the burst is allowed for packets with yellow drop precedence.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>policer</b></var> (<em>policer</em>)</td>
     <td><var><b>red-rate</b></var> (<em>integer</em>); Default:
     <td>Applied ACL Policer for ACL packets.</td>
<b>0</b>)</td>
     <td>Maximum data rate limit for packets with red drop precedence.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>src-mac-learn</b></var> (<em>yes | no</em>)</td>
     <td><var><b>red-burst</b></var> (<em>integer</em>; Default:
     <td>Whether to learn source MAC of the matched ACL packets. Valid only in ingress policy table.</td>
<b>0</b>)</td>
     <td>Maximum data rate which can be transmitted while the burst is allowed for packets with red drop precedence.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>new-service-vid</b></var> (<em>0..4095</em>)</td>
     <td><var><b>meter-unit</b></var> (<em>bit | packet</em>; Default:
     <td>New service VLAN id for ACL packets.</td>
<b>bit</b>)</td>
     <td>Measuring units for ACL traffic rate.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>new-service-pcp</b></var> (<em>0..7</em>)</td>
     <td><var><b>meter-len</b></var> (<em>layer-1 | layer-2 | layer-3</em>; Default:
    <td>New service PCP for ACL packets.</td>
<b>layer-1</b>)</td>
        <td>Packet classification which sets the packet byte length for metering.
<ul class="bullets">
<li> <var>layer-1</var> - includes entire layer-2 frame + FCS + inter-packet gap + preamble.
<li> <var>layer-2</var> - includes layer-2 frame + FCS.
<li> <var>layer-3</var> - includes only layer-3 + ethernet padding without layer-2 header and FCS.
</ul></td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>new-service-dei</b></var> (<em>0..1</em>)</td>
     <td><var><b>color-awareness</b></var> (<em>yes | no</em>; Default:
     <td>New service DEI for ACL packets.</td>
<b>no</b>)</td>
     <td>YES makes policer to take into account pre-colored drop precedence, NO - ignores drop precedence.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>new-customer-vid</b></var> (<em>0..4095</em>)</td>
     <td><var><b>bucket-coupling</b></var> (<em>yes | no</em>; Default:
     <td>New customer VLAN id for ACL packets.</td>
<b>no</b>)</td>
     <td></td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>new-customer-pcp</b></var> (<em>0..7</em>)</td>
     <td><var><b>yellow-action</b></var> (<em>drop | forward | remark</em>; Default:
     <td>New customer PCP for ACL packets.</td>
<b>drop</b>)</td>
     <td>Performed action for exceeded traffic with yellow drop precedence.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>new-customer-dei</b></var> (<em>0..1</em>)</td>
     <td><var><b>new-dei-for-yellow</b></var> (<em>0..1 | remap</em>)</td>
     <td>New customer DEI for ACL packets.</td>
     <td>New DEI for yellow drop precedence packets.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>new-dscp</b></var> (<em>0..63</em>)</td>
    <td><var><b>new-pcp-for-yellow</b></var> (<em>0..7 | remap</em>)</td>
     <td>New DSCP for ACL packets.</td>
    <td>New PCP for yellow drop precedence packets.</td>
</tr>
<tr>
     <td><var><b>new-dscp-for-yellow</b></var> (<em>0..63 | remap</em>)</td>
     <td>New DSCP for yellow drop precedence packets.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>new-priority</b></var> (<em>0..15</em>)</td>
     <td><var><b>red-action</b></var> (<em>drop | forward | remark</em>; Default:
     <td>New internal priority for ACL packets.</td>
<b>drop</b>)</td>
     <td>Performed action for exceeded traffic with red drop precedence.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>new-drop-precedence</b></var> (<em>drop | green | red | yellow</em>)</td>
     <td><var><b>new-dei-for-red</b></var> (<em>0..1 | remap</em>)</td>
     <td>New internal drop precedence for ACL packets.</td>
     <td>New DEI for red drop precedence packets.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>new-registered-state</b></var> (<em>yes | no</em>)</td>
     <td><var><b>new-pcp-for-red</b></var> (<em>0..7 | remap</em>)</td>
     <td>Whether to modify packet status. YES sets packet status to registered, NO - unregistered. Valid only in ingress policy table.</td>
     <td>New PCP for red drop precedence packets.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>new-flow-id</b></var> (<em>0..63</em>)</td>
     <td><var><b>new-dscp-for-red</b></var> (<em>0..63 | remap</em>)</td>
     <td></td>
     <td>New DSCP for red drop precedence packets.</td>
</tr>
</tr>
</table>
</table>
<br>
<br>


Filter bypassing part for ACL packets.
<p></p>


<table class="styled_table">
=See also=
<tr>
  <th width="50%">Property</th>
  <th >Description</th>
</tr>
<tr>
    <td><var><b>attack-filter-bypass</b></var> (<em>yes | no</em>; Default:
<b>no</b>)</td>
    <td></td>
</tr>
<tr>
    <td><var><b>ingress-vlan-filter-bypass</b></var> (<em>yes | no</em>; Default:
<b>no</b>)</td>
    <td>Allows to bypass ingress VLAN filtering in VLAN table for matching packets. Applies only to ingress policy table.</td>
</tr>
<tr>
    <td><var><b>egress-vlan-filter-bypass</b></var> (<em>yes | no</em>; Default:
<b>no</b>)</td>
    <td>Allows to bypass egress VLAN filtering in VLAN table for matching packets. Applies only to ingress policy table.</td>
</tr>
<tr>
    <td><var><b>isolation-filter-bypass</b></var> (<em>yes | no</em>; Default:
<b>no</b>)</td>
    <td>Allows to bypass Isolation table for matching packets. Applies only to ingress policy table.</td>
</tr>
<tr>
    <td><var><b>egress-vlan-translate-bypass</b></var> (<em>yes | no</em>; Default:
<b>no</b>)</td>
    <td>Allows to bypass egress VLAN translation table for matching packets.</td>
</tr>
</table>
<br>
 
<p></p>
 
====ACL Policer====
 
<p id="shbox"><b>Sub-menu:</b> <code>/interface ethernet switch
acl policer</code></p><br />
 
<table class="styled_table">
<tr>
  <th width="50%">Property</th>
  <th >Description</th>
</tr>
<tr>
    <td><var><b>name</b></var> (<em>string</em>; Default:
<b>policerX</b>)</td>
    <td>Name of the Policer used in ACL.</td>
</tr>
<tr>
    <td><var><b>yellow-rate</b></var> (<em>integer</em>)</td>
    <td>Maximum data rate limit for packets with yellow drop precedence.</td>
</tr>
<tr>
    <td><var><b>yellow-burst</b></var> (<em>integer</em>; Default:
<b>0</b>)</td>
    <td>Maximum data rate which can be transmitted while the burst is allowed for packets with yellow drop precedence.</td>
</tr>
<tr>
    <td><var><b>red-rate</b></var> (<em>integer</em>); Default:
<b>0</b>)</td>
    <td>Maximum data rate limit for packets with red drop precedence.</td>
</tr>
<tr>
    <td><var><b>red-burst</b></var> (<em>integer</em>; Default:
<b>0</b>)</td>
    <td>Maximum data rate which can be transmitted while the burst is allowed for packets with red drop precedence.</td>
</tr>
<tr>
    <td><var><b>meter-unit</b></var> (<em>bit | packet</em>; Default:
<b>bit</b>)</td>
    <td>Measuring units for ACL traffic rate.</td>
</tr>
<tr>
    <td><var><b>meter-len</b></var> (<em>layer-1 | layer-2 | layer-3</em>; Default:
<b>layer-1</b>)</td>
        <td>Packet classification which sets the packet byte length for metering.
<ul class="bullets">
<li> <var>layer-1</var> - includes entire layer-2 frame + FCS + inter-packet gap + preamble.
<li> <var>layer-2</var> - includes layer-2 frame + FCS.
<li> <var>layer-3</var> - includes only layer-3 + ethernet padding without layer-2 header and FCS.
</ul></td>
</tr>
<tr>
    <td><var><b>color-awareness</b></var> (<em>yes | no</em>; Default:
<b>no</b>)</td>
    <td>YES makes policer to take into account pre-colored drop precedence, NO - ignores drop precedence.</td>
</tr>
<tr>
    <td><var><b>bucket-coupling</b></var> (<em>yes | no</em>; Default:
<b>no</b>)</td>
    <td></td>
</tr>
<tr>
    <td><var><b>yellow-action</b></var> (<em>drop | forward | remark</em>; Default:
<b>drop</b>)</td>
    <td>Performed action for exceeded traffic with yellow drop precedence.</td>
</tr>
<tr>
    <td><var><b>new-dei-for-yellow</b></var> (<em>0..1 | remap</em>)</td>
    <td>New DEI for yellow drop precedence packets.</td>
</tr>
<tr>
    <td><var><b>new-pcp-for-yellow</b></var> (<em>0..7 | remap</em>)</td>
    <td>New PCP for yellow drop precedence packets.</td>
</tr>
<tr>
    <td><var><b>new-dscp-for-yellow</b></var> (<em>0..63 | remap</em>)</td>
    <td>New DSCP for yellow drop precedence packets.</td>
</tr>
<tr>
    <td><var><b>red-action</b></var> (<em>drop | forward | remark</em>; Default:
<b>drop</b>)</td>
    <td>Performed action for exceeded traffic with red drop precedence.</td>
</tr>
<tr>
    <td><var><b>new-dei-for-red</b></var> (<em>0..1 | remap</em>)</td>
    <td>New DEI for red drop precedence packets.</td>
</tr>
<tr>
    <td><var><b>new-pcp-for-red</b></var> (<em>0..7 | remap</em>)</td>
    <td>New PCP for red drop precedence packets.</td>
</tr>
<tr>
    <td><var><b>new-dscp-for-red</b></var> (<em>0..63 | remap</em>)</td>
    <td>New DSCP for red drop precedence packets.</td>
</tr>
</table>
<br>


<p></p>
* [[Manual:CRS1xx/2xx_series_switches_examples | CRS1xx/2xx series switches examples]]
* [[Manual:CRS_Router | CRS Router]]
* [[Manual:CRS1xx/2xx_VLANs_with_Trunks | CRS1xx/2xx VLANs with Trunks]]
* [[Manual:Basic_VLAN_switching | Basic VLAN switching]]
* [[Manual:Interface/Bridge#Bridge_Hardware_Offloading | Bridge Hardware Offloading]]
* [[Manual:Interface/Bridge#Spanning_Tree_Protocol | Spanning Tree Protocol]]
* [[Manual:Interface/Bridge#IGMP_Snooping | IGMP Snooping]]
* [[Manual:Interface/Bridge#DHCP_Snooping_and_DHCP_Option_82 | DHCP Snooping and Option 82]]
* [[M:Maximum_Transmission_Unit_on_RouterBoards | MTU on RouterBOARD]]
* [[Manual:Layer2_misconfiguration | Layer2 misconfiguration]]
* [[Manual:Master-port | Master-port]]


{{cont}}
{{cont}}


[[Category:Manual]]
[[Category:Manual]]
[[Category:Interface|Switch Chip Features]]
[[Category:Bridging and switching]]
[[Category:Case Studies|Switch Chip Features]]
[[Category:Routerboard]]
[[Category:Routerboard|Switch Chip Features]]
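Review bot: in the ACL Policer table the red-rate cell reads "(<em>integer</em>); Default:", with a closing parenthesis before "; Default", which leaves the parentheses unbalanced; the other rows use "(<em>integer</em>; Default:". yellow-rate lists no default while red-rate, yellow-burst and red-burst do. The two burst rows are described as a "maximum data rate" rather than a burst size, and bucket-coupling has an empty description cell.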

Latest revision as of 08:12, 8 July 2021


Applies to RouterOS: v6.12 +


Summary

The Cloud Router Switch series are highly integrated switches with a high-performance MIPS CPU and a feature-rich packet processor. The CRS switches can be designed into various Ethernet applications, including unmanaged switch, Layer 2 managed switch, carrier switch and wireless/wired unified packet processing.


Warning: This article applies to CRS1xx and CRS2xx series switches and not to CRS3xx series switches. For CRS3xx series devices read the CRS3xx series switches manual.


Features Description
Forwarding
  • Configurable ports for switching or routing
  • Full non-blocking wirespeed switching
  • Up to 16k MAC entries in Unicast FDB for Layer 2 unicast forwarding
  • Up to 1k MAC entries in Multicast FDB for multicast forwarding
  • Up to 256 MAC entries in Reserved FDB for control and management purposes
  • All Forwarding Databases support IVL and SVL
  • Configurable Port based MAC learning limit
  • Jumbo frame support (CRS1xx: 4064 Bytes; CRS2xx: 9204 Bytes)
  • IGMP Snooping support
Mirroring
  • Various types of mirroring:
    • Port based mirroring
    • VLAN based mirroring
    • MAC based mirroring
  • 2 independent mirroring analyzer ports
VLAN
  • Fully compatible with IEEE802.1Q and IEEE802.1ad VLAN
  • 4k active VLANs
  • Flexible VLAN assignment:
    • Port based VLAN
    • Protocol based VLAN
    • MAC based VLAN
  • From any to any VLAN translation and swapping
  • 1:1 VLAN switching - VLAN to port mapping
  • VLAN filtering
Port Isolation and Leakage
  • Applicable for Private VLAN implementation
  • 3 port profile types: Promiscuous, Isolated and Community
  • Up to 28 Community profiles
  • Leakage profiles allow bypassing egress VLAN filtering
Trunking
  • Supports static link aggregation groups
  • Up to 8 Port Trunk groups
  • Up to 8 member ports per Port Trunk group
  • Hardware automatic failover and load balancing
Quality of Service (QoS)
  • Flexible QoS classification and assignment:
    • Port based
    • MAC based
    • VLAN based
    • Protocol based
    • PCP/DEI based
    • DSCP based
    • ACL based
  • QoS remarking and remapping for QoS domain translation between service provider and client networks
  • Overriding of each QoS assignment according to the configured priority
Shaping and Scheduling
  • 8 queues on each physical port
  • Shaping per port, per queue, per queue group
Access Control List
  • Ingress and Egress ACL tables
  • Up to 128 ACL rules (limited by RouterOS)
  • Classification based on ports, L2, L3, L4 protocol header fields
  • ACL actions include filtering, forwarding and modifying of the protocol header fields

Cloud Router Switch models

This table clarifies the main differences between Cloud Router Switch models.

Model | Switch Chip | CPU | Wireless | SFP+ port | Access Control List | Jumbo Frame (Bytes)
CRS105-5S-FB | QCA-8511 | 400MHz | - | - | + | 9204
CRS106-1C-5S | QCA-8511 | 400MHz | - | - | + | 9204
CRS112-8G-4S | QCA-8511 | 400MHz | - | - | + | 9204
CRS210-8G-2S+ | QCA-8519 | 400MHz | - | + | + | 9204
CRS212-1G-10S-1S+ | QCA-8519 | 400MHz | - | + | + | 9204
CRS226-24G-2S+ | QCA-8519 | 400MHz | - | + | + | 9204
CRS125-24G-1S | QCA-8513L | 600MHz | - | - | - | 4064
CRS125-24G-1S-2HnD | QCA-8513L | 600MHz | + | - | - | 4064
CRS109-8G-1S-2HnD | QCA-8513L | 600MHz | + | - | - | 4064

Cloud Router Switch configuration examples

Abbreviations and Explanations

CVID - Customer VLAN id: inner VLAN tag id of the IEEE 802.1ad frame

SVID - Service VLAN id: outer VLAN tag id of the IEEE 802.1ad frame

IVL - Independent VLAN learning - learning/lookup is based on both MAC addresses and VLAN IDs.

SVL - Shared VLAN learning - learning/lookup is based on MAC addresses - not on VLAN IDs.

TPID - Tag Protocol Identifier

PCP - Priority Code Point: a 3-bit field which refers to the IEEE 802.1p priority

DEI - Drop Eligible Indicator

DSCP - Differentiated services Code Point

Drop precedence - internal CRS switch QoS attribute used for packet enqueuing or dropping.

Port Switching

To set up port switching on CRS1xx/2xx series switches, see the Bridge Hardware Offloading page.


Note: Dynamic reserved VLAN entries (VLAN4091; VLAN4090; VLAN4089; etc.) are created in CRS switch when switched port groups are added when a hardware offloaded bridge is created. These VLANs are necessary for internal operation and have lower precedence than user configured VLANs.


Multiple switch groups

The CRS1xx/2xx series switches allow you to use multiple bridges with hardware offloading, which lets you easily isolate multiple switch groups. To do this, create multiple bridges and enable hardware offloading on them.


Note: Multiple hardware offloaded bridge configuration is designed as a fast and simple port isolation solution, but it limits part of the VLAN functionality supported by the CRS switch chip. For advanced configurations use one bridge within the CRS switch chip for all ports, configure VLANs and isolate port groups with port isolation profile configuration.



Warning: CRS1xx/2xx series switches are capable of running multiple hardware offloaded bridges with (R)STP enabled, but it is not recommended since the device is not designed to run multiple (R)STP instances on a hardware level. To isolate multiple switch groups and have (R)STP enabled you should isolate port groups with port isolation profile configuration.


Global Settings

Sub-menu: /interface ethernet switch


The CRS switch chip is configurable from the /interface ethernet switch console menu.

Property Description
name (string value; Default: switch1) Name of the switch.
bridge-type (customer-vid-used-as-lookup-vid | service-vid-used-as-lookup-vid; Default: customer-vid-used-as-lookup-vid) Bridge type defines which VLAN tag is used as Lookup-VID. Lookup-VID serves as the VLAN key for all VLAN-based lookup.
mac-level-isolation (yes | no; Default: yes) Globally enables or disables MAC level isolation. Once enabled, the switch will check the source and destination MAC address entries and their isolation-profile from the unicast forwarding table. By default, the switch will learn MAC addresses and place them into a promiscuous isolation profile. Other isolation profiles can be used when creating static unicast entries. If the source or destination MAC address is located on a promiscuous isolation profile, the packet is forwarded. If both source and destination MAC addresses are located on the same community1 or community2 isolation profile, the packet is forwarded. The packet is dropped when the source and destination MAC address isolation profile is isolated, or when the source and destination MAC address isolation profiles are from different communities (e.g. source MAC address is community1 and destination MAC address is community2). When MAC level isolation is globally disabled, the isolation is bypassed.
use-svid-in-one2one-vlan-lookup (yes | no; Default: no) Whether to use service VLAN id for 1:1 VLAN switching lookup.
use-cvid-in-one2one-vlan-lookup (yes | no; Default: yes) Whether to use customer VLAN id for 1:1 VLAN switching lookup.
multicast-lookup-mode (dst-ip-and-vid-for-ipv4 | dst-mac-and-vid-always; Default: dst-ip-and-vid-for-ipv4) Lookup mode for IPv4 multicast bridging.
  • dst-mac-and-vid-always - For all packet types lookup key is destination MAC and VLAN id.
  • dst-ip-and-vid-for-ipv4 - For IPv4 packets lookup key is destination IP and VLAN id. For other packet types lookup key is destination MAC and VLAN id.
unicast-fdb-timeout (time interval; Default: 5m) Timeout for Unicast FDB entries.
override-existing-when-ufdb-full (yes | no; Default: no) Whether to override the existing entry which has the lowest aging value when the UFDB is full.


Property Description
drop-if-no-vlan-assignment-on-ports (ports; Default: none) Ports which drop frames if no MAC-based, Protocol-based VLAN assignment or Ingress VLAN Translation is applied.
drop-if-invalid-or-src-port-not-member-of-vlan-on-ports (ports; Default: none) Ports which drop invalid and other port VLAN id frames.
unknown-vlan-lookup-mode (ivl | svl; Default: svl) Lookup and learning mode for packets with invalid VLAN.
forward-unknown-vlan (yes | no; Default: yes) Whether to allow forwarding VLANs which are not members of VLAN table.


Property Description
bypass-vlan-ingress-filter-for (protocols; Default: none) Protocols which are excluded from Ingress VLAN filtering. These protocols are not dropped if they have invalid VLAN. (arp, dhcpv4, dhcpv6, eapol, igmp, mld, nd, pppoe-discovery, ripv1)
bypass-ingress-port-policing-for (protocols; Default: none) Protocols which are excluded from Ingress Port Policing. (arp, dhcpv4, dhcpv6, eapol, igmp, mld, nd, pppoe-discovery, ripv1)
bypass-l2-security-check-filter-for (protocols; Default: none) Protocols which are excluded from Policy rule security check. (arp, dhcpv4, dhcpv6, eapol, igmp, mld, nd, pppoe-discovery, ripv1)
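
An added example (not part of the MikroTik manual): a small Python audit that reads the `/interface ethernet switch` section of an exported configuration, fills in the defaults listed in the tables above, and reports global settings that leave VLAN filtering or MAC level isolation relaxed. The sample export, its port names and the wording of the findings are constructed for illustration.

```python
import re
import shlex

MENU = "/interface ethernet switch"

# Defaults copied from the property tables on this page.
PAGE_DEFAULTS = {
    "mac-level-isolation": "yes",
    "forward-unknown-vlan": "yes",
    "drop-if-invalid-or-src-port-not-member-of-vlan-on-ports": "none",
    "bypass-vlan-ingress-filter-for": "none",
    "bypass-ingress-port-policing-for": "none",
    "bypass-l2-security-check-filter-for": "none",
}

BYPASS_PROPS = (
    "bypass-vlan-ingress-filter-for",
    "bypass-ingress-port-policing-for",
    "bypass-l2-security-check-filter-for",
)

# Constructed sample export; bridge and port names are assumptions.
SAMPLE_EXPORT = r"""
# constructed sample, not taken from a real device
/interface bridge
add name=bridge1
/interface ethernet switch
set bypass-vlan-ingress-filter-for=arp,dhcpv4 drop-if-invalid-or-src-port-\
    not-member-of-vlan-on-ports=ether2,ether3 forward-unknown-vlan=no
"""


def parse_switch_settings(export_text):
    """Return the effective global switch settings: page defaults overlaid
    with every key=value found on 'set' lines of the switch menu."""
    settings = dict(PAGE_DEFAULTS)
    # Long export lines are wrapped with a trailing backslash, possibly mid-word.
    text = re.sub(r"\\\r?\n[ \t]*", "", export_text)
    in_menu = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            if line.startswith(MENU + " set "):
                line = line[len(MENU):].strip()  # one-line "/menu set k=v" form
            else:
                in_menu = (line == MENU)         # sub-menus such as "... switch port" do not match
                continue
        elif not in_menu:
            continue
        try:
            tokens = shlex.split(line)
        except ValueError:
            continue                             # unbalanced quotes: skip the line
        if tokens[:1] != ["set"]:
            continue
        for token in tokens[1:]:
            key, sep, value = token.partition("=")
            if sep and key in PAGE_DEFAULTS:
                settings[key] = value
    return settings


def audit(settings):
    """Return (property, message) pairs for settings that relax filtering."""
    findings = []
    if settings["mac-level-isolation"] == "no":
        findings.append(("mac-level-isolation",
                         "isolation profiles in the unicast FDB are bypassed"))
    if settings["forward-unknown-vlan"] == "yes":
        findings.append(("forward-unknown-vlan",
                         "VLANs that are not members of the VLAN table are forwarded"))
    prop = "drop-if-invalid-or-src-port-not-member-of-vlan-on-ports"
    if settings[prop] in ("none", ""):
        findings.append((prop, "no port drops invalid or other-port VLAN id frames"))
    for prop in BYPASS_PROPS:
        protocols = [p for p in settings[prop].split(",") if p and p != "none"]
        if protocols:
            findings.append((prop, "exempted protocols: " + ", ".join(protocols)))
    return findings


if __name__ == "__main__":
    for prop, message in audit(parse_switch_settings(SAMPLE_EXPORT)):
        print(f"{prop}: {message}")
```

An export normally lists only values that differ from the defaults, which is why the parser starts from the defaults given on this page.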


Property Description
ingress-mirror0 (port | trunk,format; Default: none,modified) The first ingress mirroring analyzer port or trunk and mirroring format:
  • analyzer-configured - The packet is same as the packet to destination. VLAN format is modified based on the VLAN configurations of the analyzer port.
  • modified - The packet is same as the packet to destination. VLAN format is modified based on the VLAN configurations of the egress port.
  • original - Traffic is mirrored without any change to the original incoming packet format. But service VLAN tag is stripped in edge port.
ingress-mirror1 (port | trunk,format; Default: none,modified) The second ingress mirroring analyzer port or trunk and mirroring format:
  • analyzer-configured - The packet is same as the packet to destination. VLAN format is modified based on the VLAN configurations of the analyzer port.
  • modified - The packet is same as the packet to destination. VLAN format is modified based on the VLAN configurations of the egress port.
  • original - Traffic is mirrored without any change to the original incoming packet format. But service VLAN tag is stripped in edge port.
ingress-mirror-ratio (1/32768..1/1; Default: 1/1) Proportion of ingress mirrored packets compared to all packets.
egress-mirror0 (port | trunk,format; Default: none,modified) The first egress mirroring analyzer port or trunk and mirroring format:
  • analyzer-configured - The packet is same as the packet to destination. VLAN format is modified based on the VLAN configurations of the analyzer port.
  • modified - The packet is same as the packet to destination. VLAN format is modified based on the VLAN configurations of the egress port.
  • original - Traffic is mirrored without any change to the original incoming packet format. But service VLAN tag is stripped in edge port.
egress-mirror1 (port | trunk,format; Default: none,modified) The second egress mirroring analyzer port or trunk and mirroring format:
  • analyzer-configured - The packet is same as the packet to destination. VLAN format is modified based on the VLAN configurations of the analyzer port.
  • modified - The packet is same as the packet to destination. VLAN format is modified based on the VLAN configurations of the egress port.
  • original - Traffic is mirrored without any change to the original incoming packet format. But service VLAN tag is stripped in edge port.
egress-mirror-ratio (1/32768..1/1; Default: 1/1) Proportion of egress mirrored packets compared to all packets.
mirror-egress-if-ingress-mirrored (yes | no; Default: no) When a packet is subject to both ingress and egress mirroring: if this setting is disabled, only ingress mirroring is performed on the packet; if this setting is enabled, both mirroring types are applied.
mirror-tx-on-mirror-port (yes | no; Default: no)
mirrored-packet-qos-priority (0..7; Default: 0) Remarked priority in mirrored packets.
mirrored-packet-drop-precedence (drop | green | red | yellow; Default: green) Remarked drop precedence in mirrored packets. This QoS attribute is used for mirrored packet enqueuing or dropping.
fdb-uses (mirror0 | mirror1; Default: mirror0) Analyzer port used for FDB-based mirroring.
vlan-uses (mirror0 | mirror1; Default: mirror0) Analyzer port used for VLAN-based mirroring.

Port Settings

Sub-menu: /interface ethernet switch port


Property Description
vlan-type (edge-port | network-port; Default: network-port) Port VLAN type specifies whether VLAN id is used in UFDB learning. Network port learns VLAN id in UFDB, edge port does not - VLAN 0. It can be observed only in IVL learning mode.
isolation-leakage-profile-override (yes | no; Default: !isolation-leakage-profile-override)
isolation-leakage-profile (0..31;)
Custom port profile for port isolation/leakage configurations.
  • Port-level isolation profile 0. Uplink port - allows the port to communicate with all ports in the device.
  • Port-level isolation profile 1. Isolated port - allows the port to communicate only with uplink ports.
  • Port-level isolation profile 2 - 31. Community port - allows communication among the same community ports and uplink ports.
learn-override (yes | no; Default: !learn-override)
learn-limit (1..1023; Default: !learn-limit)
Enable or disable MAC address learning and set MAC limit on the port. MAC learning limit is disabled by default when !learn-override and !learn-limit. Property learn-override is replaced with learn under /interface bridge port menu since RouterOS v6.42.
drop-when-ufdb-entry-src-drop (yes | no; Default: yes) Enable or disable to drop packets when UFDB entry has action src-drop.
allow-unicast-loopback (yes | no; Default: no) Unicast loopback on port. When enabled, it permits sending back when source port and destination port are the same one for known unicast packets.
allow-multicast-loopback (yes | no; Default: no) Multicast loopback on port. When enabled, it permits sending back when source port and destination port are the same for registered multicast or broadcast packets.
action-on-static-station-move (copy-to-cpu | drop | forward | redirect-to-cpu; Default: forward) Action for packets when UFDB already contains static entry with such MAC but with a different port.
drop-dynamic-mac-move (yes | no; Default: no) Prevents MAC relearning until UFDB timeout if MAC is already learned on other port.


Property Description
allow-fdb-based-vlan-translate (yes | no; Default: no) Enable or disable MAC-based VLAN translation on the port.
allow-mac-based-service-vlan-assignment-for (all-frames | none | tagged-frame-only | untagged-and-priority-tagged-frame-only; Default: none) Frame type to which MAC-based service VLAN translation applies.
allow-mac-based-customer-vlan-assignment-for (all-frames | none | tagged-frame-only | untagged-and-priority-tagged-frame-only; Default: none) Frame type to which MAC-based customer VLAN translation applies.
default-customer-pcp (0..7; Default: 0) Default customer PCP of the port.
default-service-pcp (0..7; Default: 0) Default service PCP of the port.
pcp-propagation-for-initial-pcp (yes | no; Default: no) Enables or disables PCP propagation for initial PCP assignment on ingress.
  • If the port vlan-type is Edge port, the service PCP is copied from the customer PCP.
  • If the port vlan-type is Network port, the customer PCP is copied from the service PCP.
filter-untagged-frame (yes | no; Default: no) Whether to filter untagged frames on the port.
filter-priority-tagged-frame (yes | no; Default: no) Whether to filter tagged frames with priority on the port.
filter-tagged-frame (yes | no; Default: no) Whether to filter tagged frames on the port.


Property Description
egress-vlan-tag-table-lookup-key (according-to-bridge-type | egress-vid; Default: egress-vid) Egress VLAN table (VLAN Tagging) lookup:
  • egress-vid - Lookup VLAN id is CVID when Edge port is configured, SVID when Network port is configured.
  • according-to-bridge-type - Lookup VLAN id is CVID when customer VLAN bridge is configured, SVID when service VLAN bridge is configured. Customer tag is unmodified for Edge port in service VLAN bridge.
egress-vlan-mode (tagged | unmodified | untagged; Default: unmodified) Egress VLAN tagging action on the port.
egress-pcp-propagation (yes | no; Default: no) Enables or disables egress PCP propagation.
  • If the port vlan-type is Edge port, the service PCP is copied from the customer PCP.
  • If the port vlan-type is Network port, the customer PCP is copied from the service PCP.


Property Description
ingress-mirror-to (mirror0 | mirror1 | none; Default: none) Analyzer port for port-based ingress mirroring.
ingress-mirroring-according-to-vlan (yes | no; Default: no)
egress-mirror-to (mirror0 | mirror1 | none; Default: none) Analyzer port for port-based egress mirroring.


Property Description
qos-scheme-precedence (da-based | dscp-based | ingress-acl-based | pcp-based | protocol-based | sa-based | vlan-based; Default: pcp-based, sa-based, da-based, dscp-based, protocol-based, vlan-based) Specifies applied QoS assignment schemes on ingress of the port.
  • da-based
  • dscp-based
  • ingress-acl-based
  • pcp-based
  • protocol-based
  • sa-based
  • vlan-based
pcp-or-dscp-based-qos-change-dei (yes | no; Default: no) Enable or disable PCP or DSCP based DEI change on port.
pcp-or-dscp-based-qos-change-pcp (yes | no; Default: no) Enable or disable PCP or DSCP based PCP change on port.
pcp-or-dscp-based-qos-change-dscp (yes | no; Default: no) Enable or disable PCP or DSCP based DSCP change on port.
dscp-based-qos-dscp-to-dscp-mapping (yes | no; Default: yes) Enable or disable DSCP to internal DSCP mapping on port.
pcp-based-qos-drop-precedence-mapping (PCP/DEI-range:drop-precedence; Default: 0-15:green) The new value of drop precedence for the PCP/DEI to drop precedence (drop | green | red | yellow) mapping. Multiple mappings allowed separated by comma e.g. "0-7:yellow,8-15:red".
pcp-based-qos-dscp-mapping (PCP/DEI-range:DEI; Default: 0-15:0) The new value of DSCP for the PCP/DEI to DSCP (0..63) mapping. Multiple mappings allowed separated by comma e.g. "0-7:25,8-15:50".
pcp-based-qos-dei-mapping (PCP/DEI-range:DEI; Default: 0-15:0) The new value of DEI for the PCP/DEI to DEI (0..1) mapping. Multiple mappings allowed separated by comma e.g. "0-7:0,8-15:1".
pcp-based-qos-pcp-mapping (PCP/DEI-range:DEI; Default: 0-15:0) The new value of PCP for the PCP/DEI to PCP (0..7) mapping. Multiple mappings allowed separated by comma e.g. "0-7:3,8-15:4".
pcp-based-qos-priority-mapping (PCP/DEI-range:DEI; Default: 0-15:0) The new value of internal priority for the PCP/DEI to priority (0..15) mapping. Multiple mappings allowed separated by comma e.g. "0-7:5,8-15:15".


Property Description
priority-to-queue (priority-range:queue; Default: 0-15:0,1:1,2:2,3:3) Internal priority (0..15) mapping to queue (0..7) per port.
per-queue-scheduling (Scheduling-type:Weight; Default: wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128) Set port to use either strict or weighted round robin policy for traffic shaping for each queue group. Each queue is separated by a comma.


Property Description
ingress-customer-tpid-override (yes | no; Default: !ingress-customer-tpid-override)
ingress-customer-tpid (0..10000; Default: 0x8100)
Ingress customer TPID override allows accepting specific frames with a custom customer tag TPID. Default value is for tag of 802.1Q frames.
egress-customer-tpid-override (yes | no; Default: !egress-customer-tpid-override)
egress-customer-tpid (0..10000; Default: 0x8100)
Egress customer TPID override allows custom identification for egress frames with a customer tag. Default value is for tag of 802.1Q frames.
ingress-service-tpid-override (yes | no; Default: !ingress-service-tpid-override)
ingress-service-tpid (0..10000; Default: 0x88A8)
Ingress service TPID override allows accepting specific frames with a custom service tag TPID. Default value is for service tag of 802.1AD frames.
egress-service-tpid-override (yes | no; Default: !egress-service-tpid-override)
egress-service-tpid (0..10000; Default: 0x88A8)
Egress service TPID override allows custom identification for egress frames with a service tag. Default value is for service tag of 802.1AD frames.


Property Description
custom-drop-counter-includes (counters; Default: none) Custom include to count dropped packets for switch port custom-drop-packet counter.
  • device-loopback
  • fdb-hash-violation
  • exceeded-port-learn-limitation
  • dynamic-station-move
  • static-station-move
  • ufdb-source-drop
  • host-source-drop
  • unknown-host
  • ingress-vlan-filtered
queue-custom-drop-counter0-includes (counters; Default: none) Custom include to count dropped packets for switch port tx-queue-custom0-drop-packet and bytes for tx-queue-custom0-drop-byte counters.
  • red
  • yellow
  • green
  • queue0
  • ...
  • queue7
queue-custom-drop-counter1-includes (counters; Default: none) Custom include to count dropped packets for switch port tx-queue-custom1-drop-packet and bytes for tx-queue-custom1-drop-byte counters.
  • red
  • yellow
  • green
  • queue0
  • ...
  • queue7
policy-drop-counter-includes (counters; Default: none) Custom include to count dropped packets for switch port policy-drop-packet counter.
  • ingress-policing
  • ingress-acl
  • egress-policing
  • egress-acl

Forwarding Databases

Unicast FDB

Sub-menu: /interface ethernet switch unicast-fdb


The unicast forwarding database supports up to 16318 MAC entries.

Property Description
action (action; Default: forward) Action for UFDB entry:
  • dst-drop - Packets are dropped when their destination MAC matches the entry.
  • dst-redirect-to-cpu - Packets are redirected to CPU when their destination MAC matches the entry.
  • forward - Packets are forwarded.
  • src-and-dst-drop - Packets are dropped when their source MAC or destination MAC matches the entry.
  • src-and-dst-redirect-to-cpu - Packets are redirected to CPU when their source MAC or destination MAC matches the entry.
  • src-drop - Packets are dropped when their source MAC matches the entry.
  • src-redirect-to-cpu - Packets are redirected to CPU when their source MAC matches the entry.
disabled (yes | no; Default: no) Enables or disables Unicast FDB entry.
isolation-profile (community1 | community2 | isolated | promiscuous; Default: promiscuous) MAC level isolation profile.
mac-address (MAC address) The action command applies to the packet when the destination MAC or source MAC matches the entry.
mirror (yes | no; Default: no) Enables or disables mirroring based on source MAC or destination MAC.
port (port) Matching port for the Unicast FDB entry.
qos-group (none; Default: none) Defined QoS group from QoS group menu.
svl (yes | no; Default: no) Unicast FDB learning mode:
  • Shared VLAN Learning (svl) - learning/lookup is based on MAC addresses - not on VLAN IDs.
  • Independent VLAN Learning (ivl) - learning/lookup is based on both MAC addresses and VLAN IDs.
vlan-id (0..4095) Unicast FDB lookup/learning VLAN id.

Multicast FDB

Sub-menu: /interface ethernet switch multicast-fdb


CRS125 switch-chip supports up to 1024 entries in MFDB for multicast forwarding. For each multicast packet, destination MAC or destination IP lookup is performed in MFDB. MFDB entries are not automatically learnt and can only be configured.

Property Description
address (X.X.X.X | XX:XX:XX:XX:XX:XX) Matching IP address or MAC address for multicast packets.
bypass-vlan-filter (yes | no; Default: no) Allow to bypass VLAN filtering for matching multicast packets.
disabled (yes | no; Default: no) Enables or disables Multicast FDB entry.
ports (ports) Member ports for multicast traffic.
qos-group (none; Default: none) Defined QoS group from QoS group menu.
svl (yes | no; Default: no) Multicast FDB learning mode:
  • Shared VLAN Learning (svl) - learning/lookup is based on MAC addresses - not on VLAN IDs.
  • Independent VLAN Learning (ivl) - learning/lookup is based on both MAC addresses and VLAN IDs.
vlan-id (0..4095; Default: 0) Multicast FDB lookup VLAN id. If VLAN learning mode is IVL, VLAN id is lookup id, otherwise VLAN id = 0.

Reserved FDB

Sub-menu: /interface ethernet switch reserved-fdb


Cloud Router Switch supports 256 RFDB entries. Each RFDB entry can store either Layer2 unicast or multicast MAC address with specific commands.

Property Description
action (copy-to-cpu | drop | forward | redirect-to-cpu; Default: forward) Action for RFDB entry:
  • copy-to-cpu - Packets are copied to CPU when their destination MAC matches the entry.
  • drop - Packets are dropped when their destination MAC matches the entry.
  • forward - Packets are forwarded when their destination MAC matches the entry.
  • redirect-to-cpu - Packets are redirected to CPU when their destination MAC matches the entry.
bypass-ingress-port-policing (yes | no; Default: no) Allow to bypass Ingress Port Policer for matching packets.
bypass-ingress-vlan-filter (yes | no; Default: no) Allow to bypass VLAN filtering for matching packets.
disabled (yes | no; Default: no) Enables or disables Reserved FDB entry.
mac-address (MAC address; Default: 00:00:00:00:00:00) Matching MAC address for Reserved FDB entry.
qos-group (none; Default: none) Defined QoS group from QoS group menu.

VLAN

VLAN Table

Sub-menu: /interface ethernet switch vlan


The VLAN table supports 4096 VLAN entries for storing VLAN member information as well as other VLAN information such as QoS, isolation, forced VLAN, learning, and mirroring.

Property Description
disabled (yes | no; Default: no) Indicate whether the VLAN entry is disabled. Only enabled entry is applied to lookup process and forwarding decision.
flood (yes | no; Default: no) Enables or disables forced VLAN flooding per VLAN. If the feature is enabled, the result of destination MAC lookup in the UFDB or MFDB is ignored, and the packet is forced to flood in the VLAN.
ingress-mirror (yes | no; Default: no) Enable the ingress mirror per VLAN to support the VLAN-based mirror function.
learn (yes | no; Default: yes) Enables or disables source MAC learning for VLAN.
ports (ports) Member ports of the VLAN.
qos-group (none; Default: none) Defined QoS group from QoS group menu.
svl (yes | no; Default: no) FDB lookup mode for lookup in UFDB and MFDB.
  • Shared VLAN Learning (svl) - learning/lookup is based on MAC addresses - not on VLAN IDs.
  • Independent VLAN Learning (ivl) - learning/lookup is based on both MAC addresses and VLAN IDs.
vlan-id (0..4095) VLAN id of the VLAN member entry.

Egress VLAN Tag

Sub-menu: /interface ethernet switch egress-vlan-tag


Egress packets can be assigned different VLAN tag formats. VLAN tags can be removed, added, or left as is when the packet is sent to the egress port (destination port). Each port has dedicated control over the egress VLAN tag format. The tag formats include:

  • Untagged
  • Tagged
  • Unmodified

The Egress VLAN Tag table includes 4096 entries for VLAN tagging selection.

Property Description
disabled (yes | no; Default: no) Enables or disables Egress VLAN Tag table entry.
tagged-ports (ports) Ports which are tagged in egress.
vlan-id (0..4095) VLAN id which is tagged in egress.

Ingress/Egress VLAN Translation

The Ingress VLAN Translation table allows for up to 15 entries for each port. One or multiple fields can be selected from packet header for lookup in the Ingress VLAN Translation table. The S-VLAN or C-VLAN or both configured in the first matched entry is assigned to the packet.

Sub-menu: /interface ethernet switch ingress-vlan-translation


Sub-menu: /interface ethernet switch egress-vlan-translation


Property Description
customer-dei (0..1; Default: none) Matching DEI of the customer tag.
customer-pcp (0..7; Default: none) Matching PCP of the customer tag.
customer-vid (0..4095; Default: none) Matching VLAN id of the customer tag.
customer-vlan-format (any | priority-tagged-or-tagged | tagged | untagged-or-tagged; Default: any) Type of frames with customer tag for which VLAN translation rule is valid.
disabled (yes | no; Default: no) Enables or disables VLAN translation entry.
new-customer-vid (0..4095; Default: none) The new customer VLAN id which replaces matching customer VLAN id. If set to 4095 and ingress VLAN translation is used, then traffic is dropped.
new-service-vid (0..4095; Default: none) The new service VLAN id which replaces matching service VLAN id.
pcp-propagation (yes | no; Default: no) Enables or disables PCP propagation.
  • If the port type is Edge, the customer PCP is copied from the service PCP.
  • If the port type is Network, the service PCP is copied from the customer PCP.
ports (ports) Matching switch ports for VLAN translation rule.
protocol (protocols; Default: none) Matching Ethernet protocol. (only for Ingress VLAN Translation)
sa-learning (yes | no; Default: no) Enables or disables source MAC learning after VLAN translation. (only for Ingress VLAN Translation)
service-dei (0..1; Default: none) Matching DEI of the service tag.
service-pcp (0..7; Default: none) Matching PCP of the service tag.
service-vid (0..4095; Default: none) Matching VLAN id of the service tag.
service-vlan-format (any | priority-tagged-or-tagged | tagged | untagged-or-tagged; Default: any) Type of frames with service tag for which VLAN translation rule is valid.

Below is a table of traffic that triggers a rule that has a certain VLAN format set. Note that traffic tagged with VLAN ID 0 is a special case that is also taken into account.

Property Description
any Accepts:
  • Untagged traffic
  • Tagged traffic
  • Tagged traffic with priority set
  • VLAN 0 traffic
  • VLAN 0 traffic with priority set
priority-tagged-or-tagged Accepts:
  • Tagged traffic
  • Tagged traffic with priority set
  • VLAN 0 traffic
  • VLAN 0 traffic with priority set
tagged Accepts:
  • Tagged traffic
  • Tagged traffic with priority set
untagged-or-tagged Accepts:
  • Untagged traffic
  • Tagged traffic
  • Tagged traffic with priority set


Warning: If the VLAN format is set to any, a rule with customer-vid/service-vid set to 0 is also triggered by VLAN 0 traffic: the switch rule then matches untagged traffic as well as traffic carrying a VLAN 0 tag. Only untagged-or-tagged filters out VLAN 0 traffic in this case.
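The table and warning above can be checked against concrete frames. The following is an added example, not MikroTik code: it parses the outer 802.1Q tag of constructed frames and applies the table, assuming that "priority set" means PCP != 0 and that an untagged frame is looked up as VID 0, which is how the warning reads.

```python
"""Which frames trigger a VLAN translation rule for a given VLAN format.

Constructed model of the table and warning above, not switch-chip code.
Assumptions: "priority set" means PCP != 0, and an untagged frame is
looked up as VID 0 (our reading of the warning).
"""
import struct

TPID_8021Q = 0x8100   # default customer TPID listed on this page

UNTAGGED, TAGGED, TAGGED_PRIO = "untagged", "tagged", "tagged+priority"
VLAN0, VLAN0_PRIO = "vlan0", "vlan0+priority"

# VLAN format -> accepted frame classes, transcribed from the table above.
ACCEPTS = {
    "any": {UNTAGGED, TAGGED, TAGGED_PRIO, VLAN0, VLAN0_PRIO},
    "priority-tagged-or-tagged": {TAGGED, TAGGED_PRIO, VLAN0, VLAN0_PRIO},
    "tagged": {TAGGED, TAGGED_PRIO},
    "untagged-or-tagged": {UNTAGGED, TAGGED, TAGGED_PRIO},
}


def build_frame(vid=None, pcp=0):
    """Build a constructed test frame; vid=None means no VLAN tag."""
    if vid is not None and not 0 <= vid <= 4095:
        raise ValueError("VLAN id out of range")
    if not 0 <= pcp <= 7:
        raise ValueError("PCP out of range")
    macs = bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
    tag = b"" if vid is None else struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)
    return macs + tag + struct.pack("!H", 0x0800) + bytes(46)


def parse_tag(frame, tpid=TPID_8021Q):
    """Return (pcp, dei, vid) of the outer tag, or None if untagged."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != tpid:
        return None
    if len(frame) < 18:
        raise ValueError("truncated VLAN tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci >> 13, (tci >> 12) & 1, tci & 0x0FFF


def classify(frame):
    """Map a frame onto one of the five traffic classes in the table."""
    tag = parse_tag(frame)
    if tag is None:
        return UNTAGGED
    pcp, _dei, vid = tag
    if vid == 0:
        return VLAN0_PRIO if pcp else VLAN0
    return TAGGED_PRIO if pcp else TAGGED


def rule_matches(vlan_format, rule_vid, frame):
    """True if a rule with this VLAN format and VID (None = any) fires."""
    if classify(frame) not in ACCEPTS[vlan_format]:
        return False
    if rule_vid is None:
        return True
    tag = parse_tag(frame)
    effective_vid = 0 if tag is None else tag[2]   # assumption: untagged -> 0
    return effective_vid == rule_vid


def triggering_classes(vlan_format, rule_vid):
    """Classes of the constructed sample frames that trigger the rule."""
    samples = [build_frame(), build_frame(10), build_frame(10, 5),
               build_frame(0), build_frame(0, 5)]
    return [classify(f) for f in samples if rule_matches(vlan_format, rule_vid, f)]


if __name__ == "__main__":
    for fmt in ACCEPTS:
        print(f"{fmt:26} vid=0 ->", triggering_classes(fmt, 0))
```
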


Protocol Based VLAN

Sub-menu: /interface ethernet switch protocol-based-vlan


Protocol Based VLAN table is used to assign VID and QoS attributes to related protocol packet per port.

Property Description
disabled (yes | no; Default: no) Enables or disables Protocol Based VLAN entry.
frame-type (ethernet | llc | rfc-1042; Default: ethernet) Encapsulation type of the matching frames.
new-customer-vid (0..4095; Default: 0) The new customer VLAN id which replaces original customer VLAN id for specified protocol. If set to 4095, then traffic is dropped.
new-service-vid (0..4095; Default: 0) The new service VLAN id which replaces original service VLAN id for specified protocol.
ports (ports) Matching switch ports for Protocol based VLAN rule.
protocol (protocol; Default: 0) Matching protocol for Protocol based VLAN rule.
qos-group (none; Default: none) Defined QoS group from QoS group menu.
set-customer-vid-for (all | none | tagged | untagged-or-priority-tagged; Default: all) Customer VLAN id assignment command for different packet type.
set-qos-for (all | none | tagged | untagged-or-priority-tagged; Default: none) Frame type for which QoS assignment command applies.
set-service-vid-for (all | none | tagged | untagged-or-priority-tagged; Default: all) Service VLAN id assignment command for different packet type.

MAC Based VLAN

Sub-menu: /interface ethernet switch mac-based-vlan


MAC Based VLAN table is used to assign VLAN based on source MAC.

Property Description
disabled (yes | no; Default: no) Enables or disables MAC Based VLAN entry.
new-customer-vid (0..4095; Default: 0) The new customer VLAN id which replaces original service VLAN id for matched packets. If set to 4095, then traffic is dropped.
new-service-vid (0..4095; Default: 0) The new service VLAN id which replaces original service VLAN id for matched packets.
src-mac-address (MAC address) Matching source MAC address for MAC based VLAN rule.

Note: All CRS1xx/2xx series switches support up to 1024 MAC Based VLAN table entries.


1:1 VLAN Switching

Sub-menu: /interface ethernet switch one2one-vlan-switching


1:1 VLAN switching can be used to replace the regular L2 bridging for matched packets. When a packet hits an 1:1 VLAN switching table entry, the destination port information in the entry is assigned to the packet. The matched destination information in UFDB and MFDB entry no longer applies to the packet.

Property Description
customer-vid (0..4095; Default: 0) Matching customer VLAN id for 1:1 VLAN switching.
disabled (yes | no; Default: no) Enables or disables 1:1 VLAN switching table entry.
dst-port (port) Destination port for matched 1:1 VLAN switching packets.
service-vid (0..4095; Default: 0) Matching customer VLAN id for 1:1 VLAN switching.

Port Isolation/Leakage

Sub-menu: /interface ethernet switch port-isolation


Sub-menu: /interface ethernet switch port-leakage


The CRS switches support flexible multi-level isolation features, which can be used for user access control, traffic engineering and advanced security and network management. The isolation features provide an organized fabric structure allowing user to easily program and control the access by port, MAC address, VLAN, protocol, flow and frame type. The following isolation and leakage features are supported:

  • Port-level isolation
  • MAC-level isolation
  • VLAN-level isolation
  • Protocol-level isolation
  • Flow-level isolation
  • Free combination of the above

Port-level isolation supports different control schemes on source port and destination port. Each entry can be programmed with access control for either source port or destination port.

  • When the entry is programmed with source port access control, the entry is applied to the ingress packets.
  • When the entry is programmed with destination port access control, the entry is applied to the egress packets.

Port leakage allows bypassing egress VLAN filtering on the port. A leaky port is allowed to access other ports for various applications such as security, network control and management. Note: When both isolation and leakage are applied to the same port, the port is isolated.

Property Description
disabled (yes | no; Default: no) Enables or disables port isolation/leakage entry.
flow-id (0..63; Default: none)
forwarding-type (bridged; routed; Default: bridged,routed) Matching traffic forwarding type on Cloud Router Switch.
mac-profile (community1 | community2 | isolated | promiscuous; Default: none) Matching MAC isolation/leakage profile.
port-profile (0..31; Default: none) Matching Port isolation/leakage profile.
ports (ports; Default: none) Isolated/leaked ports.
protocol-type (arp; nd; dhcpv4; dhcpv6; ripv1; Default: arp,nd,dhcpv4,dhcpv6,ripv1) Included protocols for isolation/leakage.
registration-status (known; unknown; Default: known,unknown) Registration status for matching packets. Known are present in UFDB and MFDB, unknown are not.
traffic-type (unicast; multicast; broadcast; Default: unicast,multicast,broadcast) Matching traffic type.
type (dst | src; Default: src) Lookup type of the isolation/leakage entry:
  • src - Entry applies to ingress packets of the ports.
  • dst - Entry applies to egress packets of the ports.
vlan-profile (community1 | community2 | isolated | promiscuous; Default: none) Matching VLAN isolation/leakage profile.
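A segmentation plan can be checked against the port-level profile roles listed under Port Settings (0 uplink, 1 isolated, 2 - 31 community) before it is applied. This is an added example, not MikroTik code; the port names, the plan and the policy are constructed, and the per-entry matching fields in the table above are not modelled.

```python
"""Port-level isolation profiles as described in the Port Settings table.

Constructed model for auditing an intended segmentation plan; the port
names, the plan and the policy below are made up for illustration.
"""
from itertools import combinations

UPLINK = 0      # profile 0: may communicate with all ports
ISOLATED = 1    # profile 1: may communicate with uplink ports only
# profiles 2..31: community ports (same community and uplink ports)


def may_communicate(profile_a, profile_b):
    """Apply the three profile rules to a pair of port profiles."""
    for profile in (profile_a, profile_b):
        if not 0 <= profile <= 31:
            raise ValueError(f"isolation-leakage-profile out of range: {profile}")
    if UPLINK in (profile_a, profile_b):
        return True
    if ISOLATED in (profile_a, profile_b):
        return False
    return profile_a == profile_b       # both ports are community ports


def reachable_pairs(assignment):
    """All unordered port pairs that the assigned profiles allow to talk."""
    return {
        frozenset((a, b))
        for a, b in combinations(sorted(assignment), 2)
        if may_communicate(assignment[a], assignment[b])
    }


def audit(assignment, must_not_talk):
    """Return the forbidden pairs that the assignment still permits."""
    allowed = reachable_pairs(assignment)
    return [pair for pair in must_not_talk if frozenset(pair) in allowed]


# Constructed plan: one uplink, two isolated clients, two communities.
PLAN = {
    "ether1": 0,   # uplink
    "ether2": 1,   # isolated
    "ether3": 1,   # isolated
    "ether4": 2,   # community 2
    "ether5": 2,   # community 2
    "ether6": 3,   # community 3
}
# Constructed policy: pairs that must never exchange traffic directly.
POLICY = [("ether2", "ether3"), ("ether4", "ether6"), ("ether5", "ether6")]
# Same plan with ether6 placed in community 2 by mistake.
BAD_PLAN = dict(PLAN, ether6=2)

if __name__ == "__main__":
    print("plan violations:    ", audit(PLAN, POLICY))
    print("bad plan violations:", audit(BAD_PLAN, POLICY))
```
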

Trunking

Sub-menu: /interface ethernet switch trunk


Trunking in the Cloud Router Switches provides static link aggregation groups with hardware automatic failover and load balancing. IEEE802.3ad and IEEE802.1ax compatible Link Aggregation Control Protocol is not supported. Up to 8 Trunk groups are supported with up to 8 Trunk member ports per Trunk group. CRS Port Trunking calculates the transmit-hash based on all of the following parameters: L2 src-dst MAC + L3 src-dst IP + L4 src-dst Port.

Property Description
disabled (yes | no; Default: no) Enables or disables port trunking entry.
member-ports (ports) Member ports of the Trunk group.
name (string value; Default: trunkX) Name of the Trunk group.

Quality of Service

Shaper

Sub-menu: /interface ethernet switch shaper


Traffic shaping restricts the rate and burst size of the flow that is transmitted out of the interface. The shaper is implemented by a token bucket. If a packet exceeds the maximum rate or the burst size, meaning there are not enough tokens for the packet, the packet is stored in a buffer until there are enough tokens to transmit it.


Property Description
burst (integer; Default: 100k) Maximum data rate which can be transmitted while the burst is allowed.
disabled (yes | no; Default: no) Enables or disables traffic shaper entry.
meter-unit (bit | packet; Default: bit) Measuring units for traffic shaper rate.
port (port) Physical port for traffic shaper.
rate (integer; Default: 1M) Maximum data rate limit.
target (port | queueX | wrr-groupX; Default: port) Three levels of shapers are supported on each port (including CPU port):
  • Port level - Entry applies to port of the switch-chip.
  • WRR group level - Entry applies to one of the 2 Weighted Round Robin queue groups (wrr-group0, wrr-group1) on port.
  • Queue level - Entry applies to one of the 8 queues (queue0 - queue7) on port.
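The token-bucket behaviour described for the shaper, worked through as an added example (a constructed model, not MikroTik code). It assumes the bucket holds at most burst tokens, refills at rate tokens per second, starts full and serves packets in arrival order; the defaults 1M and 100k are read as decimal values.

```python
"""Token-bucket shaper as described above (constructed model).

Assumptions: the bucket holds at most `burst` tokens, refills at `rate`
tokens per second, starts full, and serves packets in arrival order.
With meter-unit=bit a token is one bit; with meter-unit=packet pass
size 1 for every packet. Wire transmission time is ignored.
"""
from fractions import Fraction

DEFAULT_RATE = 1_000_000   # "1M" default from the table, read as decimal
DEFAULT_BURST = 100_000    # "100k" default from the table, read as decimal


def shape(packets, rate=DEFAULT_RATE, burst=DEFAULT_BURST):
    """Return [(arrival, departure)] for packets given as (arrival_s, size).

    A packet that finds too few tokens is held (not dropped) until the
    bucket has refilled enough to cover its size.
    """
    if rate <= 0 or burst <= 0:
        raise ValueError("rate and burst must be positive")
    tokens = Fraction(burst)      # bucket starts full
    clock = Fraction(0)           # time at which `tokens` was last updated
    previous_arrival = Fraction(0)
    schedule = []
    for arrival, size in packets:
        arrival = Fraction(arrival)
        if arrival < previous_arrival:
            raise ValueError("packets must be sorted by arrival time")
        if size > burst:
            raise ValueError("a packet larger than burst can never be sent")
        previous_arrival = arrival
        # FIFO: a packet cannot leave before the one queued ahead of it.
        start = max(arrival, clock)
        tokens = min(Fraction(burst), tokens + (start - clock) * rate)
        if tokens < size:
            start += (size - tokens) / rate   # wait for the missing tokens
            tokens = Fraction(size)
        tokens -= size
        clock = start
        schedule.append((arrival, start))
    return schedule


def departures(schedule):
    """Departure times only."""
    return [departure for _arrival, departure in schedule]


def worst_delay(schedule):
    """Longest time any packet spent in the shaper buffer."""
    return max(departure - arrival for arrival, departure in schedule)


# Constructed input: ten 1500-byte frames (12000 bits) arriving together.
BACK_TO_BACK = [(0, 12_000)] * 10

if __name__ == "__main__":
    for arrival, departure in shape(BACK_TO_BACK):
        print(f"arrived {float(arrival):.3f}s  sent {float(departure):.3f}s")
```

With the defaults, the first eight frames fit in the 100k-bit bucket and leave immediately; the ninth and tenth are buffered until the bucket refills at the 1M bit/s rate.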

Ingress Port Policer

Sub-menu: /interface ethernet switch ingress-port-policer


Property Description
burst (integer; Default: 100k) Maximum data rate which can be transmitted while the burst is allowed.
disabled (yes | no; Default: no) Enables or disables ingress port policer entry.
meter-len (layer-1 | layer-2 | layer-3; Default: layer-1) Packet classification which sets the packet byte length for metering.
  • layer-1 - includes entire layer-2 frame + FCS + inter-packet gap + preamble.
  • layer-2 - includes layer-2 frame + FCS.
  • layer-3 - includes only layer-3 + ethernet padding without layer-2 header and FCS.
meter-unit (bit | packet; Default: bit) Measuring units for traffic ingress port policer rate.
new-dei-for-yellow (0..1 | remap; Default: none) Remarked DEI for exceeded traffic if yellow-action is remark.
new-dscp-for-yellow (0..63 | remap; Default: none) Remarked DSCP for exceeded traffic if yellow-action is remark.
new-pcp-for-yellow (0..7 | remap; Default: none) Remarked PCP for exceeded traffic if yellow-action is remark.
packet-types (packet-types; Default: all types from description) Matching packet types for which ingress port policer entry is valid.
port (port) Physical port or trunk for ingress port policer entry.
rate (integer) Maximum data rate limit.
yellow-action (drop | forward | remark; Default: drop) Performed action for exceeded traffic.

QoS Group

Sub-menu: /interface ethernet switch qos-group


The global QoS group table is used for VLAN-based, Protocol-based and MAC-based QoS group assignment configuration.

Property Description
dei (0..1; Default: none) The new value of DEI for the QoS group.
disabled (yes | no; Default: no) Enables or disables protocol QoS group entry.
drop-precedence (drop | green | red | yellow; Default: green) Drop precedence is internal QoS attribute used for packet enqueuing or dropping.
dscp (0..63; Default: none) The new value of DSCP for the QoS group.
name (string value; Default: groupX) Name of the QoS group.
pcp (0..7; Default: none) The new value of PCP for the QoS group.
priority (0..15; Default: 0) Internal priority is a local significance of priority for classifying traffics to different egress queues on a port. (1 is highest, 15 is lowest)

DSCP QoS Map

Sub-menu: /interface ethernet switch dscp-qos-map


The global DSCP to QOS mapping table is used for mapping from DSCP of the packet to new QoS attributes configured in the table.

Property Description
dei (0..1) The new value of DEI for the DSCP to QOS mapping entry.
drop-precedence (drop | green | red | yellow) The new value of Drop precedence for the DSCP to QOS mapping entry.
pcp (0..7) The new value of PCP for the DSCP to QOS mapping entry.
priority (0..15) The new value of internal priority for the DSCP to QOS mapping entry.

DSCP To DSCP Map

Sub-menu: /interface ethernet switch dscp-to-dscp


The global DSCP to DSCP mapping table is used for mapping from the packet's original DSCP to new DSCP value configured in the table.

Property Description
new-dscp (0..63) The new value of DSCP for the DSCP to DSCP mapping entry.

Policer QoS Map

Sub-menu: /interface ethernet switch policer-qos-map



Property Description
dei-for-red (0..1; Default: 0) Policer DEI remapping value for red packets.
dei-for-yellow (0..1; Default: 0) Policer DEI remapping value for yellow packets.
dscp-for-red (0..63; Default: 0) Policer DSCP remapping value for red packets.
dscp-for-yellow (0..63; Default: 0) Policer DSCP remapping value for yellow packets.
pcp-for-red (0..7; Default: 0) Policer PCP remapping value for red packets.
pcp-for-yellow (0..7; Default: 0) Policer PCP remapping value for yellow packets.

Access Control List

Note: See Summary section for Access Control List supported Cloud Router Switch devices.


The Access Control List consists of ingress policy and egress policy engines and allows configuring up to 128 policy rules (limited by RouterOS). It is an advanced tool for wire-speed packet filtering, forwarding, shaping and modifying based on Layer2, Layer3 and Layer4 protocol header field conditions.

Warning: Due to hardware limitation it is not possible to match broadcast/multicast traffic on specific ports. You should use port isolation, drop traffic on ingress ports or use VLAN filtering to prevent certain broadcast/multicast traffic from being forwarded.


ACL

Sub-menu: /interface ethernet switch acl


ACL condition part for MAC related fields of packets.

Property Description
disabled (yes | no; Default: no) Enables or disables ACL entry.
table (egress | ingress; Default: ingress) Selects policy table for incoming or outgoing packets.
invert-match (yes | no; Default: no) Inverts whole ACL rule matching.
src-ports (ports,trunks) Matching physical source ports or trunks.
dst-ports (ports,trunks) Matching physical destination ports or trunks. It is not possible to match broadcast/multicast traffic on egress port due to a hardware limitation.
mac-src-address (MAC address/Mask) Source MAC address and mask.
mac-dst-address (MAC address/Mask) Destination MAC address and mask.
dst-addr-registered (yes | no) Defines whether to match packets with registered state - packets whose destination MAC address is in UFDB/MFDB/RFDB. Valid only in egress table.
mac-protocol (802.2 | arp | homeplug-av | ip | ip-or-ipv6 | ipv6 | ipx | lldp | loop-protect | mpls-multicast | mpls-unicast | non-ip | packing-compr | packing-simple | pppoe | pppoe-discovery | rarp | service-vlan | vlan or integer: 0..65535 decimal format or 0x0000-0xffff hex format) Ethernet payload type (MAC-level protocol)
  • 802.2 - 802.2 Frames (0x0004)
  • arp - Address Resolution Protocol (0x0806)
  • homeplug-av - HomePlug AV MME (0x88E1)
  • ip - Internet Protocol version 4 (0x0800)
  • ip-or-ipv6 - IPv4 or IPv6 (0x0800 or 0x86DD)
  • ipv6 - Internet Protocol Version 6 (0x86DD)
  • ipx - Internetwork Packet Exchange (0x8137)
  • lldp - Link Layer Discovery Protocol (0x88CC)
  • loop-protect - Loop Protect Protocol (0x9003)
  • mpls-multicast - MPLS multicast (0x8848)
  • mpls-unicast - MPLS unicast (0x8847)
  • non-ip - Not Internet Protocol version 4 (not 0x0800)
  • packing-compr - Encapsulated packets with compressed IP packing (0x9001)
  • packing-simple - Encapsulated packets with simple IP packing (0x9000)
  • pppoe - PPPoE Session Stage (0x8864)
  • pppoe-discovery - PPPoE Discovery Stage (0x8863)
  • rarp - Reverse Address Resolution Protocol (0x8035)
  • service-vlan - Provider Bridging (IEEE 802.1ad) & Shortest Path Bridging IEEE 802.1aq (0x88A8)
  • vlan - VLAN-tagged frame (IEEE 802.1Q) and Shortest Path Bridging IEEE 802.1aq with NNI compatibility (0x8100)
drop-precedence (drop | green | red | yellow) Matching internal drop precedence. Valid only in egress table.
custom-fields


ACL condition part for VLAN related fields of packets.

Property Description
lookup-vid (0..4095) VLAN id used in lookup. It can be changed before reaching egress table.
service-vid (0-4095) Matching service VLAN id.
service-pcp (0..7) Matching service PCP.
service-dei (0..1) Matching service DEI.
service-tag (priority-tagged | tagged | tagged-or-priority-tagged | untagged) Format of the service tag.
customer-vid (0-4095) Matching customer VLAN id.
customer-pcp (0..7) Matching customer PCP.
customer-dei (0..1) Matching customer DEI.
customer-tag (priority-tagged | tagged | tagged-or-priority-tagged | untagged) Format of the customer tag.
priority (0..15) Matching internal priority. Valid only in egress table.


ACL condition part for IPv4 and IPv6 related fields of packets.

Property Description
ip-src (IPv4/0..32) Matching source IPv4 address.
ip-dst (IPv4/0..32) Matching destination IPv4 address.
ip-protocol (tcp | udp | udp-lite | other) IP protocol type.
src-l3-port (0-65535) Matching Layer3 source port.
dst-l3-port (0-65535) Matching Layer3 destination port.
ttl (0 | 1 | max | other) Matching TTL field of the packet.
dscp (0..63) Matching DSCP field of the packet.
ecn (0..3) Matching ECN field of the packet.
fragmented (yes | no) Whether to match fragmented packets.
first-fragment (yes | no) YES matches non-fragmented packets and first fragments, NO matches other fragments.
ipv6-src (IPv6/0..128) Matching source IPv6 address.
ipv6-dst (IPv6/0..128) Matching destination IPv6 address.
mac-isolation-profile (community1 | community2 | isolated | promiscuous) Matches isolation profile based on UFDB. Valid only in egress policy table.
src-mac-addr-state (dynamic-station-move | sa-found | sa-not-found | static-station-move) Defines whether to match packets with registered state - packets whose destination MAC address is in UFDB/MFDB/RFDB. Valid only in egress policy table.
flow-id (0..63)


ACL rule action part.

Property Description
action (copy-to-cpu | drop | forward | redirect-to-cpu | send-to-new-dst-ports; Default: forward)
  • copy-to-cpu - Packets are copied to CPU if they match the ACL conditions.
  • drop - Packets are dropped if they match the ACL conditions.
  • forward - Packets are forwarded if they match the ACL conditions.
  • redirect-to-cpu - Packets are redirected to CPU if they match the ACL conditions.
  • send-to-new-dst-ports - Packets are sent to new destination ports if they match the ACL conditions.
new-dst-ports (ports,trunks) If action is "send-to-new-dst-ports", then this property sets which ports/trunks are the new destination.
mirror-to (mirror0 | mirror1) Mirroring destination for ACL packets.
policer (policer) Applied ACL Policer for ACL packets.
src-mac-learn (yes | no) Whether to learn source MAC of the matched ACL packets. Valid only in ingress policy table.
new-service-vid (0..4095) New service VLAN id for ACL packets.
new-service-pcp (0..7) New service PCP for ACL packets.
new-service-dei (0..1) New service DEI for ACL packets.
new-customer-vid (0..4095) New customer VLAN id for ACL packets. If set to 4095, then traffic is dropped.
new-customer-pcp (0..7) New customer PCP for ACL packets.
new-customer-dei (0..1) New customer DEI for ACL packets.
new-dscp (0..63) New DSCP for ACL packets.
new-priority (0..15) New internal priority for ACL packets.
new-drop-precedence (drop | green | red | yellow) New internal drop precedence for ACL packets.
new-registered-state (yes | no) Whether to modify packet status. YES sets packet status to registered, NO - unregistered. Valid only in ingress policy table.
new-flow-id (0..63)


Filter bypassing part for ACL packets.

Property Description
attack-filter-bypass (yes | no; Default: no)
ingress-vlan-filter-bypass (yes | no; Default: no) Allows matching packets to bypass ingress VLAN filtering in the VLAN table. Applies only to ingress policy table.
egress-vlan-filter-bypass (yes | no; Default: no) Allows matching packets to bypass egress VLAN filtering in the VLAN table. Applies only to ingress policy table.
isolation-filter-bypass (yes | no; Default: no) Allows matching packets to bypass the Isolation table. Applies only to ingress policy table.
egress-vlan-translate-bypass (yes | no; Default: no) Allows matching packets to bypass the egress VLAN translation table.
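
One way to audit an exported ACL against the table restrictions, rule limit and filter-bypass flags listed above, as an added example that is not part of the original manual. It assumes each rule sits on a single `add` line of the export; the sample rules and port names are constructed.

```python
import shlex

# Table restrictions as stated in the property descriptions on this page.
EGRESS_ONLY = {"dst-addr-registered", "drop-precedence", "priority",
               "mac-isolation-profile", "src-mac-addr-state"}
INGRESS_ONLY = {"src-mac-learn", "new-registered-state", "isolation-filter-bypass",
                "ingress-vlan-filter-bypass", "egress-vlan-filter-bypass"}
BYPASS = {"attack-filter-bypass", "ingress-vlan-filter-bypass", "isolation-filter-bypass",
          "egress-vlan-filter-bypass", "egress-vlan-translate-bypass"}
MAX_RULES = 128  # rule limit stated on this page

# Constructed sample export; port names are assumptions, one rule per line.
SAMPLE = """\
/interface ethernet switch acl
add action=drop table=ingress src-ports=ether2 mac-protocol=ip ip-protocol=tcp dst-l3-port=23
add action=forward src-ports=ether3 isolation-filter-bypass=yes
add action=drop table=ingress src-ports=ether6 src-mac-addr-state=sa-not-found
add action=forward table=egress dst-ports=ether4 new-customer-vid=4095
"""

def parse_rules(export_text):
    """Return one dict per 'add' line found under the acl sub-menu."""
    rules, in_acl = [], False
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            in_acl = line == "/interface ethernet switch acl"
        elif in_acl and line.startswith("add "):
            rule = dict(t.split("=", 1) for t in shlex.split(line[4:]) if "=" in t)
            rule.setdefault("table", "ingress")  # documented default
            rules.append(rule)
    return rules

def audit(export_text):
    """Return (rule index, message) findings for enabled rules."""
    rules, findings = parse_rules(export_text), []
    if len(rules) > MAX_RULES:
        findings.append((None, f"{len(rules)} rules exceed the limit of {MAX_RULES}"))
    for n, rule in enumerate(rules):
        if rule.get("disabled") == "yes":
            continue
        wrong = EGRESS_ONLY if rule["table"] == "ingress" else INGRESS_ONLY
        for prop in sorted(wrong & rule.keys()):
            findings.append((n, f"{prop} is not valid in the {rule['table']} table"))
        for prop in sorted(BYPASS & rule.keys()):
            if rule[prop] == "yes":
                findings.append((n, f"{prop}=yes lets matching packets skip a filter"))
        if rule.get("new-customer-vid") == "4095":
            findings.append((n, "new-customer-vid=4095 drops the matched traffic"))
    return findings
```

Calling `audit(SAMPLE)` returns findings for rules 1, 2 and 3 of the sample, with rules counted from 0; rule 0 is clean.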


ACL Policer

Sub-menu: /interface ethernet switch acl policer


Property Description
name (string; Default: policerX) Name of the Policer used in ACL.
yellow-rate (integer) Maximum data rate limit for packets with yellow drop precedence.
yellow-burst (integer; Default: 0) Maximum data rate which can be transmitted while the burst is allowed for packets with yellow drop precedence.
red-rate (integer; Default: 0) Maximum data rate limit for packets with red drop precedence.
red-burst (integer; Default: 0) Maximum data rate which can be transmitted while the burst is allowed for packets with red drop precedence.
meter-unit (bit | packet; Default: bit) Measuring units for ACL traffic rate.
meter-len (layer-1 | layer-2 | layer-3; Default: layer-1) Packet classification which sets the packet byte length for metering.
  • layer-1 - includes entire layer-2 frame + FCS + inter-packet gap + preamble.
  • layer-2 - includes layer-2 frame + FCS.
  • layer-3 - includes only layer-3 + ethernet padding without layer-2 header and FCS.
color-awareness (yes | no; Default: no) YES makes the policer take pre-colored drop precedence into account, NO ignores drop precedence.
bucket-coupling (yes | no; Default: no)
yellow-action (drop | forward | remark; Default: drop) Performed action for exceeded traffic with yellow drop precedence.
new-dei-for-yellow (0..1 | remap) New DEI for yellow drop precedence packets.
new-pcp-for-yellow (0..7 | remap) New PCP for yellow drop precedence packets.
new-dscp-for-yellow (0..63 | remap) New DSCP for yellow drop precedence packets.
red-action (drop | forward | remark; Default: drop) Performed action for exceeded traffic with red drop precedence.
new-dei-for-red (0..1 | remap) New DEI for red drop precedence packets.
new-pcp-for-red (0..7 | remap) New PCP for red drop precedence packets.
new-dscp-for-red (0..63 | remap) New DSCP for red drop precedence packets.


See also
