Manual:CRS1xx/2xx series switches: Difference between revisions

From MikroTik Wiki
(added CRS RFDB)
(added CRS isolation/leakage tables)

Revision as of 08:02, 29 January 2014


Applies to RouterOS: v6.8 +


Summary

The Cloud Router Switch series are highly integrated switches with a high-performance MIPS CPU and a feature-rich packet processor. CRS switches can be deployed in various Ethernet roles, including unmanaged switch, Layer 2 managed switch, carrier switch and unified wireless/wired packet processing.

Abbreviations and Explanations

CVID - Customer VLAN id: inner VLAN tag id of the IEEE 802.1ad frame

SVID - Service VLAN id: outer VLAN tag id of the IEEE 802.1ad frame

IVL - Independent VLAN learning - learning/lookup is based on both MAC addresses and VLAN IDs.

SVL - Shared VLAN learning - learning/lookup is based on MAC addresses - not on VLAN IDs.

TPID - Tag Protocol Identifier

PCP - Priority Code Point: a 3-bit field which refers to the IEEE 802.1p priority

DEI - Drop Eligible Indicator

DSCP - Differentiated Services Code Point

Drop precedence - internal CRS switch QoS attribute used for packet enqueuing or dropping.

Generic Configuration

Sub-menu: /interface ethernet switch


CRS switch chip is configurable from the /interface ethernet switch console menu.

Property Description
bridge-type (customer-vlan-bridge | service-vlan-bridge; Default: service-vlan-bridge) Bridge type defines which VLAN tag is used as Lookup-VID. Lookup-VID serves as the VLAN key for all VLAN-based lookup.
bypass-l2-security-check-filter-for (protocols; Default: none) Protocols which are excluded from Policy rule security check. (arp, dhcpv4, dhcpv6, eapol, igmp, mld, nd, pppoe-discovery, ripv1)
bypass-vlan-ingress-filter-for (protocols; Default: none) Protocols which are excluded from Ingress VLAN filtering. These protocols are not dropped if they have an invalid VLAN. (arp, dhcpv4, dhcpv6, eapol, igmp, mld, nd, pppoe-discovery, ripv1)
drop-if-invalid-or-src-port-not-member-of-vlan-on-ports (ports; Default: none) Ports which drop frames with an invalid VLAN id or a VLAN id of which the port is not a member.
drop-if-no-vlan-assignment-on-ports (ports; Default: none) Ports which drop frames if no VLAN assignment is applied.
egress-mirror-ratio (1/32768..1/1; Default: 1/1) Proportion of egress mirrored packets compared to all packets.
egress-mirror0-enable (yes | no; Default: yes) Enables or disables egress mirroring on Mirror0 port.
egress-mirror0-format (analyzer-configured | modified | original; Default: modified)
  • analyzer-configured - The packet is same as the packet to destination. VLAN format is modified based on the VLAN configurations of the analyzer port.
  • modified - The packet is same as the packet to destination. VLAN format is modified based on the VLAN configurations of the egress port.
  • original - Traffic is mirrored without any change to the original incoming packet format. But service VLAN tag is stripped in edge port.
egress-mirror0-port (port; Default: switch1-cpu) The first egress mirroring analyzer port.
egress-mirror1-enable (yes | no; Default: yes) Enables or disables egress mirroring on Mirror1 port.
egress-mirror1-format (analyzer-configured | modified | original; Default: modified)
  • analyzer-configured - The packet is same as the packet to destination. VLAN format is modified based on the VLAN configurations of the analyzer port.
  • modified - The packet is same as the packet to destination. VLAN format is modified based on the VLAN configurations of the egress port.
  • original - Traffic is mirrored without any change to the original incoming packet format. But service VLAN tag is stripped in edge port.
egress-mirror1-port (port; Default: switch1-cpu) The second egress mirroring analyzer port.
egress-sampling-ratio (1/32768..1/1; Default: 1/1)
fdb-uses (mirror0 | mirror1; Default: mirror0) Analyzer port used for FDB-based mirroring.
forward-invalid-vlan (yes | no; Default: yes) Whether to allow forwarding VLANs which are not members of VLAN table.
ingress-mirror-ratio (1/32768..1/1; Default: 1/1) Proportion of ingress mirrored packets compared to all packets.
ingress-mirror0-enable (yes | no; Default: yes) Enables or disables ingress mirroring on Mirror0 port.
ingress-mirror0-format (analyzer-configured | modified | original; Default: modified)
  • analyzer-configured - The packet is same as the packet to destination. VLAN format is modified based on the VLAN configurations of the analyzer port.
  • modified - The packet is same as the packet to destination. VLAN format is modified based on the VLAN configurations of the egress port.
  • original - Traffic is mirrored without any change to the original incoming packet format. But service VLAN tag is stripped in edge port.
ingress-mirror0-port (port; Default: switch1-cpu) The first ingress mirroring analyzer port.
ingress-mirror1-enable (yes | no; Default: yes) Enables or disables ingress mirroring on Mirror1 port.
ingress-mirror1-format (analyzer-configured | modified | original; Default: modified)
  • analyzer-configured - The packet is same as the packet to destination. VLAN format is modified based on the VLAN configurations of the analyzer port.
  • modified - The packet is same as the packet to destination. VLAN format is modified based on the VLAN configurations of the egress port.
  • original - Traffic is mirrored without any change to the original incoming packet format. But service VLAN tag is stripped in edge port.
ingress-mirror1-port (port; Default: switch1-cpu) The second ingress mirroring analyzer port.
invalid-vlan-lookup-mode (ivl | svl; Default: ivl) Lookup and learning mode for packets with invalid VLAN.
ipv4-multicast-lookup-mode (dst-ip-and-vid-for-ipv4 | dst-mac-and-vid-always; Default: dst-mac-and-vid-always) Lookup mode for IPv4 multicast bridging.
  • dst-mac-and-vid-always - For all packet types lookup key is destination MAC and VLAN id.
  • dst-ip-and-vid-for-ipv4 - For IPv4 packets lookup key is destination IP and VLAN id. For other packet types lookup key is destination MAC and VLAN id.
mac-level-isolation (yes | no; Default: no) Enables or disables MAC level isolation.
mirror-egress-if-ingress-mirrored (yes | no; Default: no) Applies when a packet is subject to both ingress and egress mirroring: if this setting is disabled, only ingress mirroring is performed on the packet; if it is enabled, both mirroring types are applied.
mirror-tx-on-mirror-port (yes | no; Default: no)
mirrored-packet-drop-precedence (drop | green | red | yellow; Default: green) Remarked drop precedence in mirrored packets. This QoS attribute is used for mirrored packet enqueuing or dropping.
mirrored-packet-qos-priority (0..7; Default: 0) Remarked priority in mirrored packets.
name (string value; Default: switch1) Name of the switch.
override-existing-when-ufdb-full (yes | no; Default: no) Enable or disable to override existing entry which has the lowest aging value when UFDB is full.
unicast-fdb-timeout (time interval; Default: 5m) Timeout for Unicast FDB entries.
use-cvid-in-one2one-vlan-lookup (yes | no; Default: yes) Whether to use customer VLAN id for 1:1 VLAN switching lookup.
use-svid-in-one2one-vlan-lookup (yes | no; Default: no) Whether to use service VLAN id for 1:1 VLAN switching lookup.
vlan-level-isolation (yes | no; Default: no) Enables or disables VLAN level isolation.
vlan-uses (mirror0 | mirror1; Default: mirror0) Analyzer port used for VLAN-based mirroring.

Port Configuration

Sub-menu: /interface ethernet switch port


Property Description
action-on-restricted-unknown-sa (copy-to-cpu | drop | forward | redirect-to-cpu; Default: forward) Forwarding action for packets with restricted unknown source MAC address.
action-on-static-station-move (copy-to-cpu | drop | forward | redirect-to-cpu; Default: forward) Forwarding action for packets with normal static station move.
allow-multicast-loopback (yes | no; Default: no) Multicast loopback on port. When enabled, it permits sending back when source port and destination port are the same for registered multicast or broadcast packets.
allow-unicast-loopback (yes | no; Default: no) Unicast loopback on port. When enabled, it permits sending back when source port and destination port are the same for known unicast packets.
default-customer-pcp (0..7; Default: 0) Default customer priority of the port.
default-service-pcp (0..7; Default: 0) Default service priority of the port.
drop-counter-config (; Default: none)
drop-when-ufdb-entry-sa-drop (yes | no; Default: no) Enable or disable to drop packets when UFDB entry has action "src-drop".
dynamic-mac-move-is-restricted-unknown-sa (yes | no; Default: no)
egress-customer-tpid (0..10000; Default: 0x8100)
egress-mirror-to (mirror0 | mirror1; Default: mirror0) Analyzer port for port-based egress mirroring.
egress-mirroring (yes | no; Default: no) Enable or disable egress mirroring on the port.
egress-pcp-propagation (yes | no; Default: no) Enables or disables egress PCP propagation.
  • If the egress port type is Edge, the customer PCP is copied from the service PCP.
  • If the egress port type is Network, the service PCP is copied from the customer PCP.
egress-sampling (yes | no; Default: no)
egress-service-tpid (0..10000; Default: 0x88A8)
egress-vlan-lookup (according-to-bridge-type | according-to-egress-vlan-type; Default: according-to-egress-vlan-type) Egress VLAN table (VLAN Tagging) lookup:
  • according-to-egress-vlan-type - Lookup VLAN id is CVID when Edge port is configured, SVID when Network port is configured.
  • according-to-bridge-type - Lookup VLAN id is CVID when customer VLAN bridge is configured, SVID when service VLAN bridge is configured. Customer tag is unmodified for edge port in service VLAN bridge.
egress-vlan-mode (tagged | unmodified | untagged; Default: unmodified) Egress VLAN tagging action on the port.
egress-vlan-type (edge-port | network-port; Default: edge-port) Port type for Egress VLAN lookup.
filter-priority-tagged-frame (yes | no; Default: no) Whether to filter tagged frames with priority on the port.
filter-tagged-frame (yes | no; Default: no) Whether to filter tagged frames on the port.
filter-untagged-frame (yes | no; Default: no) Whether to filter untagged frames on the port.
ingress-customer-tpid (0..10000; Default: 0x8100)
ingress-mirror-to (mirror0 | mirror1; Default: mirror0) Analyzer port for port-based ingress mirroring.
ingress-mirroring (yes | no; Default: no) Enable or disable ingress mirroring on the port.
ingress-mirroring-according-to-vlan (yes | no; Default: no)
ingress-sampling (yes | no; Default: no)
ingress-sampling-mode (all-frames-excluding-filtered | all-frames-without-mac-error; Default: all-frames-without-mac-error)
ingress-sampling-ratio (1/32768..1/1; Default: 1/1)
ingress-service-tpid (0..10000; Default: 0x88A8)
ingress-vlan-type (edge-port | network-port; Default: edge-port)
isolation-profile (0..31; Default: 30)
  • Port-level isolation profile 0. Uplink port - allows the port to communicate with all ports in the device.
  • Port-level isolation profile 1. Isolated port - allows the port to communicate only with uplink ports.
  • Port-level isolation profile 2 - 31. Community port - allows communication among the same community ports and uplink ports.
learn (yes | no; Default: ) Enable or disable MAC address learning on the port.
learn-limit (1..1023; Default: ) Number of allowed MAC address limit of the port.
learn-restricted-unknown-sa (yes | no; Default: yes) Enable learning of restricted unknown source MAC addresses. A source MAC is classified as Restricted Unknown if any one of the following conditions is met:
  • MAC address limit is disabled on the incoming port.
  • MAC address limit is enabled on the incoming port and the number of learnt MAC addresses exceeds the MAC limit of the port.
  • Dynamic source MAC move is not allowed on the port and a dynamic source MAC move is treated as a security breach.
  • Secure static source MAC move is not allowed on the port and a secure static source MAC move is treated as a security breach.
mac-based-customer-vlan-for (all-frames | none | tagged-frame-only | untagged-and-priority-tagged-frame-only; Default: none) Frame type to which MAC-based customer VLAN translation applies.
mac-based-service-vlan-for (all-frames | none | tagged-frame-only | untagged-and-priority-tagged-frame-only; Default: none) Frame type to which MAC-based service VLAN translation applies.
mac-based-vlan-translate (yes | no; Default: no) Enable or disable MAC-based VLAN translation on the port.
mac-vlan-type (edge-port | network-port; Default: edge-port) Port type for MAC based VLAN translation.
pcp-propagation-for-initial-pcp (yes | no; Default: no)
per-queue-scheduling (strict-priority | wrr-group0 | wrr-group1; Default: )
priority-to-queue (; Default: 0-15:0,1:1,2:2,3:3)
qos-change-dei (yes | no; Default: no) Whether to change DEI on the port.
qos-change-dscp (yes | no; Default: no) Whether to change DSCP on the port.
qos-change-pcp (yes | no; Default: no) Whether to change PCP on the port.
qos-dscp-to-dscp-mapping (yes | no; Default: no) Enable or disable DSCP mapping on the port.
qos-pcp-dei-map-dei (; Default: 0-15:0)
qos-pcp-dei-map-drop-precedence (; Default: 0-15:green)
qos-pcp-dei-map-dscp (; Default: 0-15:0)
qos-pcp-dei-map-pcp (; Default: 0-15:0)
qos-pcp-dei-map-priority (yes | no; Default: 0-15:0)
qos-scheme-precedence (da-based | dscp-based | pcp-based | protocol-based | sa-based | vlan-based; Default: pcp-based)
secure-static-mac-move-is-restricted-unknown-sa (yes | no; Default: no)

Ingress/Egress VLAN Translation

Sub-menu: /interface ethernet switch ingress-vlan-translation


Sub-menu: /interface ethernet switch egress-vlan-translation


Property Description
customer-dei (0..1; Default: none) Matching DEI of the customer tag.
customer-pcp (0..7; Default: none) Matching PCP of the customer tag.
customer-vid (0..4095; Default: none) Matching VLAN id of the customer tag.
customer-vlan-lookup-for (all | priority-tagged-or-tagged | tagged | untagged-or-tagged; Default: untagged-or-tagged) Type of frames with customer tag for which the VLAN translation rule is valid.
disabled (yes | no; Default: no) Enables or disables VLAN translation entry.
new-customer-vid (0..4095; Default: none) The new customer VLAN id which replaces matching customer VLAN id.
new-service-vid (0..4095; Default: none) The new service VLAN id which replaces matching service VLAN id.
pcp-propagation (yes | no; Default: no) Enables or disables PCP propagation.
  • If the port type is Edge, the customer PCP is copied from the service PCP.
  • If the port type is Network, the service PCP is copied from the customer PCP.
port (port) Matching switch port for VLAN translation rule.
protocol (protocols; Default: none) Matching Ethernet protocol.
sa-learning (yes | no; Default: no) Enables or disables source MAC learning after VLAN translation.
service-dei (0..1; Default: none) Matching DEI of the service tag.
service-pcp (0..7; Default: none) Matching PCP of the service tag.
service-vid (0..4095; Default: none) Matching VLAN id of the service tag.
service-vlan-lookup-for (all | priority-tagged-or-tagged | tagged | untagged-or-tagged; Default: untagged-or-tagged) Type of frames with service tag for which the VLAN translation rule is valid.
swap-vids (yes | no; Default: no) Allows swapping original service VLAN id with original customer VLAN id.

Protocol Based VLAN

Sub-menu: /interface ethernet switch protocol-based-vlan


The Protocol Based VLAN table is used to assign VID and QoS attributes, per port, to packets of the matching protocol.

Property Description
disabled (yes | no; Default: no) Enables or disables Protocol Based VLAN entry.
frame-type (ethernet | llc | rfc-1042; Default: ethernet) Encapsulation type of the matching frames.
new-customer-vid (0..4095; Default: 0) The new customer VLAN id which replaces original customer VLAN id for specified protocol.
new-service-vid (0..4095; Default: 0) The new service VLAN id which replaces original service VLAN id for specified protocol.
port (port) Matching switch port for Protocol based VLAN rule.
protocol (protocol; Default: 0) Matching protocol for Protocol based VLAN rule.
qos-group (none; Default: none) Defined QoS group from "QoS group" menu.
set-customer-vid-for (all | none | tagged | untagged-or-priority-tagged; Default: none) Customer VLAN id assignment command for different packet type.
set-qos-for (all | none | tagged | untagged-or-priority-tagged; Default: none) Frame type for which QoS assignment command applies.
set-service-vid-for (all | none | tagged | untagged-or-priority-tagged; Default: none) Service VLAN id assignment command for different packet type.

MAC Based VLAN

Sub-menu: /interface ethernet switch mac-based-vlan


MAC Based VLAN table is used to assign VLAN based on source MAC.

Property Description
disabled (yes | no; Default: no) Enables or disables MAC Based VLAN entry.
new-customer-vid (0..4095; Default: 0) The new customer VLAN id which replaces original service VLAN id for matched packets.
new-service-vid (0..4095; Default: 0) The new service VLAN id which replaces original service VLAN id for matched packets.
src-mac-address (MAC address) Matching source MAC address for MAC based VLAN rule.

VLAN Table

Sub-menu: /interface ethernet switch vlan


The VLAN table supports 4096 VLAN entries for storing VLAN member information as well as other VLAN information such as QoS, isolation, forced VLAN, learning, and mirroring.

Property Description
disabled (yes | no; Default: no) Indicate whether the VLAN entry is disabled. Only enabled entry is applied to lookup process and forwarding decision.
flood (yes | no; Default: no) Enables or disables forced VLAN flooding per VLAN. If the feature is enabled, the result of destination MAC lookup in the UFDB or MFDB is ignored, and the packet is forced to flood in the VLAN.
ingress-mirror (yes | no; Default: no) Enable the ingress mirror per VLAN to support the VLAN-based mirror function.
isolation-profile (community1 | community2 | isolated | promiscuous; Default: promiscuous) VLAN level isolation profile.
ports (ports) Member ports of the VLAN.
qos-group (none; Default: none) Defined QoS group from "QoS group" menu.
sa-learning (yes | no; Default: no) Enables or disables source MAC learning for VLAN.
svl (yes | no; Default: no) FDB lookup mode for lookup in UFDB and MFDB.
  • Shared VLAN Learning (svl) - learning/lookup is based on MAC addresses - not on VLAN IDs.
  • Independent VLAN Learning (ivl) - learning/lookup is based on both MAC addresses and VLAN IDs.
vlan-id (0..4095) VLAN id of the VLAN member entry.

1:1 VLAN Switching

Sub-menu: /interface ethernet switch one2one-vlan-switching


1:1 VLAN switching can be used to replace regular L2 bridging for matched packets. When a packet hits a 1:1 VLAN switching table entry, the destination port information in the entry is assigned to the packet, and the destination information matched in the UFDB or MFDB entry no longer applies to the packet.

Property Description
customer-vid (0..4095; Default: 0) Matching customer VLAN id for 1:1 VLAN switching.
disabled (yes | no; Default: no) Enables or disables 1:1 VLAN switching table entry.
dst-port (port) Destination port for matched 1:1 VLAN switching packets.
service-vid (0..4095; Default: 0) Matching customer VLAN id for 1:1 VLAN switching.

Egress VLAN Tag

Sub-menu: /interface ethernet switch egress-vlan-tag


Egress packets can be assigned a different VLAN tag format. The VLAN tags can be removed, added, or left as is when the packet is sent to the egress port (destination port). Each port has dedicated control over the egress VLAN tag format. The tag formats include:

  • Untagged
  • Tagged
  • Unmodified

The Egress VLAN Tag table includes 4096 entries for VLAN tagging selection.

Property Description
disabled (yes | no; Default: no) Enables or disables Egress VLAN Tag table entry.
tagged-ports (ports) Ports which are tagged in egress.
vlan-id (0..4095) VLAN id which is tagged in egress.

Unicast FDB

Sub-menu: /interface ethernet switch unicast-fdb


The unicast forwarding database supports up to 16318 MAC entries.

Property Description
action (action; Default: forward) Action for UFDB entry:
  • dst-drop - Packets are dropped when their destination MAC matches the entry.
  • dst-redirect-to-cpu - Packets are redirected to CPU when their destination MAC matches the entry.
  • forward - Packets are forwarded.
  • src-and-dst-drop - Packets are dropped when their source MAC or destination MAC matches the entry.
  • src-and-dst-redirect-to-cpu - Packets are redirected to CPU when their source MAC or destination MAC matches the entry.
  • src-drop - Packets are dropped when their source MAC matches the entry.
  • src-redirect-to-cpu - Packets are redirected to CPU when their source MAC matches the entry.
disabled (yes | no; Default: no) Enables or disables Unicast FDB entry.
isolation-profile (community1 | community2 | isolated | promiscuous; Default: promiscuous) MAC level isolation profile.
mac-address (MAC address) The "action" command applies to the packet when the destination MAC or source MAC matches the entry.
mirror (yes | no; Default: no) Enables or disables mirroring based on source MAC or destination MAC.
port (port) Matching port for the Unicast FDB entry.
qos-group (none; Default: none) Defined QoS group from "QoS group" menu.
svl (yes | no; Default: no) Unicast FDB learning mode:
  • Shared VLAN Learning (svl) - learning/lookup is based on MAC addresses - not on VLAN IDs.
  • Independent VLAN Learning (ivl) - learning/lookup is based on both MAC addresses and VLAN IDs.
vlan-id (0..4095) Unicast FDB lookup/learning VLAN id.

Multicast FDB

Sub-menu: /interface ethernet switch multicast-fdb


The CRS125 switch-chip supports up to 1024 entries in the MFDB for multicast forwarding. For each multicast packet, a destination MAC or destination IP lookup is performed in the MFDB. MFDB entries are not learnt automatically; they can only be configured.

Property Description
addr-type (ip | mac; Default: mac) Matching address type for multicast packets.
bypass-vlan-filter (yes | no; Default: no) Allow to bypass VLAN filtering for matching multicast packets.
disabled (yes | no; Default: no) Enables or disables Multicast FDB entry.
ip-address (IP address; Default: 0.0.0.0) Matching IP address for multicast packets.
mac-address (MAC address; Default: 00:00:00:00:00:00) Matching MAC address for multicast packets.
ports (ports) Member ports for multicast traffic.
qos-group (none; Default: none) Defined QoS group from "QoS group" menu.
svl (yes | no; Default: no) Multicast FDB learning mode:
  • Shared VLAN Learning (svl) - learning/lookup is based on MAC addresses - not on VLAN IDs.
  • Independent VLAN Learning (ivl) - learning/lookup is based on both MAC addresses and VLAN IDs.
vlan-id (0..4095; Default: 0) Multicast FDB lookup VLAN id. If VLAN learning mode is IVL, VLAN id is lookup id, otherwise VLAN id = 0.

Reserved FDB

Sub-menu: /interface ethernet switch reserved-fdb


Cloud Router Switch supports 256 RFDB entries. Each RFDB entry can store either Layer2 unicast or multicast MAC address with specific commands.

Property Description
action (copy-to-cpu | drop | forward | redirect-to-cpu; Default: forward) Action for RFDB entry:
  • copy-to-cpu - Packets are copied to CPU when their destination MAC matches the entry.
  • drop - Packets are dropped when their destination MAC matches the entry.
  • forward - Packets are forwarded when their destination MAC matches the entry.
  • redirect-to-cpu - Packets are redirected to CPU when their destination MAC matches the entry.
bypass-vlan-filter (yes | no; Default: no) Allow to bypass VLAN filtering for matching packets.
disabled (yes | no; Default: no) Enables or disables Reserved FDB entry.
mac-address (MAC address; Default: 00:00:00:00:00:00) Matching MAC address for RFDB entry.
qos-group (none; Default: none) Defined QoS group from "QoS group" menu.

Port Isolation/Leakage

Sub-menu: /interface ethernet switch port-isolation


Sub-menu: /interface ethernet switch port-leakage


The CRS switches support flexible multi-level isolation features, which can be used for user access control, traffic engineering and advanced security and network management. The isolation features provide an organized fabric structure allowing user to easily program and control the access by port, MAC address, VLAN, protocol, flow and frame type. The following isolation and leakage features are supported:

  • Port-level isolation
  • MAC-level isolation
  • VLAN-level isolation
  • Protocol-level isolation
  • Flow-level isolation
  • Free combination of the above

Port-level isolation supports different control schemes on source port and destination port. Each entry can be programmed with access control for either source port or destination port.

  • When the entry is programmed with source port access control, the entry is applied to the ingress packets.
  • When the entry is programmed with destination port access control, the entry is applied to the egress packets.

Port leakage allows bypassing egress VLAN filtering on the port. A leaky port is allowed to access other ports for various applications such as security, network control and management. Note: When both isolation and leakage are applied to the same port, the port is isolated.

Property Description
disabled (yes | no; Default: no) Enables or disables port isolation/leakage entry.
flow-id (0..63; Default: none)
include-arp (yes | no; Default: yes) Includes ARP packets into Port-level isolation/leakage.
include-bridged (yes | no; Default: yes) Includes packets which are bridged by switch-chip into Port-level isolation/leakage.
include-broadcast (yes | no; Default: yes) Includes broadcast packets into Port-level isolation/leakage.
include-dhcpv4 (yes | no; Default: yes) Includes DHCPv4 packets into Port-level isolation/leakage.
include-dhcpv6 (yes | no; Default: yes) Includes DHCPv6 packets into Port-level isolation/leakage.
include-known (yes | no; Default: yes) Includes packets with known destination MAC into Port-level isolation/leakage.
include-multicast (yes | no; Default: yes) Includes multicast packets into Port-level isolation/leakage.
include-nd (yes | no; Default: yes) Includes Neighbour Discovery packets into Port-level isolation/leakage.
include-ripv1 (yes | no; Default: yes) Includes RIPv1 packets into Port-level isolation/leakage.
include-routed (yes | no; Default: yes) Includes packets which are routed by switch-chip into Port-level isolation/leakage.
include-unicast (yes | no; Default: yes) Includes unicast packets into Port-level isolation/leakage.
include-unknown (yes | no; Default: yes) Includes packets with unknown destination MAC into Port-level isolation/leakage.
mac-profile (community1 | community2 | isolated | promiscuous; Default: none) Matching MAC isolation/leakage profile.
port-profile (0..31; Default: none) Matching Port isolation/leakage profile.
ports (ports; Default: none) Isolated/leakage ports.
type (dst | src; Default: src) Lookup type of the isolation/leakage entry:
  • src - Entry applies to ingress packets of the ports.
  • dst - Entry applies to egress packets of the ports.
vlan-profile (community1 | community2 | isolated | promiscuous; Default: none) Matching VLAN isolation/leakage profile.
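The uplink/isolated/community semantics of the port isolation-profile property and the isolation-over-leakage precedence described in this section, as a small Python reference model; this is an added example, not MikroTik's code or anything from the page. The port names, the VLAN table, the ingress_filter_ports set and the excluded_kinds set (standing in for include-* flags set to no) are constructed assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Per-port isolation-profile values as documented for the CRS switch-chip.
UPLINK = 0     # profile 0: may reach every port in the device
ISOLATED = 1   # profile 1: may reach only uplink ports
# profiles 2..31: community ports, may reach the same community and uplink ports


def isolation_allows(src_profile: int, dst_profile: int) -> bool:
    """Port-level isolation verdict between two isolation-profile values."""
    if src_profile == UPLINK or dst_profile == UPLINK:
        return True
    if src_profile == ISOLATED or dst_profile == ISOLATED:
        return False
    return src_profile == dst_profile  # two community ports: same community only


@dataclass
class CrsIsolationModel:
    """Constructed model state; the field shapes are assumptions, not a RouterOS API."""
    profiles: dict[str, int]           # port -> isolation-profile (0..31)
    vlans: dict[int, set[str]]         # VLAN table: vlan-id -> member ports
    leaky_ports: set[str] = field(default_factory=set)           # ports of port-leakage entries
    ingress_filter_ports: set[str] = field(default_factory=set)  # ports listed in drop-if-invalid-or-src-port-not-member-of-vlan-on-ports
    excluded_kinds: set[str] = field(default_factory=set)        # frame kinds with include-<kind>=no

    def decide(self, src: str, dst: str, vid: int, kind: str = "unicast") -> str:
        """Return 'forward' or 'drop: <reason>' for a frame from src to dst in VLAN vid."""
        if src == dst:
            return "drop: loopback disabled"       # allow-*-loopback defaults to no
        members = self.vlans.get(vid, set())      # unknown VID has no members (assumption)
        if src in self.ingress_filter_ports and src not in members:
            return "drop: ingress VLAN filter"
        # include-* flags: an excluded frame kind is subject to neither isolation nor leakage.
        applies = kind not in self.excluded_kinds
        if applies and not isolation_allows(self.profiles[src], self.profiles[dst]):
            # Isolation is decided before leakage, so a port that is both isolated
            # and leaky stays isolated, as the page states.
            return "drop: port isolation"
        if dst in members:
            return "forward"
        if applies and src in self.leaky_ports:
            return "forward"                       # leakage bypasses egress VLAN filtering
        return "drop: egress VLAN filter"

    def reachable_from(self, src: str, vid: int, kind: str = "unicast") -> list[str]:
        """Sorted destination ports to which a frame from src in VLAN vid is forwarded."""
        return sorted(dst for dst in self.profiles
                      if dst != src and self.decide(src, dst, vid, kind) == "forward")


def build_sample() -> CrsIsolationModel:
    """Constructed six-port topology; port names and VLAN ids are made up."""
    return CrsIsolationModel(
        profiles={"ether1": UPLINK, "ether2": ISOLATED, "ether3": ISOLATED,
                  "ether4": 2, "ether5": 2, "ether6": 2},     # ether4-6 form one community
        vlans={10: {"ether1", "ether2", "ether3", "ether4", "ether5"},
               20: {"ether6"}},                                 # VLAN 20 holds only ether6
        leaky_ports={"ether6"},                                # port-leakage entry for ether6
        ingress_filter_ports={"ether2", "ether3"},             # isolated customer ports
        excluded_kinds={"arp"},                                # include-arp=no on the entry
    )


if __name__ == "__main__":
    model = build_sample()
    for port in sorted(model.profiles):
        for vid in sorted(model.vlans):
            print(f"{port} in VLAN {vid} reaches {model.reachable_from(port, vid)}")
    # Leaky but isolated from ether2: isolation wins.
    print("ether6 -> ether2, VLAN 20:", model.decide("ether6", "ether2", 20))
```

Running the script prints, per port and VLAN, which ports a frame reaches, which makes it easy to check that a leaky community port can reach non-members of its VLAN but still never an isolated port.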