Manual:Interface/Bridge

From MikroTik Wiki
< Manual:Interface
Revision as of 17:54, 12 January 2018 by Arturszon (talk | contribs) (Example)
Jump to: navigation, search
Version.png

Applies to RouterOS: v3, v4+

Summary

Sub-menu: /interface bridge
Standards: IEEE802.1D


Ethernet-like networks (Ethernet, Ethernet over IP, IEEE802.11 in ap-bridge or bridge mode, WDS, VLAN) can be connected together using MAC bridges. The bridge feature allows the interconnection of hosts connected to separate LANs (using EoIP, geographically distributed networks can be bridged as well if any kind of IP network interconnection exists between them) as if they were attached to a single LAN. As bridges are transparent, they do not appear in traceroute list, and no utility can make a distinction between a host working in one LAN and a host working in another LAN if these LANs are bridged (depending on the way the LANs are interconnected, latency and data rate between hosts may vary).

Network loops may emerge (intentionally or not) in complex topologies. Without any special treatment, loops would prevent network from functioning normally, as they would lead to avalanche-like packet multiplication. Each bridge runs an algorithm which calculates how the loop can be prevented. STP and RSTP allows bridges to communicate with each other, so they can negotiate a loop free topology. All other alternative connections that would otherwise form loops, are put to standby, so that should the main connection fail, another connection could take its place. This algorithm exchanges configuration messages (BPDU - Bridge Protocol Data Unit) periodically, so that all bridges are updated with the newest information about changes in network topology. (R)STP selects a root bridge which is responsible for network reconfiguration, such as blocking and opening ports on other bridges. The root bridge is the bridge with the lowest bridge ID.

Bridge Interface Setup

Sub-menu: /interface bridge


To combine a number of networks into one bridge, a bridge interface should be created (later, all the desired interfaces should be set up as its ports). One MAC address will be assigned to all the bridged interfaces (the MAC address of first bridge port which comes up will be chosen automatically).

Properties

Property Description
admin-mac (MAC address; Default: none) Static MAC address of the bridge (takes effect if auto-mac=no)
ageing-time (time; Default: 00:05:00) How long a host's information will be kept in the bridge database.
arp (disabled | enabled | proxy-arp | reply-only; Default: enabled) Address Resolution Protocol setting
  • disabled - the interface will not use ARP
  • enabled - the interface will use ARP
  • proxy-arp - the interface will use the ARP proxy feature
  • reply-only - the interface will only reply to requests originated from matching IP address/MAC address combinations which are entered as static entries in the "/ip arp" table. No dynamic entries will be automatically stored in the "/ip arp" table. Therefore for communications to be successful, a valid static entry must already exist.
arp-timeout (auto | integer; Default: auto) ARP timeout is time how long ARP record is kept in ARP table after no packets are received from IP. Value auto equals to the value of arp-timeout in /ip settings, default is 30s.
auto-mac (yes | no; Default: yes) Automatically select one MAC address of bridge ports as a bridge MAC address.
comment (string; Default: ) Short description of the interface.
disabled (yes | no; Default: no) Whether interface is disabled.
fast-forward (yes | no; Default: yes) Special and faster case of Fast Path which works only on bridges with 2 interfaces (enabled by default only for new bridges).
forward-delay (time; Default: 00:00:15) Time which is spent during the initialization phase of the bridge interface (i.e., after router startup or enabling the interface) in listening/learning state before the bridge will start functioning normally.
igmp-snooping (yes | no; Default: no) Enables multicast group and port learning to prevent multicast traffic from flooding all interfaces in a bridge.
max-hops (integer: 6..40; Default: 20) Bridge count which BPDU can pass in a MSTP enabled network in the same region before BPDU is being ignored.
max-message-age (time; Default: 00:00:20) How long to remember Hello messages received from other STP/RSTP enabled bridges.
mtu (integer; Default: 1500) Maximum Transmission Unit
name (text; Default: bridgeN) Name of the bridge interface
priority (integer: 0..65535 decimal format or 0x0000-0xffff hex format; Default: 32768 / 0x8000) Spanning tree protocol priority for bridge interface. Bridge with the smallest (lowest) bridge ID becomes a Root-Bridge. Bridge ID consists of two numbers - priority and MAC address of the bridge. To compare two bridge IDs, the priority is compared first. If two bridges have equal priority, then the MAC addresses are compared.
protocol-mode (none | rstp | stp | mstp; Default: rstp) Select Spanning tree protocol (STP) or Rapid spanning tree protocol (RSTP) to ensure a loop-free topology for any bridged LAN. RSTP provides for faster spanning tree convergence after a topology change. Select MSTP to ensure loop-free topology across multiple VLANs.
pvid (integer: 1..4094; Default: 1) Port VLAN ID (pvid) specifies which VLAN the untagged ingress traffic is assigned to. It applies e.g. to frames sent from bridge IP and destined to a bridge port.
region-name (text; Default: ) Assign a name to a MSTP region.
region-revision (integer: 0..65535; Default: 0) Assign a revision number to the current MSTP configuration.
transmit-hold-count (integer: 1..10; Default: 6) The Transmit Hold Count used by the Port Transmit state machine to limit transmission rate.
vlan-filtering (yes | no; Default: no) Globally enables or disables VLAN functionality for bridge.


Example

To add and enable a bridge interface that will forward all the protocols:

[admin@MikroTik] /interface bridge> add 
[admin@MikroTik] /interface bridge> print 
Flags: X - disabled, R - running 
 0  R name="bridge1" mtu=1500 l2mtu=65535 arp=enabled 
      mac-address=00:00:00:00:00:00 protocol-mode=none priority=0x8000 
      auto-mac=yes admin-mac=00:00:00:00:00:00 max-message-age=20s 
      forward-delay=15s transmit-hold-count=6 ageing-time=5m 
[admin@MikroTik] /interface bridge>


Spanning Tree Protocol

RouterOS is capable of running bridge interfaces with (R/M)STP support in order to create loop-free and Layer2 redundant environment. It is always recommended to manually set up each bridge priority, port priority and port path cost to ensure proper Layer2 functionality at all times. Leaving STP related values to defaults are acceptable for a network that consists of of 1 to 2 bridges running with (R/M)STP enabled, but it is highly recommended to manually set these values for larger networks. Since STP elects a root bridge and root ports by checking STP related values from bridges over the network, then leaving STP settings to automatic may elect a undesired root bridge and root ports and in case of a hardware failure can result in an inaccessible network.

You can check the STP status of a bridge by using the /interface bridge monitor command, for example:

/interface bridge monitor bridge
                  state: enabled
    current-mac-address: 64:D1:54:D9:27:E6
            root-bridge: yes
         root-bridge-id: 0x3E8.64:D1:54:D9:27:E6
         root-path-cost: 0
              root-port: none
             port-count: 5
  designated-port-count: 5

You can check the STP status of a bridge port by using the /interface bridge port monitor command, for example:

/interface bridge port monitor 2
               interface: ether3
                  status: in-bridge
             port-number: 3
                    role: root-port
               edge-port: no
     edge-port-discovery: yes
     point-to-point-port: yes
            external-fdb: no
            sending-rstp: yes
                learning: yes
              forwarding: yes
          root-path-cost: 10
       designated-bridge: 0x3E8.64:D1:54:D9:27:E6
         designated-cost: 0
  designated-port-number: 4
        hw-offload-group: switch1

Note that root-bridge-id consists of the bridge priority and the bridge's MAC address, for non-root bridges the root bridge will be shown as designated-bridge. One port can have one role in a STP enabled network, below is a list of possible port roles:

  • root-port - port that is facing towards the root bridge and will be used to forward traffic from/to the root bridge.
  • alternate-port - port that is facing towards root bridge, but is not going to forward traffic (a backup for root port).
  • backup-port - port that is facing away from the root bridge, but is not going to forward traffic (a backup for non-root port).
  • designated-port - port that is facing away from the root bridge and is going to forward traffic .
  • disabled-port - disabled or inactive port.

STP and RSTP

STP and Rapid STP are used very widely across many networks, but almost all networks have switched over using only RSTP since of its benefits. STP is a very old protocol and has a convergence time (the time needed to fully learn network topology changes and to continue properly forwarding traffic) even up to 50 seconds, which was acceptable for 1980s when it was invented. RSTP has a lot smaller convergence time, a few seconds or even a few milliseconds), which is acceptable for nowadays network requirements. It is recommended to use RSTP instead of STP since it is a lot faster and is also backwards compatible with STP. One of the reason why RSTP is faster is because of reduced possible port states, below is a list of possible STP port states:

  • Forwarding - port participates in traffic forwarding and is learning MAC addresses, is receiving BPDUs.
  • Listening - port does not participate in traffic forwarding and is not learning MAC addresses, is receiving BPDUs.
  • Learning - port does not participate in traffic forwarding, but is learning MAC addresses.
  • Blocking - port is blocked since it is causing loops, but is receiving BPDUs.
  • Disabled - port is disabled or inactive.

In RSTP the disabled, listening and blocking port states are replaced with just one state called the Discarding state:

  • Forwarding - port participates in traffic forwarding and is learning MAC addresses, is receiving BPDUs.
  • Learning - port does not participate in traffic forwarding, but is learning MAC addresses.
  • Discarding - port does not participate in traffic forwarding and is not learning MAC addresses, is receiving BPDUs.

In STP connectivity between bridges is determined by sending and receiving BPDUs between neighbour bridges. Designated ports are sending BPDUs to root ports. If a BPDU is not received 3 times the HelloTime in a row, then connection is considered as unavailable and network topology convergence will commence. It is possible for STP to reduce the convergence time in certain scenarios by reducing the forward-delay timer, which is responsible for how long can port be in the learning/listening state.

Default values

When creating a bridge or adding a port to a bridge the following are the default values that are assigned by RouterOS:

  • Default bridge priority: 32768
  • Default bridge port path cost: 10
  • Default bridge port priority: 0x80
  • BPDU message age: 1
  • HelloTime: 2
  • Default max message age: 20

RouterOS does not change port path cost based on the link speed, for 10M, 100M, 1000M and 10000M link speeds the default path cost value when a port is added to a bridge is always 10. The age of a BPDU is determined by how many bridges has the BPDU passed times the message age, since RouterOS uses 1 as the message age, then the BPDU packet can pass as many bridges as specified in the max-message-age parameter. By default this value is set to 20, this means that after the 20th bridge the BPDU packet will be discarded and the next bridge will become a root bridge, note that if max-message-age=20on is set, then it is hard to predict which ports will be the designated port on the 21st bridge and may result in traffic not being able to be forwarded properly. In case bridge filter rules are used, make sure you allow packets with DST-MAC address 01:00:0C:CC:CC:CC since these packets carry BPDUs that are crucial for STP to work properly.

Election process

To properly configure STP in your network you need to understand the election process and which parameters are involved in which order. In RouterOS the root bridge will be elected based on the smallest priority and the smallest MAC address in this particular order:

  1. Bridge priority (lowest)
  2. Bridge MAC address (lowest)

In RouterOS root ports are elected based on lowest port path cost, lowest port priority and lowest bridge port ID in this particular order:

  1. Port path cost (lowest)
  2. Port priority (lowest)
  3. Bridge port ID (lowest)
Icon-note.png

Note: Make sure you are using path cost and priority on the right ports. For example, setting path cost on a ports that are in a root bridge has no effect, only port priority has effect on them. Path cost has effect on ports that are facing towards the root bridge and port priority has effect on ports that are facing away from the root bridge.


Icon-note.png

Note: When electing a root port the path cost will be checked first. If the path cost for multiple paths is the same, then port priority is checked. If port priority is the same, then bridge port ID is checked, port with the lowest values will be elected as a root port. Make sure you take into account the election process when designing your network with STP enabled.


Example

Alt text
Topology of a STP enabled network

In this example we want to ensure Layer2 redundancy for connections from ServerA to ServerB. This is possible by using STP in a network. Below are configuration examples for each switch.

  • Configuration for SW1:
/interface bridge
add name=bridge priority=1000
/interface bridge port
add bridge=bridge interface=ether1 priority=0x60
add bridge=bridge interface=ether2 priority=0x50
add bridge=bridge interface=ether3 priority=0x40
add bridge=bridge interface=ether4 priority=0x30
add bridge=bridge interface=ether5
  • Configuration for SW2:
/interface bridge
add name=bridge priority=2000
/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
  • Configuration for SW3:
/interface bridge
add name=bridge priority=3000
/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
  • Configuration for SW4:
/interface bridge
add name=bridge priority=4000
/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=ether2 path-cost=20
add bridge=bridge interface=ether3

In this example SW1 is the root bridge since it has the lowest bridge priority. SW2 and SW3 has ether1,ether2 connected to the root bridge and ether3 is connected to SW4. When all switches are working properly, the traffic will be flowing from ServerA through SW1_ether2, through SW2, through SW4 to ServerB. In case of SW1 failure, the SW2 becomes the root bridge because of the next lowest priority. Below is a list of ports and their role for each switch:

  • root-port - SW2_ether2, SW3_ether2, SW4_ether1
  • alternate-port - SW2_ether1, SW3_ether1, SW4_ether2
  • designated-port - SW1_ether1, SW1_ether2, SW1_ether3, SW1_ether4, SW1_ether5, SW2_ether3, SW2_ether3, SW4_ether3

http://en.wikipedia.org/wiki/Spanning_Tree_Protocol

Multiple Spanning Tree Protocol

Since RouterOS V6.41rc1 it is possible to enable Multiple Spanning Tree Protocol (MSTP) on a bridge interface to ensure loop-free topology across multiple VLANs, MSTP can also provide Layer2 redundancy and can be used as a load balancing technique for VLANs since it has the ability to have different paths across different VLANs. MSTP is operating very similarly to (R)STP and many concepts from (R)STP can be applied to MSTP, but there are some differences that must be taken into account when designing a MSTP enabled network.

In case (R)STP is used, the BPDUs are sent across all physical interfaces in a bridge to determine loops and stop ports from being able to forward traffic, if it causes a loop. In case there is a loop inside a certain VLAN, (R)STP might not be able to detect it. Some STP variants solve this problem by running a STP instance on every single VLAN (PVSTP), but this has been proven to inefficient and some STP variants solve this problem by running a single STP instance across all VLANs (CST), but it lacks the possibility to do load balancing for each VLAN or VLAN group. MSTP tends to solve both problems by using MST instances that can define a group of VLANs (VLAN mapping) that can be used for load balancing and redundancy, this means that each VLAN (or VLAN group) can have a different root bridge and a different path. Note that it is beneficial to group multiple VLANs in a single instance to reduce the amount of CPU cycles for each network topology change.

Bridge Settings

Sub-menu: /interface bridge settings


Property Description
use-ip-firewall (yes | no; Default: no) Force bridged traffic to also be processed by prerouting, forward and postrouting sections of IP routing (http://wiki.mikrotik.com/wiki/Manual:Packet_Flow_v6). This does not apply to routed traffic.
use-ip-firewall-for-pppoe (yes | no; Default: no) Send bridged un-encrypted PPPoE traffic to also be processed by 'IP firewall' (requires use-ip-firewall=yes to work)
use-ip-firewall-for-vlan (yes | no; Default: no) Send bridged VLAN traffic to also be processed by 'IP firewall' (requires use-ip-firewall=yes to work)
allow-fast-path (yes | no; Default: yes) Allows fast path
bridge-fast-path-active (yes | no; Default: ) Shows whether Bridge Fast Path is active
bridge-fast-path-packets (integer; Default: ) Shows packet count forwarded by Bridge Fast Path
bridge-fast-path-bytes (integer; Default: ) Shows byte count forwarded by Bridge Fast Path
bridge-fast-forward-packets (integer; Default: ) Shows packet count forwarded by Bridge Fast Forward
bridge-fast-forward-bytes (integer; Default: ) Shows byte count forwarded by Bridge Fast Forward

Port Settings

Sub-menu: /interface bridge port


Port submenu is used to enslave interfaces in a particular bridge interface.

Property Description
auto-isolate (yes | no; Default:no) Prevents STP blocking port from erroneously moving into a forwarding state if no BPDU's are received on the bridge.
bridge (name; Default: none) The bridge interface the respective interface is grouped in
edge (auto | no | no-discover | yes | yes-discover; Default: auto) Set port as edge port or non-edge port, or enable automatic detection. Edge ports are connected to a LAN that has no other bridges attached. If the port is configured to discover edge port then as soon as the bridge detects a BPDU coming to an edge port, the port becomes a non-edge port.
external-fdb (auto | no | yes; Default: auto) Whether to use wireless registration table to speed up bridge host learning
horizon (none | integer 0..429496729; Default: none) Use split horizon bridging to prevent bridging loops. read more»
interface (name; Default: none) Name of the interface
path-cost (integer: 0..65535; Default: 10) Path cost to the interface, used by STP to determine the "best" path
point-to-point (auto | yes | no; Default: auto)
priority (integer: 0..240; Default: 128) (i=dec*16 dec={0..15}) (i=hex*0x10 hex={0x0..0xF}) The priority of the interface in comparison with other going to the same subnet

Example

To group ether1 and ether2 in the already created bridge1 bridge

[admin@MikroTik] /interface bridge port> add bridge=bridge1 interface=ether1
[admin@MikroTik] /interface bridge port> add bridge=bridge1 interface=ether2
[admin@MikroTik] /interface bridge port> print 
Flags: X - disabled, I - inactive, D - dynamic 
 #    INTERFACE              BRIDGE              PRIORITY PATH-COST  HORIZON   
 0    ether1                 bridge1             0x80     10         none      
 1    ether2                 bridge1             0x80     10         none      
[admin@MikroTik] /interface bridge port> 

Bridge Monitoring

Sub-menu: /interface bridge monitor


Used to monitor the current status of a bridge.

Property Description
current-mac-address (MAC address) Current MAC address of the bridge
designated-port-count (integer) Number of designated bridge ports
port-count (integer) Number of the bridge ports
root-bridge (yes | no) Shows whether bridge is the root bridge of the spanning tree
root-bridge-id (text) The root bridge ID, which is in form of bridge-priority.bridge-MAC-address
root-path-cost (integer) The total cost of the path to the root-bridge
root-port (name) Port to which the root bridge is connected to
state (enabled | disabled) State of the bridge

Example

To monitor a bridge:

[admin@MikroTik] /interface bridge> monitor bridge1 
                  state: enabled
    current-mac-address: 00:0C:42:52:2E:CE
            root-bridge: yes
         root-bridge-id: 0x8000.00:00:00:00:00:00
         root-path-cost: 0
              root-port: none
             port-count: 2
  designated-port-count: 0

[admin@MikroTik] /interface bridge>

Bridge Port Monitoring

Sub-menu: /interface bridge port monitor


Statistics of an interface that belongs to a bridge.

Property Description
edge-port (yes | no) Whether port is an edge port or not
edge-port-discovery (yes | no) Whether port is set to automatically detect edge ports
external-fdb (yes | no) Shows whether registration table is used instead of forwarding data base
forwarding (yes | no) Port state
learning (yes | no) Port state
port-number (integer 1..4095) Port identifier
point-to-point-port (yes | no)
role (designated | root port | alternate | backup | disabled)

(R)STP algorithm assigned role of the port:

  • Disabled port - not strictly part of STP, a network administrator can manually disable a port
  • Root port – a forwarding port that is the best port from Nonroot-bridge to Rootbridge
  • Alternative port – an alternate path to the root bridge. This path is different than using the root port
  • Designated port – a forwarding port for every LAN segment
  • Backup port – a backup/redundant path to a segment where another bridge port already connects.
sending-rstp (yes | no) Whether the port is sending BPDU messages
status (in-bridge | inactive) Port status

Example

To monitor a bridge port:

[admin@MikroTik] /interface bridge port> monitor 0     
               status: in-bridge
          port-number: 1
                 role: designated-port
            edge-port: no
  edge-port-discovery: yes
  point-to-point-port: no
         external-fdb: no
         sending-rstp: no
             learning: yes
           forwarding: yes

[admin@MikroTik] /interface bridge port>

Bridge Host Monitoring

Sub-menu: /interface bridge host


Property Description
age (read-only: time) The time since the last packet was received from the host
bridge (read-only: name) The bridge the entry belongs to
external-fdb (read-only: flag) Whether the host was learned using wireless registration table
local (read-only: flag) Whether the host entry is of the bridge itself (that way all local interfaces are shown)
mac-address (read-only: MAC address) Host's MAC address
on-interface (read-only: name) Which of the bridged interfaces the host is connected to

Example

To get the active host table:

[admin@MikroTik] /interface bridge host> print 
Flags: L - local, E - external-fdb 
  BRIDGE           MAC-ADDRESS       ON-INTERFACE          AGE                 
  bridge1          00:00:00:00:00:01 ether2                3s                  
  bridge1          00:01:29:FF:1D:CC ether2                0s                  
L bridge1          00:0C:42:52:2E:CF ether2                0s                  
  bridge1          00:0C:42:52:2E:D0 ether2                3s                  
  bridge1          00:0C:42:5C:A5:AE ether2                0s                  
[admin@MikroTik] /interface bridge host>

Bridge VLAN Filtering

Bridge VLAN Filtering since RouterOS v6.40rc29 provides VLAN aware Layer2 forwarding and VLAN tag modifications within the bridge. This set of features makes bridge operation more like a traditional Ethernet switch and allows to overcome Spanning Tree compatibilty issues compared to configuration when tunnel-like VLAN interfaces are bridged. Bridge VLAN Filtering configuration is highly recommended to comply with STP (802.1D), RSTP (802.1w) standards and is mandatory to enable MSTP (802.1s) support in RouterOS.


Sub-menu: /interface bridge

The main VLAN setting is vlan-filtering which globally controls vlan-awareness and VLAN tag processing in the bridge. If vlan-filtering=no, bridge ignores VLAN tags, works in a shared-VLAN-learning (SVL) mode and cannot modify VLAN tags of packets. Turning on vlan-filtering enables all bridge VLAN related functionality and independent-VLAN-learning (IVL) mode. Besides joining the ports for Layer2 forwarding, bridge itself is also an interface therefore it has Port VLAN ID (pvid).

Property Description
vlan-filtering (yes | no; Default:no) Globally enables or disables VLAN functionality for bridge.
pvid (1..4094; Default:1) Port VLAN ID (pvid) specifies which VLAN the untagged ingress traffic is assigned to. It applies e.g. to frames sent from bridge IP and destined to a bridge port.


Sub-menu: /interface bridge port

The bridge port settings related to vlan filtering are described below.

Property Description
frame-types (admit-all | admit-only-untagged-and-priority-tagged | admit-only-vlan-tagged; Default:admit-all) Specifies allowed ingress frame types on a bridge port.
ingress-filtering (yes | no; Default:no) Enables or disables filtering which looks for an ingress port match in the Bridge VLAN table.
pvid (1..4094; Default:1) Port VLAN ID (pvid) specifies which VLAN the untagged ingress traffic is assigned to.


Sub-menu: /interface bridge vlan

Bridge VLAN table represents per-VLAN port mapping with an egress VLAN tag action. tagged ports send out frames with a learned VLAN ID tag. untagged ports remove VLAN tag before sending out frames if the learned VLAN ID matches the port pvid.

Property Description
bridge (name) The bridge interface which the respective VLAN entry is intended for.
disabled (yes | no; Default:no) Enables or disables Bridge VLAN entry.
tagged (interfaces; Default:none) Interface list with a VLAN tag adding action in egress. This setting accepts comma separated values. E.g. tagged=ether1,ether2.
untagged (interfaces; Default:none) Interface list with a VLAN tag removing action in egress. This setting accepts comma separated values. E.g. tagged=ether3,ether4.
vlan-ids (1..4094) The list of VLAN IDs for certain port configuration. This setting accepts VLAN ID range as well as comma separated values. E.g. vlan-ids=100-115,120,122,128-130.


Sub-menu: /interface bridge host

Bridge Host table allows monitoring learned MAC addresses and when vlan-filtering is enabled shows learned VLAN ID as well.

[admin@MikroTik] > interface bridge host print where !local
Flags: L - local, E - external-fdb 
  BRIDGE                          VID MAC-ADDRESS       ON-INTERFACE                   AGE                 
  bridge1                         200 D4:CA:6D:77:2E:F0 ether3                         7s                  
  bridge1                         200 E4:8D:8C:1B:05:F0 ether2                         2s                  
  bridge1                         300 D4:CA:6D:74:65:9D ether4                         3s                  
  bridge1                         300 E4:8D:8C:1B:05:F0 ether2                         2s                  
  bridge1                         400 4C:5E:0C:4B:89:5C ether5                         0s                  
  bridge1                         400 E4:8D:8C:1B:05:F0 ether2                         0s                  
[admin@MikroTik] > 
Icon-note.png

Note: Make sure you have added all needed interfaces to the bridge VLAN table when using bridge VLAN filtering. For routing functions to work properly on the same device through ports that use bridge VLAN filtering, you will need to allow access to the CPU from those ports, this can be done by adding the bridge interface itself to the VLAN table, for tagged traffic you will need to add the bridge interface as a tagged port and create a VLAN interface on the bridge interface. Examples can be found at the Management port section.


Icon-warn.png

Warning: When allowing access to the CPU, you are allowing access from a certain port to the actual router/switch, this is not always desirable. Make sure you implement proper firewall filter rules to secure your device when access to the CPU is allowed from a certain VLAN ID and port, use firewall filter rules to allow access to only certain services.


VLAN Example #1 (Trunk and Access Ports)

Alt text
Trunk and Access Ports
  • Create a bridge with disabled vlan-filtering to avoid losing access to the router before VLANs are completely configured.
/interface bridge
add name=bridge1 vlan-filtering=no
  • Add bridge ports and specify pvid for VLAN access ports to assign their untagged traffic to the intended VLAN.
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether6 pvid=200
add bridge=bridge1 interface=ether7 pvid=300
add bridge=bridge1 interface=ether8 pvid=400
  • Add Bridge VLAN entries and specify tagged and untagged ports in them.
/interface bridge vlan
add bridge=bridge1 tagged=ether2 untagged=ether6 vlan-ids=200
add bridge=bridge1 tagged=ether2 untagged=ether7 vlan-ids=300
add bridge=bridge1 tagged=ether2 untagged=ether8 vlan-ids=400
  • In the end, when VLAN configuration is complete, enable Bridge VLAN Filtering.
/interface bridge set bridge1 vlan-filtering=yes

VLAN Example #2 (Trunk and Hybrid Ports)

Alt text
Trunk and Hybrid Ports
  • Create a bridge with disabled vlan-filtering to avoid losing access to the router before VLANs are completely configured.
/interface bridge
add name=bridge1 vlan-filtering=no
  • Add bridge ports and specify pvid on hybrid VLAN ports to assign untagged traffic to the intended VLAN.
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether6 pvid=200
add bridge=bridge1 interface=ether7 pvid=300
add bridge=bridge1 interface=ether8 pvid=400
  • Add Bridge VLAN entries and specify tagged and untagged ports in them. In this example egress VLAN tagging is done on ether6,ether7,ether8 ports too, making them into hybrid ports.
/interface bridge vlan
add bridge=bridge1 tagged=ether2,ether7,ether8 untagged=ether6 vlan-ids=200
add bridge=bridge1 tagged=ether2,ether6,ether8 untagged=ether7 vlan-ids=300
add bridge=bridge1 tagged=ether2,ether6,ether7 untagged=ether8 vlan-ids=400
  • In the end, when VLAN configuration is complete, enable Bridge VLAN Filtering.
/interface bridge set bridge1 vlan-filtering=yes

VLAN Example #3 (InterVLAN Routing by Bridge)

Alt text
InterVLAN Routing by Bridge
  • Create a bridge with disabled vlan-filtering to avoid losing access to the router before VLANs are completely configured.
/interface bridge
add name=bridge1 vlan-filtering=no
  • Add bridge ports and specify pvid for VLAN access ports to assign their untagged traffic to the intended VLAN.
/interface bridge port
add bridge=bridge1 interface=ether6 pvid=200
add bridge=bridge1 interface=ether7 pvid=300
add bridge=bridge1 interface=ether8 pvid=400
  • Add Bridge VLAN entries and specify tagged and untagged ports in them. In this example bridge1 interface is the VLAN trunk that will send traffic further to do InterVLAN routing.
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether6 vlan-ids=200
add bridge=bridge1 tagged=bridge1 untagged=ether7 vlan-ids=300
add bridge=bridge1 tagged=bridge1 untagged=ether8 vlan-ids=400
  • Configure VLAN interfaces on the bridge1 to allow handling of tagged VLAN traffic at routing level and set IP addresses to ensure routing between VLANs as planned.
/interface vlan
add interface=bridge1 name=vlan200 vlan-id=200
add interface=bridge1 name=vlan300 vlan-id=300
add interface=bridge1 name=vlan400 vlan-id=400

/ip address
add address=20.0.0.1/24 interface=vlan200 network=20.0.0.0
add address=30.0.0.1/24 interface=vlan300 network=30.0.0.0
add address=40.0.0.1/24 interface=vlan400 network=40.0.0.0
  • In the end, when VLAN configuration is complete, enable Bridge VLAN Filtering.
/interface bridge set bridge1 vlan-filtering=yes

Management port

There are multiple ways to setup management port on a device that uses bridge VLAN filtering. Below are some of the most popular approaches to properly enable access to a router/switch. Start by creating a bridge without VLAN filtering enabled:

/interface bridge
add name=bridge1 vlan-filtering=no
  • In case VLAN filtering will not be used and access with untagged traffic is desired

The only requirement is to create an IP address on the bridge interface.

/ip address
add address=192.168.99.1/24 interface=bridge1
  • In case VLAN filtering is used and access from trunk and/or access ports with tagged traffic is desired

In this example VID99 will be used to access the device, a VLAN interface on the bridge must be created and an IP address must be assigned to it.

/interface vlan
add interface=bridge1 name=MGMT vlan-id=99
/ip address
add address=192.168.99.1/24 interface=MGMT

For example, if you want to allow access to the router/switch from access ports ether3,ether4 and from trunk port sfp-sfpplus1, then you must add this entry to the VLAN table:

/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether3,ether4,sfp-sfpplus1 vlan-ids=99

After that you can enable VLAN filtering:

/interface bridge set bridge1 vlan-filtering=yes
  • In case VLAN filtering is used and access from trunk and/or access ports with untagged traffic is desired

To allow untagged traffic to access the router/switch, start by creating an IP address on the bridge interface.

/ip address
add address=192.168.88.1/24 interface=bridge1

It is required to add VID1 to ports from which you want to allow the access to the router/switch, for example, to allow access from access ports ether3,ether4 add this entry to the VLAN table:

/interface bridge vlan
add bridge=bridge1 untagged=ether3,ether4 vlan-ids=1

After that you can enable VLAN filtering:

/interface bridge set bridge1 vlan-filtering=yes
Icon-note.png

Note: If connection to the router/switch through an IP address is not required, then steps adding this IP address can be skipped since connection to the router/switch through Layer2 protocols (e.g. MAC-telnet) will be working either way.


IGMP Snooping

IGMP Snooping which controls multicast streams and prevents multicast flooding is implemented in RouterOS starting from version 6.41.
It's settings are placed in bridge menu and it works independently in every bridge interface.
Software driven implementation works on all devices with RouterOS but CRS1xx/2xx/3xx series switches also support IGMP Snooping with hardware offloading.

Sub-menu: /interface bridge /interface bridge mdb

  • Enabling IGMP Snooping on Bridge.
/interface bridge set bridge1 igmp-snooping=yes
  • Monitoring multicast groups in the Bridge Multicast Database
[admin@MikroTik] > interface bridge mdb print 
BRIDGE                   VID GROUP                                              PORTS           
bridge1                  200 229.1.1.2                                          ether3          
                                                                                ether2          
                                                                                ether1          
bridge1                  300 231.1.3.3                                          ether4          
                                                                                ether3          
                                                                                ether2          
bridge1                  400 229.10.10.4                                        ether4          
                                                                                ether3          
bridge1                  500 234.5.1.5                                          ether5          
                                                                                ether1          
[admin@MikroTik] > 

Bridge Firewall

Sub-menu: /interface bridge filter, /interface bridge nat


The bridge firewall implements packet filtering and thereby provides security functions that are used to manage data flow to, from and through bridge.

Packet flow diagram shows how packets are processed through router. It is possible to force bridge traffic to go through /ip firewall filter rules (see: Bridge Settings)

There are two bridge firewall tables:

  • filter - bridge firewall with three predefined chains:
    • input - filters packets, where the destination is the bridge (including those packets that will be routed, as they are destined to the bridge MAC address anyway)
    • output - filters packets, which come from the bridge (including those packets that has been routed normally)
    • forward - filters packets, which are to be bridged (note: this chain is not applied to the packets that should be routed through the router, just to those that are traversing between the ports of the same bridge)
  • nat - bridge network address translation provides ways for changing source/destination MAC addresses of the packets traversing a bridge. Has two built-in chains:
    • srcnat - used for "hiding" a host or a network behind a different MAC address. This chain is applied to the packets leaving the router through a bridged interface
    • dstnat - used for redirecting some packets to other destinations

You can put packet marks in bridge firewall (filter and NAT), which are the same as the packet marks in IP firewall put by '/ip firewall mangle'. In this way, packet marks put by bridge firewall can be used in 'IP firewall', and vice versa.

General bridge firewall properties are described in this section. Some parameters that differ between nat and filter rules are described in further sections.

Properties

Property Description
802.3-sap (integer) DSAP (Destination Service Access Point) and SSAP (Source Service Access Point) are 2 one byte fields, which identify the network protocol entities which use the link layer service. These bytes are always equal. Two hexadecimal digits may be specified here to match a SAP byte
802.3-type (integer) Ethernet protocol type, placed after the IEEE 802.2 frame header. Works only if 802.3-sap is 0xAA (SNAP - Sub-Network Attachment Point header). For example, AppleTalk can be indicated by SAP code of 0xAA followed by a SNAP type code of 0x809B
arp-dst-address (IP address; default: ) ARP destination address
arp-dst-mac-address (MAC address; default: ) ARP destination MAC address
arp-gratuitous (yes | no; default: ) Matches ARP gratuitous packets
arp-hardware-type (integer; default: 1) ARP hardware type. This is normally Ethernet (Type 1)
arp-opcode (arp-nak | drarp-error | drarp-reply | drarp-request | inarp-reply | inarp-request | reply | reply-reverse | request | request-reverse)

ARP opcode (packet type)

  • arp-nak - negative ARP reply (rarely used, mostly in ATM networks)
  • drarp-error - Dynamic RARP error code, saying that an IP address for the given MAC address can not be allocated
  • drarp-reply - Dynamic RARP reply, with a temporaty IP address assignment for a host
  • drarp-request - Dynamic RARP request to assign a temporary IP address for the given MAC address
  • inarp-reply - InverseARP Reply
  • inarp-request - InverseARP Request
  • reply - standard ARP reply with a MAC address
  • reply-reverse - reverse ARP (RARP) reply with an IP address assigned
  • request - standard ARP request to a known IP address to find out unknown MAC address
  • request-reverse - reverse ARP (RARP) request to a known MAC address to find out unknown IP address (intended to be used by hosts to find out their own IP address, similarly to DHCP service)
arp-packet-type (integer: 0..65535 decimal format or 0x0000-0xffff hex format) ARP Packet Type
arp-src-address (IP address; default: ) ARP source address
arp-src-mac-address (MAC address; default: ) ARP source MAC address
chain (text) Bridge firewall chain, which the filter is functioning in (either a built-in one, or a user defined)
dst-address (IP address; default: ) Destination IP address (only if MAC protocol is set to IPv4)
dst-mac-address (MAC address; default: ) Destination MAC address
dst-port (integer 0..65535) Destination port number or range (only for TCP or UDP protocols)
in-bridge (name) Bridge interface through which the packet is coming in
in-interface (name) Physical interface (i.e., bridge port) through which the packet is coming in
ingress-priority (integer 0..63) Matches ingress priority of the packet. Priority may be derived from VLAN, WMM or MPLS EXP bit. read more»
ip-protocol (ddp | egp | encap | etherip | ggp | gre | hmp | icmp | icmpv6 | idpr-cmtp | igmp | ipencap | ipip | ipsec-ah | ipsec-esp | ipv6 | ipv6-frag | ipv6-nonxt | ipv6-opts | ipv6-route | iso-tp4 | l2tp | ospf | pim | pup | rdp | rspf | rsvp | st | tcp | udp | vmtp | vrrp | xns-idp | xtp)

IP protocol (only if MAC protocol is set to IPv4)

  • ddp - datagram delivery protocol
  • egp - exterior gateway protocol
  • encap - ip encapsulation
  • etherip -
  • ggp - gateway-gateway protocol
  • gre - general routing encapsulation
  • hmp - host monitoring protocol
  • icmp - IPv4 internet control message protocol
  • icmpv6 - IPv6 internet control message protocol
  • idpr-cmtp - idpr control message transport
  • igmp - internet group management protocol
  • ipencap - ip encapsulated in ip
  • ipip - ip encapsulation
  • ipsec-ah - IPsec AH protocol
  • ipsec-esp - IPsec ESP protocol
  • ipv6 -
  • ipv6-frag -
  • ipv6-nonxt -
  • ipv6-opts -
  • ipv6-route -
  • iso-tp4 - iso transport protocol class 4
  • l2tp -
  • ospf - open shortest path first
  • pim - protocol independent multicast
  • pup - parc universal packet protocol
  • rspf - radio shortest path first
  • rsvp -
  • rdp - reliable datagram protocol
  • st - st datagram mode
  • tcp - transmission control protocol
  • udp - user datagram protocol
  • vmtp - versatile message transport
  • vrrp - Virtual Router Redundancy Protocol
  • xns-idp - xerox ns idp
  • xtp – xpress transfer protocol
jump-target (name) If action=jump specified, then specifies the user-defined firewall chain to process the packet
limit (integer/time,integer)

Restricts packet match rate to a given limit.

  • count - maximum average packet rate, measured in packets per second (pps), unless followed by Time option
  • time - specifies the time interval over which the packet rate is measured
  • burst - number of packets to match in a burst
log-prefix (text) Defines the prefix to be printed before the logging information
mac-protocol (802.2 | arp | ip | ipv6 | ipx | length | mpls-multicast | mpls-unicast | pppoe | pppoe-discovery | rarp | vlan or integer: 0..65535 decimal format or 0x0000-0xffff hex format) Ethernet payload type (MAC-level protocol)
  • 802.2
  • arp - Type 0x0806 - ARP
  • ip - Type 0x0800 - IPv4
  • ipv6 - Type 0x86dd - IPv6
  • ipx - Type 0x8137 - "Internetwork Packet Exchange"
  • length
  • mpls-multicast - Type 0x8848 - MPLS Multicast
  • mpls-unicast - Type 0x8847 - MPLS Unicast
  • ppoe - Type 0x8864 - PPPoE Session
  • ppoe-discovery - Type 0x8863 - PPPoE Discovery
  • rarp - Type 0x8035 - Reverse ARP
  • vlan - Type 0x8100 - 802.1Q tagged VLAN
out-bridge (name) Outgoing bridge interface
out-interface (name) Interface that the packet is leaving the bridge through
packet-mark (name) Match packets with certain packet mark
packet-type (broadcast | host | multicast | other-host)

MAC frame type:

  • broadcast - broadcast MAC packet
  • host - packet is destined to the bridge itself
  • multicast - multicast MAC packet
  • other-host - packet is destined to some other unicast address, not to the bridge itself
src-address (IP address; default: ) Source IP address (only if MAC protocol is set to IPv4)
src-mac-address (MAC address; default: ) Source MAC address
src-port (integer 0..65535) Source port number or range (only for TCP or UDP protocols)
stp-flags (topology-change | topology-change-ack)

The BPDU (Bridge Protocol Data Unit) flags. Bridge exchange configuration messages named BPDU periodically for preventing loops

  • topology-change - topology change flag is set when a bridge detects port state change, to force all other bridges to drop their host tables and recalculate network topology
  • topology-change-ack - topology change acknowledgement flag is sen in replies to the notification packets
stp-forward-delay (time 0..65535) Forward delay timer
stp-hello-time (time 0..65535) STP hello packets time
stp-max-age (time 0..65535) Maximal STP message age
stp-msg-age (time 0..65535) STP message age
stp-port (integer 0..65535) STP port identifier
stp-root-address (MAC address) Root bridge MAC address
stp-root-cost (integer 0..65535) Root bridge cost
stp-root-priority (integer 0..65535) Root bridge priority
stp-sender-address (MAC address) STP message sender MAC address
stp-sender-priority (integer 0..65535) STP sender priority
stp-type (config | tcn)

The BPDU type:

  • config - configuration BPDU
  • tcn - topology change notification
vlan-encap (802.2 | arp | ip | ipv6 | ipx | length | mpls-multicast | mpls-unicast | pppoe | pppoe-discovery | rarp | vlan or integer: 0..65535 decimal format or 0x0000-0xffff hex format) the MAC protocol type encapsulated in the VLAN frame
vlan-id (integer 0..4095) VLAN identifier field
vlan-priority (integer 0..7) The user priority field

Notes

  • STP matchers are only valid if destination MAC address is 01:80:C2:00:00:00/FF:FF:FF:FF:FF:FF (Bridge Group address), also stp should be enabled.
  • ARP matchers are only valid if mac-protocol is arp or rarp
  • VLAN matchers are only valid for vlan ethernet protocol
  • IP-related matchers are only valid if mac-protocol is set as ipv4
  • 802.3 matchers are only consulted if the actual frame is compliant with IEEE 802.2 and IEEE 802.3 standards (note: it is not the industry-standard Ethernet frame format used in most networks worldwide!). These matchers are ignored for other packets.

Bridge Packet Filter

Sub-menu: /interface bridge filter


This section describes bridge packet filter specific filtering options, that are specific to '/interface bridge filter'.

Properties

Property Description
action (accept | drop | jump | log | mark-packet | passthrough | return | set-priority)
  • accept - accept the packet. No action, i.e., the packet is passed through without undertaking any action, and no more rules are processed in the relevant list/chain
  • drop - silently drop the packet (without sending the ICMP reject message)
  • jump - jump to the chain specified by the value of the jump-target argument
  • log - ladd a message to the system log containing following data: in-interface, out-interface, src-mac, dst-mac, eth-proto, protocol, src-ip:port->dst-ip:port and length of the packet. After packet is matched it is passed to next rule in the list, similar as passthrough
  • mark - mark the packet to use the mark later
  • passthrough - ignore this rule and go on to the next one. Acts the same way as a disabled rule, except for ability to count packets
  • return - return to the previous chain, from where the jump took place
  • set-priority - set priority specified by the new-priority parameter on the packets sent out through a link that is capable of transporting priority (VLAN or WMM-enabled wireless interface). Read more>

Bridge NAT

Sub-menu: /interface bridge nat


This section describes bridge NAT options, that are specific to '/interface bridge nat'.

Properties

Property Description
action (accept | drop | jump | mark-packet | redirect | set-priority | arp-reply | dst-nat | log | passthrough | return | src-nat)
  • accept - accept the packet. No action, i.e., the packet is passed through without undertaking any action, and no more rules are processed in the relevant list/chain
  • arp-reply - send a reply to an ARP request (any other packets will be ignored by this rule) with the specified MAC address (only valid in dstnat chain)
  • drop - silently drop the packet (without sending the ICMP reject message)
  • dst-nat - change destination MAC address of a packet (only valid in dstnat chain)
  • jump - jump to the chain specified by the value of the jump-target argument
  • log - log the packet
  • mark - mark the packet to use the mark later
  • passthrough - ignore this rule and go on to the next one. Acts the same way as a disabled rule, except for ability to count packets
  • redirect - redirect the packet to the bridge itself (only valid in dstnat chain)
  • return - return to the previous chain, from where the jump took place
  • set-priority - set priority specified by the new-priority parameter on the packets sent out through a link that is capable of transporting priority (VLAN or WMM-enabled wireless interface). Read more>
  • src-nat - change source MAC address of a packet (only valid in srcnat chain)
to-arp-reply-mac-address (MAC address) Source MAC address to put in Ethernet frame and ARP payload, when action=arp-reply is selected
to-dst-mac-address (MAC address) Destination MAC address to put in Ethernet frames, when action=dst-nat is selected
to-src-mac-address (MAC address) Source MAC address to put in Ethernet frames, when action=src-nat is selected

[ Top | Back to Content ]