Summary


The CRS3xx, CRS5xx series switches and CCR2116, CCR2216 routers have highly integrated switch chips with a high-performance CPU and feature-rich packet processors. These devices can be designed into various Ethernet applications including unmanaged switch, Layer 2 managed switch, carrier switch, inter-VLAN router, and wired unified packet processor.

This article applies to CRS3xx, CRS5xx series switches and CCR2116, CCR2216 routers, and not to CRS1xx/CRS2xx series switches.

Features

Feature  Description
Forwarding
  • Configurable ports for switching or routing
  • Full non-blocking wire-speed switching
  • Large Unicast FDB for Layer 2 unicast forwarding
  • Forwarding Database works based on IVL (Independent VLAN Learning)
  • Jumbo frame support
  • IGMP Snooping support
  • DHCP Snooping with Option 82
Routing
  • Layer 3 Hardware Offloading:
    • IPv4 Unicast Routing
    • Supported on Ethernet, Bridge, Bonding, and VLAN interfaces
    • ECMP
    • Blackholes
    • Offloaded Fasttrack connections (applies only to certain switch models)
    • Offloaded NAT for Fasttrack connections (applies only to certain switch models)
    • Multiple MTU profiles
Spanning Tree Protocol
  • STP
  • RSTP
  • MSTP
Mirroring
  • Various types of mirroring:
    • Port based mirroring
    • VLAN based mirroring
    • MAC based mirroring
VLAN
  • Fully compatible with IEEE802.1Q and IEEE802.1ad VLAN
  • 4k active VLANs
  • Flexible VLAN assignment:
    • Port based VLAN
    • Protocol based VLAN
    • MAC based VLAN
  • VLAN filtering
  • From any to any VLAN translation
Bonding
  • Supports 802.3ad (LACP) and balance-xor modes
  • Up to 8 member ports per bonding interface
  • Hardware automatic failover and load balancing
  • MLAG
Traffic Shaping
  • Ingress traffic limiting
    • Port based
    • MAC based
    • IP based
    • VLAN based
    • Protocol based
    • DSCP based
  • Port based egress traffic limiting
Port isolation
  • Applicable for Private VLAN implementation
Access Control List
  • Ingress ACL tables
  • Classification based on ports, L2, L3, L4 protocol header fields
  • ACL actions include filtering, forwarding and modifying of the protocol header fields

Models

This table clarifies the main differences between Cloud Router Switch models and CCR routers.

Model | Switch chip | CPU | Cores | 10G SFP+ | 10G Ethernet | 25G SFP28 | 40G QSFP+ | 100G QSFP28 | ACL rules | Unicast FDB entries | Jumbo frame (bytes)
netPower 15FR (CRS318-1Fi-15Fr-2S) | Marvell-98DX224S | 800MHz | 1 | - | - | - | - | - | 128 | 16,000 | 10218
netPower 16P (CRS318-16P-2S+) | Marvell-98DX226S | 800MHz | 1 | 2 | - | - | - | - | 128 | 16,000 | 10218
CRS310-1G-5S-4S+ (netFiber 9/IN) | Marvell-98DX226S | 800MHz | 1 | 4 | - | - | - | - | 128 | 16,000 | 10218
CRS326-24G-2S+ (RM/IN) | Marvell-98DX3236 | 800MHz | 1 | 2 | - | - | - | - | 128 | 16,000 | 10218
CRS328-24P-4S+ | Marvell-98DX3236 | 800MHz | 1 | 4 | - | - | - | - | 128 | 16,000 | 10218
CRS328-4C-20S-4S+ | Marvell-98DX3236 | 800MHz | 1 | 4 | - | - | - | - | 128 | 16,000 | 10218
CRS305-1G-4S+ | Marvell-98DX3236 | 800MHz | 1 | 4 | - | - | - | - | 128 | 16,000 | 10218
CRS309-1G-8S+ | Marvell-98DX8208 | 800MHz | 2 | 8 | - | - | - | - | 1024 | 32,000 | 10218
CRS317-1G-16S+ | Marvell-98DX8216 | 800MHz | 2 | 16 | - | - | - | - | 1024 | 128,000 | 10218
CRS312-4C+8XG | Marvell-98DX8212 | 650MHz | 1 | 4 (combo ports) | 8 + 4 (combo ports) | - | - | - | 512 | 32,000 | 10218
CRS326-24S+2Q+ | Marvell-98DX8332 | 650MHz | 1 | 24 | - | - | 2 | - | 256 | 32,000 | 10218
CRS354-48G-4S+2Q+ | Marvell-98DX3257 | 650MHz | 1 | 4 | - | - | 2 | - | 170 | 32,000 | 10218
CRS354-48P-4S+2Q+ | Marvell-98DX3257 | 650MHz | 1 | 4 | - | - | 2 | - | 170 | 32,000 | 10218
CRS504-4XQ (IN/OUT) | Marvell-98DX4310 | 650MHz | 1 | - | - | - | - | 4 | 1024 | 128,000 | 10218
CRS510-8XS-2XQ-IN | Marvell-98DX4310 | 650MHz | 1 | - | - | 8 | - | 2 | 1024 | 128,000 | 10218
CRS518-16XS-2XQ | Marvell-98DX8525 | 650MHz | 1 | - | - | 16 | - | 2 | 1024 | 128,000 | 10218
CCR2116-12G-4S+ | Marvell-98DX3255 | 2000MHz | 16 | 4 | - | - | - | - | 512 | 32,000 | 9570
CCR2216-1G-12XS-2XQ | Marvell-98DX8525 | 2000MHz | 16 | - | - | 12 | - | 2 | 1024 | 128,000 | 9570

For L3 hardware offloading feature support and hardware limits, please refer to the Feature Support and Device Support user manuals.

Abbreviations

  • FDB - Forwarding Database
  • MDB - Multicast Database
  • SVL - Shared VLAN Learning
  • IVL - Independent VLAN Learning
  • PVID - Port VLAN ID
  • ACL - Access Control List
  • CVID - Customer VLAN ID
  • SVID - Service VLAN ID

Port switching


In order to set up port switching, check the Bridge Hardware Offloading page.

Currently, it is possible to create only one bridge with hardware offloading. Use the hw=yes/no parameter to select which bridge will use hardware offloading.


Bridge STP/RSTP/MSTP, IGMP Snooping and VLAN filtering settings don't affect hardware offloading. Since RouterOS v6.42, bonding interfaces are also hardware offloaded.

VLAN


Since RouterOS version 6.41, a bridge provides VLAN-aware Layer 2 forwarding and VLAN tag modification within the bridge. This set of features makes bridge operation more like a traditional Ethernet switch and avoids the Spanning Tree compatibility issues that arise when tunnel-like VLAN interfaces are bridged. Bridge VLAN Filtering configuration is highly recommended to comply with the STP (802.1D) and RSTP (802.1w) standards, and it is mandatory to enable MSTP (802.1s) support in RouterOS.

VLAN Filtering

VLAN filtering is described in the Bridge VLAN Filtering section.

VLAN setup examples

Below are some of the most common ways to utilize VLAN forwarding.

Port-Based VLAN

The configuration is described in the Bridge VLAN Filtering section.

MAC Based VLAN

  • The Switch Rule table is used for MAC Based VLAN functionality, see this table on how many rules each device supports.
  • MAC-based VLANs will only work properly between switch ports and not between switch ports and the CPU. When a packet is being forwarded to the CPU, the pvid property of the bridge port will always be used instead of new-vlan-id from ACL rules.
  • MAC-based VLANs will not work for DHCP packets when DHCP snooping is enabled.

Enable switching on ports by creating a bridge with enabled hw-offloading:

/interface bridge
add name=bridge1 vlan-filtering=yes
/interface bridge port
add bridge=bridge1 interface=ether2 hw=yes
add bridge=bridge1 interface=ether7 hw=yes

Add VLANs in the Bridge VLAN table and specify ports:

/interface bridge vlan
add bridge=bridge1 tagged=ether2 untagged=ether7 vlan-ids=200,300,400

Add Switch rules which assign VLAN id based on MAC address:

/interface ethernet switch rule
add switch=switch1 ports=ether7 src-mac-address=A4:12:6D:77:94:43/FF:FF:FF:FF:FF:FF new-vlan-id=200
add switch=switch1 ports=ether7 src-mac-address=84:37:62:DF:04:20/FF:FF:FF:FF:FF:FF new-vlan-id=300
add switch=switch1 ports=ether7 src-mac-address=E7:16:34:A1:CD:18/FF:FF:FF:FF:FF:FF new-vlan-id=400

Protocol Based VLAN

  • The Switch Rule table is used for Protocol Based VLAN functionality, see this table on how many rules each device supports.
  • Protocol-based VLANs will only work properly between switch ports and not between switch ports and the CPU. When a packet is being forwarded to the CPU, the pvid property of the bridge port will always be used instead of new-vlan-id from ACL rules.
  • Protocol-based VLANs will not work for DHCP packets when DHCP snooping is enabled.

Enable switching on ports by creating a bridge with enabled hw-offloading:

/interface bridge
add name=bridge1 vlan-filtering=yes
/interface bridge port
add bridge=bridge1 interface=ether2 hw=yes
add bridge=bridge1 interface=ether6 hw=yes
add bridge=bridge1 interface=ether7 hw=yes
add bridge=bridge1 interface=ether8 hw=yes

Add VLANs in the Bridge VLAN table and specify ports:

/interface bridge vlan
add bridge=bridge1 tagged=ether2 untagged=ether6 vlan-ids=200
add bridge=bridge1 tagged=ether2 untagged=ether7 vlan-ids=300
add bridge=bridge1 tagged=ether2 untagged=ether8 vlan-ids=400

Add Switch rules which assign VLAN id based on MAC protocol:

/interface ethernet switch rule
add mac-protocol=ip new-vlan-id=200 ports=ether6 switch=switch1
add mac-protocol=ipx new-vlan-id=300 ports=ether7 switch=switch1
add mac-protocol=0x80F3 new-vlan-id=400 ports=ether8 switch=switch1

VLAN Tunneling (Q-in-Q)

Since RouterOS v6.43 it is possible to use a provider bridge (IEEE 802.1ad), Tag Stacking, VLAN filtering and hardware offloading at the same time. The configuration is described in the Bridge VLAN Tunneling (Q-in-Q) section.

Devices with the Marvell-98DX3257 switch chip (e.g. CRS354 series) do not support VLAN filtering on 1Gbps Ethernet interfaces for other VLAN types (0x88a8 and 0x9100).

Ingress VLAN translation

It is possible to translate a certain VLAN ID to a different VLAN ID using ACL rules on an ingress port. In this example we create two ACL rules, one per direction, allowing bidirectional communication.

Create a new bridge and add ports to it with hardware offloading:

/interface bridge
add name=bridge1 vlan-filtering=no
/interface bridge port
add interface=ether1 bridge=bridge1 hw=yes
add interface=ether2 bridge=bridge1 hw=yes

Add ACL rules that will translate the VLAN ID in each direction:

/interface ethernet switch rule
add new-dst-ports=ether2 new-vlan-id=20 ports=ether1 switch=switch1 vlan-id=10
add new-dst-ports=ether1 new-vlan-id=10 ports=ether2 switch=switch1 vlan-id=20

Add both VLAN IDs to the bridge VLAN table:

/interface bridge vlan
add bridge=bridge1 tagged=ether1 vlan-ids=10
add bridge=bridge1 tagged=ether2 vlan-ids=20

Enable bridge VLAN filtering:

/interface bridge set bridge1 vlan-filtering=yes

Bidirectional communication is limited only between two switch ports. Translating VLAN ID between more ports can cause traffic flooding or incorrect forwarding between the same VLAN ports.

By enabling vlan-filtering you will be filtering out traffic destined to the CPU. Before enabling VLAN filtering you should make sure that you have set up a Management port.
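The Port-Based VLAN section and the repeated "set up a Management port first" warnings on this page never show the two together, so the following is an added example (not from the page or from MikroTik) of the order of operations that keeps the CPU reachable when vlan-filtering is switched on. Everything in it is assumed for illustration: ether1 is the tagged uplink, ether2 and ether3 are access ports in VLAN 10, ether4 is an access port in VLAN 20, VLAN 99 is the management VLAN and 10.99.0.2/24 is the switch's management address.

```routeros
# Added example, not from the page. Assumptions: ether1 is the trunk uplink,
# ether2-ether3 serve VLAN 10, ether4 serves VLAN 20, VLAN 99 is the management
# VLAN and 10.99.0.2/24 is the address the switch should answer on.

# 1. Create the bridge with VLAN filtering still off
/interface bridge
add name=bridge1 vlan-filtering=no

# 2. Hardware-offloaded ports. Access ports get a PVID and only admit untagged
#    frames, so a host cannot add its own tag and hop into another VLAN; the
#    trunk only admits tagged frames. ingress-filtering drops frames for VLANs
#    the port is not a member of.
/interface bridge port
add bridge=bridge1 interface=ether1 hw=yes frame-types=admit-only-vlan-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether2 hw=yes pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether3 hw=yes pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether4 hw=yes pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

# 3. Bridge VLAN table. Listing bridge1 itself as a tagged member of VLAN 99
#    is what lets the CPU still receive management traffic once filtering is on.
/interface bridge vlan
add bridge=bridge1 tagged=ether1 untagged=ether2,ether3 vlan-ids=10
add bridge=bridge1 tagged=ether1 untagged=ether4 vlan-ids=20
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=99

# 4. Management VLAN interface on top of the bridge, with its address
/interface vlan
add name=mgmt-vlan99 interface=bridge1 vlan-id=99
/ip address
add address=10.99.0.2/24 interface=mgmt-vlan99

# 5. Only now turn VLAN filtering on
/interface bridge
set bridge1 vlan-filtering=yes

# 6. Verify: every port shows the H flag and VLAN 99 lists bridge1 as tagged
/interface bridge port print
/interface bridge vlan print
```

Run step 5 from safe mode (Ctrl-X in the console) or from the serial console, so a mistake in the VLAN table is rolled back instead of locking you out. Note that until step 5 the bridge forwards every VLAN between every port, so the management address on VLAN 99 is reachable from any access port during the build; do the whole sequence in one sitting rather than leaving the switch in the intermediate state.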

(R/M)STP


CRS3xx, CRS5xx series switches, and CCR2116, CCR2216 routers are capable of running STP, RSTP, and MSTP on a hardware level. For more detailed information you should check out the Spanning Tree Protocol manual page.

Bonding


CRS3xx, CRS5xx series switches and CCR2116, CCR2216 routers support hardware offloading with bonding interfaces. Only the 802.3ad and balance-xor bonding modes are hardware offloaded; other bonding modes will use the CPU's resources. You can find more information about bonding interfaces in the Bonding Interface section. If 802.3ad mode is used, then LACP (Link Aggregation Control Protocol) is supported.

To create a hardware offloaded bonding interface, you must create a bonding interface with a supported bonding mode:

/interface bonding add mode=802.3ad name=bond1 slaves=ether1,ether2

This interface can be added to a bridge alongside other interfaces:

/interface bridge
add name=bridge
/interface bridge port
add bridge=bridge interface=bond1 hw=yes
add bridge=bridge interface=ether3 hw=yes
add bridge=bridge interface=ether4 hw=yes

Do not add interfaces to a bridge that are already in a bond; RouterOS will not allow you to add an interface to a bridge if it is already a slave port of a bonding interface.

Make sure that the bonding interface is hardware offloaded by checking the "H" flag:

/interface bridge port print
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload
 #    INTERFACE  BRIDGE  HW
 0 H  bond1      bridge  yes
 1 H  ether3     bridge  yes
 2 H  ether4     bridge  yes

With HW-offloaded bonding interfaces, the built-in switch chip will always use Layer2+Layer3+Layer4 for a transmit hash policy, changing the transmit hash policy manually will have no effect.

Multi-chassis Link Aggregation Group


The MLAG (Multi-chassis Link Aggregation Group) implementation in RouterOS allows configuring LACP bonds on two separate devices, while the client device believes it is connected to a single device. This provides physical redundancy in case of switch failure. All CRS3xx, CRS5xx series and CCR2116, CCR2216 devices can be configured with MLAG. Read here for more information.

L3 Hardware Offloading


Layer 3 hardware offloading (otherwise known as IP switching or HW routing) allows offloading some of the router features onto the switch chip. This allows reaching wire speed when routing packets, which would simply not be possible with the CPU.

The offloaded feature set depends on the chipset used. Read here for more info.

Port isolation


Since RouterOS v6.43 it is possible to create a Private VLAN setup; an example can be found on the Switch chip port isolation manual page. Hardware offloaded bonding interfaces are not included in the switch port-isolation menu, but it is still possible to configure port-isolation individually on each secondary interface of the bonding.

Port isolation can be used with vlan-filtering bridge and it is possible to isolate ports that are members of the same VLAN. The isolation works per-port, it is not possible to isolate ports per-VLAN.


IGMP/MLD Snooping


CRS3xx, CRS5xx series switches and CCR2116, CCR2216 routers are capable of using IGMP/MLD Snooping on a hardware level. For more detailed information, you should check out the IGMP/MLD snooping manual page.

DHCP Snooping and DHCP Option 82


CRS3xx, CRS5xx series switches and CCR2116, CCR2216 routers are capable of using DHCP Snooping with Option 82 on a hardware level. The switch will create a dynamic ACL rule to capture the DHCP packets and redirect them to the main CPU for further processing. For more detailed information, please visit the DHCP Snooping and DHCP Option 82 manual page.

DHCP snooping will not work when hardware offloading bonding interfaces are created.

Controller Bridge and Port Extender


Controller Bridge (CB) and Port Extender (PE) is an IEEE 802.1BR standard implementation in RouterOS. It allows virtually extending the CB ports with a PE device and managing these extended interfaces from a single controlling device. Such a configuration provides a simplified network topology, flexibility, increased port density, and ease of manageability. See more details on the Controller Bridge and Port Extender manual page.

Mirroring


Mirroring lets the switch sniff all traffic that is going through a switch chip and send a copy of those packets out of another port (mirror-target). This feature can be used to easily set up a tap device that allows you to inspect the traffic on your network with a traffic analyzer. It is possible to set up simple port-based mirroring, but it is also possible to set up more complex mirroring based on various parameters. Note that the mirror-target port has to belong to the same switch (see which port belongs to which switch in the /interface ethernet menu). Also, mirror-target can have the special 'cpu' value, which means that sniffed packets will be sent out of the switch chip's CPU port. There are many ways to mirror certain traffic; below you can find the most common mirroring examples:

Port Based Mirroring:

/interface ethernet switch set switch1 mirror-source=ether2 mirror-target=ether3

The mirror-source property sends ingress and egress packet copies to the mirror-target port. Both mirror-source and mirror-target are limited to a single interface.

/interface ethernet switch
set switch1 mirror-source=none mirror-target=ether3
/interface ethernet switch rule
add mirror=yes ports=ether1,ether2 switch=switch1

Using ACL rules, it is possible to mirror packets from multiple ports. Only ingress packets are mirrored to the mirror-target interface.

VLAN Based Mirroring:

/interface bridge
set bridge1 vlan-filtering=yes
/interface ethernet switch
set switch1 mirror-target=ether3 mirror-source=none
/interface ethernet switch rule
add mirror=yes ports=ether1 switch=switch1 vlan-id=11

By enabling vlan-filtering you will be filtering out traffic destined to the CPU. Before enabling VLAN filtering you should make sure that you have set up a Management port.


MAC Based Mirroring:

/interface ethernet switch
set switch1 mirror-target=ether3 mirror-source=none
/interface ethernet switch rule
add mirror=yes ports=ether1 switch=switch1 dst-mac-address=64:D1:54:D9:27:E6/FF:FF:FF:FF:FF:FF
add mirror=yes ports=ether1 switch=switch1 src-mac-address=64:D1:54:D9:27:E6/FF:FF:FF:FF:FF:FF

Protocol Based Mirroring:

/interface ethernet switch
set switch1 mirror-target=ether3 mirror-source=none
/interface ethernet switch rule
add mirror=yes ports=ether1 switch=switch1 mac-protocol=ipx

IP Based Mirroring:

/interface ethernet switch
set switch1 mirror-target=ether3 mirror-source=none
/interface ethernet switch rule
add mirror=yes ports=ether1 switch=switch1 src-address=192.168.88.0/24
add mirror=yes ports=ether1 switch=switch1 dst-address=192.168.88.0/24

There are other options as well; check the ACL section to find out all possible parameters that can be used to match packets.

Traffic Shaping


It is possible to limit ingress traffic that matches certain parameters with ACL rules, and it is possible to limit ingress/egress traffic on a per-port basis. A policer is used for ingress traffic, a shaper for egress traffic. The ingress policer controls received traffic with packet drops: everything that exceeds the defined limit gets dropped. This can affect the TCP congestion control mechanism on end hosts, and the achieved bandwidth can actually be less than defined. The egress shaper tries to queue packets that exceed the limit instead of dropping them. Eventually it will also drop packets when the output queue gets full; however, it should allow utilizing the defined throughput better.

Port-based traffic policer and shaper:

/interface ethernet switch port set ether1 ingress-rate=10M egress-rate=5M

MAC-based traffic policer:

/interface ethernet switch rule add ports=ether1 switch=switch1 src-mac-address=64:D1:54:D9:27:E6/FF:FF:FF:FF:FF:FF rate=10M

VLAN-based traffic policer:

/interface bridge
set bridge1 vlan-filtering=yes
/interface ethernet switch rule
add ports=ether1 switch=switch1 vlan-id=11 rate=10M

By enabling vlan-filtering you will be filtering out traffic destined to the CPU. Before enabling VLAN filtering you should make sure that you have set up a Management port.

Protocol-based traffic policer:

/interface ethernet switch rule add ports=ether1 switch=switch1 mac-protocol=ipx rate=10M

There are other options as well; check the ACL section to find out all possible parameters that can be used to match packets.

The Switch Rule table is used for QoS functionality, see this table on how many rules each device supports.

Traffic Storm Control


Since RouterOS v6.42 it is possible to enable traffic storm control. A traffic storm can emerge when certain frames are continuously flooded on the network. For example, if a network loop has been created and no loop avoidance mechanism is used (e.g. Spanning Tree Protocol), broadcast or multicast frames can quickly overwhelm the network, causing degraded network performance or even a complete network breakdown. With CRS3xx, CRS5xx series switches and CCR2116, CCR2216 routers it is possible to limit broadcast, unknown multicast and unknown unicast traffic. Traffic is considered unknown unicast when the switch has no host entry for the destination MAC address. Traffic is considered unknown multicast when the switch has no entry for the multicast group in the /interface bridge mdb menu. Storm control settings should be applied to ingress ports; the resulting egress traffic will be limited.

The storm control parameter is specified as a percentage (%) of the link speed. If your link speed is 1Gbps, then specifying storm-rate as 10 will allow only 100Mbps of broadcast, unknown multicast and/or unknown unicast traffic to be forwarded.

Sub-menu:/interface ethernet switch port

Property Description
limit-broadcasts(yes | no; Default:yes) Limit broadcast traffic on a switch port.
limit-unknown-multicasts(yes | no; Default:no) Limit unknown multicast traffic on a switch port.
limit-unknown-unicasts(yes | no; Default:no) Limit unknown unicast traffic on a switch port.
storm-rate(integer 0..100; Default:100) Limit for broadcast, unknown multicast and/or unknown unicast traffic, as a percentage of the link speed.

Devices with the Marvell-98DX3236 switch chip cannot distinguish unknown multicast traffic from all multicast traffic. For example, CRS326-24G-2S+ will limit all multicast traffic when limit-unknown-multicasts and storm-rate are used. For other devices, for example CRS317-1G-16S+, the limit-unknown-multicasts parameter will limit only unknown multicast traffic (addresses that are not present in /interface bridge mdb).

For example, to limit 1% (10Mbps) of broadcast and unknown unicast traffic on ether1 (1Gbps), use the following commands:

/interface ethernet switch port set ether1 storm-rate=1 limit-broadcasts=yes limit-unknown-unicasts=yes

MPLS hardware offloading


Since RouterOS v6.41 it is possible to offload certain MPLS functions to the switch chip; the switch must be the P (provider) router in a PE-P-PE setup in order to achieve hardware offloading. A setup example can be found on the Basic MPLS setup example manual page. The hardware offloading will only take place when LDP interfaces are configured on physical switch interfaces (e.g. Ethernet, SFP, SFP+).

Currently only CRS317-1G-16S+ and CRS309-1G-8S+ running RouterOS v6.41 and newer are capable of hardware offloading certain MPLS functions. The built-in switch chip of CRS317-1G-16S+ and CRS309-1G-8S+ is not capable of popping MPLS labels from packets; in a PE-P-PE setup you either have to use explicit null or disable TTL propagation in the MPLS network to achieve hardware offloading.

The MPLS hardware offloading has been removed since RouterOS v7.


Switch Rules (ACL)


The Access Control List contains ingress policy and egress policy engines. See this table on how many rules each device supports. It is an advanced tool for wire-speed packet filtering, forwarding and modifying based on Layer 2, Layer 3 and Layer 4 protocol header field conditions.

ACL rules are checked for each received packet until a match has been found. If there are multiple rules that could match, only the first rule will be triggered. A rule without any action parameters is a rule to accept the packet.

It is not required to set mac-protocol to a certain IP version when using L3 or L4 matchers; however, it is recommended to set mac-protocol=ip or mac-protocol=ipv6 when filtering any IP packets.

When switch ACL rules are modified (e.g. added, removed, disabled, enabled, or moved), the existing switch rules will be inactive for a short time. This can cause some packet leakage during the ACL rule modifications.


Sub-menu:/interface ethernet switch rule

Property Description
copy-to-cpu(no | yes; Default:no) Clones the matching packet and sends it to the CPU.
disabled(yes | no; Default:no) Enables or disables ACL entry.
dscp(0..63) Matching the DSCP field of the packet (only applies to IPv4 packets).
dst-address(IP address/Mask) Matching destination IPv4 address and mask, also matches the destination IP in ARP packets.
dst-address6(IPv6 address/Mask) Matching destination IPv6 address and mask.
dst-mac-address(MAC address/Mask) Matching destination MAC address and mask.
dst-port(0..65535) Matching destination protocol port number (applies to IPv4 and IPv6 packets ifmac-protocolis not specified).
flow-label(0..1048575) Matching IPv6 flow label.
mac-protocol(802.2 | arp | homeplug-av | ip | ipv6 | ipx | lldp | loop-protect | mpls-multicast | mpls-unicast | packing-compr | packing-simple | pppoe | pppoe-discovery | rarp | service-vlan | vlan | or 0..65535 | or 0x0000-0xffff) Matching particular MAC protocol specified by protocol name or number
mirror(no | yes) Clones the matching packet and sends it to the mirror-target port.
new-dst-ports(ports) Changes the destination port as specified. An empty setting will drop the packet. A specified port will redirect the packet to it. When the parameter is not used, the packet will be accepted. Multiple "new-dst-ports" are not supported.
new-vlan-id(0..4095) Changes the VLAN ID to the specified value. Requiresvlan-filtering=yes.
new-vlan-priority(0..7) Changes the VLAN priority (priority code point). Requiresvlan-filtering=yes.
ports(ports) Matching ports on which will the rule apply on received traffic.
protocol(dccp | ddp | egp | encap | etherip | ggp | gre | hmp | icmp | icmpv6 | idpr-cmtp | igmp | ipencap | ipip | ipsec-ah | ipsec-esp | ipv6 | ipv6-frag | ipv6-nonxt | ipv6-opts | ipv6-route | iso-tp4 | l2tp | ospf | pim | pup | rdp | rspf | rsvp | sctp | st | tcp | udp | udp-lite | vmtp | vrrp | xns-idp | xtp | or 0..255) Matching particular IP protocol specified by protocol name or number. Only applies to IPv4 packets ifmac-protocolis not specified. To match certain IPv6 protocols, use themac-protocol=ipv6setting.
rate(0..4294967295) Sets ingress traffic limitation (bits per second) for matched traffic.
redirect-to-cpu(no | yes) Changes the destination port of a matching packet to the CPU.
src-address(IP address/Mask) Matching source IPv4 address and mask, also matches the source IP in ARP packets.
src-address6(IPv6 address/Mask) Matching source IPv6 address and mask.
src-mac-address(MAC address/Mask) Matching source MAC address and mask.
src-port(0..65535) Matching source protocol port number (applies to IPv4 and IPv6 packets ifmac-protocolis not specified).
switch(switch group) Matching switch group on which will the rule apply.
traffic-class(0..255) Matching IPv6 traffic class.
vlan-id(0..4095) Matching VLAN ID. Requiresvlan-filtering=yes.
vlan-header(not-present | present) Matching VLAN header, whether the VLAN header is present or not. Requiresvlan-filtering=yes.
vlan-priority(0..7) Matching VLAN priority (priority code point).

Action parameters:

  • copy-to-cpu
  • redirect-to-cpu
  • mirror
  • new-dst-ports (can be used to drop packets)
  • new-vlan-id
  • new-vlan-priority
  • rate

Layer2 condition parameters:

  • dst-mac-address
  • mac-protocol
  • src-mac-address
  • vlan-id
  • vlan-header
  • vlan-priority

Layer3 condition parameters:

  • dscp
  • protocol
  • IPv4 conditions:
    • dst-address
    • src-address
  • IPv6 conditions:
    • dst-address6
    • flow-label
    • src-address6
    • traffic-class

Layer4 condition parameters:

  • dst-port
  • src-port


For VLAN related matchers or VLAN related action parameters to work, you need to enable vlan-filtering on the bridge interface and make sure that hardware offloading is enabled on those ports; otherwise, these parameters will not have any effect.

When the bridge interface ether-type is set to 0x8100, VLAN related ACL rules apply to frames tagged with a regular/customer VLAN tag (TPID 0x8100); this includes vlan-id and new-vlan-id. When the bridge interface ether-type is set to 0x88a8, ACL rules apply to frames tagged with an 802.1ad service tag (TPID 0x88a8).

Port Security


It is possible to limit the allowed MAC addresses on a single switch port. For example, to allow only the 64:D1:54:81:EF:8E MAC address on a switch port, start by switching multiple ports together; in this example 64:D1:54:81:EF:8E is going to be located behind ether1.

Create an ACL rule to allow the given MAC address and drop all other traffic on ether1 (for ingress traffic):

/interface ethernet switch rule
add ports=ether1 src-mac-address=64:D1:54:81:EF:8E/FF:FF:FF:FF:FF:FF switch=switch1
add new-dst-ports="" ports=ether1 switch=switch1

Switch all required ports together, and disable MAC learning and unknown unicast flooding on ether1:

/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1 hw=yes learn=no unknown-unicast-flood=no
add bridge=bridge1 interface=ether2 hw=yes

Add a static host entry for 64:D1:54:81:EF:8E (for egress traffic):

/interface bridge host add bridge=bridge1 interface=ether1 mac-address=64:D1:54:81:EF:8E

Broadcast traffic will still be sent out from ether1. To limit broadcast flooding on a bridge port, you can use the broadcast-flood parameter to toggle it. Do note that some protocols depend on broadcast traffic, such as streaming protocols and DHCP.
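The Switch Rules section states that rules are evaluated in order, that the first match wins and that a rule with no action accepts, and the Port Security section shows a single allowed MAC; the following added example (not from the page or from MikroTik) combines the two for one untrusted access port with two permitted hosts, and shows why rule order matters. All of it is assumed for illustration: ether5 is the access port on switch1 in bridge1, the permitted MACs are 64:D1:54:81:EF:8E and 64:D1:54:81:EF:8F, and DHCP snooping is not enabled on this bridge (where it is, the snooping code already drops server messages on untrusted ports and rule 1 is redundant).

```routeros
# Added example, not from the page. Assumptions: ether5 is an untrusted access
# port on switch1 in bridge1, the only hosts permitted behind it are
# 64:D1:54:81:EF:8E and 64:D1:54:81:EF:8F, and DHCP snooping is not enabled.
# Rules are evaluated top-down on ingress; the first match wins, and a rule
# with no action parameters accepts the frame.
/interface ethernet switch rule
# 1. A host on an access port must never answer DHCP (UDP source port 67).
#    This sits above the allow rules on purpose: a permitted MAC that starts
#    a rogue DHCP server is still dropped. Put it below them and the allow
#    rule matches first and the server traffic passes.
add switch=switch1 ports=ether5 mac-protocol=ip protocol=udp src-port=67 new-dst-ports="" comment="ether5: drop DHCP server msgs"
# 2-3. Permitted source MACs (no action parameter = accept)
add switch=switch1 ports=ether5 src-mac-address=64:D1:54:81:EF:8E/FF:FF:FF:FF:FF:FF comment="ether5: allow host A"
add switch=switch1 ports=ether5 src-mac-address=64:D1:54:81:EF:8F/FF:FF:FF:FF:FF:FF comment="ether5: allow host B"
# 4. Everything else arriving on ether5 is dropped (empty new-dst-ports)
add switch=switch1 ports=ether5 new-dst-ports="" comment="ether5: drop everything else"

# Port settings: no dynamic learning (only the static hosts below are
# reachable through ether5), no unknown-unicast flooding into the port, and
# storm control so the permitted hosts cannot saturate the link with
# broadcast or unknown unicast (1% of link speed, i.e. 10Mbps on 1Gbps).
/interface bridge port
add bridge=bridge1 interface=ether5 hw=yes learn=no unknown-unicast-flood=no
/interface ethernet switch port
set ether5 limit-broadcasts=yes limit-unknown-unicasts=yes storm-rate=1

# Static host entries so egress traffic to the permitted MACs is forwarded
/interface bridge host
add bridge=bridge1 interface=ether5 mac-address=64:D1:54:81:EF:8E
add bridge=bridge1 interface=ether5 mac-address=64:D1:54:81:EF:8F

# Check the order. The numbers printed here are what "move" takes; if the
# catch-all drop had ended up above the allow rules, nothing from ether5
# would pass, and you would fix it with
#   /interface ethernet switch rule move <drop-rule-number> destination=<number-after-last-allow-rule>
/interface ethernet switch rule print
```

Two practical limits apply. The scheme uses four hardware rules per access port, and the ACL rules column of the models table caps the table at 128 entries on several models, so count rules before rolling this out to every port. And because existing switch rules go inactive for a moment whenever the table is modified, add the set for a port in one pass during a maintenance window rather than rule by rule while the port carries traffic.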

Dual Boot


The “dual boot” feature allows you to choose which operating system you prefer to use on CRS3xx series switches, RouterOS or SwOS. The device operating system can be changed using:

  • Command-line (/system routerboard settings set boot-os=swos)
  • Winbox
  • Webfig
  • Serial Console

More details about SwOS are described here:SwOS manual

Configuring SwOS using RouterOS


Since RouterOS 6.43 it is possible to load, save and reset SwOS configuration, as well as upgrade SwOS and set an IP address for the CRS3xx series switches by using RouterOS.

  • Save configuration with /system swos save-config

The configuration will be saved on the same device with swos.config as the filename. Make sure you download the file from your device, since the configuration file will be removed after a reboot.

  • Load configuration with /system swos load-config
  • Change password with /system swos password
  • Reset configuration with /system swos reset-config
  • Upgrade SwOS from RouterOS using /system swos upgrade

The upgrade command will automatically install the latest available SwOS primary backup version, make sure that your device has access to the Internet in order for the upgrade process to work properly. When the device is booted into SwOS, the version number will include the letter "p", indicating a primary backup version. You can then install the latest available SwOS secondary main version from the SwOS "Upgrade" menu.

Property Description
address-acquisition-mode(dhcp-only | dhcp-with-fallback | static; Default:dhcp-with-fallback) Changes address acquisition method:

dhcp-only- uses only a DHCP client to acquire address

dhcp-with-fallback- for the first 10 seconds will try to acquire address using a DHCP client. If the request is unsuccessful, then address falls back to static as defined bystatic-ip-addressproperty

static- address is set as defined bystatic-ip-addressproperty

allow-from(IP/Mask; Default:0.0.0.0/0) IP address or a network from which the switch is accessible. By default, the switch is accessible by any IP address.
allow-from-ports(name; Default: ) List of switch ports from which the device is accessible. By default, all ports are allowed to access the switch
allow-from-vlan(integer: 0..4094; Default:0) VLAN ID from which the device is accessible. By default, all VLANs are allowed
identity(name; Default:MikroTik) Name of the switch (used for MikroTik Neighbor Discovery protocol)
static-ip-address(IP; Default:192.168.88.1) IP address of the switch in caseaddress-acquisition-modeis either set todhcp-with-fallbackorstatic. By setting a static IP address, the address acquisition process does not change, which is DHCP with fallback by default. This means that the configured static IP address will become active only when there is going to be no DHCP servers in the same broadcast domain
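The property table above lists the SwOS management settings but does not show them applied together. The following added example (not from the page or from MikroTik) restricts where the SwOS web interface answers from, saves the configuration, and switches the boot OS. The values are assumed for illustration: the management station lives in 10.99.0.0/24 on VLAN 99, only ether1 faces the management network, and the switch should answer on 10.99.0.5 while running SwOS. The "set" and "print" forms of /system swos are assumed from the property table; the other commands are the ones the page lists.

```routeros
# Added example, not from the page. Assumptions: management network
# 10.99.0.0/24 on VLAN 99 behind ether1, switch address 10.99.0.5 in SwOS.
# "set" on /system swos is assumed from the property table on this page.
/system swos
set address-acquisition-mode=static static-ip-address=10.99.0.5 allow-from=10.99.0.0/24 allow-from-vlan=99 allow-from-ports=ether1 identity=access-sw-01
print

# Keep a copy of the SwOS configuration off the device: swos.config is
# deleted on reboot, so download it before going any further
/system swos save-config
/file print where name=swos.config

# Switch the boot OS; the change takes effect on the next reboot
/system routerboard settings set boot-os=swos
/system reboot
```

The reason for address-acquisition-mode=static rather than the default dhcp-with-fallback is in the table itself: with the default, the static address is used only when no DHCP server answers within 10 seconds, so any DHCP server in the management broadcast domain, including a rogue one, decides what address and gateway the switch runs with. The three allow-from properties then narrow the management surface to one source network, one VLAN and one physical port.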

See also

CRS Router

CRS3xx VLANs with Bonds

Basic VLAN switching

Bridge Hardware Offloading

Route Hardware Offloading

Spanning Tree Protocol

MTU on RouterBOARD

Layer2 misconfiguration

Bridge VLAN Table

Bridge IGMP/MLD snooping

Multi-chassis Link Aggregation Group
