Applies to RouterOS: v6.41+
Warning: This manual is moved to https://help.mikrotik.com/docs/display/ROS/CRS3xx+series+switches
The Cloud Router Switch series are highly integrated switches with a high performance CPU and a feature-rich packet processor. The CRS switches can be designed into various Ethernet applications including unmanaged switch, Layer 2 managed switch, carrier switch and wired unified packet processing.
Warning: This article applies to CRS3xx series switches and not to CRS1xx/CRS2xx series switches.
Features
- Forwarding
- Mirroring
- VLAN
- Bonding
- Quality of Service (QoS)
- Port isolation
- Access Control List
Models
This table clarifies the main differences between Cloud Router Switch models.
Model | Switch Chip | Cores | SFP+ port | Unicast FDB entries |
---|---|---|---|---|
Sub-menu:
/interface bridge
Property | Description |
---|---|
vlan-filtering (yes | no; Default: no) | Globally enables or disables VLAN functionality for the bridge. |
pvid (1..4094; Default: 1) | Port VLAN ID (pvid) specifies which VLAN the untagged ingress traffic is assigned to. It applies e.g. to frames sent from the bridge IP and destined to a bridge port. |
Sub-menu:
/interface bridge port
Property | Description |
---|---|
frame-types (admit-all | admit-only-untagged-and-priority-tagged | admit-only-vlan-tagged; Default: admit-all) | Specifies allowed ingress frame types on a bridge port. Only has effect when ingress-filtering is enabled. |
ingress-filtering (yes | no; Default: no) | Enables or disables ingress filtering, which checks if an entry exists for the ingress port and the VLAN ID in the bridge VLAN table. Should be used with frame-types to specify if the ingress traffic should be tagged or untagged. |
pvid (1..4094; Default: 1) | Port VLAN ID (pvid) specifies which VLAN the untagged ingress traffic is assigned to. |
VLAN Table
The bridge VLAN table represents per-VLAN port mapping with an egress VLAN tag action.
- tagged ports send out frames with a learned VLAN ID tag.
- untagged ports remove the VLAN tag before sending out frames if the learned VLAN ID matches the port pvid.
Sub-menu:
/interface bridge vlan
Property | Description |
---|---|
bridge (name) | The bridge interface which the respective VLAN entry is intended for. |
disabled (yes | no; Default: no) | Enables or disables the bridge VLAN entry. |
tagged (interfaces; Default: none) | Interface list with a VLAN tag adding action in egress. This setting accepts comma separated values. E.g. tagged=ether1,ether2 . |
untagged (interfaces; Default: none) | Interface list with a VLAN tag removing action in egress. This setting accepts comma separated values. E.g. untagged=ether3,ether4 . |
vlan-ids (1..4094) | The list of VLAN IDs for a certain port configuration. This setting accepts a VLAN ID range as well as comma separated values. E.g. vlan-ids=100-115,120,122,128-130 . |
Setup examples
Port Based VLAN
- The configuration for CRS3xx switches is described in the Bridge VLAN Filtering section.
Note: It is possible to use the built-in switch chip and the CPU at the same time to create a Switch-Router setup, where a device acts as a switch and as a router at the same time. You can find a configuration example in the CRS-Router guide.
MAC Based VLAN
Note: The CRS3xx Switch Rule table is used for MAC Based VLAN functionality, see this table on how many rules each device supports.
Note: MAC-based VLANs will only work properly between switch ports and not between switch ports and CPU. When a packet is being forwarded to the CPU, the pvid property for the bridge port will be always used instead of new-vlan-id from ACL rules.
- Enable switching on ports by creating a bridge with enabled hw-offloading.
- Add VLANs in the Bridge VLAN table and specify ports.
- Add Switch rules which assign VLAN id based on MAC address.
Protocol Based VLAN
Note: The CRS3xx Switch Rule table is used for Protocol Based VLAN functionality, see this table on how many rules each device supports.
- Enable switching on ports by creating a bridge with enabled hw-offloading.
- Add VLANs in the Bridge VLAN table and specify ports.
- Add Switch rules which assign VLAN id based on MAC protocol.
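The MAC based and protocol based VLAN procedures above, as an added example that is not from the original page or MikroTik's own documentation; the bridge name, port roles, VLAN IDs and the host MAC address are constructed:

```routeros
# Added example; bridge1, ether1-ether3, VLAN 10/20 and the MAC address are constructed.
# 1. Enable switching on the ports with hardware offloading (hw=yes).
/interface bridge
add name=bridge1 vlan-filtering=no
/interface bridge port
add bridge=bridge1 interface=ether1 hw=yes
add bridge=bridge1 interface=ether2 hw=yes
add bridge=bridge1 interface=ether3 hw=yes
# 2. VLAN table: ether3 is the trunk carrying both VLANs tagged,
#    ether1 and ether2 are access ports that receive untagged frames.
/interface bridge vlan
add bridge=bridge1 tagged=ether3 untagged=ether1,ether2 vlan-ids=10,20
# 3. Switch rules assign the VLAN on ingress; the first matching rule wins.
/interface ethernet switch rule
# MAC based: frames from this one host on ether1 are placed into VLAN 20
add switch=switch1 ports=ether1 src-mac-address=00:11:22:33:44:55/FF:FF:FF:FF:FF:FF new-vlan-id=20
# Protocol based: all untagged IPv6 arriving on ether2 is placed into VLAN 20
add switch=switch1 ports=ether2 mac-protocol=ipv6 new-vlan-id=20
# Everything else on ether1/ether2 keeps the bridge port pvid (VLAN 1 by default),
# so add the VLAN you actually want as pvid on those ports if it is not VLAN 1.
# 4. Only now enable VLAN filtering (new-vlan-id has no effect without it).
/interface bridge
set bridge1 vlan-filtering=yes
```

Remember that the switch rule VLAN assignment applies only between switch ports; traffic forwarded to the CPU still uses the bridge port pvid, as the note above states.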
VLAN Tunneling (Q-in-Q)
Since RouterOS v6.43 it is possible to use a provider bridge (IEEE 802.1ad) VLAN filtering and hardware offloading at the same time on CRS3xx series switches. The configuration for CRS3xx switches is described in the Bridge VLAN Tunneling (Q-in-Q) section.
Ingress VLAN translation
It is possible to translate a certain VLAN ID to a different VLAN ID using ACL rules on an ingress port. In this example we create two ACL rules, allowing bidirectional communication. This is done as follows:
- Create a new bridge and add ports to it with hardware offloading:
- Add ACL rules to translate a VLAN ID in each direction:
- Add both VLAN IDs to the bridge VLAN table:
- Enable bridge VLAN filtering:
Note: Bidirectional communication is limited only between two switch ports. Translating VLAN ID between more ports can cause traffic flooding or incorrect forwarding between same VLAN ports.
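The four steps above carried through, as an added example that is not from the original page or MikroTik's own documentation. The port names, the VLAN IDs 10 and 20, the management VLAN 99 and the IP address are constructed:

```routeros
# Added example; ether1/ether2, VLAN 10/20, VLAN 99 and 192.0.2.10/24 are constructed.
# Frames tagged 10 entering ether1 leave ether2 tagged 20, and replies tagged 20
# entering ether2 leave ether1 tagged 10.
# 1. Bridge with hardware offloaded ports, filtering still off.
/interface bridge
add name=bridge1 vlan-filtering=no
/interface bridge port
add bridge=bridge1 interface=ether1 hw=yes
add bridge=bridge1 interface=ether2 hw=yes
# 2. One translation rule per direction (only these two ports, see the note above).
/interface ethernet switch rule
add switch=switch1 ports=ether1 vlan-id=10 new-vlan-id=20
add switch=switch1 ports=ether2 vlan-id=20 new-vlan-id=10
# 3. Both VLAN IDs must exist in the bridge VLAN table.
/interface bridge vlan
add bridge=bridge1 tagged=ether1,ether2 vlan-ids=10,20
# Management VLAN, tagged towards the CPU (bridge1 itself) and the uplink on ether2,
# so the switch stays reachable after vlan-filtering cuts untagged CPU traffic.
add bridge=bridge1 tagged=bridge1,ether2 vlan-ids=99
/interface vlan
add name=mgmt interface=bridge1 vlan-id=99
/ip address
add address=192.0.2.10/24 interface=mgmt
# 4. Enable VLAN filtering last; vlan-id / new-vlan-id rules are ignored before this.
/interface bridge
set bridge1 vlan-filtering=yes
```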
Warning: By enabling vlan-filtering you will be filtering out traffic destined to the CPU, before enabling VLAN filtering you should make sure that you set up a Management port.
CRS3xx series switches are capable of running STP, RSTP and MSTP on a hardware level. For more detailed information you should check out the Spanning Tree Protocol manual page.
Since RouterOS v6.42 all CRS3xx series switches support hardware offloading with bonding interfaces. Only 802.3ad and balance-xor bonding modes are hardware offloaded, other bonding modes will use the CPU's resources. You can find more information about the bonding interfaces in the Bonding Interface section. If 802.3ad mode is used, then LACP (Link Aggregation Control Protocol) is supported.
To create a hardware offloaded bonding interface, you must create a bonding interface with a supported bonding mode:
This interface can be added to a bridge alongside other interfaces:
Note: Don't add interfaces to a bridge that are already in a bond, RouterOS will not allow you to add an interface that is already a slave to a bridge as there is no need to do it since a bonding interface already contains the slave interfaces.
Make sure that the bonding interface is hardware offloaded by checking the 'H' flag:
Note: With HW-offloaded bonding interfaces, the built-in switch chip will always use Layer2+Layer3+Layer4 for transmit hash policy, changing the transmit hash policy manually will have no effect.
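The bonding steps above, as an added example that is not from the original page or MikroTik's own documentation; the bond, bridge and port names are constructed:

```routeros
# Added example; bond1, bridge1 and ether1-ether3 are constructed.
# Only 802.3ad (LACP) and balance-xor modes are hardware offloaded on CRS3xx.
/interface bonding
add name=bond1 mode=802.3ad slaves=ether1,ether2
# Add the bond itself (never its slave ports) to the bridge with hw=yes.
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=bond1 hw=yes
add bridge=bridge1 interface=ether3 hw=yes
# The 'H' flag in this output confirms the bond is offloaded to the switch chip;
# if it is missing, check the bonding mode and that hw=yes is set.
/interface bridge port print where interface=bond1
# transmit-hash-policy is ignored for an offloaded bond (always layer-2-and-3-and-4).
```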
Layer3 hardware offloading (otherwise known as IP switching or HW routing) allows some router features to be offloaded onto the switch chip. This makes it possible to route packets at wire speed, which simply would not be possible with the CPU.
At the moment of writing this article, only CRS317-1G-16S+ supports L3 HW Offloading and RouterOS v7beta6 or newer must be used.
The feature can be enabled with:
Note: After turning off HW Offloading it is recommended to reboot the switch, to make sure that all HW related config is cleared from switch chip.
Currently supported and unsupported feature list:
Feature | Status | Description |
---|---|---|
 | HW | This feature enables the possibility to drop D/DOS attacks at wire speed. |
'prohibit' routes | CPU | |
'unreachable' routes | CPU | |
gateway=<interface_name> | HW/CPU | This works only for directly connected networks. Since HW does not know how to send ARP requests, the CPU sends an ARP request and waits for a reply to find out the DST MAC address on the first received packet of the connection that matches a DST IP address. After the DST MAC is determined, a HW entry is added and all further packets will be processed by the switch chip. |
Bridge | HW | Routing from/to bridge interface |
VLAN | HW | Routing between VLAN interfaces |
LACP | HW | /interface bonding |
Firewall | FW | Only Fasttrack connections get processed by HW, which means that the CPU is processing packets until the connection gets fasttracked. |
NAT | FW | NAT rules applied to the offloaded Fasttrack connections are processed by HW. |
QoS | N/A | |
Where:
- CPU - feature is supported but processed by CPU
- HW - feature is supported and offloaded in hardware (works when l3hw=yes)
- FW - feature is supported and offloaded in hardware (works when l3hw=fw)
- N/A - feature is not available, meaning that L3 Hardware offloading MUST be disabled for these features to work
Warning: Currently user must choose whether to use hardware accelerated routing or firewall. It is not possible to use both at the same time.
List of supported devices and their limits:
Model | RouterOS version | Routes | | ECMP Groups | Fasttrack connections (*1)(*2) | NAT entries (*2) |
---|---|---|---|---|---|---|
CRS317-1G-16S+ | 7.1beta1 | 150K - 240K | 8K | 4K | 4500 / 3750 (*3) | 4096 |
CRS309-1G-8S+ | 7.1beta2 | 50K - 80K | 8K | 4K | 4500 / 3750 | 4096 |
CRS312-4C+8XG | 7.1beta2 | 50K - 80K | 8K | 4K | 2250 / 1500 | 4096 (*4) |
CRS326-24S+2Q+ | 7.1beta2 | 50K - 80K | 8K | 4K | 2250 / 1500 | 4096 |
*1 When the HW limit of Fasttrack or NAT entries is reached, other connections will fall back to the CPU. MikroTik's smart connection offload algorithm ensures that the connections with the most traffic are offloaded to the hardware.
*2 Fasttrack connections share the same HW memory with ACL rules. Depending on the complexity, one ACL rule may occupy the memory of 3-6 Fasttrack connections.
*3 (Both MPLS and Bridge Port Extender are disabled) / (MPLS, Bridge Port Extender, or both are enabled). MPLS shares the HW memory with Fasttrack connections. Moreover, enabling MPLS requires the allocation of the entire memory region, which could otherwise store up to 750 Fasttrack connections. The same applies to Bridge Port Extender. However, MPLS and Bridge Port Extender may use the same memory region, so enabling both does not double the limitation of Fasttrack connections.
*4 All NAT entries cannot be used due to the limited amount of Fasttrack connections.
Since RouterOS v6.43 it is possible to create a Private VLAN setup on CRS3xx series switches, example can be found in the Switch chip port isolation manual page.
CRS3xx series switches are capable of using IGMP Snooping on a hardware level. To see more detailed information, you should check out the IGMP Snooping manual page.
CRS3xx series switches are capable of using DHCP Snooping with Option 82 on a hardware level. To see more detailed information, you should check out the DHCP Snooping and DHCP Option 82 manual page.
Mirroring lets the switch 'sniff' all traffic that is going into a switch chip and send a copy of those packets out to another port (mirror-target). This feature can be used to easily set up a 'tap' device that allows you to inspect the traffic on your network on a traffic analyzer device. It is possible to set up simple port based mirroring, but it is also possible to set up more complex mirroring based on various parameters. Note that the mirror-target port has to belong to the same switch (see which port belongs to which switch in the /interface ethernet menu). Also mirror-target can have a special 'cpu' value, which means that 'sniffed' packets will be sent out of the switch chip's CPU port. There are many possibilities that can be used to mirror certain traffic, below you can find the most common mirroring examples:
- Port Based Mirroring
Note: Property mirror-source will send an ingress and egress packet copies to the mirror-target port. Both mirror-source and mirror-target are limited to a single interface.
Note: Using ACL rules, it is possible to mirror packets from multiple ports interfaces. Only ingress packets are mirrored to mirror-target interface.
- VLAN Based Mirroring
Warning: By enabling vlan-filtering you will be filtering out traffic destined to the CPU, before enabling VLAN filtering you should make sure that you set up a Management port.
- MAC Based Mirroring
- Protocol Based Mirroring
- IP Based Mirroring
There are other options as well, check the ACL section to find out all possible parameters that can be used to match packets.
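The mirroring variants listed above, as an added example that is not from the original page or MikroTik's own documentation; the port names, MAC address, VLAN ID and IP prefix are constructed, and ether8 is the constructed port where the traffic analyzer is attached:

```routeros
# Added example; ether2-ether5, ether8, the MAC, VLAN 10 and 192.0.2.0/24 are constructed.
# Port based: ingress AND egress of ether2 is copied to ether8. Both values
# accept a single interface only; mirror-target may also be 'cpu'.
/interface ethernet switch
set switch1 mirror-source=ether2 mirror-target=ether8
# ACL based mirroring copies INGRESS packets only, but can match several ports
# and richer conditions. Rules are evaluated in order; the first match wins.
/interface ethernet switch rule
# VLAN based (needs vlan-filtering=yes on the bridge and hw=yes on the ports)
add switch=switch1 ports=ether3,ether4 vlan-id=10 mirror=yes
# MAC based: one host's frames on ether5
add switch=switch1 ports=ether5 src-mac-address=00:11:22:33:44:55/FF:FF:FF:FF:FF:FF mirror=yes
# Protocol based: all ARP on ether5, useful when investigating ARP spoofing
add switch=switch1 ports=ether5 mac-protocol=arp mirror=yes
# IP based: traffic from one subnet on ether5
add switch=switch1 ports=ether5 src-address=192.0.2.0/24 mirror=yes
# Review what is being mirrored before leaving the tap in place
print where mirror=yes
```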
It is possible to limit certain types of traffic using ACL rules. For CRS3xx series switches it is possible to limit ingress traffic that matches certain parameters, and it is possible to limit ingress/egress traffic on a per port basis. For ingress traffic a QoS policer is used, for egress traffic a QoS shaper is used.
- Port Based Traffic Shaping
- MAC Based Traffic Shaping
- VLAN Based Traffic Shaping
Warning: By enabling vlan-filtering you will be filtering out traffic destined to the CPU, before enabling VLAN filtering you should make sure that you set up a Management port.
- Protocol Based Traffic Shaping
There are other options as well, check the ACL section to find out all possible parameters that can be used to match packets.
Note: The CRS3xx Switch Rule table is used for QoS functionality, see this table on how many rules each device supports.
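The traffic shaping variants listed above, as an added example that is not from the original page or MikroTik's own documentation. Port names, the MAC address, VLAN ID and rates are constructed, and the per-port ingress-rate / egress-rate switch port properties are assumed to be available on the device:

```routeros
# Added example; ether1/ether2, the MAC, VLAN 10 and all rates are constructed.
# Port based: policer on ingress, shaper on egress, values in bits per second.
# (ingress-rate / egress-rate are assumed switch port properties.)
/interface ethernet switch port
set ether1 ingress-rate=10000000 egress-rate=10000000
# ACL based limits apply to ingress traffic only; first matching rule wins.
/interface ethernet switch rule
# MAC based: a single host on ether2 is limited to 5 Mbps
add switch=switch1 ports=ether2 src-mac-address=00:11:22:33:44:55/FF:FF:FF:FF:FF:FF rate=5000000
# VLAN based: needs vlan-filtering=yes on the bridge and hw=yes on the port
add switch=switch1 ports=ether2 vlan-id=10 rate=5000000
# Protocol based: cap ARP on ether2 to 100 kbps to blunt ARP floods
add switch=switch1 ports=ether2 mac-protocol=arp rate=100000
# Each rule consumes an entry in the Switch Rule table, check the device limit.
print where rate>0
```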
Since RouterOS v6.42 it is possible to enable traffic storm control on CRS3xx series devices. A traffic storm can emerge when certain frames are continuously flooded on the network. For example, if a network loop has been created and no loop avoidance mechanisms are used (e.g. Spanning Tree Protocol), broadcast or multicast frames can quickly overwhelm the network, causing degraded network performance or even complete network breakdown. With CRS3xx series switches it is possible to limit broadcast, unknown multicast and unknown unicast traffic. Traffic is considered unknown unicast when the switch does not contain a host entry for the destination MAC address, and unknown multicast when the switch does not contain a multicast group entry in the /interface bridge mdb menu. Storm control settings should be applied to ingress ports, the egress traffic will be limited.
Note: The storm control parameter is specified in percentage (%) of the link speed. If your link speed is 1Gbps, then specifying storm-rate as 10 will allow only 100Mbps of broadcast, unknown multicast and/or unknown unicast traffic to be forwarded.
Sub-menu:
/interface ethernet switch port
Property | Description |
---|---|
limit-broadcasts (yes | no; Default: yes) | Limit broadcast traffic on switch port. |
limit-unknown-multicasts (yes | no; Default: no) | Limit unknown multicast traffic on switch port. |
limit-unknown-unicasts (yes | no; Default: no) | Limit unknown unicast traffic on switch port. |
storm-rate (integer 0..100; Default: 100) | Amount of broadcast, unknown multicast and/or unknown unicast traffic that is allowed, in percentage of the link speed. |
Warning: Devices with the Marvell-98DX3236 switch chip cannot distinguish unknown multicast traffic from all multicast traffic. For example, CRS326-24G-2S+ will limit all multicast traffic when limit-unknown-multicasts and storm-rate are used. For other devices, for example CRS317-1G-16S+, the limit-unknown-multicasts parameter will limit only unknown multicast traffic (addresses that are not present in the /interface bridge mdb menu).
- For example, to limit 1% (10Mbps) of broadcast and unknown unicast traffic on ether1 (1Gbps), use the following commands:
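The storm control setting just described, as an added example that is not from the original page or MikroTik's own documentation; ether1 comes from the text above, the other port names are constructed:

```routeros
# Added example; ether2-ether4 and the uplink ether24 are constructed.
# storm-rate is a percentage of link speed: 1% of a 1Gbps link is 10Mbps.
/interface ethernet switch port
set ether1 limit-broadcasts=yes limit-unknown-unicasts=yes storm-rate=1
# Apply the same policy to the other access ports in one command; the uplink
# (ether24) is deliberately left at the default 100% so legitimate floods
# from the rest of the network are not throttled on ingress there.
set ether2,ether3,ether4 limit-broadcasts=yes limit-unknown-unicasts=yes storm-rate=1
# limit-unknown-multicasts is left off here: on Marvell-98DX3236 devices it would
# limit ALL multicast, which can break IGMP based applications on the edge ports.
# Verify what was applied
print where storm-rate=1
```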
Since RouterOS v6.41 it is possible to offload certain MPLS functions to the switch chip, the switch must be a (P)rovider router in a PE-P-PE setup in order to achieve hardware offloading. Setup example can be found in the Basic MPLS setup example manual page.
Note: Currently only CRS317-1G-16S+ and CRS309-1G-8S+ using RouterOS v6.41 and newer are capable of hardware offloading certain MPLS functions. The CRS317-1G-16S+ and CRS309-1G-8S+ built-in switch chip is not capable of popping MPLS labels from packets, so in a PE-P-PE setup you either have to use explicit null or disable TTL propagation in the MPLS network to achieve hardware offloading.
The Access Control List consists of ingress policy and egress policy engines. See this table on how many rules each device supports (limited by RouterOS). It is an advanced tool for wire-speed packet filtering, forwarding and modifying based on Layer2, Layer3 and Layer4 protocol header field conditions.
Note: ACL rules are checked for each received packet until a match has been found. If there are multiple rules that can match, then only the first rule will be triggered. A rule without any action parameters is a rule that accepts the packet.
Sub-menu:
/interface ethernet switch rule
Property | Description |
---|---|
copy-to-cpu (no | yes; Default: no) | Clones the matching packet and sends it to the CPU. |
disabled (yes | no; Default: no) | Enables or disables the ACL entry. |
dscp (0..63) | Matching DSCP field of the packet. |
dst-address (IP address/Mask) | Matching destination IP address and mask. |
dst-address6 (IPv6 address/Mask) | Matching destination IPv6 address and mask. |
dst-mac-address (MAC address/Mask) | Matching destination MAC address and mask. |
dst-port (0..65535) | Matching destination protocol port number. |
flow-label (0..1048575) | Matching IPv6 flow label. |
mac-protocol (802.2 | arp | homeplug-av | ip | ipv6 | ipx | lldp | loop-protect | mpls-multicast | mpls-unicast | packing-compr | packing-simple | pppoe | pppoe-discovery | rarp | service-vlan | vlan | 0..65535 | 0x0000-0xffff) | Matching particular MAC protocol specified by protocol name or number. |
mirror (no | yes) | Clones the matching packet and sends it to the mirror-target port. |
new-dst-ports (ports) | Changes the destination port as specified. An empty setting will drop the packet. A specified port will redirect the packet to it. When the parameter is not used, the packet will be accepted. Multiple 'new-dst-ports' are not supported on CRS3xx series switches. |
new-vlan-id (0..4095) | Changes the VLAN ID to the specified value. Requires vlan-filtering=yes . |
new-vlan-priority (0..7) | Changes the VLAN priority tag. Requires vlan-filtering=yes . |
ports (ports) | Matching ports on which the rule will apply to received traffic. |
protocol (dccp | ddp | egp | encap | etherip | ggp | gre | hmp | icmp | icmpv6 | idpr-cmtp | igmp | ipencap | ipip | ipsec-ah | ipsec-esp | ipv6 | ipv6-frag | ipv6-nonxt | ipv6-opts | ipv6-route | iso-tp4 | l2tp | ospf | pim | pup | rdp | rspf | rsvp | sctp | st | tcp | udp | udp-lite | vmtp | vrrp | xns-idp | xtp | 0..255) | Matching particular IP protocol specified by protocol name or number. |
rate (0..4294967295) | Sets ingress traffic limitation (bits per second) for matched traffic. |
redirect-to-cpu (no | yes) | Changes the destination port of a matching packet to the CPU. |
src-address (IP address/Mask) | Matching source IP address and mask. |
src-address6 (IPv6 address/Mask) | Matching source IPv6 address and mask. |
src-mac-address (MAC address/Mask) | Matching source MAC address and mask. |
src-port (0..65535) | Matching source protocol port number. |
switch (switch group) | Matching switch group on which the rule will apply. |
traffic-class (0..255) | Matching IPv6 traffic class. |
vlan-id (0..4095) | Matching VLAN ID. Requires vlan-filtering=yes . |
vlan-header (not-present | present) | Matching VLAN header, whether the VLAN header is present or not. Requires vlan-filtering=yes . |
vlan-priority (0..7) | Matching VLAN priority. |
Action parameters:
- copy-to-cpu
- redirect-to-cpu
- mirror
- new-dst-ports (can be used to drop packets)
- new-vlan-id
- new-vlan-priority
- rate
Conditional parameters:
- Layer2 conditions:
- dst-mac-address
- mac-protocol
- src-mac-address
- vlan-id
- vlan-header
- vlan-priority
- Layer3 conditions:
- dscp
- protocol
- IPv4 conditions:
- dst-address
- src-address
- IPv6 conditions:
- dst-address6
- flow-label
- src-address6
- traffic-class
- Layer4 conditions:
- dst-port
- src-port
Note: For VLAN related matchers or VLAN related action parameters to work, you need to enable vlan-filtering on the bridge interface and make sure that hardware offloading is enabled on those ports, otherwise these parameters will not have any effect.
Warning: When vlan-protocol is set to 802.1Q, then VLAN related ACL rules are relevant to 0x8100 (CVID) packets, this includes vlan-id and new-vlan-id. When vlan-protocol is set to 802.1ad, then ACL rules are relevant to 0x88A8 (SVID) packets. For example, with 802.1Q the vlan-id matcher will match CVID packets, but with 802.1ad the vlan-id matcher will match SVID packets.
It is possible to limit the allowed MAC addresses on a single switch port on CRS3xx series switches. For example, to allow 64:D1:54:81:EF:8E, start by switching multiple ports together; in this example 64:D1:54:81:EF:8E is going to be located behind ether1.
- Create an ACL rule to allow the given MAC address and drop all other traffic on ether1 (for ingress traffic):
- Switch all required ports together, disable MAC learning and disable unknown unicast flooding on ether1:
- Add a static hosts entry for 64:D1:54:81:EF:8E (for egress traffic):
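The three port security steps above carried through, as an added example that is not from the original page or MikroTik's own documentation. The allowed MAC address and ether1 come from the text; bridge1 and ether2 are constructed:

```routeros
# Added example; bridge1 and ether2 are constructed, the MAC and ether1 come from the page.
# 1. Ingress ACL on ether1. Rules match in order: the first rule has no action
#    parameters, so it accepts the allowed MAC; the second rule has an empty
#    new-dst-ports, which drops everything else entering ether1.
/interface ethernet switch rule
add switch=switch1 ports=ether1 src-mac-address=64:D1:54:81:EF:8E/FF:FF:FF:FF:FF:FF
add switch=switch1 ports=ether1 new-dst-ports=""
# 2. Switch the ports together with hardware offloading. On ether1, stop MAC
#    learning (so a spoofed source cannot poison the host table) and stop
#    unknown unicast flooding (so other hosts' traffic is not leaked to ether1).
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1 hw=yes learn=no unknown-unicast-flood=no
add bridge=bridge1 interface=ether2 hw=yes
# 3. Egress: with learning off, a static host entry is needed so that frames
#    destined to the allowed MAC are still forwarded out of ether1.
/interface bridge host
add bridge=bridge1 interface=ether1 mac-address=64:D1:54:81:EF:8E
# Broadcasts still leave ether1. Disabling that is optional and breaks DHCP:
# /interface bridge port set [find interface=ether1] broadcast-flood=no
# Verify the rule order before trusting the port
/interface ethernet switch rule print where ports=ether1
```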
Warning: Broadcast traffic will still be sent out from ether1. To limit broadcast traffic flooding on a bridge port, you can use the broadcast-flood parameter to toggle it. Do note that some protocols depend on broadcast traffic, such as streaming protocols and DHCP.
The "Dual boot" feature allows you to choose which operating system you prefer to use, RouterOS or SwOS. The device operating system can be changed using:
- Serial Terminal (/system routerboard settings set boot-os=swos)
- Winbox
- Webfig
- Serial Console
More details about SwOS are described here: SwOS manual
Since RouterOS 6.43 it is possible to load, save and reset the SwOS configuration, as well as upgrade SwOS and set an IP address for the switch by using RouterOS.
- Save configuration with /system swos save-config
- Load configuration with /system swos load-config
- Change password with /system swos password
- Reset configuration with /system swos reset-config
- Upgrade SwOS from RouterOS using /system swos upgrade
Note: Configuration will be saved on the same device with swos.config as filename, make sure you download the file off your device since the configuration file will be removed after a reboot.
Note: The upgrade command will automatically install the latest available SwOS version, make sure that your device has access to the Internet in order for the upgrade process to work properly.
Sub-menu:
/system swos
Property | Description |
---|---|
address-acquisition-mode (dhcp-only | dhcp-with-fallback | static; Default: dhcp-with-fallback) | Changes the address acquisition method. |
allow-from (IP/Mask; Default: 0.0.0.0/0) | IP address or network from which the switch is accessible. By default, the switch is accessible from any IP address. |
allow-from-ports (name; Default: ) | List of switch ports from which the device is accessible. By default, all ports are allowed to access the switch. |
allow-from-vlan (integer: 0..4094; Default: 0) | VLAN ID from which the device is accessible. By default, all VLANs are allowed. |
identity (name; Default: Mikrotik) | Name of the switch (used for the Mikrotik Neighbor Discovery protocol). |
static-ip-address (IP; Default: 192.168.88.1) | IP address of the switch in case address-acquisition-mode is set to either dhcp-with-fallback or static. Setting a static IP address does not change the address acquisition process, which is DHCP with fallback by default. This means that the configured static IP address will become active only when there is no DHCP server in the same broadcast domain. |
Retrieved from 'https://wiki.mikrotik.com/index.php?title=Manual:CRS3xx_series_switches&oldid=34227'