I am trying to understand exactly what configuration items determine whether a CRS326 (running ROS) is being used as a switch-only or as a switch-router.

From reading many prior threads, using the CRS as a switch-only results in much better performance.

I am having a hard time identifying exactly what form of config changes the use from switch to router.

In this context, I have seen references to a determining factor being whether the CRS has an IP address assigned to it's bridge.

I have also seen reference to the determingin factor being whether the bridge is included as a tagged port in "/interface bridge vlans" as being a determining factor.

Both of these make sense because the bridge (in my basic understanding, thanks to many educators here) is what involves the CPU, and the involvement of the CPU is (I think) the distinguishing aspect of using the device as a router.

I am particularly interested in how a CRS passing VLAN-tagged frames (and having access and trunk ports) would be configured as a switch-only.

I am totally unclear about the correct "/ip route" entries because my guess is that ip routing is a CPU (and therefore routing) function.

(Note: Please try, if possible, to keep the explanations simple.)

Perhaps something like this (this is just a partial config to learn about this particular concept of switch vs. router config on the CRS line):

https://www.spiceworks.com/tech/network ... vs-router/

Clues to you are routing.
-DHCP
-WAN and LAN
-NAT
-all subnets have an address
-need firewall rules (layer3)

Switch.....
Single Ip address provided to switch
setup is primarily about vlan traffic
only management or trusted vlan normally need be identified.
only management vlan-id is tagged for the bridge at /interface bridge vlan

This comment I found confusing.......
In this context, I have seen references to a determining factor being whether the CRS has an IP address assigned to it's bridge. ???????????

Why would any sane person attach an IP address to a bridge of powerful switch. Or to put it another way, why would a person have a flat network and spend this much money when a cheap un-managed switch would do.

The example provided is a bit confusing.
- why include ports 5 through spf-sfpplus2 if not relevant (not being used)
- then I see sfp-sfpplus1 is being used but no indication its a trunk port ( frame types or comment missing ) which is inconsistent from the other entries........
- why are you missing the /interface bridge vlan entry for consistency and clarity
/interface bridge vlan
add bridge=bridge tagged=ether1 untagged=ether4 vlan-id=2
- and which vlans going over ether3, or any others going over sfp-sfpplus1 ??

Why not use ntp from the main router as source so all attached devices are synced together?

A networking device can take various header fields of an Ethernet frame and of the packet it carries into account when making a decision where to forward that frame.

If it only chooses the output interface based on the destination MAC address and, possibly, VLAN ID of the incoming frame, it handles that frame as a bridge.

It it chooses the output interface based on the destination IP address (or any other part of the IP headers of the packet), it handles that packet as a router.

Any device that Mikrotik sells as a "switch" can do all bridging (forwarding based on destination MAC address) in hardware, i.e. without engaging CPU to handle every single frame. Many such devices can also do a good part of routing (forwarding based on destination IP address alone) in hardware - including the CRS326. But as soon as you want the routing to take something else than the destination IP address alone into account, the CPU has to get involved, so the throughput drops a lot as compared to the one provided by the "switch" chip alone.

A networking device can take various header fields of an Ethernet frame and the packet it carries into account to make a decision where to forward that frame.

If it only chooses the output interface based on the destination MAC address and, possibly, VLAN ID of the incoming frame, it handles that frame as a bridge.

It it chooses the output interface based on the destination IP address (or any other part of the IP headers of the packet), it handles that packet as a router.

Any device that Mikrotik sells as a "switch" can do all bridging (forwarding based on destination MAC address) in hardware, i.e. without engaging CPU to handle every single frame. Many such devices can also do a good part of routing (forwarding based on destination IP address alone) in hardware - including the CRS326. But as soon as you want the routing to take something else than the destination IP address alone into account, the CPU has to get involved, so the throughput drops a lot as compared to the one provided by the "switch" chip alone.

That is a great explanation (but makes the reader beg for more):

Rules:

Switching (not routing) is occurring when the bridge alone is involved and includes any of the following situations:
1) MAC address alone (not IP) determines output interface
2) Sometimes when VLAN ID of incoming frame determines output interface (I assume the "sometimes" depends on the vlan configuration of the device)

Routing (not switching) is occuring when IP address is used to determine output inteface except when the device can and does forwarding based on IP address in hardware (i.e, without involving the CPU).

Sounds like the key is whether the CPU is involved in determing the output interface of the frame, but that determining that is not so simple.

In short: any RouterOS device, which has more than a single IP address configured (used only for management), can eventually become a router.

So a switch should never have more than one IP address configured, if configuring additional IP address solves a traffic problem, it means that switch became a router.

How exactly is the routing done (either by general-purpose CPU or by capable switch chip) doesn't change the above description.
Routing in ROS is inherently CPU task and also with L3 switches it's not possible to ensure that all routing is indeed performed by switch chips.

https://www.spiceworks.com/tech/network ... vs-router/

Clues to you are routing.
-DHCP
-WAN and LAN
-NAT
-all subnets have an address
-need firewall rules (layer3)

Switch.....
Single Ip address provided to switch
setup is primarily about vlan traffic
only management or trusted vlan normally need be identified.
only management vlan-id is tagged for the bridge at /interface bridge vlan

This comment I found confusing.......
In this context, I have seen references to a determining factor being whether the CRS has an IP address assigned to it's bridge. ???????????

Why would any sane person attach an IP address to a bridge of powerful switch. Or to put it another way, why would a person have a flat network and spend this much money when a cheap un-managed switch would do.

I need more than clues

In the config, I use an OffBridge set up with DHCP. Does that mean that I'm using this a router? Does does it more precisely mean I am using this device as a routing only when a device is connected to ether24 and getting a DHCP-leased IP address?

That is, when we talk about a CRS being used a router (or as a switch) are we referring to it's totality or are we referring to the way it is handling the vast majority of the frames it passes?

When I menat by my confusing comment is simply that I have read in other threads that to use a CRS "as a switch" one must not assign an IP address to the bridge.

As for why any sane person would do that, I would start with one of my many favorite sayings "Never ascribe to malice that which can be explained by stupidity" and from it a derivation that substitutes "insanity" for "malice."

The example provided is a bit confusing.
- why include ports 5 through spf-sfpplus2 if not relevant (not being used)
- then I see sfp-sfpplus1 is being used but no indication its a trunk port ( frame types or comment missing ) which is inconsistent from the other entries........
- why are you missing the /interface bridge vlan entry for consistency and clarity
/interface bridge vlan
add bridge=bridge tagged=ether1 untagged=ether4 vlan-id=2
- and which vlans going over ether3, or any others going over sfp-sfpplus1 ??

Why not use ntp from the main router as source so all attached devices are synced together?

You know I am always truly grateful for the enormous amount of help you have provided to me, but my limited capabilities are focused here, in this thread, on understanding the config items that distinguish router versus switch use in a CRS.

We can definetly (with my appreciation) return to fixing (repeatedly) my config at a later time.

In short: any RouterOS device, which has more than a single IP address configured (used only for management), can eventually become a router.

So a switch should never have more than one IP address configured, if configuring additional IP address solves a traffic problem, it means that switch became a router.

How exactly is the routing done (either by general-purpose CPU or by capable switch chip) doesn't change the above description.
Routing in ROS is inherently CPU task and also with L3 switches it's not possible to ensure that all routing is indeed performed by switch chips.

A short post overflowing with fascinating information!

So now it sounds like whether a CRS is routing or not is not determined by whether the CPU is involved. I think that is what you mean by "how exaclty is the routing done (either by ...CPU or ... switch chip).

Sounds like there are different types of routing that is being done -- L2 vs. L3?

There are very many threads that involves people screaming at others that they are using the CRS as a router. I can understand (basically) the extreme examples of a CRS being used as an edge router with an Internet-connected WAN port and wireguard or multiple networks, etc.

I am trying to understand how to distinguish routing vs. switching in a more common use, such as when a CRS is connected to a 5009 handling VLAN traffic.

There are very many threads that involves people screaming at others that they are using the CRS as a router. I can understand (basically) the extreme examples of a CRS being used as an edge router with an Internet-connected WAN port and wireguard or multiple networks, etc.

I really struggle to understand the question, if any.

The CRS should be written as Cloud Router Switch.
I think that looking at its block diagram it is self-evident:
https://cdn.mikrotik.com/web-assets/pro ... 220921.png
And if you look at test results, the device can do Layer2 at 42,000+ Mbps and Layer3 bridging at 1100 Mbps and Routing at 270 Mbps.
So it is a switch with marginal routing capabilities.

You can use your Lamborghini Huracan as a golf cart , but would it be smart?

The distinction between bridging and routing indeed lays solely in what information is used to determine where to forward the frame/packet.

DHCP is not routing, any kind of VPN handling is not routing; even traffic filtering is, strictly speaking, not routing (you may filter bridged traffic and you may not filter routed traffic). NAT, on the other hand, is so tightly linked to routing that it can be considered part of it, but it is not always necessary.

Both bridging and routing can be done in hardware, but whilst for bridging it is considered nothing special, routing in hardware has some fancy names (like L3 HW) because the hardware chip needs to do way more than when it handles bridging, and the amount of functionality differs chip by chip.

Running DHCP on a switch won't slow down anything as DHCP is only handled now and then; any kind of handling every single packet of every single traffic flow is what matters.

There are very many threads that involves people screaming at others that they are using the CRS as a router. I can understand (basically) the extreme examples of a CRS being used as an edge router with an Internet-connected WAN port and wireguard or multiple networks, etc.

I really struggle to understand the question, if any.

The CRS should be written as Cloud Router Switch.
I think that looking at its block diagram it is self-evident:
https://cdn.mikrotik.com/web-assets/pro ... 220921.png
And if you look at test results, the device can do Layer2 at 42,000+ Mbps and Layer3 bridging at 1100 Mbps and Routing at 270 Mbps.
So it is a switch with marginal routing capabilities.

You can use your Lamborghini Huracan as a golf cart , but would it be smart?

I am not arguing or taking the position that the CRS can or should be used as a router.

My question can be reformulated or restated as: How to I ensure that a CRS ROS configuration is such that the CRS is used as a cloud router SWITCH?

My question can be reformulted or restated as: How to I ensure that a CRS ROS configuration is such that the CRS is used as a cloud router SWITCH?

The answer to that question has already come from @mkx - if everything works as required while there is only a single IP address up on the CRS326, it only acts as an (L2) switch because to act as a router, a device needs at least two IP addresses in different subnets.

My question can be reformulted or restated as: How to I ensure that a CRS ROS configuration is such that the CRS is used as a cloud router SWITCH?

The answer to that question has already come from @mkx - if everything works as required while there is only a single IP address up on the CRS326, it only acts as an (L2) switch because to act as a router, a device needs at least two IP addresses in different subnets.

Seems like the determination is more complex that whether whether the device has a single IP (other that an IP used for management purposes such as an OffBridge IP assignement and DHCP server).

Returning to the first post and the example I used (aside from any errors and omissions), it sounds like this configuration would be called a switch config for the CRS because:
1) Only a single IP address on the device
2) All frame output interface determinations are based on L2 data
3) VLAN routing is a handled by the bridge (and therefore a switching function).

Correct?

3) VLAN routing is a handled by the bridge (and therefore a switching function).

Switch doesn't do any routing ... and "VLAN routing" is either "routing" or "VLAN switching" (depending on the way you abuse phrase VLAN routing). If you're talking about the later, then switch chip (most of chips produced in last 20 years) does the switching and VLAN tags are considered when deciding about egress port. But that's widely considered as switching, not routing.

1) if a single IP address is sufficient for the device to do all what you want it to do, the davice acts as a bridge (switch). You may want to access it for management purposes using multiple IP addresses, but another own IP address must not be required to facilitate forwarding of packets/frames from one interface to another.
2) yes, but that's just another wording of 1)
3) explain what you mean by "VLAN routing". Routing packets from (a subnet in) one VLAN to (a subnet in) another VLAN? For that, you need a router. Bridging packets from one port to another while the source VLAN and destination VLAN is the same? That's bridging.

The common term is forwarding. Bridging or switching means L2 forwarding (MAC address based) and routing means L3 forwarding (IP address based).

Use: "VLAN routing" when frames pass between VLANs as well as between different IP subnets in different VLANs.

Use: "VLAN bridging" or "vlan switching" or "forwarding" when frames pass on the same vlan from one port to another.

Using RouterOS can be confusing at times no matter if you have previous experience from networking or not.

Common things to screw up is MLAG and VLAN/bridge configuration.

Personally I would have prefered if Mikrotik would do the approach of Arista and many others and have a common configuration (switchport mode access/trunk/hybrid along with switchport allowed vlan and switchport native vlan) on how to setup VLANs etc and then do the converting to Linux DSA in the background instead of exposing the DSA nightmare to the admins.

Thankfully SWOS exists for many of the CRS3xx devices so if you just need L2-switching I would recommend that (to begin with at least) over RouterOS.

Josephny,

Some network devices offer more funcionalities than the name suggest but it does not mean that you should use them as fully flagged services.
Routing in CRS line switches is available using ROS just for convenience. I would quote myself from : viewtopic.php?p=1138198#p1138198

You can use a pickup to occasionally transport a dozen bags of cement or a calf but when it comes to bigger tasks, you need proper track and maybe a trailer.

CRSs line should be called SCONSDR - Switch Capable Of Not So Demanding Routing. Even C = CLoud in the CRS line name is a little exaggerated.

For me the rule is simple: if the models' name contains the word "switch" then use it mainly as a switch. Period.

The CRS should be written as Cloud Router Switch.

That is indeed the problem, and by the way, you should note that ONLY one switch in the entire lineup uses the terms Cloud Router Switch and that is the CRS317 ( MT informed to remove). There are couple more that use the term Cloud Switch but most simply say Switch.

I think the problem is many sites like amazon embellish their advertising with incorrect verbiage.

Routers --> both bridge/switch and route have multiple IP addresses
Switches --> only bridge/switch have single IP address (for management of switch)
RoS Unique (confuses some) --> determines function by Software not by hardware.

You know I am always truly grateful for the enormous amount of help you have provided to me, but my limited capabilities are focused here, in this thread, on understanding the config items that distinguish router versus switch use in a CRS.

Sorry, you dont control the narrative in a public space LOL, aka if you post errors, I will point them out, easy solution, simply don't post errors !!

A router is a device that can forward packets based on layer3 information such as destination IP address.

A switch is a device that can forward frames based on layer2 information such as destination MAC address.

And then we have L3-switches (layer3-switches) who can do both (depending on how you configure them).

Nowadays to me a switch and L3-switch is often limited to just be able to deal with ethernet as the layer2 technology and for the case of L3-switch just IPv4 and IPv6 as layer3 technology.

While a router often is modular and can deal with other layer2 (and layer1) protocols such as SDH, DSL etc.

Both a router and a L3-switch can do static and dynamic routing (as in BGP, OSPF, ISIS) and tunneling such as GRE, VXLAN, MPLS etc. But a L3-switch is often (but not always) limited in the size of RIB (routing database) and FIB (forwarding database programmed in the switchchip based on content of RIB). As in a few tens of thousands of entries for a regular L3-switch (except for Arista and a few others) while a router often can do RIB/FIB's entries in the size of millions at once.

So in short router and switch today are same same but different.

While CRS aka Mikrotiks Cloud Router Switch is just some kind of broken marketing. We should be glad they didnt choose to include "AI" (or ML as in Machine Learning) in the naming aswell...

Cloud should be reserved for CHR software.

I am trying to understand exactly what configuration items determine whether a CRS326 (running ROS) is being used as a switch-only or as a switch-router.

(Note: Please try, if possible, to keep the explanations simple.)

The key to confidence in any area is understanding, so start there.

You need to understand the fundamentals before trying to learn the specific syntax of how to apply a concept to a specific situation.

"Give a man a fish and you feed him for a day. Teach a man to fish and you feed him for a lifetime"

I am sure I have recommended Ed Harmoush's Network Fundamentals and VLANs — Index to you in the past, but you probably think that it isn't worth your time trying to learn the fundamentals. It is well worth the time. Especially for someone that comes back to the forum for his daily fish so frequently.

Your questions are an indication of not understanding. So take the time to learn the fundamentals, then all the specific commands to implement things will start to make sense, whether you are working with MikroTik ROS, MikroTik SwOS, Cisco, Juniper, Ubiquiti, Netgear, TP-Link, ...

Remember, a switch (bridge) is a layer 2 device that only deals with mac addresses. A managed switch has a CPU in addition to a switch ASIC and that CPU can act as a "host" closely coupled to the switch. For example see this part of Everything Switches do - Part 2 - Networking Fundamentals - Lesson 4

A switch forwards ethernet frames within the same broadcast domain, a router forwards ip packets between separate ip networks (in different broadcast domains). A vlan-aware switch is similar to a Server in a datacenter that is running multiple "virtual machines" running on the same hardware. Just like virtual machines being kept separated from each other, traffic on one vlan is kept separate from the traffic on other vlans. To transport data from one vlan to another requires a router to move the data between the vlans. This is what is referred to as inter-vlan routing.

A vlan interace is just a "connection" between the routing block (implemented by the CPU, or possibly by an ASIC in a L3 switch) and a specific vlan in the switch.

If there is only a single ip address on the "host" within the managed switch, then it can't route traffic between networks; it can only be used to manage the switch. This does not mean that a vlan-aware switch can only be "connected" to a single network, just that a switch doesn't understand L3 things like ip addresses, only the management interface routing block understands ip addresses.

When you use a "dumb" switch, all it is aware of is the mac addresses. All the ip information is encapsulated in the "data" portion of the ethernet frame. That's why you don't need to configure anything on a "dumb" switch.

This is all covered in Ed Harmoush's Network Fundamentals and VLANs — Index

Suggest for fish --> https://guide.michelin.com/ca/en/new-yo ... k-new-york

I am sure I have recommended Ed Harmoush's Network Fundamentals and VLANs — Index to you in the past, but you probably think that it isn't worth your time trying to learn the fundamentals. It is well worth the time. Especially for someone that comes back to the forum for his daily fish so frequently.

Your questions are an indication of not understanding. So take the time to learn the fundamentals, then all the specific commands to implement things will start to make sense, whether you are working with MikroTik ROS, MikroTik SwOS, Cisco, Juniper, Ubiquiti, Netgear, TP-Link, ...

Remember, a switch (bridge) is a layer 2 device that only deals with mac addresses. A managed switch has a CPU in addition to a switch ASIC and that CPU can act as a "host" closely coupled to the switch. For example see this part of Everything Switches do - Part 2 - Networking Fundamentals - Lesson 4

A switch forwards ethernet frames within the same broadcast domain, a router forwards ip packets between separate ip networks (in different broadcast domains). A vlan-aware switch is similar to a Server in a datacenter that is running multiple "virtual machines" running on the same hardware. Just like virtual machines being kept separated from each other, traffic on one vlan is kept separate from the traffic on other vlans. To transport data from one vlan to another requires a router to move the data between the vlans. This is what is referred to as inter-vlan routing.

A vlan interace is just a "connection" between the routing block (implemented by the CPU, or possibly by an ASIC in a L3 switch) and a specific vlan in the switch.

If there is only a single ip address on the "host" within the managed switch, then it can't route traffic between networks; it can only be used to manage the switch. This does not mean that a vlan-aware switch can only be "connected" to a single network, just that a switch doesn't understand L3 things like ip addresses, only the management interface routing block understands ip addresses.

When you use a "dumb" switch, all it is aware of is the mac addresses. All the ip information is encapsulated in the "data" portion of the ethernet frame. That's why you don't need to configure anything on a "dumb" switch.

This is all covered in Ed Harmoush's Network Fundamentals and VLANs — Index

Thank you for your help.

I watched (not the first time) the practicalnetworking vlan videos yet again. And, yet again, I learned things.

I think that the comments here taken together with other forms of learning are useful and productive. I know I have learned and progressed a tremendous amount. It nonetheless saddens and frustrates me that I come across here as being either completely ignorant, or unwilling or unable to learn.

I wouldnt take forum responses personally, they are of no consequence. People here are free to speak their mind, sometimes its refreshing and eye opening and humbling.
I make posts based on what I know, and if someone better comes along, who actually knows their stuff, I am all the better for it.
(Except when they tell me capsman is wonnerful!!)
Be a sponge!! keep asking but dont have expectations on the quality or content of any response on a public forum.
One could say, grow a thicker scaly skin.
There are exceptions, look for the bird with the phallic appendage who is on a respectful/knowledge plane, that is in the stratosphere.........

Thank you anav!

I know very well that just about everyone is here to help others, and I try hard to keep that in mind, and appreciate it, with every post.

Being (too) introspective, I nonetheless question my own effort and capability sometimes. But, then, I press on.

The issue with Mikrotik thingies being that just when you think that you have understood something, namely the difference between switching and routing, and decided that inter-vlan is routing, someone comes out with the concept that inter-vlan routing can be configured as "almost switching" (thanks to L3HW), see this other thread, coincidentally about a CRS326:
viewtopic.php?t=216171
viewtopic.php?t=216171#p1138303

So besides "plain" switching and routing there can be either inter-vlan routing (slow via CPU) and inter-vlan almost switching (fast via the switch chip) on a CRS326 .

Switching is switching (happens on L2/MAC addresses) and routing is routing (happens on L3/IP addresses). Where the confusion starts is that people are used to L2 being handled by the hardware (=fast) and L3 being handled by the CPU (=slow). The newer ASICs MT uses in their switches can do L3 in hardware (with some caveats depending on the exact chip used) making it as fast as L2 handling is. It's still routing, though; there is no need to invent new terms for it.

Switching is switching (happens on L2/MAC addresses) and routing is routing (happens on L3/IP addresses). Where the confusion starts is that people are used to L2 being handled by the hardware (=fast) and L3 being handled by the CPU (=slow). The newer ASICs MT uses in their switches can do L3 in hardware (with some caveats depending on the exact chip used) making it as fast as L2 handling is. It's still routing, though; there is no need to invent new terms for it.

I know it is still routing, but *something* is needed to distinguish between slow (normal) and fast (L3HW), at the end of the day a same setup on supported models of switches (depending on how good at Mikrotik is the administrator) can have in practice very different performance.
"L3HW routing" would be fine as well , but it can be confusing, I invented the "almost switching" just for having it in the order of speed:
switching: very fast
routing: slow

Now we can have either:
switching:very fast
almost switching: fast
routing (plain): slow

or:
switching: very fast
LH3W routing: fast
routing (plain): slow
(it is much more correct theoretically, but it looks strange to me as LH3W routing is a subset of routing)

"L3HW routing" would be fine as well , but it can be confusing, I invented the "almost switching" just for having it in the order of speed:

But it's confusing ... as @mbovenka wrote: routing is routing bexause it's L3 function. And switching is switching because it's L2 function. And these definitions don't depend on swiftness of them getting done, caling them anything else causes confusion. So what do you call (CPU-bound) bridging: "almost routing"? Yes, it's better to say "HW routing" than "almost switching"... definitely less confusing for those who know the difference between switching and routing.

for those who know the difference between switching and routing.

All the 10 of them (that use binary) you mean?

Now, seriously, it only depends on each one's own way to make their mental maps of things.

The LH3W routing is logically a sub-division of routing, but it is much faster than its parent.

Somehow most users are aware of diffrences and feel them if it comes to picture & sound rendering done in software, hardware or mixed way.
Same differences apply to routing & switching. They could be done purely by software, hardware or mixed way.
Effects should be same despite the method but speeds are different

Smells like MT testosterone in here! ;-PP

I wouldnt take forum responses personally, they are of no consequence. People here are free to speak their mind, sometimes its refreshing and eye opening and humbling.
I make posts based on what I know, and if someone better comes along, who actually knows their stuff, I am all the better for it.
(Except when they tell me capsman is wonnerful!!)
Be a sponge!! keep asking but dont have expectations on the quality or content of any response on a public forum.
One could say, grow a thicker scaly skin.
There are exceptions, look for the bird with the phallic appendage who is on a respectful/knowledge plane, that is in the stratosphere.........

https://xkcd.com/386/