We have created a CRS feature description document that should clarify many things that the CRS can do, and how to do them:
http://wiki.mikrotik.com/wiki/Manual:CRS_features

We also have an example page here:
http://wiki.mikrotik.com/wiki/Manual:CRS_examples

We are still expanding and updating these documents, so please let us know what questions you have about the CRS, so we can answer them in the article updates later this week.

Thanks !!!

It'll be nice if you deploy one CRS as a demo system (similar to demo.mt.lv and demo2.mt.lv) so that the community can see what's the switch management looks like in the UI on a live system.

It'll be nice if you deploy one CRS as a demo system (similar to demo.mt.lv and demo2.mt.lv) so that the community can see what's the switch management looks like in the UI on a live system.

+1

It'll be nice if you deploy one CRS as a demo system (similar to demo.mt.lv and demo2.mt.lv) so that the community can see what's the switch management looks like in the UI on a live system.

+1

Regards,

It'll be nice if you deploy one CRS as a demo system (similar to demo.mt.lv and demo2.mt.lv) so that the community can see what's the switch management looks like in the UI on a live system.

+1

Regards,

Looking good. I think more examples... ... basic examples of what each setting does along with more descriptions. Also complex examples.

A comparison to the switch config for the RB2011 series would be helpful. For example on the RB2011 I would set the port to secure and then add the vlans to a table... how would I accomplish the same thing on the CRS.

Normis: Any help with http://forum.mikrotik.com/viewtopic.php?f=2&t=81327

Hello! The door insulation is not working in version 6.9, the isolation of active ports for level 1 (isolated) do logout mikrotik when it is back again at 0 (promiscuous).

(google translator)

What do you need to be able to direct console in to the crs?

Hello Folks!

The documentation is great, exept I do not understand what all stuff do, it is to deep down in layer 2 stuff, got to get a book and try translate it but had no time yet. Recommendation is to make a much more simple interface to deal with basic vlan, trunking, bonding, etherchannel etc. but I guess you like me, is very occupied with stuff and upper management asks for that and that all the time

Anyhow we tried everyting now, still the CRS leaks traffic and hence can not be put in to production.

I do not know to much about vlan and layer 2 stuff, but I have all the years being able handling the same on Cisco and HP switches without problems.

With everything means:
1. A brand new untouched CRS was taken ount from shelf.
2. All packages disabled: hotspot, mpls, ppp, routing, wireless.
3. The device was resetted fully with no scripts to be run at boot to configure it.
4. Mac address access to the device was performed
5. IP Settings was fully disabled, ip forward, send redirects, secure redirects, allow fast path.
6. dhcp client was enabled on ether1
Then the device as accessed using the dhcp address on ether1.

The device as then upgraded to RoS6.9 and step 3 -> 6 was repeated and we continued with below steps.

Following mikrotik examples by the book for CRS (http://wiki.mikrotik.com/wiki/Manual:CRS_examples) we put ether2 as "trunk port", by our understanding it will accept all ethernet traffic coming in or going out without exeptions like ALL VLANS trunk something. Must say I do not really understand point 9 below, how can the switch know that ether3 is belonging to vlan 200, does it come from sa-learning, what is that by the way ?

7. switchport ether2 was set as master for ether3
/interface ethernet set ether3 master-port=ether2
8. Tag all ethernet packages coming in to ether3 to vlan 200
/interface ethernet switch ingress-vlan-translation add port=ether3 customer-vid=0 new-customer-vid=200 sa-learning=yes
9. And the reverse, remove vlan tags for traffic going out on ether3.
/interface ethernet switch egress-vlan-translation add port=ether3 customer-vid=200 new-customer-vid=0

That wasnt to hard, now we connected the CRS ether2 to the trunk line containing very many vlans.
Last we connected one RedHat dhcp client to ether3, in a blink it got IP address from our dhcp server on vlan 200.

tcpdump was started on the RedHat dhcp client to see what is going on in vlan 200, sadly we saw a lot of arp requests and other oddities leaking from all other vlans. But it is isolated in some way, because we could not ping servers in other vlans that was not routed to vlan 200 from the RedHat client neither did we got any arp addresses from other vlans so that is positive.

We then went further trying to activate port isolation, but it goes back to promiscues all the time, not possible to change.

Am I doing somthing wrong in the setup ?

It could actually work this way, if it does not cause any conflicts and other oddities.
I would really like to throw out our slow Cisco switches and go gigabit now, also have noted the CRS does not consume by far as much energy as the cisco:s.

What do you experts say, is it safe to go into production with CRS at this stage if you can live with the little leakage ?
I have not experienced any port flapping etc or other problems in our environments for a very long time, and the few we had was sorted out by disabling snmp and the lcd display, and it was on CCR not CRS. Also our RB2011 has performed without any problems.

Hello Folks!

We then went further trying to activate port isolation, but it goes back to promiscues all the time, not possible to change.

We have the same problem in 6.9
MT team, it is bug? Will be fixed in 6.10?

For CRS units that were running a version in the 6.5-6.7 range, you need to do ONE of the following two steps in order to fix the port isolation:

1) Factory reset the unit, do not keep user configuration (obviously not suitable for units in the field)
2) Follow the instructions here: http://forum.mikrotik.com/viewtopic.php ... 00#p407466
-- Just in case the link dies:

[Resetting the unit] was only necessary for CRS125 to prevent speed issues and behaviour of a hub.
Alternatively you can enter this command:

Code: Select all

Code:

/interface ethernet switch port set [find] learn-restricted-unknown-sa=yes

Hello Folks!

CRS still leaks in RoS6.10, exactly like before.

Tested after resetting CRS, followed by the suggested steps in first mikrotik exampe port based.
For simplicity we used one "trunk port" ether2 and one "access port" ether3.
Running tcpdump on a redhat llinux based server connected to ether3 show arp requests from ALL vlans and other traffic.

Please, can anyone come up with a working non leaking example configuration, how to do it so to say, we badly need going gigabit now ?

Hello Folks!

CRS still leaks in RoS6.10, exactly like before.

Tested after resetting CRS, followed by the suggested steps in first mikrotik exampe port based.
For simplicity we used one "trunk port" ether2 and one "access port" ether3.
Running tcpdump on a redhat llinux based server connected to ether3 show arp requests from ALL vlans and other traffic.

Please, can anyone come up with a working non leaking example configuration, how to do it so to say, we badly need going gigabit now ?

This is not just a small bug . This is a huge security vulnerability . Mikrotik should inform users to don't use CRS in production .

Hello Folks!

CRS still leaks in RoS6.10, exactly like before.

Tested after resetting CRS, followed by the suggested steps in first mikrotik exampe port based.
For simplicity we used one "trunk port" ether2 and one "access port" ether3.
Running tcpdump on a redhat llinux based server connected to ether3 show arp requests from ALL vlans and other traffic.

Please, can anyone come up with a working non leaking example configuration, how to do it so to say, we badly need going gigabit now ?

This is not just a small bug . This is a huge security vulnerability . Mikrotik should inform users to don't use CRS in production .

Totally agree, CRS without normal documentation and VLAN operation, is useless. Now my two CRS125 will stand on a shelf until bugs are fixed and CRS is normally documented.

and CRS is normally documented.

the original topic in this post asks what features do you wish to be documented in more detail. the original post is about documentation!

Hello,

I just would like some more configuration examples such as a basic L3 switch with inter-VLAN routing. The way how a VLAN interface interacts with the switch is pretty unclear for me.

Thanks!

Finally we have our new CRS125-24G-1S-RM in our hands, but switch menu changed there is a menu about mirroring makes none sense it seems cpu is mirroring all traffic to one port.
I couldn't find examples and manuals in wiki can any one send a configuration example of where ether2 is fully mirrored to ether3 (ingress and egress) ?

Hello,

I just would like some more configuration examples such as a basic L3 switch with inter-VLAN routing. The way how a VLAN interface interacts with the switch is pretty unclear for me.

Thanks!

AFAIK you can only route via the embedded CPU, so inter-VLAN routing is achieved by switching the affected traffic through the 1G-CPU-Uplink, forwarding is then done in software and the packet is sent back though the same 1G-CPU-Uplink to the switching silicon. Besides MT claiming otherwise, the CRS isn't a L3 switch is a switch combined with a "router on a stick" in networkers terminology.

@timberwolf: I totally agree with you, it is not al true L3 switch, but however, some nice examples about L3 inter-VLAN routing would help. I have managed to do it myself, but I guess that others may find this very helpful, especially if we consider that this new switch chip is rather different from the previous ones.

Over on this thread is a very basic documentation discussion regarding the operation of the switch chip and the meaning of master and slave ports.

Normis, the vlan questions and issues that people are asking here are very important. I would suggest also that missing from the documentation is a clear, unambiguous, understandable description of the meaning of the master and slave designation.

Maybe this is clear to everyone else, but the questions on the post referenced above show that at least some users cannot understand how this supposed to work from the existing documentation.

Oh thank God it's not only me seeing that "leak"!
Using CRS ROS 6.11 - I'm not able to ping, but I can gladly see other MT on other VLAN's with WinBox, also sniffing traffic with Wireshark and I see it leaks traffic.

Seriously.... fucking great! ... I now have (yet again) 8 CRS that are useless

Oh thank God it's not only me seeing that "leak"!
Using CRS ROS 6.11 - I'm not able to ping, but I can gladly see other MT on other VLAN's with WinBox, also sniffing traffic with Wireshark and I see it leaks traffic.

Seriously.... fucking great! ... I now have (yet again) 8 CRS that are useless

Did you reset to defaults after upgrade to 6.10 or 6.11? ...

-Eric

Did you reset to defaults after upgrade to 6.10 or 6.11? ...

-Eric

upgraded firmware, and i always "system reset-configuration no-default=yes"

so by following: http://wiki.mikrotik.com/wiki/Manual:CRS_examples Port Based VLAN, If I connect to eth6 using wireshark, and connect another computer to eth7 I can see wireshark scrolling away.

Sigh. Thought they solved it. Maybe not

Sent from my SCH-I545 using Tapatalk

If I follow the example here: http://wiki.mikrotik.com/wiki/Manual:CRS_examples (Port Based VLAN) and trunk the two CRS, then on VLAN400 i connect a computer with WinBox, and after a while I can see the RB750 pop up in WinBox... - I cannot connect, but I can see it.
If I disconnect the trunk, and connect to VLAN400 on the CRS on the right side.... the WinBox issue won't appear.

Unless I have configured it wrong (following the tutorial), there are still issues...
...Any thoughts?

@trn76: using the same tutorial I have discovered that the access ports are still receiving tagged traffic from the trunk port. You can verify that for yourself by running a tcpdump -nei enX on the "access" port, you will be able to see the VLAN IDs affected as well.
I think that the approach described in the configuration example is far away from what is expected from a basic L2 switch, and I hope that this issue will be addressed soon by the dev team.

@trn76: using the same tutorial I have discovered that the access ports are still receiving tagged traffic from the trunk port. You can verify that for yourself by running a tcpdump -nei enX on the "access" port, you will be able to see the VLAN IDs affected as well.
I think that the approach described in the configuration example is far away from what is expected from a basic L2 switch, and I hope that this issue will be addressed soon by the dev team.

Yeah, that was my discovery too - Trunk is leaking somehow, like I said, if you disconnect the trunk the problem isnt there (no vlan <-> vlan leak on same CRS).
I've tried changing all kind of parameters, and no go.

@trn76: using the same tutorial I have discovered that the access ports are still receiving tagged traffic from the trunk port. You can verify that for yourself by running a tcpdump -nei enX on the "access" port, you will be able to see the VLAN IDs affected as well.
I think that the approach described in the configuration example is far away from what is expected from a basic L2 switch, and I hope that this issue will be addressed soon by the dev team.

Yeah, that was my discovery too - Trunk is leaking somehow, like I said, if you disconnect the trunk the problem isnt there (no vlan <-> vlan leak on same CRS).
I've tried changing all kind of parameters, and no go.

I just grabbed the latest beta which supposedly has a lot of fixes for the CRS. You may want to test that one.

Yeah, that was my discovery too - Trunk is leaking somehow, like I said, if you disconnect the trunk the problem isnt there (no vlan <-> vlan leak on same CRS).
I've tried changing all kind of parameters, and no go.

I guess that is due to the fact that the proposed approach is not a real VLAN encapsulation/decapsulation but a VLAN translation. I would expect a L2 switch to behave in a different manner, but the product is quite young too - perhaps we will see improvement soon.

@efaden: thanks for the heads up, I will give it a go (once I will figure it out how to download it).

I guess that is due to the fact that the proposed approach is not a real VLAN encapsulation/decapsulation but a VLAN translation.

There are always arguments about whether VLAN tagging or detagging is a decapsulation/encapsulation process. Cisco say it is and technically there is a good argument for saying that it is since the frame and FCS change.

So - if it was successfully VLAN tagging/detagging frames the CRS would be decapsulating/encapsulating as much as any other vendor would.

Agreed. But in the current CRS documentation the tagging/untagging is just a basic process of VLAN translation:
- Trunk port VID xxx mapped to Access port VID 0
- Access port VID 0 mapped to trunk port VID xxx

That allows all other tagged VIDs to be copied on the access port, and I think that's not what you'll expect at this level.

Agreed. But in the current CRS documentation the tagging/untagging is just a basic process of VLAN translation:
- Trunk port VID xxx mapped to Access port VID 0
- Access port VID 0 mapped to trunk port VID xxx

That allows all other tagged VIDs to be copied on the access port, and I think that's not what you'll expect at this level.

The VLAN table and such are getting fixed in 6.12... We'll have to wait until the documentation gets updated to see exactly how it all works.

From the descriptions above it sounds like it is the frame forwarding decisions/filters which are not operating as expected.

Since CRS is a switch and a router, I need the following scenario:

On CRS:
ether2-master is a trunk, allowed vlan id's: 100,101
ether3-slave is an access port, vlan100 untagged
CRS's router has vlan100 and vlan101 added on ether2
has IP 10.1.1.3/24 on vlan100

on Router2:
ether5 is linked to ether2 on CRS
on ether5 has vlan100 added (tagged)
has IP 10.1.1.1/24 on vlan100

PC (Windows)
has IP 10.1.1.2/24 on ether (untagged)
it's connected to ether3 on CRS

How to setup switch to get IP's 10.1.1.1, 10.1.1.2, 10.1.1.3 connected?

I've tried different configs using availble manual, but I've never managed to connect CRS with Windows in this scenario.

Post some exaple config, please.

Does anyone else have a feeling that switch chip configuration on CRS is overly complicated?
It looks like Mikrotik decided to expose as much of the switch programming to the end user as possible.
For instance, what's the purpose/benefit of exposing the ability to specify custom TPID values?

It could be useful in multi-vendor VLAN situations. Some other vendors do allow the TPID to be specified - often with some restrictions so you don't accidentally set it to something inappropriate.

is this a right place to ask if CRS is capable of trunk group (aka bondig) with LACP (or alike)?
if so, how?

is this a right place to ask if CRS is capable of trunk group (aka bondig) with LACP (or alike)?
if so, how?

I think all bonding/LACP uses the CPU.....

efaden: well, the port bridging (and filtering) can be done at CPU or switch-chip.

My question was: do the switch chip capable of port trunk group (aka bonding) with LACP?
of course, i wish to use ASIC in switch instead of, since the CPU is definitely NOT capable of bonding 2xGigE.

Seriously, these switches should never have been released. We've had a few for 6 months now, and they've never even been capable of functioning as basic switches. They're not even useful as paper weights because they aren't heavy enough.

We're throwing ours out, and we're def not going to try Mikrotik switches again or recommend them to any clients. It would have been way cheaper from the start to buy Juniper or Cisco considering the massive amount of time wasted on these...

No documentation, no functionality, no support. :/

How complete is the CRS functionality in the latest firmware? Is it able to perform all the basic functions of a VLAN capable switch at this point?

Thanks

Seriously, these switches should never have been released. We've had a few for 6 months now, and they've never even been capable of functioning as basic switches. They're not even useful as paper weights because they aren't heavy enough.

We're throwing ours out, and we're def not going to try Mikrotik switches again or recommend them to any clients. It would have been way cheaper from the start to buy Juniper or Cisco considering the massive amount of time wasted on these...

No documentation, no functionality, no support. :/

Please put them on ebay and PM me your name on there. I'll buy them off of you (depending on how many you have). If no ebay, let me know.

Seriously, these switches should never have been released. We've had a few for 6 months now, and they've never even been capable of functioning as basic switches. They're not even useful as paper weights because they aren't heavy enough.

We're throwing ours out, and we're def not going to try Mikrotik switches again or recommend them to any clients. It would have been way cheaper from the start to buy Juniper or Cisco considering the massive amount of time wasted on these...

No documentation, no functionality, no support. :/

The first ones were sold as pre-production test units, that was made clear. But now with software upgrades they have been made fully functional. Did you see our latest newsletter? It clarifies all the new features we have added to CRS: http://download2.mikrotik.com/news_58.pdf

Any estimate on when the wire speed IP forwarding will be implemented?

Seriously, these switches should never have been released. We've had a few for 6 months now, and they've never even been capable of functioning as basic switches. They're not even useful as paper weights because they aren't heavy enough.

We're throwing ours out, and we're def not going to try Mikrotik switches again or recommend them to any clients. It would have been way cheaper from the start to buy Juniper or Cisco considering the massive amount of time wasted on these...

No documentation, no functionality, no support. :/

The first ones were sold as pre-production test units, that was made clear. But now with software upgrades they have been made fully functional. Did you see our latest newsletter? It clarifies all the new features we have added to CRS: http://download2.mikrotik.com/news_58.pdf

Normis: Why are the ACLs only on the 226?

Hello Folks!

Thanks MT support!
Now the CRS is very useful for us, we did get it working with our classic trunklines and classic access ports, see here for more information abot that: http://forum.mikrotik.com/viewtopic.php?f=3&t=78797 (bottom of link).

There are some remaining questions, how does the switchchip deal with spanning tree and broadcast storms, split horizons etc. I guess many is of these nice to have things is upcoming so to say.

We will put one CRS in production, we had one as a pure switch in production since they came out here in Sweden, that one did work well from start.

However, it now finally work, no leakage between vlans as far we can see.

Hello,

Just wanted to report that with 6.15 CRS becomes perfectly useable.
Thanks for your efforts!

Hi all,

I hope someone could point me to right direction on how to solve my problem.

I have a CRS125-24G-1S, firmware version 3.12, RouterOS 6.15

I wanted to implement InterVLAN routing and I followed http://wiki.mikrotik.com/wiki/Manual:CR ... AN_Routing

The problem is that on access port I receive tagged packets. So for example if I plug a PC to the access port and I try to ping the router I can see ARP replies coming back from the router but they are tagged.

Why packets on access port are coming from the router tagged? How to solve this issue?

Thanks,

Kamil

Hello Folks!

I need to put up CRS125 switch in a datacenter to replace a bunch of cisco2960 switches, they are connected in a circle's and some other in meshes.

How do I activate spanning tree in them ?

As far as I know, you can't use any STP on a CRS unless you use software bridges, which you for sure don't wan't to.

As far as I know, you can't use any STP on a CRS unless you use software bridges, which you for sure don't wan't to.

I solved it by circle the switches an putting in two cisco switches in the circle that can do STP, no loops all looking good so far.

Ok, I understood that CRS don't implement STP protocol in native feature. But ... what is the best way for use STP with CRS ?

Just create a bridge interface and add master port? Please, help me.

Is anyone doing a bit more with a CRS than what you would do with a managed switch ?

I'm trying something very basic like putting a DHCP client on a VLAN and don't get it working because the CRS is not untagging traffic on the ports (which is just a simple concept of an access port).

If someone is willing to have a look at this issue... it is discussed here http://forum.mikrotik.com/viewtopic.php?f=13&t=89595 (sorry it took some time to notice that my PC wasn't capturing VLAN info).

Is anyone doing a bit more with a CRS than what you would do with a managed switch ?

I'm trying something very basic like putting a DHCP client on a VLAN and don't get it working because the CRS is not untagging traffic on the ports (which is just a simple concept of an access port).

If someone is willing to have a look at this issue... it is discussed here http://forum.mikrotik.com/viewtopic.php?f=13&t=89595 (sorry it took some time to notice that my PC wasn't capturing VLAN info).

Maybe this can help you:

http://forum.mikrotik.com/viewtopic.php?f=13&t=83333

Look at my post at the end of the thread...

does anyone has tested QinQ application using this CRS? If any it will be great to share the configuration

does anyone has tested QinQ application using this CRS?

I'm rather interested if any CRS can tunnel VLANs in QinQ-VLANs at line-speed, including 10G for the SFP+ models.

Hello Folks!

Now one year with CRS as a pure switch in pair with CCR1016, works just nice.

(Well the CCR1016 has had some problems, suddenly ports stop working and ipsec tunnel dies afer some months uptime, and the whole device need to be restarted.)

Two months plus using CRS125 as vlan switches with trunks and access ports, no problems except lacking RSPT rapid spanning tree. Otherwise fine.

There seems to be a lot of options that don't have documentation. I'm requesting clarification on two.

Under Bridge Ports, these two are vague or undocumented:
Edge - not much detailed info
Point To Point - Y/N/Auto is the only thing that I can find. OK. Need more than that as I would say that 1 cable plugged in to the port and connected to another is always PTP.

Thanks

Hello
when we do the config on Cisco SW there is 3 option you can choose between them for each Vlan and Ethernet
1- Trunk
2- Access
3- Voice

i look at the CRS125 its don't have these 3 option is there any way can MikroTik can add them or there is anther way that MikroTik SW CRS125 work

for example if i config one of the Ethernet port to two different Vlans (( VOIP & Internet Access ))
and connect the IP Phone to this Ethernet and from the IP Phone to the PC the way in Cisco SW each device should work for the specific Vlan that should work on it
but in CRS125 this way dosnt work its keep working on one Vlan and i need to make it work on two different Vlans on the same Ethernet ........

wait for reply

Dear All,

Can somebody please advise how the egress VLAN tag works when the switch is in service-vid bridge mode ?

As I cannot see any difference in frames captured leaving the interface if I enable / disable the following :
(none of the tags have changes)

Thank you.

As far as I know, you can't use any STP on a CRS unless you use software bridges, which you for sure don't wan't to.

I haven't found any evidence of Spanning Tree except for bridging.

+1 for Rapid STP in switching on the CRS. Love the CRS but need some loop prevention.

Hello!

I've completely lost in CRS QoS concepts. Could anybody help me, please?

I have CRS226-24G-2S+ with 2 VLAN in it (10 and 20). Now I use it as a media-converter - so I have 1 10G connections and bonding with 4 1G connections, both in trunk mode with 802.1Q marked VLANs 10 and 20.

Somehow the switch has made dynamic ingress VLAN translation rules and all MACs are seeable in VLAN 4091 only, but it works, so I think it's something about internal technology of bonding.

But now I need to limit ingress and egress bandwidth to 100Mbps for one of that VLANs (20) on 10G connection and keep VLAN 10 without any limit. Is it possible? If so - could you give me some hints of configuration?

As I understand, both shapers and ingress port policers work only with physical ports, so I can't limit only one VLAN in trunk this way.

Thanks,
Valery

Update on Rapid Spanning Tree for the CRS. We spent the week in Miami with MikroTik as exhibitors at the 10th anniversary USA MUM and were able to get a lot of insight into current development and projects at MikroTik.

After talking with several of the staff at MikroTik, RSTP is in development right now on the CRS, but they are having some stability issues and are trying to work through that, so it is definitely coming.

Not sure if it will be part of a v7 release or not but it looks like it will be this year if all the bugs are worked out.

would it be possible to separate the documentation into v5 and v6? There are a lot of command differences between them and mixing them into same docs is confusing. On top of that all the examples given are for v5 which make it harder for v6 users to get familiar with CRS.

I have been trying to weeks to try to configure something simple like simple queue but way unable to get it working. I tried with and without mangle but both doesn't work. The documentation and examples are not helping as they were designed for v5.

All I wanted to do is simple queue to rate limit bandwidth by port. For eg, rate limit apply for port 80 and 443 only. The reset will have unlimited bandwidth. Right now I cannot even get any packets into the queue.

Also, in CRS docs, there are mention of 3 types of queue. But it is not expanded on how these queue works and whats the difference between queue in CRS and in simple queue/tree queue.

I have been searching this forum and online but documentation is quite lacking. Sorry if I there are proper docs that I might have missed.

All I wanted to do is simple queue to rate limit bandwidth by port. For eg, rate limit apply for port 80 and 443 only. The reset will have unlimited bandwidth. Right now I cannot even get any packets into the queue.

Also, in CRS docs, there are mention of 3 types of queue. But it is not expanded on how these queue works and whats the difference between queue in CRS and in simple queue/tree queue.

i think the confusion started with marketing statements from mikrotik about CRS series establishing it as a layer 3 switch.

In networking a layer 3 switch its a layer 2 switch with some layer 3 capabilities at wire speeds like routing build in in hardware ASIC.

CRS is NOT a layer 3 switch

CRS is a layer 2 switch plus a router (600mhz single core cpu 128 mb ram) embedded in for management purposes, that explains why newer and powerfull CRS 2xx has a lower performance router (400mhz), its only for management purposes.

of course we can take advantage of the embedded router capabilities, but taking in account the limited performance of router functionalities.

With this in mind we must focus efforts on exploiting hardware switch capabilities, that is the purpose of CRS series, provide a layer 2 switch alternative to compliment the existing router products.

Examining CRS switching capabilities, the potential its awesome, i am impressed with the pool of extensive options avaliable to use, practically mikrotik exposes all switch chipset capabilities to the delight of networking engineer.

Its necessary to work documenting this huge capabilities in especific escenarios to make the CRS a practical solution.

I think important points to do this are:
Do not try to do with switch the work suited for a router
Do not try to do witch router the work suited for a switch.
Concentrate efforts on Switch capabilities, (switch menu on winbox) use the other funtionalities only for device management purposes.

I personally have verified following mikrotik CRS examples on version 6.27 and works as expected:
Port Based VLAN
Mac Based VLAN
Port Level Isolation
Protocol Level Isolation

Thats a start to replace other vendor switches with CRS.

take in count CRS miss some key market functionalities:

802.1x authentication
STP and RSTP for loop prevention.
Link Aggregation compatible with other vendors (LACP)
ACL (on CRS 1xx is not supported)

QoS are extensive but its totally different from router os queue tree and simple queue strategies
QoS on hardware switch of CRS its based on industry commonly known as hierarchical modular qos which is widely documented from mayor vendors of the industry.

exploiting CRS huge switching functionalities requires study but the reward its huge, getting provider class functionalities with a 200US switch its simply a win win

If you are new to the switching topic you must familiarize with that, manageable switches are different in purpose and capabilities from routers, and in many cases mikrotik users are very familiar with routers but not manageable switches.

Any plans to introduce support for MST and LACP?

Hello Folks!

I need to put up CRS125 switch in a datacenter to replace a bunch of cisco2960 switches, they are connected in a circle's and some other in meshes.

How do I activate spanning tree in them ?

sorry no stp support on crs

Please provide some clarification on the following statement.

Note: Multiple master-port configuration is designed as fast and simple port isolation solution, but it limits part of VLAN functionality supported by CRS switch-chip. For advanced configurations use one master-port within CRS switch chip for all ports, configure VLANs and isolate port groups with port isolation profile configuration.

Please provide some clarification on the following statement.

Note: Multiple master-port configuration is designed as fast and simple port isolation solution, but it limits part of VLAN functionality supported by CRS switch-chip. For advanced configurations use one master-port within CRS switch chip for all ports, configure VLANs and isolate port groups with port isolation profile configuration.

short answer:

dont use multiple master ports

short answer: don't use multiple master ports

Using multiple master ports will create port isolation groups automatically (marked as default), so I neither understand why is this bad. I was experimenting much and it seems there are still some bugs here - sometimes adding and removing will mess up and reboot is needed. Documentation should clarify more details.

LACP/LAG is a common feature in switchs... but it is not hardware implemented now, and a poor 400Mhz CPU is not enough...

Is there some date for this??

All,

The Cloud Router Switch is very nice. Being able to do mac based vlans or protocol vlans is an awesome feature that requires a certain level of complexity. However, the vlan implementation when trying to do simple tagging and untagging or trunk ports is, well, just the worst. Even with examples shown in documents it is challenging and tedious at best and near impossible at worst. It would be very nice to have a wizard to assist with the vlans. RouterOS makes vlans much easier to understand but I have to build bridges which means I can not get non-blocking throughput because bridges use the CPU.

I have to admit that I avoid using mikrotik switches in situations that require even the most basic vlan configuration due to how complicated it is. It would be very nice to get a wizard or a simplified menu.

Thanks.

All,

The Cloud Router Switch is very nice. Being able to do mac based vlans or protocol vlans is an awesome feature that requires a certain level of complexity. However, the vlan implementation when trying to do simple tagging and untagging or trunk ports is, well, just the worst. Even with examples shown in documents it is challenging and tedious at best and near impossible at worst. It would be very nice to have a wizard to assist with the vlans. RouterOS makes vlans much easier to understand but I have to build bridges which means I can not get non-blocking throughput because bridges use the CPU.

I have to admit that I avoid using mikrotik switches in situations that require even the most basic vlan configuration due to how complicated it is. It would be very nice to get a wizard or a simplified menu.

Thanks.

i think mikrotik have to take more seriously the CRS topic

maybe an update to mikrotik training/certification curriculum to include CRS training and knowledge will help

Would love to see an example of how to rate-limit clients on a specific VLAN. I've got multiple wireless AP's that carry several VLANs, and would like to implement rate-limiting at the switch rather than at the router, but only on a specific VLAN. The rate-limiting would need to apply to each client on the VLAN in question, rather than limiting all traffic for that VLAN on that port.

I'm using Ubiquiti AP's, but their rate-limiting module hurts overall throughput, even on non-rate-limited SSIDs, so I want to set the rate-limiting up on the switch so as not to affect non-throttled SSIDs.

Nice...

Hi Mates

Here i am sharing my query regarding CRS hope if you can help me.

Last few days i am chasing mikrotik support but still dint' get luck, query is like this.


Ether - 24 - TRUNK = vlan 30 should be allowed (directly connected to Cisco switch trunk port)

Ether 1 to 10 - VLAN 30.
here every thing is working fine but all PC behind ether 1 to 10 getting internet connection and without single drop but only issue is i am receiving VLAN1 flapping warning msg in Cisco switch and can't ping managment trunk ip address of vlan1.

Thanks
Abbas

i am receiving VLAN1 flapping warning msg in Cisco switch and can't ping managment trunk ip address of vlan1.

can you post the errmsg on the cisco side?

Hi
Thanks for response

What if want to createT TRUNK between Cisco 2960 switch and mikrotik crs125-24g-1s-2hnd-in,



Cisco 2960
#switchport mode trunk
#no shut

VLAN 1 -192.168.200.0/24 - Management ip address.


mikrotik crs125-24g-1s-2hnd-in

Ether 24 trunk.
Ether 24 - IP address 192.168.200.100/24 (I dont' have any idea here)
default gateway - 192.168.200.1

Ether 1- VLAN 126
Ether 2- 10 VLAN 30


/interface ethernet
set ether1 master-port=ether24
set ether2 master-port=ether24
set ether3 master-port=ether24
set ether4 master-port=ether24
set ether5 master-port=ether24
set ether6 master-port=ether24
set ether7 master-port=ether24
set ether8 master-port=ether24
set ether9 master-port=ether24
set ether10 master-port=ether24

TRUNK PORT
/interface ethernet switch egress-vlan-tag add tagged-ports=ether24,switch1-cpu vlan-id=30 add tagged-ports=ether24 vlan-id=126


ACCESS PORT
/interface ethernet switch ingress-vlan-translation add customer-vid=0 new-customer-vid=30 ports=\
ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,switch1-cpu \
sa-learning=yes
/interface ethernet switch ingress-vlan-translation add customer-vid=0 new-customer-vid=126 ports=\
ether1,switch1-cpu \
sa-learning=yes




NOTE:

Problem is i can access see access and trunk configuration is working perfectly.
but issue is i can't access 192.168.200.100 (mokrotik switch IP address) from cisco network .

I can't ping vlan1 trunk ip address of Mikrotik switch.


Please explain where i am doing wrong.



Thanks
Abbas

This product and related documentation are given under a permit understanding containing limitations on use and exposure and are ensured by licensed innovation laws. But as explicitly allowed in your permit understanding or permitted by law, you may not utilize, duplicate, replicate, interpret, telecast, adjust, permit, transmit, disseminate, show, perform, distribute, or show any part, in any structure, or by any methods. Figuring out, dismantling, or decompilation of this product, unless required by law for interoperability, is disallowed.