
vlan bridge (new way) HW offload and performance

Posted: Tue Aug 13, 2019 4:41 pm
by toxicfusion
Hello,

I know it has been mentioned here and also in some snippets on the MikroTik Wiki... I have some existing RB2011s out in the field in production. I have a client (decent-sized network, 4 switches attached to the RB2011).

Using the RB2011 as router-on-a-stick, or functioning as a collapsed core (the RB2011 has all VLANs and trunk ports). Each switch connects back into an Ethernet port on the router, that way switches are not in tandem and not daisy-chained...

RB2011 performance is now terrible, as there is no more HW offload and it relies on the CPU. Not extremely terrible, but the CPU takes a pounding at times and wire speed is less.

What is recommended upgrade path from RB2011?

Or should I go back and use switch-chip VLAN configuration? Use switch1 (ports 1 - 5) and configure these with the appropriate VLANs. But what about tagged/untagged on the same port (trunk)? Or should I use multiple bridges and multiple VLAN interfaces (same VLAN ID, but different name and port assignment)?

as eth1 goes to a managed switch (i.e. vlan100, vlan200, vlan300)
eth2 same
eth3 - unmanaged switch, untagged vlan300
eth4 - unmanaged, same
eth5 - tagged and untagged (going to an AP with SSIDs configured for VLANs on the guest SSID). Noticed this was the one taking a big hit... So had to move it to an actual network switch.

Looking for alternatives on these 'older' devices for slightly larger SMB networks. Meaning, how can I configure the same port (trunk) with untagged/tagged on the same port?

Is the RB1100ahx2 even an option for HW offloading, or still a switch chip limitation?? I hate to have to spend money on the CCR series -- I can just sell the client a Fortigate 60E and be done, for that matter.

Re: vlan bridge (new way) HW offload and performance

Posted: Tue Aug 13, 2019 4:49 pm
by toxicfusion
By the way - I see the RB4011 and RB1100ahx4 obviously share the same ARM CPU, and the block diagram shows HW acceleration... is this ONLY for IPsec, or does this mean HW acceleration on Ethernet for wire speed? If so, perhaps the RB4011 is an upgrade path over the RB2011.

Re: vlan bridge (new way) HW offload and performance

Posted: Tue Aug 13, 2019 10:52 pm
by sindy
block diagram shows HW acceleration... is this ONLY for IPSec, or this mean HW acceleration on ethernet for wirespeed? If so, perhaps the RB4011 is an upgrade path over RB2011.
The switch chips used in the 4011 are not VLAN-aware and don't support hardware rules so if you need L2 traffic to be hardware-accelerated and VLANs to be used, a 3011 may be a better choice as it has two VLAN-aware chips with hardware rules (a slower CPU with just 2 cores but still with hardware acceleration of IPsec). In either case, L2 traffic between hosts connected to different switch chips is bridged via the CPU so you have to bear this in mind when designing/configuring your network.

Re: vlan bridge (new way) HW offload and performance

Posted: Wed Aug 14, 2019 3:37 am
by anav
Sindy, is that true for the RB4011 and, I think, my RB450Gx4? I thought the issue was that MikroTik has not programmed such capability into the OS for specific modern routers. The RB450Gx4 has great specs and should be able to do such neat tricks. :-(

Re: vlan bridge (new way) HW offload and performance

Posted: Wed Aug 14, 2019 5:19 am
by Sob
RB4011 and RB450Gx4 have different switch chips, see here. According to that page, the switch chip in your RB450Gx4 does support HW VLANs, while the one in the RB4011 doesn't (although that might not be entirely true).

Re: vlan bridge (new way) HW offload and performance

Posted: Wed Aug 14, 2019 5:05 pm
by toxicfusion
block diagram shows HW acceleration... is this ONLY for IPSec, or this mean HW acceleration on ethernet for wirespeed? If so, perhaps the RB4011 is an upgrade path over RB2011.
The switch chips used in the 4011 are not VLAN-aware and don't support hardware rules so if you need L2 traffic to be hardware-accelerated and VLANs to be used, a 3011 may be a better choice as it has two VLAN-aware chips with hardware rules (a slower CPU with just 2 cores but still with hardware acceleration of IPsec). In either case, L2 traffic between hosts connected to different switch chips is bridged via the CPU so you have to bear this in mind when designing/configuring your network.
Could you further elaborate? Are you mentioning this fact in case one was to use the interface switch config (switch chip config method)? Or in regards to the new bridge VLAN config way?

Which would be best on either the 3011 or 4011 model? Or is it a fact that the RB4011 has no proper VLAN switch chip, so I am forced to use the new bridge VLAN way (which makes the config more readable)? If that is true, would the 4011 offer faster performance over a 3011 running the switch chip VLAN method? Or is it a fact that the 4011 with bridge VLAN will still not be HW accelerated and have slower wire speed than the 3011?

I'm confused with the RB4011 mentioning a HW Accelerated CPU, so this must only be for IPsec traffic? Or what about the bridge VLAN traffic being pumped into the CPU since the switch chip isn't VLAN aware like the RB3011's? This is my confusion....

Are we to assume the RB3011 would offer better VLAN-aware wire-speed performance over the RB4011 due to the RB3011 having a VLAN-aware switch chip and it being an ASIC?

Re: vlan bridge (new way) HW offload and performance

Posted: Wed Aug 14, 2019 5:19 pm
by anav
RB4011 and RB450Gx4 have different switch chips, see here. According to that page, switch chip in your RB450Gx4 does support HW VLANs, while the one in RB4011 doesn't (although that might not be entirely true).
Not quite... I don't have HW offloading in my setup as the router is incapable of it...
https://wiki.mikrotik.com/wiki/Manual:I ... Offloading
Clearly states VLAN bridge filtering is something it doesn't do??

So with a single bridge and VLANs, it's all software, not hardware????

Re: vlan bridge (new way) HW offload and performance

Posted: Wed Aug 14, 2019 6:31 pm
by toxicfusion
Maybe Normis or another from MT can chime in to clarify...

So if it's ALL software, it'll hammer or leverage the CPU... the RB4011 has an ARM processor, so is it negated performance-wise? Or is there a significant performance boost in, say, the RB3011 with the VLAN-aware switch chip ASIC (the ASIC being faster than the CPU???)

Re: vlan bridge (new way) HW offload and performance

Posted: Wed Aug 14, 2019 6:38 pm
by sindy
Could you further elaborate? Are you mentioning this fact if one was to use the interface switch config (switch chip config method?). Or in regards to the new bridge vlan config way?
I am mentioning this fact because "hardware acceleration" of L2 forwarding actually means letting the switch chip do the forwarding between devices connected to its ports. However, probably for cost reasons, Mikrotik often uses two chips with 5 Ethernet ports and additional internal ports rather than a single one with 8 or 10 Ethernet ports, and the internal ports of these chips are only used to connect each chip to the CPU, not the two chips to one another. So if you need to forward a frame from one switch chip to another, the only available path is via the CPU, so via software.

It doesn't depend on whether you use the /interface ethernet switch menu or not. If you are happy with a single VLAN, you can use a single bridge with vlan-filtering switched off and hardware acceleration enabled under /interface bridge port. When you do that, hardware accelerated forwarding is used whenever possible, i.e. between ports of the same switch chip. If you need VLAN tagging and untagging on ingress/egress, with 3011 you can choose whether to configure it using the /interface ethernet switch tree (with some limitations but faster) or using /interface bridge vlan-filtering=yes which means that all L2 forwarding, including between two ports of the same switch chip is done in software (so the frames have to go to the CPU and back); with 4011, you only have the second option.

Which would be best on either 3011 or 4011 model? Or is it fact RB4011 has no proper VLAN switch chip so am forced to use the new bridge vlan way (makes config more readable). If that is true, would the 4011 offer faster performance over a 3011 running switch chip vlan method? Or fact the 4011 with bridge vlan will still not be HW accelerated and slower wire speed over the 3011?
Which one is better depends on the task. If you do mostly routing and IPsec, take the 4011; if you want L2 forwarding in hardware and you need VLAN handling, take the 3011; if you want L2 forwarding in hardware and VLAN handling and MSTP, take a CRS3xx but you have to complete it with the 4011 or a hAP ac2 to have a decent routing and IPsec as the CPU of the CRS (which does the routing) is as weak as the one in the 2011.

I'm confused with the RB4011 mentioning HW Accelerated CPU, so this must only be for IPSec traffic? Or what about the bridge vlan traffic being pumped into the CPU since the switch chip isnt vlan aware like the RB3011. This is my confusion....
Yes, HW acceleration with regard to CPU means HW accelerated encryption. HW accelerated L2 forwarding is automatic when there is a switch chip, but the VLAN and MSTP requirements have a different impact depending on switch chip model.

Are we to assume the RB3011 would offer better vlan aware wire-speed performance over the RB4011 due the the RB3011 having vlan aware switch chip and it being an ASIC?
As said above - yes, under particular conditions. The 3011 allows more complex L2 tasks than the 4011 without losing wire speed, but it is limited here as compared e.g. to the CRS3xx product line.
And neither the 3011 nor the 4011 gives you more than 1 Gbit/s per direction between the switch chips due to the available bandwidth of the internal ports of the switch chips.

Re: vlan bridge (new way) HW offload and performance

Posted: Wed Aug 14, 2019 7:05 pm
by toxicfusion
@Sindy - Thank you, great explanations and breakdown! You're always great at laying it out.

I do more of a collapsed core configuration for most SMB networks. Some clients require an IPsec tunnel between offices. Other clients are single location and I'll do an EoIP tunnel to my NOC router to perform network monitoring etc. 99% of the time the routers will be configured for internet routing, DHCP, DNS, VLANs, router hardening filter rules, lists, and some mangle for QoS (VoIP).

Usually it's an MT router (core) and then 1-3+ switches directly connected to the MT router. I do not daisy-chain switches. I used to always do link aggregation (802.3ad) to a single switch hanging off the MT, but there's not much benefit for these SMB networks.

Also I've yet to try link aggregation with VLANs using the bridge VLAN filtering method... Unsure if possible?! I've not seen any examples of said config. I'm certain this will just induce more stress on the CPU as it's all handled by software.

I have an RB2011 in the field that I upgraded/migrated to the bridge VLAN filtering method; it was straightforward... But due to the complexity of the network, number of VLANs and traffic, the CPU tends to get hammered. Wanted to upgrade to an RB3011, but the client wouldn't let me (didn't want to pay).

I probably should do the switch chip VLAN method on that particular client's RB2011 to gain back performance? I didn't realize there would be such a penalty, as I was under the impression the bridge VLAN filtering method was the 'new way' and the old one was going to be sunset.

Re: vlan bridge (new way) HW offload and performance

Posted: Wed Aug 14, 2019 7:09 pm
by sindy
@anav,
So with a single bridge and vlans, its all software not hardware????
A single bridge and VLANs can still use hardware forwarding if you don't need to tag and untag the frames or filter them by VLAN ID as they ingress and egress. So if the same VLAN is untagged on all ports and you don't mind that all tagged frames can get from any port to any other one, you can still have a HW-accelerated bridge and VLANs at the same time, and you can access these VLANs from the CPU. But VLAN manipulation/filtering during forwarding between Ethernet ports is a different story.

Re: vlan bridge (new way) HW offload and performance

Posted: Wed Aug 14, 2019 7:16 pm
by toxicfusion
So confusing, as the block diagrams of the RB3011 and RB4011 both show switch chips.

The RB3011 states ports 6-10 are 2Gb/s aggregated... but ports 1-5 show the same 1Gb/s links to each CPU... sigh.

Also one is Realtek vs QCA. So you just have to know which is 100% VLAN capable within the switch chip itself and not using software.

Need answers from MT as to whether they will sunset / remove the 'switch menu' VLAN config options. I'm perhaps naive to that configuration, as I'm still unsure how to have access ports and tagged ports (VLAN native trunk), i.e. an untagged VLAN and a tagged VLAN on the same port(s) when using the switch menu VLAN setup. The bridge VLAN filtering method makes it easy.

Also I know that anytime you put VLANs into a bridge port, they're untagged. So maybe I just answered my own question, as it would be switch menu VLAN configs and then put those into a bridge port [bridge port to IP interface and DHCP interface(s)].

Re: vlan bridge (new way) HW offload and performance

Posted: Wed Aug 14, 2019 7:24 pm
by sindy
I use to always do link aggregation (802.3ad) to a single switch hanging off the MT, but not much benefit for these SMB networks.
Well, link aggregation is always done in software unless we talk about CRS (maybe even CRS3xx). And if the member links are 1 Gbit/s ones, the only benefit is redundancy, because the CPU lane of the chip is typically just 2 Gbit/s per direction, so a single pair of aggregated 1 Gbit/s links consumes it completely, i.e. no point in using it for L2 forwarding.

Also I've yet to try link aggregation with vlans using the bridge vlan filtering method..... Unsure if possible?! I've not seen any examples of that said config. I'm certain this will just induce more stress on CPU as its all handled by software.
These are distinct layers. One possibility is to use a bond for all VLANs, another possibility is to use MSTP and operate the links as separate ones instead of bonding them together, where you can set different link weights and priorities for each MST(P) instance. So when everything is fine, one group of VLANs uses one link and another group of VLANs uses the other one; if one of the links fails, all VLANs start using the remaining one. But again, unless we talk about CRS3xx, MSTP disables wirespeed forwarding.

I probably should do switch chip vlan method on that particular clients RB2011 to gain back performance? I didnt realize be such a penalty as was under impression the bridge vlan filtering method was the 'new way' and old was going to be sunset.
I was hoping this would happen the "soft" way where the switch chip's VLAN filtering capabilities would be automatically configured via the /interface bridge menu to the extent possible for that particular switch chip type, so you would not need the /interface ethernet switch menu at all, but this has only been done on the CRS3xx (so far?).

So yes, you can configure the switch chips in the 2011, just bear in mind that ether6-ether10 use 8227 which cannot handle hybrid ports - it's either access or trunk (and, as stated multiple times, there is no direct path between the switch chips).

Re: vlan bridge (new way) HW offload and performance

Posted: Wed Aug 14, 2019 7:33 pm
by sindy
as still unsure how to have access ports and tagged ports (vlan native trunk). Ie: untagged vlan and a tagged vlan on same port(s) with using the switch menu vlan setup. The bridge vlan filtering method makes it easy.

also I know that anytime put vlan's into a bridge port - they're untagged. So maybe just answered my own question, as it would be switch menu vlan configs and then put those into a bridge port [bridge port to IP interface and DHCP interface(s)]
8327 and 8337 use the default-vlan-id parameter of a port to define the access VLAN for that port in both directions. Although it is a common way of thinking that when a frame travels between two access ports of the same VLAN, it gets tagged on ingress and untagged on egress, the actual behaviour is such that an untagged ingress frame only gets tagged if the default-vlan-id of the destination port is different; if it is the same, the frame doesn't get tagged. And it doesn't matter whether the destination port is an Ethernet or internal (CPU) one. Don't ask me what happens when a frame needs to be broadcast because the dst MAC is not yet learned :)
8227 behaves somewhat differently, so while it can tag ingress frames, it cannot untag them on egress depending on VID; it either untags all or none, hence no hybrid ports are possible.

Re: vlan bridge (new way) HW offload and performance

Posted: Thu Aug 15, 2019 12:06 am
by ksteink
Hi there, related to your questions, let me try to address them, as today I have 2 L2 access switches connected to my RB2011 with 2 VLANs.

What is recommended upgrade path from RB2011?
--> Answer: There are multiple ways to configure VLANs on a MikroTik. To keep it simple for you we have to separate them into 3 categories:

(1) VLANs configured at the router chip (software based): This is the most universal way to configure VLANs, but you will be forcing the routing chip to behave as an L3 switch with inter-VLAN routing. This method works on any MikroTik device (switch or router alike) and requires you to configure 1 VLAN in a separate bridge (1 VLAN = 1 bridge).

(2) VLANs configured at the switch chip for the RB series: This is the recommended path for your setup, in which you configure all your VLANs in 1 single bridge interface and with that you will be enabling your switch chip. The RB2011 has two switch chips (AR8327 for the Gigabit interfaces, or ports SFP, 1 to 5, and AR8227 for the Fast Ethernet interfaces, or ports 6 to 10). These chips are VLAN aware and you can do HW off-loading for your inter-VLAN routing inside of the only 1 bridge interface. You can check this on the block diagram of your RB2011: https://i.mt.lv/cdn/rb_files/Block-RB2011UAS-2HnD.pdf

Other models like the RB4011 have a poor switch chip and have fewer switching capabilities compared with the RB2011 and the RB3011.

Last but not least, please consider that even though your RB2011 has a better switch chip than other more recent RB models like the RB4011, it's not a full switch. That means if you enable some specific features such as IGMP snooping or VLAN filtering, all the HW off-loading will be disabled automatically, so be aware of what features you need vs the penalty of not being able to get wire speed here.

The way I learned how to configure VLANs with HW off-loading using the switch chip on my RB2011 was through this Wiki: https://wiki.mikrotik.com/wiki/Manual:S ... p_Features

(3) VLANs configured at the switch chip for the CRS series: These are MikroTik's switch line and they have Gen 1.x / 2.x and Gen 3.x. Gen 3.x will get you all available features at wire speed, including VLAN filtering, IGMP snooping etc. Similarly for non-RB devices there are 2 links that provide input on how to configure VLANs with HW off-loading on CRS 1.x/2.x Gen and CRS 3.x.

Link for how to configure VLANs with HW off-loading for CRS 1.x/2.x --> https://wiki.mikrotik.com/wiki/Manual:C ... es#Summary
Link for how to configure VLANs with HW off-loading for CRS 3.x --> https://wiki.mikrotik.com/wiki/Manual:C ... s#Features


Or should I go back and use switch-chip VLAN configuration? Use the switch1 (ports 1 - 5) and configure these with appropriate vlans. But what about tagged/untagged on same port (trunk)? Or should I use multiple bridges and multi-vlan interfaces (same vlan ID, but different name and port assignment)?

--> As you have an RB2011 and you want to use VLANs with HW off-loading, your only option is to go with Category 2 above. That means a single bridge interface with all the VLANs configured at the switch level, and yes, it supports trunk ports with tagged and untagged (I have it configured that way at home).

as eth1 goes to a managed switch (i.e. vlan100, vlan200, vlan300)
eth2 same
--> You need to configure these 2 Ethernet ports as trunk ports for the 3 VLANs on your Eth1 and Eth2.

eth3 - unmanaged switch, untagged vlan300
eth4 - unmanaged, same
--> You need to configure these ports as access ports with untagged VLAN300, and this VLAN will be propagated to the unmanaged switch ports.

eth5 - tagged and untagged (going to an AP with SSIDs configured for VLANs on the guest SSID). Noticed this was the one taking a big hit... So had to move it to an actual network switch.
--> Same setup as your Ether1 and Ether2, where you need to configure the port as a trunk port. Also you need to configure your WAP to match each SSID to the corresponding VLAN ID.

Looking for alternatives on these 'older' devices for slightly larger SMB networks. Meaning, how can I configure the same port (trunk) with untagged/tagged on the same port?
--> I did create this configuration, which I tested on a couple of RBs including my RB2011, that goes aligned with Category 2 using the switch chip and follows the guidelines for HW off-loading on RBs with a switch chip:

/interface bridge
add name=bridge protocol-mode=none

# hw=yes keeps forwarding between ports of the same switch chip in hardware
/interface bridge port
add bridge=bridge interface=ether2 hw=yes
add bridge=bridge interface=ether3 hw=yes
add bridge=bridge interface=ether5 hw=yes

# L3 VLAN interfaces on the bridge; tagged frames reach them through switch1-cpu
/interface vlan
add interface=bridge name=VLAN100 vlan-id=100
add interface=bridge name=VLAN200 vlan-id=200

/ip address
add address=192.168.90.1/24 interface=VLAN100
add address=192.168.91.1/24 interface=VLAN200

/ip pool
add name=POOL100 ranges=192.168.90.100-192.168.90.200
add name=POOL200 ranges=192.168.91.100-192.168.91.200

/ip dhcp-server
add address-pool=POOL100 disabled=no interface=VLAN100 name=DHCP100
add address-pool=POOL200 disabled=no interface=VLAN200 name=DHCP200

/ip dhcp-server network
add address=192.168.90.0/24 dns-server=8.8.8.8 gateway=192.168.90.1
add address=192.168.91.0/24 dns-server=8.8.8.8 gateway=192.168.91.1

# switch VLAN table: member ports per VLAN ID, including the CPU port
/interface ethernet switch vlan
add ports=ether2,ether5,switch1-cpu switch=switch1 vlan-id=100
add ports=ether3,ether5,switch1-cpu switch=switch1 vlan-id=200

# ether5 = trunk (tags on egress); ether2/ether3 = access ports (untag on egress,
# default-vlan-id assigns the VLAN to untagged ingress frames)
/interface ethernet switch port
set ether5 vlan-mode=secure vlan-header=add-if-missing
set ether2 vlan-mode=secure vlan-header=always-strip default-vlan-id=100
set ether3 vlan-mode=secure vlan-header=always-strip default-vlan-id=200

In this configuration example Ether5 is the trunk port that will pass VLAN 1 (untagged and default configuration), VLAN 100 and VLAN 200. It's assumed here that you have a bridge configured with no VLANs and a valid address pool (i.e. 192.168.88.0/24) and you want to add these 2 new VLANs (100 and 200) on top of VLAN 1.

Also consider that Ether2 will be an access port on VLAN 200 (any device connected to this port will be on VLAN 200, but for the endpoint it will be untagged, as typically these devices don't read VLAN tags) and Ether3 will be the same but on VLAN 300. Ether5 will be the trunk port and the rest of the ports (Ether4 for example) will be on VLAN 1.

Also consider that you need to repeat this configuration for the Fast Ethernet ports if you want them configured as well, but instead of switch1 you need to change it to switch2.

Good luck!
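To make the switch-chip semantics in ksteink's config (and sindy's note on when an untagged frame gets tagged) concrete, here is an added model in Python. It is not MikroTik code and not from this thread; it is a simplified reconstruction from the posts of how an AR8327-style chip classifies and tags frames under vlan-mode=secure, vlan-header and default-vlan-id, and it assumes the unconfigured ports (ether4, switch1-cpu) sit at vlan-mode=disabled, vlan-header=leave-as-is, default-vlan-id=1. The MAC table and flooding are not modelled; the caller names the candidate egress ports.

```python
"""Simplified model of AR8327-style switch-chip VLAN handling in RouterOS.

Constructed example for this thread, not MikroTik code. Models only the knobs
used in ksteink's config (vlan-mode=secure, vlan-header, default-vlan-id, the
/interface ethernet switch vlan table) plus sindy's description of when an
untagged ingress frame is tagged on egress. All of it is an assumption
reconstructed from the posts, not the chip's data sheet.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

CPU = "switch1-cpu"  # internal port towards the RouterOS CPU / bridge


@dataclass(frozen=True)
class Port:
    name: str
    vlan_mode: str = "disabled"       # "disabled" (no table checks) or "secure"
    vlan_header: str = "leave-as-is"  # always-strip | add-if-missing | leave-as-is
    default_vlan_id: int = 1          # VID given to untagged ingress frames (PVID)


@dataclass(frozen=True)
class Egress:
    port: str
    vid: Optional[int]  # None means the frame leaves untagged


class SwitchChip:
    def __init__(self, ports: List[Port], vlan_table: Dict[int, Set[str]]):
        self.ports = {p.name: p for p in ports}
        self.vlan_table = vlan_table  # vid -> member ports

    def _member(self, port: str, vid: int) -> bool:
        return port in self.vlan_table.get(vid, set())

    def forward(self, in_port: str, wire_vid: Optional[int],
                out_ports: List[str]) -> List[Egress]:
        """What leaves each candidate egress port for one ingress frame.
        wire_vid is the 802.1Q VID on the wire (None == untagged)."""
        src = self.ports[in_port]
        vid = wire_vid if wire_vid is not None else src.default_vlan_id
        # secure mode: drop frames whose VID is not allowed on the ingress port,
        # e.g. a tagged frame for another VLAN arriving on an access port
        if src.vlan_mode == "secure" and not self._member(in_port, vid):
            return []
        out: List[Egress] = []
        for name in out_ports:
            if name == in_port:
                continue
            dst = self.ports[name]
            if dst.vlan_mode == "secure" and not self._member(name, vid):
                continue  # egress port is not a member of this VLAN
            if dst.vlan_header == "always-strip":
                out_vid = None                 # access port: untag on egress
            elif dst.vlan_header == "add-if-missing":
                out_vid = vid                  # trunk port: always tagged
            elif wire_vid is not None:
                out_vid = wire_vid             # leave-as-is, arrived tagged
            else:
                # leave-as-is, arrived untagged: per sindy's description the
                # tag is only added when the egress port's default-vlan-id differs
                out_vid = None if dst.default_vlan_id == vid else vid
            out.append(Egress(name, out_vid))
        return out


def ksteink_switch1() -> SwitchChip:
    """switch1 as in ksteink's config; ether4 and the CPU port use assumed defaults."""
    ports = [
        Port("ether2", "secure", "always-strip", 100),
        Port("ether3", "secure", "always-strip", 200),
        Port("ether4"),
        Port("ether5", "secure", "add-if-missing", 1),
        Port(CPU),
    ]
    table = {100: {"ether2", "ether5", CPU}, 200: {"ether3", "ether5", CPU}}
    return SwitchChip(ports, table)


def access_to_trunk_and_cpu() -> List[Egress]:
    # untagged host frame on ether2 -> tagged 100 on the trunk and towards the CPU
    return ksteink_switch1().forward("ether2", None, ["ether5", CPU])


def trunk_to_access() -> List[Egress]:
    # VID 200 from the trunk -> only ether3, untagged; ether2 is not a member
    return ksteink_switch1().forward("ether5", 200, ["ether2", "ether3"])


def tagged_frame_on_access_port() -> List[Egress]:
    # a frame tagged 200 arriving on access port ether2 is dropped by secure mode
    return ksteink_switch1().forward("ether2", 200, ["ether3", CPU])


def untagged_on_trunk() -> List[Egress]:
    # untagged frame on ether5 is classified into VID 1, which has no table entry
    return ksteink_switch1().forward("ether5", None, ["ether4", CPU])


if __name__ == "__main__":
    for fn in (access_to_trunk_and_cpu, trunk_to_access,
               tagged_frame_on_access_port, untagged_on_trunk):
        print(fn.__name__, fn())
```

Two things the model makes visible: vlan-mode=secure is what stops a tagged frame for VLAN 200 that arrives on access port ether2 from ever being forwarded, which is why it is worth keeping on every access port; and because VLAN 1 has no entry in the switch VLAN table, the model drops untagged frames on the secure trunk ether5, so whether the native VLAN actually passes on that port is something to verify on the device (or cover with a vlan-id=1 table entry) before relying on it.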

Re: vlan bridge (new way) HW offload and performance

Posted: Thu Aug 15, 2019 12:35 am
by toxicfusion
@ksteink

WOW - awesome, thank you for such a big breakdown and config examples. I appreciate this.

Will inter-VLAN routing work by 'default' when configuring the switch chip in this manner? Or will I need IP route rules? As in some cases, some of the VLANs need to be able to reach each other; for others, obviously, such as 'guest' networks, I can create a firewall filter rule based on an access list that associates with VLAN(s) to drop said traffic into the interface.

What about untagged/tagged on the same port? Such as VLAN native 100, tagged 200, 300... that way the default PVID is set to 100 and untagged. Is this set on the network interface itself for the PVID setting, or left alone?

Right now the RB2011 is using the new bridge VLAN filter method... I found it straightforward to reconfigure. Prior there weren't as many VLANs until after I migrated to the "new" method, as their network grew. Added IP-CCTV and a networked audio system. With this config of 'bridge vlan filter enabled' I'm not seeing HW offload being enabled on the bridge or ports; which is known when using this method as it's software.

I might reconfigure that router to use the switch chip method. Ports 6-10 will not be used as they're only 100Meg. Typically on my RB2011s that are in the field, I designate these 6-10 ports for WAN connection(s). The majority of ISPs are not offering above 100Mbps service. Or maybe it's just best to migrate to the RB3011 series and have more CPU processing power at hand and keep the configuration the same. Perhaps that is the goal of the MikroTik team - throw CPU power at it to achieve wire speed?

Re: vlan bridge (new way) HW offload and performance

Posted: Thu Aug 15, 2019 12:57 am
by toxicfusion
This wiki which was posted earlier was helpful: https://wiki.mikrotik.com/wiki/Manual:S ... p_Features

Amazing how MikroTik used the best switch chips in the prior RB1100ahx2 model, and for the RB1100ahx4 (new) they used a less VLAN-capable switch chip! Sigh... I loved the 1100ahx2 model, deployed many. Also recently deployed a new ahx4, but used the new bridge VLAN filter method.

Appears the QCA8337 and A8327 are the 'best', and the Atheros8316 is an OK option.

So it must be that with the new ARM-based CPUs, MikroTik's logic is to use CPU cycles/power in order to process packets at near wirespeed???

Re: vlan bridge (new way) HW offload and performance

Posted: Thu Aug 15, 2019 1:36 am
by ksteink
@ksteink

WOW - awesome, thank you for such big break down and config examples. I appreciate this.
--> My pleasure, and I'm glad that you found my insight here useful. It took me a while, with a lot of trial and error and reading, to understand it the way I share it with you, and I want to contribute to the rest of the community as they have helped me in the past directly and indirectly :).
Will inter-vlan routing work by 'default' when configuring the switch chip in this manner? Or will I need ip route rules? As in some cases, some of the vlans need to be able to reach each other, others obviously such as 'guest' networks I can create a firewall filter rule based on access-list that associates with VLAN(s) to drop said traffic into interface.
--> Yes, it works by default. As you add the VLAN interfaces and configure IP addresses on each VLAN interface, the router becomes aware of all these subnets as they are "directly and virtually" attached. When you apply your configuration all the VLANs will be able to see each other. If you want to block one like Guest you need to add firewall rules to block those specific VLAN subnets.
What about untagged/tagged on same port. Such as vlan native 100, tagged 200, 300.. that way default PVID is set to 100 and untagged. Is this set on the network interface itself for PVID setting, or left alone?
--> Tagged and untagged on the same port is the concept of a trunk port. So in my example the untagged one is always VLAN 1 and the tagged ones are VLANs 200 and 300 configured on Ether5.
Right now the RB2011 is using the new bridge vlan filter method... I found it straight forward to reconfigure. Prior there wasnt as many VLANS until after I migrated to the "new" method, as their network grew. Added IP-CCTV and audio networked system. With this config of 'bridge vlan filter enabled' I'm not seeing HW offload being enabled on the bridge or ports; which is known when using this method as its software.
--> Correct, if you can live without VLAN filtering you gain HW offloading. If you need VLAN filtering you will lose wire speed anyway and your router chip will be the bottleneck here. If this is a strong requirement it is better to consider a CRS 3.x that allows VLAN filtering without impacting the HW off-load / wire speed. If you don't need it then yes, you need to reconfigure your VLANs following the switch chip guidelines (Category 2) aligned to your desired use cases / configuration.
I might reconfigure that router to use the switch chip method. Ports 6-10 will not be used as they're only 100Meg, Typically on my RB2011's that are in the field, I designate these 6-10 ports for WAN connection(s). Majority ISP not offering above 100Mbps service. Or maybe just best to migrate to RB3011 series and have more CPU processing power at hand and keep the configuration the same. Perhaps that is the Goal of Mikrotik team - throw CPU power at it to achieve wire speed?
--> If you don't touch ports 6 to 10 then by default they will remain on VLAN 1. If your switching needs are basic, the RB2011 or RB3011 will work just fine with HW off-loading. In my case, after all this learning curve, I want more and to be able to do inter-VLAN filtering at wire speed for segmenting IoT networks from my internal network, as an example.

So my new personal standard is to go from now on with a CRS3.x as the Layer 3 switch for inter-VLAN routing and an RB as the edge router to connect my WAN, like the hEX S, hAP ac2 or even the RB4011. The RB has to support IPsec HW acceleration so VPN performance is also good, and I get the best of the 2 worlds (all switch features for VLANs and all routing features including VPNs). Sadly MikroTik doesn't have a product that combines the best of these 2 worlds (L3 switch + IPsec HW acceleration router) in a single product.

Good luck!!

Re: vlan bridge (new way) HW offload and performance

Posted: Thu Aug 15, 2019 5:21 pm
by toxicfusion
@ksteink - thank you, again!

I may consider your approach of an RB as the router for WAN outbound and termination point, and then an MT switch for inter-VLAN traffic and rules. I assume you're more into core + access layer style network designs? From the MT CRS switch you do an IP route 0.0.0.0/0 to the IP of the upstream MikroTik RB router? Not all SMB networks need that core + access style design. Most of the time I've always just done a router-on-a-stick design with the router as core and then trunked/linked to the access switch.

Router (GW) >> CORE (MikroTik CRS switch) >> ACCESS (downstream L2/L3 switch) >> Devices.

The core switch has all your VLANs and trunks down to the access layer switch(es). The core switch has a single uplink port to your RB gateway device.

Re: vlan bridge (new way) HW offload and performance

Posted: Fri Aug 16, 2019 6:41 pm
by ksteink
@ksteink - thank you, again!

I may consider your approach of an RB as the router for WAN outbound and termination point, and then an MT switch for inter-VLAN traffic and rules. I assume you're more into core + access layer style network designs?
--> Correct, I go with a dedicated router at the edge and a core / access approach if I need to get full switching and routing features.
From the MT CRS switch you do an IP route 0.0.0.0/0 to the IP of the upstream MikroTik RB router?
--> What I do is create all my internal VLANs for all my access layer switches on the CRS. Between the edge router (RB) and the core switch (CRS) I create a point-to-point link, and in order to do that what I do is the following:

- I create a new VLAN on the CRS on the uplink interface that I will use to connect to the edge router (RB).
- This VLAN interface on the CRS will be configured as an access port, so on the RB I don't have to deal with VLANs and we use VLAN 1 on the RB, as those are typically not aware / fully capable of managing VLANs at wire speed.
- On the edge router (RB) I just keep the native VLAN and define a subnet that is the same as the one I create for the CRS transit VLAN, but with a different IP of course.

So to answer your question: yes, from the core switch (CRS) --> edge router (RB) I have a default route (0.0.0.0/0) pointing to the LAN IP of the edge router on the transit VLAN that I have created for this uplink interconnection. Reciprocally, on the edge router I need a route (static or dynamic) pointing to the CRS for the subnet(s) of the access VLANs (or the overall subnet of the location).

Not all SMB networks need that core + access style design. Most of the time I've just done a router-on-a-stick design with the router as core and then trunked/linked to the access switch.
--> Agreed, and that depends on your business / technical requirements and desired use cases and features. An RB with a capable switch chip can do router-on-a-stick, but be aware that it will never have all the features that a CRS will provide. So if you have a clear understanding you can define the desired components.
Router (GW) >> CORE (MikroTik CRS switch) >> ACCESS (Downstream L2/L3 switch) >> Devices.
--> Correct. Router (L3 GW) --> Core Switch (L3 CRS switch with all the VLANs) --> Access Switches (downstream L2 switches) --> Devices
Core switch has all your VLANs and trunks down to the access layer switch(es). Core switch has a single uplink port to your RB gateway device.
--> Correct, and yes, a single up-link from the CRS to the RB gateway, unless you want to add redundant core switches and redundant RBs with redundant internet circuits and add the spice of dealing with VRRP.
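The transit-VLAN interconnect described in the post above, written out as RouterOS CLI. This is an added example, not configuration posted by ksteink or anyone else in the thread; interface names, VLAN IDs and all addresses (VLAN 999, 10.255.255.0/30, 10.100.0.0/24, 10.200.0.0/24) are constructed assumptions.

```routeros
# ---- CRS (core switch, RouterOS mode, bridge VLAN filtering) ----
# Assumed layout: ether1 = uplink to the RB, ether2 = trunk to an access switch.
/interface bridge
add name=bridge1 vlan-filtering=no
/interface bridge port
# ether1 is an access port carrying only the transit VLAN, untagged
add bridge=bridge1 interface=ether1 pvid=999
# ether2 carries the access VLANs tagged down to the access layer
add bridge=bridge1 interface=ether2
/interface bridge vlan
# bridge1 must be a tagged member so the CRS itself can have an IP in each VLAN
add bridge=bridge1 vlan-ids=999 untagged=ether1 tagged=bridge1
add bridge=bridge1 vlan-ids=100,200 tagged=ether2,bridge1
/interface vlan
add name=vlan999-transit interface=bridge1 vlan-id=999
add name=vlan100 interface=bridge1 vlan-id=100
add name=vlan200 interface=bridge1 vlan-id=200
/ip address
add address=10.255.255.2/30 interface=vlan999-transit
add address=10.100.0.1/24 interface=vlan100
add address=10.200.0.1/24 interface=vlan200
/ip route
# default route towards the RB's side of the transit /30
add dst-address=0.0.0.0/0 gateway=10.255.255.1
# enable filtering last, after the VLAN table is complete, to avoid locking yourself out
/interface bridge set bridge1 vlan-filtering=yes

# ---- RB (edge router): no VLAN handling, plain IP on the LAN-facing port ----
# Assumed: ether2 on the RB is cabled to ether1 on the CRS.
/ip address
add address=10.255.255.1/30 interface=ether2
/ip route
# return routes for the access subnets that live behind the CRS
add dst-address=10.100.0.0/24 gateway=10.255.255.2
add dst-address=10.200.0.0/24 gateway=10.255.255.2
```

On the CRS, `/interface bridge port print` should show the `H` (hardware offload) flag on both bridge ports once filtering is on; if it is missing, the L2 forwarding between ether1 and ether2 is being done by the CPU rather than the switch chip.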

Re: vlan bridge (new way) HW offload and performance

Posted: Wed Aug 21, 2019 9:01 pm
by toxicfusion
Correct. Router (L3 GW) --> Core Switch (L3 CRS switch with all the VLANs) --> Access Switches (downstream L2 switches) --> Devices
Core switch has all your VLANs and trunks down to the access layer switch(es). Core switch has a single uplink port to your RB gateway device.
--> Correct, and yes, a single up-link from the CRS to the RB gateway, unless you want to add redundant core switches and redundant RBs with redundant internet circuits and add the spice of dealing with VRRP.

Again, Thank you!

Going to make the assumption you're running the CRS in "RouterOS" mode? As it appears SwOS is only Layer 2 mode and has no Layer 3 for an IP route 0.0.0.0/0 back to the Edge Router (RB) device?

Very cost-effective L3 switch... Now if ONLY MikroTik released a 48-port PoE L3 switch =)

Re: vlan bridge (new way) HW offload and performance

Posted: Sat Aug 31, 2019 6:04 pm
by ZiadZone
So to answer your question: yes, from the Core Switch (CRS) --> Edge Router (RB) I have a default route (0.0.0.0/0) pointing to the LAN IP of the Edge Router on the Transit VLAN that I have created for this uplink interconnection. Reciprocally, on the Edge Router I need a route (static or dynamic) pointing to the CRS for the subnet(s) of the Access VLANs (or the overall subnet of the location).
Thank you ksteink for this great and clear explanation of static routing between two MTs :)
I just want to make sure of this point: do I have to set an IP subnet on a VLAN interface for the CRS (or RB2011 in my case, which will do the VLAN switching traffic)
in order to get full wire speed on the point-to-point link with the edge router?
I mean, what if I just configure an IP subnet on a physical interface on both MTs and do the static routing configuration?

Re: vlan bridge (new way) HW offload and performance

Posted: Sat Aug 31, 2019 11:51 pm
by sindy
I just want to make sure of this point: do I have to set an IP subnet on a VLAN interface for the CRS (or RB2011 in my case, which will do the VLAN switching traffic)
in order to get full wire speed on the point-to-point link with the edge router?
I mean, what if I just configure an IP subnet on a physical interface on both MTs and do the static routing configuration?
It only makes sense to think about wirespeed when forwarding frames on L2 from one interface of a device to another; in this case, "wirespeed" means switching and "CPU speed" means bridging. If you route via an interface, it's always CPU speed. So if you have two devices in the same VLAN and IP subnet, each connected to a different port of a 2011, it only depends on what you do on the 2011 whether the 2011 itself will forward between the devices using its switch chips or using its CPU. If the 2011 itself doesn't need to talk with any of the devices, it doesn't need an /interface vlan in that VLAN at all. If the 2011 is actually one of the two devices which talk to each other, there is no wirespeed to talk about.

Re: vlan bridge (new way) HW offload and performance

Posted: Sun Dec 15, 2019 6:29 pm
by solmel
@ksteink,
thank you so much. I really appreciate your effort to share what you know. I really appreciate it. Your explanation is so understandable that I spend more time reading your comments.
I am new to MikroTik routers. I just started reading.
I have two questions:
1) As I understand it, 'switch1-cpu' is a port between the switch and the CPU. But what is the difference between it and the bridge interface? I couldn't visualize it.
2) Where have the ether1 and wlan interfaces gone in your configuration? They are not in the bridge, are they? What would happen if we bridge wlan with other physical and virtual interfaces? VLANs route to each other using the IPs of the VLAN interfaces. But what is the bridge interface for? Of course, you didn't include it in your configuration.
3) The bridge contained interfaces like ether2 and ether3 and VLANs 100, 200, but ether2, for example, is in VLAN 100. What is this redundancy for? I know there is something I do not understand. That is what I am looking for...
4) What should we do if we include IoT networks?

Once again thank you so much.