Switching with RouterOS / CRS Questions
Posted: Fri Jul 19, 2013 9:34 pm
by barkas
The announced CRS is to be the first real switch from Mikrotik. Unfortunately RouterOS switching support is very limited at the moment.
On select models with specific switch chips (mostly Atheros 8327 and 8316), VLAN Trunking and VLAN Access Ports are supported.
The most glaring omission is any sort of spanning tree support for switching - spanning tree is only supported for bridges, if poorly - only stp and rstp are supported, no mst or pvst / rapid-pvst.
Also, no port channels or any of the other nice features we have come to expect from managed switches, even if it's the low cost stuff from netgear.
That raises some questions:
- Is CRS with the present software support useable for the enterprise scenarios we have become used to using routerboards for?
- Is extended switching support planned for future RouterOS releases?
- Was CRS delayed because of this - can we hope for better switching support with the CRS release?
Re: AW: Switching with RouterOS / CRS Questions
Posted: Thu Oct 24, 2013 12:59 am
by barkas
I have to bump this now that crs seems to be here.
So what is the functionality of this?
Re: Switching with RouterOS / CRS Questions
Posted: Thu Oct 24, 2013 1:08 am
by cheeze
So, just to add some info here. PVST is Cisco proprietary. Other vendors (Juniper) do it also (they call it Virtual Spanning Tree or VSTP) but they have to license that crap out. Not sure Mikrotik wants to do that. I don't blame em either. You shouldn't expect PVST. I can understand expecting MST though. Even then though, who REALLY uses RSTP in large networks. Not really anyone (if they have sense in actually designing a scalable network). For what it's worth, it's NOT worth having layer 2 be anything past the access layer....and even then I personally recommend going layer 3 right down to the access layer.
From what I've seen so far.....if I remember right.....the RouterOS supports port channels/LAGs/LACP bundles/port aggregation here.
Re: AW: Switching with RouterOS / CRS Questions
Posted: Thu Oct 24, 2013 9:15 am
by barkas
Ok, the first question here, is CRS a router or a switch?
In my opinion, it's a switch, the CPU is much too weak for so many ports. And I do mean switch here, not bridge. That means the usage scenario is datacenter or access layer and it means primarily L2 through the hardware switching functionality.
In routeros as we know it, switching doesn't support ANY spanning tree. Even proper VLAN support was only added in ROS 6. If it's a switch, I expect it to be usable as one, and the way it stands now, it probably isn't.
So the question stands, what are the new switching features added to ROS for CRS.
Re: Switching with RouterOS / CRS Questions
Posted: Tue Nov 05, 2013 12:55 am
by jbaird
I would like some clarification as well. What makes the CRS a more capable L3 switch compared to any other ROS device?
I found this:
http://wiki.mikrotik.com/wiki/Manual:CRS_examples
Which leads me to believe nothing has changed at all. The VLAN functionality is still just as convoluted as ever. I was hoping to be able to replace some small Cisco L3 switches with the CRS, but it doesn't look like that is going to happen. I need multiple L3 VLAN interfaces, and I need to easily be able to configure them as either tagged (trunk) or untagged (access) on any given switch interface.
Re: Switching with RouterOS / CRS Questions
Posted: Tue Nov 05, 2013 9:44 am
by normis
Currently we are still adding Switching features for the CRS. Right now you get only basic Switch functionality, but the hardware allows for much more, and new features will be added with every software update.
Please give us examples of the most important switch functions that you want us to make.
Re: Switching with RouterOS / CRS Questions
Posted: Tue Nov 05, 2013 12:26 pm
by Caci99
In my opinion, it's a switch, the CPU is much too weak for so many ports.
I am not familiar at all with switching configuration, so sorry for the question but is a 600MHz CPU too small for a switch?
Re: Switching with RouterOS / CRS Questions
Posted: Tue Nov 05, 2013 1:34 pm
by onnoossendrijver
If you want to do heavy routing (more than several-hundreds of mbit/s) it is not enough. For management tasks and light routing tasks it is more than enough.
If you want wirespeed layer 3 switching/routing you should consider a CCR.
Re: Switching with RouterOS / CRS Questions
Posted: Tue Nov 05, 2013 9:16 pm
by tywtyw2002
Hi,
does crs-125 now support port mirror, QinQ, port base qos?
In other words, can we say crs125 is the same as which series of cisco L3 switch? 3725, 4500?
Re: Switching with RouterOS / CRS Questions
Posted: Wed Nov 06, 2013 5:28 am
by Neilson
@Normis
The examples look great on the examples page (along with some Winbox screens to implement them please)
Some setups I would like to see:
- Trunk Ports with optional "Native" VLAN (drop down box to select native from all defined VLANS)
- Allow us a "VLAN's" section of the cli / Winbox where we define VLANs for the switch
something like / switch vlans add name="VLAN Name" vlan-id=1234 S-VLAN=yes/no
- Use the VLAN's defined to then add to a trunk port with the VLAN' on it like we add channel scan into wireless
- Allow VLAN Groups like frequency scan groups to easily make regular trunks for deployment (like we have 3 VLANS we deploy on most ports)
These are just my very first ideas. mostly making the system much more simple to deploy them onto the ports.
Regards
Alexander
Re: Switching with RouterOS / CRS Questions
Posted: Wed Nov 06, 2013 1:39 pm
by lamersons
Being a huge fan of MT I get almost every new MT product to check it out and to play around. This time I got CRS125 ros6.5, and boy...
after spending 5 hours trying to accomplish the most generic switching tasks I felt stupid as faq because I failed:
1. didn't find an easy way to assign a vlan to a port or easily configure a trunk link and permit all vlans. The way from the examples (to match default VID with a "In.Vlan Tran" rule and to apply a different VID) feels complicated. Couldn't get the "VLAN" and "VLAN Tagging" tabs to work at all
2. didn't find a way to terminate a vlan on a switch (SVI)
3. unclear with STP configuration being only for bridge interfaces
4. Lack of documentation on switching functions
Putting my new CRS125 on a shelf for some time, unusable...
Re: Switching with RouterOS / CRS Questions
Posted: Wed Nov 06, 2013 3:45 pm
by jbaird
MT's VLAN configuration has always been overly-complicated and confusing. An example of what the CRS should be able to do (using Cisco):
interface vlan10
 ip address 10.1.1.1/24
!
interface vlan20
 ip address 10.2.1.1/24
!
interface gigabitethernet0/1
 desc trunk to another switch (tagged)
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
interface gigabitethernet0/2
 desc uplink to PC (untagged)
 switchport
 switchport mode access
 switchport access vlan 10
!
So, we create two L3 VLAN's and assign IP addresses to them (an "SVI" in Cisco). This enables routing between the two VLANs. Next, we turn Port1 into a dot1q trunk port which tags both VL10 and VL20. Port 2 is an access port (untagged). In this configuration, I can easily assign VL10 or VL20 to any switchport on the switch, tagged or untagged. MT needs to be able to do this, ESPECIALLY on a product that you are calling a "fully capable L3 switch." Otherwise, it's just another MT router.
Until this functionality exists, I won't be purchasing any of these, and I won't recommend them to anyone that is looking for a L3 switch.
Re: Switching with RouterOS / CRS Questions
Posted: Thu Nov 07, 2013 7:43 am
by omega-00
While there are plenty of new options I can concur that the interface and configuration still seems a bit odd and I haven't had much luck getting the example configs working.
For starters the example listings for port based vlan (what I'm interested in) are incorrect on the wiki:
ros code
/interface ethernet switch ingress-vlan-translation
add switch=switch1 port=ether6 customer-vid=0 new-customer-vid=200
Should be:
ros code
/interface ethernet switch ingress-vlan-translation
add switch=switch1 port=ether6 match-customer-vid=0 new-customer-vid=200
Here's the listing from the switch itself of some of the new options:
CRS-switch.PNG
Re: Switching with RouterOS / CRS Questions
Posted: Thu Nov 07, 2013 7:47 am
by omega-00
Along with this it's not really clear how pulling things back to vlan 0 is supposed to work for configs.
IE:
If I want tagged/trunked vlans 20,30,40 coming in on ether1 and
vlan 20 untagged out ether2
vlan 30 untagged out ether3
vlan 40 untagged out ether4
I would assume I should:
1. accept tagged vlans 20,30,40 on ether1
2. ensure traffic in ether2,ether3,ether4 is tagged as it comes in with the respective vlan (20,30,40)
3. ensure traffic passing out ether2,ether3,ether4 is untagged as it passes out with the respective vlan (20,30,40)
But this does not align with how I configure the ports.
Re: Switching with RouterOS / CRS Questions
Posted: Thu Nov 07, 2013 8:12 am
by omega-00
Please give us examples of the most important switch functions that you want us to make.
Perhaps a graphical configuration model for ease of setup which would then allow us to export configs and see what they're supposed to look like?
IE:
48PS_27_Modify_VLAN.jpg
or
vlans.PNG
U = Untagged
T = Tagged
X = Not included in vlan group
Along with these options:
- DHCP Snooping,
- Multicast and Unicast traffic filtering,
- port-based mac-address limiting (with a recovery timeout of some sort)
- the switch based ACL/firewall options also appear to have gone from the switch config page on the CRS too
Re: Switching with RouterOS / CRS Questions
Posted: Thu Nov 07, 2013 8:55 am
by normis
Omega, OK about the first image, but the second is really confusing
Re: Switching with RouterOS / CRS Questions
Posted: Thu Nov 07, 2013 9:01 am
by normis
The manual mistakes are not really mistakes, the syntax changed for v6.6
Re: Switching with RouterOS / CRS Questions
Posted: Thu Nov 07, 2013 3:53 pm
by jbaird
Also, if it's a Layer3 switch, we really need to [easily] be able to terminate L3 VLAN's (SVI) on the switch itself.
ie, create a VLAN interface, assign an IP address to it, then be able to assign that VLAN to multiple physical interfaces (tagged or untagged). This would also enable routing between VLANs.
The features that Omega said are most definitely needed, but those are typically found in any off-the-shelf managed L2 switch.
Re: Switching with RouterOS / CRS Questions
Posted: Fri Nov 08, 2013 2:26 am
by CTrain
Is it possible on the cloud router switch to perform bonding/link aggregation/teaming using protocols such as 802.3ad (LACP). I know it is possible to perform the bond using the routerOS functions however that requires a CPU based bond. is it possible to perform the bond with the layer 3 switch chip for wire speed channel bonding? I would like to use the switching hardware because the CPU generally maxes out prior to 1Gb/s throughput thus bonding is actually slowing the network down. Also managed switches from most other vendors support this functionality.
Re: Switching with RouterOS / CRS Questions
Posted: Fri Nov 08, 2013 12:09 pm
by Basdno
The new CRS Switches look very interesting.
I was wondering if there are plans for a "Multiple SFP" CRS switch soon. F.ex. 24 Gig SFP ports (and maybe 4-8 gig etherports, preferably without combo share with SFP ports. But if only possibility with combo for etherports).
An "all" SFP switch is very useful in central points of Optical networks and in distribution points of f.ex. FTH.
Could we be seeing such a product in near future?
Also it could be nice with at least 2 SFP ports on normal CRS switch, so it is possible to have both an inlink AND an outlink on optical SFP port.
Re: Switching with RouterOS / CRS Questions
Posted: Mon Nov 11, 2013 1:17 am
by omega-00
Omega, OK about the first image, but the second is really confusing
Was just some examples, as any sort of bulk changes right now are time consuming.
Re: Switching with RouterOS / CRS Questions
Posted: Mon Nov 11, 2013 2:42 am
by nz_monkey
Currently we are still adding Switching features for the CRS. Right now you get only basic Switch functionality, but the hardware allows for much more, and new features will be added with every software update.
Please give us examples of the most important switch functions that you want us to make.
- 802.3af POE output on all ports
With this, it would make an excellent "branch office" router.
- Sane configuration of L2 functions
Thanks!
Re: Switching with RouterOS / CRS Questions
Posted: Mon Nov 11, 2013 3:09 am
by rjickity
I think Omega's comments are a good place to start. The tagging functionality should be straightforward on the CRS, a simple GUI window with Tag, Untag, Forbid options would be good. A lot of vendors have straightforward illustrations of this (HP, Dell and many others).
Some key features I would like to see (many have already been said already) in order to begin using it is:
- L2 VLAN membership management.
- LAG's (LACP, RR various others. LACP is probably the best to start with. HP do these groupings quite well, super simple)
- SVI's/L3 VLAN management for VLAN routing
- Correct use of a FIB + TCAM in the chip ** this to me is probably the main function that the CRS requires.
- 802.1s MSTP
- UDLD
- BPDU detection/protection
- Jumbo frames (i dont know the chip/chips being used and haven't used a CRS yet, may already be supported)
Of course none of the above should go anywhere near that 600Mhz CPU if possible
After basics have been worked out:
- QoS policies (full 802.1p support if possible)
- CoS policies
- ACL's
- LLDP
- IGMP snooping
And when you get your 802.3at spec CRS's out for the corp/ent offices:
- LLDP-Med
- 802.1x
Nice to haves:
-Wifi (CAPWAP) controller
-Virtual stacking (management and when you get bigger xconnect interfaces maybe even backplane)
-full openflow
Re: Switching with RouterOS / CRS Questions
Posted: Mon Nov 11, 2013 6:41 pm
by ropebih
We also need port isolation option.
Re: Switching with RouterOS / CRS Questions
Posted: Tue Nov 12, 2013 12:17 pm
by misza
Hi
What is the difference between service VLAN and customer VLAN (or VID)?
M.
Re: Switching with RouterOS / CRS Questions
Posted: Tue Nov 12, 2013 2:11 pm
by lamersons
Well, service tag is outer tag and customer tag is inner from qinq perspective.
Re: Switching with RouterOS / CRS Questions
Posted: Tue Nov 12, 2013 2:18 pm
by misza
Thx for info
Anybody configured tagged vlans on CRS125? Example shown here do not work for me:
http://wiki.mikrotik.com/wiki/Manual:CRS_examples
Mikrotik guys? When full manual about new switch features will be available?
M.
Re: Switching with RouterOS / CRS Questions
Posted: Thu Nov 14, 2013 5:13 am
by seany
Over 5 hours in trying to get this to work too...
Re: Switching with RouterOS / CRS Questions
Posted: Thu Nov 14, 2013 7:45 am
by normis
Please let us know what you are trying to do, and what didn't work exactly.
Re: Switching with RouterOS / CRS Questions
Posted: Thu Nov 14, 2013 7:08 pm
by seany
Please let us know what you are trying to do, and what didn't work exactly.
Hi Normis,
I have attached a badly drawn diagram which should explain what I'm trying to do. Essentially I just want 2x trunk ports and a couple of access ports.
CRS.png
The example on the Wiki just doesn't seem to work. I can't seem to get isolation working and the Ports, VLAN and VLAN Tagging settings in winbox appear to do nothing most of the time (or interact weirdly with other settings).
Eventually, I want the CRS to do some simple L3 routing instead of the RB450G as written in red text - it's not clear how to do this with the CRS.
Thanks for your help.
Re: Switching with RouterOS / CRS Questions
Posted: Thu Nov 14, 2013 11:18 pm
by seany
Ok, something weird...
I am seeing RX/TX overflows and pauses between the RB450G and CRS. I managed to temporarily fix this, presumably there is some sort of bug.
In /interface ethernet switch vlan, I attempt to set isolation-profile=isolated (through winbox). Upon hitting apply it immediately switches back to promiscuous however the overflows and pauses disappear and throughput jumps from ~7mbit to 'line rate' ~40mbit.
In /interface ethernet switch port, I changed the isolation profile and some other rules for a couple of ports to find they too have now reverted.
I have since somehow managed to get it to revert back to the state where I'm getting overflows and pauses and can no longer fix it by doing what I did above.
Lastly, when I set forward-invalid-vlan=no I lose all access to the switch. How can I configure it in such a way that things work properly with this set to no?
I'm going to send a supout to support and see where I get.
Re: Switching with RouterOS / CRS Questions
Posted: Fri Nov 15, 2013 11:03 pm
by seany
Ok, I figured out why I am getting slow speeds. It's a 10mbit port as part of the switch group (VoIP adapter). Not figured out how to fix it as of yet.
Re: Switching with RouterOS / CRS Questions
Posted: Sun Nov 17, 2013 7:12 pm
by ryanhaver
Being a huge fan of MT I get almost every new MT product to check it out and to play around. This time I got CRS125 ros6.5, and boy...
after spending 5 hours trying to accomplish the most generic switching tasks I felt stupid as faq because I failed:
1. didn't find an easy way to assign a vlan to a port or easily configure a trunk link and permit all vlans. The way from the examples (to match default VID with a "In.Vlan Tran" rule and to apply a different VID) feels complicated. Couldn't get the "VLAN" and "VLAN Tagging" tabs to work at all
2. didn't find a way to terminate a vlan on a switch (SVI)
3. unclear with STP configuration being only for bridge interfaces
4. Lack of documentation on switching functions
Putting my new CRS125 on a shelf for some time, unusable...
I received my CRS on Friday and have been fumbling through different configurations all weekend. I am definitely frustrated with the lack of switching features that aren't there yet, although I am happy that they have committed to adding features with every update. Coming from other hardware/software that I've used in the past I find the current implementation rather convoluted, but I am new to RouterOS so I guess I should expect the learning curve.
I'll be requesting some help with my failed attempts to configure this bad boy! Hopefully I'm overlooking something simple. I'll post in the "Beginner Basics" forum rather than hijack this thread.
Re: Switching with RouterOS / CRS Questions
Posted: Sun Nov 17, 2013 8:31 pm
by lashguti
Well,
Basic L2 managed switch functionality:
1.Vlan access ports ( should be done simply by creating vlan and setting port mode to access and to make it member of this vlan)
2.Vlan trunk ports (should be done by choosing port mode to be trunk)
3.Port isolation (choose with one click)
Advanced L2 switch functionality:
1. to be able exclude vlans from trunk ports(should be done by simply adding/removing vlans from trunk, by default all vlans should be member of the trunk)
2.mac-port binding(and alert administrator on changing incoming src mac on that port and temporary block traffic, Cisco port-security)
L3 switch
1. Inter Vlan routing( create vlans, assign it to interface and set ip address/mask)
2.DHCP server with dynamic arp access-lists
3.make a port L2 or L3 (like cisco command "no switchport")
4. dynamic routing protocol, OSPF or EIGRP would be preferred(I am not sure but heard it is now open for other vendors too)
API should be supported if not now
That's quite a simple task, Mikrotik should do it.
Configurations like now is not logical and is confusing so that you lose motivation to configure such device
Re: Switching with RouterOS / CRS Questions
Posted: Tue Nov 19, 2013 5:00 am
by kitt1977
This is the config of my simple managed 3com/hp switch ..
I'm struggling for hours to get this same setup working on my mikrotik ..
Tagged vlans are working fine between mikrotik & esxi or other vlan aware devices ..
But defining access port ( untagged only ) or hybrid ports ( untagged in different vlan + tagged ) .. i can't figure it out
http://wiki.mikrotik.com/wiki/Manual:CRS_examples
Tried the port based lan several times ( with clean config ) .
I have a VLAN81 on other mikrotik device with DHCP , on the crs VLAN0 ( default vlan ) i have also a DHCP running .
I config the access port to VLAN81 .. connect a laptop to it and sometimes i get lease from VLAN81 when release and renew i get from VLAN 0 .. ( it really is flipping between 2 vlans ) .
Really hope Mikrotik comes with a more clear/better way to config vlans .. CRS is a real nice device ..when vlans are working like on a competitor managed switch like we are used to ..
For now i made a bridge for the access ports ( removed ports from switch and bridged them with tagged vlan on masterport ) but then traffic goes over the CPU ...
Re: Switching with RouterOS / CRS Questions
Posted: Wed Nov 27, 2013 10:26 pm
by scampbell
Along with this it's not really clear how pulling things back to vlan 0 is supposed to work for configs.
IE:
If I want tagged/trunked vlans 20,30,40 coming in on ether1 and
vlan 20 untagged out ether2
vlan 30 untagged out ether3
vlan 40 untagged out ether4
I would assume I should:
1. accept tagged vlans 20,30,40 on ether1
2. ensure traffic in ether2,ether3,ether4 is tagged as it comes in with the respective vlan (20,30,40)
3. ensure traffic passing out ether2,ether3,ether4 is untagged as it passes out with the respective vlan (20,30,40)
But this does not align with how I configure the ports.
For sure.
I looked at this and would have thought you would use ingress rules for ether2,3 &4 to tag the packets entering the switch (PVID) and egress rules to remove the tags on these ports exiting the switch. To remove the tags via an ingress rule on ether1 seems counter-intuitive ??
The menu has the (normally) expected PORT, VLAN and VLAN Tagging options present but they certainly do not appear to work as one would expect....
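The trunk/access layout omega-00 and scampbell describe in the posts above, as a generic IEEE 802.1Q forwarding model added here for illustration; it is not RouterOS or CRS code and does not come from any poster. Port names and VLAN IDs are taken from the posts; the `Port` and `Switch` classes, the `ingress_filtering` option and the MAC addresses are assumptions constructed for the example.

```python
"""Generic 802.1Q port model (added example, not RouterOS/CRS behaviour)."""
from dataclasses import dataclass, field
from typing import Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Port:
    name: str
    pvid: Optional[int] = None                  # VLAN given to untagged ingress frames
    tagged: set = field(default_factory=set)    # VLANs sent with an 802.1Q tag
    untagged: set = field(default_factory=set)  # VLANs sent with the tag stripped

    def member_of(self, vid):
        return vid in self.tagged or vid in self.untagged


class Switch:
    def __init__(self, ports, ingress_filtering=True):
        self.ports = {p.name: p for p in ports}
        self.ingress_filtering = ingress_filtering
        self.fdb = {}  # (vid, mac) -> port name, learned per VLAN

    def classify(self, port, tag):
        """Return the internal VLAN of a frame, or None if it is dropped."""
        vid = tag if tag is not None else port.pvid
        if vid is None:
            return None  # untagged frame on a port without a PVID
        if self.ingress_filtering and not port.member_of(vid):
            return None  # frame claims a VLAN this port does not belong to
        return vid

    def receive(self, in_port, src, dst, tag=None):
        """Return {egress port: tag on the wire}; None means sent untagged."""
        vid = self.classify(self.ports[in_port], tag)
        if vid is None:
            return {}
        self.fdb[(vid, src)] = in_port
        known = self.fdb.get((vid, dst))
        candidates = [known] if known else list(self.ports)  # unknown dst: flood
        out = {}
        for name in candidates:
            port = self.ports[name]
            if name == in_port or not port.member_of(vid):
                continue  # never leak a frame outside its VLAN
            out[name] = vid if vid in port.tagged else None
        return out


def build_switch(ingress_filtering=True):
    """ether1 = trunk for 20,30,40; ether2/3/4 = access ports for 20/30/40."""
    ports = [Port("ether1", tagged={20, 30, 40})]
    for number, vid in ((2, 20), (3, 30), (4, 40)):
        ports.append(Port(f"ether{number}", pvid=vid, untagged={vid}))
    return Switch(ports, ingress_filtering)


def demo():
    # Constructed MAC addresses for two hosts and one upstream device.
    host_a, host_b, upstream = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:01"
    sw = build_switch()
    results = {
        # Untagged frame on access port ether2 leaves the trunk tagged 20.
        "access_in": sw.receive("ether2", host_a, BROADCAST),
        # Tagged 30 on the trunk leaves access port ether3 untagged.
        "trunk_in": sw.receive("ether1", host_b, BROADCAST, tag=30),
        # Known unicast in VLAN 20 goes only to the learned access port.
        "known_unicast": sw.receive("ether1", upstream, host_a, tag=20),
        # A VLAN 30 tag arriving on the VLAN 20 access port is dropped.
        "wrong_vlan_on_access": sw.receive("ether2", host_a, BROADCAST, tag=30),
        # Untagged traffic on the trunk has no PVID here, so it is dropped.
        "untagged_on_trunk": sw.receive("ether1", upstream, BROADCAST),
    }
    # Same wrong-VLAN frame with ingress filtering off: it crosses into VLAN 30.
    loose = build_switch(ingress_filtering=False)
    results["wrong_vlan_unfiltered"] = loose.receive("ether2", host_a, BROADCAST, tag=30)
    return results


if __name__ == "__main__":
    for case, egress in demo().items():
        print(f"{case:24} -> {egress}")
```

In this model the last two filtered cases show the trade-off behind strict VLAN checking: it keeps a frame tagged for another VLAN off an access port, and it also drops untagged traffic on any port that has no PVID membership configured.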
Re: Switching with RouterOS / CRS Questions
Posted: Tue Dec 10, 2013 5:13 pm
by pingus
I usually use Cisco, HP L3/L2 Switches and Fortigates.
I had many hours to find out how to tag a port or how to get a LACP trunk between two devices. Most of what I tried didn't work. Maybe it's me not clever enough, maybe it's not yet implemented (couldn't believe that the first time I read it) and some of it is because the CLI syntax is, I would say, specially.
For me and maybe also for others it would help much if the CLI syntax would be like HP or Cisco to configure those great Mikrotik Switches and Routers.
Re: Switching with RouterOS / CRS Questions
Posted: Tue Dec 10, 2013 8:06 pm
by ryanhaver
I usually use Cisco, HP L3/L2 Switches and Fortigates.
I had many hours to find out how to tag a port or how to get a LACP trunk between two devices. Most of what I tried didn't work. Maybe it's me not clever enough, maybe it's not yet implemented (couldn't believe that the first time I read it) and some of it is because the CLI syntax is, I would say, specially.
For me and maybe also for others it would help much if the CLI syntax would be like HP or Cisco to configure those great Mikrotik Switches and Routers.
It isn't properly implemented yet. Currently you need to bridge any LACP (802.3ad) trunks with the master port of any switch group you've configured before they'll work, effectively nullifying any bandwidth improvements and taxing the CRS CPU like crazy. I struggled for hours as well in attempts to get things working. I'll admit that the Mikrotik way, as it stands is very counterintuitive and apparently not yet finished.
Here is a response from Mikrotik on a thread I started where they state that it is not yet implemented:
http://forum.mikrotik.com/viewtopic.php ... 37#p396537
Re: Switching with RouterOS / CRS Questions
Posted: Wed Dec 11, 2013 2:31 pm
by Moogman
I want to buy a CRS for my project.
But i would really need 803.2ad link aggregation.
Setup is:
2x Server with 4x LAN Port in LAG mode for a fault tolerance system with vmware.
Is there a date when this feature will be available?
Re: Switching with RouterOS / CRS Questions
Posted: Sun Dec 22, 2013 12:30 pm
by CyberTod
I have a CRS for two days now and I'm even scared to put it in the network.
I want to use it as an L2 switch so when I first connected to it I removed the default configuration which was switching ports 2-24 and using ether1 as wan. Then I upgraded the CRS with the latest router os v6.7
My main concern is that when i go to see the mac-address table (Unicast FDB) i see all entries as invalid. I've tried to reset the configuration a few times and every time it acts differently. Some times I see all entries in vlan42, sometimes in vlan69, i've had one reset where every single mac was shown twice - once in some of these random vlans and once in vlan 0. Keep in mind that the CRS is connected to a vlan unaware switch at the moment so it should not be seeing any vlans and especially these two which are not present in my network at all.
As default the switch is configured as a 'service vlan bridge' and the other option is 'customer vlan bridge' - i can not find any documentation on the difference between the two. When I've changed it to 'customer vlan bridge' in the mac table it sees all macs in vlan 0, but they still show as invalid.
update : I am confused. I downgraded the CRS to v6.5 - The setting of bridge type reverted by itself and again mac address table shows all stations in vlan 42, but at least they are not invalid anymore. I don't see any configuration in the switch for this vlan. I switched to 'customer vlan bridge' from cli and all macs showed in vlan 0. Then I decided to reboot it - after the reboot it is again 'service vlan bridge' with vlan 42. I tried switching the bridge type from winbox and the current state is that I lost all connectivity to the CRS. As I said before I'm afraid now to put it in the network because I am not sure when I will need to do factory reset.
Re: Switching with RouterOS / CRS Questions
Posted: Wed Jan 08, 2014 8:37 am
by nkukard
In /interface ethernet switch vlan, I attempt to set isolation-profile=isolated (through winbox). Upon hitting apply it immediately switches back to promiscuous
Did you manage to solve this? right now setting ports 2-24 in a group as per the examples ends up in a hub-like behavior with traffic transmitted on all ports for all ports.
Re: Switching with RouterOS / CRS Questions
Posted: Wed Jan 08, 2014 9:41 am
by CyberTod
Anyone tried port mirroring ? It doesn't seem to work.
There are 2 mirror targets defined - mirror0 and mirror1 and they default to sending the traffic to cpu. That is exactly what I need so I can 'torch' the traffic on a port i choose. I select both ingress and egress mirroring then go to 'torch' but traffic is not seen. I'm not sure at which port should I look since it is copied to 'cpu'.
I did a test to mirror the traffic to another port and not the cpu, but no traffic goes there.
Re: Switching with RouterOS / CRS Questions
Posted: Sat Jan 18, 2014 5:18 am
by Roberto21
good night!
Could anyone teach me how to do the insulation of doors CRS?
thank you
Re: Switching with RouterOS / CRS Questions
Posted: Fri Feb 21, 2014 5:58 pm
by whoknew
What exactly did they change in RouterOS to make this a switch over say an RB-2011 etc?
Re: Switching with RouterOS / CRS Questions
Posted: Sun Feb 23, 2014 11:22 pm
by ncd
I've a very similar problem to the OP - Has anyone got the CRS to work with two trunk ports? I'm trying to create something like:
routerX ==trunked vlans== CRS125 ==trunked vlans==RB2011
I've created a master port which is effectively the trunk port and then added bridging of that to another but it only seems to traverse traffic in one direction.
ether9 -> master for ether10-24
trunked vlans appear as expected on ether9 when setup as per
http://wiki.mikrotik.com/wiki/Manual:CR ... Based_VLAN
If I try and create the second trunk by bridging ether9 to another port (ether8) I see the traffic come in on the trunk, bridged across to ether9 and appear at routerX. In my example I see arp requests make their way from the RB2011 into ether8, bridged to ether9 and appear correctly tagged at routerX which then replies and I see the reply come back in on ether9 (I can see this with /tool/sniffer quick interface=etherX)
Should this work? or is there another better way of creating two identical vlan trunks out of the CRS125? I don't mind if it goes to the CPU to do this.
Re: Switching with RouterOS / CRS Questions
Posted: Wed Mar 19, 2014 11:05 am
by AnRkey
What exactly did they change in RouterOS to make this a switch over say an RB-2011 etc?
The CRS has a single switch chip that can handle all ports. Other routers like the 2011 have two switch chips, one for the gigabit ports and one for the fast ethernet ports. On the 2011, there is no way to have all 10 ports on a single master port. The CRS fixes this by giving you 24ether + 1sfp port, all can be used on the same switch chip.
All we need now is for it to work and for them to release a manual so that we know what the hell is going on.
Re: Switching with RouterOS / CRS Questions
Posted: Thu Mar 20, 2014 2:03 pm
by AnRkey
For those needing the manual for these switches:
http://wiki.mikrotik.com/wiki/Manual:CRS_features
@Mikrotik: The table of contents does not yet list this link. Can you guys update it please?
R
Re: Switching with RouterOS / CRS Questions
Posted: Tue Apr 01, 2014 11:48 pm
by asdewq
hello all!
for me are needed three functions:
- fully functionally RSTP (HW, no on bridge)
- broadcast storm control
- loopback detection/protection
is possible to add this features to Mikrotik CRS? Thanks
Boris
Re: Switching with RouterOS / CRS Questions
Posted: Wed Apr 02, 2014 2:49 pm
by PastuhMedvedey
hello all!
for me are needed three functions:
- broadcast storm control
- loopback detection/protection
is possible to add this features to Mikrotik CRS? Thanks
Boris
UP !
Re: Switching with RouterOS / CRS Questions
Posted: Mon Apr 07, 2014 6:14 pm
by asdewq
Normis, i write my post on 1. April but it wasn't a joke. Please can you write, can or not be added this functions on CRS?
Re: Switching with RouterOS / CRS Questions
Posted: Sat Apr 19, 2014 12:35 am
by michaelahess
I spent a few hours now trying to setup vlan tagging on my CRS125-24G-1S-2HnD-IN. See rough sketch below.
I have the default config with minor changes for wireless. I can get a dhcp lease via the wireless interface. I've done the below config's mirroring the example on the site, but when I plug my laptop into port 3, it won't pull an address from my DMZ scope. I want that port untagged, and I want port 7 which goes to a Cisco 1140G access point, tagged as I have two SSID's each on their own vlan from that device. Any help in making this work would be appreciated. I'm also curious, the master port, since so much "stuff" is tied to it, is it best not to use it for anything or can I make sure it's only actually accessible via a single vlan?
CRS Example.jpg
[admin@blackwidow] /interface ethernet> print
Flags: X - disabled, R - running, S - slave
# NAME MTU MAC-ADDRESS ARP MASTER-PORT SWITCH
0 R 1 - WAN 1500 D4:CA:6D:CE:29:22 enabled none switch1
1 RS 2 - APC ... 1500 D4:CA:6D:CE:29:23 enabled none switch1
2 RS 3 - Work... 1500 D4:CA:6D:CE:29:24 enabled 2 - APC 1500 ... switch1
3 S 4 - KM24... 1500 D4:CA:6D:CE:29:25 enabled 2 - APC 1500 ... switch1
4 S 5 - Back... 1500 D4:CA:6D:CE:29:26 enabled 2 - APC 1500 ... switch1
5 S 6 - Schw... 1500 D4:CA:6D:CE:29:27 enabled 2 - APC 1500 ... switch1
6 S 7 - 1140... 1500 D4:CA:6D:CE:29:28 enabled 2 - APC 1500 ... switch1
7 S 8 - Spac... 1500 D4:CA:6D:CE:29:29 enabled 2 - APC 1500 ... switch1
8 S 9 - Mike... 1500 D4:CA:6D:CE:29:2A enabled 2 - APC 1500 ... switch1
9 S 10 - Eri... 1500 D4:CA:6D:CE:29:2B enabled 2 - APC 1500 ... switch1
10 S 11 - Vau... 1500 D4:CA:6D:CE:29:2C enabled 2 - APC 1500 ... switch1
11 S 12 - Ray... 1500 D4:CA:6D:CE:29:2D enabled 2 - APC 1500 ... switch1
12 S 13 - Liv... 1500 D4:CA:6D:CE:29:2E enabled 2 - APC 1500 ... switch1
13 S 14 - Bed... 1500 D4:CA:6D:CE:29:2F enabled 2 - APC 1500 ... switch1
14 S 15 - Bed... 1500 D4:CA:6D:CE:29:30 enabled 2 - APC 1500 ... switch1
15 S 16 - Del... 1500 D4:CA:6D:CE:29:31 enabled 2 - APC 1500 ... switch1
16 S ether17-... 1500 D4:CA:6D:CE:29:32 enabled 2 - APC 1500 ... switch1
17 S ether18-... 1500 D4:CA:6D:CE:29:33 enabled 2 - APC 1500 ... switch1
18 S ether19-... 1500 D4:CA:6D:CE:29:34 enabled 2 - APC 1500 ... switch1
19 S ether20-... 1500 D4:CA:6D:CE:29:35 enabled 2 - APC 1500 ... switch1
20 S ether21-... 1500 D4:CA:6D:CE:29:36 enabled 2 - APC 1500 ... switch1
21 S ether22-... 1500 D4:CA:6D:CE:29:37 enabled 2 - APC 1500 ... switch1
22 S ether23-... 1500 D4:CA:6D:CE:29:38 enabled 2 - APC 1500 ... switch1
23 S ether24-... 1500 D4:CA:6D:CE:29:39 enabled 2 - APC 1500 ... switch1
24 XS sfp1-gat... 1500 D4:CA:6D:CE:29:3A enabled none switch1
[admin@blackwidow] /interface ethernet switch egress-vlan-tag> print
Flags: X - disabled, I - invalid, D - dynamic
# VLAN-ID TAGGED-PORTS
0 D 4095
1 100 switch1-cpu
2 300 switch1-cpu
3 400 switch1-cpu
[admin@blackwidow] /interface ethernet switch ingress-vlan-translation>
Flags: X - disabled, I - invalid, D - dynamic
0 ports=3 - Workbench service-vlan-format=any customer-vlan-format=a
new-customer-vid=300 pcp-propagation=no sa-learning=yes
1 ports=7 - 1140G - AP service-vlan-format=any customer-vlan-format=
new-customer-vid=100 pcp-propagation=no sa-learning=yes
2 ports=7 - 1140G - AP service-vlan-format=any customer-vlan-format=
new-customer-vid=400 pcp-propagation=no sa-learning=yes
3 D ports=1 - WAN,sfp1-gateway service-vlan-format=any customer-vlan-f
new-customer-vid=0 pcp-propagation=no sa-learning=no
[admin@blackwidow] /interface vlan> print
Flags: X - disabled, R - running, S - slave
# NAME MTU ARP VLAN-ID INTERFACE
0 R vlan100 1500 enabled 100 2 - APC 1500 - UPS
1 R vlan300 1500 enabled 300 2 - APC 1500 - UPS
2 R vlan400 1500 enabled 400 2 - APC 1500 - UPS
[admin@blackwidow] /ip address> print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 ;;; default configuration
192.168.88.1/24 192.168.88.0 2 - APC 1500 - UPS
1 10.51.25.1/24 10.51.25.0 vlan300
2 X 10.54.25.1/24 10.54.25.0 vlan100
3 10.52.25.1/24 10.52.25.0 vlan400
4 D 10.54.25.33/24 10.54.25.0 1 - WAN
[admin@blackwidow] /interface ethernet switch vlan> print
Flags: X - disabled, I - invalid, D - dynamic
# VLAN-ID PORTS SVL LEARN FLOOD INGRESS-MIRRO
0 D 4095 1 - WAN no no no no
sfp1-gateway
switch1-cpu
1 300 3 - Workbench no yes no no
switch1-cpu
2 100 7 - 1140G - AP no yes no no
switch1-cpu
3 400 7 - 1140G - AP no yes no no
switch1-cpu
[admin@blackwidow] /interface ethernet switch> print
name: switch1
type: QCA-8513L
bridge-type: customer-vid-used-as-lookup-vid
drop-if-no-vlan-assignment-on-ports:
drop-if-invalid-or-src-port-not-member-of-vlan-on-ports:
unknown-vlan-lookup-mode: svl
forward-unknown-vlan: no
use-svid-in-one2one-vlan-lookup: no
use-cvid-in-one2one-vlan-lookup: yes
mac-level-isolation: yes
multicast-lookup-mode: dst-ip-and-vid-for-ipv4
override-existing-when-ufdb-full: no
unicast-fdb-timeout: 5m
ingress-mirror0: switch1-cpu,unmodified
ingress-mirror1: switch1-cpu,unmodified
ingress-mirror-ratio: 1/1
egress-mirror0: switch1-cpu,modified
egress-mirror1: switch1-cpu,modified
egress-mirror-ratio: 1/1
fdb-uses: mirror0
vlan-uses: mirror0
mirror-egress-if-ingress-mirrored: no
mirror-tx-on-mirror-port: no
mirrored-packet-qos-priority: 0
mirrored-packet-drop-precedence: green
bypass-vlan-ingress-filter-for:
bypass-ingress-port-policing-for:
bypass-l2-security-check-filter-for:
[admin@blackwidow] /ip dhcp-server> print
Flags: X - disabled, I - invalid
# NAME INTERFACE RELAY ADDRESS-POOL LEASE-TIME ADD-ARP
0 default bridge-local dhcp 3d
1 DHCP-DMZ vlan300 DMZ_DHCP_Pool 1d
2 X DHCP-LAN (unknown) LAN_DHCP_Pool 3d
3 DHCP-Guest vlan400 Guest_DHCP_Pool 1d
Re: Switching with RouterOS / CRS Questions
Posted: Mon Apr 21, 2014 11:08 am
by ners
Has anyone figured out how to set a management IP on a CRS in the native VLAN?
Simply adding an IP to the physical master port is not enough, apparently.
172.16.16.8 is unpingable and no other hosts in the network see 172.16.16.8.
the ARP table is also empty.
/ip address
add address=172.16.16.8/24 interface=ether24 network=172.16.16.0
[admin@MikroTik] /ip address> /int ether exp
# jan/06/2002 03:19:38 by RouterOS 6.12
# software id = IKDF-GH6M
#
/interface ethernet
set [ find default-name=sfp1 ] master-port=ether24
set [ find default-name=ether1 ] master-port=ether24
set [ find default-name=ether2 ] master-port=ether24
set [ find default-name=ether3 ] master-port=ether24
set [ find default-name=ether4 ] master-port=ether24
set [ find default-name=ether5 ] master-port=ether24
set [ find default-name=ether6 ] master-port=ether24
set [ find default-name=ether7 ] master-port=ether24
set [ find default-name=ether8 ] master-port=ether24
set [ find default-name=ether9 ] master-port=ether24
set [ find default-name=ether10 ] master-port=ether24
set [ find default-name=ether11 ] master-port=ether24
set [ find default-name=ether12 ] master-port=ether24
set [ find default-name=ether13 ] master-port=ether24
set [ find default-name=ether14 ] master-port=ether24
set [ find default-name=ether15 ] master-port=ether24
set [ find default-name=ether16 ] master-port=ether24
set [ find default-name=ether17 ] master-port=ether24
set [ find default-name=ether18 ] master-port=ether24
set [ find default-name=ether19 ] master-port=ether24
set [ find default-name=ether20 ] master-port=ether24
set [ find default-name=ether21 ] master-port=ether24
set [ find default-name=ether22 ] master-port=ether24
set [ find default-name=ether23 ] master-port=ether24
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports="ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,\
ether11,ether12,ether13,ether14,ether15,ether16,ether17,ether18,ether19,ether20,ether21,ether22,ether23,ether24" \
forward-unknown-vlan=no
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether24 vlan-id=59
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=59 ports=ether1 sa-learning=yes
/interface ethernet switch vlan
add ports=ether1,ether24 vlan-id=59
Re: Switching with RouterOS / CRS Questions
Posted: Tue Apr 22, 2014 11:40 am
by becs
michaelahess,
The following Cloud Router Switch configuration should be applied for your setup:
1) Add VLAN tagging on CPU port and ether7 port according to diagram:
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether7-slave-local,switch1-cpu vlan-id=100
add tagged-ports=switch1-cpu vlan-id=300
add tagged-ports=ether7-slave-local,switch1-cpu vlan-id=400
2) Ingress VLAN translation rules are necessary only on VLAN access ports to define initial VLAN assignment for untagged packets:
/interface ethernet switch ingress-vlan-translation
add customer-vlan-format=untagged-or-tagged new-customer-vid=100 ports=\
ether2-master-local,ether4-slave-local,ether5-slave-local,ether6-slave-local,ether8-slave-local,ether9-slave-local,ether10-slave-local sa-learning=\
yes service-vlan-format=untagged-or-tagged
add customer-vlan-format=untagged-or-tagged new-customer-vid=300 ports=ether3-slave-local sa-learning=yes service-vlan-format=untagged-or-tagged
3) For security disable invalid VLAN forwarding globally or on each port separately like this:
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports="ether2-master-local,ether3-slave-local,ether4-slave-local,ether5-slave-local,ether6-slave-lo\
cal,ether7-slave-local,ether8-slave-local,ether9-slave-local,ether10-slave-local"
4) VLAN table should contain all ports which accept particular VLAN as valid:
/interface ethernet switch vlan
add ports="ether2-master-local,ether4-slave-local,ether5-slave-local,ether6-slave-local,ether7-slave-local,ether8-slave-local,ether9-slave-local,ether10-\
slave-local,switch1-cpu" vlan-id=100
add ports=ether3-slave-local,switch1-cpu vlan-id=300
add ports=ether7-slave-local,switch1-cpu vlan-id=400
Re: Switching with RouterOS / CRS Questions
Posted: Tue Apr 22, 2014 11:41 am
by becs
ners,
You should add a VLAN interface to master-port in RouterOS and add IP address to it.
From switch point there is switch1-cpu port, not the master-port.
/interface vlan add name=vlan59 vlan-id=59 interface=ether24
/interface ethernet switch egress-vlan-tag
add tagged-ports=switch1-cpu vlan-id=59
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=59 ports=ether1 sa-learning=yes
/interface ethernet switch vlan
add ports=ether1,switch1-cpu vlan-id=59
Re: Switching with RouterOS / CRS Questions
Posted: Tue Apr 22, 2014 12:49 pm
by ners
ners,
You should add a VLAN interface to master-port in RouterOS and add IP address to it.
From switch point there is switch1-cpu port, not the master-port.
/interface vlan add name=vlan59 vlan-id=59 interface=ether24
/interface ethernet switch egress-vlan-tag
add tagged-ports=switch1-cpu vlan-id=59
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=59 ports=ether1 sa-learning=yes
/interface ethernet switch vlan
add ports=ether1,switch1-cpu vlan-id=59
But my management IPs reside not in a VLAN, but rather in the native VLAN, which is not a 802.1q VLAN at all, it is just normal untagged traffic, this is why I put the IP address on the physical master-port (ether24 in my case).
[admin@MikroTik] /ip address> set 0 interface=switch1-cpu
input does not match any value of interface
I can only add IPs to physical ports or VLANs.
Re: Switching with RouterOS / CRS Questions
Posted: Tue Apr 22, 2014 12:52 pm
by ners
michaelahess,
The following Cloud Router Switch configuration should be applied for your setup:
3) For security disable invalid VLAN forwarding globally or on each port separately like this:
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports="ether2-master-local,ether3-slave-local,ether4-slave-local,ether5-slave-local,ether6-slave-lo\
cal,ether7-slave-local,ether8-slave-local,ether9-slave-local,ether10-slave-local"
How do you disable it globally, without listing each individual port in the "drop-if-invalid-or-src-port-not-member-of-vlan-on-ports" setting?
Re: Switching with RouterOS / CRS Questions
Posted: Tue Apr 22, 2014 1:27 pm
by becs
But my management IPs reside not in a VLAN, but rather in the native VLAN, which is not a 802.1q VLAN at all, it is just normal untagged traffic, this is why I put the IP address on the physical master-port (ether24 in my case).
IP address on the master-port is correct for untagged traffic, but in that case you need to ensure untagged traffic is not being filtered as invalid VLAN.
VLAN 0 needs to be added in switch-chip VLAN table.
/interface ethernet switch vlan
add vlan-id=0 ports=ether1,ether2,...,switch1-cpu
How do you disable it globally, without listing each individual port in the "drop-if-invalid-or-src-port-not-member-of-vlan-on-ports" setting?
/interface ethernet switch set forward-unknown-vlan=no
Re: Switching with RouterOS / CRS Questions
Posted: Tue Apr 22, 2014 2:17 pm
by ners
But my management IPs reside not in a VLAN, but rather in the native VLAN, which is not a 802.1q VLAN at all, it is just normal untagged traffic, this is why I put the IP address on the physical master-port (ether24 in my case).
IP address on the master-port is correct for untagged traffic, but in that case you need to ensure untagged traffic is not being filtered as invalid VLAN.
VLAN 0 needs to be added in switch-chip VLAN table.
/interface ethernet switch vlan
add vlan-id=0 ports=ether1,ether2,...,switch1-cpu
How do you disable it globally, without listing each individual port in the "drop-if-invalid-or-src-port-not-member-of-vlan-on-ports" setting?
/interface ethernet switch set forward-unknown-vlan=no
I did exactly that and now the switch will not pass traffic anymore and will not let me see the configuration (reboot does not help):
[admin@MikroTik] > /int ethernet
[admin@MikroTik] /interface ethernet> switch
[admin@MikroTik] /interface ethernet switch> exp
# jan/02/1970 00:00:26 by RouterOS 6.12
# software id = IKDF-GH6M
#
#error exporting /interface ethernet switch
#interrupted
[admin@MikroTik] /interface ethernet switch> print
action timed out - try again, if error continues contact MikroTik support and send a supout file (13)
[admin@MikroTik] /interface ethernet switch>
I will be resetting the configuration and configuring everything from scratch again :-/
Re: Switching with RouterOS / CRS Questions
Posted: Tue Apr 22, 2014 2:40 pm
by ners
After resetting the configuration and configuring it from scratch it hangs again after issuing /export and also does not pass any traffic:
The configuration is as follows:
/interface ethernet
set [ find default-name=sfp1 ] master-port=ether24
set [ find default-name=ether1 ] master-port=ether24
set [ find default-name=ether2 ] master-port=ether24
set [ find default-name=ether3 ] master-port=ether24
set [ find default-name=ether4 ] master-port=ether24
set [ find default-name=ether5 ] master-port=ether24
set [ find default-name=ether6 ] master-port=ether24
set [ find default-name=ether7 ] master-port=ether24
set [ find default-name=ether8 ] master-port=ether24
set [ find default-name=ether9 ] master-port=ether24
set [ find default-name=ether10 ] master-port=ether24
set [ find default-name=ether11 ] master-port=ether24
set [ find default-name=ether12 ] master-port=ether24
set [ find default-name=ether13 ] master-port=ether24
set [ find default-name=ether14 ] master-port=ether24
set [ find default-name=ether15 ] master-port=ether24
set [ find default-name=ether16 ] master-port=ether24
set [ find default-name=ether17 ] master-port=ether24
set [ find default-name=ether18 ] master-port=ether24
set [ find default-name=ether19 ] master-port=ether24
set [ find default-name=ether20 ] master-port=ether24
set [ find default-name=ether21 ] master-port=ether24
set [ find default-name=ether22 ] master-port=ether24
set [ find default-name=ether23 ] master-port=ether24
/interface ethernet switch
set forward-unknown-vlan=no
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether24 vlan-id=59
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=59 ports=ether1 sa-learning=yes
/interface ethernet switch vlan
add ports=ether24,switch1-cpu
add ports=ether1,ether24 vlan-id=59
/ip address
add address=172.16.16.8/24 interface=ether24
Re: Switching with RouterOS / CRS Questions
Posted: Tue Apr 22, 2014 6:08 pm
by michaelahess
michaelahess,
The following Cloud Router Switch configuration should be applied for your setup:
...
Thanks becs! I'll try this when I get home tonight. One thing I'm still worried about though, the master port of the switch group, is it best to not actually use that port for a real link since it has all that other "stuff" on it?
Re: Switching with RouterOS / CRS Questions
Posted: Wed Apr 23, 2014 7:15 pm
by michaelahess
Still not working. I applied a DHCP server to vlan300, but when I plug a laptop into port 3 I get nothing, like literally no packets coming to the laptop. I verified the port works fine with the laptop when on the default bridge with its DHCP server. Do I need to do anything with the VLAN tab on the ethernet section? Can I apply the DHCP server to port 3 maybe?
Re: Switching with RouterOS / CRS Questions
Posted: Sat Jul 12, 2014 1:42 pm
by mcdebugger
Is L3 switching planned? I mean wire speed L3 switching or at least on-switch-chip arp proxying that is fast as a demon?
Really nice to see it on aggregation to enable fast switching between clients sitting each on his own vlan.
Re: Switching with RouterOS / CRS Questions
Posted: Sat Jul 12, 2014 7:03 pm
by xcom
michaelahess,
The following Cloud Router Switch configuration should be applied for your setup:
...
Thanks becs! I'll try this when I get home tonight. One thing I'm still worried about though, the master port of the switch group, is it best to not actually use that port for a real link since it has all that other "stuff" on it?
I see your post is old and so is this thread so I suppose you gave up?
My setup is similar to yours except I have two gateways. One goes to my firewall/DHCP server and one goes out through the CRS gateway port 1.
I can't make the switch hand out IPs on my vlan10.
Re: Switching with RouterOS / CRS Questions
Posted: Tue Jul 15, 2014 12:38 pm
by carlo1980
I want to buy a CRS 125 for my home.
I have seen that the CRS125 has the 8513L switch chip, but I haven't found any information about a host table, rule table and VLAN table in hardware like on the AR8327 and AR8316. Will the CRS125 support L3 in hardware in the future, or does the switch chip not support this function?
Re: Switching with RouterOS / CRS Questions
Posted: Thu Jul 17, 2014 4:00 pm
by xcom
michaelahess,
The following Cloud Router Switch configuration should be applied for your setup:
...
Thanks becs! I'll try this when I get home tonight. One thing I'm still worried about though, the master port of the switch group, is it best to not actually use that port for a real link since it has all that other "stuff" on it?
I see your post is old and so is this thread so I suppose you gave up?
My setup is similar to yours except I have two gateways. One goes to my firewall/DHCP server and one goes out through the CRS gateway port 1.
I can't make the switch hand out IPs on my vlan10.
I wanted to report that I fixed my issue.
All is working well now.
Thanks!
Re: Switching with RouterOS / CRS Questions
Posted: Fri Aug 08, 2014 10:12 am
by yarda
After resetting the configuration and configuring it from scratch it hangs again after issuing /export and also does not pass any traffic:
The configuration is as follows:
/interface ethernet
set [ find default-name=sfp1 ] master-port=ether24
set [ find default-name=ether1 ] master-port=ether24
set [ find default-name=ether2 ] master-port=ether24
set [ find default-name=ether3 ] master-port=ether24
set [ find default-name=ether4 ] master-port=ether24
set [ find default-name=ether5 ] master-port=ether24
set [ find default-name=ether6 ] master-port=ether24
set [ find default-name=ether7 ] master-port=ether24
set [ find default-name=ether8 ] master-port=ether24
set [ find default-name=ether9 ] master-port=ether24
set [ find default-name=ether10 ] master-port=ether24
set [ find default-name=ether11 ] master-port=ether24
set [ find default-name=ether12 ] master-port=ether24
set [ find default-name=ether13 ] master-port=ether24
set [ find default-name=ether14 ] master-port=ether24
set [ find default-name=ether15 ] master-port=ether24
set [ find default-name=ether16 ] master-port=ether24
set [ find default-name=ether17 ] master-port=ether24
set [ find default-name=ether18 ] master-port=ether24
set [ find default-name=ether19 ] master-port=ether24
set [ find default-name=ether20 ] master-port=ether24
set [ find default-name=ether21 ] master-port=ether24
set [ find default-name=ether22 ] master-port=ether24
set [ find default-name=ether23 ] master-port=ether24
/interface ethernet switch
set forward-unknown-vlan=no
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether24 vlan-id=59
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=59 ports=ether1 sa-learning=yes
/interface ethernet switch vlan
add ports=ether24,switch1-cpu
add ports=ether1,ether24 vlan-id=59
/ip address
add address=172.16.16.8/24 interface=ether24
How did you solve your problem? I have the same problem: the CRS freezes on export. It freezes at the bridge section with the CPU at 100%. According to the profiler, the load is in the ipsec service on ROS 6.10, or in management on 6.17. If I run snmpwalk against the CRS, it freezes at 100% CPU. According to the profiler on ROS 6.10, that is in ipsec too.
Re: Switching with RouterOS / CRS Questions
Posted: Wed Feb 11, 2015 6:58 pm
by hamid1626
Hi all,
I have a scenario with a CRS126 and a Cloud Router 1009.
We have some wireless devices on the tower that are connected to Ethernet ports on the CRS126.
The MikroTik switch is connected with one cable to the MikroTik router in the server room.
How do I configure the CRS126 so that the Ethernet ports are isolated but still have connectivity with the MikroTik 1009 router?
http://wiki.mikrotik.com/wiki/Manual:CRS_features
Re: Switching with RouterOS / CRS Questions
Posted: Sun May 10, 2015 11:01 pm
by chechito
hello all!
for me are needed three functions:
- broadcast storm control
- loopback detection/protection
is it possible to add these features to Mikrotik CRS? Thanks
Boris
UP !
Broadcast storm control can be done with an ingress policy:
http://wiki.mikrotik.com/wiki/Manual:CR ... rm_Control
Enabling "drop dynamic mac move" in the port configuration prevents unicast FDB poisoning.
Re: Switching with RouterOS / CRS Questions
Posted: Tue May 19, 2015 5:45 am
by SoundGuyFYI
Currently we are still adding Switching features for the CRS. Right now you get only basic Switch functionality, but the hardware allows for much more, and new features will be added with every software update.
Please give us examples of the most important switch functions that you want us to make.
I know this is probably already in the works but I really would like to see LAG implemented soon in the CRS.
Mainly I would like to see the matching options from the MikroTik bonding options. Secondly the complete 802.3ad support.
Is there any update on this?
Re: Switching with RouterOS / CRS Questions
Posted: Tue Jan 26, 2016 3:16 pm
by strelokr
hello all!
for me are needed three functions:
- broadcast storm control
- loopback detection/protection
is it possible to add these features to Mikrotik CRS? Thanks
Boris
UP !
Append to "chechito" message
Read here
http://forum.mikrotik.com/viewtopic.php ... 20#p517620
Re: Switching with RouterOS / CRS Questions
Posted: Wed Feb 17, 2016 3:26 pm
by alexap
As of today, is STP possible on the hardware switch?
Re: Switching with RouterOS / CRS Questions
Posted: Wed Jul 20, 2016 6:27 pm
by alexjhart
Currently we are still adding Switching features for the CRS. Right now you get only basic Switch functionality, but the hardware allows for much more, and new features will be added with every software update.
Please give us examples of the most important switch functions that you want us to make.
How many more updates until we will see spanning tree support?
Re: Switching with RouterOS / CRS Questions
Posted: Fri Sep 09, 2016 5:01 am
by alexap
When will spanning tree be supported?
Re: Switching with RouterOS / CRS Questions
Posted: Tue Mar 07, 2017 11:23 pm
by ploquets
But my management IPs reside not in a VLAN, but rather in the native VLAN, which is not a 802.1q VLAN at all, it is just normal untagged traffic, this is why I put the IP address on the physical master-port (ether24 in my case).
Did you solve this problem? I'm trying to achieve exactly the same.
EDIT:
Here is the magic.
Now it works.
/interface ethernet switch vlan
add ports=$masterport,switch1-cpu vlan-id=0
/ip address add address=$ip-you-want interface=$masterport
Re: Switching with RouterOS / CRS Questions
Posted: Wed Mar 08, 2017 12:10 am
by chechito
Recently I had to tackle this topic in a config, and I think I finally understand how this works.
I will try to do this as a tutorial with 3 VLANs for the integrated switch on the hAP and RB951 series, not for CRS. This tutorial was tested on rb951ui, rb951g and hap lite and works OK:
In this case ether1 is the master port for ether2 to ether5.
1. On the switch, add vlan0 with VID 0 as your native VLAN (I chose vlan0, but it can be any number you want). Add all ports you want to work with that VLAN as native VLAN, plus the switch CPU port, to ensure management and default gateway functionality of the router for that VLAN. In my case I want the native VLAN to work on all ports.
switch 1.jpg
2. Add any other VLAN you need, and add the ports where you want that VLAN to work (tagged), plus the switch CPU port, to ensure management and default gateway functionality of the router for that VLAN. In my case I added vlan10 with VID 10 and vlan20 with VID 20, and only want ether1 and the switch CPU to be in that VLAN; ether1 will be like the trunk port.
switch2.jpg
switch3.jpg
Continued in the next post, as I cannot add more images.
Re: Switching with RouterOS / CRS Questions
Posted: Wed Mar 08, 2017 12:20 am
by chechito
continuing:
my vlan list looks like this:
switch4.jpg
now configure the ports:
switch5.jpg
The first thing to do is configure the native VLAN as the default VLAN on all ports you want, including the switch CPU port. In this case all ports use vlan0 as native VLAN.
Then configure vlan header=always strip on access ports using only one VLAN for end devices, in this case ether2 to ether5.
Configure vlan header=leave as is on trunk ports and the switch CPU port; in this case ether1 is a trunk.
Finally, configure vlan mode=secure to enforce your configuration.
Now add your VLAN interfaces to configure the router IP addresses, using the master port of the switch as the physical interface for these VLANs:
switch6.jpg
From now on you can do what you want with your VLANs, for example add a VLAN to a bridge with another interface, like a virtual AP, to use this VLAN on a separate wireless LAN, or configure a DHCP server, etc.
I invested several hours trying to understand this. I hope this can help somebody to do VLANs quickly and take advantage of this nice functionality.
If you have any doubt, erratum or comment, please post it and I will be happy to answer.
Re: Switching with RouterOS / CRS Questions
Posted: Thu Mar 09, 2017 10:23 am
by ik3umt
I join this post as I'm trying to setup Vlans on CRS125
Summarizing, if I'm right, these are the steps to follow:
1: declare untagged (access) ports. I've seen three methods to do it:
# (crs wiki)
/interface ethernet switch ingress-vlan-translation
add ports=ether6 customer-vid=0 new-customer-vid=200 sa-learning=yes
# (many internet examples)
/interface ethernet switch ingress-vlan-translation
add ports=ether6 new-customer-vid=200 sa-learning=yes
# (becs suggestion on this post)
/interface ethernet switch ingress-vlan-translation
add ports=ether6 customer-vlan-format=untagged-or-tagged new-customer-vid=200 sa-learning=yes service-vlan-format=untagged-or-tagged
What's the best one?
2: declare tagged port(s) for the VLAN trunk:
# (crs wiki)
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether2 vlan-id=200
add tagged-ports=ether2 vlan-id=300
add tagged-ports=ether2 vlan-id=400
3: declare VLAN membership definitions:
# (crs wiki)
/interface ethernet switch vlan
add ports=ether2,ether6 vlan-id=200 learn=yes
add ports=ether2,ether7 vlan-id=300 learn=yes
add ports=ether2,ether8 vlan-id=400 learn=yes
4: if inter-VLAN routing or VLAN-to-WAN routing is needed, add the switch1-cpu port to the tagged VLAN and create the VLAN interface with its own IP address:
# (crs wiki)
/interface ethernet switch egress-vlan-tag
add tagged-ports=switch1-cpu vlan-id=200
add tagged-ports=switch1-cpu vlan-id=300
add tagged-ports=switch1-cpu vlan-id=400
/interface vlan
add name=vlan200 interface=ether2 vlan-id=200
add name=vlan300 interface=ether2 vlan-id=300
add name=vlan400 interface=ether2 vlan-id=400
/ip address
add address=192.168.20.1/24 interface=vlan200 network=192.168.20.0
add address=192.168.30.1/24 interface=vlan300 network=192.168.30.0
add address=192.168.40.1/24 interface=vlan400 network=192.168.40.0
Just two questions please:
What is the purpose of the following declarations, as I have the system working without them?
/interface ethernet switch vlan
add ports=ether2,ether6 vlan-id=200 learn=yes
add ports=ether2,ether7 vlan-id=300 learn=yes
add ports=ether2,ether8 vlan-id=400 learn=yes
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether2,ether6,ether7,ether8
(or)
/interface ethernet switch
set forward-unknown-vlan=no
Thank you
Re: Switching with RouterOS / CRS Questions
Posted: Thu Mar 09, 2017 6:29 pm
by chechito
I have not configured a CRS since 2015, so I don't remember very well.
I remember you need to uncheck the option to forward invalid VLANs on switch settings --> VLAN tab. Be careful, you can lose management!!!
That's the way you know whether your config is filtering VLANs in the appropriate way or not. Be careful, you can lose management.
Re: Switching with RouterOS / CRS Questions
Posted: Tue Apr 25, 2017 4:19 am
by chenier
But my management IPs reside not in a VLAN, but rather in the native VLAN, which is not a 802.1q VLAN at all, it is just normal untagged traffic, this is why I put the IP address on the physical master-port (ether24 in my case).
Did you solve this problem? I'm trying to achieve exactly the same.
EDIT:
Here is the magic.
Now it works.
/interface ethernet switch vlan
add ports=$masterport,switch1-cpu vlan-id=0
/ip address add address=$ip-you-want interface=$masterport
My problem:
Native vlan Management network
Master port is in a bridge so the CRS wifi will work properly with CAPSMAN. However, with a recent update, I can no longer add a DHCP client on the Master port because my master port is slave to the bridge, and I cannot get cpu management to pass to bridge IP
Ideas on how to solve? I believe I a) need bridge to pass traffic to CAP b) can no longer pass cpu management to bridge IP from switch port but c) cannot create management IP on master port as it is slave to the bridge. So stuck since one of the recent updates. Ideas?
p.s. I've managed to lock myself out of switch management on one of my CRS109s after a software update because of this. It is still performing well otherwise while I figure this out.
Re: Switching with RouterOS / CRS Questions
Posted: Tue Apr 25, 2017 5:37 pm
by AnRkey
The master Ethernet port for your switch is a slave to the software bridge as far as I can understand from your post. To fix DHCP, change DHCP server to run from the bridge interface.
Re: Switching with RouterOS / CRS Questions
Posted: Fri Apr 28, 2017 4:25 am
by chenier
My problem:
Native vlan Management network
Master port is in a bridge so the CRS wifi will work properly with CAPSMAN. However, with a recent update, I can no longer add a DHCP client on the Master port because my master port is slave to the bridge, and I cannot get cpu management to pass to bridge IP
Ideas on how to solve? I believe I a) need bridge to pass traffic to CAP b) can no longer pass cpu management to bridge IP from switch port but c) cannot create management IP on master port as it is slave to the bridge. So stuck since one of the recent updates. Ideas?
p.s. I've managed to lock myself out of switch management on one of my CRS109s after a software update because of this. It is still performing well otherwise while I figure this out.
I have figured out my problem. All is working well now. I had a couple config errors in the switch chip setup.
a) I was over-using the /interface ethernet switch egress-vlan-tag -- This only needs to be added for trunk ports when the switch has an edge port for that vlan and is not required for pass through vlans or when you have a virtual AP controlled by CAPSMAN
b) I was including switch1-cpu when it should not be in /interface ethernet switch set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=...
My setup: CRS109 with wireless setup as CAP with multiple vlans/vAPs, all ports switched, first 4 ports and sfp as pass through trunk ports and last 4 ethernet ports as edge ports for one of the vlans. Management network on native or vlan0
My setup looks like:
/interface bridge
add name=bridge1
/ip dhcp-client
add disabled=no interface=bridge1
/interface wireless cap
set bridge=bridge1 caps-man-addresses=10.20.0.1 enabled=yes interfaces=wlan1
/interface ethernet
set [ find default-name=ether2 ] name=ether2m
set [ find default-name=ether3 ] master-port=ether2m
set [ find default-name=ether4 ] master-port=ether2m
set [ find default-name=ether5 ] master-port=ether2m
set [ find default-name=ether6 ] master-port=ether2m
set [ find default-name=ether7 ] master-port=ether2m
set [ find default-name=ether8 ] master-port=ether2m
set [ find default-name=sfp1 ] master-port=ether2m
set [ find default-name=ether1 ] master-port=ether2m
/interface bridge port
add bridge=bridge1 interface=ether2m
add bridge=bridge1 interface=wlan1
/interface ethernet switch vlan
add ports=ether1,ether2m,ether3,ether4,sfp1,switch1-cpu vlan-id=0
add ports=ether1,ether2m,ether3,ether4,sfp1,switch1-cpu vlan-id=110
add ports=ether1,ether2m,ether3,ether4,sfp1,switch1-cpu vlan-id=120
add ports=ether1,ether2m,ether3,ether4,ether5,ether6,ether7,ether8,sfp1,switch1-cpu vlan-id=150
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether1,ether2m,ether3,ether4,sfp1,switch1-cpu vlan-id=150
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=150 ports=ether5,ether6,ether7,ether8
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether3,ether4,ether5,ether6,ether7,ether8,sfp1,ether1,ether2m \
drop-if-no-vlan-assignment-on-ports=ether5,ether6,ether7,ether8 \
forward-unknown-vlan=no
Edit: adding photo of above setup
CRS109 Setup Example (1).jpg
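The lockout conditions discussed in this thread (untagged management IP on the master-port without a VLAN 0 table entry, switch1-cpu in the drop list, a VLAN interface without switch1-cpu tagged, ports missing from the VLAN table) can be checked offline against an `/export` before it is applied. This Python lint is an added example, not code from any poster or from MikroTik; the rule names, both sample exports and the assumption that an omitted `vlan-id` means 0 are constructed for illustration.

```python
import re
import shlex

CPU = "switch1-cpu"
SW = "/interface ethernet switch"
DROP = "drop-if-invalid-or-src-port-not-member-of-vlan-on-ports"

def parse_export(text):
    """Turn a RouterOS export into [(menu, verb, {key: value}), ...]."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join backslash-continued lines
    menu, records = "", []
    for line in text.splitlines():
        line = re.sub(r"\[[^\]]*\]", "", line).strip()  # drop "[ find ... ]"
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # also removes the quotes around port lists
        at = next((i for i, t in enumerate(tokens) if t in ("add", "set")), len(tokens))
        if line.startswith("/"):
            menu = " ".join(tokens[:at])
        if at < len(tokens):
            args = dict(t.split("=", 1) for t in tokens[at + 1:] if "=" in t)
            records.append((menu, tokens[at], args))
    return records

def _ports(value):
    return {p for p in value.split(",") if p}

def lint_crs_vlans(export_text):
    """Return sorted [(code, detail)] for settings that can cut off management."""
    settings, members, tagged, access = {}, {}, {}, {}
    masters, vlan_ifs, addr_ifs = set(), [], []
    for menu, verb, a in parse_export(export_text):
        if menu == SW and verb == "set":
            settings.update(a)
        elif menu == SW + " vlan" and verb == "add":
            # Assumption: the export omits vlan-id when it is the default, 0.
            members.setdefault(int(a.get("vlan-id", 0)), set()).update(_ports(a.get("ports", "")))
        elif menu == SW + " egress-vlan-tag" and "vlan-id" in a:
            tagged.setdefault(int(a["vlan-id"]), set()).update(_ports(a.get("tagged-ports", "")))
        elif menu == SW + " ingress-vlan-translation" and "new-customer-vid" in a:
            access.setdefault(int(a["new-customer-vid"]), set()).update(_ports(a.get("ports", "")))
        elif menu == "/interface ethernet" and a.get("master-port", "none") != "none":
            masters.add(a["master-port"])
        elif menu == "/interface vlan" and "vlan-id" in a and "interface" in a:
            vlan_ifs.append((int(a["vlan-id"]), a["interface"]))
        elif menu == "/ip address" and "interface" in a:
            addr_ifs.append(a["interface"])
    filtered = _ports(settings.get(DROP, ""))
    strict = settings.get("forward-unknown-vlan") == "no" or bool(filtered)
    out = []
    if strict:
        # Every tagged or access port must also be in the VLAN table entry.
        for vid in sorted(set(tagged) | set(access)):
            missing = (tagged.get(vid, set()) | access.get(vid, set())) - members.get(vid, set())
            if missing:
                out.append(("PORT-NOT-IN-VLAN-TABLE", f"vlan {vid}: {sorted(missing)}"))
        # Untagged management on the master-port needs VLAN 0 with the CPU port.
        if any(i in masters for i in addr_ifs) and CPU not in members.get(0, set()):
            out.append(("UNTAGGED-MGMT-NO-VLAN0", "IP on master-port, no VLAN 0 entry with " + CPU))
    if CPU in filtered:  # reported in this thread as a cause of lost management
        out.append(("CPU-IN-DROP-LIST", CPU + " listed in " + DROP))
    for vid, iface in vlan_ifs:
        # A VLAN interface on the master-port is reached through switch1-cpu.
        if iface in masters and (CPU not in tagged.get(vid, set())
                                 or (strict and CPU not in members.get(vid, set()))):
            out.append(("VLAN-IF-CPU-NOT-TAGGED", f"vlan {vid} on {iface}"))
    return sorted(out)

def finding_codes(export_text):
    return [code for code, _ in lint_crs_vlans(export_text)]

# Constructed sample exports (not taken from a real device).
BROKEN = r"""
/interface ethernet
set [ find default-name=ether1 ] master-port=ether24
set [ find default-name=ether2 ] master-port=ether24
/interface vlan
add name=vlan59 vlan-id=59 interface=ether24
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports="ether1,ether2,\
    ether24,switch1-cpu" forward-unknown-vlan=no
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether24 vlan-id=59
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=59 ports=ether1 sa-learning=yes
/interface ethernet switch vlan
add ports=ether1,ether24 vlan-id=59
/ip address
add address=172.16.16.8/24 interface=ether24
"""
FIXED = (BROKEN
         .replace("ether24,switch1-cpu\"", "ether24\"")
         .replace("add tagged-ports=ether24 ", "add tagged-ports=ether24,switch1-cpu ")
         .replace("add ports=ether1,ether24 vlan-id=59",
                  "add ports=ether1,ether2,ether24,switch1-cpu vlan-id=0\n"
                  "add ports=ether1,ether24,switch1-cpu vlan-id=59"))

if __name__ == "__main__":
    for name, text in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, lint_crs_vlans(text) or "no findings")
```

The lint only looks at an IP address placed directly on the master-port; a master-port enslaved to a bridge, as in the CRS109 setup above, is outside what it checks.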
Re: Switching with RouterOS / CRS Questions
Posted: Mon May 01, 2017 11:48 pm
by chenier
Here are my notes on how to achieve the above setup with the fewest possible steps (except some added configuration enhancements).
It took some trial and error to not do stupid things like lock myself out of Webfig. Hope this helps someone else.
Selection_267.jpg
Selection_268.jpg