MikroTik CloudRouterSwitch Features and...
![Page 1: MikroTik CloudRouterSwitch Features and …mum.mikrotik.com/presentations/EU17/presentation_4068...RouterOS v6.38 contains STP/RSTP changes which makes bridges compatible with IEEE](https://reader031.fdocuments.in/reader031/viewer/2022041003/5ea52af2cc269e48b35aa1c8/html5/thumbnails/1.jpg)
MikroTik CloudRouterSwitch
MUM EU 2017 Milan | Sebastian Inacker | © FMS Internetservice GmbH
Features and configurations
Overview
Big picture
• Company Profile
• Introduction
• Hardware STP
• Switch Configurations
FMS Internetservice GmbH
Company Profile
About me
• Sebastian Inacker <[email protected]>
• FMS Internetservice GmbH, Germany
• MikroTik Trainer (TR0011, May 2007)
• MTCNA, MTCRE, MTCTCE, MTCUME, MTCWE, MTCIPv6E, MTCINE
• Own training center and on site (So far: Austria, Germany, Hungary, Luxembourg, Malta, Netherlands, Switzerland, Uganda)
FMS Internetservice GmbH
• Value Added Distributor
• Distribution
• Training
• Consulting
• Support
• Founded 1997
• 11 employees
• Southern Germany
Get in Touch
• Website: http://www.fmsweb.de
• MikroTik Mirror: http://www.mikrotik-software.de
• Shop: http://www.mikrotik-shop.de
• Wiki: http://wiki.fmsweb.de
• Twitter: https://twitter.com/fmsweb_de
• Facebook: https://www.facebook.com/fmsinternetservice
• Phone: +49 761 2926500
• Email: [email protected]
Training Center
• Official MikroTik trainings
• All certification levels
• First German speaking partner
• Two trainers
• Own training facility
• Inquiries: [email protected]
Sebastian Inacker: TR11
Patrik Schaub: TR23
Distributor Table
Distributor Table
Live Demonstrations:
• Nokia Vplus setup
• Nokia AMS demonstration
• CRS 10G on 10 meter copper
Distributor Table
• Learn about Vectoring, VDSL+ and G.FAST with Alcatel-Lucent
MikroTik Based Accesspoint
Do you need towers or masts? Contact [email protected]
Introduction
About this talk
Topic: RouterOS on CRS (Cloud Router Switch)
Not: CSS (Cloud Smart Switch) with SwOS or switch chip on RB (RouterBOARD)
CRS or RB?
RouterBoard or CloudRouterSwitch?
• RouterBOARD intended to be a router
• CloudRouterSwitch intended to be a switch
You can use them differently. Success depends on your needs

| CRS125-24G-1S | Configuration | Mbps (1518 bytes) |
| --- | --- | --- |
| Switching | Non blocking Layer 2 throughput | 24,674.9 |
| Bridging or Routing | none (fast path) | 983.7 |

Bridge or switch chip (on CRS)?
Bridging (RouterOS)
Switching (switch chip)
Switch chip on RouterBOARD
• Wirespeed switching
• Different switch chips
• Different features (ACL, VLAN)
Wirespeed
Layer 1 throughput: Wirespeed at all packet sizes
(Capacity only for comparison with other vendors)

Packet sizes / Mbps

| CRS125-24G-1S | Configuration | 64 bytes | 512 bytes | 1518 bytes |
| --- | --- | --- | --- | --- |
| Switching | Non blocking Layer 1 throughput | 25,000 | 25,000 | 25,000 |
| Switching | Non blocking Layer 1 capacity | 50,000 | 50,000 | 50,000 |

CRS overview

| Model | Ethernet | SFP | SFP+ | ACL | CPU / RAM |
| --- | --- | --- | --- | --- | --- |
| CRS106-1C-5S | 0-1 | 5-6 | - | Yes | 400 MHz / 128 MB |
| CRS212-1G-10S-1S+ | 1 | 10 | 1 | Yes | 400 MHz / 64 MB |
| CRS109-8G-1S-2HnD | 8 | 1 | - | No | 600 MHz / 128 MB |
| CRS112-8G-4S | 8 | 4 | - | Yes | 400 MHz / 128 MB |
| CRS210-8G-2S+ | 8 | Up to 1 (sfp1) | 1-2 (sfp1, sfp2) | Yes | 400 MHz / 64 MB |
| CRS125-24G-1S(-2HnD) | 24 | 1 | - | No | 600 MHz / 128 MB |
| CRS226-24G-2S+ | 24 | Up to 1 (sfp1) | 1-2 (sfp1, sfp2) | Yes | 400 MHz / 64 MB |

Switch, 16x ethernet
Switch > 16x ethernet

| Model | Ethernet | SFP+ | CPU / RAM | L1 Throughput | ACL |
| --- | --- | --- | --- | --- | --- |
| CRS125-24G-1S | 24 | - | 600 MHz / 128 MB | 25,000 Mbps | No |
| CRS226-24G-2S+ | 24 | 1-2 (sfp1, sfp2) | 400 MHz / 64 MB | 44,000 Mbps | Yes |

Hardware STP
Hardware STP
(R)STP = (Rapid) Spanning Tree Protocol: Detect and prevent loops on your layer 2 network.
Hardware STP available since RouterOS v6.38rc2
Hardware STP
Simple setup:
• Define master port
• Create bridge(s) with RSTP
• Add (only) master port to bridge
Hardware STP
Create RSTP bridge Add master port
Result: ether2 dynamic
Reference

```
/interface ethernet
set [ find default-name=ether1 ] name=ether1-master
set [ find default-name=ether2 ] master-port=ether1-master name=ether2-slave
/interface bridge
add name=bridge1 protocol-mode=rstp
/interface bridge port
add bridge=bridge1 interface=ether1-master
```

Hardware STP
Changelog: What's new in 6.38 (2016-Dec-30 11:33):
Important note!!!
RouterOS v6.38 contains STP/RSTP changes which makes bridges compatible with IEEE 802.1Q-2014 by sending and processing BPDU packets without VLAN tag.
To avoid STP/RSTP compatibility issues with older RouterOS versions, upgrade RouterOS to v6.38 on all routers in Layer2 networks with VLAN and STP/RSTP configurations.
Hardware STP
What does this mean?
• Bridge Protocol Data Units (BPDUs, for STP loop detection) untagged.
• Loop detection: Untagged
• No dedicated loop detection per-VLAN (yet)
What could be a problem?
• More than one VLAN on interfaces: Loop on one VLAN will disable forwarding on interface, not VLAN
Hardware STP
No Problem (Loop detection as expected), if
• Only one VLAN on each interface
• No VLAN
Why did MikroTik do that?
• Switch chip hardware uses standard STP/RSTP protocol (IEEE 802.1Q-2014), which is not VLAN aware
• SW and HW Spanning Tree implementation compatible
Per-VLAN STP/RSTP: planned in future
Wirespeed configurations
Common configurations
• One device, multiple switches
• Access Control Lists
• Split your trunk
• Dynamic VLAN definitions
  • MAC based
  • Protocol based
• Advanced traffic control example
  • Client isolation
  • Throughput control
One device, multiple switches
24 port CRS → 3x 8 port switches
One device, multiple switches
Short, simple: 3 master ports:
Effective port isolation of connected devices
Switch chip on CRS: Multiple master ports
Reference

```
/interface ethernet
set ether02,ether03,ether04,ether05,ether06,ether07,ether08 master-port=ether01
set ether10,ether11,ether12,ether13,ether14,ether15,ether16 master-port=ether09
set ether18,ether19,ether20,ether21,ether22,ether23,ether24 master-port=ether17
```

Access Control Lists
ACL
Access Control Lists:
• ACL tables: Ingress (incoming) and Egress (outgoing)
• Up to 128 ACL rules (RouterOS limitation)
  Switch Chip CRS1xx / CRS2xx: 512 rules, CSS326 256 rules (SwitchOS)
• Classification based on ports, L2, L3, L4 protocol header fields
ACL and wirespeed
ACL rules do not affect wirespeed switching!
• 128 ACL rules
• Tx/Rx Rate: 9.8Gbps
ACL support

| Model | Switch Chip | Access Control List |
| --- | --- | --- |
| CRS106-1C-5S | QCA-8511 | Yes (128 rules available) |
| CRS112-8G-4S | QCA-8511 | Yes (128 rules available) |
| CRS210-8G-2S+ | QCA-8519 | Yes (128 rules available) |
| CRS212-1G-10S-1S+ | QCA-8519 | Yes (128 rules available) |
| CRS226-24G-2S+ | QCA-8519 | Yes (128 rules available) |
| CRS125-24G-1S | QCA-8513L | No |
| CRS125-24G-1S-2HnD | QCA-8513L | No |
| CRS109-8G-1S-2HnD | QCA-8513L | No |

ACL setups
ACL – stay on your port!
Bind 02:DE:AB:CD:EF:11 to ether2
[Figure: switch ports ether1, ether2, ether3, ether4]
ACL – stay on your port!
02:DE:AB:CD:EF:11 only at ether2:
ACL – stay on your port!
Deny 02:DE:AB:CD:EF:11 on other port:
ACL – stay on your port!
Drop anything (other) on ether2:
Reference

```
/interface ethernet
set ether2,ether3,ether4,ether5,ether6,ether7,ether8 master-port=ether1
# MAC 02:DE:AB:CD:EF:11 on ether2.
/interface ethernet switch acl
add table=ingress action=forward mac-src-address=02:DE:AB:CD:EF:11 \
    src-ports=ether2 comment="Allow MAC 02:DE:AB:CD:EF:11 on ether2"
add table=ingress action=drop mac-src-address=02:DE:AB:CD:EF:11 \
    comment="Deny MAC 02:DE:AB:CD:EF:11 on any (other) port"
add table=ingress action=drop src-ports=ether2 \
    comment="Deny anything (other) on ether2"
```

ACL – stay on your port!
• Bind 02:DE:AB:CD:EF:11 to ether2 (done)
• Allow any MikroTik on ether3
[Figure: switch ports ether1, ether2, ether3, ether4]
ACL – stay on your port!
Allow any MikroTik on ether3
Reference

```
# Allow any MikroTik on ether3 (table=ingress, action=forward)
/interface ethernet switch acl
add mac-src-address=4C:5E:0C:00:00:01/FF:FF:FF:00:00:00 src-ports=ether3
add mac-src-address=E4:8D:8C:00:00:01/FF:FF:FF:00:00:00 src-ports=ether3
add mac-src-address=D4:CA:6D:00:00:01/FF:FF:FF:00:00:00 src-ports=ether3
add mac-src-address=6C:3B:6B:00:00:01/FF:FF:FF:00:00:00 src-ports=ether3
add mac-src-address=00:0C:42:00:00:01/FF:FF:FF:00:00:00 src-ports=ether3
add mac-src-address=64:D1:54:00:00:01/FF:FF:FF:00:00:00 src-ports=ether3
add action=drop src-ports=ether3
```

ACL – stay on your port!
Caveat:
Default drop
/interface ethernet switch acl add action=drop
will disconnect you even on non-switch-chip-ports
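
The rule order in the "stay on your port" references and the default-drop caveat can be checked offline before touching the switch. The following is an added example, not code from the talk; it assumes rules are evaluated top to bottom with the first match deciding and unmatched frames forwarded, and the names `AclRule`, `evaluate` and `audit` are hypothetical.

```python
"""First-match model of the ingress ACL rules from the slides (added example).

Assumptions, not taken from the slides: rules are evaluated top to bottom,
the first matching rule decides, and a frame matching no rule is forwarded.
"""
from dataclasses import dataclass
from typing import Optional

FULL_MASK = 0xFFFFFFFFFFFF
BOUND_MAC = "02:DE:AB:CD:EF:11"
OUI_MASK = "FF:FF:FF:00:00:00"
MIKROTIK_PREFIXES = ["4C:5E:0C", "E4:8D:8C", "D4:CA:6D",
                     "6C:3B:6B", "00:0C:42", "64:D1:54"]


def mac_to_int(mac):
    return int(mac.replace(":", ""), 16)


def split_mac(spec):
    """Turn 'MAC' or 'MAC/MASK' into (masked value, mask) integers."""
    value, _, mask = spec.partition("/")
    mask_int = mac_to_int(mask) if mask else FULL_MASK
    return mac_to_int(value) & mask_int, mask_int


@dataclass
class AclRule:
    action: str = "forward"           # the OUI reference relies on this default
    mac_src: Optional[str] = None     # mac-src-address, optionally with /mask
    src_port: Optional[str] = None    # src-ports (one port per rule here)

    def matches(self, port, mac):
        if self.src_port is not None and port != self.src_port:
            return False
        if self.mac_src is not None:
            value, mask = split_mac(self.mac_src)
            return (mac_to_int(mac) & mask) == value
        return True


def evaluate(rules, port, mac):
    """Return (action, index of the deciding rule or None)."""
    for index, rule in enumerate(rules):
        if rule.matches(port, mac):
            return rule.action, index
    return "forward", None


def covers(earlier, later):
    """True if every frame matched by `later` is already matched by `earlier`."""
    if earlier.src_port is not None and earlier.src_port != later.src_port:
        return False
    if earlier.mac_src is None:
        return True
    if later.mac_src is None:
        return False
    e_val, e_mask = split_mac(earlier.mac_src)
    l_val, l_mask = split_mac(later.mac_src)
    return (e_mask & l_mask) == e_mask and (l_val & e_mask) == e_val


def audit(rules):
    """Find rules that can never fire and drops without any match field."""
    shadowed = [j for j, later in enumerate(rules)
                if any(covers(rules[i], later) for i in range(j))]
    catch_all = [i for i, r in enumerate(rules)
                 if r.action == "drop" and r.mac_src is None and r.src_port is None]
    return {"shadowed": shadowed, "catch_all_drop": catch_all}


def slide_rules():
    """The rules from the two reference slides, in the order shown."""
    rules = [
        AclRule("forward", BOUND_MAC, "ether2"),  # allow the bound MAC on ether2
        AclRule("drop", BOUND_MAC),               # deny it on any (other) port
        AclRule("drop", None, "ether2"),          # deny anything (other) on ether2
    ]
    rules += [AclRule(mac_src=f"{p}:00:00:01/{OUI_MASK}", src_port="ether3")
              for p in MIKROTIK_PREFIXES]
    rules.append(AclRule("drop", src_port="ether3"))
    return rules


if __name__ == "__main__":
    rules = slide_rules()
    # Constructed test frames: (ingress port, source MAC).
    for port, mac in [("ether2", BOUND_MAC), ("ether4", BOUND_MAC),
                      ("ether3", "E4:8D:8C:12:34:56"), ("ether4", "02:00:00:00:00:99")]:
        print(port, mac, evaluate(rules, port, mac))
    print(audit(rules))
    print(audit(rules + [AclRule("drop")]))   # the caveat: drop with no match field
```

The prefix rules compare only the first three bytes, so they admit any address carrying a listed vendor prefix rather than one specific device.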
ACL vs. Bridge filter
ACL = wirespeed

| Mode (CRS125-24G-1S) | Configuration | Mbps (1518 bytes) |
| --- | --- | --- |
| Switching | Non blocking Layer 2 throughput | 24,674.9 |
| Bridging | 25 bridge filter rules | 983.7 |

ACL
Many common setups possible without ACL

| Model | Switch Chip | Access Control List |
| --- | --- | --- |
| CRS125-24G-1S | QCA-8513L | No |
| CRS125-24G-1S-2HnD | QCA-8513L | No |
| CRS109-8G-1S-2HnD | QCA-8513L | No |

Multiple possible setups
Split your trunk
• One uplink to data center
• 3 carriers at data center
• VLAN to separate / distribute
ether1: VLAN 10, 20, 30
ether2: VLAN 10
ether3: VLAN 20
ether4: VLAN 30
ether1: Trunk port
ether2 – ether4: Access ports
Egress, outgoing to trunk port
Switch → VLAN
Ingress, incoming from access port
Switch → VLAN
Reference

```
# Create switch
/interface ethernet
set [ find default-name=ether1 ] name=ether1-trunk
set [ find default-name=ether2 ] master-port=ether1-trunk name=ether2-v10
set [ find default-name=ether3 ] master-port=ether1-trunk name=ether3-v20
set [ find default-name=ether4 ] master-port=ether1-trunk name=ether4-v30
# Assign VLANs to trunk port
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether1-trunk vlan-id=10
add tagged-ports=ether1-trunk vlan-id=20
add tagged-ports=ether1-trunk vlan-id=30
# Translate untagged traffic to specified VLAN
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=10 ports=ether2-v10
add customer-vid=0 new-customer-vid=20 ports=ether3-v20
add customer-vid=0 new-customer-vid=30 ports=ether4-v30
# to be continued…
```

Reference
# CVID = Customer VLAN ID = inner VLAN tag id of the IEEE 802.1ad frame
# SVID = Service VLAN ID = outer VLAN tag id of the IEEE 802.1ad frame
Split your trunk
Done! Wait… IP management?
IP reachable from access port side. Not from trunk port side!
Split your trunk
Done! Wait… IP management?
IP not reachable from access port side
Not from trunk port side
Switch (chip) does not know about VLAN / IP config (RouterOS part)
Management IP
Add “switch1-cpu” to switch egress-vlan-tag:
Understanding of VLAN tags also from CPU-port (RouterOS).
No performance issue
Reference

```
# Split your trunk, part 2
/interface vlan
add interface=ether1-trunk name=vlan10.ether1 vlan-id=10
add interface=ether1-trunk name=vlan20.ether1 vlan-id=20
add interface=ether1-trunk name=vlan30.ether1 vlan-id=30
/ip address
add address=10.20.20.20/24 interface=vlan20.ether1
add address=10.10.10.10/24 interface=vlan10.ether1
add address=10.30.30.30/24 interface=vlan30.ether1
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether1-trunk,switch1-cpu vlan-id=10
add tagged-ports=ether1-trunk,switch1-cpu vlan-id=20
add tagged-ports=ether1-trunk,switch1-cpu vlan-id=30
```

Unknown VLANs
Potential issue:
• Unknown VLANs are not filtered
Specify valid VLANs:
Switch → VLAN
Unknown VLANs
Disable forwarding for unspecified VLANs
Switch → Settings → VLAN
Reference

```
# Define (all) valid VLANs
/interface ethernet switch vlan
add ports=switch1-cpu,ether2-v10,ether1-trunk vlan-id=10
add ports=switch1-cpu,ether3-v20,ether1-trunk vlan-id=20
add ports=switch1-cpu,ether4-v30,ether1-trunk vlan-id=30
# Disable forwarding of unknown VLANs
/interface ethernet switch set forward-unknown-vlan=no
```

Note

```
# Be careful: forward-unknown-vlan=no -> define all used VLANs on that device
#
# Switch 1: No VLAN
# Switch 2: Only VLAN 10
#
# Use:
#
# /interface ethernet switch vlan
# add ports=ether5-sw1,ether6-sw1 vlan-id=0
# add ports=ether7-sw2,ether8-sw2 vlan-id=10
# /interface ethernet switch set forward-unknown-vlan=no
```

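
A pre-flight check for the note above, written as an added example (not code from the talk): it reads a RouterOS export and reports VLAN IDs or ports that are used but missing from the switch VLAN table before `forward-unknown-vlan=no` takes effect. The function names are hypothetical, the embedded config is constructed from the "Split your trunk" reference, and the membership rule is an assumption derived from that reference.

```python
"""Pre-flight check before setting forward-unknown-vlan=no (added example).

Assumption drawn from the reference config: every port that a section
associates with a VLAN ID should be a member of that ID in the switch VLAN
table. The parser handles only simple key=value export lines.
"""
SWITCH = "/interface ethernet switch"

# Constructed input: final state of the "Split your trunk" reference.
PAGE_CONFIG = """\
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether1-trunk,switch1-cpu vlan-id=10
add tagged-ports=ether1-trunk,switch1-cpu vlan-id=20
add tagged-ports=ether1-trunk,switch1-cpu vlan-id=30
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=10 ports=ether2-v10
add customer-vid=0 new-customer-vid=20 ports=ether3-v20
add customer-vid=0 new-customer-vid=30 ports=ether4-v30
/interface ethernet switch vlan
add ports=switch1-cpu,ether2-v10,ether1-trunk vlan-id=10
add ports=switch1-cpu,ether3-v20,ether1-trunk vlan-id=20
add ports=switch1-cpu,ether4-v30,ether1-trunk vlan-id=30
/interface ethernet switch set forward-unknown-vlan=no
"""

# Sections that attach ports to a VLAN ID: (VLAN key, port-list key).
USES = {
    SWITCH + " egress-vlan-tag": ("vlan-id", "tagged-ports"),
    SWITCH + " ingress-vlan-translation": ("new-customer-vid", "ports"),
}


def parse_export(text):
    """Yield (menu path, {key: value}) for each add/set line."""
    path = ""
    for raw in text.replace("\\\n", " ").splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        if tokens[0].startswith("/"):
            # A menu path, optionally followed by a command on the same line.
            cut = next((i for i, t in enumerate(tokens) if t in ("add", "set")),
                       len(tokens))
            path, tokens = " ".join(tokens[:cut]), tokens[cut:]
        if tokens:
            yield path, dict(t.split("=", 1) for t in tokens[1:] if "=" in t)


def audit_vlans(text):
    """Return (filtering_enabled, findings as (vlan, port or None, section))."""
    members, uses, filtering = {}, [], False
    for path, params in parse_export(text):
        if path == SWITCH + " vlan" and "vlan-id" in params:
            ports = params.get("ports", "").split(",")
            members.setdefault(int(params["vlan-id"]), set()).update(ports)
        elif path in USES and USES[path][0] in params:
            vlan_key, port_key = USES[path]
            section = path.rsplit(" ", 1)[1]
            for port in params.get(port_key, "").split(","):
                uses.append((int(params[vlan_key]), port, section))
        elif path == SWITCH and params.get("forward-unknown-vlan") == "no":
            filtering = True
    findings = set()
    for vlan, port, section in uses:
        if vlan not in members:
            findings.add((vlan, None, section))   # VLAN ID not defined at all
        elif port not in members[vlan]:
            findings.add((vlan, port, section))   # port missing from member list
    return filtering, sorted(findings, key=str)


if __name__ == "__main__":
    print(audit_vlans(PAGE_CONFIG))
    # Constructed fault: the CPU port is left out of VLAN 20's member list.
    broken = PAGE_CONFIG.replace("ports=switch1-cpu,ether3-v20", "ports=ether3-v20")
    print(audit_vlans(broken))
```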
Dynamic VLAN definitions
MAC based dynamic VLAN
VLAN definition, based on MAC address
• 4C:5E:0C:C7:47:69 = VLAN 50
• F0:DE:F1:78:33:56 = VLAN 60
[Figure: two access ports; 4C:5E:0C:C7:47:69 = VLAN 50, F0:DE:F1:78:33:56 = VLAN 60]
MAC based dynamic VLAN
Switch → Ports → Ports → etherX
Switch → VLAN
MAC based dynamic VLAN
Specific MAC address required (no mask)
Switch → VLAN → MAC Based VLAN
Reference

```
# Create switch
/interface ethernet
set ether2 master-port=ether1
set ether3 master-port=ether1
# Define trunk port
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether1 vlan-id=50
add tagged-ports=ether1 vlan-id=60
# enable MAC based VLAN translation
/interface ethernet switch port
set ether2 allow-fdb-based-vlan-translate=yes
set ether3 allow-fdb-based-vlan-translate=yes
# Assign VLANs to MAC addresses
/interface ethernet switch mac-based-vlan
add src-mac=4c:5E:0c:C7:47:69 new-customer-vid=50
add src-mac=F0:DE:F1:78:33:56 new-customer-vid=60
```

MAC based dynamic VLAN (ACL)
VLAN definition, based on MAC address
- VLAN 100 = MikroTik devices
- VLAN 200 = All VoIP phones
- VLAN 500 = Rest

[Diagram: three access ports]
![Page 68: MikroTik CloudRouterSwitch Features and …mum.mikrotik.com/presentations/EU17/presentation_4068...RouterOS v6.38 contains STP/RSTP changes which makes bridges compatible with IEEE](https://reader031.fdocuments.in/reader031/viewer/2022041003/5ea52af2cc269e48b35aa1c8/html5/thumbnails/68.jpg)
MAC based dynamic VLAN (ACL)
Switch → ACL
![Page 69: MikroTik CloudRouterSwitch Features and …mum.mikrotik.com/presentations/EU17/presentation_4068...RouterOS v6.38 contains STP/RSTP changes which makes bridges compatible with IEEE](https://reader031.fdocuments.in/reader031/viewer/2022041003/5ea52af2cc269e48b35aa1c8/html5/thumbnails/69.jpg)
Reference
```
/interface ethernet
set [ find default-name=ether2 ] master-port=ether1

/interface ethernet switch acl
# MikroTik devices with MAC 00:0C:42:*:*:* -> VLAN 100
add table=ingress action=forward \
    mac-src-address=00:0C:42:00:00:00/FF:FF:FF:00:00:00 \
    new-customer-vid=100 src-ports=ether2
# VoIP phones with MAC 02:B1:B0:*:*:* -> VLAN 200
add table=ingress action=forward \
    mac-src-address=02:B1:B0:3A:4C:55/FF:FF:FF:00:00:00 \
    new-customer-vid=200 src-ports=ether2
# Rest -> VLAN 500
add table=ingress action=forward new-customer-vid=500 src-ports=ether2
```
![Page 70: MikroTik CloudRouterSwitch Features and …mum.mikrotik.com/presentations/EU17/presentation_4068...RouterOS v6.38 contains STP/RSTP changes which makes bridges compatible with IEEE](https://reader031.fdocuments.in/reader031/viewer/2022041003/5ea52af2cc269e48b35aa1c8/html5/thumbnails/70.jpg)
Protocol based dynamic VLAN
VLAN definition, based on protocol
- PPPoE = VLAN 100
- IP = VLAN 200

[Diagram: two access ports; VLAN 100 = PPPoE, VLAN 200 = IP traffic]
![Page 71: MikroTik CloudRouterSwitch Features and …mum.mikrotik.com/presentations/EU17/presentation_4068...RouterOS v6.38 contains STP/RSTP changes which makes bridges compatible with IEEE](https://reader031.fdocuments.in/reader031/viewer/2022041003/5ea52af2cc269e48b35aa1c8/html5/thumbnails/71.jpg)
Protocol based dynamic VLAN
Set VLAN for PPPoE (discovery & session)
Switch → VLAN → Protocol Based VLAN
![Page 72: MikroTik CloudRouterSwitch Features and …mum.mikrotik.com/presentations/EU17/presentation_4068...RouterOS v6.38 contains STP/RSTP changes which makes bridges compatible with IEEE](https://reader031.fdocuments.in/reader031/viewer/2022041003/5ea52af2cc269e48b35aa1c8/html5/thumbnails/72.jpg)
Protocol based dynamic VLAN
Set VLAN for IP (IP & ARP)
Switch → VLAN → Protocol Based VLAN
![Page 73: MikroTik CloudRouterSwitch Features and …mum.mikrotik.com/presentations/EU17/presentation_4068...RouterOS v6.38 contains STP/RSTP changes which makes bridges compatible with IEEE](https://reader031.fdocuments.in/reader031/viewer/2022041003/5ea52af2cc269e48b35aa1c8/html5/thumbnails/73.jpg)
Protocol based dynamic VLAN
Configure trunk port
Protocol
- pppoe-discovery
- pppoe-session
- ip
- arp
Switch → VLAN → Protocol Based VLAN
![Page 74: MikroTik CloudRouterSwitch Features and …mum.mikrotik.com/presentations/EU17/presentation_4068...RouterOS v6.38 contains STP/RSTP changes which makes bridges compatible with IEEE](https://reader031.fdocuments.in/reader031/viewer/2022041003/5ea52af2cc269e48b35aa1c8/html5/thumbnails/74.jpg)
Protocol based dynamic VLAN
Switch → VLAN
![Page 75: MikroTik CloudRouterSwitch Features and …mum.mikrotik.com/presentations/EU17/presentation_4068...RouterOS v6.38 contains STP/RSTP changes which makes bridges compatible with IEEE](https://reader031.fdocuments.in/reader031/viewer/2022041003/5ea52af2cc269e48b35aa1c8/html5/thumbnails/75.jpg)
Reference
```
/interface ethernet
set [ find default-name=ether1 ] name=ether1-trunk
set [ find default-name=ether2 ] master-port=ether1-trunk name=ether2-clients

/interface ethernet switch protocol-based-vlan
add ports=ether2-clients protocol=pppoe-discovery set-customer-vid-for=all \
    new-customer-vid=100 set-service-vid-for=none
add ports=ether2-clients protocol=pppoe set-customer-vid-for=all \
    new-customer-vid=100 set-service-vid-for=none
add ports=ether2-clients protocol=ip set-customer-vid-for=all \
    new-customer-vid=200 set-service-vid-for=none
add ports=ether2-clients protocol=arp set-customer-vid-for=all \
    new-customer-vid=200 set-service-vid-for=none
add ports=ether1-trunk protocol=pppoe-discovery set-customer-vid-for=all \
    new-customer-vid=0 set-service-vid-for=none
add ports=ether1-trunk protocol=pppoe set-customer-vid-for=all \
    new-customer-vid=0 set-service-vid-for=none
add ports=ether1-trunk protocol=ip set-customer-vid-for=all \
    new-customer-vid=0 set-service-vid-for=none
add ports=ether1-trunk protocol=arp set-customer-vid-for=all \
    new-customer-vid=0 set-service-vid-for=none
```
![Page 76: MikroTik CloudRouterSwitch Features and …mum.mikrotik.com/presentations/EU17/presentation_4068...RouterOS v6.38 contains STP/RSTP changes which makes bridges compatible with IEEE](https://reader031.fdocuments.in/reader031/viewer/2022041003/5ea52af2cc269e48b35aa1c8/html5/thumbnails/76.jpg)
Dynamic VLAN
Remember the question about bridge or switch?
- How do you bridge some packets from one interface with a VLAN interface?

Note: Protocol based VLAN and MAC based VLAN
- CRS switch chip: Yes
- RB switch chip: No
![Page 77: MikroTik CloudRouterSwitch Features and …mum.mikrotik.com/presentations/EU17/presentation_4068...RouterOS v6.38 contains STP/RSTP changes which makes bridges compatible with IEEE](https://reader031.fdocuments.in/reader031/viewer/2022041003/5ea52af2cc269e48b35aa1c8/html5/thumbnails/77.jpg)
Advanced traffic control (ACL)
![Page 78: MikroTik CloudRouterSwitch Features and …mum.mikrotik.com/presentations/EU17/presentation_4068...RouterOS v6.38 contains STP/RSTP changes which makes bridges compatible with IEEE](https://reader031.fdocuments.in/reader031/viewer/2022041003/5ea52af2cc269e48b35aa1c8/html5/thumbnails/78.jpg)
Advanced traffic control (ACL)
- ether2: Only PPPoE with VLAN 10
- ether3: Access port → VLAN 10
- ether4: Allow all - on VLAN 20

[Diagram: ether2 = PPPoE, VLAN 10; ether3 = access port → VLAN 10; ether4 = allow VLAN 20]
![Page 79: MikroTik CloudRouterSwitch Features and …mum.mikrotik.com/presentations/EU17/presentation_4068...RouterOS v6.38 contains STP/RSTP changes which makes bridges compatible with IEEE](https://reader031.fdocuments.in/reader031/viewer/2022041003/5ea52af2cc269e48b35aa1c8/html5/thumbnails/79.jpg)
Advanced traffic control (ACL)
ether2: Only PPPoE with VLAN 10
Switch → VLAN
Switch → ACL
- Define egress: VLAN 10, VLAN 20 (for ether4)
- 3 ACL rules
  - 2x fwd pppoe
  - drop other
![Page 80: MikroTik CloudRouterSwitch Features and …mum.mikrotik.com/presentations/EU17/presentation_4068...RouterOS v6.38 contains STP/RSTP changes which makes bridges compatible with IEEE](https://reader031.fdocuments.in/reader031/viewer/2022041003/5ea52af2cc269e48b35aa1c8/html5/thumbnails/80.jpg)
ether2: Only PPPoE with VLAN 10
Advanced traffic control (ACL)
Switch → ACL
Action: forward
![Page 81: MikroTik CloudRouterSwitch Features and …mum.mikrotik.com/presentations/EU17/presentation_4068...RouterOS v6.38 contains STP/RSTP changes which makes bridges compatible with IEEE](https://reader031.fdocuments.in/reader031/viewer/2022041003/5ea52af2cc269e48b35aa1c8/html5/thumbnails/81.jpg)
ether2: Only PPPoE with VLAN 10
Advanced traffic control (ACL)
Switch → ACL
![Page 82: MikroTik CloudRouterSwitch Features and …mum.mikrotik.com/presentations/EU17/presentation_4068...RouterOS v6.38 contains STP/RSTP changes which makes bridges compatible with IEEE](https://reader031.fdocuments.in/reader031/viewer/2022041003/5ea52af2cc269e48b35aa1c8/html5/thumbnails/82.jpg)
ether3: Access port → VLAN 10
Advanced traffic control (ACL)
Switch → VLAN → Ingress VLAN Tran.
![Page 83: MikroTik CloudRouterSwitch Features and …mum.mikrotik.com/presentations/EU17/presentation_4068...RouterOS v6.38 contains STP/RSTP changes which makes bridges compatible with IEEE](https://reader031.fdocuments.in/reader031/viewer/2022041003/5ea52af2cc269e48b35aa1c8/html5/thumbnails/83.jpg)
ether4: Allow (forward) all on VLAN 20. Then: Drop rest.
Advanced traffic control (ACL)
Switch → ACL
![Page 84: MikroTik CloudRouterSwitch Features and …mum.mikrotik.com/presentations/EU17/presentation_4068...RouterOS v6.38 contains STP/RSTP changes which makes bridges compatible with IEEE](https://reader031.fdocuments.in/reader031/viewer/2022041003/5ea52af2cc269e48b35aa1c8/html5/thumbnails/84.jpg)
Reference
```
# Create switch
/interface ethernet
set [ find default-name=ether1 ] name=ether1-trunk
set [ find default-name=ether2 ] master-port=ether1-trunk name=ether2-clients
set [ find default-name=ether3 ] master-port=ether1-trunk name=ether3-clients
set [ find default-name=ether4 ] master-port=ether1-trunk name=ether4-clients

# ether1 is uplink / trunk port: VLAN 10, 20
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether1-trunk,ether2-clients vlan-id=10
add tagged-ports=ether1-trunk,ether4-clients vlan-id=20

# ether2: Block everything apart from PPPoE on VLAN 10
/interface ethernet switch acl
add table=ingress action=forward customer-tag=tagged customer-vid=10 \
    mac-protocol=pppoe-discovery src-ports=ether2-clients
add table=ingress action=forward customer-tag=tagged customer-vid=10 \
    mac-protocol=pppoe src-ports=ether2-clients
add table=ingress action=drop src-ports=ether2-clients
```
![Page 85: MikroTik CloudRouterSwitch Features and …mum.mikrotik.com/presentations/EU17/presentation_4068...RouterOS v6.38 contains STP/RSTP changes which makes bridges compatible with IEEE](https://reader031.fdocuments.in/reader031/viewer/2022041003/5ea52af2cc269e48b35aa1c8/html5/thumbnails/85.jpg)
Reference
```
# ether3: Automatically VLAN 10 (connect to pppoe server)
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=10 ports=ether3-clients

# ether4: Allow everything on VLAN 20
/interface ethernet switch acl
add table=ingress action=forward customer-tag=tagged customer-vid=20 \
    src-ports=ether4-clients
add table=ingress action=drop src-ports=ether4-clients
```
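The ACL rules on the "MAC based dynamic VLAN (ACL)" and "Advanced traffic control (ACL)" Reference slides, modelled in Python as an added example (not code from the presentation or from MikroTik). It assumes rules are checked top to bottom and the first match decides, as the rule order on the slides implies; the dictionary keys and the sample frames are constructed for illustration.

```python
# Added example: first-match model of the ingress ACL rules on the Reference slides.
# Assumption: rules are checked top to bottom and the first match decides.

def mac_to_int(mac):
    return int(mac.replace(":", ""), 16)

def mac_matches(rule_mac, frame_mac):
    """rule_mac is 'ADDRESS/MASK'; only the bits set in MASK are compared."""
    address, mask = (mac_to_int(part) for part in rule_mac.split("/"))
    return (mac_to_int(frame_mac) & mask) == (address & mask)

def rule_matches(rule, frame):
    if rule["src_port"] != frame["port"]:
        return False
    if "mac_src" in rule and not mac_matches(rule["mac_src"], frame["src_mac"]):
        return False
    # customer-tag=tagged customer-vid=N: an untagged frame has vid None
    if "customer_vid" in rule and rule["customer_vid"] != frame.get("vid"):
        return False
    if "mac_protocol" in rule and rule["mac_protocol"] != frame.get("protocol"):
        return False
    return True

def evaluate(rules, frame):
    """Return (action, vlan) of the first matching rule, or None if none match."""
    for rule in rules:
        if rule_matches(rule, frame):
            if rule["action"] == "drop":
                return ("drop", None)
            return ("forward", rule.get("new_vid", frame.get("vid")))
    return None

# MAC based dynamic VLAN (ACL): rule values copied from the Reference slide
MAC_VLAN_ACL = [
    {"src_port": "ether2", "action": "forward", "new_vid": 100,
     "mac_src": "00:0C:42:00:00:00/FF:FF:FF:00:00:00"},
    {"src_port": "ether2", "action": "forward", "new_vid": 200,
     "mac_src": "02:B1:B0:3A:4C:55/FF:FF:FF:00:00:00"},
    {"src_port": "ether2", "action": "forward", "new_vid": 500},
]

# Advanced traffic control: ether2 PPPoE only on VLAN 10, ether4 only VLAN 20
TRAFFIC_ACL = [
    {"src_port": "ether2-clients", "action": "forward", "customer_vid": 10,
     "mac_protocol": "pppoe-discovery"},
    {"src_port": "ether2-clients", "action": "forward", "customer_vid": 10,
     "mac_protocol": "pppoe"},
    {"src_port": "ether2-clients", "action": "drop"},
    {"src_port": "ether4-clients", "action": "forward", "customer_vid": 20},
    {"src_port": "ether4-clients", "action": "drop"},
]

if __name__ == "__main__":
    # Constructed sample frames
    for mac in ("00:0C:42:AA:BB:CC", "02:B1:B0:11:22:33", "4C:5E:0C:C7:47:69"):
        print(mac, evaluate(MAC_VLAN_ACL, {"port": "ether2", "src_mac": mac}))
    for vid, proto in ((10, "pppoe"), (10, "ip"), (None, "pppoe")):
        frame = {"port": "ether2-clients", "vid": vid, "protocol": proto}
        print(vid, proto, evaluate(TRAFFIC_ACL, frame))
```

Moving the catch-all rule to the top sends every frame to VLAN 500, which is why "Rest" and "drop" come last on the slides. Source MAC addresses are set by the client, so the MAC rules sort traffic into VLANs but do not authenticate devices.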
![Page 86: MikroTik CloudRouterSwitch Features and …mum.mikrotik.com/presentations/EU17/presentation_4068...RouterOS v6.38 contains STP/RSTP changes which makes bridges compatible with IEEE](https://reader031.fdocuments.in/reader031/viewer/2022041003/5ea52af2cc269e48b35aa1c8/html5/thumbnails/86.jpg)
Client isolation
![Page 87: MikroTik CloudRouterSwitch Features and …mum.mikrotik.com/presentations/EU17/presentation_4068...RouterOS v6.38 contains STP/RSTP changes which makes bridges compatible with IEEE](https://reader031.fdocuments.in/reader031/viewer/2022041003/5ea52af2cc269e48b35aa1c8/html5/thumbnails/87.jpg)
Client isolation
Client communication blocked.
Bridge would use horizon.
- ether1: Uplink
- ether2, ether3: Clients

[Diagram: ether1 uplink; ether2 and ether3 clients]
![Page 88: MikroTik CloudRouterSwitch Features and …mum.mikrotik.com/presentations/EU17/presentation_4068...RouterOS v6.38 contains STP/RSTP changes which makes bridges compatible with IEEE](https://reader031.fdocuments.in/reader031/viewer/2022041003/5ea52af2cc269e48b35aa1c8/html5/thumbnails/88.jpg)
Client isolation
Switch → Ports → ether1
Switch → Ports
Isolation profile 0
![Page 89: MikroTik CloudRouterSwitch Features and …mum.mikrotik.com/presentations/EU17/presentation_4068...RouterOS v6.38 contains STP/RSTP changes which makes bridges compatible with IEEE](https://reader031.fdocuments.in/reader031/viewer/2022041003/5ea52af2cc269e48b35aa1c8/html5/thumbnails/89.jpg)
Client isolation
Switch → Ports → ether2 and ether3
Isolation profile 1
![Page 90: MikroTik CloudRouterSwitch Features and …mum.mikrotik.com/presentations/EU17/presentation_4068...RouterOS v6.38 contains STP/RSTP changes which makes bridges compatible with IEEE](https://reader031.fdocuments.in/reader031/viewer/2022041003/5ea52af2cc269e48b35aa1c8/html5/thumbnails/90.jpg)
Isolation Profile?
Winbox: Isolation Profile Override
CLI: isolation-leakage-profile-override

| Isolation Profile | Function | Description |
|---|---|---|
| 0 | Uplink port | Communicate with all ports |
| 1 | Isolated port | Communication only with uplink port |
| 2-31 | Community port | Communication with uplink port and ports of same community |
![Page 91: MikroTik CloudRouterSwitch Features and …mum.mikrotik.com/presentations/EU17/presentation_4068...RouterOS v6.38 contains STP/RSTP changes which makes bridges compatible with IEEE](https://reader031.fdocuments.in/reader031/viewer/2022041003/5ea52af2cc269e48b35aa1c8/html5/thumbnails/91.jpg)
Reference
```
# Create switch
/interface ethernet
set [ find default-name=ether1 ] name=ether1-trunk
set [ find default-name=ether2 ] master-port=ether1-trunk name=ether2-clients
set [ find default-name=ether3 ] master-port=ether1-trunk name=ether3-clients

/interface ethernet switch port
set ether1-trunk isolation-leakage-profile-override=0
set ether2-clients isolation-leakage-profile-override=1
set ether3-clients isolation-leakage-profile-override=1

# type dst -> egress packets
/interface ethernet switch port-isolation
add port-profile=1 ports=ether1-trunk type=dst mac-profile=promiscuous
```
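A check built on the isolation profile table above, as an added example (not code from the presentation or from MikroTik): it lists client port pairs that a given profile assignment still lets talk to each other. It models the slide's table only, not the switch chip; the function names and the two variant configurations are constructed for illustration.

```python
from itertools import combinations

UPLINK, ISOLATED = 0, 1   # profiles 2-31 are community ports

def may_communicate(profile_a, profile_b):
    """Apply the profile table: uplink talks to all, isolated only to uplink,
    community ports to the uplink and to ports of the same community."""
    for profile in (profile_a, profile_b):
        if not 0 <= profile <= 31:
            raise ValueError(f"isolation profile out of range: {profile}")
    if UPLINK in (profile_a, profile_b):
        return True
    if ISOLATED in (profile_a, profile_b):
        return False
    return profile_a == profile_b

def client_to_client_paths(port_profiles, uplink):
    """Return the pairs of non-uplink ports that can still reach each other."""
    clients = sorted(port for port in port_profiles if port != uplink)
    return [(a, b) for a, b in combinations(clients, 2)
            if may_communicate(port_profiles[a], port_profiles[b])]

# Profiles from the Client isolation Reference slide
SLIDE_CONFIG = {"ether1-trunk": 0, "ether2-clients": 1, "ether3-clients": 1}

# Constructed variants: a client port left on profile 0, and two communities
FORGOTTEN_PORT = {"ether1-trunk": 0, "ether2-clients": 1, "ether3-clients": 0}
COMMUNITIES = {"ether1": 0, "ether2": 2, "ether3": 2, "ether4": 3, "ether5": 1}

if __name__ == "__main__":
    print(client_to_client_paths(SLIDE_CONFIG, "ether1-trunk"))
    print(client_to_client_paths(FORGOTTEN_PORT, "ether1-trunk"))
    print(client_to_client_paths(COMMUNITIES, "ether1"))
```

An empty result for the slide's configuration confirms that ether2 and ether3 only reach the uplink; a client port left on profile 0 shows up as a path to every other client.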
![Page 92: MikroTik CloudRouterSwitch Features and …mum.mikrotik.com/presentations/EU17/presentation_4068...RouterOS v6.38 contains STP/RSTP changes which makes bridges compatible with IEEE](https://reader031.fdocuments.in/reader031/viewer/2022041003/5ea52af2cc269e48b35aa1c8/html5/thumbnails/92.jpg)
Evil DHCP server(s)
Block DHCP servers at customer site(s)
[Diagram: ports ether1, ether2, ether3, ether4]
![Page 93: MikroTik CloudRouterSwitch Features and …mum.mikrotik.com/presentations/EU17/presentation_4068...RouterOS v6.38 contains STP/RSTP changes which makes bridges compatible with IEEE](https://reader031.fdocuments.in/reader031/viewer/2022041003/5ea52af2cc269e48b35aa1c8/html5/thumbnails/93.jpg)
Evil DHCP server(s)
Switch → Ports → ether2, ether3 and ether4
Isolation profile 2
![Page 94: MikroTik CloudRouterSwitch Features and …mum.mikrotik.com/presentations/EU17/presentation_4068...RouterOS v6.38 contains STP/RSTP changes which makes bridges compatible with IEEE](https://reader031.fdocuments.in/reader031/viewer/2022041003/5ea52af2cc269e48b35aa1c8/html5/thumbnails/94.jpg)
Evil DHCP server(s)
Switch → Ports → Port Isolation
![Page 95: MikroTik CloudRouterSwitch Features and …mum.mikrotik.com/presentations/EU17/presentation_4068...RouterOS v6.38 contains STP/RSTP changes which makes bridges compatible with IEEE](https://reader031.fdocuments.in/reader031/viewer/2022041003/5ea52af2cc269e48b35aa1c8/html5/thumbnails/95.jpg)
Reference
```
# Create switch
/interface ethernet
set [ find default-name=ether1 ] name=ether1-trunk
set [ find default-name=ether2 ] master-port=ether1-trunk name=ether2-clients
set [ find default-name=ether3 ] master-port=ether1-trunk name=ether3-clients
set [ find default-name=ether4 ] master-port=ether1-trunk name=ether4-clients

/interface ethernet switch port
set ether2-clients isolation-leakage-profile-override=2
set ether3-clients isolation-leakage-profile-override=2
set ether4-clients isolation-leakage-profile-override=2

# Allow DHCPv4 out to ether1-trunk
/interface ethernet switch port-isolation
add port-profile=2 protocol-type=dhcpv4 type=dst forwarding-type=bridged \
    ports=ether1-trunk registration-status="" traffic-type=""
```
![Page 96: MikroTik CloudRouterSwitch Features and …mum.mikrotik.com/presentations/EU17/presentation_4068...RouterOS v6.38 contains STP/RSTP changes which makes bridges compatible with IEEE](https://reader031.fdocuments.in/reader031/viewer/2022041003/5ea52af2cc269e48b35aa1c8/html5/thumbnails/96.jpg)
Max throughput #1
Define max. throughput without queues:
- 10 Mbps down of all client interfaces
- 1 Mbps up of all client interfaces

[Diagram: ether2 and ether3 clients; ether1: Rx 10 Mbps / Tx 1 Mbps]
![Page 97: MikroTik CloudRouterSwitch Features and …mum.mikrotik.com/presentations/EU17/presentation_4068...RouterOS v6.38 contains STP/RSTP changes which makes bridges compatible with IEEE](https://reader031.fdocuments.in/reader031/viewer/2022041003/5ea52af2cc269e48b35aa1c8/html5/thumbnails/97.jpg)
Max throughput #1
| ether1 (uplink) | Rate | Result |
|---|---|---|
| ingress-port-policer | 10M | Download of all interfaces |
| shaper | 1M | Upload of all interfaces |
Switch → QoS → Ingress Port Policer
Switch → QoS → Shaper
![Page 98: MikroTik CloudRouterSwitch Features and …mum.mikrotik.com/presentations/EU17/presentation_4068...RouterOS v6.38 contains STP/RSTP changes which makes bridges compatible with IEEE](https://reader031.fdocuments.in/reader031/viewer/2022041003/5ea52af2cc269e48b35aa1c8/html5/thumbnails/98.jpg)
Reference
```
/interface ethernet
set [ find default-name=ether1 ] name=ether1-uplink
set [ find default-name=ether2 ] master-port=ether1-uplink name=ether2-clients
set [ find default-name=ether3 ] master-port=ether1-uplink name=ether3-clients

/interface ethernet switch ingress-port-policer
add port=ether1-uplink meter-unit=bit rate=10M

/interface ethernet switch shaper
add port=ether1-uplink meter-unit=bit rate=1M
```
![Page 99: MikroTik CloudRouterSwitch Features and …mum.mikrotik.com/presentations/EU17/presentation_4068...RouterOS v6.38 contains STP/RSTP changes which makes bridges compatible with IEEE](https://reader031.fdocuments.in/reader031/viewer/2022041003/5ea52af2cc269e48b35aa1c8/html5/thumbnails/99.jpg)
Max throughput #2
Define max. throughput without queues:
- 10 Mbps down for each client interface
- 1 Mbps up for each client interface

[Diagram: ether1 uplink; two client ports, each 10M down / 1M up]
![Page 100: MikroTik CloudRouterSwitch Features and …mum.mikrotik.com/presentations/EU17/presentation_4068...RouterOS v6.38 contains STP/RSTP changes which makes bridges compatible with IEEE](https://reader031.fdocuments.in/reader031/viewer/2022041003/5ea52af2cc269e48b35aa1c8/html5/thumbnails/100.jpg)
Max throughput #2
| ether2 (client) | Rate | Result |
|---|---|---|
| ingress-port-policer | 1M | Download of client(s) on ether2 |
| shaper | 10M | Upload of client(s) on ether2 |
Switch → QoS → Ingress Port Policer
Switch → QoS → Shaper
![Page 101: MikroTik CloudRouterSwitch Features and …mum.mikrotik.com/presentations/EU17/presentation_4068...RouterOS v6.38 contains STP/RSTP changes which makes bridges compatible with IEEE](https://reader031.fdocuments.in/reader031/viewer/2022041003/5ea52af2cc269e48b35aa1c8/html5/thumbnails/101.jpg)
Reference
```
/interface ethernet
set [ find default-name=ether1 ] name=ether1-uplink
set [ find default-name=ether2 ] master-port=ether1-uplink name=ether2-clients
set [ find default-name=ether3 ] master-port=ether1-uplink name=ether3-clients

/interface ethernet switch ingress-port-policer
add port=ether2-clients rate=1M
add port=ether3-clients rate=1M

/interface ethernet switch shaper
add port=ether2-clients rate=10M
add port=ether3-clients rate=10M
```
![Page 102: MikroTik CloudRouterSwitch Features and …mum.mikrotik.com/presentations/EU17/presentation_4068...RouterOS v6.38 contains STP/RSTP changes which makes bridges compatible with IEEE](https://reader031.fdocuments.in/reader031/viewer/2022041003/5ea52af2cc269e48b35aa1c8/html5/thumbnails/102.jpg)
Thank you!
![Page 103: MikroTik CloudRouterSwitch Features and …mum.mikrotik.com/presentations/EU17/presentation_4068...RouterOS v6.38 contains STP/RSTP changes which makes bridges compatible with IEEE](https://reader031.fdocuments.in/reader031/viewer/2022041003/5ea52af2cc269e48b35aa1c8/html5/thumbnails/103.jpg)
FMS Internetservice GmbH
Phone: +49 761 2926500
Web: www.fmsweb.de
Shop: www.mikrotik-shop.de
Email: [email protected]
Twitter: https://twitter.com/fmsweb_de
MUM 2017 Milan | Sebastian Inacker | © FMS Internetservice GmbH