Diving deep into RouterOS: Switching

Captions
Hello, my name is Kaspars and welcome to another Diving Deep session. Today I'm joined by our support engineer Edgars, who will tell us about bridge hardware offloading in MikroTik routers.

Hello, my name is Edgars. I work in the MikroTik support team, and daily I work with bridges and switches. Today I want to present you a presentation about bridge hardware offloading. These are the main objectives: I want to teach you about bridge hardware offloading and the packet flow, understand how to configure a bridge with VLAN filtering, show possible layer 2 testing methods, and walk through some of the MikroTik switching certification questions.

So let's start with the basics. What is the bridge? A bridge connects multiple LAN segments into one. It is possible to bridge an interface that has a MAC address, for example Ethernet, wireless, bonding, EoIP and so on. Bridges can only forward packets by layer 2 MAC addresses; it doesn't look at IP headers, although you can still configure an IP address on the bridge and route traffic through them.

But how does the bridge know where to send the packet? That's a great question. Bridges, when they receive packets, look at the source MAC addresses, and if the source MAC address is new, it will store it in the host table. It is also sometimes called the forwarding database, or FDB. This table can be used afterwards to forward unicast packets. In case the bridge doesn't know how to send the packet, or the host is missing, the bridge will flood the packet to all ports.

Okay, can you tell us more about unicast, multicast, broadcast, all these types? These are the main traffic types. Unicast means that traffic is sent from one host to another. Multicast means that one host is sending packets to multiple hosts, and broadcast means that one host is sending packets to multiple, sorry, to all hosts.

All right, so if there are multiple bridges, yes, there might be a loop, right? Sure. Basically, a lot of times you have networks with a lot of bridges, and this can cause a problem if you create a loop, because bridges don't use any packet timeout techniques like routers do with time to live, so flooded packets can actually be forwarded in your layer 2 network for a long time, and this can create a broadcast storm. It can degrade your network performance or even create a complete network breakdown. To avoid that, bridges use Spanning Tree Protocol. It provides the ability to create layer 2 loop-free networks.

Okay, so now we know a little bit more about the bridges. Can you show us how to configure a bridge in RouterOS? Sure. In this slide you can see all the main bridge commands. First you need to add a bridge interface, then you can add bridge ports. These ports can be all the interfaces with a MAC address. If you don't want to enable spanning tree, you can disable it with protocol mode none, and you can also disable spanning tree on individual ports with the edge setting. And to see the learned hosts, you can use the host print command.

Okay, so now we know also that part. Let's move on further. What is the bridge hardware offload? A great question. In RouterOS there are two possible bridge types: the software bridge and the hardware bridge. Software bridge is when packets are forwarded using the CPU. All RouterOS devices support the software bridge; however, most of the devices also contain specialized hardware called a switch chip or switch ASIC, and this allows offloading some of the bridge functions, like packet forwarding and VLAN filtering, to this specialized hardware without consuming any CPU resources, and this can be done at wire speed. In RouterOS we have named this function bridge hardware offload. Different MikroTik devices have different switch chips, and each switch chip can have different features.

Okay, so here in this slide you also see the block diagram from one of our devices, and these block diagrams can actually show you quite a lot about how these devices work and how it's all interconnected. These block diagrams are available for each of our products on the products page. Yeah, mikrotik.com, products.

Well, now we know what the hardware offloading is, but how can one know if the hardware offloading is working? Actually, it's quite easy. You just need to go to the bridge port settings and look for the H flag. If the bridge ports have the H flag, it means hardware offloading is working. But sometimes you will not see this H flag, and it can mean that some features like VLAN filtering or IGMP snooping are disabling hardware offload on your particular device.

Okay, so different devices have different features. Could you tell us more about what the main differences between the different switch products are? Sure. In MikroTik we have a lot of switches, and we can group them into four big categories. The first one is basic switch chips. These switch chips are included in most small office/home office routers, like this one, the RB4011. You get basic port switching in the bridge menu; also some switches have VLAN filtering, sorry, VLAN support in the switch menu, and recently we have added hardware VLAN support for some of the switches, for example this one, the RB4011, and the RB5009, and this hardware offloading is available in RouterOS version 7. The next category is the CRS 100 and 200 series. These devices are designed mainly for switching. You can see this one, this is a CRS112. These switches support advanced features like VLANs, ACL, quality of service, mirroring, traffic isolation. You also get more fine-tuning configuration options; for example, you can modify VLAN headers on ingress and egress ports. However, these switches can be difficult to configure because of all the available switching options: the port switching is available in the bridge menu, and all the switch features are available in the switch menu. The next one is the CRS 300 series. These devices are also designed mainly for switching. Hardware offloading works together with bridge features like VLAN filtering, MSTP, bonding, IGMP and DHCP snooping. A CRS300 example is this switch. Yeah, and most configuration is done in the interface bridge menu. These switches are also easier to configure, because the software bridge and hardware bridge configuration is the same. You also get the dual boot feature: these devices can be booted in RouterOS and SwOS. And these devices also have new capabilities, for example layer 3 hardware offloading, multi-chassis link aggregation, and bridge controller and extender. Finally we have the CSS series. These devices are also designed for switching, but you only get SwOS. SwOS can be configured only using your web browser, and these devices have switching features like VLANs, ACL, link aggregation, IGMP snooping.

Okay, so thank you for explaining the differences between the different switch groups. I've sometimes been tinkering around with the hardware offloading, and well, sometimes when I enable some feature it stops working. What's with that? Yeah, basically in this table you can see the switch chips have different sets of features. Sometimes if you enable some feature like VLAN filtering, it will disable hardware offloading. So before buying your device, check the supported features for each switch chip in the bridge manual. Also, some switches still support VLANs, and you can do that in the switch menu.

Okay, what about the bridge filter rules? Sometimes they don't work. Sure. This is an overview when we add bridge hardware offloading to the existing RouterOS packet flow. Bridge hardware offloading takes place before the CPU, so packets that are forwarded by the switch can bypass tasks like bridge forward, bridge filters, and even the sniffer and traffic control.

Okay, and how can the switch send packets to the CPU? Yeah, to do that we need to zoom in on the switching decision block. There you can find a few new elements and logic gates. The switching decision controls all the switching-related tasks like host learning, packet forwarding, VLAN filtering and so on. As discussed previously, different switches have different features, so it depends on the switch model. Packets will only go to the switching decision if the ingress or egress port is hardware offloaded. Packets can also be sent to the CPU through the switch CPU port. It is a special-purpose port for communication between the switch ports and the CPU. Please note you cannot control any RouterOS settings on the switch CPU port except in the switch menu; for example, you cannot add an IP address on this port.

Okay, but when does the switch send these packets to the CPU? It can happen in different scenarios. For example, if a packet's destination MAC address matches a bridge MAC address, for example you sent an IP packet to your bridge, this packet will be sent to the CPU. Also, a packet might get flooded to the switch CPU because of broadcast traffic. Also, the switch CPU might have learned that some hosts can only be reached from the CPU, for example if you connect in the bridge hardware offloaded interfaces and non-hardware offloaded interfaces such as wireless. Also, some devices contain two switch chips, and to forward packets between switch chips you can only send that through the CPU. Like the 4011. Yeah, that's right. And there are two last scenarios: a packet can be intentionally copied and sent to the switch CPU, and the last one, a packet is triggered by switch configuration, for example you enable IGMP snooping or DHCP snooping, then these packets will be sent to the CPU.

Okay, thank you. So now we know a little bit more about this part. Can you tell us about VLANs and VLAN filtering? Sure. VLANs allow you to configure multiple networks on the same physical hardware. You can isolate your clients, for example IoT devices, IP cameras, on different networks and use unique network policies for them. The VLAN itself is only a four-byte header, and it is inserted in layer 2 packets. It contains a VLAN ID, and when a bridge or a router receives these packets, they can recognize the VLAN ID and make forwarding decisions.

Okay, and the bridge VLAN filtering, what does this feature do? With bridge VLAN filtering you provide VLAN awareness to your bridge, and you can modify VLAN tags; for example, you can remove or add a VLAN tag. The main setting is vlan-filtering. If VLAN filtering is disabled, the bridge ignores all the VLAN tags and it works in shared VLAN learning mode; it cannot modify VLAN tags. Turning on VLAN filtering enables all the VLAN-related functionality and the independent VLAN learning mode. Currently only the CRS 300 series and some new switches support this in the hardware; software VLAN filtering is supported on all RouterOS devices.

Okay, and what's the difference between interface VLAN, bridge VLAN, switch VLAN? This can be confusing, because if you go to RouterOS you can find VLANs in different places, for example interface vlan, bridge vlan, switch vlan, but they have different purposes. For example, interface vlan is mainly used as a routable interface: you can add an IP address and a DHCP server and route traffic. Then there is bridge vlan. This is the bridge VLAN table, and you can create VLAN entries for your port membership. This table represents what VLANs the bridge is allowed to forward. Access ports configured with the port VLAN ID, or pvid, are dynamically added to this table as untagged members. Please note you can also add the bridge interface itself to this table. And not all switches support VLAN filtering together with hardware offload, but they can still be configured through the switch menu, so please check out the switch chip manual for more details.

Okay, and how do we do it in RouterOS? How can one configure VLAN filtering, and is it possible to also create trunk and access ports? Sure, you can create trunk and access ports in RouterOS. In this slide you can see all the main VLAN filtering commands. First you need to add a bridge interface, and please note we recommend that you don't enable VLAN filtering right away, because when you configure bridge ports you can lose access to your device, and so we also recommend you to use a serial port or a dedicated management port. Next you add trunk ports. It is recommended to enable ingress VLAN filtering and only accept tagged packets. Next you add your access ports. You can set the access port default VLAN ID using the pvid setting. It is recommended to enable ingress VLAN filtering and accept only untagged packets. Next you need to add the VLAN entries for your trunk ports; the untagged access ports will be added dynamically due to the port VLAN ID setting. Please note we can also add the bridge interface as a tagged VLAN member. This is useful when creating VLAN management access or inter-VLAN routing. Next you can add a routable VLAN interface on the bridge and add an IP address. Last, enable VLAN filtering. You can use the vlan print command to see all the available VLAN entries and host print to see the learned MAC addresses and their VLANs. The next slide shows a complete configuration, how to create a trunk port with three access ports, and this next example shows how you can create an inter-VLAN routing configuration. See, the bridge interface is acting like a trunk for the three VLANs.

Okay, so in the next part we move on to troubleshooting. How can you actually troubleshoot all these things? And first, for example, how to detect if packets are even reaching the CPU? The most obvious way is to look at the CPU load. If you see the CPU load is getting to 100%, it probably means your CPU is getting the traffic. Also, if your WinBox is getting unresponsive or the device drops ping packets, it means that some traffic is still getting to the CPU. Next, sometimes the CPU load can be minimal when you are testing your switch or the traffic is low. You can also look at the Ethernet statistics and see if any interfaces are showing fast path receive or driver receive bytes. If these counters increase, the packets are going to the CPU. Next, an even more useful feature is the RouterOS sniffer. I personally use the sniffer a lot, because it can quite easily give me a lot of information about the packets. For example, you can start the quick sniffer mode and see the source and destination MAC address, you can see the VLAN ID and priority, you can see IP addresses and so on. There is no need to stream packets to your network analyzer or open Wireshark, but you can still do that: you can save all the sniffed packets in a file and download it to your PC. And please note the packets that are forwarded by the hardware will not show up in the sniffer.

Okay, and how can I test if my VLAN configuration is working? Sure. The most obvious way is to configure an IP address on your devices and ping the devices using ping. However, I like to use the traffic generator. The traffic generator allows you to create packet templates. For example, most of the time I will create a broadcast packet template and start sending packets from the traffic generator to my switch, and I can quickly see if the packets are sent to all the interfaces. The nice thing about broadcast is that the switch will always try to send the packets to all ports, and you can quickly see if the switch VLAN configuration is correct. Next, I have shared some of my favorite packet template examples. I use multicast, broadcast; sometimes I need to create some random source MAC addresses, and you can even stack VLAN interfaces on top of each other and create a broadcast packet template on this QinQ interface. Another useful feature of the traffic generator is the quick mode. If you start the traffic generator in quick mode, it will show you a lot of useful information, for example sent packets, received packets and packet loss.

Okay, how can I protect my CRS device CPU from the rest of the network? You can do that in a couple of ways. The most common way is to use VLAN filtering and restrict the VLAN boundaries. Also, since RouterOS 6.48 you can filter the VLANs that are allowed to enter the CPU. Previously all the flooded traffic entered the CPU and you could only filter it by software; this was causing high CPU loads when the network consisted of multicast streaming devices. However, now the bridge interface is mapped to the switch CPU port and you can filter the traffic in the hardware. Next, you can configure ACL rules to block unnecessary traffic. This can protect your switch and your network. Does your router only need to receive PPPoE packets? Simply use an ACL rule to block other traffic. Last, if a network loop has been created, a traffic storm can appear, and using CRS switches you can use storm control to limit broadcast traffic.

Now we can move on to some of your questions. For example, a question from Kirill: if there is traffic congestion on a one gigabit interface, how is priority assigned? Yes, switches are using FIFO. There is no option to change the queue technique. How can I set the priority of the CPU switch? Currently there is no option in the switch for the CRS 300 to actually take the priorities into consideration. The switch will try to forward packets by FIFO, and you can do this on the CRS 100 and 200 switches, but not on the CRS 300. How can I set priority on the switch CPU? Yeah, you can use access control lists to change the VLAN priority, but as I mentioned, CRS switches don't take these VLAN priorities into consideration.

Question from Saurogan: bridge port pvid versus bridge VLAN untagged port, why are there two places to set untagged? Yeah, if you set the pvid on the bridge port, it will be dynamically added to the bridge VLAN table. You can also manually set untagged ports in the VLAN table, but it is not mandatory, and you can also, for example, untag multiple VLANs for the port.

Is there a way to show bridge root changes in the log? Currently the bridge doesn't have much logging for RSTP. We have an improvement logged in our system. I hope we can make some logs in the future, but currently you can only see, for example, if the port changed status from forwarding to discarding and learning, and that's about it.

Okay, David Savage from South Africa is asking: will RouterOS version 7 bridge VLAN filtering be combined with hardware offloaded layer 3 to build the type of layer 3 switch? It actually is already combined. For example, if you are creating VLAN interfaces on the bridge, you need to enable VLAN filtering, and then you can route traffic in hardware using this configuration.

All right, so Kevin Myers is asking: will VXLAN be considered for hardware offloading in the CRS 300 series? At the moment I cannot answer that, because, yeah, we hope we can make this possible, but I cannot promise that.

All right, there was a question about mixing CCR with CRS, like using the ASICs for the PPP connections. Yeah, you can already see the CCR2004 has a switch chip and it has VLAN filtering support in the hardware. The new one, the 2004, the 16... 16, yeah. I don't know about newer CCR versions, but they might come with better switch chips.

Okay, which interface ARP mode will override port isolation settings? David Gonzalez from Colombia. Hola, David. It must be local proxy ARP, because the local proxy ARP, if I remember correctly, will always reply on the local network with its own IP address, and it forces you to send traffic to the bridge, and the bridge can actually override port isolation when you are using local proxy ARP.

Okay, any more questions? About stacking, I think we've already said before, so apparently stacking is not available in our devices. We'll see whether we can do something about it in the future, but yeah, this is how it currently is. Hardware offloading for MPLS, I think that we have on the CRS 300 series, but not all of them. The 317, I think. Yeah, the 317, and it was limited. Again, I am not an MPLS guy, but there was an option to hardware offload some of the MPLS functions.

Does the frame-types setting on the bridge port override the frame-types setting on the bridge interface? Mohamed Razavi from Oman. Actually, I don't know... it doesn't override. All the port settings are individual, and if you use the frame-types setting on the bridge interface, it's only for the bridge interface. Remember that the bridge interface is also acting like a bridge port, so you can control the frame types on the bridge.

So does the traffic from ports 1 to 8 going to ports 9 to 16 have to go through the CPU? Yes, that's true. Yeah, that's the only way how they can, you know, the same as with the 4011. VPLS support in hardware in the CRS 300 switches? Again, I'm not very specialized, I'm not like the VPLS guy. Yeah, you need to write to the support, and I hope RS will answer that. But, Kevin, as you know, we cannot always tell you about... even if we are looking in that direction, we cannot always answer about things that we are not yet shipping.

Which MikroTik router bonding transmit hash policy will load balance layer 3 routed traffic most equally? David. Yeah, it must be the layer 2 and layer 3 transmit hash.

So Ush Will from the Philippines is asking why the VLAN mode names are not the same when you set them on a bridge VLAN, SwOS and others. These settings basically are historical. Not every device was created at the same time, and there were these basic switch chips and we used the strict mode or the secure mode, and they basically... they are not the same. The names, we use different names, but the functions are the same, so it can be confusing. We can try to improve this in future updates. Yeah, I think it's a great question. We need consistency, we need to make some consistency.

All right, Mario from Argentina is asking which is a better way to bond two VLANs using hardware offloading, which is the suggested way? Basically you cannot hardware offload interface vlan; these are only software interfaces, so that's not an option. But you can use bonding with hardware offloading on the CRS 300, and you can use VLAN filtering with bonding as well.

The weather is very cold today in Riga. The summer ended like a week ago; it's like plus 10, plus 15 every day.

Do you have a plan for implementing Cisco VTP, or only... yeah, that one. Santiago. Yeah, I don't know about that. Can you please ask this question to the support? I cannot answer that right away.

Okay, why do some switch port settings work without a hardware offloaded bridge? Alexander Ramonov. Yeah, it could be on some of the basic switch chips that some of the switch functions can work without the hardware offloading. But the main principle is, if you want to use the switch features, you need hardware offload. So it doesn't make sense if you use software interfaces and use the hardware features.

Could you explain a little bit more about the port extender and controller bridge? Manuel is asking. Yes, okay. The port extender and port controller is similar to CAPsMAN. You add new switches to your controller, and these switches' interfaces show up on the controller, so you can manage the VLANs or RSTP on this controller. So it's a pretty new feature. I would like to get some updates on how it's working from you guys, because a lot of users are actually using it a lot at this moment.

Miguel is asking which is the best way to limit traffic for a VLAN interface. I mean, you can use bridge filter rules or firewall rules.

Are there any restrictions for hardware offload when using 802.1X? Now the CRS supports this 802.1X configuration in hardware offload. I'm not aware of limitations.

GVRP, what is that? Generic VLAN Registration Protocol. Yeah, we haven't made any progress in RouterOS for that, at least I'm not aware of any.

Moe is asking, can I configure the switch using a Python script through the API? Right, yeah, you can do it. So we have scripting and an API, so the API can be accessed through Python scripts as well. Yeah, so yes you can, but well, you have to program it, of course.

Newest question: if a trunk port is connected with another vendor's switch, and that switch does not allow VLAN 1? I don't really get the question. Perhaps VLAN 1 is a default VLAN and it must be somehow untagged. Perhaps that's the issue. Also, the bridge is using VLAN 1 for its default VLAN ID.

I'm confused about frame types and ingress filtering in the bridge. Is it only for the CPU port, and does it have to be enabled on each bridge port? No, it's actually for bridge ports. It can be used for the CPU as well, but you can use it for the bridge ports, and it's an extra filtering option. For example, in the frame types you can select to accept only tagged packets; for example, if you have a trunk port with a couple of VLANs and they should only send tagged traffic, you can set admit only tagged. And ingress filtering is additional ingress filtering. For example, if you have a port and you disable ingress filtering, it can be that this port accepts packets for VLANs that it's not a member of; for example, these VLANs can leak into other ports. So it's recommended to enable the ingress filtering, and there are also some examples in the bridge manual of how you can use it.

Okay, next question: how to set the pvid on a dynamically added L2TP interface in the bridge? Alexander. This currently is not an option; you cannot do that. I hope we can improve this. I understand you want to use the bridge control protocol and it adds these PPP interfaces, but as I remember there is no option to use VLANs for these interfaces, so yeah, it will not work correctly.

Okay, is it correct that the frame-types setting only works when you enable ingress filtering? Actually no, you can enable them separately. However, most of the time you will use them together, but you can also only enable frame types or only enable ingress filtering.

Okay, Michael is asking: I was having a look at the MAC-based VLAN support, and if I understand that config correctly, it looks like it would leak broadcast on egress from multiple VLANs to those ports where MAC-based VLAN is used. Is this the case, and is there any way to avoid this? This can happen, but, yeah, I mean you have one VLAN, one untagged VLAN, and you use the MAC rules or the ACL rules to apply the VLAN ID for the correct MAC address, and in the other direction the switch will send these packets untagged, so you can have these different VLANs on an untagged port. That's true, yeah.

So the question is, what about microbursts when the upstream port speed is 10 gig and downstream is 100 meg? This can cause a problem, because you have congestion in your switch. The switch only has some finite number of resources; it cannot absorb all the bursts. Currently on the CRS you cannot set quality of service, you cannot prioritize one traffic over another traffic, so these microbursts can cause packet loss. There are some options you can enable; for example, you can try out flow control.

All right, one next question: please explain the differences between egress filtering and ingress filtering, what are the benefits? Yeah, ingress filtering means that the switch checks if the ingress port is also a member of the VLAN. By default in version 6 this ingress filtering was disabled, and so we recommend enabling it in all your configurations, but we changed this in version 7. In version 7 the ingress filtering will be enabled at all times. And if the ingress filtering is disabled, the bridge will check only the VLAN table when the packet is sent out. For example, if ether1 is receiving a VLAN packet and it sees that ether3 is a member of this VLAN, it will send the packet to ether3. So that's the difference; you can filter the packets faster with ingress filtering.

Kevin is continuing on the microburst topic: CAKE and fq_codel can help with microbursts, will they be supported in hardware? I don't think so, but I have to check that. I think there was only something like random early drop. I don't think that CAKE or CoDel was supported in the hardware, but I have to check that.

Yes, I believe if you turn on horizon, the hardware offloading is disabled. Yeah, that's right.

Any plans for a MAC address learn limit or lock? Yeah, this is a long asked-for feature. I hope it will be implemented some day. I reported this like two or three years ago; I'm still waiting.

On CRS devices, is it better to do VLANs in the switch menu or the bridge, taking into account the bridge is CPU? I mean, there are two CRS devices: the 100 and 200, you can do VLANs in the switch menu, and they don't support VLAN filtering in hardware. The CRS 300, they support VLAN filtering in hardware, so it's recommended to use that. You...
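The VLAN-filtering mechanics Edgars describes above (frame-types, pvid, ingress-filtering, the dynamic untagged entries created by pvid, the bridge interface itself as a tagged member that stands for the switch CPU port, independent VLAN learning, and the VLAN leak you get when ingress filtering is off) as a small Python model. This is an added example written for this page, not MikroTik's code and not the configuration from the talk's slides. The RouterOS setting names and values in it are the real ones; the port names ether1-4 and bridge1, the VLAN IDs 10/20/30 and the MAC addresses are assumptions chosen for the example, and the model is simplified (no spanning tree, no ACLs, no switch-chip specifics).

```python
"""VLAN-filtering bridge model with RouterOS-style port settings.

Added example for this page, not MikroTik code. Port names, VLAN IDs and MAC
addresses are constructed for the example; setting names follow RouterOS.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Port:
    """One /interface bridge port entry (RouterOS setting names and values)."""
    name: str
    pvid: int = 1
    frame_types: str = "admit-all"     # or admit-only-vlan-tagged / admit-only-untagged-and-priority-tagged
    ingress_filtering: bool = False    # RouterOS v6 default; the talk says v7 enables it


@dataclass
class Frame:
    src: str
    dst: str
    vid: Optional[int] = None   # None = untagged, 0 = priority-tagged, else 802.1Q VLAN ID


class VlanBridge:
    def __init__(self, ports: List[Port], vlan_table: Dict[int, Dict[str, Set[str]]]):
        self.ports = {p.name: p for p in ports}
        self.tagged = {vid: set(m.get("tagged", ())) for vid, m in vlan_table.items()}
        self.untagged = {vid: set(m.get("untagged", ())) for vid, m in vlan_table.items()}
        # Access ports are added dynamically as untagged members of their pvid,
        # like the dynamic entries shown by /interface bridge vlan print.
        for p in ports:
            self.tagged.setdefault(p.pvid, set())
            self.untagged.setdefault(p.pvid, set()).add(p.name)
        self.fdb: Dict[Tuple[int, str], str] = {}   # independent VLAN learning: (vid, mac) -> port

    def members(self, vid: int) -> Set[str]:
        return self.tagged.get(vid, set()) | self.untagged.get(vid, set())

    def classify(self, port: Port, frame: Frame) -> Optional[int]:
        """Apply frame-types; return the VLAN the frame is assigned to, or None if dropped."""
        is_tagged = frame.vid not in (None, 0)
        if port.frame_types == "admit-only-vlan-tagged" and not is_tagged:
            return None
        if port.frame_types == "admit-only-untagged-and-priority-tagged" and is_tagged:
            return None
        return frame.vid if is_tagged else port.pvid   # untagged and priority-tagged get the pvid

    def forward(self, in_port: str, frame: Frame) -> List[Tuple[str, Optional[int]]]:
        """Return (egress port, VLAN tag or None for untagged) for one received frame."""
        port = self.ports[in_port]
        vid = self.classify(port, frame)
        if vid is None:
            return []
        if port.ingress_filtering and in_port not in self.members(vid):
            return []                              # ingress port is not a member: dropped at ingress
        self.fdb[(vid, frame.src)] = in_port       # learn the source MAC in this VLAN only
        known = self.fdb.get((vid, frame.dst))
        if frame.dst != BROADCAST and known is not None:
            out = [] if known == in_port else [known]
        else:
            out = sorted(self.members(vid) - {in_port})   # unknown unicast / broadcast: flood the VLAN
        # With ingress-filtering off, this egress membership check is the only one that happens.
        out = [p for p in out if p in self.members(vid)]
        return [(p, vid if p in self.tagged.get(vid, set()) else None) for p in out]


def build_example_bridge(access_ingress_filtering: bool = True,
                         access_frame_types: str = "admit-only-untagged-and-priority-tagged") -> VlanBridge:
    """Trunk on ether1, access ports ether2-4 for VLAN 10/20/30, bridge1 tagged in all three.

    RouterOS equivalent of the hardened defaults (bridge and port names assumed):
      /interface bridge port add bridge=bridge1 interface=ether1 frame-types=admit-only-vlan-tagged ingress-filtering=yes
      /interface bridge port add bridge=bridge1 interface=ether2 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
      /interface bridge vlan add bridge=bridge1 vlan-ids=10 tagged=ether1,bridge1
      (same pattern for ether3/20 and ether4/30, then /interface bridge set bridge1 vlan-filtering=yes)
    """
    ports = [Port("ether1", frame_types="admit-only-vlan-tagged", ingress_filtering=True)]
    for n, vid in ((2, 10), (3, 20), (4, 30)):
        ports.append(Port(f"ether{n}", pvid=vid, frame_types=access_frame_types,
                          ingress_filtering=access_ingress_filtering))
    # The bridge interface is itself a bridge port: it stands for the switch CPU port.
    ports.append(Port("bridge1", frame_types="admit-only-vlan-tagged", ingress_filtering=True))
    table = {vid: {"tagged": {"ether1", "bridge1"}} for vid in (10, 20, 30)}
    return VlanBridge(ports, table)


def demo() -> Dict[str, List[Tuple[str, Optional[int]]]]:
    """Constructed frames: host A behind the trunk, B on ether2 (VLAN 10), C on ether3 (VLAN 20)."""
    A, B, C = "00:00:00:00:00:01", "00:00:00:00:00:02", "00:00:00:00:00:03"
    r = {}
    b = build_example_bridge()
    r["untagged_on_access"] = b.forward("ether2", Frame(B, BROADCAST))          # flooded in VLAN 10 only, tagged out
    r["tagged_on_trunk"] = b.forward("ether1", Frame(A, C, vid=20))             # flooded to ether3 (untagged) and CPU
    r["learned_unicast"] = b.forward("ether3", Frame(C, A))                     # known host: single egress, tagged 20
    r["hop_hardened"] = b.forward("ether3", Frame(C, BROADCAST, vid=10))        # tagged frame on access port: dropped
    weak = build_example_bridge(access_ingress_filtering=False, access_frame_types="admit-all")
    r["hop_weak"] = weak.forward("ether3", Frame(C, BROADCAST, vid=10))         # v6 defaults: leaks into VLAN 10
    semi = build_example_bridge(access_ingress_filtering=True, access_frame_types="admit-all")
    r["hop_ingress_only"] = semi.forward("ether3", Frame(C, BROADCAST, vid=10)) # ingress-filtering alone stops it
    return r


if __name__ == "__main__":
    for name, egress in demo().items():
        print(f"{name:18s} -> {egress}")
```

Running it prints one egress list per scenario. The hop_weak case is the leak Edgars warns about: with admit-all and ingress-filtering disabled, a frame tagged VLAN 10 injected on the VLAN 20 access port is accepted, learned in VLAN 10, and flooded to ether2 untagged and to the trunk and CPU port tagged, because the only membership check left is the egress one. The hop_hardened and hop_ingress_only cases show that frame-types and ingress-filtering are independent settings, as the Q&A says, and that either one alone already stops this particular frame.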
Info
Channel: MikroTik
Views: 17,627
Rating: 4.9541984 out of 5
Keywords: mikrotik, routerboard, routeros, latvia
Id: 395ThUzwISI
Length: 40min 12sec (2412 seconds)
Published: Thu Sep 02 2021