CRS documentation

We have created a CRS feature description document that should clarify many things that the CRS can do, and how to do them:
http://wiki.mikrotik.com/wiki/Manual:CRS_features

We also have an example page here:
http://wiki.mikrotik.com/wiki/Manual:CRS_examples

We are still expanding and updating these documents, so please let us know what questions you have about the CRS, so we can answer them in the article updates later this week.

Thanks !!!

It’ll be nice if you deploy one CRS as a demo system (similar to demo.mt.lv and demo2.mt.lv) so that the community can see what the switch management looks like in the UI on a live system.

+1

+1

Regards,

Looking good. I think more examples… … basic examples of what each setting does along with more descriptions. Also complex examples.

A comparison to the switch config for the RB2011 series would be helpful. For example on the RB2011 I would set the port to secure and then add the vlans to a table… how would I accomplish the same thing on the CRS.

Normis: Any help with http://forum.mikrotik.com/t/crs-configuration-help/73763/1

Hello! The door insulation is not working in version 6.9, the isolation of active ports for level 1 (isolated) do logout mikrotik when it is back again at 0 (promiscuous).

(google translator) :frowning:

What do you need to be able to direct console in to the crs?

Hello Folks!

The documentation is great, except I do not understand what all stuff do, it is too deep down in layer 2 stuff, got to get a book and try translate it but had no time yet. Recommendation is to make a much more simple interface to deal with basic vlan, trunking, bonding, etherchannel etc. but I guess you like me, is very occupied with stuff and upper management asks for that and that all the time :slight_smile:

Anyhow we tried everything now, still the CRS leaks traffic and hence can not be put in to production.

I do not know too much about vlan and layer 2 stuff, but I have all the years being able handling the same on Cisco and HP switches without problems.

With everything means:

  1. A brand new untouched CRS was taken out from shelf.
  2. All packages disabled: hotspot, mpls, ppp, routing, wireless.
  3. The device was reset fully with no scripts to be run at boot to configure it.
  4. Mac address access to the device was performed
  5. IP Settings was fully disabled, ip forward, send redirects, secure redirects, allow fast path.
  6. dhcp client was enabled on ether1
    Then the device was accessed using the dhcp address on ether1.

The device was then upgraded to RoS6.9 and step 3 → 6 was repeated and we continued with below steps.

Following mikrotik examples by the book for CRS (http://wiki.mikrotik.com/wiki/Manual:CRS_examples) we put ether2 as “trunk port”, by our understanding it will accept all ethernet traffic coming in or going out without exceptions like ALL VLANS trunk something. Must say I do not really understand point 9 below, how can the switch know that ether3 is belonging to vlan 200, does it come from sa-learning, what is that by the way ?

  1. switchport ether2 was set as master for ether3
    /interface ethernet set ether3 master-port=ether2
  2. Tag all ethernet packages coming in to ether3 to vlan 200
    /interface ethernet switch ingress-vlan-translation add port=ether3 customer-vid=0 new-customer-vid=200 sa-learning=yes
  3. And the reverse, remove vlan tags for traffic going out on ether3.
    /interface ethernet switch egress-vlan-translation add port=ether3 customer-vid=200 new-customer-vid=0

That wasn't too hard, now we connected the CRS ether2 to the trunk line containing very many vlans.
Last we connected one RedHat dhcp client to ether3, in a blink it got IP address from our dhcp server on vlan 200.

tcpdump was started on the RedHat dhcp client to see what is going on in vlan 200, sadly we saw a lot of arp requests and other oddities leaking from all other vlans. But it is isolated in some way, because we could not ping servers in other vlans that was not routed to vlan 200 from the RedHat client neither did we get any arp addresses from other vlans so that is positive.

We then went further trying to activate port isolation, but it goes back to promiscuous all the time, not possible to change.

Am I doing something wrong in the setup ?

It could actually work this way, if it does not cause any conflicts and other oddities.
I would really like to throw out our slow Cisco switches and go gigabit now, also have noted the CRS does not consume by far as much energy as the cisco:s.

What do you experts say, is it safe to go into production with CRS at this stage if you can live with the little leakage ?
I have not experienced any port flapping etc or other problems in our environments for a very long time, and the few we had was sorted out by disabling snmp and the lcd display, and it was on CCR not CRS. Also our RB2011 has performed without any problems.
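
The leak test described in the post above (tcpdump on the host behind the ether3 access port) can be made repeatable with a small script. This is an added example, not part of the original thread or MikroTik's documentation; the VLAN 200 subnet, the MAC addresses and the capture lines are constructed assumptions, and the line format is that of `tcpdump -e -n`.

```python
import ipaddress
import re
from collections import Counter

# Assumption: the access VLAN (200 in the post) uses this subnet. Constructed value.
ACCESS_SUBNET = ipaddress.ip_network("192.0.2.0/24")

# Constructed sample of `tcpdump -e -n` output captured on the access-port host.
SAMPLE = """\
12:00:01.000001 00:00:5e:00:53:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.0.2.1 tell 192.0.2.15, length 46
12:00:01.200001 00:00:5e:00:53:02 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 198.51.100.1 tell 198.51.100.7, length 46
12:00:01.400001 00:00:5e:00:53:03 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 64: vlan 300, p 0, ethertype ARP, Request who-has 203.0.113.1 tell 203.0.113.9, length 46
12:00:01.600001 00:00:5e:00:53:02 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 198.51.100.1 tell 198.51.100.8, length 46
"""

SRC_MAC = re.compile(r"^\S+ ([0-9a-f:]{17}) > ")
VLAN_TAG = re.compile(r"ethertype 802\.1Q \(0x8100\).*?vlan (\d+),")
ARP_REQ = re.compile(r"Request who-has (\S+) tell ([0-9.]+),")


def find_leaks(capture, subnet=ACCESS_SUBNET):
    """Return (source MAC, reason) for every frame that should not reach an access port."""
    leaks = []
    for line in capture.splitlines():
        mac = SRC_MAC.match(line)
        if not mac:
            continue  # not a link-level tcpdump line
        tag = VLAN_TAG.search(line)
        arp = ARP_REQ.search(line)
        if tag:
            # An untagged access port should never deliver 802.1Q-tagged frames.
            leaks.append((mac.group(1), f"tagged frame, vlan {tag.group(1)}"))
        elif arp and ipaddress.ip_address(arp.group(2)) not in subnet:
            # Untagged ARP whose sender sits outside the access VLAN's subnet.
            leaks.append((mac.group(1), f"ARP from foreign sender {arp.group(2)}"))
    return leaks


def summarize(leaks):
    """Count leaked frames per source MAC to show which hosts are bleeding through."""
    return Counter(mac for mac, _ in leaks)


if __name__ == "__main__":
    for mac, reason in find_leaks(SAMPLE):
        print(mac, reason)
```

The subnet check is a heuristic: it only catches foreign VLANs that use a different IP range, so an empty result on a real capture narrows the problem but does not prove isolation.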

We have the same problem in 6.9
MT team, it is bug? Will be fixed in 6.10?

For CRS units that were running a version in the 6.5-6.7 range, you need to do ONE of the following two steps in order to fix the port isolation:

  1. Factory reset the unit, do not keep user configuration (obviously not suitable for units in the field)
  2. Follow the instructions here: http://forum.mikrotik.com/t/problem-with-mount-point/94/1
    – Just in case the link dies:

Hello Folks!

CRS still leaks in RoS6.10, exactly like before.

Tested after resetting CRS, followed by the suggested steps in first mikrotik example port based.
For simplicity we used one “trunk port” ether2 and one “access port” ether3.
Running tcpdump on a redhat Linux based server connected to ether3 show arp requests from ALL vlans and other traffic.

Please, can anyone come up with a working non leaking example configuration, how to do it so to say, we badly need going gigabit now ?

http://forum.mikrotik.com/t/cloud-router-switch-crs125-port-based-vlan/74053/1

This is not just a small bug. This is a huge security vulnerability. Mikrotik should inform users not to use CRS in production.

Totally agree, CRS without normal documentation and VLAN operation, is useless. Now my two CRS125 will stand on a shelf until bugs are fixed and CRS is normally documented.

The original topic in this post asks what features do you wish to be documented in more detail. The original post is about documentation!

Hello,

I just would like some more configuration examples such as a basic L3 switch with inter-VLAN routing. The way how a VLAN interface interacts with the switch is pretty unclear for me.

Thanks!

Finally we have our new CRS125-24G-1S-RM in our hands, but the switch menu changed; there is a menu about mirroring that makes no sense, it seems the CPU is mirroring all traffic to one port.
I couldn’t find examples and manuals in the wiki. Can anyone send a configuration example where ether2 is fully mirrored to ether3 (ingress and egress)?

AFAIK you can only route via the embedded CPU, so inter-VLAN routing is achieved by switching the affected traffic through the 1G-CPU-Uplink, forwarding is then done in software and the packet is sent back through the same 1G-CPU-Uplink to the switching silicon. Besides MT claiming otherwise, the CRS isn’t an L3 switch, it is a switch combined with a “router on a stick” in networkers' terminology.

@timberwolf: I totally agree with you, it is not a true L3 switch, but however, some nice examples about L3 inter-VLAN routing would help. I have managed to do it myself, but I guess that others may find this very helpful, especially if we consider that this new switch chip is rather different from the previous ones.