CRS Pass packet to CPU

Hi,

I have a CRS125-24G. I’d like to pass several ports’ traffic to the CPU so that it does NOT get processed by the switch logic. If I can’t do specific ports, doing all is fine too.

I want to isolate these ports, but not in the way that port isolation works. Port isolation will send the traffic directly out that port. I want it to be processed on the CRS. The CRS is going to be the router, not some other device on the “uplink” port that port isolation creates.

To put a port in switch mode you have to define a Master port and set the rest of the ports as slave ports to it. When you don’t add the slave configuration to a port, it’s automatically a ‘CPU’ port.

Is that what you mean?

Thanks.

What I have is a bridge setup so that I can use the same IP scheme. This way if the guest user swaps to a different interface, they will switch seamlessly.

So the bridge is what is causing the CRS to bypass the CPU? On the other RouterBoards like the 450, 2011, 750, etc., I’ve always used a bridge to accomplish this.

I think I found the solution.

Use Split Horizon Bridging

http://wiki.mikrotik.com/wiki/Manual:MPLSVPLS#Split_horizon_bridging

In RouterOS nomenclature, a “bridge” is just a software switch. If you have a RouterOS router with no hardware-switched ports (no switch chip), the only way to emulate a switch is by dumping the ports that you want to be switched into a bridge. Then the CPU itself does the “switching”. You cannot put a switched port in a bridge (or, at least you can’t do that and have it work properly / how you would expect). Only ports that the CPU handles can be in a bridge.

As long as the port has no Master interface defined, it is, by definition, acting as a CPU-controlled port (not being hardware-switched). Ports with Master interfaces are in switch mode (CPU/OS does not see traffic, and so cannot perform routing/firewalling/mangling/etc. on it), and only once traffic egresses the switch via the Master port can the router do anything L3-wise with it. It is exactly analogous to how you would handle a bridge: if you make ports members of a bridge, you will never reference the individual ports themselves: you will reference the bridge interface. Similarly, when a switched interface has a master, you will never reference the individual interfaces, just the master interface.

Note that once you have switch-able interfaces being handled directly by the CPU, there is no way in heck you can expect to achieve wireline speed between those interfaces.

– Nathan

Thanks, that helps get a better understanding.

I’m not concerned about wire speed because the reason for sending it to the CPU is to block the traffic between them. So the speed between them should be none.

I didn’t set up Master or Slave ports.

Everything you describe makes sense. I was getting L3 traffic dropped via the Firewall Filter. That means the CPU was processing the bridged ports. But I was missing L2 isolation.

But the Split Horizon Bridging solved the issue. Thanks

But your explanation explains why the default config of a 2011 has both a Master/Slave and a Bridge configuration. I never understood what the benefit of doing both was. Now I understand. Thanks.

I guess what I was trying to get at was that you said that the CRS was going to be the router, and I was merely pointing out that because the CRS was designed to be a switch first and foremost, you can’t expect it to be able to route traffic between any of the bridged ports and the other non-bridged interfaces at anything close to 1Gbit/s. Maybe 100Mbit/s if you are lucky. (I don’t think MT has published routing performance benchmark test results for the CRS series.) All 24 ports have a 1Gbit/s total bottleneck that they share between them and the CPU. Add on top of that the software/CPU overhead needed to perform any of the routing/firewalling/queueing that you plan to do, and the fact that the CPU in this guy is no more powerful than the ones in an RB951Ui/G or an RB2011, and you don’t have much headroom. Maybe if each bridged port expects only a few tens of megabits/sec every now and then, you’ll be fine, but anything more than that and you really should be using something more like a CCR instead.

But the default config does. I didn’t know how much prior RouterOS/RouterBoard knowledge to assume on your part; for all I knew, you had not wiped the default config from the box.

Right, because there are 2 switch chips in that thing. Each 5-port group has its own switch chip, and so if you want to “switch” all 10 ports, the most efficient way to do it is to use the switch chips for as much as possible, and then bridge the two master ports together. Any traffic switched between ether1-5 and ether6-10 will not hit the CPU, but any traffic switched between those two port groups will hit the CPU (the CPU & bridge are acting as the “glue” between the two switch chips/groups).

– Nathan
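The RB2011 arrangement Nathan describes, written out as RouterOS 6.x configuration in the master-port syntax that was used before 6.41 (where `hw=yes` on bridge ports replaced it). This is an added example, not a quote of the RouterOS default configuration; the bridge name, the address and the port-to-host topology in the comments are assumed. Frames between ports of the same five-port group stay on that group’s switch chip; frames that cross from one group to the other go through the bridge, and therefore the CPU.

```routeros
# Added example (not the RouterOS default config): RB2011 with two switch chips,
# RouterOS 6.x master-port syntax (before 6.41, where bridge hw=yes replaced it).
/interface ethernet
set ether1 comment="WAN: no master-port, so the CPU sees every packet"
# Group 1 (gigabit chip): ether2 is the master, ether3-5 are slaves.
set ether3 master-port=ether2
set ether4 master-port=ether2
set ether5 master-port=ether2
# Group 2 (second chip): ether6 is the master, ether7-10 are slaves.
set ether7 master-port=ether6
set ether8 master-port=ether6
set ether9 master-port=ether6
set ether10 master-port=ether6

# Glue the two masters together in a software bridge. Only the masters
# are bridge members; the slave ports are never referenced again.
/interface bridge
add name=bridge-local
/interface bridge port
add bridge=bridge-local interface=ether2
add bridge=bridge-local interface=ether6

# L3 is configured on the bridge, not on any physical port (address assumed).
/ip address
add address=192.168.88.1/24 interface=bridge-local

# Resulting paths (assumed topology, one host per port):
#   ether3 -> ether4 : switch chip 1 only, CPU untouched, wire speed
#   ether7 -> ether9 : switch chip 2 only, CPU untouched
#   ether3 -> ether8 : chip 1 -> ether2 -> bridge (CPU) -> ether6 -> chip 2
#   ether3 -> ether1 : routed by the CPU like any other interface
```

`/interface bridge host print` lists the MAC addresses the bridge has learned; a host behind ether3 appears there on ether2, which is the only interface the bridge knows about for that whole group.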

The first thing I do with every MikroTik is remove the default config and strip it to no settings.

It’s not going to be doing a lot of routing. It will be a single WAN connection coming into it at 10-20 Mbps down / 1-2 Mbps up, and it won’t be constantly pegging that connection. So I’m sure it will handle any configuration you can develop.

The load would be similar to what I’ve used 2011s and 951s for before. I just wanted something simple and reliable. Instead of purchasing the router and 2 switches separately and getting cheaper 8-16 port switches, the CRS seemed like it would be a more reliable switch for similar or less pricing. A CCR is overkill for this install. I have a CCR at another location; those are really powerful.

I did create a small LAN of 8 ports and Master/Slaved them. But they would more or less be using the internet rather than communicating with each other. But the main group of ports is in a bridge to be separated from each other and only communicate with the Internet.
So there are Public and Private LANs.

Thanks for the explanations and info. Helped me understand it better.
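The layout the thread ends on (a hardware-switched private LAN, a bridged public LAN whose members may only talk to the router, and the split-horizon fix from the earlier post), pulled together as one RouterOS 6.x configuration. It also illustrates Nathan’s point that a port with a master is only ever referenced through the master, while a port without one is a CPU port that can be a bridge member. This is an added example, not configuration from the thread: the port assignment (ether1 WAN, ether2-9 private, ether10-24 guest), the interface and bridge names and the subnets are assumed. It uses the `master-port` syntax of RouterOS before 6.41; on 6.41 and later the private group would instead be a second bridge with `hw=yes` on its ports, and `horizon=` on bridge ports behaves the same way.

```routeros
# Added example (not from the thread): CRS125-24G, RouterOS 6.x master-port
# syntax (before 6.41). Assumed layout: ether1 = WAN, ether2-9 = private LAN
# (hardware switched), ether10-24 = public/guest ports (bridged, isolated).

/interface ethernet
set ether1 name=ether1-wan comment="no master-port: CPU port, routed"

# Private LAN: hardware-switched group. ether2 is the master; the CPU only
# sees this traffic once it leaves the switch chip via ether2.
:foreach n from=3 to=9 do={
  /interface ethernet set [find name=("ether" . $n)] master-port=ether2
}

# Public/guest ports: NO master-port, so each is a CPU port and may be a
# bridge member. The bridge is a software switch run by the CPU.
/interface bridge
add name=bridge-guest protocol-mode=none
:foreach n from=10 to=24 do={
  # horizon=1 on every guest port: the bridge never forwards a frame from
  # one horizon-1 port to another, so guests cannot reach each other at L2.
  # The bridge interface itself (the router) is not subject to the horizon,
  # so guests still reach their gateway. Without horizon= the frame would be
  # switched guest-to-guest in software and the IP firewall would never see it.
  /interface bridge port add bridge=bridge-guest interface=("ether" . $n) horizon=1
}

# L3 lives on the master port and on the bridge only, never on a slave port
# or on an individual bridge member (subnets assumed).
/ip address
add address=192.168.10.1/24 interface=ether2 comment="private LAN"
add address=192.168.20.1/24 interface=bridge-guest comment="guest LAN"
/ip dhcp-client
add interface=ether1-wan disabled=no

/ip firewall nat
add chain=srcnat out-interface=ether1-wan action=masquerade

# L3 isolation: guests are forwarded to the WAN and nowhere else, and the
# private LAN is not forwarded into the guest bridge either.
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=bridge-guest out-interface=ether1-wan action=accept comment="guest -> Internet only"
add chain=forward in-interface=bridge-guest action=drop comment="guest -> private LAN or anything else"
add chain=forward in-interface=ether2 out-interface=bridge-guest action=drop comment="private -> guest"
```

To check the L2 part, ping from a host on ether10 to a host on ether11: with `horizon=1` on both ports there is no reply, while a ping to 192.168.20.1 is answered because the bridge interface is not a horizon member. `/interface bridge port print` shows the horizon column, and `/ip firewall filter print stats` shows the drop counters climbing if a guest tries to reach the private subnet through the router.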