Help with routing offload to switch chip

cjbruck · January 26, 2024, 3:43pm

I’m attempting to configure the CRS354-48P-4S+2Q+RM to be used as a router and switch. Its gateway of last resort goes to the firewall which decides on further routing. I am using the CRS328-24P-4S+RM as an IDF and all routing decisions go to the CRS354. I’m using the following features: VLANs, 802.1x, ospf, and snmp.

The only way I could find to create my VLANs and assign them IP addresses for routing was to use the VLAN function in interfaces (which uses the CPU, not the switch chip). The CPU is not powerful enough for all the networking traffic and quickly bottlenecks the bandwidth.

I have come to understand from my research that there are 3 ways to configure VLANs in MikroTik:

Using the Interfaces tab (CPU)
Using the Bridge tab (switch chip or CPU)
Using the Switch tab (I don’t see the VLAN tab, maybe deprecated?)

My issue is this: I don’t know how to do inter-vlan routing when using the bridge tab alone. I would like to assign an IP address to each of my VLANs to be used as the default gateway, but the only items I can assign IP addresses to reside in the Interfaces tab. Is it possible to assign an IP to a VLAN configured in the bridge tab? I have done so much research and watched multiple long videos by MikroTik presenters (of note: https://www.youtube.com/watch?v=JRbAqie1_AM and https://www.youtube.com/watch?v=7x5WjkhlEZg), but I still don’t understand… Is the switch chip not able to be used to accelerate routing? Edit: I just found the option for L3 Hardware Offloading, but when I enabled it on the CRS354 it broke everyone’s connection on both switches. I will continue to research this while I await replies.

Apologies if this is in the wrong forum; I am still new to MikroTik so I thought it would make sense to post here.

Here’s my topology:

Config for the CRS354-48P-4S+2Q+RM:

[admin@MikroTik-MDF] > export
# 2024-01-26 10:16:26 by RouterOS 7.13.3
# software id = 6NPF-TKTK
#
# model = CRS354-48P-4S+2Q+
# serial number = [REDACTED]
/interface bridge
add name=FIREWALL
add name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=VLAN110 vlan-id=110
add interface=bridge name=VLAN108 vlan-id=108
add interface=bridge name=VLAN107 vlan-id=107
add interface=bridge name=VLAN120 vlan-id=120
add interface=bridge name=VLAN150 vlan-id=150
add interface=bridge name=VLAN200 vlan-id=200
add interface=bridge name=VLAN102 vlan-id=102
add interface=bridge name=VLAN103 vlan-id=103
add interface=bridge name=VLAN106 vlan-id=106
add interface=bridge name=VLAN109 vlan-id=109
add interface=bridge name=VLAN101 vlan-id=101
add interface=bridge name=VLAN111 vlan-id=111
add interface=bridge name=VLAN112 vlan-id=112
add interface=bridge name=VLAN113 vlan-id=113
add interface=bridge name=VLAN114 vlan-id=114
add interface=bridge name=VLAN115 vlan-id=115
add interface=bridge name=VLAN116 vlan-id=116
add interface=bridge name=VLAN117 vlan-id=117
add interface=bridge name=VLAN118 vlan-id=118
add interface=bridge name=VLAN119 vlan-id=119
add interface=bridge name=VLAN135 vlan-id=135
add interface=bridge name=VLAN105 vlan-id=105
add interface=bridge name=VLAN104 vlan-id=104
/interface list
add name="802.1x Port"
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=106 ranges=10.9.6.2-10.9.6.254
add name=102 ranges=10.9.2.2-10.9.2.254
add name=103 ranges=10.9.3.2-10.9.3.254
add name=104 ranges=10.9.4.2-10.9.4.254
add name=105 ranges=10.9.5.2-10.9.5.254
add name=107 ranges=10.9.7.2-10.9.7.254
add name=108 ranges=10.9.8.2-10.9.8.254
add name=109 ranges=10.9.9.2-10.9.9.254
add name=110 ranges=10.9.10.2-10.9.10.254
add name=111 ranges=10.9.11.2-10.9.11.254
add name=112 ranges=10.9.12.2-10.9.12.254
add name=113 ranges=10.9.13.2-10.9.13.254
add name=114 ranges=10.9.14.2-10.9.14.254
add name=115 ranges=10.9.15.2-10.9.15.254
add name=116 ranges=10.9.16.2-10.9.16.254
add name=117 ranges=10.9.17.2-10.9.17.254
add name=118 ranges=10.9.18.2-10.9.18.254
add name=119 ranges=10.9.19.2-10.9.19.254
add name=120 ranges=10.9.20.2-10.9.20.254
add name=135 ranges=10.9.35.2-10.9.35.254
add name=150 ranges=10.9.50.2-10.9.50.254
/ip dhcp-server
add address-pool=106 interface=VLAN106 name=106
add address-pool=102 interface=VLAN102 name=102
add address-pool=103 interface=VLAN103 name=103
add address-pool=104 interface=VLAN104 name=104
add address-pool=105 interface=VLAN105 name=105
add address-pool=107 interface=VLAN107 name=107
add address-pool=108 interface=VLAN108 name=108
add address-pool=110 interface=VLAN110 name=110
add address-pool=111 interface=VLAN111 name=111
add address-pool=112 interface=VLAN112 name=112
add address-pool=113 interface=VLAN113 name=113
add address-pool=114 interface=VLAN114 name=114
add address-pool=115 interface=VLAN115 name=115
add address-pool=116 interface=VLAN116 name=116
add address-pool=117 interface=VLAN117 name=117
add address-pool=118 interface=VLAN118 name=118
add address-pool=119 interface=VLAN119 name=119
add address-pool=120 interface=VLAN120 name=120
add address-pool=135 interface=VLAN135 name=135
add address-pool=150 interface=VLAN150 name=150
add address-pool=109 interface=VLAN109 name=109
/port
set 0 name=serial0
/routing ospf instance
add disabled=no name=ospf-instance-1
/routing ospf area
add disabled=no instance=ospf-instance-1 name=backbone
/snmp community
set [ find default=yes ] disabled=yes
add addresses=::/0 name=[REDACTED]
/interface bridge port
add bridge=FIREWALL interface=sfp-sfpplus1 pvid=2
add bridge=bridge interface=ether1
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=ether6
add bridge=bridge interface=ether7
add bridge=bridge interface=ether8
add bridge=bridge interface=ether9
add bridge=bridge interface=ether10
add bridge=bridge interface=ether11
add bridge=bridge interface=ether12
add bridge=bridge interface=ether13
add bridge=bridge interface=ether14
add bridge=bridge interface=ether15
add bridge=bridge interface=ether16
add bridge=bridge interface=ether17
add bridge=bridge interface=ether18
add bridge=bridge interface=ether19
add bridge=bridge interface=ether20
add bridge=bridge interface=ether21
add bridge=bridge interface=ether22
add bridge=bridge interface=ether23
add bridge=bridge interface=ether24
add bridge=bridge interface=sfp-sfpplus2 pvid=200
add bridge=bridge interface=ether25
add bridge=bridge interface=ether26
add bridge=bridge interface=ether27
add bridge=bridge interface=ether28
add bridge=bridge interface=ether29
add bridge=bridge interface=ether30
add bridge=bridge interface=ether31
add bridge=bridge interface=ether32
add bridge=bridge interface=ether33
add bridge=bridge interface=ether34
add bridge=bridge interface=ether35
add bridge=bridge interface=ether36
add bridge=bridge interface=ether37
add bridge=bridge interface=ether38
add bridge=bridge interface=ether39
add bridge=bridge interface=ether40
add bridge=bridge interface=ether41
add bridge=bridge interface=ether42
add bridge=bridge interface=ether43
add bridge=bridge interface=ether44
add bridge=bridge interface=ether45
add bridge=bridge interface=ether46
add bridge=bridge interface=ether47
add bridge=bridge interface=ether48
/interface bridge port-controller
set bridge=bridge
/ip neighbor discovery-settings
set lldp-med-net-policy-vlan=105
/interface bridge vlan
add bridge=bridge tagged=bridge,sfp-sfpplus2 vlan-ids=106
add bridge=bridge tagged=bridge untagged=sfp-sfpplus2 vlan-ids=200
add bridge=bridge tagged=bridge,sfp-sfpplus2 vlan-ids=101
add bridge=bridge tagged=bridge,sfp-sfpplus2 vlan-ids=102
add bridge=bridge tagged=bridge,sfp-sfpplus2 vlan-ids=103
add bridge=bridge tagged=bridge,sfp-sfpplus2 vlan-ids=104
add bridge=bridge tagged=bridge,sfp-sfpplus2 vlan-ids=105
add bridge=bridge tagged=bridge,sfp-sfpplus2 vlan-ids=107
add bridge=bridge tagged=bridge,sfp-sfpplus2 vlan-ids=108
add bridge=bridge tagged=bridge,sfp-sfpplus2 vlan-ids=109
add bridge=bridge tagged=bridge,sfp-sfpplus2 vlan-ids=110
add bridge=bridge tagged=bridge,sfp-sfpplus2 vlan-ids=111
add bridge=bridge tagged=bridge,sfp-sfpplus2 vlan-ids=112
add bridge=bridge tagged=bridge,sfp-sfpplus2 vlan-ids=113
add bridge=bridge tagged=bridge,sfp-sfpplus2 vlan-ids=114
add bridge=bridge tagged=bridge,sfp-sfpplus2 vlan-ids=115
add bridge=bridge tagged=bridge,sfp-sfpplus2 vlan-ids=116
add bridge=bridge tagged=bridge,sfp-sfpplus2 vlan-ids=117
add bridge=bridge tagged=bridge,sfp-sfpplus2 vlan-ids=118
add bridge=bridge tagged=bridge,sfp-sfpplus2 vlan-ids=119
add bridge=bridge tagged=bridge,sfp-sfpplus2 vlan-ids=120
add bridge=bridge tagged=bridge,sfp-sfpplus2 vlan-ids=135
add bridge=bridge tagged=bridge,sfp-sfpplus2 vlan-ids=150
/interface dot1x server
add auth-types=dot1x,mac-auth interface="802.1x Port" mac-auth-mode=mac-as-username-and-password
/interface list member
add interface=ether2 list="802.1x Port"
add interface=ether3 list="802.1x Port"
add interface=ether4 list="802.1x Port"
add interface=ether5 list="802.1x Port"
add interface=ether6 list="802.1x Port"
add interface=ether7 list="802.1x Port"
add interface=ether8 list="802.1x Port"
add interface=ether9 list="802.1x Port"
add interface=ether10 list="802.1x Port"
add interface=ether11 list="802.1x Port"
add interface=ether12 list="802.1x Port"
add interface=ether13 list="802.1x Port"
add interface=ether14 list="802.1x Port"
add interface=ether15 list="802.1x Port"
add interface=ether16 list="802.1x Port"
add interface=ether17 list="802.1x Port"
add interface=ether18 list="802.1x Port"
add interface=ether19 list="802.1x Port"
add interface=ether20 list="802.1x Port"
add interface=ether21 list="802.1x Port"
add interface=ether22 list="802.1x Port"
add interface=ether23 list="802.1x Port"
add interface=ether24 list="802.1x Port"
add interface=ether1 list="802.1x Port"
add interface=ether25 list="802.1x Port"
add interface=ether26 list="802.1x Port"
add interface=ether27 list="802.1x Port"
add interface=ether28 list="802.1x Port"
add interface=ether29 list="802.1x Port"
add interface=ether30 list="802.1x Port"
add interface=ether31 list="802.1x Port"
add interface=ether32 list="802.1x Port"
add interface=ether33 list="802.1x Port"
add interface=ether34 list="802.1x Port"
add interface=ether35 list="802.1x Port"
add interface=ether36 list="802.1x Port"
add interface=ether37 list="802.1x Port"
add interface=ether38 list="802.1x Port"
add interface=ether39 list="802.1x Port"
add interface=ether40 list="802.1x Port"
add interface=ether41 list="802.1x Port"
add interface=ether42 list="802.1x Port"
add interface=ether43 list="802.1x Port"
add interface=ether44 list="802.1x Port"
add interface=ether45 list="802.1x Port"
add interface=ether46 list="802.1x Port"
add interface=ether47 list="802.1x Port"
add interface=ether48 list="802.1x Port"
/ip address
add address=[REDACTED] interface=FIREWALL network=[REDACTED]
add address=10.9.6.1/24 interface=VLAN106 network=10.9.6.0
add address=10.9.0.1/24 interface=VLAN200 network=10.9.0.0
add address=10.9.1.1/24 interface=VLAN101 network=10.9.1.0
add address=10.9.2.1/24 interface=VLAN102 network=10.9.2.0
add address=10.9.3.1/24 interface=VLAN103 network=10.9.3.0
add address=10.9.4.1/24 interface=VLAN104 network=10.9.4.0
add address=10.9.5.1/24 interface=VLAN105 network=10.9.5.0
add address=10.9.7.1/24 interface=VLAN107 network=10.9.7.0
add address=10.9.8.1/24 interface=VLAN108 network=10.9.8.0
add address=10.9.9.1/24 interface=VLAN109 network=10.9.9.0
add address=10.9.10.1/24 interface=VLAN110 network=10.9.10.0
add address=10.9.11.1/24 interface=VLAN111 network=10.9.11.0
add address=10.9.12.1/24 interface=VLAN112 network=10.9.12.0
add address=10.9.13.1/24 interface=VLAN113 network=10.9.13.0
add address=10.9.14.1/24 interface=VLAN114 network=10.9.14.0
add address=10.9.15.1/24 interface=VLAN115 network=10.9.15.0
add address=10.9.16.1/24 interface=VLAN116 network=10.9.16.0
add address=10.9.17.1/24 interface=VLAN117 network=10.9.17.0
add address=10.9.18.1/24 interface=VLAN118 network=10.9.18.0
add address=10.9.19.1/24 interface=VLAN119 network=10.9.19.0
add address=10.9.20.1/24 interface=VLAN120 network=10.9.20.0
add address=10.9.35.1/24 interface=VLAN135 network=10.9.35.0
add address=10.9.50.1/24 interface=VLAN150 network=10.9.50.0
/ip dhcp-server network
add address=10.9.2.0/24 dns-server=[REDACTED] gateway=10.9.2.1
add address=10.9.3.0/24 dns-server=[REDACTED] gateway=10.9.3.1
add address=10.9.4.0/24 dns-server=[REDACTED] gateway=10.9.4.1
add address=10.9.5.0/24 dns-server=[REDACTED] gateway=10.9.5.1
add address=10.9.6.0/24 dns-server=[REDACTED] gateway=10.9.6.1
add address=10.9.7.0/24 dns-server=[REDACTED] gateway=10.9.7.1
add address=10.9.8.0/24 dns-server=[REDACTED] gateway=10.9.8.1
add address=10.9.9.0/24 dns-server=[REDACTED] gateway=10.9.9.1
add address=10.9.10.0/24 dns-server=[REDACTED] gateway=10.9.10.1
add address=10.9.11.0/24 dns-server=[REDACTED] gateway=10.9.11.1
add address=10.9.12.0/24 dns-server=[REDACTED] gateway=10.9.12.1
add address=10.9.13.0/24 dns-server=[REDACTED] gateway=10.9.13.1
add address=10.9.14.0/24 dns-server=[REDACTED] gateway=10.9.14.1
add address=10.9.15.0/24 dns-server=[REDACTED] gateway=10.9.15.1
add address=10.9.16.0/24 dns-server=[REDACTED] gateway=10.9.16.1
add address=10.9.17.0/24 dns-server=[REDACTED] gateway=10.9.17.1
add address=10.9.18.0/24 dns-server=[REDACTED] gateway=10.9.18.1
add address=10.9.19.0/24 dns-server=[REDACTED] gateway=10.9.19.1
add address=10.9.20.0/24 dns-server=[REDACTED] gateway=10.9.20.1
add address=10.9.35.0/24 dns-server=[REDACTED] gateway=10.9.35.1
add address=10.9.50.0/24 dns-server=[REDACTED] gateway=10.9.50.1
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=[firewall] routing-table=main suppress-hw-offload=no
/radius
add address=[REDACTED] service=dot1x
/routing ospf interface-template
add area=backbone disabled=no interfaces=FIREWALL
add area=backbone disabled=no interfaces=VLAN200
add area=backbone disabled=no interfaces=VLAN101
add area=backbone disabled=no interfaces=VLAN102
add area=backbone disabled=no interfaces=VLAN103
add area=backbone disabled=no interfaces=VLAN104
add area=backbone disabled=no interfaces=VLAN105
add area=backbone disabled=no interfaces=VLAN106
add area=backbone disabled=no interfaces=VLAN107
add area=backbone disabled=no interfaces=VLAN108
add area=backbone disabled=no interfaces=VLAN109
add area=backbone disabled=no interfaces=VLAN110
add area=backbone disabled=no interfaces=VLAN111
add area=backbone disabled=no interfaces=VLAN112
add area=backbone disabled=no interfaces=VLAN113
add area=backbone disabled=no interfaces=VLAN114
add area=backbone disabled=no interfaces=VLAN115
add area=backbone disabled=no interfaces=VLAN116
add area=backbone disabled=no interfaces=VLAN117
add area=backbone disabled=no interfaces=VLAN118
add area=backbone disabled=no interfaces=VLAN119
add area=backbone disabled=no interfaces=VLAN120
add area=backbone disabled=no interfaces=VLAN135
add area=backbone disabled=no interfaces=VLAN150
/snmp
set contact="[REDACTED]" enabled=yes location=[REDACTED] trap-community=[REDACTED] trap-version=2
/system clock
set time-zone-name=[REDACTED]
/system health settings
set fan-min-speed-percent=25%
/system identity
set name=MikroTik-MDF
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=[REDACTED]
/system routerboard settings
set boot-os=router-os

Config for CRS328-24P-4S+RM:

[admin@MikroTik-IDF1] > export
# 2024-01-26 10:16:57 by RouterOS 7.13.1
# software id = T0G4-BFMH
#
# model = CRS328-24P-4S+
# serial number = [REDACTED]
/interface bridge
add name=bridge pvid=200 vlan-filtering=yes
/interface list
add name="802.1x Port"
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge interface=sfp-sfpplus1 pvid=200
add bridge=bridge interface=ether1
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=ether6
add bridge=bridge interface=ether7
add bridge=bridge interface=ether8
add bridge=bridge interface=ether9
add bridge=bridge interface=ether10
add bridge=bridge interface=ether11
add bridge=bridge interface=ether12
add bridge=bridge interface=ether13
add bridge=bridge interface=ether14
add bridge=bridge interface=ether15
add bridge=bridge interface=ether16
add bridge=bridge interface=ether17
add bridge=bridge interface=ether18
add bridge=bridge interface=ether19
add bridge=bridge interface=ether20
add bridge=bridge interface=ether21
add bridge=bridge interface=ether22
add bridge=bridge interface=ether23
add bridge=bridge interface=ether24
/interface bridge vlan
add bridge=bridge tagged=sfp-sfpplus1 vlan-ids=106
add bridge=bridge tagged=sfp-sfpplus1 vlan-ids=101
add bridge=bridge tagged=sfp-sfpplus1 vlan-ids=102
add bridge=bridge tagged=sfp-sfpplus1 vlan-ids=103
add bridge=bridge tagged=sfp-sfpplus1 vlan-ids=104
add bridge=bridge tagged=sfp-sfpplus1 vlan-ids=105
add bridge=bridge tagged=sfp-sfpplus1 vlan-ids=107
add bridge=bridge tagged=sfp-sfpplus1 vlan-ids=108
add bridge=bridge tagged=sfp-sfpplus1 vlan-ids=109
add bridge=bridge tagged=sfp-sfpplus1 vlan-ids=110
add bridge=bridge tagged=sfp-sfpplus1 vlan-ids=111
add bridge=bridge tagged=sfp-sfpplus1 vlan-ids=112
add bridge=bridge tagged=sfp-sfpplus1 vlan-ids=113
add bridge=bridge tagged=sfp-sfpplus1 vlan-ids=114
add bridge=bridge tagged=sfp-sfpplus1 vlan-ids=115
add bridge=bridge tagged=sfp-sfpplus1 vlan-ids=116
add bridge=bridge tagged=sfp-sfpplus1 vlan-ids=117
add bridge=bridge tagged=sfp-sfpplus1 vlan-ids=118
add bridge=bridge tagged=sfp-sfpplus1 vlan-ids=119
add bridge=bridge tagged=sfp-sfpplus1 vlan-ids=120
add bridge=bridge tagged=sfp-sfpplus1 vlan-ids=135
add bridge=bridge tagged=sfp-sfpplus1 vlan-ids=150
/interface dot1x server
add auth-types=dot1x,mac-auth interface="802.1x Port" mac-auth-mode=mac-as-username-and-password
/interface list member
add interface=ether1 list="802.1x Port"
add interface=ether2 list="802.1x Port"
add interface=ether3 list="802.1x Port"
add interface=ether4 list="802.1x Port"
add interface=ether5 list="802.1x Port"
add interface=ether6 list="802.1x Port"
add interface=ether7 list="802.1x Port"
add interface=ether8 list="802.1x Port"
add interface=ether9 list="802.1x Port"
add interface=ether10 list="802.1x Port"
add interface=ether11 list="802.1x Port"
add interface=ether12 list="802.1x Port"
add interface=ether13 list="802.1x Port"
add interface=ether14 list="802.1x Port"
add interface=ether15 list="802.1x Port"
add interface=ether16 list="802.1x Port"
add interface=ether17 list="802.1x Port"
add interface=ether18 list="802.1x Port"
add interface=ether19 list="802.1x Port"
add interface=ether20 list="802.1x Port"
add interface=ether21 list="802.1x Port"
add interface=ether22 list="802.1x Port"
add interface=ether23 list="802.1x Port"
add interface=ether24 list="802.1x Port"
/ip address
add address=10.9.0.2/24 interface=bridge network=10.9.0.0
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=10.9.0.1 routing-table=main suppress-hw-offload=no
/radius
add address=[REDACTED] service=dot1x
/system clock
set time-zone-name=[REDACTED]
/system identity
set name=MikroTik-IDF1
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=[REDACTED]
/system routerboard settings
set boot-os=router-os

cjbruck · January 26, 2024, 7:17pm

I was able to figure this out. I found the “L3 Hw Offloading” setting and read up about it. I will note that you can only use this on one bridge, so I had to consolidate my 2 bridge setup into 1 bridge (which actually glitched out until I reset the whole config and reapplied it). After that I made sure offloading was enabled on every port and now I’m golden!