RB1100x4 with Bridge VLAN Filtering

Hey everyone,

Just wondering, what would be the performance of RB1100 with Bridge VLAN filtering enabled? Of course I know that the filtering cannot be done in hardware in that model.
So has anyone tested the amount of performance drop in that particular model?

Thanks…

HW vlan-filtering was added in the RouterOS 7.1rc1 (for RTL8367);
https://help.mikrotik.com/docs/display/ROS/Bridge#Bridge-BridgeHardwareOffloading

@Znevna you’re right… Since it’s a router in a production environment, I am not really sure if it’s better to upgrade it to ROS 7 or keep ROS v6 without HW offload on the Bridge…

That is why I am asking, what is the load added to the device if we enable Bridge VLAN filtering handled by the CPU… Is it significant or not noticeable?

Does anyone know if RTL8367 has support added for VLANs on the Switch Chip?
The manual states that RTL8367 has no VLAN Table, so I can’t use VLANs on the Switch in hardware. So actually Bridge Filtering and ROS 7 is the only option…

However, here https://wiki.mikrotik.com/wiki/Manual:Basic_VLAN_switching#Other_devices_without_a_built-in_switch_chip it is said that devices with multiple switch chips, like RB1100, can switch in hardware traffic that is in the same switch chip… But RB1100 has models with RTL8327 and 8367, so which chip is referred to, only 8327? …


Any suggestions?

Which exactly RB1100 are you talking about? RB1100AHx4 has RTL8367 and ROS 7.1rc1 added L2 HW offload for this switch chip (7.1rc1 announcement). Which means that properly configured bridge filtering should be handled by switch chips in ROS v7.x (not counting 7.0.x, these are weird beasts).

The new documentation at https://help.mikrotik.com/docs/display/ROS/Switch+Chip+Features also states that VLANs are supported by RTL8367.

@mkx I am talking about RTL8367.
Yes, they are supported as long as you upgrade to ROS 7… The switch chip on v6, according to the manual, does not support VLANs in hardware… https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features

So unless I miss something, on ROS v6 you can’t use VLANs on the Switch chip in hardware (I am not talking about Bridge VLAN filtering, that obviously does not work in hardware in v6 on that switch, but VLANs on the Switch chip itself, /interface ethernet switch)

As far as ROS v7 is concerned, I am not really sure if I should upgrade…

A semantic thing: ROS upgrade obviously can’t add functionality to switch chip, so VLAN support was there all the time. ROS v6 just doesn’t expose it, hence it’s unusable.

What you can do in v6 is to configure VLANs on bridge … and they’ll be handled by CPU. When you decide that v7 is stable enough, same config will get a big performance boost. For the VLAN bridging performance under v6: I’d look at test results, row “Bridging 25 bridge filter rules” and 512 byte packets.

Yes, you’re right @mkx… obviously the VLANs exist on that switch chip but for some reason cannot be used on v6…

I was thinking instead of Bridge VLAN filtering, it would be better just creating all my VLANs on a single ethernet port (Trunk) and pass them to the Switch… No use of Bridge at all…
Although the VLANs would still be handled by the CPU, I guess it will be better for the CPU in terms of performance instead of Bridge VLANs…

What do you think?

I’m not sure if, CPU-wise, creating VLAN interfaces on a physical interface, and creating multiple bridges (one per VLAN) would be any better than bridge with VLAN filtering. In any case it would be CPU doing all the work. And configuration would be very convoluted. And not future-proof.

Edit: I’m not sure I understand the config you’re thinking about …

No, I’m not talking about multiple bridges…
You do not always need a bridge on your Router, for example https://help.mikrotik.com/docs/display/ROS/Basic+VLAN+switching …
Looking at the photo, VLANs 20, 30 and 99 can all be configured on an ethernet port of the Router, e.g.

/interface vlan
add interface=eth2 name=vlan20 vlan-id=20
add interface=eth2 name=vlan30 vlan-id=30
add interface=eth2 name=vlan99 vlan-id=99

And of course IP, DHCP etc. must be configured on the Router side for each VLAN…

The switch on its side can be configured with Bridge VLAN filtering if we’re talking about CRS3xx series, or with switch chip VLANs if it is for example a CRS1xx, or any other supported way depending on the device used…

Except for the fact that you “lose” the Router ports that way (although you can still bridge them with the switch), it’s a very common way for Trunk ports…

That is what I compared to, VLANs coming from a single interface (referring to the Router always), compared to a whole Bridge configured with VLAN filtering in software as well… The second way, supposing you will use the rest of the Router ports, I can only guess the CPU usage will be higher…

I would upgrade to ROS 7 and use Bridge Filtering in hardware, I do prefer it too @mkx, however I want to be sure of the stability of the Router…

If you’re considering router-on-a-stick, then switch chip won’t do anything … HW offload or not … all the traffic will pass from eth2 to cpu-interconnect. And regardless of where you anchor the vlan interfaces (eth2 or bridge), it’ll be CPU untagging and tagging the frames (via vlan interface code). So if you anchor vlan interfaces directly off physical interface (eth2), frames will skip tiny portion of code (bridge), meaning very slightly lower CPU load.

I was considering case where RB1100AHx4 is used also as a switch where some (or considerable) amount of traffic is switched/bridged between physical ports (some tagged, some untagged) … for that one needs either (software) bridge or switch chip … and in that case HW offload (available in ROS v7) helps.

I guess you’ll have to wait until 7.3 or something if you want to be sure about stability. I’ve got two RB951G devices running 7.2rc4 (upgraded from rc3) used as AP/switch … family members didn’t shout yet which means things are stable for me. I’m using switch-chip config though (HW offload on AR8327 isn’t available yet). YMMV.
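
The two layouts compared in this part of the thread, written out side by side as an added example (not taken from any post). The bridge name bridge1, the access ports eth3/eth4 and the VLAN-to-port mapping are assumptions; apply option A or option B, not both.

```routeros
# --- Option A: router-on-a-stick -------------------------------------
# VLAN interfaces anchored directly on the trunk port (as posted above).
# No bridge involved; every frame is tagged/untagged by the CPU.
/interface vlan
add interface=eth2 name=vlan20 vlan-id=20
add interface=eth2 name=vlan30 vlan-id=30
add interface=eth2 name=vlan99 vlan-id=99

# --- Option B: bridge with VLAN filtering ----------------------------
# Same three VLANs, but the router also switches between its own ports.
# Create the bridge with filtering off so access is not lost mid-config.
/interface bridge
add name=bridge1 vlan-filtering=no

/interface bridge port
# Trunk: accept tagged frames only, drop frames for VLANs not in the table
add bridge=bridge1 interface=eth2 frame-types=admit-only-vlan-tagged \
    ingress-filtering=yes
# Access ports (assumed): untagged traffic is placed into the PVID VLAN
add bridge=bridge1 interface=eth3 pvid=20 \
    frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=eth4 pvid=30 \
    frame-types=admit-only-untagged-and-priority-tagged

/interface bridge vlan
# bridge1 itself is a tagged member so the CPU-facing VLAN interfaces work
add bridge=bridge1 vlan-ids=20 tagged=bridge1,eth2 untagged=eth3
add bridge=bridge1 vlan-ids=30 tagged=bridge1,eth2 untagged=eth4
add bridge=bridge1 vlan-ids=99 tagged=bridge1,eth2

/interface vlan
# L3 interfaces now hang off the bridge instead of eth2
add interface=bridge1 name=vlan20 vlan-id=20
add interface=bridge1 name=vlan30 vlan-id=30
add interface=bridge1 name=vlan99 vlan-id=99

# Enable filtering last, once the VLAN table is complete
/interface bridge
set bridge1 vlan-filtering=yes
```

In both options routed (inter-VLAN) traffic goes through the CPU; only port-to-port traffic inside one VLAN in option B can be offloaded to the switch chip, and per the thread that requires ROS v7 on RTL8367.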

I agree @mkx
The fact that I needed the Bridge on the Router (mostly) is because there are multiple APs that are configured with CapsMan forwarding right now…
Implementing Router on a Stick means that I will have to reconfigure the APs to Local forwarding… It’s not a big deal but anyways…
Thanks for your answers…