I am trying to understand exactly what configuration items determine whether a CRS326 (running ROS) is being used as a switch-only or as a switch-router.
From reading many prior threads, using the CRS as a switch-only results in much better performance.
I am having a hard time identifying exactly what form of config changes the use from switch to router.
In this context, I have seen references to a determining factor being whether the CRS has an IP address assigned to it’s bridge.
I have also seen reference to the determingin factor being whether the bridge is included as a tagged port in “/interface bridge vlans” as being a determining factor.
Both of these make sense because the bridge (in my basic understanding, thanks to many educators here) is what involves the CPU, and the involvement of the CPU is (I think) the distinguishing aspect of using the device as a router.
I am particularly interested in how a CRS passing VLAN-tagged frames (and having access and trunk ports) would be configured as a switch-only.
I am totally unclear about the correct “/ip route” entries because my guess is that ip routing is a CPU (and therefore routing) function.
(Note: Please try, if possible, to keep the explanations simple.)
Perhaps something like this (this is just a partial config to learn about this particular concept of switch vs. router config on the CRS line):
Clues to you are routing.
-DHCP
-WAN and LAN
-NAT
-all subnets have an address
-need firewall rules (layer3)
Switch…
Single Ip address provided to switch
setup is primarily about vlan traffic
only management or trusted vlan normally need be identified.
only management vlan-id is tagged for the bridge at /interface bridge vlan
This comment I found confusing… In this context, I have seen references to a determining factor being whether the CRS has an IP address assigned to it’s bridge. ???
Why would any sane person attach an IP address to a bridge of powerful switch. Or to put it another way, why would a person have a flat network and spend this much money when a cheap un-managed switch would do.
why include ports 5 through spf-sfpplus2 if not relevant (not being used)
then I see sfp-sfpplus1 is being used but no indication its a trunk port ( frame types or comment missing ) which is inconsistent from the other entries…
why are you missing the /interface bridge vlan entry for consistency and clarity
/interface bridge vlan
add bridge=bridge tagged=ether1 untagged=ether4 vlan-id=2
and which vlans going over ether3, or any others going over sfp-sfpplus1 ??
Why not use ntp from the main router as source so all attached devices are synced together?
A networking device can take various header fields of an Ethernet frame and of the packet it carries into account when making a decision where to forward that frame.
If it only chooses the output interface based on the destination MAC address and, possibly, VLAN ID of the incoming frame, it handles that frame as a bridge.
It it chooses the output interface based on the destination IP address (or any other part of the IP headers of the packet), it handles that packet as a router.
Any device that Mikrotik sells as a “switch” can do all bridging (forwarding based on destination MAC address) in hardware, i.e. without engaging CPU to handle every single frame. Many such devices can also do a good part of routing (forwarding based on destination IP address alone) in hardware - including the CRS326. But as soon as you want the routing to take something else than the destination IP address alone into account, the CPU has to get involved, so the throughput drops a lot as compared to the one provided by the “switch” chip alone.
That is a great explanation (but makes the reader beg for more):
Rules:
Switching (not routing) is occurring when the bridge alone is involved and includes any of the following situations:
MAC address alone (not IP) determines output interface
Sometimes when VLAN ID of incoming frame determines output interface (I assume the “sometimes” depends on the vlan configuration of the device)
Routing (not switching) is occuring when IP address is used to determine output inteface except when the device can and does forwarding based on IP address in hardware (i.e, without involving the CPU).
Sounds like the key is whether the CPU is involved in determing the output interface of the frame, but that determining that is not so simple.
In short: any RouterOS device, which has more than a single IP address configured (used only for management), can eventually become a router.
So a switch should never have more than one IP address configured, if configuring additional IP address solves a traffic problem, it means that switch became a router.
How exactly is the routing done (either by general-purpose CPU or by capable switch chip) doesn’t change the above description.
Routing in ROS is inherently CPU task and also with L3 switches it’s not possible to ensure that all routing is indeed performed by switch chips.
In the config, I use an OffBridge set up with DHCP. Does that mean that I’m using this a router? Does does it more precisely mean I am using this device as a routing only when a device is connected to ether24 and getting a DHCP-leased IP address?
That is, when we talk about a CRS being used a router (or as a switch) are we referring to it’s totality or are we referring to the way it is handling the vast majority of the frames it passes?
When I menat by my confusing comment is simply that I have read in other threads that to use a CRS “as a switch” one must not assign an IP address to the bridge.
As for why any sane person would do that, I would start with one of my many favorite sayings “Never ascribe to malice that which can be explained by stupidity” and from it a derivation that substitutes “insanity” for “malice.”
You know I am always truly grateful for the enormous amount of help you have provided to me, but my limited capabilities are focused here, in this thread, on understanding the config items that distinguish router versus switch use in a CRS.
We can definetly (with my appreciation) return to fixing (repeatedly) my config at a later time.
A short post overflowing with fascinating information!
So now it sounds like whether a CRS is routing or not is not determined by whether the CPU is involved. I think that is what you mean by "how exaclty is the routing done (either by …CPU or … switch chip).
Sounds like there are different types of routing that is being done – L2 vs. L3?
There are very many threads that involves people screaming at others that they are using the CRS as a router. I can understand (basically) the extreme examples of a CRS being used as an edge router with an Internet-connected WAN port and wireguard or multiple networks, etc.
I am trying to understand how to distinguish routing vs. switching in a more common use, such as when a CRS is connected to a 5009 handling VLAN traffic.
There are very many threads that involves people screaming at others that they are using the CRS as a router. I can understand (basically) the extreme examples of a CRS being used as an edge router with an Internet-connected WAN port and wireguard or multiple networks, etc.
I really struggle to understand the question, if any.
The CRS should be written as Cloud Router Switch.
I think that looking at its block diagram it is self-evident: https://cdn.mikrotik.com/web-assets/product_files/CRS326-24G-2SRM_220921.png
And if you look at test results, the device can do Layer2 at 42,000+ Mbps and Layer3 bridging at 1100 Mbps and Routing at 270 Mbps.
So it is a switch with marginal routing capabilities.
You can use your Lamborghini Huracan as a golf cart , but would it be smart?
The distinction between bridging and routing indeed lays solely in what information is used to determine where to forward the frame/packet.
DHCP is not routing, any kind of VPN handling is not routing; even traffic filtering is, strictly speaking, not routing (you may filter bridged traffic and you may not filter routed traffic). NAT, on the other hand, is so tightly linked to routing that it can be considered part of it, but it is not always necessary.
Both bridging and routing can be done in hardware, but whilst for bridging it is considered nothing special, routing in hardware has some fancy names (like L3 HW) because the hardware chip needs to do way more than when it handles bridging, and the amount of functionality differs chip by chip.
Running DHCP on a switch won’t slow down anything as DHCP is only handled now and then; any kind of handling every single packet of every single traffic flow is what matters.
The answer to that question has already come from @mkx - if everything works as required while there is only a single IP address up on the CRS326, it only acts as an (L2) switch because to act as a router, a device needs at least two IP addresses in different subnets.
Seems like the determination is more complex that whether whether the device has a single IP (other that an IP used for management purposes such as an OffBridge IP assignement and DHCP server).
Returning to the first post and the example I used (aside from any errors and omissions), it sounds like this configuration would be called a switch config for the CRS because:
Only a single IP address on the device
All frame output interface determinations are based on L2 data
VLAN routing is a handled by the bridge (and therefore a switching function).
Switch doesn’t do any routing … and “VLAN routing” is either “routing” or “VLAN switching” (depending on the way you abuse phrase VLAN routing). If you’re talking about the later, then switch chip (most of chips produced in last 20 years) does the switching and VLAN tags are considered when deciding about egress port. But that’s widely considered as switching, not routing.
if a single IP address is sufficient for the device to do all what you want it to do, the davice acts as a bridge (switch). You may want to access it for management purposes using multiple IP addresses, but another own IP address must not be required to facilitate forwarding of packets/frames from one interface to another.
yes, but that’s just another wording of 1)
explain what you mean by “VLAN routing”. Routing packets from (a subnet in) one VLAN to (a subnet in) another VLAN? For that, you need a router. Bridging packets from one port to another while the source VLAN and destination VLAN is the same? That’s bridging.
The common term is forwarding. Bridging or switching means L2 forwarding (MAC address based) and routing means L3 forwarding (IP address based).
Using RouterOS can be confusing at times no matter if you have previous experience from networking or not.
Common things to screw up is MLAG and VLAN/bridge configuration.
Personally I would have prefered if Mikrotik would do the approach of Arista and many others and have a common configuration (switchport mode access/trunk/hybrid along with switchport allowed vlan and switchport native vlan) on how to setup VLANs etc and then do the converting to Linux DSA in the background instead of exposing the DSA nightmare to the admins.
Thankfully SWOS exists for many of the CRS3xx devices so if you just need L2-switching I would recommend that (to begin with at least) over RouterOS.
You can use a pickup to > occasionally > transport a dozen bags of cement or a calf but when it comes to bigger tasks, you need proper track and maybe a trailer.
CRSs line should be called SCONSDR - Switch Capable Of Not So Demanding Routing. Even C = CLoud in the CRS line name is a little exaggerated.
For me the rule is simple: if the models’ name contains the word “switch” then use it mainly as a switch. Period.
That is indeed the problem, and by the way, you should note that ONLY one switch in the entire lineup uses the terms Cloud Router Switch and that is the CRS317 ( MT informed to remove). There are couple more that use the term Cloud Switch but most simply say Switch.
I think the problem is many sites like amazon embellish their advertising with incorrect verbiage.
, but would it be smart? 