shodan
newbie
Topic Author
Posts: 29
Joined: Sun Dec 01, 2013 3:26 pm
Location: Tula, Russia
Contact:

CRS226 - loop protect, how?

Sat Dec 12, 2015 7:45 pm

How can I enable loop protection on CRS226?
As an example, if I install a patch cord between ether3 and ether4, the switch has died :(

I need to connect a new user via two 1G channels (with many little kids and a complicated hardware config), and I see the loop as a big danger for my network in the not-too-distant future.
I use right now:
-=CCR1009+8G-1S-1S+RM=- -=CRS226-24G-2S+RM=- -=DXS-1210-12SC=- for little home network.
We... Russian "crazy" sysadmins, loving much CPU power and throughput in reserve.
In plain Russian: a MikroTik nerd :)
 
troffasky
Member
Posts: 399
Joined: Wed Mar 26, 2014 4:37 pm

Re: CRS226 - loop protect, how?

Sat Dec 12, 2015 10:10 pm

You can do this by putting the ports into a bridge, but unfortunately that means the CPU is handling every frame, which will lead to performance that is somewhat less than wirespeed [as CPU has 1G link to switch chip].
 
shodan
newbie
Topic Author
Posts: 29
Joined: Sun Dec 01, 2013 3:26 pm
Location: Tula, Russia
Contact:

Re: CRS226 - loop protect, how?

Sun Dec 13, 2015 1:07 am

Hm! I hope you are wrong, and support will say how I can enable hardware loop protection in this device.
CRS can't be so bad!
Last edited by shodan on Sun Dec 13, 2015 7:20 am, edited 1 time in total.
 
chechito
Forum Guru
Posts: 1747
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia
Contact:

Re: CRS226 - loop protect, how?

Sun Dec 13, 2015 1:59 am

Some months ago I implemented it and it works well.

Using this guide can help you a lot; I made some changes, but today I don't remember well where.

http://wiki.mikrotik.com/wiki/Manual:CR ... rm_Control

I'm very slow, haha; it took me about 20 hours of work to learn how to do things on the CRS switch, but finally it works very well.

The trick to control the loop was to implement the traffic storm control, then action-on-static-station-move drop on the ports you want to protect, unicast-fdb-timeout 15 seconds or something like that.
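
An added example, not part of the original post: a script that reads a RouterOS export and reports switched ports lacking an `ingress-port-policer` entry for flooded traffic or `drop-dynamic-mac-move=yes`, the two per-port properties that appear in the export posted later in this thread. The sample export, the port order used to resolve numeric `set N` indices, and the required packet types are constructed assumptions.

```python
import re

# Flooded frame classes a policer should cover (assumed minimum for this example).
FLOOD_TYPES = {"broadcast", "unregistered-multicast", "unknown-unicast"}
KV = re.compile(r'([\w-]+)=("[^"]*"|\S+)')
POLICER_MENU = '/interface ethernet switch ingress-port-policer'

# Constructed sample in RouterOS export syntax (not the config from the thread).
# Assumed port order, as listed by "/interface ethernet switch port print".
SAMPLE_PORT_ORDER = ["ether1", "ether2", "ether3", "ether4", "sfp1", "switch1-cpu"]
SAMPLE_EXPORT = r'''
# constructed export
/interface ethernet
set [ find default-name=sfp1 ] name=sfp1-MASTER
/interface ethernet
set [ find default-name=ether1 ] master-port=sfp1-MASTER name=ether01-uplink
set [ find default-name=ether2 ] master-port=sfp1-MASTER
set [ find default-name=ether3 ] master-port=sfp1-MASTER
set [ find default-name=ether4 ] master-port=sfp1-MASTER name=\
    ether04-downlink
/interface ethernet switch ingress-port-policer
add burst=2M packet-types=\
    arp-or-nd,broadcast,unregistered-multicast,unknown-unicast port=\
    ether01-uplink
add burst=2M packet-types=broadcast port=ether2
add burst=2M packet-types=\
    arp-or-nd,broadcast,unregistered-multicast,unknown-unicast port=\
    ether04-downlink
add burst=2M packet-types=\
    arp-or-nd,broadcast,unregistered-multicast,unknown-unicast port=\
    sfp1-MASTER
/interface ethernet switch port
set 0 drop-dynamic-mac-move=yes qos-scheme-precedence="pcp-based,sa-based,da-b\
    ased"
set 1 drop-dynamic-mac-move=yes
set 2 drop-dynamic-mac-move=yes
set 4 drop-dynamic-mac-move=yes
'''


def logical_lines(export):
    """Join export continuations (backslash, newline, indent); drop comments."""
    joined = re.sub(r'\\\r?\n[ \t]*', '', export)
    lines = (line.strip() for line in joined.splitlines())
    return [line for line in lines if line and not line.startswith('#')]


def parse(export):
    """Yield (menu, verb, selector, properties) for each command line."""
    menu = None
    for line in logical_lines(export):
        if line.startswith('/'):
            menu = line
            continue
        verb, _, rest = line.partition(' ')
        props = {k: v.strip('"') for k, v in KV.findall(rest)}
        yield menu, verb, rest.split(' ', 1)[0], props


def audit(export, port_order):
    """Return {port: [issues]} for switched ports missing either setting."""
    names = {p: p for p in port_order}          # default name -> current name
    switched, masters, policed, moved = set(), set(), {}, []
    for menu, verb, selector, props in parse(export):
        if menu == '/interface ethernet' and verb == 'set':
            default = props.get('default-name')
            if default is None:
                continue
            names[default] = props.get('name', names.get(default, default))
            if 'master-port' in props:
                switched.add(default)
                masters.add(props['master-port'])   # master is a switch port too
        elif menu == POLICER_MENU and verb == 'add':
            if props.get('disabled') != 'yes':
                types = set(props.get('packet-types', '').split(','))
                policed.setdefault(props.get('port'), set()).update(types)
        elif menu == '/interface ethernet switch port' and verb == 'set':
            if props.get('drop-dynamic-mac-move') == 'yes':
                moved.append(selector)
    # Resolve numeric item indices only after all renames are known.
    protected = {names[port_order[int(s)]] if s.isdigit() else s for s in moved}
    findings = {}
    for port in sorted({names[d] for d in switched} | masters):
        issues = []
        missing = FLOOD_TYPES - policed.get(port, set())
        if missing:
            issues.append('no storm policer for ' + ','.join(sorted(missing)))
        if port not in protected:
            issues.append('drop-dynamic-mac-move not enabled')
        if issues:
            findings[port] = issues
    return findings


if __name__ == "__main__":
    for port, issues in audit(SAMPLE_EXPORT, SAMPLE_PORT_ORDER).items():
        print(port, "->", "; ".join(issues))
```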
 
shodan
newbie
Topic Author
Posts: 29
Joined: Sun Dec 01, 2013 3:26 pm
Location: Tula, Russia
Contact:

Re: CRS226 - loop protect, how?

Sun Dec 13, 2015 7:28 am

Sorry, I don't understand what I need to do.
I already implemented "Manual:CRS_examples#Traffic_Storm_Control", but it does not help.

Please show me your config.
 
barkas
Member Candidate
Posts: 260
Joined: Sun Sep 25, 2011 10:51 pm

Re: CRS226 - loop protect, how?

Sun Dec 13, 2015 10:04 am

There is no hardware loop prevention in CRS.
 
shodan
newbie
Topic Author
Posts: 29
Joined: Sun Dec 01, 2013 3:26 pm
Location: Tula, Russia
Contact:

Re: CRS226 - loop protect, how?

Sun Dec 13, 2015 10:27 am

Loop protect is a basic function of EVERY L2 managed switch, as I see later...
I've seen a lot of managed switches in my 15-year career. But I have never seen such an epic fail until now!

Hm... I see, CRS is trash!
It is horrible!

My old HP 1810G-24 does all I want... I am thinking about returning it to the rack.
I bought the CRS to use the 2 10G ports, but the CRS is actually fully unusable in my small home network.

Be sure, I will inform my colleagues at http://habrahabr.ru
I hope they will not make the same mistake as me.
 
barkas
Member Candidate
Posts: 260
Joined: Sun Sep 25, 2011 10:51 pm

Re: CRS226 - loop protect, how?

Sun Dec 13, 2015 12:08 pm

My advice is to use Mikrotik routers, and buy switches somewhere else.
 
shodan
newbie
Topic Author
Posts: 29
Joined: Sun Dec 01, 2013 3:26 pm
Location: Tula, Russia
Contact:

Re: CRS226 - loop protect, how?

Sun Dec 13, 2015 1:53 pm

Yes... RB450G and RB850Gx2 work well... also the new CCR1009 now works fine.
But not CRS... it is terrible!
 
chechito
Forum Guru
Posts: 1747
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia
Contact:

Re: CRS226 - loop protect, how?

Sun Dec 13, 2015 4:05 pm

> Sorry, I don't understand what I need to do.
> I already implemented "Manual:CRS_examples#Traffic_Storm_Control", but it does not help.
>
> Please show me your config.

# dec/13/2015 09:16:10 by RouterOS 6.28
# software id = SMIQ-RJ36
#
/interface ethernet
set [ find default-name=ether24 ] name=ether24-gestion
set [ find default-name=sfp1 ] name=sfp1-MASTER
/interface vlan
add interface=sfp1-MASTER l2mtu=1584 name=vlan1 vlan-id=1
add interface=sfp1-MASTER l2mtu=1584 name=vlan49 vlan-id=49
/interface ethernet
set [ find default-name=ether1 ] master-port=sfp1-MASTER name=ether01-uplink
set [ find default-name=ether2 ] master-port=sfp1-MASTER name=ether02
set [ find default-name=ether3 ] master-port=sfp1-MASTER name=ether03
set [ find default-name=ether4 ] master-port=sfp1-MASTER name=\
    ether04-downlink
set [ find default-name=ether5 ] master-port=sfp1-MASTER name=ether05
set [ find default-name=ether6 ] master-port=sfp1-MASTER name=ether06
set [ find default-name=ether7 ] master-port=sfp1-MASTER name=ether07
set [ find default-name=ether8 ] master-port=sfp1-MASTER name=ether08
set [ find default-name=ether9 ] master-port=sfp1-MASTER name=ether09
set [ find default-name=ether10 ] master-port=sfp1-MASTER
set [ find default-name=ether11 ] master-port=sfp1-MASTER
set [ find default-name=ether12 ] master-port=sfp1-MASTER
set [ find default-name=ether13 ] master-port=sfp1-MASTER
set [ find default-name=ether14 ] master-port=sfp1-MASTER
set [ find default-name=ether15 ] master-port=sfp1-MASTER
set [ find default-name=ether16 ] master-port=sfp1-MASTER
set [ find default-name=ether17 ] master-port=sfp1-MASTER
set [ find default-name=ether18 ] master-port=sfp1-MASTER
set [ find default-name=ether19 ] master-port=sfp1-MASTER
set [ find default-name=ether20 ] master-port=sfp1-MASTER
set [ find default-name=ether21 ] master-port=sfp1-MASTER
set [ find default-name=ether22 ] master-port=sfp1-MASTER
set [ find default-name=ether23 ] master-port=sfp1-MASTER
/interface ethernet switch
set forward-unknown-vlan=no
/ip pool
add name=dhcp_pool1 ranges=192.168.14.50-192.168.14.200
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=vlan49 lease-time=4w2d \
    name=dhcp1
/port
set 0 baud-rate=9600 name=serial0
/queue type
add kind=pcq name=pcq-download pcq-classifier=dst-address pcq-limit=20 \
    pcq-rate=3M pcq-total-limit=20k
add kind=pcq name=pcq-upload pcq-classifier=src-address pcq-limit=20 \
    pcq-rate=2M pcq-total-limit=20k
set 7 pcq-classifier=src-address,src-port pcq-limit=20 pcq-rate=2M \
    pcq-total-limit=20k
set 8 pcq-classifier=dst-address,dst-port pcq-limit=20 pcq-rate=3M \
    pcq-total-limit=20k
/queue simple
add dst=vlan1 max-limit=10M/20M name=queue1 queue=pcq-upload/pcq-download \
    target=vlan49
/queue tree
add max-limit=10M name=TOTAL_U parent=global queue=default
add max-limit=20M name=TOTAL_D parent=global queue=default
add limit-at=9M max-limit=10M name=1_ACK_U packet-mark=ACK_U parent=TOTAL_U \
    priority=1 queue=default
add limit-at=19M max-limit=20M name=1_ACK_D packet-mark=ACK_D parent=TOTAL_D \
    priority=1 queue=default
add limit-at=9M max-limit=10M name=1_DNS_U packet-mark=DNS_U parent=TOTAL_U \
    priority=1 queue=default
add limit-at=19M max-limit=20M name=1_DNS_D packet-mark=DNS_D parent=TOTAL_D \
    priority=1 queue=default
add limit-at=9M max-limit=10M name=4_DUDE_U packet-mark=DUDE_U parent=TOTAL_U \
    priority=4 queue=pcq-upload-default
add limit-at=19M max-limit=20M name=4_DUDE_D packet-mark=DUDE_D parent=\
    TOTAL_D priority=4 queue=pcq-download-default
add limit-at=9M max-limit=10M name=1_ICMP_U packet-mark=ICMP_U parent=TOTAL_U \
    priority=1 queue=default
add limit-at=19M max-limit=20M name=1_ICMP_D packet-mark=ICMP_D parent=\
    TOTAL_D priority=1 queue=default
add limit-at=5M max-limit=10M name=5_HTTP_U packet-mark=HTTP_U parent=TOTAL_U \
    priority=5 queue=pcq-upload-default
add limit-at=10M max-limit=20M name=5_HTTP_D packet-mark=HTTP_D parent=\
    TOTAL_D priority=5 queue=pcq-download-default
add limit-at=100k max-limit=10M name=6_HTTP_U_BIG packet-mark=HTTP_BIG_U \
    parent=TOTAL_U priority=6 queue=pcq-upload-default
add limit-at=250k max-limit=20M name=6_HTTP_D_BIG packet-mark=HTTP_BIG_D \
    parent=TOTAL_D priority=6 queue=pcq-download-default
add limit-at=100k max-limit=10M name=5_OTHER_U packet-mark=OTHER_U parent=\
    TOTAL_U priority=5 queue=pcq-upload-default
add limit-at=250k max-limit=20M name=5_OTHER_D packet-mark=OTHER_D parent=\
    TOTAL_D priority=5 queue=pcq-download-default
add limit-at=19M max-limit=20M name=4_IPSEC_D packet-mark=IPSEC_D parent=\
    TOTAL_D priority=4 queue=pcq-download-default
add limit-at=9M max-limit=10M name=4_IPSEC_U packet-mark=IPSEC_U parent=\
    TOTAL_U priority=4 queue=pcq-upload-default
add limit-at=19M max-limit=20M name=2_VOIP_D packet-mark=VOIP_D parent=\
    TOTAL_D priority=2 queue=default
add limit-at=9M max-limit=10M name=2_VOIP_U packet-mark=VOIP_U parent=TOTAL_U \
    priority=2 queue=default
add limit-at=250k max-limit=20M name=6_MAIL_D packet-mark=MAIL_D parent=\
    TOTAL_D priority=6 queue=pcq-download-default
add limit-at=100k max-limit=10M name=6_MAIL_U packet-mark=MAIL_U parent=\
    TOTAL_U priority=6 queue=pcq-upload-default
add limit-at=100k max-limit=10M name=7_OTHER_BIG_U packet-mark=OTHER_BIG_U \
    parent=TOTAL_U priority=7 queue=pcq-upload-default
add limit-at=250k max-limit=20M name=7_OTHER_D_BIG packet-mark=OTHER_BIG_D \
    parent=TOTAL_D priority=7 queue=pcq-download-default
add limit-at=19M max-limit=20M name=4_RDP_D packet-mark=RDP_D parent=TOTAL_D \
    priority=4 queue=pcq-download-default
add limit-at=9M max-limit=10M name=4_RDP_U packet-mark=RDP_U parent=TOTAL_U \
    priority=4 queue=pcq-upload-default
/snmp community
set [ find default=yes ] addresses=192.168.149.0/24
/interface ethernet switch egress-vlan-tag
add tagged-ports=sfp1-MASTER,switch1-cpu vlan-id=49
add tagged-ports=ether01-uplink,ether04-downlink,sfp1-MASTER,switch1-cpu \
    vlan-id=1
add tagged-ports=ether01-uplink,ether04-downlink,sfp1-MASTER,switch1-cpu \
    vlan-id=61
add tagged-ports=ether01-uplink,ether04-downlink,sfp1-MASTER,switch1-cpu \
    vlan-id=40
add tagged-ports=ether01-uplink,ether04-downlink,sfp1-MASTER,switch1-cpu \
    vlan-id=62
add tagged-ports=ether01-uplink,ether04-downlink,sfp1-MASTER,switch1-cpu \
    vlan-id=63
add tagged-ports=ether01-uplink,ether04-downlink,sfp1-MASTER,switch1-cpu \
    vlan-id=64
add tagged-ports=ether01-uplink,ether04-downlink,sfp1-MASTER,switch1-cpu \
    vlan-id=65
add tagged-ports=ether01-uplink,ether04-downlink,sfp1-MASTER,switch1-cpu \
    vlan-id=66
/interface ethernet switch ingress-port-policer
add burst=2M packet-types=\
    arp-or-nd,broadcast,unregistered-multicast,unknown-unicast port=\
    ether01-uplink
add burst=2M packet-types=\
    arp-or-nd,broadcast,unregistered-multicast,unknown-unicast port=ether02
add burst=2M packet-types=\
    arp-or-nd,broadcast,unregistered-multicast,unknown-unicast port=ether03
add burst=2M packet-types=\
    arp-or-nd,broadcast,unregistered-multicast,unknown-unicast port=\
    ether04-downlink
add burst=2M packet-types=\
    arp-or-nd,broadcast,unregistered-multicast,unknown-unicast port=ether05
add burst=2M packet-types=\
    arp-or-nd,broadcast,unregistered-multicast,unknown-unicast port=ether06
add burst=2M packet-types=\
    arp-or-nd,broadcast,unregistered-multicast,unknown-unicast port=ether07
add burst=2M packet-types=\
    arp-or-nd,broadcast,unregistered-multicast,unknown-unicast port=ether08
add burst=2M packet-types=\
    arp-or-nd,broadcast,unregistered-multicast,unknown-unicast port=ether09
add burst=2M packet-types=\
    arp-or-nd,broadcast,unregistered-multicast,unknown-unicast port=ether10
add burst=2M packet-types=\
    arp-or-nd,broadcast,unregistered-multicast,unknown-unicast port=ether11
add burst=2M packet-types=\
    arp-or-nd,broadcast,unregistered-multicast,unknown-unicast port=ether12
add burst=2M packet-types=\
    arp-or-nd,broadcast,unregistered-multicast,unknown-unicast port=ether13
add burst=2M packet-types=\
    arp-or-nd,broadcast,unregistered-multicast,unknown-unicast port=ether14
add burst=2M packet-types=\
    arp-or-nd,broadcast,unregistered-multicast,unknown-unicast port=ether15
add burst=2M packet-types=\
    arp-or-nd,broadcast,unregistered-multicast,unknown-unicast port=ether16
add burst=2M packet-types=\
    arp-or-nd,broadcast,unregistered-multicast,unknown-unicast port=ether17
add burst=2M packet-types=\
    arp-or-nd,broadcast,unregistered-multicast,unknown-unicast port=ether18
add burst=2M packet-types=\
    arp-or-nd,broadcast,unregistered-multicast,unknown-unicast port=ether19
add burst=2M packet-types=\
    arp-or-nd,broadcast,unregistered-multicast,unknown-unicast port=ether20
add burst=2M packet-types=\
    arp-or-nd,broadcast,unregistered-multicast,unknown-unicast port=ether21
add burst=2M packet-types=\
    arp-or-nd,broadcast,unregistered-multicast,unknown-unicast port=ether22
add burst=2M packet-types=\
    arp-or-nd,broadcast,unregistered-multicast,unknown-unicast port=ether23
add burst=2M packet-types=\
    arp-or-nd,broadcast,unregistered-multicast,unknown-unicast port=\
    ether24-gestion
add burst=2M packet-types=\
    arp-or-nd,broadcast,unregistered-multicast,unknown-unicast port=\
    sfp1-MASTER
add burst=2M packet-types=\
    arp-or-nd,broadcast,unregistered-multicast,unknown-unicast port=\
    switch1-cpu
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 disabled=yes new-customer-vid=49 ports=ether01-uplink \
    sa-learning=yes
add customer-vid=0 new-customer-vid=49 ports=ether02 sa-learning=yes
add customer-vid=0 new-customer-vid=49 ports=ether03 sa-learning=yes
add customer-vid=0 new-customer-vid=49 ports=ether04-downlink sa-learning=yes
add customer-vid=0 new-customer-vid=49 ports=ether05 sa-learning=yes
add customer-vid=0 new-customer-vid=49 ports=ether06 sa-learning=yes
add customer-vid=0 new-customer-vid=49 ports=ether07 sa-learning=yes
add customer-vid=0 new-customer-vid=49 ports=ether08 sa-learning=yes
add customer-vid=0 new-customer-vid=49 ports=ether09 sa-learning=yes
add customer-vid=0 new-customer-vid=49 ports=ether10 sa-learning=yes
add customer-vid=0 new-customer-vid=49 ports=ether11 sa-learning=yes
add customer-vid=0 new-customer-vid=49 ports=ether12 sa-learning=yes
add customer-vid=0 new-customer-vid=49 ports=ether13 sa-learning=yes
add customer-vid=0 new-customer-vid=49 ports=ether14 sa-learning=yes
add customer-vid=0 new-customer-vid=49 ports=ether15 sa-learning=yes
add customer-vid=0 new-customer-vid=49 ports=ether16 sa-learning=yes
add customer-vid=0 new-customer-vid=49 ports=ether17 sa-learning=yes
add customer-vid=0 new-customer-vid=49 ports=ether18 sa-learning=yes
add customer-vid=0 new-customer-vid=49 ports=ether19 sa-learning=yes
add customer-vid=0 new-customer-vid=49 ports=ether20 sa-learning=yes
add customer-vid=0 new-customer-vid=49 ports=ether21 sa-learning=yes
add customer-vid=0 new-customer-vid=49 ports=ether22 sa-learning=yes
add customer-vid=0 new-customer-vid=49 ports=ether23 sa-learning=yes
/interface ethernet switch port
set 0 drop-dynamic-mac-move=yes qos-scheme-precedence="pcp-based,sa-based,da-b\
    ased,dscp-based,protocol-based,vlan-based,pcp-based"
set 1 drop-dynamic-mac-move=yes isolation-leakage-profile-override=2 \
    qos-scheme-precedence="pcp-based,sa-based,da-based,dscp-based,protocol-bas\
    ed,vlan-based,pcp-based"
set 2 drop-dynamic-mac-move=yes isolation-leakage-profile-override=2 \
    qos-scheme-precedence="pcp-based,sa-based,da-based,dscp-based,protocol-bas\
    ed,vlan-based,pcp-based"
set 3 drop-dynamic-mac-move=yes qos-scheme-precedence="pcp-based,sa-based,da-b\
    ased,dscp-based,protocol-based,vlan-based,pcp-based"
set 4 drop-dynamic-mac-move=yes isolation-leakage-profile-override=2 \
    qos-scheme-precedence="pcp-based,sa-based,da-based,dscp-based,protocol-bas\
    ed,vlan-based,pcp-based"
set 5 drop-dynamic-mac-move=yes isolation-leakage-profile-override=2 \
    qos-scheme-precedence="pcp-based,sa-based,da-based,dscp-based,protocol-bas\
    ed,vlan-based,pcp-based"
set 6 drop-dynamic-mac-move=yes isolation-leakage-profile-override=2 \
    qos-scheme-precedence="pcp-based,sa-based,da-based,dscp-based,protocol-bas\
    ed,vlan-based,pcp-based"
set 7 drop-dynamic-mac-move=yes isolation-leakage-profile-override=2 \
    qos-scheme-precedence="pcp-based,sa-based,da-based,dscp-based,protocol-bas\
    ed,vlan-based,pcp-based"
set 8 drop-dynamic-mac-move=yes isolation-leakage-profile-override=2 \
    qos-scheme-precedence="pcp-based,sa-based,da-based,dscp-based,protocol-bas\
    ed,vlan-based,pcp-based"
set 9 drop-dynamic-mac-move=yes isolation-leakage-profile-override=2 \
    qos-scheme-precedence="pcp-based,sa-based,da-based,dscp-based,protocol-bas\
    ed,vlan-based,pcp-based"
set 10 drop-dynamic-mac-move=yes isolation-leakage-profile-override=2 \
    qos-scheme-precedence="pcp-based,sa-based,da-based,dscp-based,protocol-bas\
    ed,vlan-based,pcp-based"
set 11 drop-dynamic-mac-move=yes isolation-leakage-profile-override=2 \
    qos-scheme-precedence="pcp-based,sa-based,da-based,dscp-based,protocol-bas\
    ed,vlan-based,pcp-based"
set 12 drop-dynamic-mac-move=yes isolation-leakage-profile-override=2 \
    qos-scheme-precedence="pcp-based,sa-based,da-based,dscp-based,protocol-bas\
    ed,vlan-based,pcp-based"
set 13 drop-dynamic-mac-move=yes isolation-leakage-profile-override=2 \
    qos-scheme-precedence="pcp-based,sa-based,da-based,dscp-based,protocol-bas\
    ed,vlan-based,pcp-based"
set 14 drop-dynamic-mac-move=yes isolation-leakage-profile-override=2 \
    qos-scheme-precedence="pcp-based,sa-based,da-based,dscp-based,protocol-bas\
    ed,vlan-based,pcp-based"
set 15 drop-dynamic-mac-move=yes isolation-leakage-profile-override=2 \
    qos-scheme-precedence="pcp-based,sa-based,da-based,dscp-based,protocol-bas\
    ed,vlan-based,pcp-based"
set 16 drop-dynamic-mac-move=yes isolation-leakage-profile-override=2 \
    qos-scheme-precedence="pcp-based,sa-based,da-based,dscp-based,protocol-bas\
    ed,vlan-based,pcp-based"
set 17 drop-dynamic-mac-move=yes isolation-leakage-profile-override=2 \
    qos-scheme-precedence="pcp-based,sa-based,da-based,dscp-based,protocol-bas\
    ed,vlan-based,pcp-based"
set 18 drop-dynamic-mac-move=yes isolation-leakage-profile-override=2 \
    qos-scheme-precedence="pcp-based,sa-based,da-based,dscp-based,protocol-bas\
    ed,vlan-based,pcp-based"
set 19 drop-dynamic-mac-move=yes isolation-leakage-profile-override=2 \
    qos-scheme-precedence="pcp-based,sa-based,da-based,dscp-based,protocol-bas\
    ed,vlan-based,pcp-based"
set 20 drop-dynamic-mac-move=yes isolation-leakage-profile-override=2 \
    qos-scheme-precedence="pcp-based,sa-based,da-based,dscp-based,protocol-bas\
    ed,vlan-based,pcp-based"
set 21 drop-dynamic-mac-move=yes isolation-leakage-profile-override=2 \
    qos-scheme-precedence="pcp-based,sa-based,da-based,dscp-based,protocol-bas\
    ed,vlan-based,pcp-based"
set 22 drop-dynamic-mac-move=yes isolation-leakage-profile-override=2 \
    qos-scheme-precedence="pcp-based,sa-based,da-based,dscp-based,protocol-bas\
    ed,vlan-based,pcp-based"
set 23 drop-dynamic-mac-move=yes qos-scheme-precedence="pcp-based,sa-based,da-\
    based,dscp-based,protocol-based,vlan-based,pcp-based"
set 24 drop-dynamic-mac-move=yes qos-scheme-precedence="pcp-based,sa-based,da-\
    based,dscp-based,protocol-based,vlan-based,pcp-based"
set 25 drop-dynamic-mac-move=yes qos-scheme-precedence="pcp-based,sa-based,da-\
    based,dscp-based,protocol-based,vlan-based,pcp-based"
/interface ethernet switch port-isolation
add forwarding-type=bridged port-profile=2 ports=\
    switch1-cpu,ether01-uplink,ether04-downlink,sfp1-MASTER protocol-type=\
    dhcpv4 registration-status="" traffic-type="" type=dst
/interface ethernet switch vlan
add ports="ether02,ether03,ether04-downlink,ether05,ether06,ether07,ether08,et\
    her09,ether10,ether11,ether12,ether13,ether14,ether15,ether16,ether17,ethe\
    r18,ether19,ether20,ether21,ether22,ether23,switch1-cpu" vlan-id=49
add ports=ether01-uplink,ether04-downlink,switch1-cpu vlan-id=1
add ports=ether01-uplink,ether04-downlink,switch1-cpu vlan-id=61
add ports=ether01-uplink,ether04-downlink,switch1-cpu vlan-id=40
add ports=ether01-uplink,ether04-downlink,switch1-cpu vlan-id=62
add ports=ether01-uplink,ether04-downlink,switch1-cpu vlan-id=63
add ports=ether01-uplink,ether04-downlink,switch1-cpu vlan-id=64
add ports=ether01-uplink,ether04-downlink,switch1-cpu vlan-id=65
add ports=ether01-uplink,ether04-downlink,switch1-cpu vlan-id=66
/ip address
add address=192.168.14.1/24 interface=vlan49 network=192.168.14.0
add address=192.168.151.24/24 interface=vlan1 network=192.168.151.0
/ip dhcp-server network
add address=192.168.14.0/24 dns-server=192.168.14.1 gateway=192.168.14.1
/ip dns
set allow-remote-requests=yes cache-max-ttl=8h cache-size=65536KiB servers=\
    192.168.151.1
/ip dns static
add address=127.0.0.1 name=zj.dcys.ksmobile.com
add address=127.0.0.1 name=helpcmsecurity1.ksmobile.com
add address=127.0.0.1 name=helpcmsecurity0.ksmobile.com
add address=127.0.0.1 name=cmdts.ksmobile.com
add address=127.0.0.1 name=ctldl.windowsupdate.com
add address=127.0.0.1 name=infoc2.duba.net
add address=127.0.0.1 name=up.cm.ksmobile.com
add address=127.0.0.1 name=weather.ios.ijinshan.com
add address=127.0.0.1 name=www.cm.ksmobile.com
add address=127.0.0.1 name=helpwhitetile1.ksmobile.com
add address=127.0.0.1 name=ads.mopub.com
add address=127.0.0.1 name=cms.utag.ksmobile.com
add address=127.0.0.1 name=dl.cm.ksmobile.com
add address=127.0.0.1 name=weather.ksmobile.com
add address=127.0.0.1 name=kbd.utag.ksmobile.com
add address=127.0.0.1 name=snooper.mojang.com
add address=127.0.0.1 name=cm.gcm.ksmobile.com
add address=127.0.0.1 name=helplauncher1.ksmobile.com
add address=127.0.0.1 name=cmsecurity.ksmobile.com
add address=127.0.0.1 name=live.chartboost.com
add address=127.0.0.1 name=n.m.ksmobile.com
add address=127.0.0.1 name=cb.ksmobile.com
add address=127.0.0.1 name=cfg.cml.ksmobile.com
add address=127.0.0.1 name=helpwhitetile21.ksmobile.com
add address=127.0.0.1 name=ups.ksmobile.com
/ip firewall mangle
add action=set-priority chain=postrouting comment="dscp 46" dscp=46 \
    new-priority=6
add action=set-priority chain=postrouting comment="dscp 48" dscp=48 \
    new-priority=6
add action=mark-connection chain=prerouting comment=DNS connection-mark=\
    no-mark connection-state=new new-connection-mark=DNS passthrough=no port=\
    53 protocol=udp
add action=mark-connection chain=postrouting connection-mark=no-mark \
    connection-state=new new-connection-mark=DNS passthrough=no port=53 \
    protocol=udp
add action=set-priority chain=postrouting connection-mark=DNS new-priority=6
add action=change-dscp chain=postrouting connection-mark=DNS new-dscp=48
add action=mark-packet chain=postrouting connection-mark=DNS new-packet-mark=\
    DNS_U passthrough=no src-address=192.168.14.10-192.168.14.250
add action=mark-packet chain=prerouting connection-mark=DNS dst-address=\
    192.168.14.10-192.168.14.250 new-packet-mark=DNS_D passthrough=no
add action=mark-connection chain=postrouting comment=ICMP connection-state=\
    new new-connection-mark=ICMP passthrough=no protocol=icmp
add action=mark-connection chain=prerouting connection-state=new \
    new-connection-mark=ICMP passthrough=no protocol=icmp
add action=change-dscp chain=postrouting connection-mark=ICMP new-dscp=48
add action=set-priority chain=postrouting connection-mark=ICMP new-priority=6
add action=change-dscp chain=output connection-mark=ICMP new-dscp=48
add action=set-priority chain=output connection-mark=ICMP new-priority=6
add action=mark-packet chain=postrouting connection-mark=ICMP \
    new-packet-mark=ICMP_U passthrough=no src-address=\
    192.168.14.10-192.168.14.250
add action=mark-packet chain=forward connection-mark=ICMP new-packet-mark=\
    ICMP_U passthrough=no src-address=192.168.14.10-192.168.14.250
add action=mark-packet chain=output connection-mark=ICMP new-packet-mark=\
    ICMP_U passthrough=no src-address=192.168.14.10-192.168.14.250
add action=mark-packet chain=prerouting connection-mark=ICMP dst-address=\
    192.168.14.10-192.168.14.250 new-packet-mark=ICMP_D passthrough=no
add action=mark-packet chain=forward connection-mark=ICMP dst-address=\
    192.168.14.10-192.168.14.250 new-packet-mark=ICMP_D passthrough=no
add action=mark-packet chain=input connection-mark=ICMP dst-address=\
    192.168.14.10-192.168.14.250 new-packet-mark=ICMP_D passthrough=no
add action=change-dscp chain=postrouting comment=ACK new-dscp=48 packet-size=\
    0-123 protocol=tcp tcp-flags=ack
add action=set-priority chain=postrouting new-priority=6 packet-size=0-123 \
    protocol=tcp tcp-flags=ack
add action=mark-packet chain=postrouting new-packet-mark=ACK_U packet-size=\
    0-123 passthrough=no protocol=tcp src-address=\
    192.168.14.10-192.168.14.250 tcp-flags=ack
add action=mark-packet chain=forward new-packet-mark=ACK_U packet-size=0-123 \
    passthrough=no protocol=tcp src-address=192.168.14.10-192.168.14.250 \
    tcp-flags=ack
add action=mark-packet chain=output new-packet-mark=ACK_U packet-size=0-123 \
    passthrough=no protocol=tcp src-address=192.168.14.10-192.168.14.250 \
    tcp-flags=ack
add action=mark-packet chain=prerouting dst-address=\
    192.168.14.10-192.168.14.250 new-packet-mark=ACK_D packet-size=0-123 \
    passthrough=no protocol=tcp tcp-flags=ack
add action=mark-packet chain=forward dst-address=192.168.14.10-192.168.14.250 \
    new-packet-mark=ACK_D packet-size=0-123 passthrough=no protocol=tcp \
    tcp-flags=ack
add action=mark-packet chain=input dst-address=192.168.14.10-192.168.14.250 \
    new-packet-mark=ACK_D packet-size=0-123 passthrough=no protocol=tcp \
    tcp-flags=ack
add action=mark-connection chain=prerouting comment=HTTP connection-mark=\
    !HTTP_BIG connection-state=new dst-port=80,443,8080,554,8000,81,444,8409 \
    new-connection-mark=HTTP protocol=tcp
add action=mark-connection chain=prerouting connection-mark=!HTTP_BIG \
    connection-state=new dst-port=80,443,8080,554,8000,81,444,8409 \
    new-connection-mark=HTTP protocol=udp
add action=mark-connection chain=prerouting connection-bytes=2000000-0 \
    connection-mark=HTTP new-connection-mark=HTTP_BIG passthrough=no \
    protocol=tcp
add action=mark-connection chain=postrouting connection-bytes=2000000-0 \
    connection-mark=HTTP new-connection-mark=HTTP_BIG passthrough=no \
    protocol=tcp
add action=mark-connection chain=prerouting connection-bytes=2000000-0 \
    connection-mark=HTTP new-connection-mark=HTTP_BIG passthrough=no \
    protocol=udp
add action=mark-connection chain=postrouting connection-bytes=2000000-0 \
    connection-mark=HTTP new-connection-mark=HTTP_BIG passthrough=no \
    protocol=udp
add action=mark-packet chain=postrouting comment="HTTP BIG" connection-mark=\
    HTTP_BIG new-packet-mark=HTTP_BIG_U passthrough=no src-address=\
    192.168.14.10-192.168.14.250
add action=mark-packet chain=forward connection-mark=HTTP_BIG \
    new-packet-mark=HTTP_BIG_U passthrough=no src-address=\
    192.168.14.10-192.168.14.250
add action=mark-packet chain=output connection-mark=HTTP_BIG new-packet-mark=\
    HTTP_BIG_U passthrough=no src-address=192.168.14.10-192.168.14.250
add action=mark-packet chain=prerouting connection-mark=HTTP_BIG dst-address=\
    192.168.14.10-192.168.14.250 new-packet-mark=HTTP_BIG_D passthrough=no
add action=mark-packet chain=forward connection-mark=HTTP_BIG dst-address=\
    192.168.14.10-192.168.14.250 new-packet-mark=HTTP_BIG_D passthrough=no
add action=mark-packet chain=input connection-mark=HTTP_BIG dst-address=\
    192.168.14.10-192.168.14.250 new-packet-mark=HTTP_BIG_D passthrough=no
add action=mark-packet chain=postrouting comment=HTTP connection-mark=HTTP \
    new-packet-mark=HTTP_U passthrough=no src-address=\
    192.168.14.10-192.168.14.250
add action=mark-packet chain=forward connection-mark=HTTP new-packet-mark=\
    HTTP_U passthrough=no src-address=192.168.14.10-192.168.14.250
add action=mark-packet chain=output connection-mark=HTTP new-packet-mark=\
    HTTP_U passthrough=no src-address=192.168.14.10-192.168.14.250
add action=mark-packet chain=prerouting connection-mark=HTTP dst-address=\
    192.168.14.10-192.168.14.250 new-packet-mark=HTTP_D passthrough=no
add action=mark-packet chain=forward connection-mark=HTTP dst-address=\
    192.168.14.10-192.168.14.250 new-packet-mark=HTTP_D passthrough=no
add action=mark-packet chain=input connection-mark=HTTP dst-address=\
    192.168.14.10-192.168.14.250 new-packet-mark=HTTP_D passthrough=no
add action=mark-connection chain=prerouting comment=DUDE connection-state=new \
    dst-port=2210,8291,10008,22,23,222 new-connection-mark=DUDE passthrough=\
    no protocol=tcp
add action=mark-packet chain=postrouting connection-mark=DUDE \
    new-packet-mark=DUDE_U passthrough=no src-address=\
    192.168.14.10-192.168.14.250
add action=mark-packet chain=forward connection-mark=DUDE new-packet-mark=\
    DUDE_U passthrough=no src-address=192.168.14.10-192.168.14.250
add action=mark-packet chain=output connection-mark=DUDE new-packet-mark=\
    DUDE_U passthrough=no src-address=192.168.14.10-192.168.14.250
add action=mark-packet chain=prerouting connection-mark=DUDE dst-address=\
    192.168.14.10-192.168.14.250 new-packet-mark=DUDE_D passthrough=no
add action=mark-packet chain=forward connection-mark=DUDE dst-address=\
    192.168.14.10-192.168.14.250 new-packet-mark=DUDE_D passthrough=no
add action=mark-packet chain=input connection-mark=DUDE dst-address=\
    192.168.14.10-192.168.14.250 new-packet-mark=DUDE_D passthrough=no
add action=mark-connection chain=prerouting comment=RDP connection-state=new \
    dst-port=3389 new-connection-mark=RDP passthrough=no protocol=tcp
add action=mark-packet chain=postrouting connection-mark=RDP new-packet-mark=\
    RDP_U passthrough=no src-address=192.168.14.10-192.168.14.250
add action=mark-packet chain=forward connection-mark=RDP new-packet-mark=\
    RDP_U passthrough=no src-address=192.168.14.10-192.168.14.250
add action=mark-packet chain=output connection-mark=RDP new-packet-mark=RDP_U \
    passthrough=no src-address=192.168.14.10-192.168.14.250
add action=mark-packet chain=prerouting connection-mark=RDP dst-address=\
    192.168.14.10-192.168.14.250 new-packet-mark=RDP_D passthrough=no
add action=mark-packet chain=forward connection-mark=RDP dst-address=\
    192.168.14.10-192.168.14.250 new-packet-mark=RDP_D passthrough=no
add action=mark-packet chain=input connection-mark=RDP dst-address=\
    192.168.14.10-192.168.14.250 new-packet-mark=RDP_D passthrough=no
add action=mark-connection chain=prerouting comment=MAIL connection-state=new \
    dst-port=25,110,143,465,585,993,995 new-connection-mark=MAIL passthrough=\
    no protocol=tcp
add action=mark-packet chain=postrouting connection-mark=MAIL \
    new-packet-mark=MAIL_U passthrough=no src-address=\
    192.168.14.10-192.168.14.250
add action=mark-packet chain=forward connection-mark=MAIL new-packet-mark=\
    MAIL_U passthrough=no src-address=192.168.14.10-192.168.14.250
add action=mark-packet chain=output connection-mark=MAIL new-packet-mark=\
    MAIL_U passthrough=no src-address=192.168.14.10-192.168.14.250
add action=mark-packet chain=prerouting connection-mark=MAIL dst-address=\
    192.168.14.10-192.168.14.250 new-packet-mark=MAIL_D passthrough=no
add action=mark-packet chain=forward connection-mark=MAIL dst-address=\
    192.168.14.10-192.168.14.250 new-packet-mark=MAIL_D passthrough=no
add action=mark-packet chain=input connection-mark=MAIL dst-address=\
    192.168.14.10-192.168.14.250 new-packet-mark=MAIL_D passthrough=no
add action=mark-connection chain=prerouting comment=IPSEC connection-state=\
    new new-connection-mark=IPSEC passthrough=no protocol=ipsec-esp
add action=mark-connection chain=postrouting connection-state=new \
    new-connection-mark=IPSEC passthrough=no protocol=ipsec-esp
add action=mark-connection chain=forward connection-state=new \
    new-connection-mark=IPSEC passthrough=no protocol=ipsec-esp
add action=mark-connection chain=input connection-state=new \
    new-connection-mark=IPSEC passthrough=no protocol=ipsec-esp
add action=mark-connection chain=output connection-state=new \
    new-connection-mark=IPSEC passthrough=no protocol=ipsec-esp
add action=mark-connection chain=prerouting connection-state=new dst-port=\
    500,4500 new-connection-mark=IPSEC passthrough=no protocol=udp
add action=mark-connection chain=postrouting connection-state=new dst-port=\
    500,4500 new-connection-mark=IPSEC passthrough=no protocol=udp
add action=mark-connection chain=forward connection-state=new dst-port=\
    500,4500 new-connection-mark=IPSEC passthrough=no protocol=udp
add action=mark-connection chain=input connection-state=new dst-port=500,4500 \
    new-connection-mark=IPSEC passthrough=no protocol=udp
add action=mark-connection chain=output connection-state=new dst-port=\
    500,4500 new-connection-mark=IPSEC passthrough=no protocol=udp
add action=mark-packet chain=postrouting connection-mark=IPSEC \
    new-packet-mark=IPSEC_U passthrough=no src-address=\
    192.168.14.10-192.168.14.250
add action=mark-packet chain=forward connection-mark=IPSEC new-packet-mark=\
    IPSEC_U passthrough=no src-address=192.168.14.10-192.168.14.250
add action=mark-packet chain=output connection-mark=IPSEC new-packet-mark=\
    IPSEC_U passthrough=no src-address=192.168.14.10-192.168.14.250
add action=mark-packet chain=prerouting connection-mark=IPSEC dst-address=\
    192.168.14.10-192.168.14.250 new-packet-mark=IPSEC_D passthrough=no
add action=mark-packet chain=forward connection-mark=IPSEC dst-address=\
    192.168.14.10-192.168.14.250 new-packet-mark=IPSEC_D passthrough=no
add action=mark-packet chain=input connection-mark=IPSEC dst-address=\
    192.168.14.10-192.168.14.250 new-packet-mark=IPSEC_D passthrough=no
add action=mark-connection chain=prerouting comment=VOIP connection-mark=\
    no-mark connection-rate=0-25k new-connection-mark=VOIP passthrough=no \
    protocol=udp
add action=mark-packet chain=postrouting connection-mark=VOIP \
    new-packet-mark=VOIP_U packet-size=0-260 src-address=\
    192.168.14.10-192.168.14.250
add action=mark-packet chain=forward connection-mark=VOIP new-packet-mark=\
    VOIP_U packet-size=0-260 passthrough=no src-address=\
    192.168.14.10-192.168.14.250
add action=mark-packet chain=output connection-mark=VOIP new-packet-mark=\
    VOIP_U packet-size=0-260 passthrough=no src-address=\
    192.168.14.10-192.168.14.250
add action=change-dscp chain=postrouting new-dscp=48 packet-mark=VOIP_U
add action=set-priority chain=postrouting new-priority=6 packet-mark=VOIP_U \
    passthrough=no
add action=mark-packet chain=prerouting connection-mark=VOIP dst-address=\
    192.168.14.10-192.168.14.250 new-packet-mark=VOIP_D packet-size=0-260 \
    passthrough=no
add action=mark-packet chain=forward connection-mark=VOIP dst-address=\
    192.168.14.10-192.168.14.250 new-packet-mark=VOIP_D packet-size=0-260 \
    passthrough=no
add action=mark-packet chain=input connection-mark=VOIP dst-address=\
    192.168.14.10-192.168.14.250 new-packet-mark=VOIP_D packet-size=0-260 \
    passthrough=no
add action=change-dscp chain=postrouting new-dscp=48 packet-mark=VOIP_D
add action=set-priority chain=postrouting new-priority=6 packet-mark=VOIP_D \
    passthrough=no
add action=mark-packet chain=postrouting comment="NO VOIP" connection-mark=\
    VOIP new-packet-mark=OTHER_BIG_U passthrough=no src-address=\
    192.168.14.10-192.168.14.250
add action=mark-packet chain=forward connection-mark=VOIP new-packet-mark=\
    OTHER_BIG_U passthrough=no src-address=192.168.14.10-192.168.14.250
add action=mark-packet chain=output connection-mark=VOIP new-packet-mark=\
    OTHER_BIG_U passthrough=no src-address=192.168.14.10-192.168.14.250
add action=mark-packet chain=prerouting connection-mark=VOIP dst-address=\
    192.168.14.10-192.168.14.250 new-packet-mark=OTHER_BIG_D passthrough=no
add action=mark-packet chain=forward connection-mark=VOIP dst-address=\
    192.168.14.10-192.168.14.250 new-packet-mark=OTHER_BIG_D passthrough=no
add action=mark-packet chain=input connection-mark=VOIP dst-address=\
    192.168.14.10-192.168.14.250 new-packet-mark=OTHER_BIG_D passthrough=no
add action=mark-connection chain=prerouting comment="OTHER TCP" \
    connection-mark=!OTHER_BIG connection-state=new dst-port=\
    !80,443,8080,554,8000,81,444,8409,10008 new-connection-mark=OTHER \
    protocol=tcp
add action=mark-connection chain=prerouting connection-bytes=1000000-0 \
    connection-mark=OTHER dst-port=!80,443,8080,554,8000,81,444,8409,10008 \
    new-connection-mark=OTHER_BIG passthrough=no protocol=tcp
add action=mark-packet chain=postrouting connection-mark=OTHER \
    new-packet-mark=OTHER_U passthrough=no src-address=\
    192.168.14.10-192.168.14.250
add action=mark-packet chain=forward connection-mark=OTHER new-packet-mark=\
    OTHER_U passthrough=no src-address=192.168.14.10-192.168.14.250
add action=mark-packet chain=output connection-mark=OTHER new-packet-mark=\
    OTHER_U passthrough=no src-address=192.168.14.10-192.168.14.250
add action=mark-packet chain=prerouting connection-mark=OTHER dst-address=\
    192.168.14.10-192.168.14.250 new-packet-mark=OTHER_D passthrough=no
add action=mark-packet chain=forward connection-mark=OTHER dst-address=\
    192.168.14.10-192.168.14.250 new-packet-mark=OTHER_D passthrough=no
add action=mark-packet chain=input connection-mark=OTHER dst-address=\
    192.168.14.10-192.168.14.250 new-packet-mark=OTHER_D passthrough=no
add action=mark-packet chain=postrouting connection-mark=OTHER_BIG \
    new-packet-mark=OTHER_BIG_U passthrough=no src-address=\
    192.168.14.10-192.168.14.250
add action=mark-packet chain=forward connection-mark=OTHER_BIG \
    new-packet-mark=OTHER_BIG_U passthrough=no src-address=\
    192.168.14.10-192.168.14.250
add action=mark-packet chain=output connection-mark=OTHER_BIG \
    new-packet-mark=OTHER_BIG_U passthrough=no src-address=\
    192.168.14.10-192.168.14.250
add action=mark-packet chain=prerouting connection-mark=OTHER_BIG \
    dst-address=192.168.14.10-192.168.14.250 new-packet-mark=OTHER_BIG_D \
    passthrough=no
add action=mark-packet chain=forward connection-mark=OTHER_BIG dst-address=\
    192.168.14.10-192.168.14.250 new-packet-mark=OTHER_BIG_D passthrough=no
add action=mark-packet chain=input connection-mark=OTHER_BIG dst-address=\
    192.168.14.10-192.168.14.250 new-packet-mark=OTHER_BIG_D passthrough=no
add action=mark-packet chain=postrouting new-packet-mark=OTHER_BIG_U \
    packet-mark=no-mark passthrough=no src-address=\
    192.168.14.10-192.168.14.250
add action=mark-packet chain=forward new-packet-mark=OTHER_BIG_U packet-mark=\
    no-mark passthrough=no src-address=192.168.14.10-192.168.14.250
add action=mark-packet chain=output new-packet-mark=OTHER_BIG_U packet-mark=\
    no-mark passthrough=no src-address=192.168.14.10-192.168.14.250
add action=mark-packet chain=postrouting new-packet-mark=OTHER_BIG_U \
    passthrough=no src-address=192.168.14.10-192.168.14.250
add action=mark-packet chain=prerouting dst-address=\
    192.168.14.10-192.168.14.250 new-packet-mark=OTHER_BIG_D packet-mark=\
    no-mark passthrough=no
add action=mark-packet chain=forward dst-address=192.168.14.10-192.168.14.250 \
    new-packet-mark=OTHER_BIG_D packet-mark=no-mark passthrough=no
add action=mark-packet chain=input dst-address=192.168.14.10-192.168.14.250 \
    new-packet-mark=OTHER_BIG_D packet-mark=no-mark passthrough=no
add action=mark-packet chain=prerouting dst-address=\
    192.168.14.10-192.168.14.250 new-packet-mark=OTHER_BIG_D passthrough=no
add chain=postrouting disabled=yes
/ip route
add distance=1 gateway=192.168.151.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=22
/lcd
set backlight-timeout=never default-screen=informative-slideshow \
    read-only-mode=yes touch-screen=disabled
/lcd interface
set ether02 disabled=yes
set ether03 disabled=yes
set ether04-downlink disabled=yes
set ether05 disabled=yes
set ether06 disabled=yes
set ether07 disabled=yes
set ether08 disabled=yes
set ether09 disabled=yes
set ether10 disabled=yes
set ether11 disabled=yes
set ether12 disabled=yes
set ether13 disabled=yes
set ether14 disabled=yes
set ether15 disabled=yes
set ether16 disabled=yes
set ether17 disabled=yes
set ether18 disabled=yes
set ether19 disabled=yes
set ether20 disabled=yes
set ether21 disabled=yes
set ether22 disabled=yes
set ether23 disabled=yes
set ether24-gestion disabled=yes
set sfp1-MASTER disabled=yes
/lcd interface pages
set 0 interfaces=ether01-uplink
/lcd screen
set 2 disabled=yes
set 3 disabled=yes
set 4 disabled=yes
set 5 disabled=yes
/romon port
add disabled=no
/snmp
set enabled=yes
/system clock
set time-zone-autodetect=no time-zone-name=America/Bogota
/system identity
set name="sala sistemas 1"
/system ntp client
set enabled=yes primary-ntp=192.168.100.1

 
shodan
newbie
Topic Author
Posts: 29
Joined: Sun Dec 01, 2013 3:26 pm
Location: Tula, Russia
Contact:

Re: CRS226 - loop protect, how?

Sun Dec 13, 2015 7:18 pm

Thanks!!!

/interface ethernet switch port
set 2 action-on-static-station-move=drop drop-dynamic-mac-move=yes dscp-based-qos-dscp-to-dscp-mapping=no learn-limit=10 learn-override=yes
set 3 action-on-static-station-move=drop drop-dynamic-mac-move=yes dscp-based-qos-dscp-to-dscp-mapping=no learn-limit=10 learn-override=yes

It helps!
The CRS is not bad... not bad! Of course MikroTik needs to do a lot of work on the PSU and more in the CRS3***, but I think they will solve all the issues.
 
troffasky
Member
Posts: 399
Joined: Wed Mar 26, 2014 4:37 pm

Re: CRS226 - loop protect, how?

Mon Dec 14, 2015 6:17 pm

Yeah, this seems to work for mitigating loops. Just wish I'd known about it a few days ago - I installed a CRS125 at a remote site and put everything into a bridge!

Is there any way to monitor the state of this, e.g. see which ports are hitting the limit?
 
shodan
newbie
Topic Author
Posts: 29
Joined: Sun Dec 01, 2013 3:26 pm
Location: Tula, Russia
Contact:

Re: CRS226 - loop protect, how?

Mon Dec 14, 2015 6:27 pm

"action-on-static-station-move=drop drop-dynamic-mac-move=yes" works without any log entry.
The ports are still active, there is no traffic on the looped ports, and everything works fine.
But "chechito" did the right thing: unicast-fdb-timeout must be decreased (I set 120s), because if you reconnect a user from one port to another, their MAC does not move between the ports until the MAC table timeout expires.
In my network a user migrates between ports once in years, so it is not critical for me. It is only possible between Wi-Fi APs, but I do not install this rule on them.

I have not yet tested the rules from the manual "CRS_examples#Traffic_Storm_Control". I think they make sense only for a remote loop (a loop on another switch which is connected to the CRS).

PS. When I tested a storm (without these rules), the Ethernet interface on my QRT 2 died until a power cycle. Be careful in your experiments with other MikroTik devices that are connected to the CRS!!! :lol: :lol:
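The behaviour described in the post above, as an added simulation (not code from the thread or from MikroTik): a simplified learning-table model showing why refusing dynamic MAC moves contains a patch-cord loop, and why a relocated user stays blocked until the FDB timeout expires. The class, function names and the MAC address are constructed for illustration; the real switch chip logic may differ.

```python
from dataclasses import dataclass, field

HOST = "00:00:5e:00:53:01"  # constructed sample MAC (documentation range)

@dataclass
class FdbModel:
    """Toy learning-switch FDB; an assumption-based model, not the CRS chip."""
    fdb_timeout: float                                  # stands in for unicast-fdb-timeout (s)
    protected_ports: set = field(default_factory=set)   # ports with drop-dynamic-mac-move=yes
    table: dict = field(default_factory=dict)           # mac -> (port, last_seen)
    move_drops: dict = field(default_factory=dict)      # port -> frames dropped for MAC move

    def receive(self, port, src_mac, now):
        """Handle the source MAC of a frame arriving on `port` at time `now`."""
        entry = self.table.get(src_mac)
        if entry and now - entry[1] >= self.fdb_timeout:
            entry = None                                # entry aged out
        if entry and entry[0] != port and port in self.protected_ports:
            # MAC is already learned elsewhere: refuse the move and drop the frame
            self.move_drops[port] = self.move_drops.get(port, 0) + 1
            return "drop"
        self.table[src_mac] = (port, now)               # learn or refresh
        return "forward"

def loop_scenario(protected):
    """Patch cord between ports 3 and 4; host on port 5 broadcasts once a second."""
    sw = FdbModel(fdb_timeout=120, protected_ports={3, 4} if protected else set())
    results = []
    for t in range(5):
        results.append(sw.receive(5, HOST, t))  # original frame from the host
        results.append(sw.receive(4, HOST, t))  # copy flooded out 3, returning on 4
        results.append(sw.receive(3, HOST, t))  # copy flooded out 4, returning on 3
    return sw, results

def relocation_scenario(fdb_timeout):
    """User unplugged from port 3 at t=0, replugged into protected port 4."""
    sw = FdbModel(fdb_timeout=fdb_timeout, protected_ports={3, 4})
    sw.receive(3, HOST, 0)
    for t in range(1, 1000):
        if sw.receive(4, HOST, t) == "forward":
            return t                            # first second traffic passes again
    return None

if __name__ == "__main__":
    sw, res = loop_scenario(protected=True)
    print("looped copies dropped per port:", sw.move_drops)
    print("relocated user blocked for", relocation_scenario(120), "s")
```

The per-port drop counter in the model is the kind of signal the monitoring question above asks for; the thread does not say whether the device exposes one.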
 
strelokr
just joined
Posts: 16
Joined: Wed Dec 09, 2015 12:11 pm
Location: Ukraine

Re: CRS226 - loop protect, how?

Mon Jan 25, 2016 5:35 pm

Hello all.
I have a crs125-24g1s-rm.
For loop protection on local ports I use a script:
/interface ethernet switch port
:local i 1;
:for i from=1 to=24 do={set $i action-on-static-station-move=drop drop-dynamic-mac-move=yes dscp-based-qos-dscp-to-dscp-mapping=no learn-limit=10 learn-override=yes};
For local ports everything works fine, but when I connect my CRS to another one using two uplinks, my CRS freezes and does not answer requests on local ports. Removing the loop does not help. I waited around 30 sec. After a restart from the LCD the network works.

How can I create this loop protection?
