Understanding Bridge HW Offload: Edgars Paberzs

Objectives
● Learn about bridge hardware offloading and its packet flow
● Understand how to configure a bridge with vlan-filtering
● Show possible L2 testing methods
● Walk through some of the MTCSWE questions

Basic principles of RouterOS bridge
● Bridge connects multiple LAN segments into one
● Works only with interfaces that have a MAC address (Ethernet, wireless, bonding, EoIP, VLAN, VXLAN)
● Forwards packets by MAC address
● MAC learning (host table or FDB)
● Traffic types – unicast, multicast and broadcast
● STP (Spanning Tree Protocol)
● https://help.mikrotik.com/docs/display/ROS/Bridge

Software (CPU) and hardware (switch) bridging
https://help.mikrotik.com/docs/display/ROS/Bridge#Bridge-BridgeHardwareOffloading

Basic switch chips
● QCA8337, Atheros8327, Atheros8316, Atheros7240, ICPlus175D, MT7621, RTL8367, 88E6393X
● Included in most SOHO routers (hEX, hAP ac2)
● Port switching in the “/interface bridge” menu
● Some switch features like VLANs and ACL in “/interface ethernet switch” menu
● Some chips getting HW vlan-filtering support in RouterOS v7 (RTL8367, 88E6393X)
● https://help.mikrotik.com/docs/display/ROS/Switch+Chip+Features

CRS1xx/2xx series switches
● Devices designed mainly for switching
● Support advanced switching features – VLANs, ACL, QoS, mirroring, traffic isolation
● More fine-tuning configuration options, e.g. ingress/egress VLAN header modification
● Steep learning curve
● Port switching in “/interface bridge” menu
● Switch features in “/interface ethernet switch” menu
● https://wiki.mikrotik.com/wiki/Manual:CRS1xx/2xx_series_switches_examples
● https://wiki.mikrotik.com/wiki/Manual:CRS1xx/2xx_series_switches

CRS3xx series switches
● Devices designed mainly for switching
● HW offloading works together with bridge features like vlan-filtering, MSTP, bonding, IGMP/MLD and DHCP snooping
● Most configuration is done in “/interface bridge” menu
● Easier to configure
● Dual boot – RouterOS/SwOS
● Unlocking new capabilities – L3 hardware offloading, MLAG, bridge controller and extender
● https://help.mikrotik.com/docs/display/ROS/CRS3xx+series+switches

CSS series switches
● Devices designed only for switching – CSS106, CSS326, CSS610
● SwOS only
● Switching features like VLANs, ACL, link aggregation, IGMP snooping
● Management only using a web GUI
● https://help.mikrotik.com/docs/display/SWOS/SwOS

Bridge HW offloading on different switches
https://help.mikrotik.com/docs/display/ROS/Bridge#Bridge-BridgeHardwareOffloading
https://help.mikrotik.com/docs/display/ROS/Switch+Chip+Features#SwitchChipFeatures-Introduction

Bridge HW offloading packet flow
https://help.mikrotik.com/docs/display/ROS/Packet+Flow+in+RouterOS#PacketFlowinRouterOS-FlowofHardwareOffloadedPacket

From switch to CPU
● Destination MAC address matches a local bridge MAC address
● Packet flood
● Bridge contains HW and non-HW offloaded interfaces (wireless, EoIP), or two switch chips
● Packet is intentionally copied and sent to the switch-cpu (for packet inspection)
● Switch configuration (BPDU packets for RSTP, DHCP or IGMP snooping)

Bridge VLAN filtering
● Enables VLAN-awareness on the bridge and allows tag modification (tag/untag)
● Main setting “vlan-filtering”
● Shared VLAN Learning (SVL) vs Independent VLAN Learning (IVL)
● HW offloaded on CRS3xx series, RTL8367 switch (RB4011, RB1100AHx4 RouterOS v7), and 88E6393X switch (RB5009, CCR2004-16G-2S+ RouterOS v7)
● SW vlan-filtering supported on all RouterOS devices
● /interface vlan – mostly used to create routable interfaces with an IP address
● /interface bridge vlan – creates VLAN entries for port-VLAN membership. This table represents which VLANs the bridge is allowed to forward. Access ports set with “pvid” get dynamically added to the table as untagged members
● /interface ethernet switch vlan – not all switches support bridge vlan-filtering together with HW offload, but it can still be configured through the switch menu.
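
A bridge VLAN filtering setup that uses the /interface vlan and /interface bridge vlan menus described above, added here as an example and not taken from the original slides. The port names (ether1 to ether3), VLAN IDs (10, 20, 99), the names bridge1 and MGMT, and the 192.168.99.1/24 address are assumptions; it assumes RouterOS v7 on a device with HW vlan-filtering support.

```routeros
# Added example; port names, VLAN IDs and the address are assumed values.
# Create the bridge with filtering off first so management access is not
# cut while the VLAN table is still incomplete.
/interface bridge
add name=bridge1 vlan-filtering=no

# ether1 = trunk (tagged only), ether2/ether3 = access ports.
# frame-types plus ingress-filtering drop frames that do not belong on the port.
/interface bridge port
add bridge=bridge1 interface=ether1 frame-types=admit-only-vlan-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether2 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether3 pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

# Port-VLAN membership: only the tagged side is listed; the access ports
# appear as dynamic untagged members because of their pvid.
/interface bridge vlan
add bridge=bridge1 tagged=ether1 vlan-ids=10
add bridge=bridge1 tagged=ether1 vlan-ids=20
# The bridge itself must be a tagged member of any VLAN the CPU should reach.
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=99

# Routable management interface on top of the bridge.
/interface vlan
add name=MGMT interface=bridge1 vlan-id=99
/ip address
add address=192.168.99.1/24 interface=MGMT

# Enable filtering last, once the table above is complete.
/interface bridge
set bridge1 vlan-filtering=yes

# Checks: the "H" flag on a bridge port means it is HW offloaded; the VLAN
# table should list ether2 and ether3 as current-untagged members; the host
# table shows the VLAN ID of each learned MAC address.
/interface bridge port print
/interface bridge vlan print
/interface bridge host print
```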

Troubleshooting and testing
● Vlan-filtering
● ACL rules
● Storm control

Possible MTCSWE updates in future
● VLANs with wireless and CAPsMAN
● Bridge Controller and Extender – something similar to CAPsMAN, but for switches. It needs more feature updates, like PE device software upgrade, and controller redundancy.
● L3 hardware offloading
● MLAG
● Port “ingress-filtering=yes” is the default value in v7
● New switches and devices with HW vlan-filtering in v7, e.g. the RB4011 and RB5009.
● No switch host menu for HW vlan-filtering devices in v7, only the bridge host table is available.