![首頁 Logo Keith ]p !!](/themes/mytheme/logo.png){kind=logo}
最後更新: 2021-06-11
Switch Chip & Features
Hardware IC:
RB450G/RB435G/RB850Gx2: Atheros8327
Atheros8327功能:
- Port Switching
- Port Mirroring
- Host table
- Vlan table
- Rule table
Software Bridge vs Hardware Bridge
Software
- can control traffic flow
- can monitor flow
- can do L2 and L3 functions like firewall
- .. but uses CPU power to do it
Hardware
- - faster throughput
- - low CPU load
- .. but can't do any sophisticated processing or monitoring
Checking
# a list of all switch chips present in system
/interface ethernet switch print
# 查看每個 port 在做什麼
/interface ethernet print
# 設置一個 switch group
/interface ethernet set ether4,ether5 master-port=ether3
* Now ports ether4,ether5 and ether3 will act as a switch.
* a link was detected only on ether5 => running flag is propagated to master port
P.S.
一個個 port 設定
/interface ethernet set ether4 master-port=ether3 set ether4 master-port=ether3
Difference between bridge and switch
A bridge joins interfaces together in software.
The switch menu allows you to control functions on the actiual switch chip on the routerboard.
RB450G/RB435G/RB850Gx2 的 Ether1
* ether1 port on RB450G/RB435G/RB850Gx2 能夠成為一個獨立的 port (獨立於 ether2~5)
# By default ether1 port will be included in the switch group.
# 查看 stats
/interface ethernet print stats
# 拆開他們
# "no" means ether1 is not part of switch, effectively making it as stand alone ethernet port
/interface ethernet switch set switch1 switch-all-ports=no
master port
設成 switch 群組後, 有一個 master port 選項
dhcp server 要設置在 master port 上
Port Mirroring
going in and out of one port (mirror-source) -> (mirror-target)
* mirror-source and mirror-target ports have to belong to same switch.
/interface ethernet switch port
Host Table
internal mac address to port mapping
- dynamic ( 5 minutes to time out ) (enabled only on switch group)
- static
* static entries that take over dynamic
* Learning is enabled only on ports that are configured as part of switch group.
copy-to-cpu=yes/no - a packet can be cloned and sent to cpu port
redirect-to-cpu=yes/no - a packet can be redirected to cpu port
Vlan Table
* Those rules are of higher priority than switch groups configured using 'master-port' property.
- disabled => ignore vlan table, treat packet with vlan tags just as if they did not contain a vlan tag;
- fallback (default) =>
# drop packets with vlan tag that is not present in vlan table
- check => incoming port does not match any port in vlan table entry does not get dropped.
- secure =>
* Packets without vlan tag are treated just like if they had a vlan tag with port default-vlan-id.
Vlan-header option:
- leave-as-is - packet remains unchanged on egress port;
- always-strip - if VLAN header is present it is removed from the packet;
- add-if-missing - if VLAN header is not present it is added to the packet.
Rule Table
能保持 wire speed packet filtering 時的 rule 數量
- Atheros8327: 92 rules
- Atheros8316: 32 rules
rate conditions (TX/RX)
Sets limitation (bits per second) for all matched traffic.(only applies to Atheros8327)
Can only be applied to first 32 rule slots.
ports conditions
match port that packet came in from
mac layer conditions
- dst-mac-address - match by destination mac address and mask;
- src-mac-address - ...;
ip conditions
- dst-address - match by destination ip and mask;
- src-address - match by source ip and mask;
- dscp - match by ip dscp field;
- protocol - match by ip protocol;
L4 conditions
- src-port - match by tcp/udp source port range;
- dst-port - match by tcp/udp destination port range;
