Controller Bridge and Port Extender

Note: The feature has been removed from RouterOS since RouterOS v7.18.

Summary

Controller Bridge (CB) and Port Extender (PE) is an IEEE 802.1BR standard implementation in RouterOS for CRS3xx series switches. It allows virtually extending the CB ports with a PE device and manage these extended interfaces from a single controlling device. Such configuration provides a simplified network topology, flexibility, increased port density and ease of manageability.

The Controller Bridge establishes communication with the Port Extender through a cascade port. Similarly, the Port Extender will communicate with the Controller Bridge only through an upstream port. On a PE, control ports must be configured and only one port (closest to the CB) will act as an upstream port, other control ports can act as a backup for upstream port or even cascade port for switches connected in series.

Extended ports are interfaces that are controlled by the CB and they are typically connected to the end hosts. Extended ports only transmit and receive network traffic.

Supported Devices

Model	Controller Bridge	Port Extender
netPower 15FR (CRS318-1Fi-15Fr-2S)	-	+
netPower 16P (CRS318-16P-2S+)	-	+
CRS310-1G-5S-4S+ (netFiber 9/IN)	-	+
CRS326-24G-2S+ (RM/IN)	-	+
CRS328-24P-4S+	-	+
CRS328-4C-20S-4S+	-	+
CRS305-1G-4S+	-	+
CRS309-1G-8S+	+	+
CRS317-1G-16S+	+	+
CRS312-4C+8XG	+	+
CRS326-24S+2Q+	+	+
CRS354-48G-4S+2Q+	+	+
CRS354-48P-4S+2Q+	+	+

Limitations

Although controller allows to configure port extender interfaces, some bridging and switching features cannot be used or will not work properly.

Feature	Support
Bonding for cascade and upstream ports	+
Bridge VLAN filtering	+
Bonding for extended ports	-
Dot1x authenticator (server)	-
Ingress and egress rate	-
Mirroring	-
Port ingress VLAN filtering	-
Port isolation	-
Storm control	-
Switch rules (ACL)	-
L3HW offloading	-
MLAG	-

Quick Setup

This example creates a Controller Bridge (CRS317-1G-16S+) connected to a single Port Extender (CRS326-24G-2S+) through an SFP+1 interface.

Step 1: Configure a bridge with enabled VLAN filtering on the CB:

/interface bridge
add name=bridge1 vlan-filtering=yes

Step 2: Configure a port that is connected to the PE and will act as cascade port:

/interface bridge port-controller
set bridge=bridge1 cascade-ports=sfp-sfpplus1 switch=switch1

Step 3: On the PE, configure a control port:

/interface bridge port-extender
set control-ports=sfp-sfpplus1 switch=switch1

Once PE and CB are connected, all interfaces that are on the same switch group (except for control ports) will be extended and can be further configured on the CB.

Important: Do not include cascade-ports and control-ports in any routing or bridging configurations. These ports are recommended only for CB and PE usage.

To exclude some ports from being extended (e.g., for out-of-band management), configure the excluded-ports property.

Discovery and Control Protocols

Before frame forwarding on extended ports is possible, CB and PE must discover each other and exchange essential information:

LLDP Discovery: CB and PE enabled devices use LLDP with specific Port Extension TLV to advertise support on cascade and control ports.
Control and Status Protocol (CSP): Once LLDP messages are exchanged, CSP over ECP initiates. CSP is used to:
- Assign unique IDs for extended ports
- Control data-path settings (e.g., port VLAN membership)
- Send port status information (e.g., interface stats, PoE-out monitoring)
ECP (Edge Control Protocol): Provides reliable and sequenced frame delivery (EtherType 0x8940).

Limitation: The current CB implementation does not support failover techniques. Once the CB becomes unavailable, the PE will lose all control and data forwarding rules.

Packet Flow

The packet walkthrough explains the underlying principles:

An L2 packet is received on the extended port
The PE encapsulates the packet with an E-TAG header (EtherType 0x85F) and forwards it through an upstream port toward the CB
The CB receives the E-TAG packet, decapsulates it, and proceeds with regular switching decisions
After switching decision, the CB encapsulates the packet with E-TAG and sends it through a cascade port toward the PE
The PE decapsulates and sends the original L2 packet through the extended port

Controller Bridge Settings

Sub-menu: /interface bridge port-controller

Properties

Property	Description
`bridge` (name)	The bridge interface where ports will be extended. CB enables only when `bridge` and `switch` are specified.
`cascade-ports` (interfaces)	Interfaces that act as cascade ports. Bonding interfaces with 802.3ad or balance-xor mode are also supported.
`switch` (name)	The switch that acts as the CB. CB enables only when `bridge` and `switch` are specified.

Monitoring Devices

/interface bridge port-controller device print
/interface bridge port-controller device monitor pe2

Device Properties

Property	Description
`connected-via-devs` (name)	Shows connected devices in the path from PE to CB.
`connected-via-ports` (name)	Shows connection path from PE to CB.
`control-ports` (interfaces)	PE control ports.
`descr` (name)	Short PE description.
`name` (name)	Automatically assigned PE name.
`pe-mac` (MAC address)	PE MAC address.
`status` (active \| inactive)	PE status.

Port Monitoring

/interface bridge port-controller port print where !disabled
/interface bridge port-controller port monitor [find where !disabled]

Port Properties

Property	Description
`device` (name)	Automatically assigned PE name.
`name` (name)	Automatically assigned port name.
`pcid` (integer)	Automatically assigned port identifier.
`port-status` (dev-inactive \| not-added \| ok)	PE port status.
`rate` (bps)	Data rate of the connection.
`status` (link-ok \| no-link \| unknown)	PE port link status.

PoE Monitoring

/interface bridge port-controller port poe print
/interface bridge port-controller port poe monitor pe1-ether2,pe1-ether3

Port Extender Settings

Sub-menu: /interface bridge port-extender

Properties

Property	Description
`control-ports` (interfaces)	Interfaces that connect to CB (upstream port) or other PE devices in series (cascade port). Bonding interfaces supported.
`excluded-ports` (interfaces)	Interfaces that will not be extended.
`switch` (name)	The switch that acts as the extender. PE enables only when this property is specified.

Configuration Examples

Basic CB and PE Configuration

This example uses a CRS317-1G-16S+ as CB and CRS328-24P-4S+ as PE.

CB Configuration:

/interface bridge
add name=bridge1 vlan-filtering=yes
/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus2
/interface bridge port-controller
set bridge=bridge1 cascade-ports=sfp-sfpplus1 switch=switch1

PE Configuration:

/interface bridge port-extender
set control-ports=sfp-sfpplus4 switch=switch1

Once discovery completes, new interfaces are created and added to the bridge on the CB. Interfaces are named with the PE name plus the default interface name.

Trunk and Access Ports

This example creates untagged (access) and tagged (trunk) port configuration.

CB Configuration:

/interface bridge
add name=bridge1 vlan-filtering=yes
/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus2
/interface bridge port-controller
set bridge=bridge1 cascade-ports=sfp-sfpplus1 switch=switch1

PE Configuration:

/interface bridge port-extender
set control-ports=sfp-sfpplus4 switch=switch1

Configure Access Ports:

/interface bridge port
set [find interface=pe1-ether1] pvid=10
set [find interface=pe1-ether2] pvid=20
set [find interface=pe1-ether3] pvid=30

Configure VLAN Entries:

/interface bridge vlan
add bridge=bridge1 tagged=pe1-sfpplus1,sfp-sfpplus2 untagged=pe1-ether1 vlan-ids=10
add bridge=bridge1 tagged=pe1-sfpplus1,sfp-sfpplus2 untagged=pe1-ether2 vlan-ids=20
add bridge=bridge1 tagged=pe1-sfpplus1,sfp-sfpplus2 untagged=pe1-ether3 vlan-ids=30

Apply Frame Filtering:

/interface bridge port
set [find interface=pe1-ether1] frame-types=admit-only-untagged-and-priority-tagged
set [find interface=pe1-ether2] frame-types=admit-only-untagged-and-priority-tagged
set [find interface=pe1-ether3] frame-types=admit-only-untagged-and-priority-tagged
set [find interface=pe1-sfpplus1] frame-types=admit-only-vlan-tagged
set [find interface=sfp-sfpplus2] frame-types=admit-only-vlan-tagged ingress-filtering=yes

Note: Port ingress VLAN filtering is not supported on extended ports.

Cascading Multiple Port Extenders with Bonding

This example adds two PEs to a CB with bonding for increased throughput.

CB Configuration:

/interface bonding
add mode=802.3ad name=bond1 slaves=sfp-sfpplus1,sfp-sfpplus2
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus3
/interface bridge port-controller
set bridge=bridge1 cascade-ports=bond1 switch=switch1

PE1 Configuration (CRS328-24P-4S+):

/interface bonding
add mode=802.3ad name=bond1 slaves=sfp-sfpplus1,sfp-sfpplus2
add mode=802.3ad name=bond2 slaves=sfp-sfpplus3,sfp-sfpplus4
/interface bridge port-extender
set control-ports=bond1,bond2 switch=switch1

PE2 Configuration (CRS326-24G-2S+):

/interface bonding
add mode=802.3ad name=bond1 slaves=sfp-sfpplus1,sfp-sfpplus2
/interface bridge port-extender
set control-ports=bond1 switch=switch1

Monitoring Connection Path:

/interface bridge port-controller device monitor [find]
/interface bridge port-controller port print where running or upstream-port

Configuration Modification and Removal

To modify or remove PE configuration:

Step 1: Disable the PE:

/interface bridge port-extender set switch=none control-ports="" excluded-ports=""

Step 2: Remove related bridge configuration:

/interface bridge port remove [find interface~"pe1"]

Step 3: Remove the PE from CB:

/interface bridge port-controller device remove [find name=pe1]

This command automatically removes all PE interfaces from the CB interface list.