CRS1xx/2xx Series Switches Examples
CRS1xx/2xx Series Switches Examples
Section titled “CRS1xx/2xx Series Switches Examples”Summary
Section titled “Summary”This document provides basic use cases and configuration examples for CRS1xx and CRS2xx series Cloud Router Switches. These switches offer advanced Layer 2 switching capabilities with hardware offloading, including VLAN switching, port isolation, mirroring, and quality of service features.
This guide applies specifically to CRS1xx and CRS2xx series switches. For CRS3xx series devices, refer to the CRS3xx, CRS5xx series switches and CCR2116, CCR2216 documentation.
Port Switching
Section titled “Port Switching”CRS1xx/2xx series switches support hardware-accelerated port switching through the bridge interface with hardware offloading enabled. Port switching combines multiple physical ports into a single switched segment, allowing the switch chip to forward traffic at wire speed without CPU intervention.
To set up port switching, first create a bridge interface and add the desired ports to it with hardware offloading enabled:
/interface bridgeadd name=bridge1/interface bridge portadd bridge=bridge1 interface=ether2 hw=yesadd bridge=bridge1 interface=ether3 hw=yesadd bridge=bridge1 interface=ether4 hw=yesadd bridge=bridge1 interface=ether5 hw=yesA unique feature of CRS1xx/2xx series switches is the ability to create multiple isolated switch groups using multiple bridges with hardware offloading enabled. This allows for simple port isolation without complex VLAN configurations. However, for more complex setups involving VLAN filtering, the port isolation feature should be used instead of multiple bridges.
Management Access Configuration
Section titled “Management Access Configuration”In enterprise network deployments, switches typically forward packets at Layer 2 without allowing direct access to the device itself for security purposes. However, network administrators require management access to configure and monitor the switch. This section describes how to configure secure management access to CRS1xx/2xx switches.
Untagged Management Access
Section titled “Untagged Management Access”By default, if invalid VLAN filtering is not enabled, management access to the device is possible using both tagged and untagged traffic (VLAN 0) from any port. However, this default configuration poses security risks and can potentially overload the device CPU with broadcast traffic.
When implementing invalid VLAN filtering, ports used for management access must be added to the VLAN table for untagged traffic (VLAN 0). For example, to allow management access through ether2:
/interface ethernet switch vlanadd vlan-id=0 ports=ether2,switch1-cpuTagged Management Access
Section titled “Tagged Management Access”A more secure approach restricts management access to tagged traffic only. To allow only VLAN99 to access the device through ether2, first add an entry to the VLAN table that permits the selected port and CPU port to forward VLAN99 traffic:
/interface ethernet switch vlanadd ports=ether2,switch1-cpu vlan-id=99Packets sent from the CPU, such as ping replies, lack VLAN tags by default. To ensure outgoing packets include the appropriate VLAN tag:
/interface ethernet switch egress-vlan-tagadd tagged-ports=ether2,switch1-cpu vlan-id=99After configuring valid VLAN99 access, enable unknown/invalid VLAN filtering to restrict management access to only the specified ports:
/interface ethernet switchset drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether2,ether3,ether4,ether5Finally, create a VLAN interface on the bridge and assign an IP address:
/interface vlanadd interface=bridge1 name=MGMT vlan-id=99/ip addressadd address=192.168.99.1/24 interface=MGMTVLAN Configuration
Section titled “VLAN Configuration”CRS1xx/2xx series switches support multiple VLAN configuration methods including port-based VLANs, protocol-based VLANs, MAC-based VLANs, and advanced features like VLAN tunneling and CVID stacking.
Before configuring VLANs, it is strongly recommended to have a serial console cable available and tested, as VLAN configurations may temporarily disrupt network access.
Some VLAN changes require time to take effect due to learned MAC addresses. Flushing the Unicast Forwarding Database can accelerate convergence:
/interface ethernet switch unicast-fdb flushFor advanced configurations requiring complete VLAN functionality, use a single bridge with all ports, configure VLANs through the switch chip, and implement port isolation profiles for port group separation.
Port-Based VLAN
Section titled “Port-Based VLAN”Port-based VLANs assign traffic to specific VLANs based on the physical port through which packets enter the switch. This is the most common and straightforward VLAN configuration method.
Example 1: Trunk and Access Ports
Section titled “Example 1: Trunk and Access Ports”This configuration creates a typical enterprise network topology with a trunk port carrying multiple VLANs and access ports assigned to specific VLANs.
First, switch together the required ports:
/interface bridgeadd name=bridge1/interface bridge portadd bridge=bridge1 interface=ether2 hw=yesadd bridge=bridge1 interface=ether6 hw=yesadd bridge=bridge1 interface=ether7 hw=yesadd bridge=bridge1 interface=ether8 hw=yesConfigure ingress VLAN translation to assign VLAN IDs to untagged traffic on access ports:
/interface ethernet switch ingress-vlan-translationadd ports=ether6 customer-vid=0 new-customer-vid=200add ports=ether7 customer-vid=0 new-customer-vid=300add ports=ether8 customer-vid=0 new-customer-vid=400When entries are created under ingress-vlan-translation, the switch chip adds VLAN tags to ingress frames on specified ports. To remove VLAN tags on egress frames, create egress-vlan-tag entries. For trunk ports, specify which VLANs should be sent with tags:
/interface ethernet switch egress-vlan-tagadd tagged-ports=ether2 vlan-id=200add tagged-ports=ether2 vlan-id=300add tagged-ports=ether2 vlan-id=400Add entries to the VLAN table to define VLAN memberships for each port:
/interface ethernet switch vlanadd ports=ether2,ether6 vlan-id=200add ports=ether2,ether7 vlan-id=300add ports=ether2,ether8 vlan-id=400Enable unknown/invalid VLAN filtering after valid VLAN configuration:
/interface ethernet switchset drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether2,ether6,ether7,ether8Example 2: Trunk and Hybrid Ports
Section titled “Example 2: Trunk and Hybrid Ports”Hybrid ports simultaneously carry both tagged and untagged traffic, useful when connecting to devices that require different tagging behaviors.
Switch together the required ports:
/interface bridgeadd name=bridge1/interface bridge portadd bridge=bridge1 interface=ether2 hw=yesadd bridge=bridge1 interface=ether6 hw=yesadd bridge=bridge1 interface=ether7 hw=yesadd bridge=bridge1 interface=ether8 hw=yesConfigure ingress VLAN translation for access ports:
/interface ethernet switch ingress-vlan-translationadd ports=ether6 customer-vid=0 new-customer-vid=200add ports=ether7 customer-vid=0 new-customer-vid=300add ports=ether8 customer-vid=0 new-customer-vid=400Configure egress VLAN tagging with tagged ports specified for hybrid behavior:
/interface ethernet switch egress-vlan-tagadd tagged-ports=ether2,ether7,ether8 vlan-id=200add tagged-ports=ether2,ether6,ether8 vlan-id=300add tagged-ports=ether2,ether6,ether7 vlan-id=400Add VLAN table entries with learning enabled:
/interface ethernet switch vlanadd ports=ether2,ether6,ether7,ether8 vlan-id=200 learn=yesadd ports=ether2,ether6,ether7,ether8 vlan-id=300 learn=yesadd ports=ether2,ether6,ether7,ether8 vlan-id=400 learn=yesEnable unknown/invalid VLAN filtering:
/interface ethernet switchset drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether2,ether6,ether7,ether8Protocol-Based VLAN
Section titled “Protocol-Based VLAN”Protocol-based VLANs assign packets to VLANs based on the Layer 3 protocol type. This is useful in networks with mixed protocol traffic requiring different handling.
Switch together the required ports:
/interface bridgeadd name=bridge1/interface bridge portadd bridge=bridge1 interface=ether2 hw=yesadd bridge=bridge1 interface=ether6 hw=yesadd bridge=bridge1 interface=ether7 hw=yesadd bridge=bridge1 interface=ether8 hw=yesConfigure VLAN assignment based on protocol for IP and ARP traffic:
/interface ethernet switch protocol-based-vlanadd port=ether2 protocol=arp set-customer-vid-for=all new-customer-vid=0add port=ether6 protocol=arp set-customer-vid-for=all new-customer-vid=200add port=ether2 protocol=ip set-customer-vid-for=all new-customer-vid=0add port=ether6 protocol=ip set-customer-vid-for=all new-customer-vid=200Configure VLAN assignment for IPX protocol:
/interface ethernet switch protocol-based-vlanadd port=ether2 protocol=ipx set-customer-vid-for=all new-customer-vid=0add port=ether7 protocol=ipx set-customer-vid-for=all new-customer-vid=300Configure VLAN assignment for AppleTalk protocols using their EtherType values:
/interface ethernet switch protocol-based-vlanadd port=ether2 protocol=0x80F3 set-customer-vid-for=all new-customer-vid=0add port=ether8 protocol=0x80F3 set-customer-vid-for=all new-customer-vid=400add port=ether2 protocol=0x809B set-customer-vid-for=all new-customer-vid=0add port=ether8 protocol=0x809B set-customer-vid-for=all new-customer-vid=400MAC-Based VLAN
Section titled “MAC-Based VLAN”MAC-based VLANs assign traffic to VLANs based on the source MAC address. This provides granular control over device placement within VLANs.
Note that internally all MAC addresses are hashed, and certain MAC addresses may produce the same hash. This can prevent MAC address loading into the switch chip if hashes match. For this reason, MAC-based VLANs should be combined with port-based VLANs.
Switch together the required ports:
/interface bridgeadd name=bridge1/interface bridge portadd bridge=bridge1 interface=ether2 hw=yesadd bridge=bridge1 interface=ether7 hw=yesEnable MAC-based VLAN translation on the access port:
/interface ethernet switch portset ether7 allow-fdb-based-vlan-translate=yesAdd MAC-to-VLAN mapping entries:
/interface ethernet switch mac-based-vlanadd src-mac=A4:12:6D:77:94:43 new-customer-vid=200add src-mac=84:37:62:DF:04:20 new-customer-vid=300add src-mac=E7:16:34:A1:CD:18 new-customer-vid=400Configure VLAN tagging on the trunk port:
/interface ethernet switch egress-vlan-tagadd tagged-ports=ether2 vlan-id=200add tagged-ports=ether2 vlan-id=300add tagged-ports=ether2 vlan-id=400Add VLAN table entries and enable unknown/invalid VLAN filtering for complete configuration.
Hybrid VoIP Port Configuration
Section titled “Hybrid VoIP Port Configuration”Hybrid ports allow a single physical port to carry both tagged VoIP traffic and untagged data traffic. This is common when deploying IP phones where the phone connects to the switch port, and a computer connects through the phone’s pass-through port. The voice VLAN is tagged (VLAN 100) while data uses the native untagged VLAN (VLAN 10).
Configure the switch ports with hybrid behavior:
/interface bridgeadd name=bridge1/interface bridge portadd bridge=bridge1 interface=ether2 hw=yesadd bridge=bridge1 interface=ether3 hw=yesSet PVID on access ports to define the untagged VLAN:
/interface bridge portset ether2 pvid=10set ether3 pvid=10Configure the bridge VLAN table with hybrid behavior - the port is untagged for PVID (data) and tagged for voice VLAN:
/interface bridge vlanadd bridge=bridge1 tagged=ether2,ether3 vlan-ids=100add bridge=bridge1 untagged=ether2,ether3 vlan-ids=10The VoIP phone should be configured to tag its traffic with VLAN 100 while the computer connected through the phone uses untagged traffic (VLAN 10).
Verification:
/interface bridge vlan printExpected output shows ether2 and ether3 in both tagged (for VLAN 100) and untagged (for VLAN 10) lists.
InterVLAN Routing
Section titled “InterVLAN Routing”InterVLAN routing enables communication between devices in different VLANs by routing traffic at Layer 3. CRS1xx/2xx switches support this through a combination of switch-chip VLAN tagging and RouterOS routing.
Creating VLAN Interfaces on a Bridge
Section titled “Creating VLAN Interfaces on a Bridge”The key to inter-VLAN routing in RouterOS is creating VLAN interfaces on the bridge itself (not on physical interfaces). This allows the router to route between VLANs while using hardware-accelerated switching for Layer 2 traffic.
Why create VLAN interfaces on the bridge?
- The bridge represents the entire switch fabric
- Creating a VLAN interface on the bridge gives the router a Layer 3 interface in that VLAN
- Traffic between VLANs is routed at the CPU level through these interfaces
Switch together the required access ports:
/interface bridgeadd name=bridge1/interface bridge portadd bridge=bridge1 interface=ether6 hw=yesadd bridge=bridge1 interface=ether7 hw=yesadd bridge=bridge1 interface=ether8 hw=yesConfigure egress VLAN tagging on the CPU port for all VLANs:
/interface ethernet switch egress-vlan-tagadd tagged-ports=switch1-cpu vlan-id=200add tagged-ports=switch1-cpu vlan-id=300add tagged-ports=switch1-cpu vlan-id=400Configure ingress VLAN translation on access ports:
/interface ethernet switch ingress-vlan-translationadd ports=ether6 customer-vid=0 new-customer-vid=200add ports=ether7 customer-vid=0 new-customer-vid=300add ports=ether8 customer-vid=0 new-customer-vid=400Create VLAN interfaces on the bridge (not on physical interfaces):
/interface vlanadd name=VLAN200 interface=bridge1 vlan-id=200add name=VLAN300 interface=bridge1 vlan-id=300add name=VLAN400 interface=bridge1 vlan-id=400Assign IP addresses to each VLAN interface:
/ip addressadd address=192.168.20.1/24 interface=VLAN200add address=192.168.30.1/24 interface=VLAN300add address=192.168.40.1/24 interface=VLAN400Unknown/Invalid VLAN Filtering
Section titled “Unknown/Invalid VLAN Filtering”After configuring valid VLANs, enable filtering to block traffic using VLANs not defined in the VLAN table. This prevents VLAN hopping attacks and improves network security.
/interface ethernet switch vlanadd ports=switch1-cpu,ether6 vlan-id=200add ports=switch1-cpu,ether7 vlan-id=300add ports=switch1-cpu,ether8 vlan-id=400Option 1: Disable invalid VLAN forwarding on specific ports:
/interface ethernet switchset drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether2,ether6,ether7,ether8Option 2: Disable invalid VLAN forwarding globally:
/interface ethernet switchset forward-unknown-vlan=noUsing multiple bridges with enabled unknown/invalid VLAN filtering can cause unexpected behavior. Always use a single bridge configuration when using VLAN filtering, and use port isolation for port group separation.
VLAN Tunneling (Q-in-Q)
Section titled “VLAN Tunneling (Q-in-Q)”Q-in-Q (802.1ad) enables service providers to add outer VLAN tags while preserving customer inner VLAN tags, creating a stacked VLAN architecture for multi-tenant networks.
CRS-1 (Edge Switch 1):
/interface bridgeadd name=bridge1/interface bridge portadd bridge=bridge1 interface=ether1 hw=yesadd bridge=bridge1 interface=ether2 hw=yesadd bridge=bridge1 interface=ether9 hw=yes
/interface ethernet switch ingress-vlan-translationadd customer-vid=200 new-service-vid=400 ports=ether1add customer-vid=300 new-service-vid=500 ports=ether2
/interface ethernet switch egress-vlan-tagadd tagged-ports=ether9 vlan-id=400add tagged-ports=ether9 vlan-id=500
/interface ethernet switchset bridge-type=service-vid-used-as-lookup-vidCRS-2 (Core Switch):
/interface bridgeadd name=bridge1/interface bridge portadd bridge=bridge1 interface=ether9 hw=yesadd bridge=bridge1 interface=ether10 hw=yes
/interface ethernet switchset bridge-type=service-vid-used-as-lookup-vidCRS-3 (Edge Switch 2):
/interface bridgeadd name=bridge1/interface bridge portadd bridge=bridge1 interface=ether3 hw=yesadd bridge=bridge1 interface=ether4 hw=yesadd bridge=bridge1 interface=ether10 hw=yes
/interface ethernet switch ingress-vlan-translationadd customer-vid=200 new-service-vid=400 ports=ether3add customer-vid=300 new-service-vid=500 ports=ether4
/interface ethernet switch egress-vlan-tagadd tagged-ports=ether10 vlan-id=400add tagged-ports=ether10 vlan-id=500
/interface ethernet switchset bridge-type=service-vid-used-as-lookup-vidCVID Stacking
Section titled “CVID Stacking”CVID Stacking allows CRS1xx/CRS2xx switches to add an outer VLAN tag on top of existing customer VLAN tags, enabling complex service provider architectures.
/interface bridgeadd name=bridge1/interface bridge portadd bridge=bridge1 interface=ether1 hw=yesadd bridge=bridge1 interface=ether2 hw=yesConfigure service VLAN-based switching:
/interface ethernet switchset bridge-type=service-vid-used-as-lookup-vidAdd service tag SVID 20 to packets with CVID 10:
/interface ethernet switch ingress-vlan-translationadd customer-vid=10 new-service-vid=20 ports=ether1Configure egress tagging:
/interface ethernet switch egress-vlan-tagadd tagged-ports=ether2 vlan-id=20Add VLAN table entry:
/interface ethernet switch vlanadd ports=ether1,ether2 vlan-id=20Override EtherType on egress:
/interface ethernet switch portset ether2 egress-service-tpid-override=0x8100 ingress-service-tpid-override=0x8100Enable unknown/invalid VLAN filtering:
/interface ethernet switchset drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether1,ether2Mirroring
Section titled “Mirroring”CRS1xx/2xx switches support three types of traffic mirroring: port-based, VLAN-based, and MAC-based. Mirroring copies traffic to a designated analyzer port for monitoring and troubleshooting.
Port-Based Mirroring
Section titled “Port-Based Mirroring”Port-based mirroring copies all traffic on specified ports to an analyzer port:
/interface ethernet switchset ingress-mirror0=ether5 egress-mirror0=ether5
/interface ethernet switch portset ether6 ingress-mirror-to=mirror0 egress-mirror-to=mirror0VLAN-Based Mirroring
Section titled “VLAN-Based Mirroring”VLAN-based mirroring copies traffic from all ports in a specified VLAN:
/interface bridgeadd name=bridge1/interface bridge portadd bridge=bridge1 interface=ether2 hw=yesadd bridge=bridge1 interface=ether7 hw=yes
/interface ethernet switchset ingress-mirror0=ether5 vlan-uses=mirror0
/interface ethernet switch vlanadd ports=ether2,ether7 vlan-id=300 learn=yes ingress-mirror=yesMAC-Based Mirroring
Section titled “MAC-Based Mirroring”MAC-based mirroring copies traffic to and from specific MAC addresses:
/interface bridgeadd name=bridge1/interface bridge portadd bridge=bridge1 interface=ether2 hw=yesadd bridge=bridge1 interface=ether8 hw=yes
/interface ethernet switchset ingress-mirror0=ether5 fdb-uses=mirror0
/interface ethernet switch unicast-fdbadd port=ether8 mirror=yes svl=yes mac-address=E7:16:34:A1:CD:18Trunking
Section titled “Trunking”Trunking provides static link aggregation with automatic failover and load balancing. Up to 8 trunk groups are supported with up to 8 member ports each.
/interface bridgeadd name=bridge1 protocol-mode=none/interface bridge portadd bridge=bridge1 interface=ether2 hw=yesadd bridge=bridge1 interface=ether6 hw=yesadd bridge=bridge1 interface=ether7 hw=yesadd bridge=bridge1 interface=ether8 hw=yes
/interface ethernet switch trunkadd name=trunk1 member-ports=ether6,ether7,ether8Configure bonding on the remote device:
/interface bondingadd name=bonding1 slaves=ether2,ether3,ether4 mode=balance-xor transmit-hash-policy=layer-2-and-3Note that bridge STP is not aware of trunking configuration. When connecting to other bridges, either disable STP or filter BPDUs using ACL rules.
Limited MAC Access per Port
Section titled “Limited MAC Access per Port”Control which devices can communicate through the switch by disabling MAC learning and configuring static MAC entries:
/interface bridgeadd name=bridge1/interface bridge portadd bridge=bridge1 interface=ether2 hw=yesadd bridge=bridge1 interface=ether6 hw=yes learn=no unknown-unicast-flood=noadd bridge=bridge1 interface=ether7 hw=yes learn=no unknown-unicast-flood=no
/interface ethernet switch unicast-fdbadd mac-address=4C:5E:0C:00:00:01 port=ether6 svl=yesadd mac-address=D4:CA:6D:00:00:02 port=ether7 svl=yes
/interface ethernet switch acladd action=drop src-mac-addr-state=sa-not-found src-ports=ether6,ether7 table=egressadd action=drop src-mac-addr-state=static-station-move src-ports=ether6,ether7 table=egressAlternatively, limit to one dynamic MAC per port:
/interface ethernet switch portset ether6 learn-limit=1set ether7 learn-limit=1Isolation
Section titled “Isolation”Port Level Isolation
Section titled “Port Level Isolation”Port-level isolation implements Private VLAN functionality where ports are grouped into different isolation levels:
/interface bridgeadd name=bridge1/interface bridge portadd bridge=bridge1 interface=ether2 hw=yesadd bridge=bridge1 interface=ether6 hw=yesadd bridge=bridge1 interface=ether7 hw=yesadd bridge=bridge1 interface=ether8 hw=yesadd bridge=bridge1 interface=ether9 hw=yesadd bridge=bridge1 interface=ether10 hw=yesConfigure uplink port (isolation profile 0):
/interface ethernet switch portset ether2 isolation-leakage-profile-override=0Configure isolated ports (isolation profile 1):
/interface ethernet switch portset ether5 isolation-leakage-profile-override=1set ether6 isolation-leakage-profile-override=1
/interface ethernet switch port-isolationadd port-profile=1 ports=ether2 type=dstConfigure community ports (isolation profiles 2 and 3):
/interface ethernet switch portset ether7 isolation-leakage-profile-override=2set ether8 isolation-leakage-profile-override=2
/interface ethernet switch port-isolationadd port-profile=2 ports=ether2,ether7,ether8 type=dst
/interface ethernet switch portset ether9 isolation-leakage-profile-override=3set ether10 isolation-leakage-profile-override=3
/interface ethernet switch port-isolationadd port-profile=3 ports=ether2,ether9,ether10 type=dstProtocol Level Isolation
Section titled “Protocol Level Isolation”Protocol-level isolation restricts specific protocol traffic between ports, useful for security such as preventing DHCP spoofing:
/interface bridgeadd name=bridge1/interface bridge portadd bridge=bridge1 interface=ether1 hw=yesadd bridge=bridge1 interface=ether2 hw=yesadd bridge=bridge1 interface=ether3 hw=yesadd bridge=bridge1 interface=ether4 hw=yesadd bridge=bridge1 interface=ether5 hw=yesConfigure community profile for client ports:
/interface ethernet switch portset ether2 isolation-leakage-profile-override=2set ether3 isolation-leakage-profile-override=2set ether4 isolation-leakage-profile-override=2set ether5 isolation-leakage-profile-override=2Allow DHCP traffic only to trusted server port:
/interface ethernet switch port-isolationadd port-profile=2 protocol-type=dhcpv4 type=dst forwarding-type=bridged ports=ether1 registration-status="" traffic-type=""Quality of Service
Section titled “Quality of Service”MAC-Based Traffic Scheduling
Section titled “MAC-Based Traffic Scheduling”Configure strict priority scheduling based on MAC addresses:
/interface ethernet switch qos mac-groupadd dst-mac-address=00:0C:00:00:00:01 new-priority=7add dst-mac-address=00:0C:00:00:00:02 new-priority=6Apply priority mapping to egress queue:
/interface ethernet switch egress-queueset switch1-cpu schedulername=sp map2queue=7,6,5,4,3,2,1,0MAC-Based Traffic Shaping
Section titled “MAC-Based Traffic Shaping”Apply bandwidth limits based on MAC addresses:
/interface ethernet switch shaperadd port=ether1 rate=100M target=YESadd port=ether2 rate=200M target=YESVLAN-Based QoS
Section titled “VLAN-Based QoS”Apply QoS based on VLAN priority (PCP):
/interface ethernet switch portset ether1 priority=0set ether2 priority=7Configure priority-to-queue mapping:
/interface ethernet switch egress-queueset switch1-cpu schedulername=wfq map2queue=0,1,2,3,4,5,6,7Bandwidth Limiting
Section titled “Bandwidth Limiting”/interface ethernet switch shaperadd port=ether5 rate=10M target=YESTraffic Storm Control
Section titled “Traffic Storm Control”Limit broadcast and multicast traffic rates:
/interface ethernet switch storm-controlset ether5 broadcast-rate=1000 multicast-rate=1000 unknown-unicast-rate=1000