CRS1xx/2xx Series Switch Chip Features
Summary
The CRS1xx and CRS2xx series Cloud Router Switches feature advanced switch chips with comprehensive Layer 2 switching capabilities. These devices provide hardware-accelerated switching, extensive VLAN support, Quality of Service features, and Access Control List capabilities suitable for enterprise network deployments.
This documentation covers the switch chip features available on CRS1xx and CRS2xx series devices. For configuration examples and practical use cases, refer to the CRS1xx/2xx Series Switches Examples guide. For CRS3xx, CRS5xx series devices, and CCR2116/CCR2216 routers, consult the CRS3xx, CRS5xx, CCR2116, CCR2216 Switch Chip Features documentation.
Hardware Overview
Switch Chip Capabilities
The CRS1xx and CRS2xx series switches utilize Qualcomm Atheros switch chips with varying capabilities depending on the specific model. The switch chips provide wire-speed Layer 2 forwarding with hardware acceleration, enabling efficient traffic switching without CPU intervention for standard forwarding operations.
| Switch Chip | Models | CPU Speed | ACL Support | Jumbo Frame Support |
|---|---|---|---|---|
| QCA-8511 | CRS105-5S-FB, CRS106-1C-5S, CRS112-8G-4S | 400MHz | Yes | 9204 bytes |
| QCA-8519 | CRS210-8G-2S+, CRS212-1G-10S-1S+, CRS226-24G-2S+ | 400MHz | Yes | 9204 bytes |
| QCA-8513L | CRS125-24G-1S, CRS125-24G-1S-2HnD, CRS109-8G-1S-2HnD | 600MHz | No | 4064 bytes |
The switch chips provide dedicated hardware tables for forwarding databases, VLAN processing, and ACL rules. These tables operate independently of the main CPU, allowing the switch to process traffic at full wire speed regardless of CPU load. The available resources vary by switch chip model, with higher-end chips offering larger forwarding databases and more ACL rule capacity.
Supported Models
Compact Desktop Switches
| Model | Ports | SFP+ | PoE | Switch Chip | FDB Entries |
|---|---|---|---|---|---|
| CRS105-5S-FB | 5x SFP | - | - | QCA-8511 | 2048 |
| CRS106-1C-5S | 5x SFP + 1x combo | - | - | QCA-8511 | 2048 |
| CRS109-8G-1S-2HnD | 8x GE + 1x SFP | - | - | QCA-8513L | 2048 |
Rackmount Switches
| Model | Ports | SFP+ | PoE | Switch Chip | FDB Entries |
|---|---|---|---|---|---|
| CRS112-8G-4S | 8x GE + 4x SFP | - | - | QCA-8511 | 2048 |
| CRS125-24G-1S | 24x GE + 1x SFP | - | - | QCA-8513L | 2048 |
| CRS125-24G-1S-2HnD | 24x GE + 1x SFP | - | - | QCA-8513L | 2048 |
SFP+ Enabled Switches
| Model | Ports | SFP+ | PoE | Switch Chip | FDB Entries |
|---|---|---|---|---|---|
| CRS210-8G-2S+ | 8x GE + 2x SFP+ | Yes | - | QCA-8519 | 2048 |
| CRS212-1G-10S-1S+ | 1x GE + 10x SFP + 1x SFP+ | Yes | - | QCA-8519 | 2048 |
| CRS226-24G-2S+RM | 24x GE + 2x SFP+ | Yes | - | QCA-8519 | 2048 |
Features
Forwarding Database
The switch chip maintains forwarding databases for Layer 2 packet forwarding. The Unicast Forwarding Database (UFDB) stores MAC address to port mappings for unicast traffic, while the Multicast Forwarding Database (MFDB) handles multicast group registrations. These databases enable the switch to make intelligent forwarding decisions without flooding traffic to all ports.
The CRS1xx/2xx series supports 2048 Unicast FDB entries and 1024 Multicast FDB entries. The switch learns MAC addresses dynamically as traffic passes through ports with hardware offloading enabled. Static entries can be manually added for specific MAC addresses that should always map to particular ports, useful for servers or infrastructure devices with fixed locations.
Dynamic entries age out after approximately 5 minutes of inactivity, allowing the MAC address table to adapt to network changes such as device reboots or cable reconnections. This aging behavior prevents the table from filling with stale entries from devices that have been removed from the network.
Forwarding database entries can be viewed and managed through the /interface ethernet switch unicast-fdb and /interface ethernet switch multicast-fdb menus. The multicast database supports IGMP snooping registration entries that track multicast group membership across switch ports.
VLAN Support
Comprehensive VLAN support enables network segmentation at Layer 2. The switch supports IEEE 802.1Q VLAN tagging with 4096 possible VLAN IDs, allowing extensive network segmentation for security, performance isolation, and administrative separation.
The VLAN table stores VLAN membership information including which ports belong to each VLAN and optional attributes such as learning mode and mirroring configuration. VLAN table entries can specify whether learning is enabled for that VLAN, controlling whether the switch learns source MAC addresses from traffic in that VLAN context.
Ingress VLAN translation allows the switch to modify VLAN tags as packets enter the switch, useful for double-tagged configurations or when interfacing with equipment that uses non-standard VLAN tagging. Egress VLAN tag configuration controls how VLAN tags appear on outgoing traffic, supporting tagged, untagged, and priority-tagged formats.
Port-based VLAN assignment provides the simplest configuration model where each port belongs to a configured VLAN. Protocol-based VLAN assignment extends this by allowing different VLANs based on the Layer 3 protocol type, useful for networks carrying mixed protocol traffic. MAC-based VLAN assignment enables per-MAC address VLAN assignment, providing granular control over which VLAN a device appears on regardless of which physical port it connects to.
Port Isolation
Port isolation features provide traffic separation between ports for security and network design requirements. Private VLAN functionality allows ports to be grouped into isolated, community, and promiscuous categories, controlling which ports can communicate with each other.
Promiscuous ports can communicate with all other ports in the private VLAN, typically used for gateway connections or management access points. Isolated ports can only communicate with promiscuous ports, preventing direct communication between devices on isolated ports. Community ports can communicate with other ports in their community and with promiscuous ports, enabling controlled sharing within a group while maintaining isolation from other communities.
The port isolation leakage profile system allows fine-grained control over traffic flow between ports. Each port can be assigned a leakage profile that specifies which destination ports received traffic may be forwarded to. This enables complex isolation topologies that do not fit the standard Private VLAN model.
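The role rules above can be turned into per-port destination sets, which is the information a leakage profile expresses. This is an added example, not MikroTik code; the port names, roles and community labels are constructed sample data.

```python
# Added example: models the Private VLAN role rules described above.
# Port names, roles and community labels are constructed sample data.
PROMISCUOUS, ISOLATED, COMMUNITY = "promiscuous", "isolated", "community"

PORTS = {
    "ether1": (PROMISCUOUS, None),  # gateway / management uplink
    "ether2": (ISOLATED, None),
    "ether3": (ISOLATED, None),
    "ether4": (COMMUNITY, "A"),
    "ether5": (COMMUNITY, "A"),
    "ether6": (COMMUNITY, "B"),
}

def may_forward(src, dst, ports=PORTS):
    """True if traffic received on src may be forwarded to dst."""
    if src == dst:
        return False
    s_role, s_comm = ports[src]
    d_role, d_comm = ports[dst]
    if PROMISCUOUS in (s_role, d_role):
        return True  # promiscuous ports talk to every other port
    if s_role == COMMUNITY and d_role == COMMUNITY:
        return s_comm == d_comm  # same community only
    return False  # isolated<->isolated and isolated<->community are blocked

def allowed_destinations(ports=PORTS):
    """Per-port set of permitted destination ports."""
    return {s: {d for d in ports if may_forward(s, d, ports)} for s in ports}

def violations(observed, ports=PORTS):
    """Observed (src, dst) port pairs that the isolation design forbids."""
    return [(s, d) for s, d in observed if not may_forward(s, d, ports)]
```

Feeding `violations` with port pairs seen in a mirrored capture gives a quick check that the deployed isolation matches the intended design.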
Quality of Service
Quality of Service features enable traffic prioritization and bandwidth management. Eight egress queues per port support different priority levels, allowing critical traffic to receive preferential treatment during congestion. Queue scheduling modes include strict priority and weighted round-robin variants, configurable to match network requirements.
Traffic classification supports multiple methods including port-based classification, MAC address-based classification using destination MAC address priority fields, VLAN priority (PCP) preservation, DSCP value mapping, and ACL-based classification for arbitrary header field matching. The classification result determines which egress queue the packet uses and can influence remarking operations.
Shaping capabilities allow limiting the bandwidth available to specific ports or traffic classes. Port-based shapers apply a global rate limit to all traffic on a port, useful for enforcing subscriber access rates. Queue-based shapers apply limits to specific egress queues, enabling differentiated rate limiting within a port’s traffic.
Policing provides ingress rate limiting with configurable burst sizes and committed rates. Policers can drop or remark traffic that exceeds configured limits, protecting the switch and downstream devices from traffic bursts or denial of service attempts.
Access Control Lists
Hardware-accelerated Access Control Lists enable wire-speed packet filtering based on Layer 2, Layer 3, and Layer 4 header fields. The CRS1xx/2xx series supports up to 128 ACL rules across ingress and egress tables, with rule evaluation occurring in hardware for maximum performance.
ACL rules can match on source and destination MAC addresses, MAC protocol type, VLAN ID and priority, source and destination IP addresses, IP protocol type, TCP and UDP port numbers, DSCP values, and packet length. Multiple match conditions can be combined in a single rule using AND logic.
Actions available for matching packets include dropping the packet, forwarding to specific ports, copying to the CPU for inspection, or redirecting all matched traffic to the CPU. Actions can also include modifying packet fields such as VLAN ID or priority values, enabling advanced traffic manipulation scenarios.
Rules are evaluated in order from lowest to highest priority, with the first matching rule determining the packet’s action. This evaluation order is critical when designing ACLs with overlapping match conditions. Invalid rules that cannot be implemented in hardware are marked as such and do not participate in packet processing.
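The effect of evaluation order on overlapping rules can be checked before rules are loaded. The following is an added example, not MikroTik code: it models first-match evaluation with AND-combined conditions and reports rules that an earlier rule makes unreachable. Field names are model labels rather than RouterOS parameters, the rules are constructed, and the default action for unmatched packets is an assumption.

```python
# Added example: a first-match model of the ACL evaluation described above.
# Field names are model labels, not RouterOS parameters; rules are constructed.
MAX_RULES = 128  # rule capacity stated on this page

RULES = [  # list order stands in for evaluation order
    {"match": {"src_port": "ether6", "ip_proto": "tcp", "dst_l4": 22}, "action": "drop"},
    {"match": {"src_port": "ether6"}, "action": "forward"},
    {"match": {"src_port": "ether6", "ip_proto": "udp", "dst_l4": 53}, "action": "drop"},
    {"match": {"vlan_id": 200, "ip_proto": "tcp"}, "action": "copy-to-cpu"},
]

def matches(rule, pkt):
    """All conditions in a rule must hold (AND logic)."""
    return all(pkt.get(k) == v for k, v in rule["match"].items())

def evaluate(rules, pkt, default="forward"):
    """Return (index, action) of the first matching rule; default is assumed."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return i, rule["action"]
    return None, default

def shadowed(rules):
    """Return (later, earlier) index pairs where the later rule can never fire.

    With exact-value conditions joined by AND, an earlier rule covers a later
    one when every condition of the earlier rule also appears in the later
    rule: any packet matching the later rule hits the earlier rule first.
    """
    pairs = []
    for later, rule in enumerate(rules):
        for earlier in range(later):
            cond = rules[earlier]["match"]
            if all(rule["match"].get(k) == v for k, v in cond.items()):
                pairs.append((later, earlier))
                break
    return pairs

def check(rules):
    """Human-readable problems: shadowed rules and capacity overrun."""
    problems = [f"rule {l} is shadowed by rule {e}" for l, e in shadowed(rules)]
    if len(rules) > MAX_RULES:
        problems.append(f"{len(rules)} rules exceed the {MAX_RULES}-rule capacity")
    return problems
```

In the sample, the UDP/53 drop rule never fires because the broader rule for the same source port sits ahead of it.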
Mirroring
Traffic mirroring capabilities enable network monitoring and troubleshooting by copying selected traffic to designated analyzer ports. The switch supports multiple mirror instances, allowing simultaneous monitoring of different traffic flows to different destinations.
Port-based mirroring copies all traffic entering or leaving specified ports to the analyzer. This provides complete visibility into traffic patterns on individual ports but generates substantial mirror traffic when monitoring high-bandwidth links.
VLAN-based mirroring filters mirrored traffic to specific VLANs, useful when monitoring traffic belonging to particular network segments without capturing traffic from other VLANs that may be unrelated to the troubleshooting scenario.
MAC-based mirroring mirrors traffic associated with specific source or destination MAC addresses, enabling targeted monitoring of particular devices or servers without affecting other traffic on the monitored ports.
Link Aggregation
Static link aggregation groups multiple physical ports into a single logical link for increased bandwidth and redundancy. The CRS1xx/2xx series supports up to eight trunk groups with up to eight member ports each.
Traffic distribution across member ports uses a hash of source and destination MAC addresses, ensuring consistent traffic ordering within individual flows while providing load balancing across the aggregate. The hash calculation cannot be modified, so traffic patterns may not achieve perfect load balancing in all scenarios.
Failover between member ports occurs automatically when a link failure is detected, with traffic from the failed link redistributing across remaining members. The failover time is hardware-determined and typically occurs within milliseconds, minimizing service disruption.
Static aggregation differs from LACP-based bonding in that it does not exchange control messages with the peer device. This simplifies configuration but removes the ability to detect unidirectional link failures or receive indications of remote configuration changes. Static aggregation is suitable when connecting to equipment that does not support LACP or when deterministic behavior is required.
Configuration Reference
Port Switching
Port switching combines multiple physical ports into a single Layer 2 domain with hardware acceleration:
```
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether2 hw=yes
add bridge=bridge1 interface=ether3 hw=yes
add bridge=bridge1 interface=ether4 hw=yes
add bridge=bridge1 interface=ether5 hw=yes
```
The hw=yes parameter enables hardware offloading for the port, allowing the switch chip to perform forwarding without CPU involvement. Without hardware offloading, the bridge operates in software mode with significantly reduced performance for high-throughput scenarios.
Multiple bridges can be created to form isolated switch groups, each with its own set of ports and forwarding domain. This provides simple port isolation without requiring VLAN configuration, though VLAN-based isolation offers more flexibility for complex scenarios.
Global Switch Settings
Global switch settings apply to the entire switch chip and affect all ports:
```
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether2,ether3,ether4,ether5
set forward-unknown-vlan=no
```
The drop-if-invalid-or-src-port-not-member-of-vlan-on-ports parameter enables strict VLAN enforcement on specified ports, dropping traffic that does not match any VLAN table entry. The forward-unknown-vlan parameter controls forwarding of traffic using VLAN IDs not present in the VLAN table.
Port Settings
Per-port settings control individual port behavior for VLAN processing, QoS, and isolation:
```
/interface ethernet switch port
set ether1 isolation-leakage-profile-override=0
set ether2 priority=7
set ether3 allow-fdb-based-vlan-translate=yes
```
The isolation-leakage-profile-override parameter assigns a port to an isolation profile for Private VLAN functionality. The priority parameter sets the default priority for untagged traffic on the port, used for QoS classification when no other priority information is available. The allow-fdb-based-vlan-translate parameter enables MAC-based VLAN translation on the port.
VLAN Table Configuration
The VLAN table defines VLAN membership and attributes:
```
/interface ethernet switch vlan
add ports=ether2,ether3,ether4,ether5 vlan-id=100 learn=yes
add ports=ether2,ether6,ether7 vlan-id=200 learn=yes
add ports=ether2,ether8,ether9 vlan-id=300 learn=yes
```
Each entry specifies the VLAN ID, the ports that belong to that VLAN, and whether learning is enabled for that VLAN. The learn parameter controls whether the switch learns source MAC addresses from traffic in that VLAN context.
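Because strict VLAN enforcement is listed per port under Global Switch Settings while membership lives in the VLAN table, the two can drift apart. The following added example (not MikroTik code) audits an export for VLAN member ports that are missing from the strict-enforcement list and for a forward-unknown-vlan setting other than no. It assumes one command per line under a menu line, as in the snippets on this page; the sample text is constructed.

```python
import shlex

# Constructed sample in the style of this page's snippets (one command per line).
SAMPLE = """\
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether2,ether3,ether4,ether5
/interface ethernet switch vlan
add ports=ether2,ether3,ether4,ether5 vlan-id=100 learn=yes
add ports=ether2,ether6,ether7 vlan-id=200 learn=yes
"""
STRICT = "drop-if-invalid-or-src-port-not-member-of-vlan-on-ports"

def parse_export(text):
    """Yield (menu, verb, params) for each add/set line under a /menu line."""
    menu = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            menu = line
            continue
        verb, *rest = shlex.split(line)
        if verb in ("add", "set"):
            yield menu, verb, dict(t.split("=", 1) for t in rest if "=" in t)

def audit(text):
    """Return findings for ports and settings that lack strict VLAN handling."""
    strict, vlan_ports, fwd_unknown = set(), {}, None
    for menu, verb, p in parse_export(text):
        if menu == "/interface ethernet switch" and verb == "set":
            strict |= {x for x in p.get(STRICT, "").split(",") if x}
            fwd_unknown = p.get("forward-unknown-vlan", fwd_unknown)
        elif menu == "/interface ethernet switch vlan" and verb == "add":
            for port in filter(None, p.get("ports", "").split(",")):
                vlan_ports.setdefault(port, set()).add(int(p["vlan-id"]))
    findings = []
    if fwd_unknown != "no":  # assumption: the audit requires an explicit "no"
        findings.append("forward-unknown-vlan is not explicitly set to no")
    for port in sorted(set(vlan_ports) - strict):
        vids = ",".join(str(v) for v in sorted(vlan_ports[port]))
        findings.append(f"{port} (VLAN {vids}) is not under strict VLAN enforcement")
    return findings
```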
Ingress VLAN Translation
Ingress VLAN translation modifies VLAN tags as packets enter the switch:
```
/interface ethernet switch ingress-vlan-translation
add ports=ether6 customer-vid=0 new-customer-vid=200
add ports=ether7 customer-vid=0 new-customer-vid=300
add ports=ether8 customer-vid=0 new-customer-vid=400
```
Translation entries match on the customer VLAN ID in the packet and replace it with a new value. This enables VLAN mapping scenarios such as connecting different VLAN numbering schemes or implementing QinQ tunneling.
Egress VLAN Tagging
Egress VLAN tag configuration controls how VLAN tags appear on outgoing traffic:
```
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether2 vlan-id=200
add tagged-ports=ether2 vlan-id=300
add tagged-ports=ether2 vlan-id=400
```
The tagged-ports parameter specifies which ports should include the VLAN tag in outgoing traffic. The switch CPU port (switch1-cpu) is typically included when the device needs to send or receive tagged traffic for routing or management purposes.
ACL Rule Configuration
ACL rules provide wire-speed packet filtering:
```
/interface ethernet switch acl
add action=drop src-mac-addr-state=sa-not-found src-ports=ether6,ether7 table=egress
add action=drop src-mac-addr-state=static-station-move src-ports=ether6,ether7 table=egress
```
The example rules drop packets with source MAC addresses not found in the forwarding database and packets that would cause a static MAC address move, useful for security enforcement scenarios.
Trunk Configuration
Static link aggregation configuration:
```
/interface ethernet switch trunk
add name=trunk1 member-ports=ether6,ether7,ether8
```
The trunk group name is used when assigning the aggregate to a bridge interface. Member ports must be added to a bridge to participate in switching, and traffic will be distributed across all healthy members according to the hardware hash algorithm.
Abbreviations
- ACL: Access Control List
- FDB: Forwarding Database
- MFDB: Multicast Forwarding Database
- UFDB: Unicast Forwarding Database
- PCP: Priority Code Point
- DSCP: Differentiated Services Code Point
- QoS: Quality of Service
- CVID: Customer VLAN ID
- SVID: Service VLAN ID
- IGMP: Internet Group Management Protocol