CRS3xx, CRS5xx, CCR2116, CCR2216 Switch Chip Features

The CRS3xx, CRS5xx series switches and CCR2116, CCR2216 routers feature highly integrated switches with high-performance CPUs and feature-rich packet processors. These devices support versatile Ethernet applications including unmanaged switches, Layer 2 managed switches, carrier switches, inter-VLAN routing, and unified packet processing.

This documentation applies to CRS3xx, CRS5xx series switches and CCR2116, CCR2216 routers. For CRS1xx/CRS2xx series switches, refer to CRS1xx/2xx Series Switches Examples.

  • Configurable Ports: Ports can be configured for switching or routing operations
  • Wire-Speed Switching: Full non-blocking forwarding at maximum port speeds
  • Large Unicast FDB: Forwarding Database supports extensive Layer 2 unicast entries
  • IVL-Based Learning: Forwarding Databases operate using Independent VLAN Learning
  • Jumbo Frame Support: Handles frames up to 10218 bytes on most models
  • IGMP Snooping: Hardware-accelerated multicast group management
  • DHCP Snooping: Security feature with Option 82 support

Layer 3 Hardware Offloading enables wire-speed routing by offloading packet processing to the switch chip:

  • IPv4/IPv6 Unicast Routing: Full routing protocol support in hardware
  • Interface Support: Ethernet, Bridge, Bonding, and VLAN interfaces
  • ECMP: Equal-Cost Multi-Path routing for load balancing
  • Blackholes: Route filtering and null routing capabilities
  • Fasttrack Offloading: Accelerated connections for performance-critical traffic
  • NAT for Fasttrack: Hardware-accelerated NAT for offloaded connections
  • Multiple MTU Profiles: Flexible MTU configuration per interface

Full STP family support with hardware acceleration:

  • STP: Classical Spanning Tree Protocol (802.1D)
  • RSTP: Rapid Spanning Tree Protocol (802.1w)
  • MSTP: Multiple Spanning Tree Protocol (802.1s)
  • Port Features: Edge port, BPDU Guard, Root Guard support

Multiple mirroring types for network analysis and troubleshooting:

  • Port-Based Mirroring: Mirror traffic by source port
  • VLAN-Based Mirroring: Mirror traffic based on VLAN membership
  • MAC-Based Mirroring: Mirror traffic from specific MAC addresses
  • RSPAN: Remote Switch Port Analyzer for distributed monitoring

Comprehensive VLAN functionality:

  • Standards Compliance: IEEE 802.1Q and IEEE 802.1ad compatible
  • Active VLANs: Support for up to 4096 VLANs
  • VLAN Assignment Methods:
    • Port-based VLAN assignment
    • Protocol-based VLAN assignment
    • MAC-based VLAN assignment
  • VLAN Filtering: Hardware-accelerated packet filtering
  • Ingress VLAN Translation: Modify VLAN IDs on ingress
  • MVRP: Multiple VLAN Registration Protocol support

Link aggregation with hardware acceleration:

  • Modes: 802.3ad (LACP), balance-xor, active-backup
  • Member Ports: Up to 8 ports per bonding interface
  • Hardware Offload: Automatic failover and load balancing
  • MLAG: Multi-Chassis Link Aggregation support

Advanced traffic management:

  • Output Queues: 8 queues per port
  • DSCP/PCP Mapping: Layer 3 and Layer 2 QoS marking support
  • Trust Settings: Port-based Layer 2 and Layer 3 trust configuration
  • Rate Limiting: Port and queue-based egress shaping
  • Policy-Based QoS: ACL-based traffic classification
  • Scheduling: Strict Priority and SDWRR queuing
  • ETS: Enhanced Transmission Selection
  • WRED: Weighted Random Early Detection (select models)
  • ECN: Explicit Congestion Notification (select models)
  • PFC: Priority-based Flow Control (select models)
  • Traffic Storm Control: Prevent broadcast/multicast storms
  • RoCE Compatible: Ready for RDMA over Converged Ethernet

Private VLAN implementation support for network segmentation.

Hardware-accelerated packet filtering:

  • Ingress ACL: Packet filtering on ingress ports
  • Classification: Layer 2, 3, and 4 header field matching
  • Actions: Filter, forward, or modify packet headers

Hardware timestamping for nanosecond-level synchronization:

  • Clock Types: Two-step Ordinary Clock and Boundary Clock
  • Transport Modes: IPv4 and Layer 2 multicast
  • Delay Mechanisms: E2E and P2P support
  • Standards: IEEE 1588-2008 (PTPv2)
  • Profiles: 802.1AS, AES67, G.8275.1, SMPTE support

For L3 hardware offloading details and limits, consult the L3 Hardware Offloading documentation. For QoS hardware offloading information, refer to the Quality of Service guide.

| Model | Switch Chip | CPU | RAM | Ethernet Ports | PoE | ACL Rules | FDB Entries | Jumbo Frame (bytes) |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CRS305-1G-4S+IN | 98DX3236 | ARM 2-core 800MHz | 512 MB | 1x GE + 4x 10G SFP+ | - | 128 | 16K | 10218 |
| CRS305-1G-4S+OUT | 98DX226S | ARM 2-core 800MHz | 256 MB | 1x GE + 4x 10G SFP+ | - | 128 | 16K | 10218 |
| CRS304-4XG-IN | 98DX2528 | ARM64 2-core 1200MHz | 512 MB | 4x 1/2.5/5/10G | - | 128 | 16K | 10218 |
| CRS326-24G-2S+ | 98DX3236 | ARM 2-core 800MHz | 512 MB | 24x GE + 2x 10G SFP+ | - | 128 | 16K | 10218 |
| CRS326-24S+2Q+RM | 98DX8332 | MIPSBE 1-core 650MHz | 128 MB | 24x 10G SFP+ | - | 256 | 32K | 10218 |
| CRS328-24P-4S+RM | 98DX3236 | ARM 1-core 800MHz | 512 MB | 24x GE + 4x 10G SFP+ | 24x af/at | 128 | 16K | 10218 |
| CRS354-48G-4S+2Q+RM | 98DX3257 | MIPSBE 1-core 650MHz | 128 MB | 48x GE + 4x 10G SFP+ | - | 170 | 32K | 10218 |
| CRS354-48P-4S+2Q+RM | 98DX3257 | MIPSBE 1-core 650MHz | 128 MB | 48x GE + 4x 10G SFP+ | 48x af/at | 170 | 32K | 10218 |
| CRS312-4C+8XG-RM | 98DX8212 | MIPSBE 1-core 650MHz | 64 MB | 4x 10G combo + 8x 10G | - | 512 | 32K | 10218 |
| CRS328-4C-20S-4S+RM | 98DX3236 | ARM 2-core 800MHz | 512 MB | 20x 1G SFP + 4x combo + 4x 10G | - | 128 | 16K | 10218 |
| CRS326-4C+20G+2Q+RM | 98DX8332 | MIPSBE 1-core 650MHz | 128 MB | 4x 2.5G combo + 20x 2.5G | - | 256 | 32K | 10218 |
| CRS309-1G-8S+IN | 98DX8208 | ARM 2-core 800MHz | 512 MB | 1x GE + 8x 10G SFP+ | - | 1024 | 32K | 10218 |
| CRS317-1G-16S+RM | 98DX8216 | ARM 2-core 800MHz | 1 GB | 1x GE + 16x 10G SFP+ | - | 1024 | 128K | 10218 |
| CRS504-4XQ | 98DX4310 | MIPSBE 1-core 650MHz | 64 MB | 4x 100G QSFP28 | - | 1024 | 128K | 10218 |
| CRS510-8XS-2XQ-IN | 98DX4310 | MIPSBE 1-core 650MHz | 128 MB | 8x 25G SFP28 + 2x 100G | - | 1024 | 128K | 10218 |
| CRS518-16XS-2XQ-RM | 98DX8525 | MIPSBE 1-core 650MHz | 64 MB | 16x 25G SFP28 + 2x 100G | - | 1024 | 128K | 10218 |
| CCR2116-12G-4S+ | 98DX3255 | ARM64 16-core 2000MHz | 16 GB | 12x GE + 4x 10G SFP+ | - | 512 | 32K | 9570 |
| CCR2216-1G-12XS-2XQ | 98DX8525 | ARM64 16-core 2000MHz | 16 GB | 12x 25G SFP28 + 2x 100G | - | 1024 | 128K | 9570 |
| CRS318-1Fi-15Fr-2S-OUT | 98DX224S | ARM 2-core 800MHz | 256 MB | 16x 100M + 2x 1G SFP | 1x passive | 128 | 16K | 10218 |
| CRS318-16P-2S+OUT | 98DX226S | ARM 2-core 800MHz | 256 MB | 16x GE + 2x 10G SFP+ | 16x af/at | 128 | 16K | 10218 |
| CRS310-1G-5S-4S+ | 98DX226S | ARM 2-core 800MHz | 256 MB | 1x GE + 5x 1G SFP + 4x 10G | - | 128 | 16K | 10218 |
| CRS310-8G+2S+IN | 98DX226S | ARM 2-core 800MHz | 256 MB | 8x 2.5G + 2x 10G SFP+ | - | 128 | 16K | 10218 |
| CRS320-8P-8B-4S+RM | 98DX226S | ARM 2-core 800MHz | 256 MB | 16x GE + 4x 10G SFP+ | 8x af/at + 8x bt | 128 | 16K | 10218 |
| CRS418-8P-8G-2S+RM | 98DX226S | ARM64 4-core 2208MHz | 1 GB | 16x GE + 2x 10G SFP+ | 8x af/at | 128 | 16K | 10218 |
| CRS520-4XS-16XQ-RM | 98CX8410 | ARM64 4-core 2000MHz | 4 GB | 4x 25G SFP28 + 16x 100G | - | 682 | 256K | 9570 |
| CRS812-8DS-2DQ-2DDQ-RM | 98DX7335 | ARM64 4-core 2000MHz | 4 GB | 8x 50G + 2x 200G + 2x 400G | - | 1365 | 128K | 9570 |
| RDS2216-2XG-4S+4XS-2XQ | 98DX4310 | ARM64 16-core 2000MHz | 32 GB | 2x 10G + 4x 10G + 4x 25G + 2x 100G | - | 1024 | 128K | 9570 |

  • ACL: Access Control List
  • CVID: Customer VLAN ID
  • FDB: Forwarding Database
  • IVL: Independent VLAN Learning
  • MDB: Multicast Database
  • PVID: Port VLAN ID - the default VLAN assigned to untagged traffic entering a port. When an untagged frame arrives, the switch assigns it to the PVID and processes it accordingly. When frames leave through an untagged port, they are sent without a VLAN tag.
  • SVID: Service VLAN ID
  • SVL: Shared VLAN Learning

Port switching combines multiple physical ports into a single switching domain. To enable hardware-accelerated port switching:

/interface bridge
add name=bridge1 vlan-filtering=yes
/interface bridge port
add bridge=bridge1 interface=ether2 hw=yes
add bridge=bridge1 interface=ether7 hw=yes

Only one bridge can use hardware offloading at a time. Use the hw parameter to select which bridge receives hardware acceleration.

Bridge VLAN filtering provides standards-compliant Layer 2 forwarding with VLAN tag manipulation. This approach ensures compatibility with STP standards and enables MSTP support.

For users new to 802.1Q VLANs, PVID (Port VLAN ID) is a fundamental concept that defines how untagged traffic is handled on a switch port.

What is PVID?

  • PVID assigns a default VLAN ID to any untagged Ethernet frame entering a port
  • When a device sends traffic without a VLAN tag (untagged), the switch assigns it to the PVID
  • This allows devices that don’t support VLAN tagging to participate in VLAN networks

How PVID works:

  1. Untagged traffic arrives at the switch port
  2. The switch examines the port’s PVID setting
  3. The frame is assigned to that VLAN internally
  4. When the frame exits through a port configured as untagged for that VLAN, the tag is removed

Example: Setting PVID on access ports

/interface bridge port
add bridge=bridge1 interface=ether2 pvid=10
add bridge=bridge1 interface=ether3 pvid=10

In this example, any untagged traffic entering ether2 or ether3 is assigned to VLAN 10. When this traffic leaves through another port configured as untagged for VLAN 10, it leaves without a VLAN tag.

PVID and Bridge VLAN Table

In RouterOS with VLAN filtering enabled, the PVID setting on bridge ports works together with the bridge VLAN table:

  • The pvid property on a bridge port defines the VLAN for untagged ingress traffic
  • The bridge VLAN table defines which ports carry each VLAN as tagged or untagged

Configure VLANs based on switch port membership:

/interface bridge vlan
add bridge=bridge1 tagged=ether2 untagged=ether7 vlan-ids=200,300,400

Assign VLANs based on source MAC address using ACL rules:

/interface ethernet switch rule
add switch=switch1 ports=ether7 src-mac-address=A4:12:6D:77:94:43/FF:FF:FF:FF:FF:FF new-vlan-id=200
add switch=switch1 ports=ether7 src-mac-address=84:37:62:DF:04:20/FF:FF:FF:FF:FF:FF new-vlan-id=300
add switch=switch1 ports=ether7 src-mac-address=E7:16:34:A1:CD:18/FF:FF:FF:FF:FF:FF new-vlan-id=400

MAC-based VLANs only work between switch ports, not between switch ports and CPU. DHCP packets with DHCP snooping enabled are not affected by MAC-based VLAN rules.

Assign VLANs based on EtherType protocol:

/interface ethernet switch rule
add mac-protocol=ip new-vlan-id=200 ports=ether6 switch=switch1
add mac-protocol=ipx new-vlan-id=300 ports=ether7 switch=switch1
add mac-protocol=0x80F3 new-vlan-id=400 ports=ether8 switch=switch1

Protocol-based VLANs only work between switch ports. DHCP packets with DHCP snooping enabled are not affected.

Provider bridge (IEEE 802.1ad) with tag stacking enables service provider VLAN deployments:

/interface bridge
set bridge1 ether-type=0x88a8

CRS354 series devices with Marvell-98DX3255 chip do not support VLAN filtering on 1Gbps interfaces for 0x88a8 and 0x9100 VLAN types.

Translate VLAN IDs on ingress using ACL rules:

/interface bridge
add name=bridge1 vlan-filtering=no
/interface bridge port
add interface=ether1 bridge=bridge1 hw=yes
add interface=ether2 bridge=bridge1 hw=yes
/interface ethernet switch rule
add new-dst-ports=ether2 new-vlan-id=20 ports=ether1 switch=switch1 vlan-id=10
add new-dst-ports=ether1 new-vlan-id=10 ports=ether2 switch=switch1 vlan-id=20
/interface bridge vlan
add bridge=bridge1 tagged=ether1 vlan-ids=10
add bridge=bridge1 tagged=ether2 vlan-ids=20
/interface bridge set bridge1 vlan-filtering=yes

Bidirectional VLAN translation is limited to two switch ports. Translation between multiple ports may cause traffic flooding.

These devices support STP, RSTP, and MSTP at the hardware level. Configure spanning tree:

/interface bridge
add name=bridge1 protocol-mode=rstp
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3

Create hardware-offloaded bonding interfaces:

/interface bonding
add mode=802.3ad name=bond1 slaves=ether1,ether2
/interface bridge
add name=bridge
/interface bridge port
add bridge=bridge interface=bond1 hw=yes
add bridge=bridge interface=ether3 hw=yes
add bridge=bridge interface=ether4 hw=yes

Only 802.3ad (LACP), balance-xor, and active-backup modes support hardware offloading. Do not add interfaces that are already slaves in a bonding configuration to a bridge.

Verify hardware offloading with:

/interface bridge port print

Look for the H flag indicating hardware offload.

L3 hardware offloading enables wire-speed routing by processing packets in the switch chip. This significantly improves routing performance for IPv4 and IPv6 traffic.

Offloaded routing supports:

  • Ethernet, Bridge, Bonding, and VLAN interfaces
  • ECMP for load balancing
  • Blackhole routes
  • Fasttrack connections
  • NAT for Fasttrack traffic

Private VLAN implementation restricts communication between ports:

/interface ethernet switch port-isolation
set ether1 isolation-profile=isolated
set ether2 isolation-profile=isolated

Port isolation works with VLAN filtering and can isolate ports within the same VLAN. Hardware-offloaded bonding interfaces require individual port configuration.

Hardware-accelerated multicast snooping reduces unnecessary multicast traffic:

/interface bridge
add name=bridge1 igmp-snooping=yes
/interface bridge mdb
add bridge=bridge1 interface=ether2 group=224.1.1.1

DHCP snooping with Option 82 provides security for DHCP deployments:

/interface bridge
add name=bridge1 dhcp-snooping=yes add-dhcp-option82=yes
/interface bridge port
# ether2 is assumed to face the DHCP server, so it is the trusted port
add bridge=bridge1 interface=ether2 hw=yes trusted=yes
add bridge=bridge1 interface=ether3 hw=yes

DHCP snooping creates dynamic ACL rules to redirect DHCP packets to the CPU. Starting from RouterOS v7.17, DHCP snooping supports hardware-offloaded bonding interfaces.

Mirror traffic for analysis and monitoring.

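# Port-based mirroring: copy ether2 ingress and egress traffic to ether3
/interface ethernet switch port
set ether2 mirror-egress=yes mirror-ingress=yes
set ether3 mirror-target=yes
# VLAN-based mirroring: frames in VLAN 100 received on ether1
/interface ethernet switch rule
add mirror=yes ports=ether1 switch=switch1 vlan-id=100
# MAC-based mirroring: frames from one source MAC received on ether1
/interface ethernet switch rule
add mirror=yes ports=ether1 switch=switch1 src-mac-address=64:D1:54:D9:27:E6/FF:FF:FF:FF:FF:FF
# IP-based mirroring: frames from 192.168.88.0/24 received on ether1
/interface ethernet switch rule
add mirror=yes ports=ether1 switch=switch1 src-address=192.168.88.0/24
# Bridge VLAN entry carrying VLAN 999 tagged on ether3
/interface bridge
add name=bridge1
/interface bridge vlan
add bridge=bridge1 tagged=ether3 vlan-ids=999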

The mirror-target port must be on the same switch. The mirror-target can be a standalone interface or part of a bridge.

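# Port-based rate limit on ether1
/interface ethernet switch port
set ether1 ingress-rate=10M egress-rate=5M
# MAC-based rate limit: frames from one source MAC received on ether1
/interface ethernet switch rule
add ports=ether1 switch=switch1 src-mac-address=64:D1:54:D9:27:E6/FF:FF:FF:FF:FF:FF rate=10M
# VLAN-based rate limit for VLAN 11 on ether1, with bridge VLAN filtering enabled
/interface bridge
set bridge1 vlan-filtering=yes
/interface ethernet switch rule
add ports=ether1 switch=switch1 vlan-id=11 rate=10M
# Protocol-based rate limit: IPX frames received on ether1
/interface ethernet switch rule
add ports=ether1 switch=switch1 mac-protocol=ipx rate=10M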

The ingress policer drops excess traffic. The egress shaper queues packets and drops when queues are full. Traffic shaping affects TCP congestion control on end hosts.

The egress-rate and storm-rate settings do not work correctly on 10Gbps ports when linked at lower speeds for 98DX224S, 98DX226S, 98DX2528, and 98DX3236 switch chips.

Prevent network overload from broadcast storms:

/interface ethernet switch port
set ether1 storm-rate=10 limit-broadcasts=yes limit-unknown-unicasts=yes

Parameters:

  • storm-rate: Percentage of link speed (0-100)
  • limit-broadcasts: Limit broadcast traffic (default: yes)
  • limit-unknown-multicasts: Limit unknown multicast traffic
  • limit-unknown-unicasts: Limit unknown unicast traffic

For a 1Gbps link, storm-rate=10 allows 100Mbps of storm traffic.

Devices with 98DX224S, 98DX226S, 98DX2528, 98DX3236 chips cannot distinguish unknown multicast from all multicast traffic.

Access Control Lists provide wire-speed packet filtering and modification.

Matching Conditions:

| Property | Description |
| --- | --- |
| copy-to-cpu | Clone matching packet to CPU |
| redirect-to-cpu | Redirect packet to CPU |
| mirror | Clone packet to mirror target |
| new-dst-ports | Change destination port |
| new-vlan-id | Modify VLAN ID |
| new-vlan-priority | Modify VLAN priority |
| rate | Limit ingress traffic rate |

Layer 2 Matchers:

| Property | Description |
| --- | --- |
| dst-mac-address | Destination MAC address |
| mac-protocol | Ethernet protocol type. In RouterOS 7.17 and later, this property matches against the inner protocol for double-tagged frames (Q-in-Q), matching the actual payload protocol rather than the outer VLAN tag EtherType. |
| src-mac-address | Source MAC address |
| vlan-id | VLAN ID |
| vlan-header | VLAN header presence |
| vlan-priority | VLAN priority (PCP) |

Layer 3 Matchers:

| Property | Description |
| --- | --- |
| dscp | DSCP value |
| protocol | IP protocol number |
| dst-address | Destination IPv4 address |
| src-address | Source IPv4 address |
| dst-address6 | Destination IPv6 address |
| src-address6 | Source IPv6 address |
| flow-label | IPv6 flow label |
| traffic-class | IPv6 traffic class |

Layer 4 Matchers:

| Property | Description |
| --- | --- |
| dst-port | Destination port number |
| src-port | Source port number |

/interface ethernet switch rule
add disabled=no mirror=no new-dst-ports="" ports=ether1 switch=switch1 \
    src-mac-address=64:D1:54:81:EF:8E/FF:FF:FF:FF:FF:FF
add disabled=no new-dst-ports="" ports=ether1 switch=switch1

ACL rules are checked sequentially. The first matching rule determines the action. Use the place-before property or move command to adjust rule order.

:::caution RouterOS 7.17 mac-protocol Behavior Change

Starting from RouterOS 7.17, the mac-protocol matcher in switch rules behaves differently for double-tagged (Q-in-Q) frames:

  • Before 7.17: mac-protocol matched against the outer VLAN tag EtherType (0x8100 for C-TAG or 0x88a8 for S-TAG)
  • 7.17 and later: mac-protocol matches against the inner protocol (the actual payload protocol, such as 0x0800 for IPv4, 0x0806 for ARP, etc.)

This change affects configurations that rely on mac-protocol matching for VLAN-tagged traffic. If you have switch rules that use mac-protocol filtering and upgraded to 7.17, you may need to adjust your rules.

Example adjustment for matching IPv4 traffic in a Q-in-Q scenario:

# Before 7.17 - matching outer tag
/interface ethernet switch rule
add mac-protocol=0x8100 new-vlan-id=200 ports=ether1 switch=switch1
# 7.17 and later - matching inner payload
/interface ethernet switch rule
add mac-protocol=ip new-vlan-id=200 ports=ether1 switch=switch1

:::
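
An added Python sketch (not MikroTik code) of the behaviour change in the caution above: it walks the VLAN tag stack of a constructed Q-in-Q frame to show which value mac-protocol is compared with before and from 7.17, and lists exported switch rules that still match on a VLAN TPID. Treating single-tagged frames the same way and the `arp`, `vlan` and `service-vlan` names are assumptions that do not come from this page.

```python
import re
import struct

VLAN_TPIDS = {0x8100, 0x88A8, 0x9100}
# Named mac-protocol values: ip and ipx are on the page, the rest are assumed.
NAMES = {"ip": 0x0800, "ipx": 0x8137, "arp": 0x0806,
         "vlan": 0x8100, "service-vlan": 0x88A8}

def build_frame(tags, ethertype):
    """Constructed test frame: zeroed MACs, (tpid, vid) tags, EtherType, padding."""
    tag_bytes = b"".join(struct.pack("!HH", tpid, vid) for tpid, vid in tags)
    return bytes(12) + tag_bytes + struct.pack("!H", ethertype) + bytes(46)

def ethertypes(frame):
    """Return (EtherType right after the MACs, payload EtherType, tag count)."""
    offset, depth = 12, 0
    outer = etype = struct.unpack_from("!H", frame, offset)[0]
    while etype in VLAN_TPIDS:
        offset += 4                      # skip the TPID and TCI of this tag
        if offset + 2 > len(frame):
            raise ValueError("frame truncated inside the VLAN tag stack")
        etype = struct.unpack_from("!H", frame, offset)[0]
        depth += 1
    return outer, etype, depth

def matcher_input(frame, routeros_version):
    """Value mac-protocol is compared with, following the page's description."""
    m = re.match(r"(\d+)\.(\d+)", routeros_version)
    outer, inner, _ = ethertypes(frame)
    return inner if (int(m[1]), int(m[2])) >= (7, 17) else outer

def protocol_value(text):
    try:
        return NAMES[text] if text in NAMES else int(text, 0)
    except ValueError:
        return None                      # a name this sketch does not know

def rules_to_review(export_text):
    """Switch rules whose mac-protocol is a VLAN TPID (outer-tag style match)."""
    flagged, in_rules = [], False
    for line in (raw.strip() for raw in export_text.splitlines()):
        if line.startswith("/"):
            in_rules = line == "/interface ethernet switch rule"
        elif in_rules and "mac-protocol=" in line:
            value = line.split("mac-protocol=", 1)[1].split()[0]
            if protocol_value(value) in VLAN_TPIDS:
                flagged.append(line)
    return flagged

# The two rules from the caution block, as a constructed export fragment.
EXPORT = """/interface ethernet switch rule
add mac-protocol=0x8100 new-vlan-id=200 ports=ether1 switch=switch1
add mac-protocol=ip new-vlan-id=200 ports=ether1 switch=switch1
"""
QINQ = build_frame([(0x88A8, 100), (0x8100, 10)], 0x0800)  # S-TAG, C-TAG, IPv4

if __name__ == "__main__":
    print(hex(matcher_input(QINQ, "7.16.2")), hex(matcher_input(QINQ, "7.17")))
    print(rules_to_review(EXPORT))
```

Running `rules_to_review` over an export taken before an upgrade to 7.17 gives the list of rules whose match criteria need to be rewritten against the payload protocol.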

Modifying ACL rules may cause temporary packet leakage during the update process.

Limit allowed MAC addresses on individual ports:

/interface ethernet switch rule
add ports=ether1 src-mac-address=64:D1:54:81:EF:8E/FF:FF:FF:FF:FF:FF switch=switch1
add new-dst-ports="" ports=ether1 switch=switch1
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1 hw=yes learn=no unknown-unicast-flood=no
add bridge=bridge1 interface=ether2 hw=yes
/interface bridge host
add bridge=bridge1 interface=ether1 mac-address=64:D1:54:81:EF:8E

Disable flooding parameters to prevent broadcast/multicast leakage. Some protocols like DHCP and streaming media may require flooding.
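
The first-match evaluation described in the ACL section, applied to the two port-security switch rules above, as an added Python model (not MikroTik code). It assumes that a matching rule without an action leaves forwarding unchanged and that an empty new-dst-ports list drops the frame; SWAPPED is a constructed misordering used to show what the ordering check catches.

```python
from dataclasses import dataclass


def mac_int(text):
    return int(text.replace(":", ""), 16)


@dataclass(frozen=True)
class Rule:
    ports: frozenset
    src_mac: int = 0
    src_mask: int = 0             # mask 0 matches any source MAC
    new_dst_ports: tuple = None   # None = no override, () = empty list (drop)

    def matches(self, port, src):
        return port in self.ports and ((src ^ self.src_mac) & self.src_mask) == 0

    def covers(self, later):
        """True when every frame matching `later` already matches this rule."""
        return (later.ports <= self.ports
                and (self.src_mask & ~later.src_mask) == 0
                and ((later.src_mac ^ self.src_mac) & self.src_mask) == 0)


def parse_rule(line):
    """Parse one `add ...` line from /interface ethernet switch rule."""
    kv = dict(token.split("=", 1) for token in line.split()[1:])
    mac, _, mask = kv.get("src-mac-address", "0/0").partition("/")
    dst = kv.get("new-dst-ports")
    return Rule(
        ports=frozenset(kv["ports"].split(",")),
        src_mac=mac_int(mac),
        src_mask=mac_int(mask or "FF:FF:FF:FF:FF:FF"),
        new_dst_ports=None if dst is None
        else tuple(p for p in dst.strip('"').split(",") if p),
    )


def verdict(rules, port, src_mac):
    """First matching rule decides; returns (action, index of that rule)."""
    src = mac_int(src_mac)
    for index, rule in enumerate(rules):
        if rule.matches(port, src):
            if rule.new_dst_ports is None:
                return "forward", index
            return ("redirect" if rule.new_dst_ports else "drop"), index
    return "forward", None            # no rule matched: normal forwarding


def shadowed(rules):
    """(later index, earlier index) pairs where the later rule can never match."""
    return [(j, i) for j, later in enumerate(rules)
            for i in range(j) if rules[i].covers(later)]


PAGE_ORDER = [parse_rule(line) for line in (
    "add ports=ether1 src-mac-address=64:D1:54:81:EF:8E/FF:FF:FF:FF:FF:FF switch=switch1",
    'add new-dst-ports="" ports=ether1 switch=switch1',
)]
SWAPPED = PAGE_ORDER[::-1]   # constructed mistake: catch-all drop placed first

if __name__ == "__main__":
    print(verdict(PAGE_ORDER, "ether1", "64:D1:54:81:EF:8E"), shadowed(PAGE_ORDER))
    print(verdict(SWAPPED, "ether1", "64:D1:54:81:EF:8E"), shadowed(SWAPPED))
```

A non-empty result from `shadowed` after using place-before or move means an earlier rule has made a later one unreachable, which in the swapped case locks out the one permitted MAC address.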

CRS3xx/CRS5xx switches support dual boot with SwOS. Configure SwOS from RouterOS:

/system routerboard settings
set boot-os=swos

After reboot, the device runs SwOS. To return to RouterOS:

/system routerboard settings
set boot-os=routeros