Switch Chip Features
Switch Chip Features
Section titled “Switch Chip Features”Summary
Section titled “Summary”MikroTik RouterBOARD devices contain various built-in switch chips that provide hardware-accelerated Layer 2 forwarding. These switch chips enable efficient packet switching without CPU intervention, significantly improving network performance for VLANs, QoS, and access control lists.
This documentation covers switch chip features available on non-CRS series RouterBOARD devices. For CRS series switches, refer to the dedicated CRS3xx/CRS5xx and CCR2116/CCR2216 switch chip documentation.
Switch Chip Overview
Section titled “Switch Chip Overview”RouterBOARD devices feature different switch chip models with varying capabilities. Understanding your device’s switch chip is essential for proper configuration and feature utilization.
Supported Switch Chips
Section titled “Supported Switch Chips”| Feature | QCA8337 | Atheros8327 | Atheros8316 | Atheros8227 | Atheros7240 | MT7621 | MT7531 | 88E6393X | 88E6191X |
|---|---|---|---|---|---|---|---|---|---|
| Port Switching | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Port Mirroring | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| TX Rate Limit | Yes | Yes | Yes | Yes | No | No | Yes | Yes | Yes |
| RX Rate Limit | Yes | Yes | No | No | No | No | Yes | Yes | Yes |
| Host Table | 2048 | 2048 | 2048 | 1024 | 2048 | 2048 | 2048 | 16K | 16K |
| VLAN Table | 4096 | 4096 | 4096 | 4096 | 16 | 4096 | 4096 | 4096 | 4096 |
| Rule Table | 92 | 92 | 32 | No | No | No | No | 256 | No |
Device-to-Switch Chip Mapping
Section titled “Device-to-Switch Chip Mapping”| Device Series | Switch Chip | Ports |
|---|---|---|
| RB3011 series | QCA8337 | ether1-ether5, ether6-ether10 |
| RB750Gr3 (hEX) | MT7621 | ether1-ether5 |
| RB4011iGS+ | RTL8367 | ether1-ether5, ether6-ether10 |
| RB5009 series | 88E6393X | ether1-ether8, sfp-sfpplus1 |
| L009 series | 88E6190 | ether2-ether8, sfp1 |
| CCR2004-16G-2S+ | 88E6191X | ether1-ether8, ether9-ether16 |
| RB1100AHx4 | RTL8367 | ether1-ether5, ether6-ether10, ether11-ether13 |
| RB2011 series | Atheros8327 | ether1-ether5+sfp1, ether6-ether10 |
Feature Comparison Notes
Section titled “Feature Comparison Notes”For QCA8337 and Atheros8327 switch chips, TX/RX rate limits are configured using the bandwidth property under /interface ethernet. For RTL8367, 88E6393X, 88E6191X, MT7621, MT7531, and EN7523 chips, rate limits use egress-rate and ingress-rate properties under /interface ethernet switch port.
Devices with MT7621, MT7531, EN7523, and RTL8367 switch chips support hardware-offloaded VLAN filtering starting from RouterOS v7. These chips only support EtherType 0x8100 and do not support 0x88a8 or 0x9100, nor tag-stacking features. Enabling these features will disable hardware offload.
Multi-Switch-Chip VLAN Forwarding
Section titled “Multi-Switch-Chip VLAN Forwarding”Some MikroTik devices have multiple independent switch chips, each managing a different group of ports. For example, the RB3011 has two QCA8337 chips:
- Switch 1: ether1 through ether5
- Switch 2: ether6 through ether10
By default, traffic between ports on different switch chips must go through the CPU. However, with proper configuration, VLAN traffic can be forwarded between switch chips using hardware offloading.
Configuration for VLAN forwarding across switch chips:
# Create a single bridge spanning all ports/interface bridgeadd name=bridge1 vlan-filtering=yes
# Add ports from both switch chips to the bridge/interface bridge portadd bridge=bridge1 interface=ether2 hw=yesadd bridge=bridge1 interface=ether3 hw=yesadd bridge=bridge1 interface=ether6 hw=yesadd bridge=bridge1 interface=ether7 hw=yesImportant considerations:
- Both switch chips must be connected through the bridge
- VLAN filtering must be enabled on the bridge
- The bridge VLAN table must include ports from both switch chips for each VLAN
/interface bridge vlanadd bridge=bridge1 tagged=ether2,ether3,ether6,ether7 vlan-ids=10Without proper bridge VLAN configuration, traffic between ports on different switch chips will be forwarded by the CPU rather than hardware-accelerated.
Devices with multiple switch chips:
- RB3011 series: ether1-5 (switch1), ether6-10 (switch2)
- RB4011iGS+: ether1-5 (switch1), ether6-10 (switch2)
- RB1100AHx4: ether1-5 (switch1), ether6-10 (switch2), ether11-13 (switch3)
Port Switching
Section titled “Port Switching”Port switching combines multiple physical ports into a single switching domain, enabling hardware-accelerated Layer 2 forwarding between ports. This feature is fundamental to all switch chip operations.
Configuration
Section titled “Configuration”Port switching in RouterOS v6.41 and later is configured using bridge interfaces with hardware offloading enabled:
/interface bridgeadd name=bridge1 vlan-filtering=yes/interface bridge portadd bridge=bridge1 interface=ether2 hw=yesadd bridge=bridge1 interface=ether3 hw=yesadd bridge=bridge1 interface=ether4 hw=yesThe hw=yes parameter enables hardware offloading for the specified bridge port. Before RouterOS v6.41, port switching used the deprecated master-port property.
Switch All Ports Feature
Section titled “Switch All Ports Feature”On RB450G, RB435G, and RB850Gx2 devices, ether1 has a special feature allowing it to be optionally included or excluded from the default switch group:
/interface ethernet switchset switch1 switch-all-ports=yes| Property | Value | Description |
|---|---|---|
| switch-all-ports | yes (default) | Ether1 is part of the switch and supports all advanced features including extended statistics |
| switch-all-ports | no | Ether1 operates as a standalone port, increasing throughput to other ports but removing switching capability |
Setting switch-all-ports=no removes ether1 from the switching domain, allowing it to function as an independent port with full bandwidth for routing and bridging operations.
Port Mirroring
Section titled “Port Mirroring”Port mirroring copies traffic from a source port to a target port for monitoring and analysis purposes. This feature is useful for troubleshooting, security analysis, and network monitoring.
Configuration
Section titled “Configuration”Basic port mirroring configuration:
/interface ethernet switchset switch1 mirror-source=ether2 mirror-target=ether3Port Mirroring Properties
Section titled “Port Mirroring Properties”| Property | Description |
|---|---|
| mirror-source | Selects the source port for mirroring. Ingress and egress traffic is copied to the mirror-target |
| mirror-target | Selects the target port for mirrored traffic. Can be set to “cpu” to send mirrored packets to the switch CPU |
| mirror-egress-target | Selects egress mirror target port (88E6393X, 88E6191X, 88E6190 only) |
Advanced Mirroring
Section titled “Advanced Mirroring”For 88E6393X switch chips, multiple mirroring target ports can be configured:
/interface ethernet switch ruleadd mirror=yes mirror-ports=ether3,ether4 ports=ether2 switch=switch1Mirroring Restrictions
Section titled “Mirroring Restrictions”The mirror-source and mirror-target ports must belong to the same switch chip. Configuring mirror-source on ports from different switch chips with both targets set to CPU will create a loop that can make the device inaccessible.
Port Settings
Section titled “Port Settings”Port settings configure VLAN switching and filtering options for switch chips with VLAN table support.
VLAN Mode Configuration
Section titled “VLAN Mode Configuration”| Mode | Description |
|---|---|
| disabled | Disables VLAN table checking entirely. No traffic is dropped |
| fallback | Checks tagged traffic against VLAN Table. Forwards untagged traffic. Drops tagged traffic if egress port not found in VLAN table |
| check | Checks tagged traffic and drops untagged. Drops tagged traffic if egress port not found |
| secure | Strictest mode. Both ingress and egress ports must be in VLAN Table. Drops untagged traffic |
VLAN Header Actions
Section titled “VLAN Header Actions”| Action | Description |
|---|---|
| add-if-missing | Adds VLAN tag on egress using default-vlan-id. Use for trunk ports |
| always-strip | Removes VLAN tag on egress. Use for access ports |
| leave-as-is | Does not modify VLAN tag. Use for hybrid ports |
Default VLAN ID
Section titled “Default VLAN ID”The default-vlan-id property assigns a VLAN tag to all untagged ingress traffic:
/interface ethernet switch portset ether2 default-vlan-id=200 vlan-header=always-strip vlan-mode=secureOn QCA8337 and Atheros8327 chips, use vlan-header=leave-as-is. The switch chip determines access ports using the default-vlan-id property.
VLAN Table
Section titled “VLAN Table”The VLAN table specifies forwarding rules for 802.1Q tagged packets. VLAN table entries take precedence over bridge hardware offloading configuration.
Configuration
Section titled “Configuration”/interface ethernet switch vlanadd ports=ether2,ether3 switch=switch1 vlan-id=200add ports=ether2,ether4 switch=switch1 vlan-id=300VLAN Table Properties
Section titled “VLAN Table Properties”| Property | Description |
|---|---|
| disabled | Enables or disables the VLAN entry |
| independent-learning | Enables Independent VLAN Learning (IVL) instead of Shared VLAN Learning (SVL) |
| ports | Comma-separated list of interface members for this VLAN |
| switch | Name of the switch this VLAN applies to |
| vlan-id | VLAN ID (0-4095) |
VLAN Forwarding Matrix
Section titled “VLAN Forwarding Matrix”The following matrix shows traffic behavior based on VLAN mode and header settings:
| VLAN Mode | Egress Port | Untagged | Tagged VID Match | Tagged No VID Match |
|---|---|---|---|---|
| disabled | Present | Forward | Forward | Forward |
| fallback | Present | Forward | Forward | Drop |
| check | Present | Drop | Forward | Drop |
| secure | Present | Drop | Forward | Drop |
Host Table
Section titled “Host Table”The host table maintains the switch chip’s MAC address to port mapping for Layer 2 forwarding.
Dynamic Learning
Section titled “Dynamic Learning”Switch chips automatically learn MAC addresses from incoming packet source addresses. Dynamic entries timeout after approximately 5 minutes. Learning only occurs on ports configured as part of a hardware-offloaded bridge.
Static Host Entries
Section titled “Static Host Entries”Static entries provide additional control over traffic handling:
/interface ethernet switch hostadd mac-address=00:11:22:33:44:55 ports=ether2 switch=switch1Host Table Properties
Section titled “Host Table Properties”| Property | Description |
|---|---|
| copy-to-cpu | Send frame copy to CPU for matching MAC destination |
| drop | Drop frames from matching MAC source address |
| mac-address | Host MAC address |
| mirror | Send frame copy to mirror-target port |
| ports | Interface(s) the MAC address maps to |
| redirect-to-cpu | Redirect frame to CPU |
| vlan-id | VLAN ID for the static entry |
Host Table Behavior
Section titled “Host Table Behavior”When the host table is full, switch chips use different strategies: QCA8337 and Atheros8327 remove older entries to make space; Atheros8316, Atheros8227, Atheros7240, and ICPlus175D ignore new MACs until timeout; MT7621, MT7531, and EN7523 use a hybrid approach.
QCA8337 and Atheros8327 chips automatically add reserved multicast MAC addresses (01:80:C2:00:00:0x) when a hardware-offloaded bridge is created with forward-reserved-addresses=no and STP enabled.
Rule Table
Section titled “Rule Table”The rule table provides wire-speed packet filtering, forwarding, and VLAN tagging based on L2, L3, and L4 header conditions.
Rule Configuration
Section titled “Rule Configuration”/interface ethernet switch ruleadd disabled=no ports=ether2 switch=switch1Action Parameters
Section titled “Action Parameters”| Property | Description |
|---|---|
| copy-to-cpu | Send packet copy to switch CPU |
| mirror | Send packet copy to mirror-target port |
| new-dst-ports | Change destination port(s). Empty value drops packet |
| new-vlan-id | Change VLAN ID (Atheros8316, 88E6393X only) |
| new-vlan-priority | Change VLAN priority (Atheros8327, QCA8337, Atheros8316) |
| rate | Ingress rate limit in bps (first 32 rules, Atheros8327/QCA8337) |
| redirect-to-cpu | Redirect packet to CPU |
Matching Conditions
Section titled “Matching Conditions”| Property | Description |
|---|---|
| dscp | Match DSCP field (0-63) |
| dst-address | Match destination IPv4 address/mask |
| dst-address6 | Match destination IPv6 address/mask |
| dst-mac-address | Match destination MAC address/mask |
| dst-port | Match destination port number/range |
| mac-protocol | Match MAC protocol (ip, arp, ipv6, tcp, udp, etc.) |
| ports | Match interface(s). Empty matches all switch interfaces |
| protocol | Match IP protocol |
| src-address | Match source IPv4 address/mask |
| src-address6 | Match source IPv6 address/mask |
| src-mac-address | Match source MAC address/mask |
| src-port | Match source port number/range |
| vlan-id | Match VLAN ID |
| vlan-header | Match VLAN header presence |
| vlan-priority | Match VLAN priority (0-7) |
Rule Limitations
Section titled “Rule Limitations”Atheros8316 supports 8-32 rules depending on conditions used; Atheros8327/QCA8337 supports 8-16 rules; 88E6393X supports 42-256 rules. IPv4 and IPv6 conditions cannot be combined in the same rule.
Port Isolation
Section titled “Port Isolation”Port isolation divides network segments to prevent communication between specific ports while allowing uplink access.
Configuration
Section titled “Configuration”/interface ethernet switch port-isolationset ether1 forwarding-override=sfp1set ether2 forwarding-override=sfp1set ether3 forwarding-override=sfp1Private VLAN
Section titled “Private VLAN”Private VLAN configuration forwards all traffic to an uplink port while isolating downstream ports from each other:
/interface bridgeadd name=bridge1/interface bridge portadd interface=sfp1 bridge=bridge1 hw=yesadd interface=ether1 bridge=bridge1 hw=yesadd interface=ether2 bridge=bridge1 hw=yesadd interface=ether3 bridge=bridge1 hw=yes
/interface ethernet switch port-isolationset ether1 forwarding-override=sfp1set ether2 forwarding-override=sfp1set ether3 forwarding-override=sfp1Multiple uplink ports can be specified by separating them with commas.
Isolated Switch Groups
Section titled “Isolated Switch Groups”Isolated switch groups prevent communication between different port groups:
/interface bridgeadd name=bridge1/interface bridge portadd bridge=bridge1 interface=ether1 hw=yesadd bridge=bridge1 interface=ether2 hw=yesadd bridge=bridge1 interface=ether3 hw=yesadd bridge=bridge1 interface=ether4 hw=yesadd bridge=bridge1 interface=ether5 hw=yes
/interface ethernet switch port-isolationset ether1 forwarding-override=ether2,ether3set ether2 forwarding-override=ether1,ether3set ether3 forwarding-override=ether1,ether2set ether4 forwarding-override=ether5set ether5 forwarding-override=ether4VLAN Table Interaction
Section titled “VLAN Table Interaction”Switch chips with VLAN table support (QCA8337, Atheros8327, Atheros8316, Atheros8227, Atheros7240) can override port isolation when VLAN lookup is enabled. For additional isolation between ports on the same VLAN, use switch rules with new-dst-ports.
CPU Flow Control
Section titled “CPU Flow Control”CPU flow control prevents CPU port congestion by sending pause frames when link capacity is exceeded.
Configuration
Section titled “Configuration”/interface ethernet switch set switch1 cpu-flow-control=noDisabling CPU flow control is available on QCA8337, Atheros8227, Atheros8327, Atheros7240, Atheros8316, 88E6191X, and 88E6393X switch chips. Other chips have CPU flow control enabled by default and cannot be changed.
Statistics
Section titled “Statistics”Switch chips can report detailed statistics for monitoring and troubleshooting.
Viewing Statistics
Section titled “Viewing Statistics”/interface ethernet switch print statsStatistics Output
Section titled “Statistics Output”| Statistic | Description |
|---|---|
| rx-bytes | Total bytes received |
| rx-packet | Total packets received |
| rx-broadcast | Broadcast packets received |
| rx-multicast | Multicast packets received |
| rx-fcs-error | Frames with checksum errors |
| rx-drop | Dropped packets |
| tx-bytes | Total bytes transmitted |
| tx-packet | Total packets transmitted |
| tx-broadcast | Broadcast packets transmitted |
| tx-multicast | Multicast packets transmitted |
| tx-drop | Dropped transmit packets |
Devices with multiple CPU cores connected to the switch chip report statistics per data lane.
Setup Examples
Section titled “Setup Examples”VLAN Trunk and Access Ports
Section titled “VLAN Trunk and Access Ports”/interface bridgeadd name=bridge1/interface bridge portadd bridge=bridge1 interface=ether2 hw=yesadd bridge=bridge1 interface=ether3 hw=yesadd bridge=bridge1 interface=ether4 hw=yesadd bridge=bridge1 interface=ether5 hw=yes
/interface ethernet switch vlanadd ports=ether2,ether3 switch=switch1 vlan-id=200add ports=ether2,ether4 switch=switch1 vlan-id=300add ports=ether2,ether5 switch=switch1 vlan-id=400
/interface ethernet switch portset ether2 vlan-mode=secure vlan-header=add-if-missingset ether3 vlan-mode=secure vlan-header=always-strip default-vlan-id=200set ether4 vlan-mode=secure vlan-header=always-strip default-vlan-id=300set ether5 vlan-mode=secure vlan-header=always-strip default-vlan-id=400VLAN Hybrid Ports
Section titled “VLAN Hybrid Ports”/interface bridgeadd name=bridge1/interface bridge portadd bridge=bridge1 interface=ether2 hw=yesadd bridge=bridge1 interface=ether3 hw=yesadd bridge=bridge1 interface=ether4 hw=yesadd bridge=bridge1 interface=ether5 hw=yes
/interface ethernet switch vlanadd ports=ether2,ether3,ether4,ether5 switch=switch1 vlan-id=200add ports=ether2,ether3,ether4,ether5 switch=switch1 vlan-id=300add ports=ether2,ether3,ether4,ether5 switch=switch1 vlan-id=400
/interface ethernet switch portset ether2 vlan-mode=secure vlan-header=leave-as-isset ether3 vlan-mode=secure vlan-header=leave-as-is default-vlan-id=200set ether4 vlan-mode=secure vlan-header=leave-as-is default-vlan-id=300set ether5 vlan-mode=secure vlan-header=leave-as-is default-vlan-id=400Management Access (Tagged)
Section titled “Management Access (Tagged)”/interface vlanadd name=MGMT vlan-id=99 interface=bridge1/ip addressadd address=192.168.99.1/24 interface=MGMT
/interface ethernet switch vlanadd ports=ether1,switch1-cpu switch=switch1 vlan-id=99
/interface ethernet switch portset ether1 vlan-header=add-if-missing vlan-mode=secureset ether2 default-vlan-id=100 vlan-header=always-strip vlan-mode=secureset switch1-cpu vlan-header=leave-as-is vlan-mode=secureManagement Access (Untagged)
Section titled “Management Access (Untagged)”/interface vlanadd name=MGMT vlan-id=100 interface=bridge1/ip addressadd address=192.168.100.1/24 interface=MGMT
/interface ethernet switch vlanadd ports=ether2,switch1-cpu switch=switch1 vlan-id=100
/interface ethernet switch portset ether1 vlan-header=add-if-missing vlan-mode=secureset ether2 default-vlan-id=100 vlan-header=always-strip vlan-mode=secureset switch1-cpu vlan-header=leave-as-is vlan-mode=secureInter-VLAN Routing
Section titled “Inter-VLAN Routing”/interface bridgeadd name=bridge1/interface bridge portadd bridge=bridge1 interface=ether2 hw=yesadd bridge=bridge1 interface=ether3 hw=yes
/interface ethernet switch vlanadd ports=ether2,ether3,switch1-cpu switch=switch1 vlan-id=10add ports=ether2,ether3,switch1-cpu switch=switch1 vlan-id=20
/interface vlanadd interface=bridge1 vlan-id=10 name=VLAN10add interface=bridge1 vlan-id=20 name=VLAN20
/ip addressadd address=192.168.10.1/24 interface=VLAN10add address=192.168.20.1/24 interface=VLAN20