Skip to main content
Version: current

L3 Hardware Offloading

Layer 3 Hardware Offloading (L3HW, otherwise known as IP switching or HW routing) allows offloading some router features onto the switch chip. This allows reaching wire speeds when routing packets, which would simply not be possible with the CPU.

Switch Configuration

To enable Layer 3 Hardware Offloading, set l3-hw-offloading=yes for the switch:

/interface/ethernet/switch/set 0 l3-hw-offloading=yes

Switch Port Configuration

Layer 3 Hardware Offloading can be configured for each physical switch port. For example:

/interface/ethernet/switch/port/set sfp-sfpplus1 l3-hw-offloading=yes

Note that l3hw settings for switch and ports are different:

  • Setting l3-hw-offloading``=no for the switch completely disables offloading - all packets will be routed by the CPU.
  • However, setting l3-hw-offloading``=no for a switch port only disables hardware routing from/to this particular port. Moreover, the port can still participate in Fasttrack connection offloading.

To enable full hardware routing, enable l3hw on all switch ports:

/interface/ethernet/switch/set 0 l3-hw-offloading=yes
/interface/ethernet/switch/port/set [find] l3-hw-offloading=yes

To make all packets go through the CPU first, and offload only the Fasttrack connections, disable l3hw on all ports but keep it enabled on the switch chip itself:

/interface/ethernet/switch/set 0 l3-hw-offloading=yes
/interface/ethernet/switch/port/set [find] l3-hw-offloading=no
info

Packets are routed by hardware when both the ingress and egress ports have l3-hw-offloading=yes.

If both ingress and egress ports have l3-hw-offloading=no, packets will go through the CPU/Firewall while offloading only the Fasttrack connections.

It is possible to direct packets to go through the CPU/Firewall by setting l3-hw-offloading=no on just the egress port. However, setting l3-hw-offloading=no only the ingress port may cause unpredictable behavior, for example, packets might still be routed by hardware and completely bypass the CPU/firewall.

The next example enables hardware routing on all ports but the upstream port (sfp-sfpplus16). Packets going to/from sfp-sfpplus16 will enter the CPU and, therefore, be subject to Firewall/NAT processing.

/interface/ethernet/switch/set 0 l3-hw-offloading=yes
/interface/ethernet/switch/port/set [find] l3-hw-offloading=yes
/interface/ethernet/switch/port/set sfp-sfpplus16 l3-hw-offloading=no
danger

The existing connections may be unaffected by the l3-hw-offloading setting change.

L3HW Settings

The L3HW Settings menu allows configuring global parameters for the Layer 3 Hardware Offloading driver.

Sub-menu: /interface/ethernet/switch/l3hw-settings

PropertyDescription
autorestart (*yesno*; Default: no)
fasttrack-hw (*yesno*; Default: yes (if supported))
ipv6-hw (*yesno*; Default: no)
icmp-reply-on-error (*yesno*; Default: yes)

Basic Settings

The L3HW Settings menu has been introduced in RouterOS version 7.6.

Sub-menu: /interface/ethernet/switch/l3hw-settings

PropertyDescription
autorestart (yes | no; Default: no)Automatically restarts the l3hw driver in case of an error. Otherwise, if an error occurs, l3-hw-offloading gets disabled, and the error code is displayed in the switch settings and #monitor. Autorestart does not work for system failures, such as OOM (Out Of Memory).
fasttrack-hw (yes | no; Default: yes(if supported))Enables or disables FastTrack HW Offloading. Keep it enabled unless HW TCAM memory reservation is required, e.g., for dynamic switch ACL rules creation. Not all switch chips support FastTrack HW Offloading (see hw-supports-fasttrack).
ipv6-hw (yes | no; Default: no)Enables or disables IPv6 Hardware Offloading. Since IPv6 routes occupy a lot of HW memory, enable it only if IPv6 traffic speed is significant enough to benefit from hardware routing.
icmp-reply-on-error (yes | no; Default: yes)Since the hardware cannot send ICMP messages, the packet must be redirected to the CPU to send an ICMP reply in case of an error (e.g., "Time Exceeded", "Fragmentation required", etc.). Enabling icmp-reply-on-error helps with network diagnostics but may open potential vulnerabilities for DDoS attacks. Disabling icmp-reply-on-error silently drops the packets on the hardware level in case of an error.

Read-Only Properties

PropertyDescription
hw-supports-fasttrack (yes | no)Indicates if the hardware (switch chip) supports FastTrack HW Offloading.

Advanced Settings

This menu allows tweaking l3hw settings for specific use cases.

danger

It is NOT recommended to change the advanced L3HW settings unless instructed by MikroTik Support or a MikroTik Certified Routing Engineer. Applying incorrect settings may break the L3HW operation.

Sub-menu: /interface/ethernet/switch/l3hw-settings

PropertyDescription
route-queue-limit-high (number; Default: 256)The switch driver stops route indexing when route-queue-size (see #monitor exceeds this value. Lowering this value leads to faster route processing but increases the lag between a route's appearance in RouterOS and hardware memory.
Setting route-queue-limit-high=0 disables route indexing when there are any routes in the processing queue - the most efficient CPU usage but the longest delay before hardware offloading. Useful when there are static routes only. Not recommended together with routing protocols (such as BGP or OSPF) when there are frequent routing table changes.
route-queue-limit-low (number; Default: 0)Re-enable route indexing when route-queue-size drops down to this value. Must not exceed the high limit.
Setting route-queue-limit-low=0 tells the switch driver to process all pending routes before the next hw-offloading attempt. While this is the desired behavior, it may completely block the hw-offloading under a constant BGP feed.
shwp-reset-counter (number; Default: 128)Reset the Shortest HW Prefix (see ipv4-shortest-hw-prefix / ipv6-shortest-hw-prefix in #monitor and try the full route table offloading after this number of changes in the routing table. At a partial offload, when the entire routing table does not fit into the hardware memory and shorter prefixes are redirected to the CPU, there is no need to try offloading route prefixes shorter than SHWP since those will get redirected to the CPU anyway, theoretically. However, significant changes to the routing table may lead to a different index layout and, therefore, a different number of routes that can be hw-offloaded. That's why it is recommended to do the full table re-indexing occasionally.
Lowering this value may allow more routes to be hw-offloaded but increases CPU usage and vice-versa. Setting shwp-reset-counter=0 always does full re-indexing after each routing table change.
This setting is used only during Partial Offloading and has no effect when ipv4-shortest-hw-prefix=0 (and ipv6, respectively).
partial-offload-chunk (number; Default: 1024, min: 16)The minimum number of routes for incremental adding in Partial Offloading. Depending on the switch chip model, routes are offloaded either as-is (each routing entry in RouterOS corresponds to an entry in the hardware memory) or get indexed, and the index entries are the ones that are written into the hardware memory. This setting is used only for the latter during Partial Offloading.
Depending on index fragmentation, a single IPv4 route addition can occupy from -3 to +6 LPM blocks of HW memory (some route additions may lower the amount of required HW memory thanks to index defragmentation). Hence, it is impossible to predict the exact number of routes that may fit in the hardware memory. The switch driver uses a binary split algorithm to find the maximum number of routes that fit in the hardware.
Let's imagine 128k routes, all of them not fitting into the hardware memory. The algorithm halves the number and tries offloading 64k routes. Let's say offloading succeeded. In the next iteration, the algorithm picks 96k, let's say it fails; then 80k - fails again, 72k - succeeds, 76k, etc. until the difference between succeeded and failed numbers drops below the partial-offload-chunk value.
Lowering the partial-offload-chunk value increases the number of hw-offloaded routes but also raises CPU usage and vice-versa.
route-index-delay-min (time; Default: 1s)The minimum delay between route processing and its offloading. The delay allows processing more routes together and offloading them at once, saving CPU usage. It also makes offloading the entire routing table faster by reducing the per-route processing work. On the other hand, it slows down the offloading of an individual route.
If an additional route is received during the delay, the latter resets to the route-index-delay-min value**.** Adding more and more routes within the delay keeps resetting the timer until the route-index-delay-max is reached.
route-index-delay-max (time; Default: 10s)The maximum delay between route processing and its offloading. When the maximum delay is reached, the processed routes get offloaded despite more routes pending. However, route-queue-limit-highhas higher priority than this, meaning that the indexing/offloading gets paused anyway when a certain queue size is reached.
neigh-keepalive-interval (time; Default: 1****5s, min: 5s)Neighbor (host) keepalive interval. When a host (IP neighbor) gets hw-offloaded, all traffic from/to it is routed by the switch chip, and RouterOS may think the neighbor is inactive and delete it. To prevent that, the switch driver must keep the offloaded neighbors alive by sending periodic refreshes to RouterOS.
neigh-discovery-interval (time; Default: 1m37s, min: 30s)Unfortunately, switch chips do not provide per-neighbor stats. Hence, the only way to check if the offloaded host is still active is by sending occasional ARP (IPv4) / Neighbor Discovery (IPv6) requests to the connected network. Increasing the value lowers the broadcast traffic but may leave inactive hosts in hardware memory for longer.
Neighbor discovery is triggered within the neighbor keepalive work. Hence, the discovery time is rounded up to the next keepalive session. Choose a value for neigh-discovery-interval not divisible by neigh-keepalive-interval to send ARP/ND requests in various sessions, preventing broadcast bursts.
neigh-discovery-burst-limit(number; Default: 64)The maximum number of ARP/ND requests that can be sent at once.
neigh-discovery-burst-delay (time; Default: 300ms, min: 10ms)The delay between ARP/ND subsequent bursts if the number of requests exceeds neigh-discovery-burst-limit**.**
info

Some settings only apply to certain switch models.

Monitor

The L3HW Monitor feature has been introduced in RouterOS version 7.10. It allows monitoring of switch chip and driver stats related to L3HW.

/interface/ethernet/switch/l3hw-settings/monitor
        ipv4-routes-total: 99363
           ipv4-routes-hw: 61250
          ipv4-routes-cpu: 38112
  ipv4-shortest-hw-prefix: 24
               ipv4-hosts: 87
        ipv6-routes-total: 15
           ipv6-routes-hw: 11
          ipv6-routes-cpu: 4
  ipv6-shortest-hw-prefix: 0
               ipv6-hosts: 7
         route-queue-size: 118
     fasttrack-ipv4-conns: 2031
   fasttrack-hw-min-speed: 0
              nexthop-cap: 8192
            nexthop-usage: 93
    vxlan-mtu-packet-drop: 0

Stats

PropertyDescription
PropertyDescription
:---:---
ipv4-routes-totalThe total number of IPv4 routes handled by the switch driver.
ipv4-routes-hwThe number of hardware-offloaded IPv4 routes (a.k.a. hardware routes)
ipv4-routes-cpuThe number of IPv4 routes redirected to the CPU (a.k.a. software routes)
ipv4-shortest-hw-prefixShortest Hardware Prefix (SHWP) for IPv4. If the entire IPv4 routing table does not fit into the hardware memory, partial offloading is applied, where the longest prefixes are hw-offloaded while the shorter ones are redirected to the CPU. This field shows the shortest route prefix (/x) that is offloaded to the hardware memory. All prefixes shorter than this are processed by the CPU. ipv4-shortest-hw-prefix=0 means the entire IPv4 routing table is offloaded to the hardware memory.
ipv4-hostsThe number of hardware-offloaded IPv4 hosts (/32 routes)
ipv6-routes-total 1The total number of IPv6 routes handled by the switch driver.
ipv6-routes-hw 1The number of hardware-offloaded IPv6 routes (a.k.a. hardware routes)
ipv6-routes-cpu 1The number of IPv6 routes redirected to the CPU (a.k.a. software routes)
ipv6-shortest-hw-prefix 1Shortest Hardware Prefix (SHWP) for IPv6. If the entire IPv6 routing table does not fit into the hardware memory, partial offloading is applied, where the longest prefixes are hw-offloaded while the shorter ones are redirected to the CPU. This field shows the shortest route prefix (/x) that is offloaded to the hardware memory. All prefixes shorter than this are processed by the CPU. ipv6-shortest-hw-prefix=0 means the entire IPv6 routing table is offloaded to the hardware memory.
ipv6-hosts 1The number of hardware-offloaded IPv6 hosts (/128 routes)
route-queue-sizeThe number of routes in the queue for processing by the switch chip driver. Under normal working conditions, this field is 0, meaning that all routes are processed by the driver.
nexthop-capThe nexthop capacity.
nexthop-usageThe number of currently used nexthops.
vxlan-mtu-packet-dropThe number of dropped VXLAN packets due to exceeded interface MTU settings.
fasttrack-ipv4-conns 2The number of hardware-offloaded FastTrack connections.
fasttrack-hw-min-speed 2When the hardware memory for storing FastTrack is full, this field shows the minimum speed (in bytes per second) of a hw-offloaded FastTrack connection. Slower connections are routed by the CPU.

1 IPv6 stats appear only when IPv6 hardware routing is enabled (ipv6-hw=yes)
2 FastTrack stats appear only when hardware offloading of FastTrack connections is enabled (fasttrack-hw=yes)

Advanced Monitor

An enhanced version of Monitor with extra telemetry data for advanced users. Advanced Monitor contains all data from the basic monitor plus the fields listed below.

/interface/ethernet/switch/l3hw-settings/advanced> monitor once
        ipv4-routes-total: 29968
           ipv4-routes-hw: 29957
          ipv4-routes-cpu: 11
  ipv4-shortest-hw-prefix: 0
               ipv4-hosts: 3
        ipv6-routes-total: 4
           ipv6-routes-hw: 0
          ipv6-routes-cpu: 4
  ipv6-shortest-hw-prefix: 0
               ipv6-hosts: 0
         route-queue-size: 0
         route-queue-rate: 0
       route-process-rate: 0
     fasttrack-ipv4-conns: 0
     fasttrack-queue-size: 0
     fasttrack-queue-rate: 0
   fasttrack-process-rate: 0
   fasttrack-hw-min-speed: 0
   fasttrack-hw-offloaded: 0
    fasttrack-hw-unloaded: 0
                  lpm-cap: 54560
                lpm-usage: 31931
             lpm-bank-cap: 2728
           lpm-bank-usage: 46,0,0,0,2589,2591,1983,0,2728,2728,2728,2728,2728,2728,2728,2728,2728,170,0,0
                  pbr-cap: 8192
                pbr-usage: 0
             pbr-lpm-bank: 3
                nat-usage: 0
              nexthop-cap: 8192
            nexthop-usage: 85

Stats

PropertyDescription
route-queue-rateThe rate at which routes are added to the queue for processing by the switch driver. In other words, the growth rate of route-queue-size (routes per second)
route-process-rateThe rate at which previously queued routes are processed by the switch driver. In other words, the shrink rate of route-queue-size (routes per second)
fasttrack-queue-sizeThe number of FastTrack connections in the queue for processing by the switch chip driver.
fasttrack-queue-rateThe rate at which FastTrack connections are added to the queue for processing by the switch driver. In other words, the growth rate of fasttrack-queue-size (connections per second)
fasttrack-process-rateThe rate at which previously queued FastTrack connections are processed by the switch driver. In other words, the shrink rate of fasttrack-queue-size (connections per second)
fasttrack-hw-offloadedThe number of FastTrack connections offloaded to the hardware. The counter resets every second (or every monitor interval).
fasttrack-hw-unloadedThe number of FastTrack connections unloaded from the hardware (redirected to software routing). The counter resets every second (or every monitor interval).
lpm-capThe size of the LPM hardware table (LPM = Longest Prefix Match). LPM stores route indexes for hardware routing. Not every switch chip model uses LPM. Others use TCAM.
lpm-usageThe number of used LPM blocks. lpm-usage/ lpm-cap = usage percentage.
lpm-bank-capLPM memory is organized in banks - special memory units. The bank size depends on the switch chip model. This value shows the size of a single bank (in LPM blocks). lpm-cap / lpm-bank-cap = the number of banks (usually, 20).
lpm-bank-usagePer-bank LPM usage (in LPM blocks)
pbr-capThe size of the Policy-Based Routing (PBR) hardware table. PBR is used for NAT offloading of FastTrack connections.
pbr-usageThe number of used PBR entries. pbr-usage/ pbr-cap = usage percentage.
pbr-lpm-bankPBR shares LPM memory banks with routing tables. This value shows the LPM bank index shared with PBR (0 = the first bank).
nat-usageThe number of used NAT hardware entries (for FastTrack connections).

Interface Lists

It is impossible to use interface lists directly to control l3-hw-offloading because an interface list may contain virtual interfaces (such as VLAN) while the l3-hw-offloading setting must be applied to physical switch ports only. For example, if there are two VLAN interfaces (vlan20 and vlan30) running on the same switch port (trunk port), it is impossible to enable hardware routing on vlan20 but keep it disabled on vlan30.

However, an interface list may be used as a port selector. The following example demonstrates how to enable hardware routing on LAN ports (ports that belong to the "LAN" interface list) and disable it on WAN ports:

:foreach i in=[/interface/list/member/find where list=LAN] do={
    /interface/ethernet/switch/port/set [/interface/list/member/get $i interface] l3-hw-offloading=yes
}

:foreach i in=[/interface/list/member/find where list=WAN] do={
    /interface/ethernet/switch/port/set [/interface/list/member/get $i interface] l3-hw-offloading=no
}

Please take into account that since interface lists are not directly used in hardware routing control, modifying the interface list also does not automatically reflect in l3hw changes. For instance, adding a switch port to the "LAN" interface list does not automatically enable l3-hw-offloading on it. The user has to rerun the above script to apply the changes.

MTU

The hardware supports up to 8 MTU profiles, meaning that the user can set up to 8 different MTU values for interfaces: the default 1500 + seven custom ones.

info

It is recommended to disable l3-hw-offloading while changing the MTU/L2MTU values on the interfaces.

MTU Change Example

/interface/ethernet/switch/set 0 l3-hw-offloading=no
/interface/set sfp-sfpplus1 mtu=9000 l2mtu=9022
/interface/set sfp-sfpplus2 mtu=9000 l2mtu=9022
/interface/set sfp-sfpplus3 mtu=10000 l2mtu=10022
/interface/ethernet/switch/set 0 l3-hw-offloading=yes

Layer 2 Dependency

Layer 3 hardware processing lies on top of Layer 2 hardware processing. Therefore, L3HW offloading requires L2HW offloading on the underlying interfaces. The latter is enabled by default, but there are some exceptions. For example, MikroTik devices with Marvell Prestera switch support only one hardware bridge. If there are multiple bridges, others are processed by the CPU and are not subject to L3HW.

Another example is ACL rules. If a rule redirects traffic to the CPU for software processing, then hardware routing (L3HW) is not triggered:

ACL rule to disable hardware processing on a specific port

/interface/ethernet/switch/rule/add switch=switch1 ports=ether1 redirect-to-cpu=yes
info

It is recommended to turn off L3HW offloading during L2 configuration.

To make sure that Layer 3 is in sync with Layer 2 on both the software and hardware sides, we recommend disabling L3HW while configuring Layer 2 features. The recommendation applies to the following configuration:

  • Adding/removing/enabling/disabling bridges.
  • Adding/removing switch ports to/from the bridge.
  • Bonding switch ports / removing bonds.
  • Changing VLAN settings.
  • Changing MTU/L2MTU on switch ports.
  • Changing ethernet (MAC) addresses.

In short, disable l3-hw-offloading while making changes under /interface/bridge/ and /interface/vlan/:

Layer 2 Configuration Template

/interface/ethernet/switch/set 0 l3-hw-offloading=no

/interface/bridge
# put bridge configuration changes here

/interface/vlan
# define/change VLAN interfaces
/interface/ethernet/switch/set 0 l3-hw-offloading=yes

MAC telnet

There is a limitation for MAC telnet when L3HW offloading is enabled on 98DX8xxx, 98DX4xxx, or 98DX325x switch chips. Packets from MAC Telnet are dropped and do not reach the CPU, thus access to the device will fail.

If MAC telnet is desired in combination with L3HW, a certain ACL rule can be created to force these packets to the CPU.

For example, if MAC telnet access on sfp-sfpplus1 and sfp-sfpplus2 is needed, you will need to add this ACL rule. It is possible to select even more interfaces with the ports setting.

/interface/ethernet/switch/rule
add dst-port=20561 ports=sfp-sfpplus1,sfp-sfpplus2 protocol=udp redirect-to-cpu=yes switch=switch1

Inter-VLAN Routing

Since L3HW depends on L2HW, and L2HW is the one that does VLAN processing, Inter-VLAN hardware routing requires a hardware bridge underneath. Even if a particular VLAN has only one tagged port member, the port must be a bridge member. Do not assign a VLAN interface directly to a switch port! Otherwise, L3HW offloading fails and the traffic will get processed by the CPU:

/interface/vlan/add interface=ether2 name=vlan20 vlan-id=20

Assign the VLAN interface to the bridge instead. This way, VLAN configuration gets offloaded to the hardware, and, with L3HW enabled, the traffic is subject to inter-VLAN hardware routing.

VLAN Configuration Example

/interface/ethernet/switch/set 0 l3-hw-offloading=no
/interface/bridge/port/add bridge=bridge interface=ether2
/interface/bridge/vlan/add bridge=bridge tagged=bridge,ether2 vlan-ids=20
/interface/vlan/add interface=bridge name=vlan20 vlan-id=20
/ip/address/add address=192.0.2.1/24 interface=vlan20
/interface/bridge/set bridge vlan-filtering=yes
/interface/ethernet/switch/set 0 l3-hw-offloading=yes
info

For Inter-VLAN routing, the bridge interface must be a tagged member of every routable /interface/bridge/vlan/ entry.

Per-VLAN offloading

Since RouterOS 7.21, it is possible to configure L3HW offloading per individual VLAN interface using the l3-hw-offloading=yes|no setting in the /interface/vlan menu. This provides finer control over which VLANs (and their related routes) are offloaded to the switch chip, and which are processed by the CPU. It is no longer necessary to disable L3HW on a switch port in order to disable L3HW routing for specific VLANs.

VLAN interface gets offloaded (receives the H flag) only when ALL the following conditions are met:

  • VLAN interface has l3-hw-offloading=yes.
  • VLAN interface is created on a hardware-offloaded, vlan-filtering bridge.
  • All switch ports that are the members of the VLAN have l3-hw-offloading=yes.

For inter-VLAN routing, both ingress and egress VLANs must be hw-offloaded, otherwise, packets are sent to the CPU.

info

If a switch port carries multiple VLANs with different L3HW settings, keep the port's l3-hw-enabled=yes.

L3HW MAC Address Range Limitation (DX2000/DX3000 series only)

Marvell Prestera DX2000 and DX3000 switch chips have a hardware limitation that allows configuring only the last (least significant) octet of the MAC address for each interface. The other five (most significant) octets are configured globally and, therefore, must be equal for all interfaces (switch ports, bridge, VLANs). In other words, the MAC addresses must be in the format "XX:XX:XX:XX:XX:??", where:

  • "XX:XX:XX:XX:XX" part is common for all interfaces.
  • "??" is a variable part.

This requirement applies only to Layer 3 (routing). Layer 2 (bridging) does not use the switch's ethernet addresses. Moreover, it does not apply to bridge ports because they use the bridge's MAC address.

The requirement for common five octets applies to:

  • Standalone switch ports (not bridge members) with hardware routing enabled (l3-hw-offloading=yes).
  • Bridge itself.
  • VLAN interfaces (those that use the bridge's MAC address by default).

Route Configuration

Suppressing HW Offload

By default, all the routes are hardware candidate routes. To further fine-tune which traffic to offload, there is an option for each route to disable/enable suppress-hw-offload.

For example, if we know that the majority of traffic flows to the network where servers are located, we can enable offloading only to that specific destination:

/ip/route/set [find where static && dst-address!="192.168.3.0/24"] suppress-hw-offload=yes

Now only the route to 192.168.3.0/24 has H-flag, indicating that it will be the only one eligible to be selected for HW offloading:

[admin@MikroTik] > /ip/route/print where static
Flags: A - ACTIVE; s - STATIC, y - COPY; H - HW-OFFLOADED
Columns: DST-ADDRESS, GATEWAY, DISTANCE
#     DST-ADDRESS       GATEWAY         D
0 As  0.0.0.0/0         172.16.2.1      1
1 As  10.0.0.0/8        10.155.121.254  1
2 AsH 192.168.3.0/24    172.16.2.1      1
danger

H-flag does not indicate that the route is actually HW offloaded; it indicates only that the route can be selected to be HW offloaded.

Routing Filters

For dynamic routing protocols like OSPF and BGP, it is possible to suppress HW offloading using routing filters. For example, to suppress HW offloading on all OSPF instance routes, use the "suppress-hw-offload yes" property:

/routing/ospf/instance
set [find name=instance1] in-filter-chain=ospf-input
/routing/filter/rule
add chain="ospf-input" rule="set suppress-hw-offload yes; accept"

Offloading Fasttrack Connections

Firewall filter rules have the hw-offload option for Fasttrack, allowing fine-tuning connection offloading. Since the hardware memory for Fasttrack connections is very limited, we can choose what type of connections to offload and, therefore, benefit from near-the-wire-speed traffic. The next example offloads only TCP connections while UDP packets are routed via the CPU and do not occupy HW memory:

/ip/firewall/filter
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes protocol=tcp
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=no
add action=accept chain=forward connection-state=established,related

Stateless Hardware Firewall

While connection tracking and stateful firewalling can be performed only by the CPU, the hardware can perform stateless firewalling via switch rules (ACL). The next example prevents (on a hardware level) accessing a MySQL server from ether1, and redirects packets from ether2 and ether3 to the CPU/Firewall:

/interface/ethernet/switch/rule
add switch=switch1 dst-address=10.0.1.2/32 dst-port=3306 ports=ether1 new-dst-ports=""
add switch=switch1 dst-address=10.0.1.2/32 dst-port=3306 ports=ether2,ether3 redirect-to-cpu=yes

Switch Rules (ACL) vs. Fasttrack HW Offloading

Some firewall rules may be implemented via both switch rules (ACL) and CPU Firewall Filter + Fasttrack HW Offloading. Both options grant near-the-wire-speed performance. So the question is which one to use?

First, not all devices support Fasttrack HW Offloading, and without HW offloading, Firewall Filter uses only software routing, which is dramatically slower than its hardware counterpart. Second, even if Fasttrack HW Offloading is an option, a rule of thumb is:

info

Always use Switch Rules (ACL), if possible.

Switch rules share the hardware memory with Fasttrack connections. However, hardware resources are allocated for each Fasttrack connection while a single ACL rule can match multiple connections. For example, if you have a guest WiFi network connected to sfp-sfpplus1 VLAN 10 and you don't want it to access your internal network, simply create an ACL rule:

/interface/ethernet/switch/rule
add switch=switch1 ports=sfp-sfpplus1 vlan-id=10 dst-address=10.0.0.0/8 new-dst-ports=""

The matched packets will be dropped on the hardware level. It is much better than letting all guest packets go to the CPU for Firewall filtering.

Of course, ACL rules cannot match everything. For instance, ACL rules cannot filter connection states: accept established, drop others. That is where Fasttrack HW Offloading gets into action - redirect the packets to the CPU by default for firewall filtering, then offload the established Fasttrack connections. However, disabling l3-hw-offloading for the entire switch or port is not the only option.

info

Define ACL rules with redirect-to-cpu=yes instead of setting l3-hw-offloading=no on the switch port for narrowing down the traffic that goes to the CPU.

Configuration Examples

Inter-VLAN Routing with Upstream Port Behind Firewall/NAT

This example demonstrates how to benefit from near-to-wire-speed inter-VLAN routing while keeping Firewall and NAT running on the upstream port. Moreover, Fasttrack connections to the upstream port get offloaded to hardware as well, boosting the traffic speed close to wire-level. Inter-VLAN traffic is fully routed by the hardware, not entering the CPU/Firewall, and, therefore, not occupying the hardware memory of Fasttrack connections.

We use the CRS317-1G-16S+ model with the following setup:

  • sfp1-sfp4 - bridged ports, VLAN ID 20, untagged.
  • sfp5-sfp8 - bridged ports, VLAN ID 30, untagged.
  • sfp16 - the upstream port.
  • ether1 - management port.

Set up interface lists for easy access:

Interface Lists

/interface/list
add name=LAN
add name=WAN
add name=MGMT 

/interface/list/member
add interface=sfp-sfpplus1 list=LAN
add interface=sfp-sfpplus2 list=LAN
add interface=sfp-sfpplus3 list=LAN
add interface=sfp-sfpplus4 list=LAN
add interface=sfp-sfpplus5 list=LAN
add interface=sfp-sfpplus6 list=LAN
add interface=sfp-sfpplus7 list=LAN
add interface=sfp-sfpplus8 list=LAN
add interface=sfp-sfpplus16 list=WAN
add interface=ether1 list=MGMT

Bridge Setup

/interface/bridge
add name=bridge vlan-filtering=yes

/interface/bridge/port
add bridge=bridge interface=sfp-sfpplus1 pvid=20
add bridge=bridge interface=sfp-sfpplus2 pvid=20
add bridge=bridge interface=sfp-sfpplus3 pvid=20
add bridge=bridge interface=sfp-sfpplus4 pvid=20
add bridge=bridge interface=sfp-sfpplus5 pvid=30
add bridge=bridge interface=sfp-sfpplus6 pvid=30
add bridge=bridge interface=sfp-sfpplus7 pvid=30
add bridge=bridge interface=sfp-sfpplus8 pvid=30

/interface/bridge/vlan
add bridge=bridge tagged=bridge untagged=sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4 vlan-ids=20
add bridge=bridge tagged=bridge untagged=sfp-sfpplus5,sfp-sfpplus6,sfp-sfpplus7,sfp-sfpplus8 vlan-ids=30

Routing requires dedicated VLAN interfaces. For standard L2 VLAN bridging (without inter-VLAN routing), the next step can be omitted.

VLAN Interface Setup for Routing

/interface/vlan
add interface=bridge name=vlan20 vlan-id=20
add interface=bridge name=vlan30 vlan-id=30

/ip/address
add address=192.168.20.17/24 interface=vlan20 network=192.168.20.0
add address=192.168.30.17/24 interface=vlan30 network=192.168.30.0

Configure management and upstream ports, a basic firewall, NAT, and enable hardware offloading of Fasttrack connections:

Firewall Setup

/ip/address
add address=192.168.88.1/24 interface=ether1
add address=10.0.0.17/24 interface=sfp-sfpplus16

/ip/route
add gateway=10.0.0.1

/ip/firewall/filter
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related

/ip/firewall/nat
add action=masquerade chain=srcnat out-interface-list=WAN

At this moment, all routing still is performed by the CPU. Enable hardware routing on the switch chip:

Enable Layer 3 Hardware Offloading

# Enable full hardware routing on LAN ports
:foreach i in=[/interface/list/member/find where list=LAN] do={ 
    /interface/ethernet/switch/port/set [/interface/list/member/get $i interface] l3-hw-offloading=yes 
} 

# Disable full hardware routing on WAN or Management ports
:foreach i in=[/interface/list/member/find where list=WAN or list=MGMT] do={ 
    /interface/ethernet/switch/port/set [/interface/list/member/get $i interface] l3-hw-offloading=no 
}

# Activate Layer 3 Hardware Offloading on the switch chip
/interface/ethernet/switch/set 0 l3-hw-offloading=yes

Results:

  • Within the same VLAN (e.g., sfp1-sfp4), traffic is forwarded by the hardware on Layer 2 (L2HW).
  • Inter-VLAN traffic (e.g. sfp1-sfp5) is routed by the hardware on Layer 3 (L3HW).
  • Traffic from/to the WAN port gets processed by the CPU/Firewall first. Then Fasttrack connections get offloaded to the hardware (Hardware-Accelerated L4 Stateful Firewall). NAT applies both on CPU- and HW-processed packets.
  • Traffic to the management port is protected by the Firewall.

Typical Misconfiguration

Below are typical user errors in configuring Layer 3 Hardware Offloading.

VLAN interface on a switch port or bond

/interface/vlan
add name=vlan10 vlan-id=10 interface=sfp-sfpplus1
add name=vlan20 vlan-id=20 interface=bond1

Due to Layer 2 dependency, only VLAN interfaces created on a hardware-offloaded, vlan-filtering bridge is capable of L3HW offloading. The correct configuration is:

/interface/bridge/port
add bridge=bridge1 interface=sfp-sfpplus1 frame-types=admit-only-vlan-tagged
add bridge=bridge1 interface=bond1 frame-types=admit-only-vlan-tagged
 
/interface/bridge/vlan
add bridge=bridge1 tagged=bridge1,sfp-sfpplus1 vlan-ids=10
add bridge=bridge1 tagged=bridge1,bond1 vlan-ids=20
 
/interface/vlan
add name=vlan10 vlan-id=10 interface=bridge1
add name=vlan20 vlan-id=20 interface=bridge1
info

If VLAN interfaces are created directly on Ethernet or bonding interfaces, packets may be offloaded incorrectly - bypassing CPU processing (such as firewall and NAT) and causing undefined behavior.

If this type of configuration is required, L3HW offloading must be disabled on the related switch ports under the /interface/ethernet/switch/port menu by setting l3-hw-offloading=no.

Not adding the bridge interface to /interface/bridge/vlan/

For Inter-VLAN routing, the bridge interface itself needs to be added to the tagged members of the given VLANs. In the next example, Inter-VLAN routing works between VLAN 10 and 11, but packets are NOT routed to VLAN 20.

/interface/bridge/vlan
add bridge=bridge1 vlan-ids=10 tagged=bridge1,sfp-sfpplus1
add bridge=bridge1 vlan-ids=11 tagged=bridge1 untagged=sfp-sfpplus2,sfp-sfpplus3 
add bridge=bridge1 vlan-ids=20 tagged=sfp-sfpplus1 untagged=sfp-sfpplus4,sfp-sfpplus5

The above example does not always mean an error. Sometimes, you may want the device to act as a simple L2 switch in some/all VLANs. Just make sure you set such behavior on purpose, not due to a mistake.

Creating multiple bridges

The devices support only one hardware bridge. If there are multiple bridges created, only one gets hardware offloading. While for L2 that means software forwarding for other bridges, in the case of L3HW, multiple bridges may lead to undefined behavior.

info

Instead of creating multiple bridges, create one and segregate L2 networks with VLAN filtering.

Using ports that do not belong to the switch

Some devices have two switch chips or the management port directly connected to the CPU. For example, CRS312-4C+8XG has an ether9 port connected to a separate switch chip. Trying to add this port to a bridge or involve it in the L3HW setup leads to unexpected results. Leave the management port for management!

[admin@crs312] /interface/ethernet/switch> print
Columns: NAME, TYPE, L3-HW-OFFLOADING
# NAME     TYPE              L3-HW-OFFLOADING
0 switch1  Marvell-98DX8212  yes            
1 switch2  Atheros-8227      no   
           
[admin@crs312] /interface/ethernet/switch> port print
Columns: NAME, SWITCH, L3-HW-OFFLOADING, STORM-RATE
 # NAME         SWITCH   L3-HW-OFFLOADING  STORM-RATE
 0 ether9       switch2                             
 1 ether1       switch1  yes                      100
 2 ether2       switch1  yes                      100
 3 ether3       switch1  yes                      100
 4 ether4       switch1  yes                      100
 5 ether5       switch1  yes                      100
 6 ether6       switch1  yes                      100
 7 ether7       switch1  yes                      100
 8 ether8       switch1  yes                      100
 9 combo1       switch1  yes                      100
10 combo2       switch1  yes                      100
11 combo3       switch1  yes                      100
12 combo4       switch1  yes                      100
13 switch1-cpu  switch1                           100
14 switch2-cpu  switch2

Relying on Fasttrack HW Offloading too much

Since Fasttrack HW Offloading offers near-the-wire-speed performance at zero configuration overhead, users are tempted to use it as the default solution. However, the number of HW Fasttrack connections is very limited, leaving the other traffic for the CPU. Try using the hardware routing as much as possible, reduce the CPU traffic to the minimum via switch ACL rules, and then fine-tune which Fasttrack connections to offload with firewall filter rules.

Trying to offload slow-path connections

Using certain configurations (e.g. enabling bridge "use-ip-firewall" setting, creating bridge nat/filter rules) or running specific features like sniffer or torch can disable RouterOS FastPath, which will affect the ability to properly FastTrack and HW offload connections. If HW offloaded Fasttrack is required, make sure that there are no settings that disable the FastPath and verify that connections are getting the "H" flag or use the L3HW monitor command to see the number of HW offloaded connections.

L3HW Feature Support

  • HW - The feature is supported and offloaded to the hardware.
  • CPU - The feature is supported but performed by software (CPU).
  • N/A - The feature is not available together with L3HW. Layer 3 hardware offloading must be completely disabled (switch l3-hw-offloading=no) to make this feature work.
  • FW - The feature requires l3-hw-offloading=no for a given switch port. On the switch level, l3-hw-offloading=yes.
FeatureSupportCommentsRelease
IPv4 Unicast RoutingHW7.1
IPv6 Unicast RoutingHW
<br/>/interface/ethernet/switch/l3hw-settings/set ipv6-hw=yes<br/>
7.6
IPv4 Multicast RoutingCPU
IPv6 Multicast RoutingCPU
ECMPHWMultipath routing7.1
BlackholesHW
<br/>/ip/route/add dst-address=10.0.99.0/24 blackhole<br/>
7.1
gateway=<interface_name>CPU/HW
<br/>/ip/route/add dst-address=10.0.0.0/24 gateway=ether1 <br/>

This works only for directly connected networks. Since HW does not know how to send ARP requests, CPU sends an ARP request and waits for a reply to find out the DST MAC address on the first received packet of the connection that matches a DST IP address. After DST MAC is determined, HW entry is added and all further packets will be processed by the switch chip.		7.1
BridgeHWRouting from/to hardware-offloaded bridge interface.7.1
VLANHWRouting between VLAN interfaces that are created on hardware-offloaded bridge interface with vlan-filtering.


<br/>/interface/vlan<br/>
7.1
BondingHWRouting between bonding interfaces.


<br/>/interface/bonding<br/>

Only 802.3ad and balance-xor bonding modes are hardware offloaded.		7.1
IPv4 FirewallFWUsers must choose either HW-accelerated routing or firewall. Firewall rules get processed by the CPU. Fasttrack connections get offloaded to HW.7.1
IPv4 NATFWNAT rules applied to the offloaded Fasttrack connections get processed by HW too.7.1
MLAGN/A
VRFN/AOnly the main routing table gets offloaded. If VRF is used together with L3HW and packets arrive on a switch port with l3-hw-offloadin``g=yes, packets can be incorrectly routed through the main routing table. To avoid this, disable L3HW on needed switch ports or use ACL rules to redirect specific traffic to the CPU.
VRRPN/A
Controller Bridge and Port ExtenderN/A
Traffic-FlowN/AL3HW offloaded traffic is not reported through Traffic Flow.
VXLANHWSupport for hardware-offloaded VXLAN data plane, VXLAN encapsulation and decapsulation. This allows for static one-to-one VLAN-to-VXLAN mappings within a vlan-filtering bridge. At this point, some known features are not yet implemented.
Underlay (routing encapsulated VXLAN packets):
1. VTEPs are not supported over ECMP
2. VTEPs are not supported over bond, bridge, VLAN interfaces (only stand-alone routed Ethernet interfaces are supported)
3. VTEPs are not supported over multicast
4. VTEPs cannot operate within VRFs
5. VTEPs are not supported with IPv6
Overlay (forwarding between Ethernet and VXLAN):
1. VLAN tagging over VXLAN is not supported
2. Routing between different VXLAN VNIs is not supported
3. VTEPs are isolated, and there is no mechanism to control "horizon" between them.
4. Bridged VXLAN interfaces do not support IGMP snooping. When snooping is enabled, MDB entries on VXLAN are not offloaded, and multicast traffic gets restricted between Ethernet and VXLAN.
5. Bridged VXLAN interfaces are not supported by MLAG.


<br/>/interface/vxlan<br/>
7.18
MTUHWThe hardware supports up to 8 MTU profiles.7.1
QinQ RoutingCPUStacked routable VLAN interfaces will lose L3HW offloading, while routable VLAN interfaces created directly on the bridge interface can still use HW offloading.

Only the devices listed in the table below support L3 HW Offloading.

L3HW Device Support

Only the devices listed in the table below support L3 HW Offloading.

CRS3xx: Switch 98DX3xxx and 98DX2xxx Series

The devices below are based on Marvell 98DX224S, 98DX226S, 98DX2528, or 98DX3236 switch chip models.

info

The 98DX3255 and 98DX3257 models are exceptions, which have a feature set of the 98DX8xxx rather than the 98DX3xxx series.

Caution: Below are some important features that these devices are missing when compared to other switch models:

  • Fasttrack and NAT connection offloading;
  • per-VLAN packet and byte counters;
  • VXLAN offloading.
Switch ChipModelsIPv4 Route Prefixes 1IPv6 Route Prefixes 2NexthopsECMP paths per prefix 3
98DX3236CRS305-1G-4S+IN
CRS326-24G-2S+ (RM/IN)
CRS328-24P-4S+RM
CRS328-4C-20S-4S+RM		1331233284K8
98DX226SCRS305-1G-4S+OUT (FiberBox Plus)
CRS310-1G-5S-4S+ (netFiber 9/IN)
CRS310-8G+2S+IN
CRS318-16P-2S+OUT (netPower 16P)
CRS320-8P-8B-4S+RM
CRS418-8P-8G-2S+RM
CRS418-8P-8G-2S+5axQ2axQ-RM		1331233284K8
98DX224SCRS318-1Fi-15Fr-2S-OUT (netPower 15FR)1331233284K8
98DX2528CRS304-4XG-IN1331233284K8

1 Since the total number of routes that can be offloaded is limited, prefixes with higher netmask are preferred to be forwarded by hardware (e.g., /32, /30, /29, etc.). Any other prefixes that do not fit in the HW table will be processed by the CPU. Directly connected hosts are offloaded as /32 (IPv4) or /128 (IPv6) route prefixes. The number of hosts is also limited by max-neighbor-entries in IP Settings / IPv6 Settings.
2 IPv4 and IPv6 routing tables share the same hardware memory.
3 If a route has more paths than the hardware ECMP limit (X), only the first X paths get offloaded.

Partial offloading

In the case of 98DX3xxx, 98DX2xxx switch chip series, it is quite simple: one RouterOS route entry (/ip/route/) reflects into one HW IPv4 route prefix entry. Connected hosts (/32 routes) also occupy the same table. As long as the total number of routes ("/ip/route/print count-only") + connected host count ("/ip/arp/print count-only where status=reachable or status=stale"), does not exceed 13312 (13k), everything gets offloaded. Exceeding the number, routes with shorter prefixes stay on the CPU.

CCR2xxx, CRS3xx, CRS5xx: Switch 98DX8xxx and 98DX4xxx Series

The devices below are based on Marvell 98DX8xxx, 98DX4xxx switch chips, or 98DX325x model.

Switch ChipModelsIPv4 Routes 1IPv4 Hosts 5IPv6 Routes 1IPv6 Hosts 5NexthopsIPv4 Fasttrack connections 2, 3, 4IPv4 NAT entries 2, 4IPv4 Fasttrack/NAT, VXLAN offloading Per-VLAN packet/byte counters
98DX8208CRS309-1G-8S+INup to 36Kup to 16Kup to 6Kup to 12K8K4.5K3.9K+
98DX8212CRS312-4C+8XG-RMup to 36Kup to 16Kup to 6Kup to 12K8K2.25K2.25K+
98DX8216CRS317-1G-16S+RMup to 240Kup to 64Kup to 40Kup to 48K8K4.5K4K+
98DX8332CRS326-24S+2Q+RM
CRS326-4C+20G+2Q+RM		up to 36Kup to 16Kup to 6Kup to 12K8K2.25K2.25K+
98DX3257 6CRS354-48G-4S+2Q+RM
CRS354-48P-4S+2Q+RM		up to 36Kup to 16Kup to 6Kup to 12K8K2.25K2.25K+
98DX4310CRS504-4XQ (IN/OUT)
CRS510-8XS-2XQ-IN
RDS2216-2XG-4S+4XS-2XQ		up to 120Kup to 64Kup to 20Kup to 48K8K4.5K4K+
98DX8525CCR2216-1G-12XS-2XQ
CRS518-16XS-2XQ-RM		up to 120Kup to 64Kup to 20Kup to 48K8K4.5K4K+
98CX8410CRS520-4XS-16XQ-RMup to 240Kup to 64Kup to 40Kup to 48K8K4.5K4K+
98DX3255 6CCR2116-12G-4S+up to 36Kup to 16Kup to 6Kup to 12K8K2.25K2.25K+
98DX8525CCR2216-1G-12XS-2XQ
CRS518-16XS-2XQ-RM		up to 120Kup to 64Kup to 20Kup to 48K8K4.5K4K+

1 Depends on the complexity of the routing table. Whole-byte IP prefixes (/8, /16, /24, etc.) occupy less HW space than others (e.g., /22). When the Routing HW table gets full, only routes with longer subnet prefixes are offloaded (/30, /29, /28, etc.) while the CPU processes the shorter prefixes. Users can fine-tune what routes to offload via routing filters (for dynamic routes) or suppressing hardware offload per switch port, static route or VLAN. IPv4 and IPv6 routing tables share the same hardware memory.
2 When the HW limit of Fasttrack or NAT entries is reached, other connections will fall back to the CPU. MikroTik's smart connection offload algorithm ensures that the connections with the most traffic are offloaded to the hardware.
3 Fasttrack connections share the same HW memory with ACL rules. Depending on the complexity, one ACL rule may occupy the memory of 3-6 Fasttrack connections.
4 If a Fasttrack connection requires Network Address Translation, a hardware NAT entry is created. The hardware supports both SRCNAT and DSTNAT.
5 DX4000/DX8000 switch chips store directly connected hosts, IPv4 /32, and IPv6 /128 route entries in the FDB table rather than the routing table. The HW memory is shared between regular FDB L2 entries (MAC), IPv4, and IPv6 addresses. The number of hosts is also limited by max-neighbor-entries in IP Settings / IPv6 Settings.
6 The switch chip has a feature set of the DX8000 series.

Partial offloading

The 98DX8xxx, 98DX4xxx have entirely different routing tables. Instead of prefixes, we have to offload route indexes. The entire IPv4 address range (same for IPv6) must be indexed, i.e., 0.0.0.0 - 255.255.255.255. Adding new route entries causes an index rebuild, increasing hardware memory by 0-5 entries depending on the complexity of the routing table. That's why no exact numbers are given. For example, some routing tables containing 240K entries can be fully offloaded to CRS317 HW, while others with 160K entries barely fit. And you will never know until you try.

When indexing the entire IP address range (0.0.0.0 - 255.255.255.255), you can offload as many routes as needed, as long as you also have a default route (0.0.0.0/0) using the same next-hop.

For example, on a CCR2216 router around 950k routes with a /30 prefix are created, all using the same next-hop along with a default route. As a result, all routes were offloaded, while the lmp-usage remained minimal.

[admin@MikroTik] > /interface/ethernet/switch/l3hw-settings/advanced/monitor 
        ipv4-routes-total: 942338
           ipv4-routes-hw: 942326
          ipv4-routes-cpu:     11
  ipv4-shortest-hw-prefix:      0
               ipv4-hosts:      1
         route-queue-size:      0
         route-queue-rate:      0
       route-process-rate:      0
              nexthop-cap:   8192
            nexthop-usage:     85
    vxlan-mtu-packet-drop:      0
     fasttrack-ipv4-conns:      0
     fasttrack-queue-size:      0
     fasttrack-queue-rate:      0
   fasttrack-process-rate:      0
   fasttrack-hw-min-speed:      0
   fasttrack-hw-offloaded:      0
    fasttrack-hw-unloaded:      0
                  lpm-cap:  27200
                lpm-usage:     11
             lpm-bank-cap:   1360
           lpm-bank-usage:      1
                                0
                                0
                                0
                                1
                                0
                                0
                                0
                                4
                                0
                                0
                                0
                                5
                                0
                                0
                                0
                                0
                                0
                                0
                                0
                  pbr-cap:   8192
                pbr-usage:      0
             pbr-lpm-bank:      2
                nat-usage:      0

However, if there are "gaps" in the address range, such as not using a default route or having multiple next-hops, this consumes HW table. When the routing HW table gets full, only routes with longer subnet prefixes are offloaded (/30, /29, /28, etc.) while the CPU processes the shorter prefixes. Here is what happens when the default route gets disabled or different next-hops are used: only 37k routes with a /30 prefix fit in the HW table. This is the worst-case scenario for the CCR2216.

[admin@MikroTik] > /interface/ethernet/switch/l3hw-settings/advanced/monitor 
        ipv4-routes-total: 942337
           ipv4-routes-hw:  37729
          ipv4-routes-cpu: 904608
  ipv4-shortest-hw-prefix:     30
               ipv4-hosts:      1
         route-queue-size:      0
         route-queue-rate:      0
       route-process-rate:      0
              nexthop-cap:   8192
            nexthop-usage:     85
    vxlan-mtu-packet-drop:      0
     fasttrack-ipv4-conns:      0
     fasttrack-queue-size:      0
     fasttrack-queue-rate:      0
   fasttrack-process-rate:      0
   fasttrack-hw-min-speed:      0
   fasttrack-hw-offloaded:      0
    fasttrack-hw-unloaded:      0
                  lpm-cap:  27200
                lpm-usage:  22392
             lpm-bank-cap:   1360
           lpm-bank-usage:   1022
                             1033
                             1027
                             1028
                             1221
                             1033
                             1040
                              678
                             1358
                             1245
                             1254
                             1242
                             1246
                             1249
                             1273
                             1260
                             1101
                             1024
                             1031
                             1027
                  pbr-cap:   8192
                pbr-usage:      0
             pbr-lpm-bank:      2
                nat-usage:      0

In many cases, the default behavior "offloading only routes with longer subnet prefixes" is not optimal, especially if the ratio of CPU-handled routes to HW-offloaded routes is too high. When this happens, the chances of a packet being hardware-forwarded drop significantly.

If HW memory is insufficient and partial offloading occurs, a better approach for you as a network administrator would be to offload only the routes that carry the most traffic while keeping less demanding routes on the CPU, and not letting the partial offloading happen.

Fortunately, there are several ways to manage this. There is per-switch-port and static route suppression, and filtering dynamic routes using a wide range of attributes. One example is to use as-path to filter most demanding prefixes (Google, Meta), while all other routes get L3HW suppressed.

CRS8xx: Switch 98DX7xxx Series

The devices below are based on Marvell 98DX7xxx switch chip models.

danger

The software support for the following features is still in development and not available yet:

  • FastTrack and NAT connection offloading
  • VXLAN offloading
Switch ChipModelsIPv4 Routes 1IPv4 Hosts 2IPv6 Routes 1IPv6 Hosts 2NexthopsIPv4 Fasttrack connectionsIPv4 NAT entriesVXLAN offloadingPer-VLAN packet/byte counters
98DX7335CRS812-8DS-2DQ-2DDQ-RMup to 240Kup to 64Kup to 40Kup to 48K16Kto be announcedto be announcedto be announced+
98DX7335CRS804-4DDQ-hRMup to 240Kup to 64Kup to 40Kup to 48K16Kto be announcedto be announcedto be announced+

1 Depends on the complexity of the routing table. Whole-byte IP prefixes (/8, /16, /24, etc.) occupy less HW space than others (e.g., /22). When the Routing HW table gets full, only routes with longer subnet prefixes are offloaded (/30, /29, /28, etc.) while the CPU processes the shorter prefixes. Users can fine-tune what routes to offload via routing filters (for dynamic routes) or suppressing hardware offload of static routes. IPv4 and IPv6 routing tables share the same hardware memory.
2 98DX7xxx switch chips store directly connected hosts, IPv4 /32 route entries, and IPv6 /128 route entries in the FDB table rather than the routing table. The HW memory is shared between regular FDB L2 entries (MAC), IPv4 addresses, and IPv6 addresses. The number of hosts is also limited by max-neighbor-entries in IP Settings / IPv6 Settings.