10 gigabit inter-VLAN with a Mikrotik RB4011

10 gigabit inter-VLAN with a Mikrotik RB4011

Something I see pop up fairly regularly on a few of the forums, Discords, and subreddits that I hang out on is that the RB4011 is not capable of 10 gigabit routing

Guess what?

THAT’S WRONG

I’d be lying if I said that this xkcd wasn’t me sometimes:

Of course, whenever this pops up I’m not in a position to demonstrate the proof. It definitely can go almost full 10Gb.

But you say, it’s only got a single SFP+ port!

That’s what full-duplex is for!

I’ve got a number of these devices and have tested them extensively. The RB4011 is definitely capable of 10 gigabit routing, in a router-on-a-stick fashion.

The Proof

As this is something that comes up almost weekly, I have decided it’s time to officially document an RB4011 going almost full 10 gigabit.

For this setup, I reset the config on a RB4011 to empty, spun up a simple Debian VM, and connected an existing host and the VM through the RB4011.

As you can see, the hacky result on my desktop:

The Configs:

This config is about as simple as it gets. Two VLANs on the sfp-sfpplus1 interface, and IP addresses on the respective interfaces.

# jan/02/1970 00:27:33 by RouterOS 6.45.5
# software id = K5KS-T8WB
#
# model = RB4011iGS+
# serial number = xxxxxxxxxx
/interface vlan
add interface=sfp-sfpplus1 name=VLAN22 vlan-id=22
add interface=sfp-sfpplus1 name=VLAN2222 vlan-id=2222
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip address
add address=10.22.22.10/24 interface=VLAN22 network=10.22.22.0
add address=10.222.222.1/24 interface=VLAN2222 network=10.222.222.0

VLAN2222 is a new VLAN I spun up for this test, and VLAN22 is an existing VLAN on my network, where a host is running iperf3 -s

The Debian VM is also very straightforward. ESXi, with a few vCPUs (sometimes at higher iperf3 tests, the CPU can get tapped out), and network connected to VLAN2222

A static IP and default route, and we are ready to roll:


The Results

The results sort of speak for themselves. With an iperf3 to a host on VLAN22 (two streams), we have no issues going 10Gb:

10Gb yo

With a single stream, it fairs moderately worse:

Note that is on a basic 1500 MTU network, so I did not set jumbo frames.

And what’s the CPU doing during this?

Firewalls and IPv6

While I’m not going to do it here, I have done testing in the past with IPv6 and firewalling:

  • With a fairly extensive firewall, the RB4011 will still do 10Gb, as long as fast track is enabled!! The CPU in this scenario runs at about 80%
  • IPv6 performance is abysmal, which is part of the reason I’ve started moving away from these.
  • Without fasttrack, the CPU will be at 100% at about 1.6Gbps. IPv6 can’t use fasttrack, therefore IPv6 inter-VLAN stalls out at less than 2Gbps.

3 Comments

  1. Jørn Madsen

    Hi
    I just bought 2 4011’s (and 2 HaPac2’s),- and startet testing. Beautiful, well made boxes.
    I had an RB1100AHx4 running, always thinking it needed a sfp interface,- and then Mikrotik made one with sfp+!! Nice move.
    I think the 4011 gonna be a success. It can take a lot of beating (ipv4).
    Cheers
    Jørn Madsen

  2. Christian Palecel

    Ipv6 doesn’t use connection tracking at all, therefore fasttrack it is not needed. If you can avoid nat with static subnets, keep fastpath active by avoiding complex firewall rules and queues(there is a list), as well as keep resources low then all of the mikrotiks will perform well. Usually correlating with their clock speed and cpu count.

Leave a Reply

Your email address will not be published. Required fields are marked *