MikroTik CRS112 Basic switching setup

CRS112-8G-4S-IN CRS112-8P-4S-IN

The MikroTik CRS switches are absolutely awesome! You get a full featured, managed, wire speed switch combined with a SoC running RouterOS.
But on the “downside” the configuration can be very complex and requires some deeper knowledge about switching and linux networking in general – as a linux user you will love it ;)

Step 1 – Create Bridge with hardware offloading#

# STEP-1
# add all ports to the main bridge and enabled hardware offloading
# exclude the dedicated management port ether1 !

/interface bridge
add name=br0 comment="main switching bridge"

/interface bridge port
#add bridge=br0 interface=ether1 hw=yes
add bridge=br0 interface=ether2 hw=yes
add bridge=br0 interface=ether3 hw=yes
add bridge=br0 interface=ether4 hw=yes
add bridge=br0 interface=ether5 hw=yes
add bridge=br0 interface=ether6 hw=yes
add bridge=br0 interface=ether7 hw=yes
add bridge=br0 interface=ether8 hw=yes
add bridge=br0 interface=sfp9 hw=yes
add bridge=br0 interface=sfp10 hw=yes
add bridge=br0 interface=sfp11 hw=yes
add bridge=br0 interface=sfp12 hw=yes

Step 2 – Configure management interface#

In this example we’re configuring ether1 as dedicated management port (192.168.88.1)

/interface ethernet

# ether1 - management interface; 100mbps in case auto negotiation has been disabled
set [ find default-name=ether1 ] \
    comment="management (eth1)" \
    speed=100Mbps

# add ip for direct management
/ip address
add address=192.168.88.1/24 comment="direct management" interface=ether1

Step 3- Configure VLANs and port tagging#

  • ether1 – management port
  • sfp11,sfp12 – tagged uplink ports (vlan100 + vlan200)
  • ether2-ether6,sfp9,sfp10 – untagged vlan100
  • ether7,ether8 – untagged vlan200
# vlan membership
# -------------------------------------------

# switch vlan config
/interface ethernet switch vlan

# direct management (required due to vlan filtering feature! allows untagged traffic to pass to the cpu on eth8)
add vlan-id=0 \
    ports=switch1-cpu,ether1

# main vlan 100 on all ports
add vlan-id=100 \
    ports=ether2,ether3,ether5,ether6,sfp9,sfp10,sfp11,sfp12

# WAN VLAN 200 on some ports
add vlan-id=200 \
    ports=ether7,ether8,sfp11,sfp12

# ingress mapping (PVID)
# -------------------------------------------

# ingress
/interface ethernet switch ingress-vlan-translation

# vlan 100 untagged on ether2-ether6,sfp9,sfp10
add customer-vid=0 \
    new-customer-vid=100 \
    ports=ether2,ether3,ether5,ether6

# vlan 200 untagged on ports ether7,ether8
add customer-vid=0 \
    new-customer-vid=200 \
    ports=ether7,ether8

# tagged egress ports (all other vlan members are untagged!)
# -------------------------------------------
/interface ethernet switch egress-vlan-tag

# tagged ports (all other vlan members are untagged!)
add vlan-id=100 \
    tagged-ports=sfp11,sfp12

# tagged WAN (all other vlan members are untagged!)
add vlan-id=200 \
    tagged-ports=sfp11,sfp12

Step 4 – Enable VLAN filtering#

# Enable VLAN filtering
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports="ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,sfp9,sfp10,sfp11,sfp12"

Additional resources#

July 5, 2020 - This entry was posted in: Uncategorized