MikroTik CRS112 Basic switching setup
CRS112-8G-4S-IN CRS112-8P-4S-IN
The MikroTik CRS switches are absolutely awesome! You get a full featured, managed, wire speed switch combined with a SoC running RouterOS.
But on the “downside” the configuration can be very complex and requires some deeper knowledge about switching and linux networking in general – as a linux user you will love it ;)
Step 1 – Create Bridge with hardware offloading#
# STEP-1
# add all ports to the main bridge and enabled hardware offloading
# exclude the dedicated management port ether1 !
/interface bridge
add name=br0 comment="main switching bridge"
/interface bridge port
#add bridge=br0 interface=ether1 hw=yes
add bridge=br0 interface=ether2 hw=yes
add bridge=br0 interface=ether3 hw=yes
add bridge=br0 interface=ether4 hw=yes
add bridge=br0 interface=ether5 hw=yes
add bridge=br0 interface=ether6 hw=yes
add bridge=br0 interface=ether7 hw=yes
add bridge=br0 interface=ether8 hw=yes
add bridge=br0 interface=sfp9 hw=yes
add bridge=br0 interface=sfp10 hw=yes
add bridge=br0 interface=sfp11 hw=yes
add bridge=br0 interface=sfp12 hw=yes
# STEP-1
# add all ports to the main bridge and enabled hardware offloading
# exclude the dedicated management port ether1 !
/interface bridge
add name=br0 comment="main switching bridge"
/interface bridge port
#add bridge=br0 interface=ether1 hw=yes
add bridge=br0 interface=ether2 hw=yes
add bridge=br0 interface=ether3 hw=yes
add bridge=br0 interface=ether4 hw=yes
add bridge=br0 interface=ether5 hw=yes
add bridge=br0 interface=ether6 hw=yes
add bridge=br0 interface=ether7 hw=yes
add bridge=br0 interface=ether8 hw=yes
add bridge=br0 interface=sfp9 hw=yes
add bridge=br0 interface=sfp10 hw=yes
add bridge=br0 interface=sfp11 hw=yes
add bridge=br0 interface=sfp12 hw=yes
# STEP-1 # add all ports to the main bridge and enabled hardware offloading # exclude the dedicated management port ether1 ! /interface bridge add name=br0 comment="main switching bridge" /interface bridge port #add bridge=br0 interface=ether1 hw=yes add bridge=br0 interface=ether2 hw=yes add bridge=br0 interface=ether3 hw=yes add bridge=br0 interface=ether4 hw=yes add bridge=br0 interface=ether5 hw=yes add bridge=br0 interface=ether6 hw=yes add bridge=br0 interface=ether7 hw=yes add bridge=br0 interface=ether8 hw=yes add bridge=br0 interface=sfp9 hw=yes add bridge=br0 interface=sfp10 hw=yes add bridge=br0 interface=sfp11 hw=yes add bridge=br0 interface=sfp12 hw=yes
Step 2 – Configure management interface#
In this example we’re configuring ether1 as dedicated management port (192.168.88.1)
/interface ethernet
# ether1 - management interface; 100mbps in case auto negotiation has been disabled
set [ find default-name=ether1 ] \
comment="management (eth1)" \
speed=100Mbps
# add ip for direct management
/ip address
add address=192.168.88.1/24 comment="direct management" interface=ether1
/interface ethernet
# ether1 - management interface; 100mbps in case auto negotiation has been disabled
set [ find default-name=ether1 ] \
comment="management (eth1)" \
speed=100Mbps
# add ip for direct management
/ip address
add address=192.168.88.1/24 comment="direct management" interface=ether1
/interface ethernet
# ether1 - management interface; 100mbps in case auto negotiation has been disabled
set [ find default-name=ether1 ] \
comment="management (eth1)" \
speed=100Mbps
# add ip for direct management
/ip address
add address=192.168.88.1/24 comment="direct management" interface=ether1
Step 3- Configure VLANs and port tagging#
ether1– management portsfp11,sfp12– tagged uplink ports (vlan100 + vlan200)ether2-ether6,sfp9,sfp10– untagged vlan100ether7,ether8– untagged vlan200
# vlan membership
# -------------------------------------------
# switch vlan config
/interface ethernet switch vlan
# direct management (required due to vlan filtering feature! allows untagged traffic to pass to the cpu on eth8)
add vlan-id=0 \
ports=switch1-cpu,ether1
# main vlan 100 on all ports
add vlan-id=100 \
ports=ether2,ether3,ether5,ether6,sfp9,sfp10,sfp11,sfp12
# WAN VLAN 200 on some ports
add vlan-id=200 \
ports=ether7,ether8,sfp11,sfp12
# ingress mapping (PVID)
# -------------------------------------------
# ingress
/interface ethernet switch ingress-vlan-translation
# vlan 100 untagged on ether2-ether6,sfp9,sfp10
add customer-vid=0 \
new-customer-vid=100 \
ports=ether2,ether3,ether5,ether6
# vlan 200 untagged on ports ether7,ether8
add customer-vid=0 \
new-customer-vid=200 \
ports=ether7,ether8
# tagged egress ports (all other vlan members are untagged!)
# -------------------------------------------
/interface ethernet switch egress-vlan-tag
# tagged ports (all other vlan members are untagged!)
add vlan-id=100 \
tagged-ports=sfp11,sfp12
# tagged WAN (all other vlan members are untagged!)
add vlan-id=200 \
tagged-ports=sfp11,sfp12
# vlan membership
# -------------------------------------------
# switch vlan config
/interface ethernet switch vlan
# direct management (required due to vlan filtering feature! allows untagged traffic to pass to the cpu on eth8)
add vlan-id=0 \
ports=switch1-cpu,ether1
# main vlan 100 on all ports
add vlan-id=100 \
ports=ether2,ether3,ether5,ether6,sfp9,sfp10,sfp11,sfp12
# WAN VLAN 200 on some ports
add vlan-id=200 \
ports=ether7,ether8,sfp11,sfp12
# ingress mapping (PVID)
# -------------------------------------------
# ingress
/interface ethernet switch ingress-vlan-translation
# vlan 100 untagged on ether2-ether6,sfp9,sfp10
add customer-vid=0 \
new-customer-vid=100 \
ports=ether2,ether3,ether5,ether6
# vlan 200 untagged on ports ether7,ether8
add customer-vid=0 \
new-customer-vid=200 \
ports=ether7,ether8
# tagged egress ports (all other vlan members are untagged!)
# -------------------------------------------
/interface ethernet switch egress-vlan-tag
# tagged ports (all other vlan members are untagged!)
add vlan-id=100 \
tagged-ports=sfp11,sfp12
# tagged WAN (all other vlan members are untagged!)
add vlan-id=200 \
tagged-ports=sfp11,sfp12
# vlan membership
# -------------------------------------------
# switch vlan config
/interface ethernet switch vlan
# direct management (required due to vlan filtering feature! allows untagged traffic to pass to the cpu on eth8)
add vlan-id=0 \
ports=switch1-cpu,ether1
# main vlan 100 on all ports
add vlan-id=100 \
ports=ether2,ether3,ether5,ether6,sfp9,sfp10,sfp11,sfp12
# WAN VLAN 200 on some ports
add vlan-id=200 \
ports=ether7,ether8,sfp11,sfp12
# ingress mapping (PVID)
# -------------------------------------------
# ingress
/interface ethernet switch ingress-vlan-translation
# vlan 100 untagged on ether2-ether6,sfp9,sfp10
add customer-vid=0 \
new-customer-vid=100 \
ports=ether2,ether3,ether5,ether6
# vlan 200 untagged on ports ether7,ether8
add customer-vid=0 \
new-customer-vid=200 \
ports=ether7,ether8
# tagged egress ports (all other vlan members are untagged!)
# -------------------------------------------
/interface ethernet switch egress-vlan-tag
# tagged ports (all other vlan members are untagged!)
add vlan-id=100 \
tagged-ports=sfp11,sfp12
# tagged WAN (all other vlan members are untagged!)
add vlan-id=200 \
tagged-ports=sfp11,sfp12
Step 4 – Enable VLAN filtering#
# Enable VLAN filtering
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports="ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,sfp9,sfp10,sfp11,sfp12"
# Enable VLAN filtering
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports="ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,sfp9,sfp10,sfp11,sfp12"
# Enable VLAN filtering /interface ethernet switch set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports="ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,sfp9,sfp10,sfp11,sfp12"