I’ve seen a few posts recently in the MikroTik forums and MikroTik Subreddit about the confusing nature of creating native (wirespeed) vlans on the CRS range of hardware and wanted to put together a template that gives you a good idea of how these work, and what the configuration of a few different port types looks like.
While I will go into more detail on this soon – the following (designed for a CRS328-24P-4S+RM) has:
- PC Connected ports
- PC Connected ports with support for an inline VoIP Phone
- Tagged/Untagged ports for Access Point administration and wireless network passthrough
- Untagged port for a server
- Tagged Trunk ports for passing vlans between switches
- Adding an IP address to an Admin vlan for access to the configured switch
Please note this is just a basic guide and doesn’t go into any detail on RSTP or MSTP configuration for preventing loops in the network.
Note 1: All this configuration is done with the devices in “RouterOS” mode, not “SwOS”. I would highly recommend using RouterOS mode for any of these configurations because it gives you access to the Routing functions and Winbox for the device which is useful for any troubleshooting.
Note 2: You should upgrade to at least v6.43.4 in order to avoid any of the early v6.43 switching related bugs
/interface bridge
add comment="Vlan Switch Bridge" name=switchbridge1 protocol-mode=rstp vlan-filtering=yes
/interface bridge port
#interfaces without a defined pvid default to vlan1
add bridge=switchbridge1 interface=ether1 pvid=10 comment="PC - Untagged V10"
add bridge=switchbridge1 interface=ether2 pvid=10 comment="PC - Untagged V10"
add bridge=switchbridge1 interface=ether3 pvid=10 comment="PC - Untagged V10"
add bridge=switchbridge1 interface=ether4 pvid=10 comment="PC - Untagged V10"
add bridge=switchbridge1 interface=ether5 pvid=10 comment="Hybrid - Untagged V10 with tagged V20"
add bridge=switchbridge1 interface=ether6 pvid=10 comment="Hybrid - Untagged V10 with tagged V20"
add bridge=switchbridge1 interface=ether7 pvid=10 comment="Hybrid - Untagged V10 with tagged V20"
add bridge=switchbridge1 interface=ether8 pvid=10 comment="Hybrid - Untagged V10 with tagged V20"
add bridge=switchbridge1 interface=ether9 pvid=123 comment="AP - Untagged V123 with tagged V10"
add bridge=switchbridge1 interface=ether10 pvid=123 comment="AP - Untagged V123 with tagged V10"
add bridge=switchbridge1 interface=ether11 pvid=123 comment="AP - Untagged V123 with tagged V10"
add bridge=switchbridge1 interface=ether12 pvid=123 comment="AP - Untagged V123 with tagged V10"
add bridge=switchbridge1 interface=ether22 pvid=20 comment="VoIP Server - Untagged V20"
add bridge=switchbridge1 interface=ether23 comment="Trunk Port Tagged V10,20,123"
add bridge=switchbridge1 interface=ether24 comment="Trunk Port Tagged V10,20,123"
add bridge=switchbridge1 interface=sfp-sfpplus1 comment="Trunk Port Tagged V10,20,123"
add bridge=switchbridge1 interface=sfp-sfpplus2 comment="Trunk Port Tagged V10,20,123"
add bridge=switchbridge1 interface=sfp-sfpplus3 comment="Trunk Port Tagged V10,20,123"
add bridge=switchbridge1 interface=sfp-sfpplus4 comment="Trunk Port Tagged V10,20,123"
#note switchbridge1 is tagged on the admin vlan we want to allow the Router access to this vlan
/interface bridge vlan
add bridge=switchbridge1 comment="Office VLAN" vlan-ids=10 \
untagged=ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8 \
tagged=ether9,ether10,ether11,ether12,ether23,ether24,sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4
add bridge=switchbridge1 comment="VoIP VLAN" vlan-ids=20 \
untagged=ether22 \
tagged=ether5,ether6,ether7,ether8,ether23,ether24,sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4
add bridge=switchbridge1 comment="Admin VLAN" vlan-ids=123 \
untagged=ether9,ether10,ether11,ether12 \
tagged=ether23,ether24,sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,switchbridge1
/interface vlan
add vlan-id=123 interface=switchbridge1 name=swbr1v123 comment="admin vlan access"
#This switch will be reachable on vlan123
/ip address
add interface=swbr1v123 address=192.168.1.2/24
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1To be updated, but please feel free to submit any questions below!