Introduction
Many MikroTik devices come with built-in switch chips that usually have an option to do VLAN switching on a hardware level, this means that you can achieve wire-speed performance using VLANs if a proper configuration method is used. The configuration method changes across different models, this guide will focus on setting up a basic trunk/access port set up with a management port from the trunk port using different devices with the right configuration to achieve the best performance and to fully utilize the available hardware components.
CRS3xx, CRS5xx series switches, CCR2116, CCR2216 andRTL8367, 88E6393X, 88E6191X, 88E6190, MT7621 and MT7531 switch chips
/interface bridge add name=bridge1 frame-types=admit-only-vlan-tagged /interface bridge port add bridge=bridge1 interface=ether1 frame-types=admit-only-vlan-tagged add bridge=bridge1 interface=ether2 pvid=20 frame-types=admit-only-untagged-and-priority-tagged add bridge=bridge1 interface=ether3 pvid=30 frame-types=admit-only-untagged-and-priority-tagged /interface bridge vlan add bridge=bridge1 tagged=ether1 vlan-ids=20 add bridge=bridge1 tagged=ether1 vlan-ids=30 add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=99 /interface vlan add interface=bridge1 vlan-id=99 name=MGMT /ip address add address=192.168.99.1/24 interface=MGMT /interface bridge set bridge1 vlan-filtering=yes
More detailed examples can be foundhere.
RTL8367, 88E6393X, 88E6191X,88E6190,MT7621 and MT7531 switch chips can use HW offloaded vlan-filtering since RouterOS v7.
Bridge ports withframe-typesset toadmit-alloradmit-only-untagged-and-priority-taggedwill be automatically added as untagged ports for thepvidVLAN.
CRS1xx/CRS2xx series switches
/interface bridge add name=bridge1 /interface bridge port add bridge=bridge1 interface=ether1 add bridge=bridge1 interface=ether2 add bridge=bridge1 interface=ether3 /interface ethernet switch ingress-vlan-translation add ports=ether2 customer-vid=0 new-customer-vid=20 add ports=ether3 customer-vid=0 new-customer-vid=30 /interface ethernet switch egress-vlan-tag add tagged-ports=ether1 vlan-id=20 add tagged-ports=ether1 vlan-id=30 add tagged-ports=ether1,switch1-cpu vlan-id=99 /interface ethernet switch vlan add ports=ether1,ether2 vlan-id=20 add ports=ether1,ether3 vlan-id=30 add ports=ether1,switch1-cpu vlan-id=99 /interface vlan add interface=bridge1 vlan-id=99 name=MGMT /ip address add address=192.168.99.1/24 interface=MGMT /interface ethernet switch set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether1,ether2,ether3
More detailed examples can be foundhere.
Other devices with a built-in switch chip
/interface bridge add name=bridge1 /interface bridge port add bridge=bridge1 interface=ether1 add bridge=bridge1 interface=ether2 add bridge=bridge1 interface=ether3 /interface ethernet switch vlan add ports=ether1,ether2 switch=switch1 vlan-id=20 add ports=ether1,ether3 switch=switch1 vlan-id=30 add ports=ether1,switch1-cpu switch=switch1 vlan-id=99 /interface vlan add interface=bridge1 vlan-id=99 name=MGMT /ip address add address=192.168.99.1/24 interface=MGMT /interface ethernet switch port set ether1 vlan-mode=secure vlan-header=add-if-missing set ether2 vlan-mode=secure vlan-header=always-strip default-vlan-id=20 set ether3 vlan-mode=secure vlan-header=always-strip default-vlan-id=30 set switch1-cpu vlan-header=leave-as-is vlan-mode=secure
More detailed examples can be foundhere.
Not all devices with a switch chip are capable of VLAN switching on a hardware level, check the supported features for each switch chip, the compatibility table can be foundhere. If a device hasVLAN table支持,那么is capable of VLAN switching using the built-in switch chip. You can check the device's switch chip either in the provided link or by using/interface ethernet switch print
OnQCA8337andAtheros8327switch chips, a defaultvlan-header=leave-as-isproperty should be used. The switch chip will determine which ports are access ports by using thedefault-vlan-idproperty. Thedefault-vlan-idshould only be used on access/hybrid ports to specify which VLAN the untagged ingress traffic is assigned to.
This type of configuration should be used on RouterBOARD series devices, this includes RB4xx, RB9xx, RB2011, RB3011, hAP, hEX, cAP and other devices.
By default, the bridge interface is configured with protocol-mode set torstp. For some devices, this can disable hardware offloading because specific switch chips do not support this feature. See theBridge Hardware Offloadingsection with supported features.
For devices that have multiple switch chips (for example, RB2011, RB3011, RB1100), each switch chip is only able to switch VLAN traffic between ports that are on the same switch chip, VLAN filtering will not work on a hardware level between ports that are on different switch chips, this means you should not add all ports to a single bridge if you are intending to use VLAN filtering using the switch chip, VLANs between switch chips will not get filtered. You can connect a single cable between both switch chips to work around this hardware limitation, another option is to use Bridge VLAN Filtering, but it disables hardware offloading (and lowers the total throughput).
Other devices without a built-in switch chip
It is possible to do VLAN filtering using the CPU, there are multiple ways to do it, but it is highly recommended by using bridge VLAN filtering.
/interface bridge add name=bridge1 frame-types=admit-only-vlan-tagged /interface bridge port add bridge=bridge1 interface=ether1 frame-types=admit-only-vlan-tagged add bridge=bridge1 interface=ether2 pvid=20 frame-types=admit-only-untagged-and-priority-tagged add bridge=bridge1 interface=ether3 pvid=30 frame-types=admit-only-untagged-and-priority-tagged /interface bridge vlan add bridge=bridge1 tagged=ether1 vlan-ids=20 add bridge=bridge1 tagged=ether1 vlan-ids=30 add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=99 /interface vlan add interface=bridge1 vlan-id=99 name=MGMT /ip address add address=192.168.99.1/24 interface=MGMT /interface bridge set bridge1 vlan-filtering=yes
More detailed examples can be foundhere.
Overview
Content Tools