Hello everyone.

I'm planning on placing a CRS317 on the WAN side of things so that I can distribute the incoming connection to several routers. We have 16 static ips and plan on assigning some to a CCR2004 and a few to a couple CHRs. I've never put a switch on the WAN side and want to make sure I set it up securely. Naturally it will also need to be connected to the LAN side so that we can manage it, so I need to make sure the management isn't available on the WAN connections. Currently on the LAN side all management is available on VLAN 200. It would be nice to have the WAN switch management connected to that as well and only available on one port. This would be a trivial setup for me on an actual router, but I need some handholding since it's a switch. Any pointers? Thanks

Confirm if you are doing this under RouterOS or SwitchOS? I ask because of your statement that if it was a router, it would be trivial.
If you are using RouterOS, it would still be trivial.
If you are using SwitchOS, the way I would do it is to create two VLANs. One would be your VLAN 200 Management LAN. That would be assigned to only one port, and Management would be restricted to that one port. Then create a second VLAN (pick almost any number except 1 or 200). All ports other than the Management LAN are assigned to that VLAN. One of those ports connects to your internet connection, and each of the routes connects to other ports on that VLAN. If you are using SwitchOS, I extensively use SwitchOS and am happy to give more details or answer questions.
Note, there are lots of ways of doing this.
Also note, I did exactly what you are doing for many years, except I had up to four consumer grade routers and my DSL modem connected to a dumb hub (yes, it was that long ago).

Thanks for the info k6ccc

For simplicity’s sake I’d like to use switchos, but I have very little experience with it compared to the years I’ve used routeros. I’m sure I can figure out most of what you wrote, but how would I restrict management to one port in switchos? Or I guess how would I limit management to a vlan in switchos?

but how would I restrict management to one port in switchos? Or I guess how would I limit management to a vlan in switchos?

On the System tab, there is a row of checkboxes for "Allow from ports". That is the ports of the switch from which switch management is allowed.
Below that is "Allow from VLAN". That lets you specify which VLAN management traffic is allowed on. A word of warning about that. If a VLAN is specified, then inbound traffic MUST be VLAN tagged with the correct VLAN ID. Even if a port is set with a Default VLAN ID (on the VLAN tab) of the Management VLAN, you can not manage the switch coming into that port with untagged traffic. More than one person has gotten locked out of a switch because of this. Before setting this, do a backup so that if you do lock yourself out, you can do a reset, restore from the backup and then make sure you know what you are expecting.

I don't know this for sure, but isin't there a drastic drop of band speed when the 317 switch is used in router mode? If that is true there might be a unacceptable speed drop on the CCR. Will this be true?