Correct way of switch in RouterOS

RouterOS General
1

Hi,

I have a CRS112-8P-4S at home and it’s a great little PoE-switch. I’m using the setup as done in Example 1
https://wiki.mikrotik.com/wiki/Manual:CRS1xx/2xx_series_switches_examples#VLAN

However, I find the configuration a bit… double and redundant..

/interface ethernet switch egress-vlan-tag
add tagged-ports=switch1-cpu,ether1,ether2,ether3,ether4,sfp10,sfp9 vlan-id=50
add tagged-ports=ether1,ether2,ether3,ether4,sfp10,sfp9 vlan-id=55
add tagged-ports=switch1-cpu,ether1,ether2,ether3,ether4,sfp10,sfp9 vlan-id=59

/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=50 ports=ether5
add customer-vid=0 new-customer-vid=50 ports=ether6
add customer-vid=0 new-customer-vid=50 ports=ether7
add customer-vid=0 new-customer-vid=50 ports=ether8
add customer-vid=0 new-customer-vid=50 ports=sfp11
add customer-vid=0 new-customer-vid=50 ports=sfp12

/interface ethernet switch vlan
add ports=switch1-cpu,ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,sfp10,sfp9,sfp12,sfp11 vlan-id=50
add ports=ether1,ether2,ether3,ether4,sfp10,sfp9 vlan-id=55
add ports=switch1-cpu,ether1,ether2,ether3,ether4,sfp10,sfp9 vlan-id=59

/interface bridge
add admin-mac=XXXXXXXXXXXXXXX auto-mac=no igmp-snooping=yes name=bridge1

/interface bridge port
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether2
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether3
add bridge=bridge1 edge=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=50
add bridge=bridge1 edge=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=50
add bridge=bridge1 edge=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether6 pvid=50
add bridge=bridge1 edge=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether7 pvid=50
add bridge=bridge1 edge=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether8 pvid=50
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=sfp9
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=sfp10
add bridge=bridge1 edge=yes frame-types=admit-only-untagged-and-priority-tagged interface=sfp11 pvid=50
add bridge=bridge1 edge=yes frame-types=admit-only-untagged-and-priority-tagged interface=sfp12 pvid=50

/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1,ether2,ether3,ether4,sfp9,sfp10 vlan-ids=1,51-59
add bridge=bridge1 tagged=bridge1,ether1,ether2,ether3,ether4,sfp9,sfp10 untagged=ether5,ether6,ether7,ether8,sfp11,sfp12 vlan-ids=50

/interface vlan
add interface=bridge1 name=vlan50 vlan-id=50
add interface=bridge1 name=vlan59 vlan-id=59

Do I really have to do the same under /interface bridge port and vlan?

Is there a more simple way to do this. Imagine handling several 48-ports devices on an Enterprise and doing everything twice…

2

No. When you do VLANs under /interface ethernet switch, you should not do any VLAN stuff under /interface bridge. In your particular case all setup under /interface bridge is actually ignored because you don’t have vlan-filtering=yes set on bridge1 under /interface bridge.

3

I see. VLAN50 and 59 must reach the CPU since it runs DHCP for VLAN50, and VLAN59 for management. How should the bridge setup look like then?

Something like this?

/interface bridge port
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether2
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether3
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether4
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=sfp9
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=sfp10

/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1,ether2,ether3,ether4,sfp9,sfp10 vlan-ids=1-59

/interface vlan
add interface=bridge1 name=vlan50 vlan-id=50
add interface=bridge1 name=vlan59 vlan-id=59
4

Not quite.
/interface bridge
add admin-mac=XXXXXXXXXXXXXXX auto-mac=no igmp-snooping=yes name=bridge1

/interface bridge port
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether2
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether3
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=sfp9
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=sfp10
add bridge=bridge1 interface=sfp11
add bridge=bridge1 interface=sfp12

/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1,ether2,ether3,ether4,sfp9,sfp10 vlan-ids=1-59

/interface vlan
add interface=bridge1 name=vlan50 vlan-id=50
add interface=bridge1 name=vlan59 vlan-id=59

and drop invalid VLANs in the switching setup
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,sfp9,sfp10,sfp11,sfp12

5

You know there is a great Wiki for this switch:
https://wiki.mikrotik.com/wiki/Manual:CRS1xx/2xx_series_switches_examples

6

Thanks tdw, I have now cleaned up my configuration as you gave example on. Works as good as before.