What are the configuration differences between CRS226 and CRS326

TLDR

I’m planning a new management network for a networking lab. I had a very bad experience with the CRS226 and am whining about it a bit, and asking whether things improved in the newer CRS326, in order to decide whether it is worth more time and investment.

Hello everyone,

Recently I’ve been working on a renovation plan for a networking lab where I need the management network to support everything that will come in the future.

Three days ago I decided to give a chance to the CRS226, which I bought second hand and have never used since. My goal was pretty simple, something that takes 5 minutes on other devices, where most of the time is the switch booting.

Simply 2 trunk interfaces with 3 VLANs configured on them and a few other ports in access mode. I believed this small and simple practice would help me better understand whether I feel confident planning the lab's management network with Mikrotik switches.

Boy oh boy, this simple practice took me 3 days to complete. Following the Mikrotik guides, which even ChatGPT and Perplexity got confused by, I finally managed to achieve my goal.

The CRS226 requires too many entries and settings for a simple access port VLAN configuration, as well as for a trunk port.

Some things need to be added to the bridge, some stuff needs to be managed from the switch; there is no clear way or method to configure things.

1. You need to create a bridge with no VLAN filtering, because if filtering is enabled packets will hit the CPU (something I learned the hard way, which isn't mentioned anywhere).

2. Add the port interfaces to the bridge, although you are never going to use this screen for VLAN management.

3. Create the VLAN on the switch.

4. Add all relevant ports to the VLAN.

5. Learn new terms such as ingress-vlan-translation and egress-vlan-tag.

The CRS226 is a real hassle and I’m asking myself what tomorrow will bring: what would happen if a new guy came to my team, what would the Mikrotik learning curve be for him, is it really worth it?

The actual question is: in the newer version of the switch, let's say the CRS326, did the configuration method get simpler, with a clearer way of doing things?

Can the operator accidentally press a button that causes a performance issue, such as happened to me on the CRS226 when I enabled VLAN filtering on the bridge and HW offload went off?

I’m now at a point where I’m hesitating to order a few CRS326 and CRS317 because of all I’ve been through with the CRS226; I don’t know if it is worth my time and my workplace's investment.

Please share your advice with me if you have experience with those devices.

Well, RouterOS is RouterOS.

A different device may have more (or less) features, but the base OS remains exactly the same.

Mikrotik has some "own" peculiarities (which are relatively fast/easy to learn), but someone with good Linux network knowledge/experience should have no particular issues in getting familiar with how things are done (differently) in RouterOS when compared to Linux.

If you did not manage to learn enough "general" networking, Mikrotik becomes very difficult, particularly VLANs.

A mis-configuration is a mis-configuration, you can create havoc by pressing the "wrong" button (after having got access to the router with credentials, so not easy to do accidentally).

CRS326 easy peasy. :slight_smile:

  1. Assume you have a management vlan from an upstream router

  2. Assume you have a trunk port from upstream router

  3. Add only management vlan to switch

  4. Give it the desired IP address (on the management vlan)

  5. Take one port off the bridge OFFBRIDGEX

  6. Give it an IP address 192.168.77.1/30 interface=OFFBRIDGEX network=192.168.77.0

  7. Plug laptop into the port X, change ipv4 settings to 192.168.77.2 and with username and password get back into the switch and make all further changes from this SAFE location.

  8. Assign a single interface list of TRUSTED and add as members the vlan and the offbridge port

  9. Assign TRUSTED to neighbours discovery and tool mac-server mac-winbox server (modify tool mac-server only to none).

  10. Add bridge ports as required (trunk ports: frame types vlan tagged only; access ports: frame types priority-and-untagged)

  11. Add bridge vlan entries (only the management vlan id gets tagged with the bridge; all other entries are tagged with the TRUNK port to the router, and whatever else is required).

Give it a shot and come back here for questions or help.

https://www.youtube.com/watch?v=YLtGQAQ8iS0&t=1366s&pp=ygUKd2lsbWVyIDMyNg%3D%3D
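A way to check a switch against steps 8 to 10 of the procedure above, as an added example that is not part of the original post: it parses a RouterOS export and lists what still deviates. The export fragment, the names `vlan99-mgmt` and `ether24`, the helper names, and the "all" default for an unset mac-server list are assumptions; the frame-types values are RouterOS's full spellings of the shorthand used in the steps.

```python
import shlex

# Constructed export fragment (not from the thread); names are assumptions.
SAMPLE_EXPORT = """\
/interface bridge port
add bridge=bridge interface=ether1 frame-types=admit-only-vlan-tagged
add bridge=bridge interface=ether2 pvid=20
/interface list member
add list=TRUSTED interface=vlan99-mgmt
add list=TRUSTED interface=ether24
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED
"""

ACCESS = "admit-only-untagged-and-priority-tagged"
TRUNK = "admit-only-vlan-tagged"

def parse_export(text):
    """Map each menu path to the key=value dicts of its add/set lines."""
    menus, path = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            path = line
        elif path and line.split(" ", 1)[0] in ("add", "set"):
            pairs = (t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t)
            menus.setdefault(path, []).append(dict(pairs))
    return menus

def audit(text, trunks=("ether1",)):
    """Return deviations from steps 8-10 (hypothetical helper)."""
    menus, findings = parse_export(text), []
    def setting(path, key, default):
        return next((r[key] for r in menus.get(path, []) if key in r), default)
    # An export omits defaults; "all" as the unset value is an assumption here.
    if setting("/tool mac-server", "allowed-interface-list", "all") != "none":
        findings.append("mac-server is not set to none")
    if setting("/tool mac-server mac-winbox", "allowed-interface-list", "all") != "TRUSTED":
        findings.append("mac-winbox is not limited to TRUSTED")
    if setting("/ip neighbor discovery-settings", "discover-interface-list", "") != "TRUSTED":
        findings.append("neighbor discovery is not limited to TRUSTED")
    for port in menus.get("/interface bridge port", []):
        want = TRUNK if port.get("interface") in trunks else ACCESS
        if port.get("frame-types", "admit-all") != want:
            findings.append(f"{port.get('interface')}: frame-types should be {want}")
    return findings
```

Export lines wrapped with a trailing backslash are not joined by this parser, so unwrap them before feeding a real export to `audit`.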

Yes. The CRS1xx and CRS2xx devices are completely different to other devices when it comes to switching - it’s almost as though the UI exposes the switch chip registers rather than abstracting them.

The CRS3xx and CRS5xx devices all use the same hardware-offloaded VLAN-aware bridge model, so they are much simpler to use. Once set up, switching changes should simply be changing PVID on access/hybrid ports under /interface bridge port and changing tagged membership under /interface bridge vlan.

Thank you, it seems a bit simplified and clear although it was visualized devices.
I still don't get why I need to configure untagged ports in two places, one in bridge vlan and the other in bridge port for the participating port.

Thank you for replying. I agree that a mis-configuration is a mis-configuration, but when the knowledge base is such a mess and there are different configuration methods for every device, I believe that this can cause a higher mis-configuration rate.

I can't remember major differences between Cisco switches and devices configuration over the years.

Thank you for confirming and clarifying that.

For me the easiest way of thinking is:

  • /interface/bridge/port is about ingress.
    What kind of frames are allowed to enter switch from the wire (property frame-types), what do we do with untagged frames if allowed (property pvid), etc.
  • /interface/bridge/vlan is about egress.
    Which VLANs are allowed to exit the switch to the wire via this port. And are they (kept) tagged on the wire?

These two categories are in principle unrelated (recent ROS versions do add some automatic config to the vlan part depending on config in the port part) unless one sets property ingress-filtering=yes on ports in the port part of the config. With this setting, egress VLAN membership also gets applied on ingress (e.g. dropping a frame with VLAN ID set to a value not allowed in the vlan part for a particular port).

To add to the confusion, MT tries to simplify entries for users such that it adds things dynamically; this makes sense for an experienced admin attempting to make complicated or repeated setups, not so good for a new person learning how the router works. For example, if one puts a pvid on a bridge port setting (as one does for both an access port and a hybrid port), the router automatically makes an entry in the /bridge vlan settings (caveat: but only if that pvid has an entry in the /bridge vlan settings).

so for ex.

/interface bridge port
add bridge=bridge frame-types=admit-priority-and-untagged interface=ether2  pvid=20
/interface bridge vlan
add bridge=bridge tagged=ether1(trunk2router),ether3  vlan-id=20

Works because the router dynamically includes ether2 as untagged due to the /bridge port setting that includes pvid=20.

However I always prefer clear communication and understanding and I like to cross check visually so

/interface bridge port
add bridge=bridge frame-types=admit-priority-and-untagged interface=ether2  pvid=20
/interface bridge vlan
add bridge=bridge tagged=ether1(trunk2router),ether3  untagged=ether2  vlan-id=20

Note: Router default is for all /interface bridge port settings to include ingress-filtering=yes.
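The ingress/egress split and the pvid-derived untagged membership described in the two posts above, as an added example that is not part of either post: a simplified model of how a VLAN-aware bridge classifies and floods one frame. It models the behaviour as the posts describe it, not RouterOS's implementation; the port table values are assumptions, the frame-types values are RouterOS's full spellings, and MAC learning and priority-tagged frames are left out.

```python
# Constructed bridge state; port names follow the thread, values are assumptions.
PORTS = {  # /interface bridge port: ingress side
    "ether1": {"frame_types": "admit-only-vlan-tagged", "pvid": 1, "ingress_filtering": True},
    "ether2": {"frame_types": "admit-only-untagged-and-priority-tagged", "pvid": 20,
               "ingress_filtering": True},
    "ether3": {"frame_types": "admit-only-vlan-tagged", "pvid": 1, "ingress_filtering": True},
}
VLANS = {20: {"tagged": {"ether1", "ether3"}, "untagged": set()}}  # /interface bridge vlan: egress side

def members(vid):
    """Egress membership (tagged, untagged) of a VLAN, including pvid-derived ports."""
    entry = VLANS.get(vid)
    if entry is None:  # the caveat in the post: no bridge vlan entry, nothing is added
        return set(), set()
    dynamic = {name for name, cfg in PORTS.items() if cfg["pvid"] == vid}
    return set(entry["tagged"]), (entry["untagged"] | dynamic) - entry["tagged"]

def forward(in_port, tag):
    """Flood one frame; return {egress port: tag on the wire or None}, {} if dropped."""
    cfg = PORTS[in_port]
    if tag is None:
        if cfg["frame_types"] == "admit-only-vlan-tagged":
            return {}                      # trunk port refuses untagged frames
        vid = cfg["pvid"]                  # untagged frame is classified by pvid
    elif cfg["frame_types"] == "admit-only-untagged-and-priority-tagged":
        return {}                          # access port refuses tagged frames
    else:
        vid = tag
    tagged, untagged = members(vid)
    if cfg["ingress_filtering"] and in_port not in tagged | untagged:
        return {}                          # egress membership also applied on ingress
    out = {p: vid for p in tagged if p != in_port}
    out.update({p: None for p in untagged if p != in_port})
    return out
```

A frame tagged with VLAN 30 arriving on ether1 is dropped here because no bridge vlan entry lists ether1 for that VLAN, which is the ingress-filtering effect described above.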

Thanks everyone for replying, but MT switch configuration still makes no sense. My own philosophy says that network devices should be a single point of truth when issues arise, and the configuration should be easy to read for fast analysis; if a device doesn't speak to you, it's just not a good one.

I'm at the point where I really want to give MT switches a go, but its switches don't feel mature enough and are prone to changes in the future.
Personally I'm using MT devices almost everywhere I can.

I'm using Cumulus Linux for data plane use, and it's kind of early days. Cumulus is by far the worst user experience I've ever had and one of the hardest to figure out, but it seems that when it comes to complication, RouterOS switches (CRS) win with their "way too many places to configure a simple thing" ideology.

Can you please explain what 'admit-priority-and-untagged' means?

Yep, but - to be fair - the issue at hand is that the device is chatty, but it is speaking a foreign language that you cannot understand.

I once got a new not-so-smart TV with (I hope by mistake) OSD pre-set in Chinese, it took me hours to find the setting to change the OSD language, with Mikrotik you don't have this possibility, the device speaks Mikrotikish and that's it.

Frame types is what the ingress port will allow for traffic type (access port: it's expecting untagged frames only). The pvid of 20 tells the router to add the tag of vlan20 to the frames upon ingress.
The opposite is tagged-only vlans (trunk port: it's expecting one or more tagged vlans).

In terms of configuring CRS3 switches, it's very similar to pcunite's bible on vlan filtering=yes

and a practical example:
https://www.youtube.com/watch?v=YLtGQAQ8iS0&t=1366s&pp=ygUNd2lsbWVyIGNyczMyNg%3D%3D

Why are you even contemplating CR2 switches, are you planning on using Sony Walkmans??


@anav you have a typo in the way the vlan(s) are specified in /interface bridge vlan.

Should be

/interface bridge vlan
add bridge=bridge tagged=ether1(trunk2router),ether3  vlan-ids=20

or (if you don't like dynamic)

/interface bridge vlan
add bridge=bridge tagged=ether1(trunk2router),ether3  untagged=ether2  vlan-ids=20

Right sorry bout that, will edit..............

This is what I had in hand.

You made it clear that you were planning NEW investments............. so why bother discussing something so old........
pacmen

Oct 24
