Mikrotik VLAN Switching

Many MikroTik devices come with a built-in switch chip that usually has an option to do VLAN switching at the hardware level. This means you can achieve wire-speed performance with VLANs if the proper configuration method is used. The configuration method differs across models; this guide focuses on setting up a basic trunk/access port configuration with a management VLAN on the trunk port, using the right configuration for each device to get the best performance and fully use the available hardware.

Many MikroTik devices come with a built-in switch chip that supports VLAN switching at the hardware level. This makes it possible to reach wire speed even with VLANs. There are several configuration options. This guide focuses on the trunk/access port configuration including management on the trunk port, aiming for the best performance on the various devices.

Warning: Not all devices with a switch chip are capable of VLAN switching at the hardware level. Check the supported features for each switch chip; the compatibility table can be found here. If a device has VLAN table support, it is capable of VLAN switching using the built-in switch chip. You can check the device's switch chip either in the provided link or with:

/interface ethernet switch print

Warning: Not all devices with a switch chip support VLAN switching at the hardware level! Check compatibility for each device! If a device has a VLAN switching table, it is supported. On a MikroTik you can check this with the following command:

/interface ethernet switch print

Here is an example from an RB2011LS (mipsbe):

[admin@MikroTik] > /interface ethernet switch print
Flags: I - invalid
 0   switch1  Atheros-8327     none             none
 1   switch2  Atheros-8227     none             none

/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1 hw=yes
add bridge=bridge1 interface=ether2 hw=yes
add bridge=bridge1 interface=ether3 hw=yes
/interface ethernet switch vlan
add ports=ether1,ether2 switch=switch1 vlan-id=20
add ports=ether1,ether3 switch=switch1 vlan-id=30
add ports=ether1,switch1-cpu switch=switch1 vlan-id=99
/interface vlan
add interface=bridge1 vlan-id=99 name=MGMT
/ip address
add address= interface=MGMT
/interface ethernet switch port
set ether1 vlan-mode=secure vlan-header=add-if-missing
set ether2 vlan-mode=secure vlan-header=always-strip default-vlan-id=20
set ether3 vlan-mode=secure vlan-header=always-strip default-vlan-id=30
set switch1-cpu vlan-header=leave-as-is vlan-mode=secure
Bridge -> VLAN filtering on!

More detailed examples can be found here: https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Setup_Examples

Note: This type of configuration should be used on RouterBOARD series devices; this includes RB4xx, RB9xx, RB2011, RB3011, hAP, hEX, cAP and other devices.

Note: By default, the bridge interface is configured with protocol-mode set to rstp. On some devices this disables hardware offloading, because the specific switch chip does not support this feature. See the Bridge Hardware Offloading section for the supported features: https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#Bridge_Hardware_Offloading

Note: For devices that have multiple switch chips (for example RB2011, RB3011, RB1100), each switch chip can only switch VLAN traffic between ports on the same switch chip. VLAN filtering does not work at the hardware level between ports on different switch chips, so you should not add all ports to a single bridge if you intend to use VLAN filtering on the switch chip: VLANs between switch chips will not be filtered. You can connect a single cable between both switch chips to work around this hardware limitation; another option is to use bridge VLAN filtering, but that disables hardware offloading (and lowers the total throughput). https://wiki.mikrotik.com/wiki/Manual:Basic_VLAN_switching#Other_devices_without_a_built-in_switch_chip

It is possible to do VLAN filtering using the CPU. There are multiple ways to do it, but using bridge VLAN filtering is highly recommended.

/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1 hw=no
add bridge=bridge1 interface=ether2 hw=no pvid=20
add bridge=bridge1 interface=ether3 hw=no pvid=30
/interface bridge vlan
add bridge=bridge1 tagged=ether1 untagged=ether2 vlan-ids=20
add bridge=bridge1 tagged=ether1 untagged=ether3 vlan-ids=30
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=99
/interface vlan
add interface=bridge1 vlan-id=99 name=MGMT
/ip address
add address= interface=MGMT
/interface bridge
set bridge1 vlan-filtering=yes

More detailed examples can be found here: https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#Bridge_VLAN_Filtering

Bad Config

/interface bridge
add name=bridge
add name=bridge10
add name=bridge20
add name=bridge30
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface ethernet
set [ find default-name=ether1 ] name=ether1-RPI-TRUNK
set [ find default-name=ether2 ] name=ether2-ISP1-10
set [ find default-name=ether3 ] name=ether3-ISP2-20
set [ find default-name=ether4 ] name=ether4-ISP3-30
set [ find default-name=ether5 ] name=ether5-LAN
/interface vlan
add interface=bridge name=ether1-vlan10 vlan-id=10
add interface=bridge name=ether1-vlan20 vlan-id=20
add interface=bridge name=ether1-vlan30 vlan-id=30
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge interface=ether5-LAN
add bridge=bridge interface=ether1-RPI-TRUNK
add bridge=bridge10 interface=ether2-ISP1-10
add bridge=bridge10 interface=ether1-vlan10
add bridge=bridge20 interface=ether1-vlan20
add bridge=bridge20 interface=ether3-ISP2-20
add bridge=bridge30 interface=ether4-ISP3-30
add bridge=bridge30 interface=ether1-vlan30
/ip dhcp-client
add disabled=no interface=bridge
/ip dns
set servers=,
/system clock
set time-zone-name=Europe/Berlin
/system identity
/system ntp client
set enabled=yes server-dns-names=de.pool.ntp.org
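As an added example (not part of this page and not MikroTik's own tooling), the Python script below parses export-style configuration like the snippets above and audits the three setups on this page: the switch-chip configuration (including the rule from the note above that a VLAN must not span ports on different switch chips, and that an access port's default-vlan-id has a switch VLAN entry containing that port), the bridge VLAN filtering configuration (each pvid has a matching untagged entry, the management VLAN is tagged on the bridge itself so management is not cut off when vlan-filtering is switched on, and vlan-filtering is actually enabled), and the bad config pattern of /interface vlan interfaces used as bridge ports. The sample configs are constructed from the page's snippets; the port-to-switch-chip map (ether1-5 on switch1, ether6-10 on switch2) is an assumption standing in for what /interface ethernet switch port print shows on the real device.

```python
"""Audit RouterOS VLAN configs from /export text. Added example, not MikroTik's tooling; samples are constructed."""
import re
from collections import defaultdict

def parse_export(text):
    """Return {section: [(verb, target, {key: value})]} for the add/set lines of an export."""
    cfg, section = defaultdict(list), None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):                    # section header, e.g. "/interface bridge port"
            section = line
            continue
        (verb, _, rest), target = line.partition(" "), None
        if verb == "set":                           # "set ether1 k=v" or "set [ find ... ] k=v"
            target, rest = re.match(r"(\[.*?\]|\S+)\s*(.*)", rest).groups()
            if "=" in target and not target.startswith("["):   # plain "set k=v" has no target
                rest, target = target + " " + rest, None
        cfg[section].append((verb, target, dict(re.findall(r"(\S+?)=(\S*)", rest))))
    return cfg

def audit_bridge_vlan(cfg):
    """Consistency checks for the bridge VLAN filtering (CPU) style."""
    findings, vlans = [], {}
    for _, _, kv in cfg["/interface bridge vlan"]:          # vlan-id -> (tagged, untagged)
        for vid in kv["vlan-ids"].split(","):
            vlans[vid] = (kv.get("tagged", "").split(","), kv.get("untagged", "").split(","))
    for _, _, kv in cfg["/interface bridge port"]:          # a pvid needs a matching untagged entry
        pvid, port = kv.get("pvid", "1"), kv["interface"]
        if pvid != "1" and port not in vlans.get(pvid, ((), ()))[1]:
            findings.append(f"{port}: pvid {pvid} has no untagged entry in /interface bridge vlan")
    bridges = {kv["name"] for v, _, kv in cfg["/interface bridge"] if v == "add"}
    for _, _, kv in cfg["/interface vlan"]:                 # MGMT VLAN must be tagged on the bridge itself
        if kv["interface"] in bridges and kv["interface"] not in vlans.get(kv["vlan-id"], ((), ()))[0]:
            findings.append(f"{kv['name']}: VLAN {kv['vlan-id']} not tagged on {kv['interface']}, management is cut off once filtering is on")
    on = {t for v, t, kv in cfg["/interface bridge"] if v == "set" and kv.get("vlan-filtering") == "yes"}
    findings += [f"{b}: vlan-filtering=yes is missing, the VLAN table is not enforced" for b in sorted(bridges - on)]
    return findings

def audit_switch_vlan(cfg, port_to_chip):
    """Consistency checks for the switch-chip (hardware) style; port_to_chip maps port -> chip name."""
    findings, members = [], defaultdict(set)                # port -> {vlan-id}
    for _, _, kv in cfg["/interface ethernet switch vlan"]:
        for p in kv["ports"].split(","):
            members[p].add(kv["vlan-id"])
            if port_to_chip.get(p, kv["switch"]) != kv["switch"]:   # VLAN spans two chips: no HW filtering
                findings.append(f"VLAN {kv['vlan-id']}: {p} is not on {kv['switch']}, not filtered in hardware")
    for _, port, kv in cfg["/interface ethernet switch port"]:
        dv = kv.get("default-vlan-id")                      # an access port must be a member of its own VLAN
        if dv and dv not in members[port]:
            findings.append(f"{port}: default-vlan-id {dv} has no switch VLAN entry containing the port")
    return findings

def vlan_interfaces_as_bridge_ports(cfg):
    """The page's 'bad config' pattern: /interface vlan interfaces used as bridge ports."""
    vlan_ifaces = {kv["name"] for _, _, kv in cfg["/interface vlan"]}
    return sorted(kv["interface"] for _, _, kv in cfg["/interface bridge port"] if kv["interface"] in vlan_ifaces)

# Constructed samples, taken from this page's snippets (bridge lines left out of HW_CONFIG).
HW_CONFIG = """/interface ethernet switch vlan
add ports=ether1,ether2 switch=switch1 vlan-id=20
add ports=ether1,ether3 switch=switch1 vlan-id=30
add ports=ether1,switch1-cpu switch=switch1 vlan-id=99
/interface ethernet switch port
set ether1 vlan-mode=secure vlan-header=add-if-missing
set ether2 vlan-mode=secure vlan-header=always-strip default-vlan-id=20
set ether3 vlan-mode=secure vlan-header=always-strip default-vlan-id=30
set switch1-cpu vlan-header=leave-as-is vlan-mode=secure
"""
SW_CONFIG = """/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether2 hw=no pvid=20
add bridge=bridge1 interface=ether3 hw=no pvid=30
/interface bridge vlan
add bridge=bridge1 tagged=ether1 untagged=ether2 vlan-ids=20
add bridge=bridge1 tagged=ether1 untagged=ether3 vlan-ids=30
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=99
/interface vlan
add interface=bridge1 vlan-id=99 name=MGMT
/interface bridge
set bridge1 vlan-filtering=yes
"""
BAD_CONFIG = """/interface bridge
add name=bridge
add name=bridge10
/interface ethernet
set [ find default-name=ether1 ] name=ether1-RPI-TRUNK
/interface vlan
add interface=bridge name=ether1-vlan10 vlan-id=10
/interface bridge port
add bridge=bridge10 interface=ether2-ISP1-10
add bridge=bridge10 interface=ether1-vlan10
"""
# Assumption (RB2011-style layout): ether1-5 on switch1, ether6-10 on switch2.
PORT_TO_CHIP = {f"ether{i}": "switch1" if i <= 5 else "switch2" for i in range(1, 11)}

if __name__ == "__main__":                                  # demo on the constructed samples
    print("switch chip:", audit_switch_vlan(parse_export(HW_CONFIG), PORT_TO_CHIP) or "OK")
    print("bridge vlan:", audit_bridge_vlan(parse_export(SW_CONFIG)) or "OK", "| bad pattern:", vlan_interfaces_as_bridge_ports(parse_export(BAD_CONFIG)))
```

Paste the output of /export from a device into one of the strings (or read it from a file) to run the same checks against a real configuration; a non-empty findings list means the VLAN tables and port settings disagree and the device should be re-checked before vlan-filtering is enabled.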
