Basic VLAN Switching

Basic VLAN Switching

Summary

This guide explains how to configure basic VLAN switching on MikroTik devices using RouterOS. VLAN switching allows you to segment network traffic using VLAN tags while leveraging hardware offloading for optimal performance. The configuration method varies significantly depending on the switch chip model in your device.

This document covers VLAN switching configuration for:

• CRS3xx, CRS5xx series switches, CCR2116, CCR2216
• CRS1xx/CRS2xx series switches
• Devices with built-in switch chips (RTL8367, 88E6393X, MT7621, etc.)
• Devices without built-in switch chips

Introduction

VLAN switching enables traffic forwarding based on VLAN tags at Layer 2 while maintaining hardware offload capabilities. Unlike basic VLAN filtering, VLAN switching performs actual traffic forwarding based on VLAN IDs at wire speed.

The switch chip in your MikroTik device determines which configuration method to use. Using the wrong configuration method can result in traffic being processed by the CPU instead of being hardware-offloaded, significantly reducing performance.

VLAN Switching on CRS3xx, CRS5xx, CCR2116, CCR2216

Devices with these switch chips support advanced VLAN switching with full hardware offloading. These include the CRS3xx series, CRS5xx series, CCR2116, CCR2216, and devices with RTL8367, 88E6393X, 88E6191X, 88E6190, MT7621, MT7531, and EN7523 switch chips.

Bridge VLAN Filtering Configuration

Create a bridge with VLAN filtering enabled:

/interface bridge
add name=bridge1 vlan-filtering=yes

Add ports to the bridge:

/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3

Configure VLANs on the bridge:

/interface bridge vlan
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=10
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=20
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=30

Configure access ports (ports that strip VLAN tags):

/interface bridge port
add bridge=bridge1 interface=ether2 pvid=10
add bridge=bridge1 interface=ether3 pvid=20

The pvid (Port VLAN ID) parameter assigns incoming untagged traffic to a specific VLAN and automatically removes the VLAN tag when forwarding out of that port.

Example: Trunk Port to Uplink, Access Ports to Devices

This configuration connects ether1 as a trunk port carrying multiple VLANs to an upstream switch or router, while ether2 and ether3 provide untagged access to devices:

/interface bridge
add name=bridge1 vlan-filtering=yes

/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3

/interface bridge vlan
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=10
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=20
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=30

/interface bridge port
add bridge=bridge1 interface=ether2 pvid=10
add bridge=bridge1 interface=ether3 pvid=20

Verify the configuration:

/interface bridge vlan print

Expected output:

Flags: X - disabled, R - runtime
 0 R bridge=bridge1 vlan-ids=10 current-tagged=ether1,bridge1 current-untagged=ether2
 1 R bridge=bridge1 vlan-ids=20 current-tagged=ether1,bridge1 current-untagged=ether3
 2 R bridge=bridge1 vlan-ids=30 current-tagged=ether1,bridge1 current-untagged=<none>

VLAN Switching on CRS1xx/CRS2xx Series

CRS1xx and CRS2xx series switches use a different configuration method through the switch chip menu rather than bridge VLAN filtering.

Example: Trunk and Access Ports

Create the bridge and add ports:

/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether2 hw=yes
add bridge=bridge1 interface=ether6 hw=yes
add bridge=bridge1 interface=ether7 hw=yes
add bridge=bridge1 interface=ether8 hw=yes

Configure ingress VLAN translation to assign VLAN IDs to untagged traffic on access ports:

/interface ethernet switch ingress-vlan-translation
add ports=ether6 customer-vid=0 new-customer-vid=200
add ports=ether7 customer-vid=0 new-customer-vid=300
add ports=ether8 customer-vid=0 new-customer-vid=400

Configure egress VLAN tagging for the trunk port:

/interface ethernet switch egress-vlan-tag
add tagged-ports=ether2 vlan-id=200
add tagged-ports=ether2 vlan-id=300
add tagged-ports=ether2 vlan-id=400

Add VLAN table entries:

/interface ethernet switch vlan
add ports=ether2,ether6 vlan-id=200
add ports=ether2,ether7 vlan-id=300
add ports=ether2,ether8 vlan-id=400

Enable unknown/invalid VLAN filtering:

/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether2,ether6,ether7,ether8

Other Devices with Built-in Switch Chip

Devices with built-in switch chips (such as hAP series, RB750 series, etc.) use the bridge VLAN filtering method similar to CRS3xx series but may have limited offloading capabilities.

Example: Simple VLAN Switching

/interface bridge
add name=bridge1 vlan-filtering=yes

/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3

/interface bridge vlan
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=100
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=200

/interface bridge port
add bridge=bridge1 interface=ether2 pvid=100
add bridge=bridge1 interface=ether3 pvid=200

Management VLAN Configuration

To access the router management interface on a specific VLAN:

/interface bridge vlan
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=99

/interface vlan
add interface=bridge1 name=MGMT vlan-id=99

/ip address
add address=192.168.99.1/24 interface=MGMT

Devices Without Built-in Switch Chip

Devices without a built-in switch chip (such as CCR routers or devices using only the CPU for switching) cannot hardware-offload VLAN switching. However, you can still configure VLAN switching using software bridging.

Limitations

• All VLAN switching traffic is processed by the CPU
• Performance is significantly lower than hardware-offloaded solutions
• Not suitable for high-throughput applications

Configuration

The configuration is similar to devices with switch chips, but you must disable hardware offloading:

/interface bridge
add name=bridge1 vlan-filtering=yes

/interface bridge port
add bridge=bridge1 interface=ether1 hw=no
add bridge=bridge1 interface=ether2 hw=no
add bridge=bridge1 interface=ether3 hw=no

/interface bridge vlan
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=10
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=20

/interface bridge port
add bridge=bridge1 interface=ether2 pvid=10
add bridge=bridge1 interface=ether3 pvid=20

Verifying VLAN Switching

Check VLAN Status

/interface bridge vlan print

Check Bridge Ports

/interface bridge port print

Check Hardware Offloading

Verify that hardware offloading is active:

/interface bridge port print

The hw column shows yes for hardware-offloaded ports. If you see no, the port is being processed by the CPU.

Check MAC Address Table

For CRS3xx and similar devices, you can view the VLAN-aware MAC address table:

/interface bridge mac-table print

Troubleshooting

Traffic Not Being Forwarded

1. Verify VLAN IDs match on trunk ports
2. Ensure pvid is set correctly on access ports
3. Check that VLANs are added to the VLAN table with correct tagged/untagged assignments

No Hardware Offloading

1. Confirm your device has a supported switch chip
2. Ensure hw=yes is set on bridge ports
3. Check that you’re using the correct configuration method for your device

Intermittent Connectivity

1. Check for VLAN ID conflicts
2. Verify the trunk link is properly configured
3. Ensure all VLANs are allowed on trunk ports

See Also

• Bridge VLAN Table
• CRS3xx, CRS5xx, CCR2116, CCR2216 Switch Chip Features
• CRS1xx/2xx Series Switches Examples
• Bridge Hardware Offloading
• VLAN