# Switch Ports and VLAN Configuration
## TL;DR (Quick Start)

For the impatient: basic trunk and access port setup with VLANs.
```
# Create bridge (VLAN filtering disabled initially)
/interface/bridge/add name=bridge1 vlan-filtering=no

# Add trunk port (tagged VLANs only)
/interface/bridge/port/add bridge=bridge1 interface=ether1 frame-types=admit-only-vlan-tagged

# Add access ports (untagged, with PVID)
/interface/bridge/port/add bridge=bridge1 interface=ether2 pvid=10
/interface/bridge/port/add bridge=bridge1 interface=ether3 pvid=20

# Configure VLAN table
/interface/bridge/vlan/add bridge=bridge1 tagged=ether1 untagged=ether2 vlan-ids=10
/interface/bridge/vlan/add bridge=bridge1 tagged=ether1 untagged=ether3 vlan-ids=20

# Enable VLAN filtering (do this last!)
/interface/bridge/set bridge1 vlan-filtering=yes
```

If you manage the router through one of these ports, add the management VLAN (see "Scenario: Management VLAN Access") before the last command; once filtering is on, the access ports only carry VLAN 10/20 and the trunk only accepts tagged frames, so an untagged management session on VLAN 1 through them stops working.

Verify with:

```
/interface/bridge/port/print
# Look for the "H" flag indicating hardware offloading
```

## Overview

What this does: Configures switch ports for VLAN segmentation, allowing you to separate traffic into virtual networks on the same physical infrastructure. MikroTik offers two approaches: bridge VLAN filtering (recommended) and direct switch chip configuration (legacy).
When to use this:
- Separating network segments (guest, IoT, management, etc.)
- Connecting to other switches via trunk ports
- Implementing access ports for end devices
- Optimizing performance with hardware offloading
Prerequisites:
- Bridge interface created
- Understanding of VLAN concepts (tagged vs untagged)
- Physical ports not already in use by another bridge
### Two Configuration Approaches
Bridge VLAN Filtering (Recommended): Unified interface across all devices, hardware offloading where supported.
Switch Chip Configuration (Legacy): Direct hardware access, device-specific, maximum control on supported chips.
This guide focuses on bridge VLAN filtering. See the Reference section for switch chip commands.
## Configuration Steps

### Step 1: Create Bridge (VLAN Filtering Disabled)

Always start with VLAN filtering disabled to avoid losing management access:

```
/interface/bridge/add name=bridge1 vlan-filtering=no
```

### Step 2: Add Trunk Port

Trunk ports carry multiple VLANs with tags. Configure the port to accept only tagged frames. Without `frame-types`, an untagged frame arriving on the trunk is placed in the port's PVID (1 by default) and is switched to every other port still sitting on VLAN 1, including the bridge itself:

```
/interface/bridge/port/add bridge=bridge1 interface=ether1 frame-types=admit-only-vlan-tagged
```

### Step 3: Add Access Ports

Access ports connect end devices. Set the PVID (Port VLAN ID) for each, and restrict the port to untagged and priority-tagged frames so a connected host cannot inject tagged frames for some other VLAN:

```
# VLAN 10 for office devices
/interface/bridge/port/add bridge=bridge1 interface=ether2 pvid=10 \
    frame-types=admit-only-untagged-and-priority-tagged

# VLAN 20 for guest devices
/interface/bridge/port/add bridge=bridge1 interface=ether3 pvid=20 \
    frame-types=admit-only-untagged-and-priority-tagged
```

### Step 4: Configure VLAN Table

Define which ports belong to which VLANs:

```
# VLAN 10: trunk (tagged) + ether2 (untagged)
/interface/bridge/vlan/add bridge=bridge1 tagged=ether1 untagged=ether2 vlan-ids=10

# VLAN 20: trunk (tagged) + ether3 (untagged)
/interface/bridge/vlan/add bridge=bridge1 tagged=ether1 untagged=ether3 vlan-ids=20
```

### Step 5: Enable VLAN Filtering

Critical: Only enable after all configuration is complete, including the management VLAN if you administer the router through this bridge:

```
/interface/bridge/set bridge1 vlan-filtering=yes
```

### Step 6: Verify Hardware Offloading

Check that ports show hardware offloading:

```
/interface/bridge/port/print
```

Expected output:

```
Flags: I - INACTIVE; H - HW-OFFLOAD
 #   INTERFACE  BRIDGE   HW   PVID  PRIORITY  PATH-COST  HORIZON
 0 H ether1     bridge1  yes     1      0x80         10  none
 1 H ether2     bridge1  yes    10      0x80         10  none
 2 H ether3     bridge1  yes    20      0x80         10  none
```

The "H" flag indicates hardware offloading is active.
## Common Scenarios

### Scenario: Management VLAN Access

Allow router management through a dedicated VLAN. The bridge interface itself (`bridge1`) must be a tagged member of the VLAN; that is what delivers VLAN 99 frames to the CPU, and without it the VLAN interface created below never sees traffic:

```
# Add management VLAN with bridge as tagged member
/interface/bridge/vlan/add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=99

# Create VLAN interface for management
/interface/vlan/add interface=bridge1 name=vlan99-mgmt vlan-id=99

# Assign IP address
/ip/address/add address=192.168.99.1/24 interface=vlan99-mgmt
```

Order Matters: Configure the management VLAN and IP address before enabling `vlan-filtering=yes`, or you will lose access to the router.
### Scenario: Multiple VLANs on Trunk Port

Add several VLANs to a trunk connection:

```
# Add multiple VLANs at once
/interface/bridge/vlan/add bridge=bridge1 tagged=ether1,ether8 vlan-ids=10,20,30,99
```

### Scenario: Hybrid Port (Tagged + Untagged)

A port that sends one VLAN untagged and others tagged (common for VoIP phones with PC passthrough). The port has to admit both frame types, so it needs `frame-types=admit-all`; pair it with ingress filtering (next scenario) so the PC cannot tag its way into a VLAN the port is not a member of. If VLAN 10 already has an entry from Step 4, extend that entry's untagged list rather than adding a second entry for the same VLAN:

```
# Port carries VLAN 10 untagged (for PC) and VLAN 100 tagged (for phone)
/interface/bridge/port/add bridge=bridge1 interface=ether4 pvid=10 frame-types=admit-all

/interface/bridge/vlan/add bridge=bridge1 untagged=ether4 vlan-ids=10
/interface/bridge/vlan/add bridge=bridge1 tagged=ether1,ether4 vlan-ids=100
```

### Scenario: Enable Ingress Filtering (Security)

Block traffic from unauthorized VLANs. With `ingress-filtering=yes` a frame is dropped unless the ingress port is a member of the frame's VLAN in the bridge VLAN table (the tag's VID, or the PVID for untagged and priority-tagged frames). Without it, any port that admits tagged frames can inject traffic into any VLAN the bridge knows about. The setting only takes effect once `vlan-filtering=yes` is set on the bridge:

```
/interface/bridge/port/set [find bridge=bridge1] ingress-filtering=yes
```
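The decisions made in Steps 2 to 5 and in the hybrid-port and ingress-filtering scenarios above can be checked on paper with a small model. The following is an added example written for this page, not code from it or from MikroTik: it encodes the rules as the guide states them (frame-types admission, PVID classification of untagged and priority-tagged frames, the dynamic untagged PVID membership, ingress filtering against the VLAN table, tagged/untagged egress), so it is a reasoning aid, not a substitute for testing on a device. Port names and VLAN IDs are constructed to mirror the guide's layout, plus one spare port (`ether5`) left at defaults:

```python
"""Model of the bridge VLAN filtering decisions described in this guide.

Added example, not code from the page or from MikroTik. It encodes the
rules as the guide states them; verify on real hardware before relying
on it. Port names and VLAN IDs below are constructed for the demo.
"""
from __future__ import annotations

from dataclasses import dataclass, field

PRIORITY_TAGGED = 0  # an 802.1Q tag carrying VID 0


@dataclass
class Port:
    name: str
    pvid: int = 1
    frame_types: str = "admit-all"
    ingress_filtering: bool = False


@dataclass
class VlanTable:
    tagged: dict[int, set[str]] = field(default_factory=dict)
    untagged: dict[int, set[str]] = field(default_factory=dict)

    def add(self, vlan_id: int, tagged=(), untagged=()) -> None:
        self.tagged.setdefault(vlan_id, set()).update(tagged)
        self.untagged.setdefault(vlan_id, set()).update(untagged)

    def members(self, vlan_id: int) -> set[str]:
        return self.tagged.get(vlan_id, set()) | self.untagged.get(vlan_id, set())


class Bridge:
    def __init__(self, ports: list[Port], table: VlanTable):
        self.ports = {p.name: p for p in ports}
        self.table = table
        for p in ports:  # each PVID adds a dynamic untagged membership (the "D" entries in vlan/print)
            self.table.add(p.pvid, untagged=[p.name])

    def classify(self, port_name: str, vid: int | None) -> int | None:
        """VLAN the frame is placed in, or None if dropped at ingress.
        vid is None for untagged, 0 for priority-tagged, else the 802.1Q VID."""
        port = self.ports[port_name]
        is_tagged = vid not in (None, PRIORITY_TAGGED)
        if port.frame_types == "admit-only-vlan-tagged" and not is_tagged:
            return None
        if port.frame_types == "admit-only-untagged-and-priority-tagged" and is_tagged:
            return None
        vlan = vid if is_tagged else port.pvid
        if port.ingress_filtering and port_name not in self.table.members(vlan):
            return None
        return vlan

    def egress(self, vlan: int, out_port: str) -> str | None:
        """'tagged', 'untagged', or None when the port is not a member (egress drop)."""
        if out_port in self.table.tagged.get(vlan, set()):
            return "tagged"
        if out_port in self.table.untagged.get(vlan, set()):
            return "untagged"
        return None

    def forward(self, in_port: str, vid: int | None, out_port: str):
        """(vlan, egress form) when the frame is admitted, else None."""
        vlan = self.classify(in_port, vid)
        return None if vlan is None else (vlan, self.egress(vlan, out_port))


def build(trunk_frame_types: str, ingress_filtering: bool) -> Bridge:
    """The guide's layout: ether1 trunk, ether2/ether3 access, ether4 hybrid, ether5 untouched."""
    access = "admit-only-untagged-and-priority-tagged"
    ports = [
        Port("ether1", 1, trunk_frame_types, ingress_filtering),
        Port("ether2", 10, access, ingress_filtering),
        Port("ether3", 20, access, ingress_filtering),
        Port("ether4", 10, "admit-all", ingress_filtering),
        Port("ether5", 1, "admit-all", ingress_filtering),  # forgotten spare port, defaults
    ]
    table = VlanTable()
    table.add(10, tagged=["ether1"], untagged=["ether2", "ether4"])
    table.add(20, tagged=["ether1"], untagged=["ether3"])
    table.add(100, tagged=["ether1", "ether4"])
    return Bridge(ports, table)


if __name__ == "__main__":
    # Two hostile probes and one legitimate frame, under a loose and a hardened configuration
    probes = [("ether4", 20, "ether3"), ("ether1", None, "ether5"), ("ether2", None, "ether1")]
    for label, bridge in (("loose", build("admit-all", False)),
                          ("hardened", build("admit-only-vlan-tagged", True))):
        for in_port, vid, out_port in probes:
            print(f"{label:8} {in_port} vid={vid!s:4} -> {out_port}: {bridge.forward(in_port, vid, out_port)}")
```

With `build("admit-all", False)` the model shows two classic holes: a tagged VLAN 20 frame from the PC behind the hybrid port `ether4` is switched into the guest VLAN, and an untagged frame on the trunk lands in VLAN 1 and reaches the forgotten `ether5`. With `build("admit-only-vlan-tagged", True)` both are dropped at ingress while office, guest and phone traffic still passes.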
### Scenario: Inter-VLAN Routing

Route between VLANs on the router:

```
# Create VLAN interfaces
/interface/vlan/add interface=bridge1 name=vlan10 vlan-id=10
/interface/vlan/add interface=bridge1 name=vlan20 vlan-id=20

# Assign IP addresses (act as gateway for each VLAN)
/ip/address/add address=192.168.10.1/24 interface=vlan10
/ip/address/add address=192.168.20.1/24 interface=vlan20

# Routing happens automatically between directly connected networks
```

Two caveats. The CPU only receives VLAN 10 and 20 if `bridge1` is a tagged member of those VLANs in the bridge VLAN table, exactly as for the management VLAN above. And "automatically" cuts both ways: once both interfaces have addresses, guest hosts can reach the office network unless firewall filter rules in the forward chain block it, so segmentation at layer 2 is only as strong as the firewall between the VLAN interfaces.

### Scenario: Storm Control (CRS3xx)

Limit broadcast/multicast flooding to prevent storms:

```
/interface/ethernet/switch/port/set ether1 storm-rate=1 \
    limit-broadcasts=yes limit-unknown-unicasts=yes limit-unknown-multicasts=yes
```

Note: `storm-rate` is a percentage of port speed, so `storm-rate=1` on a 1 Gbps port caps the selected traffic types at roughly 10 Mbps.
### Scenario: Port Mirroring for Monitoring

Mirror traffic from one port to a monitoring port:

```
# Hardware mirroring (switch chip)
/interface/ethernet/switch/set switch1 mirror-source=ether2 mirror-target=ether5

# Or software mirroring (bridge)
/interface/bridge/set bridge1 mirror-source=ether2 mirror-target=ether5
```

Mirror parameter names differ between switch chips, so check the properties your model exposes before copying these lines. Treat the mirror target as a sensitive port: whatever is plugged into it sees everything crossing the source port, including any cleartext credentials.

### Scenario: Rate Limiting per Port

Limit bandwidth on a specific port:

```
# Hardware rate limiting (if supported), values in bits per second
/interface/ethernet/switch/port/set ether2 ingress-rate=100000000 egress-rate=50000000

# Software rate limiting (works on all devices)
/queue/simple/add name=ether2-limit target=ether2 max-limit=100M/50M
```

The simple queue only shapes traffic the CPU handles (routed traffic, or bridged traffic that is not hardware offloaded); frames switched between ports in the switch chip never pass through it.

## Verification

Confirm your switch port configuration is working:
### Check 1: Verify Bridge Ports and Offloading

```
/interface/bridge/port/print
```

Expected: Ports listed with "H" flag for hardware offloading.

### Check 2: Verify VLAN Table

```
/interface/bridge/vlan/print
```

Expected: VLANs with correct tagged/untagged port assignments. Entries flagged "D" are dynamic: the bridge adds one for each port's PVID, so a port you forgot to configure shows up here as an untagged member of VLAN 1.

### Check 3: Monitor Port Status

```
/interface/bridge/port/monitor [find interface=ether1]
```

Expected: status: in-bridge, forwarding: yes.

### Check 4: View MAC Address Table

```
/interface/bridge/host/print
```

Expected: MAC addresses learned on correct ports/VLANs.

### Check 5: Check Switch Chip Capabilities

```
/interface/ethernet/switch/print
```

Shows available hardware features for your device.
## Troubleshooting

| Symptom | Cause | Solution |
|---|---|---|
| No “H” flag on bridge ports | Device doesn’t support HW offload, or config incompatible | Check switch chip capabilities; verify configuration |
| Lost management access after enabling VLAN filtering | Management traffic filtered | Configure management VLAN before enabling filtering |
| VLANs not working between ports | Ports on different switch chips | Include bridge as tagged member of all cross-chip VLANs |
| VLAN interface on bridge port doesn’t work | Bridge captures traffic before VLAN | Create VLAN interfaces on bridge, not slave ports |
| Unexpected VLAN membership | PVID auto-adds untagged membership | Use frame-types=admit-only-vlan-tagged on trunks |
| Unauthorized VLAN traffic passing | Ingress filtering disabled | Enable ingress-filtering=yes on ports |
| LLDP/802.1X/LACP not working | STP filtering reserved addresses | Set protocol-mode=none on bridge if no loops |
| High CPU with switch traffic | Hardware offloading not working | Verify “H” flag; check chip compatibility |
## Multi-Switch-Chip Devices

Some devices (the RB4011, for example) have more than one switch chip; `/interface/ethernet/switch/print` shows how the ports of your model are grouped. Traffic between ports on different chips goes through the CPU and is not hardware offloaded.

Solution: Include the bridge as a tagged member for any VLAN that needs to cross chips:

```
/interface/bridge/vlan/add bridge=bridge1 tagged=ether1,ether10,bridge1 vlan-ids=10
```

### Debug: Check Hardware Offload Group

```
/interface/bridge/port/print detail
```

Ports in the same `hw-offload-group` can communicate at wire speed.
## Common Mistakes
- Enabling VLAN filtering before configuring management access - Always set up management VLAN first
- Creating VLAN interfaces on slave ports - Must be on the bridge interface, not individual ports
- Forgetting `frame-types` on trunk ports - PVID will auto-add the port as an untagged member of VLAN 1
- Assuming hardware offloading works - Always verify with the "H" flag in the port list
- Mixing bridge and switch chip VLAN config - Use one approach, not both
- Not enabling ingress filtering - Unauthorized VLAN traffic may still pass
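The mistakes listed above and in the Troubleshooting table can be caught before `vlan-filtering=yes` is set by linting an `/export`. The following is an added example written for this page, not code from the page or from MikroTik. It reads the export format (a section line such as `/interface bridge port`, then `add` lines of key=value pairs, long lines wrapped with a trailing backslash) and reports trunks that admit untagged frames, ports without explicit ingress filtering, ports left on VLAN 1, VLAN interfaces created on slave ports, and VLAN interfaces on the bridge whose VLAN does not carry the bridge as a tagged member. The finding codes and the export text are constructed for the demo and deliberately contain several mistakes:

```python
"""Pre-flight lint for a RouterOS bridge VLAN configuration export.

Added example, not code from the page or from MikroTik. The checks
encode the guide's Common Mistakes; the export below is constructed
for the demo and intentionally wrong in several places.
"""
from __future__ import annotations

import shlex

SAMPLE_EXPORT = """\
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface bridge port
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \\
    interface=ether1
add bridge=bridge1 ingress-filtering=yes interface=ether2 pvid=10
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
/interface bridge vlan
add bridge=bridge1 tagged=ether1,ether8 vlan-ids=20,30
add bridge=bridge1 tagged=ether1 untagged=ether2 vlan-ids=10
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=99
/interface vlan
add interface=ether2 name=vlan10-bad vlan-id=10
add interface=bridge1 name=vlan20 vlan-id=20
add interface=bridge1 name=vlan99-mgmt vlan-id=99
"""


def parse_export(text: str) -> list[tuple[str, str, dict[str, str]]]:
    """(section, verb, {key: value}) for every add/set line; joins backslash-wrapped lines."""
    records, section, pending = [], "", ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1] + " "
            continue
        pending = ""
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        verb, *args = shlex.split(line)
        records.append((section, verb, dict(a.split("=", 1) for a in args if "=" in a)))
    return records


def vlan_ids(spec: str) -> set[int]:
    """Expand a vlan-ids value such as '10,20-22' into {10, 20, 21, 22}."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def members(entry: dict[str, str], key: str) -> set[str]:
    return set(filter(None, entry.get(key, "").split(",")))


def lint(export_text: str) -> list[str]:
    """Findings as 'CODE subject: explanation' strings; empty list means no issue found."""
    recs = parse_export(export_text)
    bridges = {r["name"]: r for s, v, r in recs if s == "/interface bridge" and v == "add"}
    ports = {r["interface"]: r for s, _, r in recs if s == "/interface bridge port"}
    vlans = [r for s, _, r in recs if s == "/interface bridge vlan"]
    vifs = [r for s, _, r in recs if s == "/interface vlan"]
    findings = []

    trunks = {p for v in vlans for p in members(v, "tagged")}
    static = trunks | {p for v in vlans for p in members(v, "untagged")}
    for name, p in ports.items():
        ft = p.get("frame-types", "admit-all")
        if name in trunks and ft != "admit-only-vlan-tagged":
            findings.append(f"TRUNK-ADMITS-UNTAGGED {name}: frame-types={ft}, untagged frames land in PVID {p.get('pvid', '1')}")
        if p.get("ingress-filtering") != "yes":
            findings.append(f"NO-INGRESS-FILTER {name}: set ingress-filtering=yes explicitly")
        if name not in static and "pvid" not in p:
            findings.append(f"DEFAULT-VLAN1 {name}: no VLAN table entry and default PVID, port sits in VLAN 1")
    for vif in vifs:
        parent, vid = vif["interface"], int(vif["vlan-id"])
        if parent in ports:
            findings.append(f"VLAN-ON-SLAVE {vif['name']}: parent {parent} is a bridge port, create it on {ports[parent]['bridge']}")
        elif parent in bridges and not any(vid in vlan_ids(v["vlan-ids"]) and parent in members(v, "tagged")
                                           for v in vlans if v.get("bridge") == parent):
            findings.append(f"CPU-NOT-TAGGED {vif['name']}: add {parent} to tagged= of VLAN {vid} or the CPU never sees it")
    for name, b in bridges.items():
        if b.get("vlan-filtering") == "yes" and not any(name in members(v, "tagged") for v in vlans):
            findings.append(f"LOCKOUT-RISK {name}: filtering on but bridge tagged in no VLAN, management only via untagged PVID {b.get('pvid', '1')}")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_EXPORT):
        print(finding)
```

On a live router, paste the output of `/export` into the script in place of the sample; `CPU-NOT-TAGGED` and `LOCKOUT-RISK` are the two findings to clear before enabling filtering, the others are the VLAN-hopping exposures from the table above.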
## Hardware Offloading Support Matrix

| Device/Chip | Bridge VLAN | Storm Control | Rate Limit | Notes |
|---|---|---|---|---|
| CRS3xx/CRS5xx | Yes (HW) | Yes | Yes | Full L2/L3 offload |
| CRS1xx/CRS2xx | Limited | No | Limited | Older chips |
| RB4011 | Yes (2 chips) | No | No | Cross-chip = CPU |
| RB5009 | Yes | No | No | Check chip layout with /interface/ethernet/switch/print |
| hEX/hAP (MT7621) | Yes (v7+) | No | No | Good HW offload in v7 |
| CCR/CHR | Yes (CPU) | No | No | Software only |
## Related Topics

### Bridge & VLAN

- Bridge Configuration - Layer 2 forwarding fundamentals
- Bridge VLAN Filtering - VLAN configuration
- VLAN Configuration - creating VLAN interfaces for routing

### Switch Features

- Switch Rules - hardware ACLs
- Bonding/LACP - link aggregation

### Security

- 802.1X - port-based access control
- Firewall Basics - traffic filtering

### Reference

- MikroTik Basic VLAN Switching
- MikroTik Bridge VLAN Table
- MikroTik Switch Chip Features
- MikroTik Layer2 Misconfiguration
## Key Properties Reference

### Bridge Port Properties (/interface/bridge/port)

| Property | Type | Default | Description |
|---|---|---|---|
| bridge | string | - | Bridge interface name (required) |
| interface | string | - | Physical interface (required) |
| pvid | integer | 1 | Port VLAN ID for untagged traffic (1-4094) |
| frame-types | enum | admit-all | Ingress frame filtering |
| ingress-filtering | yes/no | no (v6; verify on v7 with print detail) | Drop frames whose VLAN does not list this port in the VLAN table |
| hw | yes/no | yes | Enable hardware offloading |
| trusted | yes/no | no | DHCP snooping trusted port |
| edge | enum | auto | Edge port for (R)STP |
| bpdu-guard | yes/no | no | Disable port on BPDU receive |
| horizon | integer | none | Split-horizon group |
| broadcast-flood | yes/no | yes | Allow broadcast flooding |
| unknown-unicast-flood | yes/no | yes | Allow unknown unicast flooding |
### Frame-Types Values

| Value | Use Case |
|---|---|
| admit-all | Default, accepts all frames |
| admit-only-untagged-and-priority-tagged | Access port |
| admit-only-vlan-tagged | Trunk port |
### Bridge VLAN Properties (/interface/bridge/vlan)

| Property | Type | Default | Description |
|---|---|---|---|
| bridge | string | - | Bridge interface (required) |
| vlan-ids | integer/range | - | VLAN ID(s) 1-4094 (required) |
| tagged | interface list | - | Ports sending tagged frames |
| untagged | interface list | - | Ports stripping VLAN tags |
### Switch Port Properties (/interface/ethernet/switch/port)

| Property | Type | Default | Description |
|---|---|---|---|
| vlan-mode | enum | fallback | VLAN table checking mode |
| vlan-header | enum | leave-as-is | Egress VLAN tag handling |
| default-vlan-id | integer | 1 | Default VLAN for untagged |
| storm-rate | integer | 100 | Storm control threshold (% of port speed) |
| ingress-rate | integer | 0 | Ingress rate limit (bps) |
| egress-rate | integer | 0 | Egress rate limit (bps) |
| mirror | yes/no | no | Enable port mirroring |
### VLAN Mode Values (Switch Chip)

| Value | Behavior |
|---|---|
| disabled | Ignore the VLAN table |
| fallback | Tagged frames whose VID is in the table follow it; frames with a VID not in the table are still forwarded |
| check | Drop tagged frames whose VID is not in the table; untagged frames are placed in default-vlan-id |
| secure | As check, and also drop frames whose ingress port is not a member of that VID's table entry |