Preface
This article is translated from Chinese. Please excuse any unnatural phrasing.
Recently I had a job requirement involving VLAN setup on MikroTik’s CRS3xx switches. After some research, the configuration turned out to be different from the CRS1xx I use at home, so I’m sharing the quirky setup process here.
For CRS1xx, refer to my earlier article: My Home Network Setup - Switch Edition (Chinese)
As everyone knows, RouterOS is Linux under the hood — which is exactly why the configuration varies between switch models. GPT wasn’t much help here either, so I’m documenting this myself.
Note: This article contains no screenshots as there were sections I couldn’t capture.
Main Content
Make Sure You Have the Right Model
First, check whether your device has this switch chip:
[admin@MikroTik] > /interface/ethernet/switch/print
Columns: NAME, TYPE, L3-HW-OFFLOADING, QOS-HW-OFFLOADING
# NAME TYPE L3-HW-OFFLOADING QOS-HW-OFFLOADING
0 switch1 Marvell-98DX3257 no no
1 switch2 Atheros-8227 no no
[admin@MikroTik] >
If it matches, you’re good to continue. My specific model for reference:
[admin@MikroTik] > /system/routerboard/print
routerboard: yes
model: CRS354-48G-4S+2Q+
revision: r4
serial-number: xxx
firmware-type: qca9531L
factory-firmware: 7.18.2
current-firmware: 7.18.2
upgrade-firmware: 7.21.3
[admin@MikroTik] >
Create a Bridge
Similar to CRS1xx — first create a software bridge, then add all the VLANs you want to communicate through:
/interface bridge add name=bridge vlan-filtering=yes pvid=1
/interface vlan add interface=bridge name=MGNT vlan-id=888 disabled=no
/interface vlan add interface=bridge name=WAN vlan-id=101 disabled=no
/interface vlan add interface=bridge name=LAN vlan-id=1001 disabled=no
Add VLAN Rules
I’m only showing VLAN 101 here for brevity; the actual config is more complex, so use your imagination.
Access
ether1 = vlan101 = untag
/interface bridge port add bridge=bridge interface=ether1 pvid=101 frame-types=admit-only-untagged-and-priority-tagged
Trunk
/interface bridge port add bridge=bridge interface=sfp-sfpplus1 frame-types=admit-only-vlan-tagged
/interface bridge port add bridge=bridge interface=sfp-sfpplus2 frame-types=admit-only-vlan-tagged
/interface bridge port add bridge=bridge interface=sfp-sfpplus3 frame-types=admit-only-vlan-tagged
/interface bridge port add bridge=bridge interface=sfp-sfpplus4 frame-types=admit-only-vlan-tagged
Hybrid
By analogy:
pvid=101 frame-types=admit-all
Add Bridge VLAN Rules
The tagged here is roughly equivalent to standard Linux bridge VLAN syntax. untagged can be omitted; RouterOS will populate it automatically based on the pvid set earlier (I only discovered this while reviewing the config after the fact). That said, it’s better to include it explicitly.
/interface bridge vlan add bridge=bridge vlan-ids=101 tagged=sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4 untagged=ether1
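An added example, not part of the original article: a small Python check that parses bridge port and bridge vlan lines like the ones above and flags ports whose untagged membership is left implicit or disagrees with their pvid, plus trunk ports that are tagged in no VLAN. The function names and the sample config are constructed for this example; it assumes single VLAN IDs or comma lists in vlan-ids, not ranges.

```python
import shlex

# Constructed sample in the style of this article's config (not a real export).
SAMPLE = """\
/interface bridge port add bridge=bridge interface=ether1 pvid=101 frame-types=admit-only-untagged-and-priority-tagged
/interface bridge port add bridge=bridge interface=sfp-sfpplus1 frame-types=admit-only-vlan-tagged
/interface bridge vlan add bridge=bridge vlan-ids=101 tagged=sfp-sfpplus1 untagged=ether1
"""

def parse(config):
    """Yield (menu, {key: value}) for every '<menu> add key=value ...' line."""
    for line in config.splitlines():
        menu, sep, args = line.strip().partition(" add ")
        if sep:
            yield menu, dict(t.split("=", 1) for t in shlex.split(args) if "=" in t)

def audit(config):
    """Return findings where port settings and the bridge VLAN table disagree."""
    ports, vlans, findings = {}, {}, []
    for menu, kv in parse(config):
        if menu == "/interface bridge port":
            # RouterOS defaults: pvid=1, frame-types=admit-all
            ports[kv["interface"]] = (int(kv.get("pvid", 1)), kv.get("frame-types", "admit-all"))
        elif menu == "/interface bridge vlan":
            for vid in kv["vlan-ids"].split(","):  # assumption: no ranges like 100-200
                entry = vlans.setdefault(int(vid), {"tagged": set(), "untagged": set()})
                for side in ("tagged", "untagged"):
                    entry[side].update(p for p in kv.get(side, "").split(",") if p)
    for name, (pvid, frames) in sorted(ports.items()):
        if frames == "admit-only-vlan-tagged":
            # Trunk port: untagged ingress is dropped, so only tagged lists matter.
            if not any(name in v["tagged"] for v in vlans.values()):
                findings.append(f"{name}: trunk port is not tagged in any VLAN")
            continue
        # Access or hybrid port: untagged ingress is classified into pvid.
        entry = vlans.get(pvid)
        if entry is None or name not in entry["untagged"]:
            findings.append(f"{name}: untagged membership in VLAN {pvid} is implicit")
        for vid, v in sorted(vlans.items()):
            if vid != pvid and name in v["untagged"]:
                findings.append(f"{name}: untagged in VLAN {vid} but pvid is {pvid}")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE) or "no findings")
```

An empty result means every access or hybrid port is explicitly listed as untagged in the VLAN its pvid points to, and every trunk port carries at least one tagged VLAN.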
Basic ACL
The switch also supports a limited set of ACL rules. Here’s roughly how it works.
First, find out which switch chip your bridge is using — most likely switch1. ether49 is the management port and runs on a separate switch chip:
[admin@MikroTik]> /interface/ethernet/switch/port/print
Flags: R - RUNNING
Columns: NAME, SWITCH, L3-HW-OFFLOADING, STORM-RATE
# NAME SWITCH L3-HW-OFFLOADING STORM-RATE
0 qsfpplus1-1 switch1 yes 100
...
8 R sfp-sfpplus1 switch1 yes 100
...
12 R ether1 switch1 yes 100
...
60 R ether49 switch2 yes 100
So the pattern is clear — add ACL rules against switch1 to get basic Layer 4 filtering:
/interface/ethernet/switch/rule add switch=switch1 protocol=tcp dst-port=23 new-dst-ports="" comment="ban telnet anywhere"
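Note there’s no explicit drop/reject action. Instead, matched traffic is redirected via new-dst-ports="" to a non-existent interface, causing the packets to be silently discarded. Because the rule is attached to switch1, it only matches traffic on that chip’s ports; ether49 sits on switch2, so traffic entering there is not covered by this rule.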
Conclusion
This is quite a peculiar device. Managing a switch with a Linux mindset is already rare, and it’s even rarer for the commands to differ based on the switch chip hardware.
And don’t expect to run Layer 3 NAT on this CPU:
[admin@MikroTik] > /system/resource/print
uptime: 8m56s
version: 7.21.3 (stable)
build-time: 2026-02-12 13:10:04
factory-software: 7.16.2
free-memory: 75.4MiB
total-memory: 128.0MiB
cpu: MIPS 24Kc V7.4
cpu-count: 1
cpu-frequency: 650MHz
cpu-load: 100%
free-hdd-space: 19.8MiB
total-hdd-space: 32.0MiB
write-sect-since-reboot: 385
write-sect-total: 5750
architecture-name: mipsbe
board-name: CRS354-48G-4S+2Q+
platform: MikroTik
[admin@MikroTik] >
That’s all.
End