Mikrotik – Cloud Router Switch – Switch Chip VLANs


Mikrotik – CRS – Switch Chip VLANs

Well, this all came in last week — 8x Cloud Router Switches (CRS125-24G-1S), 33x WAPs, 4x BaseBox 2s, and a 12 Port Fiber Switch (CRS212-1G-10S-1S+), enough gear to hook together an a minor-league baseball stadium, fun stuff!

TWhat did I get myself into with this much gear?his post is regarding how to use the CRS Switch Chip. The CRS series operates very differently than the standard RouterOS featureset. The CPU is very weak in these devices — any heavy lifting should be handled internally by the switch chip. Think of it as a separate processor specialized for passing traffic contained entirely within the switch-chip — it can understand VLANs, protocols, and the data passing through without burdening the CPU, but is not intended for functions like firewall rules or Layer3 (IP) routing.

If you are using a CRS, the Switch menu has six additional submenus under it, not visible under a standard RouterOS Router.

  1. ACL – Access Control List — Allow/Deny rules based on MAC Addresses
  2. FDB – Forwarding Database — Cache / Remembered MAC addresses for which ports — E.g. your laptop is connected on ETH23, your desktop on ETH5.
  3. Ports – Physical Ports – A lot fo settings here, the most important is how the ethernet interfaces are linked together.
  4. QoS – Quality of Service – Priority of Traffic under load (VOIP is more important than bulk data)
  5. Settings – Definitions for the switch to use, pretty advanced
  6. VLAN – Virtual Local Area Network — The rules affecting traffic as they pass through the switch, for separating traffic through the use of trunk ports.

We are going to focus on #6, as that is the submenu I find most useful, and have spent too much time working on 😉


Trunk vs Access

Let’s start with a simple picture of a trunk port, vs access ports.

Trunk: A “master” wire, that carries the data of multiple VLANs to another destination to be split up — on the other side is another smart/managed switch or a router able to understand VLANs.

Access: A “standard” wire, that carries data to/from devices like computers or printers.

In this very simple example — not including a router to transfer traffic between VLANs or to the internet– computers on VLAN100 can only talk to other computers in VLAN100, computers in VLAN300 to other machines in VLAN300, and they all share a single trunk fiber (SFP) carrying the data of all three VLANs.

VLAN Tagging

A VLAN Tag is an ID number assigned to data as it travels through an interface. The tags are used to define where the traffic ends up — what network it belongs to. Most commonly, traffic comes in as untagged access traffic (VLAN 0,) the switch then “tags” the traffic with a VLAN ID (e.g. VLAN100) as it passes through a specific port. Now that the switch has a tag, the traffic will be directed somewhere depending on what rules the Switch Chip or Router follow.

Ingress (Inbound) and Egress (Outbound)

Ingress simply means traffic going into the switch, and Egress means traffic leaving the switch. The reason these terms are used instead of inbound or outbound, is Egress/Ingress contains ALL of the data passing through, not just the data that matters, but headers, VLAN tags, MAC addresses, every single 1 and 0 related to the traffic going through. Inbound/Outbound are often related to traffic going into/leaving your site via the internet. Ingress/Egress can be for example, leaving (egress) the master router to be received (ingress) by a switch, which then sends data (egress) to your desktop (ingress).

Configuring VLANs via the Switch Chip

There are three things that matter to get a VLAN working on a Mikrotik Cloud Router Switch.

  • The VLAN Table – What VLANs are allowed to communicate on which ports. It’s a rule-list for which VLANs can talk on which physical plugs.
    • The ports allowed to “Speak” VLAN800 are ETH1, ETH8-20, and SFP1.
    • The ports allowed to “Speak” VLAN900 are ETH1, ETH8, ETH21-24, SFP1.
  • Ingress VLAN Translation – If it comes in (Access) with VLAN X, tag it with VLAN Y.
    • Ingress VLAN Translation, traffic on ports ETH21-24 coming in with a Customer VLAN ID of 0 (Access), will be tagged with Customer VLAN ID 900. Ports ETH9-20 coming in as VLAN0 (access) will be tagged with VLAN800.
  • Egress VLAN Tagging – If it goes out this physical plug (Trunk), add on this VLAN tag.
    • I am using ports ETH1 and SFP1 – either can be used as the trunk port.

That’s all that is needed for the switch chip to assign VLANs. If it comes in on an access (ingress) port, add on a VLAN ID tag, then send out the tag through the trunk (egress). It then depends on the receiving switch/router to understand the traffic it is getting.

If I plugged my laptop into ETH21, I would be on VLAN900. If I plugged my laptop into ETH9, I would be on VLAN800.


In this “in-production scenario”, the traffic was going out SFP1, and into SFP2 into a Fiber Switch, which then passed traffic via it’s one ethernet port (ETH1), to the Router’s ETH3.

Getting the traffic to flow between ports is quite straight-forward. Interfaces > VLAN > Add > ID# – apply to each physical interface.

For example, if I want Fibers SFP2, SFP3, and ETH1 to all communicate on the VLAN800 network, I just make a VLAN tag and apply to each physical interface. Each physical interface with that tag on it will be “on that VLAN ID’s network”, able to talk with each other.

In addition, you can still have standard access traffic — for Example, the Cloud Router Switch if it has an IP on it, will still speak “access, VLAN0” on it’s primary port. This can be helpful for standard switching, or managing your switches from a central point. You can stick an IP address onto your trunk (access), in addition to having VLANs assigned under that trunk. Powerful stuff. In my example, ports ETH2-ETH7 are not given a VLAN tag — those are standard access ports, and they will communicate over SFP1 with everything else. In this example, I was connected to ETH5, I would be on standard access traffic. Since SFP1 and ETH are in the switching interfaces I’m just another part of the network, no VLANs involved.

By default, your VLANs are isolated, but the Master Router (which knows everything that is inside the network), may let traffic be visible between them. To stop this, simply use firewall rules on your master router, and block by inbound/outbound bridges, interfaces/VLANS, or IP ranges — depending on what setup you are using.


Hoping that was helpful, good luck, and have fun!

Leave a Reply

Your email address will not be published. Required fields are marked *