published: 8th of December 2022
I recently purchased a Mikrotik switch for my lab network to replace my ageing Juniper switches. I am documenting the process to get connected and configure common scenarios here for future Brad and anyone else that might be Mikrotik curious.
The following hardware and software was used in this post.
Default connectivity options to configure the device are via the serial console port or by IP with one of the ethernet ports.
The console settings for the CRS326 are as follows:
Parameter | Value |
---|---|
Speed | 115200 |
Data Bits | 8 |
Stop Bits | 1 |
Parity | None |
Flow Control | RTS/CTS |
There is a default network configured that allows you to connect by IP. The default network is 192.168.88.0/24 and the device's IP address is 192.168.88.1. Anything on that subnet can reach the management services, so treat it as a bootstrap network only.
There are a number of tools available to manage Mikrotik devices.
The default username is admin with no password. Set one (user/set admin password=<password>) before the switch is connected to anything other than your laptop.
Upgrading the software is pretty straight forward. Copy the desired image to the root of the file system and reboot. I used the Winbox GUI tool to copy the image to the device and also reboot. A detailed process can be found in the docs here.
The hostname configuration is set in the system/identity/ section.
system/identity/set name=<hostname>
Confirm the hostname with the system/identity/print command.
system/identity/print
name: <hostname>
In Mikrotik land, a bridge is a logical grouping of interfaces. Bridge config lives in the interface/bridge/ section.
The below example creates a bridge, enables VLAN filtering and sets the native VLAN (the bridge's own PVID). Enable vlan-filtering only once the VLAN table below is complete: with filtering on, any port or VLAN that is missing from the table stops passing traffic, and that includes the session you are configuring from.
interface/bridge/add name=<bridge-name> vlan-filtering=yes pvid=<vlan-id>
VLANs are added to bridges and are configured under the interface/bridge/vlan/ section. The bridge is selected with bridge=, not name=.
interface/bridge/vlan/add bridge=<bridge-name> vlan-ids=<vlan-id>
Access ports are defined by listing the interfaces in the untagged property. This only controls egress (frames leave the port with the tag removed); untagged frames entering the port are classified by the port's PVID, which is set in the next step.
interface/bridge/vlan/add bridge=<bridge-name> untagged=<interface-name>,<interface-name> vlan-ids=<vlan-id>
The native VLAN (PVID) for an interface is set when the interface is added to the bridge. For an access port it should match the VLAN the port is untagged in above.
interface/bridge/port/add bridge=<bridge-name> interface=<interface-name> pvid=<vlan-id>
Trunk ports are defined by listing the interfaces in the tagged property. The bridge interface itself must also be a tagged member of every VLAN the switch needs a Layer 3 interface on (the management VLAN at minimum), otherwise the VLAN interface created in the next section receives nothing once filtering is enabled.
interface/bridge/vlan/add bridge=<bridge-name> tagged=<bridge-name>,<interface-name> vlan-ids=<vlan-ids>
VLAN interfaces are logical Layer 3 interfaces assigned to a VLAN that have an IP address and are similar to SVIs or IRBs on other vendor platforms.
The below example configures a VLAN interface and assigns an IP address.
interface/vlan/add interface=<bridge-name> name=<vlan-name> vlan-id=<vlan-id>
ip/address/add address=<ip-address>/<prefix-length> interface=<vlan-name> network=<network-address>
Create a static default route. Routes are configured under the ip/route/ section.
ip/route/add disabled=no dst-address=0.0.0.0/0 gateway=<gateway-ip> routing-table=main suppress-hw-offload=no
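The bridge, VLAN table, VLAN interface and default route above are really one procedure, and the order matters because vlan-filtering can cut off the management session. The script below is an added example and not from the original post; it assumes a fresh device whose ports are not yet members of another bridge, a management VLAN 10 carried on the bridge itself, an access VLAN 20 on ether1 and ether2, a trunk on ether24, and the addresses 192.168.10.2/24 and 192.168.10.1 for the switch and its gateway. Every one of those values is a placeholder for your own network.

```routeros
# Added example, not from the original post. Assumed values:
#   bridge1          - the bridge
#   VLAN 10          - management VLAN, tagged on the bridge itself
#   VLAN 20          - access VLAN for hosts on ether1 and ether2
#   ether24          - trunk to the upstream switch carrying VLANs 10 and 20
#   192.168.10.2/24  - switch management address, gateway 192.168.10.1
# Assumes ether1, ether2 and ether24 are not already in a bridge
# (check with interface/bridge/port/print on a factory-default CRS).

# 1. Create the bridge with VLAN filtering OFF so the VLAN table can be
#    completed before anything is enforced. The bridge's own PVID is left
#    at the default because management traffic reaches the CPU tagged,
#    via the VLAN interface created in step 5.
interface/bridge/add name=bridge1 vlan-filtering=no protocol-mode=rstp

# 2. Access ports: PVID classifies untagged ingress into VLAN 20, and the
#    frame-types/ingress-filtering settings drop tagged frames a host
#    might send to hop into another VLAN.
interface/bridge/port/add bridge=bridge1 interface=ether1 pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
interface/bridge/port/add bridge=bridge1 interface=ether2 pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

# 3. Trunk port: accept only tagged frames, so nothing attached to the
#    trunk can inject untagged traffic into the port's PVID (1 by default).
interface/bridge/port/add bridge=bridge1 interface=ether24 frame-types=admit-only-vlan-tagged ingress-filtering=yes

# 4. VLAN table. bridge1 itself is a tagged member of VLAN 10; without
#    this the management VLAN interface goes silent once filtering is on.
interface/bridge/vlan/add bridge=bridge1 vlan-ids=10 tagged=bridge1,ether24
interface/bridge/vlan/add bridge=bridge1 vlan-ids=20 tagged=ether24 untagged=ether1,ether2

# 5. Layer 3 management interface on VLAN 10, its address and a default route.
interface/vlan/add interface=bridge1 name=vlan10-mgmt vlan-id=10
ip/address/add address=192.168.10.2/24 interface=vlan10-mgmt
ip/route/add dst-address=0.0.0.0/0 gateway=192.168.10.1

# 6. Only now turn filtering on. Do this from the serial console or from a
#    host already on VLAN 10; the default 192.168.88.1 path is not in the
#    VLAN table and will stop working.
interface/bridge/set bridge1 vlan-filtering=yes

# 7. Verify: every port should appear in the VLAN table with the expected
#    tagged/untagged membership, and vlan10-mgmt should be running.
interface/bridge/port/print
interface/bridge/vlan/print
interface/vlan/print
```

If step 7 shows a port with no VLAN membership, fix the table before leaving the console session; a port that is in the bridge but in no VLAN entry is effectively dead once filtering is on.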
DNS servers are set under the ip/dns/ section. Leave allow-remote-requests at no unless the switch is meant to resolve names for other hosts; with it set to yes the device answers DNS queries from anything that can reach it.
ip/dns/set servers=<server-1>,<server-2>
Confirm the DNS configuration with the ip/dns/print command.
ip/dns/print
servers: <server-1>,<server-2>
dynamic-servers:
use-doh-server:
verify-doh-cert: no
allow-remote-requests: no
max-udp-packet-size: 4096
query-server-timeout: 2s
query-total-timeout: 10s
max-concurrent-queries: 100
max-concurrent-tcp-sessions: 20
cache-size: 2048KiB
cache-max-ttl: 1w
cache-used: 28KiB
Confirm name resolution works by pinging a host by domain name.
ping codingpackets.com
SEQ HOST SIZE TTL TIME STATUS
0 13.224.174.66 56 245 24ms339us
1 13.224.174.66 56 245 22ms431us
2 13.224.174.66 56 245 19ms577us
sent=3 received=3 packet-loss=0% min-rtt=19ms577us avg-rtt=22ms115us max-rtt=24ms339us
NTP servers are set under the system/ntp/client/ section.
system/ntp/client/set enabled=yes mode=unicast servers=<server-1>,<server-2>
Confirm the NTP configuration with the system/ntp/client/print command.
system/ntp/client/print
enabled: yes
mode: unicast
servers: <server-1>,<server-2>
vrf: main
freq-drift: 0 PPM
status: synchronized
synced-server: <server-1>
synced-stratum: 2
system-offset: 1.474 ms
See the current time with the system/clock/print command.
system/clock/print
time: 21:07:48
date: dec/08/2022
time-zone-autodetect: yes
time-zone-name: Australia/Brisbane
gmt-offset: +10:00
dst-active: no
LLDP is configured under the ip/neighbor/discovery-settings/ section. The discover-interface-list setting controls which interfaces send and listen for discovery frames; keep it limited to ports facing your own infrastructure, since, as the neighbor detail further down shows, LLDP advertises platform and software version to whatever is plugged in.
ip/neighbor/discovery-settings/set protocol=lldp
Confirm the LLDP configuration with the ip/neighbor/discovery-settings/print command.
ip/neighbor/discovery-settings/print
discover-interface-list: static
lldp-med-net-policy-vlan: disabled
protocol: cdp,lldp,mndp
See the LLDP neighbors with the ip/neighbor/print command.
ip/neighbor/print
Columns: INTERFACE, MAC-ADDRESS, IDENTITY
# INTERFACE MAC-ADDRESS IDENTITY
0 ether1 88:C9:B3:B0:DE:5F
bridge1
1 ether23 54:4B:22:11:AA:BB sw01
bridge1
ip/neighbor/print detail
0 interface=ether1,bridge1 mac-address=88:C9:B3:B0:DE:5F identity="" platform="" version="" unpack=none age=2m40s
system-caps=other,repeater system-caps-enabled=router
1 interface=ether23,bridge1 mac-address=54:4B:22:11:AA:BB identity="sw01" platform="" version="" unpack=none age=24s
interface-name="ge-0/0/7.0" system-description="Juniper Networks, Inc. ex2200-c-12p-2g Ethernet Switch, kernel
JUNOS 15.1R6-S3, Build date: 2017-08-11 09:23:44 UTC Copyright (c) 1996-2017 Juniper Networks,
Inc."
system-caps=bridge,router system-caps-enabled=bridge,router
Generate a TLS cert to assign to the HTTPS web server. I am using a self-signed cert in the below example. Export the root with certificate/export-certificate root-cert and import it into the browsers and tools that will connect, otherwise they will (correctly) warn about the chain.
# Create and sign a Root Cert
certificate/add name=root-cert common-name=<hostname> days-valid=365 key-usage=key-cert-sign,crl-sign key-size=4096
certificate/sign root-cert
# Create and sign a HTTPS cert
certificate/add name=https-cert common-name=<hostname>.<domain> subject-alt-name=IP:<mgmt-ip>,DNS:<hostname> days-valid=365 key-usage=tls-server key-size=4096
certificate/sign ca=root-cert https-cert
Apply the certificate to the HTTPS server for both the www-ssl and api-ssl services, and pin the TLS version to 1.2.
ip/service/set www-ssl certificate=https-cert disabled=no tls-version=only-1.2
ip/service/set api-ssl certificate=https-cert disabled=no tls-version=only-1.2
Out of the box, the device has a lot of services enabled. Disable the unused and plaintext ones.
ip/service/disable www
ip/service/disable ftp
ip/service/disable telnet
ip/service/disable api
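Disabling services removes the plaintext listeners, but the ones that remain (ssh, winbox, www-ssl, api-ssl) still answer on every IP the switch has. The block below is an added example, not from the original post; it assumes the https-cert created above, a management subnet of 192.168.10.0/24 that is the only network allowed to reach the switch, and a placeholder password. It binds each remaining service to that subnet with the address= property, tightens sshd and sets the admin password that ships empty.

```routeros
# Added example, not from the original post. Assumed values:
#   192.168.10.0/24  - management subnet allowed to reach the switch
#   https-cert       - certificate created in the section above
#   <strong-password> - placeholder, replace before running

# The admin account has no password by default; fix that first.
user/set admin password="<strong-password>"

# Restrict every service that stays enabled to the management subnet.
# www-ssl and api-ssl also get the certificate and TLS 1.2 only.
ip/service/set www-ssl address=192.168.10.0/24 certificate=https-cert disabled=no tls-version=only-1.2
ip/service/set api-ssl address=192.168.10.0/24 certificate=https-cert disabled=no tls-version=only-1.2
ip/service/set ssh address=192.168.10.0/24
ip/service/set winbox address=192.168.10.0/24

# Drop legacy ciphers and key exchanges from sshd.
ip/ssh/set strong-crypto=yes

# Plaintext web, ftp, telnet and the plaintext API are off.
ip/service/disable www,ftp,telnet,api
```

After this, ip/service/print shows the subnet in the ADDRESS column for the enabled services and the X flag on the disabled ones; a connection attempt from outside 192.168.10.0/24 is refused rather than reaching the login prompt.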
You can view the service status with the ip/service/print command.
ip/service/print
Flags: X - DISABLED, I - INVALID
Columns: NAME, PORT, ADDRESS, CERTIFICATE, VRF
# NAME PORT ADDRESS CERTIFICATE VRF
0 X telnet 23 main
1 X ftp 21
2 X www 80 main
3 ssh 22 main
4 www-ssl 443 https-cert main
5 X api 8728 main
6 winbox 8291 main
7 api-ssl 8729 https-cert main
In this post I showed you how to configure common network scenarios on a Mikrotik switch running RouterOS. I am pretty happy with the decision to go with a Mikrotik switch. For ~$350 AUD, it's a very capable device that supports a ton of features.
https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge
https://wiki.mikrotik.com/wiki/Manual:Initial_Configuration#Summary
https://help.mikrotik.com/docs/display/ROS/Command+Line+Interface
https://www.timigate.com/2022/11/mikrotik-trunk-and-access-port-configuration.html
https://wiki.mikrotik.com/wiki/Manual:Upgrading_RouterOS
https://forum.mikrotik.com/viewtopic.php?p=839603
https://stubarea51.net/2019/02/06/cisco-to-mikrotik-switching-and-vlans/
https://www.ispsupplies.com/blog/creating-trunk-and-access-ports-on-mikrotik-crs3xx-series-switches
https://wiki.mikrotik.com/wiki/Manual:Simple_Static_Routing
https://help.mikrotik.com/docs/display/ROS/Bridging+and+Switching
https://forum.mikrotik.com/viewtopic.php?t=143620
https://it4allsite.wordpress.com/2019/03/21/trunk-and-access-ports-on-mikrotik-switch-with-routeros/
https://help.mikrotik.com/docs/display/ROS/Serial+Console
https://help.mikrotik.com/docs/display/ROS/Spanning+Tree+Protocol