Intro

I recently purchased a Mikrotik switch for my lab network to replace my ageing Juniper switches. I am documenting the process to get connected and configure common scenarios here for future Brad and anyone else that might be Mikrotik curious.

Lab Environment

The following hardware and software were used in this post.

  • Mikrotik CRS326-24G-2S+ - RouterOS 7.6

Administration

Connectivity

Default connectivity options to configure the device are via the serial console port or by IP with one of the ethernet ports.

The console settings for the CRS326 are as follows:

Parameter     Value
Speed         115200
Data Bits     8
Stop Bits     1
Parity        None
Flow Control  RTS/CTS

There is a default network configured that allows you to connect by IP. The default network is 192.168.88.0/24 and the device's IP address is 192.168.88.1.

Management Tools

There are a number of tools available to manage Mikrotik devices.

  • CLI via Telnet or SSH.
  • HTTP via WebFig and REST API.
  • On Windows, the Winbox application (PC Master Race FTW).

Default Credentials

The default username is admin with no password.

Software Update

Upgrading the software is pretty straightforward. Copy the desired image to the root of the file system and reboot. I used the Winbox GUI tool to copy the image to the device and also to reboot it. A detailed process can be found in the Mikrotik docs.

Hostname

The hostname configuration is set in the system/identity/ section.

cmd
system/identity/set name=<hostname>

Confirm the hostname with the system/identity/print command.

cmd
system/identity/print 

name: <hostname>

Bridge

In Mikrotik land, a bridge is a logical grouping of interfaces. Bridge config lives in the interface/bridge/ section.

The below example creates a bridge, enables VLAN filtering and sets the native VLAN.

cmd
interface/bridge/add name=<bridge-name> vlan-filtering=yes pvid=<vlan-id>

VLAN

VLANs are added to bridges and are configured under the interface/bridge/vlan/ section.

cmd
interface/bridge/vlan/add bridge=<bridge-name> vlan-ids=<vlan-id>

Access Port

Access ports are defined by applying the untagged property to an interface.

cmd
interface/bridge/vlan/add bridge=<bridge-name> untagged=<interface-name>,<interface-name> vlan-ids=<vlan-id>

The native VLAN (PVID) for an interface is set when the interface is added to the bridge.

cmd
interface/bridge/port/add bridge=<bridge-name> interface=<interface-name> pvid=<vlan-id>

Trunk Port

Trunk ports are defined by applying the tagged property to an interface.

cmd
interface/bridge/vlan/add bridge=<bridge-name> tagged=ether15 vlan-ids=<vlan-ids>

VLAN Interface

VLAN interfaces are logical Layer 3 interfaces assigned to a VLAN. They carry an IP address and are similar to SVIs or IRBs on other vendor platforms.

The below example configures a VLAN interface and assigns an IP address.

cmd
interface/vlan/add interface=<bridge-name> name=<vlan-name> vlan-id=<vlan-id>
ip/address/add address=<ip-address>/<prefix-length> interface=<vlan-name> network=<network-address>
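The Bridge, VLAN, Access Port, Trunk Port and VLAN Interface sections above are the steps of one procedure, and on a 24-port switch it is easy to lose track of which port is untagged where. As an added example (not code from the original post), the following Python script turns a small declarative port plan into the interface/bridge commands in the form shown above. The bridge name, interface names and VLAN ids are constructed assumptions. It also makes the bridge itself a tagged member of any VLAN that gets a Layer 3 VLAN interface, which is required for the switch CPU to receive that VLAN's frames once vlan-filtering=yes.

```python
"""Generate RouterOS 7 bridge VLAN configuration from a declarative port plan.

Added example, not from the original post. The emitted commands follow the
interface/bridge/, interface/bridge/port/, interface/bridge/vlan/ and
interface/vlan/ syntax shown in the post; the plan below is constructed.
"""
import re
from collections import defaultdict

# Constructed plan (assumed names): access ports map to their untagged VLAN,
# trunk ports to the list of VLANs they carry tagged.
BRIDGE = "bridge1"
ACCESS_PORTS = {"ether2": 10, "ether3": 10, "ether4": 20}
TRUNK_PORTS = {"ether15": [10, 20, 99], "ether16": [10, 20]}
# VLANs that get a Layer 3 VLAN interface on the switch itself.
L3_VLANS = {99: "vlan99-mgmt"}


def _natural(name):
    """Sort key so ether2 sorts before ether15."""
    return [int(p) if p.isdigit() else p for p in re.split(r"(\d+)", name)]


def build_vlan_commands(bridge=BRIDGE, access=ACCESS_PORTS, trunks=TRUNK_PORTS,
                        l3_vlans=L3_VLANS, native_vlan=1):
    """Return the ordered list of RouterOS commands for the plan."""
    overlap = set(access) & set(trunks)
    if overlap:
        raise ValueError(f"ports cannot be both access and trunk: {sorted(overlap)}")
    cmds = [f"interface/bridge/add name={bridge} vlan-filtering=yes pvid={native_vlan}"]

    # Every port joins the bridge. Access ports get their pvid here, so untagged
    # ingress frames land in the right VLAN (the post's native VLAN step).
    for port in sorted(set(access) | set(trunks), key=_natural):
        line = f"interface/bridge/port/add bridge={bridge} interface={port}"
        if port in access:
            line += f" pvid={access[port]}"
        cmds.append(line)

    # Collect tagged/untagged membership per VLAN id: one vlan/add per VLAN,
    # the form the post uses (untagged=<if>,<if> / tagged=<if> vlan-ids=<id>).
    untagged, tagged = defaultdict(list), defaultdict(list)
    for port, vid in access.items():
        untagged[vid].append(port)
    for port, vids in trunks.items():
        for vid in vids:
            tagged[vid].append(port)
    # The bridge itself must be a tagged member of any VLAN that carries a
    # VLAN interface, otherwise the CPU never sees those frames when
    # vlan-filtering=yes.
    for vid in l3_vlans:
        tagged[vid].append(bridge)

    for vid in sorted(set(untagged) | set(tagged)):
        line = f"interface/bridge/vlan/add bridge={bridge}"
        if tagged[vid]:
            line += " tagged=" + ",".join(sorted(tagged[vid], key=_natural))
        if untagged[vid]:
            line += " untagged=" + ",".join(sorted(untagged[vid], key=_natural))
        cmds.append(line + f" vlan-ids={vid}")

    # Layer 3 interfaces ride on the bridge, as in the VLAN Interface section.
    for vid, name in sorted(l3_vlans.items()):
        cmds.append(f"interface/vlan/add interface={bridge} name={name} vlan-id={vid}")
    return cmds


if __name__ == "__main__":
    print("\n".join(build_vlan_commands()))
```

Run it and paste the output into the RouterOS CLI (or review it in a change request first). Keeping the plan in one place makes it obvious when a port is accidentally listed as both access and trunk, which the script rejects rather than emitting contradictory commands.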

Static Route

Create a static default route. Routes are configured under the ip/route/ section.

cmd
ip/route/add disabled=no dst-address=0.0.0.0/0 gateway=<gateway-ip> routing-table=main suppress-hw-offload=no

DNS Client

DNS servers are set under the ip/dns/ section.

cmd
ip/dns/set servers=<server-1>,<server-2>

Confirm the DNS configuration with the ip/dns/print command.

cmd
ip/dns/print

                    servers: <server-1>,<server-2>
            dynamic-servers: 
             use-doh-server: 
            verify-doh-cert: no
      allow-remote-requests: no
        max-udp-packet-size: 4096
       query-server-timeout: 2s
        query-total-timeout: 10s
     max-concurrent-queries: 100
max-concurrent-tcp-sessions: 20
                 cache-size: 2048KiB
              cache-max-ttl: 1w
                 cache-used: 28KiB

Confirm name resolution works by pinging a host by domain name.

cmd
ping codingpackets.com

SEQ HOST                                     SIZE TTL TIME       STATUS                                              
  0 13.224.174.66                              56 245 24ms339us 
  1 13.224.174.66                              56 245 22ms431us 
  2 13.224.174.66                              56 245 19ms577us 
  sent=3 received=3 packet-loss=0% min-rtt=19ms577us avg-rtt=22ms115us max-rtt=24ms339us

NTP Client

NTP servers are set under the system/ntp/client/ section.

cmd
system/ntp/client/set enabled=yes mode=unicast servers=<server-1>,<server-2>

Confirm the NTP configuration with the system/ntp/client/print command.

cmd
system/ntp/client/print

       enabled: yes
          mode: unicast
       servers: <server-1>,<server-2>
           vrf: main
    freq-drift: 0 PPM
        status: synchronized
 synced-server: <server-1>
synced-stratum: 2
 system-offset: 1.474 ms

See the current time with the system/clock/print command.

cmd
system/clock/print

                time: 21:07:48
                date: dec/08/2022
time-zone-autodetect: yes
      time-zone-name: Australia/Brisbane
          gmt-offset: +10:00
          dst-active: no

LLDP Client

LLDP is configured under the ip/neighbor/discovery-settings/ section.

cmd
ip/neighbor/discovery-settings/set protocol=lldp

Confirm the LLDP configuration with the ip/neighbor/discovery-settings/print command.

cmd
ip/neighbor/discovery-settings/print 

 discover-interface-list: static
lldp-med-net-policy-vlan: disabled
                protocol: cdp,lldp,mndp

See the LLDP neighbors with the ip/neighbor/print command.

cmd
ip/neighbor/print

Columns: INTERFACE, MAC-ADDRESS, IDENTITY
#  INTERFACE  MAC-ADDRESS        IDENTITY
0  ether1     88:C9:B3:B0:DE:5F          
   bridge1                               
1  ether23    54:4B:22:11:AA:BB  sw01    
   bridge1

Note

Detailed output can be obtained by adding the detail keyword to the command.

cmd
ip/neighbor/print detail
 
0 interface=ether1,bridge1 mac-address=88:C9:B3:B0:DE:5F identity="" platform="" version="" unpack=none age=2m40s 
  system-caps=other,repeater system-caps-enabled=router 

1 interface=ether23,bridge1 mac-address=54:4B:22:11:AA:BB identity="sw01" platform="" version="" unpack=none age=24s 
  interface-name="ge-0/0/7.0" system-description="Juniper Networks, Inc. ex2200-c-12p-2g Ethernet Switch, kernel 
                  JUNOS 15.1R6-S3, Build date: 2017-08-11 09:23:44 UTC Copyright (c) 1996-2017 Juniper Networks, 
                  Inc." 
  system-caps=bridge,router system-caps-enabled=bridge,router
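The detail output above is also a useful inventory source: a device that suddenly appears on an access port, or a known neighbor whose identity changes, is worth a look. As an added example (not code from the original post), the Python below parses ip/neighbor/print detail records into dictionaries and compares them with an allowlist of expected neighbors. The two records are taken from the post's own output; the allowlist KNOWN_NEIGHBORS is a constructed assumption.

```python
"""Inventory check over RouterOS 'ip/neighbor/print detail' output.

Added example, not from the original post. The records below are the two
shown in the post; KNOWN_NEIGHBORS is a constructed allowlist.
"""
import re
import shlex

NEIGHBOR_DETAIL = """\
0 interface=ether1,bridge1 mac-address=88:C9:B3:B0:DE:5F identity="" platform="" version="" unpack=none age=2m40s
  system-caps=other,repeater system-caps-enabled=router

1 interface=ether23,bridge1 mac-address=54:4B:22:11:AA:BB identity="sw01" platform="" version="" unpack=none age=24s
  interface-name="ge-0/0/7.0" system-description="Juniper Networks, Inc. ex2200-c-12p-2g Ethernet Switch, kernel
                  JUNOS 15.1R6-S3, Build date: 2017-08-11 09:23:44 UTC Copyright (c) 1996-2017 Juniper Networks,
                  Inc."
  system-caps=bridge,router system-caps-enabled=bridge,router
"""

# Constructed allowlist: MAC address -> expected LLDP identity.
KNOWN_NEIGHBORS = {"54:4B:22:11:AA:BB": "sw01"}


def parse_neighbor_detail(text):
    """Return one dict per neighbor record; list-valued fields are split on ','."""
    records, current = [], []
    for line in text.splitlines():
        if re.match(r"^\d+\s", line):          # a record starts flush-left with its index
            if current:
                records.append(current)
            current = [line]
        elif line.strip() and current:         # wrapped continuation line
            current.append(line)
    if current:
        records.append(current)

    neighbors = []
    for rec in records:
        # Join wrapped lines and collapse the padding RouterOS inserts inside
        # long quoted values such as system-description.
        flat = re.sub(r"\s+", " ", " ".join(l.strip() for l in rec))
        tokens = shlex.split(flat)             # honours the "..." quoting
        entry = {"index": int(tokens[0])}
        for tok in tokens[1:]:
            key, _, value = tok.partition("=")
            entry[key] = value
        for key in ("interface", "system-caps", "system-caps-enabled"):
            entry[key] = entry[key].split(",") if entry.get(key) else []
        neighbors.append(entry)
    return neighbors


def audit_neighbors(neighbors, known=KNOWN_NEIGHBORS):
    """Return findings for neighbors that are unknown or whose identity changed."""
    findings = []
    for n in neighbors:
        mac = n.get("mac-address", "")
        port = n["interface"][0] if n["interface"] else "?"
        identity = n.get("identity") or "<none>"
        if mac not in known:
            findings.append(f"{port}: unknown neighbor {mac} (identity={identity})")
            if "router" in n["system-caps-enabled"]:
                findings.append(f"{port}: unknown device advertises router capability")
        elif known[mac] != n.get("identity"):
            findings.append(f"{port}: {mac} identity changed to {identity} (expected {known[mac]})")
    return findings


if __name__ == "__main__":
    for finding in audit_neighbors(parse_neighbor_detail(NEIGHBOR_DETAIL)) or ["no findings"]:
        print(finding)
```

On the post's output this reports the anonymous device on ether1 twice: once as unknown and once because it advertises router capability while the allowlist has never heard of it. Scheduling the print command and diffing the findings against the previous run is a cheap way to notice new gear on the lab network.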

HTTP Server

Generate a TLS cert to assign to the HTTPS web server. I am using a self-signed cert in the below example.

cmd
# Create and sign a Root Cert
certificate/add name=root-cert common-name=<hostname> days-valid=365 key-usage=key-cert-sign,crl-sign key-size=4096
certificate/sign root-cert

# Create and sign an HTTPS cert
certificate/add name=https-cert common-name=<hostname>.<domain> subject-alt-name=IP:<mgmt-ip>,DNS:<hostname> days-valid=365 key-usage=tls-server key-size=4096
certificate/sign ca=root-cert https-cert

Apply the certificate to the HTTP server for both the www-ssl and api-ssl services.

cmd
ip/service/set www-ssl certificate=https-cert disabled=no tls-version=only-1.2
ip/service/set api-ssl certificate=https-cert disabled=no tls-version=only-1.2

Disable Services

Out of the box, the device has a lot of services enabled. Disable the unused and insecure ones.

cmd
ip/service/disable www
ip/service/disable ftp
ip/service/disable telnet
ip/service/disable api

Service Status

You can view the service status with the ip/service/print command.

cmd
ip/service/print

Flags: X, I - INVALID
Columns: NAME, PORT, ADDRESS, CERTIFICATE, VRF
#   NAME     PORT  ADDRESS      CERTIFICATE  VRF
0 X telnet     23                             main
1 X ftp        21    
2 X www        80                             main
3   ssh        22                             main
4   www-ssl   443                https-cert   main
5 X api      8728                             main
6   winbox   8291                             main
7   api-ssl  8729                https-cert   main
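Checking that table by eye works for one switch; for more than one it is worth scripting. The Python below is an added example (not code from the original post) that parses the tabular ip/service/print output and flags the two conditions the HTTP Server and Disable Services sections address: a plaintext service (telnet, ftp, www, api) that is still enabled, and a TLS service with no certificate bound. The sample table is constructed to mirror the post's output, with www left enabled and api-ssl lacking a certificate so the check has something to report.

```python
"""Audit RouterOS 'ip/service/print' output for exposed management services.

Added example, not from the original post. SAMPLE_OUTPUT is constructed in
the same layout as the post's table, with two settings deliberately weakened.
"""
import re

SAMPLE_OUTPUT = """\
Flags: X, I - INVALID
Columns: NAME, PORT, ADDRESS, CERTIFICATE, VRF
#   NAME     PORT  ADDRESS      CERTIFICATE  VRF
0 X telnet     23                            main
1 X ftp        21
2   www        80                            main
3   ssh        22                            main
4   www-ssl   443               https-cert   main
5 X api      8728                            main
6   winbox   8291                            main
7   api-ssl  8729                            main
"""

# Services that carry credentials in the clear; expected disabled (flag X).
PLAINTEXT_SERVICES = {"telnet", "ftp", "www", "api"}
# Services that speak TLS; expected to have a certificate bound.
TLS_SERVICES = {"www-ssl", "api-ssl"}


def parse_service_table(text):
    """Return one dict per service row.

    Column boundaries come from the '#   NAME ...' header line, so the parser
    does not depend on how many blanks RouterOS pads each cell with.
    """
    lines = text.splitlines()
    header = next(l for l in lines if l.startswith("#"))
    cols = [(m.start(), m.group()) for m in re.finditer(r"\S+", header)]
    rows = []
    for line in lines[lines.index(header) + 1:]:
        if not line.strip():
            continue
        row = {"flags": ""}
        for m in re.finditer(r"\S+", line):
            last = m.end() - 1
            # Pick the right-most column whose header starts at or before the
            # token's last character (PORT is right-aligned in the output).
            col = max((c for c in cols if c[0] <= last), key=lambda c: c[0])[1]
            if col == "#":
                # First token is the row index; later ones are flags (X, I).
                if m.group().isdigit() and "index" not in row:
                    row["index"] = int(m.group())
                else:
                    row["flags"] += m.group()
            else:
                row[col] = m.group()
        row["disabled"] = "X" in row["flags"]
        row["PORT"] = int(row["PORT"])
        rows.append(row)
    return rows


def audit_services(rows):
    """Return sorted findings; an empty list means the policy is met."""
    findings = []
    for r in rows:
        name, port = r["NAME"], r["PORT"]
        if name in PLAINTEXT_SERVICES and not r["disabled"]:
            findings.append(f"{name} (tcp/{port}) is enabled: plaintext management service")
        if name in TLS_SERVICES and not r["disabled"] and "CERTIFICATE" not in r:
            findings.append(f"{name} (tcp/{port}) has no certificate bound")
    return sorted(findings)


if __name__ == "__main__":
    import sys
    # Pass a file holding real 'ip/service/print' output, or run on the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    for finding in audit_services(parse_service_table(text)) or ["no findings"]:
        print(finding)
```

Against the post's actual table the audit returns nothing, since telnet, ftp, www and api are all flagged X and both TLS services carry https-cert. Extending PLAINTEXT_SERVICES with winbox is a reasonable local choice if the device is only ever managed over SSH and HTTPS.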

Outro

In this post I showed you how to configure common network scenarios on a Mikrotik switch running RouterOS. I am pretty happy with the decision to go with a Mikrotik switch. For ~$350 AUD, it's a very capable device that supports a ton of features.