published: 8th of December 2022
I recently purchased a Mikrotik switch for my lab network to replace my ageing Juniper switches. I am documenting the process to get connected and configure common scenarios here for future Brad and anyone else that might be Mikrotik curious.
The following hardware and software was used in this post.
Out of the box the device can be configured over the serial console port or over IP through one of the Ethernet ports.
The console settings for the CRS326 are as follows:
There is a default network configured that allows you to connect by IP. The default network is 192.168.88.0/24 and the device's IP address is 192.168.88.1.
There are a number of tools available to manage Mikrotik devices.
The default username is admin with no password. Set a password, or create a new full-rights user and disable the default admin account, before the device is connected to any network you do not fully control.
Upgrading the software is straightforward: copy the desired image to the root of the file system and reboot. I used the Winbox GUI tool to copy the image to the device and to reboot it. A detailed process can be found in the docs here.
The hostname configuration is set in the system/identity/ section.
Confirm the hostname with the system/identity/print command.
system/identity/print
  name: <hostname>
In Mikrotik land, a bridge is a logical grouping of interfaces: physical ports are added to the bridge, and with VLAN filtering enabled the bridge behaves as a VLAN-aware switch. Bridge config lives in the interface/bridge/ section.
The below example creates a bridge, enables VLAN filtering and sets the bridge's own PVID (the VLAN that untagged traffic to and from the CPU belongs to). Enabling VLAN filtering before the port and VLAN entries exist can cut off management access if you are connected through the bridge; either add the ports and VLANs first and enable vlan-filtering last, or work in Safe Mode (Ctrl-X in the terminal) so the change is rolled back if the session drops.
interface/bridge/add name=<bridge-name> vlan-filtering=yes pvid=<vlan-id>
VLANs are added to bridges and are configured under the interface/bridge/vlan/ section.
interface/bridge/vlan/add bridge=<bridge-name> vlan-ids=<vlan-id>
Access ports are defined by listing the interface in the untagged property of the VLAN entry, so frames for that VLAN leave the port without a tag.
interface/bridge/vlan/add bridge=<bridge-name> untagged=<interface-name>,<interface-name> vlan-ids=<vlan-id>
The PVID on the bridge port sets the VLAN that untagged ingress frames are assigned to; for an access port it must match the VLAN the port is untagged in. Setting frame-types=admit-only-untagged-and-priority-tagged on the port as well stops an attached host from injecting tagged frames into other VLANs.
interface/bridge/port/add bridge=<bridge-name> interface=<interface-name> pvid=<vlan-id>
Trunk ports are defined by listing the interface in the tagged property of each VLAN entry it should carry.
interface/bridge/vlan/add bridge=<bridge-name> tagged=ether15 vlan-ids=<vlan-ids>
VLAN interfaces are logical Layer 3 interfaces bound to a VLAN that carry an IP address; they are the equivalent of SVIs or IRBs on other vendor platforms.
The below example configures a VLAN interface on the bridge and assigns an IP address. For the VLAN interface to pass traffic, the bridge itself must also be listed as a tagged member of that VLAN in interface/bridge/vlan/.
interface/vlan/add interface=<bridge-name> name=<vlan-name> vlan-id=<vlan-id>
ip/address/add address=<ip-address>/<prefix-length> interface=<vlan-name> network=<network-address>
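The bridge, VLAN, access port, trunk port and VLAN interface steps above make up one procedure, so here they are put together as a complete, added example (not configuration from the original post). The names and numbers are constructed: bridge1, management VLAN 10 on 192.168.10.0/24, server VLAN 20, ether1 and ether2 as access ports in VLAN 20, ether24 as the trunk. It differs from the snippets above in two deliberate ways: vlan-filtering is switched on as the last step, after every port and VLAN entry exists, and frame-types is tightened on both access and trunk ports so hosts cannot hop VLANs by sending tagged frames.

```routeros
# Create the bridge with VLAN filtering OFF for now; PVID 10 is the bridge's own (CPU) untagged VLAN.
interface/bridge/add name=bridge1 vlan-filtering=no pvid=10

# Access ports: untagged ingress frames are assigned to VLAN 20, tagged frames from the host are dropped.
interface/bridge/port/add bridge=bridge1 interface=ether1 pvid=20 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
interface/bridge/port/add bridge=bridge1 interface=ether2 pvid=20 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged

# Trunk port: only VLAN-tagged frames are accepted, so there is no native VLAN to abuse.
interface/bridge/port/add bridge=bridge1 interface=ether24 ingress-filtering=yes frame-types=admit-only-vlan-tagged

# VLAN table. bridge1 is a tagged member of every VLAN that needs a Layer 3 interface.
interface/bridge/vlan/add bridge=bridge1 vlan-ids=10 tagged=bridge1,ether24
interface/bridge/vlan/add bridge=bridge1 vlan-ids=20 tagged=bridge1,ether24 untagged=ether1,ether2

# Management VLAN interface and address (constructed values).
interface/vlan/add interface=bridge1 name=vlan10 vlan-id=10
ip/address/add address=192.168.10.2/24 interface=vlan10 network=192.168.10.0

# Default route out via the management VLAN's gateway (constructed).
ip/route/add dst-address=0.0.0.0/0 gateway=192.168.10.1

# Only now enable VLAN filtering. Do this from a session on vlan10 (or the console, or in Safe Mode).
interface/bridge/set bridge1 vlan-filtering=yes

# Verify: every VLAN should show bridge1 and ether24 as tagged and the access ports as untagged.
interface/bridge/vlan/print
interface/bridge/port/print
```

If you are connected through a port that is not in VLAN 10 when the last command runs, the session will drop; that is the lockout the ordering above is meant to avoid, and Safe Mode will undo the change if it happens.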
Create a static default route. Routes are configured under the ip/route/ section.
ip/route/add disabled=no dst-address=0.0.0.0/0 gateway=<gateway-ip> routing-table=main suppress-hw-offload=no
DNS servers are set under the ip/dns/ section.
Confirm the DNS configuration with the ip/dns/print command.
ip/dns/print
                      servers: <server-1>,<server-2>
              dynamic-servers:
               use-doh-server:
              verify-doh-cert: no
        allow-remote-requests: no
          max-udp-packet-size: 4096
         query-server-timeout: 2s
          query-total-timeout: 10s
       max-concurrent-queries: 100
  max-concurrent-tcp-sessions: 20
                   cache-size: 2048KiB
                cache-max-ttl: 1w
                   cache-used: 28KiB
Confirm name resolution works by pinging a host by domain name.
ping codingpackets.com
  SEQ HOST                                     SIZE TTL TIME       STATUS
    0 22.214.171.124                             56 245 24ms339us
    1 126.96.36.199                              56 245 22ms431us
    2 188.8.131.52                               56 245 19ms577us
    sent=3 received=3 packet-loss=0% min-rtt=19ms577us avg-rtt=22ms115us max-rtt=24ms339us
NTP servers are set under the system/ntp/client/ section.
system/ntp/client/set enabled=yes mode=unicast servers=<server-1>,<server-2>
Confirm the NTP configuration with the system/ntp/client/print command.
system/ntp/client/print
          enabled: yes
             mode: unicast
          servers: <server-1>,<server-2>
              vrf: main
       freq-drift: 0 PPM
           status: synchronized
    synced-server: <server-1>
   synced-stratum: 2
    system-offset: 1.474 ms
See the current time with the system/clock/print command.
system/clock/print
                  time: 21:07:48
                  date: dec/08/2022
  time-zone-autodetect: yes
        time-zone-name: Australia/Brisbane
            gmt-offset: +10:00
            dst-active: no
LLDP (along with CDP and MNDP) is configured under the ip/neighbor/discovery-settings/ section. Discovery advertises the device identity, platform and software version out of every interface in discover-interface-list, so limit that list to interfaces facing infrastructure you manage rather than user-facing or untrusted ports.
Confirm the LLDP configuration with the ip/neighbor/discovery-settings/print command.
ip/neighbor/discovery-settings/print
    discover-interface-list: static
  lldp-med-net-policy-vlan: disabled
                  protocol: cdp,lldp,mndp
See the LLDP neighbors with the ip/neighbor/print command.
ip/neighbor/print
Columns: INTERFACE, MAC-ADDRESS, IDENTITY
#  INTERFACE  MAC-ADDRESS        IDENTITY
0  ether1     88:C9:B3:B0:DE:5F
   bridge1
1  ether23    54:4B:22:11:AA:BB  sw01
   bridge1

ip/neighbor/print detail
 0 interface=ether1,bridge1 mac-address=88:C9:B3:B0:DE:5F identity="" platform="" version="" unpack=none age=2m40s system-caps=other,repeater system-caps-enabled=router

 1 interface=ether23,bridge1 mac-address=54:4B:22:11:AA:BB identity="sw01" platform="" version="" unpack=none age=24s interface-name="ge-0/0/7.0" system-description="Juniper Networks, Inc. ex2200-c-12p-2g Ethernet Switch, kernel JUNOS 15.1R6-S3, Build date: 2017-08-11 09:23:44 UTC Copyright (c) 1996-2017 Juniper Networks, Inc." system-caps=bridge,router system-caps-enabled=bridge,router
Generate a TLS certificate to assign to the HTTPS web server. I am using a self-signed certificate in the below example. Clients will warn until the root certificate is exported from the device and installed in their trust store, and both certificates need renewing before the 365 days run out.
# Create and sign a root certificate
certificate/add name=root-cert common-name=<hostname> days-valid=365 key-usage=key-cert-sign,crl-sign key-size=4096
certificate/sign root-cert
# Create a server certificate and sign it with the root
certificate/add name=https-cert common-name=<hostname>.<domain> subject-alt-name=IP:<mgmt-ip>,DNS:<hostname> days-valid=365 key-usage=tls-server key-size=4096
certificate/sign ca=root-cert https-cert
Apply the certificate to both TLS-enabled services, www-ssl and api-ssl, and restrict them to TLS 1.2.
ip/service/set www-ssl certificate=https-cert disabled=no tls-version=only-1.2
ip/service/set api-ssl certificate=https-cert disabled=no tls-version=only-1.2
Out of the box, the device has a lot of services enabled. Disable the unused and cleartext ones (www, ftp, telnet and the plain api), and consider restricting the ones that remain to the management subnet with the address property of each service.
ip/service/disable www
ip/service/disable ftp
ip/service/disable telnet
ip/service/disable api
You can view the service status with the ip/service/print command.
ip/service/print
Flags: X - DISABLED, I - INVALID
Columns: NAME, PORT, ADDRESS, CERTIFICATE, VRF
#   NAME     PORT  ADDRESS  CERTIFICATE  VRF
0 X telnet     23                        main
1 X ftp        21
2 X www        80                        main
3   ssh        22                        main
4   www-ssl   443           https-cert   main
5 X api      8728                        main
6   winbox   8291                        main
7   api-ssl  8729           https-cert   main
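The default-credentials note near the top of the post and the service cleanup just above are the two halves of the same hardening step, so here they are combined into one added example (my additions, not configuration from the original post). The management subnet 192.168.10.0/24, the interface list name mgmt, the user name netadmin and the password placeholder are all assumptions; the commands themselves are standard RouterOS 7 CLI.

```routeros
# Replace the passwordless default account with a named full-rights user, then disable admin.
user/add name=netadmin group=full password=<strong-password>
user/disable admin

# Cleartext and unused services off (same as the post), everything that stays on is bound to the management subnet.
ip/service/disable www
ip/service/disable ftp
ip/service/disable telnet
ip/service/disable api
ip/service/set ssh address=192.168.10.0/24
ip/service/set winbox address=192.168.10.0/24
ip/service/set www-ssl address=192.168.10.0/24 certificate=https-cert tls-version=only-1.2
ip/service/set api-ssl address=192.168.10.0/24 certificate=https-cert tls-version=only-1.2

# Drop the legacy SSH ciphers and MACs.
ip/ssh/set strong-crypto=yes

# MAC Telnet and MAC Winbox bypass IP filtering entirely; they are reachable from any Layer 2 neighbour, so turn them off.
tool/mac-server/set allowed-interface-list=none
tool/mac-server/mac-winbox/set allowed-interface-list=none

# Only advertise LLDP/CDP/MNDP on the management VLAN interface (constructed list name and member).
interface/list/add name=mgmt
interface/list/member/add list=mgmt interface=vlan10
ip/neighbor/discovery-settings/set discover-interface-list=mgmt

# Verify: every enabled service should now show an ADDRESS, and admin should be flagged disabled.
ip/service/print
user/print
```

Apply the address restrictions from a session that originates inside 192.168.10.0/24 (or from the console), since a session from anywhere else is cut off the moment the service it is using is restricted.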
In this post I showed you how to configure common network scenarios on a Mikrotik switch running RouterOS. I am pretty happy with the decision to go with a Mikrotik switch. For ~$350 AUD, it's a very capable device that supports a ton of features.