By default a switch will send packets to all connected ports each time it receives a new packet. When the switch has learned which MAC addresses responds to which ports, it will only send the packets for the correct ports and save internal bandwidth (on the backplane). If you attach another device to a port, the new NIC will have another MAC address, and the switch will again send the packet to all ports, to learn where the correct MAC address is now, and after that it will again operate point-to-point between the relevant ports. All MikroTik devices work as a managed switch, and all devices include the full RouterOS feature set.

Switches work on the OSI Layer 2, which means that they don't know about IP addresses. To move packets based on IP addresses, layer 3 is needed, and such a device is called a router.


Most of the MikroTik devices can function both as a switch or as a router, either using the internal switch chip, using the CPU or a combination of the switch and CPU, to move packets. Some devices even has several switch chips. The high end CCR devices, only use CPU as their focus is on routing and they  have no switch chips.

You can reconfigure the ports to use switch/cpu as you please. Setting a port as type None makes it a switch chip master port, and you may then set all the other ports to this port as a master port. In this configuration, all ports communicate through the switch chip. In RouterOS v6.41 and later, the hardware off-loading to the switch chip is instead being handled by the bridge.


In switches VLANs are widely used to separate the traffic, using three VLAN modes on the ports: Access, Trunk and Hybrid. 802.1Q VLANs work by adding 4 bytes to the header, thereby increasing the packet size from 1518 to 1522 bytes. After having these 4 bytes added to the header, the packet is know known as being tagged - you might think of it as the tags added to your suitcase in the airport.

Off the 4 bytes, 12 bits are used to identify the id of the VLAN ranging from 0 to 4095. VLAN id 0, means that there is no VLAN. Cisco put all packets on id 1 as default. In VMware id 4095 is used for broadcasting to all VLANs. Ids from 1-99 are often used on internal virtual networks. Ids from 100-999 are commonly used by ISPs. Ids 1002-1005 are still reserved for outdated technologies on many routers. VLANs ids starting with 2000, are usually safe to use. Note that if you have Cisco equipment, they do not propagate ids 1006-4094 by VTP.

"Multiple master-port configuration is designed as fast and simple port isolation solution, but it limits part of VLAN functionality supported by CRS switch-chip. For advanced configurations use one master-port within CRS switch chip for all ports, configure VLANs and isolate port groups with port isolation profile configuration."

Dynamic reserved VLAN entries (VLAN4091; VLAN4090; VLAN4089; etc.) are created in CRS switch when switched port groups are added by setting new master-ports. These VLANs are necessary for internal operation and have lower precedence than user configured VLANs.

If you use the switch only as layer 2, the traffic in the VLANs will be totally isolated from other traffic. If you add an IP address to the interfaces, the MikroTik becomes a layer 3 router, and will route all traffic between the VLANs. You may then use ACLs to isolate the traffic.

Step 1: Create the VLAN on the switch.

Ingress - packets going Into the switch -

Ingress is settings for packets going into your switch. What you change with ingress on a port, happens to the packet entering the port from the outside.

This is the path of the packet: Other hardware ⇢ Ingress ⇢ (switching/routing) ⇢ Egress ⇢ Other hardware.

A very common usage is Ingress VLAN translation, where you use Ingress to set a VLAN id for all packets from a client or server attached to a switch port.

Step 2: Ingress translate your client packages for the switch ports they are connected to.

Egress - packets Exiting the switch

Egress traffic is the packets exiting your switch out of a port. In common VLAN setups, you do not need to egress translate, as usually the packet has already been translated to the right VLAN with ingress translation. You may use egress translation to translate packets on a specific VLAN on a specific port, to another VLAN id.

Step 3: Egress tag the VLAN ids on the uplink ports, to allow these VLAN packages to go out to from the switch.

Example: 1 uplink trunked and 2 access ports with servers

In this example we have 2 servers connected to a switch, and the servers needs to connect to different VLANs. The switch is connected with an uplink to a router.

Ingress VLAN translation: First we add the necessary VLANs to all packets coming into our switch from the servers. We ingress translate the untagged packets to the desired VLAN id.

The above will add VLAN 100/200 to all packets from the ports. If you also have tagged packets coming into the switch from the same port, you can add customer-vid=0 to the above lines, so only packets with vid=0 will be translated to VLAN 100/200. vid=0 means untagged packets, without vid=0 all packages will be set to the new vid, even if they are tagged already.

Egress VLAN tagging: Next we need to trunk all the VLANs on the uplink port, to allow the VLAN tagged packets to travel through the trunked uplink port.

If you already have the VLAN id added to a tagged port, you need instead to edit the already created egress VLAN tag. Use print to find the id of the egress VLAN tag, and then edit X tagged-ports to open an editor where you can change the ports, one port name on each line. Or you can remove X, and then use the line above, you can also add more ports on the same line with add tagged-ports=ether1,ether7,ether9 vlan-id=200.

VLAN membership: In the switch VLAN table, we need to set the VLANs.

Secure your VLANs: After all your VLAN configurations are valid, you may now remove unknown/invalid VLAN forwarding by disabling it in the global switch settings:

Be careful and use safe mode! If you have misconfigured your management VLAN, you might remove your own access to the switch!

Q-in-Q, QinQ

Queue in Queue, means adding another VLAN inside the first VLAN. Tunnels provided by ISPs, are often delivered as QinQ, letting the customer add their own VLANs inside the ISP provided VLAN tunnel. QinQ 802.1ad are simply created by adding another 4 byte VLAN header to the packet. In MikroTik RouterOS, you can simply put a VLAN inside a QinQ VLAN, by setting the interface of your own VLAN to the QinQ VLAN.