Manual - Switch Chip Features - MikroTik Wiki
Manual - Switch Chip Features - MikroTik Wiki
Manual - Switch Chip Features - MikroTik Wiki
Contents
Introduction
Features
Port Switching
Switch All Ports Feature
Port Settings
VLAN Forwarding
Port Mirroring
Hosts Table
VLAN Table
Rule Table
Port isolation
Private VLAN
Isolated switch groups
CPU Flow Control
Statistics
Setup Examples
VLAN Example 1 (Trunk and Access Ports)
VLAN Example 2 (Trunk and Hybrid Ports)
Management access configuration
Tagged
Untagged
Untagged from tagged port
See also
Introduction
There are several types of switch chips on Routerboards and they have a different set of features. Most of
them (from now on "Other") have only basic "Port Switching" feature, but there are few with more features:
https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Introduction 1/21
8/30/2021 Manual:Switch Chip Features - MikroTik Wiki
Note: Cloud Router Switch (CRS) series devices have highly advanced switch chips built-in, they
support wide variety of features. For more details about switch chip capabilities on
CRS1xx/CRS2xx series devices check the CRS1xx/CRS2xx series switches manual, for CRS3xx
series devices check the CRS3xx series switches manual.
https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Introduction 2/21
8/30/2021 Manual:Switch Chip Features - MikroTik Wiki
RBOmniTikUPA-5HnDr2 (OmniTIK 5
PoE)
RB750Gr2 (hEX); RB962UiGS- QCA8337 (ether1-ether5)
5HacT2HnT (hAP ac); RB960PGS (hEX
PoE); RB960PGS-PB (PowerBox Pro)
RB953GS Atheros8327 (ether1-ether3+sfp1)
RB850Gx2 Atheros8327 (ether1-ether5) with ether1 optional [more (http://
wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#switch-all
-ports)]
RB2011 series Atheros8327 (ether1-ether5+sfp1); Atheros8227 (ether6-
ether10)
RB750GL; RB751G-2HnD; RB951G- Atheros8327 (ether1-ether5)
2HnD; RBD52G-5HacD2HnD (hAP ac²)
cAP ac Atheros8327 (ether1-ether2)
RB1100AH Atheros8327 (ether1-ether5); Atheros8327 (ether6-ether10)
RB1100AHx2 Atheros8327 (ether1-ether5); Atheros8327 (ether6-ether10)
CCR1009-8G-1S-1S+; CCR1009-8G-1S Atheros8327 (ether1-ether4)
RB493G Atheros8316 (ether1+ether6-ether9); Atheros8316 (ether2-
ether5)
RB435G Atheros8316 (ether1-ether3) with ether1 optional [more (http://
wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#switch-all
-ports)]
RB450G Atheros8316 (ether1-ether5) with ether1 optional [more (http://
wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#switch-all
-ports)]
RB450Gx4 Atheros8327 (ether1-ether5)
RB433GL Atheros8327 (ether1-ether3)
RB750G Atheros8316 (ether1-ether5)
RB1200 Atheros8316 (ether1-ether5)
RB1100 Atheros8316 (ether1-ether5); Atheros8316 (ether6-ether10)
DISC Lite5 Atheros8227 (ether1)
RBmAP2nD Atheros8227 (ether1-ether2)
RBmAP2n Atheros7240 (ether1-ether2)
RB750 Atheros7240 (ether2-ether5)
RB750UP Atheros7240 (ether2-ether5)
RB751U-2HnD Atheros7240 (ether2-ether5)
RB951-2n Atheros7240 (ether2-ether5)
RB951Ui-2HnD Atheros8227 (ether1-ether5)
RB433 series ICPlus175D (ether2-ether3); older models had ICPlus175C
https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Introduction 3/21
8/30/2021 Manual:Switch Chip Features - MikroTik Wiki
Flags: I - invalid
Depending on switch type there might be available or not available some configuration capabilities.
Features
Port Switching
In order to setup port switching on non-CRS series devices, check the Bridge Hardware Offloading page.
Note: Port switching in RouterOS v6.41 and newer is done using the bridge configuration. Prior
to RouterOS v6.41 port switching was done using the master-port property, for more details
check the Master-port page.
Ether1 port on RB450G/RB435G/RB850Gx2 has a feature that allows it to be removed/added to the default
switch group. By default ether1 port will be included in the switch group. This configuration can be changed
with /interface ethernet switch set switch1 switch-all-ports=no
switch-all-ports=yes/no -
"yes" means ether1 is part of switch and supports switch grouping, and all other advanced
Atheros8316/Atheros8327 features including extended statistics (/interface ethernet print stats).
"no" means ether1 is not part of switch, effectively making it as stand alone ethernet port, this way increasing
its throughput to other ports in bridged, and routed mode, but removing the switching possibility on this
port.
File:Switch4.png
https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Introduction 4/21
8/30/2021 Manual:Switch Chip Features - MikroTik Wiki
Port Settings
Properties under this menu are used to configure VLAN switching and filtering options for switch chips that
support a VLAN Table. These properties are only available to switch chips that have VLAN Table support,
check the Switch Chip Features table to make sure your device supports such a feature.
Warning: Ingress traffic is considered as traffic that is being sent IN a certain port, this port is
sometimes called ingress port. Egress traffic is considered as traffic that is being sent OUT of a
certain port, this port is sometimes called egress port. Distinguishing them is very important in
order to properly set up VLAN filtering since some properties apply only to either ingress or egress
traffic.
Property Description
vlan-mode(check | disabled | fallback | Changes the VLAN lookup mechanism against the VLAN Table
secure; Default: disabled) for ingress traffic.
disabled - disables checking against the VLAN Table
completely for ingress traffic. No traffic is dropped when set
on ingress port.
fallback - checks tagged traffic against the VLAN Table
for ingress traffic, forwards all untagged traffic. If ingress
traffic is tagged and egress port is not found in the VLAN
table for the appropriate VLAN ID, then traffic is dropped. If
a VLAN ID is not found in the VLAN Table, then traffic is
forwarded. Used to allow known VLANs only in specific
ports.
check - checks tagged traffic against the VLAN Table for
ingress traffic, drops all untagged traffic. If ingress traffic is
tagged and egress port is not found in the VLAN table for
the appropriate VLAN ID, then traffic is dropped.
secure - checks tagged traffic against the VLAN Table for
ingress traffic, drops all untagged traffic. Both ingress and
egress port must be found in the VLAN Table for the
appropriate VLAN ID, otherwise traffic is dropped.
vlan-header (add-if-missing | always-strip | Sets action which is performed on the port for egress traffic.
leave-as-is; Default: leave-as-is)
add-if-missing - adds a VLAN tag on egress traffic and
uses default-vlan-id from the ingress port. Should be used
for trunk ports.
always-strip - removes a VLAN tag on egress traffic.
Should be used for access ports.
leave-as-is - does not add nor removes a VLAN tag on
egress traffic. Should be used for hybrid ports.
default-vlan-id (auto | integer: 0..4095; Adds a VLAN tag with the specified VLAN ID on all untagged
Default: auto) ingress traffic on a port, should be used with vlan-header set to
https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Introduction 5/21
8/30/2021 Manual:Switch Chip Features - MikroTik Wiki
Note: QCA8337 and Atheros8327 switch chips ignore the vlan-header property and uses the
default-vlan-id property to determine which ports are access ports. The vlan-header is set to
leave-as-is and cannot be changed while the default-vlan-id property should only be used
on access ports to tag all ingress traffic.
VLAN Forwarding
Both vlan-mode and vlan-header along with the VLAN Table can be used to configure VLAN tagging,
untagging and filtering, there are multiple combinations that are possible, each achieving a different result.
Below you can find a table of what kind of traffic is going to be sent out through an egress port when a certain
traffic is received on an ingress port for each VLAN Mode.
NOTES:
https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Introduction 6/21
8/30/2021 Manual:Switch Chip Features - MikroTik Wiki
Note: The tables above are meant for more advanced configurations and to double check your
own understand of how packets will be processed with each VLAN related property.
Port Mirroring
Port mirroring lets switch 'sniff' all traffic that is going in and out of one port (mirror-source) and send a copy
of those packets out of some other port (mirror-target). This feature can be used to easily set up a 'tap' device
that receives all traffic that goes in/out of some specific port. Note that mirror-source and mirror-target ports
have to belong to same switch. (See which port belong to which switch in /interface ethernet menu). Also
mirror-target can have a special 'cpu' value, which means that 'sniffed' packets should be sent out of switch
chips cpu port. Port mirroring happens independently of switching groups that have or have not been set up.
https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Introduction 7/21
8/30/2021 Manual:Switch Chip Features - MikroTik Wiki
Warning: If you set mirror-source as a Ethernet port for a device with at least two switch chips
and these mirror-source ports are in a single bridge while mirror-target for both switch chips are
set to send the packets to the CPU, then this will result in a loop, which can make your device
inaccessible.
Hosts Table
Basically the hosts table represents switch chips internal mac address to port mapping. It can contain two
kinds of entries: dynamic and static. Dynamic entries get added automatically, this is also called a learning
process: when switch chip receives a packet from certain port, it adds the packets source mac address X and
port it received the packet from to host table, so when a packet comes in with destination mac address X it
knows to which port it should forward the packet. If the destination mac address is not present in host table
then it forwards the packet to all ports in the group. Dynamic entries take about 5 minutes to time out.
Learning is enabled only on ports that are configured as part of switch group. So you won't see dynamic
entries if you have not set up port switching.
Also you can add static entries that take over dynamic if dynamic
entry with same mac-address already exists. Also by adding a static entry you get access to some more
functionality that is controlled via following params:
copy-to-cpu, redirect-to-cpu, mirror actions are performed for packets which destination mac matches mac
address specified in entry
drop action is performed for packets which source mac address matches mac
address specified in entry
Another possibility for static entries is that mac address can be mapped to more that one port, including 'cpu'
port.
VLAN Table
VLAN table specifies certain forwarding rules for packets that have specific 802.1Q tag. Those rules are of
higher priority than switch groups configured using the Bridge Hardware Offloading feature. Basically the
table contains entries that map specific VLAN tag ids to a group of one or more ports. Packets with VLAN tags
leave switch chip through one or more ports that are set in corresponding table entry. The exact logic that
controls how packets with VLAN tags are treated is controlled by vlan-mode parameter that is changeable per
switch port in /interface ethernet switch port menu.
Vlan-mode can take following values:
disabled - ignore VLAN table, treat packet with VLAN tags just as if they did not contain a VLAN tag;
fallback - the default mode - handle packets with VLAN tag that is not present in vlan table just like
packets without VLAN tag. Packets with VLAN tags that are present in VLAN table, but incoming port
does not match any port in VLAN table entry does not get dropped.
check - drop packets with VLAN tag that is not present in VLAN table. Packets with VLAN tags that are
present in VLAN table, but incoming port does not match any port in VLAN table entry does not get
dropped.
secure - drop packets with VLAN tag that is not present in VLAN table. Packets with VLAN tags that are
present in VLAN table, but incoming port does not match any port in VLAN table entry get dropped.
https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Introduction 8/21
8/30/2021 Manual:Switch Chip Features - MikroTik Wiki
VLAN tag id based forwarding takes into account the MAC addresses dynamically learned or manually added
in the host table.
QCA8337 and Atheros8327 switch-chips also support Independent VLAN learning (IVL)
which does the learning based on both MAC addresses and VLAN IDs thus allowing the same MAC to be used
in multiple VLANs. The option "independent-learning" in VLAN table entries enables this feature.
Packets without VLAN tag are treated just like if they had a VLAN tag with port default-vlan-id. This
means that if "vlan-mode=check or secure" to be able to forward packets without VLAN tags you have to add
a special entry to VLAN table with the same VLAN ID set according to default-vlan-id.
Vlan-header option (configured in /interface ethernet switch port) sets the VLAN tag mode on egress
port. Starting from RouterOS version 6 this option works with QCA8337, Atheros8316, Atheros8327,
Atheros8227 and Atheros7240 switch chips and takes the following values:
Rule Table
Rule table is very powerful tool allowing wire speed packet filtering, forwarding and vlan tagging based on
L2,L3,L4 protocol header field condition.
ports - match port that packet came in from (multiple ports allowed);
mac layer conditions
dst-mac-address - match by destination mac address and mask;
src-mac-address - ...;
vlan-header - match by vlan header presence;
vlan-id (only applies to Atheros8316) - match by vlan tag id;
vlan-priority (only applies to Atheros8316) - match by priority in vlan tag;
mac-protocol - match by mac protocol (skips vlan tags if any);
ip conditions
https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Introduction 9/21
8/30/2021 Manual:Switch Chip Features - MikroTik Wiki
ipv6 conditions
dst-address6 - match by destination ip and mask;
src-address6 - match by source ip and mask;
flow-label - match by ipv6 flow label;
traffic-class - match by ipv6 traffic class;
protocol - match by ip protocol;
L4 conditions
src-port - match by tcp/udp source port range;
dst-port - match by tcp/udp destination port range;
Port isolation
Port isolation provides the possibility to divide (isolate) certain parts of your network, this might be useful
when need to make sure that certain devices cannot access other devices, this can be done by isolating switch
ports. Switch port isolation is available on all switch chips since RouterOS v6.43.
Property Description
forwarding-override (interface; Default: ) Forces ingress traffic to be forwarded to a specific interface.
Multiple interfaces can be specified by separating them with a
comma.
Note: (R/M)STP will only work properly in PVLAN setups, (R/M)STP will not work properly in
setups, where there are multiple isolated switch groups, because switch groups might not properly
receive BPDUs and therefore fail to detect network loops.
Warning: The forwarding-override property that has an effect on ingress traffic only. Switch
ports that do not have the forwarding-override specified are able to send packets through all
switch ports.
https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Introduction 10/21
8/30/2021 Manual:Switch Chip Features - MikroTik Wiki
Warning: Switch chips with a VLAN table support (QCA8337, Atheros8327, Atheros8316,
Atheros8227 and Atheros7240) can override the port isolation configuration when enabling a
VLAN lookup on the switch port (a vlan-mode is set to fallback, check or secure). If additional
port isolation is needed between ports on the same VLAN, a switch rule with a new-dst-ports
property can be implemented. Other devices without switch rule support cannot overcome this
limitation.
Private VLAN
In some scenarios you might need to forward all traffic to a uplink port while all other ports are isolated from
each other. This kind of setup is called Private VLAN configuration, the Switch will forward all Ethernet
frames directly to the uplink port allowing the Router to filter unwanted packets and limit access between
devices that are behind switch ports.
To configure switch port isolation, you need to switch all required ports:
/interface bridge
add name=bridge1
https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Introduction 11/21
8/30/2021 Manual:Switch Chip Features - MikroTik Wiki
Note: By default, the bridge interface is configured with protocol-mode set to rstp. For some
devices, this can disable hardware offloading because specific switch chips do not support this
feature. See the Bridge Hardware Offloading section with supported features.
Override the egress port for each switch port that needs to be isolated (excluding the uplink port):
Note: It is possible to set multiple uplink ports for a single switch chip, this can be done by
specifying multiple interfaces and separating them with a comma.
In some scenarios you might need to isolate a group of devices from other groups, this can be done using the
switch port isolation feature. This is useful when you have multiple networks but you want to use a single
switch, with port isolation you can allow certain switch ports to be able to communicate through only a set of
switch ports. In this example devices on ether1-4 will only be able to communicate with devices that are on
ether1-4, while devices on ether5-8 will only be able to communicate with devices on ether5-8 (ether1-4
is not able to communicate with ether5-8)
https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Introduction 12/21
8/30/2021 Manual:Switch Chip Features - MikroTik Wiki
To configure isolated switch groups you must first switch all ports:
/interface bridge
add name=bridge
Note: By default, the bridge interface is configured with protocol-mode set to rstp. For some
devices, this can disable hardware offloading because specific switch chips do not support this
feature. See the Bridge Hardware Offloading section with supported features.
https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Introduction 13/21
8/30/2021 Manual:Switch Chip Features - MikroTik Wiki
Then specify in the forwarding-override property all ports that you want to be in the same isolated switch
group (except the port on which you are applying the property), for example, to create an isolated switch
group for A devices:
All switch chips have a special port that is called switchX-cpu, this is the CPU port for a switch chip, it is
meant to forward traffic from a switch chip to the CPU, such a port is required for management traffic and for
routing features. By default the switch chip ensures that this special CPU port is not congested and sends out
Pause Frames when link capacity is exceeded to make sure the port is not oversaturated, this feature is called
CPU Flow Control. Without this feature packets that might be crucial for routing or management purposes
might get dropped.
Since RouterOS v6.43 it is possible to disable the CPU Flow Control feature on some devices that are using
one of the follow switch chips: Atheros8227, QCA8337, Atheros8327, Atheros7240 or Atheros8316. Other
switch chips have this feature enabled by default and cannot be changed. To disable CPU Flow Control use
the following command:
Statistics
Some switch chips are capable of reporting statistics, this can be useful to monitor how many packets are sent
to the CPU from the built-in switch chip. These statistics can also be used to monitor CPU Flow Control. You
can find an example of switch chip's statistics below:
name: switch1
rx-too-short: 0
rx-too-long: 0
rx-pause: 0
rx-fcs-error: 0
https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Introduction 14/21
8/30/2021 Manual:Switch Chip Features - MikroTik Wiki
rx-align-error: 0
rx-fragment: 0
rx-control: 0
rx-unknown-op: 0
rx-length-error: 0
rx-code-error: 0
rx-carrier-error: 0
rx-jabber: 0
rx-drop: 0
tx-too-short: 0
tx-too-long: 8 397
tx-broadcast: 2 518
tx-pause: 2 112
tx-multicast: 7 142
tx-excessive-collision: 0
tx-multiple-collision: 0
tx-single-collision: 0
tx-excessive-deferred: 0
tx-deferred: 0
tx-late-collision: 0
tx-total-collision: 0
tx-drop: 0
tx-jabber: 0
tx-fcs-error: 0
tx-control: 2 112
tx-fragment: 0
tx-rx-64: 6 646
tx-rx-512-1023: 953
tx-rx-1024-1518: 672
tx-rx-1519-max: 0
Some devices have multiple CPU cores that are directly connected to a built-in switch chip using separate
data lanes. These devices can report which data lane was used to forward the packet from or to the CPU port
from the switch chip. For such devices an extra line is added for each row, the first line represents data that
was sent using the first data lane, the second line represent data that was sent using the second data line and
so on. You can find an example of switch chip's statistics for a device with multiple data lanes connecting the
CPU and the built-in switch chip:
name: switch1
rx-too-short: 0
rx-too-long: 0
rx-pause: 0
rx-fcs-error: 0
rx-overflow: 0
tx-total-collision: 0
https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Introduction 15/21
8/30/2021 Manual:Switch Chip Features - MikroTik Wiki
0
Setup Examples
Note: Make sure you have added all needed interfaces to the VLAN table when using secure vlan-
mode. For routing functions to work properly on the same device through ports that use secure
vlan-mode, you will need to allow access to the CPU from those ports, this can be done by adding
the switchX-cpu interface itself to the VLAN table. Examples can be found at the Management port
section.
Warning: When allowing access to the CPU, you are allowing access from a certain port to the
actual router/switch, this is not always desirable. Make sure you implement proper firewall filter
rules to secure your device when access to the CPU is allowed from a certain VLAN ID and port,
use firewall filter rules to allow access to only certain services.
Note: It is possible to use the built-in switch chip and the CPU at the same time to create a
Switch-Router setup, where a device acts as a switch and as a router at the same time. You can
find a configuration example in the Switch-Router guide.
RouterBOARDs with Atheros switch chips can be used for 802.1Q Trunking. This feature in RouterOS v6 is
supported by QCA8337, Atheros8316, Atheros8327, Atheros8227 and Atheros7240 switch chips.
In this example ether3, 'ether4 and ether5 interfaces are access ports, while ether2 is a trunk port. VLAN
IDs for each access port: ether3 - 200, ether4 - 300, ether5 - 400.
/interface bridge
add name=bridge1
https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Introduction 16/21
8/30/2021 Manual:Switch Chip Features - MikroTik Wiki
add bridge=bridge1 interface=ether3 hw=yes
Note: By default, the bridge interface is configured with protocol-mode set to rstp. For some
devices, this can disable hardware offloading because specific switch chips do not support this
feature. See the Bridge Hardware Offloading section with supported features.
Add VLAN table entries to allow frames with specific VLAN IDs between ports:
Assign vlan-mode and vlan-headermode for each port and also default-vlan-id on ingress for each
access port:
Note: For devices with QCA8337 and Atheros8327 switch chips a default vlan-
header=leave-as-is should be used. When vlan-mode=secure is configured, it ignore switch
port vlan-header options. VLAN table entries handle all the egress tagging/untagging and works
as vlan-header=leave-as-is on all ports. It means what comes in tagged, goes out tagged as
well, only default-vlan-id frames are untagged at the egress of port.
VLAN Hybrid ports which can forward both tagged and untagged traffic are supported only by some Gigabit
switch chips (QCA8337, Atheros8327)
https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Introduction 17/21
8/30/2021 Manual:Switch Chip Features - MikroTik Wiki
/interface bridge
add name=bridge1
Note: By default, the bridge interface is configured with protocol-mode set to rstp. For some
devices, this can disable hardware offloading because specific switch chips do not support this
feature. See the Bridge Hardware Offloading section with supported features.
Add VLAN table entries to allow frames with specific VLAN IDs between ports.
In switch port menu set vlan-mode on all ports and also default-vlan-id on planned hybrid ports:
In these examples there will be shown examples for multiple scenarios, but each of these scenarios require
you to have switched ports. Below you can find how to switch multiple ports:
https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Introduction 18/21
8/30/2021 Manual:Switch Chip Features - MikroTik Wiki
/interface bridge
add name=bridge1
Note: By default, the bridge interface is configured with protocol-mode set to rstp. For some
devices, this can disable hardware offloading because specific switch chips do not support this
feature. See the Bridge Hardware Offloading section with supported features.
In these examples it will be assumed that ether1 is the trunk port and ether2 is the access port, for
configuration as the following:
Tagged
In order to make the device accessible only from a certain VLAN, you need to create a new VLAN interface on
the bridge interface and assign an IP address to it:
/interface vlan
/ip address
Note: Only specify trunk ports in this VLAN table entry, it is not possible to allow access to the
CPU with tagged traffic through an access port since the access port will tag all ingress traffic with
the specified default-vlan-id value.
When VLAN table is configured, you can enable vlan-mode=secure to limit access to the CPU:
https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Introduction 19/21
8/30/2021 Manual:Switch Chip Features - MikroTik Wiki
Untagged
In order to make the device accessible from the access port, create a VLAN interface with the same VLAN ID
as set in default-vlan-id, for example VLAN 100, and add an IP address to it:
/interface vlan
/ip address
Specify which access (untagged) ports are allowed to access the CPU:
Warning: Most commonly an access (untagged) port is accompanied with a trunk (tagged) port.
In case of untagged access to the CPU, you are forced to specify both the access port and the trunk
port, this gives access to the CPU from the trunk port as well. Not always this is desired and
Firewall might be required on top of VLAN filtering.
When VLAN table is configured, you can enable vlan-mode=secure to limit access to the CPU:
Note: To setup management port using untagged traffic on a device with the Atheros7240
switch chip, you will need to set vlan-header=add-if-missing for the CPU port.
It is possible to allow access to the device from the trunk (tagged) port with untagged traffic. To do so, assign
an IP address on the bridge interface:
/ip address
Specify which ports are allowed to access the CPU. Use vlan-id that is used in default-vlan-id for switch-
cpu and trunk ports, by default it is set to 0 or 1.
When VLAN table is configured, you can enable vlan-mode=secure to limit access to the CPU:
https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Introduction 20/21
8/30/2021 Manual:Switch Chip Features - MikroTik Wiki
Note: This configuration example is not possible for devices with the Atheros8316 and
Atheros7240 switch chips.
Note: For devices with QCA8337 and Atheros8327 switch chips it is possible to use any other
default-vlan-id as long as it stays the same on switch-cpu and trunk ports. For devices with
Atheros8227 switch chip only default-vlan-id=0 can be used and trunk port must use vlan-
header=leave-as-is.
See also
Switch Router
Basic VLAN Switching
Bridge Hardware Offloading
Spanning Tree Protocol
DHCP Snooping and Option 82
MTU on RouterBOARD
Layer2 misconfiguration
Master-port
https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Introduction 21/21