DAC between RB5009 and CRS326 as a 10G trunk

MikroTik VLAN Trunk: RB5009 ↔ CRS326-24G-2S+ via SFP+ DAC

Trunk link: sfp-sfpplus1 on RB5009 ↔ sfp-sfpplus1 on CRS326
Link speed: 10G (DAC cable)
VLANs: 10 VLANs (IDs 10–100)


Architecture

RB5009 (sfp-sfpplus1) ──DAC 10G──► CRS326 (sfp-sfpplus1)
       trunk: VLANs 10-100 tagged        trunk: VLANs 10-100 tagged
       │                                       │
  VLAN interfaces                         access ports per VLAN
  (vlan10..vlan100)                       (ether1..ether24)
  Gateway + DHCP server
  Firewall / inter-VLAN routing

VLAN Plan

| VLAN ID | Subnet | Gateway | Purpose |
|---------|--------|---------|---------|
| 10 | 192.168.10.0/24 | 192.168.10.1 | Management |
| 20 | 192.168.20.0/24 | 192.168.20.1 | Servers |
| 30 | 192.168.30.0/24 | 192.168.30.1 | IoT / Home Auto |
| 40 | 192.168.40.0/24 | 192.168.40.1 | Trusted WiFi |
| 50 | 192.168.50.0/24 | 192.168.50.1 | Guest WiFi |
| 60 | 192.168.60.0/24 | 192.168.60.1 | CCTV |
| 70 | 192.168.70.0/24 | 192.168.70.1 | VoIP |
| 80 | 192.168.80.0/24 | 192.168.80.1 | Lab |
| 90 | 192.168.90.0/24 | 192.168.90.1 | Storage |
| 100 | 192.168.100.0/24 | 192.168.100.1 | Backup |

RB5009 Configuration (Router-on-a-Stick)

1. VLAN Interfaces on sfp-sfpplus1

/interface vlan
add name=vlan10  interface=sfp-sfpplus1 vlan-id=10
add name=vlan20  interface=sfp-sfpplus1 vlan-id=20
add name=vlan30  interface=sfp-sfpplus1 vlan-id=30
add name=vlan40  interface=sfp-sfpplus1 vlan-id=40
add name=vlan50  interface=sfp-sfpplus1 vlan-id=50
add name=vlan60  interface=sfp-sfpplus1 vlan-id=60
add name=vlan70  interface=sfp-sfpplus1 vlan-id=70
add name=vlan80  interface=sfp-sfpplus1 vlan-id=80
add name=vlan90  interface=sfp-sfpplus1 vlan-id=90
add name=vlan100 interface=sfp-sfpplus1 vlan-id=100

2. IP Addresses (Gateways)

/ip address
add address=192.168.10.1/24  interface=vlan10
add address=192.168.20.1/24  interface=vlan20
add address=192.168.30.1/24  interface=vlan30
add address=192.168.40.1/24  interface=vlan40
add address=192.168.50.1/24  interface=vlan50
add address=192.168.60.1/24  interface=vlan60
add address=192.168.70.1/24  interface=vlan70
add address=192.168.80.1/24  interface=vlan80
add address=192.168.90.1/24  interface=vlan90
add address=192.168.100.1/24 interface=vlan100

3. DHCP Pools

/ip pool
add name=pool-vlan10  ranges=192.168.10.100-192.168.10.200
add name=pool-vlan20  ranges=192.168.20.100-192.168.20.200
add name=pool-vlan30  ranges=192.168.30.100-192.168.30.200
add name=pool-vlan40  ranges=192.168.40.100-192.168.40.200
add name=pool-vlan50  ranges=192.168.50.100-192.168.50.200
add name=pool-vlan60  ranges=192.168.60.100-192.168.60.200
add name=pool-vlan70  ranges=192.168.70.100-192.168.70.200
add name=pool-vlan80  ranges=192.168.80.100-192.168.80.200
add name=pool-vlan90  ranges=192.168.90.100-192.168.90.200
add name=pool-vlan100 ranges=192.168.100.100-192.168.100.200

4. DHCP Servers

/ip dhcp-server
add name=dhcp-vlan10  interface=vlan10  address-pool=pool-vlan10  disabled=no
add name=dhcp-vlan20  interface=vlan20  address-pool=pool-vlan20  disabled=no
add name=dhcp-vlan30  interface=vlan30  address-pool=pool-vlan30  disabled=no
add name=dhcp-vlan40  interface=vlan40  address-pool=pool-vlan40  disabled=no
add name=dhcp-vlan50  interface=vlan50  address-pool=pool-vlan50  disabled=no
add name=dhcp-vlan60  interface=vlan60  address-pool=pool-vlan60  disabled=no
add name=dhcp-vlan70  interface=vlan70  address-pool=pool-vlan70  disabled=no
add name=dhcp-vlan80  interface=vlan80  address-pool=pool-vlan80  disabled=no
add name=dhcp-vlan90  interface=vlan90  address-pool=pool-vlan90  disabled=no
add name=dhcp-vlan100 interface=vlan100 address-pool=pool-vlan100 disabled=no

5. DHCP Networks

/ip dhcp-server network
add address=192.168.10.0/24  gateway=192.168.10.1  dns-server=192.168.10.1
add address=192.168.20.0/24  gateway=192.168.20.1  dns-server=192.168.10.1
add address=192.168.30.0/24  gateway=192.168.30.1  dns-server=192.168.10.1
add address=192.168.40.0/24  gateway=192.168.40.1  dns-server=192.168.10.1
add address=192.168.50.0/24  gateway=192.168.50.1  dns-server=192.168.10.1
add address=192.168.60.0/24  gateway=192.168.60.1  dns-server=192.168.10.1
add address=192.168.70.0/24  gateway=192.168.70.1  dns-server=192.168.10.1
add address=192.168.80.0/24  gateway=192.168.80.1  dns-server=192.168.10.1
add address=192.168.90.0/24  gateway=192.168.90.1  dns-server=192.168.10.1
add address=192.168.100.0/24 gateway=192.168.100.1 dns-server=192.168.10.1

6. Firewall — Inter-VLAN Isolation

# Create interface list for all VLANs
/interface list
add name=VLANS

/interface list member
add interface=vlan10  list=VLANS
add interface=vlan20  list=VLANS
add interface=vlan30  list=VLANS
add interface=vlan40  list=VLANS
add interface=vlan50  list=VLANS
add interface=vlan60  list=VLANS
add interface=vlan70  list=VLANS
add interface=vlan80  list=VLANS
add interface=vlan90  list=VLANS
add interface=vlan100 list=VLANS

/ip firewall filter
# Allow established/related traffic
add chain=forward connection-state=established,related action=accept comment="Allow established"

# Allow management VLAN (vlan10) to reach all VLANs
add chain=forward in-interface=vlan10 out-interface-list=VLANS action=accept comment="Mgmt VLAN full access"

# Drop all other inter-VLAN traffic
add chain=forward in-interface-list=VLANS out-interface-list=VLANS action=drop comment="Block inter-VLAN default"
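
The rule order above can be checked offline before deployment. This Python model is an added example, not part of the original gist: it evaluates the three forward rules first-match for every VLAN pair. The interface name `wan` used in the usage note is hypothetical (the gist defines no uplink).

```python
# The three forward rules from step 6, in the order they are added.
VLANS = {f"vlan{i}" for i in range(10, 101, 10)}
RULES = [
    {"state": {"established", "related"}, "action": "accept"},
    {"in": {"vlan10"}, "out": VLANS, "action": "accept"},
    {"in": VLANS, "out": VLANS, "action": "drop"},
]

def matches(rule, in_if, out_if, state):
    # A matcher that is absent from a rule matches any value.
    return (state in rule.get("state", {state})
            and in_if in rule.get("in", {in_if})
            and out_if in rule.get("out", {out_if}))

def verdict(in_if, out_if, state="new"):
    """Return (action, rule number) for a forwarded packet; first match wins."""
    for number, rule in enumerate(RULES, 1):
        if matches(rule, in_if, out_if, state):
            return rule["action"], number
    # A packet that matches no rule in a RouterOS filter chain is accepted.
    return "accept", None

def isolation_matrix():
    """Verdict for a new connection between every ordered pair of VLANs."""
    return {(a, b): verdict(a, b)[0]
            for a in sorted(VLANS) for b in sorted(VLANS) if a != b}
```

`verdict("vlan50", "wan")` falls through all three rules and is accepted, so traffic from the VLANs to any interface outside the `VLANS` list is not restricted by this rule set and needs its own rules.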

CRS326-24G-2S+ Configuration (L2 Switch)

⚠️ Apply vlan-filtering=yes LAST — after all bridge VLAN config is in place, otherwise you will lose switch access.

1. Create Bridge with VLAN Filtering

/interface bridge
add name=bridge1 vlan-filtering=no frame-types=admit-all
# Note: vlan-filtering enabled at the very end

2. Add All Ports to Bridge

/interface bridge port
# uplink trunk to RB5009
add bridge=bridge1 interface=sfp-sfpplus1
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
add bridge=bridge1 interface=ether11
add bridge=bridge1 interface=ether12
add bridge=bridge1 interface=ether13
add bridge=bridge1 interface=ether14
add bridge=bridge1 interface=ether15
add bridge=bridge1 interface=ether16
add bridge=bridge1 interface=ether17
add bridge=bridge1 interface=ether18
add bridge=bridge1 interface=ether19
add bridge=bridge1 interface=ether20
add bridge=bridge1 interface=ether21
add bridge=bridge1 interface=ether22
add bridge=bridge1 interface=ether23
add bridge=bridge1 interface=ether24

3. Configure Trunk Port (sfp-sfpplus1 → RB5009)

/interface bridge vlan
add bridge=bridge1 tagged=sfp-sfpplus1 vlan-ids=10,20,30,40,50,60,70,80,90,100

4. Configure Access Ports (Example Port-to-VLAN Mapping)

# Assign pvid and set untagged frame policy per port
/interface bridge port
set [find interface=ether1]  pvid=10  frame-types=admit-only-untagged-and-priority-tagged
set [find interface=ether2]  pvid=10  frame-types=admit-only-untagged-and-priority-tagged
set [find interface=ether3]  pvid=20  frame-types=admit-only-untagged-and-priority-tagged
set [find interface=ether4]  pvid=20  frame-types=admit-only-untagged-and-priority-tagged
set [find interface=ether5]  pvid=30  frame-types=admit-only-untagged-and-priority-tagged
set [find interface=ether6]  pvid=30  frame-types=admit-only-untagged-and-priority-tagged
set [find interface=ether7]  pvid=40  frame-types=admit-only-untagged-and-priority-tagged
set [find interface=ether8]  pvid=40  frame-types=admit-only-untagged-and-priority-tagged
set [find interface=ether9]  pvid=50  frame-types=admit-only-untagged-and-priority-tagged
set [find interface=ether10] pvid=50  frame-types=admit-only-untagged-and-priority-tagged
set [find interface=ether11] pvid=60  frame-types=admit-only-untagged-and-priority-tagged
set [find interface=ether12] pvid=60  frame-types=admit-only-untagged-and-priority-tagged
set [find interface=ether13] pvid=70  frame-types=admit-only-untagged-and-priority-tagged
set [find interface=ether14] pvid=70  frame-types=admit-only-untagged-and-priority-tagged
set [find interface=ether15] pvid=80  frame-types=admit-only-untagged-and-priority-tagged
set [find interface=ether16] pvid=80  frame-types=admit-only-untagged-and-priority-tagged
set [find interface=ether17] pvid=90  frame-types=admit-only-untagged-and-priority-tagged
set [find interface=ether18] pvid=90  frame-types=admit-only-untagged-and-priority-tagged
set [find interface=ether19] pvid=100 frame-types=admit-only-untagged-and-priority-tagged
set [find interface=ether20] pvid=100 frame-types=admit-only-untagged-and-priority-tagged
set [find interface=ether21] pvid=10  frame-types=admit-only-untagged-and-priority-tagged
set [find interface=ether22] pvid=10  frame-types=admit-only-untagged-and-priority-tagged
set [find interface=ether23] pvid=10  frame-types=admit-only-untagged-and-priority-tagged
set [find interface=ether24] pvid=10  frame-types=admit-only-untagged-and-priority-tagged

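# Register untagged ports per VLAN in bridge VLAN table
# bridge1 itself is tagged in VLAN 10 so that the mgmt-vlan10 interface (step 5) stays reachable once vlan-filtering is on
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether1,ether2,ether21,ether22,ether23,ether24 vlan-ids=10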
add bridge=bridge1 untagged=ether3,ether4   vlan-ids=20
add bridge=bridge1 untagged=ether5,ether6   vlan-ids=30
add bridge=bridge1 untagged=ether7,ether8   vlan-ids=40
add bridge=bridge1 untagged=ether9,ether10  vlan-ids=50
add bridge=bridge1 untagged=ether11,ether12 vlan-ids=60
add bridge=bridge1 untagged=ether13,ether14 vlan-ids=70
add bridge=bridge1 untagged=ether15,ether16 vlan-ids=80
add bridge=bridge1 untagged=ether17,ether18 vlan-ids=90
add bridge=bridge1 untagged=ether19,ether20 vlan-ids=100

5. Management IP on CRS326 (VLAN10)

/interface vlan
add name=mgmt-vlan10 interface=bridge1 vlan-id=10

/ip address
add address=192.168.10.2/24 interface=mgmt-vlan10

/ip route
add gateway=192.168.10.1

/ip service
set telnet disabled=yes
set ftp    disabled=yes
set www    disabled=yes
set ssh    port=22 disabled=no
set winbox disabled=no

6. Enable VLAN Filtering (⚠️ Do This Last!)

/interface bridge
set bridge1 vlan-filtering=yes
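
A pre-flight check for the lock-out warning above, as an added Python example (not part of the original gist): it reads configuration text and reports gaps in the static bridge VLAN table before `vlan-filtering=yes` is set. The sample input is constructed and modelled on the CRS326 steps; the function names and messages are this example's own.

```python
import re

# Constructed sample modelled on the CRS326 steps; the VLAN 20 untagged entry is deliberately missing.
SAMPLE = """\
/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus1
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether3
set [find interface=ether1] pvid=10 frame-types=admit-only-untagged-and-priority-tagged
set [find interface=ether3] pvid=20 frame-types=admit-only-untagged-and-priority-tagged
/interface bridge vlan
add bridge=bridge1 tagged=sfp-sfpplus1 vlan-ids=10,20
add bridge=bridge1 tagged=bridge1 untagged=ether1 vlan-ids=10
/interface vlan
add name=mgmt-vlan10 interface=bridge1 vlan-id=10
"""

def members(value):
    return {m for m in value.split(",") if m}

def preflight(config, trunk="sfp-sfpplus1", bridge="bridge1"):
    """Return static-config gaps to fix before setting vlan-filtering=yes."""
    menu, pvid, tagged, untagged, mgmt = "", {}, {}, {}, []
    for line in map(str.strip, config.splitlines()):
        if line.startswith("/"):
            menu = line
            continue
        kv = dict(re.findall(r"([\w-]+)=([^\s\]]+)", line))
        if menu == "/interface bridge port" and "interface" in kv:
            port = kv["interface"]
            pvid[port] = int(kv.get("pvid", pvid.get(port, 1)))  # default PVID is 1
        elif menu == "/interface bridge vlan" and "vlan-ids" in kv:
            for vid in map(int, kv["vlan-ids"].split(",")):
                tagged.setdefault(vid, set()).update(members(kv.get("tagged", "")))
                untagged.setdefault(vid, set()).update(members(kv.get("untagged", "")))
        elif menu == "/interface vlan" and kv.get("interface") == bridge:
            mgmt.append(int(kv["vlan-id"]))
    problems = []
    for port, vid in sorted(pvid.items()):
        if port != trunk and port not in untagged.get(vid, set()):
            problems.append(f"{port}: pvid={vid} but no static untagged entry for VLAN {vid}")
    for vid in sorted(set(tagged) | set(untagged)):
        if trunk not in tagged.get(vid, set()):
            problems.append(f"VLAN {vid}: trunk {trunk} is not a tagged member")
    for vid in mgmt:
        if bridge not in tagged.get(vid, set()):
            problems.append(f"VLAN {vid}: {bridge} is not a tagged member (management interface)")
    return problems
```

The check covers static entries only, in the form the steps above configure them; it handles comma-separated `vlan-ids` lists, not ranges.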

Deployment Checklist

  • Verify DAC link is up: sfp-sfpplus1 on both devices
  • Apply RB5009 config — VLAN interfaces, IPs, DHCP, firewall
  • Apply CRS326 config — bridge, all ports, VLAN table
  • Set management IP on CRS326 before enabling vlan-filtering
  • Enable vlan-filtering=yes on CRS326 last
  • Verify connectivity: ping gateway from each VLAN
  • Verify inter-VLAN isolation where required
  • Verify CRS326 management access via 192.168.10.2

Verification Commands

# RB5009 — check VLAN interfaces
/interface vlan print

# RB5009 — check DHCP leases
/ip dhcp-server lease print

# CRS326 — check bridge VLAN table
/interface bridge vlan print

# CRS326 — check port PVID assignments
/interface bridge port print detail

# Both — check interface status
/interface print where running

Generated for: RB5009 sfp-sfpplus1 ↔ CRS326-24G-2S+ sfp-sfpplus1 via DAC — 10 VLANs (ID 10–100)
