Mastering MikroTik & Managed Switches: Routing, VLANs, PPPoE, Failover, QoS & Security

J M C Dias — Tue, 08 Jul 2025 23:22:26 +0000

📘 Complete Guide: MikroTik in Practice — VLANs, PPPoE, Failover, NAT, Mangle, QoS & Firewall

This guide is the result of in-depth, real-world study in networking using MikroTik and Cisco managed switches.

It covers everything from the OSI model to real configurations — including VLANs, PPPoE, routing marks, NAT, firewalling, automatic failover, and Queue Tree QoS.

If you're aiming to level up your networking skills for professional environments, this is a hands-on starting point.

🧠 This article is part of my upcoming eBook:

🛠️ The Practical Network Blueprint: Real Infrastructure with MikroTik, Cisco & Cloud Edge

A complete and evolving resource that compiles content from all my technical posts into one cohesive reference.

📘 Module 1 — Networking Fundamentals: Layers, Switches & Routers

🧠 OSI Model Explained with Real-Life Analogy

The OSI model breaks network communication into 7 logical layers.

Think of it like sending a letter:

Layer 1: Physical → The envelope being passed hand-to-hand → Cables, signals
Layer 2: Data Link → Sender/receiver address → MAC address, Switches
Layer 3: Network → ZIP/Postal code → IP, Routing
Layer 4: Transport → Type of delivery (express, registered) → TCP, UDP
Layers 5–7: Session–Application → The letter content → Browser, Email, WinBox

🔎 In daily usage:

Layer 2 → Plugging a cable into a switch
Layer 3 → MikroTik routing packets by IP
Layer 4 → Browser initiating a TCP connection

🔹 How This Applies to MikroTik

When configuring VLANs, PPPoE, NAT, or mangle rules, you're working across:

Layer 2 → VLANs, MAC addresses
Layer 3 → IP addresses and routing
Layer 4+ → Ports like 80, 443, etc.

🖧 Switches and VLANs (Layer 2)

🎯 What is a VLAN?

A VLAN (Virtual LAN) is a logically isolated network on the same physical switch.

Example – A 24-port switch:

Ports 1–8 → VLAN 10 (Admin)
Ports 9–16 → VLAN 20 (Finance)
Ports 17–24 → VLAN 30 (Guests)

💡 Devices in different VLANs cannot communicate unless routed.

🔀 Tagged vs Untagged Traffic

Type	Where	Meaning
Tagged	Trunk port	Packet includes VLAN ID
Untagged	Access port	Packet already assigned VLAN

🔄 Access vs Trunk Ports

Access port → Connects to end devices (PCs, printers). One VLAN.
Trunk port → Connects to MikroTik or other switches. Multiple VLANs (tagged).

🧪 Topology Example (Cisco Switch + MikroTik)


\[Fiber ISP]
|
Cisco Switch (Gi1/1/2 — trunk)
|
MikroTik (ether13)
|
VLAN 13 → Link C
VLAN 10 → Link A
VLAN 20 → Internal LAN

🔧 Cisco Switch Configuration

vlan 10
 name LINK_A
vlan 13
 name LINK_C
vlan 20
 name LAN_LOCAL

interface Gi1/1/2
 description Trunk to MikroTik
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,13,20

📘 How MikroTik Sees This

MikroTik uses virtual VLAN interfaces over physical ports.

/interface vlan
add name=vlan13 vlan-id=13 interface=ether13 comment="LINK C"

/ip address
add address=192.0.2.2/30 interface=vlan13

📌 Use Case — Isolating Departments

VLAN 100 → Management
VLAN 200 → Finance
VLAN 300 → Guest Wi-Fi
VLAN 400 → IP Cameras

Use MikroTik firewall rules to allow or deny communication between them.

🧠 Module Summary

VLAN → Logical network segmentation
Trunk → Port carrying multiple VLANs
Access → Port for end-user device (1 VLAN)
Tagged → Packet includes VLAN ID
Untagged → Already assigned to VLAN

📘 Module 2 — Creating VLANs on Cisco Switch + MikroTik

🧠 Real Scenario

You’ve added a new internet link (Link C) via Ethernet to your Cisco switch.
You must deliver this link to MikroTik using VLAN 13.

You’ll need to:

Create VLAN 13 on Cisco
Allow it on the trunk port to MikroTik
Create VLAN interface in MikroTik
Assign public IP and routing

🎯 Setup Summary

Device	Task
Cisco Switch	Create VLAN, allow on trunk
MikroTik	Create `/interface vlan`, IP

🧪 Example Setup

VLAN ID: 13
Switch Port: Gi1/1/2
MikroTik Port: ether13
Public IP: 192.0.2.2/30
Gateway: 192.0.2.1

🔧 Cisco Configuration

conf t
vlan 13
 name LINK_C
exit

interface Gi1/1/2
 description Trunk to MikroTik
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan add 13
 switchport mode trunk
exit

⚠️ Make sure the port is set to trunk mode.

🌐 MikroTik VLAN Configuration

/interface vlan
add name=vlan13 vlan-id=13 interface=ether13 comment="LINK C - VLAN 13"

/ip address
add address=192.0.2.2/30 interface=vlan13 comment="Public IP - LINK C"

✅ MikroTik now sees VLAN 13 as a normal interface.

📈 Connectivity Test (in MikroTik)

ping 192.0.2.1

✅ If it replies, the VLAN and trunk are working correctly.

💡 Use Clear Naming

Interface	Description
vlan10	Link A (VLAN 10)
vlan13	Link C (VLAN 13)
vlan20	Internal LAN

⚠️ Common Problems & Fixes

Symptom	Likely Cause	Solution
No ping to gateway	VLAN not in trunk	Check `switchport trunk allowed`
No MikroTik traffic	Wrong VLAN ID/port	Confirm VLAN + physical port
No public IP	PPPoE required	See Module 3 for config

🧠 Module Summary

Create VLANs on the switch
Allow them on trunk ports
Use /interface vlan on MikroTik
Assign IPs as if physical interface
Use ping to test connectivity
Use clear naming conventions

🔗 What’s Next?

This is just the beginning. Modules 3–7 cover:

PPPoE
Routing marks
NAT & Mangle
QoS
Firewall security
Real-world failover diagnostics

👉 Continue the full 7-module series on Medium

Forem: J M C Dias

Mastering MikroTik & Managed Switches: Routing, VLANs, PPPoE, Failover, QoS & Security

📘 Complete Guide: MikroTik in Practice — VLANs, PPPoE, Failover, NAT, Mangle, QoS & Firewall

📘 Module 1 — Networking Fundamentals: Layers, Switches & Routers

🧠 OSI Model Explained with Real-Life Analogy

🔎 In daily usage:

🔹 How This Applies to MikroTik

🖧 Switches and VLANs (Layer 2)

🎯 What is a VLAN?

🔀 Tagged vs Untagged Traffic

🔄 Access vs Trunk Ports

🧪 Topology Example (Cisco Switch + MikroTik)

🔧 Cisco Switch Configuration

📘 How MikroTik Sees This

📌 Use Case — Isolating Departments

🧠 Module Summary

📘 Module 2 — Creating VLANs on Cisco Switch + MikroTik

🧠 Real Scenario

🎯 Setup Summary

🧪 Example Setup

🔧 Cisco Configuration

🌐 MikroTik VLAN Configuration

📈 Connectivity Test (in MikroTik)

💡 Use Clear Naming

⚠️ Common Problems & Fixes

🧠 Module Summary

🔗 What’s Next?