The ultimate heavy-duty home lab router with USB 3.0, 1G and 2.5G Ethernet and a 10G SFP+ cage. You can mount four of these new routers in a single 1U rackmount space! Unprecedented processing power in such a small form factor.
The new MikroTik flagship with the power of a whole fleet. Unleash the power of 100 Gigabit networking with L3 Hardware Offloading! This router can be a handy drop-in upgrade for existing CCR1072 setups.
Your most affordable, compact, energy-efficient doorway to the world of 100 Gigabit networking. This switch is the next step in upgrading existing 10 or 25 Gigabit networks. Multiple powering options, dual hot-swap power supplies.
MikroTik training sessions are organized and provided by MikroTik Training Centers at various locations around the World. They are attended by network engineers, integrators and managers, who would like to learn about routing and managing wired and wireless networks using MikroTik RouterOS.
MikroTik Academies are educational institutions such as universities, technical schools, colleges, vocational schools, and other educational institutions offering semester time based Internet networking courses for their academic students using MikroTik RouterOS as a learning tool.
Every year there are around 2000 - 3000 graduates who have successfully completed MikroTik courses. Our certificates are recognized worldwide and stand for good knowledge about network administration, using RouterBOARD and RouterOS.
RouterOS is the operating system of RouterBOARD hardware. It has all the necessary features for an ISP - routing, firewall, bandwidth management, wireless access point, backhaul link, hotspot gateway, VPN server and more. Quick and simple installation and an easy to use interface!
MikroTik manufactures routers, switches and wireless systems for every purpose: from small office or home to carrier ISP networks, there is a device for every purpose. See our product catalog for a complete list of our products and their features.
To purchase our RouterBOARD, CCR, CRS and other products, and also to receive technical support and pre-sales consultation, please contact our wide network of distributors. See the map to find the nearest one.
This post is for those who want to know how to configure a MikroTik router, step by step. It is important to understand what must be done to successfully install a MikroTik router for internet access.
There are seven basic configuration requirements that must be met on a MikroTik router to provide internet access to all connected users. These tasks, some of which are not compulsory, are listed below and will be looked into one after the other.
System Identity is to MikroTik what hostname is to Cisco. Configuring system identity is part of the administrative configuration and is not compulsory. This is not part of the requirement to connect a router to the internet but is recommended, especially when managing multiple routers. It allows an administrator to easily identify a router.
Though not compulsorily required to connect a router to the internet, it is highly recommended for the security of your network and network device. MikroTik routers have a default username of admin with no password. Users are advised to change these settings.
To change the username, click on System >> Users, double-click on the admin user and change the username from admin to something else. See image below.
At the most basic level, two IPs are required on the router to successfully connect users behind a MikroTik router to the internet. These are the WAN and LAN IPs. Before the assignment of IPs, the WAN and LAN interfaces must have been chosen. In most cases, the ISP connection goes to ether1 while the LAN connection is plugged into ether2. If the ISP has DHCP enabled, then ether1 on the MikroTik can be configured as a DHCP client; otherwise, an IP will be configured manually. See here for how to configure a MikroTik router interface as a DHCP client.
In most cases, a DHCP server will be required to help lease out IP addresses to connected users. Without a DHCP server, assignment of IPs can become a full-time job, and if not properly done, there will be IP conflicts.
NAT configuration is required for systems on the LAN to have access to the internet. It allows packets' source IPs to be masqueraded with the public IP on the MikroTik router as they exit the router via the WAN interface to the internet. To configure NAT on a MikroTik simply enter the commands below.
The basic idea behind the different layers of switching/routing comes from the fact that the earlier a device learns where the traffic needs to be directed (routed or switched to), the faster and more efficiently it can perform its task. This may sound trivial in home or small office environments with fewer than e.g. 10 devices, but enter the enterprise and service provider world, where constant saturated streams of information occur, and suddenly total switching or routing capacity (throughput) becomes an important factor. Additional features like traffic shaping, prioritizing applications etc. also come into play.
This mode is derived from Switch / Wireless Access Point Bridge Mode configuration above. You must have a working MikroTik router configured with previous steps first (PART 1) before proceeding to the following steps (hence the continuous STEPs numbering scheme in parentheses).
MikroTik router is now configured as a basic Ethernet LAN 2 Wireless Bridge / Switch (LAN 2 Wi-Fi adapter), allowing you to connect multiple wired LAN devices to Internet over Wi-Fi wireless network bridge to your main ISP router/gateway or another router in another room or department using the same network segment (no subnet change). Remember, your ISP router/gateway is still doing all the smart routing and DHCP stuff!
I have been looking around these instructions and these are the most well explained instructions that I have come across. Despite this, I am having challenges to get the two routers to work together. I followed step 2. Router 2 connected to the wifi from router 1 but router 2 is not transmitting wifi for gadgets to connect to. The wifi coverage is still limited to the router 1 wifi radius.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License".
Enabling RADIUS accounting on your network devices will significantly increase the database size and may cause performance issues. You should be aware of this and only use RADIUS accounting if it is really needed.
PacketFence supports a whole lot of different wireless and wired network equipment from various vendors running different versions. Since we want to provide the most accurate information and avoid duplication of that same information, please refer to our website
If your management authentication on your switch is default, applying the configuration above will have your authentication switch to a RADIUS based one with PacketFence as the authentication server. It is almost certain that you do not want that!
The switch needs to be configured to do MAC Authentication and/or 802.1X. Then on the PacketFence side in the switch roles, enable "Role by Access List" and fill the appropriate role with the ACL you want.
Those versions are now supported using 802.1X for networks with or without VoIP. You can also use port-security with a static MAC address but we cannot secure a MAC on the data VLAN specifically, so enable it if there is no VoIP, use linkUp/linkDown and MAC notification otherwise. So on setups that need to handle VoIP with this switch, go with an 802.1X configuration. Note: This module is renamed from the old 2950 module and therefore inherits all its capabilities.
Since version PacketFence 2.2.1, the way to handle VoIP when using port-security dramatically changed. Ensure that you follow the instructions below. To make the story short, instead of relying on the dynamic MAC learning for VoIP, we use a static entry on the voice VLAN so we can trigger a new security violation, and then authorize the phone MAC address on the network.
When doing 802.1X and network interface teaming on the same switch or stack, you might consider using the mac-move feature of the Cisco switches. When you authenticate the primary link of the team, the virtual MAC address will be published and authorized on the switchport. When something breaks on that link (i.e. cable disconnected), the teaming driver will publish the MAC address on the secondary link, and the switch will try to authorize it. However, since the switch already has the MAC address in a session on another switchport, the switch will put the secondary link into err-disabled mode.
But, as it is difficult for us to maintain the whole list of commands to configure each and every different model of 2960 with different IOS, please refer to Cisco documentation for very specific cases.
The Cisco IOS 15.5 supports RADIUS pushed ACLs which means that you can define the ACLs centrally in PacketFence without configuring them in your switches and their rules will be applied to the switch during the authentication.