Mastering MikroTik & Managed Switches: Routing, VLANs, PPPoE, Failover, QoS & Security

📘 Complete Guide: MikroTik in Practice — VLANs, PPPoE, Failover, NAT, Mangle, QoS & Firewall

This guide is the result of in-depth, real-world study in networking using MikroTik and Cisco managed switches.

It covers everything from the OSI model to real configurations — including VLANs, PPPoE, routing marks, NAT, firewalling, automatic failover, and Queue Tree QoS.

If you're aiming to level up your networking skills for professional environments, this is a hands-on starting point.

🧠 This article is part of my upcoming eBook:

🛠️ The Practical Network Blueprint: Real Infrastructure with MikroTik, Cisco & Cloud Edge

A complete and evolving resource that compiles content from all my technical posts into one cohesive reference.

---

📘 Module 1 — Networking Fundamentals: Layers, Switches & Routers

🧠 OSI Model Explained with Real-Life Analogy

The OSI model breaks network communication into 7 logical layers.

Think of it like sending a letter:

• Layer 1: Physical → The envelope being passed hand-to-hand → Cables, signals
• Layer 2: Data Link → Sender/receiver address → MAC address, Switches
• Layer 3: Network → ZIP/Postal code → IP, Routing
• Layer 4: Transport → Type of delivery (express, registered) → TCP, UDP
• Layers 5–7: Session–Application → The letter content → Browser, Email, WinBox

🔎 In daily usage:

• Layer 2 → Plugging a cable into a switch
• Layer 3 → MikroTik routing packets by IP
• Layer 4 → Browser initiating a TCP connection

---

🔹 How This Applies to MikroTik

When configuring VLANs, PPPoE, NAT, or mangle rules, you're working across:

• Layer 2 → VLANs, MAC addresses
• Layer 3 → IP addresses and routing
• Layer 4+ → Ports like 80, 443, etc.

---

🖧 Switches and VLANs (Layer 2)

🎯 What is a VLAN?

A VLAN (Virtual LAN) is a logically isolated network on the same physical switch.

Example – A 24-port switch:

• Ports 1–8 → VLAN 10 (Admin)
• Ports 9–16 → VLAN 20 (Finance)
• Ports 17–24 → VLAN 30 (Guests)

💡 Devices in different VLANs cannot communicate unless routed.

---

🔀 Tagged vs Untagged Traffic

Type	Where	Meaning
Tagged	Trunk port	Packet includes VLAN ID
Untagged	Access port	Packet already assigned VLAN

---

🔄 Access vs Trunk Ports

• Access port → Connects to end devices (PCs, printers). One VLAN.
• Trunk port → Connects to MikroTik or other switches. Multiple VLANs (tagged).

---

🧪 Topology Example (Cisco Switch + MikroTik)

\[Fiber ISP]
|
Cisco Switch (Gi1/1/2 — trunk)
|
MikroTik (ether13)
|
VLAN 13 → Link C
VLAN 10 → Link A
VLAN 20 → Internal LAN

---

🔧 Cisco Switch Configuration

vlan 10
 name LINK_A
vlan 13
 name LINK_C
vlan 20
 name LAN_LOCAL

interface Gi1/1/2
 description Trunk to MikroTik
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,13,20

---

📘 How MikroTik Sees This

MikroTik uses virtual VLAN interfaces over physical ports.

/interface vlan
add name=vlan13 vlan-id=13 interface=ether13 comment="LINK C"

/ip address
add address=192.0.2.2/30 interface=vlan13

---

📌 Use Case — Isolating Departments

• VLAN 100 → Management
• VLAN 200 → Finance
• VLAN 300 → Guest Wi-Fi
• VLAN 400 → IP Cameras

Use MikroTik firewall rules to allow or deny communication between them.

---

🧠 Module Summary

• VLAN → Logical network segmentation
• Trunk → Port carrying multiple VLANs
• Access → Port for end-user device (1 VLAN)
• Tagged → Packet includes VLAN ID
• Untagged → Already assigned to VLAN

---

📘 Module 2 — Creating VLANs on Cisco Switch + MikroTik

🧠 Real Scenario

You’ve added a new internet link (Link C) via Ethernet to your Cisco switch.
You must deliver this link to MikroTik using VLAN 13.

You’ll need to:

• Create VLAN 13 on Cisco
• Allow it on the trunk port to MikroTik
• Create VLAN interface in MikroTik
• Assign public IP and routing

---

🎯 Setup Summary

Device	Task
Cisco Switch	Create VLAN, allow on trunk
MikroTik	Create /interface vlan, IP

---

🧪 Example Setup

• VLAN ID: 13
• Switch Port: Gi1/1/2
• MikroTik Port: ether13
• Public IP: 192.0.2.2/30
• Gateway: 192.0.2.1

---

🔧 Cisco Configuration

conf t
vlan 13
 name LINK_C
exit

interface Gi1/1/2
 description Trunk to MikroTik
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan add 13
 switchport mode trunk
exit

⚠️ Make sure the port is set to trunk mode.

---

🌐 MikroTik VLAN Configuration

/interface vlan
add name=vlan13 vlan-id=13 interface=ether13 comment="LINK C - VLAN 13"

/ip address
add address=192.0.2.2/30 interface=vlan13 comment="Public IP - LINK C"

✅ MikroTik now sees VLAN 13 as a normal interface.

---

📈 Connectivity Test (in MikroTik)

ping 192.0.2.1

✅ If it replies, the VLAN and trunk are working correctly.

---

💡 Use Clear Naming

Interface	Description
vlan10	Link A (VLAN 10)
vlan13	Link C (VLAN 13)
vlan20	Internal LAN

---

⚠️ Common Problems & Fixes

Symptom	Likely Cause	Solution
No ping to gateway	VLAN not in trunk	Check switchport trunk allowed
No MikroTik traffic	Wrong VLAN ID/port	Confirm VLAN + physical port
No public IP	PPPoE required	See Module 3 for config

---

🧠 Module Summary

• Create VLANs on the switch
• Allow them on trunk ports
• Use /interface vlan on MikroTik
• Assign IPs as if physical interface
• Use ping to test connectivity
• Use clear naming conventions

---

🔗 What’s Next?

This is just the beginning. Modules 3–7 cover:

• PPPoE
• Routing marks
• NAT & Mangle
• QoS
• Firewall security
• Real-world failover diagnostics

👉 Continue the full 7-module series on Medium