Hey there again! Emmanuel Corels from Emmanuel Corels Creatives, continuing our deep-dive into MikroTik’s powerful features. We’ve tackled routing protocols, VPNs, MPLS, VRRP for high availability, and more. But what about Layer 2? Specifically, how do we manage bridges and Spanning Tree Protocol (STP) to keep our switched networks clean and loop-free? Let’s jump right into advanced bridging on MikroTik!
What Is a Bridge in MikroTik?
A bridge essentially merges multiple network interfaces (ethernet, VLAN, wireless, etc.) into a single Layer 2 domain, acting like a virtual switch. This is super handy when you need devices on different physical ports to behave as if they’re all on the same LAN, or if you’re bridging a wireless AP with your LAN.
Key points to remember:
- You can create multiple bridges, each with its own set of ports.
- You can run services like DHCP, Hotspot, or firewall rules on top of a bridge interface, just like a normal interface.
Basic Bridge Creation
Let’s start with something simple—merging two ethernet ports into one logical interface:
- WinBox Method: Go to Bridge → Bridge, click the plus sign to create a new bridge (say, bridge-lan). Then under Bridge → Ports, add ether2 and ether3 to bridge-lan.
- CLI Method:
/interface bridge add name=bridge-lan
/interface bridge port add bridge=bridge-lan interface=ether2
/interface bridge port add bridge=bridge-lan interface=ether3
Now any devices on ether2 and ether3 share a single broadcast domain.
Spanning Tree Protocol (STP) Basics
Bridging multiple switches and routers can create loops, where broadcast traffic spins in circles forever. Spanning Tree Protocol prevents this by blocking redundant paths and ensuring only one loop-free path exists between any two points.
MikroTik supports various STP flavors:
- STP (802.1D): The original, slow to converge.
- RSTP (802.1w): Rapid STP, faster convergence, commonly used.
- MSTP (802.1s): Multiple Spanning Tree, can have multiple instances for different VLANs.
Usually, RSTP is a good default. It’s faster than classic STP and simpler than MSTP if you don’t need per-VLAN spanning trees.
Enabling RSTP on a Bridge
In recent RouterOS (v6 and v7), bridging with RSTP is handled in Bridge Settings:
- WinBox: Under Bridge → Settings, choose protocol-mode=rstp.
- CLI:
/interface bridge set bridge-lan protocol-mode=rstp
If you have multiple bridges, you can set protocol-mode individually for each. RSTP automatically exchanges BPDUs (Bridge Protocol Data Units) with other RSTP devices to figure out a loop-free topology.
Priority and Root Bridge
Spanning Tree elects a root bridge (the “boss” of the network). By default, the bridge with the lowest bridge ID (a combo of priority and MAC) becomes root. If you want a specific device to be root, lower its priority:
/interface bridge set bridge-lan priority=0x1000
(Valid increments are usually in steps of 4096 for STP priority, but MikroTik might let you set various values.)
Lower priority = more likely to be root. Being the root can help you control traffic flow and reduce path cost if this router is at the core of your network.
Port Roles, Port Cost, and Path Selection
Each bridge port in STP has a role—root port, designated port, or alternate/blocking port. RSTP calculates which ports forward traffic vs. which ones block. You can manually tweak port cost to influence path selection:
/interface bridge port set [find interface=ether3] path-cost=10
A lower cost makes that port more attractive as a forwarding path. This can help if you want a certain physical link to be the primary link and another to be the backup.
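The root election and port-role logic described in the last two sections, as an added example (not code from the original post or from RouterOS): a simplified spanning-tree calculation over a three-bridge ring. The bridge names, MAC addresses and costs are constructed, and port names stand in for numeric port IDs as the final tie-breaker.

```python
# Added example: simplified spanning-tree role calculation (not RouterOS code).
# Bridge names, MACs and costs below are constructed for illustration.
BRIDGES = {  # name: (priority, MAC)
    "core":  (0x1000, "02:00:00:00:00:30"),
    "edge1": (0x8000, "02:00:00:00:00:10"),
    "edge2": (0x8000, "02:00:00:00:00:20"),
}
RING = [  # each link end: (bridge, port, port path cost)
    (("core", "ether2", 10), ("edge1", "ether2", 10)),
    (("core", "ether3", 10), ("edge2", "ether2", 10)),
    (("edge1", "ether3", 10), ("edge2", "ether3", 10)),
]

def bridge_id(name, bridges):
    """Bridge ID = priority first, MAC as tie-breaker; lowest wins."""
    prio, mac = bridges[name]
    return (prio, int(mac.replace(":", ""), 16))

def both_ways(links):
    """Yield (receiving end, sending end) for each direction of each link."""
    for a, b in links:
        yield a, b
        yield b, a

def spanning_tree(bridges, links):
    root = min(bridges, key=lambda b: bridge_id(b, bridges))
    # Root path cost: the sender's cost plus the receiving port's path cost.
    cost = {b: 0 if b == root else float("inf") for b in bridges}
    for _ in bridges:
        for (rx, _, rx_cost), (tx, _, _) in both_ways(links):
            cost[rx] = min(cost[rx], cost[tx] + rx_cost)
    roles = {}
    for b in bridges:
        if b == root:
            continue
        # Root port: cheapest path, then lowest sender bridge ID, then port name
        # (real STP compares numeric port IDs; names are a simplification).
        best = min((cost[tx] + c, bridge_id(tx, bridges), tp, rp)
                   for (rx, rp, c), (tx, tp, _) in both_ways(links) if rx == b)
        roles[(b, best[3])] = "root"
    for a, b in links:
        # The end closer to the root (ties: lower bridge ID) is designated.
        des, other = sorted((a, b), key=lambda e: (cost[e[0]], bridge_id(e[0], bridges)))
        roles[(des[0], des[1])] = "designated"
        roles.setdefault((other[0], other[1]), "alternate")  # blocked backup
    return root, roles

if __name__ == "__main__":
    root, roles = spanning_tree(BRIDGES, RING)
    print("root:", root)
    for (bridge, port), role in sorted(roles.items()):
        print(f"{bridge:6} {port:7} {role}")
```

Raising the path cost on one uplink in RING and re-running shows the alternate port moving to that uplink, which is the primary/backup behaviour described above.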
Advanced: Per-VLAN Spanning Tree (MSTP)
If you’re dealing with multiple VLANs across multiple switches, you might want different VLANs to prefer different paths. MSTP can do that, creating multiple instances of STP inside the same network. Each instance handles a group of VLANs, potentially balancing load across different trunk links. MikroTik supports MSTP, but it’s more complex to set up—especially if you’re mixing with other vendors. Typically you configure:
- MST Region Name, revision, and an MST configuration table mapping VLANs to instances.
- Then each instance has a priority and can choose a different root or cost structure.
For many simpler networks, RSTP is enough. MSTP shines in large enterprise or service provider networks with dozens or hundreds of VLANs.
Bridge VLAN Filtering
In RouterOS 6.41+ and especially in v7, you have the option to do Bridge VLAN Filtering. This is a hardware-offloaded approach to manage VLANs on a bridge. You define which ports carry which VLAN tags, whether they’re tagged or untagged, and so on. Spanning Tree can operate in tandem with that, ensuring loops in your VLAN bridging are still prevented.
Example:
/interface bridge vlan add bridge=bridge-lan vlan-ids=10 tagged=ether2 untagged=ether3
Then RSTP or MSTP can handle blocking if there’s a loop on VLAN 10. Keep in mind bridging VLANs can get tricky if you have multiple trunk ports to different switches, so watch your STP states to avoid loops.
Common Pitfalls
- Protocol Mismatch: If your upstream switch is using MSTP but you’re on RSTP, they might not play nice. Typically, RSTP and MSTP can interoperate in a basic way, but advanced MSTP configs need both sides to match.
- Forgetting STP on All Switches: If some device doesn’t run STP or RSTP, loops can occur. Usually all bridging devices in the network must cooperate.
- Hidden Loops: If you have multiple bridges or multiple VLAN trunk links, watch carefully for loops at the VLAN level. Bridge VLAN filtering helps, but misconfiguration can lead to broadcast storms.
- Priority Values: Using random priority values can be messy. Stick to multiples of 4096 or 8192 for clarity.
- LACP vs. STP: If you use bonding (LACP) for link aggregation, STP sees that as one logical port. That’s usually good, but be aware of how your network might form loops if you do bonding in multiple places.
Verification and Monitoring
- /interface bridge print: Shows basic bridge settings, like protocol-mode.
- /interface bridge port print: Lists ports, their cost, and STP states (forwarding, blocking, etc.).
- /interface bridge monitor bridge-lan: Real-time info about STP root, root path cost, etc.
- In WinBox, Bridge → Ports tab can show “F” for forwarding, “B” for blocking, so you know which links are active.
If you see unexpected blocked ports, re-check your priority or port costs to see why RSTP is picking that path as a backup.
Real-World Examples
- Redundant Access Switches: Suppose you have two core switches and multiple edge switches, forming a ring. RSTP ensures only one path is active at a time, preventing broadcast loops.
- Wi-Fi + Wired: If a MikroTik device provides both Wi-Fi and ethernet and you want them bridged, STP can save you from accidental loops if someone cables your Wi-Fi AP back into the same LAN.
- Data Center with Multiple VLANs: MSTP can help you load-balance VLAN traffic across multiple links, ensuring no single trunk saturates if you have parallel links.
Summing It Up
Bridging is simple in concept—just link multiple interfaces into one broadcast domain—but scaling that to multiple switches and VLANs requires Spanning Tree Protocol to avoid havoc. MikroTik gives you a robust set of tools to manage bridging, from basic RSTP setups to advanced MSTP and VLAN filtering. A bit of planning goes a long way in ensuring a stable Layer 2 network.
Try it out step by step: create a test bridge, enable RSTP, connect two or three MikroTik devices in a loop, and watch them decide which ports to block. With practice, you’ll be orchestrating large loop-free bridging domains like a pro.
As always, keep learning, keep experimenting, and let me know how your bridging adventure unfolds. Until next time, happy networking!
Authored with clarity by
Emmanuel Corels – Admin, Emmanuel Corels Creatives