MikroTik CRS326-24G-2S+RM — 24-Port Gigabit Managed Switch with 2x10G SFP+ | The ASIC-Powered Dual-OS Switch That Delivers Professional 10G Performance at an Unmatched Price Point

The Switch That Proves Enterprise-Grade Performance and Professional Intelligence Do Not Have to Cost Enterprise Prices

In the world of professional network infrastructure, there has always existed a frustrating gap — the space between what network professionals genuinely need from a managed switch and what their available budget realistically permits them to deploy. Switches with dedicated switching ASICs delivering true non-blocking performance have traditionally sat behind price tags that reserve them for enterprise organisations with enterprise procurement budgets. Switches accessible to cost-conscious professional deployments have typically compromised somewhere — on forwarding performance, on feature depth, on uplink speed, or on management flexibility.

The MikroTik CRS326-24G-2S+RM was engineered to close that gap permanently.

Built on the same Marvell 98DX3236 dedicated switching ASIC that powers its more expensive siblings, the CRS326-24G-2S+RM delivers 52 Gbps of true non-blocking, hardware-accelerated Gigabit switching performance across 24 full-speed Ethernet ports, with two dedicated 10-Gigabit SFP+ uplink ports connecting your access layer to 10G distribution and core infrastructure at speeds that 1G uplink switches simply cannot match. Add the dual operating system architecture supporting both MikroTik SwOS for effortless switch management and full RouterOS for professional routing intelligence — and the result is a switch that competes with managed switching solutions at significantly higher price points across every specification that professionally matters.

No PoE. No unnecessary complexity. No compromises on the specifications that define switching performance, management intelligence, and uplink capability. Just 24 ports of clean Gigabit connectivity, two 10G SFP+ uplinks, a dedicated Marvell ASIC, and the complete MikroTik dual-OS ecosystem — in a 1U rackmountable chassis that belongs in the most demanding professional network environments.

For network architects, IT professionals, ISPs, managed service providers, and technically sophisticated organisations who understand exactly what they need and refuse to pay for what they do not — the CRS326-24G-2S+RM is the answer that MikroTik engineering has been building toward.

---

MikroTik CRS326-24G-2S+RM — Complete Technical Specifications

Every specification in the CRS326-24G-2S+RM reflects deliberate engineering choices that prioritise real-world performance over marketing headline numbers:

• Switching Chip: Marvell 98DX3236 — dedicated Layer 2+ switching ASIC for hardware-accelerated line-rate forwarding
• Management CPU: QCA8531 — 800 MHz ARM processor for SwOS and RouterOS management plane operations
• RAM: 512MB DDR3 — substantial management plane memory for routing tables, firewall rules, and OS operations
• Storage: 16MB NAND Flash — RouterOS and SwOS system storage with persistent configuration retention
• 24 x 10/100/1000 Mbps Gigabit Ethernet Ports — full auto-negotiating Gigabit connectivity on every downlink port
• 2 x 10G SFP+ Ports — dedicated 10-Gigabit fiber or DAC cable uplink and backbone connectivity
• PoE: None — clean non-PoE design for switching-only deployment scenarios
• Switching Capacity: 52 Gbps — full non-blocking wire-speed ASIC-accelerated forwarding architecture
• Forwarding Rate: 38.69 Mpps — near-maximum theoretical line-rate packet processing across all 26 ports
• MAC Address Table: 16,000 entries — hardware-maintained forwarding table for large, complex topologies
• Dual Operating System: MikroTik SwOS + RouterOS — switchable between operating systems based on deployment requirements
• RouterOS License: Level 5 — professional routing, tunnelling, VPN, and management capabilities included
• VLAN Support: IEEE 802.1Q — hardware-accelerated VLAN segmentation and trunking
• Spanning Tree: STP, RSTP, MSTP — complete loop prevention and rapid topology convergence
• Link Aggregation: IEEE 802.3ad LACP — bonded ports for bandwidth multiplication and redundancy
• ACL Support — hardware-accelerated access control lists at full switching line rate
• IGMP Snooping — intelligent multicast traffic management for bandwidth efficiency
• Port Mirroring (SPAN) — flexible traffic capture for monitoring and analysis
• 1U Rackmountable Form Factor — standard 19-inch rack deployment with included mounting hardware
• Operating Temperature: 0°C to +40°C — standard data centre and network closet ambient range
• Dimensions: 443 x 144 x 44mm — compact 1U depth for space-efficient rack installation
• Power Consumption: Approximately 18W typical — exceptionally energy-efficient operation for 24-port density

---

Why Non-PoE? The Strategic Case for the Right Switch for the Right Deployment

Paying Only for What Your Network Actually Needs

The absence of Power over Ethernet on the CRS326-24G-2S+RM is not an omission — it is a deliberate engineering and commercial decision that delivers compelling advantages for the substantial number of professional networking scenarios where PoE is neither required nor desirable:

Infrastructure Cost Efficiency PoE circuitry — the components required to deliver electrical power through Ethernet cables — adds measurable cost to every port on a managed switch. In deployments where connected devices have their own power supplies — servers, workstations, storage arrays, desktop computers, legacy network equipment, and managed switches — that PoE capability is paid for at every port but utilised at none of them. The CRS326-24G-2S+RM eliminates this cost entirely, delivering the switching performance and management intelligence that these deployments require at a price that reflects what they actually need.

Dedicated Distribution and Aggregation Layer Switching In multi-tier network architectures — where access layer switches provide PoE to endpoints and distribution or aggregation layer switches interconnect those access switches with uplinks to core routing — the distribution layer switch never needs PoE. Its purpose is high-speed, low-latency interconnection of access switches and upward connectivity to core infrastructure. The CRS326-24G-2S+RM is architecturally perfect for this role — delivering 24 Gigabit uplinks to access switches and 2x10G SFP+ connections to core routers with Marvell ASIC performance that makes it the fastest possible distribution layer switch at its price point.

Data Centre Server Switching In data centre environments, servers connect to top-of-rack switches via standard Ethernet without any PoE requirement — and paying for PoE capability on server-facing switch ports wastes infrastructure budget. The CRS326-24G-2S+RM serves as an efficient, high-performance top-of-rack or end-of-row server access switch — connecting 24 server management interfaces, IPMI/BMC ports, or dedicated 1G server NICs with Marvell ASIC throughput while maintaining 10G SFP+ uplinks to the data centre fabric.

Management and Out-of-Band Networks Dedicated management networks — connecting out-of-band management interfaces, IPMI/iDRAC/iLO ports, console servers, and network device management interfaces — do not require PoE on any connected port. A CRS326-24G-2S+RM dedicated to management network switching delivers the VLAN isolation, ACL security, and performance required without PoE budget complexity.

Mixed Infrastructure Environments Many professional network environments combine PoE-requiring endpoints (IP phones, APs, cameras) with non-PoE devices (servers, workstations, storage). Rather than provisioning expensive PoE-capable ports for every device regardless of need, a mixed deployment architecture — PoE access switches for powered device zones and CRS326-24G-2S+RM for non-PoE zones — delivers the optimal cost profile across the complete infrastructure.

Reduced Power Consumption and Heat Generation Without PoE power delivery circuitry operating, the CRS326-24G-2S+RM draws approximately 18 watts for its own operation — making it one of the most energy-efficient 24-port Gigabit switches available with 10G SFP+ uplinks. In rack environments where power and cooling budgets are constrained, this exceptional efficiency advantage is genuinely significant over PoE-capable alternatives drawing 50-80W before any PoE device power is factored in.

---

Marvell 98DX3236 Switching ASIC — The Hardware Foundation That Makes Everything Else Possible

The Same Professional ASIC. Applied to Pure Switching Perfection.

The architecture of the CRS326-24G-2S+RM begins and ends with the Marvell 98DX3236 dedicated network switching ASIC — the same silicon that powers the more expensive CRS328-24P-4S+RM and other professional switching platforms. This is not a software-switching architecture running on a general-purpose processor. It is not a budget ASIC with limited feature support. It is a purpose-built network forwarding chip designed from silicon up for professional Layer 2+ switching applications — and its presence in the CRS326-24G-2S+RM is the single most important reason this switch performs the way it does.

The Architectural Significance of a Dedicated Switching ASIC

In switches that process forwarding decisions on a general-purpose CPU — even a fast one — performance is variable, feature-dependent, and ultimately bounded by the CPU’s processing capacity. Enable VLANs, and the CPU processes tag operations. Enable ACLs, and the CPU evaluates rules against every packet. Enable IGMP snooping, and the CPU maintains the group membership table and makes multicast forwarding decisions. As features accumulate, CPU utilisation increases, and forwarding performance degrades — creating a switch whose advertised performance is achievable only in idealised, feature-free conditions that production networks never actually present.

The Marvell 98DX3236 eliminates this fundamental limitation by processing every forwarding decision — MAC table lookups, VLAN tag operations, spanning tree calculations, IGMP group tracking, ACL rule evaluation, and QoS queue assignment — entirely in dedicated hardware silicon at speeds that no software implementation can approach:

• 52 Gbps non-blocking switching fabric — every port simultaneously at full line rate, simultaneously, continuously, regardless of which features are enabled
• 38.69 Mpps forwarding rate — near-maximum theoretical 64-byte packet forwarding rate across the complete 26-port topology at line speed
• 16,000 entry MAC address table — maintained in ASIC hardware for microsecond lookup times without software table management overhead
• Hardware VLAN processing — 802.1Q tag insertion, removal, and lookup executed in silicon at full forwarding rate
• Hardware ACL evaluation — access control rules assessed in dedicated ASIC logic with zero throughput impact
• Hardware IGMP snooping — multicast group tracking and forwarding decisions in silicon without CPU involvement
• Hardware spanning tree — STP/RSTP/MSTP BPDU processing and port state management in ASIC

The practical consequence for your network: the CRS326-24G-2S+RM delivers its full 52 Gbps, 38.69 Mpps performance specification under real production conditions — with VLANs configured, ACLs active, IGMP snooping enabled, and MSTP running simultaneously — because every one of these functions executes in dedicated hardware rather than competing for software CPU resources.

This is the performance guarantee that distinguishes professional ASIC-based switching from software-processed alternatives — and it is the guarantee that makes the CRS326-24G-2S+RM the most cost-effective professionally-performing 24-port switch available to the budget-conscious but performance-uncompromising network architect.

---

52 Gbps Non-Blocking Switching Fabric — Full Line-Rate Performance Across Every Port

The Mathematical Certainty That Every Port Gets Its Full Gigabit — Always

The 52 Gbps non-blocking switching fabric of the CRS326-24G-2S+RM delivers a performance guarantee that transforms the way you think about your network’s capacity ceiling. Non-blocking means exactly what it states — there is no combination of simultaneous traffic flows across the 26 ports of this switch that creates internal switching fabric congestion, that causes one port to wait for another, or that reduces any port below its full rated throughput.

Consider what this means in a fully-utilised production environment:

24 Gigabit ports simultaneously carrying full 1 Gbps bidirectional traffic — 24 Gbps inbound and 24 Gbps outbound — combined with the 2x10G SFP+ uplinks carrying aggregate traffic at full 10 Gbps capacity simultaneously. Total simultaneous traffic demand: 52 Gbps of switching capacity required for every port at full line rate. Total switching capacity available: 52 Gbps. The match is exact — a true non-blocking architecture with zero oversubscription that delivers on the performance promise at every port simultaneously.

At 38.69 million packets per second, the CRS326-24G-2S+RM processes network traffic at near-maximum theoretical line rate for minimum 64-byte frames — the most demanding packet processing scenario — ensuring that high-frequency, high-connection-count workloads including VoIP signalling, DNS resolution, small-transaction database queries, and connection-intensive applications receive the full forwarding throughput their performance depends on.

Real-World Implications of Non-Blocking Architecture

• Server environments where multiple servers simultaneously transfer data to shared storage experience no throughput degradation from switch internal congestion — each server receives its full Gigabit at all times
• Distribution layer deployments where multiple upstream access switches simultaneously forward aggregated traffic experience no bottleneck at the distribution switch fabric level
• High-frequency trading and financial applications where consistent sub-millisecond switching latency is a commercial requirement benefit from the deterministic, congestion-free switching behaviour of the Marvell ASIC
• Video editing and media workflows where large file transfers must complete at full Gigabit speed without competing for switching resources with concurrent management and production traffic
• ISP subscriber access switching where many simultaneous subscriber sessions generate concurrent traffic flows requiring consistent, non-degrading forwarding performance

---

2 x 10G SFP+ Uplinks — The Uplink Architecture That Defines Network Performance Potential

Two 10-Gigabit Paths. Complete Connectivity Flexibility. Permanent Uplink Headroom.

The two dedicated 10-Gigabit SFP+ uplink ports of the CRS326-24G-2S+RM are the connectivity tier that determines the switch’s position in your network architecture — enabling 10G-speed connections to core routing infrastructure, distribution switching, server resources, and upstream connectivity that define the performance ceiling for everything connected through the 24 Gigabit access ports.

Why 10G Uplinks Matter Even for a 24-Port Gigabit Switch

The aggregation reality of 24 simultaneous Gigabit connections demands uplink bandwidth that Gigabit uplinks fundamentally cannot provide at scale. Twenty-four active Gigabit devices simultaneously transmitting to upstream resources theoretically demand 24 Gbps of upstream capacity. A single 1G uplink serves this demand with a catastrophic 24:1 oversubscription ratio — creating a persistent upstream bottleneck regardless of how capable the access switch itself is.

Two 10G SFP+ uplinks transform this equation entirely. A 2x10G LACP aggregate delivers 20 Gbps of upstream capacity — reducing the worst-case oversubscription to approximately 1.2:1 against theoretical maximum simultaneous demand, and eliminating uplink congestion as a practical concern under all but the most extreme simultaneous-transfer scenarios. For most real-world deployments where average utilisation across 24 ports is well below 100%, the 10G uplink capacity provides effectively unlimited upstream bandwidth headroom relative to actual traffic patterns.

Complete SFP+ Connectivity Options

Multi-Mode Fiber for In-Building 10G Connectivity Install MikroTik S+85DLC03D or compatible 850nm SFP+ transceivers for 10-Gigabit connections over OM3 multi-mode fiber at up to 300 metres, or OM4 at up to 400 metres — covering every in-building scenario from same-floor cross-room connections to inter-floor runs in multi-storey facilities, with complete immunity to electrical interference and ground loop issues that affect copper uplinks.

Single-Mode Fiber for Long-Distance 10G Connectivity Install MikroTik S+1310DLC03D or compatible 1310nm SFP+ transceivers for 10-Gigabit single-mode fiber connections at up to 10 kilometres — enabling the CRS326-24G-2S+RM to serve as a remote access switch connected to a central distribution or core switch over long-haul fiber infrastructure, extending 10G-speed access switching across campus and multi-building environments without performance compromise.

Direct Attach Copper for Same-Rack 10G Connections For connections within the same rack or between adjacent racks — to MikroTik CCR routers, core distribution switches, server 10G NICs, or NAS storage controllers — 10G SFP+ Direct Attach Copper (DAC) twinax cables provide cost-effective 10-Gigabit connectivity at distances up to 5-7 metres with near-zero latency and zero optical transceiver cost.

LACP-Bonded 10G for Bandwidth and Resilience Combine both SFP+ ports using IEEE 802.3ad LACP for a bonded 20 Gbps logical uplink with automatic failover — delivering doubled upstream bandwidth and eliminating the uplink as a single point of failure simultaneously. In the event of either physical 10G link failure, traffic automatically redistributes to the surviving link within milliseconds with zero manual intervention.

Architectural Uplink Separation Alternatively, use the two SFP+ ports as independent uplinks to different upstream infrastructure — one connecting to a primary core router or distribution switch and the second connecting to a secondary device, a directly-attached NAS array, or a dedicated server segment — creating flexible topologies that leverage both 10G paths for maximum architectural value simultaneously.

Direct Integration With MikroTik CCR Routers The CRS326-24G-2S+RM is architecturally designed as the natural switching companion to MikroTik Cloud Core Router platforms — connecting via DAC cable or SFP+ fiber from the CRS326’s uplink ports directly to the CCR’s SFP+ ports, creating a clean separation of routing and switching functions across two devices managed through a unified WinBox interface. A CCR2116-12G-4S+ paired with one or more CRS326-24G-2S+RM access switches represents the archetypal high-performance, cost-efficient MikroTik network architecture.

---

Dual Operating System — SwOS and RouterOS

The Management Flexibility That No Competing Switch in This Price Category Offers

The defining competitive advantage of the MikroTik CRS326-24G-2S+RM that no specification table fully captures is its dual operating system capability — the ability to run as either a professionally-managed Layer 2+ switch under SwOS or as a full routing and switching platform under RouterOS, switchable at any point as deployment requirements evolve.

MikroTik SwOS — Professional Switching Without Complexity

SwOS is MikroTik’s purpose-built switch operating system — a clean, browser-accessible management interface that exposes the complete capability of the Marvell 98DX3236 ASIC through one of the most intuitive managed switch interfaces available at any price point:

SwOS Management Capabilities

• Visual port status dashboard — real-time per-port link status, speed indication, and traffic statistics displayed in a clean grid layout providing instant operational visibility across all 26 ports
• Comprehensive VLAN management — create, name, and assign VLANs across access and trunk ports through a visual VLAN table interface with per-port tagged/untagged/excluded assignment
• Spanning tree configuration — STP, RSTP, and MSTP mode selection with per-port edge designation and guard configuration through the GUI
• LACP link aggregation — bonded group creation and member port assignment for 10G SFP+ uplink aggregation without command-line configuration
• IGMP snooping control — enable, configure, and monitor multicast group management across the switch through the SwOS interface
• Port mirroring setup — source and destination port selection for traffic capture configurations
• ACL rule configuration — access control entry creation through the SwOS rule interface
• Forwarding table inspection — view and flush the hardware MAC address forwarding table for network troubleshooting
• Bandwidth monitoring — per-port traffic rate graphs with configurable time windows for real-time utilisation visibility
• Firmware management — one-click firmware update through the SwOS interface with current version display and changelog access
• Statistics and counters — comprehensive per-port packet and error counters for network diagnostics

SwOS is the operating system that transforms the CRS326-24G-2S+RM into a professionally managed switch accessible to IT administrators without RouterOS expertise — delivering the hardware ASIC performance of the Marvell chip through a management interface that requires no specialised knowledge beyond standard network administration concepts.

MikroTik RouterOS — Complete Professional Network Intelligence

When deployment requirements expand beyond pure Layer 2 switching — when routing protocols, VPN connectivity, advanced security policy, traffic shaping, or sophisticated network services are required on the same hardware — RouterOS transforms the CRS326-24G-2S+RM from a managed switch into a full-featured routing and switching platform:

RouterOS Routing and Protocol Capabilities

• Static routing with policy-based route selection, multiple routing tables, and recursive route tracking for multi-path and failover scenarios
• OSPF (OSPFv2 and OSPFv3) for dynamic inter-VLAN and inter-network routing with full multi-area support, stub areas, and BFD integration
• RIP and RIPng for simple dynamic routing in legacy and straightforward environments
• BGP basic capabilities under Level 5 licensing for networks requiring external routing protocol integration at the access switching tier
• MPLS label switching with LDP for Layer 2 and Layer 3 VPN service construction

RouterOS VPN and Security Features

• IPsec site-to-site and remote access VPN with hardware-assisted cryptographic processing
• WireGuard native high-performance VPN in RouterOS v7 for modern encrypted connectivity
• L2TP/IPsec for Windows-native remote access VPN without additional client software
• OpenVPN for cross-platform VPN client compatibility
• GRE and EoIP tunnels for Layer 2 and Layer 3 network extension across IP infrastructure
• VXLAN Layer 2 network extension over Layer 3 for data centre and cloud connectivity scenarios
• Stateful firewall with connection tracking, NAT, and comprehensive rule-based packet filtering
• Connection rate limiting for per-source DoS mitigation and abuse prevention

RouterOS Network Services

• DHCP server and relay — integrated address management eliminating separate server infrastructure requirements
• DNS caching server with static entries and DoH (DNS over HTTPS) support in RouterOS v7
• NTP client and server — network time synchronisation service for connected devices
• SNTP client — simple network time synchronisation from public NTP infrastructure
• Bandwidth testing (BTest) — built-in throughput measurement between RouterOS devices for link performance validation

RouterOS Monitoring and Automation

• SNMP v1/v2c/v3 — comprehensive monitoring data exposure for NMS platform integration
• REST API — modern HTTP-based programmatic management in RouterOS v7
• RouterOS scripting — built-in scripting language for configuration automation and event-triggered management
• Scheduler — time-based script execution for maintenance window automation
• The Dude integration — network topology mapping and monitoring through MikroTik’s free network management application
• NETCONF — industry-standard network configuration protocol for enterprise automation
• Syslog — event logging to external syslog servers for centralised audit trails

RouterOS Performance Architecture Clarification When running RouterOS on the CRS326-24G-2S+RM, ASIC-accelerated hardware switching continues to operate for bridging and Layer 2 forwarding — maintaining the Marvell chip’s 52 Gbps performance for switched traffic. Layer 3 routing decisions, firewall processing, NAT, and advanced RouterOS features are handled by the management CPU. For deployments requiring simultaneous high-throughput routing and switching, the architecturally optimal approach pairs the CRS326 as the switching platform with a dedicated MikroTik CCR router handling routing and security policy — leveraging each device at its respective strength.

---

Advanced Managed Switch Features — Professional Intelligence in Hardware

The Feature Set That Separates Professional Switching From Basic Connectivity

The combination of the Marvell 98DX3236 ASIC and dual-OS software support equips the CRS326-24G-2S+RM with a managed feature set that justifies its professional designation across every capability dimension:

VLAN Architecture — Hardware-Accelerated Network Segmentation

The Marvell ASIC processes IEEE 802.1Q VLAN operations entirely in hardware — enabling complex multi-VLAN architectures to operate at full switching throughput without any performance penalty:

Port-Based VLAN Assignment Assign individual ports to specific access VLANs for untagged endpoint connectivity — connecting each device to its appropriate logical network segment transparently without requiring VLAN awareness on the endpoint device itself.

Tagged Trunk Configuration Configure SFP+ uplink ports and inter-switch connections as 802.1Q VLAN trunks carrying tagged traffic for multiple VLANs simultaneously — maintaining complete VLAN integrity across multi-switch topologies connecting the CRS326 to distribution switches, core routers, and other access switches.

Management VLAN Isolation Assign the switch management interface to a dedicated management VLAN — completely isolating switch administration traffic from all user data VLANs and ensuring the management interface remains accessible only through the designated management network path.

VLAN Filtering and Isolation Configure permitted VLAN lists on trunk ports — restricting which VLANs traverse specific inter-switch links and enforcing precise VLAN topology control across complex multi-switch deployments.

Typical CRS326-24G-2S+RM VLAN Deployment Architecture

For a distribution-layer deployment aggregating multiple access switches:

• VLAN 10 — Corporate Data (aggregated from downstream access switches)
• VLAN 20 — VoIP Traffic (QoS-tagged, priority-forwarded upward)
• VLAN 30 — Wireless Infrastructure Management
• VLAN 40 — Surveillance and Physical Security
• VLAN 50 — Guest and Visitor Access (internet-only)
• VLAN 60 — Server and Storage Infrastructure
• VLAN 70 — IoT and Building Automation
• VLAN 99 — Out-of-Band Switch Management

For a server-access deployment in a data centre:

• VLAN 100 — Production Server Traffic
• VLAN 200 — Storage Network (iSCSI or NFS)
• VLAN 300 — Management and IPMI/BMC Access
• VLAN 400 — Backup Traffic (rate-limited via QoS)
• VLAN 500 — Development and Testing Environments

Spanning Tree Protocol — Loop Prevention and Topology Resilience

IEEE 802.1D Classic Spanning Tree (STP) Foundational loop prevention for all network topologies incorporating the CRS326-24G-2S+RM alongside other switches — automatically computing the loop-free forwarding topology and blocking redundant paths that would otherwise create catastrophic broadcast storms propagating across the entire switching infrastructure.

IEEE 802.1w Rapid Spanning Tree (RSTP) Sub-second topology reconvergence following link failures — reducing recovery time from the 30-50 seconds of classic STP to typically under one second for most topologies. RSTP is essential in production environments where extended convergence delays create unacceptable service disruptions for active users and real-time applications during link failure events.

IEEE 802.1s Multiple Spanning Tree (MSTP) Per-VLAN spanning tree instance optimisation — enabling different VLAN groups to use different active uplink paths across physically redundant inter-switch connections. In a topology with two uplinks from the CRS326 to distribution switches, MSTP can route some VLANs through one uplink and other VLANs through the second — distributing traffic load across redundant paths rather than blocking one path entirely as classic STP would.

Port-Level STP Controls

• Edge port designation — rapid access port transition to forwarding state for directly-connected end devices, eliminating the 30-second STP delay on device connection events
• BPDU guard — automatic port disabling on edge ports receiving unexpected BPDUs from unauthorised switch connections
• Root guard — protection against rogue switches assuming the STP root bridge role in topologies where the CRS326 should maintain consistent root designation

Link Aggregation — Bandwidth and Resilience Combined

IEEE 802.3ad LACP Dynamic Aggregation Dynamic link aggregation with automatic member negotiation and failure detection — configurable on both the 10G SFP+ uplink ports and the Gigabit downlink ports for connections to servers, NAS arrays, or other devices supporting LACP:

• 2x10G SFP+ LACP aggregate — 20 Gbps bonded uplink to core router or distribution switch with automatic failover
• Gigabit port LACP aggregate — bonded 2G, 3G, or 4G connections to servers and high-demand infrastructure
• Flexible load balancing — configurable traffic distribution based on source/destination MAC, IP address, or Layer 4 port combinations for optimal aggregate member utilisation

Static Link Aggregation Manual aggregation configuration for connections to devices without LACP support — delivering the bandwidth multiplication benefit of bonded links in environments where dynamic LACP negotiation is unavailable.

Access Control Lists — Security Policy at Silicon Speed

The Marvell 98DX3236 ASIC evaluates ACL rules entirely in hardware — enforcing security policy at full 52 Gbps switching throughput with zero forwarding performance impact. This hardware-rate ACL processing is a capability that software-switching alternatives cannot credibly replicate under production traffic loads:

Layer 2 MAC Address ACLs

• Permit or deny traffic based on source and destination MAC addresses across any port or port group
• Block specific devices from communicating with protected switch ports or VLAN segments
• Enforce hardware address-based access policy independent of IP addressing for non-IP protocol traffic control

Layer 3 IP Address and Protocol ACLs

• Filter traffic based on source and destination IP address prefixes — blocking or permitting specific subnet-to-subnet communication paths across the switching fabric
• Protocol and port-based filtering — permit or deny specific IP protocols and TCP/UDP port numbers at hardware switching speed
• Combined Layer 2 and Layer 3 criteria for multi-parameter traffic classification rules

Practical ACL Security Applications

• Prevent specific server VLANs from being accessible from guest network VLANs while maintaining internet connectivity for guest users
• Block cross-department data access at the switching layer — enforcing that the Finance VLAN cannot communicate directly with the Engineering VLAN without traversing the firewall
• Restrict management VLAN access to specific authorised IP addresses — preventing unauthorised management access attempts from non-management VLANs
• Deny specific MAC addresses access to any switch port following a security incident — immediate device isolation without physical disconnection

IGMP Snooping — Bandwidth-Efficient Multicast Management

For networks transporting multicast traffic — IP surveillance streams to NVR storage, IPTV distribution, multicast-dependent application protocols, or multicast routing protocol traffic — the CRS326-24G-2S+RM’s hardware-accelerated IGMP snooping prevents the bandwidth waste of flooding multicast streams to every port simultaneously:

• IGMP v1, v2, and v3 snooping — comprehensive version support for all current multicast application types
• Hardware multicast forwarding table — group membership and forwarding decisions maintained in ASIC silicon for line-rate multicast distribution
• Querier functionality — IGMP querier role support for environments without a dedicated multicast router sending periodic membership queries
• Fast leave processing — immediate multicast forwarding cessation on ports where the last active group member sends a leave message
• Static multicast group entries — manual multicast forwarding configuration for non-IGMP-capable multicast applications

In a distribution layer deployment aggregating multiple access switches carrying surveillance traffic, IGMP snooping on the CRS326 ensures that NVR-destined multicast streams traverse only the uplink path toward the NVR — not flooding across every downlink to every access switch simultaneously, preserving bandwidth across the entire distribution tier.

Port Mirroring — Network Visibility and Traffic Analysis

Port Mirroring (SPAN) Configure any port or VLAN as a mirroring source — directing a complete copy of all transmitted, received, or bidirectional traffic to a designated analysis port connecting a network monitor, IDS sensor, packet capture workstation, or network analysis appliance:

• Single port mirroring — capture all traffic on any individual Gigabit or SFP+ port for focused per-link analysis
• Multiple source mirroring — aggregate mirrored traffic from several source ports to a single analysis destination for consolidated visibility
• VLAN mirroring — capture all traffic within a specific VLAN regardless of which physical ports carry that VLAN’s traffic
• Ingress, egress, or bidirectional — flexible capture direction selection for targeted traffic analysis

Port mirroring transforms the CRS326-24G-2S+RM into a platform for comprehensive network visibility — enabling Wireshark capture sessions, security incident investigation, application protocol analysis, bandwidth utilisation profiling, and IDS/IPS inline sensor integration from the switch infrastructure itself.

---

Management Interface — Three Paths to Complete Control

WinBox, WebFig, SwOS, SSH, and REST API — Every Administrator’s Preferred Interface

SwOS Web Interface — The Effortless Switch Management Experience

The SwOS management interface presents the CRS326-24G-2S+RM’s complete configuration through one of the most thoughtfully designed browser-based switch management interfaces available:

• Persistent session from any browser — Chrome, Firefox, Safari, and Edge on Windows, macOS, and Linux without application installation requirements
• Port grid dashboard — visual representation of all 26 ports showing link state, speed, duplex, and traffic rate at a glance
• VLAN table editor — spreadsheet-style VLAN configuration with per-port tagged/untagged/excluded designation across all VLANs simultaneously
• Real-time traffic graphs — per-port bandwidth utilisation visualisation with selectable time windows for trend analysis
• MAC address forwarding table — browse, search, and flush the hardware forwarding table for network topology investigation
• System information panel — CPU utilisation, temperature, uptime, firmware version, and system identity at a glance
• One-click firmware update — direct firmware upgrade from the SwOS interface with version verification and changelog display

MikroTik WinBox — Professional RouterOS GUI Management

When operating under RouterOS, WinBox provides MikroTik’s native Windows management application with complete RouterOS configuration access:

• MAC address direct connection — initial management access before IP configuration through direct Layer 2 connectivity
• Neighbours panel — automatic discovery and direct connection to all adjacent MikroTik devices on the network
• Complete RouterOS configuration tree — access to every RouterOS configuration element through a structured, hierarchical GUI
• Real-time interface traffic graphs — per-interface bandwidth monitoring with configurable averaging periods
• Multi-session support — manage multiple MikroTik devices simultaneously from a single WinBox instance
• Terminal window — integrated CLI access alongside GUI elements for mixed management workflows
• Available on Windows natively and Linux via Wine — broad platform accessibility for MikroTik administrators

SSH Command-Line Interface

For professional network engineers, scripted deployments, and automation workflows:

• Complete RouterOS configuration access through a structured, consistent command-line syntax
• Bulk configuration deployment through scripted CLI sequences for rapid multi-switch provisioning
• Ansible netmiko integration for automated configuration management through industry-standard automation frameworks
• Configuration export for complete router state backup and documentation
• Scheduled CLI execution through RouterOS scheduler for automated maintenance operations

REST API — Modern Programmatic Management in RouterOS v7

• Full HTTP/HTTPS-based configuration read and write through standard REST operations
• JSON data format for straightforward integration with Python, JavaScript, and other languages
• Integration with network orchestration platforms, monitoring systems, and custom management portals
• Webhook-compatible event notifications for automated response to network state changes

The Dude Network Monitor

MikroTik’s free The Dude network monitoring application discovers, maps, and monitors CRS326-24G-2S+RM units and all other MikroTik infrastructure automatically — providing network topology maps, device status monitoring, interface utilisation graphs, and configurable alerts for the complete MikroTik estate.

---

Where the MikroTik CRS326-24G-2S+RM Delivers Its Greatest Value

The Right Switch for the Right Deployment — Every Time

Distribution and Aggregation Layer Switching In multi-tier network architectures, the CRS326-24G-2S+RM serves as the distribution tier switch par excellence — aggregating uplinks from multiple access switches across its 24 Gigabit downlink ports and connecting to core routing infrastructure via 10G SFP+ uplinks. The Marvell ASIC delivers the non-blocking forwarding performance that distribution tier switching demands, while VLAN trunking, MSTP, and LACP provide the topology management and resilience that multi-switch deployments require.

ISP Subscriber Access Infrastructure Regional ISPs and community broadband operators deploy the CRS326-24G-2S+RM as a VLAN-per-subscriber access switch — connecting CPE uplinks or GPON OLT handoffs across 24 Gigabit ports with per-subscriber VLAN isolation providing complete customer traffic separation on shared physical infrastructure. Two 10G SFP+ uplinks connect to CCR routers for BGP-controlled internet transit and per-subscriber bandwidth management. The non-PoE design eliminates unnecessary cost in environments where no subscriber-facing PoE delivery is required.

Data Centre Top-of-Rack Server Switching Colocation facilities, private data centres, and server room operators deploy CRS326-24G-2S+RM switches as top-of-rack server access switches — connecting server 1G management interfaces, IPMI/BMC out-of-band management ports, and application server NICs across 24 Gigabit access ports. The 18W power consumption minimises PDU loading and cooling requirements, while 10G SFP+ uplinks connect to the data centre switching fabric at speeds appropriate for aggregated server management traffic. Multiple VLANs isolate production, management, storage, backup, and development traffic on a single physical ToR switch.

Management and Out-of-Band Network Infrastructure Dedicated management networks — connecting out-of-band management interfaces across server farms, switch estates, router platforms, and network appliances — benefit from the CRS326-24G-2S+RM’s combination of professional VLAN segmentation, ACL-enforced access control, and ASIC-level performance in a non-PoE package that optimally matches management port requirements. VLAN isolation between production management, emergency access, and monitoring interfaces provides security compartmentalisation across the management plane.

MikroTik Ecosystem Access Switching Organisations building comprehensive MikroTik network infrastructure — CCR2116 or CCR2004 core routers, CRS3xx distribution switches, and wireless access points — deploy the CRS326-24G-2S+RM as the non-PoE access layer switch for connectivity-only zones: server rooms, data closets, workstation areas with desk power, and infrastructure equipment aggregation points. The seamless RouterOS and WinBox management integration with CCR routers and other CRS switches makes the CRS326 a natural ecosystem fit managed through unified MikroTik tooling.

Network Laboratory and Testing Environments Research institutions, university computer science departments, IT training facilities, and professional network test labs deploy CRS326-24G-2S+RM switches as flexible, high-performance test environment switches — providing VLAN-segmented test network isolation, programmable ACL-based traffic filtering for scenario simulation, port mirroring for packet capture and analysis, and RouterOS-mode routing protocol support for dynamic routing topology testing. The dual-OS architecture enables rapid environment reconfiguration between simple switching and routing protocol test scenarios.

Enterprise Server Room and Infrastructure Switching Enterprise IT departments deploy CRS326-24G-2S+RM switches as infrastructure aggregation switches in server rooms and communications closets — connecting patch panels, UPS management interfaces, environmental monitoring equipment, console servers, and server management ports in a single professionally-managed switch with VLAN isolation, ACL security, and 10G uplink connectivity to the core network without requiring or paying for PoE on infrastructure-facing ports.

Wireless Service Provider (WISP) Backhaul Distribution WISPs aggregating multiple point-to-point backhaul links at distribution sites deploy CRS326-24G-2S+RM switches as backhaul aggregation switches — connecting sector backhaul radios and distribution links across 24 Gigabit ports with per-link VLAN isolation, traffic prioritisation, and 10G SFP+ uplinks to the regional network core. The RouterOS mode enables per-link bandwidth management and OSPF-based backhaul routing when switching sophistication alone is insufficient.

Managed Service Provider — Standard Client Access Switch MSPs standardising on MikroTik infrastructure for client deployments use the CRS326-24G-2S+RM as the standard non-PoE client access switch — deploying SwOS for straightforward client environments requiring simple managed switching and transitioning to RouterOS for clients requiring inter-VLAN routing, VPN connectivity, or advanced firewall policy at the access layer. A single hardware platform serving both deployment profiles reduces spare part complexity and enables consistent tooling across the MSP’s client portfolio.

---

The CRS326-24G-2S+RM vs CRS328-24P-4S+RM — Choosing the Right Switch for Your Deployment

Understanding When Each Platform Is the Optimal Choice

Both the CRS326-24G-2S+RM and CRS328-24P-4S+RM share the same Marvell 98DX3236 switching ASIC and dual-OS architecture — but differ in specifications that determine optimal deployment context:

Choose the CRS326-24G-2S+RM when:

• Your deployment does not require PoE power delivery on any of the 24 Gigabit ports — servers, workstations, distribution switching, infrastructure equipment
• Energy efficiency is a priority — 18W vs the CRS328’s 65W base consumption represents substantial operational savings at scale
• Budget optimisation is important — the non-PoE design is available at a meaningfully lower price point while delivering the same ASIC switching performance
• You need 10G uplinks but not 4 — two 10G SFP+ ports satisfy most distribution and aggregation tier uplink architectures efficiently
• The deployment is a data centre, server room, management network, or distribution layer — environments where PoE is categorically not required

Choose the CRS328-24P-4S+RM when:

• Your deployment powers PoE devices — wireless APs, IP cameras, VoIP phones, access control, or IoT devices requiring IEEE 802.3at power delivery
• The 500W PoE budget is needed for high-density powered device environments
• Four 10G SFP+ uplinks provide architectural advantages — additional redundancy paths, dedicated server uplinks, or higher aggregate uplink bandwidth

Both switches deliver identical Marvell ASIC switching performance, identical dual-OS flexibility, and identical Layer 2+ managed feature depth. The selection criterion is straightforward: if your ports power devices, choose the CRS328. If your ports only connect devices, choose the CRS326 and invest the savings in the infrastructure that your network actually needs.

---

Frequently Asked Questions About the MikroTik CRS326-24G-2S+RM

Q: Is it possible to add PoE capability to the CRS326-24G-2S+RM through accessories or adapters? No. The CRS326-24G-2S+RM has no PoE circuitry in its hardware design — it is a non-PoE switch by design, and PoE capability cannot be added through software, accessories, or configuration changes. For deployments requiring PoE power delivery, the CRS328-24P-4S+RM or another PoE-capable switch in the CRS series is the appropriate choice. Mid-span PoE injectors can be used upstream of the switch if PoE power delivery to specific devices is required without switching to a PoE-capable platform.

Q: What is the practical Layer 3 routing throughput when running RouterOS on the CRS326-24G-2S+RM? In RouterOS mode, Layer 2 bridging continues to leverage the Marvell ASIC at full hardware switching speed. Layer 3 routing decisions are processed by the QCA8531 management CPU at 800 MHz — meaning inter-VLAN routing throughput is substantially lower than the ASIC’s 52 Gbps capacity, typically in the range of several hundred Mbps for routed traffic depending on feature complexity. For deployments requiring high-throughput Layer 3 routing, pairing the CRS326 with a MikroTik CCR router — using the CRS326 for Layer 2 switching and the CCR for routing decisions — delivers optimal combined performance.

Q: Can I use the two SFP+ ports with 1G SFP transceivers instead of 10G SFP+? Yes — the SFP+ ports on the CRS326-24G-2S+RM are backwards compatible with standard 1G SFP transceivers including MikroTik S-31DLC20D and other 1G SFP modules. Installing a 1G SFP transceiver in an SFP+ port operates the link at 1 Gbps — useful when connecting to 1G-only upstream switches or routers that do not support 10G connectivity. For maximum value, 10G SFP+ transceivers or DAC cables are recommended to leverage the full 10-Gigabit capability of the uplink ports.

Q: How does transitioning between SwOS and RouterOS work, and what happens to my configuration? OS transition is initiated from the current OS management interface and requires a system reboot — accessible via the SwOS web interface or via the RouterOS system menu. SwOS and RouterOS use separate configuration stores — transitioning to RouterOS does not import SwOS VLAN or port configurations, and returning to SwOS does not import RouterOS configurations. Each OS boots with its own configuration, with SwOS retaining previous SwOS settings across OS transitions. Most administrators settle on one OS for their deployment, with transitions typically planned during configuration redesign events.

Q: What third-party SFP+ transceivers are compatible with the CRS326-24G-2S+RM? The CRS326-24G-2S+RM’s SFP+ ports are generally compatible with IEEE-compliant 10G SFP+ transceivers from major vendors in addition to MikroTik-branded modules. MikroTik’s CRS series has a historically accommodating attitude toward third-party optics compared to some competing switch platforms. For production-critical uplinks, MikroTik-branded or well-tested compatible transceivers from established vendors are recommended. Community testing results for specific third-party SFP+ modules on CRS series switches are extensively documented in the MikroTik Forum for reference.

Q: Does the CRS326-24G-2S+RM support SNMP monitoring for integration with PRTG, Zabbix, or LibreNMS? In RouterOS mode, full SNMP v1/v2c/v3 monitoring is supported — exposing per-port interface statistics, forwarding table data, system health metrics, and standard MIB objects to all compatible NMS platforms including PRTG, Zabbix, LibreNMS, Nagios, SolarWinds, and ManageEngine. In SwOS mode, basic SNMP support provides fundamental device monitoring. For comprehensive per-port traffic graphing, threshold-based alerting, and detailed interface statistics in NMS platforms, RouterOS mode provides the most complete SNMP implementation.

Q: What warranty does MikroTik provide on the CRS326-24G-2S+RM? MikroTik provides a 3-year limited hardware warranty covering manufacturing defects under normal operating conditions. RouterOS and SwOS software updates are provided at no additional charge throughout the product’s supported lifetime. MikroTik’s extensive online documentation, active community forum, and The Dude network monitoring application are all available without additional licensing or subscription fees.

Q: How many VLANs can the CRS326-24G-2S+RM support simultaneously? The Marvell 98DX3236 ASIC supports up to 4,096 VLAN IDs (the complete IEEE 802.1Q address space) with a hardware VLAN table that accommodates the VLANs actively configured on the switch. For practical deployments — even complex ISP or enterprise implementations requiring hundreds of VLANs — the ASIC’s VLAN capacity is effectively unlimited relative to real-world requirements. Both SwOS and RouterOS expose full VLAN range configuration through their respective management interfaces.

Q: Is the CRS326-24G-2S+RM appropriate for high-density surveillance network switching? Yes — particularly for surveillance networks where cameras and NVRs are already powered by separate power infrastructure and only data connectivity is required from the switch. The Marvell ASIC’s hardware IGMP snooping is specifically valuable in surveillance deployments, efficiently directing multicast camera streams to NVR ports without flooding all switch ports with video data. VLAN isolation separates surveillance traffic from other network segments, and ACLs restrict camera access to NVR-only communication paths. For surveillance networks also requiring camera PoE power, the CRS328-24P-4S+RM with its 500W PoE budget is the more appropriate choice.

---

The Bottom Line — Why the MikroTik CRS326-24G-2S+RM Is the Professional Network Architect’s Most Intelligent Switching Investment

The professional networking market contains many switches that claim to deliver performance, intelligence, and value simultaneously. Very few deliver all three without a hidden compromise — the capable switch that costs enterprise pricing, the affordable switch that performs adequately but lacks professional feature depth, the feature-rich switch that struggles under real-world traffic loads.

The MikroTik CRS326-24G-2S+RM makes no such hidden compromises. It delivers the Marvell 98DX3236 ASIC’s 52 Gbps non-blocking hardware switching performance — the same silicon as switches at significantly higher price points — without a performance asterisk. It delivers the complete dual-OS flexibility of SwOS and RouterOS — enabling both effortless switch management and professional routing intelligence in the same hardware — without a software licensing surcharge. It delivers two dedicated 10-Gigabit SFP+ uplinks that eliminate aggregation bottlenecks and connect the switch to 10G backbone infrastructure — without the PoE hardware cost that deployments not requiring device power have no reason to pay for.

For every network architect who has looked at professional ASIC-based switching platforms and wondered why the hardware required to achieve genuine non-blocking performance at line rate costs what it costs — the CRS326-24G-2S+RM is MikroTik’s answer. The Marvell ASIC is here. The 10G uplinks are here. The dual-OS flexibility is here. The professional feature set is here. And the investment required to deploy it — for 24 ports of non-blocking Gigabit switching with two 10G SFP+ uplinks, hardware ACLs, MSTP, LACP, IGMP snooping, and complete dual-OS management — represents the most compelling value proposition in the professional managed switch market today.

• ✅ 24 x Gigabit Ethernet ports — full line-rate connectivity for every connected device simultaneously
• ✅ 2 x 10G SFP+ uplinks — 20 Gbps of LACP-bonded or independent high-speed backbone connectivity
• ✅ Marvell 98DX3236 dedicated switching ASIC — hardware-accelerated forwarding that never degrades under feature load
• ✅ 52 Gbps non-blocking switching fabric — mathematical guarantee of simultaneous full-rate operation at every port
• ✅ 38.69 Mpps forwarding rate — near-maximum theoretical line-rate packet processing across all 26 ports
• ✅ 16,000 MAC address table — hardware-maintained forwarding for the most complex network topologies
• ✅ Dual SwOS + RouterOS operating system — effortless switch simplicity or professional routing intelligence, switchable on demand
• ✅ RouterOS Level 5 license — routing protocols, VPN, firewall, traffic shaping, and automation included
• ✅ Hardware-accelerated ACLs — security policy enforcement at 52 Gbps with zero forwarding performance impact
• ✅ Hardware IGMP snooping — intelligent multicast management for surveillance and video environments
• ✅ Full STP/RSTP/MSTP — complete loop prevention with sub-second convergence for multi-switch topologies
• ✅ IEEE 802.3ad LACP — bonded 10G uplinks to 20 Gbps with automatic failover resilience
• ✅ Port mirroring (SPAN) — flexible traffic capture for monitoring, analysis, and security investigation
• ✅ 18W typical power consumption — exceptional energy efficiency for 24-port 10G-uplink switching
• ✅ WinBox, WebFig, SwOS, SSH, REST API — complete management flexibility for every administrator preference
• ✅ 1U rack-mountable compact chassis — professional rack deployment in 443 x 144 x 44mm footprint
• ✅ MikroTik 3-year hardware warranty — hardware protection backed by the world’s most active networking community

Order the MikroTik CRS326-24G-2S+RM today — and deploy the 24-port managed switch that professional network architects choose when they refuse to pay for what they do not need and refuse to compromise on what they do. Marvell ASIC performance. Dual-OS intelligence. 10-Gigabit uplinks. Professional feature depth. At the price point that makes it the most strategically intelligent switching investment in the non-PoE 24-port category — today, and for every year of network growth that follows.