MikroTik CRS328-24P-4S+RM — 24-Port Gigabit PoE+ Switch with 4x10G SFP+ | The Dual-OS Smart Switch That Bridges the Gap Between Switching and Routing

The Switch That Refuses to Choose Between Simplicity and Power — Delivering Both, Simultaneously, Without Compromise

In professional networking, the most persistent tension is between simplicity and capability. Simple switches are easy to manage but limited in intelligence. Full-featured routers are endlessly capable but demand expertise and complexity that many deployments neither need nor can sustain. For years, network architects have been forced to choose one or the other — accepting limitations in whichever direction they did not select.

The MikroTik CRS328-24P-4S+RM was engineered to end that compromise entirely.

As the most capable entry in MikroTik’s acclaimed Cloud Router Switch series at this port density, the CRS328-24P-4S+RM combines the hardware foundation of a professional 10-Gigabit backbone switch — featuring a Marvell 98DX3236 dedicated switching ASIC, 128 Gbps non-blocking switching fabric, 24 Gigabit PoE+ ports, four dedicated 10G SFP+ uplink ports, and an industry-leading 500-watt PoE power budget — with the software flexibility of dual operating system support. Run it as a sophisticated Layer 2+ switch under MikroTik SwOS for effortless simplicity. Run it as a full RouterOS Layer 3 routing and switching platform for professional-grade network intelligence. Or leverage both operating systems across different deployment phases as your network requirements evolve.

No other switch at this price point delivers this combination of raw PoE power, 10G uplink performance, dedicated ASIC-accelerated switching throughput, and the flexibility to operate as both a managed switch and a routing-capable network platform.

This is the switch that growing networks, demanding IT professionals, and ambitious organisations choose when they refuse to accept the traditional trade-off between what is manageable and what is possible.

---

MikroTik CRS328-24P-4S+RM — Complete Technical Specifications

The specifications of the CRS328-24P-4S+RM tell the story of a switch engineered with professional intent at every level of its architecture:

• Switching Chip: Marvell 98DX3236 — dedicated Layer 2+ switching ASIC for hardware-accelerated forwarding
• Management CPU: QCA8531 — 800 MHz ARM processor for SwOS and RouterOS management plane operations
• RAM: 512MB DDR3 — substantial management plane memory for routing tables, firewall rules, and OS operations
• Storage: 16MB NAND Flash — RouterOS and SwOS system storage with configuration retention
• 24 x 10/100/1000 Mbps PoE+ RJ45 Ports — IEEE 802.3at compliant, up to 30W per port
• 4 x 10G SFP+ Ports — dedicated 10-Gigabit fiber or DAC cable uplink connectivity
• Total PoE Power Budget: 500W — the largest PoE budget in its class, industry-leading for 24-port density
• Switching Capacity: 128 Gbps — full non-blocking wire-speed ASIC-accelerated forwarding architecture
• Forwarding Rate: 95.23 Mpps — near-maximum line-rate packet processing across all 28 ports
• MAC Address Table: 16,000 entries — accommodates large, complex, device-dense network environments
• Dual Operating System Support: MikroTik SwOS + RouterOS — switch between operating systems based on deployment requirements
• RouterOS License: Level 5 — advanced routing, tunnelling, and management capabilities
• VLAN Support: IEEE 802.1Q — comprehensive hardware-accelerated VLAN segmentation
• Spanning Tree: STP, RSTP, MSTP — complete loop prevention and rapid convergence
• Link Aggregation: IEEE 802.3ad LACP — bonded ports for bandwidth multiplication and redundancy
• ACL Support — hardware-accelerated access control lists for line-rate security policy enforcement
• IGMP Snooping — intelligent multicast traffic management for bandwidth optimisation
• 1U Rackmountable Form Factor — standard 19-inch rack deployment with included mounting hardware
• Operating Temperature: 0°C to +40°C — standard data centre and network closet ambient range
• Dimensions: 443 x 270 x 44mm — standard 1U depth for conventional rack environments
• Power Consumption: Up to 65W (excluding PoE delivery) — efficient management plane operation

---

The Dual OS Advantage — SwOS and RouterOS in a Single Switch

The Most Strategically Flexible Switch Platform Available to Professional Network Architects

What fundamentally differentiates the MikroTik CRS328-24P-4S+RM from every competitor at its price point is not any single hardware specification — it is the dual operating system architecture that gives every deployment of this switch a capability ceiling far higher than the hardware alone would suggest.

The CRS328-24P-4S+RM ships capable of running either SwOS or RouterOS — and the choice between them is not permanent, not irrevocable, and not determined by licensing. It is an operational decision made by the network administrator, changeable at any time the network’s requirements evolve:

MikroTik SwOS — Pure Switching Simplicity at Professional Speed

SwOS (Switch Operating System) is MikroTik’s purpose-built, switch-optimised operating system designed to expose the full capability of the Marvell 98DX3236 switching ASIC through an exceptionally clean, browser-based management interface that requires no RouterOS expertise, no command-line knowledge, and no complex configuration wizardry:

• Intuitive web-based GUI — configure VLANs, port isolation, spanning tree, LACP, IGMP snooping, and mirroring through a visual, point-and-click interface accessible from any browser
• Hardware ASIC-accelerated switching — SwOS exposes the full forwarding capability of the Marvell ASIC, delivering 128 Gbps non-blocking performance for all switching operations
• VLAN management — comprehensive port-based and 802.1Q tagged VLAN configuration with trunk and access port assignments
• Port mirroring — traffic capture and analysis configuration for network monitoring and troubleshooting
• LACP link aggregation — bonded uplink configuration for bandwidth and redundancy
• STP/RSTP loop prevention — automatic spanning tree configuration for multi-switch deployments
• IGMP snooping — intelligent multicast traffic management for video and surveillance environments
• ACL rule implementation — access control for traffic filtering at hardware line rate
• Zero CLI requirement — complete professional switch management through the browser interface alone

SwOS is the operating system of choice when the CRS328-24P-4S+RM is deployed as a pure access or distribution layer switch — where the requirement is for high-performance, intelligently managed Layer 2+ switching without the complexity of a full routing operating system. It is also the preferred choice for IT teams whose expertise lies in switch management rather than MikroTik RouterOS administration.

MikroTik RouterOS — Full Professional Routing and Switching Intelligence

When the network demands more than switching — when routing protocols, VPN connectivity, advanced firewall policy, traffic shaping, or sophisticated Layer 3 intelligence are required on the same hardware — the CRS328-24P-4S+RM switches to RouterOS, transforming from a managed switch into a routing-capable network platform:

• Layer 3 routing — static routes, OSPF, RIP, and BGP (with Level 5 license capabilities) for inter-VLAN and inter-network routing directly on the switch hardware
• Advanced VLAN architecture — router-on-a-stick configurations, inter-VLAN routing, and complex VLAN bridging with RouterOS’s flexible bridging engine
• Firewall and NAT — stateful packet inspection, connection tracking, and NAT implementation at the switch level for edge security policy enforcement
• Traffic shaping and QoS — RouterOS queue trees and traffic shaping policies for bandwidth management per-port, per-VLAN, or per-IP address range
• IPsec VPN — encrypted tunnel connectivity for secure site-to-site and remote access scenarios
• WireGuard — modern high-performance VPN in RouterOS v7 for secure overlay connectivity
• DHCP server and relay — integrated DHCP services without requiring a separate server infrastructure
• DNS caching — local DNS resolution and caching for improved client DNS performance
• Scripting and automation — RouterOS scripting language and REST API for configuration automation and event-triggered management operations
• SNMP monitoring — comprehensive SNMP exposure for integration with network monitoring platforms
• CAPsMAN — centralised wireless management for MikroTik access points deployed throughout the network

The operating system transition between SwOS and RouterOS is accomplished through the management interface — requiring a reboot but no hardware changes, no additional licensing purchase, and no physical modification to the switch. This architectural flexibility means the CRS328-24P-4S+RM adapts to your network’s requirements as they evolve, rather than requiring hardware replacement when those requirements outgrow a simpler switch platform.

---

Marvell 98DX3236 Switching ASIC — The Hardware Engine That Makes 128 Gbps Real

Dedicated Silicon for Dedicated Switching Performance

The switching performance of the CRS328-24P-4S+RM is not the product of a software routing engine processing packets on a general-purpose CPU — it is delivered by the Marvell 98DX3236 dedicated switching ASIC, a purpose-built network forwarding chip that processes Layer 2 and Layer 3 switching decisions entirely in silicon at speeds that software processing cannot approach.

Why Dedicated Switching ASIC Architecture Matters

In consumer and low-end managed switches, switching decisions are often partially or wholly processed by a general-purpose CPU — creating a scenario where performance degrades as traffic volume increases and where features like ACLs, VLAN processing, and IGMP snooping consume CPU cycles that compete with switch management functions. The result is a switch whose advertised performance is achievable only under idealised conditions, not under the real-world mixed-traffic loads of production environments.

The Marvell 98DX3236 eliminates this compromise entirely. As a dedicated network switching ASIC, it processes every forwarding decision — MAC table lookups, VLAN tag insertion and removal, spanning tree calculations, IGMP group tracking, ACL rule evaluation, and QoS queue assignment — entirely in hardware at silicon speed, consuming zero CPU resources and maintaining performance consistently regardless of traffic volume, feature complexity, or management load:

• 128 Gbps non-blocking switching fabric — mathematical guarantee of simultaneous full-speed operation across all 28 ports without internal congestion
• 95.23 Mpps forwarding rate — near-maximum theoretical line-rate packet processing at 64-byte minimum frame size
• 16,000 MAC address table — hardware-maintained forwarding table supporting large, complex network topologies without software lookup overhead
• Hardware VLAN processing — VLAN tag operations executed in ASIC at line rate without CPU involvement
• Hardware ACL enforcement — access control rules evaluated in dedicated ASIC logic at full forwarding speed with zero throughput impact
• Hardware IGMP snooping — multicast group membership tracking and forwarding decisions executed in silicon

The practical consequence for your network: the CRS328-24P-4S+RM delivers its full 128 Gbps, 95.23 Mpps performance specification under real-world production conditions — with VLANs configured, ACLs active, IGMP snooping enabled, and STP running simultaneously — because all of these functions execute in dedicated hardware rather than competing for software processing resources.

---

500W PoE Budget — The Most Generous PoE Power Allocation in Its Class

Half a Kilowatt of Intelligent Power Delivery Across 24 Ports

The 500-watt total PoE+ power budget of the MikroTik CRS328-24P-4S+RM is the specification that most immediately distinguishes this switch from competitors at similar price points — and its operational impact is transformative for organisations deploying high-density powered device ecosystems across all 24 Gigabit ports simultaneously.

At an average of nearly 21 watts per port available across the full 24-port population, the CRS328-24P-4S+RM provides one of the most generous per-port PoE allocations available in the 24-port managed switch category — enabling full deployment of demanding PoE devices across every port without budget contention, power rationing, or device prioritisation compromises.

Understanding 500W in Real-World Deployment Context

The 500W PoE budget transforms what is achievable in a single-switch 24-port deployment. Consider the practical power consumption of common business PoE device categories and what 500W enables simultaneously:

A deployment of twelve Wi-Fi 6E access points drawing 20W each consumes 240W — leaving 260W available for the remaining 12 ports to power VoIP phones at 6W each (72W for 12 phones), IP cameras at 10W each (remaining capacity for 18 cameras on remaining ports), or any combination of access control devices, IoT sensors, and digital signage players. The 500W ceiling means that even high-draw device combinations across all 24 ports remain achievable without complex power budget engineering.

The Complete PoE-Powered Device Ecosystem at 500W Capacity

Enterprise Wi-Fi 6 and Wi-Fi 6E Access Points Power the most demanding enterprise wireless access points — including high-performance Wi-Fi 6E APs drawing up to 25-30W each — from every available port simultaneously. With 500W available across 24 ports, even a full deployment of maximum-draw Wi-Fi 6E access points across every port remains within budget, enabling wireless infrastructure density that lower-budget switches cannot support without power-disabling ports.

IP Surveillance — High-Resolution and PTZ Cameras Power a complete IP surveillance deployment including HD, 4K fixed cameras, and power-hungry PTZ cameras with motorised pan, tilt, and zoom mechanisms drawing up to 25W each across multiple switch ports — with sufficient budget to maintain full simultaneous operation without camera power cycling or surveillance gaps.

VoIP Telephony Deployment Power a complete 24-handset VoIP telephone deployment across all downlink ports at typical 5-7W per phone consumption — consuming only 120-168W of the 500W budget and leaving over 330W available for concurrent wireless, surveillance, and IoT device power delivery on the same switch.

High-Density Mixed Deployment Architecture The true power of the 500W budget emerges in mixed-device environments where multiple device categories — wireless APs, VoIP phones, cameras, access control, digital signage, and IoT sensors — are distributed across 24 ports with varying individual power requirements. At 500W total capacity, most realistic mixed deployments operate comfortably within budget without careful per-port power rationing, enabling network architects to focus on connectivity design rather than power budget engineering.

Smart Building and IoT Infrastructure Power the growing ecosystem of intelligent building devices — occupancy sensors, environmental monitors, smart HVAC controllers, digital clock systems, building automation endpoints, emergency lighting controllers, and industrial IoT gateways — from a single switch delivering both data connectivity and centralised power management for the complete building automation estate.

Physical Security and Access Control Connect and power electronic door access controllers, biometric terminals, video intercoms, turnstile control units, and card readers throughout your facility — creating a unified data and power infrastructure for physical security systems that eliminates separate power circuit installation at every access control mounting location.

MikroTik PoE Management Intelligence: Both SwOS and RouterOS expose per-port PoE control — enabling administrators to enable or disable PoE on individual ports, set per-port power limits, monitor real-time power consumption per device, and remotely reboot connected PoE devices through power cycling from the management interface. This granular control is essential for efficient 500W budget management across high-density deployments.

---

4 x 10G SFP+ Ports — High-Speed Uplink Architecture at the Heart of Your Network

The 10-Gigabit Connectivity That Transforms the CRS328 From Access Switch to Network Backbone

The four dedicated 10-Gigabit SFP+ uplink ports of the CRS328-24P-4S+RM elevate this switch from a capable access layer device into a genuine network backbone and distribution tier platform — enabling high-speed connections to core routing infrastructure, data centre switching fabric, server infrastructure, and upstream connectivity that define the performance ceiling of everything connected below.

10G Fiber Optic Uplinks — Speed, Distance, and Interference Immunity

Short-Range Multi-Mode Fiber Install MikroTik S+85DLC03D or compatible IEEE-compliant 850nm SFP+ transceivers for 10-Gigabit connections over OM3 multi-mode fiber at distances up to 300 metres, or OM4 at up to 400 metres — covering every in-building scenario from floor-to-floor connections to runs between adjacent buildings with complete immunity to electrical interference.

Long-Range Single-Mode Fiber Install MikroTik S+1310DLC03D or compatible 1310nm SFP+ transceivers for 10-Gigabit single-mode fiber connections at distances up to 10 kilometres — enabling the CRS328-24P-4S+RM to serve as an access switch connected to a remote distribution or core switch over existing long-haul fiber infrastructure, extending 10G access layer performance across campus and multi-building environments.

Direct Attach Copper (DAC) for Same-Rack Connections For connections within the same rack or between adjacent racks — to MikroTik CCR2116 or CCR2004 routers, core switches, server 10G NICs, or storage array controllers — 10G SFP+ DAC twinax cables provide cost-effective 10-Gigabit connectivity at distances up to 5-7 metres with near-zero latency and zero optical transceiver cost.

LACP-Bonded 10G Uplinks — Bandwidth Multiplication With Built-In Resilience Combine SFP+ ports using IEEE 802.3ad LACP to create bonded logical uplinks:

• 2x10G LACP — 20 Gbps aggregate with dual-path failover redundancy
• 4x10G LACP — 40 Gbps aggregate delivering maximum upstream bandwidth with four-path resilience
• Mixed configurations — 2-port LACP to primary core router plus 2 independent uplinks to secondary infrastructure and dedicated server connections simultaneously

Direct Connection to MikroTik CCR Routers The CRS328-24P-4S+RM is architecturally designed to serve as the perfect switching companion to MikroTik’s Cloud Core Router series — including the CCR2116-12G-4S+ covered earlier in this catalogue. Connect the CRS328’s SFP+ uplinks directly to the CCR2116’s SFP+ ports via DAC cables or fiber — creating a combined routing and switching infrastructure where the CCR handles L3 routing, BGP, IPsec, and WAN management while the CRS328 provides the 24-port PoE+ access layer and 10G distribution tier in a clean two-device architecture.

---

VLAN Architecture — Hardware-Accelerated Network Segmentation

Logical Network Design at the Speed of Silicon

The CRS328-24P-4S+RM’s Marvell ASIC implements IEEE 802.1Q VLAN processing entirely in hardware — enabling complex multi-VLAN network architectures to operate at full switching line rate without any performance penalty for VLAN tag insertion, removal, or lookup operations:

Port-Based VLAN Assignment Assign each of the 24 Gigabit ports to specific access VLANs — defining which network segment each connected device joins without requiring individual device configuration. Untagged access port assignment is automatic and transparent to connected endpoints, enabling consistent VLAN deployment across devices that are not VLAN-aware.

802.1Q Tagged Trunking Configure 10G SFP+ uplink ports and inter-switch connections as VLAN trunks carrying tagged traffic for multiple VLANs simultaneously — maintaining VLAN integrity across multi-switch topologies with full 802.1Q compliance on every trunk interface.

Typical CRS328 VLAN Architecture Examples

Corporate Office Deployment:

• VLAN 10 — Staff Workstations and Laptop Docking Stations
• VLAN 20 — VoIP Telephony (QoS-prioritised)
• VLAN 30 — Wireless Infrastructure Backhaul (AP management and client traffic)
• VLAN 40 — IP Surveillance (dedicated NVR bandwidth allocation)
• VLAN 50 — Guest Wi-Fi (internet-only, isolated from corporate resources)
• VLAN 60 — IoT and Building Automation
• VLAN 70 — Server and NAS Infrastructure
• VLAN 99 — Switch Management (isolated from all user data VLANs)

ISP and Service Provider Access Deployment:

• Per-customer VLANs for subscriber isolation in multi-tenant environments
• Management VLAN for network device administration
• Infrastructure VLAN for uplink and routing protocol traffic
• Out-of-band management VLAN for emergency access

The CRS328-24P-4S+RM’s hardware ASIC supports the VLAN complexity that professional network segmentation demands — without the performance degradation that software-processed VLAN architectures impose under high traffic loads.

---

Spanning Tree — Loop Prevention and Network Resilience

Automatic Topology Management for Multi-Switch Professional Networks

The CRS328-24P-4S+RM implements the complete suite of IEEE spanning tree protocols — ensuring that complex multi-switch topologies incorporating the CRS328 as an access or distribution switch remain loop-free, stable, and resilient to link failures:

IEEE 802.1D Classic STP Foundational loop prevention for any network topology where the CRS328 connects to other switches — automatically calculating the loop-free forwarding topology and blocking redundant paths that would otherwise create devastating broadcast storms.

IEEE 802.1w Rapid Spanning Tree (RSTP) Sub-second topology reconvergence following link failures — critical in production environments where extended STP convergence times create unacceptable connectivity disruptions for active users and real-time applications. RSTP reduces convergence from the 30-50 seconds of classic STP to typically under 1 second for most topologies.

IEEE 802.1s Multiple Spanning Tree (MSTP) Per-VLAN spanning tree instance optimisation for complex multi-VLAN deployments — enabling different VLANs to use different active uplinks for load distribution across redundant inter-switch connections, eliminating the bandwidth waste of a single active uplink path in spanning tree topologies with physical link redundancy.

Edge Port and Guard Features

• Edge port (PortFast equivalent) — rapid transition to forwarding state for access ports connecting end devices, eliminating the 30-second STP delay on device connection
• BPDU guard — automatic port disabling on access ports that receive unexpected BPDU frames from unauthorised switch connections
• Root guard — protection against rogue switches assuming the STP root bridge role in topologies anchored by the CRS328

---

Link Aggregation — Multiplying Bandwidth With Built-In Redundancy

Bonded Connections That Deliver More Than the Sum of Their Parts

The CRS328-24P-4S+RM supports IEEE 802.3ad LACP link aggregation across both its Gigabit downlink ports and 10G SFP+ uplink ports — enabling bonded logical connections that simultaneously increase bandwidth capacity and eliminate single physical links as points of failure:

10G SFP+ Port Aggregation Bond two, three, or all four 10G SFP+ ports into LACP aggregates for upstream connectivity:

• 2x10G aggregate (20 Gbps) to a core router or distribution switch — doubling uplink bandwidth while providing automatic failover if either physical link fails
• 4x10G aggregate (40 Gbps) for maximum uplink capacity — eliminating uplink as a performance constraint even under simultaneous maximum-load traffic from all 24 access ports

Gigabit Port Aggregation Bond multiple Gigabit downlink ports for connections to servers, NAS arrays, or other devices requiring bandwidth beyond a single Gigabit link — delivering 2, 3, or 4 Gbps bonded connections to high-demand infrastructure endpoints.

Mixed Aggregation Architecture Implement a sophisticated mixed topology — a 2-port 20 Gbps LACP aggregate to the primary core router, a single 10G port dedicated to a directly-connected NAS storage array, and a fourth 10G port connecting to a secondary distribution switch for resilience — maximising the architectural value of four independent 10G paths simultaneously.

---

Advanced Access Control Lists — Hardware-Rate Security Policy

Line-Rate Traffic Filtering That Never Slows Your Network

The Marvell 98DX3236 ASIC implements hardware-accelerated ACL processing — enabling access control rules to be evaluated at full 128 Gbps switching throughput with zero forwarding performance impact. This is the critical distinction between hardware ASIC-based ACL enforcement and software ACL processing that must trade throughput for security:

Layer 2 ACLs — MAC Address-Based Control

• Filter traffic based on source and destination MAC addresses across any port or VLAN
• Permit or deny traffic from specific hardware addresses at the port level — preventing specific device types from communicating with protected network segments
• Time-based MAC ACL enforcement for scheduled access policy changes

Layer 3 ACLs — IP Address and Protocol-Based Control

• Filter traffic based on source and destination IP address ranges — blocking specific subnet-to-subnet communication at hardware speed
• Protocol-based filtering permitting or denying specific IP protocols and port numbers across the switching fabric
• Combined Layer 2 and Layer 3 ACL rules for precise multi-criteria traffic classification

VLAN-Level ACL Application Apply ACL policies to specific VLANs — enforcing security rules against all traffic within a VLAN segment regardless of which physical port the traffic originates from, providing consistent intra-VLAN security policy without per-port rule replication.

Practical ACL Deployment Examples

• Block IoT VLAN devices from initiating connections to corporate data VLAN resources while allowing data VLAN users to access IoT monitoring interfaces
• Restrict surveillance camera VLAN traffic exclusively to the NVR storage server IP address — preventing any camera from communicating with any other network resource
• Deny guest Wi-Fi VLAN traffic from accessing any RFC1918 private IP address range while permitting unrestricted internet access
• Block specific MAC addresses from accessing the management VLAN while permitting all other traffic

---

IGMP Snooping — Intelligent Multicast Traffic Management

Bandwidth Preservation for Multicast-Intensive Applications

In environments deploying IP-based surveillance, IPTV distribution, or multicast-dependent applications across the 24-port access population, unconstrained multicast flooding wastes bandwidth on every port — regardless of whether devices on those ports are interested in receiving the multicast stream.

The CRS328-24P-4S+RM’s hardware-accelerated IGMP snooping eliminates this waste by monitoring IGMP group membership signalling and building a hardware forwarding table that directs multicast streams exclusively to ports where active receivers have registered group membership:

• IGMP v1, v2, and v3 snooping — comprehensive IGMP version support for all multicast application types
• Hardware multicast forwarding table — maintained entirely in ASIC silicon for line-rate multicast forwarding decisions without software lookup overhead
• Querier election participation — active IGMP querier role for environments without a dedicated multicast router
• Fast leave processing — rapid multicast stream termination on ports where the last receiver leaves the group
• Static multicast group configuration — manual multicast forwarding entries for applications that do not implement IGMP signalling

For IP surveillance deployments where multiple camera streams flow simultaneously to NVR storage, IGMP snooping ensures camera multicast streams are directed only to NVR ports — not flooded to workstation, phone, and access point ports that have no use for surveillance video data. The bandwidth savings across 24 ports in a high-camera-count environment are substantial and directly improve the effective performance of every non-surveillance device on the switch.

---

Port Mirroring — Network Visibility and Traffic Analysis

Complete Traffic Capture Capability for Professional Network Management

The CRS328-24P-4S+RM supports port mirroring (SPAN) — directing a copy of all traffic from a monitored source port or VLAN to a designated analysis port where a network monitoring device, IDS/IPS sensor, or packet capture tool receives a complete replica of the traffic stream:

• Single-port mirroring — monitor all inbound, outbound, or bidirectional traffic from any individual Gigabit or SFP+ port
• Multi-port mirroring — aggregate mirrored traffic from multiple source ports to a single analysis port for consolidated visibility across multiple switch segments
• VLAN mirroring — capture all traffic within a specific VLAN regardless of which physical ports carry that VLAN’s traffic
• Remote SPAN (RSPAN) — in RouterOS mode, tunnel mirrored traffic across the network to a remote analysis workstation not physically connected to the switch

Port mirroring transforms the CRS328-24P-4S+RM into a complete network visibility platform — enabling Wireshark packet capture, IDS/IPS inline analysis, bandwidth monitoring, security incident investigation, and application protocol analysis from the switch infrastructure itself, without requiring dedicated tap hardware or passive fiber taps.

---

MikroTik RouterOS Level 5 — Professional Routing and Management Capability

The Software Intelligence That Makes CRS More Than a Switch

When deployed under RouterOS rather than SwOS, the CRS328-24P-4S+RM’s capability set expands dramatically — transforming from a managed switch into a routing-capable network platform with the following RouterOS features available under the included Level 5 license:

Routing Protocol Support

• Static routing with policy-based route selection and multiple routing tables
• OSPF (OSPFv2 for IPv4 and OSPFv3 for IPv6) for dynamic inter-VLAN and inter-network routing
• RIP and RIPng for simple dynamic routing environments
• BGP basics available under Level 5 licensing for networks requiring external routing protocol integration

VPN and Tunnelling

• IPsec site-to-site and remote access VPN
• WireGuard modern high-performance VPN in RouterOS v7
• L2TP/IPsec for Windows-native VPN client compatibility
• OpenVPN for cross-platform VPN client support
• GRE and EoIP tunnels for Layer 2 and Layer 3 network extension

Advanced Network Services

• DHCP server and relay — integrated address management without separate server infrastructure
• DNS caching server — local DNS resolution with DoH support in RouterOS v7
• Firewall and NAT — stateful packet inspection, connection tracking, and comprehensive NAT
• Traffic shaping — queue trees and per-subscriber bandwidth management
• SNMP v1/v2c/v3 — comprehensive monitoring integration with NMS platforms
• REST API — modern programmatic management in RouterOS v7
• Scripting — RouterOS scripting language for configuration automation

Important RouterOS Performance Note When running RouterOS on the CRS328-24P-4S+RM, it is important to understand the performance architecture: the Marvell ASIC handles hardware-accelerated forwarding for bridge and switch operations, while the management CPU (QCA8531 @ 800MHz) handles routing decisions, firewall processing, and advanced RouterOS features. For deployments requiring intense routing and firewall processing at high packet rates — such as full internet-facing stateful firewall with many simultaneous connections — pairing the CRS328 with a dedicated MikroTik CCR router for the routing plane delivers optimal combined performance, with the CRS328 handling switching and PoE delivery and the CCR managing routing and security policy.

---

WinBox, WebFig, and SwOS Web Interface — Management Flexibility for Every Administrator

The Management Approach That Matches Your Team’s Expertise

SwOS Web Interface — Effortless Switch Management When running SwOS, the CRS328-24P-4S+RM presents a clean, intuitive browser-based management interface specifically designed for switch configuration without RouterOS knowledge requirements:

• Visual port status dashboard — real-time per-port link status, speed, PoE consumption, and traffic statistics at a glance
• VLAN configuration wizard — guided VLAN creation and port assignment through a visual interface
• Spanning tree status — live STP topology visualisation showing root bridge, port states, and active forwarding paths
• LACP aggregate status — bonded link operational status and traffic distribution visualisation
• PoE management panel — per-port PoE enable/disable, power limit configuration, and real-time consumption monitoring across all 24 ports
• Firmware update management — one-click firmware updates from the SwOS interface

MikroTik WinBox — Professional RouterOS Management When running RouterOS, WinBox provides complete management through MikroTik’s native Windows GUI application:

• MAC address direct connection — initial router access before IP configuration through direct MAC-level connectivity
• Real-time traffic graphs — per-interface bandwidth monitoring with configurable time windows
• Complete RouterOS configuration tree — visual access to every RouterOS configuration element
• Multi-session management — simultaneous management of multiple MikroTik devices from a single WinBox instance
• Neighbour discovery — automatic identification and direct connection to adjacent MikroTik infrastructure

SSH CLI and REST API For automation, scripting, and professional network engineering workflows:

• Complete configuration access through RouterOS SSH command-line
• REST API integration with Ansible, Python netmiko, and custom automation platforms
• Configuration export and bulk deployment through scripted CLI operations

---

Who Is the MikroTik CRS328-24P-4S+RM Built For?

The High-Density PoE Switch for Every Environment That Demands Both Power and Intelligence

Small and Regional ISPs — Subscriber Access Infrastructure Regional ISPs and community broadband operators deploy the CRS328-24P-4S+RM as a subscriber access switch — connecting CPE (Customer Premises Equipment) uplinks or GPON OLT Ethernet handoffs across 24 Gigabit ports, with VLAN-per-subscriber isolation providing complete customer traffic separation on shared physical infrastructure. The 10G SFP+ uplinks connect to CCR2116 or CCR2004 routers for BGP-controlled internet transit and per-subscriber bandwidth management.

Enterprise Access Layer — Department and Floor Coverage Medium to large enterprises deploy CRS328-24P-4S+RM switches as access layer infrastructure for individual floors, departments, or building wings — connecting workstations, VoIP phones, wireless access points, and IP surveillance across 24 PoE+ ports while 10G SFP+ uplinks carry aggregated traffic to distribution switches or directly to core routing infrastructure. The 500W PoE budget eliminates power infrastructure concerns for even the most device-dense floor deployments.

MikroTik Network Ecosystem Integration Organisations building comprehensive MikroTik network infrastructure — including CCR2116 or CCR2004 core routers, CRS3xx distribution switches, and hAP or cAP wireless access points — deploy the CRS328-24P-4S+RM as the PoE access layer switch that completes the ecosystem. DAC cable connections between CRS328 SFP+ ports and CCR router SFP+ ports create a clean, cost-effective, high-performance combined routing and switching architecture managed through a unified WinBox or The Dude interface.

Wireless Service Providers (WISPs) WISPs deploying large numbers of sector antennas, backhaul radios, and base station equipment benefit from the CRS328-24P-4S+RM’s 500W PoE budget powering MikroTik and other PoE-compatible radio equipment, with per-port VLAN isolation providing subscriber traffic separation and RouterOS traffic shaping delivering per-customer bandwidth management.

Education Technology Deployments Schools, colleges, and universities deploying high-density wireless infrastructure — powering multiple Wi-Fi 6 access points per switch across teaching areas, libraries, and student spaces — leverage the 500W PoE budget to support maximum-draw APs on every port simultaneously, while VLAN segmentation separates student, staff, and guest wireless traffic on the same physical infrastructure.

Hospitality and Venue Networks Hotels, conference centres, and entertainment venues deploy the CRS328-24P-4S+RM to power and manage guest-facing wireless infrastructure, IP surveillance throughout the property, POS terminals, digital signage, and staff communication devices — with VLAN isolation ensuring complete separation between guest internet access, payment infrastructure, and property management systems.

Data Centre Top-of-Rack (ToR) Switching Colocation facilities and private data centres deploy CRS328-24P-4S+RM switches as top-of-rack access switches — connecting server 1G management interfaces and IPMI/BMC ports across 24 Gigabit ports, with 10G SFP+ uplinks connecting to the data centre fabric. SwOS simplicity makes ToR switch management straightforward while the Marvell ASIC delivers the non-blocking forwarding performance that server rack environments demand.

Smart Building and Facility Management Building managers, facilities engineers, and smart building integrators deploy the CRS328-24P-4S+RM as the central connectivity and power infrastructure for intelligent building systems — powering and connecting access control, environmental monitoring, HVAC controllers, lighting management, occupancy sensing, IP intercoms, and digital signage from a single 500W-capable switch with complete VLAN segmentation isolating each building system from others.

Managed Service Providers — Client Site Standard MSPs standardising on MikroTik infrastructure for client site deployments benefit from the CRS328-24P-4S+RM’s dual OS flexibility — deploying SwOS for straightforward client environments and RouterOS for clients requiring more sophisticated network policy — while maintaining a single hardware platform across the client portfolio, reducing spare parts complexity and enabling consistent management tooling regardless of operating mode.

---

Frequently Asked Questions About the MikroTik CRS328-24P-4S+RM

Q: Can I switch between SwOS and RouterOS at any time, and do I lose my configuration when I do? Yes — transitioning between SwOS and RouterOS requires a reboot initiated from the current operating system’s management interface. Configuration from the previous OS is not directly portable — SwOS and RouterOS use different configuration formats and data models. When transitioning from SwOS to RouterOS, you will reconfigure the switch from a clean RouterOS default state. When transitioning back to SwOS, the SwOS configuration is preserved from the previous SwOS session. For this reason, most deployments settle on one operating system based on requirements, with OS transitions typically occurring during planned reconfiguration events rather than routine operations.

Q: What is the difference between using the CRS328 in SwOS vs RouterOS for switching performance? In SwOS, all switching operations are performed entirely by the Marvell 98DX3236 ASIC — delivering the full 128 Gbps, 95.23 Mpps performance specification for Layer 2 switching with complete hardware ASIC utilisation. In RouterOS, bridging and VLAN switching operations still leverage the ASIC for hardware-accelerated forwarding, but routing decisions, firewall processing, NAT, and advanced RouterOS features are processed by the management CPU (QCA8531 @ 800MHz). Pure Layer 2 switching performance in RouterOS bridge mode remains ASIC-accelerated, while Layer 3 routing throughput is bounded by the management CPU’s processing capacity.

Q: How does the 500W PoE budget compare to competing 24-port PoE switches? The 500W PoE budget is among the highest available in the 24-port managed switch market segment at this price point — substantially exceeding the 370W PoE budgets common in competing 24-port switches and approaching the PoE capacity of some 48-port switches from other manufacturers. This budget advantage is particularly significant for deployments powering high-draw devices including Wi-Fi 6E APs, PTZ cameras, and high-power PoE lighting controllers.

Q: What SFP+ transceivers and DAC cables are compatible with the CRS328-24P-4S+RM? MikroTik-branded SFP+ transceivers including S+85DLC03D (multi-mode fiber, 300-400m) and S+1310DLC03D (single-mode fiber, up to 10km) are fully supported and recommended for guaranteed compatibility. MikroTik SFP+ DAC cables are available for short-distance copper connections. Many third-party IEEE-compliant 10G SFP+ transceivers and standard DAC cables are also compatible — MikroTik’s CRS series is generally accommodating of third-party optics, though compatibility testing is advisable for critical infrastructure connections.

Q: Can the CRS328-24P-4S+RM operate as a Layer 3 router for inter-VLAN routing? In RouterOS mode, yes — the CRS328-24P-4S+RM can perform inter-VLAN routing using RouterOS’s bridge and IP routing engine. However, inter-VLAN routing decisions are processed by the management CPU rather than the ASIC, meaning inter-VLAN routing throughput is bounded by the 800MHz management CPU’s processing capacity rather than the ASIC’s 128 Gbps capacity. For deployments requiring high-throughput inter-VLAN routing, pairing the CRS328 with a dedicated CCR router for the routing plane — using the CRS328 as a pure access switch and the CCR for routing decisions — delivers optimal combined performance.

Q: Does the CRS328-24P-4S+RM support SNMP monitoring for integration with network management platforms? Yes. In RouterOS mode, full SNMP v1/v2c/v3 monitoring is supported — exposing per-port interface statistics, PoE consumption data, system health information, and all standard MIB data to NMS platforms including PRTG, Zabbix, LibreNMS, SolarWinds, and Nagios. In SwOS mode, basic SNMP monitoring is available through the SwOS management interface. For comprehensive NMS integration with per-port traffic graphing and alerting, RouterOS mode provides the most complete SNMP implementation.

Q: What is the RouterOS license level included and what are its limitations compared to Level 6? The CRS328-24P-4S+RM includes RouterOS Level 5 licensing. Level 5 provides extensive routing and switching capabilities with some limits compared to the unlimited Level 6 license — including a cap on simultaneous PPPoE connections (200 active sessions) and limits on certain tunnel counts. For most enterprise and managed service deployments, Level 5 is entirely sufficient. ISP deployments requiring unlimited PPPoE subscriber sessions should evaluate the Level 6 upgrade path or consider CCR series routers for the PPPoE concentration function with the CRS328 serving as the access switch.

Q: Is the CRS328-24P-4S+RM compatible with non-MikroTik PoE devices and network infrastructure? Absolutely. All 24 downlink ports implement IEEE 802.3at (PoE+) — the universal industry standard — ensuring complete compatibility with PoE devices from any manufacturer including Cisco, Ubiquiti, Hikvision, Axis, Yealink, Poly, and thousands of other IEEE-compliant device vendors. The SFP+ uplink ports accept standard 10G SFP+ transceivers, and standard Layer 2 protocols including 802.1Q, LACP, RSTP, LLDP, and SNMP ensure complete interoperability with network equipment from any vendor.

Q: What is the warranty and support provision for the MikroTik CRS328-24P-4S+RM? MikroTik provides a 3-year limited hardware warranty on the CRS328-24P-4S+RM covering manufacturing defects under normal operating conditions. RouterOS software updates are provided free of charge throughout the product’s supported lifetime. MikroTik maintains comprehensive documentation through the MikroTik Wiki, and community support through the MikroTik Forum provides one of the most active and knowledgeable peer support communities in the professional networking space.

---

The Bottom Line — Why the MikroTik CRS328-24P-4S+RM Is the Most Strategically Compelling 24-Port PoE Switch in Professional Networking

Every specification of the MikroTik CRS328-24P-4S+RM tells the story of a switch that was designed by engineers who refused to accept the compromises that typically define this price category. The compromises of a limited PoE budget that forces careful device selection across 24 ports. The compromise of 1G uplinks that create aggregation bottlenecks at the distribution tier. The compromise of a fixed operating system that cannot adapt to evolving network requirements. The compromise of switching performance that degrades when features are enabled.

The CRS328-24P-4S+RM eliminates every one of these compromises simultaneously.

500 watts of PoE power that makes device selection a connectivity decision rather than a power budget engineering exercise. Four 10-Gigabit SFP+ uplinks that eliminate uplink as a performance consideration regardless of how busy all 24 access ports become. Dual SwOS and RouterOS operating system support that adapts the switch’s operational capability to your network’s requirements rather than constraining your network to the switch’s fixed feature set. And a Marvell 98DX3236 dedicated switching ASIC delivering 128 Gbps of non-blocking, hardware-accelerated forwarding performance that operates identically whether one feature or twenty features are simultaneously enabled.

There is no other 24-port PoE+ switch at this price point that delivers this combination. And for the network professionals, ISPs, enterprise architects, and ambitious organisations who understand what these specifications mean for their infrastructure — the CRS328-24P-4S+RM is not merely a compelling option. It is the obvious choice.

• ✅ 24 x Gigabit PoE+ ports — connect and power your complete device ecosystem simultaneously
• ✅ 500W total PoE budget — the most generous PoE power allocation in its class by a substantial margin
• ✅ 4 x 10G SFP+ uplinks — 40 Gbps of high-speed backbone, core, and server connectivity
• ✅ 128 Gbps non-blocking ASIC switching fabric — Marvell-powered line-rate performance under any feature load
• ✅ 95.23 Mpps forwarding rate — near-maximum theoretical throughput across all 28 ports simultaneously
• ✅ Dual SwOS + RouterOS operating system — simple switch management or full routing intelligence, your choice
• ✅ RouterOS Level 5 license — professional routing, VPN, firewall, and advanced management included
• ✅ Hardware-accelerated ACLs — line-rate security policy without any forwarding performance impact
• ✅ Hardware IGMP snooping — intelligent multicast management for surveillance and video deployments
• ✅ IEEE 802.3ad LACP — bonded 10G uplinks up to 40 Gbps with automatic failover resilience
• ✅ Full STP/RSTP/MSTP — comprehensive loop prevention and rapid convergence for multi-switch topologies
• ✅ 16,000 MAC address table — handles the most complex device-dense professional network environments
• ✅ WinBox, WebFig, SwOS, SSH, REST API — every management interface for every administrator preference
• ✅ 1U rack-mountable chassis — professional rack deployment ready with included mounting hardware
• ✅ MikroTik 3-year hardware warranty — hardware protection backed by the world’s most active networking community

Order the MikroTik CRS328-24P-4S+RM today — and deploy the 24-port PoE+ switch that professional network architects choose when half measures are not an option: 500 watts of power, 10-gigabit uplinks, ASIC-accelerated switching performance, and the dual-OS flexibility to operate as both the world’s most capable access switch and a routing-intelligent network platform — in a single 1U chassis, at a price that redefines what ambitious organisations can afford to build their networks on.