Mikrotik has recently made bridging much saner, which makes their portfolio complete for datacenter use and pretty close on bridging users in the access layer.
Their CCR-series is very much bang per buck if L4-filtering is enough, which should be enough in today's world of end-to-end encrypted communications.
The CRS3xx-series, as stated, has become much saner with the changes to bridging and, with most features implemented, is also worth the cost.
The upside of affordable devices and the licensing model they have makes it possible to keep cold spares available in case of disaster.
It does however make sense to study the management interfaces and disable all but SSH and HTTPS in order to minimize attack surface.
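One way to check the recommendation above against a device's configuration, as an added example that is not part of the original post: the script reads the `/ip service` section of a RouterOS export and reports every management service other than SSH and HTTPS (`www-ssl`) that is still enabled. It assumes the RouterOS defaults (all services enabled except `www-ssl`), because an export lists only non-default values. The sample export is constructed, and the `address=` check goes one step beyond the post.

```python
import shlex

# Assumption: RouterOS defaults, where every service is enabled except www-ssl.
DEFAULT_DISABLED = {"telnet": False, "ftp": False, "www": False, "ssh": False,
                    "www-ssl": True, "api": False, "winbox": False, "api-ssl": False}
ALLOWED = {"ssh", "www-ssl"}  # the post's recommendation: SSH and HTTPS only
# Constructed sample, not taken from a real device.
SAMPLE_EXPORT = """\
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh address=192.0.2.0/24
set www-ssl certificate=mgmt-cert disabled=no
set api disabled=yes
"""

def parse_services(export_text):
    """Apply the export's `set` lines on top of the assumed defaults."""
    state = {n: {"disabled": d, "address": ""} for n, d in DEFAULT_DISABLED.items()}
    in_section = False
    for raw in export_text.splitlines():
        line = raw.strip()
        if line.startswith("/"):            # a new menu path starts a new section
            in_section = line == "/ip service"
            continue
        if not in_section or not line.startswith("set "):
            continue
        name, *props = shlex.split(line)[1:]
        if name not in state:
            continue
        for prop in props:
            key, _, value = prop.partition("=")
            if key == "disabled":
                state[name]["disabled"] = value == "yes"
            elif key == "address":
                state[name]["address"] = value
    return state

def audit(export_text):
    """Return one finding per service that violates the SSH/HTTPS-only policy."""
    findings = []
    for name, svc in parse_services(export_text).items():
        if svc["disabled"]:
            continue
        if name not in ALLOWED:
            findings.append(f"{name}: enabled, should be disabled")
        elif not svc["address"]:
            findings.append(f"{name}: enabled with no address= restriction")
    return findings
```

In the sample, `www`, `winbox` and `api-ssl` never appear in the export, so they are still at their enabled defaults and are reported.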
I have a phobia of MikroTik, especially in the hands of general IT people. Amazing bang per buck, but I took over a network with 6 sites, all with Mikrotik routers, and there were some staggering config mistakes. The more I dug, the more I became convinced that the OS was, if not to blame, certainly a major factor.
I used to test changes (when duties allowed) with nmap, and several times I showed experienced engineers that they had left a service open to the WAN by mistake! When a network is in the hands of general engineers, like it often is in the SME space, I like Watchguard firewalls. Very good defaults, helpful OS.
I can imagine that in a datacenter where you have network specialists and robust working procedures, Mikrotik could work well.
I use Unifi for Wifi, and have used their routers for a dedicated guest wifi network. For switches I know nothing other than HP, but don't see a lot of issues, especially with the Aruba kit.
I again have phobias regarding Watchguard and other products that have the consumer-style special WAN-ports and related configuration restraints. Many Mikrotik-devices come preconfigured like consumer devices but the recent CCR-series does not.
The firewall in Mikrotik-devices is among the cleanest I've seen and very hard to misconfigure as long as the firewall is otherwise configured to not let unauthorized traffic through.
And yes, people are people and this is why we educate people when needed.