
Last edited on March 17, 2020

Certified Switching Engineer (MTCSWE)

Training syllabus for trainers only

Duration: 3 days
Outcomes: By the end of this training session, the student will be familiar with RouterOS Layer 2 forwarding software and RouterBOARD hardware switch chip features. The student will be able to configure and control Layer 2 forwarding using MikroTik networking solutions.

This course will cover an introduction to MikroTik switch hardware and Layer 2 features:
• How to configure VLANs on RouterOS
• How to utilize built-in switch chips
• Look at how SwOS works
• How bridge VLAN filtering works in CRS3xx series switches
• Layer 2 security features
• Spanning Tree Protocol, link aggregation
This course will not cover how CRS1xx/2xx units and basic switch chips are configured.
Target audience: Network engineers and technicians wanting to deploy and support Layer 2 based networks.
Course prerequisites: MTCNA certificate
Suggested reading: Search for ‘Layer2 networking’, ‘Bridging’, ‘Switching’, ‘VLAN’
Notes to trainers:
LABS: It is recommended that students have access to a RouterBOARD of your choice (e.g. hAP Lite) and a CRS3xx series switch per student for the labs.
All the labs are shown at the end of each module; it is up to you when you do these, and you might want to split them up throughout each module.
All training should be done using RouterOS version 6.43 and SwOS version 2.10 as a minimum.
THIS DOCUMENT IS FOR TRAINERS ONLY - NOT TO BE PUBLISHED!

Module 1: Introduction

Objective: Introduce RouterBOARD hardware
• Take a quick look over the different types of RouterBOARD.
• Remind students that some RouterBOARDs are optimised as routers and some as switches and therefore need to be chosen appropriately for their end purpose.
• Cover how the switch chips in different RouterBOARDs differ and have different feature sets, and how the CLI is sometimes different, so configurations cannot be exported between units easily.
• Show Ethernet test results from the https://mikrotik.com/products page for a router and for a switch. A switch is NOT a router.
• Block diagrams can be shown as well, both for switches and RouterBOARDs. Show a block diagram of a router with 2 switch chips, e.g. RB4011iGS+RM.
Make sure you cover the following points:
• RouterBOARDs with basic switch chips and features - https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features
• RouterBOARDs without switch chips.
• Cloud Router Switch (CRS) series devices with advanced switch chips; CRS3xx support dual boot and can run either RouterOS or SwOS.
• Cloud Smart Switch (CSS) series devices that run only SwOS.
• CRS1xx/2xx series switches and the main differences from 3xx. These run only RouterOS. CRS1xx/2xx will not be covered in depth in this course.

Objective: Layer 2 overview and traffic types
• Network design/best practice
• Cover the Hierarchical Network Model:
  - Access layer
  - Distribution layer
  - Core layer - also cover that you can combine core and distribution
  - Network diameter - this is used in spanning tree
• Cover the 3 different Layer 2 traffic types and the differences between them:
  - Unicast
  - Multicast
  - Broadcast
• Layer 2 forwarding concepts
• Cover MAC learning in bridges and switches.
• Explain what happens if the bridge has not yet learned a destination MAC address or multicast group (unknown unicast and unknown multicast flood).
• Cover that MAC learning from a wireless interface is by default taken from the registration table.

Objective: Basic interface settings and types
• Cover duplex and speed settings:
  - Ports have full duplex or half duplex and speed settings which can either be automatically determined or manually selected.
  - Ports must match; cover that auto-negotiation does not always bring up both ends at the same speed and duplex.
• SFP/SFP+/QSFP+ ports:
  - Show the hardware compatibility table - https://wiki.mikrotik.com/wiki/MikroTik_SFP_module_compatibility_table
  - Cover that 1Gb fiber modules in SFP+ ports need manual speed settings.
  - SFP RJ45 modules in SFP+ ports work with auto-negotiation on.
• Cover that some units have combo ports - only the copper OR the SFP can be used at a time.

Objective: RouterOS bridge overview
• Explain that if HW-offloading is running, the physical hardware switch chip is used for frame forwarding and not the main CPU - https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#Bridge_Hardware_Offloading
• Forwarded traffic uses HW-offloading; bridge input/output still uses the main CPU.
• A good way to explain this is to see the switching logic and software-related packet processing (e.g. routing, firewall, traffic control) as separate functions. If some frames from the switch chip need to reach the device CPU for additional processing, then these two separate functions interact through the switch-cpu port or the bridge interface.
• Cover that most RouterBOARDs only support 1 bridge with HW-offloading.
• Cover that, depending on the switch chip fitted to a RouterBOARD, some of the bridge features will disable HW-offloading.
• Explain how some of the features that are available in the switch menu and on the switch chip don't work when bridge HW-offloading is disabled due to selecting those specific features.

Objective: SwitchOS (SwOS) brief overview
• Briefly cover that there is a second OS from MikroTik called SwOS (SwitchOS) - http://wiki.mikrotik.com/wiki/SwOS
• Explain that this second OS runs only on some MikroTik switch hardware, and that some units are also dual boot between SwOS and RouterOS.
• (We will look more at SwOS later on in the course - therefore do not go into great detail at this stage.)

Objective: Module 1 laboratory
• Create your class lab.
• The minimum RouterOS version level is stated at the header of this document.
• The suggested class setup is shown at the end of this document.
• Students need their own network with a simple RouterBOARD with a DHCP server and internet access.
• Students also need a CRS3xx series switch connected to this.
• Students need to configure their router to join the class WiFi on the trainer router. Students configure a DHCP server and the NAT rules needed to get internet access on their RouterBOARD.
• Students should now make a backup of their initial configuration.
Module 2: MTU / Jumbo Frames

Objective: MTU, L2MTU
• Explain MTU
• What it is
• Difference between MTU (L3MTU) and L2MTU
• Show examples of packets with headers and indicate the parts that are Layer 3 and Layer 2.
• Explain that some RouterBOARDs have different maximum MTUs - https://wiki.mikrotik.com/wiki/Manual:Maximum_Transmission_Unit_on_RouterBoards
• Explain what Jumbo frames are and how to configure Jumbo frames on RouterOS.
• Explain the effect of VLAN and QinQ on MTU.
• Potential MTU issues - fragmentation
• Explain how the ping size in Windows is given before adding the IP (20 byte) and ICMP (8 byte) headers, whereas in RouterOS, Linux and macOS the headers are included!

Objective: Module 2 laboratory
• To see the overhead of the OS, create a lab with variable ping sizes and the 'do not fragment' flag on different OSs. Use the default L2MTU/MTU interface settings.
• Lab to configure jumbo frames.
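Added worked example for trainers (not part of the original syllabus and not MikroTik's documentation): a RouterOS session for the Module 2 lab that checks the hardware L2MTU limits, raises L2MTU/MTU for jumbo frames and proves the header overhead with do-not-fragment pings. The bridge name "bridge1", the port names and the neighbour address 192.168.10.2 are assumed lab values.

```routeros
# Assumed lab: a CRS3xx with bridge "bridge1" and a lab neighbour at 192.168.10.2.
# 1. See what each port can do: max-l2mtu is fixed by the hardware, l2mtu and
#    mtu are the current settings. Never set l2mtu above the smallest max-l2mtu
#    on the path, the command is refused on units such as the hAP Lite.
/interface print detail where name~"ether"
# 2. Header budget for a 1500-byte IP packet: L2MTU 1500 untagged, 1504 with one
#    802.1Q tag, 1508 with a QinQ (802.1ad + 802.1Q) stack. Leave headroom.
# 3. Jumbo frames: raise L2MTU on every port in the path first, then MTU.
/interface ethernet set [find name~"ether"] l2mtu=9000
/interface ethernet set [find name~"ether"] mtu=9000
/interface bridge set bridge1 mtu=9000
# 4. Test with do-not-fragment. In RouterOS "size" is the whole IP packet, so
#    1500 is the largest packet that passes a default 1500-byte MTU; 1501 must
#    fail. (The Windows equivalent of size=1500 is "ping -f -l 1472", because
#    -l is the payload before the 20-byte IP and 8-byte ICMP headers.)
/ping 192.168.10.2 size=1500 do-not-fragment count=3
/ping 192.168.10.2 size=1501 do-not-fragment count=3
# After both ends have the jumbo settings a 9000-byte packet passes as well:
/ping 192.168.10.2 size=9000 do-not-fragment count=3
# 5. Show the VLAN overhead: a VLAN interface reports an L2MTU 4 bytes smaller
#    than its parent interface.
/interface vlan print detail
```

Run step 1 on the hAP Lite as well as on the CRS3xx so students see that the two units have very different max-l2mtu values, which is why the jumbo lab has to be done end to end.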

Module 3: VLAN

Objective: 802.1Q VLAN overview, VLAN tagging concepts, VLAN terms and port types
• Optionally remind students what a VLAN is and why VLANs are used.
• Cover VLAN ranges. There are VLAN IDs 0-4095 and RouterOS supports all of them.
• Remind students that one should be careful when using vlan-id=1 as it can be the default VLAN ID on other devices in the network. If there is no specific requirement, it is suggested to avoid using vlan-id=1.
• You can mention that Cisco VLAN IDs are split into normal and extended range.
• Cover reserved VLANs and what they are reserved for.
• Cover the VLAN terms and port types used in RouterOS:
  - Trunk port
  - Untagged (or access) port
  - Hybrid port
  - Native VLAN equivalent in RouterOS
• Explain that there are different ways to VLAN tag traffic, the most common ones being:
  - Port based VLAN
  - MAC based VLAN
  - Protocol based VLAN
• Explain how the VLAN tag is inserted into the packet and increases its size, and remind students that they need to make sure they have sufficient L2MTU for this to work.

Objective: Managing VLANs in RouterOS
• Cover the 3 ways of doing VLANs in RouterOS and why not to mix and match them:
  - Virtual VLAN interfaces (and bridging them together)
  - VLANs in the switch menu (found on some units with basic switch chips)
  - Bridge VLAN filtering
• Briefly mention that on RouterBOARDs with basic switch chips VLANs can be done in the switch menu. This course will not cover this in any more detail.
• On a CRS3xx there is no VLAN section in the switch menu, so bridge VLAN filtering needs to be used.

Objective: RouterOS VLAN interface
• Explain how '/interface vlan' works on RouterOS.
• Explain how creating 2 VLAN interfaces on different physical interfaces will not join them together.
• RouterOS port based VLAN interfaces:
  - Port based VLAN (VLAN bridging)
  - Inter-VLAN routing ('router on a stick') - using one single Ethernet interface with VLANs
• Explain that port based VLAN bridging, even though it has been a widely used configuration and is still valid, is not the preferred option. Using bridge VLAN filtering can make the configuration less complicated, and it supports other features like IGMP and DHCP snooping, HW-offloading (hardware dependent) and (R/M) Spanning Tree.
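Added worked example for trainers (not from the original syllabus or MikroTik's docs) for the 'router on a stick' objective and the Module 3 "DHCP server per VLAN" lab: two VLAN interfaces on one RouterBOARD trunk port, each with its own subnet, DHCP server and an inter-VLAN firewall rule. Port name ether2, VLAN IDs 10/20 and all addresses are assumed lab values.

```routeros
# Assumed lab: ether2 of the student RouterBOARD is the trunk to the CRS3xx,
# carrying VLANs 10 and 20 tagged. Addresses and pools are constructed.
/interface vlan
add name=vlan10 interface=ether2 vlan-id=10
add name=vlan20 interface=ether2 vlan-id=20
# Each VLAN interface is its own L3 segment: traffic between them is routed
# (and therefore firewallable) by this router, not switched.
/ip address
add address=192.168.10.1/24 interface=vlan10
add address=192.168.20.1/24 interface=vlan20
# One DHCP server per VLAN, bound to the VLAN interface, not to ether2.
/ip pool
add name=pool10 ranges=192.168.10.100-192.168.10.199
add name=pool20 ranges=192.168.20.100-192.168.20.199
/ip dhcp-server
add name=dhcp10 interface=vlan10 address-pool=pool10 disabled=no
add name=dhcp20 interface=vlan20 address-pool=pool20 disabled=no
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.20.1
# Inter-VLAN policy lives in the IP firewall, e.g. VLAN 20 may not reach VLAN 10:
/ip firewall filter
add chain=forward in-interface=vlan20 out-interface=vlan10 action=drop
# The VLAN interfaces show an L2MTU 4 bytes below ether2's; MTU 1500 still fits.
/interface vlan print detail
```

The switch end of ether2 must carry VLANs 10 and 20 tagged on its port towards the router, which is exactly the trunk port configured under bridge VLAN filtering in the next objective.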
Objective: Bridge VLAN filtering
• Explain how to create and manage VLANs using bridge VLAN filtering.
• Cover the creation of the 3 port types:
  - Untagged port
  - Trunk port
  - Hybrid port
• Cover how to create common non-port based VLANs on the CRS3xx switch:
  - MAC based VLAN
  - Protocol based VLAN
• Explain how ingress filtering works, why we need it and how this secures your network.
• Explain how egress filtering works.
• Explain how dynamic untagged entries are created in the VLAN table based on the PVID of the bridge and bridge port interfaces. Explain how this does not happen with ingress filtering.
• Explain how to use the frame-types setting with ingress filtering.
• Explain how to create a management interface in a VLAN, and how the only link between the switch and the CPU is the bridge interface.
• Explain how ingress filtering works on the bridge interface: this is not a global setting for the bridge but a setting for the interface between the switch and the CPU.
• Look at the VLAN table in WinBox and show the addition of the extra columns.
• Explain why NOT to add VLAN interfaces as untagged ports in a bridge, for both regular traffic and the management interface.
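Added worked example for trainers (not from the original syllabus or MikroTik's docs): a complete bridge VLAN filtering configuration on a CRS3xx with the three port types, ingress filtering, frame-types and a management interface in its own VLAN. Bridge and port names, VLAN IDs and the management address are assumed lab values.

```routeros
# Assumed lab: CRS3xx with HW-offloaded bridge "bridge1".
#   ether1 = trunk uplink, ether2 = access port in VLAN 10,
#   ether3 = hybrid port (untagged 20, tagged 30), VLAN 99 = management.
# Build everything with vlan-filtering=no and enable it last, otherwise the
# management session is cut off half way through.
/interface bridge
add name=bridge1 vlan-filtering=no
/interface bridge port
# Trunk: only tagged frames are accepted; untagged frames are dropped on ingress.
add bridge=bridge1 interface=ether1 ingress-filtering=yes frame-types=admit-only-vlan-tagged
# Access (untagged) port: untagged frames get PVID 10, tagged frames are dropped.
add bridge=bridge1 interface=ether2 pvid=10 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
# Hybrid port: untagged frames go to VLAN 20 (PVID), frames tagged 30 are accepted too.
add bridge=bridge1 interface=ether3 pvid=20 ingress-filtering=yes frame-types=admit-all
/interface bridge vlan
# The VLAN table is what ingress filtering checks against: a tagged frame that
# arrives on a port not listed for that VLAN ID is dropped in the switch chip.
add bridge=bridge1 vlan-ids=10 tagged=ether1 untagged=ether2
add bridge=bridge1 vlan-ids=20 tagged=ether1 untagged=ether3
add bridge=bridge1 vlan-ids=30 tagged=ether1,ether3
# Management VLAN: the bridge interface itself is the only path from switch
# chip to CPU, so it must be a tagged member of VLAN 99.
add bridge=bridge1 vlan-ids=99 tagged=bridge1,ether1
# The management VLAN interface sits on the bridge, never on a physical port,
# and is never added as an untagged bridge port.
/interface vlan
add name=mgmt-vlan99 interface=bridge1 vlan-id=99
/ip address
add address=192.168.99.2/24 interface=mgmt-vlan99
# Ingress filtering on the bridge interface only governs the switch->CPU path;
# refusing untagged frames there stops management over the default PVID 1.
/interface bridge
set bridge1 vlan-filtering=yes ingress-filtering=yes frame-types=admit-only-vlan-tagged
# Checks: D-flagged rows are dynamic entries created from PVIDs, the H flag on
# each port confirms the filtering still runs in hardware.
/interface bridge vlan print
/interface bridge port print
```

Take the class through the print outputs before and after setting vlan-filtering=yes so students can see which VLAN table rows appear dynamically and which ports keep the H flag.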
Objective: QinQ (802.1ad)
• QinQ concept, packet header stack, where QinQ should be used
• Explain that with QinQ there are 2 VLAN tags inserted into the packet and that this increases its size; you need to make sure you have sufficient L2MTU for this to work.
• Explain the EtherTypes - SVID (0x88A8) and CVID (0x8100)
• Explain how QinQ works on VLAN interfaces, the use of the service-tag setting and how VLAN stacking works.
• Explain how bridge VLAN filtering is only aware of one VLAN type, so it filters VLANs on either CVID or SVID, and how bridges can be used to tunnel CVID unfiltered.
• Explain that if using bridge VLAN filtering with SVID, the creation of the management port will need to use the 'service-tag' parameter.
• Explain how tag stacking is achieved with bridge VLAN filtering.
• The bridge is not aware of the packet contents: even though there might be another VLAN tag, only the first VLAN tag is checked.
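Added worked example for trainers (not from the original syllabus or MikroTik's docs): a CRS3xx bridge filtering on the service tag (0x88A8) so that customer 0x8100 tags are tunnelled untouched, the management interface created with the service-tag parameter, and the VLAN-interface form of tag stacking on a router. Port names, VLAN IDs and addresses are assumed lab values.

```routeros
# Assumed lab: CRS3xx as a provider switch. ether1 = uplink carrying service
# tags, ether2 = customer port, SVID 100 for the customer, SVID 999 management.
# With ether-type=0x88a8 the bridge reads only the S-tag; any 0x8100 C-tag
# underneath is just payload to it and is forwarded unfiltered.
/interface bridge
add name=bridge1 ether-type=0x88a8 vlan-filtering=no
/interface bridge port
add bridge=bridge1 interface=ether1 ingress-filtering=yes frame-types=admit-only-vlan-tagged
# Customer frames arrive untagged or with their own 0x8100 tag; to this bridge
# both look untagged, so both get pushed into SVID 100 via the PVID.
add bridge=bridge1 interface=ether2 pvid=100 ingress-filtering=yes frame-types=admit-all
/interface bridge vlan
add bridge=bridge1 vlan-ids=100 tagged=ether1 untagged=ether2
add bridge=bridge1 vlan-ids=999 tagged=bridge1,ether1
# Management must use the same EtherType as the bridge, hence use-service-tag=yes.
/interface vlan
add name=mgmt-svlan999 interface=bridge1 vlan-id=999 use-service-tag=yes
/ip address
add address=192.168.99.2/24 interface=mgmt-svlan999
/interface bridge
set bridge1 vlan-filtering=yes
# Each tag costs 4 bytes: a 1500-byte payload with two tags needs L2MTU >= 1508.
/interface print detail where name~"ether"
# Tag stacking on a router with VLAN interfaces (assumed port ether5):
# S-tag 0x88a8 on the outside, C-tag 0x8100 inside.
/interface vlan
add name=svlan100 interface=ether5 vlan-id=100 use-service-tag=yes
add name=cvlan10 interface=svlan100 vlan-id=10
/interface vlan print detail
```

A useful demonstration is a customer PC on ether2 sending frames tagged 10 and 20: both leave ether1 with an outer 0x88A8 tag 100, and the bridge VLAN table never needs to know about 10 or 20.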
Objective: Module 3 laboratory(s)
• Do a set of labs to show the following things with bridge VLAN filtering. These labs can be split up throughout this module in whatever way works for you and your students:
  - Untagged ports
  - Trunk ports
  - MAC based VLAN
  - Protocol based VLAN
  - Create a management interface on the CRS3xx switch
• Lab using RouterOS VLAN interfaces for “router on a stick” and do some inter-VLAN routing.
• Lab with a DHCP server per VLAN.

Module 4: Spanning Tree Protocol

Objective: Spanning tree protocol (STP) concepts; STP, RSTP and MSTP comparison
• Explain how network loops can emerge both intentionally and unintentionally.
• Explain how Ethernet frames don’t have a TTL and so can loop forever.
• Explain how (R)STP can be used to create a loop-free network and still have backup paths for redundancy.
• Explain how a broadcast storm can quickly take over your network.
• Explain how STP works by electing a root bridge based upon the Bridge ID.
• Explain that the automatically chosen root bridge may not be the most desirable one, so set the Bridge ID to elect the correct one.
• Explain the Spanning Tree algorithm, the STP steps of operation and the topology change flow.
• STP bridge priority should only be set in steps of 4096 to comply with the 802.1t standard (merged into 802.1D, now 802.1Q).
• STP port path cost
• BPDU and BPDU timers
• BPDU header and the MAC destination address used
• Explain the STP port types:
  - Root port
  - Designated ports
  - Non-designated ports
  - Edge ports
• STP topology change
• Cover also which units support spanning tree with HW-offloading.
• Cover how MSTP is different: it creates one or more STP instances to which VLANs are then mapped. Explain how this can be used to make some VLANs take one path and other VLANs take a different path.

Objective: Spanning tree security
• Explain (and demo with a lab) how BPDU packets sent from a “hacker” can cause spanning tree to re-converge or alter the topology, causing network issues.
• Explain the importance of using BPDU guard on ports not facing other switches (not taking part in STP), e.g. edge ports.
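Added worked example for trainers (not from the original syllabus or MikroTik's docs): the RouterOS side of this module on one of the three student switches, covering a deliberately chosen root bridge priority in 4096 steps, port path cost, BPDU guard on edge ports with the recovery step, the monitor commands that show the election, and an MSTP instance mapping. Bridge and port names and VLAN IDs are assumed lab values.

```routeros
# Assumed lab: three student switches, each with bridge "bridge1";
# ether1-ether2 link to the other switches, ether3-ether8 face end devices.
/interface bridge
# RSTP with a priority chosen so that this switch wins the root election.
# Priority is given in hex and must be a multiple of 4096 (0x1000).
set bridge1 protocol-mode=rstp priority=0x1000
/interface bridge port
# Prefer ether1 towards the root by giving it the lower path cost.
set [find interface=ether1] path-cost=10
set [find interface=ether2] path-cost=20
# Ports facing end devices: edge skips listening/learning, and bpdu-guard
# disables the port the moment a BPDU arrives on it, which is the only way an
# unexpected bridge on an edge port can influence the topology.
set [find interface=ether3] edge=yes bpdu-guard=yes
set [find interface=ether4] edge=yes bpdu-guard=yes
# ... repeat for ether5-ether8.
# Verify the election: root-bridge, root-bridge-id, root-port, root-path-cost.
/interface bridge monitor bridge1
/interface bridge port monitor [find]
# A port shut by bpdu-guard stays down until an admin re-enables it; check the
# log first to see which port tripped and why.
/log print
/interface bridge port set [find interface=ether3] disabled=no
# MSTP: VLAN 10 on instance 1 and VLAN 20 on instance 2. Give the two instances
# opposite priorities on two switches and each VLAN takes a different uplink.
# (Requires vlan-filtering=yes on the bridge.)
/interface bridge set bridge1 protocol-mode=mstp region-name=mtcswe region-revision=1
/interface bridge msti
add bridge=bridge1 identifier=1 vlan-mapping=10 priority=0x1000
add bridge=bridge1 identifier=2 vlan-mapping=20 priority=0x2000
```

For the convergence comparison in the lab, run "/interface bridge port monitor [find]" on a student switch while an uplink is unplugged, first with protocol-mode=stp and then with rstp; the time the replacement root port spends outside the forwarding state is the number to compare.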
Objective: Module 4 laboratory
• A Spanning Tree lab with at least 3 students, showing how spanning tree is used for redundancy, not just for stopping loops due to user error.
• The lab could be done first with STP and then (R)STP to show how much quicker convergence is achieved.
• If time really does allow, you can also show how MSTP will send traffic for different VLANs over different links.
• You could also do a lab showing what happens when a “hacker” injects BPDU packets and how to configure BPDU guard.

Module 5: Link Aggregation

Objective: RouterOS bonding
• Cover all bonding modes, their limitations and their benefits:
  - 802.3ad
  - Active-backup
  - Balance-alb
  - Balance-rr
  - Balance-tlb
  - Balance-xor
  - Broadcast
• Cover how not all modes create a single interface of higher speed but instead increase throughput for multi-stream traffic.
• Cover that currently only 802.3ad and balance-xor are supported with HW-offloading.
• 802.3ad is compatible with other vendors using LACP.
• Balance-xor is compatible with other vendors' static LAG.
• Cover how a bonded interface can be added into a bridge and used with VLANs just like any physical interface.

Objective: Module 5 laboratory
• With at least 2 bonded interfaces, show how LACP does not create one 2Gb interface while other types might. This can be done using different speed test tools: ones that send several streams and ones that use a single stream.
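Added worked example for trainers (not from the original syllabus or MikroTik's docs): an 802.3ad bond on a CRS3xx, added to the bridge as a VLAN trunk, with the monitor commands and a multi-stream bandwidth test for the Module 5 lab. Port names, VLAN IDs and the test address are assumed lab values.

```routeros
# Assumed lab: ether3 and ether4 of the CRS3xx connect to an LACP-capable peer
# (another student's bond). The bond is then bridged like any physical port.
/interface bonding
add name=bond1 slaves=ether3,ether4 mode=802.3ad transmit-hash-policy=layer-2-and-3 lacp-rate=1sec
# Static LAG alternative for peers without LACP (also HW-offloadable on CRS3xx):
# add name=bond1 slaves=ether3,ether4 mode=balance-xor transmit-hash-policy=layer-2-and-3
/interface bridge port
add bridge=bridge1 interface=bond1 ingress-filtering=yes frame-types=admit-only-vlan-tagged
/interface bridge vlan
add bridge=bridge1 vlan-ids=10,20 tagged=bond1
# Check LACP negotiated (partner system id present) and that the bridge port
# kept HW-offloading (H flag).
/interface bonding monitor bond1
/interface bridge port print
# Throughput demo: one flow hashes onto one slave and tops out at 1Gb, several
# parallel flows spread across both links. Run once with connection-count=1
# and once with connection-count=4 against the peer's bandwidth-test server.
/tool bandwidth-test address=192.168.10.2 protocol=tcp direction=both connection-count=1 duration=30s
/tool bandwidth-test address=192.168.10.2 protocol=tcp direction=both connection-count=4 duration=30s
```

If the peer is a student router rather than a switch, enable its bandwidth-test server first; the single-stream result is the point of the lab, so show it before the four-stream run.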

Module 6: Port Isolation

Objective: RouterOS bridge horizon
• Explain the use of split horizon and how traffic will not flow out of a port with the same horizon value as the port it came in on.
• Explain that using split horizon works in software and will disable HW-offloading.

Objective: Switch port isolation
• Explain how switch port isolation works and how to create a private VLAN.
• Explain the drawbacks of this: there is no client-to-client access unless it is explicitly allowed to the egress ports (forwarding override). This is because Layer 2 traffic is forwarded directly client to client and the private VLAN blocks this.
• Another potential drawback can appear when using port isolation together with STP. STP is not aware of the underlying port isolation configuration, so there are no separate spanning trees for each isolated network, but a single one for all isolated networks. This can cause some unwanted behaviour (e.g. devices on isolated ports might select a root bridge from a different isolated network).
• Note that local proxy ARP changes things with port isolation - this is covered in the ARP section of the Security module.
• Explain how switch port isolation will not work if HW-offloading has been disabled, and RouterOS will not tell you. By default, bridge settings have RSTP enabled. This means port isolation will not work on any RouterBOARD which does not support HW-offloading for RSTP unless spanning tree is turned off.
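Added worked example for trainers (not from the original syllabus or MikroTik's docs): the software variant (bridge split horizon) next to the hardware variant (CRS3xx port isolation with forwarding override), including the check that shows the HW-offload cost of split horizon. Port names are assumed lab values.

```routeros
# Assumed lab: CRS3xx bridge "bridge1"; ether1 = uplink to the router,
# ether2-ether4 = client ports that must not see each other.
# Software variant: split horizon. A frame entering a port with horizon=1 is
# never sent out of another port with horizon=1, so clients only reach ether1.
/interface bridge port
set [find interface=ether2] horizon=1
set [find interface=ether3] horizon=1
set [find interface=ether4] horizon=1
# Cost: this runs in the CPU. The H flag disappears from these ports.
/interface bridge port print
# Undo before trying the hardware variant:
set [find interface=ether2] horizon=none
set [find interface=ether3] horizon=none
set [find interface=ether4] horizon=none
# Hardware variant on CRS3xx: port isolation. Each client port may forward only
# to the uplink (forwarding-override); client-to-client frames are dropped in
# the switch chip, which is the private-VLAN behaviour described above.
/interface ethernet switch port-isolation
set ether2 forwarding-override=ether1
set ether3 forwarding-override=ether1
set ether4 forwarding-override=ether1
# Port isolation is only applied while the ports are HW-offloaded, and RouterOS
# gives no warning when they are not. On hardware that does not offload RSTP,
# turn spanning tree off on this bridge or the isolation silently does nothing.
/interface bridge set bridge1 protocol-mode=none
/interface bridge port print
```

Have students ping between two client ports after each variant: with split horizon the ping fails but the H flag is gone, with port isolation the ping fails and the H flag stays, and with RSTP still enabled on a non-offloading unit the ping unexpectedly succeeds.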
Objective: Module 6 laboratory
• Lab to show bridge split horizon in action.
• Lab to show CRS port isolation.

Module 7: QoS

Objective: Layer 2 QoS (802.1p)
• RouterOS bridge filter priority
• CRS priority configuration

Objective: Traffic shaping
• Bandwidth limiting in the bridge with queues:
  - Need to use the bridge setting 'use IP firewall' (or 'use IP firewall for VLAN') so that you can use RouterOS queues with bridged traffic.
  - Another option is to set a bridge filter to mark packets and then use parent=interface in the queue tree.
  - Both options require CPU packet processing, so HW-offloading should be disabled. This will create a higher CPU load on the unit as all L2 traffic will now go through the CPU.
• Bandwidth limiting in the CRS switch chip:
  - Explain how we can limit ingress/egress traffic using the switch chip in the CRS3xx.
  - For ingress traffic a QoS policer is used, for egress traffic a QoS shaper is used.
  - Any matching option “can” be used when using ACL rules. Common ones are:
    - MAC based QoS
    - Port based QoS
    - VLAN based QoS
    - Protocol based QoS
    - DSCP QoS
  - Explain that there is a limit on ACL entries in the switch rule table depending on the switch chip - https://wiki.mikrotik.com/wiki/Manual:CRS3xx_series_switches#Models
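Added worked example for trainers (not from the original syllabus or MikroTik's docs): the two bandwidth-limiting paths side by side, the software path through the IP firewall with a simple queue and the switch-chip path with per-port rate limits. Port name, client address and limits are assumed lab values; ingress-rate and egress-rate are taken here to be the CRS3xx switch-port names for the policer and shaper.

```routeros
# Assumed lab: CRS3xx bridge "bridge1", client port ether2,
# client address 192.168.10.50 (constructed).
# Option A (software): pass bridged traffic through the IP firewall so RouterOS
# queues can see it. HW-offloading is lost and every L2 frame crosses the CPU.
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/queue simple
add name=client50 target=192.168.10.50/32 max-limit=10M/10M
# Watch the CPU while a speed test runs; this is the load the syllabus warns about.
/system resource monitor once
# Option B (hardware, CRS3xx): limits applied per port in the switch chip.
# Ingress is policed, egress is shaped, the CPU is not involved (property names
# assumed for the CRS3xx switch-port menu).
/interface ethernet switch port
set ether2 ingress-rate=10M egress-rate=10M
# Undo option A so the bridge goes back to HW-offloading:
/interface bridge settings
set use-ip-firewall=no use-ip-firewall-for-vlan=no
/queue simple remove client50
/interface bridge port print
# The ACL table that carries per-traffic QoS rules is small and chip dependent;
# show how many entries are in use before the class adds more.
/interface ethernet switch rule print
```

Run the same speed test under both options; the throughput is the same but the CPU graph is not, which is the point of the lab.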
Objective: Module 7 laboratory
• Do a lab with some traffic shaping on the CRS3xx.

Module 8: Layer 2 Security

Objective: IGMP snooping
• Explain how this controls multicast streams and prevents multicast flooding. There is both a software implementation and a HW-offloaded version depending on hardware, so it will work in all bridge configurations.

Objective: DHCP snooping
• Cover the security risks of having unauthorized DHCP servers on your network.
• Cover how DHCP is a broadcast request.
• Cover how you can block DHCP requests from unauthorized ports as it is UDP 67/68 traffic.
• Show how this can be done in the bridge configuration and requires uplink ports and the port facing the server to be trusted, as the RouterOS implementation of DHCP snooping blocks ALL DHCP packets, not just replies like some other vendors.
• Cover which units and which configurations support this with HW-offloading.
• Explain the use of DHCP option 82 with DHCP snooping.
• Cover that DHCP snooping works both with HW-offloading and in software.

Objective: Loop protect
• Explain how loop protect can prevent Layer 2 loops. The feature works by checking the source MAC address of a received loop protect packet against the MAC addresses of loop protect enabled interfaces. If a match is found, loop protect disables the interface which received the loop protect packet.
• Explain that it is recommended to use (R/M)STP instead, as it is compatible with other switches and provides many more options to fine-tune the network.

Objective: Traffic storm control
• Explain that it is possible to limit broadcast, unknown multicast and unknown unicast. These limits are set as a % of the link speed.
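Added worked example for trainers (not from the original syllabus or MikroTik's docs) covering the four objectives above on one CRS3xx: IGMP snooping, DHCP snooping with a single trusted uplink and option 82, loop protect on client ports and storm control as a percentage of link speed, with the commands that show each one working. Port names and timers are assumed lab values.

```routeros
# Assumed lab: CRS3xx bridge "bridge1"; ether1 = uplink to the router that runs
# the only legitimate DHCP server; ether2-ether8 = client ports.
/interface bridge
set bridge1 igmp-snooping=yes dhcp-snooping=yes add-dhcp-option82=yes
/interface bridge port
# Only the uplink is trusted; DHCP server traffic is accepted from it alone.
# Every other port keeps the default trusted=no, so a rogue DHCP server plugged
# into ether5 is blocked (the DHCP snooping lab in this module).
set [find interface=ether1] trusted=yes
# Loop protect on the client ports: a port that receives its own loop-protect
# probe is disabled for loop-protect-disable-time.
/interface ethernet
set [find name~"ether[2-8]"] loop-protect=on loop-protect-send-interval=5s loop-protect-disable-time=5m
# Storm control per port as a % of link speed, for the three flood types.
/interface ethernet switch port
set [find name~"ether[2-8]"] storm-rate=10 limit-broadcasts=yes limit-unknown-multicasts=yes limit-unknown-unicasts=yes
# Checks
/interface bridge print detail where name=bridge1
/interface bridge port print detail where trusted=yes
# Multicast groups learnt by IGMP snooping (needs a client joining a stream):
/interface bridge mdb print
# DHCP snooping drops and loop-protect disables are reported in the log:
/log print
```

For the lab, plug a student RouterBOARD with a DHCP server into ether5 and show that clients keep getting leases from the uplink server only; then move the rogue server to ether1 to show why trusting the wrong port defeats the feature.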
Objective: Layer 2 firewall
• RouterOS bridge filter features
• Switch access control list rules
• Option to also force traffic through the IP firewall
• Layer 2 firewalls can also be used to restrict routing between networks, blocking traffic close to its source.
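Added worked example for trainers (not from the original syllabus or MikroTik's docs): the three Layer 2 firewall options on a CRS3xx, a software bridge filter, a hardware switch ACL that blocks the same traffic near its source, and the use-ip-firewall option with a bridge-port matcher. Port names, the client MAC address and the protected subnet are constructed lab values.

```routeros
# Assumed lab: CRS3xx bridge "bridge1"; ether1 = uplink, ether5 = client port;
# client MAC AA:BB:CC:00:00:05 and protected network 10.20.0.0/16 are constructed.
# 1. Bridge filter (software): processed by the CPU, so it only sees frames that
#    reach the CPU. On an offloaded port use the ACL below instead.
/interface bridge filter
# Port security in software: only one known source MAC may use ether5.
add chain=forward in-interface=ether5 src-mac-address=!AA:BB:CC:00:00:05/FF:FF:FF:FF:FF:FF action=drop
# Block ether5 from reaching the 10.20.0.0/16 network at the edge switch rather
# than at the router, i.e. close to the source.
add chain=forward in-interface=ether5 mac-protocol=ip dst-address=10.20.0.0/16 action=drop
/interface bridge filter print stats
# 2. Switch ACL (hardware, CRS3xx): matched in the chip while the port stays
#    offloaded; an empty new-dst-ports list means drop.
/interface ethernet switch rule
add switch=switch1 ports=ether5 mac-protocol=ip dst-address=10.20.0.0/16 new-dst-ports=""
/interface ethernet switch rule print
# 3. Force bridged traffic through the IP firewall and match on the bridge port.
#    Costs HW-offloading, but gives the full IP firewall feature set.
/interface bridge settings set use-ip-firewall=yes
/ip firewall filter
add chain=forward in-bridge-port=ether5 dst-address=10.20.0.0/16 action=drop
/ip firewall filter print stats
```

Show the counters of all three after a ping from the ether5 client to 10.20.0.1: only the rule on the path actually taken increments, which makes the HW-offload discussion concrete.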
Objective: BPDU guard
• Note to trainers: though this is a Layer 2 security issue, I have covered it in the spanning tree module, where you can use a tool to inject BPDU packets into your students’ networks. If you want to you can move it here instead; it's up to you.

Objective: ARP enable / disable / proxy ARP / reply only
• Remind students how the network will not function at Layer 2 without ARP.
• Show students that the max size of the ARP table can be changed (/ip settings set max-neighbor-entries).
• ARP is covered in MTCNA, but not all ARP interface modes in detail.
• Explain the 5 ARP interface modes:
  - Enable
  - Disable
  - Proxy ARP
  - Reply only
  - Local proxy ARP
• Explain how static ARP entries can be used for “security”.
• Explain how the DHCP server can add ARP entries for you.
• Explain how you can use DHCP static-only to give out static IP addresses based on MAC address, how this will then add an ARP entry when the user requests a DHCP address and so will work, whereas anyone with a manually configured IP will not work.
• ARP requests can be shown really well in Wireshark: show a client device doing a broadcast saying “who has this address” - this shows why big Layer 2 networks are bad and/or why latency in Layer 2 networks is bad.
• Cover how local proxy ARP works and means that L2 traffic can be filtered on the router, and how 2 devices can now communicate with port isolation where they could not before.
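Added worked example for trainers (not from the original syllabus or MikroTik's docs): reply-only ARP with static entries and DHCP-created entries so that only registered hosts work, the static-only DHCP pool, the ARP table size setting, and local proxy ARP as the alternative mode that pulls client-to-client traffic through the router. Interface and server names, addresses and MACs are constructed lab values.

```routeros
# Assumed lab: router with bridge "bridge1" facing clients and a DHCP server
# "lan-dhcp" on it. All MACs and addresses are constructed.
# reply-only: the router answers ARP for its own address but never learns
# dynamically, so only hosts with an ARP entry are reachable.
/interface bridge set bridge1 arp=reply-only
/ip arp
add address=192.168.10.10 mac-address=AA:BB:CC:00:00:10 interface=bridge1 comment="printer, static"
# Let the DHCP server create entries for its leases: a DHCP client works,
# a host with a manually configured address does not.
/ip dhcp-server set lan-dhcp add-arp=yes
/ip dhcp-server lease
add address=192.168.10.20 mac-address=AA:BB:CC:00:00:20 server=lan-dhcp comment="fixed lease for pc20"
# static-only: unknown MACs get no lease at all, only the registered ones above.
/ip dhcp-server set lan-dhcp address-pool=static-only
# The ARP table limit is adjustable (value constructed for the example).
/ip settings set max-neighbor-entries=16384
/ip arp print
# Alternative mode, instead of reply-only: local-proxy-arp. The router answers
# ARP on behalf of hosts in the same subnet, so client-to-client traffic passes
# through the router where it can be firewalled, and two isolated ports
# (Module 6) can talk to each other again via the router.
/interface bridge set bridge1 arp=local-proxy-arp
/ip firewall filter
add chain=forward in-interface=bridge1 out-interface=bridge1 src-address=192.168.10.20 dst-address=192.168.10.10 action=drop
/ip arp print
```

With local proxy ARP active, capture on the client with Wireshark: the ARP reply for the other client carries the router's MAC, which is the visible proof that the frames now transit the router.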
Objective: Bridge hosts
• Explain to students the bridge hosts table.
• Explain the bridge port learn mode settings.
• Explain how the bridge hosts table learns MAC addresses.
• Explain how static bridge host entries can be made and take precedence over dynamic entries.
• Explain the bridge hosts table flags.

Objective: Switch hosts table
• Explain how this table shows entries only for switch ports (HW-offloaded bridge ports).
• Explain the extra properties (e.g. copy-to-cpu, drop, mirror, redirect-to-cpu).

Objective: Port security
• MAC address limits
• Unicast FDB entries - https://wiki.mikrotik.com/wiki/Manual:CRS3xx_series_switches#Models
Objective: 802.1X port based authentication (dot1x)
• Since 6.45 RouterOS has IEEE 802.1X support.
• dot1x provides port-based network access control using EAP - https://wiki.mikrotik.com/wiki/Manual:Interface/Dot1x
• Explain the 3 components of dot1x:
  - supplicant (client)
  - authenticator (server)
  - authentication server (RADIUS)
• Explain how RouterOS can be:
  - a supplicant
  - an authenticator
• Explain how with dot1x RouterOS can do port based VLAN assignment on authenticated interfaces. Only devices with hardware-offloaded VLAN filtering will be able to do this in the switch chip; other devices will do this in software.
• Explain that dot1x can do MAC-type authentication.
• Explain that dot1x can create dynamic firewall rules.
• Explain how the reject-vlan-id RADIUS attribute works.
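Added worked example for trainers (not from the original syllabus or MikroTik's docs): a CRS3xx as dot1x authenticator with MAC authentication fallback and a reject VLAN, the bridge VLAN entries needed for offloaded VLAN assignment, and RouterOS as a supplicant on its own uplink. RADIUS address, secret, identity, VLAN IDs and port names are constructed lab values; RouterOS 6.45 or later is required.

```routeros
# Assumed lab: CRS3xx bridge "bridge1", ether1 = uplink, ether5 = authenticated
# client port, RADIUS server 192.168.99.10 (constructed), VLAN 10 for
# authenticated users, VLAN 66 for rejected ones.
/radius
add service=dot1x address=192.168.99.10 secret="CHANGE-ME"
/interface dot1x server
# auth-types=dot1x,mac-auth lets printers/phones without a supplicant be
# authenticated by MAC address via RADIUS instead of EAP.
add interface=ether5 auth-types=dot1x,mac-auth accounting=yes reject-vlan-id=66
# Both VLANs must exist in the VLAN table so the assignment can be offloaded.
/interface bridge vlan
add bridge=bridge1 vlan-ids=10 tagged=ether1
add bridge=bridge1 vlan-ids=66 tagged=ether1
# While a session is up, ether5 appears as a dynamic untagged member of the
# VLAN returned by RADIUS, or of reject-vlan-id after a failed attempt.
/interface dot1x server active print
/interface bridge vlan print
/log print
# RouterOS as supplicant, e.g. a student router whose uplink ether1 faces a
# dot1x-protected switch port (EAP-PEAP with constructed credentials).
/interface dot1x client
add interface=ether1 eap-methods=eap-peap identity="switch01" password="CHANGE-ME"
/interface dot1x client print detail
```

For the optional lab, the trainer's RADIUS server only needs a user entry that returns the VLAN attributes for VLAN 10; a wrong password on the laptop then lands it in VLAN 66, which students can confirm in the VLAN table print.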
Objective: Securing switch access
• Cover how to secure your switch:
  - Disable insecure protocols
  - Only have an IP address on the management range
  - Set a password
  - Limit access to services
  - Firewall filter rules
  - Disable routing (/ip settings set ip-forward=no)
  - Disable or limit neighbour discovery
  - MAC server
  - Disable unused interfaces
  - Disable console access
  - Disable the LCD screen settings or make them read-only
  - And more - https://wiki.mikrotik.com/wiki/Manual:Securing_Your_Router
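Added worked example for trainers (not from the original syllabus or MikroTik's docs): the hardening list above as one RouterOS session on a CRS3xx whose management interface is a VLAN interface on the bridge. The interface name "mgmt-vlan99", the management subnet, the port range and the password are constructed lab values.

```routeros
# Assumed lab: management VLAN interface "mgmt-vlan99" in 192.168.99.0/24,
# switch ports ether20-ether24 unused (constructed values).
/interface list add name=MGMT
/interface list member add list=MGMT interface=mgmt-vlan99
# Disable insecure or unneeded services; bind the remaining ones to the
# management range.
/ip service
disable telnet,ftp,www,api,api-ssl
set ssh address=192.168.99.0/24
set winbox address=192.168.99.0/24
# Set a password (replace the placeholder).
/user set admin password="CHANGE-ME"
# Only the management subnet may reach the switch itself.
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input src-address=192.168.99.0/24 in-interface-list=MGMT action=accept
add chain=input action=drop comment="everything else to the switch CPU"
# A switch has no business routing between its VLANs.
/ip settings set ip-forward=no
# Neighbour discovery and MAC-server only on the management interface.
/ip neighbor discovery-settings set discover-interface-list=MGMT
/tool mac-server set allowed-interface-list=MGMT
/tool mac-server mac-winbox set allowed-interface-list=MGMT
/tool mac-server ping set enabled=no
# Unused ports off (a free port is an unmonitored way in).
/interface ethernet set [find name~"ether2[0-4]"] disabled=yes comment="unused"
# Console off on units that have a serial port.
/system console set 0 disabled=yes
# Verify
/ip service print
/interface list member print
/ip firewall filter print
```

Have students attempt WinBox by MAC address from a non-management port after this; the MAC-server restriction is the change most of them will not have seen before.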
Objective: Module 8 laboratory(s)
• Carry out a number of labs on these topics. Again, these can be done all in one go or as you go along. This is up to you:
  - Lab on the Layer 2 firewall
  - Lab on DHCP snooping - show a fake DHCP server being blocked
  - Lab on port security - show the port blocking additional MAC addresses
  - Extra lab on static ARP tables?
  - Extra lab on local proxy ARP?
  - Trainers could have a RADIUS server for students to use, set up their switch as a dot1x authenticator, use their laptops as a supplicant, authenticate and even do a VLAN assignment

Module 9: PoE

Objective: Overview of PoE with MikroTik hardware
• Supported PoE types:
  - Passive PoE
  - IEEE 802.3af/at (PoE and PoE+)
  - Note that there is a new type, PoE++ 802.3bt, not yet available on any MikroTik hardware
• 802.3af/at PoE classes
• PoE consumption / max draw / power draw
• PoE-out specification of different hardware overview
• PoE input overview of different hardware

Objective: PoE-out modes
• Explain how you can change the PoE-out settings on a unit: either forcing a type of PoE (passive or 802.3af/at), or forcing power on if the port does not automatically sense the connected device that needs PoE power.
• Cover the 3 PoE-out modes:
  - Auto
  - Forced-on
  - Off

Objective: PoE priority settings
• Explain how a unit can only supply so much power and how RouterOS decides what to do when it runs out of available PoE power.
• Explain that when there is not enough power for all of the connected devices, power will be provided or cut off based on the port priority settings.
• Explain that depending on the device the total available power can be divided into blocks of ports; for example the CRS328-24P-4S+RM has 150W per 8-port block.
• Show how these settings are configured on the CRS3xx.

Objective: PoE monitoring and notifications
• Explain what options are available to the engineer to see power usage and how to see when the unit has run out of PoE power.
• PoE monitoring options are as follows:
  - /interface ethernet poe monitor
  - PoE-out LED
  - Warnings in GUI/CLI
  - SNMP
  - Logs
• Also show how PoE power can be disabled/re-enabled to restart a unit.
• Also show how PoE power-cycle ping can be used to restart a device that has “crashed”.
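Added worked example for trainers (not from the original syllabus or MikroTik's docs): PoE-out modes and priorities on the CRS328-24P-4S+RM named in this module, the monitor command, a manual power cycle and the power-cycle ping watchdog. Which device hangs on which port, and the camera address, are constructed lab values.

```routeros
# Assumed lab: CRS328-24P-4S+RM. APs on ether1-ether2, an IP camera on ether3
# at 192.168.10.30, a passive-PoE device on ether4 (all constructed).
/interface ethernet poe
# auto-on detects 802.3af/at devices; passive devices that never signal a PoE
# class need forced-on. Lower poe-priority is served first when the 150 W
# budget of the 8-port block is exhausted, so the APs go before the camera.
set ether1 poe-out=auto-on poe-priority=1
set ether2 poe-out=auto-on poe-priority=2
set ether3 poe-out=auto-on poe-priority=5
set ether4 poe-out=forced-on poe-priority=10
# Ports with nothing attached supply no power at all.
set [find name~"ether([5-9]|1[0-9]|2[0-4])"] poe-out=off
# Per-port status, class, voltage, current and power; this is where a
# "low voltage"/overload condition becomes visible.
/interface ethernet poe monitor [find]
# Manual restart of a hung AP by cutting and restoring its power.
set ether1 poe-out=off
:delay 5s
set ether1 poe-out=auto-on
# Power-cycle ping: if the camera stops answering for the timeout period,
# the port is power cycled automatically.
set ether3 power-cycle-ping-enabled=yes power-cycle-ping-address=192.168.10.30 power-cycle-ping-timeout=5m
/interface ethernet poe print detail
/log print
```

If a live system with enough PoE load is available, "/interface ethernet poe monitor [find]" run while the budget is exceeded is the quickest way to show the priority order being enforced.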
Objective: Module 9 laboratory(s)
• The lab here is optional.
• Though it would be nice to show how PoE priorities can be used, that would need a lot of PoE devices to draw enough power to trigger a switch-off on a port, which may not be possible. A trainer may have access to a live system where this can be shown.
• Another optional lab would be to show the ping power-cycle settings, if the trainer wants a lab here.

Module 10: Tools

Objective: Tools
• There are a number of tools in RouterOS to help diagnose Layer 2 network problems. During the course and the above sections you may have used and shown students most of them. This topic is to bring them all together in one place for the students.

Objective: bridge -> filter
• Show bridge filter stats: /interface bridge filter print stats

Objective: bridge -> VLAN table
• Show which ports (and whether any are dynamic) are in which VLAN.

Objective: bridge -> ports
• Bridge port details and STP port monitoring.

Objective: bridge -> hosts table (https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#Hosts_Table)
• Shows the MAC addresses learnt on a bridge interface. This also shows:
  - bridge name
  - on-interface
  - VID (VLAN ID)
  - age
• Cover the flags:
  - x - disabled
  - I - invalid
  - D - dynamic
  - L - local
  - E - external (e.g. from wireless or switch chip)

Objective: IP -> ARP table
• The ARP table will contain entries only for traffic that flows through the router. If the traffic is forwarded through the bridge, ARP entries will not be created.

Objective: Interface -> Ethernet
• Interface stats and monitoring:
  - /interface print stats
  - /interface ethernet print stats
  - /interface ethernet monitor
  - /interface ethernet monitor [find]
  - /interface ethernet switch print stats

Objective: Port mirroring
• Mirroring lets the switch 'sniff' all traffic that is going through a switch chip and send a copy of those packets out of another port (mirror-target). This feature can be used to easily set up a 'tap' device that allows you to inspect the traffic on your network with a traffic analyser. It is possible to set up simple port based mirroring, but it is also possible to set up more complex mirroring based on various parameters.
• Cover how to create a port mirror on a CRS3xx and provide example uses for a port mirror, e.g. packet capture with Wireshark. There is other capture software, but this is the most common one.

Objective: Sniffer
• Cover that the sniffer with a HW-offloaded bridge will see only input/output traffic like broadcast/multicast (ARP, neighbour discovery). To sniff all traffic, HW-offloading should be switched off on the port, but that can produce high load on the CPU. Alternatively ACL rules with copy-to-cpu=yes can be used.

Objective: Torch
• The same rules apply as for the sniffer.

Objective: Copy to CPU
• Cover how copy to CPU can selectively match packets and send them to the CPU. This can be used in conjunction with sniffer and torch to selectively send traffic to the CPU so these tools can be used to analyse the traffic.
• Copy to CPU will not affect the original packet forwarding, but it can cause extra CPU load to process these packets.
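Added worked example for trainers (not from the original syllabus or MikroTik's docs) for the port mirroring, sniffer, torch and copy-to-CPU objectives and the Module 10 lab: a hardware port mirror to a Wireshark laptop, its removal, and the selective alternative where only DHCP frames from one port are copied to the CPU for the sniffer and torch. Port names and the capture file name are constructed lab values.

```routeros
# Assumed lab: CRS3xx switch "switch1"; suspect client on ether5, a laptop
# running Wireshark on ether8.
# Port mirror: every frame entering ether5 is also sent out of ether8, in
# hardware and without touching the original forwarding.
/interface ethernet switch
set switch1 mirror-source=ether5 mirror-target=ether8
# Clear it when the capture is done; a forgotten mirror is an open tap on the
# network.
set switch1 mirror-source=none mirror-target=none
# Selective alternative: copy only DHCP from ether5 to the CPU. The port keeps
# HW-offloading, and the CPU load is limited to the matched frames.
/interface ethernet switch rule
add switch=switch1 ports=ether5 mac-protocol=ip protocol=udp dst-port=67 copy-to-cpu=yes
# Now the built-in sniffer and torch can see that traffic on the port.
/tool sniffer set filter-interface=ether5 filter-port=67 file-name=dhcp-ether5.pcap
/tool sniffer start
:delay 30s
/tool sniffer stop
/tool sniffer packet print
/tool torch interface=ether5 port=any
# The counters the Tools module refers to:
/interface ethernet print stats
/interface ethernet switch print stats
/interface bridge host print where interface=ether5
# Remove the copy-to-cpu rule afterwards so the chip's ACL table stays free.
/interface ethernet switch rule remove [find ports=ether5 dst-port=67]
```

Open dhcp-ether5.pcap in Wireshark (via Files) next to the live mirror capture: the mirror shows everything from ether5, the sniffer file shows only the copied DHCP frames, which is the difference between the two methods in one picture.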
Objective: Monitoring
• Remind students that RouterOS supports SNMP and that switches can be monitored by SNMP and The Dude.

Objective: RouterOS logs
• Remind students about logging and that extra logging can be turned on, e.g.:
  - DHCP port blocking logged in logs
  - Spanning tree is logged in logs
  - Dot1x RADIUS logs

Objective: Module 10 laboratory(s)
• Lab on doing a port mirror, and use Wireshark (or a similar program) to see this traffic with and without the port mirror.

Module 11: SwOS

Objective: Interface overview - cover http://wiki.mikrotik.com/wiki/SwOS
• Cover the basics of SwOS:
  - Web access only
  - Backup
  - Restore
  - Reset
  - Upgrade
  - Dual boot SwOS / RouterOS
• Cover that it is possible to load, save and reset the SwOS configuration using RouterOS.
• Cover that you can set an IP address for SwOS by using RouterOS.
• Link configuration - name, flow, duplex
• Cover the supported features of SwOS with a walk through of the menus:
  - Port isolation
  - (R)STP
  - LACP/LAG/port trunking
  - IGMP
  - Port mirroring
  - VLAN
  - DHCP snooping
  - PPPoE snooping
  - Broadcast storm
  - QoS
  - ACL

Objective: Module 11 laboratory(s)
• Show that basic SwOS settings can be set from RouterOS, e.g. the IP address to access the switch.
• Reboot the switch into SwOS and update it to the latest version.
• Show that by using the serial console (or CLI) in the RouterBOOT menu you can select which OS to start after reboot (SwOS/RouterOS). Repeat a couple of labs from the RouterOS sections of this course, this time with SwOS, e.g.:
  - VLANs with SwOS
  - Bonding with SwOS
  - Spanning tree with SwOS


Notes to trainers for extra reading.

Here are a few useful docs for extra reading when creating your training material. This list is not exhaustive, but these are some useful docs to expand on these topics further:

• https://wiki.mikrotik.com/wiki/Manual:Spanning_Tree_Protocol
• https://wiki.mikrotik.com/wiki/SwOS
• https://wiki.mikrotik.com/wiki/Manual:CRS_Router
• https://wiki.mikrotik.com/wiki/Manual:CRS3xx_series_switches
• https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge
• https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features
• https://wiki.mikrotik.com/wiki/Manual:Bridge_VLAN_Table
• https://wiki.mikrotik.com/wiki/Manual:CRS1xx/2xx_series_switches
• https://wiki.mikrotik.com/wiki/Manual:Master-port
• https://wiki.mikrotik.com/wiki/Manual:Basic_VLAN_switching

It's important to cover what can go wrong with Layer 2:

• https://wiki.mikrotik.com/wiki/Manual:Layer2_misconfiguration

MUM presentations:
• Optimising your MikroTik Layer2 configuration by Jono Thompson (BirchenallHowden Ltd, United Kingdom) - https://mum.mikrotik.com/2019/EU/agenda/EN
• New Bridge Features in 6.43 by Jono Thompson (BirchenallHowden Ltd, United Kingdom) - https://mum.mikrotik.com/2018/UK/agenda/EN

Notes to trainers on labs.
Suggested lab setup:

Ideally each student would use their own CRS3xx switch. If this is not possible labs would be possible with students sharing a CRS3xx switch
and creating unique VLAN IDs. Careful planning would be required for Spanning Tree labs.

Alternatively, students could do bridge VLANs on a router that does not support HW-offloading.

Students would then need an alternative unit for labs with SwOS.
