MTCSWE (Switching Engineer) Syllabus
Duration: 3 days
Outcomes: By the end of this training session, the student will be familiar with RouterOS Layer 2 forwarding software
and RouterBOARD hardware switch chip features. The student will be able to configure and control Layer
2 forwarding using MikroTik networking solutions.
This course will cover an introduction to MikroTik switch hardware and Layer 2 features:
How to configure VLANs on RouterOS
How to utilize built-in switch chips
A look at how SwOS works
How bridge VLAN filtering works in CRS3xx series switches
Layer 2 security features
Spanning Tree Protocol, link aggregation
This course will not cover how CRS1xx/2xx units and basic switch chips are configured.
Target audience: Network engineers and technicians wanting to deploy and support Layer 2 based networks.
Course prerequisites: MTCNA certificate
Suggested reading: Search for ‘Layer2 networking’, ‘Bridging’, ‘Switching’, ‘VLAN’
Notes to trainers: LABS: It is recommended that students have access to a RouterBOARD of your choice (e.g. hAP Lite) and a CRS3xx series switch per student for the labs.
All the labs are shown at the end of each module. It is up to you when you do these, and you might want to split them up throughout each module.
All training should be done using RouterOS version 6.43 and SwOS version 2.10 as a minimum.
THIS DOCUMENT IS FOR TRAINERS ONLY - NOT TO BE PUBLISHED!
Last edited on March 17, 2020
Cover that MAC learning from a wireless interface is by default taken from the registration table.
Basic Interface settings and types
Cover duplex and speed settings.
Ports have full or half duplex and speed settings which can either be automatically determined or manually selected.
Both ends of a link must match; cover that auto-negotiation does not always bring up both ends at the same speed and duplex.
SFP/SFP+/QSFP+ ports
Show the hardware compatibility table - https://wiki.mikrotik.com/wiki/MikroTik_SFP_module_compatibility_table
Cover that 1Gb fiber modules in SFP+ ports need manual speed settings.
SFP RJ45 modules in SFP+ ports work with auto-negotiation on.
Cover that some units have combo ports - only the copper OR the SFP port can be used at a time.
RouterOS bridge overview
Explain that if HW-offloading is running, frame forwarding is done by the physical hardware switch chip and not by the main CPU - https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#Bridge_Hardware_Offloading
Forwarded traffic uses HW-offloading; bridge input/output traffic still goes through the main CPU.
A good way to explain this is to see switching logic and software related packet processing (e.g. routing, firewall, traffic control) as separate functions. If some frames from the switch chip need to reach the device CPU for additional processing, these two separate functions interact through the switch-cpu port or the bridge interface.
Cover that most RouterBOARDs only support 1 bridge with HW-offloading.
Cover that, depending on the switch chip fitted to a RouterBOARD, enabling some bridge features will disable HW-offloading.
Explain that some of the features available in the switch menu and on the switch chip do not work when bridge HW-offloading has been disabled by selecting those specific bridge features.
SwitchOS (SwOS) brief overview
Briefly cover that there is a second OS from MikroTik called SwOS (SwitchOS) - http://wiki.mikrotik.com/wiki/SwOS
Explain that this is a second OS that runs only on some MikroTik switch hardware, and that some units can dual boot between SwOS and RouterOS.
(We will look more at SwOS later on in the course - therefore do not go into great detail at this stage.)
Module 1 laboratory
Create your class lab.
The minimum RouterOS version level is stated in the header of this document.
The suggested class setup is shown at the end of this document.
Students need their own network with a simple RouterBOARD with a DHCP server and internet access.
Students also need a CRS3xx series switch connected to this.
Students need to configure their router to join the class WiFi on the trainer's router. Students then configure the DHCP server and NAT rules needed to get internet access on their RouterBOARD.
Students should now make a backup of their initial configuration.
Module 3 802.1Q VLAN
VLAN Overview
Optionally remind students what a VLAN is and why VLANs are used.
Cover VLAN ranges. There are VLAN IDs 0-4095 and RouterOS supports all of them.
VLAN tagging concepts, VLAN terms & port types
Remind students that one should be careful when using vlan-id=1 as it can be the default VLAN ID on other devices in the network. If there is no specific requirement, it is suggested to avoid using vlan-id=1.
You can mention that Cisco VLAN IDs are split into a normal and an extended range.
Cover reserved VLANs and what they are reserved for.
Cover the VLAN terms & port types used in RouterOS:
Trunk port
Untagged (or access) port
Hybrid port
Native VLAN equivalent in RouterOS
Explain that there are different ways to VLAN tag traffic, the most common ones being:
Port based VLAN
MAC based VLAN
Protocol based VLAN
Explain how the VLAN tag is inserted into the packet and increases its size, and remind students that they need to make sure they have sufficient L2MTU for this to work.
Managing VLANs in RouterOS
Cover the 3 ways of doing VLANs in RouterOS and how not to mix and match them:
Virtual VLAN interface (and bridging together)
VLANs in the switch menu (found on some units with basic switch chips)
Bridge VLAN filtering
Briefly mention that on RouterBOARDs with basic switch chips, VLANs can be done in the switch menu. This course will not cover this in any more detail.
On a CRS3xx there is no VLAN section in the switch menu, so bridge VLAN filtering needs to be used.
RouterOS VLAN Interface
Explain how '/interface vlan' works on RouterOS.
Explain how creating 2 VLAN interfaces on different physical interfaces will not join them together.
RouterOS port based VLAN interfaces:
Port based VLAN (VLAN bridging)
Inter-VLAN routing ('router on a stick') - using one single ethernet interface with VLANs
Explain that port based VLAN bridging, even though it has been a widely used configuration and is still valid, is not the preferred option. Using bridge VLAN filtering can make the configuration less complicated and it supports other features like IGMP and DHCP snooping, HW-offloading (hardware dependent) and (R/M) Spanning Tree.
Bridge VLAN Filtering
Explain how to create and manage VLANs using bridge VLAN filtering.
Cover the creation of the 3 port types:
Untagged port
Trunk port
Hybrid port
Cover how to create the common non-port based VLANs on the CRS3xx switch:
MAC based VLAN
Protocol based VLAN
Explain how ingress filtering works, why we need it and how it secures your network.
Explain how egress filtering works.
Explain how dynamic untagged entries are created in the VLAN table based on the PVID of the bridge and of the bridge port interfaces. Explain how this does not happen with ingress filtering enabled.
Explain how to use the frame-types setting together with ingress filtering.
Explain how to create a management interface in a VLAN, and that the only link between the switch and the CPU is the bridge interface.
Explain how ingress filtering works on the bridge interface: this is not a global setting for the bridge but for the interface between the switch and the CPU.
Look at the VLAN table in WinBox and show the addition of the extra columns.
Explain why NOT to add VLAN interfaces as untagged ports in a bridge, for both regular traffic and the management interface.
QinQ (802.1ad)
QinQ concept, packet header stack, where QinQ should be used.
Explain that with QinQ there are 2 VLAN tags inserted into the packet, which increases its size; you need to make sure you have sufficient L2MTU for this to work.
Explain the EtherTypes - SVID (0x88A8) and CVID (0x8100).
Explain how QinQ works on VLAN interfaces, the use of the service-tag setting and how VLAN stacking works.
Explain how bridge VLAN filtering is only aware of one VLAN type, so it filters VLANs on either the CVID or the SVID, and how bridges can be used to tunnel the CVID unfiltered.
Explain that if using bridge VLAN filtering with the SVID, then creation of the management port will need to use the 'service-tag' parameter.
Explain how tag stacking is achieved with bridge VLAN filtering.
The bridge is not aware of the packet contents; even though there might be another VLAN tag, only the first VLAN tag is checked.
Module 3 laboratory(s)
Do a set of labs to show the following things with bridge VLAN filtering. These labs can be split up throughout this module in whatever way works for you and your students:
Untagged ports
Trunk ports
MAC based VLAN
Protocol based VLAN
Create a management interface on the CRS3xx switch
Lab using RouterOS VLAN interfaces for "router on a stick" and do some inter-VLAN routing
Lab with a DHCP server per VLAN
Module 4 Spanning Tree Protocol
Spanning tree protocol (STP) concepts; STP, RSTP & MSTP comparison
Explain how network loops can emerge, both intentionally and not.
Explain how Ethernet frames don't have a TTL, so a loop can cause frames to circulate forever.
Explain how (R)STP can be used to create a loop-free network and still have backup paths for redundancy.
Explain how a broadcast storm can quickly take over your network.
Explain how STP works by electing a root bridge based upon the Bridge ID.
Explain that the automatically chosen root bridge may not be the most desirable one, so set the Bridge ID to elect the correct one.
Explain the Spanning Tree algorithm, the STP steps of operation and the topology change flow.
STP bridge priority should only be set in steps of 4096 to comply with the 802.1t standard (merged into 802.1D, now 802.1Q).
STP port path cost
BPDU & BPDU timers
BPDU header and the MAC destination address used
Explain the STP port types:
Root port
Designated ports
Non-designated ports
Edge ports
STP topology change
Cover also which units support spanning tree with HW-offloading.
Cover how MSTP is different: it creates one or more STP instances to which VLANs are then mapped. Explain how this can be used to make some VLANs take one path and other VLANs take a different path.
Spanning Tree Security
Explain (and demo with a lab) how BPDU packets sent from a "hacker" can cause spanning tree to re-converge or alter the topology, causing network issues.
Explain the importance of using BPDU guard on ports not facing other switches (not taking part in STP), e.g. edge ports.
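The root bridge election and BPDU guard settings described above as a worked RouterOS configuration, added here as an example and not taken from the syllabus; bridge and interface names are assumed for a CRS3xx lab switch:

```routeros
# Constructed example: bridge1 should become root; ether1 is the uplink toward
# the other lab switches, ether2 and ether3 face student laptops.
/interface bridge
# The priority field of the Bridge ID must be a multiple of 4096 (0x1000);
# 0x1000 beats the default 0x8000 so the election is no longer left to chance.
set bridge1 protocol-mode=rstp priority=0x1000
/interface bridge port
# Uplink: a normal (R)STP port, never an edge port.
set [find interface=ether1] edge=no bpdu-guard=no
# Client ports: edge ports skip the listening/learning states and do not
# trigger topology changes; bpdu-guard shuts the port if any BPDU arrives on it.
set [find interface=ether2] edge=yes bpdu-guard=yes
set [find interface=ether3] edge=yes bpdu-guard=yes
# Checks: is this bridge root, and what role/state does each port have?
/interface bridge monitor bridge1
/interface bridge port monitor [find bridge=bridge1]
# A port shut by BPDU guard is shown as inactive in /interface bridge port print
# and has to be re-enabled by hand once the offending device has been removed.
/interface bridge port enable [find interface=ether2]
```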
Module 4 laboratory
A Spanning Tree lab with at least 3 students, showing how spanning tree is used for redundancy, not just for stopping loops due to user error.
The lab could be done first with STP and then with (R)STP to show how much quicker convergence is achieved.
If time really does allow, you can also show how MSTP will send traffic for different VLANs over different links.
You could also do a lab showing what happens when a "hacker" injects BPDU packets and how to configure BPDU guard.
Module 5 Link Aggregation
RouterOS bonding
Cover all bonding modes, their limitations and benefits:
802.3ad
Active-backup
Balance-alb
Balance-rr
Balance-tlb
Balance-xor
Broadcast
Cover how not all modes create a single interface of higher speed; some only increase throughput for multi-stream traffic.
Cover that currently only 802.3ad and balance-xor are supported with HW-offloading.
802.3ad is compatible with other vendors using LACP.
Balance-xor is compatible with other vendors' static LAG.
Cover how a bonded interface can be added into a bridge and used with VLANs just like any physical interface.
Module 5 laboratory
With at least 2 bonded interfaces, show how LACP does not create a 1x2Gb interface, while other modes might. This can be done using different speed test tools: ones that send several streams and one that uses a single stream.
Module 6 Port Isolation
RouterOS bridge horizon
Explain the use of split-horizon and how traffic will not flow out of a port with the same horizon value as the port it came in on.
Explain that split-horizon works in software and will disable HW-offloading.
Switch port isolation
Explain how switch port isolation works, and how to create a private VLAN.
Explain the drawbacks of this: there is no client to client access unless it is explicitly allowed to the egress ports (forwarding override). This is because Layer 2 traffic is forwarded directly client to client and the private VLAN blocks this.
Another potential drawback can appear when using port isolation together with STP. STP is not aware of the underlying port isolation configuration, so there are no separate spanning trees for each isolated network, but a single one for all isolated networks. This can cause some unwanted behaviour (e.g. devices on isolated ports might select a root bridge from a different isolated network).
Note that with Local Proxy ARP port isolation changes things - this is covered in the ARP section of the Security module.
Explain how switch port isolation will not work if HW-offloading has been disabled, and RouterOS will not tell you. By default, bridge settings have RSTP enabled. This means port isolation will not work on any RouterBOARD which does not support HW-offloading for RSTP unless spanning tree is turned off.
Module 6 laboratory
Lab to show bridge split horizon in action
Lab to show CRS port isolation
Module 8 Layer 2 Security
IGMP Snooping
Explain how this controls multicast streams and prevents multicast flooding. There is both a software implementation and a HW-offloaded version depending on hardware, so it will work in all bridge configurations.
DHCP Snooping
Cover the security risks of having unauthorized DHCP servers on your network.
Cover how DHCP is a broadcast request.
Cover how you can block DHCP requests from unauthorized ports as it is UDP 67/68 traffic.
Show how this can be done in the bridge configuration. Uplink ports and the port facing the server must be set as trusted, because the RouterOS implementation of DHCP snooping blocks ALL DHCP packets, not just replies like some other vendors.
Cover which units and which configurations support this with HW-offloading.
Explain the use of DHCP option 82 with DHCP snooping.
Cover that DHCP snooping works both with HW-offloading and in software.
Loop protect
Explain how loop protect can prevent Layer 2 loops. The feature works by checking the source MAC address of a received loop protect packet against the MAC addresses of loop protect enabled interfaces. If a match is found, loop protect disables the interface which received the loop protect packet.
Explain that it is recommended to use (R/M)STP instead, as it is compatible with other switches and provides many more options to fine-tune the network.
Traffic Storm Control
Explain that it is possible to limit broadcast, unknown multicast and unknown unicast traffic. These rules are set as a % of the link speed.
Layer 2 firewall
RouterOS bridge filter features
Switch access control list rules
Option to also force traffic through the IP firewall
Layer 2 firewalls can also be used to restrict routing between networks, blocking traffic close to its source.
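The DHCP snooping, storm control, loop protect and Layer 2 firewall settings from the topics above as one worked CRS3xx configuration, added here as an example and not taken from the syllabus; interface names, the 10% rate and the timers are assumed:

```routeros
# Constructed example: ether1 is the uplink toward the only legitimate DHCP
# server, ether2 and ether3 are client ports on bridge1 of a CRS3xx.
# DHCP snooping: the uplink (and any port with a real server behind it) is
# trusted; DHCP server traffic arriving on untrusted client ports is dropped.
/interface bridge
set bridge1 dhcp-snooping=yes add-dhcp-option82=yes
/interface bridge port
set [find interface=ether1] trusted=yes
set [find interface=ether2] trusted=no
set [find interface=ether3] trusted=no
# Traffic storm control in the switch chip, as a percentage of link speed:
# broadcast, unknown multicast and unknown unicast on the client ports.
/interface ethernet switch port
set ether2 limit-broadcasts=yes limit-unknown-multicasts=yes limit-unknown-unicasts=yes storm-rate=10
set ether3 limit-broadcasts=yes limit-unknown-multicasts=yes limit-unknown-unicasts=yes storm-rate=10
# Loop protect on the client ports as a fallback for devices that do not speak
# (R)STP; a port that receives its own loop-protect frame is disabled for 5m.
/interface ethernet
set ether2,ether3 loop-protect=on loop-protect-send-interval=5s loop-protect-disable-time=5m
# Layer 2 firewall: block client-to-client frames between the two access ports
# at the source instead of relying on the router. Bridge filter rules are
# processed by the CPU; check the H flag afterwards with
# /interface bridge port print to see whether HW-offloading survived.
/interface bridge filter
add chain=forward in-interface=ether2 out-interface=ether3 action=drop
add chain=forward in-interface=ether3 out-interface=ether2 action=drop
# Alternative: push bridged traffic through the IP firewall so the existing
# /ip firewall filter forward chain applies (match on in-bridge-port).
/interface bridge settings
set use-ip-firewall=yes
# Verification
/interface bridge port print
/interface ethernet switch port print
```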
BPDU Guard
Note to trainers: though this is a Layer 2 security issue, I have covered this in the spanning tree module, so that you can use a tool to inject BPDU packets into your students' networks. If you want to, you can move it here instead; it's up to you.
ARP enable / disable / proxy ARP / reply only
Remind students how the network will not function at Layer 2 without ARP.
Show students that the max size of the ARP table can be changed (/ip settings set max-neighbor-entries).
ARP is covered in MTCNA, but not all ARP interface modes in detail.
Explain the 5 ARP interface modes:
Enable
Disable
Proxy ARP
Reply only
Local Proxy ARP
Explain how static ARP entries can be used for "security".
Explain how the DHCP server can add ARP entries for you.
Explain how you can use a DHCP server in static-only mode to give out fixed IP addresses based on MAC address; the ARP entry is then added when the client requests a DHCP address and the client will work, whereas anyone with a manually configured IP will not.
ARP requests can be shown really well in Wireshark: a client device broadcasts "who has this address". This shows why big Layer 2 networks are bad and/or why Layer 2 network latency is bad.
Cover how Local Proxy ARP works and means that Layer 2 traffic can be filtered on the router, and how 2 devices can now communicate with port isolation where they could not before.
Bridge Hosts
Explain the bridge hosts table to students.
Explain the bridge port learn mode settings.
Explain how the bridge hosts table learns MAC addresses.
Explain how static bridge host entries can be made and take precedence over dynamic entries.
Explain the bridge hosts table flags.
Switch Hosts table
Explain how this table shows entries only for switch ports (HW-offloaded bridge ports).
Explain the extra properties (e.g. copy-to-cpu, drop, mirror, redirect-to-cpu).
Port Security
MAC address limits
Unicast FDB entries - https://wiki.mikrotik.com/wiki/Manual:CRS3xx_series_switches#Models
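Port security through static bridge host entries, combined with the ARP reply-only and DHCP static-only approach from the ARP section above, as one worked configuration; this is an added example, not from the syllabus or the CRS3xx manual, and the MAC addresses, interface and server names and addresses are constructed:

```routeros
# Constructed example: lock ether2 to one known laptop MAC, and make ARP on
# vlan10 reply-only so only addresses leased by the DHCP server work.
/interface bridge port
# No dynamic learning and no unknown-unicast flooding on the secured port;
# only the static host entry below (static entries take precedence) forwards.
set [find interface=ether2] learn=no unknown-unicast-flood=no
/interface bridge host
add bridge=bridge1 interface=ether2 mac-address=00:0C:42:AA:BB:01
# ARP reply-only: the router answers ARP but never learns from requests, so a
# host with a manually chosen IP never gets an ARP entry and cannot be reached.
/interface vlan
set vlan10 arp=reply-only
# The DHCP server adds the ARP entry for each lease; with static-only there is
# no pool, so only pre-registered MACs get an address at all.
/ip dhcp-server
set dhcp10 add-arp=yes address-pool=static-only
/ip dhcp-server lease
add server=dhcp10 address=192.168.10.50 mac-address=00:0C:42:AA:BB:01
# A device that must never use DHCP can still be pinned with a static ARP entry.
/ip arp
add address=192.168.10.2 mac-address=00:0C:42:AA:BB:02 interface=vlan10
# Checks: the static host on ether2 appears without the D flag; on vlan10 only
# leased and static addresses have ARP entries.
/interface bridge host print where interface=ether2
/ip arp print where interface=vlan10
```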
802.1X Port based Authentication (dot1x)
Since 6.45 RouterOS has IEEE 802.1X support.
dot1x provides port-based network access control using EAP - https://wiki.mikrotik.com/wiki/Manual:Interface/Dot1x
Explain the 3 components of dot1x:
supplicant (client)
authenticator (server)
authentication server (RADIUS)
Explain how RouterOS can be:
a supplicant
an authenticator
Explain how with dot1x RouterOS can do port based VLAN assignment to authenticated interfaces. Only devices with hardware offloaded VLAN filtering will be able to do this in the switch chip. Other devices will do this in software.
Explain that dot1x can do MAC type authentication.
Explain that dot1x can create dynamic firewall rules.
Explain how the reject-vlan-id RADIUS attribute works.
Securing switch access
Cover how to secure your switch:
Disable insecure protocols
Only have an IP address on the management range
Set a password
Limit access to services
Firewall filter rules
Disable routing (/ip settings set ip-forward=no)
Disable or limit neighbour discovery
MAC server
Disable unused interfaces
Disable console access
Disable the LCD screen or make it read-only
And more - https://wiki.mikrotik.com/wiki/Manual:Securing_Your_Router
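The checklist above carried through as RouterOS commands for a switch whose management lives in VLAN 99, added here as an example and not taken from the syllabus or the linked manual page; the management subnet, interface names and the unused port are assumed, and console access is left out:

```routeros
# Constructed example: management is VLAN 99 (192.168.99.0/24) on vlan99-mgmt,
# ether8 is an unused port. Apply this from the management network itself.
# Set a strong password for the only admin user.
/user
set admin password="replace-with-a-long-passphrase"
# Disable insecure/unused services and bind the remaining ones to the
# management range only.
/ip service
disable telnet,ftp,www,api,api-ssl
set ssh address=192.168.99.0/24
set winbox address=192.168.99.0/24
# Firewall: accept management only from the management range, drop the rest.
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input src-address=192.168.99.0/24 action=accept
add chain=input action=drop
# A pure switch should not route between VLANs at all.
/ip settings
set ip-forward=no
# Neighbour discovery and the MAC server/MAC-Winbox only on the management VLAN
# (use "none" instead of the list to switch them off entirely).
/interface list
add name=mgmt
/interface list member
add list=mgmt interface=vlan99-mgmt
/ip neighbor discovery-settings
set discover-interface-list=mgmt
/tool mac-server
set allowed-interface-list=mgmt
/tool mac-server mac-winbox
set allowed-interface-list=mgmt
# Unused interfaces off; LCD switched off on models that have one.
/interface ethernet
set ether8 disabled=yes
/lcd
set enabled=no
# Check what is still listening, and from where.
/ip service print
```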
Module 8 laboratory(s)
Carry out a number of labs on these topics. Again, these can be done all in one go or as you go along. This is up to you:
Lab on Layer 2 firewall
Lab on DHCP snooping - show a fake DHCP server being blocked
Lab on port security - show the port blocking additional MAC addresses
Extra lab on static ARP tables?
Extra lab on Local Proxy ARP?
Trainers could have a RADIUS server for students to use; students set up their switch as a dot1x authenticator, use their laptops as supplicants to authenticate, and even do a VLAN assignment
Module 10 Tools
There are a number of tools in RouterOS to help diagnose Layer 2 network problems. During the course and the above sections you may have used and shown students most of them. This topic is to bring them all together in one place for the students.
bridge -> ports
Bridge port details and STP port monitoring.
bridge -> hosts table
Shows MAC addresses learnt on a bridge interface - https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#Hosts_Table
This also shows:
bridge name
on-interface
VID (VLAN ID)
age
Cover the flags:
X - disabled
I - invalid
D - dynamic
L - local
E - external (e.g. from wireless or switch chip)
IP -> ARP Table
The ARP table will contain entries only for the traffic that flows through the router. If the traffic is forwarded through the bridge, ARP entries will not be created.
Interface -> Ethernet
Interface stats and monitoring:
/interface print stats
/interface ethernet print stats
/interface ethernet monitor
/interface ethernet monitor [find]
/interface ethernet switch print stats
Port Mirroring
Mirroring lets the switch 'sniff' all traffic that is going in a switch chip and send a copy of those packets out to another port (mirror-target). This feature can be used to easily set up a 'tap' device that allows you to inspect the traffic on your network on a traffic analyser device. It is possible to set up simple port based mirroring, but it is also possible to set up more complex mirroring based on various parameters.
Cover how to create a port mirror on a CRS3xx and provide example uses for a port mirror, e.g. packet capture with Wireshark. There is other software to capture with; this is the most common one.
Sniffer
Cover that the sniffer on a HW-offloaded bridge will see only input/output traffic like broadcast/multicast (ARP, neighbour discovery). To sniff all traffic, HW-offloading should be switched off on the port, but that can produce high load on the CPU. Alternatively ACL rules with copy-to-cpu=yes can be used.
Torch
The same rules apply as for the sniffer.
Copy to CPU
Cover how copy to CPU can selectively match packets and send them to the CPU. This can be used in conjunction with sniffer and torch to selectively send traffic to the CPU so these tools can be used to analyse it. Copy to CPU will not affect the original packet forwarding, but it can cause extra CPU load to process the copied packets.
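A CRS3xx port mirror to a capture port and a copy-to-cpu ACL for the sniffer and torch, as one worked configuration; this is an added example, not from the syllabus. Interface and switch names are assumed, and the per-port mirror parameter names are taken from the CRS3xx manual as remembered here, so verify them with /interface ethernet switch port print on your RouterOS version:

```routeros
# Constructed example: copy every frame on ether2 to a capture port (ether8,
# where a laptop runs Wireshark) and copy only ARP from ether2 to the CPU so
# /tool sniffer and /tool torch can see it while ether2 stays HW-offloaded.
/interface ethernet switch
set switch1 mirror-egress-target=ether8
/interface ethernet switch port
set ether2 mirror-ingress=yes mirror-egress=yes mirror-ingress-target=ether8
# Switch ACL: copy ARP from ether2 to the CPU; forwarding is unaffected, only
# the extra CPU load of the copied frames is added.
/interface ethernet switch rule
add switch=switch1 ports=ether2 mac-protocol=arp copy-to-cpu=yes
# The copied frames now reach the bridge from the CPU's point of view.
/tool sniffer quick interface=bridge1
/tool torch interface=bridge1
# Switch chip counters to confirm the mirror and the copy are actually hitting.
/interface ethernet switch print stats
```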
Monitoring
Remind students that RouterOS supports SNMP, and switches can be monitored by SNMP and The Dude.
RouterOS Logs
Remind students about logging and that extra logging can be turned on, e.g.:
DHCP port blocking logged in the logs
Spanning tree is logged in the logs
Dot1x RADIUS logs
Module 10 laboratory(s)
Lab on doing a port mirror, and use Wireshark (or a similar program) to see this traffic with and without the port mirror.
Here are a few useful docs for extra reading when creating your training material. This list is not exhaustive, but these are some useful docs to expand on these topics further:
https://wiki.mikrotik.com/wiki/Manual:Spanning_Tree_Protocol
https://wiki.mikrotik.com/wiki/SwOS
https://wiki.mikrotik.com/wiki/Manual:CRS_Router
https://wiki.mikrotik.com/wiki/Manual:CRS3xx_series_switches
https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge
https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features
https://wiki.mikrotik.com/wiki/Manual:Bridge_VLAN_Table
https://wiki.mikrotik.com/wiki/Manual:CRS1xx/2xx_series_switches
https://wiki.mikrotik.com/wiki/Manual:Master-port
https://wiki.mikrotik.com/wiki/Manual:Basic_VLAN_switching
MUM presentations:
Optimising your MikroTik Layer2 configuration by Jono Thompson (BirchenallHowden Ltd, United Kingdom) -
https://mum.mikrotik.com/2019/EU/agenda/EN
New Bridge Features in 6.43 by Jono Thompson (BirchenallHowden Ltd, United Kingdom) -
https://mum.mikrotik.com/2018/UK/agenda/EN
Notes to trainers on labs
Suggested lab setup:
Ideally each student would use their own CRS3xx switch. If this is not possible, labs would be possible with students sharing a CRS3xx switch and creating unique VLAN IDs. Careful planning would be required for spanning tree labs.
Alternatively, students could do bridge VLANs on a router that does not support HW-offloading.
Students would then need an alternative unit for labs with SwOS.