Optimising your MikroTik

Layer2 configuration

March 2019 © Jono Thompson

BirchenallHowden Ltd
 Jono Thompson
• Networking background started as a
Cisco Engineer

• Started using ROS June 2010

• MikroTik Consultant Since Dec 2014

• MikroTik Trainer since March 2017

2
 BirchenallHowden Ltd
• Established in 2006
• 29 staff
• Based in Sheffield, UK and working throughout the UK and
Europe
• Currently providing IT support for over 75 companies and 2800
users
• Currently have 2 MikroTik consultants

3
 BirchenallHowden Ltd
• Services Provided
– Wired and wireless network design and installation,
– Desktop and server installation, support and maintenance
– ISP Services, leased lines, connectivity
– Telephony
– Wireless installs
– MikroTik Consultancy
– MikroTik Training

• Visit www.birchenallhowden.co.uk 4
 Presentation Objectives
• Since version 6.41 there have been some major changes to the
Bridge configuration

• This presentation is designed to help and encourage you to use

the new features.

5
 Presentation Objectives
• This presentation will show some of the most common
mistakes made with Layer 2 configurations.

• It will show some incorrect configurations, and then show the

correct configurations along with an explanation of what was
wrong.
– This is not a step by step guide

• Most of these are taken from real setups we have had to fix

6
 Presentation Objectives

• At UK MUM in Birmingham 2018, I did a presentation on step

by step guide on the new Bridge VLAN filtering
– “New bridge features in 6.43”

7
 Configurations
• In the download PDF version the incorrect configurations will be marked
like this

• Correct configurations will be marked like this:-

8
 Meet Mike
• Last time we met Mike, he had just
installed his new MikroTik Wireless

• He has finally got all his wireless working

really well thanks to some really cool
guy from the UK MUM

• Mike invites Dave around to see how

good it is…

9
 Mike and Dave
• They sit in Mike’s office
Kitchen while Mike shows
Dave how fast the WiFi
network now is…

• Dave looks up at Mike’s

Network patch cabinet

10
Mike’s Network

11
 Dave’s Visit

• Dave suggests that Mike uses a PoE

switch to power all his APs.

• Then he would be able to shut his

cabinet door!

12
 New Switch
• Mike does some searches the internet…
• Mike sees that MikroTik do PoE switches
• As they are cheap he buys one
• CRS328-24P-4S-RM

13
Neat Install

14
 Mike looks at the features
• Mike is so excited about his new switch he Tweets about his
new tidy install

15
 Dave’s Visit

• Dave replies and says ”You should have

a guest Wi-Fi to keep your visitors off
your office network”

16
 Mike’s Network

ether2

ether4 hAP ac^2

CRS328
ether24
Link / Act: Off = N o Link, Flash = Activity, On = Link 10/ 100/ 1000Base-T Ports (1 - 24) - Ports are Auto-M DIX
HP PS1810-24G Switch
Use only supported transceivers
Link / Act: 1 Spd* 3 5 7 9 11 Link / Act: 13 Spd* 15 17 19 21 23

Link / Act 25
Pow er
Spd*
Fault
Locator
Link / Act 26

Spd*

Reset Clear Link / Act: 2 Spd* 4 6 8 10 12 Link / Act: 14 Spd* 16 18 20 22 24

* Speed: Off = 10 M bps, Flash = 100 M bps, On = 1000 M bps

AP2 - 13

17
 Guest Network - Router Configuration
• Dave sets about configuring a new bridge on his hAP ac2
Router for his guest network

/interface bridge add name=bridge-guest

/interface bridge port add bridge=bridge-guest interface=ether4
/ip address add address=192.168.201.1/24 interface=bridge-guest network=192.168.201.0
/ip pool add name=dhcp_pool-guest ranges=192.168.201.2-192.168.201.254
/ip dhcp-server add address-pool=dhcp_pool-guest disabled=no interface=bridge-guest name=dhcp-guest
/ip dhcp-server network add address=192.168.201.0/24 dns-server=8.8.8.8 gateway=192.168.201.1

/interface bridge add name=bridge-lan

/interface bridge port add bridge=bridge-lan interface=ether2
/interface bridge port add bridge=bridge-lan interface=ether3

18
 The Problem
• Mike notices that he now has really slow throughput from his
wireless clients to his wired clients

• He also notices that his hAP ac2 router has a high CPU load.

• He also notices that network traffic has huge latency

• He calls Dave…..

19
 What’s wrong?
• Dave tells Mike to look for the check hardware offloading is
enabled and the H flag to show its being used.

20
 Multiple Bridges on a Single Switch Chip
Analysis:

• Only CRS1xx/2xx Support HW-offloading on more than 1

bridge

• Even though bridge port has HW-offloading enabled, the traffic

for the 2nd bridge is going though the CPU. This has created a
hardware limit for Mike

21
 Multiple Bridges on a Single Switch Chip
Solution:

• You can control which bridge uses HW-offloading.

Preferred solution:

• Consider a network redesign to use hardware optimally

22
 Bridge VLAN filtering
• Mike does some reading about VLANs and sees that since
version 6.41 MikroTik supports VLANs with a single bridge

• Mike configures bridge VLAN filtering on his hAP ac2 so he only

needs to use one bridge and turns it on…..

23
 Bridge VLAN filtering

/interface vlan
add interface=ether4 name=vlan11 vlan-id=11
add interface=ether4 name=vlan201 vlan-id=201
/ip dhcp-server
add address-pool=dhcp_pool-lan disabled=no interface=vlan11 name=dhcp-lan
add address-pool=dhcp_pool-guest disabled=no interface=vlan201 name=dhcp-guest

/interface bridge port

add bridge=bridge-lan interface=ether4
add bridge=bridge-lan interface=ether2 pvid=11
add bridge=bridge-lan interface=ether3 pvid=11
/interface bridge vlan
add bridge=bridge-lan untagged=ether2,ether3 tagged=ether4 vlan-ids=11
add bridge=bridge-lan tagged=ether4 vlan-ids=201

24
 VLAN Interfaces
• Mike now notices that his clients don’t always get a DHCP
address, even though he has a DHCP server running on the
VLAN….

• Mike emails MikroTik to point out that MikroTik don’t support

DHCP running in VLANs.

25
 VLAN Interfaces
Analysis:

• Interfaces in a bridge are slave interfaces.

– The bridge is the master.

• All traffic captured on the bridge is forwarded to the CPU using

the bridge interface, not the physical interface

26
VLAN Interfaces

27
 VLAN Interfaces
Solution:

• Change the VLAN interface to the bridge as the bridge is the

new switch CPU and this is where all traffic will flow out of the
bridge

• DHCP is now working

for Mike

28
 Bridge VLAN filtering – Correct Configuration

/interface vlan
add interface=bridge-lan name=vlan11 vlan-id=11
add interface=bridge-lan name=vlan201 vlan-id=201
/ip dhcp-server
add address-pool=dhcp_pool-lan disabled=no interface=vlan11 name=dhcp-lan
add address-pool=dhcp_pool-guest disabled=no interface=vlan201 name=dhcp-guest

/interface bridge port

add bridge=bridge-lan interface=ether4
add bridge=bridge-lan interface=ether2 pvid=11
add bridge=bridge-lan interface=ether3 pvid=11
/interface bridge vlan
add bridge=bridge-lan untagged=ether2,ether3 tagged=bridge-lan,ether4 vlan-ids=11
add bridge=bridge-lan tagged=bridge-lan,ether4 vlan-ids=201

29
 Bridge VLAN filtering
• Mike tests his network and now see that he has slow
throughput through both networks

• Mike also notices that when he runs a performance test he

notices that his hAP ac2 has a very high CPU load.

30
 Bridge VLAN filtering
• Mike looks at his config on his hAP ac2 and sees that even
though hw-offload is enabled that there is still no H flag

31
 Bridge VLAN filtering
• Mike can’t understand why when he thinks he done everything
right
– He only has 1 bridge
– He has hw-offloading enabled

• And yet the bridge does not show HW offloading

• Mike calls Dave

32
 Bridge – HW offloading
• Dave tells Mike to look at the manual……

• Depending on the model or the switch chip, only some

features are supported with bridge HW offloading

• Use of unsupported features will disable HW-offloading

33
 Bridge – HW offloading
Switch Chip Model (example units) STP/RSTP MSTP DHCP Snooping VLAN Filtering Bonding3
CRS3xx ✓ ✓ ✓ ✓ ✓
CRS1xx/2xx ✓  ✓1  
QCA8337 hAP ac / hEX PoE / 3011 (1Gb) ✓  ✓2  
AR8327 hAP ac2/2011(1Gb)/1100AHx2 ✓  ✓2  
AR8227 hAP/hEX lite/2011 (100Mb) ✓  ✓2  
AR8316 ✓  ✓2  
AR7240 ✓  ✓2  
MT7621 hEX (750Gr3) ✓  ✓  
RTL8367 1100AHx4   ✓  
ICPlus175D   ✓  

1. Feature will not work properly in VLAN switching setups, you must make sure that required packets
are sent out with the correct VLAN tag using ACL rules.
2. DCHP Snooping will not work properly with VLAN switching
3. Bridge hardware offloading only supported using 802.3ad bonding
Complete list https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Bridge_Hardware_Offloading
34
 Bridge – HW offloading
• Only a few devices are able to offload the traffic to the switch
chip when using VLAN filtering

• When traffic is not offloaded to the switch chip the CPU is used
to forward traffic. This can result in lower than expected
throughput

• Dave suggest that he carries out a network redesign to use his

hardware to its full potential

35
 Bridge VLAN filtering
• Mike carries out a network redesign and no longer uses his
hAP ac2 as a switch in his network.

• Mike sees that his CRS328-24P-4S+ also supports VLAN filtering

• Mike now starts configuring his CRS328-24P-4S+ with VLANs so

that his wireless access points can have both VLANs running on
them

36
 Mike’s Network
• New network topology

ether4 hAP ac^2

CRS328
ether24

ether23

Link / Act: Off = N o Link, Flash = Activity, On = Link 10/ 100/ 1000Base-T Ports (1 - 24) - Ports are Auto-M DIX
HP PS1810-24G Switch
Use only supported transceivers
Link / Act: 1 Spd* 3 5 7 9 11 Link / Act: 13 Spd* 15 17 19 21 23

Link / Act 25
Pow er
Spd*
Fault
Locator
Link / Act 26

Spd*

Reset Clear Link / Act: 2 Spd* 4 6 8 10 12 Link / Act: 14 Spd* 16 18 20 22 24

* Speed: Off = 10 M bps, Flash = 100 M bps, On = 1000 M bps

AP2 - 13
37
 CRS326 VLAN Configuration
• Mike now sets about setting up his new CRS328-24P-4S+.

• He creates a bridge

38
CRS326 VLAN Configuration

• Adds all Switch Ports to the

Bridge
• Default is hardware
offloaded enabled

39
 CRS326 VLAN Configuration
• Creates VLANs and adds the ports for the Wireless Access
Points as Tagged Ports

40
 CRS326 VLAN Configuration
• And finally Mike turns on VLAN filtering

41
 CRS VLAN Configuration 1
/interface bridge add name=bridge-lan vlan-filtering=yes
/interface bridge port
add bridge=bridge-lan interface=ether1
add bridge=bridge-lan interface=ether2
add bridge=bridge-lan interface=ether3
add bridge=bridge-lan interface=ether4
add bridge=bridge-lan interface=ether5
add bridge=bridge-lan interface=ether6
add bridge=bridge-lan interface=ether7
add bridge=bridge-lan interface=ether8
add bridge=bridge-lan interface=ether9
add bridge=bridge-lan interface=ether10
add bridge=bridge-lan interface=ether11
add bridge=bridge-lan interface=ether12
add bridge=bridge-lan interface=ether24
/interface bridge vlan
add bridge=bridge-lan
tagged="ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,ether2
4" vlan-ids=201
add bridge=bridge-lan
tagged="ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,ether2
4" vlan-ids=11
42
 VLAN in bridge with a physical interface
• Mike now adds in ether23 to link his old switch to the new
switch.
• As his old switch has no VLANs and only needs traffic from the
NEW VLAN11 he creates a VLAN on ether23 and adds this to
the bridge
/interface vlan
add interface=ether23 name=vlan11-ether23 vlan-id=11
/interface bridge port
add bridge=bridge-lan interface=vlan11-ether23
/interface bridge vlan
add bridge=bridge-lan untagged=vlan11-ether23 vlan-ids=11

43
VLAN in bridge with a physical interface

44
 VLAN in bridge with a physical interface
• Mike is still having problems.
• He is seeing ports flapping on his old switch
• Spanning tree is doing strange things on his old switch
• Traffic just randomly stops

• He emails MikroTik to point out that their switches are

incompatible with other vendors switches

45
 VLAN in bridge with a physical interface
Analysis:
• Though this often works, this violates the 802.1w STP.
• The BPDU packets being sent on ether23 which is an untagged
switch interface.
• The VLAN tagging is being applied in the CPU causing all packets
being sent out as tagged traffic in VLAN11.
• Not all other vendors can understand tagged BPDU.
• In some more complex settings a switch may receive its own
BPDU packet and trigger a loop detection when there is not one.

47
 VLAN in bridge with a physical interface
Solution:

• The easiest solution is to simply disable STP/RSTP on the bridge

Preferred solution:

• Use bridge VLAN filtering correctly to tag the traffic

48
 VLAN in bridge with a physical interface
• Mike decides he is going to use the preferred solution and
makes changes to his bridge VLAN filtering

• Mike adds the physical port to the bridge and set the PVID and
add the port as a untagged in the VLAN

/interface bridge port

add bridge=bridge-lan interface=ether23 pvid=11
/interface bridge vlan
add bridge=bridge-lan untagged=ether23 vlan-ids=11

49
VLAN in bridge with a physical interface

50
 Untagged Interfaces
• Setting a PVID on a bridge port once
VLAN filtering is enabled will also set
untagged interface in the VLAN in the
VLAN table

51
 Management Interface
• Mike realises his new CRS328 switch needs to have an IP
Address on it so that he can manage it, and also it can then get
NTP time sync so logging is useful

• Mike plans to manage his switch from VLAN 11

• Mike doesn’t want any of the other VLANs to access his switch

52
 Management Interface 1
• Mike connects his laptop to ether22 and sets it untagged in
VLAN11.

• Mike now sets an IP Address on ether22 so he can manage the

switch
/interface bridge port
add bridge=bridge-lan interface=ether22 pvid=11
/interface bridge vlan
add bridge=bridge-lan untagged=ether22 vlan-ids=11
/ip address
add address=10.100.1.2/24 interface=ether22 network=10.100.1.0

53
Management Interface 1

54
 Management Interface 1
• Mike is still unable to access his new CRS328 switch by IP
Address

• Mike calls Dave…..

55
 Management Interface 1
Analysis:
• When you add an interface to the bridge it becomes a slave
interface

• All traffic captured on the interface is sent to the CPU on the

bridge interface, not the physical ethernet port
• The slave interface never captures any traffic on the interface

56
 Management Interface 1
Solution:

• Set the management interface VLAN to be on the master

interface in this case the master is bridge-lan

57
 Management Interface 2

• Mike add VLAN11 to the bridge with PVID11 and sets the VLAN
interface as an untagged port in the bridge….

/interface vlan
add interface=bridge-lan name=vlan11 vlan-id=11
/interface bridge port
add bridge=bridge-lan interface=vlan11 pvid=11
/interface bridge vlan
add bridge=bridge-lan untagged=vlan11 vlan-ids=11
/ip address
add address=10.100.1.2/24 interface=vlan11 network=10.100.1.0

58
Management Interface 2

59
 Management Interface 2
• Mike is still unable to access his new CRS328 switch by IP
Address

• Mike calls Dave

60
 Management Interface 2
Analysis

• The only connection from the switch chip to the CPU is through
the bridge interface.

• The bridge works like a Switch and this should not be mixed up
with physical interfaces with VLAN interfaces on.

61
 Management Interface 2
Solution:

1. Add the bridge as a tagged port into required VLANs

2. Creating VLAN interfaces on the bridge

• This will allow tagged packets to enter the bridge from the
switch chip and will be then passed through to the specific
VLAN interface on the bridge.

62
 Management Interface 2
Solution cont.:

• To secure management access further Dave tells Mike to use

ingress filtering to allow only traffic on Specific VLAN ID

63
 Management Interface 2
Solution cont.:

• Set the CPU/Bridge interface to pass tagged traffic.

• The CPU now receives tagged traffic and management access is
allowed

/interface vlan add interface=bridge-lan name=vlan11 vlan-id=11

/interface bridge vlan add bridge=bridge-lan tagged=bridge-lan vlan-ids=11
/ip address add address=10.100.1.2/24 interface=vlan11 network=10.100.1.0
/ip route add dst-address=0.0.0.0/0 gateway=10.100.1.1 distance=1

64
 Management Interface - Correct
• Create a VLAN interface on the bridge interface

65
Management Interface - Correct
• Add bridge as a Tagged Port on the
VLAN11 – IMPORTANT
• Add an IP Address to the VLAN interface

66
 Ingress Filtering
• Mike also configures Ingress Filtering.

• Ingress filtering not only can be

applied to a physical switch port, but
also the bridge port / switch-cpu port

/interface bridge
add frame-types=admit-only-vlan-tagged ingress-filtering=yes name=bridge-lan vlan-filtering=yes

67
 Egress Filtering
• When Bridge VLAN-filtering is enabled….

• By default the switch ports and the bridge port (switch CPU),
filter on Egress based on the VLAN table Invalid VLANs are
dropped on Egress.

68
 Ingress Filtering
• Ingress Filtering can be used along with frame type to limit
which packets are allowed to access the device, both from
physical ports and also from the CPU.

• Ingress filtering will check the VLAN table and only allow
VLANs. VLANs not specified in the VLAN table will be dropped

69
 Ingress Filtering

• By applying frame-type=VLAN-tagged-only tagged

packets will pass from the switch

• Applying frame-type=VLAN-tagged-only will also

disable dynamic adding of untagged ports based on PVID

70
Bridge VLAN Filtering – Mike’s Learnt

• Mike has learnt a few important things

about the new Bridge-VLAN Filtering
options

71
Bridge VLAN Filtering

1. Its important to check the features and

use the choose the correct hardware

72
Bridge VLAN Filtering

2. The bridge works like a Switch and this

should not be mixed up with physical
interfaces with VLAN interfaces on.

Use only one method of VLAN

configuration

Router or Switch

73
Bridge VLAN Filtering

3. The only connection from the switch to

the CPU is the bridge interface. This
needs adding as a tagged port in VLANs
as needed and works like a switch port.

74
Bridge VLAN Filtering

• Mike is now a fan of VLANs on MikroTik

switches!

75
 Packet flow with hardware offloading
• Mike notices that a couple of his ports have high traffic

• Mike is curious as to what is happening. So he torches one of

the interfaces

• He only sees a few packets. However he can see that there is a

lot more traffic on that interface

• He calls Dave….
76
 Packet flow with hardware offloading
• Dave immediately knows that Mike needs to look at the block
diagram to understand how the hardware functions

• Dave spent lots of time last year looking at the block diagrams
for different MikroTik hardware…

• Dave looks at the block diagram for the CRS328 with Mike and
explains how it works….

77
Packet flow with hardware offloading

78
 Packet flow with hardware offloading
• Each ethernet port is connected to the switch chip
• The switch chip is connected the CPU (sometimes called
switch-cpu port)
• Once hw-offloading has been enabled, the switch chip
forwards packets between ports
• For packets to view in sniffer tools, they need to be sent to the
CPU

79
 Packet flow with hardware offloading
• If you know the traffic you are interested in then you can copy
traffic to CPU.

• This is an example of how to send packets destined for

EC:F4:BB:50:5E:CF

/interface ethernet switch rule

add copy-to-cpu=yes dst-mac-address=EC:F4:BB:50:5E:CF/FF:FF:FF:FF:FF:FF ports=ether1
switch=switch1

80
 LAG / Bonding

• Mike wishes he could have more bandwidth between his

servers.

• Mike also reads that MikroTik support bonded interfaces. His

servers also support LACP so he bonds 2 ports together to
increase throughput.

81
 LAG / Bonding

ether4 hAP ac^2

CRS328
ether24
LACP LACP

ether23

Link / Act: Off = N o Link, Flash = Activity, On = Link 10/ 100/ 1000Base-T Ports (1 - 24) - Ports are Auto-M DIX
HP PS1810-24G Switch
Use only supported transceivers
Link / Act: 1 Spd* 3 5 7 9 11 Link / Act: 13 Spd* 15 17 19 21 23

Link / Act 25
Pow er
Spd*
Fault
Locator
Link / Act 26

Spd*

Reset Clear Link / Act: 2 Spd* 4 6 8 10 12 Link / Act: 14 Spd* 16 18 20 22 24

* Speed: Off = 10 M bps, Flash = 100 M bps, On = 1000 M bps

AP2 - 13

82
 LAG / Bonding

• Mike has also remembered to check if his CRS328 supports hw-

offloading with bonded interfaces

• Mike sees that only 802.3ad (LACP) bonding is supported so he

uses that bonding mode

83
 LAG / Bonding
Switch Chip Model (example units) STP/RSTP MSTP DHCP Snooping VLAN Filtering Bonding3
CRS3xx ✓ ✓ ✓ ✓ ✓
CRS1xx/2xx ✓  ✓1  
QCA8337 hAP ac / hEX PoE / 3011 (1gb) ✓  ✓2  
AR8327 hAP ac2/2011/1100AHx2 (1gb) ✓  ✓2  
AR8227 hAP/hEX lite/2011 (100mb) ✓  ✓2  
AR8316 ✓  ✓2  
AR7240 ✓  ✓2  
MT7621 hEX (750Gr3) ✓  ✓  
RTL8367 1100AHx4   ✓  
ICPlus175D   ✓  

1. Feature will not work properly in VLAN switching setups, you must make sure that required packets
are sent out with the correct VLAN tag using ACL rules.
2. DCHP snooping will not work properly with VLAN switching
3. Bridge hardware offloading only supported using 802.3ad bonding
Complete list https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Bridge_Hardware_Offloading
84
 LAG / Bonding
• Mike configures two bonding interfaces and sets them as
untagged on VLAN11

/interface bonding
add mode=802.3ad name=bonding1 slaves=ether13,ether14
add mode=802.3ad name=bonding2 slaves=ether15,ether16
/interface bridge port
add bridge=bridge-lan interface=bonding1 pvid=11
add bridge=bridge-lan interface=bonding2 pvid=11
/interface bridge vlan
add bridge=bridge-lan untagged=bonding1,bonding2

85
 LAG / Bonding
•

86
 LAG / Bonding
• Mike notices that he still only gets 1Gb between his servers
when testing with a well known network performance tool
(iperf)

• He only sees the traffic on one of the bonded interface slave

interfaces

• He checks the CPU and that it is not heavily loaded

87
LAG / Bonding

88
 LAG / Bonding
• This time he remembers to check that the ports are hw-
offloaded and the bonded interfaces are

• He calls Dave
89
 LAG / Bonding
Analysis:

• LACP (802.3ad) does not create 1 x 2Gbps interface but an

interface that can transmit traffic over multiple slave interfaces
• LACP (802.3ad) using transmit hash policy (MAC, IP or Port).
• As the traffic is going to the same dst MAC and dst IP and dst
Port, load balance between different members is not possible.

• This is correct for 802.3ad.

90
 LAG / Bonding
Solution:

• Traffic going from multiple sources / destinations will load

balance across LAG members

• Different transmit hash policies can increase single stream

throughput. However these are not hw-offloaded in the bridge
configuration so will be limited to CPU

91
 DHCP Snooping

• Mike has a problem on his network. His users keep bring in

their old routers from home and plugging them in to give them
extra switch ports under their desks….

• This causes clients on his network to obtain incorrect IP

information as these routers are also DHCP Servers.

92
 DHCP Snooping

• Mike reads more about the features on his new switch.

• Mike sees that he can run DHCP Snooping to prevent his users
plugging rogue routers into his network

93
 DHCP Snooping
• Mike turns on DHCP Snooping on
his bridge

/interface bridge
add dhcp-snooping=yes name=bridge-lan vlan-
filtering=yes

94
 DHCP Snooping
• Mike now has a problem…

• None of his client devices are getting a DHCP Address.

• He checks his switch and hw-offloading is still enabled

• He check his switch CPU and that is not maxed out…

• He Calls Dave….

95
 DHCP Snooping
• Dave tells Mike to check the logs on both his CRS328 and his
hAP ac2

• CRS328

• hAP ac2

96
 DHCP Snooping
Analysis:

• DHCP Snooping is a Layer 2 Security feature

• This limits the ports on which DHCP messages are received

• Mike has successfully drop DHCP messages from the rogue

routers on his network
• Mike has also blocked DHCP messages from his legitimate
DHCP Server too!
97
 DHCP Snooping
Solution:

• Dave tells Mike that he needs to allow DHCP messages to be

forward on the port with his server and the port facing other
switches.

• Mike sets the ports as trusted

• Mike’s Clients now get an IP Address

98
 DHCP Snooping

/interface bridge port

add bridge=bridge-lan interface=ether24 trusted=yes
add bridge=bridge-lan interface=ether23 trusted=yes

99
Thank you for Listening

100
 References
• Visio Templates – Mikrotik Forum user FernandoSuperGG
https://forum.mikrotik.com/viewtopic.php?f=2&t=120957

• MikroTik Manual
https://wiki.mikrotik.com/wiki/Manual:CRS_Router#CRS3xx_series_switches
https://wiki.mikrotik.com/wiki/Manual:CRS3xx_series_switches
https://wiki.mikrotik.com/wiki/Manual:Layer2_misconfiguration
https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge
https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Bridge_Hardware_Offloading
https://wiki.mikrotik.com/wiki/Manual:Bridge_VLAN_Table

101