Mikrotik Configuration Ref-Switch Feature

This document summarizes how to secure a Mikrotik router by configuring switch port settings like VLAN mode, VLAN header, default VLAN ID, enabling port mirroring to copy traffic between ports, and configuring the VLAN table including settings like disabling VLAN entries, independent VLAN learning, member ports, associated switch, and VLAN IDs.

Uploaded by Min Zaw Oo

Securing Mikrotik Router

/interface ethernet switch print

List of all switch chips present in the system

Switch Port Settings

/interface ethernet switch port

Property (values; default) and description:

switch-all-ports (no | yes; Default: yes)
    yes - <ether1> is part of the switch and supports switch grouping and all other advanced Atheros8316/Atheros8327 features including extended statistics (/interface ethernet print stats).
    no - <ether1> is not part of the switch, effectively making it a stand-alone ethernet port, this way increasing its throughput to other ports in bridged and routed mode, but removing the switching possibility on this port.

vlan-mode (check | disabled | fallback | secure; Default: disabled)
    Changes the VLAN lookup mechanism against the VLAN Table for ingress traffic.
    disabled - disables checking against the VLAN Table completely for ingress traffic. No traffic is dropped when set on the ingress port.
    fallback - checks tagged traffic against the VLAN Table for ingress traffic and forwards all untagged traffic. If ingress traffic is tagged and the egress port is not found in the VLAN Table for the appropriate VLAN ID, then traffic is dropped. If a VLAN ID is not found in the VLAN Table, then traffic is forwarded. Used to allow known VLANs only on specific ports.
    check - checks tagged traffic against the VLAN Table for ingress traffic and drops all untagged traffic. If ingress traffic is tagged and the egress port is not found in the VLAN Table for the appropriate VLAN ID, then traffic is dropped.
    secure - checks tagged traffic against the VLAN Table for ingress traffic and drops all untagged traffic. Both the ingress and the egress port must be found in the VLAN Table for the appropriate VLAN ID, otherwise traffic is dropped.

vlan-header (add-if-missing | always-strip | leave-as-is; Default: leave-as-is)
    Sets the action which is performed on the port for egress traffic.
    add-if-missing - adds a VLAN tag on egress traffic and uses default-vlan-id from the ingress port. Should be used for trunk ports.
    always-strip - removes the VLAN tag on egress traffic. Should be used for access ports.
    leave-as-is - neither adds nor removes a VLAN tag on egress traffic. Should be used for hybrid ports.

default-vlan-id (auto | integer: 0..4095; Default: auto)
    Adds a VLAN tag with the specified VLAN ID on all untagged ingress traffic on a port. Should be used with vlan-header set to always-strip on a port to configure the port as an access port. For hybrid ports default-vlan-id is used to tag untagged traffic. If two ports have the same default-vlan-id, then the VLAN tag is not added, since the switch chip assumes that traffic is being forwarded between access ports.

On QCA8337 and Atheros8327 switch chips, the default vlan-header=leave-as-is property should be used. The switch chip will determine which ports are access ports by using the default-vlan-id property. The default-vlan-id should only be used on access/hybrid ports to specify which VLAN the untagged ingress traffic is assigned to.

Port Mirroring
/interface ethernet switch

Property and description:

mirror-source - copies all traffic that is going in and out of one port (mirror-source).
mirror-target - sends these copied frames out to some other port (mirror-target).

VLAN Table

Property (values; default) and description:

disabled (no | yes; Default: no)
    Enables or disables the switch VLAN entry.

independent-learning (no | yes; Default: yes)
    Whether to use shared VLAN learning (SVL) or independent VLAN learning (IVL).

ports (name; Default: none)
    Interface member list for the respective VLAN. This setting accepts comma-separated values, e.g. ports=ether1,ether2.

switch (name; Default: none)
    Name of the switch for which the respective VLAN entry is intended.

vlan-id (integer: 0..4095)
    The VLAN ID for a certain switch port configuration.
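The following is an added worked example, not MikroTik code and not part of this reference. It models the ingress VLAN lookup for each vlan-mode and the egress handling by vlan-header and default-vlan-id, exactly as the Switch Port Settings and VLAN Table sections above describe them, so the effect of the four modes can be compared on the same frame against a constructed VLAN table. Two reading choices are made explicit in the comments: default-vlan-id is applied to untagged ingress traffic before the lookup (as its description says it "adds a VLAN tag ... on all untagged ingress traffic"), and in check mode a VLAN ID with no table entry is dropped, because the egress port cannot be "found in the VLAN Table" for it. The port names, default-vlan-id values and VLAN table are constructed for the illustration and do not come from the page.

```python
"""Model of vlan-mode / vlan-header / default-vlan-id behaviour from the reference.
Added illustration only; it does not talk to a router."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Port:
    name: str
    vlan_mode: str = "disabled"            # disabled | fallback | check | secure
    vlan_header: str = "leave-as-is"       # add-if-missing | always-strip | leave-as-is
    default_vlan_id: Optional[int] = None  # None models the "auto" value


@dataclass
class Frame:
    ingress: str
    egress: str
    vlan_id: Optional[int] = None          # None: untagged as received on the wire


def ingress_vid(port: Port, frame: Frame) -> Optional[int]:
    """default-vlan-id tags untagged ingress traffic before the VLAN lookup."""
    return frame.vlan_id if frame.vlan_id is not None else port.default_vlan_id


def lookup(mode: str, ingress: str, egress: str, vid: Optional[int], table: dict) -> str:
    """Ingress VLAN Table lookup for one vlan-mode; returns 'forward' or 'drop'."""
    if mode == "disabled":
        return "forward"                   # the table is not consulted at all
    if vid is None:                        # still untagged: fallback forwards, others drop
        return "forward" if mode == "fallback" else "drop"
    members = table.get(vid)               # VLAN entry's "ports" member list
    if members is None:                    # VLAN ID not in the table: fallback forwards it,
        return "forward" if mode == "fallback" else "drop"  # check/secure cannot find egress
    if egress not in members:              # fallback, check and secure all drop here
        return "drop"
    if mode == "secure" and ingress not in members:
        return "drop"                      # secure also requires the ingress port
    return "forward"


def egress_vid(pin: Port, pout: Port, frame: Frame, vid: Optional[int]) -> Optional[int]:
    """Apply the egress port's vlan-header action; returns the tag put on the wire."""
    if pout.vlan_header == "always-strip":
        return None                        # access port: tag removed
    if pout.vlan_header == "add-if-missing":
        if frame.vlan_id is not None:
            return frame.vlan_id           # already tagged, nothing to add
        if vid is None:
            return None                    # ingress default-vlan-id is auto: nothing to add
        if pin.default_vlan_id == pout.default_vlan_id:
            return None                    # same default-vlan-id on both ports: no tag added
        return vid                         # trunk port: tag with ingress default-vlan-id
    return frame.vlan_id                   # leave-as-is: neither added nor removed


def switch_frame(ports: dict, table: dict, frame: Frame):
    """Trace a frame from ingress to egress; returns (decision, wire_vlan_id)."""
    pin, pout = ports[frame.ingress], ports[frame.egress]
    vid = ingress_vid(pin, frame)
    if lookup(pin.vlan_mode, pin.name, pout.name, vid, table) == "drop":
        return ("drop", None)
    return ("forward", egress_vid(pin, pout, frame, vid))


def compare_modes(ports: dict, table: dict, frame: Frame) -> dict:
    """Same frame and table: the decision under each of the four vlan-modes."""
    pin, pout = ports[frame.ingress], ports[frame.egress]
    vid = ingress_vid(pin, frame)
    return {m: lookup(m, pin.name, pout.name, vid, table)
            for m in ("disabled", "fallback", "check", "secure")}


# Constructed topology (illustrative, not from the page): ether2/ether4 are access
# ports in VLAN 10, ether3 is an access port in VLAN 20, ether5 is the trunk.
PORTS = {
    "ether2": Port("ether2", "secure", "always-strip", 10),
    "ether3": Port("ether3", "secure", "always-strip", 20),
    "ether4": Port("ether4", "secure", "always-strip", 10),
    "ether5": Port("ether5", "secure", "add-if-missing", None),
}
VLAN_TABLE = {10: {"ether2", "ether4", "ether5"}, 20: {"ether3", "ether5"}}

if __name__ == "__main__":
    for f in (Frame("ether2", "ether5"),        # untagged access -> trunk
              Frame("ether5", "ether3", 20),    # tagged trunk -> access
              Frame("ether5", "ether2", 20),    # VLAN 20 frame towards a VLAN 10 port
              Frame("ether3", "ether2", 10),    # VLAN 10 tag arriving on the VLAN 20 port
              Frame("ether5", "ether2", 30)):   # VLAN ID absent from the table
        print(f, switch_frame(PORTS, VLAN_TABLE, f), compare_modes(PORTS, VLAN_TABLE, f))
```

The fourth case is the one worth noticing when choosing a mode: a frame tagged for VLAN 10 that enters on the VLAN 20 access port is forwarded under fallback and check (the egress port is in the table for VLAN 10) but dropped under secure, which is the only mode that also checks the ingress port's membership. The fifth case shows that fallback forwards a VLAN ID that has no table entry at all, which is why it is described as allowing known VLANs only on specific ports rather than as a strict filter.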
