How MikroTik sees neighbors. Neighbor discovery update on RouterOS 6.38

    The service for discovering neighboring routers and compatible hardware has been around in RouterOS for a long time. Unfortunately, fellow admins rarely think about how "Neighbor Discovery" actually works. Everything there looks simple, but it is not quite as simple as it seems.

    A good illustration is the unsuccessful attempts to hide information about your own MikroTik router while still receiving information about the neighbors' routers inside the provider's broadcast domain; in other words, to spy on the neighbors on the provider's switch. Usually this takes the form of a firewall rule that blocks the discovery service's broadcast advertisement packets sent over UDP to 255.255.255.255:5678. Having put a drop rule into the firewall config, some believe that they have completely hidden their router from their neighbors. But this is not so.

    [image]

    Let's see how Neighbor Discovery works in MikroTik.
    Neighbor Discovery in RouterOS up to 6.38 has two ways of announcing and receiving information, working at different levels of the OSI model: the UDP transport works at L4, while the MNDP / VDP / CDP family of protocols receives and transmits information at L2. Information obtained from both sources is combined and shown in the list of discovered neighbors, "/ip neighbor". This is what Neighbor Discovery looks like in the current release:

    [image]

    Thus, simply prohibiting outgoing UDP packets to port 5678 does not hide information about the router. You must either completely disable the Neighbors service on the interface with the command /ip neighbor discovery set ether1-gateway discover=no, or filter outgoing L2 traffic for MNDP packets using bridge filters. For example, like this:

    /interface bridge filter add action=drop chain=output disabled=no dst-mac-address=01:00:0C:CC:CC:CC/FF:FF:FF:FF:FF:FF out-interface=ether1-gateway

    Now a new version of RouterOS, 6.38, is being prepared for release, and what admins in many countries have been asking for so long has finally happened: 6.38 adds a nice bonus in the form of support for the open LLDP protocol. This somewhat expands the capabilities of the equipment for monitoring the state of the L2 connection. Now the neighbor list can show any LLDP-compatible equipment, provided that it also has LLDP advertisement enabled. For example, my test router now "sees" the neighboring HP v1905-24 switch perfectly well.

    [image]

    Do not forget to enable LLDP on the HP v1905-24 switch:
    [image]

    The amount of information received and transmitted is small so far, but it is enough to monitor the presence or absence of visibility over L2. I note that LLDP support did not replace the other protocols but was added to the list of protocols supported by MikroTik Discovery, and starting from 6.38 it will look like this:

    [image]

    The official MikroTik wiki has already added information about what RouterOS sends and receives via LLDP.

    RouterOS sends out:

    • Chassis subtype (MAC)
    • Port subtype (interface name)
    • TTL
    • System name (system identity)
    • Sys description ({platform} RouterOS {osvers} {boardName})
    • All IP addresses configured on the port

    RouterOS accepts and processes:
    • identity (LLDP_TYPE_SYS_NAME)
    • interfaceName (depending on the priority, if one is empty checks the next: LLDP_TYPE_CHASSIS_ID, LLDP_TYPE_PORT_ID, LLDP_TYPE_PORT_DESC)
    • ip4 (first entry of IPv4 LLDP_TYPE_MANAGEMENT_ADDR)
    • ip6 (first entry of IPv6 LLDP_TYPE_MANAGEMENT_ADDR)
    • TTL (LLDP_TYPE_TTL)
    • MAC (source address, bytes 6-11 of the frame)
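    To make the two points above concrete (that discovery traffic has an L2 form the UDP firewall rule never touches, and what RouterOS actually keeps from an LLDP frame), here is an added example; it is not code from the article or from MikroTik. It classifies an Ethernet frame as LLDP, CDP or MNDP by the standard LLDP multicast address and EtherType, the CDP multicast address used by the bridge filter above, and the UDP destination port 5678, and it reduces an LLDP frame to the fields in the list above: identity, interfaceName taken from the first non-empty candidate in the order the list gives, the first IPv4 and first IPv6 management address, TTL, and the source MAC from bytes 6-11. The LLDP_TYPE_* numbers are the standard TLV type codes behind those names; the sample frame and its MAC and addresses are constructed, not a capture from a real device.

```python
import struct
import ipaddress

# Standard LLDP/CDP values (IEEE 802.1AB and Cisco), not taken from the article.
LLDP_ETHERTYPE = 0x88CC
LLDP_MCAST_MAC = bytes.fromhex("0180c200000e")
CDP_MCAST_MAC = bytes.fromhex("01000ccccccc")   # the address the article's bridge filter drops
MNDP_UDP_PORT = 5678

# TLV type numbers behind the LLDP_TYPE_* names in the article's list.
LLDP_TYPE_CHASSIS_ID, LLDP_TYPE_PORT_ID, LLDP_TYPE_TTL = 1, 2, 3
LLDP_TYPE_PORT_DESC, LLDP_TYPE_SYS_NAME, LLDP_TYPE_SYS_DESC = 4, 5, 6
LLDP_TYPE_MANAGEMENT_ADDR = 8


def classify_frame(frame):
    """Name the discovery mechanism an Ethernet frame belongs to, or None."""
    if len(frame) < 14:
        return None
    dst = frame[:6]
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype == LLDP_ETHERTYPE and dst == LLDP_MCAST_MAC:
        return "lldp"
    if dst == CDP_MCAST_MAC:
        return "cdp"
    if ethertype == 0x0800 and len(frame) >= 34:             # IPv4
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] == 17 and len(frame) >= 14 + ihl + 8:   # UDP
            dport = struct.unpack_from("!H", frame, 14 + ihl + 2)[0]
            if dport == MNDP_UDP_PORT:
                return "mndp"
    return None


def parse_lldp_tlvs(lldpdu):
    """Yield (type, value) from an LLDPDU; stop at End-of-LLDPDU; reject truncation."""
    off = 0
    while off + 2 <= len(lldpdu):
        hdr = struct.unpack_from("!H", lldpdu, off)[0]
        tlv_type, tlv_len = hdr >> 9, hdr & 0x1FF      # 7-bit type, 9-bit length
        off += 2
        if tlv_type == 0:
            return
        if off + tlv_len > len(lldpdu):
            raise ValueError("truncated LLDP TLV")     # malformed: use none of it
        yield tlv_type, lldpdu[off:off + tlv_len]
        off += tlv_len


def _decode_id(value):
    """Chassis ID / Port ID: first byte is the subtype, the rest the identifier."""
    subtype, ident = value[0], value[1:]
    if subtype == 4 and len(ident) == 6:                 # subtype 4 = MAC address
        return ident.hex(":")
    return ident.decode("utf-8", "replace")


def _decode_mgmt_addr(value):
    """Management address TLV -> (ip_version, address) or (None, None)."""
    addr_len, subtype = value[0], value[1]
    addr = value[2:1 + addr_len]
    if subtype == 1 and len(addr) == 4:
        return 4, str(ipaddress.IPv4Address(addr))
    if subtype == 2 and len(addr) == 16:
        return 6, str(ipaddress.IPv6Address(addr))
    return None, None


def lldp_neighbor(frame):
    """Reduce an LLDP frame to the fields the article says RouterOS keeps."""
    tlvs = {}
    for t, v in parse_lldp_tlvs(frame[14:]):
        tlvs.setdefault(t, []).append(v)                # keep order: "first entry" matters
    first = lambda t: tlvs.get(t, [b""])[0]
    nb = {"identity": first(LLDP_TYPE_SYS_NAME).decode("utf-8", "replace"),
          "interfaceName": "", "ip4": None, "ip6": None, "ttl": None,
          "mac": frame[6:12].hex(":")}                  # source MAC, frame bytes 6-11
    # interfaceName: first non-empty candidate, in the order the article lists.
    for t in (LLDP_TYPE_CHASSIS_ID, LLDP_TYPE_PORT_ID, LLDP_TYPE_PORT_DESC):
        raw = first(t)
        if not raw:
            continue
        name = raw.decode("utf-8", "replace") if t == LLDP_TYPE_PORT_DESC else _decode_id(raw)
        if name:
            nb["interfaceName"] = name
            break
    if first(LLDP_TYPE_TTL):
        nb["ttl"] = struct.unpack("!H", first(LLDP_TYPE_TTL)[:2])[0]
    for v in tlvs.get(LLDP_TYPE_MANAGEMENT_ADDR, []):
        ver, addr = _decode_mgmt_addr(v)
        key = {4: "ip4", 6: "ip6"}.get(ver)
        if key and nb[key] is None:                     # first IPv4 / first IPv6 only
            nb[key] = addr
    return nb


def _tlv(t, v):
    return struct.pack("!H", (t << 9) | len(v)) + v


def build_sample_lldp_frame():
    """Constructed frame imitating what the article says RouterOS sends (not a capture)."""
    mac = bytes.fromhex("4c5e0c000001")                 # made-up source / chassis MAC
    addrs = [ipaddress.ip_address(a) for a in ("192.0.2.1", "2001:db8::1", "192.0.2.2")]
    body = _tlv(LLDP_TYPE_CHASSIS_ID, b"\x04" + mac)
    body += _tlv(LLDP_TYPE_PORT_ID, b"\x05" + b"ether1-gateway")
    body += _tlv(LLDP_TYPE_TTL, struct.pack("!H", 120))
    body += _tlv(LLDP_TYPE_SYS_NAME, b"MikroTik")
    body += _tlv(LLDP_TYPE_SYS_DESC, b"MikroTik RouterOS 6.38rc BOARD-PLACEHOLDER")
    for a in addrs:                                     # addr-len, subtype, addr, ifnum subtype, ifnum, OID len
        sub = 1 if a.version == 4 else 2
        body += _tlv(LLDP_TYPE_MANAGEMENT_ADDR,
                     bytes([len(a.packed) + 1, sub]) + a.packed + b"\x01" + b"\x00" * 4 + b"\x00")
    body += _tlv(0, b"")
    return LLDP_MCAST_MAC + mac + struct.pack("!H", LLDP_ETHERTYPE) + body
```

    Feeding captured frames from the gateway interface through classify_frame is a quick way to verify that a UDP-only firewall rule left the LLDP or CDP announcements untouched, which is exactly the gap the article describes; lldp_neighbor shows why a truncated or oversized TLV should be rejected outright rather than partially trusted when building a neighbor table.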

    Well then, we are waiting for the official release and keeping a close eye on the test devices; for now, 6.38 still has "rc" status.
