
Network management

Module 5

2013-01-01

ARP


Stands for Address Resolution Protocol

Mechanism that links a layer 3 IP address to a layer 2 MAC address

Is normally used as a dynamic process, but can be configured
statically in certain situations where security warrants it

ARP modes

ARP modes tell RouterOS how ARP is to work

Modes are configured on a per-interface basis. The modes are:

Enabled : Default mode. ARP requests will be answered and the ARP table
will be filled automatically

Disabled : Interface will not send or reply to ARP requests. Other hosts
MUST be told the router's MAC address

Proxy ARP : The router answers ARP requests coming for its directly
connected network (regardless of origin)

Reply only : The router answers ARP requests. The router's ARP table must be
filled statically

RouterOS ARP table

The ARP table displays all ARP entries and the interface from which
they are learned

The ARP table provides:

The IP addresses of known devices
The MAC addresses associated with the IP addresses
The interfaces from which they were learned

RouterOS ARP table

You can add static entries to the ARP table to secure your network

Can avoid ARP poisoning / ARP spoofing

Requires a lot of work and planning

ARP syntax

View ARP table :

/ip arp print

Add a static entry :

/ip arp add address=172.16.2.222 mac-address=11:22:33:44:55:66 interface=Bridge-PC

Configure ARP mode :

/interface ethernet set ether04 arp=proxy-arp
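The following Python script is an added example, not part of the course material: it audits an ARP table against a known-host inventory (flagging changed MACs, unknown hosts and one MAC answering for several IPs, the usual footprint of ARP poisoning) and emits the static entries to pin before an interface is switched to reply-only. The key=value line format of the sample (in the style of `/ip arp print terse`), the inventory and all addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in key=value form (format assumed, e.g. '/ip arp print terse');
# the D flag marks a dynamically learned entry, static entries have no flag.
SAMPLE_ARP = """\
 0 D address=172.16.2.1 mac-address=00:0C:42:AA:BB:01 interface=Bridge-PC
 1 D address=172.16.2.50 mac-address=00:0C:42:AA:BB:50 interface=Bridge-PC
 2 D address=172.16.2.222 mac-address=00:0C:42:AA:BB:50 interface=Bridge-PC
 3   address=172.16.2.100 mac-address=11:22:33:44:55:66 interface=Bridge-PC
"""

# Constructed inventory of known hosts: IP -> (expected MAC, expected interface).
INVENTORY = {
    "172.16.2.1":   ("00:0C:42:AA:BB:01", "Bridge-PC"),
    "172.16.2.50":  ("00:0C:42:AA:BB:50", "Bridge-PC"),
    "172.16.2.222": ("11:22:33:44:55:66", "Bridge-PC"),
}

KV = re.compile(r"([A-Za-z][\w-]*)=(\S+)")

def parse_arp(text):
    """Turn each ARP table line into a dict of its key=value fields."""
    entries = []
    for line in text.splitlines():
        fields = dict(KV.findall(line))
        if "address" in fields:
            fields["mac-address"] = fields["mac-address"].upper()
            entries.append(fields)
    return entries

def audit_arp(entries, inventory):
    """Report IP/MAC/interface mismatches, hosts missing from the inventory,
    and one MAC answering for several IPs (the usual sign of ARP poisoning)."""
    findings = []
    ips_by_mac = defaultdict(set)
    for e in entries:
        ip, mac, ifc = e["address"], e["mac-address"], e["interface"]
        ips_by_mac[mac].add(ip)
        if ip not in inventory:
            findings.append(f"unknown host {ip} ({mac}) on {ifc}")
        elif inventory[ip] != (mac, ifc):
            findings.append(f"mismatch {ip}: table has {mac} on {ifc}, "
                            f"inventory has {inventory[ip][0]} on {inventory[ip][1]}")
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            findings.append(f"MAC {mac} claims {len(ips)} addresses: {sorted(ips)}")
    return findings

def static_arp_commands(inventory):
    """Emit the '/ip arp add' lines that pin the inventory. Apply them before
    switching the interface to arp=reply-only, or unlisted hosts lose connectivity."""
    return [f"/ip arp add address={ip} mac-address={mac} interface={ifc}"
            for ip, (mac, ifc) in sorted(inventory.items())]
```

Run `audit_arp(parse_arp(SAMPLE_ARP), INVENTORY)` on the sample and it reports the .222 entry whose MAC changed, the .100 host missing from the inventory, and the MAC shared by .50 and .222.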

DHCP server and client


DHCP server

Stands for Dynamic Host Configuration Protocol

It is used to automatically allocate an IP address, netmask, default
gateway and, optionally, other parameters to requesting nodes

DHCP server setup

The interface hosting the DHCP-server must have its own IP address
that is NOT in the address pool

A pool is a range of IP addresses that will be made available to clients


DHCP server setup

In the DHCP-server window, simply click on the DHCP Setup button
and answer the questions:

DHCP Server Interface
DHCP Address Space
Gateway for DHCP Network
Addresses to Give Out
DNS Servers (more than one can be entered)
Lease Time

DHCP server setup

The automated setup :

Creates an IP Pool
  A pool of IP addresses to assign

Creates the DHCP server
  Its name and parameters (such as the interface it will accept requests from)

Creates the address space
  The IP network and various parameters

DHCP server setup

The results of the automated setup


DHCP server setup

DHCP can be used to set up options such as

42 : NTP Servers
70 : POP3-Server

Visit http://www.iana.org/assignments/bootp-dhcp-parameters/bootp-dhcp-parameters.xhtml for more DHCP options

Important note

If you have a bridged environment, DHCP Server MUST be set on the bridge
interface. If set on a bridge port, the DHCP server will not work.

DHCP server syntax

Configure a DHCP scope :

/ip dhcp-server setup

Configure a DHCP option :

/ip dhcp-server option add name=46-node-type code=46 value=0x0008

DHCP server syntax

Assign a DHCP option to a network :

/ip dhcp-server network print (to view available networks)
/ip dhcp-server network set dhcp-option=46-node-type numbers=1

Assign a WINS server to a network :

/ip dhcp-server network set wins-server=172.16.2.100 numbers=1
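As an added example (not from the course slides), the Python below builds the `0x` hex value RouterOS expects for address-list options such as 42 (NTP servers) and 70 (POP3 server), decodes a configured value back to addresses so you can verify what clients will actually receive, and produces the `option add` / `network set` command pair. Option names and the sample addresses are constructed; the command syntax follows the slides.

```python
import ipaddress

# DHCP option codes from the IANA registry referenced in this module; each one
# carries a list of IPv4 addresses packed back to back (RFC 2132).
IP_LIST_OPTIONS = {42: "ntp", 70: "pop3"}

def encode_ip_list(addresses):
    """Pack IPv4 addresses back to back and return RouterOS' 0x hex form."""
    if not addresses:
        raise ValueError("an address-list option needs at least one address")
    packed = b"".join(ipaddress.IPv4Address(a).packed for a in addresses)
    return "0x" + packed.hex().upper()

def decode_ip_list(value):
    """Reverse of encode_ip_list, for checking what is really configured."""
    raw = bytes.fromhex(value[2:] if value.lower().startswith("0x") else value)
    if not raw or len(raw) % 4:
        raise ValueError("value length is not a non-zero multiple of 4 bytes")
    return [str(ipaddress.IPv4Address(raw[i:i + 4])) for i in range(0, len(raw), 4)]

def option_commands(code, addresses, network_number):
    """Build the '/ip dhcp-server option add' and 'network set' commands that
    define an address-list option and attach it to one DHCP network entry."""
    if code not in IP_LIST_OPTIONS:
        raise ValueError(f"option {code} is not handled as an IPv4 address list here")
    name = f"{code}-{IP_LIST_OPTIONS[code]}"   # constructed naming convention
    return [
        f"/ip dhcp-server option add name={name} code={code} value={encode_ip_list(addresses)}",
        f"/ip dhcp-server network set dhcp-option={name} numbers={network_number}",
    ]
```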

DHCP server Networks configuration

Example of basic configuration

Example of expanded configuration

DHCP client

Allows Ethernet-like interfaces to request an IP address.

The remote DHCP server will supply:

Address
Mask
Default gateway
Two DNS servers (if the remote DHCP server is so configured)

The DHCP client will supply configurable options:

Clientid (in the form of its MAC address)
Hostname

Normally used on interfaces facing the Internet, for example

DHCP client syntax

To configure a DHCP-client interface :

/ip dhcp-client add interface=ether5 dhcp-options=clientid,hostname

To view and enable a DHCP client :

/ip dhcp-client print
/ip dhcp-client enable numbers=1

To view the DHCP client's address :

/ip address print

Lease management

The "/ip dhcp-server lease" section provides information about DHCP
clients and leases

Shows dynamic and static leases

Can turn a dynamic lease into a static one

Can be very useful when a device needs to maintain the same IP address

Beware! If you change the network card, it will get a new address

Lease management

DHCP Server could be made to run only with static addresses

Clients will only receive the preconfigured IP addresses

Evaluate your situation and the need to do this before doing it this
way. It will require a lot of work for large networks

Lease management syntax

To view DHCP leases :

/ip dhcp-server lease print
/ip dhcp-server lease print detail (gives more detailed information)

To make a dynamic IP address static :

/ip dhcp-server lease make-static numbers=0

To modify the previous entry's assigned IP address :

/ip dhcp-server lease set address=192.168.3.100 numbers=0

RouterOS tools


E-mail

A tool that allows you to send e-mail from the router

It can be used, along with other tools, to send the network
administrator regular configuration backups, for example

Tool CLI path

/tool e-mail

E-mail, example

Configure the SMTP server

/tool e-mail
set address=172.31.2.1 from=mymail@gmail.com password=never123! port=587 start-tls=yes user=mymail@gmail.com

Send a configuration file via e-mail

/export file=export
/tool e-mail send to=home@gmail.com subject="$[/system identity get name] export" \
body="$[/system clock get date] configuration file" file=export.rsc

Netwatch

A tool that allows you to monitor the status of network devices


For each entry, you can specify

IP address
Ping interval
Up and/or Down scripts


Netwatch

VERY useful to

Be made aware of network failures

Automate a change of default gateway, for example, should the main router
fail

Just have a quick view of what is up

Whatever else you can come up with to simplify and speed up your job (and
make you look efficient!)

Ping

Basic connectivity tool that uses ICMP Echo messages to determine
remote host accessibility and round-trip delay

One of the first tools to use to troubleshoot. If it pings, the host is
alive (from a networking point of view)

Use it with other tools when troubleshooting. It's not THE ultimate
tool, but a good start

Ping syntax

CLI

[admin@MikroAC1] > ping www.mikrotik.com
HOST                 SIZE TTL TIME   STATUS
159.148.147.196        56  50 163ms
159.148.147.196        56  50 156ms
159.148.147.196        56  50 156ms
159.148.147.196        56  50 160ms
    sent=4 received=4 packet-loss=0% min-rtt=156ms avg-rtt=158ms max-rtt=163ms

You'll need to hit CTRL-C to stop the ping

Traceroute

Used to display all the routers traveled through to reach your
destination

It indicates the delay to reach each router in the path to reach your
destination

Good to locate a failure or slow node

Traceroute

CLI

/tool traceroute www.mikrotik.com

[admin@MikroAC1] > /tool traceroute www.mikrotik.com
 #  ADDRESS          LOSS SENT LAST     AVG    BEST   WORST  STD-DEV STATUS
 1                   100%    3 timeout
 2  216.113.124.190    0%      13.9ms   12.2   11.1   13.9   1.2
 3  216.113.122.230    0%      9.6ms           7.5    9.8
 4                   100%    3 timeout
 5  216.6.99.14        0%    3 114.4ms  114.7  113.6  116.2
 6  80.231.130.121     0%    3 104.5ms  105.7  104.5  107.1  1.1     <MPLS:L=420033,E=0>
 7  80.231.130.86      0%    3 103.2ms  107.5  103.2  115.4  5.6     <MPLS:L=795472,E=0>
 8  80.231.154.70      0%    3 136.5ms  119    104.3  136.5  13.3    <MPLS:L=485138,E=0>
 9  80.231.153.122     0%      113ms    110.7  106.4  113    1.1     <MPLS:L=400657,E=0>
10  195.219.50.38      0%    3 111.9ms  115    110.7  122.5  5.3
11  87.245.233.178     0%    3 140.7ms  159.6  135.7  202.4  30.3
12  87.245.242.94      0%      169ms    173    169    178.4
13  85.254.1.226       0%    3 173.3ms  168.4  164.6  173.3  3.6
14  85.254.1.6         0%    3 165.2ms  166.7  165.1  169.7  2.1
15  159.148.16.2       0%    3 165.3ms  166.1  165.3  167.3  0.8
16  159.148.42.129     0%    3 167.6ms  166.6  165.6  167.6  0.8
17                   100%    3 timeout
18                   100%    3 timeout
19                   100%    3 timeout
20                   100%    2 timeout
21  159.148.147.196    0%    2 156.9ms  155.7  154.5  156.9  1.2
-- [Q quit|D dump|C-z pause]

Profiler (CPU load)

Tool that shows the CPU load

Shows the processes and their load on the CPU

Note : idle is not a process. It means just that; the percentage of the
CPU NOT being used

Profiler (CPU load)

CLI

/tool profile

[admin@MikroAC1] > /tool profile
NAME           CPU   USAGE
console        all   0%
flash          all   0%
networking     all   0%
radius         all   0%
management     all   0.5%
telnet         all   0.5%
idle           all   99%
profiling      all   0%
unclassified   all   0%
-- [Q quit|D dump|C-z continue]

For more details on all processes and what they mean, please visit http://wiki.mikrotik.com/wiki/Manual:Tools/Profiler

System identity

Although it is not a tool, it's important to set the system's identity.

You can't manage 100 routers that all have the name "MikroTik". It makes
troubleshooting almost impossible.

Once set, it will make identifying the router you're working on much
simpler.

Syntax

/system identity print (show current name)
/system identity set name=my-router (sets the router's name)

Contacting Mikrotik support


Supout.rif

Supout.rif is a support file used for RouterOS debugging purposes and
to help Mikrotik support personnel resolve issues faster

Syntax

CLI : /system sup-output

Supout.rif

Once generated, the "supout.rif" file will be found in File List

Supout.rif Viewer

To access the "supout.rif viewer", access your Mikrotik account

You must have an account (it's a good idea to have one anyway)

Supout.rif Viewer

The first steps are to locate and upload the file that you generated

Start browsing all aspects of your configuration

The default view is resource

Autosupout.rif

A file can be generated automatically upon software failure (ex. kernel
panic or the system becomes unresponsive for a minute)

Done through the watchdog (system)

System logging and debug logs

Logging is important to ensure a history (permanent or not) of router
events

The easiest way to view logs is through the log (Menu) window

The CLI equivalent is

/log print

System logging

Actions

Tasks that the router will undertake with certain events

Rules tell the router which action to take

There are five types of actions, so you can have a very flexible logging
system

Suggestion

You should define new actions first, as custom actions won't be made
available to your rules until they are created

System logging

Actions, examples

[admin@MikroAC5] > /system logging action print
Flags: * - default
 #   NAME              TARGET  REMOTE
 0 * memory            memory
 1 * disk              disk
 2 * echo              echo
 3 * remote            remote  172.16.1.105
     webproxy          remote  172.16.1.105
     firewallJournal   remote  172.16.1.105

System logging

Rules

They tell RouterOS what action to undertake with a given event (which is
called a topic)

You can have more than one rule for the same topic, each rule performing a
different action

You can have one rule with two or more topics, performing an action

Adding rules is simple: choose one or many topics, name the rule, choose one
action. (This is why it is suggested to create actions first)

System logging

Rules, examples

[admin@MikroAC5] > /system logging print
Flags: X - disabled, I - invalid, * - default
 #     TOPICS            ACTION            PREFIX
 0  *  info,!firewall    memory            INF
 1  *  error             memory            ERR
    *  warning           memory            WRN
    *  critical          memory            CRT
       firewall          memory            FW
       firewall          firewallJournal   FW
       info,!firewall    remote            INF
 7     error             remote            ERR
       warning           remote            WRN
       critical          remote            CRT
10  X  snmp              memory            SNMP
11     web-proxy,!debug  webproxy          PROXY

System logging syntax

View rules :

/system logging print

View actions :

/system logging action print

Store firewall messages to a syslog server :

/system logging action
add bsd-syslog=yes name=firewallJournal remote=172.16.1.105 src-address=10.5.5.5 syslog-facility=local5 target=remote

Create a rule for firewall topics that will use the previous action :

/system logging
add action=firewallJournal prefix=FW topics=firewall
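What arrives at the syslog server from the firewallJournal action above is only useful if something reads it. The Python below is an added example (not from the course) that parses BSD-syslog lines carrying RouterOS firewall-topic messages, checks that they came in under the configured facility (local5) and prefix (FW), and counts per source IP the packets logged in the router's own input chain. The sample lines, hostname and message layout are constructed; the `<PRI>` value 174 is local5 (21) * 8 + info (6).

```python
import re
from collections import Counter

# syslog-facility=local5 is facility number 21; PRI = facility * 8 + severity.
LOCAL5 = 21
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample of what the remote action delivers to the syslog server
# (BSD format; hostname and the firewall message layout are assumed).
SAMPLE_SYSLOG = """\
<174>Jan  1 10:00:01 MikroAC5 firewall,info FW input: in:ether1 out:(none), src-mac 00:0c:42:aa:bb:01, proto TCP (SYN), 203.0.113.7:51000->10.5.5.5:22, len 60
<174>Jan  1 10:00:02 MikroAC5 firewall,info FW input: in:ether1 out:(none), src-mac 00:0c:42:aa:bb:01, proto TCP (SYN), 203.0.113.7:51001->10.5.5.5:22, len 60
<174>Jan  1 10:00:02 MikroAC5 firewall,info FW input: in:ether1 out:(none), src-mac 00:0c:42:aa:bb:01, proto TCP (SYN), 203.0.113.7:51002->10.5.5.5:8291, len 60
<174>Jan  1 10:00:05 MikroAC5 firewall,info FW forward: in:ether1 out:Bridge-PC, src-mac 00:0c:42:aa:bb:01, proto UDP, 198.51.100.9:53->172.16.2.50:41000, len 80
<30>Jan  1 10:00:06 MikroAC5 system,info,account user admin logged in from 172.16.2.50 via winbox
"""

LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>.*?(?P<topics>firewall,\w+) (?P<prefix>\S+) (?P<chain>\w+): "
    r"in:(?P<in>\S+) out:(?P<out>\S+), .*?proto (?P<proto>\w+)(?: \((?P<flags>[^)]*)\))?, "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse_firewall_line(line):
    """Return a dict for a firewall-topic line (fields named as in the regex),
    or None for lines of other topics such as system,info,account."""
    m = LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    pri = int(rec.pop("pri"))
    rec["facility"], rec["severity"] = pri >> 3, SEVERITIES[pri & 7]
    for key in ("sport", "dport"):
        rec[key] = int(rec[key])
    return rec

def input_chain_hits(text, facility=LOCAL5, prefix="FW"):
    """Count, per source IP, packets logged in the router's own input chain that
    arrived with the expected facility and log prefix (anything else is ignored)."""
    hits = Counter()
    for line in text.splitlines():
        rec = parse_firewall_line(line)
        if (rec and rec["facility"] == facility and rec["prefix"] == prefix
                and rec["chain"] == "input"):
            hits[rec["src"]] += 1
    return hits

def noisy_sources(hits, threshold):
    """Sources that hit the input chain at least `threshold` times; review candidates."""
    return sorted(src for src, n in hits.items() if n >= threshold)
```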

Where logs are sent

As stated in actions, logs can be found in five places

Disk : A hard drive on the router
Echo : The router's console (if present)
Email : A predefined e-mail account
Memory : The router's internal memory (as seen in the log window)
Remote : A syslog server

Readable configuration

AKA Make it clear!

Obscurity is your worst enemy. Keep your configurations clear and
readable through comments, names and uniformity

Comments : Give a simple description of the item
Names : Make them meaningful
Uniformity : Do things the same way everywhere

Why should you do all this?

For yourself. In the long run, this will simplify your job and make you look
efficient (again)

Readable configuration

Examples


Network diagrams

A well drawn diagram is a must! Even if you start from a humble
beginning, your network WILL grow.

Identify all key components

Keep the diagram up to date

It is a major troubleshooting tool.

Use it to identify potential problem spots

Using the tools seen in this module (ping, traceroute), write down possible
issues

Network diagrams

Example

All ports are marked, even available ones

Devices are identified

Revision # is current

Time for a practical exercise

End of module 5


Laboratory

Goals of the lab

Practice ARP concepts shown in this module

Add DHCP (client and server) functionality to your router

Use various troubleshooting tools

Laboratory : Setup


Laboratory : step 1

Display the ARP entries of your router

Identify each entry

Based on the network diagram, does it make sense? Compare with the port
the MAC address was learned on

Validate in which ARP mode your interfaces are

Add a fake MAC address as if it was learned from the bridge named
LAN

Laboratory : step 2

Add a DHCP client on the WLAN1 interface

Give the trainer your WLAN interface's MAC address since your router
hasn't been named yet

Ask the trainer to make a static reservation on his DHCP server. The
fourth digit of your IP address must match your pod

Delete your static IP address

Renew your DHCP client address

What's the final address?

Laboratory : step 3

Cleanup

When creating the DHCP client, the option "Add default route" was set to
yes. This means that the DHCP client gets a default route dynamically

Display your routes. What do you see for the default route?

What should be done now to clean up this table?

Laboratory : step 4

Set up a DHCP server for the computers of the LAN bridge

Create the configuration that will ensure that clients will get an IP address

The DNS server is at the same address as the default gateway (your router)

Reconfigure your computer so that it receives an IP address from your
router

Configure your router so that your computer always gets the .20X address
(where X is your pod's address)

What do you have to do to get that address?

Laboratory : step 5

Cleanup

Add a comment to your static address to indicate what the reservation is for

In the DHCP tab of DHCP Server, give a meaningful name to the DHCP
server (currently named dhcp 1)

Laboratory : step 6

E-mail setup

Configure your e-mail settings so as to allow you to send e-mails to a personal
e-mail address.

You can use your own e-mail account to test this out

Test your configuration with a test e-mail

Laboratory : step 7

Netwatch

Use this tool to monitor a test node supplied by the trainer

To speed things up, configure the monitoring interval at 30 seconds

Laboratory : step 8

Netwatch

Use these scripts:

Up
/tool e-mail send to="<your-e-mail-address>" subject="$[/system identity get name] Netwatch status" \
body="$[/system clock get date] $[/system clock get time] Node up."

Down
/tool e-mail send to="<your-e-mail-address>" subject="$[/system identity get name] Netwatch status" \
body="$[/system clock get date] $[/system clock get time] Node down."

Laboratory : step 9

Netwatch

Turn off the test node. Verify that you receive an e-mail indicating the
change of status. It should look something like this


Laboratory : step 10

Ping and Traceroute

Use the ping tool to validate that the test node answers ICMP echo packets

Use the traceroute tool to see which hops are between you and the test node.
Validate that what you see is what is in the class network diagram

Laboratory : step 11

Profiler

Launch the profiling tool and view the various processes running on your
router

Sort tasks by usage

What does the highest percentage represent?

Laboratory : step 12

Supout.rif

Create a supout.rif file. Where is it?

Upload it and take a look at the various sections of your router as viewed by
the supout.rif viewer. It's interesting to see that such a small file can go a
long way to help Mikrotik help you.

Important note : If you don't have a MikroTik account, please create one now as it is required to take the certification exam!!

Laboratory : step 13

Logging

Create an action:

Type is memory

Create a rule:

Topics e-mail and debug

Action action1

Open the log window

Go back to the e-mail tool and send yourself a test e-mail. What do you see
in the log window?

Laboratory : step 14

Cleaning up our configuration

Go to the logging window, actions tab and rename action1 to E-mailDebug

What happened? Rename action1 to EmailDebug

Switch back to the rules tab. What do you notice about the e-mail,debug
entry?

Do a binary backup of your configuration that respects the file name
structure from the previous module

Laboratory : step 15

Lastly, rename your router so that :

it is named after your pod

the first letter is capitalized

Create two backups named Module5-Podx :

one must be binary

one must be an export

End of Laboratory 5