MTCRE English 20120227
MTCRE Training
Overview and objectives
Objectives
To prepare attendees to plan, implement and run robust routed networks using
Mikrotik RouterOS features, based on the MTCRE certification program.
After the training, attendees are expected to be able to plan and deploy
dynamic routing in their networks using Mikrotik RouterOS.
Training Schedule
Housekeeping
Course materials
- Printed handouts
- Pen drive with full slides and slides + notes
Routers
Cables
Adapters
Restrooms and smoking area locations
Who we are
www.mdbrasil.com / www.mikrotikbrasil.com
About the instructors
Students Introduction
Your name
Company you work for
Location (City/Country)
Your previous knowledge about Mikrotik RouterOS
Your previous knowledge about networking and other systems
What do you expect from this training
Some course rules
Internet access is not our goal in this course. We will share the
connection but we are not concerned about quality or availability.
MTCRE Program
1) Introduction
– Overview
– Training Objectives
– Training Schedule
– Housekeeping
– About the Instructors
– Students Introductions
2) Class Setup
– Groups division and students' router configuration
– Creating the basic scenario
3) Routing essentials
– Router architecture – functional view
– Routing table x forwarding table
– Routing protocols
– Link state and distance vector algorithms
– Mikrotik RouterOS routing implementation overview
4) Forwarding Protocols
– A networking environment – the big picture
– Quick overview of all forwarding protocols supported by Mikrotik RouterOS
– Static Routing, RIP, OSPF, BGP, MPLS, MME
Routing Essentials
Routing Information Base (RIB)
The Routing Information Base is the database where all information about IP
routes is stored. Each protocol has its own RIB.
Forwarding Information Base (FIB)
The FIB contains the prefixes, associated with network interfaces, that can be
used to forward packets.
RouterOS implementation
Routing Table:
By default, route lookup is done in two stages: first for local addresses, then
for all other routes. That means the router has two tables:
A table for local addresses. A successful lookup in this table means that the
packet is to be delivered to the host itself.
A table for all other routes, consulted when the lookup for local addresses fails.
FIB and Routing Cache:
Routing Table x Routing Cache
Routing Table:
Destination       Next Hop   Interface
192.168.0.0/24    1.1.1.1    eth1
Routing Cache:
Destination       Next Hop   Interface
192.168.0.10      1.1.1.1    eth1
192.168.0.20      1.1.1.1    eth1
Lookups on the routing table
Connected Routes
For each IP address assigned to an active interface, one connected route is
dynamically created.
Static routes
Static routes can point either to the next-hop IP address or directly to the
interface.
Default Route
A default route is a route with destination 0.0.0.0/0, which covers the whole IPv4
address space (0.0.0.1–255.255.255.255). If a routing table contains at least one
active default route, a route lookup will never fail.
Dynamic Routes
Preparing the Scenario
Physical Infrastructure
IP Infrastructure
IP detailed Infrastructure
Preparing the Scenario
Ensure that from your laptop you can ping your router.
Ensure that from your router you can ping the right and left neighbors' routers.
Copy your backup file to your desktop – this will be the basic IP infrastructure
backup.
Static Routing LAB
Test:
Laptop behind R1 should ping R3;
Laptop behind R2 should ping R4.
(Diagram: R1, R2, R3 and R4 topology)
Multiple Matches in a Routing Table
If a routing table held only one route toward each destination address, route
lookups would be trivial: as soon as the router found a route whose destination
subnet includes the destination address, the packet would be forwarded.
In the example on the slide, a packet destined to e.g. 192.168.0.1 finds 2 possible
routes, because the address belongs to both subnets.
Longest Prefix Match
When a packet has multiple matches, the longest prefix match (the more specific
network) is preferred.
LAB: Keep the routes from the previous LAB. Configure more routes to allow:
Test:
Trace a route from Laptop 1 to Laptop 3 and check the route.
(Diagram: R1, R2, R3 and R4 topology)
Longest Prefix Match LAB
For Discussion:
What happens if link 3 – 4 is broken?
What happens if link 4 – 1 is broken?
(Diagram: R1, R2, R3 and R4 topology)
Routes Processing
Distance (Administrative Distance)
Distance expresses the reliability of a route. If there is more than one route to
the same network prefix, the one with the lowest distance is chosen.
Distance LAB
LAB: Keep the /24 routes from the previous LAB and delete the more specific ones.
Create the routes below:
R1 → R3, via R4, with distance > 1
R2 → R4, via R3, with distance > 1
Test:
Look at your routing table and check which route is active.
Disable the active route and see what happens.
(Diagram: R1, R2, R3 and R4 topology; three links labelled distance = 1 and one
labelled distance = 10)
For Discussion:
From the perspective of R3, what happens with the failure of each of the links
below:
R3 – R4, R3 – R2, R2 – R4, R4 – R1
Load Balancing and Multipath (ECMP) Routes
ECMP (Equal Cost Multi-Path) routes have multiple gateway (next-hop) values. All
reachable next-hops are copied to the FIB and used when forwarding packets.
Routes can be created manually by adding multiple gateways (next-hop addresses
or interfaces).
Because results of the forwarding decision are cached, packets with the same:
This means that one connection will use only one link in each direction, so ECMP
routes can be used to implement per-connection load balancing.
ECMP Example
(Diagram: ECMP routes toward 192.168.0.0/24)
Check Gateway option
ECMP LAB: Configure ECMP routes so that R3 (R4) reaches R1 (R2) via both R2 (R3)
and R4 (R1).
Test:
Trace routes from R3 (R4) to R1 (R2).
Tip: configure some IP addresses on your laptop/Mikrotik and try varying the
source / destination addresses.
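The per-connection behaviour described above, as an added example (this is not RouterOS code and not part of the original slides). It models an ECMP route with two next-hops: the choice of link is a deterministic function of the source/destination pair, so one connection always uses one link, while many connections spread over both; a next-hop that fails check-gateway is removed from the choice. The gateway addresses, the flows and the hash function are constructed for illustration and are not RouterOS's internal cache key.

```python
import hashlib
from collections import Counter

# Added example (not RouterOS code): per-connection ECMP selection. The
# gateways and flows below are constructed; the hash is illustrative and is
# not RouterOS's internal cache key.
ECMP_GATEWAYS = ["10.0.1.1", "10.0.2.1"]   # two next-hops of one ECMP route


def select_next_hop(src_ip, dst_ip, gateways=ECMP_GATEWAYS, unreachable=()):
    """Pick one next-hop for a (source, destination) pair.

    Only reachable gateways are copied to the FIB, so unreachable ones are
    dropped before the choice. The choice is a deterministic function of the
    address pair: every packet of the same connection hits the same link,
    which is why ECMP gives per-connection (not per-packet) balancing.
    """
    live = [g for g in gateways if g not in unreachable]
    if not live:
        return None
    digest = hashlib.sha256(f"{src_ip}->{dst_ip}".encode()).digest()
    return live[int.from_bytes(digest[:4], "big") % len(live)]


def is_sticky(src_ip, dst_ip, packets=1000):
    """True if repeated packets of one connection all take the same link."""
    first = select_next_hop(src_ip, dst_ip)
    return all(select_next_hop(src_ip, dst_ip) == first for _ in range(packets))


def distribution(flows, unreachable=()):
    """How many of the given (src, dst) flows land on each gateway."""
    return Counter(select_next_hop(s, d, unreachable=unreachable) for s, d in flows)


if __name__ == "__main__":
    # Constructed flows: 200 laptops behind the router talking to one server.
    flows = [(f"192.168.0.{i}", "10.10.10.10") for i in range(1, 201)]
    print(distribution(flows))                            # both links used
    print(distribution(flows, unreachable={"10.0.2.1"}))  # check-gateway failed: one link
    print(is_sticky("192.168.0.10", "10.10.10.10"))       # True
```

Varying the source or destination address (the LAB tip above) changes the hash input and therefore the link, which is what the traceroutes in the LAB make visible.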
Policy-based Routing (PBR)
RouterOS can split the routing table into several tables, separated by routing
marks;
By default, all active routes without marks are kept in the main routing table;
Policy Routing simple example
(Diagram: router with GW1 10.0.0.1 and GW2 10.0.0.2; NET1 192.168.1.0/24 and
NET2 192.168.2.0/24)
Policy-based Routing Simple Example
1) Mark packets from network 192.168.1.0/24 with new-routing-mark=net1, and
packets from network 192.168.2.0/24 with new-routing-mark=net2.
2) Route packets from net1 (192.168.1.0/24) to GW1 (10.0.0.1) and from net2
(192.168.2.0/24) to GW2 (10.0.0.2).
56
GW3
Policy-based Routing GW1 GW2
10.0.0.3
Simple Example with Redundancy
10.0.0.1 10.0.0.2
NET1 NET2
192.168.1.0/24 192.168.2.0/24
57
Policy-based Routing simple
example with redundancy
58
PBR LAB
(Diagram: R1, R2, R3 and R4; web access on port 80, FTP access on port 21)
LAB: R3 (R4) should access the R1 (R2) web service via R2 (R1) and the R1 (R2) FTP
service via R4.
Test (suggestion):
Log the services on the firewall to check which interface the flow is going
through.
Routes Processing
Routes Selection Process
There can be multiple routes learned from dynamic protocols and static
configuration;
Each routing table can have only one active route for each destination prefix;
If a route meets the criteria to become an active route, then the active route is
selected from all candidate routes with the same dst-address AND routing-mark.
The candidate route with the lowest distance becomes the active route. If the
distance is the same, the selection is arbitrary (except for BGP routes).
Criteria to become an active route (participate in the route selection process):
distance is not 255. Routes that are rejected by routing filters have a distance
value of 255.
If the route type is unicast and it is not a connected route, it must have at least
one reachable next-hop.
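The selection rules from this section, together with the earlier "Multiple Matches", "Longest Prefix Match", "Distance" and "Policy-based Routing" slides, as one added example (not RouterOS code and not part of the original slides). It builds a small table of candidate routes, keeps one active route per (dst-address, routing-mark) by lowest distance, drops routes with distance 255 or no reachable next-hop, and then does a longest-prefix lookup, optionally in a marked table. The route entries are constructed; the fallback from a marked table to main when the marked table has no match is my assumption about RouterOS behaviour and should be checked on your version.

```python
import ipaddress
from dataclasses import dataclass

# Added example (not RouterOS code): a model of the route selection rules in
# the slides. Field names mirror RouterOS route properties (dst-address,
# gateway, distance, routing-mark); the table below is constructed.


@dataclass
class Route:
    dst: str                    # destination prefix, e.g. "192.168.0.0/24"
    gateway: str                # next-hop address or interface name
    distance: int = 1           # administrative distance; 255 = rejected by a filter
    routing_mark: str = "main"  # "main" = the unmarked table
    reachable: bool = True      # at least one next-hop reachable
    connected: bool = False     # connected routes need no reachable next-hop

    @property
    def prefix(self):
        return ipaddress.ip_network(self.dst)


def is_candidate(r: Route) -> bool:
    """Criteria to take part in the selection: distance != 255, and a
    non-connected unicast route must have a reachable next-hop."""
    if r.distance == 255:
        return False
    return r.connected or r.reachable


def active_routes(table):
    """One active route per (dst-address, routing-mark): lowest distance wins.
    Equal distances keep the first one seen (the slides call this arbitrary)."""
    best = {}
    for r in table:
        if not is_candidate(r):
            continue
        key = (r.prefix, r.routing_mark)
        if key not in best or r.distance < best[key].distance:
            best[key] = r
    return list(best.values())


def lookup(table, dst_ip, routing_mark="main"):
    """Longest-prefix match among the active routes of the marked table.
    Falling back to main when a marked table has no match is an assumption
    about RouterOS behaviour; check it on your version."""
    ip = ipaddress.ip_address(dst_ip)
    active = active_routes(table)
    tables = ("main",) if routing_mark == "main" else (routing_mark, "main")
    for mark in tables:
        matches = [r for r in active if r.routing_mark == mark and ip in r.prefix]
        if matches:
            return max(matches, key=lambda r: r.prefix.prefixlen)
    return None


# Constructed sample table.
TABLE = [
    Route("0.0.0.0/0", "10.0.0.1"),                        # default route
    Route("192.168.0.0/24", "1.1.1.1"),
    Route("192.168.0.0/25", "2.2.2.2"),                    # more specific
    Route("192.168.0.0/25", "3.3.3.3", distance=10),       # backup, higher distance
    Route("192.168.0.0/25", "4.4.4.4", distance=255),      # rejected by a filter
    Route("172.16.0.0/24", "5.5.5.5", reachable=False),    # next-hop unreachable
    Route("0.0.0.0/0", "10.0.0.2", routing_mark="net1"),   # PBR table "net1"
]


def gateway_for(dst_ip, routing_mark="main", disabled=()):
    """Gateway chosen for dst_ip; 'disabled' simulates disabling routes by gateway."""
    table = [r for r in TABLE if r.gateway not in disabled]
    r = lookup(table, dst_ip, routing_mark)
    return r.gateway if r else None


if __name__ == "__main__":
    print(gateway_for("192.168.0.1"))                        # 2.2.2.2 (longest prefix, distance 1)
    print(gateway_for("192.168.0.1", disabled={"2.2.2.2"}))  # 3.3.3.3 (distance 10 takes over)
    print(gateway_for("192.168.0.200"))                      # 1.1.1.1 (/24 only)
    print(gateway_for("172.16.0.5"))                         # 10.0.0.1 (inactive route skipped)
    print(gateway_for("8.8.8.8", "net1"))                    # 10.0.0.2
```

Disabling the distance-1 route for 192.168.0.0/25 reproduces the Distance LAB: the distance-10 route becomes active, while the distance-255 route never does.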
Next-hop lookup
Routes that are installed in the FIB need to have an interface associated with
each gateway address.
The gateway address (next-hop) has to be directly reachable via this interface.
The interface that should be used to send out packets to each gateway address is
found by doing a next-hop lookup.
Next-hop lookup is done only in the main routing table, even for routes with a
different routing mark value.
Routes pointing to a physical interface are not used for next-hop lookup.
Scope and target-scope
A router can have several routes in the main table. It is necessary to restrict
the set of routes that can be used by the lookup process.
For instance, next-hop values of static routes are supposed to be directly
reachable and should be looked up only using connected routes.
To limit the scope in which a router should look up, a route has the properties
scope and target-scope.
Routes with a scope greater than the maximum acceptable (target-scope) will
not be used for next-hop lookup.
Routes Selection Process
NB: With default values, iBGP will use static, OSPF, RIP, MME and connected routes.
Scope and Target Scope Example
A router has the IP address 1.1.1.1/24 configured on one of its interfaces and thus
has a connected route 1.1.1.0/24 pointing to that interface.
One route to network 2.2.2.0/24 pointing to e.g. 1.1.1.2 will be installed normally, but
another to 3.3.3.0/24 pointing to 2.2.2.2 will become inactive.
Changing the target-scope to a value >= 30 will make the route active (it will be
installed in the FIB). The route will appear as recursive.
Recursive Routing LAB
Objective:
To test recursive routing with target-scope manipulation.
LAB:
On all routers, configure a static route to an arbitrary network (e.g. 1.1.1.0/24)
pointing to a directly connected IP – the route should be installed.
Create a second static route to another arbitrary network (e.g. 2.2.2.0/24) pointing
to an IP address belonging to the first network (e.g. 1.1.1.1) – the route should be
inactive.
Change the target-scope of this second route to something >= 30 – the route should
become active and will appear as recursive.
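The next-hop lookup with scope and target-scope from the preceding slides and this LAB, as an added example (not RouterOS code and not part of the original slides). It resolves a route's gateway against the main table using only routes whose scope does not exceed the route's target-scope, recursing when the matching route is itself not connected, and it skips routes whose gateway is an interface name. The default scope values used (connected 10, static 30 with target-scope 10) are my recollection of RouterOS defaults and are an assumption to verify on your version; the table entries are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example (not RouterOS code): next-hop lookup limited by scope and
# target-scope. The default values used here (connected routes scope 10,
# static routes scope 30 / target-scope 10) are my recollection of RouterOS
# defaults and should be verified on your version.


@dataclass
class Route:
    dst: str
    gateway: Optional[str] = None    # next-hop IP, an interface name, or None
    interface: Optional[str] = None  # set on connected routes
    scope: int = 30
    target_scope: int = 10

    @property
    def prefix(self):
        return ipaddress.ip_network(self.dst)

    @property
    def connected(self):
        return self.gateway is None and self.interface is not None


def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def resolve(route, main_table, depth=0):
    """Find the egress interface for a route's gateway.

    Returns (interface, recursive). (None, False) means the route stays
    inactive. Only main-table routes with scope <= target-scope are usable,
    and routes whose gateway is an interface name are never used for lookup."""
    if route.connected:
        return route.interface, False
    if not is_ip(route.gateway):          # gateway given as an interface name
        return route.gateway, False
    if depth > 8:                         # guard against mutually recursive routes
        return None, False
    gw = ipaddress.ip_address(route.gateway)
    candidates = [r for r in main_table
                  if r is not route
                  and r.scope <= route.target_scope
                  and (r.gateway is None or is_ip(r.gateway))
                  and gw in r.prefix]
    if not candidates:
        return None, False
    best = max(candidates, key=lambda r: r.prefix.prefixlen)
    iface, _ = resolve(best, main_table, depth + 1)
    if iface is None:
        return None, False
    return iface, not best.connected


# Constructed main table: the slide's example plus one interface-gateway route.
CONNECTED = Route("1.1.1.0/24", interface="ether1", scope=10)
VIA_CONNECTED = Route("2.2.2.0/24", gateway="1.1.1.2")
VIA_STATIC = Route("3.3.3.0/24", gateway="2.2.2.2")            # inactive by default
VIA_IFACE = Route("4.4.4.0/24", gateway="ether2")
VIA_IFACE_ROUTE = Route("5.5.5.0/24", gateway="4.4.4.4", target_scope=30)
MAIN = [CONNECTED, VIA_CONNECTED, VIA_STATIC, VIA_IFACE, VIA_IFACE_ROUTE]


def status(route, target_scope=None):
    """(active, interface, recursive) for a route, optionally with a new target-scope."""
    if target_scope is not None:
        route = Route(route.dst, route.gateway, route.interface, route.scope, target_scope)
    table = [r for r in MAIN if r.dst != route.dst] + [route]
    iface, recursive = resolve(route, table)
    return iface is not None, iface, recursive


if __name__ == "__main__":
    print(status(VIA_CONNECTED))        # (True, 'ether1', False)
    print(status(VIA_STATIC))           # (False, None, False)
    print(status(VIA_STATIC, 30))       # (True, 'ether1', True)   recursive
    print(status(VIA_IFACE_ROUTE))      # (False, None, False)  interface routes not used
```

Raising target-scope to 30 lets the lookup use the static route 2.2.2.0/24 (scope 30), which in turn resolves through the connected route, so the route becomes active and recursive, exactly the state the LAB asks you to observe.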
Policy-based Routing – Case Study
(Diagram: router with GW1 10.0.0.1 and GW2 10.0.0.2; NET1 192.168.1.0/24 and
NET2 192.168.2.0/24)
Dynamic Routing
The protocol assigns a number, the cost, to each of the links between the nodes in
the network;
Nodes will send information from point A to point B via the path that results in the
lowest total cost (the sum of the costs of the links between the nodes used).
BGP can be considered a type of path-vector implementation, but not a pure one,
because attributes other than cost influence the route calculation.
In link-state protocols, each node uses as its fundamental data a map of the
network in the form of a graph;
To produce this, each node floods the entire network with information about
which other nodes it can connect to, and each node then independently
assembles this information into a map.
Using this map, each router independently determines the least-cost path from
itself to every other node using a standard shortest-path algorithm.
OSPF – Open Shortest Path First
Link-state protocol that uses Dijkstra's algorithm to calculate the shortest
path to all known destination networks;
All routers must have the same MTU on all networks announced by the
protocol;
Autonomous System
Internet Context x OSPF Context
How OSPF Works
OSPF tables
OSPF works by maintaining 3 separate tables:
OSPF Areas
OSPF Router Types
Internal Router: router connected to only one area
Establishing Network Adjacencies
Neighborhood x Adjacencies
The fact that routers are neighbors does not guarantee an exchange of link-state
updates. To do that, they must form adjacencies.
Finding the Best Paths
The Dijkstra algorithm runs on each router, calculating the best path with respect
to the lowest total cost of the links to a specific destination.
The best routes are put in the forwarding database (routing table or FIB).
Dijkstra's algorithm → Forwarding Database: Router X knows all the best paths to
reach each router inside Router X's area.
OSPF doesn't use TCP or UDP as its transport protocol. All five OSPF packet types
are encapsulated directly in the IP payload, IP protocol number 89 (OSPF).
To ensure reliable communication, OSPF has its own scheme, using an
acknowledgment packet (type 5 – LSAck).
OSPF Packet Types and Format
Common Header
Bit offsets: 0–7 | 8–15 | 16–23 | 24–31
Version (1 byte) | Type (1 byte) | Packet Length (2 bytes)
Router ID (4 bytes)
Area ID (4 bytes)
Checksum (2 bytes) | Authentication Type (2 bytes)
Authentication (4 bytes)
Authentication (4 bytes)
Establishing Adjacencies
Hello Protocol
Establishing Communication and Exchanging LSDBs
(Diagram: R1 eth2 192.168.1.1/24 – R2 eth3 192.168.1.2/24)
Down State
Init State: R1 sends a Hello to 224.0.0.5: "I am router 192.168.1.1 and I see no one"
2-way State: R2 sends a Hello to 192.168.1.1: "I am router 192.168.1.2 and I see
192.168.1.1"
Exchange State: DBD exchanged in both directions (to R2, to 192.168.1.1): "Here is a
summary of my LSDB"
Loading State: LSR to 192.168.1.2: "I request information about network
192.168.1.0/24"
Link State Sequence Numbers
The sequence number field is a signed 32-bit integer, used to detect old and
duplicate LSAs.
The larger the sequence number (when compared as signed 32-bit integers),
the more recent the LSA.
LSA/LSU Processing
OSPF Packet Types and Format
Hello Packet
Bit offsets: 0–7 | 8–15 | 16–23 | 24–31
Network Mask (4 bytes)
Hello Interval (2 bytes) | Options (1 byte) | Priority (1 byte)
Router Dead Interval (4 bytes)
Designated Router (4 bytes)
Backup Designated Router (4 bytes)
Neighbors (4 bytes each)
....
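The common header and Hello layouts from the two slides above, as an added example (not RouterOS code and not part of the original slides): it builds a Hello packet field by field, fills in the checksum, and parses and validates a received packet, rejecting a wrong length or a corrupted byte. The checksum rule (a standard Internet checksum over the packet excluding the 8-byte authentication field, only when the authentication type is null) follows RFC 2328; the router IDs and addresses are constructed.

```python
import struct
import ipaddress

# Added example (not RouterOS code): build, checksum and parse an OSPFv2 Hello
# packet laid out exactly as the two slides above. Addresses are constructed.

OSPF_PROTOCOL = 89
OSPF_VERSION = 2
TYPE_HELLO = 1
# Common header: version, type, length, router id, area id, checksum, auth type,
# authentication (8 bytes, handled here as one 64-bit field).
HDR = struct.Struct("!BBHIIHHQ")        # 24 bytes
# Hello body: network mask, hello interval, options, priority, dead interval, DR, BDR.
HELLO = struct.Struct("!IHBBIII")       # 20 bytes, then 4 bytes per neighbor


def ip2int(s):
    return int(ipaddress.IPv4Address(s))


def int2ip(n):
    return str(ipaddress.IPv4Address(n))


def inet_checksum(data: bytes) -> int:
    """Standard one's-complement Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_hello(router_id, area_id, mask, neighbors, hello=10, dead=40,
                priority=1, dr="0.0.0.0", bdr="0.0.0.0"):
    body = HELLO.pack(ip2int(mask), hello, 0x02, priority, dead, ip2int(dr), ip2int(bdr))
    body += b"".join(struct.pack("!I", ip2int(n)) for n in neighbors)
    length = HDR.size + len(body)
    # With null authentication the checksum covers the whole packet except the
    # 8-byte authentication field, which is skipped (RFC 2328, appendix D).
    hdr = HDR.pack(OSPF_VERSION, TYPE_HELLO, length, ip2int(router_id), ip2int(area_id), 0, 0, 0)
    csum = inet_checksum(hdr[:16] + body)
    hdr = HDR.pack(OSPF_VERSION, TYPE_HELLO, length, ip2int(router_id), ip2int(area_id), csum, 0, 0)
    return hdr + body


def parse_ospf(packet: bytes) -> dict:
    """Validate the common header and decode a Hello body; raises ValueError on bad input."""
    if len(packet) < HDR.size:
        raise ValueError("truncated header")
    ver, ptype, length, rid, aid, csum, atype, _auth = HDR.unpack_from(packet)
    if ver != OSPF_VERSION:
        raise ValueError("unsupported version %d" % ver)
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    if atype == 0 and inet_checksum(packet[:16] + packet[HDR.size:]) != 0:
        raise ValueError("bad checksum")
    info = {"type": ptype, "router_id": int2ip(rid), "area_id": int2ip(aid), "auth_type": atype}
    if ptype == TYPE_HELLO:
        mask, hi, opts, prio, dead, dr, bdr = HELLO.unpack_from(packet, HDR.size)
        rest = packet[HDR.size + HELLO.size:]
        if len(rest) % 4:
            raise ValueError("neighbor list is not a multiple of 4 bytes")
        info.update(mask=int2ip(mask), hello_interval=hi, options=opts, priority=prio,
                    dead_interval=dead, dr=int2ip(dr), bdr=int2ip(bdr),
                    neighbors=[int2ip(n) for (n,) in struct.iter_unpack("!I", rest)])
    return info


def is_valid(packet: bytes) -> bool:
    try:
        parse_ospf(packet)
        return True
    except ValueError:
        return False


def corrupt(packet: bytes, offset: int) -> bytes:
    """Flip one bit at 'offset' (to show the checksum catching it)."""
    b = bytearray(packet)
    b[offset] ^= 0x01
    return bytes(b)


if __name__ == "__main__":
    # Constructed: R2 (192.168.1.2) says hello and already sees R1 (192.168.1.1)
    pkt = build_hello("192.168.1.2", "0.0.0.0", "255.255.255.0", ["192.168.1.1"])
    print(len(pkt), parse_ospf(pkt))    # 48 bytes: 24 header + 20 hello + 1 neighbor
    print(is_valid(corrupt(pkt, 30)))   # False
```

A Hello with one neighbour listed is the "I see 192.168.1.1" message of the 2-way state shown earlier; the neighbour list is what moves the state machine from Init to 2-way.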
OSPF Packet Types and Format
DBD – Database Description
Bit offsets: 0–7 | 8–15 | 16–23 | 24–31
Interface MTU (2 bytes) | Options (1 byte) | Flags (1 byte): 0 0 0 0 0 I M MS
OSPF Packet Types and Format
LSR – Link State Request
The Link State Request packet is used for pulling information.
Bit offsets: 0–7 | 8–15 | 16–23 | 24–31
Link State Type (4 bytes)
Link State ID (4 bytes)
Advertising Router (4 bytes)
.....
Link State Type (4 bytes)
Link State ID (4 bytes)
Advertising Router (4 bytes)
....
OSPF Packet Types and Format
LSU – Link State Update
Bit offsets: 0–7 | 8–15 | 16–23 | 24–31
Number of LSAs (4 bytes)
LSA 1
.....
LSA 2
.....
LSA 3
....
LSAs – Link State Advertisement
LSA Types: 1, 2, 3, 4, 5, 6, 7, 8
OSPF LABs
We will work together with all routers in the classroom as if we were only one
AS.
Be careful, because a configuration error in a single router could affect
the whole setup.
Loopback Interfaces
If the loopback interface of a router is down, the router is unavailable as a
whole.
OSPF LAB – Completing the setup
OSPF – Router ID
OSPF LAB
Working together, set up an OSPF network with only one area (the backbone area).
For network 172.16.0.0/24, observe that only 2 routers have a full adjacency and the
others are in 2-way state.
Identify the routers that have a full adjacency. Why did this occur?
Network Types in OSPF
Broadcast Networks
A multi-access broadcast network, like Ethernet
Point-to-Multipoint
A special type of NBMA, consisting of a collection of point-to-point links
Point-to-Point
A network that joins a single pair of routers
Broadcast Multi-access Network
e.g. Ethernet
Election criteria for DR and BDR
(Diagram: three routers with priorities P=1, P=3 and P=1; DR and BDR marked)
Mikrotik RouterOS uses the highest router ID to select the DR and the
second-highest router ID for the BDR.
Default priority is 1.
Name it INFRA2
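The election criteria above, as an added example (not RouterOS code and not part of the original slides). It runs the initial DR/BDR election on a segment that has no DR yet: priority first, then the numerically highest router ID, with priority 0 making a router ineligible (RFC 2328). With every router at the default priority 1 this reduces to the slide's rule. The router IDs and priorities are constructed; the no-preemption rule of a running segment is deliberately not modelled.

```python
import ipaddress

# Added example (not RouterOS code): initial DR/BDR election on a broadcast
# segment with no DR yet. Router IDs and priorities below are constructed.


def elect(routers):
    """routers: {router_id: priority}. Priority 0 makes a router ineligible.
    Highest priority wins; ties are broken by the numerically highest router ID.
    With the default priority 1 everywhere this reduces to the slide's rule:
    highest router ID becomes DR, second-highest BDR. Preemption rules of a
    running segment (an existing DR is not replaced) are not modelled."""
    eligible = [(prio, int(ipaddress.IPv4Address(rid)), rid)
                for rid, prio in routers.items() if prio > 0]
    ranked = [rid for _, _, rid in sorted(eligible, reverse=True)]
    dr = ranked[0] if ranked else None
    bdr = ranked[1] if len(ranked) > 1 else None
    return dr, bdr


if __name__ == "__main__":
    print(elect({"10.0.0.1": 1, "10.0.0.2": 1, "10.0.0.3": 1}))  # ('10.0.0.3', '10.0.0.2')
    print(elect({"10.0.0.1": 3, "10.0.0.2": 1, "10.0.0.3": 1}))  # ('10.0.0.1', '10.0.0.3')
    print(elect({"10.0.0.9": 1, "10.0.0.10": 1}))                # ('10.0.0.10', '10.0.0.9')
    print(elect({"10.0.0.5": 0, "10.0.0.2": 1}))                 # ('10.0.0.2', None)
```

The third case is the common mistake when checking this by hand: router IDs compare as 32-bit numbers, so 10.0.0.10 beats 10.0.0.9 even though "10.0.0.10" sorts before "10.0.0.9" as a string.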
NBMA – Non-broadcast Multi-Access
NBMA – LAB
Point-to-multipoint (ptmp)
PTMP – LAB
Point-to-point interfaces
Point-to-point LAB
LSAs in depth
LSA Header
LSAs are the heart of a link-state protocol. An LSA consists of a header,
followed by data for the different link types. Below is the header format:
Bit offsets: 0–7 | 8–15 | 16–23 | 24–31
Age (2 bytes) | Options (1 byte) | Type (1 byte)
Link State ID (4 bytes)
Advertising Router (4 bytes)
Sequence Number (4 bytes)
Checksum (2 bytes) | Length (2 bytes)
LSA body (can be types 1, 2, 3, 4, 5, 6, 7, 8)
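The header layout above and the signed sequence-number rule from the "Link State Sequence Numbers" slide, as one added example (not RouterOS code and not part of the original slides). It decodes the 20-byte LSA header and decides which of two instances of the same LSA is more recent, following RFC 2328 section 13.1 (sequence number compared as signed integers, then checksum, then age). The sample header bytes are constructed.

```python
import struct
from dataclasses import dataclass

# Added example (not RouterOS code): decode the 20-byte LSA header shown above
# and decide which of two instances of the same LSA is newer. The sample bytes
# below are constructed.

LSA_HDR = struct.Struct("!HBBIIiHH")   # age, options, type, LS id, adv router, seq (signed!), checksum, length
MAX_AGE = 3600              # seconds; an LSA at MaxAge is being flushed
MAX_AGE_DIFF = 900
INITIAL_SEQ = -0x7FFFFFFF   # 0x80000001 read as a signed 32-bit integer
MAX_SEQ = 0x7FFFFFFF


@dataclass
class LsaHeader:
    age: int
    options: int
    ls_type: int
    ls_id: str
    adv_router: str
    seq: int
    checksum: int
    length: int


def _ip(n):
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


def parse_lsa_header(data: bytes, offset: int = 0) -> LsaHeader:
    age, opts, t, lsid, adv, seq, csum, length = LSA_HDR.unpack_from(data, offset)
    if t not in range(1, 12):            # types 1-11 are defined (the slides use 1-8)
        raise ValueError("unknown LSA type %d" % t)
    if length < LSA_HDR.size:
        raise ValueError("LSA length smaller than its header")
    return LsaHeader(age, opts, t, _ip(lsid), _ip(adv), seq, csum, length)


def same_lsa(a: LsaHeader, b: LsaHeader) -> bool:
    return (a.ls_type, a.ls_id, a.adv_router) == (b.ls_type, b.ls_id, b.adv_router)


def newer(a: LsaHeader, b: LsaHeader) -> int:
    """1 if a is the more recent instance, -1 if b is, 0 if they are the same
    instance (RFC 2328 section 13.1: sequence number, then checksum, then age)."""
    if not same_lsa(a, b):
        raise ValueError("not instances of the same LSA")
    if a.seq != b.seq:
        return 1 if a.seq > b.seq else -1        # signed comparison, as the slide says
    if a.checksum != b.checksum:
        return 1 if a.checksum > b.checksum else -1
    if (a.age == MAX_AGE) != (b.age == MAX_AGE):
        return 1 if a.age == MAX_AGE else -1
    if abs(a.age - b.age) > MAX_AGE_DIFF:
        return 1 if a.age < b.age else -1
    return 0


def next_seq(seq: int) -> int:
    """Sequence number for the next instance; at MaxSequenceNumber the LSA has to
    be flushed before restarting at InitialSequenceNumber (RFC 2328 section 12.1.6)."""
    if seq == MAX_SEQ:
        raise ValueError("MaxSequenceNumber reached: flush the LSA first")
    return seq + 1


# Constructed: a router LSA for 192.168.1.1, first instance (seq 0x80000001).
SAMPLE = bytes.fromhex("0001" "22" "01" "c0a80101" "c0a80101" "80000001" "abcd" "0030")


def unsigned_compare_is_wrong() -> bool:
    """A later instance with a positive seq (e.g. 0x7fffffff) is newer than
    0x80000001, although as unsigned integers 0x80000001 would look larger."""
    first = parse_lsa_header(SAMPLE)
    later = LsaHeader(first.age, first.options, first.ls_type, first.ls_id,
                      first.adv_router, MAX_SEQ, first.checksum, first.length)
    return newer(later, first) == 1 and (MAX_SEQ & 0xFFFFFFFF) < (first.seq & 0xFFFFFFFF)


if __name__ == "__main__":
    h = parse_lsa_header(SAMPLE)
    print(h)                            # seq == -2147483647 == INITIAL_SEQ
    print(unsigned_compare_is_wrong())  # True
```

The signed comparison matters in practice: InitialSequenceNumber 0x80000001 is the most negative value in use, so treating the field as unsigned would make a brand-new LSA look newer than every later instance.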
LSA type = 1 (Router LSA)
LSA type = 2 (Network LSA)
Advertised by the DR
(Diagram: Area 0 with the DR)
LSA type = 3 (Summary LSA)
Type 4: regenerated by subsequent ABRs to flood throughout the AS
(Diagram: ASBR, ABR, Area 2 and Backbone Area)
LSA type = 5 (External LSA)
LSA type = 7 (External LSA)
OSPF LAB (Point-to-point Interfaces)
Links: R1 – R2, R2 – R3, R3 – R4, R4 – R1
OSPF Areas
Creating more Areas
OSPF LAB – Creating more Areas
Routers G1 and G4 will be the ABRs (they will have networks in area 1 and one
network in the backbone area).
LSAs
(Diagram: Type 1 (router), Type 2 (network), Type 3 and 4 (summary))
Routing Table Manipulations
Routes Summarization
Costs
Routes Redistribution
Default Route
Routes Summarization
OSPF LAB
Route Cost
Initial analysis:
(Diagram: R0, R1, R2, R3 and R4 topology)
OSPF LAB – Costs
Using costs, ensure that upload and download traffic between R3 and
R0 will follow the routes:
R3 – R2 – R1 – R0
R0 – R1 – R2 – R3
(Diagram: R0, R1, R2, R3 and R4 topology)
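The shortest-path computation from the "Dynamic Routing" and "Finding the Best Paths" slides, applied to this cost LAB, as an added example (not RouterOS code and not part of the original slides). It runs Dijkstra over the LAB topology (a ring R1-R2-R3-R4 with R0 behind R1) with per-interface, directional costs, and shows how raising the cost on the R3-R4 link steers both directions of the R3/R0 traffic through R2. The topology is taken from the LAB description; the default cost of 10 per link and the override value of 50 are assumptions for the demonstration.

```python
import heapq

# Added example (not RouterOS code): Dijkstra over the cost LAB topology.
# Costs are per-interface (directional), as in OSPF; 10 is an assumed default.
LINKS = [("R0", "R1"), ("R1", "R2"), ("R2", "R3"), ("R3", "R4"), ("R4", "R1")]


def build_graph(links, overrides=None):
    """Return {node: {neighbor: cost}} with a cost per direction.
    overrides maps (from, to) -> cost, i.e. the cost set on 'from's interface."""
    g = {}
    for a, b in links:
        g.setdefault(a, {})[b] = 10
        g.setdefault(b, {})[a] = 10
    for (u, v), c in (overrides or {}).items():
        g[u][v] = c
    return g


def dijkstra(graph, source):
    """Least-cost distance and predecessor for every node reachable from source."""
    dist = {source: 0}
    prev = {}
    heap = [(0, source)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist.get(u, float("inf")):
            continue                       # stale heap entry
        for v, c in sorted(graph[u].items()):
            nd = d + c
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                prev[v] = u
                heapq.heappush(heap, (nd, v))
    return dist, prev


def path(graph, src, dst):
    """(node list, total cost) of the best path, or (None, None) if unreachable."""
    dist, prev = dijkstra(graph, src)
    if dst not in dist:
        return None, None
    nodes = [dst]
    while nodes[-1] != src:
        nodes.append(prev[nodes[-1]])
    return list(reversed(nodes)), dist[dst]


if __name__ == "__main__":
    default = build_graph(LINKS)
    print(path(default, "R3", "R0"))   # cost 30 either way round the ring: a tie
    # LAB: make R3-R2-R1-R0 and R0-R1-R2-R3 the only best paths by raising
    # the cost on both interfaces of the R3-R4 link.
    tuned = build_graph(LINKS, {("R3", "R4"): 50, ("R4", "R3"): 50})
    print(path(tuned, "R3", "R0"))     # (['R3', 'R2', 'R1', 'R0'], 30)
    print(path(tuned, "R0", "R3"))     # (['R0', 'R1', 'R2', 'R3'], 30)
```

With default costs the two ring directions tie at 30 and the choice is not under your control; the LAB's requirement for both upload and download is met only when the alternative path is made strictly worse in both directions, which is why the cost is raised on both ends of the R3-R4 link.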
Routes Redistribution
External Type 1 or Type 2 metrics
If type 2 is chosen, both the green and the red route will have the same cost – 30
Default Route
OSPF LAB – Default Route
Special Area Types
Stub Areas
Totally Stub Areas
NSSA Areas
Stub and Totally Stub Areas
Stub Area
Does not accept external LSAs
Accepts summary LSAs
OSPF LAB – Stub and Totally Stub areas
Differences observed?
NSSA Areas
The option "Inject summary LSAs" can be checked for Stub and NSSA areas.
In this case, LSA summaries (LSA types 3 and 4) will not cross the ABRs.
OSPF LAB – NSSA Areas
Differences observed?
OSPF Security
Attacks against OSPF
Basically, attacks against OSPF consist of forging Hello, LSA and LSU
messages on behalf of authorized hosts, causing:
Denial of service
and / or
Topology changes
OSPF Resource Starvation Attacks
"Phantom LSAs" are entered in the Link State Database and each entry is
kept until "MaxAge" expires.
These entries are ignored by the Shortest Path First (SPF) algorithm (they do not
produce topology changes).
OSPF Attacks – Forcing Topology Changes
Pre-condition:
absence of encryption, or
a compromised pre-shared key.
Misdirecting traffic to form routing loops
(Diagram: R1, R2, R3 and R4; the best path toward 2.2.2.0/24 (2.2.2.2) is turned
into a routing loop)
Misdirecting Traffic to a Black Hole
(Diagram: R1, R2, R3 and R4; best path toward 2.2.2.0/24 (2.2.2.2))
Eavesdropping / Man-in-the-middle
(Diagram: R3 and R4; best path toward 2.2.2.2)
Attacks against OSPF (from the perspective of the attacker's location)
Attacks against OSPF
On NBMA and all other network types (including virtual links), the
majority of OSPF packets are sent as unicasts, i.e., sent directly to the other end
of the adjacency. In this case, the IP destination is just the neighbor IP address
associated with the other end of the adjacency (see RFC 2328, section 10).
So, the answer is YES, the attack could work from any point of the Internet!
Attacks against OSPF (from the perspective of the attacker's location)
(Diagram: OSPF domain)
Attacks against OSPF
C) Attacker is inside and in the same L2 segment (2/3)
Once the pre-shared key is compromised, the attacker could do anything a real
router could, from flooding LSAs for resource starvation to impersonating a
network router. Imagination and creativity will do the rest.
(Diagram: creating an arbitrary network)
C) Attacker is inside and in the same L2 segment (3/3)
Countermeasures:
(Diagram: OSPF domain)
Choosing a strong password will delay (but not avoid) the discovery. It's only a
matter of time.
Passive mode
When an interface is in passive mode, the router will prevent all OSPF traffic
through that interface.
Very useful on border interfaces, especially if there are customers connected to
them.
OSPF LAB – Authentication and Passive mode
Test the passive mode option (your laptop is probably not running OSPF, so
test with your neighbor's router).
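The two countermeasures above, authentication and passive interfaces, expressed as a receive-side admission check, as an added example (not RouterOS code and not part of the original slides). It decides, per interface, whether an OSPF packet may be processed: nothing is accepted on a passive interface, and on active interfaces the packet must carry the expected area and at least the required authentication type, with a summary of rejection reasons suitable for logging. The interface names, the policy keys and the sample packets are constructed for illustration.

```python
import struct
import ipaddress
from collections import Counter

# Added example (not RouterOS code): a receive-side policy check for OSPF
# packets that mirrors the countermeasures above: drop everything on passive
# interfaces and refuse packets that are not cryptographically authenticated.
# Interface names and policy keys are constructed for illustration.

OSPF_HDR = struct.Struct("!BBHIIHH")   # first 16 bytes of the common header
AUTH_NULL, AUTH_SIMPLE, AUTH_CRYPTO = 0, 1, 2

INTERFACES = {
    "ether1-customer": {"passive": True,  "area": "0.0.0.0", "min_auth": AUTH_CRYPTO},
    "ether2-core":     {"passive": False, "area": "0.0.0.0", "min_auth": AUTH_CRYPTO},
}


def admit(interface: str, packet: bytes):
    """Return (accepted, reason) for an OSPF packet received on 'interface'."""
    pol = INTERFACES[interface]
    if pol["passive"]:
        return False, "passive interface: OSPF not accepted here"
    if len(packet) < 24:
        return False, "truncated header"
    ver, ptype, length, _rid, aid, _csum, atype = OSPF_HDR.unpack_from(packet)
    if ver != 2:
        return False, "unsupported version"
    if length != len(packet):
        return False, "length mismatch"
    if str(ipaddress.IPv4Address(aid)) != pol["area"]:
        return False, "area mismatch"
    if atype < pol["min_auth"]:
        return False, "authentication type %d below policy" % atype
    return True, "accepted"


def make_packet(ptype, router_id, area, auth_type):
    """Constructed 24-byte OSPF header (body omitted) for the demo."""
    hdr = OSPF_HDR.pack(2, ptype, 24, int(ipaddress.IPv4Address(router_id)),
                        int(ipaddress.IPv4Address(area)), 0, auth_type)
    return hdr + b"\x00" * 8


def audit(received):
    """received: list of (interface, packet). Returns counts per decision reason,
    the kind of summary you would ship to a log collector."""
    return Counter(admit(i, p)[1] for i, p in received)


if __name__ == "__main__":
    sample = [
        ("ether2-core", make_packet(1, "10.0.0.2", "0.0.0.0", AUTH_CRYPTO)),   # accepted
        ("ether2-core", make_packet(1, "10.0.0.9", "0.0.0.0", AUTH_NULL)),     # unauthenticated
        ("ether2-core", make_packet(4, "10.0.0.2", "0.0.0.1", AUTH_CRYPTO)),   # wrong area
        ("ether1-customer", make_packet(1, "192.0.2.7", "0.0.0.0", AUTH_CRYPTO)),  # passive
    ]
    for iface, pkt in sample:
        print(iface, admit(iface, pkt))
    print(audit(sample))
```

A spike of "below policy" or "passive interface" rejections on a customer-facing port is exactly the signal worth alerting on: it is what a forged Hello arriving where no OSPF speaker should exist looks like from the defender's side.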
Virtual Links
The OSPF protocol establishes that all areas should be connected to the backbone
area. This connection is usually made by an ABR that physically connects both
areas. That means all areas are contiguous to the backbone area.
With virtual links it is possible to logically connect a non-contiguous area to the
backbone area.
Virtual Link – LAB
(Diagram: Area 0.0.G.1 with R1, R2, R3 and R4)
In the above scenario, the path over the backdoor link will always be selected
because OSPF prefers intra-area paths over inter-area paths.
The OSPF cost configured on a sham link allows you to decide whether OSPF client
site traffic will be routed over the backdoor link or through the VPN backbone.
IPv6 Addressing and Routing
IPv6 – Static addressing and routing
Default Route
Loopback address configuration with IPv6
IPv6 addresses are formed automatically from MAC addresses. Because a bridge
has no MAC address by default, the method will fail. As a solution, use an admin
MAC.
IPv6 Addressing LAB
Dynamic Routing with IPv6
Dynamic Routing with IPv6 – RIPng
Limited to 15 hops
Dynamic Routing with IPv6 – OSPFv3
The same principles used for IPv4 were kept in the new version, like LSAs, the
Dijkstra algorithm, flooding, etc.
However, OSPFv3 has a lot of improvements compared to its predecessor, OSPFv2;
OSPF LAB – OSPFv3 Configuration
Configure OSPFv3 with a single area for the whole classroom.
Observe and comment on the results.
VLANs
Virtual Local Area Network (VLAN) is a layer 2 method that allows configuration of
(virtual) LANs on a single physical interface. The Mikrotik RouterOS implementation
is based on the IEEE 802.1Q standard.
VLAN Packet
802.1Q defines how to insert the 4-byte tag carrying the VLAN identifier (VLAN ID)
into an Ethernet frame.
802.1Q Header
VLAN Trunk
(Diagram: VLAN 10 and VLAN 20 carried over one trunk)
VLAN – LAB 1
(Diagram: Layer 2 link carrying VLAN 12 and VLAN 14)
Q-in-Q allows two or more VLAN headers. In RouterOS, Q-in-Q can be configured by
adding one VLAN interface over another.
VLAN – LAB 2 (QinQ)
(Diagram: VLAN 12 and VLAN 14 carried inside VLAN 100)
802.1ad
VLAN – LAB 2 (802.1ad)
(Diagram: VLAN 12 and VLAN 14 carried inside VLAN 100)
As VLAN works on OSI Layer 2, it can be used just as any other network
interface without any restrictions. VLAN successfully passes through regular
Ethernet bridges.
You can also transport VLANs over wireless links and put multiple VLAN
interfaces on a single wireless interface. Note that as VLAN is not a full tunnel
protocol (i.e., it does not have additional fields to transport MAC addresses of
sender and recipient), the same limitation applies to bridging over VLAN as to
bridging plain wireless interfaces.
In other words, while wireless clients may participate in VLANs put on wireless
interfaces, it is not possible to have VLAN put on a wireless interface in station
mode bridged with any other interface.
VLANs – MTU Issues
MTU should be set to 1500 bytes as on Ethernet interfaces. But this may not
work with some Ethernet cards that do not support receiving/transmitting of full
size Ethernet packets with VLAN header added (1500 bytes data + 4 bytes VLAN
header + 14 bytes Ethernet header).
In this situation MTU 1496 can be used, but note that this will cause packet
fragmentation if larger packets have to be sent over the interface. At the same time
remember that MTU 1496 may cause problems if path MTU discovery is not
working properly between source and destination.
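The tagging described in the "VLAN Packet", Q-in-Q and 802.1ad slides, and the frame-size arithmetic behind the MTU discussion above, as one added example (not RouterOS code and not part of the original slides). It inserts an 802.1Q tag into an Ethernet frame, stacks an 802.1ad service tag on top of it, reads the tags back, and computes the on-wire frame size for a given payload MTU, which is where the 1518 versus 1514 and the 1496 fallback come from. The MAC addresses and payload are constructed.

```python
import struct

# Added example (not RouterOS code): insert and read 802.1Q / 802.1ad tags in
# an Ethernet frame and compute the frame sizes behind the MTU discussion.
# MAC addresses and payload are constructed.

TPID_8021Q = 0x8100    # customer tag (C-TAG)
TPID_8021AD = 0x88A8   # service tag (S-TAG) used by 802.1ad Q-in-Q
ETH_HEADER = 14        # dst MAC + src MAC + EtherType
TAG_LEN = 4


def build_frame(dst_mac: bytes, src_mac: bytes, ethertype: int, payload: bytes) -> bytes:
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def add_tag(frame: bytes, vid: int, pcp: int = 0, tpid: int = TPID_8021Q) -> bytes:
    """Insert one 4-byte tag right after the MAC addresses. Calling it twice
    stacks tags: the second call becomes the outer tag (Q-in-Q)."""
    if not 0 <= vid <= 4094:
        raise ValueError("VLAN ID must be 0..4094")
    tci = (pcp << 13) | vid            # PCP(3) | DEI(1)=0 | VID(12)
    return frame[:12] + struct.pack("!HH", tpid, tci) + frame[12:]


def parse_tags(frame: bytes):
    """Return ([(tpid, pcp, vid), ...] outermost first, inner EtherType, payload)."""
    tags, off = [], 12
    while True:
        etype = struct.unpack_from("!H", frame, off)[0]
        if etype in (TPID_8021Q, TPID_8021AD):
            tci = struct.unpack_from("!H", frame, off + 2)[0]
            tags.append((etype, tci >> 13, tci & 0x0FFF))
            off += TAG_LEN
        else:
            return tags, etype, frame[off + 2:]


def wire_size(payload_mtu: int, tag_count: int) -> int:
    """Bytes on the wire (without FCS) for a maximum-size payload with N tags."""
    return ETH_HEADER + TAG_LEN * tag_count + payload_mtu


def payload_mtu_for_nic(nic_max_frame: int, tag_count: int) -> int:
    """Largest L3 MTU a NIC limited to 'nic_max_frame' bytes (no FCS) carries with N tags."""
    return nic_max_frame - ETH_HEADER - TAG_LEN * tag_count


# Constructed frame: IPv4 EtherType 0x0800 with a dummy payload.
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("00112233aabb")
UNTAGGED = build_frame(DST, SRC, 0x0800, b"\x45" + b"\x00" * 19)
CTAGGED = add_tag(UNTAGGED, 12)                    # VLAN 12
QINQ = add_tag(CTAGGED, 100, tpid=TPID_8021AD)     # VLAN 12 inside S-VLAN 100

if __name__ == "__main__":
    print(parse_tags(CTAGGED)[0])        # [(0x8100, 0, 12)]
    print(parse_tags(QINQ)[0])           # [(0x88a8, 0, 100), (0x8100, 0, 12)]
    print(wire_size(1500, 1))            # 1518: needs a NIC that accepts oversize frames
    print(payload_mtu_for_nic(1514, 1))  # 1496: the slide's fallback MTU
```

Each stacked tag costs another 4 bytes, so a Q-in-Q frame with a 1500-byte payload is 1522 bytes on the wire; a NIC stuck at 1514 would need the inner MTU lowered to 1492, with the same fragmentation and path MTU discovery caveats the slide gives for 1496.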
Unnumbered Interfaces
(Diagram: R1 eth1 172.16.0.0/24 – R2 eth1 192.168.0.0/24)
VLANs on Switches
VLAN-compliant switches can be used to implement the previous setups with a gain in
performance, because without using bridges the packets will be forwarded at "wire
speed". Switch chip features supported by RouterOS are:
Port Switching
Port Mirroring
Host Table
VLAN Table
Rule Table
Switch Chip Features
Switch chip features that are implemented in RouterOS (the complete set of features
is implemented starting with v4.0)
Point to Point Addressing
Point-to-point addressing uses only two IPs per link, while a /30 uses four IPs.
There is no broadcast address, but the network address must be set manually to the
opposite IP address. Example:
IP 1.1.1.1/32, Network 2.2.2.2
IP 2.2.2.2/32, Network 1.1.1.1
There can be identical /32 addresses on the router – each address will have a
different connected route.
EoIP Tunnel
(Diagram: Public IP = 20.1.1.1 / Tunnel IP = 10.1.1.1 – Public IP = 30.2.2.2 /
Tunnel IP = 10.1.1.2)
PPTP or L2TP
PPTP and L2TP are used for site-to-site or client-to-site connections.
Both have mostly the same functionality.
Configuration of both tunnels is identical in RouterOS.
PPTP and L2TP Tunnels
PPTP Tunnels
PPTP uses TCP port 1723 and IP protocol 47 (GRE)
PPTP clients are available for and/or included in almost all OSes
You must use the PPTP and GRE "NAT helpers" to connect to any public
PPTP server from your private masqueraded network
L2TP Tunnels
L2TP traffic uses UDP port 1701 only for link establishment; further
traffic uses any available UDP port
L2TP doesn't have problems with NATed clients – it doesn't require "NAT
helpers"
PPTP and L2TP – Client Configuration
PPTP and L2TP – Server Configuration
PPTP and L2TP LABs
PPP Bridge Control Protocol (BCP)
RouterOS offers BCP support for all asynchronous PPP, PPTP, L2TP & PPPoE
(not ISDN) interfaces.
Bridging and routing over a PPP link can happen at the same time, independently.
Setting up BCP
PPP interfaces can utilize the PPP Multilink Protocol to handle Ethernet frames
over a single physical link – where multiple channels run on the same link.
MRRU
To enable the PPP Multilink Protocol over a single link you must specify the MRRU
option;
If both sides support this feature there is no need for MSS adjustment (in
firewall mangle).
MRRU is less CPU expensive than 2 mangle rules per client if you have more
than 30 clients.
PPTP and L2TP LABs
SSTP Tunnel
SSTP is a way to transport a PPP tunnel over an SSL 3.0 channel. The use of SSL over
TCP port 443 allows SSTP to pass through virtually all firewalls and proxy servers.
SSTP Connection Mechanism
A TCP connection is established from client to server (by default on port 443);
SSL validates the server certificate. If the certificate is valid the connection is
established, otherwise the connection is torn down;
The client sends SSTP control packets within the HTTPS session, which
establishes the SSTP state machine on both sides;
PPP negotiation over SSTP. The client authenticates to the server and binds IP
addresses to the SSTP interface;
The SSTP tunnel is now established and packet encapsulation can begin.
Configuring SSTP
SSTP LAB – Using Certificates
In this LAB, the central AP will be the SSTP server and all routers will be
clients.
Certificates should be installed and used.
Ask the teacher for the FTP IP address to download the pre-built certificates:
your certificate, your key (ask the teacher for the key password) and the CA
certificate.
/system reset-configuration
hvala
grazie
хвала
gracias
obrigado
დიდი მადლობა
Edson Veloso Sergio Souza Wardner Maia
edson@mikrotikbrasil.com.br sergio@mikrotikbrasil.com.br maia@mikrotikbrasil.com.br