This material was entirely developed by the MD Brasil team and is in English
because it has been used to give trainings outside Brazil.
All material here is intended for personal study and cannot be used in
commercial trainings (even those without cost), public presentations, or any other
form different from personal learning.
Total or partial reproduction of the texts, images or tables from this material is
forbidden and may be made only with formal and written authorization of MD Brasil
Tecnologia da Informação Ltda.
Contacts with the company can be made by e-mail: apostila@mdbrasil.com.br
After the training, attendees are expected to be able to plan and deploy
dynamic routing in their networks using Mikrotik RouterOS.
4
Who we are
www.mdbrasil.com / www.mikrotikbrasil.com
5
About the instructors
6
MTCRE Program
1) Introduction
Overview
Training Objectives
Training Schedule
Housekeeping
About the Instructors
Students Introductions
2) Class Setup
Group division and students' router configuration
Creating the basic scenario
7
MTCRE Program
3) Routing essentials
Router architecture functional view
Routing table vs. forwarding table
Routing protocols
Link state and distance vector algorithms
Mikrotik RouterOS routing implementation overview
4) Forwarding Protocols
A networking environment: the big picture
Quick overview of all forwarding protocols supported by Mikrotik RouterOS
Static Routing, RIP, OSPF, BGP, MPLS, MME
8
Routing Essentials
Routing Information Base (RIB)
The Routing Information Base is the database where all information about IP routes
is stored. Each protocol has its own RIB.
16
Routing Essentials
Forwarding Information Base (FIB)
The FIB contains information on the prefixes related to the network interfaces that
can be used to forward packets.
17
Routing Essentials
RouterOS implementation
18
Routing Essentials
Routing Table:
By default, route lookup is done in two steps: first for local addresses and then for
other routes. That means that the router will have 2 tables:
A table for local addresses. A successful lookup in this table means that the
packet is to be delivered to the host itself.
19
Routing Essentials
FIB and Routing Cache:
20
Routing Table vs. Routing Cache
Routing Table:
Destination       Next Hop   Interface
192.168.0.0/24    1.1.1.1    eth1
Routing Cache:
Destination       Next Hop   Interface
192.168.0.10      1.1.1.1    eth1
192.168.0.20      1.1.1.1    eth1
21
Lookups on the routing table
22
Routing Essentials
Connected Routes
For each IP address associated with an active interface, one connected route is
dynamically created.
23
Routing Essentials
Static routes
Static routes can point either to the next hop
IP address or directly to the interface.
24
Routing Essentials
Default Route
A default route is a route with destination 0.0.0.0/0, which means the whole IPv4 address
space (0.0.0.1 to 255.255.255.255). If a routing table contains at least one active default
route, then route lookup will never fail.
25
Routing Essentials
Dynamic Routes
26
Preparing the Scenario
27
Preparing the Scenario
28
Physical Infrastructure
29
IP Infrastructure
30
IP detailed Infrastructure
31
Preparing the Scenario
Ensure that from your laptop you can ping your router.
Ensure that from your router you can ping the right and left neighbor routers.
Copy your backup file to your desktop; this will be the basic IP infrastructure
backup.
32
Static Routing LAB
Test:
Laptop behind R1 should ping R3;
Laptop behind R2 should ping R4.
(Figure: lab topology with R1, R2, R3 and R4.)
33
Multiple Matches in a Routing Table
In a routing table, if there were only one route toward each destination address,
routing lookups would be trivial: as soon as a router finds a route whose destination
subnet includes the destination address, the packet is forwarded.
In the case shown, a packet destined to e.g. 192.168.0.1 finds 2 possible routes,
because the address belongs to both subnets.
34
Longest Prefix Match
When a packet has multiple matches, the longest prefix match (the more specific
network) will be preferred.
LAB: Keep the routes from the previous LAB. Configure more routes to allow:
Test:
Trace a route from Laptop 1 to Laptop 3 and check the route.
36
Longest Prefix Match LAB
For discussion:
What if link 3-4 is broken?
What if link 4-1 is broken?
37
Routes Processing
38
Routes Processing
Distance (Administrative Distance)
Distance refers to the reliability of the route. If there is more than one route to the
same network prefix, the one with the lowest distance will be chosen.
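The two selection rules above, longest prefix match first and lowest distance between routes for the same prefix, as an added Python example that is not part of the MD Brasil material; the routing table in it is constructed to mirror the Longest Prefix Match and Distance LABs.

```python
# Added example (not from the MD Brasil material): a minimal route lookup
# that applies longest prefix match first and administrative distance as the
# tie-break between routes for the same prefix, as in the Longest Prefix
# Match and Distance LABs. The routing table below is constructed.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional


@dataclass
class Route:
    dst: IPv4Network           # destination prefix
    gateway: str               # next-hop IP address (or interface name)
    distance: int = 1          # administrative distance, lower is better
    active: bool = False       # set by select_active(); only active routes reach the FIB


def select_active(routes: List[Route]) -> List[Route]:
    """Keep one active route per destination prefix: the lowest distance.

    RouterOS allows a single active route per dst-address; candidates with
    the same prefix compete on distance (equal distance: arbitrary pick)."""
    best = {}
    for r in routes:
        cur = best.get(r.dst)
        if cur is None or r.distance < cur.distance:
            best[r.dst] = r
    for r in routes:
        r.active = best[r.dst] is r
    return [r for r in routes if r.active]


def lookup(fib: List[Route], dst: str) -> Optional[Route]:
    """Longest prefix match: among matching routes the most specific wins."""
    addr = IPv4Address(dst)
    matches = [r for r in fib if r.active and addr in r.dst]
    if not matches:
        return None                         # fails only without a default route
    return max(matches, key=lambda r: r.dst.prefixlen)


# Constructed table: an overlapping /24 and /25, a primary and a backup route
# (distance 10) to the same prefix, and a default route.
TABLE = [
    Route(IPv4Network("0.0.0.0/0"), "10.0.0.1"),
    Route(IPv4Network("192.168.0.0/24"), "1.1.1.1"),
    Route(IPv4Network("192.168.0.0/25"), "2.2.2.2"),
    Route(IPv4Network("172.16.3.0/24"), "3.3.3.3", distance=1),
    Route(IPv4Network("172.16.3.0/24"), "4.4.4.4", distance=10),
]


def next_hop(dst: str, table: List[Route] = TABLE) -> Optional[str]:
    """Gateway chosen for dst, or None when the lookup fails."""
    r = lookup(select_active(table), dst)
    return None if r is None else r.gateway


if __name__ == "__main__":
    for ip in ("192.168.0.1", "192.168.0.200", "172.16.3.9", "8.8.8.8"):
        print(ip, "->", next_hop(ip))
    # "Disable the active route and see what happens": drop the distance-1 route
    backup = [r for r in TABLE if r.gateway != "3.3.3.3"]
    print("172.16.3.9 without primary ->", next_hop("172.16.3.9", backup))
```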
39
Distance LAB
LAB: Keep the /24 routes from the previous LAB and delete the more specific ones. Create
the routes below:
R1 to R3, via R4, with distance > 1
R2 to R4, via R3, with distance > 1
Test:
Look at your routing table and check which route is active.
Disable the active route and see what happens.
40
Longest Prefix Match LAB (Distance)
(Figure: R1, R2, R3 and R4; links with distance = 1 and one link with distance = 10.)
For discussion:
From the perspective of R3, what happens with the failure of each of the links below?
R3-R4, R3-R2,
R2-R4, R4-R1
41
Load Balancing and Multipath (ECMP) Routes
ECMP (Equal Cost Multi-Path) routes have multiple gateway (next-hop) values. All
reachable next-hops are copied to the FIB and used in forwarding packets.
Routes can be created manually by adding multiple gateways (next-hop addresses or
interfaces).
42
Multipath (ECMP) Routes
Because results of the forwarding decision are cached, packets with the same:
This means that one connection will use only one link in each direction, so ECMP
routes can be used to implement per-connection load balancing.
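Per-connection load balancing over an ECMP route, as an added Python example (not part of the MD Brasil material): the forwarding decision is cached per flow, so one connection stays on one gateway while different connections spread across the reachable next-hops. The gateways and flows are constructed; the hashing and the cache flush on a dead gateway are this example's own simplification.

```python
# Added example (not from the MD Brasil material): per-connection ECMP
# selection. The forwarding decision for a flow is cached, so every packet
# of one connection leaves through the same gateway; distinct flows spread
# over the reachable next-hops. Gateways and flows below are constructed.
import hashlib
from typing import Dict, List, Tuple

Flow = Tuple[str, str, int, int, int]   # (src, dst, proto, sport, dport)


class EcmpRoute:
    def __init__(self, gateways: List[str]):
        self.gateways = list(gateways)     # all next-hops copied to the FIB
        self.reachable = set(gateways)     # check-gateway would shrink this
        self.cache: Dict[Flow, str] = {}   # routing cache: flow -> gateway

    def mark_unreachable(self, gw: str) -> None:
        """Simulates check-gateway declaring a next-hop dead: flush the cache."""
        self.reachable.discard(gw)
        self.cache.clear()

    def pick(self, flow: Flow) -> str:
        if flow in self.cache:
            return self.cache[flow]        # same connection, same link
        alive = [g for g in self.gateways if g in self.reachable]
        if not alive:
            raise RuntimeError("no reachable next-hop")
        # Stable hash of the flow identifiers (Python's hash() is salted).
        digest = hashlib.sha256(repr(flow).encode()).digest()
        gw = alive[int.from_bytes(digest[:4], "big") % len(alive)]
        self.cache[flow] = gw
        return gw


def distribution(route: EcmpRoute, flows: List[Flow]) -> Dict[str, int]:
    """How many of the given flows land on each gateway."""
    counts = {g: 0 for g in route.gateways}
    for f in flows:
        counts[route.pick(f)] += 1
    return counts


# Constructed flows: clients in 192.168.0.0/24 opening 200 TCP connections
# (distinct source ports) to one web server.
FLOWS = [("192.168.0.%d" % (10 + i % 5), "10.9.9.9", 6, 40000 + i, 80)
         for i in range(200)]

if __name__ == "__main__":
    r = EcmpRoute(["1.1.1.1", "2.2.2.2"])
    print(distribution(r, FLOWS))
    print(r.pick(FLOWS[0]) == r.pick(FLOWS[0]))   # sticky per connection
    r.mark_unreachable("1.1.1.1")
    print(distribution(r, FLOWS))                  # everything moves to 2.2.2.2
```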
43
ECMP Example
(Figure: ECMP example for network 192.168.0.0/24.)
44
Check Gateway option
LAB: Configure ECMP routes so that R3 (R4) reaches R1 (R2) via R2 (R3)
and R4 (R1).
Test:
Trace routes from R3 (R4) to R1 (R2).
Tip: configure some IP addresses on your laptop/Mikrotik and try varying the
source / destination addresses.
46
Policy-based Routing (PBR)
Policy-Based Routing
47
Policy-based Routing (PBR)
RouterOS can split the routing table into several tables, separated by routing
marks;
By default, all active routes without marks are kept in the main routing table;
48
Policy Routing simple example
(Figure: gateways GW1 = 10.0.0.1 and GW2 = 10.0.0.2; networks NET1 = 192.168.1.0/24
and NET2 = 192.168.2.0/24.)
49
Policy-based Routing Simple Example
1) Mark packets from network 192.168.1.0/24 with new-routing-mark=net1, and packets from
network 192.168.2.0/24 with new-routing-mark=net2:
50
Policy-based Routing Simple Example
2) Route packets from net1 (192.168.1.0/24) to GW1 (10.0.0.1) and from net2
(192.168.2.0/24) to GW2 (10.0.0.2).
51
Policy-based Routing: Simple Example with Redundancy
(Figure: gateways GW1 = 10.0.0.1, GW2 = 10.0.0.2 and GW3 = 10.0.0.3; networks
NET1 = 192.168.1.0/24 and NET2 = 192.168.2.0/24.)
52
Policy-based Routing simple example with redundancy
53
PBR LAB
(Figure: R1, R2, R3 and R4; Web access on port 80 and FTP access on port 21.)
LAB: R3 (R4) should access the R1 (R2) Web service via R2 (R1) and the R1 (R2) FTP service
via R4.
Test (suggestion):
Log services on the firewall to check which interface the flow is going through.
54
Routes Processing
55
Routes Selection Process
There can be multiple routes learned from dynamic protocols and static
configuration;
Each routing table can have only one active route for each destination prefix;
If a route meets the criteria to become an active route, then the active route is
selected from all candidate routes with the same dst-address AND routing-mark;
The candidate route with the lowest distance becomes the active route. If the distance
is the same, the selection is arbitrary (except for BGP routes).
56
Routes Selection Process
Criteria to become an active route (i.e. to participate in the route selection process):
The distance is not 255. Routes that are rejected by routing filters have a distance
value of 255.
If the route type is unicast and it is not a connected route, it must have at least
one reachable next-hop.
57
Next-hop lookup
Routes that are installed in the FIB need to have an interface associated with
each gateway address.
The gateway address (next-hop) has to be directly reachable via this interface.
The interface that should be used to send out packets to each gateway address is
found by doing a next-hop lookup.
The next-hop lookup is done only in the main routing table, even for routes with a
different value of routing mark.
Routes pointing to a physical interface are not used for next-hop lookup.
58
Scope and target-scope
A router can have several routes in the main table, so it is necessary to restrict
the set of routes that can be used by the lookup process.
For instance, next-hop values of static routes are supposed to be directly
reachable and should be looked up only using connected routes.
To limit the scope in which a router should look up, a route has the properties
scope and target-scope.
Routes with a scope greater than the maximum acceptable (the target-scope) will
not be used for next-hop lookup.
59
Routes Selection Process
NB: With default values, iBGP will use static, OSPF, RIP, MME and connected routes.
60
Scope and Target Scope Example
A router has an IP address 1.1.1.1/24 configured on one of its interfaces and thus it
has a connected route 1.1.1.0/24 pointing to that interface.
One route to network 2.2.2.0/24 pointing to, e.g., 1.1.1.2 will be installed normally, but
another to 3.3.3.0/24 pointing to 2.2.2.2 will become inactive: with the default
target-scope of a static route (10), only connected routes (scope 10) are used to resolve
the next-hop, and the static route to 2.2.2.0/24 has scope 30.
61
Scope and Target Scope Example
Changing the target-scope to a value >= 30 will turn the route active (it will be installed in
the FIB). The route will appear as recursive.
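The next-hop lookup, the scope/target-scope restriction and the 1.1.1.0/24, 2.2.2.0/24, 3.3.3.0/24 example above, as an added Python example that is not part of the MD Brasil material. It assumes the RouterOS defaults of scope 10 for connected routes and scope 30 / target-scope 10 for static routes; the table and the interface name ether1 are constructed.

```python
# Added example (not from the MD Brasil material): how a route becomes
# active by resolving its gateway with a next-hop lookup restricted by
# scope/target-scope, reproducing the 1.1.1.0/24 -> 2.2.2.0/24 -> 3.3.3.0/24
# case. Default scopes follow RouterOS (connected 10, static 30,
# static target-scope 10); the table and interface names are constructed.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional


@dataclass
class Route:
    dst: IPv4Network
    gateway: str                      # next-hop IP, or an interface name
    interface: Optional[str] = None   # filled in when the route resolves
    scope: int = 30                   # static default
    target_scope: int = 10            # static default: only connected routes
    routing_mark: str = "main"
    recursive: bool = False


def connected(prefix: str, iface: str) -> Route:
    return Route(IPv4Network(prefix), iface, iface, scope=10, target_scope=10)


def static(prefix: str, gw: str, target_scope: int = 10,
           mark: str = "main") -> Route:
    return Route(IPv4Network(prefix), gw, target_scope=target_scope,
                 routing_mark=mark)


def is_ip(gw: str) -> bool:
    try:
        IPv4Address(gw)
        return True
    except ValueError:
        return False


def resolve(route: Route, main: List[Route]) -> Optional[str]:
    """Next-hop lookup: done in the main table only, using resolved routes
    whose scope <= this route's target-scope (longest prefix match among
    them). Resolving through a non-connected route makes the route recursive.
    Returns the egress interface, or None if the gateway is unreachable."""
    if not is_ip(route.gateway):
        return route.gateway              # points directly to an interface
    addr = IPv4Address(route.gateway)
    candidates = [r for r in main if r is not route and r.interface
                  and r.scope <= route.target_scope and addr in r.dst]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: r.dst.prefixlen)
    route.recursive = best.scope > 10     # resolved via a non-connected route
    return best.interface


def activate(table: List[Route]) -> List[Route]:
    """Resolve routes until nothing new resolves; returns the installed ones."""
    main = [r for r in table if r.routing_mark == "main"]
    changed = True
    while changed:
        changed = False
        for r in table:
            if r.interface is None:
                iface = resolve(r, main)
                if iface:
                    r.interface, changed = iface, True
    return [r for r in table if r.interface]


def build_example(target_scope: int = 10) -> List[Route]:
    """The slide's scenario plus a marked route, whose next-hop lookup still
    happens in the main table."""
    return [connected("1.1.1.0/24", "ether1"),
            static("2.2.2.0/24", "1.1.1.2"),
            static("3.3.3.0/24", "2.2.2.2", target_scope=target_scope),
            static("4.4.4.0/24", "1.1.1.3", mark="net1")]


def active_prefixes(target_scope: int = 10) -> List[str]:
    return [str(r.dst) for r in activate(build_example(target_scope))]


if __name__ == "__main__":
    print(active_prefixes(10))   # 3.3.3.0/24 stays inactive
    print(active_prefixes(30))   # 3.3.3.0/24 active and recursive
```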
62
Recursive Routing LAB
Objective:
To test recursive routing with target-scope manipulation.
LAB:
All routers configure a static route to an arbitrary network (e.g. 1.1.1.0/24)
pointing to a directly connected IP; the route should be installed.
Create a second static route to another arbitrary network (e.g. 2.2.2.0/24) pointing
to an IP address belonging to the first network (e.g. 1.1.1.1); the route should be
inactive.
Change the target-scope of this second route to something >= 30; the route should
turn to the active state and will appear as recursive.
63
Policy-based Routing Case Study
(Figure: gateways GW1 = 10.0.0.1 and GW2 = 10.0.0.2; networks NET1 = 192.168.1.0/24
and NET2 = 192.168.2.0/24.)
65
Dynamic Routing
The protocol assigns a number, the cost, to each of the links between the nodes in
the network;
Nodes will send information from point A to point B via the path that results in the
lowest total cost (the sum of the costs of the links between the nodes used).
BGP can be considered a type of path vector implementation, but not a pure one, because
there are attributes other than cost that influence route calculation.
66
Dynamic Routing
In link-state protocols, each node uses as its fundamental data a map of the
network in the form of a graph;
To produce this, each node floods the entire network with information about
which other nodes it can connect to, and each node then independently
assembles this information into a map.
Using this map, each router then independently determines the least-cost
path from itself to every other node using a standard shortest-paths algorithm.
67
Dynamic Routing
68
OSPF Open Shortest Path First
69
OSPF
Open Shortest Path First
A link state protocol that uses Dijkstra's algorithm to calculate the shortest
path to all known destination networks;
All routers must have the same MTU on all networks announced by the
protocol;
70
Autonomous System
Internet Context vs. OSPF Context
71
How OSPF Works
OSPF tables
OSPF works by maintaining 3 separate tables:
73
OSPF Areas
74
OSPF Areas
75
OSPF Areas
77
OSPF Router Types
Internal Router: a router connected to only one area.
(Figure: Area 2.)
78
Establishing Network Adjacencies
79
Neighborhood vs. Adjacencies
The fact that routers are neighbors does not guarantee an exchange of link-state
updates. To exchange link-state updates they must first form adjacencies.
81
Finding the Best Paths
Dijkstra's algorithm runs on each router, calculating the best path with respect to the
lowest total cost of the links to a specific destination.
The best routes are put in the forwarding database (routing table or FIB).
82
Finding the Best Paths
Dijkstra's algorithm -> Forwarding Database
Router X knows all the best paths to reach each router inside Router X's area.
OSPF doesn't use TCP or UDP as its transport protocol. All five OSPF packet types are
encapsulated directly in the IP payload (IP protocol 89).
To ensure reliability of the communication, OSPF has its own scheme using an
acknowledgment packet (type 5 - LSAck).
85
OSPF Packet Types and Format
86
OSPF Packet Types and Format
Common Header
Bit: 0 1 2 3 4 5 6 7 | 0 1 2 3 4 5 6 7 | 0 1 2 3 4 5 6 7 | 0 1 2 3 4 5 6 7
Version (1 byte)   | Type (1 byte)   | Packet Length (2 bytes)
Router ID (4 bytes)
Area ID (4 bytes)
Checksum (2 bytes)                   | Authentication Type (2 bytes)
Authentication (4 bytes)
Authentication (4 bytes)
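Parsing and validating the common header laid out above, as an added Python example that is not part of the MD Brasil material: it checks the version, the length field and the checksum, and reports the authentication type, since an AuType of 0 (Null) is the unauthenticated case the OSPF Security slides later refer to. The Hello packet it parses is constructed in the code.

```python
# Added example (not from the MD Brasil material): parse and validate the
# 24-byte OSPF common header from raw bytes and report the authentication
# type; AuType 0 (Null) is the unauthenticated case the OSPF Security slides
# refer to. The Hello packet is constructed here (router 1.1.1.1, area 0.0.0.0).
import struct
from dataclasses import dataclass

HEADER = struct.Struct("!BBHIIHH8s")   # version, type, length, router id,
                                       # area id, checksum, autype, auth
PACKET_TYPES = {1: "Hello", 2: "DBD", 3: "LSR", 4: "LSU", 5: "LSAck"}
AUTH_TYPES = {0: "Null", 1: "Simple password", 2: "Cryptographic"}


@dataclass
class OspfHeader:
    version: int
    ptype: int
    length: int
    router_id: str
    area_id: str
    checksum: int
    autype: int
    auth: bytes

    @property
    def type_name(self) -> str:
        return PACKET_TYPES.get(self.ptype, "unknown")

    @property
    def auth_name(self) -> str:
        return AUTH_TYPES.get(self.autype, "unknown")


def dotted(n: int) -> str:
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


def to_int(dotted_quad: str) -> int:
    return int.from_bytes(bytes(map(int, dotted_quad.split("."))), "big")


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ospf_checksum(packet: bytes) -> int:
    """Covers the whole packet except the 8-byte authentication field,
    with the checksum field itself taken as zero (AuType 0 and 1 only)."""
    return internet_checksum(packet[:12] + b"\x00\x00" + packet[14:16] + packet[24:])


def parse_header(packet: bytes) -> OspfHeader:
    if len(packet) < HEADER.size:
        raise ValueError("truncated OSPF header")
    v, t, ln, rid, aid, cks, aut, auth = HEADER.unpack_from(packet)
    if v != 2:
        raise ValueError("not OSPFv2 (version %d)" % v)
    if ln != len(packet):
        raise ValueError("length field %d != packet length %d" % (ln, len(packet)))
    if aut in (0, 1) and ospf_checksum(packet) != cks:
        raise ValueError("bad checksum")
    return OspfHeader(v, t, ln, dotted(rid), dotted(aid), cks, aut, auth)


def build_hello(router_id: str, area_id: str, autype: int = 0) -> bytes:
    """Constructed Hello body: mask /24, hello 10 s, options E, priority 1,
    dead interval 40 s, no DR/BDR, no neighbors (the 'I see no one' Hello)."""
    body = struct.pack("!IHBBIII", 0xFFFFFF00, 10, 0x02, 1, 40, 0, 0)
    hdr = HEADER.pack(2, 1, HEADER.size + len(body), to_int(router_id),
                      to_int(area_id), 0, autype, bytes(8))
    pkt = hdr + body
    return pkt[:12] + struct.pack("!H", ospf_checksum(pkt)) + pkt[14:]


if __name__ == "__main__":
    h = parse_header(build_hello("1.1.1.1", "0.0.0.0"))
    print(h.type_name, h.router_id, h.area_id, "auth:", h.auth_name)
```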
87
Establishing Adjacencies
Hello Protocol
88
Establishing Communication and Exchanging LSDBs
(Figure: R1 with 192.168.1.1/24 and R2 with 192.168.1.2/24, interfaces eth2 and eth3.)
Down State
Init State: Hello to 224.0.0.5: "I am router 192.168.1.1 and I see no one"
2-way State: Hello to 192.168.1.1: "I am router 192.168.1.2 and I see 192.168.1.1"
Exchange State: DBD to 192.168.1.1: "Here is a summary of my LSDB"
Loading State: LSR to 192.168.1.2: "I request information about network 192.168.1.0/24"
92
Link State Sequence Numbers
The sequence number field is a signed 32-bit integer, used to detect old and
duplicate LSAs.
The larger the sequence number (when compared as signed 32-bit integers),
the more recent the LSA.
93
LSA/LSU Processing
94
OSPF Packet Types and Format
Hello Packet
Bit: 0 1 2 3 4 5 6 7 | 0 1 2 3 4 5 6 7 | 0 1 2 3 4 5 6 7 | 0 1 2 3 4 5 6 7
Network Mask (4 bytes)
Hello Interval (2 bytes)             | Options (1 byte) | Priority (1 byte)
Router Dead Interval (4 bytes)
Designated Router (4 bytes)
Backup Designated Router (4 bytes)
Neighbors (4 bytes each)
....
95
OSPF Packet Types and Format
DBD - Database Description
Bit: 0 1 2 3 4 5 6 7 | 0 1 2 3 4 5 6 7 | 0 1 2 3 4 5 6 7 | 0 1 2 3 4 5 6 7
Interface MTU (2 bytes)              | Options (1 byte) | 0 0 0 0 0 I M MS (1 byte)
96
OSPF Packet Types and Format
LSR - Link State Request
The Link State Request packet is used for pulling information.
Bit: 0 1 2 3 4 5 6 7 | 0 1 2 3 4 5 6 7 | 0 1 2 3 4 5 6 7 | 0 1 2 3 4 5 6 7
Link State Type (4 bytes)
Link State ID (4 bytes)
Advertising Router (4 bytes)
.....
Link State Type (4 bytes)
Link State ID (4 bytes)
Advertising Router (4 bytes)
....
97
OSPF Packet Types and Format
LSU - Link State Update
Bit: 0 1 2 3 4 5 6 7 | 0 1 2 3 4 5 6 7 | 0 1 2 3 4 5 6 7 | 0 1 2 3 4 5 6 7
Number of LSAs (4 bytes)
LSA 1
.....
LSA 2
.....
LSA 3
98
LSAs - Link State Advertisements
LSA Types: 1, 2, 3, 4, 5, 6, 7, 8
99
OSPF LABs
We will work together with all routers in the classroom as if they were only one
AS.
Be careful, because one configuration error in a single router could influence
the whole setup.
100
Loopback Interfaces
If the loopback interface on a router is down, that means that the router is
unavailable as a whole.
101
OSPF LAB Completing the setup
102
OSPF Router ID
103
OSPF LAB
Working together, set up an OSPF network with only one area (the backbone area).
104
OSPF LAB
For network 172.16.0.0/24, observe that only 2 routers reach the Full state and the
others stay in the 2-way state.
Identify the routers that have a full adjacency. Why did this occur?
105
Network Types in OSPF
106
Network Types in OSPF
Broadcast Networks: a multi-access broadcast network, like Ethernet.
Point-to-Multipoint: a special type of NBMA, consisting of a collection of point-to-point links.
Point-to-Point: a network that joins a single pair of routers.
107
Broadcast Multi-access Network
e.g. Ethernet
108
Election criteria for DR and BDR
Mikrotik RouterOS uses the highest router ID to select the DR and the
second-highest router ID for the BDR.
The default priority is 1.
(Figure: three routers with priorities P=1, P=3 and P=1; the DR and BDR are marked.)
Name it INFRA2
111
NBMA Non-broadcast Multi-Access
112
NBMA LAB
NBMA
113
Point-to-multipoint (ptmp)
114
PTMP LAB
115
Point-to-point interfaces
Point-to-point LAB
116
LSAs in depth
117
LSA Header
LSA packets are the heart of a link state protocol. An LSA consists of a
header, followed by data for the different link types. Below is the header format:
Bit: 0 1 2 3 4 5 6 7 | 0 1 2 3 4 5 6 7 | 0 1 2 3 4 5 6 7 | 0 1 2 3 4 5 6 7
Age (2 bytes)                        | Options (1 byte) | Type (1 byte)
Link State ID (4 bytes)
Advertising Router (4 bytes)
Sequence Number (4 bytes)
Checksum (2 bytes)                   | Length (2 bytes)
LSAs (can be types 1, 2, 3, 4, 5, 6, 7, 8)
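The LSA header above and the signed 32-bit sequence number comparison from the Link State Sequence Numbers slide, as an added Python example that is not part of the MD Brasil material: it parses the 20-byte header and decides which of two instances of the same LSA is newer (sequence number first, then the MaxAge and age-difference rules of RFC 2328 section 13.1). The sample LSAs are constructed, with the checksum field left at zero.

```python
# Added example (not from the MD Brasil material): parse the 20-byte LSA
# header and decide which of two instances of the same LSA is newer by
# comparing sequence numbers as signed 32-bit integers, as the Link State
# Sequence Numbers slide describes. Sample LSAs are constructed.
import struct
from dataclasses import dataclass

LSA_HEADER = struct.Struct("!HBBIIiHH")  # age, options, type, ls id,
                                         # adv router, seq (signed), cksum, len
LSA_TYPES = {1: "Router", 2: "Network", 3: "Summary (network)",
             4: "Summary (ASBR)", 5: "AS-external",
             6: "Group membership (MOSPF)", 7: "NSSA-external",
             8: "External attributes"}
INITIAL_SEQ = -0x7FFFFFFF        # 0x80000001, first instance of an LSA
MAX_SEQ = 0x7FFFFFFF
MAX_AGE = 3600                   # seconds; an LSA at MaxAge is being flushed
MAX_AGE_DIFF = 900               # seconds (15 minutes)


@dataclass(frozen=True)
class LsaHeader:
    age: int
    options: int
    ls_type: int
    ls_id: str
    adv_router: str
    seq: int
    checksum: int
    length: int

    def key(self):
        """Identity of an LSA: type, link state id, advertising router."""
        return (self.ls_type, self.ls_id, self.adv_router)


def dotted(n: int) -> str:
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


def parse_lsa_header(data: bytes) -> LsaHeader:
    if len(data) < LSA_HEADER.size:
        raise ValueError("truncated LSA header")
    age, opt, t, lsid, adv, seq, cks, ln = LSA_HEADER.unpack_from(data)
    if ln < LSA_HEADER.size:
        raise ValueError("LSA length smaller than header")
    return LsaHeader(age, opt, t, dotted(lsid), dotted(adv), seq, cks, ln)


def build_lsa_header(ls_type: int, ls_id: str, adv: str, seq: int,
                     age: int = 0, length: int = 20) -> bytes:
    """Constructed header; the checksum is left at 0 for the example."""
    to_int = lambda s: int.from_bytes(bytes(map(int, s.split("."))), "big")
    return LSA_HEADER.pack(age, 0x02, ls_type, to_int(ls_id), to_int(adv),
                           seq, 0, length)


def is_newer(a: LsaHeader, b: LsaHeader) -> bool:
    """True if instance a is more recent than instance b of the same LSA.

    RFC 2328 13.1 order: larger (signed) sequence number wins; then a MaxAge
    copy wins; then the copy whose age is smaller by more than MaxAgeDiff."""
    if a.key() != b.key():
        raise ValueError("not instances of the same LSA")
    if a.seq != b.seq:
        return a.seq > b.seq             # signed 32-bit comparison
    if (a.age == MAX_AGE) != (b.age == MAX_AGE):
        return a.age == MAX_AGE
    return b.age - a.age > MAX_AGE_DIFF


def next_seq(seq: int) -> int:
    """Sequence number the originator uses for the next instance."""
    if seq == MAX_SEQ:
        raise ValueError("must flush the LSA (MaxAge) before wrapping")
    return seq + 1


if __name__ == "__main__":
    old = parse_lsa_header(build_lsa_header(1, "1.1.1.1", "1.1.1.1", INITIAL_SEQ))
    new = parse_lsa_header(build_lsa_header(1, "1.1.1.1", "1.1.1.1", next_seq(old.seq)))
    print(LSA_TYPES[new.ls_type], hex(new.seq & 0xFFFFFFFF), is_newer(new, old))
```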
118
119
LSA type = 1 (Router LSA)
120
LSA type = 2 (Network LSA)
Advertised by the DR.
(Figure: Area 0 with the DR.)
121
LSA type = 3 (Summary LSA)
Regenerated by subsequent ABRs to flood throughout the AS.
(Figure: ASBR, ABR, Type 4, Area 2 and Backbone Area.)
123
LSA type = 5 (External LSA)
124
LSA type = 7 (External LSA)
125
OSPF LAB (Point-to-point Interfaces)
Links: R1-R2, R2-R3, R3-R4, R4-R1
126
OSPF Areas
Creating more Areas
127
OSPF LAB
Creating more Areas
Routers G1 and G4 will be the ABRs (they will have networks in area 1 and one
network in the backbone area).
128
LSAs
Type 1 (router)
Type 2 (network)
Type 3 and 4 (summary)
129
Routing Table Manipulations
Routes Summarization
Costs
Routes Redistribution
Default Route
130
Routes Summarization
131
OSPF LAB
LAB
132
Route Cost
Initial analysis:
(Figure: R0, R1, R2, R3 and R4.)
134
OSPF LAB Costs
Using costs, ensure that upload and download traffic between R3 and
R0 will follow the routes:
R3 -> R2 -> R1 -> R0
R0 -> R1 -> R2 -> R3
(Figure: R0, R1, R2, R3 and R4.)
135
Routes Redistribution
136
Routes Redistribution
137
External Type 1 or type 2 metrics
If type 2 is chosen, both the green and the red route will have the same cost: 30.
139
Default Route
140
Default Route
141
OSPF LAB Default Route
142
Special Area Types
Stub areas
Totally stub areas
NSSA areas
143
Stub Area
145
Stub and Totally Stub Areas
146
Stub and Totally Stub Areas
Stub Area:
Does not accept external LSAs
Accepts summary LSAs
147
OSPF LAB Stub and Totally Stub areas
Differences observed ?
148
NSSA Areas
149
NSSA Areas
The option "Inject summary LSAs" can be set for stub and NSSA areas.
If it is not set, summary LSAs (types 3 and 4) will not cross the ABRs.
151
OSPF LAB NSSA Areas
Differences observed ?
152
OSPF Security
153
Attacks against OSPF
Basically, attacks against OSPF consist of forging Hello, LSA and LSU
messages on behalf of authorized routers, causing:
Denial of service
and / or
Topology changes
154
OSPF Resource Starvation Attacks
Phantom LSAs are entered in the link state database and each entry is
kept until MaxAge expires.
These entries are ignored by the Shortest Path First (SPF) algorithm (they do not
produce topology changes).
155
OSPF Attacks - Forcing Topology Changes
Pre-conditions:
absence of encryption;
compromised pre-shared key.
156
Misdirecting traffic to form routing loops
(Figure: R1, R2, R3 and R4; network 2.2.2.0/24, host 2.2.2.2; the best path versus the
routing loop.)
157
Misdirecting Traffic to a Black Hole
(Figure: R1, R2, R3 and R4; network 2.2.2.0/24, host 2.2.2.2; the best path.)
158
Eavesdropping/Man-in-the-middle
(Figure: R3 and R4; host 2.2.2.2; the best path.)
159
Attacks against OSPF
(from the perspective of the attacker's location)
160
Attacks against OSPF
On NBMA and all other network types (including virtual links), the
majority of OSPF packets are sent as unicasts, i.e., sent directly to the other end
of the adjacency. In this case, the IP destination is just the Neighbor IP address
associated with the other end of the adjacency (see RFC 2326, section 10).
So, the answer is YES, the attack could work from any point of the Internet !
161
Attacks against OSPF
162
Attacks against OSPF
(from the perspective of the attacker's location)
163
Attacks against OSPF
(from the perspective of the attacker's location)
164
Attacks against OSPF
OSPF domain
165
Attacks against OSPF
C) Attacker is inside and in the same L2 segment (2/3)
Once the pre-shared key is compromised, the attacker could do anything a real
router could, from flooding LSAs for resource starvation to impersonating a
network router. Imagination and creativity will do the rest.
(Figure: creating an arbitrary network.)
166
Attacks against OSPF
C) Attacker is inside and in the same L2 segment (3/3)
Countermeasures:
Choosing a strong password will delay (but not prevent) its discovery; it's only a
matter of time.
Passive mode
When an interface is in passive mode, the router will prevent all OSPF traffic through that
interface.
Very useful on border interfaces, especially if there are customers connected to them.
169
OSPF LAB Authentication and Passive mode
Test the passive mode option (your laptop is probably not running OSPF, so
test with your neighbor's router).
170
Virtual Links
171
Virtual Links
The OSPF protocol establishes that all areas should be connected to the backbone
area. This connection is usually made by an ABR that physically connects both
areas. That means all areas are contiguous with the backbone area.
With virtual links it is possible to logically connect a non-contiguous area to the
backbone area.
172
Virtual Links
173
Virtual Link - LAB
(Figure: Area 0.0.G.1 with routers R1, R2, R3 and R4.)
In the above scenario, the path over the backdoor link will always be selected
because OSPF prefers intra-area paths over inter-area paths.
The OSPF cost configured on a sham link allows you to decide whether OSPF client site
traffic will be routed over the backdoor link or through the VPN backbone.
175
IPV6 Addressing and Routing
176
IPV6 - Static addressing and routing
Default Route
177
Loopback address configuration with IPv6
IPv6 addresses are formed automatically from MAC addresses. Because a bridge
has no MAC address by default, the method will fail. As a solution, use Admin MAC.
178
Loopback address configuration with IPv6
179
IPV6 Addressing LAB
180
Dynamic Routing with IPv6
181
Dynamic Routing with IPv6 - RIPng
Limited to 15 hops
182
Dynamic Routing with IPv6 OSPFv3
The same principles used for IPv4 were kept in the new
version, like LSAs, Dijkstra's algorithm, flooding, etc.
However, OSPFv3 has a lot of improvements when
compared to its predecessor, OSPFv2;
183
OSPF LAB OSPFv3 Configuration
Configure OSPFv3 with a single area for the whole classroom.
Observe and comment on the results.
184
VLANs
185
VLANs
A Virtual Local Area Network (VLAN) is a layer 2 method that allows configuration of
(virtual) LANs on a single physical interface. The Mikrotik RouterOS implementation is
based on the IEEE 802.1Q standard.
186
VLAN Packet
802.1Q defines how to insert the 4-byte tag carrying the VLAN identifier (VLAN ID) into an Ethernet frame.
187
802.1q Header
188
VLAN Trunk
(Figure: a trunk carrying VLAN 10 and VLAN 20.)
189
VLAN LAB 1
(Figure: routers connected by a layer 2 link carrying VLAN 12 and VLAN 14.)
Q-in-Q allows two or more VLAN headers. In RouterOS Q-in-Q can be configured by
adding one VLAN interface over another.
191
VLAN LAB 2: QinQ
(Figure: VLAN 12 and VLAN 14 carried inside VLAN 100.)
193
802.1ad
194
VLAN LAB 2: 802.1ad
(Figure: VLAN 12 and VLAN 14 carried inside VLAN 100.)
As VLAN works on OSI Layer 2, it can be used just as any other network
interface without any restrictions. VLAN successfully passes through regular
Ethernet bridges.
You can also transport VLANs over wireless links and put multiple VLAN
interfaces on a single wireless interface. Note that as VLAN is not a full tunnel
protocol (i.e., it does not have additional fields to transport MAC addresses of
sender and recipient), the same limitation applies to bridging over VLAN as to
bridging plain wireless interfaces.
In other words, while wireless clients may participate in VLANs put on wireless
interfaces, it is not possible to have VLAN put on a wireless interface in station
mode bridged with any other interface.
196
VLANs MTU Issues
The MTU should be set to 1500 bytes, as on Ethernet interfaces. But this may not
work with some Ethernet cards that do not support receiving/transmitting full
size Ethernet packets with the VLAN header added (1500 bytes of data + 4 bytes of VLAN
header + 14 bytes of Ethernet header).
In this situation an MTU of 1496 can be used, but note that this will cause packet
fragmentation if larger packets have to be sent over the interface. At the same time
remember that an MTU of 1496 may cause problems if path MTU discovery is not
working properly between source and destination.
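The 802.1Q tag insertion from the VLAN Packet slide, the Q-in-Q / 802.1ad stacking from the VLAN LABs and the 1500 + 4 + 14 byte frame size discussed above, as an added Python example that is not part of the MD Brasil material. The MAC addresses, payload and VLAN IDs are constructed.

```python
# Added example (not from the MD Brasil material): insert and strip 802.1Q
# tags in an Ethernet frame, stack them for Q-in-Q (inner 0x8100, outer
# 0x88a8 as in 802.1ad), and check the resulting frame against the 1500-byte
# MTU issue from the VLANs MTU slide. Frames and VLAN IDs are constructed.
import struct
from typing import List, Tuple

ETH_HDR = 14                 # dst MAC (6) + src MAC (6) + EtherType (2)
TAG_LEN = 4                  # TPID (2) + TCI (2)
TPID_8021Q = 0x8100
TPID_8021AD = 0x88A8
MAX_UNTAGGED_FRAME = 1500 + ETH_HDR   # 1514 bytes without a tag


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    return dst + src + struct.pack("!H", ethertype) + payload


def push_tag(frame: bytes, vid: int, pcp: int = 0, tpid: int = TPID_8021Q) -> bytes:
    """Insert a 4-byte tag right after the source MAC (offset 12)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    tci = (pcp & 0x7) << 13 | (vid & 0xFFF)       # PCP(3) DEI(1) VID(12)
    return frame[:12] + struct.pack("!HH", tpid, tci) + frame[12:]


def pop_tag(frame: bytes) -> Tuple[int, int, bytes]:
    """Remove the outermost tag; returns (tpid, vid, frame without it)."""
    tpid, tci = struct.unpack_from("!HH", frame, 12)
    if tpid not in (TPID_8021Q, TPID_8021AD):
        raise ValueError("frame is not tagged")
    return tpid, tci & 0xFFF, frame[:12] + frame[16:]


def vlan_stack(frame: bytes) -> List[int]:
    """VLAN IDs from outer to inner, e.g. [100, 12] for Q-in-Q."""
    vids = []
    while True:
        try:
            _, vid, frame = pop_tag(frame)
        except ValueError:
            return vids
        vids.append(vid)


def mtu_verdict(frame: bytes) -> str:
    """Why some NICs drop full-size tagged frames: each tag adds 4 bytes."""
    excess = len(frame) - MAX_UNTAGGED_FRAME
    if excess <= 0:
        return "fits a plain 1514-byte Ethernet frame"
    return ("%d bytes over 1514: needs a NIC that accepts tagged full-size "
            "frames, or an interface MTU reduced by %d" % (excess, excess))


# Constructed frame: full 1500-byte IPv4 payload between two made-up MACs.
DST = bytes.fromhex("00a1b2c3d4e5")
SRC = bytes.fromhex("00f1e2d3c4b5")
FULL = build_frame(DST, SRC, 0x0800, bytes(1500))


def qinq_example() -> Tuple[List[int], int]:
    """Customer VLAN 12 carried inside service VLAN 100 (802.1ad outer tag)."""
    inner = push_tag(FULL, 12)
    outer = push_tag(inner, 100, tpid=TPID_8021AD)
    return vlan_stack(outer), len(outer)


if __name__ == "__main__":
    print(qinq_example())                    # ([100, 12], 1522)
    print(mtu_verdict(push_tag(FULL, 12)))   # 4 bytes over 1514 ...
```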
197
Unnumbered Interfaces
(Figure: R1 with 172.16.0.0/24 and R2 with 192.168.0.0/24, connected via eth1 on each side.)
198
VLANs on Switches
VLAN-compliant switches can be used to implement the previous setups with a gain in
performance, because without using bridges the packets will be forwarded at wire
speed. Switch chip features supported by RouterOS are:
Port Switching
Port Mirroring
Host Table
VLAN Table
Rule Table
199
Switch Chip Features
Switch chip features that are implemented in RouterOS (the complete set of features is
implemented starting with v4.0).
(Figure: tunnel example with Public IP = 30.2.2.2 and Tunnel IP = 10.1.1.2.)
Test connectivity
203
Point to Point Addressing
Point-to-point addressing utilizes only two IPs per link, while /30 utilizes four IPs.
There is no broadcast address, but the network address must be set manually to the
opposite IP address. Example:
IP 1.1.1.1/32, Network 2.2.2.2
IP 2.2.2.2/32, Network 1.1.1.1
There can be identical /32 addresses on the router; each address will have a
different connected route.
204
EoIP Tunnel
(Figure: Public IP = 20.1.1.1 with Tunnel IP = 10.1.1.1 on one side; Public IP = 30.2.2.2
with Tunnel IP = 10.1.1.2 on the other.)
PPTP or L2TP
PPTP and L2TP are used for site-to-site or client-to-site connections.
Both have mostly the same functionality.
The configuration of both tunnels is identical in RouterOS.
207
PPTP and L2TP Tunnels
PPTP Tunnels
PPTP uses TCP port 1723 and IP protocol 47 (GRE)
PPTP clients are available for and/or included in almost all OSs
You must use the PPTP and GRE NAT helpers to connect to any public
PPTP server from your private masqueraded network
L2TP Tunnels
L2TP traffic uses UDP port 1701 only for link establishment; further
traffic uses any available UDP port
L2TP doesn't have problems with NATed clients; it doesn't require NAT
helpers
208
PPtP and L2TP
Client Configuration
209
PPtP and L2TP
Server Configuration
210
PPtP and L2TP LABs
211
PPP Bridge Control Protocol (BCP)
RouterOS offers BCP support for all asynchronous PPP, PPTP, L2TP & PPPoE
(not ISDN) interfaces
Bridging and routing over PPP link can happen at the same time, independently
212
PPP Bridge Control Protocol (BCP)
Setting up BCP
213
PPP Bridge Control Protocol (BCP)
PPP interfaces can utilize the PPP Multi-link Protocol to handle Ethernet frames
over a single physical link where multiple channels run on the same link.
214
215
PPP Bridge Control Protocol (BCP)
MRRU
To enable the PPP Multi-link Protocol over a single link you must specify the MRRU
option;
If both sides support this feature there is no need for MSS adjustment (in
firewall mangle);
MRRU is less CPU expensive than 2 mangle rules per client if you have more
than 30 clients.
216
PPtP and L2TP LABs
217
SSTP Tunnel
SSTP
SSTP is a way to transport a PPP tunnel over an SSL 3.0 channel. The use of SSL over
TCP port 443 allows SSTP to pass through virtually all firewalls and proxy servers.
218
SSTP Connection Mechanism
A TCP connection is established from client to server (by default on port 443);
SSL validates the server certificate. If the certificate is valid the connection is established,
otherwise the connection is torn down;
The client sends SSTP control packets within the HTTPS session, which
establishes the SSTP state machine on both sides;
PPP negotiation over SSTP. The client authenticates to the server and binds IP
addresses to the SSTP interface;
The SSTP tunnel is now established and packet encapsulation can begin.
219
Configuring SSTP
220
SSTP LAB Using Certificates
In this LAB, the central AP will be the SSTP server and all routers will be
clients.
Certificates should be installed and used.
221
SSTP LAB Using Certificates
Ask the teacher for the FTP IP address to download pre built Certificates
222
SSTP LAB Using Certificates
Your certificate, your key (ask the teacher for the key password) and the CA
certificate.
223
SSTP LAB Using Certificates
/system reset-configuration
225
hvala
grazie
gracias
obrigado
Edson Veloso Sergio Souza Wardner Maia
edson@mikrotikbrasil.com.br sergio@mikrotikbrasil.com.br maia@mikrotikbrasil.com.br
226