Managing and Monitoring
MUM EU 2019 Amsterdam | Patrik Schaub | © FMS Internetservice GmbH
RouterOS
Agenda
- Company introduction
- Network operation: the big picture
- Management approaches
- Network monitoring
- RouterOS monitoring
FMS Internetservice GmbH
- Value Added Distributor
  - Distribution
  - Training
  - Consulting
  - Support
- Founded 1997
- 11 employees
- Southern Germany
FMS Internetservice GmbH
- In-house training facility
- All certification levels
- First German-speaking training partner (TR11 & TR23)
- First MTCSA certified German distributor
See Training Schedule
The Challenge of Operation
- Growing number of devices
- More critical services
- Higher bandwidth (more packets)
- Heavy interconnection of sites
- Networks
  - become larger
  - become more complex
  - require higher availability
  - require effective security
Operational Tasks
- Management
- Inventory
- Maintenance
- Debugging
- Monitoring
Network Inventory Management
- The Dude
- Script-based database
- TR069
- CAPsMAN
Access to management
- The Dude
- Management VLAN
- RoMON
- CAPsMAN
Management technologies
- Webbox
- Winbox
- Terminal
- API
- TR069
- SNMP
- App
- CAPsMAN
General Tools
- Time / SNTP
- Watchdog
- Scripting & API
- Netwatch
- SSH keys
Maintenance
- RouterOS & bootloader updates
- Backup/Restore & Import-Export
Debugging (Router)
- Health
- History
- Local logging
- /system resource
- /system routerboard
- /tool profile
- Supout
Debugging (Traffic and Network)
- Neighbours
- Bandwidth test (old and new)
- Traffic generator
- Torch
- Ping, flood ping, ping speed
- Traceroute
- IP scan
- Packet sniffer (and TZSP streams)
- Port mirroring (switch chip)
Logging & 3rd Party Integration
- IP Accounting
- Traffic Flow (Netflow)
- SNMP
- Graphing
- Syslog
- TR069
Management Approaches
- Considerations
  - Security
  - Convenience
  - Efficiency
- Common approaches
  - Separate management and user traffic
  - Management VLAN
  - Tunneling payload (e.g. PPPoE)
  - Tunneling of management (VPN)
Management Approaches
- Central MikroTik tools
  - The Dude
  - CAPsMAN
  - Usermanager
- Detailed examples
  - RoMON
  - CLI/scripting (3rd party tools)
  - API (application programming interface)
RoMON
- Router Management Overlay Network
- Proprietary MikroTik protocol
- Device discovery
- Device access
- Layer-2 & layer-3 networks, without layer-3 routing
- Winbox support
RoMON + MAC Winbox vs. Neighbours + MAC Winbox
RoMON
- Creates an overlay network
- Only with MikroTik devices
- Not limited to the layer-2 broadcast domain
- Winbox: discovery and MAC connection
- Winbox: RoMON agent connection
- On ethernet-like interfaces (Ethernet, WLAN, EoIP, VLAN ...)

Neighbour discovery (MNDP)
- Uses the existing network
- Compatible with CDP and LLDP
- Limited to the layer-2 broadcast domain
- Winbox: discovery and MAC connection
Local Device Discovery across Routers
[Diagram: three subnets (192.0.2.0/24, 203.0.113.0/24, 198.51.100.0/24), each with RoMON enabled devices behind a RoMON enabled router; Winbox connects to a RoMON agent. Discovery with MNDP: connect by IP or MAC Winbox. Discovery with RoMON: connect by RoMON Winbox ("Connect to RoMON").]
RoMON Setup
- Enable RoMON
- Optional but recommended
  - Set ID manually
  - Use secret(s)
- Optional
  - Customize interface configuration
Winbox Discovery and RoMON Connection
[Screenshots with numbered callouts:
1. Devices within the layer-2 network discovered
2. Use router as RoMON agent
3. Connected to RoMON agent
4. Two hops to reach: RoMON discovery through the agent]
Local Device Discovery across Routers
[Diagram: subnets 192.0.2.0/24, 203.0.113.0/24, 198.51.100.0/24; Winbox, RoMON agent R1, RoMON enabled router R2; RoMON enabled devices A11, A12, A21, A22, A31, A32. Discovery with RoMON, connect by RoMON Winbox ("Connect to RoMON"). Callouts 1 and 2 mark the path to A32 as seen from agent R1.]
Remote RoMON Agent
- RoMON agent connection by IP
  - Across a layer-3 network
  - E.g. the internet
- Remote discovery and management
  - Branch offices
  - Customer networks
Remote Network Discovery
[Diagram: the operator's Winbox connects across the internet (INET) to the RoMON agent of Customer 1 (203.0.113.0/24) and of Customer 2 (198.51.100.0/24), each with RoMON enabled devices behind it. RoMON is disabled on the WAN port (eth5).]
Security Considerations
- Disable RoMON on WAN
- Don't enable Winbox on WAN
- Management VPN
  - VPN to reach the RoMON agent
  - RoMON to reach remote devices
- VLAN to limit RoMON locally
Hotspot Network Manager (HSNM)
- Commercial captive portal solution
- Tight MikroTik integration
  - Management
  - Monitoring
  - /import
  - Scripting host
  - Scheduler
- HSNM Gateway
  - MikroTik hotspot
  - WAN/LAN gateway
- HSNM Accesspoint
  - MikroTik WLAN access point
MikroTik Gateway Integration
Choosing Hardware and RouterOS Type
MikroTik Specific Settings: WAN
MikroTik Specific Settings: MAC Auth + Hotspot
Initial Configuration
- Download .rsc
- Upload to MikroTik
- /import
- Initial configuration
- Scripting environment
Scripting Environment
- Updating the MikroTik gateway configuration
  - Changes of the initial configuration are transferred to the gateway
- Importing data from HSNM
  - E.g. walled garden
- Exporting data to HSNM
  - E.g. User Manager accounts, GPS data
- Monitoring
  - Gateway and access point availability
Central Walled Garden
- Domain or gateway level
- Automatic import by script
Seamless Integration of legacy Solutions
[Diagram: a legacy ticket printer and a legacy 3rd party application create Usermanager accounts on the MikroTik hotspot gateway with Usermanager; the gateway exports the UM accounts to HSNM and deletes them locally. Numbered steps: (1) creating Usermanager accounts, (2) exporting UM accounts to HSNM, (3) deleting UM accounts locally.]
GPS based Maps and Tracking
- Script sends GPS location
  - Can be stored in HSNM
- Tracking of moving gateways
  - E.g. buses, trains, taxis
- Static GPS location
  - Can be entered in HSNM
- Visualisation of gateway location
Hotspot Network Manager (HSNM)
Manual Positioning on Floor Plans and Maps
- Manual positioning
  - Gateways & access points
  - Maps or plans
  - Coverage (in m)
[Screenshots: gateway and access point markers on a plan, access point context menu, direct web interface access for gateways and access points.]
Monitoring (HSNM)
- Availability and latency
- Captive portal related values
  - Bandwidth
  - Amount of transferred data
  - Number of connected users
  - Number of registrations
Get in Touch
Are you looking for a powerful captive portal solution?
+49 761 2926500 | [email protected] | Web form
Network Debugging
- Planning / checking firewall settings
- Networking problems
- Faulty client / server applications
- Things go wrong? Real insight is necessary
- Packet sniffing
  - De facto standard: Wireshark
  - RouterOS packet sniffer
MikroTik Packet Sniffer
- General settings
- Filter
- Start/Stop
- Results in CLI / Winbox
- Results in a file, analysed in Wireshark
- Streaming to Wireshark
Remote Packet Sniffing
[Diagram: the operator, across the internet (INET), receives the packet sniffer stream from a router in the Customer 1 network (198.51.100.0/24): locally analyse packets from a remote sniffer in real time.]
Sniffer Stream
- Enable "Stream"
- Set the Wireshark host IP
- Enable "Filter Stream"
- TZSP stream is sent
- Filter the stream in Wireshark: UDP port 37008
- Start the sniffer in Winbox
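The sniffer stream is plain TZSP over UDP 37008 (Wireshark decodes that port as TZSP by default, and `udp.port == 37008` isolates it). The following decoder is an added example, not code from the slides or from MikroTik: it parses the TZSP header and tag list, then summarises the encapsulated Ethernet/IPv4 frame, so a stream can be sanity-checked or logged without Wireshark. The datagram in `build_sample_datagram()` is constructed sample data, and `listen()` is only needed for a live stream.

```python
import socket
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional

TZSP_PORT = 37008             # UDP port the RouterOS sniffer streams to (from the slides)
TZSP_VERSION = 1
TZSP_TYPE_RECEIVED = 0        # "received tag list": a captured packet
TZSP_ENCAP_ETHERNET = 0x0001
TAG_PADDING, TAG_END = 0x00, 0x01   # the only two tags without a length byte
TAG_PACKET_COUNT = 0x28


@dataclass
class TzspPacket:
    kind: int
    encapsulation: int
    tags: Dict[int, bytes] = field(default_factory=dict)  # tag id -> raw value
    frame: bytes = b""                                    # encapsulated frame
    dst_mac: str = ""
    src_mac: str = ""
    ethertype: int = 0
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _ipv4(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_tzsp(datagram: bytes) -> TzspPacket:
    """Decode one TZSP datagram: 4-byte header, tagged fields, then the raw frame."""
    if len(datagram) < 4:
        raise ValueError("TZSP datagram shorter than the 4-byte header")
    version, kind, encap = struct.unpack("!BBH", datagram[:4])
    if version != TZSP_VERSION:
        raise ValueError(f"unsupported TZSP version {version}")
    pkt = TzspPacket(kind, encap)
    pos = 4
    while True:                      # walk the tag list up to the END tag
        if pos >= len(datagram):
            raise ValueError("TZSP tag list is not terminated")
        tag = datagram[pos]
        pos += 1
        if tag == TAG_END:
            break
        if tag == TAG_PADDING:
            continue
        if pos >= len(datagram):
            raise ValueError("truncated TZSP tag header")
        length = datagram[pos]
        pos += 1
        value = datagram[pos:pos + length]
        if len(value) != length:
            raise ValueError("truncated TZSP tag value")
        pkt.tags[tag] = value
        pos += length
    pkt.frame = datagram[pos:]
    # Minimal Ethernet/IPv4 decode so the stream can be summarised without Wireshark.
    if encap == TZSP_ENCAP_ETHERNET and len(pkt.frame) >= 14:
        pkt.dst_mac = _mac(pkt.frame[0:6])
        pkt.src_mac = _mac(pkt.frame[6:12])
        pkt.ethertype = struct.unpack("!H", pkt.frame[12:14])[0]
        if pkt.ethertype == 0x0800 and len(pkt.frame) >= 34:
            pkt.src_ip = _ipv4(pkt.frame[26:30])   # IPv4 header offset 12 within the frame
            pkt.dst_ip = _ipv4(pkt.frame[30:34])
    return pkt


def build_sample_datagram() -> bytes:
    """Constructed TZSP datagram (sample data, not a real capture): a packet-count tag,
    then an Ethernet frame carrying an IPv4/UDP packet from 10.10.0.55 to 10.10.0.22."""
    header = struct.pack("!BBH", TZSP_VERSION, TZSP_TYPE_RECEIVED, TZSP_ENCAP_ETHERNET)
    tags = bytes([TAG_PACKET_COUNT, 4]) + struct.pack("!I", 7) + bytes([TAG_END])
    eth = bytes.fromhex("000c42aabbcc") + bytes.fromhex("020000000001") + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 1, 0, 64, 17, 0,
                     bytes([10, 10, 0, 55]), bytes([10, 10, 0, 22]))
    udp = struct.pack("!HHHH", 40000, 514, 8, 0)
    return header + tags + eth + ip + udp


def listen(bind_ip: str = "0.0.0.0", port: int = TZSP_PORT) -> None:
    """Receive a live stream (blocking); each datagram is one sniffed frame."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_ip, port))
        while True:
            data, (src, _) = sock.recvfrom(65535)
            try:
                p = parse_tzsp(data)
            except ValueError as exc:
                print(f"bad TZSP datagram from {src}: {exc}")
                continue
            print(f"{src}: {p.src_mac} -> {p.dst_mac} type=0x{p.ethertype:04x} {p.src_ip} -> {p.dst_ip}")


if __name__ == "__main__":
    p = parse_tzsp(build_sample_datagram())
    print(p.src_mac, "->", p.dst_mac, p.src_ip, "->", p.dst_ip, "tags:", p.tags)
```

The decoder rejects unterminated or truncated tag lists instead of reading past the buffer, which matters because the stream arrives unauthenticated from whatever host the router was pointed at; anything not needed for the summary (the tag values themselves) is kept raw rather than interpreted.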
Traffic Flow
- Compatible with Netflow
- Statistical network information
  - Byte and packet counters
  - Source and destination IP addresses
  - Source and destination ports
- Top talkers
- Top protocols
- Utilisation
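The values listed above are exactly the fields of a NetFlow v5 record, and "top talkers", "top protocols" and "utilisation" are aggregations over them. As an added example (not from the slides or any collector named on them), the block below parses a NetFlow v5 export datagram and computes those three views; `build_sample_export()` is a constructed datagram with three flow records, not a real export.

```python
import struct
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple

V5_HEADER = struct.Struct("!HHIIIIBBH")                    # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")      # 48 bytes per flow
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


@dataclass
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    packets: int
    octets: int


def _ipv4(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_netflow_v5(datagram: bytes) -> List[Flow]:
    """Decode one NetFlow v5 datagram (header + up to 30 fixed-size records)."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than the NetFlow v5 header")
    version, count, *_ = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version {version})")
    if count > 30 or len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        (src, dst, _nexthop, _in_if, _out_if, pkts, octets, _first, _last,
         sport, dport, _pad1, _tcp_flags, proto, _tos, _src_as, _dst_as,
         _src_mask, _dst_mask, _pad2) = V5_RECORD.unpack_from(
            datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append(Flow(_ipv4(src), _ipv4(dst), sport, dport, proto, pkts, octets))
    return flows


def top_talkers(flows: List[Flow], n: int = 3) -> List[Tuple[str, int]]:
    """Bytes sent per source address, highest first."""
    totals = Counter()
    for f in flows:
        totals[f.src] += f.octets
    return totals.most_common(n)


def top_protocols(flows: List[Flow], n: int = 3) -> List[Tuple[str, int]]:
    """Bytes per IP protocol, highest first."""
    totals = Counter()
    for f in flows:
        totals[PROTO_NAMES.get(f.proto, str(f.proto))] += f.octets
    return totals.most_common(n)


def utilisation_mbps(flows: List[Flow], window_seconds: float) -> float:
    """Average utilisation implied by the exported flows over the export window."""
    return sum(f.octets for f in flows) * 8 / window_seconds / 1_000_000


def build_sample_export() -> bytes:
    """Constructed NetFlow v5 datagram with three records (sample data, not a real export)."""
    def rec(src, dst, sport, dport, proto, pkts, octets):
        return V5_RECORD.pack(bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))),
                              b"\0\0\0\0", 1, 2, pkts, octets, 0, 60_000, sport, dport,
                              0, 0x18, proto, 0, 0, 0, 24, 24, 0)
    records = [rec("10.10.0.55", "198.51.100.10", 51000, 443, 6, 1000, 1_200_000),
               rec("10.10.0.29", "198.51.100.10", 52000, 443, 6, 400, 300_000),
               rec("10.10.0.55", "10.10.0.22", 40000, 514, 17, 50, 5_000)]
    header = V5_HEADER.pack(5, len(records), 60_000, 1_554_105_600, 0, 0, 0, 0, 0)
    return header + b"".join(records)


if __name__ == "__main__":
    flows = parse_netflow_v5(build_sample_export())
    print("top talkers:", top_talkers(flows))
    print("top protocols:", top_protocols(flows))
    print(f"utilisation over 60 s: {utilisation_mbps(flows, 60):.3f} Mbit/s")
```

The length check before unpacking is the important part of a collector: flow exports are unauthenticated UDP, so a short or malformed datagram must be dropped, not allowed to raise from inside the record loop.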
Netflow Collector and Analysis
- ntop: the former free standard
  - Successor: ntop-ng
  - Requires the commercial nProbe to collect Netflow
- Alternative free and open-source collectors are available
  - E.g. as in the FMS Management Platform
[Screenshots: former ntop GUI; Netflow in the FMS Management Platform (details redacted).]
Local RouterOS Logging
- Source for network debugging = packets and packet statistics
- Source for device debugging = local status information
  - SNMP
  - Local logging
Log Output
Central Syslog
- External, central syslog server
  - Survives reboots / crashes
  - No tampering from the device
  - Better search
  - Correlation across devices
- Example: investigate a VRRP change
  - Involved: master, slave, crosslink switch
[Diagram "VRRP Setup": VRRP1, VRRP2, RSTP.]
FMS Management Platform
- Syslog, Netflow, SNMP traps ...
- MongoDB, Elasticsearch ...
- Central storage
- Powerful search
- Dashboards
- Alerts
- Enhanced MikroTik support
  - E.g. MikroTik MIB, log syntax

Remote Syslog Configuration
[Screenshot: RouterOS remote syslog configuration.]

WIFI Connects from Syslog across complete Network
[Screenshot: log search across devices 10.10.0.29 and 10.10.0.22; sample message:]
system,error,critical login failure for user admin from 10.10.0.55 via web
Enhanced Log Message Processing
- Make the syslog server understand the message
- Database fields
  - Search
  - Sorting
  - Analyse
- Login failure dashboard
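"Making the syslog server understand the message" means splitting the RouterOS text into fields that can be stored, searched and sorted. The block below is an added example, not code from the slides or from the FMS platform: it parses the login-failure message shown on the previous slide (and RouterOS' usual successful-login wording) into a record, turns it into a flat document for a store such as MongoDB or Elasticsearch, and aggregates failures per source the way a login-failure dashboard or alert would. The line layout `<timestamp> <device> <topics> <message>` is an assumed collector format, and `SAMPLE_LOG` is constructed sample data.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Message bodies: the login-failure wording is the one shown on the slide; the
# successful-login wording is RouterOS' usual "user X logged in from Y via Z" message.
LOGIN_FAILURE = re.compile(r"login failure for user (?P<user>\S+) from (?P<src>\S+) via (?P<method>\S+)")
LOGIN_SUCCESS = re.compile(r"user (?P<user>\S+) logged in from (?P<src>\S+) via (?P<method>\S+)")
# Assumed collector line layout (not RouterOS' own wire format):
# "<ISO timestamp> <device address> <topics> <message>"
LINE = re.compile(r"^(?P<ts>\S+) (?P<device>\S+) (?P<topics>[a-z]+(?:,[a-z]+)*) (?P<msg>.+)$")

# Constructed sample log lines (not a real capture).
SAMPLE_LOG = """\
2019-04-01T10:00:01 10.10.0.29 system,error,critical login failure for user admin from 10.10.0.55 via web
2019-04-01T10:00:03 10.10.0.29 system,error,critical login failure for user admin from 10.10.0.55 via web
2019-04-01T10:00:07 10.10.0.22 system,error,critical login failure for user admin from 10.10.0.55 via web
2019-04-01T10:00:09 10.10.0.22 system,info,account user admin logged in from 10.10.0.22 via winbox
2019-04-01T10:00:30 10.10.0.22 interface,info ether1 link up (speed 1G, full duplex)
2019-04-01T10:15:00 10.10.0.29 system,error,critical login failure for user operator from 192.0.2.7 via ssh
"""


@dataclass
class LoginEvent:
    ts: datetime
    device: str
    topics: List[str]
    user: str
    src: str
    method: str
    success: bool


def parse_line(line: str) -> Optional[LoginEvent]:
    """Split one collector line into database fields; None for non-login messages."""
    m = LINE.match(line.strip())
    if not m:
        return None
    hit, success = LOGIN_FAILURE.search(m["msg"]), False
    if hit is None:
        hit, success = LOGIN_SUCCESS.search(m["msg"]), True
    if hit is None:
        return None
    return LoginEvent(datetime.fromisoformat(m["ts"]), m["device"], m["topics"].split(","),
                      hit["user"], hit["src"], hit["method"], success)


def parse_log(text: str) -> List[LoginEvent]:
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev is not None]


def to_document(ev: LoginEvent) -> Dict:
    """Flat record for a document store (MongoDB, Elasticsearch): searchable and sortable."""
    doc = asdict(ev)
    doc["ts"] = ev.ts.isoformat()
    return doc


def failures_by_source(events: List[LoginEvent]) -> Counter:
    """Dashboard view: failed logins per source address."""
    return Counter(ev.src for ev in events if not ev.success)


def burst_sources(events: List[LoginEvent], threshold: int = 3,
                  window: timedelta = timedelta(minutes=5)) -> Set[str]:
    """Alert input: sources with >= threshold failures inside any sliding window."""
    by_src = defaultdict(list)
    for ev in events:
        if not ev.success:
            by_src[ev.src].append(ev.ts)
    flagged = set()
    for src, times in by_src.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.add(src)
                break
    return flagged


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for ev in events:
        print(to_document(ev))
    print("failures by source:", dict(failures_by_source(events)))
    print("burst sources:", burst_sources(events))
```

Because every device forwards to the same collector, the three failures for 10.10.0.55 are counted together even though they hit two different routers; that cross-device view is what local logging on each device cannot give.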
Get in Touch
Are you looking for centralised and MikroTik-aware logging?
Services: Central Logging, Training, Central Management, RouterOS Hosting, Consulting, Support, Service Contracts, Distribution
www.fmsweb.de | www.mikrotik-shop.de
Thank you!