Routing Training Course

7/28/2019 Routing Training Course

1/93

MikroTik RouterOS

Training

Routing


2/93

MikroTik 2008 2

Schedule

09:00 10:30 Morning Session I10:30 11:00 Morning Break

11:00 12:30 Morning Session II

12:30 13:30 Lunch Break13:30 15:00 Afternoon Session I

15:00 15:30 Afternoon Break

15:30 17:00 (18.00) Afternoon Session II


3/93

MikroTik 2008 3

Instructors


4/93

MikroTik 2008 4

Housekeeping

Course materialsRouters, cables

Break times and lunch

Restrooms and smoking area locations


5/93

MikroTik 2008 5

Course Objective

Provide thorough knowledge and hands-ontraining for MikroTik RouterOS basic andadvances routing capabilities for small and

medium size networksUpon completion of the course you will be ableto plan, implement, adjust and debug routedMikroTik RouterOS network configurations.


6/93

MikroTik 2008 6

Introduce Yourself

Please, introduce yourself to the classYour name

Your Company

Your previous knowledge about RouterOSYour previous knowledge about networking

What do you expect from this course?

Please, remember your class XY number.(X is number of the row, Y is your seat number in the row)

My number is:_________


7/93

MikroTik 2008 7

Class Setup Lab

Create an 192.168.XY.0/24 Ethernet networkbetween the laptop (.1) and the router (.254)

Connect routers to the AP SSID ap_rb532

Assign IP address 10.1.1.XY/24 to the wlan1Main GW and DNS address is 10.1.1.254

Gain access to the internet from your laptops

via local routerCreate new user for your router and changeadmin access rights to read


8/93

MikroTik 2008 8

Class Setup


9/93

MikroTik 2008 9

Class setup Lab (cont.)

Set system identity of the board and wirelessradio name to XY_. Example:00_Janis

Upgrade your router to the latest MikrotikRouterOS version 3.x

Upgrade your Winbox loader version

Set up NTP client use 10.1.1.254 as server

Create a configuration backup and copy it tothe laptop (it will be default configuration)


10/93

MikroTik 2008 10

Simple Routing

Distance, Policy Routing, ECMP, Scope,

Dead-End and Recursive Next-HopResolving


11/93

MikroTik 2008 11

Simple Static Route

Only one gateway fora single network

More specific routesin the routing tablehave higher prioritythan less specific

Route with destination

network 0.0.0.0/0basically meanseverything else


12/93

MikroTik 2008 12

Simple Routing Lab

Ask teacher to join you in a group of 4 andassign specific group number Z

Use any means necessary (cables, wireless) tocreate IP network structure from the next slide

Remove any NAT (masquerade) rules from yourrouters

By using simple static routes only ensure

connectivity between laptops


13/93

MikroTik 2008 13

IP Network Structure

192

.168

.Z.192

/26

192.16

8.Z.64

/26

192.168.Z.128/26

192.168.Z.0/26

10.10.Z.0/30

To Main AP

To LaptopTo Laptop

To Laptop

To Laptop

Z your group number


14/93

MikroTik 2008 14

Questions!

Is it possible to manually create routes that willensure

load balancing

failover

best path

Is it possible to create routes in this situation?

Lets take a look!


15/93

MikroTik 2008 15

ECMP Routes

ECMP (Equal CostMulti Path) routeshave more than onegateway to the same

remote networkGateways will beused in Round Robinper SRC/DSTaddress combination

Same gateway can bewritten several times!!


16/93

MikroTik 2008 16

Check-gateway Option

You can set router to check gatewayreachability using ICMP (ping) or ARP protocols

If gateway is unreachable in a simple route the route will become inactive

If one gateway is unreachable in an ECMProute, only the reachable gateways will be usedin the Round Robin algorithm

If Check-gateway option is enabled on oneroute it will affect all routes with that gateway.


17/93

MikroTik 2008 17

ECMP Lab

To avoid routing loopsOnly one participant creates ECMP to every192.168.XY.0/24 network with check-gateway

Other participants adjust simple routes to reach

each other without routes though the first participant

Check the redundancy

Use traceroute to examine the setup

Use Undo to get back pre-lab configuration -only then proceed to next participant andstart over


18/93

MikroTik 2008 18

Configuration Example


19/93

MikroTik 2008 19

Distance Option

To prioritize one route over another, if they bothpoint to the same network, using distanceoption.

When forwarding a packet, the router will usethe route with the lowest distance and reachablegateway


20/93

MikroTik 2008 20

Route Distance Lab

Create 2 separate routes for each participantslocal network:

One route clockwise with Distance=1

One route anticlockwise with Distance=2

Check the redundancy by disabling clockwisegateway IP addresses



21/93

MikroTik 2008 21

Route Distance LabTo Main AP

To Laptop

To Laptop

To Laptop

To Laptop

BACKUPLINK


22/93

MikroTik 2008 22



23/93

MikroTik 2008 23

Observed Behaviour

Traffic has no problems to pass clockwise

In the case of check-gateway failure onlyaffected router will pass traffic anticlockwise every other router will continue to send itclockwise

Solution:

If traffic starts to go anticlockwise, it should berouted anticlockwise until it reaches destination


24/93

MikroTik 2008 24

Routing Mark

To assign specific traffic to the route trafficmust be identified by routing mark

Routing marks can be assigned by IP firewallmangle facility only in chains prerouting and

output

Packets with the routing mark will be ignored bymain routing table, if there is at least one route

for that routing mark (if none main routing tablewill be used)

Each packet can have only one routing mark


25/93

MikroTik 2008 25

Routing Policy Lab

Mark all traffic that passes the router (chainprerouting) in anticlockwise direction

Create a route for marked traffic (use routing-mark option) and send it in anticlockwise

direction

Check the redundancy by disabling clockwisegateway IP addresses



26/93

MikroTik 2008 26

Mark Routing Rule Example


27/93

MikroTik 2008 27



28/93

MikroTik 2008 28

Time To Live (TTL)

TTL is a limit of Layer3 devices that IP packetcan experience before it should be discarded

TTL default value is 64 and each router reducevalue by one just before forwarding decision

TTL can be adjusted in IP firewall mangefacility

Router will not pass traffic to the next device if itreceives IP packet with TTL=1

Useful application: eliminate possibility forclients to create masqueraded networks


29/93

MikroTik 2008 29

Changing TTL


30/93

MikroTik 2008 30

Recursive Next-hop Resolving

It is possible to specify gateway to network evenif gateway is not directly reachable by usingrecursive next-hop resolving from any existingroute

Useful for setups where middle section betweenyour router and the gateway is not constant(iBGP for example)

One route must be in scope of other route forrecursive next-hop resolving to work


31/93

MikroTik 2008 31

Scope/Target-Scope

Route's scope contains all routes that scopevalue is less or equal to its target-scope value

Example:

0 ADC dst-address=1.1.1.0/24 pref-src=1.1.1.1interface=ether1 scope=10 target-scope=0

1 A S dst-address=2.2.2.0/24 gateway=1.1.1.254interface=ether1 scope=30 target-scope=10

2 A S dst-address=3.3.3.0/24 gateway=2.2.2.254interface=ether1 scope=30 target-scope=30


32/93

MikroTik 2008 32


33/93

MikroTik 2008 33

Other Options

Type option allows to create dead-end(blackhole/prohibit/unreachable)routes to blocksome networks to be routed further in thenetwork

Preferred Source option points preferredrouter source address for locally originatedpackets


34/93

MikroTik 2008 34

Clean-up Lab

Delete all mangle rulesDelete all IP routes

Leave all IP addresses and network structure

intact


35/93

MikroTik 2008

O p e n S h o r t e s t P a t h F i r s t

(OSP F)

Areas, Costs, Virtual links,

Route Redistribution and Aggregation

OSPF P t l


36/93

MikroTik 2008 36

OSPF Protocol

Open Shortest Path First protocol uses alink-state and Dijkstra algorithm to build andcalculate the shortest path to all knowndestination networks

OSPF routers use IP protocol 89 forcommunication with each other

OSPF distributes routing information betweenthe routers belonging to a single autonomoussystem (AS)

A t S t (AS)


37/93

MikroTik 2008 37

Autonomous System (AS)

An autonomous system is a collection of IPnetworks and routers under the control of oneentity (OSPF, iBGP ,RIP) that presents acommon routing policy to rest of the network

AS is identified by 16 bit number (0 - 65535)Range from 1 to 64511 for use in the Internet

Range from 64512 to 65535 for private use

OSPF Areas


38/93

MikroTik 2008 38

OSPF Areas

OSPF allows collections of routers to begrouped together (


39/93

MikroTik 2008 39

OSPF AS

AreaArea

Area Area

Router Types


40/93

MikroTik 2008 40

Router Types

Autonomous System Border Router (ASBR) - arouter that is connected to more than one AS.

An ASBR is used to distribute routes received fromother ASes throughout its own AS

Area Border Router (ABR) - a router that isconnected to more than one OSPF area.

An ABR keeps multiple copies of the link-statedatabase in memory, one for each area

Internal Router (IR) a router that is connectedonly to one area

OSPF AS


41/93

MikroTik 2008 41

AreaArea

Area Area

ABR

ASBR

ABR

ASBR

ABR

OSPF AS

Backbone Area


42/93

MikroTik 2008 42

Backbone Area

The backbone area (area-id=0.0.0.0) forms thecore of an OSPF network

The backbone is responsible for distributingrouting information between non-backbone

areasEach non-backbone area must be connected tothe backbone area (directly or using virtuallinks)

Virtual Links


43/93

MikroTik 2008 43

Virtual Links

Also Used to connect two parts of a partitionedbackbone area through a non-backbone area

Used to connectremote areas tothe backbonearea through anon-backbonearea

OSPF AS


44/93

MikroTik 2008 44

Virtual Link

ASBR

area-id=0.0.0.1

area-id=0.0.0.0

area-id=0.0.0.2 area-id=0.0.0.3

OSPF AS

OSPF Areas


45/93

MikroTik 2008 45

OSPF Areas

OSPF Networks


46/93

MikroTik 2008 46

OSPF Networks

You should use exact networks from routerinterfaces (do not aggregate them)

It is necessaryto specifynetworks andassociatedareas where tolook for otherOSPF routers

OSPF Neighbour States


47/93

MikroTik 2008 47

OSPF Neighbour States

Full: link statedatabasescompletelysynchronized

2-Way:bidirectionalcommunicationestablished

Down,Attempt,Init,Loading,ExStart,Exchange:not completely running!

OSPF Area Lab


48/93

MikroTik 2008 48

OSPF Area Lab

Create your own area

area name Area

area-id=0.0.0.

Assign networks to the areas

Check your OSPF neighbors and routing tables

Owner of the ABR should also configure

backbone area and networks

Main AP should be in ABR's OSPF neighbor list

OSPF Settings


49/93

MikroTik 2008 49

OSPF Settings

Router ID can be left as 0.0.0.0 then largest IPaddress assigned to the router will be used

Router IDmust beuniquewithin theAS

What to Redistribute?


50/93

MikroTik 2008 50

What to Redistribute?

1

3

{5

2

}

2

4

Default route is not considered as static route

Redistribution Settings


51/93

MikroTik 2008 51

Redistribution Settings

if-installed - send the default route only if it has

been installed (static, DHCP, PPP, etc.)

always - always send the default route

as-type-1 remote routing decision to this

network will be made based on the sum of theexternal and internal metrics

as-type-2 remote routing decision to this

network will be made based only on externalmetrics (internal metrics will become trivial)

External Type 1 Metrics


52/93

MikroTik 2008 52

ASBR

Cost=10

Cost=10

Cost=10

Cost=10

Cost=10

Source

Cost=10

Cost=9Destination

Total Cost=40

Total Cost=49




53/93

MikroTik 2008 53

ASBR

Costtrivial

Costtrivial

Costtrivial

Costtrivial

Costtrivial

Source

Cost=10

Cost=9

Destination

Total Cost=10

Total Cost=9

te a ype et cs

Redistribution Lab


54/93

MikroTik 2008 54

Enable type 1 redistribution for all connected

routes

Take a look at the routing table

Add one static route to 172.16.XY.0/24 network

Enable type 1 redistribution for all static routes

Take a look at the routing table

Interface Cost


55/93

MikroTik 2008 55

Choose correct network type for the interface

All interfaces

have defaultcost of 10

To overridedefault setting

you should addnew entry ininterface menu

Designated Routers


56/93

MikroTik 2008 56

g

To reduce OSPF traffic in NBMA and broadcast

networks, a single source for routing updateswas introduced - Designated Router (DR)

DR maintains a complete topology table of the

network and sends the updates to the othersRouter with the highest priority (previous slide)will be elected as DR

Router with next priority will be elected asBackup DR (BDR)

Router with priority 0 will never be DR or BDR

OSPF Interface Lab


57/93

MikroTik 2008 57

Choose correct network type for all OSPF

interfaces

Assign costs (next slide) to ensure one waytraffic in the area

Check your routing table for ECMP routes

Assign necessary costs so backup link will beused only when some other link fails

Check OSPF network redundancy!

Ensure ABR to be DR your area, but not inbackbone area

Costs


58/93

MikroTik 2008 58

To Main AP

To Laptop

To Laptop

To Laptop

To Laptop

ABR

BACKUPLINK

100

100

100

100

10

10

10

10

??????

NBMA Neighbors


59/93

MikroTik 2008 59

For non-broadcast

networks it isnecessary tospecify neighborsmanually

The priority determines the neighbor chance tobe elected as a Designated router

Stub Area


60/93

MikroTik 2008 60

A stub area is an areawhich does notreceive AS externalroutes.

Typically all routes toexternal AS networkscan be replaced byone default route. -

this route will becreated automaticallydistributed by ABR

Stub area (2)


61/93

MikroTik 2008 61

Inject Summary LSA option allows to collect

separate backbone or other area router LinkState Advertisements (LSA) and inject it to thestub area

Enable Inject Summary LSA option only onABR

Inject Summary LSA is not a routeaggregation

Inject Summary LSA cost is specifiedbyDefault area cost option

Not-So-Stubby Area (NSSA)


62/93

MikroTik 2008 62

NSSA is a type ofstub

area that is able totransparently inject ASexternal routes to thebackbone.

Translator role optionallow to control whichABR of the NSSA area

will act as a relay fromASBR to backbonearea

OSPF AS


63/93

MikroTik 2008 63

Virtual Link

ASBR

area-id=0.0.0.1

area-id=0.0.0.0

area-id=0.0.0.2 area-id=0.0.0.3

NSSA Stub

defaultdefault

Area Type Lab


64/93

MikroTik 2008 64

Set your area type to stub

Check your routing table for changes!

Make sure that default route redistribution on

the ABR is set to never

Set Inject Summary LSA option

on the ABR to enableon the IR to disable

Passive interfaceIt i t


65/93

MikroTik 2008 65

Passive option allow you to disable OSPFHello protocol on client interfaces

It is necessary toassign clientnetworks to thearea or else stubarea will consider

those networks asexternal.

It is a securityissue!!!

Area Ranges


66/93

MikroTik 2008 66

Address ranges are used to aggregate

(replace) network routes from within the areainto one single route or delete them

It is possible toassign specific

cost toaggregate route

Route Aggregation Lab


67/93

MikroTik 2008 67

Advertise only one 192.168.Z.0/24 route

instead of four /26 (192.168.Z.0/26, 192.168.Z.64/26,192.168.Z.128/26, 192.168.Z.192/26) into the backbone

Stop advertising backup network to the

backboneCheck the Main AP's routing table

Summary


68/93

MikroTik 2008 68

For securing your OSPF network

Use authentication keys (for interfaces and areas)

Use highest priority (255) to designated router

Use correct network types for the area

To increase performance of OSPF network

Use correct area types

Use route aggregation as much as possible

OSPF and Dynamic VPN Interfaces


69/93

MikroTik 2008 69

Each dynamic VPN interface

creates a new /32 Dynamic, Active, Connected(DAC) route in the routing table when appears

removes that route when disappears

Problems:Each of these changes results in OSPF update, ifredistribute-connected is enabled (update flood inlarge VPN networks)

OSPF will create and send LSA to each VPNinterface, if VPN network is assigned to any OSPFarea (slow performance)

Type stub PPPoE area


70/93

MikroTik 2008 70

ABR

PPPoE

server

PPPoE

server

Area type = stub

Area1

~250 PPPoE clients

~ 100 PPPoE

clients

Type default PPPoE area


71/93

MikroTik 2008 71

ABRPPPoE

server

PPPoEserver

Area type = default

Area1

~250 PPPoE

clients

~ 100 PPPoE

clients

PPPoE area Lab (discussion)


72/93

MikroTik 2008 72

Give a solution for each problem mentioned

previously if used area type is stub

Try to find a solution for each problemmentioned previously if used area type isdefault

OSPF Routing Filters


73/93

MikroTik 2008 73

The routing filters may be applied to incoming

and outgoing OSPF routing update messagesChain ospf-in for all incoming routing updatemessages

Chain ospf-out for all outgoing routing updatemessages

Routing filters can manage only external OSPFroutes (routes for the networks that are not

assigned to any OSPF area)

Routing Filters


74/93

MikroTik 2008 74

Routing Filters and VPN


75/93

MikroTik 2008 75

It is possible to create a routing filter rule to

restrict all /32 routes from getting into the OSPF

It is necessary to have one aggregate route tothis VPN network :

By having address from the aggregate VPNnetwork to the any interface of the router

Suggestion: place this address on the interface whereVPN server is running

Suggestion: use network address, the clients will not beable to avoid your VPN service then

By creating static route to the router itself

Routing filters Rule


76/93

MikroTik 2008 76


77/93

MikroTik 2008

R o u t i n g a n d p o i n t -t o -p o in t

i n t e r f a c eVLA N , IP I P , EO IP ,p o i n t -t o -p o i n t a d d r e s s i n g

Virtual LAN (802.1Q)


78/93

MikroTik 2008 78

Virtual LAN (VLAN) allows network devices tobe grouped into independent subgroups even ifthey are located on the same LAN segment

For routers to communicate the VLAN ID must

be the same for VLAN interfacesPorts on the router supports multiple (up to250) Virtual LANs on a single ethernetinterface

VLAN can be configurated over other VLANinterface - Q-in-Q (from 802.1Q)

VLAN Example


79/93

MikroTik 2008 79

vlan1: 1.1.1.1/24

Any EthernetNetwork

vlan2: 2.2.2.1/24vlan3: 3.3.3.1/24

1.1.1.0/242.2.2.0/24

3.3.3.0/24

Creating VLAN Interface


80/93

MikroTik 2008 80

VLAN on Switch


81/93

MikroTik 2008 81

VLAN-compliant switch ports can be assigned

to one or several groups based on VLAN tag

Switch port in each group can be set to

Tagged mode allows to add group's VLAN tag on

transmit and allows to receive frames with this tagUntagged mode allows to remove this groupVLAN tag on transmit, and allows to receive onlyuntagged packets

port have no relation to this group

Trunk port - tagged port for several VLANgroups

VLAN Lab


82/93

MikroTik 2008 82

Restore default backup

Create the group of 4

Connect together using wireless - one AP, 3clients

Create VLAN link to each participant

Assign /30 networks to VLAN links and checkthem

IPIP


83/93

MikroTik 2008 83

IP protocol 4/IPIP allows to create tunnel by

encapsulating IP packets in IP packets andsending over to another router

IPIP is Layer-3 tunnel it can not be bridged

RouterOS implements IPIP tunnels accordingto RFC 2003 it should be compatible withother vendor IPIP implementations

To create a tunnel you must specify address of

the local and remote router on both sides of thetunnel

Creating IPIP Interface


84/93

MikroTik 2008 84

IPIP Lab


85/93

MikroTik 2008 85

Replace all VLANs (from previous lab) with IPIP

tunnels

Check that you are able to ping remote addressbefore creating a tunnel to it

Assign /30 IP addresses (from previous lab) toIPIP interfaces and check all tunnels

/30 AddressingP2P int2: 2 2 2 2/30


86/93

MikroTik 2008 86

Tunnel1: 1.1.1.1/30

Any IPnetwork

(LAN, WAN, Internet)Tunnel2: 2.2.2.1/30

Tunnel3: 3.3.3.1/30

P2P_int3: 3.3.3.2/30P2P_int2: 2.2.2.2/30

P2P_int1: 1.1.1.2/30

Point-to-point Addressing

P i t t i t dd i tili l t IP


87/93

MikroTik 2008 87

Point-to-point addressing utilizes only two IPs

per link while /30 utilizes four IPs

There is no broadcast address, but networkaddress must be set manually to the opposite IP

address. Example:Router1: address=1.1.1.1/32, network=2.2.2.2

Router2: address=2.2.2.2/32, network=1.1.1.1

There can be identical /32 addresses on the

router each address will have differentconnected route

Point-to-point Addressing

P2P int3: 4 4 4 4/32P2P int2: 3 3 3 3/32


88/93

MikroTik 2008 88

P2P_int1: 1.1.1.1/32Any IP network(LAN, WAN, Internet)P2P_int2: 1.1.1.1/32

P2P_int3: 1.1.1.1/32

P2P_int3: 4.4.4.4/32P2P_int2: 3.3.3.3/32

P2P_int1: 2.2.2.2/32

Network: 1.1.1.1Network: 1.1.1.1

Network: 1.1.1.1

Network: 2.2.2.2

Network: 3.3.3.3

Network: 4.4.4.4

Addressing Lab

R l ll /30 dd IPIP i t f


89/93

MikroTik 2008 89

Replace all /30 addresses on IPIP interfaces

(from previous lab) with /32 point-to-pointaddresses.

Ensure that every other participant will be able

to ping you by IP address XY.XY.XY.XY via allIPIP tunnels

Analyse how much IP addresses were utilizedon IPIP tunnels for whole group setup!

Ethernet Over IP (EOIP) Tunnel

IP protocol 47/GRE allo s to create t nnel b


90/93

MikroTik 2008 90

IP protocol 47/GRE allows to create tunnel by

encapsulating Ethernet frames in IP packetsand sending over to another router

MikroTik proprietary protocol

EOIP is Layer-2 tunnel it can be bridged

To create a tunnel you must specify remoterouter's address and choose unique Tunnel ID

Check that your EOIP interface have differentMAC-address than on opposite side.

Creating EoIP Tunnel


91/93

MikroTik 2008 91

EOIP and Bridging


92/93

MikroTik 2008 92

Any IP network(LAN, WAN, Internet)

Bridge

Local network192.168.0.101/24 - 192.168.0.255/24

Local network192.168.0.1/24 - 192.168.0.100/24

Bridge

EoIP Lab

Replace all IPIP tunnels (from previous lab) with


93/93

MikroTik 2008 93

Replace all IPIP tunnels (from previous lab) with

EOIP tunnelsCheck that you are able to ping remote addressbefore creating a tunnel to it

Bridge all EoIP interfaces with local interfaceCheck Winbox Loader neighbour discoveryfeature (... button)

Routing Training Course

Documents

Transcript of Routing Training Course