Community discussions

MikroTik App
 
vogtdominik
just joined
Topic Author
Posts: 14
Joined: Fri Mar 22, 2019 2:39 pm

LLDP only works partially

Tue Dec 10, 2019 1:14 pm

We manage multiple mikrotik hotspots (router + accesspoint) and use LLDP to discover connected mikrotik accesspoints connected to the hotspot router. Generally speaking this works good for +1000 Hotspots.

Scenario (Router OS v6.46):
1x MikroTik CHR as SSTP.
1x MikroTik hEX PoE (is connected to MikroTik CHR via SSTP and recieves IP via DHCP-Client)
6x MikroTik wAP ac (each connected to the MikroTik hEX PoE (3x AP on Port 5))

We observe strange behaviour with LLDP where certain connected accesspoints are not listed, which we can not explain. In Neighbor-Discovery on Port 5 we only see 1 AP of the expected 3 AP.
1 of 3 ap.PNG

But when i look at the SSTP-Server, i easily see the connected AP in Neighbor-Discovery
ap in sstp-server.PNG

Now, when I change ARP mode in "management_vlan" from "enabled" to "proxy-arp" on MikroTik hEX suddenly all AP are visible. This will only last for ~180s, until the Age (s) Threshold is reached. Then the previously missing AP will be missing again.
3 of 3 ap.PNG

I am looking for a solution, so that LLDP will work correctly again. Does anyone know why this might occur?

MikroTik hEX PoE Settings:
/interface bridge
add fast-forward=no name=management_vpn
add comment=defconf name=hotspot_bridge protocol-mode=none
/interface vlan
add interface=hotspot_bridge name=managment_vlan vlan-id=420
/interface bridge port
add bridge=hotspot_bridge interface=ether2
add bridge=hotspot_bridge interface=ether3
add bridge=hotspot_bridge interface=ether4
add bridge=hotspot_bridge interface=ether5
add bridge=management_vpn interface=managment_vlan
/interface list
add comment="contains local interfaces" name=ether
add name=management_discovery
/interface list member
add interface=managment_vlan list=management_discovery
add interface=hotspot_bridge list=management_discovery
/ip neighbor discovery-settings
set discover-interface-list=management_discovery
/interface sstp-client
add connect-to=$RANDOMSSTPSERVER disabled=no name=manangement_sstp password=$RANDOMSSTPPASSWORD profile=vpn user=$RANDOMSSTPUSER
/ppp profile
add bridge=management_vpn name=vpn
/ip dhcp-client
add disabled=no interface=ether1
add add-default-route=no disabled=no interface=management_vpn
MikroTik wAP ac Settings
/interface bridge
add auto-mac=no name=bridge
/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=wlan1
add bridge=bridge interface=wlan2
/interface vlan
add interface=bridge name=management_vlan vlan-id=420
/ip neighbor discovery-settings print 
  discover-interface-list: !dynamic
/ip dhcp-client
add add-default-route=no disabled=no interface=management_vlan 
You do not have the required permissions to view the files attached to this post.
 
vogtdominik
just joined
Topic Author
Posts: 14
Joined: Fri Mar 22, 2019 2:39 pm

Re: LLDP only works partially

Wed Dec 11, 2019 3:15 pm

Anyone any hints?
 
pe1chl
Forum Guru
Forum Guru
Posts: 7372
Joined: Mon Jun 08, 2015 12:09 pm

Re: LLDP only works partially

Wed Dec 11, 2019 3:35 pm

Are you sure that all your MAC-addresses are unique? I.e. you never took the shortcut of configuring an AP by loading a backup made on another AP, or otherwise set the same MAC e.g. in virtual AP.
(same MAC on ether and VLAN is of course not a problem)
 
vogtdominik
just joined
Topic Author
Posts: 14
Joined: Fri Mar 22, 2019 2:39 pm

Re: LLDP only works partially

Wed Dec 11, 2019 4:15 pm

Are you sure that all your MAC-addresses are unique? I.e. you never took the shortcut of configuring an AP by loading a backup made on another AP, or otherwise set the same MAC e.g. in virtual AP.
(same MAC on ether and VLAN is of course not a problem)
All our devices are configured with the same .rsc via netinstall, that has no pre-definied/static mac address what so every. This should make sure, that it only uses unique mac-addresses that come with the hardware/router/device.
 
roncoruk
just joined
Posts: 1
Joined: Mon Feb 10, 2020 11:23 am

Re: LLDP only works partially

Mon Feb 22, 2021 4:21 pm

Hi,

Did you ever get to the bottom of this? We are having the same thing where the AP's only stay in the Neighbour discovery table for 180 seconds and then disappear. We are using Cisco AP's< Zyxel switches and then the Miktotik Routers. I can see the AP's in the Zyxel LLDP table and on the Controller but they only show up on the Mikrotik after a reboot of the AP or switch and then only for the 180 seconds.
 
pe1chl
Forum Guru
Forum Guru
Posts: 7372
Joined: Mon Jun 08, 2015 12:09 pm

Re: LLDP only works partially

Tue Feb 23, 2021 11:12 am

LLDP is not forwarded by (correctly working) switches. So what you observe would be normal: you do not see the LLDP info at a router connected to APs via a switch.
MikroTik has another protocol that provides this information (MNDP) which works at UDP level and it is forwarded by switches.
 
vogtdominik
just joined
Topic Author
Posts: 14
Joined: Fri Mar 22, 2019 2:39 pm

Re: LLDP only works partially

Tue Feb 23, 2021 4:07 pm

Unfortunately we did not solve this. We had to disable alerting for the mentioned AP.

Best wishes
Dominik
 
vogtdominik
just joined
Topic Author
Posts: 14
Joined: Fri Mar 22, 2019 2:39 pm

Re: LLDP only works partially

Tue Feb 23, 2021 4:13 pm

LLDP is not forwarded by (correctly working) switches. So what you observe would be normal: you do not see the LLDP info at a router connected to APs via a switch.
MikroTik has another protocol that provides this information (MNDP) which works at UDP level and it is forwarded by switches.
This seems reasonable.

But when I check LLDP/MNDP on the vpn-server the mikrotik router is connected, you will see the connected AP in neighbor discovery. Therefore the switch is forwarding LLDP. Because I do not fully understand how this protocol works, I can only mention what I'm observing on the devices in hope that somebody who does understand can give some hints on how to resolve this issue.
 
pe1chl
Forum Guru
Forum Guru
Posts: 7372
Joined: Mon Jun 08, 2015 12:09 pm

Re: LLDP only works partially

Tue Feb 23, 2021 5:02 pm

LLDP works only between a switch and its connected equipment.
MNDP works across a broadcast-capable network. So it can work on a local network (including across switches) and also over some but not all VPN networks.
(e.g. GRE, L2TP)
 
mkrsn
just joined
Posts: 1
Joined: Tue Apr 13, 2021 10:28 pm

Re: LLDP only works partially

Wed Apr 14, 2021 12:07 am

Same Problem here. LLDP looks totally broken right now.

This is roughly how my Network looks like. All Server are in the same VLAN. The mgmt interface from both switches is also in the same vlan.
layer1.png
sw01
[admin@sw01] > ip neighbor print
# INTERFACE ADDRESS                  MAC-ADDRESS       IDENTITY   VERSION    BOARD    
0 mgmt      x.x.x.101                00:1E:06:xx:xx:xx srv1   <--- partly broken. connected to ether1 not mgmt interface!
1 mgmt      x.x.x.102                00:1E:06:xx:xx:xx srv2   <--- partly broken. connected to ether2 not mgmt interface!
2 mgmt      x.x.x.103                00:1E:06:xx:xx:xx srv3   <--- partly broken. connected to ether3 not mgmt interface!
3 mgmt      x.x.x.104                00:1E:06:xx:xx:xx srv4   <--- partly broken. connected to ether4 not mgmt interface!
4 mgmt      x.x.x.105                00:1E:06:xx:xx:xx srv5   <--- partly broken. connected to ether5 not mgmt interface!
5 mgmt      x.x.x.251                CC:2D:E0:xx:xx:xx sw02   <--- partly correct. sw02 is connected on ether23 not mgmt!

[admin@sw01] > ip neighbor export verbose 
/ip neighbor discovery-settings
set discover-interface-list=!dynamic lldp-med-net-policy-vlan=disabled protocol=lldp
sw01 is not showing the firewall - tcpdump shows that there are LLDP PDUs send to sw01. Not sure why this entry is ignored. The fw is seeing sw01!

sw02
[admin@sw02] > ip neighbor print
# INTERFACE ADDRESS                  MAC-ADDRESS       IDENTITY   VERSION    BOARD    
0 mgmt      x.x.x.101                00:1E:06:xx:xx:xx srv1   <--- broken - not connected to sw02! Should not be here!
1 mgmt      x.x.x.102                00:1E:06:xx:xx:xx srv2   <--- broken - not connected to sw02! Should not be here!
2 mgmt      x.x.x.103                00:1E:06:xx:xx:xx srv3   <--- broken - not connected to sw02! Should not be here!
3 mgmt      x.x.x.104                00:1E:06:xx:xx:xx srv4   <--- broken - not connected to sw02! Should not be here!
4 mgmt      x.x.x.105                00:1E:06:xx:xx:xx srv5   <--- broken - not connected to sw02! Should not be here!
5 mgmt      x.x.x.250                6C:3B:6B:xx:xx:xx sw01   <--- partly correct. sw01 is connected on ether7 - not mgmt interface!

[admin@sw02] > ip neighbor export verbose
/ip neighbor discovery-settings
set discover-interface-list=!dynamic lldp-med-net-policy-vlan=disabled protocol=lldp

Firewall - lldpctl
fw ~ # lldpctl 
-------------------------------------------------------------------------------
LLDP neighbors:
-------------------------------------------------------------------------------
Interface:    eth0, via: LLDP, RID: 20, Time: 0 day, 00:44:40   <---- This is correct!
  Chassis:     
    ChassisID:    mac 6c:3b:6b:xx:xx:xx
    SysName:      sw01
    SysDescr:     MikroTik RouterOS 6.48.2 (stable) CRS326-24G-2S+
    ...
    Port:        
      PortID:       ifname br1/ether21
-------------------------------------------------------------------------------
Interface:    eth0, via: LLDP, RID: 24, Time: 0 day, 00:44:12   <---- This is broken. The firewall is not directly connected to srv1
  Chassis:     
    ChassisID:    mac 00:1e:06:xx:xx:xx
    SysName:      srv1
    SysDescr:     Gentoo/Linux Linux 5.10.23-gentoo #1 SMP Wed Mar 17 21:25:14 CET 2021 x86_64
    ...
-------------------------------------------------------------------------------
Interface:    eth0, via: LLDP, RID: 26, Time: 0 day, 00:44:11   <---- this is partly correct. Port makes no sense. mgmt is a virtual Interface
  Chassis:     
    ChassisID:    mac cc:2d:e0:xx:xx:xx
    SysName:      sw02
    SysDescr:     MikroTik RouterOS 6.48.2 (stable) CRS112-8G-4S
    ...
    Port:        
      PortID:       ifname mgmt
-------------------------------------------------------------------------------
Interface:    eth0, via: LLDP, RID: 20, Time: 0 day, 00:44:10   <---- This is totally broken - Why is sw01 (see above) twice in the List?
  Chassis:     
    ChassisID:    mac 6c:3b:6b:xx:xx:xx
    SysName:      sw01
    SysDescr:     MikroTik RouterOS 6.48.2 (stable) CRS326-24G-2S+
    ...
    Port:        
      PortID:       ifname mgmt
-------------------------------------------------------------------------------
Interface:    eth0, via: LLDP, RID: 21, Time: 0 day, 00:39:42   <---- This is broken. The firewall is not directly connected to srv2
  Chassis:     
    ChassisID:    mac 00:1e:06:xx:xx:xx
    SysName:      srv2
    SysDescr:     Gentoo/Linux Linux 5.10.23-gentoo #1 SMP Wed Mar 17 21:27:09 CET 2021 x86_64
    ...
-------------------------------------------------------------------------------
Interface:    eth0, via: LLDP, RID: 22, Time: 0 day, 00:39:42   <---- This is broken. The firewall is not directly connected to srv3
  Chassis:     
    ChassisID:    mac 00:1e:06:xx:xx:xx
    SysName:      srv3
    SysDescr:     Gentoo/Linux Linux 5.10.23-gentoo #1 SMP Wed Mar 17 21:27:09 CET 2021 x86_64
    ...
-------------------------------------------------------------------------------
Interface:    eth0, via: LLDP, RID: 23, Time: 0 day, 00:39:42   <---- This is broken. The firewall is not directly connected to srv4
  Chassis:     
    ChassisID:    mac 00:1e:06:xx:xx:xx
    SysName:      srv4
    SysDescr:     Gentoo/Linux Linux 5.10.23-gentoo #1 SMP Wed Mar 17 21:27:09 CET 2021 x86_64
    ...
-------------------------------------------------------------------------------
Interface:    eth0, via: LLDP, RID: 25, Time: 0 day, 00:39:42   <---- This is broken. The firewall is not directly connected to srv5
  Chassis:     
    ChassisID:    mac 00:1e:06:xx:xx:xx
    SysName:      srv5
    SysDescr:     Gentoo/Linux Linux 5.10.23-gentoo #1 SMP Wed Mar 17 21:27:09 CET 2021 x86_64
    ...
-------------------------------------------------------------------------------
Interface:    eth2, via: LLDP, RID: 19, Time: 0 day, 00:44:54   <---- This is correct
  Chassis:     
    ChassisID:    mac c4:ad:34:xx:xx:xx
    SysName:      gw
    SysDescr:     MikroTik RouterOS 6.48.2 (stable) RB760iGS
    ...
      Port:        
        PortID:       ifname ether5
-------------------------------------------------------------------------------

srv2 - this all also happens on srv1,3-5
srv2 ~ # lldpctl 
-------------------------------------------------------------------------------
LLDP neighbors:
-------------------------------------------------------------------------------
Interface:    enp2s0, via: LLDP, RID: 16, Time: 0 day, 01:26:05  <---- This is correct
  Chassis:     
    ChassisID:    mac 6c:3b:6b:xx:xx:xx
    SysName:      sw01
    SysDescr:     MikroTik RouterOS 6.48.2 (stable) CRS326-24G-2S+
    ...
  Port:        
    PortID:       ifname br1/ether1
-------------------------------------------------------------------------------
Interface:    enp2s0, via: LLDP, RID: 19, Time: 0 day, 01:25:36  <---- broken
  Chassis:     
    ChassisID:    mac 00:1e:06:xx:xx:xx
    SysName:      srv1
    SysDescr:     Gentoo/Linux Linux 5.10.23-gentoo #1 SMP Wed Mar 17 21:25:14 CET 2021 x86_64
    ...
-------------------------------------------------------------------------------
Interface:    enp2s0, via: LLDP, RID: 21, Time: 0 day, 01:25:35  <---- broken
  Chassis:     
    ChassisID:    mac cc:2d:e0:xx:xx:xx
    SysName:      sw02
    ...
    Port:        
      PortID:       ifname mgmt
-------------------------------------------------------------------------------
Interface:    enp2s0, via: LLDP, RID: 16, Time: 0 day, 01:25:34  <---- totally broken - second entry - mgmt interface
  Chassis:     
    ChassisID:    mac 6c:3b:6b:xx:xx:xx
    SysName:      sw01
    SysDescr:     MikroTik RouterOS 6.48.2 (stable) CRS326-24G-2S+
    ...
    Port:        
      PortID:       ifname mgmt
-------------------------------------------------------------------------------
Interface:    enp2s0, via: LLDP, RID: 17, Time: 0 day, 01:21:06  <---- broken
  Chassis:     
    ChassisID:    mac 00:1e:06:xx:xx:xx
    SysName:      srv4
    SysDescr:     Gentoo/Linux Linux 5.10.23-gentoo #1 SMP Wed Mar 17 21:27:09 CET 2021 x86_64
    ...
-------------------------------------------------------------------------------
Interface:    enp2s0, via: LLDP, RID: 18, Time: 0 day, 01:21:06  <---- broken
  Chassis:     
    ChassisID:    mac 00:1e:06:xx:xx:xx
    SysName:      srv3
    SysDescr:     Gentoo/Linux Linux 5.10.23-gentoo #1 SMP Wed Mar 17 21:27:08 CET 2021 x86_64
    ...
-------------------------------------------------------------------------------
Interface:    enp2s0, via: LLDP, RID: 20, Time: 0 day, 01:21:06  <---- broken
  Chassis:     
    ChassisID:    mac 00:1e:06:xx:xx:xx
    SysName:      srv5
    SysDescr:     Gentoo/Linux Linux 5.10.23-gentoo #1 SMP Wed Mar 17 21:27:09 CET 2021 x86_64
    ...

Even when i disable LLDP (set discover-interface-list=none) on sw01, i still see all Devices on all other Devices. This should not happen.

I would expect the following:

- sw01 should only list fw, srv1-5, sw02 on their respective physical interface
- sw02 should only list sw01 on the physical interface
- fw should only list gw, sw01
- srv2 should only list sw01



Greetings
Matthias
You do not have the required permissions to view the files attached to this post.
Last edited by mkrsn on Wed Apr 14, 2021 12:18 am, edited 3 times in total.

Who is online

Users browsing this forum: Bing [Bot], DragonQ, drupol and 173 guests