Manual:Tools/RoMON

From MikroTik Wiki
Jump to navigation Jump to search

Overview

This page contains information about RoMON feature in RouterOS. RoMON stands for "Router Management Overlay Network". RoMON works by establishing independent MAC layer peer discovery and data forwarding network. RoMON packets are encapsulated with EtherType 0x88bf and dst-MAC 01:80:c2:00:88:bf and its network operates independently from L2 or L3 forwarding configuration. When RoMON is enabled, any received RoMON packets will not be displayed by sniffer or torch tools.

Each router on RoMON network is assigned its RoMON ID. RoMON ID can be selected from port MAC address or specified by user.

RoMON protocol does not provide encryption services. Encryption is provided at "application" level, by e.g. using ssh or by using secure winbox.

Configuration

In order for device to participate in RoMON network RoMON feature must be enabled and ports that participate in RoMON network must be specified.

RoMON feature is configured in /romon menu at version 6.28 and under /tool romon menu after version 6.28. It contains the following settings:

Property Description
enabled (yes | no; Default: no) Disable or enable RoMON feature
id (MAC address; Default: 00:00:00:00:00:00) MAC address to use as ID of this router

When RoMON is enabled and ID is automatically selected, ID is reported in menu info:

Version 6.28:

[admin@R3] > romon print
       ;;; RoMON running, ID 00:33:00:00:00:02
  enabled: yes
       id: 00:00:00:00:00:00

After version 6.28:

[admin@R3] > tool romon print       
   enabled: yes
        id: 00:00:00:00:00:00
   secrets:
current-id: 00:33:00:00:00:02

Ports that participate in RoMON network are configured in romon port menu. Port list is a list of entries that match either specific port or all ports and specifies if matching port(s) is forbidden to participate in RoMON network and in case port is allowed to participate in RoMON network entry also specifies port cost. Note that all specific port entries have higher priority than the wildcard entry with interface=all.

For example, the following list specifies that all ports except ether1 participate in RoMON network with cost 100:

Version 6.28:

[admin@R1] /romon port print
Flags: X - disabled, D - dynamic 
 #    INTERFACE                                                                 FORBID       COST
 0    ether1                                                                    yes           100
 1    all                                                                       no            100

After version 6.28:

[admin@R1] /tool romon port print
Flags: X - disabled, D - dynamic 
 #    INTERFACE                                                                 FORBID       COST
 0    ether1                                                                    yes           100
 1    all                                                                       no            100

By default one wildcard entry with forbid=no and cost=100 is created.

Secrets

RoMON protocol secrets are used for message authentication, integrity check and replay prevention by means of hashing message contents with MD5.

For each interface, if interface specific secret list is empty, global secret list is used.

When sending out, messages are hashed with first secret in list if list is not empty and first is not "empty secret" (empty string = ""), otherwise messages are sent unhashed.

When received, unhashed messages are only accepted if secret list is empty or contains "empty secret", hashed messages are accepted if they are hashed with any of secrets in list.

This design allows for incremental introduction and/or change of secrets in network without RoMON service interruption and can happen over RoMON itself, e.g.:

- initially all routers are without secrets

- configure each router one by one with secrets="","mysecret" - this will make all routers still send unprotected frames, but they all will be ready to accept frames protected with secret "mysecret".

- configure each router one by one with secrets="mysecret","" - this will make all routers use secret "mysecret", but also still accept unprotected frames (from routers that have not yet been changed)

- configure each router with secrets="mysecret" - this will make all routers use secret "mysecret" and also only accept frames protected with "mysecret".

Changing of secret in network should be performed in similar fashion where for some time both secrets are in use in network.

Peer discovery

In order to discover all routers on RoMON network romon discover command must be used:

Version 6.28:

[admin@R1] romon discover 
ADDRESS                 COST       HOPS PATH                   L2MTU
00:22:00:00:00:02        200          1 00:22:00:00:00:02       1500
00:02:03:04:05:06        400          2 00:22:00:00:00:02       1500
                                        00:02:03:04:05:06

After version 6.28:

[admin@R1] tool romon discover 
ADDRESS                 COST       HOPS PATH                   L2MTU
00:22:00:00:00:02        200          1 00:22:00:00:00:02       1500
00:02:03:04:05:06        400          2 00:22:00:00:00:02       1500
                                        00:02:03:04:05:06

Applications

Multiple applications can be run over RoMON network.

Ping

In order to test reachability of specific router on RoMON network romon ping command can be used:

Version 6.28:

[admin@R1] romon ping 00:22:00:00:00:02
  SEQ HOST                                    TIME  STATUS                                       
    0 00:22:00:00:00:02                       0ms                                                
    1 00:22:00:00:00:02                       1ms                                                
    2 00:22:00:00:00:02                       1ms                                                
    sent=3 received=3 packet-loss=0% min-rtt=0ms avg-rtt=0ms max-rtt=1ms 

After version 6.28:

[admin@R1] tool romon ping 00:22:00:00:00:02
  SEQ HOST                                    TIME  STATUS                                       
    0 00:22:00:00:00:02                       0ms                                                
    1 00:22:00:00:00:02                       1ms                                                
    2 00:22:00:00:00:02                       1ms                                                
    sent=3 received=3 packet-loss=0% min-rtt=0ms avg-rtt=0ms max-rtt=1ms 

SSH

In order to establish secure terminal connection to router on RoMON network romon ssh command can be used, provided that security package is installed:

Version 6.28:

[admin@R1] romon ssh 00:22:00:00:00:02  

After version 6.28:

[admin@R1] tool romon ssh 00:22:00:00:00:02  

Run RoMON in Winbox by using CLI

In order to establish RoMON session directly by using command line on computer, you must specify RoMON agents and desired routers addresses. RoMON agent must be saved on Managed routers list in Winbox in order to make successful connection:


winbox.exe --romon 192.168.88.1 D4:CA:6D:E1:B5:7D admin ""