MikroTik RouterOS IP Neighbors: Network Discovery and Mapping

RouterOS Version: 6.44+ (slave interface support), 7.x (enhanced LLDP) Difficulty: Beginner Estimated Time: 20 minutes

Overview

Neighbor Discovery enables your MikroTik router to automatically find and identify other devices in the same Layer 2 broadcast domain. The router can use three protocols: MNDP (MikroTik Neighbor Discovery Protocol), CDP (Cisco Discovery Protocol), and LLDP (Link Layer Discovery Protocol).

This feature is valuable for network mapping, troubleshooting connectivity, and integration with management tools like MikroTik’s The Dude. The neighbor list shows each discovered device’s identity, IP/MAC addresses, platform, software version, and the local interface where it was found.

Security warning: By default, discovery is enabled on all interfaces, which means your router broadcasts its identity, version, and IP addresses. On WAN or untrusted interfaces, this is an information leak that aids attackers. Always disable discovery on external-facing ports.

Understanding the Protocols

Protocol	Standard	Best For
MNDP	MikroTik proprietary	All-MikroTik networks
CDP	Cisco proprietary	Mixed MikroTik/Cisco networks
LLDP	IEEE 802.1AB	Multi-vendor environments (recommended)

Recommendation: For networks with devices from multiple vendors, use LLDP as it’s the industry standard supported by most enterprise equipment.

Viewing Discovered Neighbors

The neighbor list is read-only - RouterOS populates it automatically from discovery packets received on participating interfaces.

Basic Neighbor List

/ip neighbor print

Example Output:

 # INTERFACE  ADDRESS         MAC-ADDRESS       IDENTITY        PLATFORM      VERSION
 0 ether2     192.168.88.2    4C:5E:0C:12:34:56 MikroTik-SW1    MikroTik      7.12
 1 ether3     192.168.88.3    4C:5E:0C:78:90:AB MikroTik-AP1    MikroTik      7.12
 2 ether4     192.168.88.10   00:1A:2B:3C:4D:5E Cisco-Switch    Cisco         15.2

Detailed Neighbor Information

/ip neighbor print detail

This shows additional properties including:

age - Time since last discovery packet
board - Hardware model (MikroTik devices)
uptime - Device uptime (MikroTik devices)
discovered-by - Which protocol found this neighbor
system-caps - LLDP-reported capabilities

Filter by Protocol

# Show only LLDP-discovered neighbors
/ip neighbor print where discovered-by=lldp

# Show only neighbors on specific interface
/ip neighbor print where interface=ether2

Configuration Steps

Step 1: View Current Discovery Settings

/ip neighbor discovery-settings print

Default Output:

  discover-interface-list: static
             mode: tx-and-rx
         protocol: cdp,lldp,mndp

Step 2: Disable Discovery on WAN Interface (Security)

Create an interface list for exclusion and configure discovery to skip it:

# Create exclusion list
/interface list add name=no-discovery

# Add WAN interface to exclusion list
/interface list member add interface=ether1-wan list=no-discovery

# Configure discovery to exclude that list
/ip neighbor discovery-settings set discover-interface-list=!no-discovery

The ! prefix means “all interfaces EXCEPT those in this list.”

Step 3: Verify WAN is Excluded

# Check interface list membership
/interface list member print where list=no-discovery

# Verify no neighbors discovered on WAN
/ip neighbor print where interface=ether1-wan

The second command should return no results if properly configured.

Common Configuration Scenarios

Enable Discovery Only on Specific Interfaces

For maximum security, explicitly list which interfaces participate:

# Create inclusion list
/interface list add name=discovery-allowed
/interface list member add interface=ether2 list=discovery-allowed
/interface list member add interface=ether3 list=discovery-allowed
/interface list member add interface=bridge-lan list=discovery-allowed

# Set discovery to use only that list
/ip neighbor discovery-settings set discover-interface-list=discovery-allowed

Disable Discovery Completely

/ip neighbor discovery-settings set discover-interface-list=none

Use Only LLDP (Recommended for Multi-Vendor)

Disable MNDP and CDP to prevent duplicate entries and ensure compatibility:

/ip neighbor discovery-settings set protocol=lldp

Receive-Only Mode (Passive Discovery)

Discover neighbors without advertising your own router:

/ip neighbor discovery-settings set mode=rx-only

This is useful when you want to see what’s on the network without exposing your router’s information.

Configure LLDP for VoIP Phones (LLDP-MED)

Tell LLDP-MED capable phones which VLAN to use for voice traffic:

/ip neighbor discovery-settings set lldp-med-net-policy-vlan=100

Enable LLDP VLAN Information

For switches that need VLAN details in LLDP packets:

/ip neighbor discovery-settings set protocol=lldp lldp-vlan-info=yes

LLDP TLV Options

LLDP messages contain Type-Length-Value (TLV) fields. RouterOS allows configuring which optional TLVs to include:

Setting	Default	Description
`lldp-poe-power`	yes	Include Power over Ethernet information
`lldp-mac-phy-config`	no	Include MAC/PHY configuration (speed/duplex)
`lldp-max-frame-size`	no	Include maximum frame size (MTU)
`lldp-vlan-info`	no	Include IEEE 802.1 VLAN TLVs
`lldp-dcbx`	no	Data Center Bridging Exchange capabilities
`lldp-med-net-policy-vlan`	disabled	VLAN ID for LLDP-MED devices

Example enabling additional TLVs:

/ip neighbor discovery-settings set lldp-mac-phy-config=yes lldp-max-frame-size=yes

Verification

Check 1: Verify Discovery Settings

/ip neighbor discovery-settings print

Expected: Appropriate interface list (not “all” if WAN should be excluded).

Check 2: View All Neighbors

/ip neighbor print

Expected: Neighbors only on allowed interfaces.

Check 3: Verify WAN Exclusion

/ip neighbor print where interface~"wan"

Expected: No results (if WAN properly excluded).

Check 4: Check Interface List Configuration

/interface list member print

Expected: WAN/untrusted interfaces in exclusion list.

Check 5: Verify Specific Neighbor Details

/ip neighbor print detail where identity~"Switch"

Expected: Full details including discovery protocol, age, capabilities.

Troubleshooting

Problem: “Neighbors not appearing in list”

Cause: Interface not in discover-interface-list, or mode set to tx-only.

Solution:

Check discovery settings: /ip neighbor discovery-settings print
Verify interface is in the discovery list
Ensure mode includes rx: mode=tx-and-rx or mode=rx-only

Problem: “Same device appears multiple times”

Cause: Multiple protocols (CDP, MNDP, LLDP) all discovering the same device.

Solution: Enable only one protocol:

/ip neighbor discovery-settings set protocol=lldp

Problem: “Third-party switch not discovering MikroTik”

Cause: Remote device only speaks LLDP, but MikroTik sending CDP/MNDP.

Solution: Ensure LLDP is enabled:

/ip neighbor discovery-settings set protocol=lldp

Or enable all protocols:

/ip neighbor discovery-settings set protocol=cdp,lldp,mndp

Problem: “Discovery not working on bridge ports”

Cause: RouterOS version before 6.44.

Solution: Upgrade to RouterOS 6.44 or later. In older versions, discovery only worked on the master bridge interface, not individual ports.

Problem: “VoIP phones not getting voice VLAN”

Cause: LLDP-MED VLAN not configured.

Solution:

/ip neighbor discovery-settings set lldp-med-net-policy-vlan=100

Replace 100 with your voice VLAN ID.

Problem: “Router memory usage high from neighbor entries”

Cause: Large broadcast domain with many devices (pre-6.45 had no limit).

Solution: Upgrade to RouterOS 6.45+, which limits entries to (RAM in MB) × 16 per interface. Or restrict discovery to fewer interfaces.

Common Pitfalls

1. Discovery Enabled on WAN (Security Risk)

Wrong: Default configuration on internet-facing router

discover-interface-list: all

Right: Exclude WAN interfaces

/interface list add name=no-discovery
/interface list member add interface=ether1-wan list=no-discovery
/ip neighbor discovery-settings set discover-interface-list=!no-discovery

2. Expecting Manual Neighbor Entries

Wrong: Trying to add static neighbor entries

/ip neighbor add address=192.168.1.1  # This command doesn't exist

Right: The neighbor list is automatically populated - it’s read-only. You cannot manually add entries.

3. Confusing with IPv6 Neighbor Discovery

Wrong: Expecting /ip neighbor to show IPv6 ND table

/ip neighbor print  # Shows discovery protocols, not ARP/ND

Right: IPv6 Neighbor Discovery (ICMPv6 NDP) is separate:

/ipv6 neighbor print  # Shows IPv6 neighbor cache (like ARP for IPv6)

4. Using tx-only Mode and Expecting to See Neighbors

Wrong:

/ip neighbor discovery-settings set mode=tx-only
/ip neighbor print  # Empty - not receiving discovery packets

Right: Use tx-and-rx or rx-only to see neighbors:

/ip neighbor discovery-settings set mode=tx-and-rx

Security Best Practices

1. Disable on All External Interfaces

/interface list add name=external
/interface list member add interface=ether1-wan list=external
/interface list member add interface=pppoe-out1 list=external
/interface list member add interface=wlan-guest list=external
/ip neighbor discovery-settings set discover-interface-list=!external

2. Use Receive-Only on Semi-Trusted Networks

For networks where you want visibility but don’t want to advertise:

/ip neighbor discovery-settings set mode=rx-only

3. Firewall-Based Blocking (Alternative)

If you can’t use interface lists, block at the firewall:

# Block LLDP multicast
/interface bridge filter add chain=input dst-mac-address=01:80:C2:00:00:0E/FF:FF:FF:FF:FF:FF action=drop

# Block MNDP
/ip firewall filter add chain=input protocol=udp dst-port=5678 action=drop

4. Information Exposed

Discovery broadcasts reveal:

System identity name
RouterOS version
Hardware model (board)
All IP addresses on the interface
System uptime
MAC addresses

Attackers can use this to identify vulnerable versions or plan targeted attacks.

MAC Server (/tool mac-server) - Uses neighbor discovery for MAC-Telnet/WinBox access
The Dude - Network monitoring tool that uses discovery for mapping
IPv6 Neighbor Discovery (/ipv6 neighbor) - Separate feature for IPv6 address resolution
ARP (/ip arp) - IPv4 address resolution (different from neighbor discovery)
Interface Lists (/interface list) - Control discovery scope

References

Network Discovery

IP Scan - active network scanning
RoMON - MikroTik-specific remote management

Interface Management

Interface Lists - control discovery scope
Bridge Configuration - Layer 2 connectivity

Security

IP Services - management access control
Firewall Basics - block discovery protocols

MikroTik RouterOS IP Neighbors: Network Discovery and Mapping

MikroTik RouterOS IP Neighbors: Network Discovery and Mapping

Overview

Understanding the Protocols

Viewing Discovered Neighbors

Basic Neighbor List

Detailed Neighbor Information

Filter by Protocol

Configuration Steps

Step 1: View Current Discovery Settings

Step 2: Disable Discovery on WAN Interface (Security)

Step 3: Verify WAN is Excluded

Common Configuration Scenarios

Enable Discovery Only on Specific Interfaces

Disable Discovery Completely

Use Only LLDP (Recommended for Multi-Vendor)

Receive-Only Mode (Passive Discovery)

Configure LLDP for VoIP Phones (LLDP-MED)

Enable LLDP VLAN Information

LLDP TLV Options

Verification

Check 1: Verify Discovery Settings

Check 2: View All Neighbors

Check 3: Verify WAN Exclusion

Check 4: Check Interface List Configuration

Check 5: Verify Specific Neighbor Details

Troubleshooting

Problem: “Neighbors not appearing in list”

Problem: “Same device appears multiple times”

Problem: “Third-party switch not discovering MikroTik”

Problem: “Discovery not working on bridge ports”

Problem: “VoIP phones not getting voice VLAN”

Problem: “Router memory usage high from neighbor entries”

Common Pitfalls

1. Discovery Enabled on WAN (Security Risk)

2. Expecting Manual Neighbor Entries

3. Confusing with IPv6 Neighbor Discovery

4. Using tx-only Mode and Expecting to See Neighbors

Security Best Practices

1. Disable on All External Interfaces

2. Use Receive-Only on Semi-Trusted Networks

3. Firewall-Based Blocking (Alternative)

4. Information Exposed

Related Features

References

Related Topics

Network Discovery

Interface Management

Security