Skip to content
MikroTik RouterOS Docs

MikroTik RouterOS IP Neighbors: Network Discovery and Mapping

MikroTik RouterOS IP Neighbors: Network Discovery and Mapping

Section titled “MikroTik RouterOS IP Neighbors: Network Discovery and Mapping”

RouterOS Version: 6.44+ (slave interface support), 7.x (enhanced LLDP) Difficulty: Beginner Estimated Time: 20 minutes

Overview

Section titled “Overview”

Neighbor Discovery enables your MikroTik router to automatically find and identify other devices in the same Layer 2 broadcast domain. The router can use three protocols: MNDP (MikroTik Neighbor Discovery Protocol), CDP (Cisco Discovery Protocol), and LLDP (Link Layer Discovery Protocol).

This feature is valuable for network mapping, troubleshooting connectivity, and integration with management tools like MikroTik’s The Dude. The neighbor list shows each discovered device’s identity, IP/MAC addresses, platform, software version, and the local interface where it was found.

Security warning: By default, discovery is enabled on all interfaces, which means your router broadcasts its identity, version, and IP addresses. On WAN or untrusted interfaces, this is an information leak that aids attackers. Always disable discovery on external-facing ports.

Understanding the protocols

Section titled “Understanding the protocols”
Understanding the protocols diagram
ProtocolStandardBest For
MNDPMikroTik proprietaryAll-MikroTik networks
CDPCisco proprietaryMixed MikroTik/Cisco networks
LLDPIEEE 802.1ABMulti-vendor environments (recommended)

Recommendation: For networks with devices from multiple vendors, use LLDP as it’s the industry standard supported by most enterprise equipment.

Viewing discovered neighbors

Section titled “Viewing discovered neighbors”

The neighbor list is read-only - RouterOS populates it automatically from discovery packets received on participating interfaces.

Basic neighbor list

Section titled “Basic neighbor list”
/ip neighbor print

Example Output:

 # INTERFACE  ADDRESS         MAC-ADDRESS       IDENTITY        PLATFORM      VERSION
 0 ether2     192.168.88.2    4C:5E:0C:12:34:56 MikroTik-SW1    MikroTik      7.12
 1 ether3     192.168.88.3    4C:5E:0C:78:90:AB MikroTik-AP1    MikroTik      7.12
 2 ether4     192.168.88.10   00:1A:2B:3C:4D:5E Cisco-Switch    Cisco         15.2

Detailed neighbor information

Section titled “Detailed neighbor information”
/ip neighbor print detail

This shows additional properties including:

  • age - Time since last discovery packet
  • board - Hardware model (MikroTik devices)
  • uptime - Device uptime (MikroTik devices)
  • discovered-by - Which protocol found this neighbor
  • system-caps - LLDP-reported capabilities

Filter by protocol

Section titled “Filter by protocol”
# Show only LLDP-discovered neighbors
/ip neighbor print where discovered-by=lldp


# Show only neighbors on specific interface
/ip neighbor print where interface=ether2

Configuration steps

Section titled “Configuration steps”

Step 1: View current discovery settings

Section titled “Step 1: View current discovery settings”
/ip neighbor discovery-settings print

Default Output:

  discover-interface-list: static
             mode: tx-and-rx
         protocol: cdp,lldp,mndp

Step 2: Disable discovery on WAN interface (security)

Section titled “Step 2: Disable discovery on WAN interface (security)”
Step 2: Disable discovery on WAN interface (security) diagram

Create an interface list for exclusion and configure discovery to skip it:

# Create exclusion list
/interface list add name=no-discovery


# Add WAN interface to exclusion list
/interface list member add interface=ether1-wan list=no-discovery


# Configure discovery to exclude that list
/ip neighbor discovery-settings set discover-interface-list=!no-discovery

The ! prefix means “all interfaces EXCEPT those in this list.”

Step 3: Verify WAN is excluded

Section titled “Step 3: Verify WAN is excluded”
# Check interface list membership
/interface list member print where list=no-discovery


# Verify no neighbors discovered on WAN
/ip neighbor print where interface=ether1-wan

The second command should return no results if properly configured.

Common configuration scenarios

Section titled “Common configuration scenarios”

Enable discovery only on specific interfaces

Section titled “Enable discovery only on specific interfaces”

For maximum security, explicitly list which interfaces participate:

# Create inclusion list
/interface list add name=discovery-allowed
/interface list member add interface=ether2 list=discovery-allowed
/interface list member add interface=ether3 list=discovery-allowed
/interface list member add interface=bridge-lan list=discovery-allowed


# Set discovery to use only that list
/ip neighbor discovery-settings set discover-interface-list=discovery-allowed

Disable discovery completely

Section titled “Disable discovery completely”
/ip neighbor discovery-settings set discover-interface-list=none
Section titled “Use only LLDP (recommended for multi-vendor)”

Disable MNDP and CDP to prevent duplicate entries and ensure compatibility:

/ip neighbor discovery-settings set protocol=lldp

Receive-only mode (passive discovery)

Section titled “Receive-only mode (passive discovery)”

Discover neighbors without advertising your own router:

/ip neighbor discovery-settings set mode=rx-only

This is useful when you want to see what’s on the network without exposing your router’s information.

Configure LLDP for VoIP phones (LLDP-MED)

Section titled “Configure LLDP for VoIP phones (LLDP-MED)”

Tell LLDP-MED capable phones which VLAN to use for voice traffic:

/ip neighbor discovery-settings set lldp-med-net-policy-vlan=100

Enable LLDP VLAN information

Section titled “Enable LLDP VLAN information”

For switches that need VLAN details in LLDP packets:

/ip neighbor discovery-settings set protocol=lldp lldp-vlan-info=yes

LLDP TLV options

Section titled “LLDP TLV options”

LLDP messages contain Type-Length-Value (TLV) fields. RouterOS allows configuring which optional TLVs to include:

SettingDefaultDescription
lldp-poe-poweryesInclude Power over Ethernet information
lldp-mac-phy-confignoInclude MAC/PHY configuration (speed/duplex)
lldp-max-frame-sizenoInclude maximum frame size (MTU)
lldp-vlan-infonoInclude IEEE 802.1 VLAN TLVs
lldp-dcbxnoData Center Bridging Exchange capabilities
lldp-med-net-policy-vlandisabledVLAN ID for LLDP-MED devices

Example enabling additional TLVs:

/ip neighbor discovery-settings set lldp-mac-phy-config=yes lldp-max-frame-size=yes

Verification

Section titled “Verification”

Check 1: Verify discovery settings

Section titled “Check 1: Verify discovery settings”
/ip neighbor discovery-settings print

Expected: Appropriate interface list (not “all” if WAN should be excluded).

Check 2: View all neighbors

Section titled “Check 2: View all neighbors”
/ip neighbor print

Expected: Neighbors only on allowed interfaces.

Check 3: Verify WAN exclusion

Section titled “Check 3: Verify WAN exclusion”
/ip neighbor print where interface~"wan"

Expected: No results (if WAN properly excluded).

Check 4: Check interface list configuration

Section titled “Check 4: Check interface list configuration”
/interface list member print

Expected: WAN/untrusted interfaces in exclusion list.

Check 5: Verify specific neighbor details

Section titled “Check 5: Verify specific neighbor details”
/ip neighbor print detail where identity~"Switch"

Expected: Full details including discovery protocol, age, capabilities.

Troubleshooting

Section titled “Troubleshooting”

Problem: “Neighbors not appearing in list”

Section titled “Problem: “Neighbors not appearing in list””

Cause: Interface not in discover-interface-list, or mode set to tx-only.

Solution:

  1. Check discovery settings: /ip neighbor discovery-settings print
  2. Verify interface is in the discovery list
  3. Ensure mode includes rx: mode=tx-and-rx or mode=rx-only

Problem: “Same device appears multiple times”

Section titled “Problem: “Same device appears multiple times””

Cause: Multiple protocols (CDP, MNDP, LLDP) all discovering the same device.

Solution: Enable only one protocol:

/ip neighbor discovery-settings set protocol=lldp

Problem: “Third-party switch not discovering Mikrotik”

Section titled “Problem: “Third-party switch not discovering Mikrotik””

Cause: Remote device only speaks LLDP, but MikroTik sending CDP/MNDP.

Solution: Ensure LLDP is enabled:

/ip neighbor discovery-settings set protocol=lldp

Or enable all protocols:

/ip neighbor discovery-settings set protocol=cdp,lldp,mndp

Problem: “Discovery not working on bridge ports”

Section titled “Problem: “Discovery not working on bridge ports””

Cause: RouterOS version before 6.44.

Solution: Upgrade to RouterOS 6.44 or later. In older versions, discovery only worked on the master bridge interface, not individual ports.

Problem: “VoIP phones not getting voice VLAN”

Section titled “Problem: “VoIP phones not getting voice VLAN””

Cause: LLDP-MED VLAN not configured.

Solution:

/ip neighbor discovery-settings set lldp-med-net-policy-vlan=100

Replace 100 with your voice VLAN ID.

Problem: “Router memory usage high from neighbor entries”

Section titled “Problem: “Router memory usage high from neighbor entries””

Cause: Large broadcast domain with many devices (pre-6.45 had no limit).

Solution: Upgrade to RouterOS 6.45+, which limits entries to (RAM in MB) × 16 per interface. Or restrict discovery to fewer interfaces.

Common pitfalls

Section titled “Common pitfalls”

1. Discovery enabled on WAN (security risk)

Section titled “1. Discovery enabled on WAN (security risk)”

Wrong: Default configuration on internet-facing router

discover-interface-list: all

Right: Exclude WAN interfaces

/interface list add name=no-discovery
/interface list member add interface=ether1-wan list=no-discovery
/ip neighbor discovery-settings set discover-interface-list=!no-discovery

2. Expecting manual neighbor entries

Section titled “2. Expecting manual neighbor entries”

Wrong: Trying to add static neighbor entries

/ip neighbor add address=192.168.1.1  # This command doesn't exist

Right: The neighbor list is automatically populated - it’s read-only. You cannot manually add entries.

3. Confusing with IPv6 neighbor discovery

Section titled “3. Confusing with IPv6 neighbor discovery”
Common pitfalls - Confusing with IPv6 neighbor discovery diagram

Wrong: Expecting /ip neighbor to show IPv6 ND table

/ip neighbor print  # Shows discovery protocols, not ARP/ND

Right: IPv6 Neighbor Discovery (ICMPv6 NDP) is separate:

/ipv6 neighbor print  # Shows IPv6 neighbor cache (like ARP for IPv6)

4. Using tx-only mode and expecting to see neighbors

Section titled “4. Using tx-only mode and expecting to see neighbors”

Wrong:

/ip neighbor discovery-settings set mode=tx-only
/ip neighbor print  # Empty - not receiving discovery packets

Right: Use tx-and-rx or rx-only to see neighbors:

/ip neighbor discovery-settings set mode=tx-and-rx

Security best practices

Section titled “Security best practices”

1. Disable on all external interfaces

Section titled “1. Disable on all external interfaces”
/interface list add name=external
/interface list member add interface=ether1-wan list=external
/interface list member add interface=pppoe-out1 list=external
/interface list member add interface=wlan-guest list=external
/ip neighbor discovery-settings set discover-interface-list=!external

2. Use receive-only on semi-trusted networks

Section titled “2. Use receive-only on semi-trusted networks”

For networks where you want visibility but don’t want to advertise:

/ip neighbor discovery-settings set mode=rx-only

3. Firewall-based blocking (alternative)

Section titled “3. Firewall-based blocking (alternative)”

If you can’t use interface lists, block at the firewall:

# Block LLDP multicast
/interface bridge filter add chain=input dst-mac-address=01:80:C2:00:00:0E/FF:FF:FF:FF:FF:FF action=drop


# Block MNDP
/ip firewall filter add chain=input protocol=udp dst-port=5678 action=drop

4. Information exposed

Section titled “4. Information exposed”

Discovery broadcasts reveal:

  • System identity name
  • RouterOS version
  • Hardware model (board)
  • All IP addresses on the interface
  • System uptime
  • MAC addresses

Attackers can use this to identify vulnerable versions or plan targeted attacks.

Section titled “Related features”
  • MAC Server (/tool mac-server) - Uses neighbor discovery for MAC-Telnet/WinBox access
  • The Dude - Network monitoring tool that uses discovery for mapping
  • IPv6 Neighbor Discovery (/ipv6 neighbor) - Separate feature for IPv6 address resolution
  • ARP (/ip arp) - IPv4 address resolution (different from neighbor discovery)
  • Interface Lists (/interface list) - Control discovery scope

References

Section titled “References”
Section titled “Related topics”

Network discovery

Section titled “Network discovery”
  • IP Scan - active network scanning
  • RoMON - MikroTik-specific remote management

Interface management

Section titled “Interface management”

Security

Section titled “Security”