Neighbor Discovery (MNDP)
RouterOS uses the MikroTik Neighbor Discovery Protocol (MNDP) to announce itself to and discover adjacent devices on the local network. MNDP is compatible with CDP (Cisco Discovery Protocol) and LLDP (Link Layer Discovery Protocol), so RouterOS can discover — and be discovered by — non-MikroTik devices as well.
The neighbor table populated by MNDP drives the Neighbors tab in Winbox, making it easy to locate and connect to unconfigured or newly deployed routers on the same broadcast domain.
Sub-menus
| Path | Purpose |
|---|---|
| /ip/neighbor/discovery-settings | Control which interfaces participate in discovery |
| /ip/neighbor | View the neighbor table |
How It Works
MNDP sends periodic multicast frames on each participating interface. These frames advertise:
- Router identity (hostname)
- MAC address and IP addresses
- RouterOS version and platform
- Active interface names and uptime
Received frames populate /ip/neighbor with a timed entry. Entries expire if no new frame is received within the hold-time window.
Configuration
Controlling Which Interfaces Participate
Discovery scope is controlled by the discover-interface-list setting, which points to a RouterOS interface list. Only interfaces that are members of that list will send and receive MNDP frames.
```
/ip/neighbor/discovery-settings/print
```
Example output:
```
discover-interface-list: all
```
The default value all enables discovery on every interface — including WAN uplinks and untrusted segments. Restrict this in production.
Disable Discovery on WAN / Untrusted Interfaces
The recommended approach is to restrict discovery to your LAN or management segment only:
```
# Create a dedicated list for discovery-enabled interfaces
/interface/list/add name=MGMT
# Add only trusted interfaces
/interface/list/member/add list=MGMT interface=ether2
/interface/list/member/add list=MGMT interface=bridge-lan
# Apply the list
/ip/neighbor/discovery-settings/set discover-interface-list=MGMT
```
Disable Discovery Entirely
To stop all MNDP/CDP/LLDP announcements and neighbor collection:
```
/ip/neighbor/discovery-settings/set discover-interface-list=none
```
This is appropriate for routers where any neighbor disclosure is a security concern (e.g., edge routers facing untrusted providers).
Re-enable on a Specific Interface Only
```
/interface/list/add name=DISCOVERY
/interface/list/member/add list=DISCOVERY interface=ether1
/ip/neighbor/discovery-settings/set discover-interface-list=DISCOVERY
```
Viewing Discovered Neighbors
```
/ip/neighbor/print
```
Typical output columns:
| Column | Description |
|---|---|
| interface | Local interface the neighbor was heard on |
| identity | Remote router’s hostname |
| mac-address | Remote device MAC |
| address | Remote IP address (if available) |
| platform | Device platform (e.g., MikroTik) |
| version | RouterOS or firmware version |
| uptime | How long since the neighbor entry was first seen |
| age | Time since last MNDP frame received from this neighbor |
For full detail:
```
/ip/neighbor/print detail
```
Winbox Neighbors Tab
Winbox uses /ip/neighbor to populate its Neighbors tab. This allows you to click a newly deployed router on the same LAN and connect via MAC address — even before it has an IP configured.
If a device does not appear in the Neighbors tab:
- Verify it is on the same broadcast domain (same VLAN or bridge).
- Confirm MNDP is enabled on the interface facing that device (/ip/neighbor/discovery-settings/print).
- The Neighbors tab shows results from the router you are connected to, not your local host. If you are connected to Router A, it shows A’s neighbors — not devices adjacent to your laptop.
Troubleshooting
Neighbors tab is empty / /ip/neighbor print shows nothing
Check discovery settings:
```
/ip/neighbor/discovery-settings/print
```
If discover-interface-list is none, discovery is disabled.
Check interface list membership:
```
/interface/list/member/print where list=<your-list>
```
The interface facing the neighbor must be a member of the configured list.
Check L2 adjacency: MNDP is a Layer 2 multicast protocol. It does not cross routed boundaries or VLANs unless the ports are in the same bridge. Ensure both devices are on the same broadcast domain.
Check bridge settings: If you use a bridge with VLAN filtering, confirm multicast frames are not being dropped by the bridge VLAN filter.
Unwanted neighbors appearing (security concern)
Discovery is passive — a neighbor entry appears when their router sends an MNDP frame to your interface. To suppress collection on a segment:
```
# Remove the interface from the discovery list
/interface/list/member/remove [find list=MGMT interface=ether1-wan]
```
This stops your router from both advertising and listening on that interface.
Discovery not reaching devices on a different VLAN
MNDP multicast is constrained to the broadcast domain. To discover a device on VLAN 20:
```
# Add VLAN interface to discovery list
/interface/list/member/add list=MGMT interface=vlan20
```
Security Considerations
- Disable on WAN uplinks. MNDP frames expose your router’s hostname, RouterOS version, and IP addressing to anyone on that segment. ISPs and colocation providers can see this information if discovery is left enabled on uplink ports.
- Use restrictive interface lists in production. Default all is convenient for lab work; it is not appropriate for deployed equipment.
- CDP/LLDP exposure. RouterOS sends CDP and LLDP frames in addition to MNDP. Third-party devices on the same segment can record your router identity even if you only consider MNDP exposure.
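An added example, not part of the original page or MikroTik's tooling: a Python check that reads a saved configuration, resolves discover-interface-list to its member interfaces, and reports untrusted interfaces on which discovery is still enabled. The export-style section layout, the sample configuration, and the names parse_config and audit_discovery are assumptions; a configuration with no discovery setting is treated as all, the default this page states.

```python
import shlex

# Constructed sample in RouterOS export layout (assumed format, not from the page):
# ether1-wan has been added to the discovery list by mistake.
SAMPLE_EXPORT = """\
/interface list
add name=MGMT
/interface list member
add interface=ether2 list=MGMT
add interface=bridge-lan list=MGMT
add interface=ether1-wan list=MGMT
/ip neighbor discovery-settings
set discover-interface-list=MGMT
"""

def parse_config(text):
    """Return (discovery_list, {list_name: {interfaces}}) from config text."""
    section, discovery, members = [], "all", {}  # "all": default stated on the page
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        toks = shlex.split(line)
        kv = dict(t.split("=", 1) for t in toks if "=" in t)
        words = " ".join(t for t in toks if "=" not in t).replace("/", " ").split()
        if not words:
            continue
        if words[-1] not in ("add", "set"):
            if line.startswith("/") and not kv:
                section = words          # export-style section header
            continue
        path = words[:-1] or section     # full-path command, or verb under a header
        if path == ["interface", "list", "member"] and words[-1] == "add":
            members.setdefault(kv["list"], set()).add(kv["interface"])
        elif path == ["ip", "neighbor", "discovery-settings"]:
            discovery = kv.get("discover-interface-list", discovery)
    return discovery, members

def audit_discovery(text, untrusted):
    """List findings where discovery is enabled on an untrusted interface."""
    discovery, members = parse_config(text)
    if discovery == "none":
        return []
    if discovery == "all":
        return [f"{i}: exposed, discover-interface-list=all" for i in sorted(untrusted)]
    hits = sorted(members.get(discovery, set()) & set(untrusted))
    return [f"{i}: exposed, member of discovery list {discovery}" for i in hits]
```

The parser also accepts the full-path command form used on this page, so a provisioning script can be checked before it is applied.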