How to drop MNDP packets?

hhoeth · Mon Nov 16, 2020 12:51 pm

Hi,

I am trying to drop MNDP packets in a bridge. This is the setup:

A  <-> ether3  B  ether1 <->  C

"B" has a bridge with ether1 and ether3, because it needs to be transparent for most traffic. But I don't want to forward MNDP packets between A and C. So that's what I have on B:

/interface bridge port
add bridge=bridge hw=no interface=ether1
add bridge=bridge hw=no interface=ether3

/interface bridge filter
add action=log chain=forward dst-port=5678 ip-protocol=udp mac-protocol=ip
add action=drop chain=forward dst-port=5678 ip-protocol=udp mac-protocol=ip

Unfortunately, A still can see C and vice versa. The log-rule shows the packets. If I place the log-role after the drop-rule, then I don't see the packets in the log of B, but A and C still can see each other.

What am I doing wrong? How can I drop those packets?

Thanks, Hendrik

sindy · Mon Nov 16, 2020 1:22 pm

What am I doing wrong? How can I drop those packets?

You do drop the MNDP packets successfully, but RouterOS sends also CDP and LLDP frames in parallel, and retrieves neighbor information from them.

LLDP is sent to MAC address 01:80:C2:xx:xx:xx, so it should not be forwarded by 802.1D conformant bridges, but if you have configured protocol=none on the bridge in order to disable (x)STP, the bridge is working in "dumb" mode and doesn't discriminate this specific MAC range.

So if you have protocol-mode=none, you have to drop also LLDP in the forward chain. It is easy to match, mac-protocol=lldp.

CDP is yet another case, it uses destination MAC address 01:00:0C:CC:CC:CC, so you have to drop by that dst-mac-address.

hhoeth · Mon Nov 16, 2020 2:57 pm

Thanks! I already had a rule for LLDP in place, but I missed CDP. That was the solution.

How to drop MNDP packets?

How to drop MNDP packets?

Re: How to drop MNDP packets?

Re: How to drop MNDP packets?

Who is online