Community discussions

MikroTik App
  4. RouterOS
  5. General

Switch: block STP on one port in RouterOS v7

Post Reply
 
mhaluska
just joined
Topic Author
Posts: 22
Joined: Sat Jun 13, 2020 1:20 pm

Switch: block STP on one port in RouterOS v7

Wed Sep 07, 2022 8:31 pm

Due to ISP special setup, I need to block STP on one switch port, otherwise clients behind this switch will not get IP thru DHCP. I'm limited to 3 dynamic public IPs, but also STP proto is somehow blocking rest of clients and is counted as a client.

This bridge filter was working fine untill I upgraded from latest v6 to v7.5:
Code: Select all
/interface bridge filter
add action=drop chain=output out-interface=ether23 src-mac-address=<MAC addr of ether23>/FF:FF:FF:FF:FF:FF
Filter is now not matching and I can see those packets in "testing" HexS connected to ISP modem in bridge mode:
Code: Select all
313077	1569.938077	<Switch MAC>	Spanning-tree-(for-bridges)_00	STP	107	RST. Root = 16384/0/<HIDDEN>  Cost = 10  Port = 0x0015
Some idea?
Top
 
User avatar
sindy
Forum Guru
Forum Guru
Posts: 11138
Joined: Mon Dec 04, 2017 9:19 pm

Re: Switch: block STP on one port in RouterOS v7

Wed Sep 07, 2022 9:18 pm

Try matching on the destination mac-address 01:80:C2:00:00:00/FF:FF:FF:FF:FF:FF, which is specific for STP, instead.
Top
 
mhaluska
just joined
Topic Author
Posts: 22
Joined: Sat Jun 13, 2020 1:20 pm

Re: Switch: block STP on one port in RouterOS v7

Wed Sep 07, 2022 9:28 pm

None is matching (before setting edge=yes -> see below)...
Code: Select all
/interface bridge filter
add action=drop chain=output dst-mac-address=01:80:C2:00:00:00/FF:FF:FF:FF:FF:FF out-interface=ether23
add action=drop chain=output out-interface=ether23 src-mac-address=08:55:31:95:85:C3/FF:FF:FF:FF:FF:FF

I managed to disable STP with this, I don't see more STP packets and got 2nd IP successfully:
Code: Select all
/interface/bridge/port/set edge=yes interface=ether23

But still there is probably some ethernet comm and "occupying" last available IP. Before this was probably solved with mentioned filter rule.
Top
 
mhaluska
just joined
Topic Author
Posts: 22
Joined: Sat Jun 13, 2020 1:20 pm

Re: Switch: block STP on one port in RouterOS v7

Wed Sep 07, 2022 9:39 pm

It looks like bridge filter is not working or all rules are totally ignored, ether5 is my Raspberry Pi where I tried to generate traffic after adding those rules:
Code: Select all
> /interface/bridge/filter/export
/interface bridge filter
add action=accept chain=forward in-interface=ether5
add action=accept chain=forward out-interface=ether5
add action=accept chain=input in-interface=ether5
add action=accept chain=output out-interface=ether5
...

Code: Select all
> /interface/bridge/filter/print stats
Columns: CHAIN, ACTION, BYTES, PACKETS
# CHAIN    ACTION  BYTES  PACKETS
0 forward  accept      0        0
1 forward  accept      0        0
2 input    accept      0        0
3 output   accept      0        0
...
Top
 
User avatar
Splash
Member Candidate
Member Candidate
Posts: 207
Joined: Fri Oct 16, 2015 10:09 am
Location: Johannesburg, South Africa

Re: Switch: block STP on one port in RouterOS v7

Tue Nov 15, 2022 12:35 pm

You could try a switching rule...

The manual seems to state you need to depend on the switch model you are using.

https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge

"Dropping received BPDUs on a certain port can be done on some switch chips using ACL rules, but the Bridge Filter Input rules cannot do it if bridge has STP/RSTP/MSTP enabled because then received BPDUs have special processing in the bridge."


Example:
Code: Select all
/interface ethernet switch rule
add dst-mac-address=01:80:C2:00:00:00/FF:FF:FF:FF:FF:FF ports=sfp-sfpplus13 switch=switch1
Also set the port to Edge = yes
Code: Select all
add bridge=bridge1 edge=yes frame-types=admit-only-vlan-tagged interface=sfp-sfpplus13
Top
Post Reply

Who is online

Users browsing this forum: tdw and 19 guests
  4. RouterOS
  5. General