Stril
Member Candidate
Topic Author
Posts: 204
Joined: Fri Nov 12, 2010 7:18 pm

RSTP - Disable on one port

Sat Jan 27, 2018 11:32 pm

Hi!

I need to use RSTP on Mikrotik-bridges, BUT: Is there any possibility to disable RSTP on one of the bridge ports?

I just found "edge port", but in that case the bridge still listens for BPDUs, and I want to avoid that, because I do not want somebody outside to connect and make themselves the root bridge.

Can you give me a hint?

Regards
Stril
 
sindy
Forum Guru
Posts: 11138
Joined: Mon Dec 04, 2017 9:19 pm

Re: RSTP - Disable on one port

Sun Jan 28, 2018 6:34 pm

Until someone comes up with a better solution, I recommend that you use a bridge filter to drop packets with destination MAC address 01:80:C2:00:00:00 which come in through that physical interface. As the bridge filter permits filtering by specific STP fields, I deduce that the filter acts before the STP packets get processed.
 
16again
Frequent Visitor
Posts: 78
Joined: Fri Dec 29, 2017 12:23 pm

Re: RSTP - Disable on one port

Sun Jan 28, 2018 10:12 pm

AFAIK, the idea behind an edge port is that it automatically blocks when BPDUs are received. This protects against both loops and your STP root being overthrown.
 
sindy
Forum Guru
Posts: 11138
Joined: Mon Dec 04, 2017 9:19 pm

Re: RSTP - Disable on one port

Sun Jan 28, 2018 10:41 pm

E.g. on Cisco switches you set edge port (portfast), bpdu-guard (shutting down the port in portfast mode if it receives a BPDU) and bpdu-filter (preventing BPDUs from being sent out through the port) separately.

If you e.g. connect a switch in your company network to a switch in the ISP's network (imagine a business center with the ISP's PoP) and both networks use xSTP, you don't want the BPDUs to leak from one network to the other.

I know what I'm talking about, except that in my case it was quite mysterious because I was receiving Cisco's PVST+ BPDUs from the ISP. The HPE switch receiving them did not recognize them as BPDUs at all because they use a different destination MAC address. So instead of dropping them, it honestly forwarded them just as any other multicast traffic - including to another Cisco switch in the network which thus kept switching over between MSTP with one root and PVST+ with another root.
 
Stril
Member Candidate
Topic Author
Posts: 204
Joined: Fri Nov 12, 2010 7:18 pm

Re: RSTP - Disable on one port

Mon Jan 29, 2018 9:31 am

Hi!

It's just not clear what edge-port does...
There are four options:

- yes
- no
- yes discovery
- no discovery

But what does that exactly mean?

Thank you
Stril
 
sindy
Forum Guru
Posts: 11138
Joined: Mon Dec 04, 2017 9:19 pm

Re: RSTP - Disable on one port

Thu Feb 01, 2018 6:46 pm

The manual is silent about the difference. If plain "yes" without "discovery" does not automatically activate an ingress bpdu filter, you'll have to use the bridge filter I have suggested.
 
mhaluska
just joined
Posts: 22
Joined: Sat Jun 13, 2020 1:20 pm

Re: RSTP - Disable on one port

Mon Nov 30, 2020 4:40 pm

Until someone comes up with a better solution, I recommend that you use a bridge filter to drop packets with destination MAC address 01:80:C2:00:00:00 which come in through that physical interface. As the bridge filter permits filtering by specific STP fields, I deduce that the filter acts before the STP packets get processed.
Since this is almost 3 years old... Do you have a better solution now instead of using a bridge filter? I need to disable outgoing (R)STP on one port.
 
joshhboss
Member Candidate
Posts: 298
Joined: Thu Aug 01, 2019 2:13 pm

Re: RSTP - Disable on one port

Sun Dec 03, 2023 3:59 am

Until someone comes up with a better solution, I recommend that you use a bridge filter to drop packets with destination MAC address 01:80:C2:00:00:00 which come in through that physical interface. As the bridge filter permits filtering by specific STP fields, I deduce that the filter acts before the STP packets get processed.
Could I get an example of this?

I have some switch rules that were helping me before when I would connect to Cisco switches and they would flood PVSTP packets. But just recently I was connecting to another Cisco switch and I can't determine if this was causing the problem. But I noticed that even with those rules enabled and the ports set to edge, when I click on the status page I saw that SENDING RSTP was checked.

Knowing how to exactly write the filter rule would be pretty helpful.

Thank you.

The rules I use are below, and these are switch rules, not bridge filters (they live under /interface ethernet switch rule):
/interface ethernet switch rule
add comment=Cisco-PVSTP dst-mac-address=01:00:0C:CC:CC:CD/FF:FF:FF:FF:FF:FF new-dst-ports="" ports=ether14,ether16,sfp-sfpplus2 switch=switch1
add comment=CDP-Rule dst-mac-address=01:00:0C:CC:CC:CC/FF:FF:FF:FF:FF:FF new-dst-ports="" ports=ether14,ether16,sfp-sfpplus2 switch=switch1
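The bridge filter rule sindy suggested earlier in the thread, written out as an added example (not configuration posted by anyone in the thread). The port name ether5 is an assumption; so is the choice of chains: frames addressed to the bridge itself (IEEE BPDUs) are taken to traverse the input chain on the way in and the output chain on the way out, while Cisco PVST+ BPDUs, which sindy notes are treated as ordinary multicast by non-Cisco bridges, are stopped in the forward chain so they are not flooded to other ports.

```routeros
# Added example, not from the thread. ether5 is the untrusted port (assumption).
/interface bridge filter
# 1. Do not let BPDUs from the neighbour reach our own (R)STP engine,
#    so an outside bridge cannot claim the root role.
add chain=input in-interface=ether5 \
    dst-mac-address=01:80:C2:00:00:00/FF:FF:FF:FF:FF:FF \
    action=drop comment="drop inbound IEEE BPDUs from ether5"
# 2. Do not leak our own BPDUs (and thus our topology) to the neighbour.
add chain=output out-interface=ether5 \
    dst-mac-address=01:80:C2:00:00:00/FF:FF:FF:FF:FF:FF \
    action=drop comment="drop outbound IEEE BPDUs to ether5"
# 3. Cisco PVST+ uses its own group MAC; non-Cisco bridges see it as plain
#    multicast and flood it, so stop it from crossing the bridge at all.
add chain=forward in-interface=ether5 \
    dst-mac-address=01:00:0C:CC:CC:CD/FF:FF:FF:FF:FF:FF \
    action=drop comment="do not flood PVST+ BPDUs from ether5"
# Check the rules are actually matching: counters rise while the neighbour sends BPDUs.
/interface bridge filter print stats
```

Bridge filter rules are evaluated in software and on switch-chip devices typically turn off hardware offloading for that bridge, which is the trade-off against the hardware switch rules shown in the post above; the print stats output is the quickest way to confirm the filter, rather than the misleading sending-rstp flag, is what is keeping BPDUs off the port.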
 
sindy
Forum Guru
Posts: 11138
Joined: Mon Dec 04, 2017 9:19 pm

Re: RSTP - Disable on one port

Sun Dec 03, 2023 12:15 pm

But I noticed that even with those rules enabled and the ports set to edge, when I click on the status page I saw that SENDING RSTP was checked.
Unfortunately, sending-rstp shows yes even on a port that is configured as edge=yes and sniffing shows that indeed no BPDUs are sent out via that port (whereas it does show them if the port is configured as edge=no, so it is not a sniffing issue).

So apart from this misleading indication, what is the actual issue you need to address?
 
joshhboss
Member Candidate
Posts: 298
Joined: Thu Aug 01, 2019 2:13 pm

Re: RSTP - Disable on one port

Sun Dec 03, 2023 7:40 pm

But I noticed that even with those rules enabled and the ports set to edge, when I click on the status page I saw that SENDING RSTP was checked.
Unfortunately, sending-rstp shows yes even on a port that is configured as edge=yes and sniffing shows that indeed no BPDUs are sent out via that port (whereas it does show them if the port is configured as edge=no, so it is not a sniffing issue).

So apart from this misleading indication, what is the actual issue you need to address?
Well, at the moment the situation has been sorted out. But in certain situations when we get our internet hand-off from our provider for our events, they mainly use Ciscos, and even though we are almost 100% MikroTik now, we do still have some Ciscos in our switch environment. We would have ports shut down from either a native VLAN mismatch or from some BPDUs that would flood past our MikroTik switchports. Granted, that has happened less since I started using those switch rules that I posted before. But at this event they were telling us that they were seeing spanning tree issues when connecting to us, and I just wanted to be ultra sure that my switch wasn't passing anything. I did do a sniff and I did not see anything like that. I'll post the capture here.
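Both sindy and joshhboss fall back on sniffing to check whether any BPDUs actually cross a port. As an added example (not code from the thread), the following scans raw Ethernet frames for IEEE STP/RSTP BPDUs (destination 01:80:C2:00:00:00, LLC 0x42/0x42) and Cisco PVST+ BPDUs (destination 01:00:0C:CC:CC:CD, SNAP with Cisco OUI and PID 0x010B), decodes the root and bridge identifiers, and flags any BPDU that advertises a better root than our own bridge, which is exactly the "somebody outside makes itself the root bridge" case from the first post. The three sample frames are constructed inline; a real check would feed it frames from a capture file.

```python
"""Scan Ethernet frames for STP/RSTP and PVST+ BPDUs and flag foreign root claims.

Added example, not from the forum thread. All frames below are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

IEEE_STP_MAC = bytes.fromhex("0180c2000000")    # 01:80:C2:00:00:00, IEEE bridge group
CISCO_PVST_MAC = bytes.fromhex("01000ccccccd")  # 01:00:0C:CC:CC:CD, Cisco PVST+
LLC_STP = bytes.fromhex("424203")               # DSAP 0x42, SSAP 0x42, UI control
SNAP_PVST = bytes.fromhex("aaaa0300000c010b")   # SNAP, Cisco OUI 00:00:0C, PID 0x010B
BPDU_TYPES = {0x00: "config", 0x02: "rstp", 0x80: "tcn"}


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


@dataclass
class Bpdu:
    flavor: str            # "ieee" or "pvst+"
    bpdu_type: str         # config / rstp / tcn
    src_mac: str           # who sent it (the neighbouring bridge port)
    root_id: Optional[int] # 8-byte root identifier as an integer, lower wins
    root_mac: Optional[str]
    bridge_mac: Optional[str]


def parse_bpdu(frame: bytes) -> Optional[Bpdu]:
    """Return a Bpdu if the frame is an IEEE or PVST+ BPDU, else None."""
    if len(frame) < 14:
        return None
    dst, src = frame[:6], frame[6:12]
    length = int.from_bytes(frame[12:14], "big")
    if length > 1500:           # Ethernet II type field: not an 802.3/LLC frame
        return None
    payload = frame[14:14 + length]
    if dst == IEEE_STP_MAC and payload.startswith(LLC_STP):
        flavor, body = "ieee", payload[len(LLC_STP):]
    elif dst == CISCO_PVST_MAC and payload.startswith(SNAP_PVST):
        flavor, body = "pvst+", payload[len(SNAP_PVST):]
    else:
        return None
    if len(body) < 4 or body[:2] != b"\x00\x00":   # protocol identifier must be 0
        return None
    btype = BPDU_TYPES.get(body[3], f"unknown(0x{body[3]:02x})")
    root_id = root_mac = bridge_mac = None
    if body[3] in (0x00, 0x02) and len(body) >= 35:
        # offsets: 5..12 root id, 13..16 root path cost, 17..24 bridge id
        root_id = int.from_bytes(body[5:13], "big")
        root_mac = fmt_mac(body[7:13])
        bridge_mac = fmt_mac(body[19:25])
    return Bpdu(flavor, btype, fmt_mac(src), root_id, root_mac, bridge_mac)


def foreign_root_claims(frames: Iterable[bytes], own_bridge_id: int) -> List[Bpdu]:
    """BPDUs whose advertised root is better (numerically lower) than our own bridge id."""
    hits = []
    for frame in frames:
        bpdu = parse_bpdu(frame)
        if bpdu and bpdu.root_id is not None and bpdu.root_id < own_bridge_id:
            hits.append(bpdu)
    return hits


# --- constructed sample frames -------------------------------------------------
def _rstp_frame() -> bytes:
    mac = bytes.fromhex("001122334455")   # constructed: our own bridge MAC
    bpdu = (b"\x00\x00\x02\x02\x3c" + b"\x80\x00" + mac + b"\x00\x00\x00\x00"
            + b"\x80\x00" + mac + b"\x80\x01" + b"\x00\x00\x14\x00\x02\x00\x0f\x00" + b"\x00")
    payload = LLC_STP + bpdu
    return IEEE_STP_MAC + mac + len(payload).to_bytes(2, "big") + payload


def _pvst_frame() -> bytes:
    mac = bytes.fromhex("00aabbccddee")   # constructed: a neighbour with priority 4096
    bpdu = (b"\x00\x00\x00\x00\x00" + b"\x10\x0a" + mac + b"\x00\x00\x00\x00"
            + b"\x10\x0a" + mac + b"\x80\x03" + b"\x00\x00\x14\x00\x02\x00\x0f\x00")
    tlv = b"\x00\x00\x00\x02\x00\x0a"    # PVST+ originating-VLAN TLV, VLAN 10
    payload = SNAP_PVST + bpdu + tlv
    return CISCO_PVST_MAC + mac + len(payload).to_bytes(2, "big") + payload


ARP_FRAME = bytes.fromhex("ffffffffffff0011223344550806") + b"\x00" * 28
SAMPLE_FRAMES = [_rstp_frame(), _pvst_frame(), ARP_FRAME]
OWN_BRIDGE_ID = 0x8000001122334455   # priority 32768 + our MAC

if __name__ == "__main__":
    for hit in foreign_root_claims(SAMPLE_FRAMES, OWN_BRIDGE_ID):
        print(f"{hit.flavor} {hit.bpdu_type} BPDU from {hit.src_mac} claims root {hit.root_mac}")
```

On a port where the filter is working, the scan of an egress capture should return nothing at all; a PVST+ hit on a MikroTik bridge is the situation sindy described, where the frames were not recognised as BPDUs and were flooded like any other multicast.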