Q: How to bridge filter MNDP within a VLAN?

For completeness, I have attached my bridge configuration below.

The point is that I do have a VLAN 400 across an EOIP connection to another installation.
To and from the remote installation, the router sends/receives MikroTik Neighbor Discovery protocol (MNDP).

The aim is to block that protocol with a bridge filter rule in order to not expose information about the local installation to remote.

Now the problem is that the bridge filter can either block a VLAN completely or MNDP on L2 without VLAN.
I have not found a way to set up a rule to filter MNDP within a VLAN tagged connection.

Any idea how to block MNDP within a VLAN tagged connection?


Thanks and best regards
dksoft



/interface bridge
add name=LAN vlan-filtering=yes

/interface bridge port
add bridge=LAN interface=sfp-sfpplus1
add bridge=LAN edge=yes frame-types=admit-only-vlan-tagged interface=EOIP-WG-CORE

/interface bridge vlan
add bridge=LAN tagged="LAN,sfp-sfpplus1,EOIP-WG-CORE" vlan-ids=400

/ip neighbor discovery-settings
set discover-interface-list=!dynamic lldp-med-net-policy-vlan=1

/interface vlan
add name=CORE vlan-id=400

You can change the discovery settings under ip neighbors.

Default is LAN.
You could make a new Address list, which only includes the interfaces you want MNDP (and others) to advertise (and listen) on.

That’s true for devices which come with non-empty default config. High-end devices (AFAIK all CCR, CRS and RB1100) don’t have default config and everything is wide open (including MNDP and MAC winbox).

Thanks for your input, you both.

There are some limitations:

  • I must configure this at every device in my local network. But I have no access to all devices on the remote network.
  • There is no such option on Switch OS, like on my CSS610p devices.
  • I will still receive remote MNDP packages when popping up Winbox.

So the best solution would be to filter MNDP at the VLAN interface that connects to outside.
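The following is an added example, not posted in this thread and not MikroTik's own documentation, of what "filter MNDP at the VLAN interface that connects to outside" could look like on the bridge from the first post. It assumes the interface and VLAN names from that configuration (bridge LAN, port EOIP-WG-CORE, VLAN 400) and the fact that MNDP is carried in UDP to port 5678. Whether the bridge filter's vlan-encap matcher can be combined with ip-protocol/dst-port for VLAN-tagged frames is an assumption to be verified with the counters shown, so a second variant that hands VLAN-tagged bridged traffic to the IP firewall is given as a fallback.

```routeros
# Added example (not from the thread). Drop MNDP that travels VLAN-400-tagged
# over EOIP-WG-CORE in both directions, then verify with counters/sniffer.
# Assumptions: names from the poster's config; MNDP = UDP dst-port 5678.

# --- Variant A: bridge filter, matching IP fields behind the VLAN tag ---
/interface bridge filter
# remote MNDP addressed to this router itself
add chain=input in-interface=EOIP-WG-CORE mac-protocol=vlan vlan-id=400 \
    vlan-encap=ip ip-protocol=udp dst-port=5678 action=drop \
    comment="drop remote MNDP to this router"
# remote MNDP that would otherwise be flooded to the local switch port
add chain=forward in-interface=EOIP-WG-CORE mac-protocol=vlan vlan-id=400 \
    vlan-encap=ip ip-protocol=udp dst-port=5678 action=drop \
    comment="drop remote MNDP to local LAN"
# our own MNDP must not leave towards the remote site either
add chain=output out-interface=EOIP-WG-CORE mac-protocol=vlan vlan-id=400 \
    vlan-encap=ip ip-protocol=udp dst-port=5678 action=drop \
    comment="drop local MNDP to remote"

# Check 1: the packet counters of these rules must grow while a remote
# device is announcing itself (every 60 s by default); if they stay at 0,
# the matcher did not see inside the tag and Variant B is needed.
/interface bridge filter print stats

# Check 2: nothing with UDP port 5678 should still be visible on the tunnel
/tool sniffer quick interface=EOIP-WG-CORE port=5678

# --- Variant B (fallback): let the IP firewall see VLAN-tagged bridged traffic ---
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/ip firewall filter
add chain=forward in-bridge-port=EOIP-WG-CORE protocol=udp dst-port=5678 \
    action=drop comment="drop remote MNDP crossing the bridge"
add chain=input in-bridge-port=EOIP-WG-CORE protocol=udp dst-port=5678 \
    action=drop comment="drop remote MNDP to this router"
```

Variant A keeps the drop entirely on L2 and needs no change to how other traffic is processed; Variant B costs a little extra CPU because all bridged traffic now passes the IP firewall. In either case the output-direction rule is only needed if the discovery-settings discussed above still list the CORE interface, since removing CORE from discover-interface-list stops the router's own announcements at the source.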