vlans leaked

Hi,
Using CRS317 6.86.4. Even though sfp 16 is not allowed with VLAN 2606, I see a MAC address on this port with VLAN 2606.

/interface bridge> pr
name="bridge" mtu=auto actual-mtu=1500 l2mtu=1584 arp=enabled arp-timeout=auto mac-address=2C:C8:1B:2F:C8:56 protocol-mode=mstp fast-forward=yes igmp-snooping=no
auto-mac=no admin-mac=2C:C8:1B:2F:C8:56 ageing-time=5m priority=0x8000 max-message-age=20s forward-delay=15s transmit-hold-count=6 region-name="R1" region-revision=0
max-hops=20 vlan-filtering=yes ether-type=0x8100 pvid=1 frame-types=admit-only-vlan-tagged ingress-filtering=yes dhcp-snooping=no


/interface bridge vlan> pr
0 bridge 3501 bridge
sfp-sfpplus16-LXM
1 bridge 2607 sfp-sfpplus16-LXM sfp-sfpplus2-Sigma
2 bridge 167 sfp-sfpplus2-Sigma
sfp-sfpplus16-LXM
Screenshot from 2021-10-02 17-44-08.png
Help would be appreciated.
Thanks

/export hide-sensitive file=anynameyouwish

PLUS
network diagram

Without seeing the configuration from /export hide-sensitive it is difficult to say; likely missing port ingress filtering.

ty
crs317.rsc (4.38 KB)

You have only specified ingress-filtering=yes on bridge ports sfp-sfpplus2-Sigma, sfp-sfpplus16-LXM and the bridge itself (which is the bridge-to-CPU port); all the other bridge ports will permit ingress of any VLAN ID.

As you have filtering on sfp-sfpplus16-LXM, it may be that the bridge hosts table is populated before the packet is dropped. You could open a support ticket and see what MikroTik say.
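
The check described in the reply above can be run against a saved export. The following is an added example, not part of the thread or of MikroTik's tooling: it parses `/export`-style text and lists bridge ports that do not set ingress-filtering=yes. The sample export is constructed; only the two sfp-sfpplus port names come from the thread, and an absent setting is assumed to mean filtering is off, as the reply describes.

```python
import re
import shlex

# Constructed sample in the style of a RouterOS v6 /export; only the two
# named sfp-sfpplus ports come from the thread, the rest is made up.
SAMPLE_EXPORT = r"""
/interface bridge
add frame-types=admit-only-vlan-tagged ingress-filtering=yes name=bridge \
    protocol-mode=mstp vlan-filtering=yes
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=sfp-sfpplus2-Sigma
add bridge=bridge ingress-filtering=yes interface=sfp-sfpplus16-LXM
add bridge=bridge interface=sfp-sfpplus3
add bridge=bridge ingress-filtering=no interface=sfp-sfpplus4 pvid=167
/interface bridge vlan
add bridge=bridge tagged=bridge,sfp-sfpplus16-LXM vlan-ids=3501
"""


def parse_section(export_text, section):
    """Return one dict of key=value pairs per 'add' line in the given menu."""
    # Join lines that the export wrapped with a trailing backslash.
    text = re.sub(r"\\\r?\n\s*", "", export_text)
    rows, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line  # a menu path starts a new section
        elif current == section and line.startswith("add "):
            pairs = (tok.split("=", 1) for tok in shlex.split(line[4:]))
            rows.append({p[0]: p[1] for p in pairs if len(p) == 2})
    return rows


def ports_without_ingress_filtering(export_text):
    """Bridge ports that do not set ingress-filtering=yes explicitly."""
    # Assumption: an absent setting counts as disabled, matching the
    # behaviour described in the reply above.
    return [row.get("interface", "?")
            for row in parse_section(export_text, "/interface bridge port")
            if row.get("ingress-filtering") != "yes"]


if __name__ == "__main__":
    for port in ports_without_ingress_filtering(SAMPLE_EXPORT):
        print(f"{port}: ingress-filtering not enabled, any VLAN ID accepted")
```
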