We have identified an issue with IP neighbour discovery packets, specifically Cisco Discovery Packets (CDP), being transmitted when ports are members of a bridge and spanning tree has detected the port as an alternate path towards the root bridge. Whilst STP correctly disables forwarding, it still transmits CDP messages, which are then bridged by the remote routers. We presume this to be due to CDP using the same destination multicast MAC address that Spanning Tree Protocol (STP) messages use, namely 01:00:0C:CC:CC:CC.
Network structure:
- 3 sites with VPLS tunnels bridged between them, classic A B C triangle.
- Router A has lower STP bridge priority (0x7000), so it becomes the root bridge
- RSTP correctly sets one of the redundant VPLS bridge ports as alternate and disables learning and forwarding
Problem:
The bridge correctly drops all traffic on the alternate path port, except packets destined for the multicast address 01:00:0C:CC:CC:CC, used by STP and CDP.
I presume this to be so that the bridge can still process STP messages and unblock the port when necessary. The problem comes in that CDP neighbour discovery packets are still transmitted out of the port which is in a non-forwarding state. This causes intermittent connectivity problems, as remote bridges temporarily learn the path to the source MAC from the path/port which is in a non-forwarding mode.
Sample log message, showing MAC of blocked interface being received back on working port:
jun/20 23:57:16 interface,warning vpls-vlan2000-A: bridge port received packet with own address as source address (02:0f:f1:63:85:ea), probably loop
Expected behaviour:
Do not transmit CDP neighbour discovery packets out of a port when disabled by spanning tree protocol.
Configuration shows two VPLS interfaces, from ‘B’ to ‘A’ and ‘C’:
/interface vpls
add disabled=no mac-address=02:0F:F9:48:BD:CA name=vpls-vlan2000-A remote-peer=192.168.255.1 vpls-id=1:22000
add disabled=no mac-address=02:0F:F1:63:85:EA name=vpls-vlan2000-C remote-peer=192.168.255.3 vpls-id=3:22000
Router B’s bridge configuration, running RSTP:
/interface bridge
add name=bridge-vlan2000
/interface bridge port
add bridge=bridge-vlan2000 interface=vpls-vlan2000-A
add bridge=bridge-vlan2000 interface=vpls-vlan2000-C
Spanning Tree correctly sets the ‘vpls-vlan2000-C’ interface's role as alternate-port, thereby disabling learning and forwarding:
[davidh@B] > /int bridge port print stats where bridge=bridge-vlan2000
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload
 0   interface=vpls-vlan2000-A bridge=bridge-vlan2000 priority=0x80 path-cost=10 internal-path-cost=10
     edge=auto point-to-point=auto learn=auto horizon=none auto-isolate=no restricted-role=no
     restricted-tcn=no pvid=1 frame-types=admit-all ingress-filtering=no unknown-unicast-flood=yes
     unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no
     multicast-router=temporary-query fast-leave=no status=in-bridge port-number=1 role=root-port
     edge-port=no edge-port-discovery=yes point-to-point-port=no external-fdb-status=no
     sending-rstp=yes learning=yes forwarding=yes root-path-cost=10
     designated-bridge=0x7000.02:3A:EF:BC:95:B8 designated-cost=0 designated-port-number=2

 1   interface=vpls-vlan2000-C bridge=bridge-vlan2000 priority=0x80 path-cost=10 internal-path-cost=10
     edge=auto point-to-point=auto learn=auto horizon=none auto-isolate=no restricted-role=no
     restricted-tcn=no pvid=1 frame-types=admit-all ingress-filtering=no unknown-unicast-flood=yes
     unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no
     multicast-router=temporary-query fast-leave=no status=in-bridge port-number=2 role=alternate-port
     edge-port=no edge-port-discovery=yes point-to-point-port=no external-fdb-status=no
     sending-rstp=yes learning=no forwarding=no root-path-cost=20
     designated-bridge=0x8000.02:57:0E:3C:25:0E designated-cost=10 designated-port-number=2
6.44 made changes to transmit bond and bridge slave port information out via MNDP, CDP and LLDP; this is when the behaviour started. This also changes the previous behaviour in that these neighbour discovery packets are transmitted not just from the bridge itself, but additionally from all slave ports. Herewith an example, showing the remote interface as being bridge-vlan2000/vpls-vlan2000-C:
[davidh@B] > /ip neighbor print detail
 0   interface=vpls-vlan2000-A,bridge-vlan2000 mac-address=02:0F:F1:63:85:EA
     identity="B" platform="MikroTik" version="6.44.3 (stable)" unpack=none age=9s
     interface-name="bridge-vlan2000/vpls-vlan2000-C" system-caps="" system-caps-enabled=""
Temporary work around:
- Create an interface list called 'vpls' and add all VPLS interfaces to this list
- Set IP neighbour discovery to use all interfaces except those in the 'vpls' interface list
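The work-around above written out as RouterOS CLI commands for router B, as an added example that is not part of the original post. The interface list name 'vpls' and the two VPLS interface names come from the post; the second list, 'discovery', and the use of the interface-list include=/exclude= parameters to express "all interfaces except those in vpls" are assumptions of this example, as are the verification commands at the end.

```routeros
# Added example, not from the original post: confine IP neighbour
# discovery to every interface except the VPLS bridge ports on router B.

# 1. Interface list holding all VPLS interfaces (name 'vpls' is from the post).
/interface list
add name=vpls comment="VPLS pseudowires that are RSTP-controlled bridge ports"

# 2. A second list (name 'discovery' is an assumption) built as 'all' minus 'vpls',
#    so newly added non-VPLS interfaces are still covered automatically.
add name=discovery include=all exclude=vpls \
    comment="every interface except VPLS ports; used for neighbour discovery"

/interface list member
add list=vpls interface=vpls-vlan2000-A
add list=vpls interface=vpls-vlan2000-C

# 3. Point neighbour discovery (MNDP/CDP/LLDP) at the derived list. The bridge
#    interface bridge-vlan2000 itself is not in 'vpls', so it still advertises;
#    only the per-slave-port transmissions on the VPLS interfaces stop.
/ip neighbor discovery-settings
set discover-interface-list=discovery

# 4. Verification (assumed commands): confirm the effective list and that the
#    "own address as source address" loop warnings no longer appear.
/ip neighbor discovery-settings print
/interface list member print where list=vpls
/ip neighbor print detail
/log print where message~"own address as source address"
```

If the RSTP roles later change (for example vpls-vlan2000-A becomes the alternate port after a failure at site A), no reconfiguration is needed, because both VPLS interfaces are excluded regardless of which one is currently blocked.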