I have a scenario where I need to filter STP BPDUs which are egressing a bridge port on various CRS models (112/125/226 etc.); this is to prevent transmission of said BPDUs into a remote network. The remote network will also filter them on ingress; however, we also need to filter on egress to be safe. This would be the equivalent of the bpdu-filter function on other vendors. Currently testing with 6.38.5 as this is our internally approved "stable" code.
The topology is as follows:
site LAN < all other interfaces << CRS >> via ether1-master > remote network (STP BPDUs must not be transmitted into this network)
Config as below to create a bridge for the CRS switch chip STP in-hardware process (which dynamically adds slave interfaces to the STP bridge). I am attempting to use bridge filter to drop all STP BPDUs (dst-mac-address=01:80:C2:00:00:00/FF:FF:FF:FF:FF:FF) egressing ether1-master; however, the bridge filter ACL has no effect (and STP BPDUs with this destination MAC address are still seen via external Wireshark on ether1-master). I have tested various filter scenarios, such as no out-interface defined; however, there is no change in behaviour.
/interface bridge
add comment="Switch chip STP bridge" name=bridge-stp
/interface bridge filter
add action=drop chain=output comment="Drop STP BPDUs egress ether1-master" dst-mac-address=01:80:C2:00:00:00/FF:FF:FF:FF:FF:FF out-interface=ether1-master
/interface bridge port
add bridge=bridge-stp comment="Switch chip master interface" interface=ether1-master
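Added example, not part of the original post or of RouterOS: an offline check for the verification step described above (confirming from a capture on ether1-master that no STP BPDUs are leaving the port). Frames are assumed to be raw Ethernet bytes as exported from Wireshark or tcpdump; the two sample frames are constructed here, and reading a real pcap (e.g. with dpkt or scapy) is left out.

```python
import struct

STP_MCAST = bytes.fromhex("0180c2000000")  # 01:80:C2:00:00:00, the STP group MAC

def parse_bpdu(frame: bytes):
    """Return a dict describing the BPDU if `frame` is an STP/RSTP BPDU, else None.

    A BPDU is an 802.3 frame (length field <= 1500) addressed to 01:80:C2:00:00:00,
    carrying an LLC header DSAP=SSAP=0x42, control 0x03, then the BPDU body.
    """
    if len(frame) < 14 + 3 + 4 or frame[0:6] != STP_MCAST:
        return None
    length_or_type = struct.unpack("!H", frame[12:14])[0]
    if length_or_type > 1500:  # an EtherType (Ethernet II), not an 802.3 length
        return None
    dsap, ssap, ctrl = frame[14], frame[15], frame[16]
    if (dsap, ssap, ctrl) != (0x42, 0x42, 0x03):
        return None
    proto_id, version, bpdu_type = struct.unpack("!HBB", frame[17:21])
    if proto_id != 0:  # STP protocol identifier is always 0
        return None
    kinds = {0x00: "config", 0x80: "tcn", 0x02: "rstp"}
    return {"src": frame[6:12].hex(":"), "version": version,
            "type": kinds.get(bpdu_type, f"unknown(0x{bpdu_type:02x})")}

def find_leaked_bpdus(frames):
    """Return every BPDU found in an iterable of raw frames (empty if the egress filter works)."""
    return [b for b in map(parse_bpdu, frames) if b]

# Constructed samples: one RSTP BPDU (36-byte body zeroed) and one ordinary IPv4 broadcast frame.
_rstp_bpdu = (STP_MCAST + bytes.fromhex("d4ca6d000001") + struct.pack("!H", 39)
              + bytes([0x42, 0x42, 0x03]) + struct.pack("!HBB", 0, 2, 0x02)
              + bytes(36))
_ipv4 = bytes.fromhex("ffffffffffff" "d4ca6d000001" "0800") + bytes(46)
SAMPLE_FRAMES = [_rstp_bpdu, _ipv4]

if __name__ == "__main__":
    for b in find_leaked_bpdus(SAMPLE_FRAMES):
        print("STP BPDU leaked:", b)
```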