dbsoundman
just joined
Topic Author
Posts: 6
Joined: Wed Feb 17, 2021 3:56 pm

HOW-TO: Spanning Tree BPDU Filtering with ACLs

Sat Feb 20, 2021 9:21 pm

Hi all, I just recently got into Mikrotik devices. I purchased two CSS-326 units for my home network to get familiar with SwOS, replacing my trusty but aged HP ProCurve switches.

One feature that most enterprise-grade switches have is the ability to either filter or block Bridge Protocol Data Units (BPDUs) on certain ports. Typically this is done on ports that are used for device access, where you wouldn't normally want to accept spanning tree protocol messages. In my case, I use it because I periodically play with new networking gear, and don't want the new gear to cause a spanning tree root bridge change on my home network.

I noticed that SwOS did not include any spanning tree filter/blocking features, so I decided to do some research; in the process, I learned something! Turns out that spanning tree messages always use the same two MAC addresses (reference: https://en.wikipedia.org/wiki/Bridge_Protocol_Data_Unit). This means that all we should have to do to filter BPDUs on a port is apply an ACL that simply drops messages on that port with either of those two MAC addresses as the destination MAC address.

I just implemented these rules today, and as you can see from my screenshot, it's definitely working on a particularly noisy ISP gateway I have connected to one of my ports:

Image

In case the screenshot gets lost in the future, here are the settings you need to set:
  • From: ports you want to apply filtering
  • MAC dst: 01:80:C2:00:00:00 and 01:00:0C:CC:CC:CD (you'll need two separate ACLs, one for each MAC address)
  • Set "drop" as the action
Hope that helps!
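As an added illustration (my example, not code from the original post and not anything SwOS itself runs), the following Python models the two ACL rules described above: it parses Ethernet frames, checks the LLC/SNAP header to confirm that frames sent to those two destination MACs really are spanning-tree messages, and then applies the per-port drop/forward decision with hit counters like the ones in the screenshot. The port names (ether1, ether5), the gateway MAC address and the sample frames are all constructed for the demo.

```python
import struct
from collections import Counter
from typing import Optional

# Destination MAC addresses used by spanning-tree messages (the two the post's ACLs match on).
BPDU_DST_MACS = {
    "01:80:c2:00:00:00": "ieee-stp",  # IEEE 802.1D bridge group address: STP/RSTP/MSTP
    "01:00:0c:cc:cc:cd": "pvst+",     # Cisco PVST+/Rapid-PVST+ per-VLAN BPDUs
}
DST_IEEE = bytes.fromhex("0180c2000000")
DST_PVST = bytes.fromhex("01000ccccccd")
LLC_STP = b"\x42\x42\x03"                        # DSAP 0x42, SSAP 0x42, UI control field
SNAP_PVST = b"\xaa\xaa\x03\x00\x00\x0c\x01\x0b"  # SNAP header, Cisco OUI 00:00:0c, PID 0x010b


def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet frame into its header fields and payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    return {"dst": mac_to_str(frame[:6]), "src": mac_to_str(frame[6:12]),
            "type_or_len": type_or_len, "payload": frame[14:]}


def bpdu_kind(frame: bytes) -> Optional[str]:
    """Return which BPDU flavour a frame carries, or None if it is not a BPDU.
    The ACL only looks at the destination MAC; the LLC/SNAP check here just confirms
    that the frames the ACL will drop really are spanning-tree messages."""
    f = parse_frame(frame)
    kind = BPDU_DST_MACS.get(f["dst"])
    if kind is None or f["type_or_len"] > 1500:  # BPDUs are 802.3 length-encoded, not Ethernet II
        return None
    p = f["payload"]
    if kind == "ieee-stp" and p.startswith(LLC_STP):
        return kind
    if kind == "pvst+" and p.startswith(SNAP_PVST):
        return kind
    return None


class BpduFilterAcl:
    """Models the two SwOS ACL rules from the post: on the selected ports, drop any frame
    whose destination MAC is one of the BPDU addresses; forward everything else."""

    def __init__(self, filtered_ports):
        self.filtered_ports = set(filtered_ports)
        self.hits = Counter()  # (port, dst MAC) -> dropped frames, like the ACL hit counters

    def decide(self, port: str, frame: bytes) -> str:
        dst = parse_frame(frame)["dst"]
        if port in self.filtered_ports and dst in BPDU_DST_MACS:
            self.hits[(port, dst)] += 1
            return "drop"
        return "forward"


def _config_bpdu_body(bridge_mac: bytes) -> bytes:
    """Minimal 802.1D configuration BPDU body (35 bytes): this bridge claims to be root."""
    bridge_id = b"\x80\x00" + bridge_mac                  # priority 32768 + MAC
    body = struct.pack("!HBBB", 0, 0, 0, 0)               # protocol id, version, type=config, flags
    body += bridge_id + struct.pack("!I", 0) + bridge_id  # root id, root path cost, bridge id
    body += struct.pack("!HHHHH", 0x8001, 0, 20 * 256, 2 * 256, 15 * 256)  # port id, timers (1/256 s)
    return body


def build_ieee_bpdu(src: bytes) -> bytes:
    payload = LLC_STP + _config_bpdu_body(src)
    return DST_IEEE + src + struct.pack("!H", len(payload)) + payload


def build_pvst_bpdu(src: bytes) -> bytes:
    payload = SNAP_PVST + _config_bpdu_body(src)
    return DST_PVST + src + struct.pack("!H", len(payload)) + payload


def build_arp_request(src: bytes) -> bytes:
    # Ordinary broadcast traffic (Ethernet II, type 0x0806); body zeroed, constructed for the demo
    return bytes.fromhex("ffffffffffff") + src + b"\x08\x06" + bytes(28)


def run_demo() -> dict:
    """Constructed scenario: ether5 faces a chatty gateway, ether1 is the uplink to another switch."""
    acl = BpduFilterAcl(filtered_ports={"ether5"})
    gw = bytes.fromhex("020000000001")  # constructed, locally administered MAC
    traffic = [
        ("ether5", build_ieee_bpdu(gw)),
        ("ether5", build_pvst_bpdu(gw)),
        ("ether5", build_arp_request(gw)),
        ("ether1", build_ieee_bpdu(gw)),  # unfiltered port: STP between the switches must keep working
    ]
    decisions = [(port, bpdu_kind(f), acl.decide(port, f)) for port, f in traffic]
    return {"decisions": decisions, "hits": dict(acl.hits)}


if __name__ == "__main__":
    for row in run_demo()["decisions"]:
        print(row)
```

Running it prints one (port, kind, decision) row per frame. The design point is that the filter is port-scoped, exactly as the ACL "From" field makes it: the same BPDU that is dropped on the access-facing port is forwarded on the uplink, which is what keeps spanning tree running between the two switches while the noisy gateway can no longer influence the root bridge election.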
 
mada3k
Long time Member
Posts: 682
Joined: Mon Jul 13, 2015 10:53 am
Location: Sweden

Re: HOW-TO: Spanning Tree BPDU Filtering with ACLs

Sun Feb 21, 2021 1:17 pm

Thanks for the tip!

Mikrotik often misses these standard types of "standard features" for some reason (BPDU filter/guard, switchport security sticky, etc.) but it's good that it's possible to do manually at least.
