One feature that most enterprise-grade switches have is the ability to either filter or block Bridge Protocol Data Units (BPDUs) on certain ports. Typically this is done on ports that are used for device access, where you wouldn't normally want to accept spanning tree protocol messages. In my case, I use it because I periodically play with new networking gear, and don't want the new gear to cause a spanning tree root bridge change on my home network.
I noticed that SwOS did not include any spanning tree filter/blocking features, so I decided to do some research; in the process, I learned something! It turns out that spanning tree messages are always sent to one of the same two destination MAC addresses (reference: https://en.wikipedia.org/wiki/Bridge_Protocol_Data_Unit). This means that all we should have to do to filter BPDUs on a port is apply an ACL that simply drops frames arriving on that port with either of those two MAC addresses as the destination MAC address.
I just implemented these rules today, and as you can see from my screenshot, it's definitely working on a particularly noisy ISP gateway I have connected to one of my ports:
In case the screenshot gets lost in the future, here are the settings you need to set:
- From: the ports you want to apply filtering to
- MAC dst: 01:80:C2:00:00:00 and 01:00:0C:CC:CC:CD (you'll need two separate ACLs, one for each MAC address)
- Set "drop" as the action
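As an added example (not code from the post, and not a MikroTik or SwOS feature), here is a small Python model of those two ACL rules run over constructed Ethernet frames. It makes the same decision the switch ACL makes, matching only on the destination MAC, and then decodes the dropped BPDUs far enough to log which bridge and which root they were advertising, which is what you would want to see when deciding whether a port really should be filtered. The frame layouts follow IEEE 802.1D (LLC DSAP/SSAP 0x42) and Cisco PVST+ (SNAP with OUI 00:00:0c, PID 0x010b); every MAC address, frame and bridge priority in the sample set is constructed for this example.

```python
"""Simulate the two-rule 'drop by destination MAC' ACL over constructed Ethernet
frames, and decode what the dropped BPDUs were advertising."""
import struct

# The two destination MACs every spanning tree BPDU is sent to: the IEEE
# 802.1D/RSTP/MSTP multicast and the Cisco PVST+ (SSTP) multicast.
BPDU_DST_MACS = {
    "01:80:c2:00:00:00": "IEEE STP/RSTP/MSTP",
    "01:00:0c:cc:cc:cd": "Cisco PVST+",
}

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def mac_bytes(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))

def acl_decision(frame: bytes) -> str:
    """The switch ACL from the post: match on dst MAC only, action 'drop'."""
    if len(frame) < 14:
        return "forward"   # runt frame: no full header for the ACL to match on
    return "drop" if mac_str(frame[0:6]) in BPDU_DST_MACS else "forward"

def parse_bpdu(frame: bytes):
    """Decode a config/RSTP BPDU enough to log who is advertising which root."""
    flavor = BPDU_DST_MACS.get(mac_str(frame[0:6]))
    if flavor is None:
        return None
    length = struct.unpack("!H", frame[12:14])[0]   # 802.3 length field, not an EtherType
    payload = frame[14:14 + length]
    if payload[:3] == b"\x42\x42\x03":                        # LLC DSAP/SSAP 0x42 = STP
        body = payload[3:]
    elif payload[:8] == b"\xaa\xaa\x03\x00\x00\x0c\x01\x0b":  # SNAP, Cisco OUI, PVST+ PID
        body = payload[8:]
    else:
        return None   # BPDU multicast but an encapsulation we don't decode; still dropped
    _proto, version, bpdu_type = struct.unpack("!HBB", body[:4])
    info = {"flavor": flavor, "version": version,
            "bpdu_type": {0x00: "config", 0x02: "rstp", 0x80: "tcn"}.get(bpdu_type, hex(bpdu_type))}
    if bpdu_type in (0x00, 0x02) and len(body) >= 35:
        (_flags, root_prio, root_mac, cost,
         _br_prio, br_mac, port_id) = struct.unpack("!BH6sIH6sH", body[4:27])
        # 802.1t splits the 16-bit priority into 4 priority bits + 12-bit system ID
        # extension (the VLAN number in PVST+).
        info.update(root_priority=root_prio & 0xF000, root_sysid_ext=root_prio & 0x0FFF,
                    root_mac=mac_str(root_mac), root_path_cost=cost,
                    bridge_mac=mac_str(br_mac), port_id=port_id)
    return info

def build_bpdu_frame(dst: str, src: str, priority: int, cisco: bool = False) -> bytes:
    """Constructed sample: a config BPDU in which the sender also claims to be root."""
    bridge_id = struct.pack("!H", priority) + mac_bytes(src)
    body = struct.pack("!HBBB", 0, 0, 0, 0)                 # protocol id, version, type=config, flags
    body += bridge_id + struct.pack("!I", 0) + bridge_id    # root id, root path cost, bridge id
    body += struct.pack("!HHHHH", 0x8001, 0, 20 << 8, 2 << 8, 15 << 8)  # port id, timers in 1/256 s
    llc = b"\xaa\xaa\x03\x00\x00\x0c\x01\x0b" if cisco else b"\x42\x42\x03"
    payload = llc + body
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", len(payload)) + payload

SAMPLE_FRAMES = {   # all constructed for this example
    "ieee_stp":   build_bpdu_frame("01:80:c2:00:00:00", "00:11:22:33:44:55", 0x8000),
    "cisco_pvst": build_bpdu_frame("01:00:0c:cc:cc:cd", "00:aa:bb:cc:dd:ee", 0x8001, cisco=True),
    # ordinary traffic the ACL must leave alone: an ARP broadcast and an IPv4 unicast
    "arp_broadcast": mac_bytes("ff:ff:ff:ff:ff:ff") + mac_bytes("00:11:22:33:44:55") + b"\x08\x06" + bytes(28),
    "ipv4_unicast":  mac_bytes("00:aa:bb:cc:dd:ee") + mac_bytes("00:11:22:33:44:55") + b"\x08\x00" + bytes(20),
}

def apply_acl(frames):
    """Run each frame through the ACL; return (decision, one-line summary) pairs."""
    results = []
    for frame in frames:
        decision = acl_decision(frame)
        info = parse_bpdu(frame) if decision == "drop" else None
        if info and "root_mac" in info:
            summary = (f"{info['flavor']} {info['bpdu_type']} BPDU from {mac_str(frame[6:12])}: "
                       f"root {info['root_priority']}/{info['root_mac']} cost {info['root_path_cost']}")
        else:
            summary = f"{mac_str(frame[6:12])} -> {mac_str(frame[0:6])}"
        results.append((decision, summary))
    return results

if __name__ == "__main__":
    for decision, summary in apply_acl(SAMPLE_FRAMES.values()):
        print(f"{decision:7s} {summary}")
```

Running it shows the two BPDUs dropped (with the root bridge each one advertises) and the ARP and IPv4 frames forwarded. The point of the decoding step is that the ACL itself is blind to content: it drops everything sent to those two multicast addresses, so before filtering a port it is worth knowing whether the noisy device is merely chatty or is actually advertising a lower bridge priority than your intended root.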