Feature Request: bridge STP BPDU translation
Open, WishlistPublicFEATURE REQUEST
Actions

Assigned To

None

Authored By

	Unknown Object (User)
	Dec 31 2021, 3:56 AM

Description

When a bridge connects subinterfaces of different VLANs (eth0.705 & eth1.706 for example), STP messages from one VLAN go to the other VLAN. This causes port blocking on the switches.

The solution which is used in Cisco ASA is the modification of the host numbers in the STP messages (pcap files attached, see the latest STP packets).
nftables allows to do this in VyOS (thanks to @zsdc for the example of nft rules):

sudo nft add table bridge br1
sudo nft add chain bridge br1 vlan_change_705 { type filter hook postrouting priority 300 \; policy accept \; }
sudo nft add rule bridge br1 vlan_change_705 meta oifname eth0.705 ether daddr 01:00:0c:cc:cc:cd @nh,384,16 706 @nh,384,16 set 705

sudo nft add table bridge br1
sudo nft add chain bridge br1 vlan_change_706 { type filter hook postrouting priority 300 \; policy accept \; }
sudo nft add rule bridge br1 vlan_change_706 meta oifname eth1.706 ether daddr 01:00:0c:cc:cc:cd @nh,384,16 705 @nh,384,16 set 706

It would be useful to add this feature to the VyOS bridge or firewall settings

Details

Difficulty level: Unknown (require assessment)
Version: -
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Unspecified (please specify)

Event Timeline

Unknown Object (User) created this task.Dec 31 2021, 3:56 AM

Unknown Object (User) created this object in space S1 VyOS Public.

Viacheslav changed the subtype of this task from "Task" to "Feature Request".Dec 31 2021, 12:11 PM

fernando added a subscriber: fernando.Dec 31 2021, 2:43 PM

I want to leave a comment , it's also common that customers don't know that PVST is enabled by default (and send bpdu peer VLANS), So it's possible to mitigate it also using nf rules , below leave a example:

table bridge filter { # handle 8
	chain FORWARD { # handle 1
 		type filter hook forward priority filter; policy accept;
		iifname "eth1" ether daddr 01 :00:0c:cc:cc:cd ether type vlan vlan id 10  log prefix "STP DROP IN" level notice flags ether   counter packets 453 bytes 22650 drop # handle 2
		iifname  "eth2" ether daddr 01:00:0c:cc:cc:cd ether type vlan vlan id 10   log prefix "STP DROP IN2" level notice flags ether  counter packets 228 bytes 11400 drop # handle 3
	}

	chain INPUT { # handle 4
		type filter hook input priority filter; policy accept;
		ether daddr 01 :00:0c:cc:cc:cd ether type vlan vlan id 10  log prefix "STP DROP IP" level notice flags ether   counter packets 33 bytes 1650 drop # handle 5
	}

these rules , they can filter PVSTP (using its MAC ) or add MSTP MAC

pasik added a subscriber: pasik.Mar 21 2022, 8:45 AM

syncer edited projects, added VyOS 1.3 Equuleus (1.3.3); removed VyOS 1.3 Equuleus ( 1.3.1).Aug 29 2022, 12:12 PM

syncer edited projects, added VyOS 1.3 Equuleus (1.3.4); removed VyOS 1.3 Equuleus (1.3.3).Jul 12 2023, 9:39 PM

syncer edited projects, added VyOS 1.3 Equuleus (1.3.5); removed VyOS 1.3 Equuleus (1.3.4).Aug 25 2023, 9:29 PM

Viacheslav removed a project: VyOS 1.3 Equuleus (1.3.5).Aug 30 2023, 11:55 AM

Viacheslav triaged this task as Wishlist priority.Jan 20 2024, 8:59 AM

dmbaturin edited projects, added VyOS 1.5 Circinus; removed VyOS 1.4 Sagitta.Fri, Apr 12, 11:15 AM

Feature Request: bridge STP BPDU translationOpen, WishlistPublicFEATURE REQUESTActions

Description

Details

Event Timeline

Feature Request: bridge STP BPDU translation
Open, WishlistPublicFEATURE REQUEST
Actions