Windows 10/11 doing unexpected traffic on tagged ports
Today we discovered some machines doing substantial amounts of traffic to each other on IPv6 link-local addresses. These machines are in different VLANs, but still appear to be communicating with each other.
We pointed fingers at the UniFi network and expected that it would be routing IPv6 link-local between VLANs, but in the end it seems this was Windows 10 creating havoc.
One of the hosts in question had LLDP enabled on its switch port, and the port was a complete trunk port, so all VLANs were allowed.
Apparently Windows discovers this and starts creating IPv6 link-local addresses for each of these VLANs, and uses them in mDNS updates (the application in question updated these).
As the client in the other VLAN could connect to the server over its native VLAN, it could communicate with the server, but as the switches could not learn the MAC address, all this traffic was flooded towards all clients in the network.
This was fixed by removing the VLAN tags and LLDP on the switch port the server was connected to.
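As an added example (not from the original post, nor from Windows or UniFi), here is a small Python check for the symptom described above: it parses 802.1Q-tagged Ethernet frames carrying IPv6 and flags any link-local (fe80::/10) source seen under a VLAN tag other than the port's native VLAN. The frames, MACs and addresses are constructed test data; the native VLAN id is an assumption.

```python
import ipaddress
import struct
ETHERTYPE_VLAN = 0x8100   # 802.1Q tag
ETHERTYPE_IPV6 = 0x86DD
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")

def parse_frame(frame: bytes):
    """Return (vlan_id or None, src_mac, src_ip6, dst_ip6) for an IPv6 frame, else None."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, vlan = 14, None
    if ethertype == ETHERTYPE_VLAN:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18       # VID is the low 12 bits of the TCI
    if ethertype != ETHERTYPE_IPV6:
        return None
    ip6 = frame[offset:offset + 40]            # fixed 40-byte IPv6 header
    return vlan, frame[6:12].hex(":"), ipaddress.IPv6Address(ip6[8:24]), ipaddress.IPv6Address(ip6[24:40])

def flag_tagged_link_local(frames, native_vlan):
    """List (vlan, src_mac, src_ip) for link-local IPv6 sourced under a non-native VLAN tag."""
    hits = []
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        vlan, mac, src, _dst = parsed
        if vlan is not None and vlan != native_vlan and src in LINK_LOCAL:
            hits.append((vlan, mac, str(src)))
    return hits

def build_frame(dst_mac, src_mac, src_ip, dst_ip, vlan=None):
    """Construct a sample Ethernet [+802.1Q] frame with an empty IPv6 header (test data only)."""
    hdr = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    if vlan is not None:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vlan)
    hdr += struct.pack("!H", ETHERTYPE_IPV6)
    ip6 = struct.pack("!IHBB", 0x60000000, 0, 59, 64)  # ver 6, payload len 0, next hdr 59 (none), hop 64
    return hdr + ip6 + ipaddress.IPv6Address(src_ip).packed + ipaddress.IPv6Address(dst_ip).packed

# Constructed sample capture (made-up MACs/addresses): the server sits on native VLAN 10 but also
# answers from a link-local address it built for VLAN 20, which it should never have seen.
SAMPLE_FRAMES = [
    build_frame("33:33:00:00:00:fb", "02:00:00:00:00:01", "fe80::1", "ff02::fb"),            # untagged mDNS, fine
    build_frame("02:00:00:00:00:02", "02:00:00:00:00:01", "fe80::1", "fe80::2", vlan=10),   # native VLAN, fine
    build_frame("02:00:00:00:00:03", "02:00:00:00:00:01", "fe80::1", "fe80::3", vlan=20),   # tagged VLAN 20: flag
    build_frame("02:00:00:00:00:03", "02:00:00:00:00:01", "2001:db8::1", "2001:db8::3", vlan=20),  # global, not link-local
]

def audit_sample():
    return flag_tagged_link_local(SAMPLE_FRAMES, native_vlan=10)
```

Run over a real capture, the same check applied per access port tells you which hosts are sourcing link-local traffic into VLANs they were never meant to see, which is exactly the traffic the switches then flooded.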
Apparently this has been an issue for quite a while in Windows 10/11:
https://serverfault.com/questions/907602/windows-computers-getting-slaac-ipv6-from-tagged-vlan