bpdu-filter, does it really surpress bpdu's being sent?
Ok, ive got a 3550 connected to a 7200, all required outputs are below.I was of the idea bpdu-filter stopped bpdus being sent on a port, doesnt look to be the case here.
3550-2#show runn int gig 0/4
Building configuration...
Current configuration : 219 bytes
!
interface GigabitEthernet0/4
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1000
switchport mode trunk
switchport nonegotiate
no keepalive
no cdp enable
spanning-tree bpdufilter enable
e11-3550-2#show int gig 0/4
GigabitEthernet0/4 is up, line protocol is up (connected)
Hardware is Gigabit Ethernet, address is 000d.290f.7104 (bia 000d.290f.7104)
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive not set
Full-duplex, 1000Mb/s, media type is SX
input flow-control is off, output flow-control is on
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:06:19, output 00:00:00, output hang never
Last clearing of "show interface" counters 00:13:33
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
41 packets input, 9232 bytes, 0 no buffer
Received 16 broadcasts (0 multicast)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 16 multicast, 0 pause input
0 input packets with dribble condition detected
997 packets output, 105776 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 PAUSE output
0 output buffer failures, 0 output buffers swapped out
c10-7200-4#show runn int gig 0/1
Building configuration...
Current configuration : 140 bytes
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
media-type gbic
negotiation auto
no keepalive
no cdp enable
end
Frame received on 7200.
=============================================================================
05:15:22.319 UTC Thu Feb 28 2008 Relative Time: 1.830455
Packet 1 of 85 In: GigabitEthernet0/1
Ethernet Packet: 68 bytes
Dest Addr: 0100.0CCC.CCCD, Source Addr: 000D.290F.7104
DOT1Q Tag ID: 0x8100, Priority: 7, CFI: 0, VLAN ID: 1000
Protocol: 0x0032
Data:
0 : AAAA 0300 000C 010B 0000 0000 0060 0000 0ED6 FF90 .............`......
20 : 0000 0000 0060 0000 0ED6 FF90 0020 0200 000A 0002 .....`....... ......
40 : 0006 0000 0000 0002 03E8 ..........
3550-2#show runn int gig 0/4
Building configuration...
Current configuration : 219 bytes
!
interface GigabitEthernet0/4
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1000
switchport mode trunk
switchport nonegotiate
no keepalive
no cdp enable
spanning-tree bpdufilter enable
e11-3550-2#show int gig 0/4
GigabitEthernet0/4 is up, line protocol is up (connected)
Hardware is Gigabit Ethernet, address is 000d.290f.7104 (bia 000d.290f.7104)
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive not set
Full-duplex, 1000Mb/s, media type is SX
input flow-control is off, output flow-control is on
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:06:19, output 00:00:00, output hang never
Last clearing of "show interface" counters 00:13:33
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
41 packets input, 9232 bytes, 0 no buffer
Received 16 broadcasts (0 multicast)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 16 multicast, 0 pause input
0 input packets with dribble condition detected
997 packets output, 105776 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 PAUSE output
0 output buffer failures, 0 output buffers swapped out
c10-7200-4#show runn int gig 0/1
Building configuration...
Current configuration : 140 bytes
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
media-type gbic
negotiation auto
no keepalive
no cdp enable
end
Frame received on 7200.
=============================================================================
05:15:22.319 UTC Thu Feb 28 2008 Relative Time: 1.830455
Packet 1 of 85 In: GigabitEthernet0/1
Ethernet Packet: 68 bytes
Dest Addr: 0100.0CCC.CCCD, Source Addr: 000D.290F.7104
DOT1Q Tag ID: 0x8100, Priority: 7, CFI: 0, VLAN ID: 1000
Protocol: 0x0032
Data:
0 : AAAA 0300 000C 010B 0000 0000 0060 0000 0ED6 FF90 .............`......
20 : 0000 0000 0060 0000 0ED6 FF90 0020 0200 000A 0002 .....`....... ......
40 : 0006 0000 0000 0002 03E8 ..........
Networking, sometimes i love it, mostly i hate it.Its all about the $$$$
Comments
Routing and Switching
Service Provider
That's not true, the status of portfast does not affect bpdufilter. Portfast and BPDU filter work well together, and can portfast can be enabled globally with the "spanning-tree portfast bpdufilter default" command. The benefit of this configuration is that if a BPDU is received on a portfast enabled port, it will lose it's portfast status.
"Understanding BPDU Filtering
The BPDU filtering feature can be globally enabled on the switch or can be enabled per interface, but the feature operates with some differences.
At the global level, you can enable BPDU filtering on Port Fast-enabled interfaces by using the spanning-tree portfast bpdufilter default global configuration command. This command prevents interfaces that are in a Port Fast-operational state from sending or receiving BPDUs. The interfaces still send a few BPDUs at link-up before the switch begins to filter outbound BPDUs. You should globally enable BPDU filtering on a switch so that hosts connected to these interfaces do not receive BPDUs. If a BPDU is received on a Port Fast-enabled interface, the interface loses its Port Fast-operational status, and BPDU filtering is disabled.
At the interface level, you can enable BPDU filtering on any interface by using the spanning-tree bpdufilter enable interface configuration command without also enabling the Port Fast feature. This command prevents the interface from sending or receiving BPDUs. "
basically still sends them out initially.
however ED I have to ask why turn on bpdu filter on a trunk? by the nature of a trunk port you are connecting to another switch and therefore risk causing a loop and bringing the world to an end!
Try the same but using it an an access port.
I did a quick test two trunk links with BPDU gaurd, no shuts and they go in to shutdown (BPDU violation)
The thing is that bdpufilter also get disabled in the process. If portfast is enabled and a bpdu is recieved, portfast and bpdufilter will be disabled. It's stated in DocCD and I have replicated on my switches.
If I'm not mistaken, when bpdufilter is applied at the interface level with portfast turned on it does not turn bpdufilter off.
Routing and Switching
Service Provider
BPDUFilter will not be disabled if you enable portfast on an interface, and bpdufilter will not be disabled if it receives a BPDU IF you enabled it on the interface. When enabled globally it will disable the BPDUfilter feature and portfast when it receives a BPDU but not when it's onfigured on the interface.
SW1#sh spanning-tree vlan 1 VLAN0001 Spanning tree enabled protocol ieee Root ID Priority 32769 Address 001a.e387.6f80 Cost 19 Port 15 (FastEthernet0/13) Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Bridge ID Priority 32769 (priority 32768 sys-id-ext 1) Address 001a.e3a8.8f00 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Aging Time 300 Interface Role Sts Cost Prio.Nbr Type ---------------- ---- --- --------- -------- -------------------------------- Fa0/13 Root FWD 19 128.15 P2p Fa0/14 Altn BLK 19 128.16 P2p Fa0/15 Desg FWD 19 128.17 P2p SW1#sh cdp nei Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone Device ID Local Intrfce Holdtme Capability Platform Port ID SW2 Fas 0/15 162 R S I WS-C3560-2Fas 0/15 SW2 Fas 0/14 162 R S I WS-C3560-2Fas 0/14 SW2 Fas 0/13 161 R S I WS-C3560-2Fas 0/13 SW1# SW2#sh spanning-tree vlan 1 VLAN0001 Spanning tree enabled protocol ieee Root ID Priority 32769 Address 001a.e387.6f80 This bridge is the root Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Bridge ID Priority 32769 (priority 32768 sys-id-ext 1) Address 001a.e387.6f80 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Aging Time 15 Interface Role Sts Cost Prio.Nbr Type ---------------- ---- --- --------- -------- -------------------------------- Fa0/13 Desg FWD 19 128.15 P2p Fa0/14 Desg FWD 19 128.16 P2p Fa0/15 Desg FWD 19 128.17 Edge P2p SW2#sh cdp nei Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone Device ID Local Intrfce Holdtme Capability Platform Port ID SW1 Fas 0/14 145 S I WS-C3560-2Fas 0/14 SW1 Fas 0/13 145 S I WS-C3560-2Fas 0/13 SW1 Fas 0/15 144 S I WS-C3560-2Fas 0/15 SW2#sh run int fa0/15 Building configuration... Current configuration : 129 bytes ! interface FastEthernet0/15 switchport mode access spanning-tree portfast spanning-tree bpdufilter enable endAll I did was enable portfast on interface fa0/15 of SW2, then bpdufilter on the same interface. Look at the result. There are now two active paths between the switches, Fa0/13 and Fa0/15. It made a nice spanning tree loop, interestingly enough all my BGP neighbors in the lab I was working have dropped out due to the loop
After removing the spanning-tree portfast and spanning-tree bpdufilter commands:
SW1#sh spann vlan 1 VLAN0001 Spanning tree enabled protocol ieee Root ID Priority 32769 Address 001a.e387.6f80 Cost 19 Port 15 (FastEthernet0/13) Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Bridge ID Priority 32769 (priority 32768 sys-id-ext 1) Address 001a.e3a8.8f00 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Aging Time 300 Interface Role Sts Cost Prio.Nbr Type ---------------- ---- --- --------- -------- -------------------------------- Fa0/13 Root FWD 19 128.15 P2p Fa0/14 Altn BLK 19 128.16 P2p Fa0/15 Altn BLK 19 128.17 P2pLol! That what I said! In your original quote you stated the 'spanning-tree portfast bpdufilter default' command which is the global and NOT interface level command. I was referring to your quote regarding the global command in my statement and then made an edit saying that bpdufilter at the interface level does not disable portfast or bpdufilter. Sorry if this caused confusion.
Routing and Switching
Service Provider
I still need to go lab up EdTheLad's configuration of a trunk with bpdufilter and a single allowed vlan to see what it does. Leave it to him to come up with some interesting configurations!