bpdu-filter, does it really suppress BPDUs being sent?

EdTheLad Member Posts: 2,111
Ok, I've got a 3550 connected to a 7200; all required outputs are below. I was of the idea bpdu-filter stopped BPDUs being sent on a port; doesn't look to be the case here.


3550-2#show runn int gig 0/4
Building configuration...

Current configuration : 219 bytes
!
interface GigabitEthernet0/4
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1000
switchport mode trunk
switchport nonegotiate
no keepalive
no cdp enable
spanning-tree bpdufilter enable


e11-3550-2#show int gig 0/4
GigabitEthernet0/4 is up, line protocol is up (connected)
Hardware is Gigabit Ethernet, address is 000d.290f.7104 (bia 000d.290f.7104)
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive not set
Full-duplex, 1000Mb/s, media type is SX
input flow-control is off, output flow-control is on
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:06:19, output 00:00:00, output hang never
Last clearing of "show interface" counters 00:13:33
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
41 packets input, 9232 bytes, 0 no buffer
Received 16 broadcasts (0 multicast)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 16 multicast, 0 pause input
0 input packets with dribble condition detected
997 packets output, 105776 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 PAUSE output
0 output buffer failures, 0 output buffers swapped out

c10-7200-4#show runn int gig 0/1
Building configuration...

Current configuration : 140 bytes
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
media-type gbic
negotiation auto
no keepalive
no cdp enable
end

Frame received on 7200.
=============================================================================
05:15:22.319 UTC Thu Feb 28 2008 Relative Time: 1.830455
Packet 1 of 85 In: GigabitEthernet0/1

Ethernet Packet: 68 bytes
Dest Addr: 0100.0CCC.CCCD, Source Addr: 000D.290F.7104

DOT1Q Tag ID: 0x8100, Priority: 7, CFI: 0, VLAN ID: 1000
Protocol: 0x0032

Data:
0 : AAAA 0300 000C 010B 0000 0000 0060 0000 0ED6 FF90 .............`......
20 : 0000 0000 0060 0000 0ED6 FF90 0020 0200 000A 0002 .....`....... ......
40 : 0006 0000 0000 0002 03E8 ..........
Networking, sometimes I love it, mostly I hate it. It's all about the $$$$
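
Decoding the payload captured on the 7200 shows what kind of frame still left the filtered port. This is an added example, not part of the original post; it assumes the standard Cisco PVST+ layout (SNAP OUI 00-00-0C with PID 0x010B, a 35-byte configuration BPDU, one pad byte, then an originating-VLAN TLV).

```python
import struct

# Payload copied from the "Data:" dump in the post (20 bytes per row).
DUMP = """
0 : AAAA 0300 000C 010B 0000 0000 0060 0000 0ED6 FF90
20 : 0000 0000 0060 0000 0ED6 FF90 0020 0200 000A 0002
40 : 0006 0000 0000 0002 03E8
"""

# Assumed layout: LLC SNAP (AA AA 03) + Cisco OUI 00-00-0C + PID 0x010B (PVST+)
PVST_SNAP = bytes.fromhex("aaaa0300000c010b")


def dump_to_bytes(dump):
    """Strip the 'offset :' prefix of each row and join the hex words."""
    out = bytearray()
    for row in dump.strip().splitlines():
        hexpart = row.partition(":")[2]
        out += bytes.fromhex("".join(hexpart.split()))
    return bytes(out)


def bridge_id(raw):
    """Split an 8-byte bridge ID into (priority, MAC in Cisco dotted form)."""
    mac = raw[2:8].hex()
    return struct.unpack("!H", raw[:2])[0], ".".join(mac[i:i + 4] for i in (0, 4, 8))


def parse_pvst_bpdu(payload):
    if payload[:8] != PVST_SNAP:
        raise ValueError("not a PVST+ SNAP frame")
    body = payload[8:]
    if len(body) < 35:
        raise ValueError("truncated configuration BPDU")
    proto, _version, bpdu_type, _flags = struct.unpack("!HBBB", body[:5])
    if proto != 0 or bpdu_type != 0:
        raise ValueError("not an STP configuration BPDU")
    port_id, _msg_age, max_age, hello, fwd = struct.unpack("!5H", body[25:35])
    info = {
        "root": bridge_id(body[5:13]),
        "root_cost": struct.unpack("!I", body[13:17])[0],
        "bridge": bridge_id(body[17:25]),
        "port_id": port_id,
        # Timers are carried in units of 1/256 second.
        "max_age": max_age / 256, "hello": hello / 256, "forward_delay": fwd / 256,
        "origin_vlan": None,
    }
    # PVST+ trailer: one pad byte, then TLV type 0 / length 2 / originating VLAN.
    if len(body) >= 42:
        tlv_type, tlv_len, vlan = struct.unpack("!HHH", body[36:42])
        if (tlv_type, tlv_len) == (0, 2):
            info["origin_vlan"] = vlan
    return info


if __name__ == "__main__":
    for key, value in parse_pvst_bpdu(dump_to_bytes(DUMP)).items():
        print(f"{key:14} {value}")
```

On the dump above this reports a configuration BPDU for VLAN 1000 in which the root and the sending bridge carry the same ID with a root path cost of 0.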

Comments

  • dtlokee Member Posts: 2,378
    I noticed even with bpdufilter on an interface it would still send a few BPDUs when the link initially came up on the switch, but they were on access ports. I never tried configuring it on a trunk port as you have. I would guess that it doesn't have the same effect on a trunk port as an access port, but that is just a guess.
    The only easy day was yesterday!
  • a543047 Member Posts: 41
    Remember BPDU filtering is only for access ports without portfast enabled.
    CCIE #22769
    Routing and Switching
    Service Provider
  • dtlokee Member Posts: 2,378
    a543047 wrote:
    Remember BPDU filtering is only for access ports without portfast enabled.

    That's not true, the status of portfast does not affect bpdufilter. Portfast and BPDU filter work well together, and portfast can be enabled globally with the "spanning-tree portfast bpdufilter default" command. The benefit of this configuration is that if a BPDU is received on a portfast enabled port, it will lose its portfast status.
    The only easy day was yesterday!
  • wildfire Member Posts: 654
    http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_25_see/configuration/guide/swstpopt.html#wp1046220

    "Understanding BPDU Filtering

    The BPDU filtering feature can be globally enabled on the switch or can be enabled per interface, but the feature operates with some differences.

    At the global level, you can enable BPDU filtering on Port Fast-enabled interfaces by using the spanning-tree portfast bpdufilter default global configuration command. This command prevents interfaces that are in a Port Fast-operational state from sending or receiving BPDUs. The interfaces still send a few BPDUs at link-up before the switch begins to filter outbound BPDUs. You should globally enable BPDU filtering on a switch so that hosts connected to these interfaces do not receive BPDUs. If a BPDU is received on a Port Fast-enabled interface, the interface loses its Port Fast-operational status, and BPDU filtering is disabled.

    At the interface level, you can enable BPDU filtering on any interface by using the spanning-tree bpdufilter enable interface configuration command without also enabling the Port Fast feature. This command prevents the interface from sending or receiving BPDUs. "

    basically still sends them out initially.

    however ED I have to ask why turn on bpdu filter on a trunk? by the nature of a trunk port you are connecting to another switch and therefore risk causing a loop and bringing the world to an end!

    Try the same but using it on an access port.

    I did a quick test: two trunk links with BPDU guard, no shuts, and they go into shutdown (BPDU violation).
    Looking for CCIE lab study partners, in the UK or Online.
  • a543047 Member Posts: 41
    dtlokee wrote:
    a543047 wrote:
    Remember BPDU filtering is only for access ports without portfast enabled.

    That's not true, the status of portfast does not affect bpdufilter. Portfast and BPDU filter work well together, and portfast can be enabled globally with the "spanning-tree portfast bpdufilter default" command. The benefit of this configuration is that if a BPDU is received on a portfast enabled port, it will lose its portfast status.

    The thing is that bpdufilter also gets disabled in the process. If portfast is enabled and a BPDU is received, portfast and bpdufilter will be disabled. It's stated in DocCD and I have replicated on my switches.

    If I'm not mistaken, when bpdufilter is applied at the interface level with portfast turned on it does not turn bpdufilter off.
    CCIE #22769
    Routing and Switching
    Service Provider
  • dtlokee Member Posts: 2,378
    a543047 wrote:
    dtlokee wrote:
    a543047 wrote:
    Remember BPDU filtering is only for access ports without portfast enabled.

    That's not true, the status of portfast does not affect bpdufilter. Portfast and BPDU filter work well together, and portfast can be enabled globally with the "spanning-tree portfast bpdufilter default" command. The benefit of this configuration is that if a BPDU is received on a portfast enabled port, it will lose its portfast status.

    The thing is that bpdufilter also gets disabled in the process. If portfast is enabled and a BPDU is received, portfast and bpdufilter will be disabled. It's stated in DocCD and I have replicated on my switches.

    If I'm not mistaken, when bpdufilter is applied at the interface level with portfast turned on it does not turn bpdufilter off.

    BPDUFilter will not be disabled if you enable portfast on an interface, and bpdufilter will not be disabled if it receives a BPDU IF you enabled it on the interface. When enabled globally it will disable the BPDUfilter feature and portfast when it receives a BPDU but not when it's configured on the interface.

    SW1#sh spanning-tree vlan 1
    
    VLAN0001
      Spanning tree enabled protocol ieee
      Root ID    Priority    32769
                 Address     001a.e387.6f80
                 Cost        19
                 Port        15 (FastEthernet0/13)
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
    
      Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
                 Address     001a.e3a8.8f00
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
                 Aging Time 300
    
    Interface        Role Sts Cost      Prio.Nbr Type
    ---------------- ---- --- --------- -------- --------------------------------
    Fa0/13           Root FWD 19        128.15   P2p 
    Fa0/14           Altn BLK 19        128.16   P2p 
    Fa0/15           Desg FWD 19        128.17   P2p 
    
    SW1#sh cdp nei
    Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                      S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone
    
    Device ID            Local Intrfce         Holdtme   Capability    Platform   Port ID
    SW2                  Fas 0/15              162           R S I     WS-C3560-2Fas 0/15
    SW2                  Fas 0/14              162           R S I     WS-C3560-2Fas 0/14
    SW2                  Fas 0/13              161           R S I     WS-C3560-2Fas 0/13
    
    SW1# 
    
    
    SW2#sh spanning-tree vlan 1
    
    VLAN0001
      Spanning tree enabled protocol ieee
      Root ID    Priority    32769
                 Address     001a.e387.6f80
                 This bridge is the root
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
    
      Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
                 Address     001a.e387.6f80
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
                 Aging Time 15 
    
    Interface        Role Sts Cost      Prio.Nbr Type
    ---------------- ---- --- --------- -------- --------------------------------
    Fa0/13           Desg FWD 19        128.15   P2p 
    Fa0/14           Desg FWD 19        128.16   P2p 
    Fa0/15           Desg FWD 19        128.17   Edge P2p 
    
    SW2#sh cdp nei
    Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                      S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone
    
    Device ID            Local Intrfce         Holdtme   Capability    Platform   Port ID
    SW1                  Fas 0/14              145            S I      WS-C3560-2Fas 0/14
    SW1                  Fas 0/13              145            S I      WS-C3560-2Fas 0/13
    SW1                  Fas 0/15              144            S I      WS-C3560-2Fas 0/15
    
    SW2#sh run int fa0/15
    Building configuration...
    
    Current configuration : 129 bytes
    !
    interface FastEthernet0/15
     switchport mode access
     spanning-tree portfast
     spanning-tree bpdufilter enable
    end
    

    All I did was enable portfast on interface fa0/15 of SW2, then bpdufilter on the same interface. Look at the result. There are now two active paths between the switches, Fa0/13 and Fa0/15. It made a nice spanning tree loop, interestingly enough all my BGP neighbors in the lab I was working have dropped out due to the loop :)

    After removing the spanning-tree portfast and spanning-tree bpdufilter commands:
    SW1#sh spann vlan 1
    
    VLAN0001
      Spanning tree enabled protocol ieee
      Root ID    Priority    32769
                 Address     001a.e387.6f80
                 Cost        19
                 Port        15 (FastEthernet0/13)
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
    
      Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
                 Address     001a.e3a8.8f00
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
                 Aging Time 300
    
    Interface        Role Sts Cost      Prio.Nbr Type
    ---------------- ---- --- --------- -------- --------------------------------
    Fa0/13           Root FWD 19        128.15   P2p 
    Fa0/14           Altn BLK 19        128.16   P2p 
    Fa0/15           Altn BLK 19        128.17   P2p 
    
    The only easy day was yesterday!
  • a543047 Member Posts: 41
    Lol! That's what I said! In your original quote you stated the 'spanning-tree portfast bpdufilter default' command which is the global and NOT interface level command. I was referring to your quote regarding the global command in my statement and then made an edit saying that bpdufilter at the interface level does not disable portfast or bpdufilter. Sorry if this caused confusion.
    CCIE #22769
    Routing and Switching
    Service Provider
  • dtlokee Member Posts: 2,378
    It's all good, I didn't notice where you made a distinction between globally configuring it vs configuring it on the interface when you said that bpdufilter was only for access ports without portfast enabled. In my mind this implied you were referring to enabling it on the interface because the command "spanning-tree portfast bpdufilter default" implies that the interface is a portfast enabled interface for the switch to apply bpdufilter to it.

    I still need to go lab up EdTheLad's configuration of a trunk with bpdufilter and a single allowed vlan to see what it does. Leave it to him to come up with some interesting configurations!
    The only easy day was yesterday!