Cart
What if you have the rare circumstance that you want to prevent a port on your switch from sending BPDUs? This is one of the jobs that can be accomplished by BPDUFilter. You need to be very careful with this feature in the lab exam, as well as your production network, of course. That is because this feature not only prevents the sending of BPDUs by a port, but it can also result in a port ignoring BPDUs that are received. Of course, this can lead to a Layer 2 loop in your environment.
One of the things that makes BPDUFilter so tricky is the fact that it can be configured globally on a switch, or it can be configured under an interface or interfaces. There are slight behavioral differences based on how you configure it.
In Global Configuration mode, you can enable BPDUFiltering on your PortFast-enabled interfaces using the spanning-tree portfast bpdufilter default global configuration command. This command prevents interfaces that are in a PortFast operational state from sending BPDUs, with the exception of a 10 (or 11 when using PVST+) initial BPDU frames at link up. Do not forget to also turn on PortFast globally for your access ports, this is done with the command spanning-tree portfast default. If a BPDU is received on a PortFast interface in this configuration, the following occurs:
- The interface loses its PortFast state
- Outgoing BPDU filtering is disabled
At the interface level, you can enable BPDUFiltering on any interface by using the spanning-tree bpdufilter enable interface configuration command without also enabling the PortFast feature. This command prevents the interface from sending or receiving any BPDUs. Note that this configuration is very dangerous as you are essentially disabling Spanning Tree Protocol on the port.
Let us examine the most common configuration. This is where we use PortFast and BPDUFiltering globally on the device:
SW1(config)#spanning-tree portfast bpdufilter default SW1(config)#spanning-tree portfast default SW1(config)#
For confirmation, I like to use show spanning-tree summary:
SW1(config)#do show spanning-tree summary Switch is in pvst modeRoot bridge for: VLAN0001 Extended system ID is enabled Portfast Default is enabled PortFast BPDU Guard Default is disabled Portfast BPDU Filter Default is enabled Loopguard Default is disabled EtherChannel misconfig guard is enabled UplinkFast is disabled BackboneFast is disabled Configured Pathcost method used is short ...
We can also confirm that PortFast is actually enabled on our access interface:
SW1#show spanning-tree interface fa0/1 portfast VLAN0001 enabled
But what happens if we receive BPDUs on this port? The port loses its PortFast status:
SW1#show spanning-tree interface fa0/1 portfast VLAN0001 disabled
How did we send BPDUs suddenly to the port from a router? One simple method is to use a bridge group on the router under the appropriate interface.
bridge 1 protocol ieee interface fa0/0 bridge-group 1
Finally, notice on the switch that BPDUFilter is also disabled for the port and it is sending and receiving BPDUs now:
SW1#show spanning-tree int fa0/1 detail ... BPDU: sent 11, received 151
Anthony Sequeira CCIE, CCSI
Twitter: @compsolv
Facebook: http://www.facebook.com/compsolv
