This post will cover the BPDU Guard and BPDU Filter features, both in global and per-interface modes. I'll use the simplified topology from the previous post again.

BPDU Guard
BPDU Guard prevents a port from receiving BPDUs. If BPDUs are still received, the port is put in the err-disabled state. If BPDU Guard is enabled on the interface, it is applied unconditionally, independent of the PortFast configuration or access/trunk mode. Let's look at that first.
SW1#show spanning-tree
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 24577
Address fa16.3ed0.04c9
Cost 4
Port 4 (GigabitEthernet0/3)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address fa16.3e7c.8ef1
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/1 Desg FWD 4 128.2 Shr
Gi0/3 Root FWD 4 128.4 Shr
Gi0/3 is the root port on SW1, which means that it receives BPDUs from SW4 (the root bridge). If BPDU Guard is enabled, the port will be put in the err-disabled state as soon as the next BPDU from SW4 is received.
SW1(config)#interface GigabitEthernet0/3
SW1(config-if)#spanning-tree bpduguard enable
SW1#show spanning-tree interface GigabitEthernet0/3 detail
Port 4 (GigabitEthernet0/3) of VLAN0001 is designated forwarding
Port path cost 4, Port priority 128, Port Identifier 128.4.
Designated root has priority 24577, address fa16.3ed0.04c9
Designated bridge has priority 32769, address fa16.3e7c.8ef1
Designated port id is 128.4, designated path cost 8
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
Link type is shared by default
Bpdu guard is enabled
BPDU: sent 20, received 0
SW1#
*Oct 17 21:23:18.623: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Gi0/3 with BPDU Guard enabled. Disabling port.
*Oct 17 21:23:18.623: %PM-4-ERR_DISABLE: bpduguard error detected on Gi0/3, putting Gi0/3 in err-disable state
*Oct 17 21:23:19.623: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/3, changed state to down
*Oct 17 21:23:20.626: %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to down
SW1# show interfaces GigabitEthernet0/3 status err-disabled
Port Name Status Reason Err-disabled Vlans
Gi0/3 err-disabled bpduguard
BPDU Guard in global mode depends on the operational PortFast state. It doesn't matter whether PortFast was enabled globally or per interface, as long as it is active. Gi0/1 on SW1 is the designated port on the link between SW1 and SW3, which means it is not receiving BPDUs, since the port on the other end is blocking. For this reason, I'm using Gi0/1 on SW1 to demonstrate BPDU Guard in global mode. I'll then shut down Gi1/1 on SW3 to cause it to start sending BPDUs to SW1.
Enable PortFast on the interface and BPDU Guard globally. Verify the configuration.
SW1(config)#interface GigabitEthernet0/1
SW1(config-if)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single
host. Connecting hubs, concentrators, switches, bridges, etc... to this
interface when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION
%Portfast has been configured on GigabitEthernet0/1 but will only
have effect when the interface is in a non-trunking mode.
SW1(config)#spanning-tree portfast bpduguard default
SW1(config)#do show spanning-tree summary
Switch is in pvst mode
Root bridge for: none
Extended system ID is enabled
Portfast Default is disabled
Portfast Edge BPDU Guard Default is enabled
Portfast Edge BPDU Filter Default is disabled
Loopguard Default is disabled
PVST Simulation Default is enabled but inactive in pvst mode
Bridge Assurance is enabled but inactive in pvst mode
EtherChannel misconfig guard is enabled
Configured Pathcost method used is short
UplinkFast is disabled
BackboneFast is disabled
Name Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0001 0 0 0 2 2
---------------------- -------- --------- -------- ---------- ----------
1 vlan 0 0 0 2 2
SW1# show spanning-tree interface GigabitEthernet0/1 detail
Port 2 (GigabitEthernet0/1) of VLAN0001 is designated forwarding
Port path cost 4, Port priority 128, Port Identifier 128.2.
Designated root has priority 24577, address fa16.3ed0.04c9
Designated bridge has priority 32769, address fa16.3e7c.8ef1
Designated port id is 128.2, designated path cost 4
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
The port is in the portfast edge mode
Link type is shared by default
Bpdu guard is enabled by default
BPDU: sent 81, received 0
Shut down Gi1/1 on SW3 and watch what happens on SW1.
SW3(config)#interface GigabitEthernet1/1
SW3(config-if)#shutdown
SW1#
*Oct 17 21:42:05.919: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet0/1 with BPDU Guard enabled. Disabling port.
*Oct 17 21:42:05.919: %PM-4-ERR_DISABLE: bpduguard error detected on Gi0/1, putting Gi0/1 in err-disable state
*Oct 17 21:42:06.919: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
*Oct 17 21:42:07.920: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
The interface is in the err-disabled state.
SW1#show interface gi0/1
GigabitEthernet0/1 is down, line protocol is down (err-disabled)
Hardware is iGbE, address is fa16.3e4b.4f5b (bia fa16.3e4b.4f5b)
MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Auto Duplex, Auto Speed, link type is auto, media type is unknown media type
output flow-control is unsupported, input flow-control is unsupported
Auto-duplex, Auto-speed, link type is auto, media type is unknown
input flow-control is off, output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:06:52, output 00:06:53, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 2
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
127533 packets input, 8798358 bytes, 0 no buffer
Received 0 broadcasts (0 multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 0 multicast, 0 pause input
35773 packets output, 4150238 bytes, 0 underruns
0 output errors, 0 collisions, 3 interface resets
0 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
1 lost carrier, 0 no carrier, 0 pause output
0 output buffer failures, 0 output buffers swapped out
SW1#show interfaces status err-disabled
Port Name Status Reason Err-disabled Vlans
Gi0/1 err-disabled bpduguard
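The syslog messages above (%SPANTREE-2-BLOCK_BPDUGUARD followed by %PM-4-ERR_DISABLE and the link-down events) are what a monitoring pipeline should key on to learn that a BPDU arrived on an edge port. The following Python is an added example, not code from the post, that folds that message sequence into one alert per switch and port. The log lines are copied from the SW1 console output in this post; the leading hostname is an assumption, since the console output shows none. It also normalises the two interface spellings IOS uses in these messages (Gi0/3 versus GigabitEthernet0/3), and ignores link-down events on ports that have no BPDU Guard trigger, so ordinary link flaps do not become alerts.

```python
import re
from datetime import datetime

# Log lines copied from the post's SW1 console. The leading hostname is an
# assumption for this example: the post's console output carries none.
SAMPLE_LOG = """\
SW1 *Oct 17 21:23:18.623: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Gi0/3 with BPDU Guard enabled. Disabling port.
SW1 *Oct 17 21:23:18.623: %PM-4-ERR_DISABLE: bpduguard error detected on Gi0/3, putting Gi0/3 in err-disable state
SW1 *Oct 17 21:23:19.623: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/3, changed state to down
SW1 *Oct 17 21:23:20.626: %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to down
SW1 *Oct 17 21:42:05.919: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet0/1 with BPDU Guard enabled. Disabling port.
SW1 *Oct 17 21:42:05.919: %PM-4-ERR_DISABLE: bpduguard error detected on Gi0/1, putting Gi0/1 in err-disable state
SW1 *Oct 17 21:42:06.919: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
"""

# "<host> *<timestamp>: %FACILITY-SEV-MNEMONIC: <message>"
LINE_RE = re.compile(
    r"^(?P<host>\S+) \*(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\.\d{3}): "
    r"%(?P<mnemonic>[A-Z0-9_]+-\d-[A-Z0-9_]+): (?P<msg>.*)$"
)
BLOCK_RE = re.compile(r"Received BPDU on port (\S+) with BPDU Guard")
ERRDIS_RE = re.compile(r"bpduguard error detected on (\S+),")
LINK_RE = re.compile(r"^Interface (\S+), changed state to down")

# IOS prints long names in some messages and short names in others.
SHORT_NAMES = {"TenGigabitEthernet": "Te", "GigabitEthernet": "Gi",
               "FastEthernet": "Fa", "Ethernet": "Et"}


def short_ifname(name):
    """Normalise an interface name to the short form used by 'show interfaces status'."""
    for long_form, short_form in SHORT_NAMES.items():
        if name.startswith(long_form):
            return short_form + name[len(long_form):]
    return name


def parse_ts(ts):
    # IOS timestamps carry no year; strptime defaults to 1900, which is
    # fine because only the difference between two timestamps is used.
    return datetime.strptime(ts, "%b %d %H:%M:%S.%f")


def correlate(log_text):
    """Fold the syslog stream into one alert per (switch, port) BPDU Guard trigger."""
    alerts, open_alerts = [], {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not an IOS syslog line in the expected shape
        host, ts, mnemonic, msg = m.group("host", "ts", "mnemonic", "msg")
        if mnemonic == "SPANTREE-2-BLOCK_BPDUGUARD":
            pm = BLOCK_RE.search(msg)
            if pm:
                alert = {"host": host, "port": short_ifname(pm.group(1)),
                         "first_seen": ts, "err_disabled": False,
                         "link_down": False, "seconds_to_down": None}
                open_alerts[(host, alert["port"])] = alert
                alerts.append(alert)
        elif mnemonic == "PM-4-ERR_DISABLE":
            pm = ERRDIS_RE.search(msg)
            alert = open_alerts.get((host, short_ifname(pm.group(1)))) if pm else None
            if alert:
                alert["err_disabled"] = True
        elif mnemonic == "LINK-3-UPDOWN":
            # Only link-down events for a port already flagged by BPDU Guard
            # are attached to an alert; other link flaps are ignored here.
            pm = LINK_RE.search(msg)
            alert = open_alerts.get((host, short_ifname(pm.group(1)))) if pm else None
            if alert:
                alert["link_down"] = True
                delta = parse_ts(ts) - parse_ts(alert["first_seen"])
                alert["seconds_to_down"] = delta.total_seconds()
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG):
        print(a)
```

Running the block on the sample produces two alerts: Gi0/3, confirmed err-disabled with the link fully down about two seconds after the BPDU arrived, and Gi0/1, confirmed err-disabled but (in this sample) without a %LINK-3-UPDOWN line yet, so link_down stays False.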
All changes have been reversed and STP has converged to its original state.

BPDU Filter
BPDU Filter prevents a port from sending and receiving BPDUs. Again, there are two ways to configure the feature: globally and per interface. If enabled under the interface, BPDU Filter filters BPDUs unconditionally, regardless of the PortFast state or access/trunk mode. Here's a quick recap of the STP topology; Gi0/1 on SW3 is blocking.
SW3#show spanning-tree
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 24577
Address fa16.3ed0.04c9
Cost 4
Port 6 (GigabitEthernet1/1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address fa16.3ed8.71ca
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 15 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/1 Altn BLK 4 128.2 Shr
Gi1/1 Root FWD 4 128.6 Shr
SW4#show spanning-tree
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 24577
Address fa16.3ed0.04c9
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 24577 (priority 24576 sys-id-ext 1)
Address fa16.3ed0.04c9
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 15 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/3 Desg FWD 4 128.4 Shr
Gi1/1 Desg FWD 4 128.6 Shr
SW1#show spanning-tree
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 24577
Address fa16.3ed0.04c9
Cost 4
Port 4 (GigabitEthernet0/3)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address fa16.3e7c.8ef1
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 15 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/1 Desg FWD 4 128.2 Shr
Gi0/3 Root FWD 4 128.4 Shr
Gi0/1 on SW3 is currently receiving BPDUs from SW1, which is the designated switch on the segment.
SW3#show spanning-tree interface gi0/1 detail
Port 2 (GigabitEthernet0/1) of VLAN0001 is alternate blocking
Port path cost 4, Port priority 128, Port Identifier 128.2.
Designated root has priority 24577, address fa16.3ed0.04c9
Designated bridge has priority 32769, address fa16.3e7c.8ef1
Designated port id is 128.2, designated path cost 4
Timers: message age 3, forward delay 0, hold 0
Number of transitions to forwarding state: 6
Link type is shared by default
BPDU: sent 0, received 8
Now, when BPDU Filter is enabled on Gi0/1 on SW3, the port stops receiving BPDUs and Gi0/1 eventually moves to the forwarding state. All interfaces are then forwarding, which creates a loop. This is why BPDU Filter can be very dangerous if enabled in the wrong place. Note that IOS doesn't even generate a warning message, as it does with PortFast.
SW3(config)#interface GigabitEthernet0/1
SW3(config-if)#spanning-tree bpdufilter enable
SW3#clear spanning-tree counters
SW3#show spanning-tree interface gi0/1 detail
Port 2 (GigabitEthernet0/1) of VLAN0001 is designated forwarding
Port path cost 4, Port priority 128, Port Identifier 128.2.
Designated root has priority 24577, address fa16.3ed0.04c9
Designated bridge has priority 32769, address fa16.3ed8.71ca
Designated port id is 128.2, designated path cost 4
Timers: message age 0, forward delay 13, hold 0
Number of transitions to forwarding state: 6
Link type is shared by default
Bpdu filter is enabled
BPDU: sent 0, received 0
SW3#show spanning-tree
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 24577
Address fa16.3ed0.04c9
Cost 4
Port 6 (GigabitEthernet1/1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address fa16.3ed8.71ca
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/1 Desg FWD 4 128.2 Shr
Gi1/1 Root FWD 4 128.6 Shr
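Because IOS gives no warning when BPDU Filter is applied per interface, the safety net has to come from configuration review. The Python below is an added example, not code from the post, that parses the "show spanning-tree interface ... detail" blocks shown in this post and flags the risky combinations: per-interface BPDU Filter on a port that is not an edge port (the loop demonstrated above), BPDU Filter on a port that has actually received BPDUs, a PortFast edge port with no BPDU Guard, and BPDU Guard on a non-edge port (which the first demonstration showed err-disabling the SW1 uplink). The four sample blocks are copied from the post's output; the severity labels and rule wording are this example's own.

```python
import re

# Sample "show spanning-tree interface ... detail" output copied from the post.
SW3_GI01_BEFORE = """\
Port 2 (GigabitEthernet0/1) of VLAN0001 is alternate blocking
Port path cost 4, Port priority 128, Port Identifier 128.2.
Designated root has priority 24577, address fa16.3ed0.04c9
Designated bridge has priority 32769, address fa16.3e7c.8ef1
Designated port id is 128.2, designated path cost 4
Timers: message age 3, forward delay 0, hold 0
Number of transitions to forwarding state: 6
Link type is shared by default
BPDU: sent 0, received 8
"""

SW3_GI01_FILTERED = """\
Port 2 (GigabitEthernet0/1) of VLAN0001 is designated forwarding
Port path cost 4, Port priority 128, Port Identifier 128.2.
Designated root has priority 24577, address fa16.3ed0.04c9
Designated bridge has priority 32769, address fa16.3ed8.71ca
Designated port id is 128.2, designated path cost 4
Timers: message age 0, forward delay 13, hold 0
Number of transitions to forwarding state: 6
Link type is shared by default
Bpdu filter is enabled
BPDU: sent 0, received 0
"""

SW1_GI01_GUARD_DEFAULT = """\
Port 2 (GigabitEthernet0/1) of VLAN0001 is designated forwarding
Port path cost 4, Port priority 128, Port Identifier 128.2.
Designated root has priority 24577, address fa16.3ed0.04c9
Designated bridge has priority 32769, address fa16.3e7c.8ef1
Designated port id is 128.2, designated path cost 4
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
The port is in the portfast edge mode
Link type is shared by default
Bpdu guard is enabled by default
BPDU: sent 81, received 0
"""

SW1_GI03_GUARD = """\
Port 4 (GigabitEthernet0/3) of VLAN0001 is designated forwarding
Port path cost 4, Port priority 128, Port Identifier 128.4.
Designated root has priority 24577, address fa16.3ed0.04c9
Designated bridge has priority 32769, address fa16.3e7c.8ef1
Designated port id is 128.4, designated path cost 8
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
Link type is shared by default
Bpdu guard is enabled
BPDU: sent 20, received 0
"""

HEADER_RE = re.compile(
    r"^Port \d+ \((?P<name>\S+)\) of (?P<vlan>VLAN\d+) is (?P<role>\S+) (?P<state>\S+)$"
)
COUNTER_RE = re.compile(r"^BPDU: sent (?P<sent>\d+), received (?P<received>\d+)$")


def parse_detail(text):
    """Turn one 'show spanning-tree interface ... detail' block into a dict."""
    port = {"name": None, "vlan": None, "role": None, "state": None,
            "portfast_edge": False, "guard": None, "filter": None,
            "sent": 0, "received": 0}
    for line in text.splitlines():
        line = line.strip()
        m = HEADER_RE.match(line)
        if m:
            port.update(m.groupdict())
        elif line == "The port is in the portfast edge mode":
            port["portfast_edge"] = True
        elif line.startswith("Bpdu guard is enabled"):
            # "by default" means the global command applied it, not the interface
            port["guard"] = "global" if line.endswith("by default") else "interface"
        elif line.startswith("Bpdu filter is enabled"):
            port["filter"] = "global" if line.endswith("by default") else "interface"
        elif COUNTER_RE.match(line):
            m = COUNTER_RE.match(line)
            port["sent"], port["received"] = int(m["sent"]), int(m["received"])
    return port


def audit(port):
    """Return (severity, message) findings for one parsed port."""
    name, findings = port["name"], []
    if port["filter"] == "interface" and not port["portfast_edge"]:
        findings.append(("HIGH", f"{name}: per-interface BPDU Filter on a non-edge port; "
                                 "STP is silently disabled on this link and a loop will not be blocked"))
    if port["filter"] and port["received"] > 0:
        findings.append(("HIGH", f"{name}: BPDU Filter on a port that has received "
                                 f"{port['received']} BPDUs, so a bridge is on the other end"))
    if port["portfast_edge"] and port["guard"] is None:
        findings.append(("MEDIUM", f"{name}: PortFast edge port without BPDU Guard"))
    if port["guard"] and not port["portfast_edge"]:
        findings.append(("MEDIUM", f"{name}: BPDU Guard on a non-edge port; the next BPDU "
                                   "from the neighbouring switch err-disables it"))
    return findings


def audit_all(blocks):
    return [f for b in blocks for f in audit(parse_detail(b))]


if __name__ == "__main__":
    for sev, msg in audit_all([SW3_GI01_BEFORE, SW3_GI01_FILTERED,
                               SW1_GI01_GUARD_DEFAULT, SW1_GI03_GUARD]):
        print(sev, msg)
```

On the four samples only two findings come out: the filtered SW3 Gi0/1 (HIGH, and note its received counter is 0 only because the post cleared the counters, which is why the first rule keys on the port's edge state rather than on the counter) and SW1 Gi0/3 with per-interface BPDU Guard (MEDIUM). The blocking port before the change and the guarded PortFast edge port are clean.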
A loop can quickly overwhelm a switch. Look at the interface statistics to see packets/sec. Note that there is no user traffic on the network.
SW1#show interface gi0/1
GigabitEthernet0/1 is up, line protocol is up (connected)
Hardware is iGbE, address is fa16.3e4b.4f5b (bia fa16.3e4b.4f5b)
MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Auto Duplex, Auto Speed, link type is auto, media type is unknown media type
output flow-control is unsupported, input flow-control is unsupported
Auto-duplex, Auto-speed, link type is auto, media type is unknown
input flow-control is off, output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 25
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 222000 bits/sec, 303 packets/sec
5 minute output rate 327000 bits/sec, 449 packets/sec
255222 packets input, 20286572 bytes, 0 no buffer
Received 0 broadcasts (0 multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 0 multicast, 0 pause input
225583 packets output, 21229341 bytes, 0 underruns
0 output errors, 0 collisions, 5 interface resets
0 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
1 lost carrier, 0 no carrier, 0 pause output
0 output buffer failures, 0 output buffers swapped out
The BPDU Filter has been removed and STP has converged back to its original state. The interface counters have been cleared and the interface statistics viewed about 5 minutes later. Note how significantly lower the packets/sec rate is.
SW1#clear interface gi0/1
SW1#show interface gi0/1
GigabitEthernet0/1 is up, line protocol is up (connected)
Hardware is iGbE, address is fa16.3e4b.4f5b (bia fa16.3e4b.4f5b)
MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Auto Duplex, Auto Speed, link type is auto, media type is unknown media type
output flow-control is unsupported, input flow-control is unsupported
Auto-duplex, Auto-speed, link type is auto, media type is unknown
input flow-control is off, output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:06, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 27
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 5000 bits/sec, 22 packets/sec
5 minute output rate 22000 bits/sec, 40 packets/sec
274913 packets input, 22061616 bytes, 0 no buffer
Received 0 broadcasts (0 multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 0 multicast, 0 pause input
245673 packets output, 23030684 bytes, 0 underruns
0 output errors, 0 collisions, 5 interface resets
0 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
1 lost carrier, 0 no carrier, 0 pause output
0 output buffer failures, 0 output buffers swapped out
The global BPDU Filter applies to interfaces in the operational PortFast state. In global mode, the switch does not filter incoming BPDUs, but most (though not all) outgoing BPDUs are filtered: when the port comes up, 11 BPDUs are sent out. To demonstrate this, I've enabled BPDU Filter on Gi0/1 on SW3 again, which effectively disables STP on that port and prevents it from sending BPDUs to SW1 while the interface is shut down and brought back up. First, enable PortFast on the interface and BPDU Filter globally.
SW1(config)#interface GigabitEthernet0/1
SW1(config-if)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single
host. Connecting hubs, concentrators, switches, bridges, etc... to this
interface when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION
%Portfast has been configured on GigabitEthernet0/1 but will only
have effect when the interface is in a non-trunking mode.
SW1(config)#spanning-tree portfast bpdufilter default
SW1#show spanning-tree interface gi0/1 detail
Port 2 (GigabitEthernet0/1) of VLAN0001 is designated forwarding
Port path cost 4, Port priority 128, Port Identifier 128.2.
Designated root has priority 24577, address fa16.3ed0.04c9
Designated bridge has priority 32769, address fa16.3e7c.8ef1
Designated port id is 128.2, designated path cost 4
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
The port is in the portfast edge mode
Link type is shared by default
Bpdu filter is enabled by default
BPDU: sent 842, received 49
SW1(config)#do show spanning-tree summary
Switch is in pvst mode
Root bridge for: none
Extended system ID is enabled
Portfast Default is disabled
Portfast Edge BPDU Guard Default is disabled
Portfast Edge BPDU Filter Default is enabled
Loopguard Default is disabled
PVST Simulation Default is enabled but inactive in pvst mode
Bridge Assurance is enabled but inactive in pvst mode
EtherChannel misconfig guard is enabled
Configured Pathcost method used is short
UplinkFast is disabled
BackboneFast is disabled
Name Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0001 0 0 0 3 3
---------------------- -------- --------- -------- ---------- ----------
1 vlan 0 0 0 3 3
Next, clear the counters. Then shut the interface down and bring it back up. Only 11 BPDUs are sent out.
SW1#clear spanning-tree counters
SW1(config)#interface GigabitEthernet0/1
SW1(config-if)#shutdown
SW1(config-if)#no shutdown
SW1#
*Oct 17 22:44:52.146: set portid: VLAN0001 Gi0/1: new port id 8002
*Oct 17 22:44:52.146: STP: VLAN0001 Gi0/1 ->jump to forwarding from blocking
*Oct 17 22:44:54.663: STP: VLAN0001 Gi0/1 tx BPDU: config protocol=ieee
Data : 0000 00 00 00 6001FA163ED004C9 00000000 22AAAA0300000C20 0401 0001 0005 0000 0200
*Oct 17 22:44:55.274: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
*Oct 17 22:44:57.810: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up
*Oct 17 22:44:58.904: STP: VLAN0001 Gi0/1 tx BPDU: config protocol=ieee
Data : 0000 00 00 00 6001FA163ED004C9 00000004 8001FA163E7C8EF1 8002 0100 1400 0200 0F00
SW1(config-if)#
*Oct 17 22:45:00.882: STP: VLAN0001 Gi0/1 tx BPDU: config protocol=ieee
Data : 0000 00 00 00 6001FA163ED004C9 00000004 8001FA163E7C8EF1 8002 0100 1400 0200 0F00
*Oct 17 22:45:02.585: STP: VLAN0001 Gi0/1 tx BPDU: config protocol=ieee
Data : 0000 00 00 00 6001FA163ED004C9 00000004 8001FA163E7C8EF1 8002 0100 1400 0200 0F00
*Oct 17 22:45:04.614: STP: VLAN0001 Gi0/1 tx BPDU: config protocol=ieee
Data : 0000 00 00 00 6001FA163ED004C9 00000004 8001FA163E7C8EF1 8002 0100 1400 0200 0F00
*Oct 17 22:45:06.905: STP: VLAN0001 Gi0/1 tx BPDU: config protocol=ieee
Data : 0000 00 00 00 6001FA163ED004C9 00000004 8001FA163E7C8EF1 8002 0001 0005 0000 0200
*Oct 17 22:45:09.182: STP: VLAN0001 Gi0/1 tx BPDU: config protocol=ieee
Data : 0000 00 00 00 6001FA163ED004C9 00000004 8001FA163E7C8EF1 8002 0100 1400 0200 0F00
*Oct 17 22:45:11.032: STP: VLAN0001 Gi0/1 tx BPDU: config protocol=ieee
Data : 0000 00 00 00 6001FA163ED004C9 00000004 8001FA163E7C8EF1 8002 0100 1400 0200 0F00
*Oct 17 22:45:13.757: STP: VLAN0001 Gi0/1 tx BPDU: config protocol=ieee
Data : 0000 00 00 00 6001FA163ED004C9 00000004 8001FA163E7C8EF1 8002 0100 1400 0200 0F00
*Oct 17 22:45:15.838: STP: VLAN0001 Gi0/1 tx BPDU: config protocol=ieee
Data : 0000 00 00 01 000CCCCCCCFA163E F609BB00 22AAAA0300000C20 0401 0001 0005 0000 0200
*Oct 17 22:45:17.593: STP: VLAN0001 Gi0/0 tx BPDU: config protocol=ieee
Data : 0000 00 00 00 6001FA163ED004C9 00000004 8001FA163E7C8E20 0401 0001 0005 0000 0200
SW1#show spanning-tree int gi0/1 detail
Port 2 (GigabitEthernet0/1) of VLAN0001 is designated forwarding
Port path cost 4, Port priority 128, Port Identifier 128.2.
Designated root has priority 24577, address fa16.3ed0.04c9
Designated bridge has priority 32769, address fa16.3e7c.8ef1
Designated port id is 128.2, designated path cost 4
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
The port is in the portfast edge mode
Link type is shared by default
Bpdu filter is enabled by default
BPDU: sent 11, received 0
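The "Data :" lines in the debug output above are the raw 35-byte IEEE 802.1D configuration BPDUs that SW1 transmitted. The Python below is an added example, not code from the post, that decodes one of those lines into its fields (root ID, root path cost, sender bridge ID, port ID and the four timers), and it carries the 802.1D comparison rule (lower root ID, then lower root path cost, then lower bridge ID, then lower port ID wins) so that a captured BPDU can be checked against the root the network is supposed to have. The first hex string is copied from the post's debug output; the second is constructed for this example to show what a BPDU advertising a better root ID looks like to the comparison, which is the condition BPDU Guard on edge ports (and Root Guard on uplinks) exists to stop.

```python
import struct

# Config BPDU copied from the post's "debug spanning-tree bpdu" output on SW1.
PAGE_BPDU = ("0000 00 00 00 6001FA163ED004C9 00000004 "
             "8001FA163E7C8EF1 8002 0100 1400 0200 0F00")

# Constructed for this example (not from the post): same layout, but the
# root ID carries priority 4097 and a made-up MAC, i.e. a bridge claiming to
# be a better root than SW4.
CONSTRUCTED_BETTER_ROOT = ("0000 00 00 00 1001AAAABBBBCCCC 00000000 "
                           "1001AAAABBBBCCCC 8001 0000 1400 0200 0F00")


def cisco_mac(raw):
    """6 raw bytes -> Cisco dotted form, e.g. fa16.3ed0.04c9."""
    h = raw.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def decode_config_bpdu(hexdump):
    """Decode a 35-byte 802.1D configuration BPDU given as a hex string."""
    d = bytes.fromhex(hexdump.replace(" ", ""))
    if len(d) != 35:
        raise ValueError(f"config BPDU must be 35 bytes, got {len(d)}")
    (proto, version, bpdu_type, flags, root_prio, root_mac, root_cost,
     bridge_prio, bridge_mac, port_id, msg_age, max_age, hello, fwd_delay
     ) = struct.unpack(">HBBBH6sIH6sHHHHH", d)
    if proto != 0 or bpdu_type != 0x00:
        raise ValueError("not an IEEE 802.1D configuration BPDU")
    return {
        "version": version,
        "topology_change": bool(flags & 0x01),
        "tc_ack": bool(flags & 0x80),
        # Bridge priority field = 4-bit priority + 12-bit extended system ID (VLAN)
        "root_priority": root_prio,
        "root_base_priority": root_prio & 0xF000,
        "root_sysid_ext": root_prio & 0x0FFF,
        "root_mac": cisco_mac(root_mac),
        "root_path_cost": root_cost,
        "bridge_priority": bridge_prio,
        "bridge_mac": cisco_mac(bridge_mac),
        # Port ID: 4-bit priority (shown as priority*16) and 12-bit port number
        "port_id": f"{(port_id >> 12) << 4}.{port_id & 0x0FFF}",
        # Timers are carried in units of 1/256 second
        "message_age": msg_age / 256,
        "max_age": max_age / 256,
        "hello_time": hello / 256,
        "forward_delay": fwd_delay / 256,
        # Comparison key in 802.1D order: root ID, cost, bridge ID, port ID
        "_key": (root_prio, root_mac, root_cost, bridge_prio, bridge_mac, port_id),
    }


def is_superior(a, b):
    """802.1D rule: the BPDU with the numerically lower key wins."""
    return a["_key"] < b["_key"]


def claims_better_root(bpdu, expected_root_priority, expected_root_mac):
    """True when a BPDU advertises a root ID lower (better) than the expected root."""
    expected = (expected_root_priority, bytes.fromhex(expected_root_mac.replace(".", "")))
    seen = (bpdu["root_priority"], bytes.fromhex(bpdu["root_mac"].replace(".", "")))
    return seen < expected


if __name__ == "__main__":
    b = decode_config_bpdu(PAGE_BPDU)
    for k, v in b.items():
        if not k.startswith("_"):
            print(f"{k:>20}: {v}")
    print("claims better root than SW4:",
          claims_better_root(decode_config_bpdu(CONSTRUCTED_BETTER_ROOT), 24577, "fa16.3ed0.04c9"))
```

Decoding the post's BPDU reproduces exactly what "show spanning-tree" reported: root priority 24577 (24576 plus sys-id-ext 1) at fa16.3ed0.04c9, root path cost 4, sender bridge 32769 at fa16.3e7c.8ef1, port ID 128.2, and the 20/2/15 second timers, with message age 1 second because SW1 is one hop from the root. The constructed frame compares as superior and is reported as claiming a better root, which is the event a root-bridge or edge-port monitor should alert on.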
BPDU Guard
BPDU Guard prevents a port from receiving BPDUs. If BPDUs are still received, the port is put in the err-disabled state. If BPDU Guard is enabled on the interface, it is applied unconditionally independent of the PortFast configuration or access/trunk mode. Let's look at that first.SW1#show spanning-tree
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 24577
Address fa16.3ed0.04c9
Cost 4
Port 4 (GigabitEthernet0/3)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address fa16.3e7c.8ef1
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/1 Desg FWD 4 128.2 Shr
Gi0/3 Root FWD 4 128.4 Shr
Gi0/3 is the root port on SW1, which means that it will receive BPDUs from SW4 (root bridge). If BPDU Guard is enabled, the port will be but in the err-disabled state as soon as the next BPDU from SW4 is received.
SW1(config)#interface GigabitEthernet0/3
SW1(config-if)#spanning-tree bpduguard enable
SW1#show spanning-tree interface GigabitEthernet0/3 detail
Port 4 (GigabitEthernet0/3) of VLAN0001 is designated forwarding
Port path cost 4, Port priority 128, Port Identifier 128.4.
Designated root has priority 24577, address fa16.3ed0.04c9
Designated bridge has priority 32769, address fa16.3e7c.8ef1
Designated port id is 128.4, designated path cost 8
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
Link type is shared by default
Bpdu guard is enabled
BPDU: sent 20, received 0
SW1#
*Oct 17 21:23:18.623: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Gi0/3 with BPDU Guard enabled. Disabling port.
*Oct 17 21:23:18.623: %PM-4-ERR_DISABLE: bpduguard error detected on Gi0/3, putting Gi0/3 in err-disable state
*Oct 17 21:23:19.623: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/3, changed state to down
*Oct 17 21:23:20.626: %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to down
SW1# show interfaces GigabitEthernet0/3 status err-disabled
Port Name Status Reason Err-disabled Vlans
Gi0/3 err-disabled bpduguard
BPDU Guard global mode is dependent on the operational PortFast state. It doesn't matter if PortFast was enabled globally or per interface, as long as it is active. Gi0/1 on SW1 is the designated port on the link between SW1 and SW3, which means it is not receiving BPDUs since the port on the other end is blocking. Because of this reason, I'm using Gi0/1 on SW1 to demonstrate BPDU Guard in global mode. I'll then shut down Gi1/1 on SW3 to cause it to start sending BPDUs to SW1.
Enable PortFast on the interface and BPDU Guard globally. Verify the configuration.
SW1(config)#interface GigabitEthernet0/1
SW1(config-if)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single
host. Connecting hubs, concentrators, switches, bridges, etc... to this
interface when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION
%Portfast has been configured on GigabitEthernet0/1 but will only
have effect when the interface is in a non-trunking mode.
SW1(config)#spanning-tree portfast bpduguard default
SW1(config)#do show spanning-tree summary
Switch is in pvst mode
Root bridge for: none
Extended system ID is enabled
Portfast Default is disabled
Portfast Edge BPDU Guard Default is enabled
Portfast Edge BPDU Filter Default is disabled
Loopguard Default is disabled
PVST Simulation Default is enabled but inactive in pvst mode
Bridge Assurance is enabled but inactive in pvst mode
EtherChannel misconfig guard is enabled
Configured Pathcost method used is short
UplinkFast is disabled
BackboneFast is disabled
Name Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0001 0 0 0 2 2
---------------------- -------- --------- -------- ---------- ----------
1 vlan 0 0 0 2 2
SW1# show spanning-tree interface GigabitEthernet0/1 detail
Port 2 (GigabitEthernet0/1) of VLAN0001 is designated forwarding
Port path cost 4, Port priority 128, Port Identifier 128.2.
Designated root has priority 24577, address fa16.3ed0.04c9
Designated bridge has priority 32769, address fa16.3e7c.8ef1
Designated port id is 128.2, designated path cost 4
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
The port is in the portfast edge mode
Link type is shared by default
Bpdu guard is enabled by default
BPDU: sent 81, received 0
Shut down Gi1/1 on SW3 and watch what happens on SW1.
SW3(config)#interface GigabitEthernet1/1
SW3(config-if)#shutdown
SW1#
*Oct 17 21:42:05.919: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet0/1 with BPDU Guard enabled. Disabling port.
*Oct 17 21:42:05.919: %PM-4-ERR_DISABLE: bpduguard error detected on Gi0/1, putting Gi0/1 in err-disable state
*Oct 17 21:42:06.919: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
*Oct 17 21:42:07.920: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
The interface is in the err-disabled state.
SW1#show interface gi0/1
GigabitEthernet0/1 is down, line protocol is down (err-disabled)
Hardware is iGbE, address is fa16.3e4b.4f5b (bia fa16.3e4b.4f5b)
MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Auto Duplex, Auto Speed, link type is auto, media type is unknown media type
output flow-control is unsupported, input flow-control is unsupported
Auto-duplex, Auto-speed, link type is auto, media type is unknown
input flow-control is off, output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:06:52, output 00:06:53, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 2
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
127533 packets input, 8798358 bytes, 0 no buffer
Received 0 broadcasts (0 multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 0 multicast, 0 pause input
35773 packets output, 4150238 bytes, 0 underruns
0 output errors, 0 collisions, 3 interface resets
0 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
1 lost carrier, 0 no carrier, 0 pause output
0 output buffer failures, 0 output buffers swapped out
SW1#show interfaces status err-disabled
Port Name Status Reason Err-disabled Vlans
Gi0/1 err-disabled bpduguard
All changes have been reversed and STP has converged to its original state.
BPDU Filter
BPDU Filter prevents a port from sending and receiving BPDUs. Again, there are two ways to configure the feature: globally and per interface. If enabled under the interface, BPDU Filter filters BPDUs unconditionally, regardless of the PortFast state or access/trunk mode. Here's a quick recap of the STP topolgoy - Gi0/1 on SW3 is blocking.SW3#show spanning-tree
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 24577
Address fa16.3ed0.04c9
Cost 4
Port 6 (GigabitEthernet1/1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address fa16.3ed8.71ca
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 15 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/1 Altn BLK 4 128.2 Shr
Gi1/1 Root FWD 4 128.6 Shr
SW4#show spanning-tree
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 24577
Address fa16.3ed0.04c9
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 24577 (priority 24576 sys-id-ext 1)
Address fa16.3ed0.04c9
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 15 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/3 Desg FWD 4 128.4 Shr
Gi1/1 Desg FWD 4 128.6 Shr
SW1#show spanning-tree
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 24577
Address fa16.3ed0.04c9
Cost 4
Port 4 (GigabitEthernet0/3)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address fa16.3e7c.8ef1
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 15 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/1 Desg FWD 4 128.2 Shr
Gi0/3 Root FWD 4 128.4 Shr
Gi0/1 on SW3 is currently receiving BPDUs from SW1, which is the designated switch on the segment.
SW3#show spanning-tree interface gi0/1 detail
Port 2 (GigabitEthernet0/1) of VLAN0001 is alternate blocking
Port path cost 4, Port priority 128, Port Identifier 128.2.
Designated root has priority 24577, address fa16.3ed0.04c9
Designated bridge has priority 32769, address fa16.3e7c.8ef1
Designated port id is 128.2, designated path cost 4
Timers: message age 3, forward delay 0, hold 0
Number of transitions to forwarding state: 6
Link type is shared by default
BPDU: sent 0, received 8
Now, when BPDU Filter is enabled on Gi0/1 on SW3, the port stops receiving BPDUs and eventually Gi0/1 is put in the forwarding state. All interfaces are then forwarding, which creates a loop. This is why the BPDU Filter can be very dangerous if enabled in the wrong place. Note that the IOS doesn't even generate a warning message, as it does with PortFast.
SW3(config)#interface GigabitEthernet0/1
SW3(config-if)#spanning-tree bpdufilter enable
SW3#clear spanning-tree counters
SW3#show spanning-tree interface gi0/1 detail
Port 2 (GigabitEthernet0/1) of VLAN0001 is designated forwarding
Port path cost 4, Port priority 128, Port Identifier 128.2.
Designated root has priority 24577, address fa16.3ed0.04c9
Designated bridge has priority 32769, address fa16.3ed8.71ca
Designated port id is 128.2, designated path cost 4
Timers: message age 0, forward delay 13, hold 0
Number of transitions to forwarding state: 6
Link type is shared by default
Bpdu filter is enabled
BPDU: sent 0, received 0
SW3#show spanning-tree
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 24577
Address fa16.3ed0.04c9
Cost 4
Port 6 (GigabitEthernet1/1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address fa16.3ed8.71ca
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/1 Desg FWD 4 128.2 Shr
Gi1/1 Root FWD 4 128.6 Shr
A loop can quickly overwhelm a switch. Look at the interface statistics to see packets/sec. Note that there is no user traffic on the network.
SW1#show interface gi0/1
GigabitEthernet0/1 is up, line protocol is up (connected)
Hardware is iGbE, address is fa16.3e4b.4f5b (bia fa16.3e4b.4f5b)
MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Auto Duplex, Auto Speed, link type is auto, media type is unknown media type
output flow-control is unsupported, input flow-control is unsupported
Auto-duplex, Auto-speed, link type is auto, media type is unknown
input flow-control is off, output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 25
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 222000 bits/sec, 303 packets/sec
5 minute output rate 327000 bits/sec, 449 packets/sec
255222 packets input, 20286572 bytes, 0 no buffer
Received 0 broadcasts (0 multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 0 multicast, 0 pause input
225583 packets output, 21229341 bytes, 0 underruns
0 output errors, 0 collisions, 5 interface resets
0 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
1 lost carrier, 0 no carrier, 0 pause output
0 output buffer failures, 0 output buffers swapped out
The BPDU Filter has been removed and STP has converged back to its original state. The interface counters have been cleared and the interface statistics viewed about 5 minutes later. Note how significantly lower the packets/sec rate is.
SW1#clear interface gi0/1
SW1#show interface gi0/1
GigabitEthernet0/1 is up, line protocol is up (connected)
Hardware is iGbE, address is fa16.3e4b.4f5b (bia fa16.3e4b.4f5b)
MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Auto Duplex, Auto Speed, link type is auto, media type is unknown media type
output flow-control is unsupported, input flow-control is unsupported
Auto-duplex, Auto-speed, link type is auto, media type is unknown
input flow-control is off, output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:06, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 27
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 5000 bits/sec, 22 packets/sec
5 minute output rate 22000 bits/sec, 40 packets/sec
274913 packets input, 22061616 bytes, 0 no buffer
Received 0 broadcasts (0 multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 0 multicast, 0 pause input
245673 packets output, 23030684 bytes, 0 underruns
0 output errors, 0 collisions, 5 interface resets
0 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
1 lost carrier, 0 no carrier, 0 pause output
0 output buffer failures, 0 output buffers swapped out
When BPDU Filter is enabled globally, it only applies to interfaces that are in the operational PortFast state. In global mode the switch does not filter incoming BPDUs: if a BPDU arrives, the port loses its PortFast status and with it the filter, and normal STP processing resumes on that port. Outgoing BPDUs are mostly, but not entirely, suppressed: when the port comes up, 11 BPDUs are sent out before it goes quiet. To demonstrate this, I've enabled BPDU Filter on Gi0/1 on SW3 again, which effectively disables STP on that port and stops SW3 from sending BPDUs when the interface is shut down and brought back up. First, enable PortFast on the interface and BPDU Filter globally.
SW1(config)#interface GigabitEthernet0/1
SW1(config-if)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single
host. Connecting hubs, concentrators, switches, bridges, etc... to this
interface when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION
%Portfast has been configured on GigabitEthernet0/1 but will only
have effect when the interface is in a non-trunking mode.
SW1(config)#spanning-tree portfast bpdufilter default
SW1#show spanning-tree interface gi0/1 detail
Port 2 (GigabitEthernet0/1) of VLAN0001 is designated forwarding
Port path cost 4, Port priority 128, Port Identifier 128.2.
Designated root has priority 24577, address fa16.3ed0.04c9
Designated bridge has priority 32769, address fa16.3e7c.8ef1
Designated port id is 128.2, designated path cost 4
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
The port is in the portfast edge mode
Link type is shared by default
Bpdu filter is enabled by default
BPDU: sent 842, received 49
SW1(config)#do show spanning-tree summary
Switch is in pvst mode
Root bridge for: none
Extended system ID is enabled
Portfast Default is disabled
Portfast Edge BPDU Guard Default is disabled
Portfast Edge BPDU Filter Default is enabled
Loopguard Default is disabled
PVST Simulation Default is enabled but inactive in pvst mode
Bridge Assurance is enabled but inactive in pvst mode
EtherChannel misconfig guard is enabled
Configured Pathcost method used is short
UplinkFast is disabled
BackboneFast is disabled
Name Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0001 0 0 0 3 3
---------------------- -------- --------- -------- ---------- ----------
1 vlan 0 0 0 3 3
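The difference between a port that is filtered globally (PortFast-dependent, revoked on the first received BPDU), one filtered at interface level (STP silent on that port and inbound BPDUs ignored, so BPDU Guard can never fire there) and one protected by BPDU Guard is exactly what the two show commands above expose, but only if you know which wording to look for. The following added example, which is not from the original post, parses the text of "show spanning-tree summary" and of "show spanning-tree interface <if> detail" and reports the effective protection per port. The sample text is constructed in the post's format; the Gi0/2 and Gi0/3 blocks are invented for illustration.

```python
"""Classify BPDU protection per port from 'show spanning-tree' output.

Added example, not code from the original post. IOS prints
'Bpdu filter is enabled' for an interface-level command and
'Bpdu filter is enabled by default' when the global PortFast-edge
default applies (same for 'Bpdu guard'); that wording is what the
parser keys on. SUMMARY and DETAIL are constructed sample outputs.
"""
import re

SUMMARY = """\
Switch is in pvst mode
Root bridge for: none
Portfast Default is disabled
Portfast Edge BPDU Guard Default is disabled
Portfast Edge BPDU Filter Default is enabled
Loopguard Default is disabled
"""

DETAIL = """\
Port 2 (GigabitEthernet0/1) of VLAN0001 is designated forwarding
   Port path cost 4, Port priority 128, Port Identifier 128.2.
   The port is in the portfast edge mode
   Link type is shared by default
   Bpdu filter is enabled by default
   BPDU: sent 842, received 49
Port 3 (GigabitEthernet0/2) of VLAN0001 is designated forwarding
   Port path cost 4, Port priority 128, Port Identifier 128.3.
   Link type is shared by default
   Bpdu guard is enabled
   Bpdu filter is enabled
   BPDU: sent 10, received 0
Port 4 (GigabitEthernet0/3) of VLAN0001 is designated forwarding
   Port path cost 4, Port priority 128, Port Identifier 128.4.
   Link type is shared by default
   Bpdu guard is enabled
   BPDU: sent 20, received 0
"""

SUMMARY_RE = {
    "portfast": re.compile(r"^Portfast Default is (\w+)", re.M),
    "guard": re.compile(r"^Portfast(?: Edge)? BPDU Guard Default is (\w+)", re.M),
    "filter": re.compile(r"^Portfast(?: Edge)? BPDU Filter Default is (\w+)", re.M),
}


def parse_summary(text):
    """Global PortFast-edge defaults: {'portfast': bool, 'guard': bool, 'filter': bool}."""
    out = {}
    for key, rx in SUMMARY_RE.items():
        m = rx.search(text)
        out[key] = m is not None and m.group(1).lower() == "enabled"
    return out


def _scope(lines, feature):
    """'interface', 'global' or None for a 'Bpdu guard' / 'Bpdu filter' line."""
    for line in lines:
        m = re.fullmatch(rf"{feature} is enabled( by default)?", line)
        if m:
            return "global" if m.group(1) else "interface"
    return None


def parse_detail(text):
    """Split 'show spanning-tree interface ... detail' output into per-port dicts."""
    ports, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Port \d+ \((\S+)\) of (\S+)", line)
        if m:
            cur = {"name": m.group(1), "vlan": m.group(2), "lines": []}
            ports.append(cur)
        elif cur is not None:
            cur["lines"].append(line)
    for p in ports:
        lines = p.pop("lines")
        p["portfast"] = any(l.startswith("The port is in the portfast") for l in lines)
        p["guard"] = _scope(lines, "Bpdu guard")
        p["filter"] = _scope(lines, "Bpdu filter")
        p["sent"], p["received"] = None, None
        for l in lines:
            c = re.match(r"BPDU: sent (\d+), received (\d+)", l)
            if c:
                p["sent"], p["received"] = int(c.group(1)), int(c.group(2))
    return ports


def classify(port):
    """Effective protection on the port and whether it is a loop risk."""
    if port["filter"] == "interface":
        return "filter-interface", True   # no BPDUs in or out; guard cannot trigger
    if port["guard"]:
        return "guard", False             # a received BPDU err-disables the port
    if port["filter"] == "global":
        return "filter-global", False     # PortFast edge only; revoked on receipt
    return "none", False


def audit(summary_text, detail_text):
    """Per-port report combining the global defaults with the interface detail."""
    defaults = parse_summary(summary_text)
    report = {}
    for p in parse_detail(detail_text):
        protection, risk = classify(p)
        note = ""
        if protection == "filter-interface":
            note = "STP disabled on this port: a switch plugged in here can form a loop undetected"
        elif protection == "filter-global" and not defaults["guard"]:
            note = "filtered only while PortFast is operational; a received BPDU re-enables STP but nothing err-disables the port"
        elif protection == "none" and p["portfast"]:
            note = "PortFast edge port without BPDU guard"
        report[p["name"]] = {"protection": protection, "risk": risk, "note": note,
                             "sent": p["sent"], "received": p["received"]}
    return report


if __name__ == "__main__":
    for name, r in audit(SUMMARY, DETAIL).items():
        print(f"{name}: {r['protection']}{' (RISK)' if r['risk'] else ''} {r['note']}")
```

Run it against real output captured from the switch (one detail block per port is fine; the parser splits on the "Port N (...)" header lines). The ordering in classify() is deliberate: an interface-level filter drops BPDUs before guard ever sees them, so a port showing both "Bpdu guard is enabled" and "Bpdu filter is enabled" is still reported as unprotected.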
Next, clear the STP counters, then shut down and bring the interface back up. Only 11 BPDUs are sent out on Gi0/1 before the port goes silent. Note that the last tx line in the debug output below is for Gi0/0, not Gi0/1.
SW1#clear spanning-tree counters
SW1(config)#interface GigabitEthernet0/1
SW1(config-if)#shutdown
SW1(config-if)#no shutdown
SW1#
*Oct 17 22:44:52.146: set portid: VLAN0001 Gi0/1: new port id 8002
*Oct 17 22:44:52.146: STP: VLAN0001 Gi0/1 ->jump to forwarding from blocking
*Oct 17 22:44:54.663: STP: VLAN0001 Gi0/1 tx BPDU: config protocol=ieee
Data : 0000 00 00 00 6001FA163ED004C9 00000000 22AAAA0300000C20 0401 0001 0005 0000 0200
*Oct 17 22:44:55.274: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
*Oct 17 22:44:57.810: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up
*Oct 17 22:44:58.904: STP: VLAN0001 Gi0/1 tx BPDU: config protocol=ieee
Data : 0000 00 00 00 6001FA163ED004C9 00000004 8001FA163E7C8EF1 8002 0100 1400 0200 0F00
SW1(config-if)#
*Oct 17 22:45:00.882: STP: VLAN0001 Gi0/1 tx BPDU: config protocol=ieee
Data : 0000 00 00 00 6001FA163ED004C9 00000004 8001FA163E7C8EF1 8002 0100 1400 0200 0F00
*Oct 17 22:45:02.585: STP: VLAN0001 Gi0/1 tx BPDU: config protocol=ieee
Data : 0000 00 00 00 6001FA163ED004C9 00000004 8001FA163E7C8EF1 8002 0100 1400 0200 0F00
*Oct 17 22:45:04.614: STP: VLAN0001 Gi0/1 tx BPDU: config protocol=ieee
Data : 0000 00 00 00 6001FA163ED004C9 00000004 8001FA163E7C8EF1 8002 0100 1400 0200 0F00
*Oct 17 22:45:06.905: STP: VLAN0001 Gi0/1 tx BPDU: config protocol=ieee
Data : 0000 00 00 00 6001FA163ED004C9 00000004 8001FA163E7C8EF1 8002 0001 0005 0000 0200
*Oct 17 22:45:09.182: STP: VLAN0001 Gi0/1 tx BPDU: config protocol=ieee
Data : 0000 00 00 00 6001FA163ED004C9 00000004 8001FA163E7C8EF1 8002 0100 1400 0200 0F00
*Oct 17 22:45:11.032: STP: VLAN0001 Gi0/1 tx BPDU: config protocol=ieee
Data : 0000 00 00 00 6001FA163ED004C9 00000004 8001FA163E7C8EF1 8002 0100 1400 0200 0F00
*Oct 17 22:45:13.757: STP: VLAN0001 Gi0/1 tx BPDU: config protocol=ieee
Data : 0000 00 00 00 6001FA163ED004C9 00000004 8001FA163E7C8EF1 8002 0100 1400 0200 0F00
*Oct 17 22:45:15.838: STP: VLAN0001 Gi0/1 tx BPDU: config protocol=ieee
Data : 0000 00 00 01 000CCCCCCCFA163E F609BB00 22AAAA0300000C20 0401 0001 0005 0000 0200
*Oct 17 22:45:17.593: STP: VLAN0001 Gi0/0 tx BPDU: config protocol=ieee
Data : 0000 00 00 00 6001FA163ED004C9 00000004 8001FA163E7C8E20 0401 0001 0005 0000 0200
SW1#show spanning-tree int gi0/1 detail
Port 2 (GigabitEthernet0/1) of VLAN0001 is designated forwarding
Port path cost 4, Port priority 128, Port Identifier 128.2.
Designated root has priority 24577, address fa16.3ed0.04c9
Designated bridge has priority 32769, address fa16.3e7c.8ef1
Designated port id is 128.2, designated path cost 4
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
The port is in the portfast edge mode
Link type is shared by default
Bpdu filter is enabled by default
BPDU: sent 11, received 0
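Each "tx BPDU" line in the debug output above is followed by a "Data :" hex dump of the BPDU itself, and the dump carries everything the show commands summarise: root ID, path cost, sending bridge ID, port ID and the four timers. The following added example, which is not from the original post, pairs the two lines, decodes the 35-byte 802.1D configuration BPDU and counts transmissions per port so the "BPDU: sent" counter can be checked against the log rather than eyeballed. DEBUG_LOG is a constructed excerpt: the Gi0/1 lines follow the format of the debug output above and the Gi0/0 line (port id 8001) is invented.

```python
"""Decode 'debug spanning-tree bpdu' tx lines into 802.1D config BPDU fields.

Added example, not code from the original post. Timers in a BPDU are
16-bit big-endian values in units of 1/256 s, so 0x1400 is 20 s and
0x0F00 is 15 s. DEBUG_LOG is a constructed excerpt in the post's format.
"""
import re
from collections import Counter

DEBUG_LOG = """\
*Oct 17 22:44:58.904: STP: VLAN0001 Gi0/1 tx BPDU: config protocol=ieee
Data : 0000 00 00 00 6001FA163ED004C9 00000004 8001FA163E7C8EF1 8002 0100 1400 0200 0F00
*Oct 17 22:45:00.882: STP: VLAN0001 Gi0/1 tx BPDU: config protocol=ieee
Data : 0000 00 00 00 6001FA163ED004C9 00000004 8001FA163E7C8EF1 8002 0100 1400 0200 0F00
*Oct 17 22:45:02.585: STP: VLAN0001 Gi0/1 tx BPDU: config protocol=ieee
Data : 0000 00 00 00 6001FA163ED004C9 00000004 8001FA163E7C8EF1 8002 0100 1400 0200 0F00
*Oct 17 22:45:17.593: STP: VLAN0001 Gi0/0 tx BPDU: config protocol=ieee
Data : 0000 00 00 00 6001FA163ED004C9 00000004 8001FA163E7C8EF1 8001 0100 1400 0200 0F00
"""

TX_RE = re.compile(r"STP: (?P<vlan>\S+) (?P<port>\S+) tx BPDU: (?P<kind>\w+)")
DATA_RE = re.compile(r"^Data\s*:\s*(?P<hex>[0-9A-Fa-f ]+)$")


def _mac(b):
    """Cisco dotted-hex MAC, e.g. fa16.3ed0.04c9."""
    h = b.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def decode_config_bpdu(hexdump):
    """Decode an 802.1D configuration BPDU from the debug hex dump."""
    raw = bytes.fromhex(hexdump.replace(" ", ""))
    if len(raw) < 35:
        raise ValueError(f"config BPDU needs 35 bytes, got {len(raw)}")
    if raw[3] != 0x00:
        raise ValueError(f"BPDU type 0x{raw[3]:02x} is not a configuration BPDU")
    flags = raw[4]
    port_id = int.from_bytes(raw[25:27], "big")
    timers = [int.from_bytes(raw[i:i + 2], "big") / 256 for i in (27, 29, 31, 33)]
    return {
        "protocol_id": int.from_bytes(raw[0:2], "big"),
        "version": raw[2],
        "topology_change": bool(flags & 0x01),
        "tc_ack": bool(flags & 0x80),
        "root_priority": int.from_bytes(raw[5:7], "big"),      # 0x6001 -> 24577
        "root_mac": _mac(raw[7:13]),
        "root_path_cost": int.from_bytes(raw[13:17], "big"),
        "bridge_priority": int.from_bytes(raw[17:19], "big"),  # 0x8001 -> 32769
        "bridge_mac": _mac(raw[19:25]),
        # 802.1t split: 4-bit priority (steps of 16) and 12-bit port number
        "port_id": f"{(port_id >> 12) << 4}.{port_id & 0x0FFF}",
        "message_age": timers[0],
        "max_age": timers[1],
        "hello_time": timers[2],
        "forward_delay": timers[3],
    }


def parse_debug(text):
    """Pair each 'tx BPDU' line with the 'Data :' dump that follows it."""
    entries, pending = [], None
    for line in text.splitlines():
        m = TX_RE.search(line)
        if m:
            pending = m.groupdict()
            continue
        d = DATA_RE.match(line.strip())
        if d and pending is not None:
            pending["bpdu"] = decode_config_bpdu(d.group("hex"))
            entries.append(pending)
            pending = None
    return entries


def tx_counts(entries):
    """Transmitted BPDUs per port, e.g. Counter({'Gi0/1': 3, 'Gi0/0': 1})."""
    return Counter(e["port"] for e in entries)


if __name__ == "__main__":
    parsed = parse_debug(DEBUG_LOG)
    print(tx_counts(parsed))
    print(parsed[0]["bpdu"])
```

Feed it the raw debug output from the terminal log; counting per port is what keeps the Gi0/0 transmission out of the Gi0/1 total. The decoded timers (hello 2, max age 20, forward delay 15) and the root and bridge IDs should line up with the "show spanning-tree" output, and any Data line whose type byte is not 0x00 is rejected rather than misread as a config BPDU.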