BPDUs on port connecting fwsm

Unanswered Question
Nov 21st, 2007

I have my ports configured like this.

router - L2 3750G switch - 6506 (port allocated to FWSM Module)

3750G config:

int g1/0/1
 desc "Router"
 switchport mode access
 switchport access vlan 5
 spanning-tree portfast
 spanning-tree bpduguard enable

int g1/0/2
 desc "to 6506 FWSM"
 switchport mode access
 switchport access vlan 5
 spanning-tree portfast
 spanning-tree bpduguard enable

int g1/1
 switchport mode access
 switchport access vlan 5
 spanning-tree portfast
 spanning-tree bpduguard enable

I enable:

firewall multiple-vlan-interfaces
firewall module 5 vlan-group 1
firewall vlan-group 1 5

My problem is that int g1/0/2 keeps receiving BPDUs and goes into errdisable because of bpduguard. My only fix to this is to enable "spanning-tree bpdufilter enable". Is this the proper way of fixing the problem?

The FWSM is in routed mode.

Edison Ortiz Wed, 11/21/2007 - 08:09

It's behaving as designed.

bpduguard protects the switchport from unauthorized 'switch' connections on enabled switchports.

On switchports dedicated for uplinks, bpduguard must be disabled.

bpdufilter removes the portfast feature once it receives a bpdu from its link partner.

What exactly are you trying to accomplish here with the bpdu commands?

cisconoobie Wed, 11/21/2007 - 08:44

Well I want to make sure my L2 3750G switch connects the router and 6506 (fwsm) module properly.

I don't want to connect directly into the 6506 from the router because I will use multiple routers sharing a vlan on the 3750g.

Basically, the router interfaces and FWSM outside interface will connect to vlan 5 on the 3750G.

Attached is the picture to clarify what I am doing. I just want to make sure I am properly connected.

Edison Ortiz Wed, 11/21/2007 - 11:47

Just connect them.

Since you've decided to implement portfast on the interfaces, I do recommend enabling bpdufilter as you did in the example you posted.

You can enable bpduguard in the remaining switchports that aren't connected to switches. This will prevent anyone from connecting an unauthorized switch.

cisconoobie Wed, 11/21/2007 - 14:23

Ok I will, how does a switch decide to send BPDUs to a given port?

I mean if I have a server connected to a port with portfast and bpduguard enabled I never have problems.

I understand how spanning tree works, but how does a switch know to send a BPDU to a port? Is it just listening on that STP multicast address?

Kevin Dorrell Thu, 11/22/2007 - 00:34

A switch will always send BPDUs unless you stop them with a bpdufilter, or if you like living dangerously and disable Spanning Tree altogether. Even on an access port. Personally, I never filter the BPDUs, except as an absolute last resort.

I prefer to leave bpduguard enabled on all ports except the ones that I know are going to be receiving legitimate BPDUs. That is, I enable it globally, and then explicitly disable it on those connected to other spanning-tree switches, or to dumb switches or hubs that have spanning-tree switches attached to them.

Kevin Dorrell

Edison Ortiz Thu, 11/22/2007 - 08:36

The interfaces still send a few BPDUs at link-up before the switch begins to filter outbound BPDUs, when BPDUFilter is enabled.

If a BPDU is received on a Port Fast-enabled interface, the interface loses its Port Fast-operational status, and BPDU filtering is disabled.

Edison Ortiz Thu, 11/22/2007 - 08:38

At link-up, the switchport will always send BPDU. If the link partner does not reply, the switch assumes its link partner is not a switch so it stops sending BPDUs.
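To make the behaviour described in this thread concrete (bpduguard err-disabling the FWSM-facing port, interface-level bpdufilter stopping the BPDUs, a plain PortFast port losing its PortFast status, and Kevin Dorrell's practice of leaving bpduguard on everywhere except the ports that legitimately face another spanning-tree speaker), here is a small model plus a config audit. This is an added example written for this page, not Cisco code or anything the posters supplied; the sample config is constructed from the original poster's 3750G snippet with the bpdufilter fix applied on g1/0/2, and the set of "ports facing an STP peer" is an assumption the operator supplies by hand.

```python
"""Model of how the BPDU-related port features in this thread react when a
BPDU arrives, plus an audit of IOS-style interface stanzas against the
thread's guidance.  Added example for this page; not Cisco code."""

from dataclasses import dataclass

# Constructed sample mirroring the poster's 3750G config, with the
# interface-level bpdufilter fix on the FWSM-facing port.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description Router
 switchport mode access
 switchport access vlan 5
 spanning-tree portfast
 spanning-tree bpduguard enable
interface GigabitEthernet1/0/2
 description to 6506 FWSM
 switchport mode access
 switchport access vlan 5
 spanning-tree portfast
 spanning-tree bpdufilter enable
interface GigabitEthernet1/1
 switchport mode access
 switchport access vlan 5
 spanning-tree portfast
 spanning-tree bpduguard enable
"""


@dataclass
class Port:
    name: str
    description: str = ""
    portfast: bool = False
    bpduguard: bool = False
    bpdufilter: bool = False  # interface-level 'spanning-tree bpdufilter enable'


def parse_interfaces(config: str) -> list[Port]:
    """Walk 'interface ...' stanzas and record the edge-port STP settings."""
    ports: list[Port] = []
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = Port(name=line.split(None, 1)[1])
            ports.append(current)
        elif current is None:
            continue
        elif line.startswith("description "):
            current.description = line.split(None, 1)[1]
        elif line == "spanning-tree portfast":
            current.portfast = True
        elif line == "spanning-tree bpduguard enable":
            current.bpduguard = True
        elif line == "spanning-tree bpdufilter enable":
            current.bpdufilter = True
    return ports


def on_bpdu_received(port: Port) -> str:
    """Outcome when a BPDU arrives, as described in the thread:
    interface-level bpdufilter ignores the BPDU (guard never sees it),
    bpduguard err-disables the port, and a plain PortFast port drops back
    to normal spanning-tree operation (loses PortFast status)."""
    if port.bpdufilter:
        return "dropped"
    if port.bpduguard:
        return "err-disabled"
    if port.portfast:
        return "portfast-lost"
    return "normal-stp"


def audit(ports: list[Port], stp_peers: set[str]) -> dict[str, list[str]]:
    """Flag each port against the thread's guidance.  'stp_peers' (an
    operator-supplied assumption, not parsed) lists ports that legitimately
    face another spanning-tree speaker, such as the 6506 here."""
    findings: dict[str, list[str]] = {}
    for p in ports:
        notes = []
        if p.name in stp_peers:
            if p.bpduguard:
                notes.append("bpduguard on an STP-facing port: err-disables on the first BPDU")
            if p.bpdufilter:
                notes.append("bpdufilter on an STP-facing port: loop protection is off, last resort only")
        else:
            if not p.bpduguard:
                notes.append("host port without bpduguard: an unauthorized switch would be accepted")
            if p.bpdufilter:
                notes.append("bpdufilter on a host port: received BPDUs are silently ignored")
        findings[p.name] = notes
    return findings


if __name__ == "__main__":
    parsed = parse_interfaces(SAMPLE_CONFIG)
    for port in parsed:
        print(f"{port.name}: on BPDU -> {on_bpdu_received(port)}")
    for name, notes in audit(parsed, {"GigabitEthernet1/0/2"}).items():
        print(f"{name}: {notes or ['ok']}")
```

Run as a script it prints the per-port reaction and the audit; the FWSM-facing port shows up as "dropped" and is flagged because bpdufilter leaves that link without loop protection, which is the trade-off Kevin Dorrell's post warns about. Feed it a real `show running-config` excerpt and a list of known uplink ports to spot the opposite mistake the poster hit, bpduguard left on a port that receives legitimate BPDUs.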