BPDU Filtering doesn't work

Unanswered Question
Oct 28th, 2008


Cisco Catalyst 3560 switch. SW version 12.2(25) SEE3.

Interface Gi 0/25 (optical SFP connector) is connected to external equipment. Switchport mode trunk.

I don't need Spanning Tree on the VLANs which are allowed on this trunk port.

So I have disabled Spanning Tree for these VLANs.

no spanning-tree vlan xxx

Additionally I have set this port to PortFast Mode

spanning-tree portfast trunk

And enabled BPDU Filtering

spanning-tree bpdufilter enable

But I still see outgoing BPDUs from this interface with the Wireshark analyzer. The source MAC is the Gi 0/25 port MAC address.

I have attached spanning tree configuration and Wireshark capture file.

Could you explain why BPDU messages are not filtered?

With Best Regards


1pipantom2 Thu, 11/06/2008 - 01:00

Hello all,

Any ideas? I tried to reboot the switch, but the problem still exists. Also, I have found some other places in our network where we have the same situation. SW and HW versions are the same.

Best Regards,


Sannie179 Thu, 11/06/2008 - 02:41

I have an idea.

When a PortFast-enabled port with BPDU filtering receives a BPDU packet, it disables the filtering and will start sending BPDUs as normal.

Perhaps you can confirm if this is the case or not by sniffing for incoming BPDU packets on Gi0/25.

1pipantom2 Thu, 11/06/2008 - 03:20

Hello Sannie,

Thank you for the response.

I have checked this version. No STP BPDUs enter Gi 0/25 port.

So the mystery still exists for me.


Sannie179 Thu, 11/06/2008 - 03:57

I have another idea then.

It is a bit of a long shot because it was documented under a router but I guess it is worth a try.

I found the following:

no spanning-tree bpdufilter - This state enables BPDU filtering on the interface if the interface is in operational PortFast state and if the spanning-tree portfast bpdufilter default command is configured.

So try removing the BPDU filter from the Gi0/25 interface.

vishwancc Thu, 11/06/2008 - 04:15


Could you send the output for

show spanning-tree interface gi 0/25 detail


show run int gi 0/25



1pipantom2 Thu, 11/06/2008 - 14:59


Show spanning-tree int gi 0/25 doesn't show any info for the VLANs for which Spanning Tree is disabled. So I have nothing to send to you.

sh run output

switchport trunk encapsulation dot1q

switchport trunk native vlan 1000

switchport mode trunk

switchport nonegotiate

srr-queue bandwidth share 15 35 35 15

srr-queue bandwidth shape 4 0 0 0

mls qos trust dscp

no cdp enable

spanning-tree portfast trunk

spanning-tree bpdufilter enable

Giuseppe Larosa Thu, 11/06/2008 - 05:37

Hello Tomas,

verify with

sh int gi0/25 switchport

which VLANs are in forwarding state and see if there is at least one with an STP instance running.

Hope to help
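
An added example, not part of the thread and not Cisco code: one way to act on the suggestion above is to decode the BPDUs seen in the capture and read which STP instance sent them. The Python below classifies a raw Ethernet frame as an IEEE or PVST+ BPDU and reports the 802.1Q tag VLAN and the VLAN encoded in the sender bridge ID; it assumes per-VLAN spanning tree with extended system ID in use, and the function names, sample frames and MAC address are constructed for illustration.

```python
import struct

IEEE_DST, IEEE_LLC = bytes.fromhex("0180c2000000"), bytes.fromhex("424203")
PVST_DST, PVST_SNAP = bytes.fromhex("01000ccccccd"), bytes.fromhex("aaaa0300000c010b")

def classify_bpdu(frame: bytes):
    """Describe one Ethernet frame if it is a BPDU, else return None."""
    if len(frame) < 18:
        return None
    dst, src, off, tag_vlan = frame[0:6], frame[6:12], 12, None
    if frame[off:off + 2] == b"\x81\x00":            # 802.1Q tag present
        tag_vlan = struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF
        off += 4
    off += 2                                          # skip 802.3 length field
    if dst == IEEE_DST and frame[off:off + 3] == IEEE_LLC:
        kind, off = "ieee-stp", off + 3
    elif dst == PVST_DST and frame[off:off + 8] == PVST_SNAP:
        kind, off = "pvst+", off + 8
    else:
        return None
    bpdu = frame[off:]
    if len(bpdu) < 4:
        return None
    info = {"kind": kind, "src": src.hex(":"), "tag_vlan": tag_vlan,
            "bpdu_type": bpdu[3], "sysid_vlan": None}
    # Config (0x00) and RST (0x02) BPDUs carry the sender bridge ID at offset 17.
    # Assumption: extended system ID is in use, so the low 12 bits of the
    # priority field hold the VLAN of the STP instance that sent the frame.
    if bpdu[3] in (0x00, 0x02) and len(bpdu) >= 25:
        info["sysid_vlan"] = struct.unpack_from("!H", bpdu, 17)[0] & 0x0FFF
    return info

def sample_frame(pvst: bool, vlan: int, tagged: bool) -> bytes:
    """Build a constructed config BPDU (not taken from the thread's capture)."""
    src = bytes.fromhex("001122334419")               # made-up port MAC
    bridge_id = struct.pack("!H", 32768 + vlan) + src
    bpdu = (bytes(5) + bridge_id + bytes(4) + bridge_id
            + struct.pack("!HHHHH", 0x8019, 0, 20 << 8, 2 << 8, 15 << 8))
    payload = (PVST_SNAP if pvst else IEEE_LLC) + bpdu
    tag = struct.pack("!HH", 0x8100, vlan) if tagged else b""
    return ((PVST_DST if pvst else IEEE_DST) + src + tag
            + struct.pack("!H", len(payload)) + payload)

if __name__ == "__main__":
    for f in (sample_frame(True, 20, True), sample_frame(False, 1, False)):
        print(classify_bpdu(f))
```

Feeding it the frames exported from a capture shows whether the BPDUs leaving the port belong to a VLAN where spanning tree was supposed to be disabled or to one where an instance is still running.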


sean.cheney Sun, 11/09/2008 - 12:56


You might want to consider just leaving STP on in conjunction with BPDU guard, loop guard, root guard and PortFast.

Just because you don't "need" it, it shouldn't hurt anything to let it run.

tgryting Thu, 11/11/2010 - 06:26

This may or may not be helpful (as I don't think you have BPDU Filtering enabled globally).  However:

BPDU Filtering when enabled in global configuration mode - Upon startup, the port transmits ten BPDUs.  If this port receives any BPDUs during that time, PortFast, and PortFast BPDU Filtering are disabled.

I suggest you open a case with the Cisco TAC. There could just be a bug in your IOS image. If that's the case, TAC will create and/or inform you of the bug tracking number... you can receive updates to see which IOS release has fixed the issue.

Best of luck...

andtoth Thu, 11/11/2010 - 06:59

If you have disabled STP on the switch for VLANs, it might forward BPDU packets received on other ports from other switches/devices. If you really want to disable STP (after making sure there's no L2 loop in your network), try disabling it on all switches so none of them will send BPDU packets.

