BPDU Filtering doesn't work

Unanswered Question
Oct 28th, 2008

Hello,

Cisco Catalyst 3560 switch. SW version 12.2(25) SEE3.

Interface Gi 0/25 (optical SFP connector) is connected to external equipment. Switchport mode trunk.

I don't need Spannnig tree on VLAN's which are allowed on this trunk port.

So I have disabled Spanning tree for these VLAN's.

no spannig-tree vlan xxx

Additionally I have set this port to PortFast Mode

spanning-tree portfast trunk

And enabled BPDU Filtering

spanning-tree bpdufilter enable

But I still see with Wireshark Analyzer outgoing BPDU from this Interface. Source MAC is Gi 0/25 port MAC address.

I have attached spanning tree configuration and Wireshark capture file.

Could You explain why BPDU messages are not filtered ?

With Best Regards

Tomas

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
1pipantom2 Thu, 11/06/2008 - 01:00

Hello all,

Any idea ?? I tried to reboot switch, but problem still exists. Also I have found some other places in our network, where we have the same situation. SW and HW version are the same.

Best Regards,

Tomas

Sannie179 Thu, 11/06/2008 - 02:41

I have an idea.

When a portfast enabled port with bpdu filtering receives a bpdu packet it disables the filtering and will start sending bpdu's as normal.

Perhaps you can confirm if this is the case or not by sniffing for incoming bpdu packets on Gi0/25.

1pipantom2 Thu, 11/06/2008 - 03:20

Hello Sannie,

Thank You for response.

I have checked this version. No STP BPDUs enter Gi 0/25 port.

So mystery still exists for me.

Tomas

Sannie179 Thu, 11/06/2008 - 03:57

I have another idea then.

It is a bit of a long shot because it was documented under a router but I guess it is worth a try.

I found the following:

no spanning-tree bpdufilter - This state enables BPDU filtering on the interface if the interface is in operational PortFast state and if the spanning-tree portfast bpdufilter default command is configured.

So try removing the bpdu filter from the Gi0/25 interface.

vishwancc Thu, 11/06/2008 - 04:15

Hi,

Could you send the output for

show spanning-tree interface gi 0/25 detail

and

show run int gi 0/25

Chao

Vishwa

1pipantom2 Thu, 11/06/2008 - 14:59

Hello,

Show spannig-tree int gi 0/25 doesn't show any info for VLAN's for which Spanning-tree is disabled. So I have nothing to send to You.

sh run output

switchport trunk encapsulation dot1q

switchport trunk native vlan 1000

switchport mode trunk

switchport nonegotiate

srr-queue bandwidth share 15 35 35 15

srr-queue bandwidth shape 4 0 0 0

mls qos trust dscp

no cdp enable

spanning-tree portfast trunk

spanning-tree bpdufilter enable

Giuseppe Larosa Thu, 11/06/2008 - 05:37

Hello Tomas,

verify with

sh int gi0/25 switchport

which vlans are in forwarding state and see if there is at least one with an STP instance running.

Hope to help

Giuseppe

sean.cheney Sun, 11/09/2008 - 12:56

hmmm.

You might want to consider just leaving STP on in conjunction with bpdu guard, loop guard, root guard and port fast.

Just becuase you don't "need" it, shouldn't hurt anything to let it run.

tgryting Thu, 11/11/2010 - 06:26

This may or may not be helpful (as I don't think you have BPDU Filtering enabled globally).  However:

BPDU Filtering when enabled in global configuration mode - Upon startup, the port transmits ten BPDUs.  If this port receives any BPDUs during that time, PortFast, and PortFast BPDU Filtering are disabled.

I suggest you open a case with the Cisco TAC.  There could be just be a bug in your IOS image.  If that's the case, TAC will create and/or inform you of the BUG tracking number...you can receive updates to see which IOS release has fixed the issue.

Best of luck...

andtoth Thu, 11/11/2010 - 06:59

If you have disabled STP on the switch for VLANs, it might forward BPDU packets received on other ports from other switches/devices. If you really want to disable STP (after making sure there's no L2 loop in your network), try disabling it on all switches so none of them will send BPDU packets.

Actions

This Discussion