BPDU Filtering doesn't work

1pipantom2
Level 1

Hello,

Cisco Catalyst 3560 switch. SW version 12.2(25) SEE3.

Interface Gi 0/25 (optical SFP connector) is connected to external equipment. Switchport mode trunk.

I don't need Spanning Tree on the VLANs which are allowed on this trunk port.

So I have disabled Spanning Tree for these VLANs:

no spanning-tree vlan xxx

Additionally I have set this port to PortFast Mode

spanning-tree portfast trunk

And enabled BPDU Filtering

spanning-tree bpdufilter enable

But I still see outgoing BPDUs from this interface in Wireshark. The source MAC is the Gi 0/25 port MAC address.

I have attached spanning tree configuration and Wireshark capture file.

Could you explain why the BPDU messages are not filtered?

With Best Regards

Tomas

11 Replies

1pipantom2
Level 1

Hello all,

Any idea? I tried to reboot the switch, but the problem still exists. I have also found some other places in our network where we have the same situation. SW and HW versions are the same.

Best Regards,

Tomas

Sannie179
Level 1

I have an idea.

When a PortFast-enabled port with BPDU filtering receives a BPDU packet, it disables the filtering and will start sending BPDUs as normal.

Perhaps you can confirm if this is the case or not by sniffing for incoming bpdu packets on Gi0/25.

Hello Sannie,

Thank you for the response.

I have checked this possibility. No STP BPDUs enter the Gi 0/25 port.

So mystery still exists for me.

Tomas

Sannie179
Level 1

I have another idea then.

It is a bit of a long shot because it was documented under a router but I guess it is worth a try.

I found the following:

"no spanning-tree bpdufilter - This state enables BPDU filtering on the interface if the interface is in operational PortFast state and if the spanning-tree portfast bpdufilter default command is configured."

So try removing the bpdu filter from the Gi0/25 interface.

Didn't help.

vishwancc
Level 3

Hi,

Could you send the output for

show spanning-tree interface gi 0/25 detail

and

show run int gi 0/25

Chao

Vishwa

Hello,

show spanning-tree int gi 0/25 doesn't show any info for the VLANs for which Spanning Tree is disabled. So I have nothing to send to you.

sh run output:

switchport trunk encapsulation dot1q
switchport trunk native vlan 1000
switchport mode trunk
switchport nonegotiate
srr-queue bandwidth share 15 35 35 15
srr-queue bandwidth shape 4 0 0 0
mls qos trust dscp
no cdp enable
spanning-tree portfast trunk
spanning-tree bpdufilter enable

Giuseppe Larosa
Hall of Fame

Hello Tomas,

Verify with

sh int gi0/25 switchport

which VLANs are in forwarding state, and see if there is at least one with an STP instance running.

Hope to help

Giuseppe

sean.cheney
Level 1

hmmm.

You might want to consider just leaving STP on, in conjunction with BPDU guard, loop guard, root guard and PortFast.

Just because you don't "need" it, it shouldn't hurt anything to let it run.

This may or may not be helpful (as I don't think you have BPDU Filtering enabled globally).  However:

BPDU Filtering when enabled in global configuration mode - Upon startup, the port transmits ten BPDUs. If this port receives any BPDUs during that time, PortFast and PortFast BPDU Filtering are disabled.

I suggest you open a case with the Cisco TAC. There could just be a bug in your IOS image. If that's the case, TAC will create and/or inform you of the bug tracking number... you can receive updates to see which IOS release has fixed the issue.

Best of luck...

andtoth
Level 4

If you have disabled STP on the switch for VLANs, it might forward BPDU packets received on other ports from other switches/devices. If you really want to disable STP (after making sure there's no L2 loop in your network), try disabling it on all switches so none of them will send BPDU packets.
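To tell the two explanations in this thread apart (the switch generating BPDUs on Gi0/25 itself, versus another bridge's BPDUs being forwarded as ordinary data once STP is off for a VLAN), decode the captured frame's Bridge ID rather than only its Ethernet source MAC. The Python below is an added example, not code from the thread or from Cisco; the MAC addresses and frames are constructed, and it assumes a Catalyst puts its base MAC in the Bridge ID and the egress port MAC in the frame source, and omits the PVST+ origin-VLAN TLV.

```python
import struct

STP_DST, PVST_DST = bytes.fromhex("0180c2000000"), bytes.fromhex("01000ccccccd")
SNAP_PVST = b"\xaa\xaa\x03\x00\x00\x0c\x01\x0b"   # LLC SNAP, Cisco OUI, PID 0x010b

def build_config_bpdu(src_mac: bytes, bridge_mac: bytes, port_no: int, vlan=None) -> bytes:
    """Construct an Ethernet frame carrying a configuration BPDU whose sender
    claims to be root. vlan=None gives an untagged IEEE 802.1D frame; a VLAN
    number gives an 802.1Q-tagged Cisco PVST+ frame (origin-VLAN TLV omitted)."""
    bid = struct.pack("!H", 0x8000) + bridge_mac          # priority 32768 + base MAC
    bpdu = (b"\x00\x00\x00\x00\x00" + bid + struct.pack("!I", 0) + bid   # proto/ver/type/flags, root, cost, bridge
            + struct.pack("!HHHHH", 0x8000 | port_no, 0, 20 * 256, 2 * 256, 15 * 256))  # port id, timers in 1/256 s
    if vlan is None:
        return STP_DST + src_mac + struct.pack("!H", 3 + len(bpdu)) + b"\x42\x42\x03" + bpdu
    tag = b"\x81\x00" + struct.pack("!H", vlan)
    return PVST_DST + src_mac + tag + struct.pack("!H", len(SNAP_PVST) + len(bpdu)) + SNAP_PVST + bpdu

def parse_bpdu(frame: bytes) -> dict:
    """Decode a configuration BPDU (IEEE 802.1D LLC or Cisco PVST+ SNAP),
    optionally 802.1Q-tagged, into the fields needed for the check below."""
    dst, src, off, vlan = frame[:6], frame[6:12], 12, None
    if frame[12:14] == b"\x81\x00":                                 # 802.1Q tag present
        vlan, off = struct.unpack("!H", frame[14:16])[0] & 0x0FFF, 16
    off += 2                                                         # skip the 802.3 length field
    if frame[off:off + 3] == b"\x42\x42\x03":                        # IEEE 802.1D
        kind, off = "ieee", off + 3
    elif frame[off:off + 8] == SNAP_PVST:                            # Cisco PVST+
        kind, off = "pvst+", off + 8
    else:
        raise ValueError("not an STP BPDU")
    proto, _ver, btype, _flags = struct.unpack("!HBBB", frame[off:off + 5])
    if proto != 0 or btype != 0:
        raise ValueError("not a configuration BPDU")
    root_prio, root_mac, cost, br_prio, br_mac, port_id = struct.unpack("!H6sIH6sH", frame[off + 5:off + 27])
    return {"kind": kind, "vlan": vlan, "dst": dst, "src": src, "root_mac": root_mac,
            "root_cost": cost, "bridge_prio": br_prio, "bridge_mac": br_mac, "port": port_id & 0x0FFF}

def classify(frame: bytes, local_base_mac: bytes) -> str:
    """'local' if this switch generated the BPDU (its base MAC is in the Bridge ID);
    'remote' if it is another bridge's BPDU that was forwarded as plain data."""
    return "local" if parse_bpdu(frame)["bridge_mac"] == local_base_mac else "remote"

if __name__ == "__main__":
    me, gi25 = bytes.fromhex("001a2b3c4d00"), bytes.fromhex("001a2b3c4d19")   # hypothetical MACs
    own = build_config_bpdu(gi25, me, 25)                                       # what Gi0/25 itself would emit
    other = build_config_bpdu(bytes.fromhex("00aabbccdd01"), bytes.fromhex("00aabbccdd00"), 1, vlan=1000)
    for f in (own, other):
        p = parse_bpdu(f)
        print(p["kind"], p["vlan"], p["src"].hex(":"), p["bridge_mac"].hex(":"), classify(f, me))
```

Run the same `parse_bpdu` over frames exported from the Wireshark capture (raw bytes of each BPDU packet) to see whose Bridge ID, and which VLAN tag, the unexpected frames actually carry.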
