4990 Views, 0 Helpful, 4 Replies

BPDU Filtering on trunk and dot1q tunnel ports

1pipantom2
Level 1

Hello,

How can unwanted BPDU messages from customer equipment be filtered when that equipment is connected to a Cisco switch port working in trunk or dot1q tunnel mode?

Lots of Cisco manuals only describe using the BPDUFilter feature on an access node, but there is no information on whether it is possible to use BPDU Filter on ports working in trunk or dot1Q tunnel mode.

Example: a customer switch is connected to a network switch trunk port. Default native VLAN 1 and e.g. 3 normal VLANs 100, 101, 102. I would like the port to be blocked if it receives a BPDU on the native VLAN, or on some normal VLAN (100, 101, 102). The same question applies to the situation when the network switch port is working in dot1q mode.

Is it possible to implement BPDU filtering in this situation?

Switch Cisco3560, SW 12.2(25) SEE3

Best Regards,

Tomas

Accepted Solution

Giuseppe Larosa
Hall of Fame

Hello Tomas,

From the config guide for your switch and release:

When a port is configured as an IEEE 802.1Q tunnel port, spanning-tree bridge protocol data unit (BPDU) filtering is automatically enabled on the interface. Cisco Discovery Protocol (CDP) is automatically disabled on the interface.

See

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_25_see/configuration/guide/swtunnel.html

This is correct because the objective of 802.1 Q in Q is an L2 transport service without interaction with the customer network.

I understand your concerns but in the case of 802.1Q tunnel ports you get the BPDU filtering automatically.

When the port is a trunk port I would consider the usage of root guard: BPDU filtering can be dangerous in a redundant topology.

Hope to help

Giuseppe


4 Replies

Edison Ortiz
Hall of Fame

Tomas,

There are two types of BPDU filter. You have the interface-level command and the global-level command. Both commands deliver a different kind of service.

The global-level command works in conjunction with PortFast. If a BPDU is received on a PortFast-enabled interface, the interface loses its PortFast operational status and BPDU filtering is disabled.

The interface-level command, on the other hand, prevents the interface from sending or receiving bridge protocol data units (BPDUs).

You need to be careful with the interface-level command, as it is the same as disabling spanning tree on the port and can result in spanning-tree loops.

If you want a port to go into err-disable (hence shutting down the port) when it receives a BPDU, I recommend going with BPDU Guard instead.

HTH,

Edison.
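A configuration sketch of the three cases the two answers describe (tunnel port, trunk port, access port), added here as an illustration and not taken from the thread or from Cisco's guide; the interface names are assumed, the VLAN numbers are the ones from the question:

```cisco
! Added illustration (not from the thread): Catalyst 3560, IOS 12.2(25)SEE.
! Interface names are assumed; VLANs 1 (native) and 100-102 come from the question.
!
! Global part. Both global commands act only on PortFast ports, so a trunk or
! dot1q-tunnel port is untouched by them. Guard is preferred over filter because
! a received BPDU err-disables the port instead of being silently ignored.
spanning-tree portfast bpduguard default
! spanning-tree portfast bpdufilter default  <- weaker: the PortFast port merely stops filtering
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! Case 1: customer hand-off as an 802.1Q tunnel port. No BPDU command is
! needed: BPDU filtering is enabled (and CDP disabled) automatically.
interface GigabitEthernet0/1
 description customer A - QinQ hand-off
 switchport access vlan 100
 switchport mode dot1q-tunnel
!
! Case 2: customer hand-off as a trunk (native VLAN 1, VLANs 100-102).
! Root guard stops the customer's PVST+ from claiming the root role: a
! superior BPDU puts the port into root-inconsistent state for that VLAN,
! and the port recovers on its own once those BPDUs stop.
interface GigabitEthernet0/2
 description customer B - trunk hand-off
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100-102
 switchport mode trunk
 spanning-tree guard root
!
! Case 2b: if the port must go err-disabled on any received BPDU, as the
! question asks, BPDU guard can be set per interface on a trunk as well:
!  spanning-tree bpduguard enable
!
! Case 3: plain access port to a customer host: PortFast + global BPDU guard.
interface GigabitEthernet0/3
 switchport access vlan 101
 switchport mode access
 spanning-tree portfast
!
! What not to do on a trunk: the interface-level filter disables STP on the
! port outright and can form a loop in a redundant topology.
!  spanning-tree bpdufilter enable
```

`show spanning-tree interface GigabitEthernet0/1 detail` confirms the automatic filter on the tunnel port, and `show spanning-tree inconsistentports` lists trunk VLANs currently held by root guard.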

Hello Edison,

Thank you for the reply. Actually I am interested in the interface-level command.

And again, which is the best way to implement BPDU filtering/BPDU blocking on trunk/dot1q ports?

Imagine the customer equipment is also a Cisco switch on which PVST+ is turned on by default. How can protection be implemented in the best way, so that BPDUs coming from the customer switch can't impact the network equipment?

And again, for an access port the answer is clear. But trunk/dot1q ports are still a dark area for me.

Best Regards,

Tomas

Hello Giuseppe,

Thank you for the reply. Now the situation is clear.

Best Regards,

Tomas
