03-06-2009 05:53 AM - edited 03-06-2019 04:26 AM
Hello,
How do I filter unwanted BPDU messages from customer equipment which is connected to a Cisco switch port working in trunk or dot1q tunnel mode?
Lots of Cisco manuals write only about using the BPDUFilter feature on an access node, but there is no information on whether it is possible to use BPDU Filter on ports working in trunk or dot1Q tunnel mode.
Example: a customer switch is connected to a network switch trunk port. Default native VLAN 1 and e.g. 3 normal VLANs 100, 101, 102. I would like the port to be blocked if it receives a BPDU on the native VLAN, or on some normal VLAN (100, 101, 102). The same question relates to the situation when the network switch port is working in dot1q mode.
Is it possible to implement BPDU filtering in this situation?
Switch Cisco3560, SW 12.2(25) SEE3
Best Regards,
Tomas
03-06-2009 09:32 AM
Hello Tomas,
from the config guide for your switch and release
When a port is configured as an IEEE 802.1Q tunnel port, spanning-tree bridge protocol data unit (BPDU) filtering is automatically enabled on the interface. Cisco Discovery Protocol (CDP) is automatically disabled on the interface.
see
This is correct because the objective of 802.1Q-in-Q is an L2 transport service without interaction with the customer network.
I understand your concerns but in the case of 802.1Q tunnel ports you get the BPDU filtering automatically.
When the port is a trunk port I would consider the usage of root guard: bpdu filtering can be dangerous in a redundant topology.
Hope to help
Giuseppe
03-06-2009 06:03 AM
Tomas,
There are two types of BPDU filter. You have the interface level command and the global level command. Both commands will deliver a different kind of service.
The global level command works in conjunction with portfast. If a BPDU is received on a Port Fast-enabled interface, the interface loses its Port Fast-operational status and BPDU filtering is disabled.
The interface level command, on the other hand, prevents the interface from sending or receiving bridge protocol data units (BPDUs).
You need to be careful with the interface level command, as it is the same as disabling spanning tree on the port and can result in spanning-tree loops.
If you want a port to go into err-disable (hence shutting down the port) when it receives a BPDU, I recommend going with BPDUGuard instead.
HTH,
__
Edison.
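To make the three mechanisms discussed in Giuseppe's and Edison's replies concrete, here is an added configuration example for a Catalyst 3560 on a 12.2 SE release; it is not from the thread, and the interface names, descriptions and VLAN numbers are assumptions.

```cisco
! Added example, not configuration from the thread; interface names,
! descriptions and VLAN numbers are assumed.
!
! 1) Customer-facing 802.1Q tunnel port: the switch enables BPDU filtering
!    and disables CDP on the interface by itself once the mode is set.
interface GigabitEthernet0/1
 description customer-A QinQ port (assumed)
 switchport access vlan 200
 switchport mode dot1q-tunnel
!
! 2) Customer-facing trunk port: avoid interface-level bpdufilter here,
!    since it silently stops STP on the link and can create a loop.
!    Root guard keeps the customer from becoming root; the port goes
!    root-inconsistent only while superior BPDUs arrive and recovers alone.
interface GigabitEthernet0/2
 description customer-B trunk (assumed)
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100-102
 switchport mode trunk
 spanning-tree guard root
!
! 3) If the requirement is "shut the port on ANY received BPDU", as in the
!    question, BPDU guard err-disables the port instead of filtering.
interface GigabitEthernet0/3
 description customer-C trunk, no STP expected (assumed)
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100-102
 switchport mode trunk
 spanning-tree bpduguard enable
!
! Optional: recover err-disabled ports automatically after the timeout.
errdisable recovery cause bpduguard
!
! For comparison, the two bpdufilter forms Edison describes:
!   global form, tied to PortFast; a received BPDU removes PortFast
!   from the port and filtering stops there
spanning-tree portfast bpdufilter default
!   interface form; drops received BPDUs and sends none, unconditionally
!   (the dangerous one on a trunk, shown commented out on purpose)
! interface GigabitEthernet0/4
!  spanning-tree bpdufilter enable
```

Verify the result with "show spanning-tree interface GigabitEthernet0/2 detail" (root guard shows as "Root guard is enabled on the port") and "show interfaces status err-disabled" after a BPDU guard trip.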
03-06-2009 08:55 AM
Hello Edison,
Thank you for the reply. Actually I am interested in the interface level command.
And again, which is the best way to implement BPDU filtering/BPDU blocking on trunk/dot1q ports?
Imagine the customer equipment is also a Cisco switch on which PVST+ is turned on by default. How to implement protection in the best way, so that BPDUs coming from the customer switch cannot impact the network equipment?
And again, for an access port the answer is clear. But trunk/dot1q ports are still a dark area for me.
Best Regards,
Tomas
03-08-2009 01:03 AM
Hello Giuseppe
Thank You for reply. Now situation is clear.
Best Regards,
Tomas