BPDU Guard and Filter


“Use the spanning-tree portfast global configuration command to globally enable bridge protocol data unit (BPDU) filtering on Port Fast-enabled interfaces, the BPDU guard feature on Port Fast-enabled interfaces, or the Port Fast feature on all nontrunking interfaces”

interface FastEthernet0/1
switchport access vlan 12
switchport mode access
switchport nonegotiate
spanning-tree portfast

The device attached to that PortFast-enabled port is a router in this case:

interface FastEthernet0/0
ip address 192.168.12.1 255.255.255.0
duplex auto
speed auto

Sw1#show spann int f0/1 deta
Port 3 (FastEthernet0/1) of VLAN0012 is forwarding
Port path cost 19, Port priority 128, Port Identifier 128.3.
Designated root has priority 32780, address 0019.067e.e200
Designated bridge has priority 32780, address 0019.067e.e200
Designated port id is 128.3, designated path cost 0
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
The port is in the portfast mode
Link type is point-to-point by default
BPDU: sent 91864, received 0

Sw1#show spann int f0/1 deta | in BPDU
BPDU: sent 91866, received 0

So no BPDUs are received. Let's change this a little at the router by enabling bridging on its interface, so that it starts sending BPDUs toward the switch:

R1(config)#bridge 1 protocol ieee
R1(config)#int f0/0
R1(config-if)#bridge-group 1

Now the switch receives BPDUs on that port:

Sw1#show spann int f0/1 deta | in BPDU
BPDU: sent 91909, received 12

Let's look at the global command used to enable bridge protocol data unit (BPDU) filtering or BPDU guard on Port Fast-enabled interfaces:

Sw1(config)#spanning-tree portfast ?
bpdufilter  Enable portfast bdpu filter on this switch
bpduguard   Enable portfast bpdu guard on this switch
default     Enable portfast by default on all access ports

The BPDU filtering feature prevents the switch interface from sending or receiving BPDUs.

The BPDU guard feature puts Port Fast-enabled interfaces that receive BPDUs in an error-disabled state.

Without either feature configured, the switch has sent and received BPDUs on the port as expected (note that the port has also lost its Port Fast operational status, since "The port is in the portfast mode" no longer appears):

Sw1#show spann int f0/1 deta
Port 3 (FastEthernet0/1) of VLAN0012 is forwarding
Port path cost 19, Port priority 128, Port Identifier 128.3.
Designated root has priority 32768, address 0015.622f.5e98
Designated bridge has priority 32768, address 0015.622f.5e98
Designated port id is 128.4, designated path cost 0
Timers: message age 2, forward delay 0, hold 0
Number of transitions to forwarding state: 1
Link type is point-to-point by default
!Here
BPDU: sent 91909, received 81

Let's then configure BPDU guard globally with the default option.

I am shutting down the interface at the router, just to get a syslog message from the switch when it receives a BPDU.

Sw1(config)#spanning-tree portfast bpduguard default

This command globally enables BPDU guard on all Port Fast interfaces and places any interface that receives a BPDU in an error-disabled state.

Sw1(config)#default int f0/1
Interface FastEthernet0/1 set to default configuration
Sw1(config)#int f0/1
Sw1(config-if)#sw host
switchport mode will be set to access
spanning-tree portfast will be enabled
channel group will be disabled

Sw1(config-if)#do show run int f0/1
Building configuration...
Current configuration : 81 bytes
!
interface FastEthernet0/1
switchport mode access
spanning-tree portfast
end

Now we turn the interface at the router back on:

R1(config-if)#no sh
R1(config-if)#

As soon as the switch receives a BPDU, the interface is blocked in the error-disabled state and the switch logs it:

%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/1 with BPDU Guard enabled. Disabling port.

The port is now err-disabled:

Sw1(config-if)#do show int f0/1 | in err-di
FastEthernet0/1 is down, line protocol is down (err-disabled)

To return it to operational state, we can shut down the err-disabled port and bring it back up (shutdown, then no shutdown), or we can enable automatic recovery with the global command Sw1(config)#errdisable recovery cause bpduguard.

Let's do another test on another port configured for Port Fast: f0/2 on Sw1, connected to R2.

Sw1(config)#do show spann int f0/2 de
Port 4 (FastEthernet0/2) of VLAN0012 is forwarding
Port path cost 19, Port priority 128, Port Identifier 128.4.
Designated root has priority 32780, address 0019.067e.e200
Designated bridge has priority 32780, address 0019.067e.e200
Designated port id is 128.4, designated path cost 0
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
The port is in the portfast mode
Link type is point-to-point by default
!
Bpdu guard is enabled by default
!
BPDU: sent 92589, received 0
Sw1(config)#do show spann int f0/2 de | in BPDU
BPDU: sent 92591, received 0
Sw1(config)#do show spann int f0/2 de | in BPDU
BPDU: sent 92591, received 0
Sw1(config)#do show spann int f0/2 de | in BPDU
BPDU: sent 92592, received 0
Sw1(config)#do show spann int f0/2 de | in BPDU
BPDU: sent 92592, received 0
Sw1(config)#do show spann int f0/2 de | in BPDU
BPDU: sent 92593, received 0
Sw1(config)#

The switch is still sending BPDUs out that interface (f0/2), which has only a host (end station) attached. We do not receive, and are not supposed to receive, BPDUs from hosts in the network, so these outbound BPDUs serve no purpose there.

Now the bpdufilter default option globally enables BPDU filtering on all Port Fast-enabled interfaces, which prevents the switch interfaces connected to end stations from sending or receiving BPDUs.

Sw1(config)#spanning-tree portfast bpdufilter default

No BPDUs are now sent out of the interfaces configured with portfast; the sent counter stays at 92624 over several seconds:

Sw1(config)#do show spann int f0/2 de | in BPDU
BPDU: sent 92624, received 0
Sw1(config)#do show spann int f0/2 de | in BPDU
BPDU: sent 92624, received 0
Sw1(config)#do show spann int f0/2 de | in BPDU
BPDU: sent 92624, received 0
Sw1(config)#do show spann int f0/2 de | in BPDU
BPDU: sent 92624, received 0
Sw1(config)#!1seg
Sw1(config)#!2seg
Sw1(config)#!3Seg
Sw1(config)#do show spann int f0/2 de | in BPDU
BPDU: sent 92624, received 0

The spanning-tree portfast bpdufilter default global configuration command enables BPDU filtering on interfaces that are Port Fast-enabled (the interfaces are in a Port Fast-operational state).

The interfaces still send a few BPDUs at link-up before the switch begins to filter outbound BPDUs.

You should globally enable BPDU filtering on a switch so that hosts connected to switch interfaces do not receive BPDUs.

If a BPDU is received on a Port Fast-enabled interface, the interface loses its Port Fast-operational status and BPDU filtering is disabled.

You can override the spanning-tree portfast bpdufilter default global configuration command by using the spanning-tree bpdufilter interface configuration command.

Sw1(config)#no spanning-tree portfast bpduguard default
Sw1(config)#do show span int f0/2
Vlan             Role Sts  Cost      Prio.Nbr Type
---------------- ---- --- --------- --------  --------------------------------
VLAN0001         Desg FWD 19        128.4     Edge P2p

Sw1(config)#do show span int f0/2 de
Port 4 (FastEthernet0/2) of VLAN0001 is forwarding
Port path cost 19, Port priority 128, Port Identifier 128.4.
Designated root has priority 32769, address 0019.067e.e200
Designated bridge has priority 32769, address 0019.067e.e200
Designated port id is 128.4, designated path cost 0
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
The port is in the portfast mode   ---- LOOK HERE
Link type is point-to-point by default
Bpdu filter is enabled ---- LOOK HERE
BPDU: sent 11, received 0
Sw1(config)#do show span int f0/2 de | in BPDU
BPDU: sent 11, received 0
Sw1(config)#do show span int f0/2 de | in BPDU
BPDU: sent 11, received 0
Sw1(config)#

The switch is configured for Port Fast on that port ("The port is in the portfast mode") and shows sent 11, received 0: only the few link-up BPDUs were sent, and none are being sent or received on the port now. Let's test this by sending a BPDU from a router directly attached to port f0/2, which was enabled for Port Fast.

R2(config-if)#bridge-group 1

[Sw1 … ]

Sw1(config)#do show span int f0/2 de | in BPDU
BPDU: sent 11, received 2

Sw1(config)#do show span int f0/2 de
Port 4 (FastEthernet0/2) of VLAN0001 is forwarding
Port path cost 19, Port priority 128, Port Identifier 128.4.
Designated root has priority 32768, address 0015.2bad.62d0
Designated bridge has priority 32768, address 0015.2bad.62d0
Designated port id is 128.4, designated path cost 0
Timers: message age 1, forward delay 0, hold 0
Number of transitions to forwarding state: 1
Link type is point-to-point by default
BPDU: sent 11, received 4
Sw1(config)#

We can see now that with this configuration, if a BPDU is received, the port loses its Port Fast capabilities: the lines "The port is in the portfast mode" and "Bpdu filter is enabled" no longer appear in the output, the received counter is climbing, and the designated bridge is now the router's bridge ID rather than the switch's. Unlike BPDU guard, the filter does not err-disable the port, so this condition only shows up if someone looks for it.
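As an added example that is not part of the original post, the following Python audit parses the "show spanning-tree interface detail" output and the BPDU guard syslog message quoted above and classifies an edge port the way this post reads those outputs. The sample outputs are constructed from the post's format (trimmed to the lines the parser needs); the hypothetical verdict strings are the example's own.

```python
import re

# Constructed samples in the format of "show spanning-tree interface <if> detail"
# as shown in this post, cut down to the lines the parser looks at.
GUARD_OK = """Port 4 (FastEthernet0/2) of VLAN0012 is forwarding
The port is in the portfast mode
Bpdu guard is enabled by default
BPDU: sent 92589, received 0"""
FILTER_OK = """Port 4 (FastEthernet0/2) of VLAN0001 is forwarding
The port is in the portfast mode
Bpdu filter is enabled
BPDU: sent 11, received 0"""
FILTER_LOST = """Port 4 (FastEthernet0/2) of VLAN0001 is forwarding
Link type is point-to-point by default
BPDU: sent 11, received 4"""
# Constructed syslog line carrying the message text shown earlier in the post.
SYSLOG = ["Jan 1 00:00:01 Sw1: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port "
          "FastEthernet0/1 with BPDU Guard enabled. Disabling port."]

def parse_stp_detail(text):
    """Pull port, VLAN, Port Fast/guard/filter flags and BPDU counters out of the output."""
    head = re.search(r"Port \d+ \((\S+)\) of (\S+) is (\w+)", text)
    ctr = re.search(r"BPDU:\s+sent (\d+), received (\d+)", text)
    if not head or not ctr:
        raise ValueError("not a 'show spanning-tree interface detail' block")
    return {
        "port": head.group(1), "vlan": head.group(2), "state": head.group(3),
        "portfast": "is in the portfast mode" in text,
        "bpduguard": "Bpdu guard is enabled" in text,
        "bpdufilter": "Bpdu filter is enabled" in text,
        "sent": int(ctr.group(1)), "received": int(ctr.group(2)),
    }

def assess(info):
    """Verdict for an access (edge) port, following the behaviour this post demonstrates."""
    if info["received"] > 0:
        # With bpdufilter default (or nothing), a received BPDU silently strips
        # Port Fast; only BPDU guard would have err-disabled the port.
        return "alert: BPDU received on edge port, Port Fast lost, unexpected bridge attached"
    if info["bpduguard"]:
        return "ok: BPDU guard active, a received BPDU would err-disable the port"
    if info["bpdufilter"]:
        return "ok: BPDU filter active, only link-up BPDUs were sent"
    if info["portfast"]:
        return "warn: Port Fast without guard or filter, BPDUs leak to the host"
    return "info: not an edge port"

def guard_trips(lines):
    """Ports that BPDU guard err-disabled, from %SPANTREE-2-BLOCK_BPDUGUARD syslog lines."""
    pat = re.compile(r"%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port (\S+) with BPDU Guard")
    return [m.group(1) for m in map(pat.search, lines) if m]
```

Feed the functions the raw output of the show command and the switch's syslog feed to get the same classification across every access port.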

A Networker Blog


6 thoughts on “BPDU Guard and Filter”

  1. Excellent article! Thank you very much for explaining all these features. I had problems understanding the consequences and actions of some of them, but now they are all clear to me.

  2. Pingback: BPDUGuard vs BPDUFilter | Initial Draft
