RE: BPDU Filtering and PortFast Relationship

From: Victor Cappuccio (victor@ccbootcamp.com)
Date: Sat Apr 21 2007 - 05:22:55 ART


Hi WorkerBee, this is my interpretation of that link; I hope it helps in
some way.

Use the spanning-tree portfast global configuration command to globally
enable bridge protocol data unit (BPDU) filtering on Port Fast-enabled
interfaces, the BPDU guard feature on Port Fast-enabled interfaces, or the
Port Fast feature on all nontrunking interfaces.

OK, let's try it on the switch.

At the switch:
interface FastEthernet0/1
 switchport access vlan 12
 switchport mode access
 switchport nonegotiate
 spanning-tree portfast
end

At the router:
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
 duplex auto
 speed auto
end

At the switch:

Sw1#show spann int f0/1 deta
 Port 3 (FastEthernet0/1) of VLAN0012 is forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.3.
   Designated root has priority 32780, address 0019.067e.e200
   Designated bridge has priority 32780, address 0019.067e.e200
   Designated port id is 128.3, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port is in the portfast mode
   Link type is point-to-point by default
   BPDU: sent 91864, received 0
Sw1#show spann int f0/1 deta | in BPDU
   BPDU: sent 91866, received 0

So no BPDUs received; let's change this a little bit.
At the router:
R1(config)#bridge 1 protocol ieee
R1(config)#int f0/0
R1(config-if)#bridge-group 1

At the switch:

Now I am receiving BPDUs.
Sw1#show spann int f0/1 deta | in BPDU
   BPDU: sent 91909, received 12

Now we are receiving BPDUs, so the testing can be performed. Sorry that I have
to use a router, but I have another topology running and I am too lazy to
change it now.

So let's look at the command to globally enable bridge protocol data unit
(BPDU) filtering on Port Fast-enabled interfaces.

Sw1(config)#spanning-tree portfast ?
  bpdufilter Enable portfast bdpu filter on this switch
  bpduguard Enable portfast bpdu guard on this switch
  default Enable portfast by default on all access ports

The BPDU filtering feature prevents the switch interface from sending or
receiving BPDUs.

The BPDU guard feature puts Port Fast-enabled interfaces that receive BPDUs in
an error-disabled state.

While I was looking for the information in the link, the switch sent and
received BPDUs normally.

Sw1#show spann int f0/1 deta
 Port 3 (FastEthernet0/1) of VLAN0012 is forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.3.
   Designated root has priority 32768, address 0015.622f.5e98
   Designated bridge has priority 32768, address 0015.622f.5e98
   Designated port id is 128.4, designated path cost 0
   Timers: message age 2, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default
   BPDU: sent 91909, received 81

So, bpduguard default:
Globally enable the BPDU guard feature on Port Fast-enabled interfaces and
place the interfaces that receive BPDUs in an error-disabled state.
So when you enable Port Fast, we know that the listening and learning states in
802.1D are avoided, and that in 802.1w the port is stated as an edge port, and
that those port states are used to learn information (who the root bridge is,
what role in STP I am playing from the switch's perspective, root or
non-designated root, and what type of ports).

Sw1(config)#default int f0/1
Interface FastEthernet0/1 set to default configuration
Sw1(config)#int f0/1
Sw1(config-if)#sw host
switchport mode will be set to access
spanning-tree portfast will be enabled
channel group will be disabled

Sw1(config-if)#do show run int f0/1
Building configuration...

Current configuration : 81 bytes
!
interface FastEthernet0/1
 switchport mode access
 spanning-tree portfast
end

Sw1(config-if)#do show span int f0/1
no spanning tree info available for FastEthernet0/1

rack11>2
[Resuming connection 2 to R1 ... ]

*Apr 21 08:03:18.399: %LINK-5-CHANGED: Interface FastEthernet0/0, changed
state to administratively down
*Apr 21 08:03:19.399: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastE
R1(config-if)#no sh
R1(config-if)#
rack11>1
[Resuming connection 1 to sw1 ... ]

Sw1(config-if)#do show span int f0/1
2d10h: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/1 with
BPDU Guard enabled. Disabling port.

As soon as the switch receives a BPDU, the interface will be blocked, since we
had BPDU Guard enabled.

Sw1(config-if)#do show int f0/1 | in err-di
FastEthernet0/1 is down, line protocol is down (err-disabled)

To return it to operational mode:
Sw1(config-if)#no sh
Sw1(config-if)#sh
Sw1(config-if)#no sh
2d10h: %LINK-5-CHANGED: Interface FastEthernet0/1, changed state to
administratively down
Sw1(config-if)#no sh

Or use Sw1(config)#errdisable recovery cause bpduguard.
In the switch I have this configured:

Sw1(config)#do show run | in portfast|interface
spanning-tree portfast bpduguard default
interface FastEthernet0/1
 spanning-tree portfast
interface FastEthernet0/2
 spanning-tree portfast
interface FastEthernet0/3
 spanning-tree portfast
interface FastEthernet0/4
 spanning-tree portfast
interface FastEthernet0/5
 spanning-tree portfast
interface FastEthernet0/6
interface FastEthernet0/7
interface FastEthernet0/8
interface FastEthernet0/9
interface FastEthernet0/10
interface FastEthernet0/11
interface FastEthernet0/12
interface FastEthernet0/13
interface FastEthernet0/14
interface FastEthernet0/15
interface FastEthernet0/16
interface FastEthernet0/17
interface FastEthernet0/18
interface FastEthernet0/19
interface FastEthernet0/20
interface FastEthernet0/21
interface FastEthernet0/22
interface FastEthernet0/23
interface FastEthernet0/24
interface GigabitEthernet0/1
interface GigabitEthernet0/2
interface Vlan1
Sw1(config)#

So, on the other hand:
Sw1(config)#do show spann int f0/2 de
 Port 4 (FastEthernet0/2) of VLAN0012 is forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.4.
   Designated root has priority 32780, address 0019.067e.e200
   Designated bridge has priority 32780, address 0019.067e.e200
   Designated port id is 128.4, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port is in the portfast mode
   Link type is point-to-point by default
   Bpdu guard is enabled by default
   BPDU: sent 92589, received 0
Sw1(config)#do show spann int f0/2 de | in BPDU
   BPDU: sent 92591, received 0
Sw1(config)#do show spann int f0/2 de | in BPDU
   BPDU: sent 92591, received 0
Sw1(config)#do show spann int f0/2 de | in BPDU
   BPDU: sent 92592, received 0
Sw1(config)#do show spann int f0/2 de | in BPDU
   BPDU: sent 92592, received 0
Sw1(config)#do show spann int f0/2 de | in BPDU
   BPDU: sent 92593, received 0
Sw1(config)#

The switch is sending BPDUs out that interface (0/2), which has only a
computer connected.

Now with the bpdufilter default option, the feature that is used to globally
enable BPDU filtering on Port Fast-enabled interfaces and prevent switch
interfaces connected to end stations from sending or receiving BPDUs:
Sw1(config)#spanning-tree portfast bpdufilter default
Sw1(config)#do show spann int f0/2 de | in BPDU
   BPDU: sent 92624, received 0
Sw1(config)#do show spann int f0/2 de | in BPDU
   BPDU: sent 92624, received 0
Sw1(config)#do show spann int f0/2 de | in BPDU
   BPDU: sent 92624, received 0
Sw1(config)#do show spann int f0/2 de | in BPDU
   BPDU: sent 92624, received 0
Sw1(config)#!1seg
Sw1(config)#!2seg
Sw1(config)#!3Seg
Sw1(config)#do show spann int f0/2 de | in BPDU
   BPDU: sent 92624, received 0

Use the spanning-tree portfast bpdufilter default global configuration command
to globally enable BPDU filtering on interfaces that are Port Fast-enabled
(the interfaces are in a Port Fast-operational state). The interfaces still
send a few BPDUs at link-up before the switch begins to filter outbound BPDUs.
You should globally enable BPDU filtering on a switch so that hosts connected
to switch interfaces do not receive BPDUs. If a BPDU is received on a Port
Fast-enabled interface, the interface loses its Port Fast-operational status
and BPDU filtering is disabled.
You can override the spanning-tree portfast bpdufilter default global
configuration command by using the spanning-tree bpdufilter interface
configuration command.

So here is the thing:

Sw1(config-if)#do show span int f0/2

Vlan Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
VLAN0001 Desg LIS 19 128.4 P2p
Sw1(config-if)#do show span int f0/2

Vlan Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
VLAN0001 Desg LIS 19 128.4 P2p
Sw1(config-if)#int f0/2
Sw1(config-if)#sh
Sw1(config-if)#do show
2d10h: %LINK-5-CHANGED: Interface FastEthernet0/2, changed state to
administratively down
2d10h: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2,
changed state to down
Sw1(config-if)#do show spann int f0/2
no spanning tree info available for FastEthernet0/2

Sw1(config-if)#spann portf
%Warning: portfast should only be enabled on ports connected to a single
 host. Connecting hubs, concentrators, switches, bridges, etc... to this
 interface when portfast is enabled, can cause temporary bridging loops.
 Use with CAUTION

%Portfast has been configured on FastEthernet0/2 but will only
 have effect when the interface is in a non-trunking mode.
Sw1(config-if)#do show span int f0/2
no spanning tree info available for FastEthernet0/2

Sw1(config-if)#no sh
Sw1(config-if)#do show span int f0/2
no spanning tree info available for FastEthernet0/2

Sw1(config-if)#do show span int f0/2

Vlan Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
VLAN0001 Desg FWD 19 128.4 Edge P2p
Sw1(config-if)#do show span int f0/2

Vlan Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
VLAN0001 Desg FWD 19 128.4 Edge P2p
Sw1(config-if)#do show span int f0/2
2d10h: %LINK-3-UPDOWN: Interface FastEthernet0/2, changed state to up
2d10h: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2,
changed state to up
Sw1(config-if)#do show span int f0/2

Vlan Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
VLAN0001 Desg FWD 19 128.4 Edge P2p
Sw1(config-if)#do show span int f0/2 de
 Port 4 (FastEthernet0/2) of VLAN0001 is forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.4.
   Designated root has priority 32769, address 0019.067e.e200
   Designated bridge has priority 32769, address 0019.067e.e200
   Designated port id is 128.4, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port is in the portfast mode
   Link type is point-to-point by default
   Bpdu guard is enabled by default
   Bpdu filter is enabled by default
   BPDU: sent 6, received 0

We are sending BPDUs.

Let's remove the spanning-tree portfast bpduguard default:
Sw1(config)#no spanning-tree portfast bpduguard default

Sw1(config)#no spanning-tree portfast bpduguard default
Sw1(config)#do show span int f0/2

Vlan Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
VLAN0001 Desg FWD 19 128.4 Edge P2p
Sw1(config)#do show span int f0/2 de
 Port 4 (FastEthernet0/2) of VLAN0001 is forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.4.
   Designated root has priority 32769, address 0019.067e.e200
   Designated bridge has priority 32769, address 0019.067e.e200
   Designated port id is 128.4, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port is in the portfast mode
   Link type is point-to-point by default
   Bpdu filter is enabled by default
   BPDU: sent 11, received 0
Sw1(config)#do show span int f0/2 de | in BPDU
   BPDU: sent 11, received 0
Sw1(config)#do show span int f0/2 de | in BPDU
   BPDU: sent 11, received 0
Sw1(config)#

So the switch is configured for Port Fast on that port ("The port is in the
portfast mode") and it shows "sent 11, received 0".

rack11>3
[Resuming connection 3 to R2 ... ]

*Apr 21 08:18:26.963: %LINEPROTO-5-UPDOWN: Line protocol on Interface
FastEthernet0/0, changed state to up
R2(config-if)#
R2(config-if)#bridge-group 1
R2(config-if)#
rack11>1
[Resuming connection 1 to sw1 ... ]
do show span int f0/2 de | in BPDU
   BPDU: sent 11, received 2
Sw1(config)#do show span int f0/2 de
 Port 4 (FastEthernet0/2) of VLAN0001 is forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.4.
   Designated root has priority 32768, address 0015.2bad.62d0
   Designated bridge has priority 32768, address 0015.2bad.62d0
   Designated port id is 128.4, designated path cost 0
   Timers: message age 1, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default
   BPDU: sent 11, received 4
Sw1(config)#

Now if that port receives a BPDU, then the port loses its Port Fast
capabilities.

Sorry for this long email; I really hope it sheds more light on the
dilemma.

thanks,
Victor Cappuccio.-
Network Learning Inc - A Cisco Sponsored Organization (SO) YES! We take
Cisco Learning credits!
victor@ccbootcamp.com
http://www.ccbootcamp.com (Cisco Training and Rental Racks)
http://www.ccbootcamp.com/groupstudy.html (groupstudy member discounts!)
Voice: 702-968-5100
FAX: 702-446-8012
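As an added example (not from Victor's post, Cisco's documentation or any IOS tool), a small Python audit that parses the "show spanning-tree interface ... detail" output seen throughout this thread and flags the two conditions discussed: an edge port that has received BPDUs and has therefore dropped out of Port Fast (as f0/2 did once R2 started bridging), and a Port Fast port that relies on bpdufilter alone with no bpduguard to err-disable it. The sample output is constructed in the thread's format.

```python
import re

PORT_RE = re.compile(r"Port \d+ \((\S+)\) of (\S+) is (\w+)")
BPDU_RE = re.compile(r"BPDU: sent (\d+), received (\d+)")
FLAGS = {"portfast mode": "portfast", "Bpdu guard is enabled": "guard",
         "Bpdu filter is enabled": "filter"}

def parse_stp_detail(text):
    """Parse 'show spanning-tree interface ... detail' output, one dict per port."""
    ports = []
    for line in text.splitlines():
        hdr = PORT_RE.search(line)
        if hdr:
            ports.append({"name": hdr[1], "vlan": hdr[2], "state": hdr[3], "sent": 0,
                          "received": 0, "portfast": False, "guard": False, "filter": False})
        elif ports:
            p = ports[-1]
            for needle, key in FLAGS.items():
                if needle in line:
                    p[key] = True
            cnt = BPDU_RE.search(line)
            if cnt:
                p["sent"], p["received"] = int(cnt[1]), int(cnt[2])
    return ports

def audit(ports):
    """Per port, the edge-port conditions a defender wants flagged."""
    findings = {}
    for p in ports:
        f = findings[p["name"]] = []
        if p["received"] > 0:
            # A BPDU on an access port means a bridge is attached. With only the global
            # bpdufilter the port quietly leaves Port Fast and joins STP; bpduguard is
            # what err-disables it instead.
            f.append("bpdu-received")
            if not p["portfast"]:
                f.append("lost-portfast")
        if p["portfast"] and p["filter"] and not p["guard"]:
            f.append("filter-without-guard")
    return findings

# Constructed sample in the format of the thread's 'show spann int ... deta' output.
SAMPLE = """\
 Port 4 (FastEthernet0/2) of VLAN0001 is forwarding
   The port is in the portfast mode
   Bpdu filter is enabled by default
   BPDU: sent 11, received 0
 Port 5 (FastEthernet0/3) of VLAN0001 is forwarding
   BPDU: sent 11, received 4
"""
```

Run audit(parse_stp_detail(SAMPLE)) to get a per-port list of flags; feed it real output from several switches to spot access ports where something other than a host is speaking STP.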

-----Original Message-----
From: nobody@groupstudy.com on behalf of WorkerBee
Sent: Sat 4/21/2007 0:52
To: Cisco certification
Subject: BPDU Filtering and PortFast Relationship

Hi Group,

This is something that confused me.

If "BPDU filtering" + "Port Fast" is enabled globally, why does a switchport
lose its Port Fast status as well as BPDU filtering when a BPDU
packet is received on that particular port?

If I want BPDU filtering protection and Port Fast status on a switch
port, why does receiving a BPDU on a PortFast port turn off both features?

So how can I ensure I still have PortFast enabled and BPDU filtering
just blocks the BPDU packets on the PortFast port, keeping both
features enabled without losing their status?

Reference link:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3560/12235se/cr/cli3.htm#wp1946892

You should globally enable BPDU filtering on a switch so that hosts
connected to switch interfaces do not receive BPDUs. If a BPDU is
received on a Port Fast-enabled interface, the interface loses its
Port Fast-operational status and BPDU filtering is disabled.



This archive was generated by hypermail 2.1.4 : Tue May 01 2007 - 08:28:36 ART