Judging from discussions I was part of recently, two of Cisco's spanning tree features are a cause of major misunderstanding for quite a few people: BPDU Filter and BPDU Guard. While ultimately very simple, there are good reasons for the confusion. I will do my best to clear up most of the misconceptions in this blog post.

First of all, let's do a quick overview of the actual purpose of these two features. The best way to do that is to go directly to Cisco's documentation and read it there. Here are the links to the appropriate portions of the Catalyst 3560 Configuration Guide.
After reading the above two segments, we can conclude that we are not dealing with two features. Instead, we are dealing with two sets of two different features that share the same names: there are two different features called "BPDU Filter" and two different features called "BPDU Guard". Allow me to explain in some more detail.
To do so, I will use the simple network shown on the diagram below.
All ports on the two switches except those shown on the diagram are disabled (shutdown) and below is the relevant configuration.
Cat2:
vtp mode transparent
vtp domain IPexpert
!
vlan 23
 name Cat2-Cat3
!
ip routing
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 23
!
no interface Vlan 1
!
interface Vlan23
 ip address 192.168.23.12 255.255.255.0
 no shutdown
!
Cat3:
vtp mode transparent
vtp domain IPexpert
!
vlan 23
 name Cat2-Cat3
!
ip routing
!
interface FastEthernet0/5
 switchport mode access
 switchport access vlan 23
!
no interface Vlan 1
!
interface Vlan23
 ip address 192.168.23.13 255.255.255.0
 no shutdown
!
R2:
interface GigabitEthernet0/1
 ip address 192.168.23.2 255.255.255.0
!
R5:
interface FastEthernet0/1
 ip address 192.168.23.5 255.255.255.0
!
I'll use these IPs just for testing connectivity and no other purpose. Let's see if our connection works now.
Cat2:
Cat2#ping 192.168.23.13
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.23.13, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
Now we're ready to explore the different flavors of BPDU Filter and BPDU Guard. We will start by exploring another feature, which is crucial for the operation of the two we focus on today: the "portfast" feature.
Portfast
We all know that a switch processes BPDU frames on every layer 2 port. We also know that spanning tree requires a port to transition through several states before it can actually forward any traffic. The states differ depending on the flavor of spanning tree protocol in use, but the basic idea remains the same, and it all serves the ultimate goal of preventing bridging loops. Regardless of the STP version, this process takes time. Sometimes there is a need to bypass these states and make the port forward traffic immediately. This is accomplished with the "portfast" feature, or by enabling "edge port" functionality in rapid spanning tree (incidentally, also with the "portfast" command).
Portfast has two modes of operation: global configuration and per-port configuration. Global configuration causes access ports to start forwarding traffic immediately, unless a BPDU is received on the port. If a BPDU is received, the port loses its portfast status and reverts to normal operation, i.e. it passes through all the states.
On the other hand, enabling the portfast feature on the port itself is unconditional. Regardless of any BPDU being received, the port remains in portfast state. This small but crucial difference is important for the remainder of our analysis; we will see that history, so to speak, repeats itself.
BPDU Filter: Global
Per the documentation, global BPDU Filter is configured as part of the global "portfast" configuration. The purpose of BPDU Filter is to prevent the switch from sending BPDU frames on ports that have portfast enabled. Let's configure portfast globally and enable BPDU Filter globally on Cat2, and observe what happens next.
Cat2:
spanning-tree portfast default
spanning-tree portfast bpdufilter default
Cat2#show spanning-tree interface FastEthernet0/2 portfast
VLAN0023            enabled
Cat2#show spanning-tree interface FastEthernet0/20 portfast
VLAN0023            disabled
We can clearly see that the port facing R2 is in portfast state, while the port facing Cat3 is not. This is exactly what we should expect: Cat3 is sending BPDU frames (remember, it's still just a switch) and Cat2 has therefore disabled portfast on that port. Since R2 is not a switch, Cat2's port facing it is still in portfast. While this is all very interesting, it doesn't answer the question: are BPDU frames being sent from Cat2's ports? Let's test that.
I am going to disable both active ports, clear spanning-tree counters, enable them and examine what happens.
interface range FastEthernet0/2 , FastEthernet0/20
 shutdown
!
Cat2#clear spanning-tree counters
Let’s re-enable the ports and check the counters.
Cat2:
interface range FastEthernet0/2 , FastEthernet0/20
 no shutdown
!
Cat2#show spanning-tree interface FastEthernet0/2 detail
 Port 4 (FastEthernet0/2) of VLAN0023 is designated forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.4.
   Designated root has priority 32791, address 0018.baf8.a200
   Designated bridge has priority 32791, address 001b.d4d3.0280
   Designated port id is 128.4, designated path cost 19
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port is in the portfast mode by default
   Link type is point-to-point by default
   Bpdu filter is enabled by default
   BPDU: sent 2, received 0
Cat2#show spanning-tree interface FastEthernet0/20 detail
 Port 22 (FastEthernet0/20) of VLAN0023 is root forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.22.
   Designated root has priority 32791, address 0018.baf8.a200
   Designated bridge has priority 32791, address 0018.baf8.a200
   Designated port id is 128.22, designated path cost 0
   Timers: message age 1, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default
   BPDU: sent 0, received 3
Note that Cat2 reports it has sent a few BPDU frames towards R2 even with BPDU Filter enabled on all portfast ports. There is a very good reason for this behavior. Imagine two switches connected using access ports with BPDU Filter enabled globally. How would they realize they should be sending BPDU frames to each other? This setup could spell disaster in a network, so to prevent it, switches with globally enabled BPDU Filter send a "couple of BPDU frames" when a port becomes active, in an effort to remedy this race condition.
BPDU Guard: Global
The purpose of globally configured BPDU Guard is to disable (err-disable) all portfast-enabled ports should they ever receive a BPDU frame. Let's see if it works. I will enable the feature globally (first disabling BPDU Filter) and bounce the port between Cat2 and Cat3.
Cat2:
no spanning-tree portfast bpdufilter default
spanning-tree portfast bpduguard default
interface FastEthernet0/20
 shutdown
 no shutdown
!
As soon as the port comes up, we’ll see a log message:
%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Fa0/20 with BPDU Guard enabled. Disabling port.
%PM-4-ERR_DISABLE: bpduguard error detected on Fa0/20, putting Fa0/20 in err-disable state
It worked like a charm. There is one point I would like to make here. Even though global portfast relies on not receiving any BPDU frames, BPDU Guard acts on the received frame and err-disables the port before the port can change its portfast status. In a sense, BPDU Guard is "older" than the portfast feature: it takes precedence.
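The two log messages above are what a monitoring system sees when BPDU Guard fires, and an unexpected err-disable on an access port is worth alerting on (it means something that speaks spanning tree was plugged in where only a host should be). As an added example that is not part of the original post and not Cisco's code, here is a small parser for those two message types. The sample log text is constructed for the example (the `%LINK-3-UPDOWN` line and the `Gi0/7` event are filler, not output from the lab above), and the function and class names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample syslog output: the two BPDU Guard messages quoted in the
# post, plus unrelated filler lines. Not captured from a real switch.
SAMPLE_LOG = """\
*Mar  1 00:12:04.117: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Fa0/20 with BPDU Guard enabled. Disabling port.
*Mar  1 00:12:04.119: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/20, putting Fa0/20 in err-disable state
*Mar  1 00:12:06.201: %LINK-3-UPDOWN: Interface FastEthernet0/20, changed state to down
*Mar  1 00:15:31.004: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Gi0/7 with BPDU Guard enabled. Disabling port.
"""

# Short interface prefixes as they appear in log lines, mapped to the long form
# that "show" commands use, so events can be correlated with show output.
_PREFIXES = {"Fa": "FastEthernet", "Gi": "GigabitEthernet"}

_BLOCK_RE = re.compile(
    r"%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port ([^\s,]+) with BPDU Guard enabled")
_ERRDIS_RE = re.compile(
    r"%PM-4-ERR_DISABLE: (\w+) error detected on ([^\s,]+), putting ([^\s,]+) in err-disable state")


@dataclass
class GuardEvent:
    kind: str        # "bpdu_received" or "err_disable"
    interface: str   # long interface name, e.g. FastEthernet0/20
    cause: str       # err-disable cause as logged ("bpduguard" for both messages here)


def expand_interface(short: str) -> str:
    """Fa0/20 -> FastEthernet0/20; a name that is already long is returned unchanged."""
    m = re.match(r"([A-Za-z]+)(\d.*)", short)
    if not m:
        return short
    prefix, rest = m.groups()
    return _PREFIXES.get(prefix, prefix) + rest


def parse_line(line: str) -> Optional[GuardEvent]:
    """Return a GuardEvent for the two BPDU Guard message types, None for anything else."""
    m = _BLOCK_RE.search(line)
    if m:
        return GuardEvent("bpdu_received", expand_interface(m.group(1)), "bpduguard")
    m = _ERRDIS_RE.search(line)
    if m:
        cause, iface, _ = m.groups()
        return GuardEvent("err_disable", expand_interface(iface), cause)
    return None


def parse_log(text: str) -> List[GuardEvent]:
    """Parse a block of syslog text, keeping only BPDU Guard related events."""
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev is not None]


def err_disabled_ports(events: List[GuardEvent]) -> List[str]:
    """Ports that the log shows actually went into err-disable (unique, sorted)."""
    return sorted({ev.interface for ev in events if ev.kind == "err_disable"})


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for ev in events:
        print(ev)
    print("err-disabled:", err_disabled_ports(events))
```

Note that the sample deliberately contains a BLOCK_BPDUGUARD message with no matching ERR_DISABLE line (for `Gi0/7`), so `err_disabled_ports` reports only the port the log actually confirms as disabled; the "received BPDU" events are still worth counting on their own, since they identify where a bridge is being attached.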
BPDU Filter: Port
We have seen in the earlier examples that globally configured BPDU Filter relies on the portfast status of the port. The behavior of globally configured BPDU Filter is also not complete: a couple of BPDU frames are still sent when the port becomes active. In short, globally configured BPDU Filter is "conditional". Contrary to this, BPDU Filter configured directly on the port is unconditional: it is always active and no BPDU frames are sent.
To test this claim we can use the existing setup on Cat2 and enable BPDU Filter on the port on Cat3. We have seen in the previous example that Cat2 disables the port when it receives a BPDU frame, due to BPDU Guard being enabled. If this doesn't happen after configuring BPDU Filter on Cat3's port, we will have our proof. Let's try.
Cat3:
interface FastEthernet0/20
 spanning-tree bpdufilter enable
!
Let’s bounce the port on Cat2 to recover err-disable.
Cat2:
interface FastEthernet0/20
 shutdown
 no shutdown
!
Cat2#show spanning-tree interface FastEthernet0/20
Vlan                Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
VLAN0023            Desg FWD 19        128.22   P2p Edge
We can see that the port is up and that Cat2 considers it a designated port and an edge port. Edge port simply means that no BPDU frames are being received!
BPDU Guard: Port
Similar to BPDU Filter, globally enabled BPDU Guard is conditional: it works only on portfast ports. If the port is not portfast, BPDU Guard is not enabled on it. Simply put, this means it is not enabled on any trunk by default. If we wish to enable BPDU Guard unconditionally on a port, we should do that on the port itself.
To test this behavior, let's change the port between Cat2 and Cat3 into an 802.1Q trunk. This disables all BPDU Filter and BPDU Guard features on Cat2, since they are enabled globally. BPDU Filter on Cat3 remains active, since it's configured on the port itself.
Cat2:
interface FastEthernet0/20
 shutdown
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no shutdown
!
Cat3:
interface FastEthernet0/20
 shutdown
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no shutdown
!
Cat2:
Cat2#show spanning-tree interface FastEthernet 0/20
Vlan                Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
VLAN0001            Desg LRN 19        128.22   P2p
VLAN0023            Desg LRN 19        128.22   P2p
We can see that the port is no longer considered Edge, and it's definitely not portfast, since it's going through the learning state.
We should be seeing similar behavior on Cat3.
Cat3:
Cat3#show spanning-tree interface FastEthernet0/20
Vlan Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
VLAN0001 Desg FWD 19 128.22 P2p
VLAN0023 Desg FWD 19 128.22 P2p
Now, let’s configure BPDU Guard on FastEthernet0/20 on Cat3 and see what happens.
Cat3:
interface FastEthernet0/20
 spanning-tree bpduguard enable
!
It will soon become obvious that absolutely nothing changes! The port is still operational. Remember, we still have BPDU Filter enabled on it:
Cat3:
Cat3#show running-config interface FastEthernet0/20
Building configuration...

Current configuration : 211 bytes
!
interface FastEthernet0/20
 switchport access vlan 23
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
end
Cat3#show spanning-tree interface FastEthernet0/20 detail
 Port 22 (FastEthernet0/20) of VLAN0001 is designated forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.22.
   Designated root has priority 32769, address 0018.baf8.a200
   Designated bridge has priority 32769, address 0018.baf8.a200
   Designated port id is 128.22, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default
   Bpdu guard is enabled
   Bpdu filter is enabled
   BPDU: sent 0, received 0
 Port 22 (FastEthernet0/20) of VLAN0023 is designated forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.22.
   Designated root has priority 32791, address 0018.baf8.a200
   Designated bridge has priority 32791, address 0018.baf8.a200
   Designated port id is 128.22, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default
   Bpdu guard is enabled
   Bpdu filter is enabled
   BPDU: sent 0, received 0
The important conclusion to draw here is that BPDU Filter configured locally on the port takes precedence over, or as I like to say is "older" than, BPDU Guard. We can clearly see that the switch neither sends nor receives any BPDU frames. Let's now remove BPDU Filter and see what happens.
Cat3:
interface FastEthernet0/20
 no spanning-tree bpdufilter enable
!
Sure enough, as soon as I did that, the familiar log messages showed up.
%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Fa0/20 with BPDU Guard enabled. Disabling port.
%PM-4-ERR_DISABLE: bpduguard error detected on Fa0/20, putting Fa0/20 in err-disable state
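The four sections above (global BPDU Filter, global BPDU Guard, port-level BPDU Filter, port-level BPDU Guard) plus the trunk test together define a precedence order: per-port filter beats everything, guard is evaluated before a port can lose portfast, and the global variants apply only while the port is portfast. As an added example that is not part of the original post and not Cisco's code, the model below encodes exactly those rules so the whole walkthrough can be replayed in one place; the class and field names are this example's own, and the comments name the IOS commands each flag stands for.

```python
# Added example, not Cisco code: a model of the portfast / BPDU Filter / BPDU Guard
# precedence rules demonstrated in the post. Names are this example's own.
from dataclasses import dataclass, field
from enum import Enum
from typing import List


class TxPolicy(Enum):
    NONE = "no BPDUs sent"                                    # per-port bpdufilter
    STARTUP_ONLY = "a couple of BPDUs at link-up, then none"  # global bpdufilter, portfast port
    NORMAL = "BPDUs sent normally"


@dataclass
class GlobalConfig:
    portfast_default: bool = False     # spanning-tree portfast default
    bpdufilter_default: bool = False   # spanning-tree portfast bpdufilter default
    bpduguard_default: bool = False    # spanning-tree portfast bpduguard default


@dataclass
class PortConfig:
    trunk: bool = False        # switchport mode trunk (otherwise access)
    portfast: bool = False     # spanning-tree portfast, configured on the interface
    bpdufilter: bool = False   # spanning-tree bpdufilter enable
    bpduguard: bool = False    # spanning-tree bpduguard enable


@dataclass
class Port:
    name: str
    glob: GlobalConfig
    cfg: PortConfig
    portfast: bool = False
    err_disabled: bool = False
    log: List[str] = field(default_factory=list)

    def link_up(self) -> TxPolicy:
        """Bring the port up (clears err-disable) and report how it will send BPDUs."""
        self.err_disabled = False
        # Per-port portfast is unconditional; the global default covers access ports only.
        self.portfast = self.cfg.portfast or (self.glob.portfast_default and not self.cfg.trunk)
        return self.tx_policy()

    def tx_policy(self) -> TxPolicy:
        if self.cfg.bpdufilter:
            return TxPolicy.NONE
        if self.glob.bpdufilter_default and self.portfast:
            return TxPolicy.STARTUP_ONLY
        return TxPolicy.NORMAL

    def guard_active(self) -> bool:
        # Per-port guard is unconditional; global guard covers portfast ports only.
        return self.cfg.bpduguard or (self.glob.bpduguard_default and self.portfast)

    def receive_bpdu(self) -> str:
        """Apply the precedence shown in the post and say what happened to the port."""
        if self.cfg.bpdufilter:
            return "filtered"          # per-port filter wins, even over per-port guard
        if self.guard_active():        # guard is checked before portfast can be lost
            self.err_disabled = True
            self.log.append(f"%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port {self.name} "
                            "with BPDU Guard enabled. Disabling port.")
            self.log.append(f"%PM-4-ERR_DISABLE: bpduguard error detected on {self.name}, "
                            f"putting {self.name} in err-disable state")
            return "err-disabled"
        if self.portfast and not self.cfg.portfast:
            self.portfast = False      # global portfast (and global filter) is conditional
            return "portfast lost, BPDU processed"
        return "BPDU processed"


def walkthrough() -> dict:
    """Replay the post's steps against the model; keys name the step."""
    out = {}
    cat2 = GlobalConfig(portfast_default=True, bpdufilter_default=True)
    out["cat2 global filter, port to R2"] = Port("Fa0/2", cat2, PortConfig()).link_up()
    p = Port("Fa0/20", cat2, PortConfig())
    p.link_up()
    out["cat2 global filter, port to Cat3"] = p.receive_bpdu()
    cat2 = GlobalConfig(portfast_default=True, bpduguard_default=True)
    p = Port("Fa0/20", cat2, PortConfig())
    p.link_up()
    out["cat2 global guard, port to Cat3"] = p.receive_bpdu()
    out["cat3 port filter, tx"] = Port("Fa0/20", GlobalConfig(), PortConfig(bpdufilter=True)).link_up()
    cat2 = GlobalConfig(portfast_default=True, bpdufilter_default=True, bpduguard_default=True)
    p = Port("Fa0/20", cat2, PortConfig(trunk=True))
    p.link_up()
    out["cat2 trunk, all global features"] = p.receive_bpdu()
    p = Port("Fa0/20", GlobalConfig(), PortConfig(trunk=True, bpdufilter=True, bpduguard=True))
    p.link_up()
    out["cat3 trunk, port filter + guard"] = p.receive_bpdu()
    p.cfg.bpdufilter = False           # "no spanning-tree bpdufilter enable"
    out["cat3 trunk, port guard only"] = p.receive_bpdu()
    return out
```

Running `walkthrough()` reproduces the post's observations step by step: the R2-facing port stays portfast and sends only its start-up BPDUs, the Cat3-facing port drops out of portfast on the first BPDU, global guard err-disables it instead, a trunk is untouched by any of the global features, and the per-port guard on Cat3 fires only once the per-port filter is removed.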
Conclusions
In the CCIE lab, attention to detail is of extreme importance. Not understanding the difference between features, and how they behave depending on how they have been configured, can be a costly mistake. Hopefully this article cleared up some of the misconceptions I heard and read about these Cisco features in Catalyst switches.
Happy studies!
This post has been edited on January 22nd 2011 to correct minor errors and provide additional clarification of the initial test configuration.