Spanning Tree BPDU Filter and Guard Behavior
Earlier this week I ran into a situation at the customer site I work at that involved BPDU filter, BPDU guard and portfast. I wasn't 100% sure off the top of my head how these would interoperate. So, mostly to satisfy my curiosity, I set up a quick lab at home with my Catalyst 3550 and another device.
These are my notes about the behavior in different situations. I think most of this is covered in Cisco's documentation, but it was easier for me to lab it out, and I figure someone else might find a brief overview valuable.
Main Points
- If portfast is not used, BPDU filter will filter BPDUs before they reach BPDU guard.
- BPDU filter works differently when it's configured as a default for portfast than it does when it's explicitly configured on a port.
- BPDU guard works the same in either case (other than being affected by BPDU filter working differently).
Behavior in Specific Combinations
With portfast enabled on the interface:
- BPDUs are transmitted
- If a BPDU is received, the port is taken out of portfast mode and becomes a normal STP port
With portfast enabled, and with BPDU filter configured specifically on the interface:
- No BPDUs are transmitted
- No BPDUs are received (they are filtered out)
With portfast enabled, and with BPDU filter set as the default for portfast:
- A few BPDUs are sent when the port first comes up (11 in my experience), after which it stops transmitting BPDUs.
- If a BPDU is received, the port is kicked out of portfast mode and BPDU filter is disabled on it. It becomes a normal STP port at that point.
Transmitting a few BPDUs at the beginning is done to prevent a loop if two ports with this configuration are directly connected together. Though, I think it's still conceptually possible (though unlikely) for a loop to be formed in this scenario. (I'm thinking of a scenario where a hub is connected to bring the port up, and then later another switch with this port configuration is connected to the hub.)
With portfast, and with BPDU guard enabled by default for portfast:
- BPDUs are transmitted
- If a BPDU is received, the port is err-disabled
No portfast, and with both BPDU filter and BPDU guard configured specifically on the interface:
- Port goes through the normal blocking, listening, learning, forwarding process since portfast is disabled
- No BPDUs are transmitted
- No BPDUs are received (BPDU filter drops them before BPDU guard sees them). So if BPDUs are sent to this switchport, the port stays up and is not err-disabled; BPDU guard is essentially non-functional.
Portfast enabled on interface, with both BPDU filter and BPDU guard set as defaults for portfast:
- A few BPDUs are sent when the port first comes up, then transmission stops
- If a BPDU is received, BPDU guard catches it and err-disables the port.
So, in this case BPDU filter does not filter out incoming BPDUs; it still allows BPDU guard to function.
Portfast enabled, with BPDU guard configured as default for portfast, and BPDU filter specifically enabled on the interface:
- No BPDUs are transmitted
- No BPDUs are received; BPDU filter drops them. BPDU guard is not functional.
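The practical takeaway from the combinations above is that an interface-level "spanning-tree bpdufilter enable" quietly turns BPDU guard into a no-op, while the global "spanning-tree portfast bpdufilter default" does not. Below is an added example (my own script, not something from the original lab or from Cisco) that reads an IOS running-config and flags exactly that: ports where guard is configured but an interface-level filter means it can never fire, and ports where an interface-level filter leaves STP effectively off with no guard at all. The sample config at the bottom is constructed to cover the combinations in these notes. It is deliberately simplified: only the interface "spanning-tree portfast" command and the two global portfast defaults are modelled, so "spanning-tree portfast default", "portfast disable" and trunk-port handling are not considered.

```python
# Added example, not from the post: audit an IOS running-config for BPDU guard that an
# interface-level "spanning-tree bpdufilter enable" silently defeats. Simplification:
# only interface "spanning-tree portfast" and the two global portfast defaults are modelled.
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

@dataclass
class Port:
    name: str
    portfast: bool = False            # interface-level "spanning-tree portfast"
    guard: Optional[str] = None       # "enable" / "disable" / None = inherit default
    bpdufilter: Optional[str] = None  # "enable" / "disable" / None = inherit default

@dataclass
class Config:
    guard_default: bool = False       # spanning-tree portfast bpduguard default
    filter_default: bool = False      # spanning-tree portfast bpdufilter default
    ports: Dict[str, Port] = field(default_factory=dict)

def parse_config(text: str) -> Config:
    """Pick out the global STP defaults and the per-interface STP sub-commands."""
    cfg, current = Config(), None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):  # global command (or an "interface" header)
            current = None
            m = re.match(r"interface (\S+)$", line)
            if m:
                current = cfg.ports.setdefault(m.group(1), Port(m.group(1)))
            elif line == "spanning-tree portfast bpduguard default":
                cfg.guard_default = True
            elif line == "spanning-tree portfast bpdufilter default":
                cfg.filter_default = True
        elif current is not None:      # indented interface sub-command
            cmd = line.strip()
            if cmd == "spanning-tree portfast":
                current.portfast = True
            elif cmd.startswith("spanning-tree bpduguard "):
                current.guard = cmd.split()[-1]
            elif cmd.startswith("spanning-tree bpdufilter "):
                current.bpdufilter = cmd.split()[-1]
    return cfg

def effective(cfg: Config, port: Port) -> dict:
    """Resolve what really applies: interface commands win, globals only reach portfast ports."""
    if port.bpdufilter == "enable":
        bpdufilter = "interface"
    elif port.bpdufilter != "disable" and cfg.filter_default and port.portfast:
        bpdufilter = "global"
    else:
        bpdufilter = None
    if port.guard == "enable":
        guard = "interface"
    elif port.guard != "disable" and cfg.guard_default and port.portfast:
        guard = "global"
    else:
        guard = None
    # Interface-level filter drops BPDUs before guard sees them; the global portfast
    # filter default does not, so guard still err-disables the port in that case.
    guard_effective = guard is not None and bpdufilter != "interface"
    return {"bpdufilter": bpdufilter, "bpduguard": guard, "guard_effective": guard_effective}

def audit(text: str) -> list:
    """One finding per port whose configuration is weaker than it looks."""
    cfg, findings = parse_config(text), []
    for name, port in cfg.ports.items():
        e = effective(cfg, port)
        if e["bpduguard"] and not e["guard_effective"]:
            findings.append(f"{name}: BPDU guard ({e['bpduguard']}) never fires, interface bpdufilter drops BPDUs first")
        elif e["bpdufilter"] == "interface":
            findings.append(f"{name}: interface bpdufilter with no BPDU guard, STP is effectively off on this port")
    return findings

# Constructed sample (not the post's lab config); each port maps onto one combination above.
SAMPLE_CONFIG = """\
spanning-tree portfast bpduguard default
spanning-tree portfast bpdufilter default
!
interface FastEthernet0/1
 description portfast + both global defaults: guard still works
 spanning-tree portfast
!
interface FastEthernet0/2
 description portfast + global guard default + interface filter: guard defeated
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface FastEthernet0/3
 description no portfast, explicit filter + explicit guard: filter wins
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
!
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, it reports FastEthernet0/2 and FastEthernet0/3 and stays quiet about FastEthernet0/1, which matches the lab results above: the global filter default coexists with guard, the interface-level filter does not. To use it on a real switch, paste the output of "show running-config" into the text argument instead of SAMPLE_CONFIG.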