Saturday, April 25, 2009

Spanning Tree - portfast, bpduguard, bpdufilter


I use the above diagram to illustrate the interaction between the spanning tree features: portfast, bpdufilter and bpduguard.

For a long time, whilst I understood the purpose of these features, I did not understand how bpdufilter and bpduguard in particular interacted with each other.
I have at last resolved this confusion by running a wire capture to see for myself exactly what is going on.

First the basics:
portfast - moves a port immediately to the forwarding state
bpdufilter - stops a port sending BPDUs
bpduguard - error-disables a port if BPDUs are received

1)
config-if#spanning-tree portfast

With portfast enabled the port moves straight to the forwarding state, and from the capture I can see BPDUs still being sent.

2)
config-if#spanning-tree portfast
config-if#spanning-tree bpdufilter enable


I enable bpdufilter and BPDUs are no longer sent.

3)
config-if#spanning-tree portfast
config-if#spanning-tree bpduguard enable


I enable bpduguard and can still see BPDUs being sent. I was somewhat surprised by this, as I had always treated bpduguard as a more severe version of bpdufilter, i.e. no BPDUs sent with the guard feature set. Wrong!

The enlightening moment for me was the realisation that bpduguard on its own does nothing to stop BPDUs leaving the port; to ensure none are sent while bpduguard is on, bpdufilter has to be enabled alongside it.

4)
config-if#spanning-tree portfast
config-if#spanning-tree bpduguard enable
config-if#spanning-tree bpdufilter enable


With the above commands I observed no BPDUs being sent. I had previously assumed these features were mutually exclusive. They are not: they perform different functions and can be used alongside each other.

To observe BPDU guard in action I connected the port to another switchport that was sending BPDUs.

I then observed the following...

01:03:26: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/24 with BPDU Guard enabled. Disabling port.
01:03:26: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/24, putting Fa0/24 in err-disable state
01:03:27: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/24, changed state to down
01:03:28: %LINK-3-UPDOWN: Interface FastEthernet0/24, changed state to down


Examining the port status:

show int status err-disabled
Port      Name    Status         Reason
Fa0/24            err-disabled   bpduguard

To enable automatic recovery I entered the following commands:

config#errdisable recovery cause bpduguard
config#errdisable recovery interval 30


I then applied bpdufilter to the neighbouring switchport that was sending BPDUs, and once the recovery interval expired the local port was automatically restored to normal service.
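The log sequence and the recovery commands above are also what a defender would watch for: with errdisable recovery enabled, a port whose neighbour keeps sending BPDUs will trip, recover after the interval and trip again, so the BPDU guard messages should be alerted on rather than left to self-heal. The following is an added example (not from the original post) that parses IOS syslog lines of the kind shown above, groups the BPDU guard trips per port, works out when errdisable recovery will re-enable each port, and flags ports that trip repeatedly. The first four sample lines are the ones from the post; the remaining lines and the interval window are constructed for illustration.

```python
import re
from dataclasses import dataclass
from datetime import timedelta
from typing import Optional

# Sample IOS syslog output. The first four lines are the ones from the post; the
# remaining lines are constructed to show Fa0/24 tripping again once errdisable
# recovery has re-enabled it while the BPDU source is still attached, plus a
# single trip on a second port.
SAMPLE_LOG = """\
01:03:26: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/24 with BPDU Guard enabled. Disabling port.
01:03:26: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/24, putting Fa0/24 in err-disable state
01:03:27: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/24, changed state to down
01:03:28: %LINK-3-UPDOWN: Interface FastEthernet0/24, changed state to down
01:04:01: %LINK-3-UPDOWN: Interface FastEthernet0/24, changed state to up
01:04:02: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/24 with BPDU Guard enabled. Disabling port.
01:04:02: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/24, putting Fa0/24 in err-disable state
01:05:00: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/12 with BPDU Guard enabled. Disabling port.
01:05:00: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/12, putting Fa0/12 in err-disable state
"""

# One IOS syslog line: "<uptime>: %FACILITY-SEVERITY-MNEMONIC: message".
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}): %(?P<facility>[A-Z]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+): (?P<msg>.*)$"
)
# IOS prints the same interface as "FastEthernet0/24" in some messages and "Fa0/24"
# in others; normalise both to the short form so events can be grouped per port.
PORT_RE = re.compile(r"\b(FastEthernet|Fa|GigabitEthernet|Gi)(\d+(?:/\d+)+)\b")
SHORT = {"FastEthernet": "Fa", "Fa": "Fa", "GigabitEthernet": "Gi", "Gi": "Gi"}


@dataclass
class Event:
    ts: timedelta        # switch uptime at which the message was logged
    mnemonic: str        # e.g. BLOCK_BPDUGUARD, ERR_DISABLE
    severity: int
    port: Optional[str]  # normalised interface name, e.g. Fa0/24
    msg: str


def parse_uptime(ts: str) -> timedelta:
    h, m, s = (int(x) for x in ts.split(":"))
    return timedelta(hours=h, minutes=m, seconds=s)


def parse_line(line: str) -> Optional[Event]:
    """Parse one syslog line; returns None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    p = PORT_RE.search(m["msg"])
    port = f"{SHORT[p.group(1)]}{p.group(2)}" if p else None
    return Event(parse_uptime(m["ts"]), m["mnemonic"], int(m["sev"]), port, m["msg"])


def parse_log(text: str) -> list:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def bpduguard_trips(events) -> dict:
    """Map each port to the uptimes at which BPDU guard err-disabled it."""
    trips: dict = {}
    for e in events:
        if e.mnemonic == "BLOCK_BPDUGUARD" and e.port:
            trips.setdefault(e.port, []).append(e.ts)
    return trips


def expected_recovery(trip: timedelta, interval_s: int) -> timedelta:
    """With 'errdisable recovery cause bpduguard' configured, the port is
    re-enabled one recovery interval after the trip (the post uses 30 seconds)."""
    return trip + timedelta(seconds=interval_s)


def flapping_ports(events, interval_s: int, window_multiple: int = 2) -> dict:
    """Ports that tripped again within window_multiple recovery intervals of a
    previous trip. Auto-recovery is cycling because the BPDU source is still
    attached, so this is the condition to alert on rather than wait out."""
    result = {}
    window = timedelta(seconds=interval_s * window_multiple)
    for port, times in bpduguard_trips(events).items():
        repeats = sum(1 for a, b in zip(times, times[1:]) if b - a <= window)
        if repeats:
            result[port] = len(times)
    return result


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for port, times in bpduguard_trips(evts).items():
        for t in times:
            print(f"{port}: tripped at {t}, expected recovery at {expected_recovery(t, 30)}")
    print("flapping:", flapping_ports(evts, 30))
```

The window of two recovery intervals is a constructed threshold; on a real switch it should match whatever `errdisable recovery interval` is configured, and the normalisation table would need extending for other interface types.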

3 comments:

Anonymous said...

Good work, and useful too because I'm studying BCMSN... I will stay tuned!

Andrea

Anonymous said...

I'm currently CCNA certified, but can't remember the bpduguard/bpdufilter options... It's amazing to see all the things you forget a half year after I got my certificate... :)

Jose Tapia said...

Great and simple explanation, thanks for the info