Configuring BPDU filtering
The STP BPDU filter feature allows control of spanning tree participation on a per-port basis. It can be used to exclude specific ports from becoming part of spanning tree operations. A port with the BPDU filter enabled will ignore incoming BPDU packets and stay locked in the spanning tree forwarding state. All other ports will maintain their role.
Syntax:
[no]
spanning-tree [<port-list>| all ] bpdu-filterEnables or disables the BPDU filter feature on specified ports. This forces a port to always stay in the forwarding state and be excluded from standard STP operation.
Sample scenarios in which this feature may be used are:
To have STP operations running on selected ports of the switch rather than every port of the switch at a time.
To prevent the spread of errant BPDU frames.
To eliminate the need for a topology change, when a port's link status changes. For example, ports that connect to servers and workstations can be configured to remain outside of spanning tree operations.
To protect the network from denial of service attacks that use spoofing BPDUs by dropping incoming BPDU frames. For this scenario, BPDU protection offers a more secure alternative, implementing port shutdown and a detection alert when errant BPDU frames are received.
CAUTION: Ports configured with the BPDU filter mode remain active (learning and forward frames); however, spanning tree cannot receive or transmit BPDUs on the port. The port remains in a forwarding state, permitting all broadcast traffic. This can create a network storm if there are any loops (that is, trunks or redundant links) using these ports. If you suddenly have a high load, disconnect the link and disable the bpdu-filter (using the
nocommand).
Configuring BPDU filtering
To configure BPDU filtering on port a9, enter:
switch(config)#: spanning-tree a9 bpdu-filter
Enabling and disabling BPDU protection
Syntax:
[no]
spanning-tree<port-list>bpdu-protectionEnables or disables BPDU protection on specified ports.
Syntax:
[no]
spanning-tree<port-list>bpdu-protection-timeout<timeout>Configures the duration in seconds when protected ports receiving unauthorized BPDUs will remain disabled. The default value of 0 (zero) sets an infinite timeout (that is, ports that are disabled by
bpdu-protectionare not, by default, re-enabled automatically).Range: 0-65535 seconds; Default: 0
Syntax:
![[CAUTION: ]](images/caution.gif) | CAUTION: This command should only be used to guard edge ports that are not expected to participate in STP operations. Once BPDU protection is enabled, it will disable the port as soon as any BPDU packet is received on that interface. |
Configuring BPDU protection
To configure BPDU protection on ports 1 to 10 with SNMP traps enabled, enter:
switch(config)#: spanning-tree 1-10 bpdu protection switch(config)#: spanning-tree trap errant-bpdu
The following steps will then be set in progress:
When an STP BPDU packet is received on ports 1-10, STP treats it as an unauthorized transmission attempt and shuts down the port that the BPDU came in on.
An event message is logged and an SNMP notification trap is generated.
The port remains disabled until re-enabled manually by a network administrator using the
interface<port-list>enablecommand.
![[NOTE: ]](images/note.gif) | NOTE: To re-enable the BPDU-protected ports automatically,
configure a timeout period using the |
Displaying BPDU protection status
Syntax:
show spanning-tree bpdu-protectionDisplays a summary listing of ports with BPDU protection enabled. To display detailed per port status information, enter the specific port numbers as shown here.
BPDU protected ports are displayed as separate entries of the spanning tree category within the configuration file.
