How to filter PVST+ BPDUs

Latest reply: Apr 1, 2017 09:15:21

The S5700 switch is connected to a Cisco LAN that uses PVST+ to break Layer 2 loops. The interface facing the Cisco LAN is G0/0/6; its configuration is shown below.

interface GigabitEthernet0/0/6
 undo negotiation auto
 speed 100
 description PtP Zuiderzeeland #4
 port link-type dot1q-tunnel
 port default vlan 1915
 mac-limit maximum 100
 loopback-detect recovery-time 60
 loopback-detect enable
 loopback-detect action block
 stp bpdu-filter enable
 stp edged-port enable
 undo ndp enable
 storm-control broadcast min-rate 1488 max-rate 1488
 storm-control multicast min-rate 1488 max-rate 1488
 storm-control action error-down
 storm-control enable trap
 storm-control enable log

The customer configured STP BPDU filter and edge port on this interface, hoping to block PVST+ BPDUs arriving on it. It didn't work... let's see why.

From V200R003, S5700 series switches transparently forward PVST+ BPDUs in the ASIC by default. What do STP BPDU filter and edge port actually do? According to the product documentation, after a port is configured as an edge port and a BPDU filter port in the interface view, the port neither processes nor sends BPDUs and cannot negotiate the STP state with the directly connected port on the peer device.

So what's wrong here?

The BPDU filter and STP edge port commands apply only to STP, RSTP and MSTP BPDUs. PVST+ is a Cisco proprietary protocol and is handled differently: the switch treats PVST+ BPDUs as ordinary Layer 2 frames, so it never passes them to the STP protocol stack, and the BPDU filter never sees them.

How to fix this?

Created Apr 1, 2017 09:15:21

In order to filter PVST+ BPDUs arriving at the switch, I propose the following traffic policy:

acl number 4000
 rule 10 permit destination-mac 0100-0ccc-cccd
traffic classifier c1 type or
 if-match acl 4000
traffic behavior b1
 statistics enable
 deny
traffic policy p1
 classifier c1 behavior b1 precedence 5

Rule 10 in ACL 4000 matches PVST+ BPDUs by their destination MAC address (0100-0ccc-cccd). To actually filter the BPDUs, the behavior must be changed to deny; statistics enable only counts the matched frames.

Then apply the policy globally to inbound traffic:
[S570]traffic-policy p1 global inbound
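To make the difference between the two mechanisms concrete, here is an added example (not part of the original post, and not Huawei code) in Python. It decodes raw Ethernet frames and classifies them as IEEE STP BPDUs (destination 0180-c200-0000, LLC DSAP/SSAP 0x42), Cisco PVST+ BPDUs (destination 0100-0ccc-cccd, SNAP with Cisco OUI and protocol id 0x010b) or ordinary traffic, then shows which frames a destination-MAC match like rule 10 of ACL 4000 would drop and which ones the STP process, and therefore stp bpdu-filter, would ever see. The sample frames, source MAC and the VLAN 1915 tag are constructed for the demonstration; the BPDU body is a minimal zeroed Configuration BPDU.

```python
"""Added example: classify Ethernet frames as IEEE STP BPDU, Cisco PVST+ BPDU
or ordinary traffic, and show which page mechanism acts on each.
All frames below are constructed sample data; MACs and VLAN are illustrative."""
import struct
from typing import Dict, Optional, Tuple

IEEE_STP_MAC = bytes.fromhex("0180c2000000")  # 802.1D/RSTP/MSTP BPDU destination
PVST_MAC = bytes.fromhex("01000ccccccd")      # Cisco PVST+ / Rapid-PVST+ destination
CISCO_OUI = bytes.fromhex("00000c")
PVST_SNAP_PID = 0x010B                        # SNAP protocol id carried by PVST+ BPDUs
SRC_MAC = bytes.fromhex("00aabbccdd01")       # constructed source address


def parse_frame(frame: bytes) -> Dict[str, object]:
    """Decode the L2 envelope: addresses, optional 802.1Q tag, LLC/SNAP header."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, offset, vlan = frame[:6], frame[6:12], 12, None
    type_or_len = struct.unpack("!H", frame[offset:offset + 2])[0]
    if type_or_len == 0x8100:                 # 802.1Q tag (PVST+ BPDUs on non-native VLANs carry one)
        vlan = struct.unpack("!H", frame[offset + 2:offset + 4])[0] & 0x0FFF
        offset += 4
        type_or_len = struct.unpack("!H", frame[offset:offset + 2])[0]
    offset += 2
    info: Dict[str, object] = {"dst": dst, "src": src, "vlan": vlan, "kind": "other"}
    if type_or_len > 0x05DC:                  # Ethernet II: no LLC header, cannot be a BPDU
        info["kind"] = "ethernet_ii"
        return info
    if len(frame) < offset + 3:
        raise ValueError("truncated LLC header")
    dsap, ssap, _ctrl = frame[offset:offset + 3]
    payload = frame[offset + 3:]
    if dst == IEEE_STP_MAC and dsap == 0x42 and ssap == 0x42:
        info["kind"] = "ieee_stp_bpdu"        # the only kind the switch's STP process receives
    elif (dst == PVST_MAC and dsap == 0xAA and ssap == 0xAA and len(payload) >= 5
          and payload[:3] == CISCO_OUI
          and struct.unpack("!H", payload[3:5])[0] == PVST_SNAP_PID):
        info["kind"] = "pvst_bpdu"            # SNAP-encapsulated: an ordinary L2 frame to the switch
    return info


def caught_by_stp_bpdu_filter(frame: bytes) -> bool:
    """'stp bpdu-filter enable' only acts on BPDUs the STP process receives, i.e. IEEE ones."""
    return parse_frame(frame)["kind"] == "ieee_stp_bpdu"


def matches_acl_4000(frame: bytes) -> bool:
    """Mirror of 'rule 10 permit destination-mac 0100-0ccc-cccd': a pure destination-MAC match."""
    return frame[:6] == PVST_MAC


def config_bpdu() -> bytes:
    """Constructed minimal 35-byte 802.1D Configuration BPDU (timers in 1/256 s units)."""
    bridge_id = bytes.fromhex("8000") + SRC_MAC
    return struct.pack("!HBBB8sI8sHHHHH", 0, 0, 0, 0, bridge_id, 0, bridge_id,
                       0x8001, 0, 20 * 256, 2 * 256, 15 * 256)


def build_ieee_bpdu_frame() -> bytes:
    body = bytes([0x42, 0x42, 0x03]) + config_bpdu()          # LLC DSAP/SSAP 0x42
    return IEEE_STP_MAC + SRC_MAC + struct.pack("!H", len(body)) + body


def build_pvst_bpdu_frame(vlan: Optional[int]) -> bytes:
    body = (bytes([0xAA, 0xAA, 0x03]) + CISCO_OUI              # LLC SNAP + Cisco OUI + PID
            + struct.pack("!H", PVST_SNAP_PID) + config_bpdu())
    tag = b"" if vlan is None else struct.pack("!HH", 0x8100, vlan)
    return PVST_MAC + SRC_MAC + tag + struct.pack("!H", len(body)) + body


def build_arp_frame() -> bytes:
    return b"\xff" * 6 + SRC_MAC + struct.pack("!H", 0x0806) + bytes(28)


def classify_samples() -> Dict[str, Tuple[str, bool, bool]]:
    """Per sample frame: (kind, dropped by ACL 4000 deny, handled by stp bpdu-filter)."""
    samples = {
        "ieee_stp": build_ieee_bpdu_frame(),
        "pvst_untagged": build_pvst_bpdu_frame(None),     # native VLAN of the Cisco trunk
        "pvst_vlan1915": build_pvst_bpdu_frame(1915),     # tagged with the VLAN from the page's config
        "arp": build_arp_frame(),
    }
    return {name: (str(parse_frame(f)["kind"]), matches_acl_4000(f), caught_by_stp_bpdu_filter(f))
            for name, f in samples.items()}


if __name__ == "__main__":
    for name, (kind, acl_drop, filtered) in classify_samples().items():
        print(f"{name:14s} kind={kind:14s} acl4000_drop={acl_drop} bpdu_filter={filtered}")
```

Running it shows the point of the post: the IEEE BPDU is the only frame the BPDU filter can act on, while both PVST+ BPDUs (tagged or not) pass straight through it and are only stopped by the destination-MAC ACL with a deny behavior. The ARP frame is untouched by either, which is the behaviour you want from a filter that keys on a single multicast address.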
