FAQ - How to filter PVST+ BPDUs

Publication Date: 2016-12-31
Issue Description

An S5700 switch is connected to a Cisco LAN that uses PVST+ to break Layer 2 loops. The interface facing the Cisco LAN is G0/0/6; its configuration is shown below.

interface GigabitEthernet0/0/6
 undo negotiation auto
 speed 100
 description PtP Zuiderzeeland #4
 port link-type dot1q-tunnel
 port default vlan 1915
 mac-limit maximum 100
 loopback-detect recovery-time 60
 loopback-detect enable
 loopback-detect action block
 stp bpdu-filter enable
 stp edged-port enable

 undo ndp enable
 storm-control broadcast min-rate 1488 max-rate 1488
 storm-control multicast min-rate 1488 max-rate 1488
 storm-control action error-down
 storm-control enable trap
 storm-control enable log

The customer configured STP BPDU filter and edge port on this interface, hoping to block the PVST+ BPDUs arriving on it. It did not work. Let's see why.

Starting with software version V200R003, S5700 series switches transparently forward PVST+ BPDUs in the ASIC by default. What do STP BPDU filter and edge port actually do? According to the product documentation, after a port is configured as an edge port and a BPDU filter port in the interface view, the port does not process or send BPDUs and cannot negotiate the STP state with the directly connected port on the peer device.

So what's wrong here?

The BPDU filter and STP edge port commands apply only to STP, RSTP and MSTP BPDUs. PVST+ is a Cisco proprietary protocol and is handled differently: the switch treats PVST+ BPDUs as ordinary Layer 2 frames and does not pass them to the STP protocol stack, so the filter never sees them.

How to fix this?

Solution

To filter the PVST+ BPDUs arriving at the switch, I propose the following traffic policy:

#
acl number 4000
 rule 10 permit destination-mac 0100-0ccc-cccd      \\ matches PVST+ BPDUs (destination MAC 0100-0ccc-cccd)
#
traffic classifier c1 type or
 if-match acl 4000
#
traffic behavior b1
 statistics enable
 deny                                               \\ the behavior must be deny so that the matched BPDUs are dropped
#
traffic policy p1
 classifier c1 behavior b1 precedence 5

Then apply the policy globally in the system view:
[S570]traffic-policy p1 global inbound
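As an added illustration (not part of the original FAQ and not Huawei code), the Python below parses two constructed frames, an IEEE STP BPDU and a PVST+ BPDU, and shows that only the first is a frame the STP stack (and therefore the BPDU filter) handles, while the ACL rule from the solution matches the second by its destination MAC. The frame bytes, the source MAC and the VLAN 1915 tag are constructed sample values.

```python
# Added example: classify Ethernet frames the way the two mechanisms on this page see them.
# IEEE BPDUs go to 01:80:c2:00:00:00 with LLC DSAP/SSAP 0x42; PVST+ BPDUs go to
# 01:00:0c:cc:cc:cd (Huawei notation 0100-0ccc-cccd) with a Cisco SNAP header, PID 0x010b.

IEEE_STP_DST = bytes.fromhex("0180c2000000")   # IEEE 802.1D/802.1w/802.1s BPDUs
PVST_DST = bytes.fromhex("01000ccccccd")       # Cisco PVST+ BPDUs
CISCO_OUI = bytes.fromhex("00000c")
PVST_PID = 0x010B                              # SNAP protocol ID used by PVST+

def parse_frame(frame: bytes) -> dict:
    """Return destination MAC, optional 802.1Q VLAN id and the LLC/SNAP payload."""
    dst, pos, vlan = frame[0:6], 12, None
    if frame[pos:pos + 2] == b"\x81\x00":          # 802.1Q tag present
        vlan = int.from_bytes(frame[pos + 2:pos + 4], "big") & 0x0FFF
        pos += 4
    length = int.from_bytes(frame[pos:pos + 2], "big")
    # An 802.3 length field (<= 1500) means an LLC header follows; an EtherType does not.
    llc = frame[pos + 2:pos + 2 + length] if length <= 1500 else b""
    return {"dst": dst, "vlan": vlan, "llc": llc}

def classify(frame: bytes) -> str:
    """'ieee-stp' frames are the only ones 'stp bpdu-filter enable' can act on."""
    f = parse_frame(frame)
    llc = f["llc"]
    if f["dst"] == IEEE_STP_DST and llc[:3] == b"\x42\x42\x03":
        return "ieee-stp"
    if (f["dst"] == PVST_DST and llc[:3] == b"\xaa\xaa\x03"
            and llc[3:6] == CISCO_OUI
            and int.from_bytes(llc[6:8], "big") == PVST_PID):
        return "pvst+"
    return "other"

def acl_4000_matches(frame: bytes) -> bool:
    """Mirror of 'rule 10 permit destination-mac 0100-0ccc-cccd' from the solution."""
    return frame[0:6] == PVST_DST

# Constructed sample frames (not captured traffic); the BPDU body is zero-padded.
BPDU_BODY = bytes.fromhex("0000000000") + bytes(30)   # protocol id 0, version 0, type 0 ...
SRC = bytes.fromhex("001122334455")                   # constructed source MAC
IEEE_LLC = b"\x42\x42\x03" + BPDU_BODY
IEEE_FRAME = IEEE_STP_DST + SRC + len(IEEE_LLC).to_bytes(2, "big") + IEEE_LLC
PVST_LLC = b"\xaa\xaa\x03" + CISCO_OUI + PVST_PID.to_bytes(2, "big") + BPDU_BODY
PVST_FRAME = (PVST_DST + SRC + b"\x81\x00" + (1915).to_bytes(2, "big")
              + len(PVST_LLC).to_bytes(2, "big") + PVST_LLC)

if __name__ == "__main__":
    for name, frame in (("IEEE", IEEE_FRAME), ("PVST+", PVST_FRAME)):
        print(name, classify(frame), "acl 4000 match:", acl_4000_matches(frame))
```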
