The S5700 switch is connected to a Cisco LAN that uses PVST+ to break layer 2 loops. The interface facing the Cisco LAN is G0/0/6; its configuration is shown below.
interface GigabitEthernet0/0/6
 undo negotiation auto
 description PtP Zuiderzeeland #4
 port link-type dot1q-tunnel
 port default vlan 1915
 mac-limit maximum 100
 loopback-detect recovery-time 60
 loopback-detect action block
 stp bpdu-filter enable
 stp edged-port enable
 undo ndp enable
 storm-control broadcast min-rate 1488 max-rate 1488
 storm-control multicast min-rate 1488 max-rate 1488
 storm-control action error-down
 storm-control enable trap
 storm-control enable log
The customer configured STP BPDU filter and edge port on this interface, hoping to block the PVST+ BPDUs arriving on it. But it didn't work... let's see why.
Starting with software version V200R003, S5700 series switches transparently forward PVST+ BPDUs in the ASIC by default. So what do STP BPDU FILTER and EDGE PORT actually do? According to the product documentation, after a port is configured as an edge port and a BPDU filter port in the interface view, the port does not process or send BPDUs and cannot negotiate the STP state with the directly connected port on the peer device.
So what's wrong here?
The BPDU filter and STP edge port commands apply only to STP, RSTP or MSTP BPDUs. PVST+ is a Cisco proprietary protocol and is handled differently: the switch treats PVST+ BPDUs as ordinary L2 frames, so they are never passed up to the protocol stack where BPDU filtering takes place.
How to fix this?
To filter the PVST+ BPDUs arriving at the switch, I propose the following traffic policy:
acl number 4000
 rule 10 permit destination-mac 0100-0ccc-cccd
traffic classifier c1 type or
 if-match acl 4000
traffic behavior b1
 deny
traffic policy p1
 classifier c1 behavior b1 precedence 5
Rule 10 matches frames whose destination MAC is 0100-0ccc-cccd, the multicast address Cisco uses for PVST+ BPDUs. The behavior has to be changed to deny: the default behavior is permit, so without it the matching frames would be forwarded.
Then apply the policy globally in the system view:
[S570]traffic-policy p1 global inbound
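As an added example (not part of the original post or Huawei's code), the following script models the two mechanisms discussed above: IEEE BPDUs (destination 01:80:c2:00:00:00, LLC DSAP/SSAP 0x42) are what the STP process receives and what stp bpdu-filter can act on, while PVST+ BPDUs (destination 01:00:0c:cc:cc:cd, SNAP with Cisco OUI 00:00:0c and protocol id 0x010b) are switched as plain multicast and are only caught by a destination-MAC match like acl 4000. The MAC addresses and encapsulations are the real protocol values; the sample frames, the source MAC and the helper names (parse_header, classify, policy_p1_action, build_frame) are constructed for this illustration. It also shows that 802.1Q-tagged PVST+ BPDUs (the per-VLAN instances on a Cisco trunk) are still matched, because the ACL looks only at the destination MAC.

```python
from typing import Optional, Tuple

# Well-known protocol constants (real values, not constructed)
STP_MAC = bytes.fromhex("0180c2000000")   # IEEE STP/RSTP/MSTP BPDUs
PVST_MAC = bytes.fromhex("01000ccccccd")  # Cisco PVST+ BPDUs, the MAC acl 4000 matches
CISCO_OUI = bytes.fromhex("00000c")       # SNAP OUI used by PVST+
PVST_PID = bytes.fromhex("010b")          # SNAP protocol id of PVST+


def parse_header(frame: bytes) -> Tuple[bytes, bytes, Optional[int], int, bytes]:
    """Split an Ethernet frame into dst, src, 802.1Q VLAN (or None),
    the length/type field and the bytes that follow it."""
    dst, src = frame[0:6], frame[6:12]
    offset, vlan = 12, None
    if frame[offset:offset + 2] == b"\x81\x00":          # 802.1Q tagged frame
        vlan = int.from_bytes(frame[offset + 2:offset + 4], "big") & 0x0FFF
        offset += 4
    length_or_type = int.from_bytes(frame[offset:offset + 2], "big")
    return dst, src, vlan, length_or_type, frame[offset + 2:]


def classify(frame: bytes) -> str:
    """Return 'ieee-bpdu', 'pvst-bpdu' or 'other'."""
    dst, _src, _vlan, length_or_type, payload = parse_header(frame)
    if length_or_type > 1500:
        return "other"                  # Ethernet II, never an LLC-encapsulated BPDU
    if dst == STP_MAC and payload[:3] == b"\x42\x42\x03":
        return "ieee-bpdu"              # LLC DSAP/SSAP 0x42: delivered to the STP process
    if (dst == PVST_MAC and payload[:3] == b"\xaa\xaa\x03"
            and payload[3:6] == CISCO_OUI and payload[6:8] == PVST_PID):
        return "pvst-bpdu"              # SNAP-encapsulated: switched as plain multicast
    return "other"


def bpdu_filter_blocks(frame: bytes) -> bool:
    """`stp bpdu-filter enable` only acts on frames handed to the STP process,
    so it blocks IEEE BPDUs but never sees PVST+ frames."""
    return classify(frame) == "ieee-bpdu"


def policy_p1_action(frame: bytes) -> str:
    """acl 4000 rule 10 (destination-mac 0100-0ccc-cccd) plus behavior deny:
    a pure destination-MAC match, independent of any 802.1Q tag."""
    return "deny" if frame[0:6] == PVST_MAC else "permit"


def build_frame(dst: bytes, src: bytes, llc_payload: bytes,
                vlan: Optional[int] = None) -> bytes:
    """Assemble an 802.3/LLC frame, optionally 802.1Q tagged (constructed helper)."""
    tag = b"" if vlan is None else b"\x81\x00" + vlan.to_bytes(2, "big")
    return dst + src + tag + len(llc_payload).to_bytes(2, "big") + llc_payload


# Constructed sample frames; the BPDU body is zero-filled because only the
# encapsulation matters for this demonstration.
SRC = bytes.fromhex("001122334455")
BPDU_BODY = bytes(35)
IEEE_BPDU_FRAME = build_frame(STP_MAC, SRC, b"\x42\x42\x03" + BPDU_BODY)
PVST_UNTAGGED = build_frame(PVST_MAC, SRC, b"\xaa\xaa\x03" + CISCO_OUI + PVST_PID + BPDU_BODY)
PVST_TAGGED = build_frame(PVST_MAC, SRC, b"\xaa\xaa\x03" + CISCO_OUI + PVST_PID + BPDU_BODY, vlan=10)
ARP_FRAME = bytes.fromhex("ffffffffffff") + SRC + b"\x08\x06" + bytes(28)


def report(frames: dict) -> dict:
    """For each named frame: (classification, blocked by bpdu-filter?, policy p1 verdict)."""
    return {name: (classify(f), bpdu_filter_blocks(f), policy_p1_action(f))
            for name, f in frames.items()}


if __name__ == "__main__":
    samples = {"ieee": IEEE_BPDU_FRAME, "pvst": PVST_UNTAGGED,
               "pvst-tagged": PVST_TAGGED, "arp": ARP_FRAME}
    for name, (kind, filtered, verdict) in report(samples).items():
        print(f"{name:12} class={kind:10} bpdu-filter-blocks={filtered!s:5} policy-p1={verdict}")
```

Running the script shows the IEEE BPDU being the only frame the BPDU filter can stop, while both the untagged and the VLAN-tagged PVST+ BPDUs fall through to the ACL-based policy, which denies them and leaves the ARP frame untouched. Keep in mind that a policy applied with traffic-policy p1 global inbound enforces that deny on every inbound interface, not only on G0/0/6.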