BPDU Filter Accidentally Hiding BPDUs — Loop Risk
Presenting Symptom
After configuring BPDU filter on an access port, the switch experiences a loop that causes network instability, even though BPDU filter is supposed to prevent loops.
Network Context
A small branch office network with two Cisco Catalyst 2960 switches running IOS 15.0. Switch A is the root bridge, and Switch B is a non-root switch. An access port on Switch B has BPDU filter enabled globally via 'spanning-tree portfast bpdufilter default' and also on the interface. A user connected a hub to that port, causing a loop because BPDUs from Switch A are filtered out, preventing the port from being blocked by STP.
Diagnostic Steps
Check for STP topology changes and loop indicators
show spanning-tree vlan 1
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 32769
Address 0001.1111.1111
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address 0001.1111.1111
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Gi0/1 Desg FWD 4 128.1 P2p
Gi0/2 Desg FWD 4 128.2 P2p
Gi0/3 Desg FWD 4 128.3 P2p Edge
Gi0/4 Desg FWD 4 128.4 P2p Edge
If the output shows all ports in forwarding state (FWD) and no blocking ports, it indicates STP is not blocking any redundant paths. This is abnormal if there is a loop; normally STP should block one port. Also, note if any ports are designated (Desg) but should be alternate (Altn) or backup (Back).
Check for BPDU filter configuration on the interface
show running-config interface gigabitEthernet 0/3
interface GigabitEthernet0/3
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
The presence of 'spanning-tree bpdufilter enable' indicates BPDU filter is configured on this interface. BPDU filter prevents the interface from sending or receiving BPDUs, which disables STP on that port. This is the root cause if a loop occurs because the port will not participate in STP.
Verify BPDU filter status on the interface
show spanning-tree interface gigabitEthernet 0/3 detail
Port 3 (GigabitEthernet0/3) of VLAN0001 is forwarding
Port path cost 4, Port priority 128, Port identifier 128.3.
Designated root has priority 32769, address 0001.1111.1111
Designated bridge has priority 32769, address 0001.1111.1111
Designated port id is 128.3, designated path cost 0
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
The port is in the portfast mode
BPDU: sent 0, received 0
BPDU filter: enabled
The line 'BPDU filter: enabled' confirms that BPDU filtering is active. Also, 'BPDU: sent 0, received 0' indicates no BPDUs are being exchanged, meaning STP is effectively disabled on this port. This is dangerous because the port will forward traffic regardless of loops.
Check for BPDU guard configuration (optional but related)
show spanning-tree interface gigabitEthernet 0/3 detail | include guard
BPDU guard: enabled
If BPDU guard is also enabled, it would normally err-disable the port upon receiving a BPDU. However, BPDU filter takes precedence and prevents BPDU reception, so BPDU guard never triggers. This combination can be misleading.
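To make the interface checks above repeatable across many ports, here is an added Python example (not from the original page) that parses one 'show spanning-tree interface ... detail' block and reports exactly the conditions the text describes: BPDU filter enabled, a forwarding port with zero BPDUs exchanged, and a BPDU guard that can never trigger. The sample output is constructed from the values shown above.

```python
import re

# Constructed sample modelled on the page's 'show spanning-tree interface ... detail'
# output, with the BPDU guard line from the follow-up check appended.
SAMPLE_DETAIL = """Port 3 (GigabitEthernet0/3) of VLAN0001 is forwarding
   Port path cost 4, Port priority 128, Port identifier 128.3.
   Designated root has priority 32769, address 0001.1111.1111
   Designated bridge has priority 32769, address 0001.1111.1111
   Designated port id is 128.3, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port is in the portfast mode
   BPDU: sent 0, received 0
   BPDU filter: enabled
   BPDU guard: enabled
"""


def parse_stp_interface_detail(text):
    """Extract the fields a BPDU-filter audit needs from one port's detail block."""
    head = re.search(r"Port \d+ \((\S+)\) of (\S+) is (\w+)", text)
    counters = re.search(r"BPDU: sent (\d+), received (\d+)", text)
    if not head or not counters:
        raise ValueError("not a 'show spanning-tree interface ... detail' block")
    port, vlan, state = head.groups()
    sent, received = (int(n) for n in counters.groups())

    def flag(name):
        # 'BPDU filter: enabled' / 'BPDU guard: enabled'; absent line means not enabled
        m = re.search(rf"BPDU {name}: (\w+)", text)
        return bool(m) and m.group(1) == "enabled"

    return {"port": port, "vlan": vlan, "state": state, "bpdu_sent": sent,
            "bpdu_received": received, "portfast": "portfast mode" in text,
            "bpdu_filter": flag("filter"), "bpdu_guard": flag("guard")}


def audit_port(info):
    """Return the loop-risk findings for one parsed port (empty list = nothing to report)."""
    findings = []
    if info["bpdu_filter"]:
        findings.append(f"{info['port']}: BPDU filter enabled, port does not participate in STP")
        if info["state"] == "forwarding" and info["bpdu_sent"] == 0 and info["bpdu_received"] == 0:
            findings.append(f"{info['port']}: forwarding with no BPDUs exchanged, "
                            "a loop through this port cannot be blocked")
        if info["bpdu_guard"]:
            findings.append(f"{info['port']}: BPDU guard is enabled but never triggers "
                            "because BPDU filter drops inbound BPDUs first")
    return findings
```

Feed each port's detail block to parse_stp_interface_detail and collect audit_port results; a port with BPDU filter removed and non-zero BPDU counters produces no findings.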
Root Cause
BPDU filter is enabled on an access port that is connected to a hub or another switch. BPDU filter prevents the port from sending or receiving BPDUs, effectively disabling STP on that port. When a loop occurs (e.g., due to a hub or redundant cabling), STP cannot detect and block the loop, leading to a broadcast storm and network instability.
Resolution
Remove BPDU filter from the affected interface and remove the global PortFast BPDU filter default, so the port sends and receives BPDUs and participates in STP again. Keep BPDU guard on the edge port so that an unexpected BPDU err-disables it instead of being silently dropped.
Verification
After removing BPDU filter, verify STP is working correctly.
Command:
show spanning-tree vlan 1
Expected output should show one port in blocking state (ALTN or BLK) if there is a loop. For example:
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 32769
Address 0001.1111.1111
This bridge is the root
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address 0001.1111.1111
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Gi0/1 Desg FWD 4 128.1 P2p
Gi0/2 Desg FWD 4 128.2 P2p
Gi0/3 Desg FWD 4 128.3 P2p Edge
Gi0/4 Altn BLK 4 128.4 P2p Edge
Also, verify BPDU filter is disabled:
show spanning-tree interface gigabitEthernet 0/3 detail | include BPDU filter
Expected: 'BPDU filter: disabled'
Prevention
1. Avoid using BPDU filter on ports that connect to other switches or hubs; use BPDU guard instead for edge ports.
2. Use 'spanning-tree portfast bpduguard default' globally to automatically enable BPDU guard on all PortFast-enabled ports, which err-disables the port if a BPDU is received.
3. Implement root guard or loop guard on appropriate ports to prevent misconfigurations from causing loops.
CCNA Exam Relevance
On the CCNA 200-301 exam, this scenario may appear as a troubleshooting question where you must identify why a loop occurred despite STP being enabled. The exam tests understanding of BPDU filter vs. BPDU guard, and how BPDU filter can disable STP on a port. Candidates must know that BPDU filter prevents BPDU transmission and reception, effectively disabling STP, while BPDU guard err-disables the port upon BPDU reception.
Exam Tips
Remember that BPDU filter and BPDU guard are mutually exclusive in behavior: filter disables STP, guard protects against unexpected BPDUs.
On the exam, if a port has BPDU filter enabled and a loop occurs, the root cause is that STP is disabled on that port.
Know the command 'show spanning-tree interface <int> detail' to verify BPDU filter and guard status.
Commands Used in This Scenario