05-04-2009 04:16 AM - edited 03-04-2019 04:37 AM
Hello Experts,
I experienced the below output in the Cisco Switches.
SW1#sh spanning-tree vl 126
----output suppressed----
---------------- ---- --- --------- -------- --------------------------------
Fa0/11 Desg FWD 19 128.11 P2p
Fa0/23 Desg BKN*19 128.23 P2p *PVID_Inc
After Enabling the "spanning-tree bpdufilter enable" on the Interface Fa0/23 the Interface is Unblocked.
Could/Can someone help in providing a detailed Technical Reasoning for this. Logs collected from the Switch:
IST: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 371 on FastEthernet0/23 VLAN126.
IST: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking FastEthernet0/23 on VLAN0126. Inconsistent local vlan.
IST: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking FastEthernet0/23 on VLAN0126. Port consistency restored.
IST: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 371 on FastEthernet0/23 VLAN126.
IST: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking FastEthernet0/23 on VLAN0126. Inconsistent local vlan.
After configuring "spanning-tree bpdufilter enable" on the Interface, the following log was collected:
IST: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking FastEthernet0/23 on VLAN0126. Port consistency restored.
Thanks in Advance.
Best Regards,
Guru Prasad R
05-04-2009 04:46 AM
Guru:
This is normal behavior.
BPDU filtering is applied to ports that are configured for PortFast. A port with PortFast configured on it is assumed to be connected to ONLY an end-device that, if connected to the PortFast-enabled port, cannot create a parallel path for data nor the subsequent bridging loop.
So, when you configure PortFast BPDU Filtering on an interface, you are basically confirming that this is an access port that will not have another L2 bridge connected to it, so there is no need to process BPDUs.
Without BPDU filtering enabled, if a PortFast enabled port is accidentally connected to a switch, BPDUs will be received and sent on that port and PortFast will effectively be disabled. The port will then go through all the STP port states until it begins forwarding or gets blocked.
With BPDU filtering enabled on the interface, the BPDUs from the rogue switch will be IGNORED, thereby allowing it to establish a connection with our switch, whose port has now bypassed the STP Listening and Learning states and gone immediately into forwarding. This can create a layer 2 parallel path and loop.
So, you must be very discriminating when you use BPDU filtering.
HTH
Victor
05-04-2009 05:09 AM
Hi Victor,
IMHO:
a) BPDU Filtering is independent of PortFast. It can be configured on any interface and simply ignores incoming BPDUs.
I agree it should be used very carefully.
b) The error message was received on a trunk port probably and caused by inconsistent native VLAN.
See Error Decoder output:
"%SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id [dec] on [chars] [chars].
The listed interface received an SSTP BPDU that is tagged with a VLAN ID that does not match the VLAN ID on which the BPDU was received. This occurs when the native VLAN is not consistently configured on both ends of an IEEE 802.1Q trunk. [dec] is the VLAN ID, the first [chars] is the port, and the second [chars] is the VLAN.
Recommended Action: Verify that the configurations of the native VLAN ID is consistent on the interfaces on each end of the IEEE 802.1Q trunk connection. When the configurations are consistent, spanning tree automatically unblocks the interfaces."
BR,
Milan
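The log sequence posted in this thread can be reduced to a per-port state, which makes the block/unblock flapping and the offending peer VLAN ID visible at a glance. The following is an added example, not part of any post above; the function names are hypothetical and the sample input is the log text quoted earlier on this page.

```python
import re

# Log lines as posted earlier in this thread.
SAMPLE_LOG = """\
IST: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 371 on FastEthernet0/23 VLAN126.
IST: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking FastEthernet0/23 on VLAN0126. Inconsistent local vlan.
IST: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking FastEthernet0/23 on VLAN0126. Port consistency restored.
IST: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 371 on FastEthernet0/23 VLAN126.
IST: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking FastEthernet0/23 on VLAN0126. Inconsistent local vlan.
"""

RECV = re.compile(r"%SPANTREE-2-RECV_PVID_ERR: .*peer vlan id (\d+) on (\S+) VLAN0*(\d+)")
BLOCK = re.compile(r"%SPANTREE-2-BLOCK_PVID_(?:LOCAL|PEER): Blocking (\S+) on VLAN0*(\d+)")
UNBLOCK = re.compile(r"%SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking (\S+) on VLAN0*(\d+)")


def pvid_state(log_text):
    """Track PVID-inconsistency state per (port, local VLAN)."""
    state = {}

    def entry(port, vlan):
        return state.setdefault(
            (port, int(vlan)), {"peer_vlans": set(), "blocks": 0, "blocked": False})

    for line in log_text.splitlines():
        if m := RECV.search(line):
            peer, port, vlan = m.groups()
            entry(port, vlan)["peer_vlans"].add(int(peer))   # VLAN ID carried in the BPDU
        elif m := BLOCK.search(line):
            e = entry(*m.groups())
            e["blocks"] += 1
            e["blocked"] = True
        elif m := UNBLOCK.search(line):
            entry(*m.groups())["blocked"] = False
    return state


def findings(state):
    """One line per port/VLAN that logged a mismatch, still-blocked entries first."""
    rows = sorted(state.items(), key=lambda kv: not kv[1]["blocked"])
    return [f"{port} VLAN {vlan}: peer BPDUs tagged for VLAN(s) {sorted(e['peer_vlans'])}, "
            f"blocked {e['blocks']}x, now {'BLOCKED' if e['blocked'] else 'unblocked'}"
            for (port, vlan), e in rows]


if __name__ == "__main__":
    print("\n".join(findings(pvid_state(SAMPLE_LOG))))
```
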
05-04-2009 05:13 AM
HI Milan,
Yes, the ERROR message was received on the TRUNK port.
I have queried the Error message in the Decoder output already, but was not able to understand the Technical Explanation by Cisco.
Could you please explain more in detail about this. Thanks in Advance.
Best Regards,
Guru Prasad R
05-04-2009 05:23 AM
Hi Guru,
the explanation is easy:
You have to configure the same Native VLAN on both trunk sides!
If you issue
show int ... switchport
you should be able to detect which VLAN is configured as Native on the port.
And this has to be the same as Native VLAN on the opposite trunk side port.
and
for details.
BR,
Milan
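The native VLAN comparison described above can be scripted once the switchport output from both trunk ends has been collected. This is an added example, not part of the post; the function names are hypothetical, and the two sample outputs are constructed excerpts whose VLAN values mirror the IDs in the posted log rather than the poster's actual configuration.

```python
import re

# Constructed excerpts of "show interfaces <port> switchport" from the two trunk
# ends; VLAN values mirror the IDs in the posted log, not the poster's real config.
SW1_SWITCHPORT = """\
Name: Fa0/23
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Trunking Native Mode VLAN: 126 (VLAN0126)
"""
SW2_SWITCHPORT = """\
Name: Gi0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Trunking Native Mode VLAN: 371 (VLAN0371)
"""


def parse_switchport(text):
    """Pull port name, operational mode and native VLAN out of the output."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    native = re.match(r"\d+", fields.get("Trunking Native Mode VLAN", ""))
    return {"name": fields.get("Name", "?"),
            "mode": fields.get("Operational Mode", "unknown"),
            "native": int(native.group()) if native else None}


def check_trunk(local_text, peer_text):
    """Return a list of problems; an empty list means the native VLANs agree."""
    ends = [parse_switchport(local_text), parse_switchport(peer_text)]
    problems = []
    for end in ends:
        if not end["mode"].startswith("trunk"):
            problems.append(f"{end['name']}: operational mode is {end['mode']}, not trunk")
        if end["native"] is None:
            problems.append(f"{end['name']}: native VLAN not found in output")
    a, b = ends
    if a["native"] is not None and b["native"] is not None and a["native"] != b["native"]:
        problems.append(f"native VLAN mismatch: {a['name']}={a['native']} vs {b['name']}={b['native']}")
    return problems


if __name__ == "__main__":
    print(check_trunk(SW1_SWITCHPORT, SW2_SWITCHPORT))
```
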
05-04-2009 05:19 AM
Milan:
"BPDU Filtering is independent of PortFast. It can be configured on any interface and simply ignores incoming BPDUs."
Yes, but in a practical sense, BPDU filtering would be configured in conjunction with PortFast.
Is there another situation -- other than one in which PortFast is enabled -- in which you want a L2 switch port to ignore BPDUs and bypass the Spanning Tree convergence process?
Guru:
If this is a trunk port, why would you want to use BPDU Filtering?
Victor
05-04-2009 05:30 AM
Hi Victor,
I can imagine only one situation when I'd dare using BPDU filtering:
L2 peering with somebody else when I'm absolutely sure there is no second physical connection between our LANs.
And I don't want his switch to become a root in my LAN.
In this case, I even can imagine BPDU filtering without PortFast.
IMHO, Guru didn't want to use BPDU filtering primarily, he just noticed using that "fixed" his problem - as BPDUs were ignored, no native VLAN mismatch was noticed and the port was not disabled.
BR,
Milan
05-04-2009 05:31 AM
HI Victor,
It's a Service Provider Environment.
It's not a complete STP Network even. The Switches are cascaded together for inter-communication.
The TRUNK port on Switch to which the Edge Router (PE) and Backbone will be connecting.
How is only the Trunk Port affected?
After enabling the "BPDU Filter", how was the Port Unblocked?
What is Cisco trying to explain with this Error log: %SPANTREE-2-RECV_PVID_ERR: ?
Thanks in Advance for your responses.
Thanks & Regards,
Guru Prasad R
05-04-2009 05:56 AM
Guru:
A couple of things...
1.) You should read this link regarding PortFast and how it interacts with BPDU Filtering. In short, let me tell you that PortFast is automatically disabled when the port receives BPDUs. This is a good thing, as it protects your network from a bridging loop by disabling PortFast and forcing the port to go through the STP convergence process and then, most likely, get blocked. IF, however, you have BPDU filtering enabled on a port that is set for PortFast, the BPDUs will be IGNORED, and PortFast will not be disabled and STP re-convergence and re-calculations will NOT take place, and the port will go into the Forwarding state. That is what happened with you.
2.) After entering the STP Forwarding state, a native vlan mismatch was most likely discovered on the trunk port, as Milan rightly pointed out. For consistency and to avoid receiving such errors, you should ensure that the native vlan is the SAME on both ends of the trunk.
HTH
Victor
05-04-2009 07:11 AM
hi guru
The reason for this problem is that the switch is receiving superior bpdu from the neighbor which forces it to put the port in block mode.
After enabling the command spanning tree bpdu filter enable, the bpdu comes to the interface and the interface drops it.
regards
shivlu jain
01-19-2023 11:17 PM
hi,
i also ran into the same dilemma. i've checked the native VLAN on both switches are the same (VLAN 1) and both switches run PVST.
the only way to get our MGMT traffic working is when i shutdown PE01 router link to SW01.
when i unshut PE01 link to SW01 trunk, SW01 G1/0/23 gets blocked due to STP VLAN inconsistencies.
this makes traffic traverse: SW01 > SW02 > PE02 which makes HSRP unusable. i saw both PE01 and PE02 HSRP group sees itself as active.
i double checked access and trunk ports config/portfast on both switches but don't see any issue.
do i apply spanning-tree bpdufilter enable only in SW02 G1/0/23 to get PE01 > SW01 link back online and make HSRP work again?
SW02
interface g1/0/23
spanning-tree bpdufilter enable
Jan 19 14:11:43.956: %SPANTREE-2-BLOCK_PVID_PEER: Blocking GigabitEthernet1/0/23 on VLAN0533. Inconsistent peer vlan.
SW01-3650#sh spanning-tree summary
Switch is in pvst mode
Root bridge for: VLAN0001, VLAN0010-VLAN0011
SW01-3650#sh run int g1/0/23
Building configuration...
Current configuration : 89 bytes
!
interface GigabitEthernet1/0/23
description SW02
switchport mode trunk
end
-----
SW02-3750X#sh spanning-tree summary
Switch is in pvst mode
SW02-3750X#sh run int g1/0/23
Building configuration...
Current configuration : 144 bytes
!
interface GigabitEthernet1/0/23
description SW01
switchport trunk encapsulation dot1q
switchport mode trunk
end
01-20-2023 12:26 AM
Hello,
this thread is quite long (and old), so it is not really clear what the original issue was, or is. Can you briefly summarize what you want to accomplish, and what you are running into ?