[Topology diagram: STP_UplinkFast_GuardTop]

In this topology everything is at its default, so SW1 has won the Root Bridge election with the lowest MAC Address as the tie breaker, and all port states were dynamically calculated.

There is a lot to hit on these multiple STP topics, so, without further ado!

 

First a quick peek at a great verification command for Global STP Enabled settings!

 

If you want to know anything related to the interfaces, VLANs, or configurations of your current spanning-tree instance running on the local switch use the following command:

SW1#sh span summ
Switch is in pvst mode
Root bridge for: VLAN0001
Extended system ID is enabled
Portfast Default is disabled
PortFast BPDU Guard Default is disabled
Portfast BPDU Filter Default is disabled
Loopguard Default is disabled
EtherChannel misconfig guard is enabled
UplinkFast is disabled
BackboneFast is disabled
Configured Pathcost method used is short

Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0001                      0         0        0          2          2
---------------------- -------- --------- -------- ---------- ----------
1 vlan                        0         0        0          2          2
SW1#

This doesn’t give you every nut and bolt of STP information; however, it is a very good way to get a big-picture look at the STP network, as the configurations listed are either enabled globally on the switch or network-wide on the switched network.

For example, both BPDU Guard and BPDU Filter appear to be configurations pertaining to Portfast, while Loop Guard does not (I highlighted these in red in the output to illustrate this).

Also, as can be seen, this is a verification command for just about any STP configuration, and towards the bottom it shows the port-state counts on a per-VLAN basis.

I won’t be posting a lot of this output (I don’t anticipate) through this post because of the table formatting at the bottom, but I wanted to give it an initial shout out.
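To make that big-picture check repeatable across a fleet of switches, here is an added Python example (not code from the original post) that parses the “sh span summ” text above into the global feature flags and the per-VLAN port counts, and then flags the combinations this post goes on to discuss: Portfast on by default without BPDU Guard, a global BPDU Filter default, and a switch reporting itself as root when it is not meant to be one. The sample text is constructed from the SW1 output shown here; the function names and the “expect_root” parameter are my own.

```python
import re

# Constructed sample, modelled on the "sh span summ" output shown on this page.
SAMPLE_SUMMARY = """\
Switch is in pvst mode
Root bridge for: VLAN0001
Extended system ID is enabled
Portfast Default is disabled
PortFast BPDU Guard Default is disabled
Portfast BPDU Filter Default is disabled
Loopguard Default is disabled
EtherChannel misconfig guard is enabled
UplinkFast is disabled
BackboneFast is disabled
Configured Pathcost method used is short

Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0001                      0         0        0          2          2
---------------------- -------- --------- -------- ---------- ----------
1 vlan                        0         0        0          2          2
"""

# "<feature> [Default] is enabled|disabled" lines; the optional "Default" is dropped
# so "Portfast Default is disabled" and "UplinkFast is disabled" parse the same way.
FEATURE_RE = re.compile(r"^(?P<name>.+?) (?:Default )?is (?P<state>enabled|disabled)$")
VLAN_ROW_RE = re.compile(r"^(?P<vlan>VLAN\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)$")


def parse_summary(text):
    """Parse 'show spanning-tree summary' into (mode, root_for, features, vlans).

    features maps a lower-cased feature name to True/False; vlans maps a VLAN
    name to its per-state port counts from the table at the bottom.
    """
    mode, root_for, features, vlans = None, [], {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Switch is in "):
            mode = line.split()[3]            # "Switch is in pvst mode" -> "pvst"
        elif line.startswith("Root bridge for:"):
            names = line.split(":", 1)[1].replace(",", " ").split()
            root_for = [n for n in names if n.lower() != "none"]
        elif (m := FEATURE_RE.match(line)):
            features[m["name"].lower()] = (m["state"] == "enabled")
        elif (m := VLAN_ROW_RE.match(line)):
            blk, lis, lrn, fwd, active = (int(x) for x in m.groups()[1:])
            vlans[m["vlan"]] = {"blocking": blk, "listening": lis, "learning": lrn,
                                "forwarding": fwd, "active": active}
    return mode, root_for, features, vlans


def audit_summary(features, root_for, expect_root=False):
    """Return a list of findings about the global STP defaults.

    expect_root says whether this switch is supposed to be a root bridge; an
    access switch that reports 'Root bridge for:' some VLAN is worth a look.
    """
    findings = []
    portfast = features.get("portfast", False)
    guard = features.get("portfast bpdu guard", False)
    bpdufilter = features.get("portfast bpdu filter", False)
    if portfast and not guard:
        findings.append("Portfast is on by default but BPDU Guard is not: a switch "
                        "plugged into an access port is accepted into the topology")
    if bpdufilter:
        findings.append("Global BPDU Filter default is enabled; confirm on the "
                        "platform that it actually filters as intended")
    if root_for and not expect_root:
        findings.append("Switch is root bridge for " + ", ".join(root_for) +
                        " but is not expected to be a root")
    return findings


if __name__ == "__main__":
    mode, root_for, features, vlans = parse_summary(SAMPLE_SUMMARY)
    print(mode, root_for, vlans)
    print(audit_summary(features, root_for, expect_root=False))
```

Run the script against the saved output of one switch, or feed parse_summary the text collected by whatever tool polls your switches; the per-VLAN dictionary is the same table the post points at, just in a shape a script can compare against yesterday's run.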

 

Spanning-Tree Root Guard

 

This STP mechanism prevents a rogue switch, or just a spare switch lying around with a hard-coded lower priority, from joining the network and taking over as the Root Bridge for that network.

This is configured on Access Layer switches, as it is applied at the interface level.

To configure this, issue the following on a port:

SW3(config)#int fa1/0/4
SW3(config-if)#span ?
  bpdufilter     Don't send or receive BPDUs on this interface
  bpduguard      Don't accept BPDUs on this interface
  cost           Change an interface's spanning tree port path cost
  guard          Change an interface's spanning tree guard mode
  link-type      Specify a link type for spanning tree protocol use
  mst            Multiple spanning tree
  port-priority  Change an interface's spanning tree port priority
  portfast       Enable an interface to move directly to forwarding on link up
  stack-port     Enable stack port
  vlan           VLAN Switch Spanning Tree

SW3(config-if)#span guard ?
loop Set guard mode to loop guard on interface
none Set guard mode to none
root Set guard mode to root guard on interface

SW3(config-if)#span guard root ?
<cr>

SW3(config-if)#span guard root
SW3(config-if)#

So this is one of three sub-commands for “span guard …” at the interface level, one obviously being Loop Guard (to be discussed), but there is also “none”.

The “none” option is the same as doing a “no span guard (root/loop)” on the interface, except that it takes either guard off in one swoop, whereas “no span guard …” only removes one or the other.

Here is one quirk in the show run between using “no” or “none” with the span guard command:

Verifying Root Guard is configured

SW3(config-if)#do sh run int fa1/0/4
Building configuration…

Current configuration : 61 bytes
!
interface FastEthernet1/0/4
spanning-tree guard root

end

SW3(config-if)#

Removing STP Root Guard with “span guard none”

SW3(config-if)#span guard none
SW3(config-if)#do sh run int fa1/0/4
Building configuration…

Current configuration : 61 bytes
!
interface FastEthernet1/0/4
spanning-tree guard none

end

SW3(config-if)#

So it actually puts “none” on the interface as a spanning-tree guard sub-command, whereas using “no” to negate the configuration removes it from the show run entirely:

Using “no” on the “span guard none” command

SW3(config-if)#no span guard none
SW3(config-if)#do sh run int fa1/0/4
Building configuration…

Current configuration : 35 bytes
!
interface FastEthernet1/0/4
end

SW3(config-if)#

So putting “none” in there will not stop any future “span guard …” commands from being entered; it just hangs out in the show run on the interface. To keep things clean I would advise using the “no” form, HOWEVER, ON EXAM DAY we need to know that “span guard none” can disable both Root Guard and Loop Guard!

Now that I have beaten that point to death, back to Root Guard. I’ll add SW4 as shown here:

[Topology diagram: STP_UplinkFast_GuardTop2]

Given all things are default, SW4 will become the Root Bridge even though it is a 3560 and all other lab switches are 3570’s, because it has the lowest MAC Address of all Bridges and so sends the superior BPDU – well, not anymore!

So here I will configure Root Guard on Fa1/0/4, plug in SW4, and let the magic work:

SW3#debug span events
Spanning Tree event debugging is on
SW3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW3(config)#int fa1/0/4
SW3(config-if)#span guard root
SW3(config-if)#
*Mar 1 01:12:38.812: set portid: VLAN0001 Fa1/0/4: new port id 8006
*Mar 1 01:12:38.812: STP: VLAN0001 Fa1/0/4 -> listening
*Mar 1 01:12:39.408: STP: VLAN0001 heard root 32769-0017.5aa8.a600 on Fa1/0/4
*Mar 1 01:12:39.408: supersedes 32769-1ce6.c7c1.c800
*Mar 1 01:12:39.408: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port FastEthernet1/0/4 on VLAN0001.
SW3(config-if)#
*Mar 1 01:12:39.408: STP: VLAN0001 Fa1/0/4 -> blocking
*Mar 1 01:12:40.809: %LINK-3-UPDOWN: Interface FastEthernet1/0/4, changed state to up
SW3(config-if)#
*Mar 1 01:12:40.851: STP: VLAN0001 heard root 32769-0017.5aa8.a600 on Fa1/0/4
*Mar 1 01:12:40.851: supersedes 32769-1ce6.c7c1.c800
SW3(config-if)#
*Mar 1 01:12:41.815: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/4, changed state to up
SW3(config-if)#
*Mar 1 01:12:42.856: STP: VLAN0001 heard root 32769-0017.5aa8.a600 on Fa1/0/4
*Mar 1 01:12:42.856: supersedes 32769-1ce6.c7c1.c800
SW3(config-if)#
*Mar 1 01:12:44.861: STP: VLAN0001 heard root 32769-0017.5aa8.a600 on Fa1/0/4
*Mar 1 01:12:44.861: supersedes 32769-1ce6.c7c1.c800

The %SPANTREE, %LINK and %LINEPROTO lines are console messages that will be seen without a debug running, and the “STP:” lines are the debug output, showing that the interface still receives superior BPDUs every Hello (2 seconds) but ignores them.

To look at this from a verification point of view, using “sh span” :

SW3#sh span

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     1ce6.c7c1.c800
             Cost        19
             Port        5 (FastEthernet1/0/3)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     5897.1eab.ce00
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa1/0/2             Altn BLK 19        128.4    P2p
Fa1/0/3             Root FWD 19        128.5    P2p
Fa1/0/4             Desg BKN*19        128.6    P2p *ROOT_Inc

The status shows BKN* (BKN is “broken”, which is a Blocking state for the record), with the * indicating there is more to this state; that is followed up with ROOT_Inc, meaning Root Inconsistent, as that is the state the port is put into – the Root Inconsistent state.

Interface Fa1/0/4 will still show as being Up/Up on the interface despite its BLK state:

SW3#sh int fa1/0/4
FastEthernet1/0/4 is up, line protocol is up (connected)

It’s important to note that while Blocking, just as a normal Blocking port, it will discard received frames / not forward frames until it comes out of the Blocking state, which it will do dynamically once SW4 stops sending it superior BPDUs.

Another way to verify inconsistent STP ports is with “sh span incon” shown here:

SW3#sh span inconsistentports

SW3#sh span incon

Name                 Interface                Inconsistency
-------------------- ------------------------ ------------------
VLAN0001             FastEthernet1/0/4        Root Inconsistent

Number of inconsistent ports (segments) in the system : 1

SW3#

Shown first is the full command, but “sh span incon” works just fine as well.
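As an added example that is not part of the original post, the following Python parses the interface table of “sh span” and the “sh span inconsistentports” output into records, so a monitoring job can pick out BKN*/ROOT_Inc ports instead of a person reading the table. The sample outputs are constructed from the SW3 output above; the StpPort record and the function names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed samples, modelled on the SW3 output shown on this page.
SAMPLE_SHOW_SPAN = """\
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     1ce6.c7c1.c800
             Cost        19
             Port        5 (FastEthernet1/0/3)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     5897.1eab.ce00
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa1/0/2             Altn BLK 19        128.4    P2p
Fa1/0/3             Root FWD 19        128.5    P2p
Fa1/0/4             Desg BKN*19        128.6    P2p *ROOT_Inc
"""

SAMPLE_INCONSISTENT = """\
Name                 Interface                Inconsistency
-------------------- ------------------------ ------------------
VLAN0001             FastEthernet1/0/4        Root Inconsistent

Number of inconsistent ports (segments) in the system : 1
"""


@dataclass
class StpPort:
    vlan: str
    name: str
    role: str                      # Root, Desg, Altn, Back
    status: str                    # FWD, BLK, LIS, LRN, or BKN (broken)
    cost: int
    prio_nbr: str
    port_type: str                 # e.g. "P2p" or "P2p Edge"
    inconsistency: Optional[str]   # e.g. "ROOT_Inc"; None when the port is consistent


# One row of the interface table. "BKN*19" has no space between status and cost,
# so both the star and the whitespace before the cost are optional.
PORT_ROW_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<role>Root|Desg|Altn|Back|Mstr)\s+"
    r"(?P<sts>FWD|BLK|LIS|LRN|BKN)\*?\s*(?P<cost>\d+)\s+"
    r"(?P<prio>\d+\.\d+)\s+(?P<rest>.+?)\s*$"
)
VLAN_HDR_RE = re.compile(r"^VLAN\d+$")
INCON_ROW_RE = re.compile(r"^(?P<vlan>VLAN\d+)\s+(?P<intf>\S+)\s+(?P<inc>.+?)\s*$")
INCON_COUNT_RE = re.compile(r"^Number of inconsistent ports .*?:\s*(?P<n>\d+)$")


def parse_show_spanning_tree(text: str) -> List[StpPort]:
    """Turn the interface table(s) of 'show spanning-tree' into StpPort records."""
    ports, vlan = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if VLAN_HDR_RE.match(line):
            vlan = line
            continue
        m = PORT_ROW_RE.match(line)
        if not m or vlan is None:
            continue
        # The trailing column holds the type ("P2p", "P2p Edge") and, on a broken
        # port, a "*ROOT_Inc"-style marker explaining the BKN status.
        words = m["rest"].split()
        markers = [w.lstrip("*") for w in words if w.startswith("*")]
        ptype = " ".join(w for w in words if not w.startswith("*"))
        ports.append(StpPort(vlan, m["name"], m["role"], m["sts"], int(m["cost"]),
                             m["prio"], ptype, markers[0] if markers else None))
    return ports


def root_inconsistent_ports(text: str) -> List[Tuple[str, str]]:
    """(vlan, interface) pairs that Root Guard is currently holding in BKN / ROOT_Inc."""
    return [(p.vlan, p.name) for p in parse_show_spanning_tree(text)
            if p.status == "BKN" and p.inconsistency == "ROOT_Inc"]


def parse_inconsistent_ports(text: str) -> Tuple[List[Tuple[str, str, str]], int]:
    """Parse 'show spanning-tree inconsistentports' into its rows and the reported count."""
    rows, count = [], 0
    for raw in text.splitlines():
        line = raw.strip()
        if (m := INCON_COUNT_RE.match(line)):
            count = int(m["n"])
        elif (m := INCON_ROW_RE.match(line)):
            rows.append((m["vlan"], m["intf"], m["inc"]))
    return rows, count


if __name__ == "__main__":
    print(root_inconsistent_ports(SAMPLE_SHOW_SPAN))    # [('VLAN0001', 'Fa1/0/4')]
    print(parse_inconsistent_ports(SAMPLE_INCONSISTENT))
```

The two views complement each other: “sh span” tells you the role and cost of the port that got held, while “sh span inconsistentports” gives a count you can compare across switches to spot a guard firing somewhere it never used to.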

Now to take a look at things from SW4’s point of view:

SW4#sh span

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0017.5aa8.a600
             This bridge is the root

             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0017.5aa8.a600
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/4               Desg FWD 19        128.6    P2p

It is the Root Bridge in its own mind, as there is no mechanism to tell SW4 it isn’t getting elected as Root Bridge in this network, so we have to raise its Priority to get SW3 to remove the “Root Inconsistency” / Blocking state.

So currently, the Topology is in the following logical state:

[Topology diagram: STP_UplinkFast_GuardTop3]

To remove the Blocking state we could simply use the “priority” command, but I want to use our newly learned command “uplinkfast” to accomplish the same task:

SW4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW4(config)#span uplinkfast
SW4(config)#
ASR#3
[Resuming connection 3 to sw3 … ]

SW3#
SW3#
*Mar 1 01:44:54.316: %SPANTREE-2-ROOTGUARD_UNBLOCK: Root guard unblocking port FastEthernet1/0/4 on VLAN0001.

SW3#sh span

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     1ce6.c7c1.c800
             Cost        19
             Port        5 (FastEthernet1/0/3)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     5897.1eab.ce00
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa1/0/2             Altn BLK 19        128.4    P2p
Fa1/0/3             Root FWD 19        128.5    P2p
Fa1/0/4             Desg LIS 19        128.6    P2p


UplinkFast is the mechanism that raises the Bridge Priority to 49152 and the Path Cost by 3000, to make sure the switch doesn’t become the Root Bridge or lie on a root path; however, that was just used to demonstrate there is more than one way to skin a cat 🙂

We could also have adjusted SW1’s Priority with “span vlan # root primary / secondary” or “span vlan # priority #”; however, the goal is to stop outside Bridges from becoming the Root Bridge WITHOUT having to adjust configurations on the Root Bridge.

So that is Root Guard.

 

Spanning-Tree BPDU Guard

 

As noted above, BPDU Guard is a Portfast configuration and will only impact ports that are configured with Portfast. The reason for this is that the purpose of BPDU Guard is to put a port in err-disable (down) if ANY type of BPDU is received on that port!

This is the same err-disable state that Port Security uses, meaning the port would need to be administratively brought back up, unless configured for error recovery (a future topic).

To demonstrate this, I’ve reset SW3 and SW4, removing all configurations, and issue the following commands to enable Portfast and then BPDU Guard:

SW3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW3(config)#int fa1/0/4
SW3(config-if)#span portfast
%Warning: portfast should only be enabled on ports connected to a single
host. Connecting hubs, concentrators, switches, bridges, etc… to this
interface when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION

%Portfast has been configured on FastEthernet1/0/4 but will only
have effect when the interface is in a non-trunking mode.
SW3(config-if)#span bpduguard ?
  disable  Disable BPDU guard for this interface
  enable   Enable BPDU guard for this interface

SW3(config-if)#span bpduguard enable ?
<cr>

SW3(config-if)#span bpduguard enable
SW3(config-if)#
*Mar 1 00:03:45.183: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Fa1/0/4 with BPDU Guard enabled. Disabling port.

SW3(config-if)#
*Mar 1 00:03:45.183: %PM-4-ERR_DISABLE: bpduguard error detected on Fa1/0/4, putting Fa1/0/4 in err-disable state

SW3(config-if)#

That’s a lot of output, but it shows the commands “span portfast” and “span bpduguard enable” being issued on interface Fa1/0/4, followed by me plugging the cable from SW4 back into SW3.
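The console messages above are exactly what a syslog collector receives from the switch, no debug needed. As an added example (not from the original post), this Python replays such lines and keeps track of which ports Root Guard is holding root-inconsistent and which ports BPDU Guard has err-disabled; the UNBLOCK message clears the first, and a %LINK-3-UPDOWN “up” message (which the post shows after a shut / no shut) clears the second. The log lines are copies of the messages on this page, re-ordered and with adjusted timestamps so that one sequence reads in order; the event names and the short-name expansion table are my own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed log lines: copies of the console messages shown on this page,
# re-ordered and with adjusted timestamps so that one sequence of events reads in order.
SAMPLE_LOG = [
    "*Mar 1 01:12:39.408: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port FastEthernet1/0/4 on VLAN0001.",
    "*Mar 1 01:12:40.809: %LINK-3-UPDOWN: Interface FastEthernet1/0/4, changed state to up",
    "*Mar 1 01:44:54.316: %SPANTREE-2-ROOTGUARD_UNBLOCK: Root guard unblocking port FastEthernet1/0/4 on VLAN0001.",
    "*Mar 1 02:03:45.183: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Fa1/0/4 with BPDU Guard enabled. Disabling port.",
    "*Mar 1 02:03:45.183: %PM-4-ERR_DISABLE: bpduguard error detected on Fa1/0/4, putting Fa1/0/4 in err-disable state",
]

# IOS abbreviates interface names in some messages ("Fa1/0/4") and spells them out
# in others ("FastEthernet1/0/4"); expand the common prefixes so they compare equal.
LONG_NAMES = {"Fa": "FastEthernet", "Gi": "GigabitEthernet", "Te": "TenGigabitEthernet"}

TS_RE = re.compile(r"^\*?(?P<ts>[A-Za-z]{3} +\d+ \d\d:\d\d:\d\d\.\d+): ")
ROOTGUARD_RE = re.compile(
    r"%SPANTREE-2-ROOTGUARD_(?P<action>BLOCK|UNBLOCK): Root guard (?:un)?blocking port "
    r"(?P<port>\S+) on (?P<vlan>VLAN\d+)")
BPDUGUARD_RE = re.compile(
    r"%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port (?P<port>\S+) with BPDU Guard enabled")
ERRDISABLE_RE = re.compile(r"%PM-4-ERR_DISABLE: (?P<cause>\S+) error detected on (?P<port>\S+),")
LINK_UP_RE = re.compile(r"%LINK-3-UPDOWN: Interface (?P<port>[^,]+), changed state to up$")


def canonical_port(name: str) -> str:
    """Expand a short IOS interface name ("Fa1/0/4") to its long form."""
    m = re.match(r"^(?P<prefix>[A-Za-z]+)(?P<rest>\d.*)$", name)
    if not m:
        return name
    return LONG_NAMES.get(m["prefix"], m["prefix"]) + m["rest"]


def stp_guard_events(lines: List[str]) -> List[Dict[str, Optional[str]]]:
    """Extract the Root Guard / BPDU Guard related events from raw syslog lines."""
    events = []
    for line in lines:
        tm = TS_RE.match(line)
        ts = tm["ts"] if tm else None
        if (m := ROOTGUARD_RE.search(line)):
            events.append({"ts": ts, "kind": "rootguard_" + m["action"].lower(),
                           "port": canonical_port(m["port"]), "vlan": m["vlan"], "cause": None})
        elif (m := BPDUGUARD_RE.search(line)):
            events.append({"ts": ts, "kind": "bpduguard_bpdu_received",
                           "port": canonical_port(m["port"]), "vlan": None, "cause": None})
        elif (m := ERRDISABLE_RE.search(line)):
            events.append({"ts": ts, "kind": "err_disable",
                           "port": canonical_port(m["port"]), "vlan": None, "cause": m["cause"]})
        elif (m := LINK_UP_RE.search(line)):
            events.append({"ts": ts, "kind": "link_up",
                           "port": canonical_port(m["port"]), "vlan": None, "cause": None})
    return events


def guard_state(lines: List[str]) -> Dict[Tuple[str, Optional[str]], str]:
    """Replay the events and return what still needs attention.

    Keys are (port, vlan): Root Guard acts per VLAN, while err-disable takes the
    whole port down, so its vlan is None.
    """
    state: Dict[Tuple[str, Optional[str]], str] = {}
    for ev in stp_guard_events(lines):
        key = (ev["port"], ev["vlan"])
        if ev["kind"] == "rootguard_block":
            state[key] = "root-inconsistent"
        elif ev["kind"] == "rootguard_unblock":
            state.pop(key, None)
        elif ev["kind"] == "err_disable":
            state[key] = "err-disabled:" + ev["cause"]
        elif ev["kind"] == "link_up":
            # The post shows an err-disabled port only comes back after a shut /
            # no shut, which the switch announces with a %LINK-3-UPDOWN "up".
            if state.get(key, "").startswith("err-disabled"):
                del state[key]
    return state


if __name__ == "__main__":
    for ev in stp_guard_events(SAMPLE_LOG):
        print(ev)
    print(guard_state(SAMPLE_LOG))
```

Because Root Guard clears itself (the UNBLOCK message) while an err-disabled port stays down until someone bounces it, the replay leaves only the BPDU Guard entry standing; a scheduled run of guard_state over the last day's log is a cheap way to find ports nobody has noticed are still err-disabled.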

So the Topology now currently looks like this:

[Topology diagram: STP_UplinkFast_GuardTop4]

So this link is now considered down on both SW3 and SW4 once it is put in err-disable!

As soon as the BPDU from SW4 hits the port, it immediately disables it, which can be verified a few different ways:

Show Interface

SW3(config-if)#do sh int fa1/0/4
FastEthernet1/0/4 is down, line protocol is down (err-disabled)

*** Note that BPDU Guard err-disabled interfaces can only be seen by “sh int #” as it will NOT show up under “sh span” or “sh span summ” ***

SW3(config-if)#do sh span

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     1ce6.c7c1.c800
             Cost        19
             Port        5 (FastEthernet1/0/3)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     5897.1eab.ce00
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa1/0/2             Altn BLK 19        128.4    P2p
Fa1/0/3             Root FWD 19        128.5    P2p

 

SW3(config-if)#do sh span summ
Switch is in pvst mode
Root bridge for: none
Extended system ID is enabled
Portfast Default is disabled
PortFast BPDU Guard Default is disabled  <— Not configured globally
Portfast BPDU Filter Default is disabled
Loopguard Default is disabled
EtherChannel misconfig guard is enabled
UplinkFast is disabled
BackboneFast is disabled
Configured Pathcost method used is short

Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0001                      1         0        0          1          2
---------------------- -------- --------- -------- ---------- ----------
1 vlan                        1         0        0          1          2
SW3(config-if)#

It only mentions the two ports going back to SW1 and SW2, so once the port goes into err-disabled from BPDU Guard, STP basically disavows all knowledge of that interface in terms of STP verification commands – important to know for exam day!!

I will also address BPDU Guard being disabled globally in just a moment, but first, to illustrate a point, you cannot just remove the bpduguard command to bring the interface back up – it needs to be administratively brought back online:

SW3(config-if)#no spanning-tree bpduguard enable
SW3(config-if)#shut
SW3(config-if)#
*Mar 1 00:13:19.073: %LINK-5-CHANGED: Interface FastEthernet1/0/4, changed state to administratively down
SW3(config-if)#no shut
SW3(config-if)#
*Mar 1 00:13:25.566: %LINK-3-UPDOWN: Interface FastEthernet1/0/4, changed state to up
*Mar 1 00:13:26.573: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/4, changed state to up

SW3(config-if)#

So we have Portfast configured on the interface but no BPDU Guard at the interface level, so I will shut the interface down again and configure BPDU Guard globally to see what happens:

Configuration

SW3(config)#span ?
  backbonefast  Enable BackboneFast Feature
  etherchannel  Spanning tree etherchannel specific configuration
  extend        Spanning Tree 802.1t extensions
  logging       Enable Spanning tree logging
  loopguard     Spanning tree loopguard options
  mode          Spanning tree operating mode
  mst           Multiple spanning tree configuration
  pathcost      Spanning tree pathcost options
  portfast      Spanning tree portfast options
  transmit      STP transmit parameters
  uplinkfast    Enable UplinkFast Feature
  vlan          VLAN Switch Spanning Tree

SW3(config)#span portfast ?
  bpdufilter  Enable portfast bpdu filter on this switch
  bpduguard   Enable portfast bpdu guard on this switch
  default     Enable portfast by default on all access ports

SW3(config)#span portfast bpduguard ?
  default  Enable bpdu guard by default on all portfast ports

SW3(config)#span portfast bpduguard default
SW3(config)#

Verification with “show span summ”

SW3(config)#do sh span summ
Switch is in pvst mode
Root bridge for: none
Extended system ID is enabled
Portfast Default is disabled
PortFast BPDU Guard Default is enabled
Portfast BPDU Filter Default is disabled
Loopguard Default is disabled
EtherChannel misconfig guard is enabled
UplinkFast is disabled
BackboneFast is disabled
Configured Pathcost method used is short

There it is, and now when the interface to SW4 is brought back up:

SW3(config)#int fa1/0/4
SW3(config-if)#no shut
SW3(config-if)#
*Mar 1 00:22:10.600: %LINK-3-UPDOWN: Interface FastEthernet1/0/4, changed state to up
*Mar 1 00:22:11.506: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet1/0/4 with BPDU Guard enabled. Disabling port.
SW3(config-if)#
*Mar 1 00:22:11.506: %PM-4-ERR_DISABLE: bpduguard error detected on Fa1/0/4, putting Fa1/0/4 in err-disable state
SW3(config-if)#
*Mar 1 00:22:13.520: %LINK-3-UPDOWN: Interface FastEthernet1/0/4, changed state to down
SW3(config-if)#

And boom goes the dynamite.

One last note for BPDU Guard: both Portfast and BPDU Guard can be configured globally and work in sweet harmony together, as demonstrated here:

Shutting Port / Removing Portfast

SW3(config)#int fa1/0/4
SW3(config-if)#shut
SW3(config-if)#no span portfast
SW3(config-if)#
*Mar 1 00:24:14.668: %LINK-5-CHANGED: Interface FastEthernet1/0/4, changed state to administratively down

The configuration

SW3(config)#
SW3(config)#span portfast default
%Warning: this command enables portfast by default on all interfaces. You
should now disable portfast explicitly on switched ports leading to hubs,
switches and bridges as they may create temporary bridging loops.

SW3(config)#span portfast bpduguard default

No shut Port to verify it works

SW3(config)#int fa1/0/4
SW3(config-if)#no shut
SW3(config-if)#
*Mar 1 00:24:59.522: %LINK-3-UPDOWN: Interface FastEthernet1/0/4, changed state to up
*Mar 1 00:24:59.941: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet1/0/4 with BPDU Guard enabled. Disabling port.
SW3(config-if)#
*Mar 1 00:24:59.941: %PM-4-ERR_DISABLE: bpduguard error detected on Fa1/0/4, putting Fa1/0/4 in err-disable state

SW3(config-if)#
*Mar 1 00:25:01.946: %LINK-3-UPDOWN: Interface FastEthernet1/0/4, changed state to down
SW3(config-if)#

How it looks in “sh run”

!
spanning-tree mode pvst
spanning-tree portfast default
spanning-tree portfast bpduguard default
spanning-tree extend system-id
!

This was a bit odd to me, as you’d think setting one default after the other would overwrite the first portfast default configured, but they coexist and work just fine this way, and they are a valid way of deploying BPDU Guard!
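Since the global defaults and the interface commands combine, a config audit has to work out what actually applies per port rather than grep for one line. As an added example (not the post’s own code), this Python parses a running-config like the “sh run” fragment above and reports Portfast ports that end up without BPDU Guard, interface-level BPDU Filter (which, as the next section shows, hides a switch behind the port from STP entirely), and leftover “spanning-tree guard none” lines. The config is constructed around this page’s SW3 settings; interfaces Fa1/0/5 and Fa1/0/6 are hypothetical, and “spanning-tree portfast disable” is an interface keyword assumed to exist on this platform. An interface-level “spanning-tree bpduguard enable” is counted as effective on its own (an assumption of this audit), while the global default is applied only to Portfast ports, as the post describes.

```python
from typing import Dict, List, Tuple

# Constructed running-config, modelled on the "sh run" fragments on this page.
# Fa1/0/5 and Fa1/0/6 are hypothetical ports added so that each audit rule fires.
SAMPLE_RUNNING_CONFIG = """\
!
spanning-tree mode pvst
spanning-tree portfast default
spanning-tree portfast bpduguard default
spanning-tree extend system-id
!
interface FastEthernet1/0/2
 switchport mode trunk
!
interface FastEthernet1/0/3
 switchport mode trunk
!
interface FastEthernet1/0/4
 switchport mode access
 spanning-tree guard root
!
interface FastEthernet1/0/5
 switchport mode access
 spanning-tree bpdufilter enable
!
interface FastEthernet1/0/6
 switchport mode access
 spanning-tree bpduguard disable
 spanning-tree guard none
!
end
"""


def parse_running_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a running-config into its global lines and {interface: [lines]}."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None                    # "!" ends an interface block
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def effective_stp(global_lines: List[str], lines: List[str]) -> Dict[str, bool]:
    """Work out what actually applies on one port once global defaults are counted."""
    g = set(global_lines)
    trunk = "switchport mode trunk" in lines
    # Portfast: set on the interface, or inherited from "spanning-tree portfast
    # default" unless the port opted out ("spanning-tree portfast disable" is an
    # assumed interface keyword); either way it only acts on non-trunk ports, as
    # the switch itself warns ("only ... in a non-trunking mode").
    portfast = not trunk and (
        "spanning-tree portfast" in lines
        or ("spanning-tree portfast default" in g
            and "spanning-tree portfast disable" not in lines))
    # BPDU Guard: an explicit interface enable counts on its own (assumption of
    # this audit); the global default only covers Portfast ports.
    bpduguard = "spanning-tree bpduguard enable" in lines or (
        portfast and "spanning-tree portfast bpduguard default" in g
        and "spanning-tree bpduguard disable" not in lines)
    return {
        "trunk": trunk,
        "portfast": portfast,
        "bpduguard": bpduguard,
        "bpdufilter": "spanning-tree bpdufilter enable" in lines,
        "root_guard": "spanning-tree guard root" in lines,
        "guard_none": "spanning-tree guard none" in lines,
    }


def audit_config(text: str) -> Dict[str, List[str]]:
    """Return {interface: [findings]} for ports whose edge protection is incomplete."""
    global_lines, interfaces = parse_running_config(text)
    report = {}
    for name, lines in interfaces.items():
        eff = effective_stp(global_lines, lines)
        findings = []
        if eff["portfast"] and not eff["bpduguard"]:
            findings.append("Portfast without BPDU Guard: a switch plugged in here "
                            "joins the STP topology instead of being err-disabled")
        if eff["bpdufilter"]:
            findings.append("Interface-level BPDU Filter drops all BPDUs: a switch "
                            "behind this port is invisible to STP")
        if eff["guard_none"]:
            findings.append("'spanning-tree guard none' is a leftover; use "
                            "'no spanning-tree guard ...' to remove it cleanly")
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for intf, findings in audit_config(SAMPLE_RUNNING_CONFIG).items():
        print(intf)
        for f in findings:
            print("  -", f)
```

Run it against a saved “show running-config” and the trunks towards SW1 and SW2 come out clean (Portfast never applies to a trunk), Fa1/0/4 is covered by the two global defaults, and only the two hypothetical ports are reported.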

 

STP BPDU Filter (with a catch at the end)

 

This is also a Portfast-only command, which can be configured at the interface level or globally, and its purpose is to stop ALL BPDUs from being sent or received on Portfast-enabled interfaces!

Simple enough, right?

So first I will run through configuring it at the interface level, to see what happens (or doesn’t happen) when the shutdown port is brought back up:

Configuration

SW3(config)#int fa1/0/4
SW3(config-if)#span portfast
%Warning: portfast should only be enabled on ports connected to a single
host. Connecting hubs, concentrators, switches, bridges, etc… to this
interface when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION

%Portfast has been configured on FastEthernet1/0/4 but will only
have effect when the interface is in a non-trunking mode.
SW3(config-if)#span bpdufilter enable

No shutting the interface

SW3(config-if)#no shut
SW3(config-if)#
*Mar 1 00:10:17.544: %LINK-3-UPDOWN: Interface FastEthernet1/0/4, changed state to up
*Mar 1 00:10:18.550: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/4, changed state to up
SW3(config-if)#

Verification of what happened from SW3

SW3(config-if)#do sh span

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     1ce6.c7c1.c800
             Cost        19
             Port        5 (FastEthernet1/0/3)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     5897.1eab.ce00
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  15 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa1/0/2             Altn BLK 19        128.4    P2p
Fa1/0/3             Root FWD 19        128.5    P2p
Fa1/0/4             Desg FWD 19        128.6    P2p Edge

The “Edge” tacked onto the interface info shows Portfast is enabled, noting that this is an Edge Port; but also, this port did NOT transition to the Root Port, so BPDUs are officially being blocked from SW4!

Verifying what happened from the view of SW4

SW4#sh span

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0017.5aa8.a600
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0017.5aa8.a600
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/4               Desg FWD 19        128.6    P2p

SW4 is not receiving BPDUs telling it there is a Root Bridge in the network, and just to drive the point home, I will even configure SW1 with a lower Priority to test this theory:

SW1(config)#span vlan 1 root primary
SW1(config)#
ASR#4
[Resuming connection 4 to sw4 … ]

SW4#sh span

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0017.5aa8.a600
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0017.5aa8.a600
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/4               Desg FWD 19        128.6    P2p

Someone needs to tell SW4, that Denial is more than a river running through Egypt 🙂

For my final act of the night, I removed the configurations from the interface level, and will apply them globally to see if this does indeed work:

Configuration and no shut int Fa1/0/4

SW3(config)#span portfast default
%Warning: this command enables portfast by default on all interfaces. You
should now disable portfast explicitly on switched ports leading to hubs,
switches and bridges as they may create temporary bridging loops.

SW3(config)#span portfast bpdufilter default
SW3(config)#int fa1/0/4
SW3(config-if)#no shut
SW3(config-if)#
*Mar 1 00:20:02.464: %LINK-3-UPDOWN: Interface FastEthernet1/0/4, changed state to up
*Mar 1 00:20:03.471: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/4, changed state to up
SW3(config-if)#

Verification BPDU Filter is configured globally on SW3

SW3(config-if)#do sh span summ
Switch is in pvst mode
Root bridge for: none
Extended system ID is enabled
Portfast Default is enabled
PortFast BPDU Guard Default is disabled
Portfast BPDU Filter Default is enabled
Loopguard Default is disabled
EtherChannel misconfig guard is enabled
UplinkFast is disabled
BackboneFast is disabled
Configured Pathcost method used is short

I will spare you all the output, but after verifying, this did not work.

This actually would not work with the command “span portfast bpdufilter default” at all; the “bpdufilter” portion had to be configured at the interface level, or SW4 would indeed get a BPDU and adjust its Root Bridge ID to that of SW1 (the Root Bridge).

***So technically I could not get the command for BPDU Filter to work globally in any scenario; the BPDU Filter command HAD to be configured on the interface, but Portfast could be enabled globally and the interface bpdufilter command would work.***

This is the best explanation of this behavior I found, on the Cisco CCNP forums:

“The global configuration is more intricate. Similar to the BPDU Guard feature, the global BPDU Filter is enabled on interfaces in operational PortFast state. In global mode, the switch does not filter incoming BPDUs, but most (though not all) outgoing BPDUs are filtered. When a port comes up, 11 BPDUs are sent out. If BPDUs are received, the PortFast and BPDU Filter features are disabled.”

The full thread of me losing my mind trying to get this to work can be found here on the Cisco CCNP R/S Study Group forum.

So in theory it’s good to know it “should” work exactly the same as the BPDU Guard global configuration, so for exam day I would go with the theory of how it “should” work, but how it “technically” works on real equipment is a much different story.

That covers that, onto some more Spanning-Tree!