KB.15.15

PVST filtering

If you configure a port for PVST filtering instead of PVST protection, the port remains in operation

but traps are still generated and the BPDU counter hpSwitchStpPortErrantBpduCounter is

incremented.

CAUTION: Enabling the PVST filter feature allows the port to continuously forward packets without

spanning tree intervention, which could result in loop formation. If this occurs, disable the port and

then reconfigure it with these commands:

no spanning-tree port-list bpdu-filter

no spanning-tree port-list pvst-filter

Loop protection

In cases where spanning tree cannot be used to prevent loops at the edge of the network, loop

protection may provide a suitable alternative. Loop protection operates in two modes:

Untagged The default mode. This mode can be used to find loops in untagged downlinks.

Tagged VLAN Finds loops on tagged VLANs. This mode can be used to detect loops in

tagged-only uplinks where STP cannot be enabled.

The cases where loop protection might be chosen ahead of spanning tree to detect and prevent

loops are as follows:

On ports with client authentication When spanning tree is enabled on a switch that use 802.1X,

Web authentication, and MAC authentication, loops may

go undetected. For example, spanning tree packets that are

looped back to an edge port will not be processed because

they have a different broadcast/multicast MAC address

from the client-authenticated MAC address. To ensure that

client-authenticated edge ports get blocked when loops

occur, you should enable loop protection on those ports.

On ports connected to unmanaged

devices

Spanning tree cannot detect the formation of loops where

there is an unmanaged device on the network that does not

process spanning tree packets and simply drops them. Loop

protection has no such limitation, and can be used to prevent

loops on unmanaged switches.

About MSTP 129