Spanning-tree “BPDU Filter” works similarly to “BPDU Guard” in that it allows you to block BPDUs. The major difference is that “BPDU Guard” places an interface that receives a BPDU into the “err-disabled” state, effectively protecting the violating port, while “BPDU Filter” just filters the BPDU and leaves the port up.
BPDU Filter can be configured globally or on a port-by-port basis, and the two behave differently.
Global – If BPDU Filter is enabled globally, any interface with “Portfast” configured will not send or receive any BPDUs. However, if the port does receive a BPDU, it loses its “Portfast” status, disables BPDU filtering and acts as a normal port.
Port by Port – If BPDU Filter is enabled on a port-by-port basis, the port ignores incoming BPDUs and does not send out any BPDUs either. This is the same as disabling spanning tree.
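Broadcast storm
A broadcast storm occurs when an obvious or hidden loop in an Ethernet network causes broadcast frames to multiply exponentially, so that broadcast frames take up all of the network's traffic and no other forwarding can take place.
An Ethernet switch handles a broadcast frame the same way no matter which port it arrives on: it makes a complete copy and forwards it out of all other ports (every port except the one it was received on).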
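Bridge Assurance can be enabled with:
spanning-tree port type network
Bridge Assurance strengthens the protection and stability of STP. When the peer has a problem (for example, bpdu-filter is enabled on its port and filters out all BPDUs), the local switch can use Bridge Assurance (which blocks the local port when no BPDUs arrive from the peer) to make sure a loop does not form.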
When the BPDUs stop being received, the port is put into blocking state (actually a port inconsistent state, which stops forwarding). When BPDUs restart, the port resumes normal RSTP or MST modes. This handles unidirectional links as well as the malfunction of a neighboring switch where STP stops sending BPDUs but the switch continues to forward frames.
Bridge Assurance makes sense in a pure Spanning Tree Protocol environment with STP blocked ports, where it helps ensure (by sending bidirectional BPDUs) that those ports do not transition to a forwarding state by error. In a vPC environment, however, there are no STP blocked ports (vPC member ports are always in forwarding state), which makes the Bridge Assurance feature less useful.
Strong Recommendations:
● Do not enable Bridge Assurance (BA) on vPC member ports. Even if peer-switch is used in the vPC domain, the recommendation is still to disable Bridge Assurance on the vPC.
● Bridge Assurance is enabled automatically on the vPC peer-link when the link is created. Bridge Assurance on the peer-link is fine, so there is no need to disable it.
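A configuration check for the settings discussed above, added here as an example and not part of the original notes: it flags interfaces with port-level BPDU Filter (the case that is the same as disabling spanning tree) and vPC member ports that have Bridge Assurance turned on, while leaving the peer-link alone. The config fragment is constructed, and the parser assumes NX-OS style running-config lines ("vpc <number>", "vpc peer-link", "spanning-tree bpdufilter enable").

```python
import re

# Constructed NX-OS style running-config fragment (sample input, not from the page).
SAMPLE_CONFIG = """\
interface port-channel1
  vpc peer-link
  spanning-tree port type network
interface port-channel20
  vpc 20
  spanning-tree port type network
interface Ethernet1/5
  spanning-tree port type edge
  spanning-tree bpdufilter enable
interface Ethernet1/6
  spanning-tree port type edge
  spanning-tree bpduguard enable
"""

def parse_interfaces(config):
    """Return {interface name: [stripped sub-commands]} from a running-config."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current is not None and line[:1].isspace() and line.strip():
            interfaces[current].append(line.strip())
        elif line.strip():
            current = None  # unindented line: back at global config level
    return interfaces

def audit_stp(config):
    """Return sorted (interface, finding) pairs for the two risky settings."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        if "spanning-tree bpdufilter enable" in cmds:
            findings.append((name, "port-level BPDU filter: STP effectively off on this port"))
        # "vpc <number>" marks a vPC member; "vpc peer-link" is deliberately excluded.
        is_vpc_member = any(re.fullmatch(r"vpc \d+", c) for c in cmds)
        if is_vpc_member and "spanning-tree port type network" in cmds:
            findings.append((name, "Bridge Assurance enabled on vPC member port"))
    return sorted(findings)

if __name__ == "__main__":
    for name, finding in audit_stp(SAMPLE_CONFIG):
        print(f"{name}: {finding}")
```

Ethernet1/6 is not flagged because BPDU Guard err-disables the port instead of silently dropping BPDUs, and port-channel1 is not flagged because Bridge Assurance on the peer-link is expected.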