BPDU filter on a Unifi switch

A brand new Unifi Switch (48 POE-500W) is experiencing some issues that do not affect the switch functionality, but they are filling our syslog server with messages like this:

US48P500,18e829286ff3,v4.0.80.10875 switch: DOT1S: dot1sBpduReceive(): Discarding the BPDU on port 0/1, since it is an invalid BPDU type

and

US48P500,18e829286ff3,v4.0.80.10875 switch: DOT1S: dot1sBpduReceive(): Invalid Forward Delay

Connecting to a Unifi switch

Since this is BPDU-related (BPDU stands for Bridge Protocol Data Unit, a type of L2 frame usually exchanged between switching equipment), we can assume that the issue is with spanning tree. The upstream device (the one connected on port 0/1) is an ISP device that we can't configure, and the Unifi Controller offers only limited options, so we need to log in to the switch via SSH:

ssh [email protected]
[email protected]'s password: 


BusyBox v1.23.2 (2020-01-11 23:36:54 UTC) built-in shell (ash)


  ___ ___      .__________.__
 |   |   |____ |__\_  ____/__|
 |   |   /    \|  ||  __) |  |   (c) 2010-2019
 |   |  |   |  \  ||  \   |  |   Ubiquiti Networks, Inc.
 |______|___|  /__||__/   |__|
            |_/                  https://www.ui.com/

      Welcome to UniFi USW-48P-500!

Entering CLI on a Unifi switch

To enter the CLI of the switch, we telnet from its shell to the switch itself:

telnet 127.0.0.1
Entering character mode
Escape character is '^]'.

Warning!
The changes may break controller settings and only be effective until reboot.

The device is warning us that the changes we are making are only going to be effective until the next reboot. To enter privileged mode, we enter:

(UBNT) >enable 

We already know that the port that’s having issues is 0/1, so we will look at the spanning-tree configuration of that port:

(UBNT) #show spanning-tree interface 0/1

Hello Time..................................... Not Configured
Port Mode...................................... Enabled
BPDU Guard Effect.............................. Disabled
Root Guard..................................... False
TCN Guard...................................... False
BPDU Filter Mode............................... Disabled
BPDU Flood Mode................................ Disabled
Auto Edge...................................... TRUE
Port Up Time Since Counters Last Cleared....... 13 day 19 hr 47 min 11 sec
STP BPDUs Transmitted.......................... 0
STP BPDUs Received............................. 0
RSTP BPDUs Transmitted......................... 597224
RSTP BPDUs Received............................ 0
MSTP BPDUs Transmitted......................... 0
MSTP BPDUs Received............................ 0

Configuring Unifi switch in CLI mode

At this point we are not going to go into detail about why this is happening; we just need to stop flooding the syslog server with messages. The easiest way to do that is to enable BPDU filter on the 0/1 interface. This makes the switch ignore all BPDU messages received on that port, and since the device connected on the other side shouldn’t participate in our STP topology, we should be OK – at least until the next reboot 🙂

(UBNT) #configure 
(UBNT) (Config)#interface 0/1 
(UBNT) (Interface 0/1)#spanning-tree bpdufilter 
(UBNT) (Interface 0/1)#end

Once we’re done configuring the port, we check the spanning-tree settings on the port once again:

(UBNT) #show spanning-tree interface 0/1
...
BPDU Filter Mode............................... Enabled
...

As can be seen here, BPDU filter is now enabled and the switch is no longer flooding the syslog server.

As previously stated, BPDU filter is a functionality that will help us resolve the issue at hand. This still doesn’t resolve the underlying issue of BPDU frames being sent in the first place. BPDU filter is a great option when you don’t control both devices that are having an issue and you need to resolve a symptom, not an underlying issue.

BPDU filter shouldn’t be configured on ports of the devices we control unless we are trying to manually influence the spanning-tree topology. BPDU filtering on ports that are actually connected to switches in our network could cause bridging loops, as the ports configured with BPDU filter will ignore any BPDU they receive and will always be in a forwarding state.

Configuration changes made in the CLI of Unifi equipment are not saved after a device reboot. Unfortunately, once the device is rebooted, changes made in the CLI will be gone and this procedure will have to be repeated. This is by design as Unifi devices should be managed by a Unifi Controller, not directly. If anyone has an idea on how to make CLI changes permanent, feel free to comment below.
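
Because the filter disappears on reboot and is risky on the wrong port, here is an added example (not part of the original post) that parses saved `show spanning-tree interface` output and flags ports whose BPDU Filter Mode differs from the intended placement. The allowlist, the function names and the 0/2 capture are assumptions made for illustration; the sample text is constructed in the format shown above.

```python
import re

# Assumption: the ISP uplink is the only port where BPDU filter is intended.
EXPECTED_FILTER_PORTS = {"0/1"}

# Constructed capture: port 0/1 after a reboot, plus a hypothetical port 0/2.
SAMPLE = """\
(UBNT) #show spanning-tree interface 0/1
Port Mode...................................... Enabled
BPDU Guard Effect.............................. Disabled
BPDU Filter Mode............................... Disabled
RSTP BPDUs Received............................ 0
(UBNT) #show spanning-tree interface 0/2
Port Mode...................................... Enabled
BPDU Filter Mode............................... Enabled
RSTP BPDUs Received............................ 12
"""

CMD = re.compile(r"show spanning-tree interface (\S+)")
FIELD = re.compile(r"^(.+?)\.{2,}\s*(.*)$")  # "Key........ Value"

def parse_capture(text):
    """Return {port: {field: value}} from one or more command outputs."""
    ports, current = {}, None
    for line in text.splitlines():
        m = CMD.search(line)
        if m:  # a new command echo starts a new port section
            current = ports.setdefault(m.group(1), {})
            continue
        m = FIELD.match(line.strip())
        if m and current is not None:
            current[m.group(1).strip()] = m.group(2).strip()
    return ports

def audit(ports, expected=EXPECTED_FILTER_PORTS):
    """Flag ports whose BPDU filter state differs from the intended one."""
    findings = []
    for port, fields in sorted(ports.items()):
        enabled = fields.get("BPDU Filter Mode") == "Enabled"
        if port in expected and not enabled:
            findings.append((port, "filter missing (lost after reboot?)"))
        elif port not in expected and enabled:
            findings.append((port, "filter on unexpected port (loop risk)"))
    for port in sorted(expected - set(ports)):
        findings.append((port, "no output captured"))
    return findings

if __name__ == "__main__":
    print(audit(parse_capture(SAMPLE)))
```

Run against output saved after each reboot, an empty result means the filter is in place on the uplink and nowhere else.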
