BPDU Guard Versus Filter

Unanswered Question
Apr 27th, 2007

Hi,

If I want to set, at the global configuration level, BPDU guard AND BPDU filter enabled for STP PortFast, is it a good idea?

BPDU guard will shut down the port if a BPDU frame is received, and with BPDU filter a switch port cannot send BPDU frames.

So, if I create a loop with two ports where BPDU guard and filter are enabled, will I have a network outage?

Is it true or not?

Regards

JeremiahL Fri, 04/27/2007 - 04:48

I'm not sure I completely understand your question, but BPDU guard and BPDU filter can be configured globally or on an individual port, and apply to all non-trunking interfaces where PortFast has been enabled.

So if you're connecting two switches together, both with BPDU guard/filter enabled, and the ports connecting the switches are not configured to be a trunk, then neither switch will send or acknowledge BPDUs on the connected ports unless PortFast is disabled or BPDU guard/filter is turned off on the individual ports (I believe that's possible with BPDU guard/filter enabled globally).

Check out this page for a little more information on BPDU services; the commands listed are for the Cat IOS, though.

http://www.cisco.com/en/US/products/hw/switches/ps663/products_configuration_guide_chapter09186a00800d81a8.html

HTH

obacati21 Fri, 04/27/2007 - 05:01

In fact, I put these 2 commands globally on a 2950. A user took another switch (Netgear) and connected it twice to the network on PortFast ports. So he created a loop and I saw big issues in the LAN.

I don't know exactly why. I think that BPDU filter blocks all BPDU announcements, so BPDU guard doesn't shut down the port! Is it true?

Obacati21

royalblues Fri, 04/27/2007 - 07:25

Does the Netgear switch send / forward BPDUs?

BPDU guard puts a port into errdisable if it receives a BPDU.

BPDU filter sort of disables STP by not sending or processing BPDUs. So if a BPDU is received on a BPDU filter port, it will not process it.

Narayan

rseiler Fri, 04/27/2007 - 08:55

There is really no good reason to use BPDU filter, and this will generally create loop issues if you don't know what you are doing. I would recommend using portfast bpduguard, which would have prevented your loop issue since the Cisco switch would have seen its own BPDU through the Netgear (or whatever) hub or switch and err-disabled one or both of the cross-connected ports.

I always recommend the following global commands on an edge switch:

'spanning-tree portfast default'

'spanning-tree portfast bpduguard default'

Please ensure that you have disabled both PortFast AND bpduguard on all uplink ports before you enable this globally because, unlike what was intimated in an earlier post, PortFast and/or bpduguard can trigger on a trunk port before the dot1q trunk actually forms, and this could err-disable your uplink port!

In summary, do the following:

    conf t
    ! uplink ports: take them out of the edge-port defaults BEFORE enabling the
    ! global defaults below, so the uplinks are never err-disabled
    int range gi0/1-2
     spanning-tree portfast disable
     spanning-tree bpduguard disable
    exit
    ! global commands: PortFast and BPDU guard on every non-trunking port by default
    spanning-tree extend system-id
    spanning-tree portfast default
    spanning-tree portfast bpduguard default
    ! edge ports: access mode, and let them pick up the global PortFast default
    int range fa0/1-48
     switchport mode access
     default spanning-tree portfast
    end
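The two pitfalls this thread turns on are easy to catch by reading the running-config before it goes live: an uplink that was not excluded from the global PortFast/BPDU guard defaults, and a port where BPDU filter is layered on top of BPDU guard so the guard never sees a BPDU. The audit below is an added example written for this page, not code posted by anyone in the thread; it follows rseiler's checklist and the filter-vs-guard reasoning from the question. The running-config it parses is constructed for the example (the interface names and descriptions are assumptions, not a real 2950), and the findings it reports are only about what the config text says, not what the switch is doing on the wire.

```python
"""Audit an IOS-style running-config for STP edge-port pitfalls."""

# Constructed sample config (not from the thread). It contains one correctly
# excluded uplink, one uplink that was forgotten, an access port that stacks
# BPDU filter on the global BPDU guard default, and one clean access port.
SAMPLE_CONFIG = """\
spanning-tree mode pvst
spanning-tree extend system-id
spanning-tree portfast default
spanning-tree portfast bpduguard default
!
interface GigabitEthernet0/1
 description uplink to core (excluded from the global defaults)
 switchport mode trunk
 spanning-tree portfast disable
 spanning-tree bpduguard disable
!
interface GigabitEthernet0/2
 description second uplink, exclusions forgotten
 switchport mode trunk
!
interface FastEthernet0/1
 switchport mode access
 spanning-tree bpdufilter enable
!
interface FastEthernet0/2
 switchport mode access
!
"""


def parse_config(text):
    """Split an IOS config into global commands and per-interface command lists.

    Interface stanzas are the lines indented under 'interface ...'; a bare '!'
    or any unindented line ends the stanza.
    """
    global_cmds, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_cmds.append(line)
    return global_cmds, interfaces


def audit(text):
    """Return (interface, finding) pairs for the pitfalls discussed in the thread."""
    global_cmds, interfaces = parse_config(text)
    g = set(global_cmds)
    pf_default = "spanning-tree portfast default" in g
    guard_default = "spanning-tree portfast bpduguard default" in g
    filter_default = "spanning-tree portfast bpdufilter default" in g
    findings = []

    if guard_default and filter_default:
        findings.append(("global", "bpduguard default and bpdufilter default are both set; "
                                   "the filter suppresses the BPDUs the guard would react to"))

    for name, cmds in interfaces.items():
        c = set(cmds)
        is_trunk = any(x.startswith("switchport mode trunk") or x.startswith("switchport trunk")
                       for x in c)
        if is_trunk:
            # rseiler's rule: uplinks need explicit 'disable' for both features
            # before the global defaults are turned on.
            if pf_default and "spanning-tree portfast disable" not in c:
                findings.append((name, "uplink inherits the global PortFast default; "
                                       "add 'spanning-tree portfast disable'"))
            if guard_default and "spanning-tree bpduguard disable" not in c:
                findings.append((name, "uplink inherits the global BPDU guard default; "
                                       "add 'spanning-tree bpduguard disable'"))
            continue

        # Access port: work out which features are in effect, per-port or by default.
        portfast_on = (any(x.startswith("spanning-tree portfast") and not x.endswith("disable")
                           for x in c)
                       or (pf_default and "spanning-tree portfast disable" not in c))
        guard_on = ("spanning-tree bpduguard enable" in c
                    or (guard_default and portfast_on
                        and "spanning-tree bpduguard disable" not in c))
        filter_on = ("spanning-tree bpdufilter enable" in c
                     or (filter_default and portfast_on
                         and "spanning-tree bpdufilter disable" not in c))
        if filter_on and guard_on:
            findings.append((name, "BPDU filter and BPDU guard both active; the filter drops "
                                   "BPDUs before the guard sees them, so a loop through this "
                                   "port will not err-disable it"))
        elif filter_on:
            findings.append((name, "BPDU filter active; this port will not shut down on a loop"))
    return findings


if __name__ == "__main__":
    for iface, msg in audit(SAMPLE_CONFIG):
        print(f"{iface}: {msg}")
```

Run against the sample, it reports nothing for GigabitEthernet0/1 (both exclusions present), two findings for GigabitEthernet0/2 (missing exclusions), and one for FastEthernet0/1 (filter on top of the inherited guard). Feed it the real `show running-config` output of an edge switch before you paste in the global defaults, and fix every trunk it lists first.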
