BPDU Guard and Filter

Answered Question
Feb 27th, 2008
What is the difference between BPDU Guard and Filter?

Correct Answer
Kevin Dorrell Wed, 02/27/2008 - 06:01

Yes they are two completely different things.


BPDU Guard is designed to protect your network from unauthorised switches, or from loops. What it says is "If you see a BPDU on this port, then shut the port down." It is recommended to have BPDU Guard on all user-facing ports.


BPDU filter switches off the BPDUs, and as such is very dangerous unless you are absolutely sure you need it. What it does is to stop sending or receiving BPDUs on this port. BPDUs are what protect your network against loops, so you can see that blocking them is to take a great risk. Do not use bpdufilter unless you have a specific very valid reason for doing so.


Kevin Dorrell

Luxembourg


royalblues Wed, 02/27/2008 - 06:02

BPDU guard puts a port into errdisable if it receives a BPDU. This is generally configured on all ports configured with portfast as these should generally connect to end stations and should never receive a BPDU.


BPDU filter sort of disables STP by not sending or processing BPDUs. Even if you enable PortFast on a port, by default that port still generates configuration BPDUs. Any connected device receives and might process configuration BPDUs unnecessarily. You can configure a feature called BPDU Filter, which prevents a PortFast-enabled port from sending configuration BPDUs. If configuration BPDUs are received on the PortFast-enabled port, the port either loses its PortFast status (or is manually shut down if BPDU guard is configured), or it ignores the BPDUs, depending on how you configure BPDU Filter.



Narayan




mohammedmahmoud Wed, 02/27/2008 - 06:07

Hi,


BPDU Filter depends upon where it is configured:


- When enabling it globally, this command prevents interfaces that are in a Port Fast-operational state from sending or receiving BPDUs. You should globally enable BPDU filtering on a switch so that hosts connected to these interfaces do not receive BPDUs. If a BPDU is received on a Port Fast-enabled interface, the interface loses its Port Fast-operational status, and BPDU filtering is disabled (meaning that BPDUs are sent and received and not filtered anymore).


- When used on a per-interface basis, it has nothing to do with PortFast; it will stop sending and receiving BPDUs on this interface (bordering/stopping the spanning-tree domain - the same as disabling spanning tree on it, and can result in spanning-tree loops).



As for BPDU Guard:


If a BPDU is received on an interface, the interface will be shut down (BPDU filter just reverts the interface out of PortFast state, but BPDU Guard puts the interface into err-disabled).



BR,

Mohammed Mahmoud.


starmanjl Wed, 02/27/2008 - 06:49

What are the consequences when configuring both features on a per port basis if any?

mohammedmahmoud Wed, 02/27/2008 - 07:13

Hi,


Both are different in needs, I can't see the case where you need to configure both on the same interface (but I believe that the switch won't reject it).


To make my post complete, BPDU Guard also depends on whether it is configured globally or under the interface, where if it is enabled globally it affects only the ports configured with PortFast, while if configured on the interface level it doesn't depend on PortFast being enabled.


BR,

Mohammed Mahmoud.
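
The global versus per-interface behaviour described in the two posts above can be checked mechanically against a switch configuration. The following is an added example, not part of the thread: the sample config is constructed, the finding names are hypothetical, `switchport mode access` is assumed to mark a user-facing port, and only interface-level `spanning-tree portfast` is considered.

```python
# Constructed sample running-config (not taken from the thread).
SAMPLE_CONFIG = """\
spanning-tree portfast bpduguard default
interface GigabitEthernet0/1
 switchport mode access
 spanning-tree portfast
interface GigabitEthernet0/2
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable
interface GigabitEthernet0/3
 switchport mode access
 spanning-tree bpduguard enable
 spanning-tree bpdufilter enable
interface GigabitEthernet0/4
 switchport mode access
"""

def audit(config):
    """Return sorted (interface, finding) pairs for IOS-style config text."""
    global_lines, interfaces, current = [], {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = interfaces.setdefault(raw.split(None, 1)[1], [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        elif raw.strip() not in ("", "!"):
            current = None  # back at global level
            global_lines.append(raw.strip())
    # Global guard only covers ports that also have PortFast enabled.
    global_guard = "spanning-tree portfast bpduguard default" in global_lines
    findings = []
    for name, lines in interfaces.items():
        portfast = "spanning-tree portfast" in lines
        guard = "spanning-tree bpduguard enable" in lines
        bfilter = "spanning-tree bpdufilter enable" in lines
        if bfilter:  # port stops sending and receiving BPDUs
            findings.append((name, "filter-on-interface"))
        if bfilter and guard:  # both features set on the same port
            findings.append((name, "guard-and-filter"))
        # Assumption: "switchport mode access" marks a user-facing port.
        if ("switchport mode access" in lines and not guard
                and not (global_guard and portfast)):
            findings.append((name, "no-guard"))
    return sorted(findings)
```

`audit(SAMPLE_CONFIG)` reports GigabitEthernet0/4 as unguarded because the global default skips ports without PortFast, while an interface-level `bpduguard enable` would cover it regardless.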


lamav Wed, 02/27/2008 - 07:13

Folks:


All of you had informative and useful explanations, but Mohammed's was extra awesome, since it elaborated on the different ways to implement the features -- either globally or by port.


Mo, great post, I'm rating it a 5.


Victor

mohammedmahmoud Wed, 02/27/2008 - 07:25

Hi Victor,


Thank you very much for the appreciation.



BR,

Mohammed Mahmoud.

starmanjl Thu, 02/28/2008 - 07:00

I want to thank everyone for their input. I was for the most part on the right track, however Mohammed's input concerning the differences between the global and local setting was very useful.


I appreciate your help.
