Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1029
Views
20
Helpful
8
Replies

BPDU Guard and Filter

Go to solution
starmanjl
Level 1
Level 1

‎02-27-2008 05:42 AM - edited ‎03-05-2019 09:24 PM

What is the difference between BPDU Guard and Filter?

1 person had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Kevin Dorrell
Level 10
Level 10

‎02-27-2008 06:01 AM

Yes they are two completely different things.

BPDU Guard is designed to protect your network from unauthorised switches, or from loops. What it says is "If you see a BPDU on this port, then shut the port down." It is recommended to have BPDU Guard on all user-facing ports.

BPDU filter switches off the BPDUs, and as such is very dangerous unless you are absolutely sure you need it. What it does is to stop sending or receiving BPDUs on this port. BDPUs are what protects your network against loops, so you can see that blocking them is to take a great risk. Do not use bpdufilter unless you have a specific very valid reason for doing so.

Kevin Dorrell

Luxembourg

View solution in original post

8 Replies 8

Go to solution
Kevin Dorrell
Level 10
Level 10

‎02-27-2008 06:01 AM

Yes they are two completely different things.

BPDU Guard is designed to protect your network from unauthorised switches, or from loops. What it says is "If you see a BPDU on this port, then shut the port down." It is recommended to have BPDU Guard on all user-facing ports.

BPDU filter switches off the BPDUs, and as such is very dangerous unless you are absolutely sure you need it. What it does is to stop sending or receiving BPDUs on this port. BDPUs are what protects your network against loops, so you can see that blocking them is to take a great risk. Do not use bpdufilter unless you have a specific very valid reason for doing so.

Kevin Dorrell

Luxembourg

Go to solution
royalblues
Level 10
Level 10

‎02-27-2008 06:02 AM

BPDU guard puts a port into errrdisable if it receives a BPDU. THis is generally configured on all ports configured with portfast as these should generally connect to end stations and should never receive a BPDU

BPDU filter sort of disables STP by not sending or proccessing BPDS's. Even if you enable PortFast on a port, by default that port still generates configuration BPDUs. Any connected device receives and might process configuration BPDUs unnecessarily. You can configure a feature called BPDU Filter, which prevents a PortFast-enabled port from sending configuration BPDUs. If configuration BPDUs are received on the PortFast-enabled port, the port either loses its PortFast status (or is manually shut down if BPDU guard is configured), or it ignores the BPDUs, depending on how you configure BPDU Filter.

Narayan

0 Helpful

Go to solution
mohammedmahmoud
Level 11
Level 11

‎02-27-2008 06:07 AM

Hi,

BPDU Filter depends upon where it is configured:

- When enabling it globally, this command prevents interfaces that are in a Port Fast-operational state from sending or receiving BPDUs. You should globally enable BPDU filtering on a switch so that hosts connected to these interfaces do not receive BPDUs. If a BPDU is received on a Port Fast-enabled interface, the interface loses its Port Fast-operational status, and BPDU filtering is disabled (meaning that BPDUs are sent and received and not filtered anymore).

- When used on a per interface it has nothing to do with portfast it will stop sending and receiving BPDU on this interface (bordering/stopping the Spanning-tree domain - the same as disabling spanning tree on it and can result in spanning-tree loops).

As for BPDU Guard:

If a BPDU is received on an interface, the interface will be shutdown (BPDU filter just reverts the interface out of PortFast state, but BPDU Guard puts the interface into err-disabled).

BR,

Mohammed Mahmoud.

Go to solution
starmanjl
Level 1
Level 1
In response to mohammedmahmoud

‎02-27-2008 06:49 AM

What are the consequences when configuring both features on a per port basis if any?

0 Helpful

Go to solution
mohammedmahmoud
Level 11
Level 11
In response to starmanjl

‎02-27-2008 07:13 AM

Hi,

Both are different in needs, i can't see the case where you need to configure both on the same interface (but i believe that the switch won't reject it).

To make my post complete, BPDU Guard also depends on whether it is configured globally or under the interface, where if it is enabled globally it affects only the ports configured with PortFast, while if configured on the interface level it doesn't depend on PortFast being enabled.

BR,

Mohammed Mahmoud.

Go to solution
lamav
Level 8
Level 8
In response to mohammedmahmoud

‎02-27-2008 07:13 AM

Folks:

All of you had informative and useful explanations, but Mohammed's was extra awesome, since it elaborated on the different ways to implement the features -- either globally or by port.

Mo, great post, I'm rating it a 5.

Victor

0 Helpful

Go to solution
mohammedmahmoud
Level 11
Level 11
In response to lamav

‎02-27-2008 07:25 AM

Hi Victor,

Thank you very much for the appreciation.

BR,

Mohammed Mahmoud.

0 Helpful

Go to solution
starmanjl
Level 1
Level 1
In response to mohammedmahmoud

‎02-28-2008 07:00 AM

I want to thank everyone for their input. I was for the most part on the right track, however Mohammed's input concerning the differences between the global and local setting was very usefull.

I appreciate your help.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card