- Silver, 250 points or more
Could someone please put me straight about BPDU filtering please?
My study material states the BPDU filtering like BPDU guard should only be configured on ports configured for Portfast. It appears that BPDU filtering and BPDU guard perform much the same function, though when BPDU filtering is configured on a port, that port does not get put into "err-disabled" state when a BPDU is received.
My study material goes on to explain about the different behaviour between BPDU filtering when configured globally and configured on an interface, which I understand.
My study material states that when configured on an interface, BPDU's received on that interface will be quietly ignored (dropped) and no BPDU's will be sent in return. BPDU filtering is presented as a "good" feature which can help prevent a switch becoming the root bridge if it was mischievously or erroneously connected to a interface configured with Port fast & BPDU filtering.
I have also referenced this Cisco document (http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_25_see/configuration/guide/swstpopt.html#wp1046220)
and under the section titled "Understanding BPDU Filtering" it states that "enabling BPDU filtering on an interface is the same as disabling STP on it and it can cause Spanning Tree loops".
This sounds like a warning, however if BPDU filtering is only meant to be used by ports configured with Portfast and ports configured with Portfast are only supposed to link to hosts (Portfast is not supposed to be configured on Trunk links), then where does the possibility of spanning tree loops arise?
And if a switch is mischievously or erroneously connected to a port on my network configured with Portfast and BPDU filtering, then surely it is a good thing that this switch is prevented from becoming the root bridge by design/accident, as my STP topology is protected and remains stable?
Best Regards & TIA,
Agree with Istvan, please check the below post:
Bpdufiltering just disables sending and receiving bpdus on those ports, so the spanning-tree algorithm will not be able to determine if there is a loop in the network.
Those ports will work like there is no stp algorithm at all.
This is why you should enable bpdufiltering only in case if the device connected to the port cannot stand bpdus and you're absolutely sure there is no possibility for loops to form.
Does this answer your question?