04-09-2008 06:00 AM - edited 03-05-2019 10:17 PM
Hi All
Could someone please put me straight about BPDU filtering please?
My study material states that BPDU filtering, like BPDU guard, should only be configured on ports configured for Portfast. It appears that BPDU filtering and BPDU guard perform much the same function, though when BPDU filtering is configured on a port, that port does not get put into "err-disabled" state when a BPDU is received.
My study material goes on to explain about the different behaviour between BPDU filtering when configured globally and configured on an interface, which I understand.
My study material states that when configured on an interface, BPDU's received on that interface will be quietly ignored (dropped) and no BPDU's will be sent in return. BPDU filtering is presented as a "good" feature which can help prevent a switch becoming the root bridge if it was mischievously or erroneously connected to an interface configured with Portfast & BPDU filtering.
I have also referenced this Cisco document (http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_25_see/configuration/guide/swstpopt.html#wp1046220)
and under the section titled "Understanding BPDU Filtering" it states that "enabling BPDU filtering on an interface is the same as disabling STP on it and it can cause Spanning Tree loops".
This sounds like a warning, however if BPDU filtering is only meant to be used by ports configured with Portfast and ports configured with Portfast are only supposed to link to hosts (Portfast is not supposed to be configured on Trunk links), then where does the possibility of spanning tree loops arise?
And if a switch is mischievously or erroneously connected to a port on my network configured with Portfast and BPDU filtering, then surely it is a good thing that this switch is prevented from becoming the root bridge by design/accident, as my STP topology is protected and remains stable?
Best Regards & TIA,
Michael
04-09-2008 06:41 AM
Hi Michael,
Bpdufiltering just disables sending and receiving bpdus on those ports, so the spanning-tree algorithm will not be able to determine if there is a loop in the network.
Those ports will work like there is no stp algorithm at all.
This is why you should enable bpdufiltering only if the device connected to the port cannot stand bpdus and you're absolutely sure there is no possibility for loops to form.
Does this answer your question?
Cheers:
Istvan
04-09-2008 06:49 AM
Hi Michael,
Agree with Istvan, please check the below post:
BR,
Mohammed Mahmoud.
04-09-2008 06:35 AM
Michael,
That is the way I understand it to work as well. With bpdufilter enabled, even if a switch was connected to a portfast port, the interface will drop bpdu's.
04-09-2008 06:53 AM
Hi Jason
Cheers, thanks for the confirmation.
Best Regards,
Michael.
04-09-2008 06:57 AM
Hi Mohammed
Thank you for your input and the link, which was really helpful.
Best Regards,
Michael
04-09-2008 07:03 AM
Hi Michael,
Thank you and you are very welcome.
BR,
Mohammed Mahmoud.
04-09-2008 06:52 AM
Hi Istvan
Yet again thank you for your swift response. Yes that pretty much answers my question.
Best Regards,
Michael
04-09-2008 07:30 AM
Hi Michael,
I'm glad I was helpful for you.
Cheers:
Istvan
04-09-2008 06:51 AM
Michael,
This is how I understand it:-
BPDU Guard = if a port receives a BPDU from another switch device or you have created a loop then the switch will close the port in an "err-disabled" state on a portfast enabled port.
BPDU Filter = ignores/does not send any BPDU's on any portfast enabled port.
HTH
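Added example (not part of any post in this thread, and not Cisco's code): a small Python check over an IOS-style running-config that flags interface-level `spanning-tree bpdufilter enable` and Portfast ports with no BPDU guard. The sample configuration and the function name `audit_stp_edge_ports` are constructed for illustration, and treating Portfast without BPDU guard as a finding is a policy assumption.

```python
import re

# Constructed sample running-config for illustration (not from the thread).
SAMPLE_CONFIG = """\
spanning-tree mode pvst
!
interface FastEthernet0/1
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/2
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface FastEthernet0/3
 spanning-tree portfast
!
interface GigabitEthernet0/1
 switchport mode trunk
"""

def audit_stp_edge_ports(config):
    """Return {interface: finding} for risky edge-port STP settings."""
    # Global default applies BPDU guard to every Portfast port.
    global_guard = bool(
        re.search(r"^spanning-tree portfast bpduguard default\s*$", config, re.M))
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), set())
        elif current is not None and line.startswith(" "):
            current.add(line.strip())   # command inside the interface stanza
        else:
            current = None              # "!" or a global command ends the stanza
    findings = {}
    for name, cmds in interfaces.items():
        portfast = "spanning-tree portfast" in cmds
        guard = "spanning-tree bpduguard enable" in cmds or (
            global_guard and "spanning-tree bpduguard disable" not in cmds)
        if "spanning-tree bpdufilter enable" in cmds:
            # Interface-level filter: no BPDUs sent or processed on this port.
            findings[name] = "bpdufilter enabled: STP cannot detect a loop here"
        elif portfast and not guard:
            findings[name] = "portfast without bpduguard: received BPDUs are accepted"
    return findings

if __name__ == "__main__":
    for port, issue in audit_stp_edge_ports(SAMPLE_CONFIG).items():
        print(f"{port}: {issue}")
```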