Questioning benefit of 'bpdufilter' in my case

May 22nd, 2009

For a switchport which should have hosts connected to it, is there any benefit in doing:

!
int fa0/1
 switchport mode access
 switchport access vlan 10
 spanning-tree bpdufilter enable <===
 spanning-tree bpduguard enable
end
!


To my understanding, if I do 'bpduguard enable', that should give me protection against STP loops.


Can anyone give me valid reasons to enable bpdufilter as well in this case, where I want only hosts connected?


John Blakley Fri, 05/22/2009 - 07:55

Bpdufilter will disable spanning-tree on that port if it's configured on the interface. If it's configured globally, it will silently put a port that has "spanning-tree portfast" configured back to a normal port once it has received a BPDU.


In your case, if you have a user that connects a switch to your network, it could cause a loop in your network. Personally, I would enable bpdufilter globally, and then configure spanning-tree portfast on the port for hosts.


HTH,

John

BPDU filtering discards INCOMING and OUTGOING BPDUs on the given port.


BPDU guard discards the INCOMING BPDU and puts the port into the Error Disable state. Note that BPDUs will still be sent OUT this port.


I think the only valid reason is to prevent the switch from sending BPDUs out to the machine. A low-security area might be a good reason. Why send switch BPDUs out to insecure devices (i.e. a public area)?


The real question is....


Are they mutually exclusive?


When you turn on bpdufilter does it override bpduguard or vice-versa?

rakesh.hegde Mon, 05/25/2009 - 11:44

Hi,


You can have both on a switchport, but bpdufilter will override bpduguard. One scenario where you need bpdufilter only is on a PE edge switch port tunneling STP BPDUs (L2 protocol tunneling, not dot1q). You don't want to mess up the downstream (CE) switch with the PE switch's local BPDUs.

This is automatically enabled if you are doing dot1q tunneling.

HTH,

-Rakesh
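
To make the precedence rules from these replies concrete, here is a small added model (written for this thread, not Cisco code) of how one access port reacts to a single received BPDU under each configuration discussed: bpduguard alone, interface bpdufilter alone, both together (filter overrides guard, as Rakesh says), and global bpdufilter with portfast (the port quietly loses portfast and reverts to normal STP, as John says). Port names, the state labels and the single-BPDU simplification are assumptions of the model; the combination of global bpdufilter with bpduguard is not described in the thread, so the model refuses to guess about it.

```python
# Added illustration for this thread (not Cisco code): a toy model of how an
# access port reacts to one received BPDU under the features discussed above.
# It encodes only the behaviour the replies describe; real IOS has more detail
# (e.g. the few BPDUs a globally filtered portfast port still sends at link-up).
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Model states (labels chosen here, not IOS terminology)
FORWARDING = "forwarding"
ERR_DISABLED = "err-disabled"
NORMAL_STP = "normal STP (portfast removed)"


@dataclass
class AccessPort:
    name: str
    portfast: bool = False
    bpduguard: bool = False           # 'spanning-tree bpduguard enable' on the interface
    bpdufilter: bool = False          # 'spanning-tree bpdufilter enable' on the interface
    global_bpdufilter: bool = False   # 'spanning-tree portfast bpdufilter default' (global)
    state: str = FORWARDING
    log: List[str] = field(default_factory=list)

    def filtering(self) -> bool:
        """Interface-level filter is unconditional; the global one only applies
        while the port still has portfast."""
        return self.bpdufilter or (self.global_bpdufilter and self.portfast)

    def sends_bpdus(self) -> bool:
        """bpdufilter stops BPDUs leaving the port; bpduguard alone does not.
        An err-disabled port sends nothing at all."""
        return self.state != ERR_DISABLED and not self.filtering()

    def receive_bpdu(self) -> str:
        """One BPDU arrives (e.g. from a consumer switch a user plugged in)."""
        if self.bpdufilter:
            # Filter overrides guard: the BPDU is dropped before guard sees it,
            # so the port stays forwarding and the extra switch is never noticed.
            self.log.append(f"{self.name}: BPDU dropped by interface bpdufilter, port stays {self.state}")
            return self.state
        if self.global_bpdufilter and self.portfast:
            if self.bpduguard:
                # The thread does not describe this mix; refuse to guess.
                raise NotImplementedError("global bpdufilter + bpduguard not modelled")
            self.portfast = False
            self.state = NORMAL_STP
            self.log.append(f"{self.name}: BPDU seen, portfast and global filter removed, port runs normal STP")
            return self.state
        if self.bpduguard:
            self.state = ERR_DISABLED
            self.log.append(f"{self.name}: BPDU seen, bpduguard err-disabled the port")
            return self.state
        self.log.append(f"{self.name}: BPDU handed to STP like on any other port")
        return self.state


def scenario_table() -> Dict[str, Tuple[bool, str, bool]]:
    """For each configuration from the thread: (sends BPDUs before, state after
    one received BPDU, sends BPDUs after)."""
    ports = {
        "bpduguard only": AccessPort("fa0/1", portfast=True, bpduguard=True),
        "bpdufilter only": AccessPort("fa0/2", portfast=True, bpdufilter=True),
        "bpdufilter + bpduguard": AccessPort("fa0/3", portfast=True, bpdufilter=True, bpduguard=True),
        "global bpdufilter + portfast": AccessPort("fa0/4", portfast=True, global_bpdufilter=True),
    }
    result = {}
    for label, port in ports.items():
        before = port.sends_bpdus()
        state = port.receive_bpdu()
        result[label] = (before, state, port.sends_bpdus())
    return result


def loop_detectable(label: str) -> bool:
    """The point the thread turns on: after a second switch sends a BPDU, does
    the port do something STP can act on, or does it keep forwarding blindly?"""
    _, state, _ = scenario_table()[label]
    return state != FORWARDING


if __name__ == "__main__":
    for label, (before, state, after) in scenario_table().items():
        print(f"{label:30} sends before={before!s:5} state after={state!r:32} sends after={after}")
```

Running it shows the asymmetry the replies describe: the guard-only port is the one that reacts to a surprise BPDU, both filter configurations keep forwarding as if nothing happened, and the globally filtered port is the only one that silently changes from an edge port into a normal STP port.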

Giuseppe Larosa Fri, 05/22/2009 - 11:38

Hello Marlon,

I would stay away from BPDU filter; it is not the right tool to protect switches in an enterprise environment.

The right tool is BPDU guard.


By the way, there is a lot of misunderstanding about these two tools.


There have been different threads of people that used BPDU filter and had their network torn down by a bridging loop formed by a user installing a consumer switch or even connecting two ports of the same switch with a cable (yes, this can also happen; you cannot know what users do).

The reason is that BPDU filter is of no help in detecting loops, because it stops BPDUs from being sent and received.


For example there is a recent thread where Bret and I have contributed.


We use BPDU guard + STP portfast + storm control 1% on user ports (where possible; this varies from site to site).


Hope to help

Giuseppe
