bpdufilter no longer using it

Unanswered Question
Jul 16th, 2009
Hi, I know Cisco recommends using bpdufilter but I have now had problems with it. Anyone else using it?


It caused me a network loop: someone on the desktop team patched a cable from one switch to another. portfast, bpduguard and bpdufilter were enabled.


bpdufilter obviously filtered out the BPDUs and caused a network loop, taking down the LAN.


So I'm no longer using this command even if it is recommended by Cisco. Anyone else had experience of bpdufilter?


Are you guys still using it?

andrew.prince@m... Thu, 07/16/2009 - 03:53

bpdufilter is only used on ports that are configured "spanning-tree portfast" and generally the default action is to close the offending switch port.


This would not cause a loop and bring down the LAN - I suggest you check the switch topology and spanning-tree config.

smwager52 Thu, 07/16/2009 - 08:06

Hi Andrew,


Sorry, but that is incorrect: bpdufilter removes BPDUs being sent on the port.


You're getting confused with bpduguard, which shuts the port down if it sees a BPDU.


With bpdufilter enabled the port won't send BPDUs, and so the ports don't get shut down.


Also portfast is enabled so the port goes straight into forwarding.


As bpdufilter was enabled, no BPDUs were being sent, causing a network loop which eventually takes the LAN down as the same packets are passed around the network continuously.


andrew.prince@m... Thu, 07/16/2009 - 08:11

You are correct - I was thinking of something else.


When portfast is enabled on a port, BPDU filtering is enabled by default.


When you do create a loop like that, then user education is required, or you just don't have portfast on user access switches. You may also want to configure broadcast storm suppression.

iyde Sun, 07/19/2009 - 12:50

"When portfast is enabled on a port, BPDU filtering is enabled by default."


Are you sure? I had the understanding that you'd have to actively enable it anyway?

andrew.prince@m... Mon, 07/20/2009 - 00:23

Well, this is the interesting issue - on some switches it is enabled by default, on other switches it's disabled and you have to enable it either globally or on a per-port basis.


It depends on which switch platform/software you are running.

Giuseppe Larosa Thu, 07/16/2009 - 12:44

Hello Stephen,

I totally agree with you.


BPDU filter should be used only when a L2 service provider doesn't want to take part in the customer's STP.


I don't see any use for it in an enterprise environment.


We use bpduguard on user ports with STP portfast (I hope BPDU filter is not enabled by default).


This is only a source of misunderstanding, and you can find multiple threads about the negative effects of STP bpdufilter in this forum.


Hope to help

Giuseppe


Mohamed Sobair Thu, 07/16/2009 - 12:54


Hi Stephen,


Your understanding is correct. In normal cases "BPDU filter" is not applied, and that's within any switching organization.


When "BPDU filter" is applied the switch doesn't forward BPDUs through the interface; it is normally configured when connecting between two different switching networks. The reason behind it is that you want the spanning tree topology between both networks to be isolated.



HTH

Mohamed

andrew.butterworth Sun, 07/19/2009 - 15:18

My understanding is that with BPDU Filter enabled this disables BPDUs from being sent; however, not ALL BPDUs are disabled. The switch should send a few BPDUs when it is initially brought up, and if this is connected to a BPDU Guard enabled port it 'should' disable it. This is the output from a switch I have with BPDU Guard & Filter enabled on an edge port, and you can see there are a few (9) BPDUs that have been sent:


cat-3560-48#sho spanning-tree interface fastEthernet 0/1 detail
Port 3 (FastEthernet0/1) of VLAN0015 is designated forwarding
Port path cost 19, Port priority 128, Port Identifier 128.3.
Designated root has priority 32783, address 0014.6945.4480
Designated bridge has priority 32783, address 0014.6945.4480
Designated port id is 128.3, designated path cost 0
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
The port is in the portfast mode
Link type is point-to-point by default
Bpdu guard is enabled by default
Bpdu filter is enabled by default
Loop guard is enabled by default on the port
BPDU: sent 11, received 0
cat-3560-48#


What you describe isn't (shouldn't be?) the behaviour you experienced.


Andy

nate-miller Mon, 07/20/2009 - 10:28

There's a difference between Portfast on a per-port basis and global usage.



In basic Portfast, the switch will bring the port up immediately in Forwarding mode, but continue to send BPDUs during the life of the connection.



In global BPDUFilter mode, the switch will send BPDUs when the link first comes up, but after a cautious time period (probably equivalent to an STP calculation?) it'll quit sending BPDUs entirely. Also, if the link receives a BPDU, it'll drop the port out of Portfast mode.


In BPDUFilter per-port mode, the switch just won't send BPDUs and ignores everything coming in, period.



Putting BPDUFilter on globally is probably ok. It keeps your sniffer ports free of all the BPDUs the switch is sending towards your machine. :) If a user cross-connects two ports on your edge devices, the system should detect it and run a normal STP calculation.


You can still break the network by hooking up an unmanaged switch (to bring up portfast mode and get past the 30 seconds worth of BPDUs) and then loop two ports on the unmanaged switch towards themselves. [who'd ever do that, you may ask? Never underestimate the power of boredom when somebody's sitting in a conference room with a switch and a patch cable.]



Putting bpdufilter on access ports means that you'll never detect a cross-connect, and it's a bad idea to implement towards your users.
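The per-port versus global distinction Nate describes, and the bpduguard alternative Giuseppe and Andrew prefer, written out as Cisco IOS configuration. This is an added example, not configuration posted by anyone in the thread; the interface names, the errdisable recovery interval and the storm-control threshold are placeholders to adapt to your own platform.

```cisco
! Added example (not from the thread): STP edge-port settings on a Catalyst
! access switch. Interface names, timers and thresholds are placeholders.
!
! --- Risky variant from the thread: per-port filter on an access port ---
! With "spanning-tree bpdufilter enable" on the interface, the port neither
! sends BPDUs nor acts on received ones, so a patch cable looped back into
! the switch (or another switch) is never detected by STP.
interface FastEthernet0/1
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
! --- Preferred variant: guard the edge, do not filter it ---
! Globally err-disable any portfast port the moment a BPDU arrives on it.
spanning-tree portfast bpduguard default
! Leave "spanning-tree portfast bpdufilter default" unset on user switches;
! the global filter stops sending BPDUs once the port has settled.
!
! Optional: recover a guarded port automatically after 300 seconds instead
! of waiting for a manual shut/no shut.
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
interface range FastEthernet0/2 - 24
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter disable
 spanning-tree bpduguard enable
 ! broadcast storm suppression, as suggested earlier in the thread:
 ! shut the port if broadcasts exceed 1% of bandwidth (placeholder value)
 storm-control broadcast level 1.00
 storm-control action shutdown
!
! Verification: in "show spanning-tree interface FastEthernet0/2 detail"
! the port should report Bpdu guard enabled and Bpdu filter disabled;
! "show spanning-tree summary" lists the global portfast defaults.
```

With this arrangement a looped patch cable on an edge port produces an err-disabled interface and a log entry rather than a silent broadcast storm, which is the difference the thread is about: bpduguard turns a cross-connect into a visible event, whereas a per-port bpdufilter hides it.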




Giuseppe Larosa Mon, 07/20/2009 - 23:51

Hello Nate,

Good explanation of the differences.

Rated as it deserves.


I still prefer bpduguard for user ports in an enterprise context.


Best Regards

Giuseppe


nate-miller Tue, 07/21/2009 - 05:30

I prefer BPDUGuard as well. I've had enough bad experiences with BPDUFilter (both globally and per-port!) to not use BPDUFilter if I can help it.


Any time BPDUs and spanning tree are preventing your network from working as designed, you may need to revisit your design...
