bpdufilter no longer using it

Jul 16th, 2009

Hi, I know Cisco recommends using bpdufilter, but I have now had problems with it. Is anyone else using it?


It caused me a network loop: someone on the desktop team patched a cable from one switch to another. portfast, bpduguard and bpdufilter were enabled.


bpdufilter obviously filtered out the BPDUs and caused a network loop, taking down the LAN.


So I'm no longer using this command, even if it is recommended by Cisco. Has anyone else had experience of bpdufilter?


Are you guys still using it?

smwager52 Thu, 07/16/2009 - 08:06

Hi Andrew,


Sorry, but that is incorrect: bpdufilter removes BPDUs being sent on the port.


You're getting confused with bpduguard, which shuts the port down if it sees a BPDU.


With bpdufilter enabled the port won't send BPDUs, and so the ports don't get shut down.


Also, portfast is enabled, so the port goes straight into forwarding.


As bpdufilter was enabled, no BPDUs were being sent, causing a network loop which eventually takes the LAN down as the same packets are passed around the network continuously.


iyde Sun, 07/19/2009 - 12:50

"When portfast is enabled on a port BPDUfiltering is enabled by default."


Are you sure? I had the understanding that you'd have to actively enable it anyway?

Giuseppe Larosa Thu, 07/16/2009 - 12:44

Hello Stephen,

I totally agree with you.


bpdu filter should be used only when an L2 service provider doesn't want to take part in the customer's STP.


I don't see any use for it in an enterprise environment.


We use bpduguard on user ports with STP portfast (I hope bpdu filter is not enabled by default).


This is only a source of misunderstanding, and you can find multiple threads about the negative effects of STP bpdufilter in this forum.


Hope to help

Giuseppe


Mohamed Sobair Thu, 07/16/2009 - 12:54


Hi Stephen,


Your understanding is correct. In normal cases "BPDU filter" is not applied, and that's within any switching organization.


When "BPDU filter" is applied, the switch doesn't forward BPDUs through the interface; it is normally configured when connecting between two different switching networks. The reason behind it is that you want the spanning tree topology between both networks to be isolated.



HTH

Mohamed

andrew.butterworth Sun, 07/19/2009 - 15:18

My understanding is that with BPDU Filter enabled this disables BPDUs from being sent; however, not ALL BPDUs are disabled. The switch should send a few BPDUs when it is initially brought up, and if this is connected to a BPDU Guard enabled port it 'should' disable it. This is the output from a switch I have with BPDU Guard & Filter enabled on an edge port, and you can see there are a few (9) BPDUs that have been sent:


cat-3560-48#sho spanning-tree interface fastEthernet 0/1 detail
Port 3 (FastEthernet0/1) of VLAN0015 is designated forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.3.
   Designated root has priority 32783, address 0014.6945.4480
   Designated bridge has priority 32783, address 0014.6945.4480
   Designated port id is 128.3, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port is in the portfast mode
   Link type is point-to-point by default
   Bpdu guard is enabled by default
   Bpdu filter is enabled by default
   Loop guard is enabled by default on the port
   BPDU: sent 11, received 0
cat-3560-48#


What you describe isn't (shouldn't be?) the behaviour you experienced.


Andy

nate-miller Mon, 07/20/2009 - 10:28

There's a difference between per-port usage and global usage of Portfast.



In basic Portfast, the switch will bring the port up immediately in Forwarding mode, but continue to send BPDUs during the life of the connection.



In global BPDUFilter mode, the switch will send BPDUs when the link first comes up, but after a cautious time period (probably equivalent to an STP calculation?) it'll quit sending BPDUs entirely. Also, if the link receives a BPDU, it'll drop the port out of Portfast mode.


In BPDUfilter per-port mode, the switch just won't send BPDUs and will ignore everything coming in, period.



Putting BPDUFilter on globally is probably OK. It keeps your sniffer ports free of all the BPDUs the switch is sending towards your machine. :) If a user cross-connects two ports on your edge devices, the system should detect it and run a normal STP calculation.


You can still break the network by hooking up an unmanaged switch (to bring up portfast mode and get past the 30 seconds worth of BPDUs) and then loop two ports on the unmanaged switch towards themselves. [who'd ever do that, you may ask? Never underestimate the power of boredom when somebody's sitting in a conference room with a switch and a patch cable.]



Putting bpdufilter on access ports means that you'll never detect a cross-connect, and it's a bad idea to implement towards your users.
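
Added example (not posted by anyone in this thread, and not taken from Cisco documentation): the two ways of applying the filter that Nate contrasts, next to the bpduguard-only edge-port configuration the thread recommends. IOS syntax and behaviour are assumed from the Catalyst 3560 era of the quoted output; the interface names are placeholders.

```cisco
! --- Global form (Nate's "global BPDUFilter mode") ---
! Applies only to ports in operational portfast state. On link-up the port still
! sends a handful of BPDUs; if a BPDU is ever received, portfast and the filter
! are dropped and the port runs normal STP, so a cross-connect is detected.
spanning-tree portfast bpdufilter default
spanning-tree portfast bpduguard default
!
! --- Per-port form (the configuration that caused the loop in the thread) ---
! Unconditional: the port never sends a BPDU and ignores any it receives, so a
! patch cable between two such ports creates a loop that STP can never see.
interface FastEthernet0/2
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
! --- Recommended user-port configuration (Giuseppe / Nate) ---
! portfast for fast convergence, bpduguard so a received BPDU err-disables the
! port instead of being filtered; no bpdufilter on the interface at all.
interface FastEthernet0/3
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Optional: bring a guard-disabled port back automatically after 5 minutes so a
! helpdesk visit is not needed for every offending patch cable.
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! Verification (the "by default" suffix in the quoted show output means the
! setting came from the global command rather than from the interface):
! show spanning-tree summary
! show spanning-tree interface FastEthernet0/3 detail
! show interfaces status err-disabled
```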




Giuseppe Larosa Mon, 07/20/2009 - 23:51

Hello Nate,

Good explanation of the differences.

Rated as it deserves.


I still prefer bpduguard for user ports in an enterprise context.


Best Regards

Giuseppe


nate-miller Tue, 07/21/2009 - 05:30

I prefer BPDUGuard as well; I've had enough bad experiences with BPDUFilter (both globally and per-port!) to not use BPDUFilter if I can help it.


Any time BPDUs and spanning tree are preventing your network from working as designed, you may need to revisit your design...
