Is it required for all access switches to have bpdu filter configured on each client's port to prevent other Cisco/non-Cisco network switches from being plugged in?
Or are there any options that can be used to prevent network switches from being plugged into our access switches? This may cause a loop if someone plugs a switch into our network.
Thanks in advance.
I strongly recommend using bpduguard instead:
it will disable the access port if any BPDU is received.
bpdu filter, as explained by other colleagues, can lead to loops in some cases.
I see bpdu filter as a tool for L2 service providers to avoid joining STP domains.
For enterprise access layer switches BPDU guard is the right tool.
If you search the forums you will find that several people had trouble with STP bpdu filter that caused unexpected loops.
Leo: I haven't seen your answer but as you see I totally agree.
Hope to help
Enabling bpdufilter on a switchport will disable the ability to send and receive BPDUs on that switchport. Disabling this feature can cause a loop in a network, as you aren't sending spanning-tree information if another switch connects to the switchport where bpdufilter is enabled.
Ideally, you should enable bpduguard on client-facing ports. This feature will err-disable the switchport if it receives a BPDU from the connected device. BPDUs are sent by switches, but you will find old hubs won't send BPDUs, so under those circumstances I recommend implementing port-security with a maximum of 3 if using IP phones or a maximum of 1 without IP phones.
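An added example, not part of the thread: a small audit that checks a saved running-config for access ports that do not follow the advice in the replies above (bpduguard on, bpdufilter off, port-security present). The config excerpt and interface names are constructed for illustration; the function name is hypothetical.

```python
import re

# Constructed running-config excerpt (illustrative, not from the thread).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport port-security
 switchport port-security maximum 3
!
interface GigabitEthernet1/0/2
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface GigabitEthernet1/0/3
 switchport mode access
 switchport port-security
!
interface GigabitEthernet1/0/24
 switchport mode trunk
!
"""

def audit_access_ports(config):
    """Return {interface: [findings]} for access ports that miss the advice."""
    # The global default applies BPDU guard to every PortFast-enabled port.
    global_guard = bool(re.search(
        r"^spanning-tree portfast (edge )?bpduguard default", config, re.M))
    findings = {}
    # Each stanza starts with "interface <name>" at column 0.
    for stanza in re.split(r"^(?=interface )", config, flags=re.M):
        raw = stanza.splitlines()
        if not raw or not raw[0].startswith("interface "):
            continue
        name = raw[0].split(None, 1)[1]
        # Only indented lines belong to the interface; column-0 lines are global.
        body = [l.strip() for l in raw[1:] if l.startswith(" ")]
        if "switchport mode access" not in body:
            continue  # trunks and uplinks are out of scope for this check
        portfast = any(l.startswith("spanning-tree portfast") and "disable" not in l
                       for l in body)
        issues = []
        if "spanning-tree bpdufilter enable" in body:
            issues.append("bpdufilter enabled")
        if "spanning-tree bpduguard enable" not in body and not (global_guard and portfast):
            issues.append("bpduguard missing")
        if "switchport port-security" not in body:
            issues.append("port-security missing")
        if issues:
            findings[name] = issues
    return findings
```
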