BPDU Filter in access switches

Nov 1st, 2009

Hi Guys,


Is it required for all access switches to have bpdu filter configured on each client's port to avoid someone plugging in other Cisco/non-Cisco network switches?

Or are there any other options that can be used to avoid network switches being plugged into our access switches? This may cause a loop if someone plugs a switch into our network.


Thanks in advance.

Correct Answer
Edison Ortiz Sun, 11/01/2009 - 18:33

Enabling bpdufilter on a switchport will disable the ability to send and receive BPDUs on that switchport. Disabling this feature can cause a loop in a network, as you aren't sending spanning-tree information if another switch connects to the switchport where bpdufilter is enabled.

Ideally, you should enable bpduguard on client-facing ports. This feature will err-disable the switchport if it receives a BPDU from the connected device. BPDUs are sent by switches, but you will find old hubs won't send BPDUs, so under those circumstances I recommend implementing port-security with a maximum of 3 if using IP phones or a maximum of 1 without IP phones.


Regards


Edison.

suryakant.chavan Sun, 11/01/2009 - 19:40

Hi Edison,


If I am not wrong, there is a difference in how we enable bpdufilter.

1. If we enable bpdufilter globally and the switchport receives a BPDU, the port disables its portfast and bpdufilter, and the port becomes active as a normal STP port.

2. If we enable bpdufilter at the interface level, the port will not receive or send BPDUs, and a loop will form.



Muhammad Anser Khan Sun, 11/01/2009 - 21:21

Hi Suryakant,


"1. If we enable bpdufilter globally and the switchport receives a BPDU, the port disables its portfast and bpdufilter, and the port becomes active as a normal STP port."

Yes, the port becomes a normal STP port (if a BPDU is received on a Port Fast-enabled interface, the interface loses its Port Fast operational status, and BPDU filtering is disabled).

"2. If we enable bpdufilter at the interface level, the port will not receive or send BPDUs, and a loop will form."

Yes, the port will not send/receive BPDUs. If it receives a BPDU, it will disable STP (and also disable bpdufilter) on this port, which will form loops.


Regards,

Anser

Edison Ortiz Mon, 11/02/2009 - 09:14

"If I am not wrong, there is a difference in how we enable bpdufilter."


Correct, there is a difference between global and interface level but neither will help the original poster on his dilemma.


bpduguard and port-security are the right tools.


Regards


Edison
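As an added example (not from the thread or from Cisco), a small Python audit that parses an IOS-style running-config and flags access ports that rely on interface-level or global bpdufilter, or that lack the bpduguard and port-security controls recommended above. The sample config, interface names and finding text are constructed for illustration.

```python
# Constructed sample config (not from the thread): Gi1/0/1 has interface-level bpdufilter; Gi1/0/2 has the recommended bpduguard plus port-security maximum 3 for an IP-phone port.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport voice vlan 100
 switchport port-security
 switchport port-security maximum 3
 spanning-tree portfast
 spanning-tree bpduguard enable
"""

def parse_config(text):  # split IOS-style text into global commands and per-interface sub-commands
    global_cmds, interfaces, current = [], {}, None
    for line in text.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]
            interfaces[current] = []
        elif line.startswith(" ") and current:
            interfaces[current].append(line.strip())
        else:  # "!" or a global command ends the current interface block
            current = None
            if line and line != "!":
                global_cmds.append(line)
    return global_cmds, interfaces

def audit(text):
    """Return {interface: [findings]} for access ports missing the thread's controls."""
    global_cmds, interfaces = parse_config(text)
    global_filter = "spanning-tree portfast bpdufilter default" in global_cmds
    global_guard = "spanning-tree portfast bpduguard default" in global_cmds
    findings = {}
    for name, cmds in interfaces.items():
        if "switchport mode access" not in cmds:
            continue  # trunks/uplinks are out of scope here
        portfast, issues = "spanning-tree portfast" in cmds, []
        if "spanning-tree bpdufilter enable" in cmds:
            issues.append("interface bpdufilter: BPDUs neither sent nor received, loop risk")
        elif global_filter and portfast:
            issues.append("global bpdufilter default: reverts to normal STP on a BPDU, no err-disable")
        if "spanning-tree bpduguard enable" not in cmds and not (global_guard and portfast):
            issues.append("no bpduguard: a BPDU from a rogue switch will not err-disable the port")
        if "switchport port-security" not in cmds:
            issues.append("no port-security: hubs send no BPDUs, so a MAC limit is the backstop")
        if issues:
            findings[name] = issues
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports three findings for GigabitEthernet1/0/1 and none for GigabitEthernet1/0/2.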

Leo Laohoo Sun, 11/01/2009 - 19:55

Do NOT use or enable BPDU Filter. Use BPDUguard and port security. :)

Correct Answer
Giuseppe Larosa Mon, 11/02/2009 - 01:38

Hello Irvine,

I strongly recommend using bpduguard instead:

it will disable the access port if any BPDU is received.

bpdu filter, as explained by other colleagues, can lead to loops in some cases.

I see bpdu filter as a tool for L2 service providers to avoid joining STP domains.

For enterprise access layer switches, BPDU guard is the right tool.

If you search the forums you will find that several people had trouble with STP bpdu filter causing unexpected loops.



Edit:

Leo: I haven't seen your answer but as you see I totally agree.


Hope to help

Giuseppe



gagamboy15 Mon, 11/02/2009 - 09:34

I'm surprised that so many guys are helping with my problem! Thanks to all!

Wow, bpduguard and port security is the solution to prevent other switches from connecting to my access ports :-)



Leo Laohoo Wed, 11/04/2009 - 14:08

There are a lot of combinations to use, but I'd like the BPDUGuard and port security because both options are less labour intensive. I configure both during the prep work, and if the port gets disabled you know what's causing it and no explanation is needed.
