BPDU Filter in access switches

Answered Question
Nov 1st, 2009

Hi Guys,

Is it required for all access switches to have BPDU filter configured on each client port to prevent someone plugging in another network switch (Cisco or non-Cisco)?

Or are there any options we can use to prevent network switches being plugged into our access switches? This may cause a loop if someone plugs a switch into our network.

Thanks in advance.

Correct Answer
Edison Ortiz Sun, 11/01/2009 - 18:33

Enabling bpdufilter on a switchport will disable the ability to send and receive BPDUs on that switchport. Disabling this ability can cause a loop in the network, as you aren't sending spanning-tree information if another switch connects to the switchport where bpdufilter is enabled.

Ideally, you should enable bpduguard on client-facing ports. This feature will err-disable the switchport if it receives a BPDU from the connected device. BPDUs are sent by switches, but you will find old hubs won't send BPDUs, so under those circumstances I recommend implementing port-security with a maximum of 3 if using IP phones or a maximum of 1 without IP phones.

Regards

Edison.
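The access-port configuration Edison describes, written out as an added example (not a configuration posted in the original thread). The weak setting and the corrected one are shown side by side; the interface names, VLAN numbers and the err-disable recovery interval are assumed for illustration.

```cisco
! Added example, not from the original post: BPDU guard plus port-security on
! enterprise access ports. Interface names, VLANs and the recovery interval
! are assumptions, not values from the thread.

! --- weak setting: what the original poster was considering ---
! interface GigabitEthernet1/0/10
!  spanning-tree portfast
!  spanning-tree bpdufilter enable     ! port neither sends nor receives BPDUs,
!                                      ! so a switch plugged in here is invisible
!                                      ! to STP and a second link forms a loop

! --- corrected setting ---
! Every PortFast port gets BPDU guard unless overridden per interface
spanning-tree portfast bpduguard default

! Let err-disabled ports come back by themselves after 5 minutes (assumed
! interval) so a desk move does not need a ticket; the port will simply be
! shut again if the offending device is still there
errdisable recovery cause bpduguard
errdisable recovery cause psecure-violation
errdisable recovery interval 300

! Client port without an IP phone: exactly one MAC address allowed
interface GigabitEthernet1/0/10
 description USER-PORT
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable         ! explicit per-port, in addition to the
                                        ! global default
 spanning-tree bpdufilter disable       ! make sure no filter is left behind
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown

! Client port with an IP phone and a PC behind it: phone plus PC
interface GigabitEthernet1/0/11
 description USER-PORT-WITH-PHONE
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree bpdufilter disable
 switchport port-security
 switchport port-security maximum 3     ! Edison's figure for phone + PC
 switchport port-security violation shutdown
```

The two features cover different failure modes. BPDU guard catches any device that speaks spanning tree (a Cisco or non-Cisco switch with STP enabled) the moment its first BPDU arrives. A hub, or a switch with STP turned off, sends no BPDUs, so it gets past BPDU guard; port-security catches it instead, because the extra MAC addresses learned behind it exceed the maximum and the port is err-disabled. To check what happened on a port, use `show interfaces status err-disabled` (the reason column shows `bpduguard` or `psecure-violation`), `show port-security interface GigabitEthernet1/0/10` and `show spanning-tree summary`.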

suryakant.chavan Sun, 11/01/2009 - 19:40

Hi Edison,

If I am not wrong, there is a difference depending on how we enable bpdufilter.

1. If we enable bpdufilter globally, and the switchport receives a BPDU, the port disables its portfast and bpdufilter and becomes active as a normal STP port.

2. If we enable bpdufilter at the interface level, the port will not receive or send BPDUs, and a loop will form.

Muhammad Anser Khan Sun, 11/01/2009 - 21:21

Hi Suryakant,

"1. If we enable bpdufilter globally, and the switchport receives a BPDU, the port disables its portfast and bpdufilter and becomes active as a normal STP port."

Yes, the port becomes a normal STP port. (If a BPDU is received on a Port Fast-enabled interface, the interface loses its Port Fast operational status, and BPDU filtering is disabled.)

"2. If we enable bpdufilter at the interface level, the port will not receive or send BPDUs, and a loop will form."

Yes, the port will not send/receive BPDUs. If it receives a BPDU, it will disable STP (and also bpdufilter) on this port, which will form loops.

Regards,

Anser

Edison Ortiz Mon, 11/02/2009 - 09:14

"If I am not wrong, there is a difference depending on how we enable bpdufilter."

Correct, there is a difference between global and interface level but neither will help the original poster on his dilemma.

bpduguard and port-security are the right tools.

Regards

Edison
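The two ways of enabling BPDU filter that Suryakant and Anser compare, shown side by side as an added example (not configuration from the original thread). The interface names are assumed.

```cisco
! Added example, not from the original thread: global versus interface-level
! BPDU filter. Interface names are assumptions.

! (1) Global PortFast BPDU filter. It applies only to ports that are in the
!     PortFast state. Such a port sends a few BPDUs right after link-up and
!     then stops. If a BPDU ever arrives, the port loses PortFast and BPDU
!     filtering and falls back to normal STP (listening, learning), so a
!     switch plugged in here is still detected by STP, just not shut down.
spanning-tree portfast bpdufilter default

interface GigabitEthernet1/0/12
 description FILTER-VIA-GLOBAL-DEFAULT
 switchport mode access
 spanning-tree portfast

! (2) Interface-level BPDU filter. Unconditional: the port drops incoming
!     BPDUs and sends none, whether or not PortFast is in effect. STP is in
!     practice switched off on this port. A second cable between this port
!     and another switch, or a looped patch lead, is never seen by STP,
!     which is how the loop forms.
interface GigabitEthernet1/0/13
 description FILTER-VIA-INTERFACE
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable

! Verify which mode a port is really in:
!   show spanning-tree interface GigabitEthernet1/0/13 detail
!     -> the "Bpdu filter is enabled" line is printed only for the
!        interface-level form
!   show spanning-tree summary
!     -> the "Portfast BPDU Filter Default" line shows the global state
```

The practical difference is what the switch does with the first BPDU that arrives. With the global form, the filter silently turns itself off and the port joins the STP topology, so a rogue switch is tolerated rather than blocked; with the interface form the BPDU is dropped, nobody learns about the extra switch, and the only thing protecting the network is the absence of a second path. Neither form tells you anything, which is why the thread settles on BPDU guard and port-security, both of which err-disable the port and leave a reason in `show interfaces status err-disabled`.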

Leo Laohoo Sun, 11/01/2009 - 19:55

Do NOT use or enable BPDU Filter. Use BPDUguard and port security. :)

Correct Answer
Giuseppe Larosa Mon, 11/02/2009 - 01:38

Hello Irvine,

I strongly recommend using bpduguard instead:

it will disable the access port if any BPDU is received.

BPDU filter, as explained by other colleagues, can lead to loops in some cases.

I see BPDU filter as a tool for L2 service providers to avoid joining STP domains.

For enterprise access layer switches, BPDU guard is the right tool.

If you make a search in the forums you will find that several people had troubles with STP BPDU filter that caused unexpected loops.

Edit:

Leo: I hadn't seen your answer, but as you see I totally agree.

Hope to help

Giuseppe

gagamboy15 Mon, 11/02/2009 - 09:34

I'm surprised that so many guys are helping with my problem! Thanks to all!

Wow, bpduguard and port security are the solution to prevent other switches connecting to my access ports :-)

Leo Laohoo Wed, 11/04/2009 - 14:08

There are a lot of combinations to use, but I like BPDU guard and port security because both options are less labour intensive. I configure both during the prep work, and if the port gets disabled you know what's causing it and no explanation is needed.
