BPDU Filter in access switches

gagamboy15
Level 1

Hi Guys,

Is it required for all access switches to have BPDU filter configured on each client port to avoid someone plugging in another Cisco/non-Cisco switch?

Or is there any option that can be used to stop network switches from being plugged into our access switches? This may cause a loop if someone plugs a switch into our network.

Thanks in advance.

2 Accepted Solutions

Edison Ortiz
Hall of Fame

Enabling bpdufilter on a switchport will disable the ability to send and receive bpdus in a switchport. Disabling this feature can cause a loop in a network as you aren't sending spanning-tree information if another switch connects to the switchport where bpdufilter is enabled.

Ideally, you should enable bpduguard on client facing ports. This feature will err-disable the switchport if it receives a bpdu from the connected device. BPDUs are sent by switches but you will find old hubs won't send bpdus so under those circumstances, I recommend implementing port-security with a maximum of 3 if using IP-Phones or maximum of 1 w/o IP-Phones.

Regards

Edison.


Giuseppe Larosa
Hall of Fame

Hello Irvine,

I strongly recommend to use bpduguard instead:

it will disable the access port if any BPDU is received.

BPDU filter, as explained by other colleagues, can lead to loops in some cases.

I see BPDU filter as a tool for L2 service providers to avoid joining STP domains.

For enterprise access layer switches BPDU guard is the right tool.

If you search the forums you will find that several people had trouble with STP BPDU filter causing unexpected loops.

Edit:

Leo: I haven't seen your answer but as you see I totally agree.

Hope to help

Giuseppe


8 Replies


Hi Edison,

If I am not wrong, there is a difference in how we enable bpdufilter.

1. If we enable bpdufilter globally and the switchport receives a BPDU, the port disables its portfast and bpdufilter and the port becomes active as a normal STP port.

2. If we enable bpdufilter at interface level, the port would not receive or send BPDUs, and there a loop will form.

Hi Suryakant,

"1. If we enable bpdufilter globally and the switchport receives a BPDU, the port disables its portfast and bpdufilter and the port becomes active as a normal STP port."

Yes, the port becomes a normal STP port (if a BPDU is received on a Port Fast-enabled interface, the interface loses its Port Fast operational status, and BPDU filtering is disabled).

"2. If we enable bpdufilter at interface level, the port would not receive or send BPDUs, and there a loop will form."

Yes, the port will not send/receive BPDUs. If it receives a BPDU, it will disable STP (and also bpdufilter) on this port, which will form loops.

Regards,

Anser

"If I am not wrong, there is a difference in how we enable bpdufilter."

Correct, there is a difference between global and interface level but neither will help the original poster on his dilemma.

bpduguard and port-security are the right tools.

Regards

Edison
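A configuration that puts Edison's advice (BPDU guard plus port-security, maximum 3 with an IP phone, 1 without) next to the interface-level BPDU filter that Suryakant and Anser describe above. This is an added example, not configuration posted by anyone in the thread; the interface names, VLAN numbers and the err-disable recovery interval are assumptions.

```cisco
! Global: every PortFast edge port gets BPDU guard, and err-disabled
! ports recover on their own after 300 s (assumed value) so a user
! who briefly plugged in a switch does not need a manual shut/no shut.
spanning-tree portfast bpduguard default
errdisable recovery cause bpduguard
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Recommended user port WITH an IP phone: PC behind the phone, so
! allow 3 secure MACs (phone on the voice VLAN, phone on the data
! VLAN for CDP, and the PC). Per-port bpduguard is explicit so the
! protection survives if the global default is ever removed.
interface GigabitEthernet1/0/5
 description user port with IP phone
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation shutdown
!
! Recommended user port WITHOUT an IP phone: one secure MAC only.
! A hub that sends no BPDUs is still caught here, because the second
! MAC seen behind the hub err-disables the port.
interface GigabitEthernet1/0/6
 description user port, no phone
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
!
! NOT recommended: interface-level BPDU filter. The port neither sends
! nor receives BPDUs, so a switch plugged in here is invisible to STP
! and a second cable back into the network forms a loop. The global
! form (spanning-tree portfast bpdufilter default) at least drops the
! filter again once a BPDU arrives; the interface form never does.
interface GigabitEthernet1/0/7
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable
```

Verify with show spanning-tree summary, show port-security interface GigabitEthernet1/0/5 and show interfaces status err-disabled. A port that BPDU guard shut down logs %SPANTREE-2-BLOCK_BPDUGUARD before it goes err-disabled, which tells the helpdesk exactly which port someone plugged a switch into.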

Leo Laohoo
Hall of Fame

Do NOT use or enable BPDU Filter. Use BPDUguard and port security. :)


I'm surprised that so many guys are helping with my problem! Thanks to all!

Wow, bpduguard and port security is the solution to prevent other switches from connecting to my access ports :-)

There are a lot of combinations to use, but I'd like BPDU Guard and port security because both options are less labour intensive. I configure both during the prep work, and if the port gets disabled you know what's causing it and no explanation is needed.
