11-01-2009 06:14 PM - edited 03-06-2019 08:24 AM
Hi Guys,
Is it required for all access switches to have bpdu filter configured on each client's port to avoid plugging in other Cisco/non-Cisco network switches?
Or are there any options that can be used to avoid plugging network switches into our access switches? This may cause a loop if someone plugs a switch into our network.
Thanks in advance.
11-01-2009 06:33 PM
Enabling bpdufilter on a switchport will disable the ability to send and receive bpdus in a switchport. Disabling this feature can cause a loop in a network as you aren't sending spanning-tree information if another switch connects to the switchport where bpdufilter is enabled.
Ideally, you should enable bpduguard on client facing ports. This feature will err-disable the switchport if it receives a bpdu from the connected device. BPDUs are sent by switches but you will find old hubs won't send bpdus so under those circumstances, I recommend implementing port-security with a maximum of 3 if using IP-Phones or maximum of 1 w/o IP-Phones.
Regards
Edison.
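Added example, not part of the original thread: a small Python audit that reads an IOS running-config and flags access ports that carry an interface-level bpdufilter, lack bpduguard, or lack port-security within the MAC limit suggested above (3 with IP phones, 1 without). The sample config, interface names and the function name `audit_access_ports` are constructed for illustration.

```python
import re
# Constructed sample running-config (not from the thread); interface names are made up.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface GigabitEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 3
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/3
 switchport mode access
 switchport port-security
 switchport port-security maximum 10
 spanning-tree portfast
!
interface GigabitEthernet0/24
 switchport mode trunk
"""

def audit_access_ports(config, max_macs=3):
    """Return {interface: [findings]} for access ports that deviate from the advice."""
    # Global bpduguard only applies to ports that are operationally portfast.
    global_guard = "spanning-tree portfast bpduguard default" in config
    findings = {}
    for block in re.split(r"^(?=interface )", config, flags=re.M):
        lines = [l.strip() for l in block.splitlines()]
        if not block.startswith("interface ") or "switchport mode access" not in lines:
            continue  # only client-facing access ports are in scope
        name = lines[0].split(None, 1)[1]
        issues = []
        if "spanning-tree bpdufilter enable" in lines:
            issues.append("bpdufilter enabled on interface")
        portfast = any(l.startswith("spanning-tree portfast") for l in lines)
        if "spanning-tree bpduguard enable" not in lines and not (global_guard and portfast):
            issues.append("bpduguard not enabled")
        if "switchport port-security" not in lines:
            issues.append("port-security not enabled")
        m = re.search(r"^\s*switchport port-security maximum (\d+)", block, re.M)
        if m and int(m.group(1)) > max_macs:
            issues.append(f"port-security maximum {m.group(1)} exceeds {max_macs}")
        if issues:
            findings[name] = issues
    return findings
```

Call `audit_access_ports(config_text, max_macs=1)` for ports without IP phones; trunk ports are skipped on purpose.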
11-02-2009 01:38 AM
Hello Irvine,
I strongly recommend using bpduguard instead:
it will disable the access port if any BPDU is received.
BPDU filter, as explained by other colleagues, can lead to loops in some cases.
I see BPDU filter as a tool for L2 service providers to avoid joining STP domains.
For enterprise access layer switches, BPDU guard is the right tool.
If you search the forums you will find that several people had trouble with STP BPDU filter that caused unexpected loops.
Edit:
Leo: I haven't seen your answer but as you see I totally agree.
Hope to help
Giuseppe
11-01-2009 07:40 PM
Hi Edison,
If I am not wrong, there is a difference in how we enable bpdufilter.
1. If we enable bpdufilter globally and the switchport receives a BPDU, the port disables its portfast and bpdufilter and would act as a normal STP port.
2. If we enable bpdufilter at the interface level, the port would not receive or send BPDUs, and a loop will form.
11-01-2009 09:21 PM
Hi Suryakant,
"1. If we enable bpdufilter globally and the switchport receives a BPDU, the port disables its portfast and bpdufilter and would act as a normal STP port."
Yes, the port becomes a normal STP port (if a BPDU is received on a Port Fast-enabled interface, the interface loses its Port Fast-operational status, and BPDU filtering is disabled).
"2. If we enable bpdufilter at the interface level, the port would not receive or send BPDUs, and a loop will form."
Yes, the port will not send/receive BPDUs. If it receives a BPDU, it will disable STP (also disable bpdufilter) on this port, which will form loops.
Regards,
Anser
11-02-2009 09:14 AM
"If I am not wrong, there is a difference in how we enable bpdufilter."
Correct, there is a difference between global and interface level but neither will help the original poster on his dilemma.
bpduguard and port-security are the right tools.
Regards
Edison
11-01-2009 07:55 PM
Do NOT use or enable BPDU Filter. Use BPDUguard and port security. :)
11-02-2009 09:34 AM
I'm surprised that so many guys are helping with my problem! Thanks to all!
Wow, bpduguard and port security are the solution to prevent other switches from connecting to my access ports :-)
11-04-2009 02:08 PM
There are a lot of combinations to use, but I like BPDUGuard and port security because both options are less labour intensive. I configure both during the prep work, and if the port gets disabled you know what's causing it and no explanation is needed.