Port Fast and BPDU Filtering

Unanswered Question
Dec 5th, 2009


Dear All,


1) Port Fast Feature:


I read about port fast. It says that enabling STP port fast on an access port where PCs or servers are connected causes the port to go to the forwarding state immediately, bypassing the listening and learning states, but my confusion is how that port gets into the forwarding state when a PC is connected.


Please clarify this for me ASAP.


2) BPDU Filtering Feature:


When I read about this feature in the BCMSN book, the first paragraph says that it prevents switches from sending BPDUs on portfast-enabled interfaces; portfast-enabled interfaces connected to PCs hence don't participate in STP and drop the received BPDUs.


The very next paragraph says that, if globally enabled, the switch changes the interface back to normal STP operation if the port receives a BPDU on the respective interface. If a portfast-enabled interface receives a BPDU, it immediately loses its portfast status with BPDU filtering enabled.


It also says: CAUTION: configuring BPDU filtering on a port connected to another switch may result in a bridging loop; use caution when deploying BPDU filtering. BPDU filtering is not a recommended configuration.


What does all this mean?


Please help me!


Thanks and Regards,

sourabh

Giuseppe Larosa Sat, 12/05/2009 - 23:48

Hello Sourabh,

The question of STP portfast and BPDU filtering has been discussed many times in the forums.


I and others think that BPDU guard is the right tool to be used on access layer switches on an enterprise network.


Sending STP BPDUs out an access port is not a problem: they are discarded by PC NICs or router interfaces with no problems.


It is a problem to have switch ports that don't send out BPDUs, because if by accident two ports are connected with a cable, even in the same switch, there is no way for the involved devices to detect this and a bridging loop forms.


BPDU guard behaves in the opposite way: it allows BPDUs to be sent out the port but if any BPDU is received the port is placed in error disabled state.


This makes BPDU guard the right tool for access ports and for detecting user-inserted unmanaged switches: end users always try to add LAN ports on their own instead of asking for more ports from ICT people.


There are also many threads from colleagues who had trouble with BPDU filtering used on access layer devices that caused (un)expected bridging loops.


I think that BPDU filtering was introduced first and it has been listed as a security feature. I have some older IOS-based switches that support BPDU filter and don't support BPDU guard.

However, we haven't enabled STP bpdu filter on any port and we use bpdu guard + storm control 1% on all devices that support these features.


I think BPDU filter can be useful for a L2 service provider that doesn't want to join its spanning-tree domain with that of its customers.


Hope to help

Giuseppe
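
An added example, not part of the thread or either poster's configuration: a Python audit over a constructed IOS-style running-config excerpt that reports, per access port, whether BPDU filter is active, BPDU guard is not active, or storm control is missing, following the practice described in the reply above. The function name, sample config and finding strings are assumptions, and the command syntax assumed is classic IOS (`spanning-tree portfast`, not the newer `portfast edge` form).

```python
# Constructed IOS-style running-config excerpt (sample input, not from the thread).
SAMPLE_CONFIG = """\
spanning-tree portfast bpduguard default
interface GigabitEthernet0/1
 switchport mode access
 spanning-tree portfast
 storm-control broadcast level 1.00
interface GigabitEthernet0/2
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable
 storm-control broadcast level 1.00
interface GigabitEthernet0/3
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard disable
interface GigabitEthernet0/24
 switchport mode trunk
"""

def audit_access_ports(config):
    """Return {interface: [findings]} for every access port in the config."""
    lines = config.splitlines()
    guard_default = "spanning-tree portfast bpduguard default" in lines
    filter_default = "spanning-tree portfast bpdufilter default" in lines
    stanzas, body = {}, None
    for line in lines:
        if line.startswith("interface "):
            body = stanzas.setdefault(line.split()[1], set())
        elif body is not None and line.startswith(" "):
            body.add(line.strip())
        else:
            body = None  # "!" or a global command ends the interface stanza
    report = {}
    for name, cmds in stanzas.items():
        if "switchport mode access" not in cmds:
            continue  # trunks and uplinks are out of scope for this check
        portfast = "spanning-tree portfast" in cmds
        # Guard applies per port, or via the global default on PortFast ports.
        guarded = "spanning-tree bpduguard enable" in cmds or (
            guard_default and portfast and "spanning-tree bpduguard disable" not in cmds)
        filtered = "spanning-tree bpdufilter enable" in cmds or (filter_default and portfast)
        storm = any(c.startswith("storm-control ") for c in cmds)
        checks = {"bpdufilter active": filtered, "bpduguard not active": not guarded,
                  "no storm-control": not storm}
        report[name] = [msg for msg, bad in checks.items() if bad]
    return report
```

An empty list for a port means none of the three conditions was found on it.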
