Are BPDU guard and BPDU filter enabled per interface when spanning-tree portfast is disabled per interface?

Unanswered Question
Dec 24th, 2009

Dear Experts,

Are BPDU guard and BPDU filter enabled per interface when spanning-tree portfast is disabled per interface?

I have a 48-port 3550 switch, and on this switch many users are connected per interface. That's why I have not been able to configure spanning-tree portfast per interface; it is disabled.

We are facing a huge problem of loops occurring from our users; now I need to control it.

At present I have configured, in global mode, spanning-tree mode pvst and spanning-tree loopguard default, but we are still facing that problem,

but I am confused about whether BPDU guard or BPDU filter is enabled per interface, or whether both are enabled on this switch.

So please suggest what I have to do to control or stop this issue.

Thanks in ADV,

Vaib...

csawest.dc Thu, 12/24/2009 - 23:48

Dear Ganesh,

I am a little bit confused after seeing the details in this link, because there are lots of details.

I only need to know: when spanning-tree portfast is disabled per port, should I configure spanning-tree BPDU guard enable or spanning-tree BPDU filter enable per interface, and can both be enabled? None of the ports has spanning-tree portfast configured manually; at present spanning-tree portfast is disabled on my switch.

Please help me, it is very urgent!!!

Thanks in ADV,

Vaib...

Ganesh Hariharan Fri, 12/25/2009 - 00:16

Hi Vaibhav,

This is text out of the Cisco Press BCMSN book:

"By default, BPDU guard is disabled on all switch ports. You can configure BPDU guard as a global default, affecting all switch ports with a single command. All ports that have PortFast enabled also have BPDU guard automatically enabled."

The PortFast BPDU guard feature prevents loops by moving a nontrunking port into an errdisable state when a BPDU is received on that port. When the BPDU guard feature is enabled on the switch, spanning tree shuts down PortFast-configured interfaces that receive BPDUs, instead of putting them into the spanning tree blocking state. In a valid configuration, PortFast-configured interfaces do not receive BPDUs. If a PortFast-configured interface receives a BPDU, an invalid configuration exists, such as connection of an unauthorized device. The BPDU guard feature provides a secure response to invalid configurations because the administrator must manually put the interface back in service.

BPDU Filtering at the global level will work with Portfast interfaces, and simply kick them out of portfast if a BPDU is received.

BPDU Filtering configured on the interface level will COMPLETELY stop send/receive BPDU, and if you plug in two switches then you may have a loop because they don't 'see' each other as a problem.

Hope this clears up your query!

Regards

Ganesh.H
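
The behaviour described in the answer above, as an added configuration example that is not part of the original posts: the global BPDU guard default only covers PortFast ports, while the interface-level command enables BPDU guard on a port where PortFast stays disabled. Interface numbers and the recovery interval are constructed assumptions.

```cisco
! Constructed example for a Catalyst IOS access switch.
! Interface numbers below are assumptions, not taken from the thread.
!
! Global default: BPDU guard is applied only to ports that run PortFast.
spanning-tree portfast bpduguard default
!
! Port with a single end station: PortFast on, so the global
! BPDU guard default covers it.
interface FastEthernet0/10
 switchport mode access
 spanning-tree portfast
!
! Port where PortFast stays disabled: the global default does not
! apply here, so BPDU guard is enabled explicitly on the interface.
! A received BPDU err-disables the port and every device behind it.
interface FastEthernet0/11
 switchport mode access
 spanning-tree bpduguard enable
!
! Setting to avoid on user-facing ports (left commented out):
! interface-level BPDU filter stops sending and receiving BPDUs,
! so spanning tree cannot see a loop through this port.
! interface FastEthernet0/12
!  spanning-tree bpdufilter enable
!
! Optional: return err-disabled ports to service automatically
! after 300 seconds instead of waiting for a manual shut/no shut.
errdisable recovery cause bpduguard
errdisable recovery interval 300
```

`show spanning-tree summary` reports whether the PortFast BPDU guard default is enabled, and `show interfaces status err-disabled` lists ports that BPDU guard has shut down.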

csawest.dc Fri, 12/25/2009 - 00:25

Dear Ganesh,

Many users are connected per interface on the Cisco 3550, so is it reliable or not to configure portfast on the interface and also enable BPDU guard on the Cisco 3550 when many users are connected per interface?

Thanks in ADV,

Vaib...

Ganesh Hariharan Fri, 12/25/2009 - 00:30

Hi Vaibhav,

Portfast should be enabled on interfaces where you have an end station, so that the port goes directly into the forwarding state, and in order to avoid any looping on a portfast-enabled port, experts recommend enabling BPDU guard as well.

As I already stated, the Portfast with BPDU guard feature prevents loops by moving a nontrunking port into an errdisable state when a BPDU is received on that port. When the BPDU guard feature is enabled on the switch, spanning tree shuts down PortFast-configured interfaces that receive BPDUs, instead of putting them into the spanning tree blocking state. In a valid configuration, PortFast-configured interfaces do not receive BPDUs. If a PortFast-configured interface receives a BPDU, an invalid configuration exists, such as connection of an unauthorized device. The BPDU guard feature provides a secure response to invalid configurations because the administrator must manually put the interface back in service.

Hope that clears up your query!

Regards

Ganesh.H

csawest.dc Fri, 12/25/2009 - 00:38

Dear Ganesh,

So what do you suggest? On my switch, ports 3 to 48 are connected to different IP DSLAMs (meaning any one DSLAM is connected with 60 users per port). Should I go with portfast enabled on ports 3 to 48, and also BPDU guard enabled?

Thanks in adv,

Vaib...

Ganesh Hariharan Fri, 12/25/2009 - 01:18

As for the question you asked regarding BPDU guard and BPDU filter, I think it was answered in my previous post. Now, are ports 3 to 48 connected directly to end stations, or by some other means such as switches or other devices?

If they are directly connected to end stations, then you can apply it; if they are connected to some other device, then I won't recommend doing it before having complete knowledge about the connecting device.

Regards

Ganesh.H
