BPDU Filter

snarayanaraju
Level 4

Dear Experts,

I expect your help in understanding the logic behind BPDU FILTER. I understood that a BPDU FILTER configured port will not send or receive BPDUs. If any BPDU packet is received on the BPDU FILTER configured port, the port will leave the PORT FAST state and start processing the STP, and BPDU FILTER will be disabled (Send & Receive BPDUs) at that moment.

1. Shall I assume that BPDU FILTER is useful only for scenarios where BPDUs should not be sent out of the PORTFAST enabled ports? Anyway, it is going to lose its state upon receiving the BPDUs; we do not have control over receiving BPDUs.

2. Having said that BPDU FILTER configured ports will not receive BPDUs, I observed that when BPDU packets are received on the port, the port starts processing BPDUs and becomes a normal port, leaving the PORT-FAST state.

I hope the explanation is clear for your understanding. Thanks in advance.

sairam

6 Replies

Jon Marshall
Hall of Fame

Sairam

You need to be careful with BPDUfilter. The logic you have described is what happens when a port has spanning-tree portfast enabled and BPDUfilter enabled globally. In this case if a BPDU is received, as you say, the port loses its portfast state, disables BPDUfilter and becomes a normal STP port.

If BPDUfilter is enabled on the interface but not globally then that turns off STP for that port. BPDUfilter per interface is rarely used as far as I am aware and it's quite dangerous if you don't have control over devices connected into ports.

Jon

Ganesh Hariharan
VIP Alumni

Hi Sairam,

With BPDU Filter, it will ignore in/out BPDUs. So you could end up with a loop in your network. BPDU Filtering at the global level will work with Portfast interfaces, and simply kick them out of portfast if a BPDU is received. BPDU Filtering configured on the interface level will completely stop send/receive BPDU, and if you plug in two switches then you may have a loop because they don't 'see' each other as a problem.

Hope to help

Ganesh.H

Mohamed Sobair
Level 7

Hi Sairam,

Normally BPDU filter should be applied on Portfast enabled interfaces OR between ports interconnecting different switches in different domains.

It's used to prevent a port from sending and receiving BPDUs and should be applied on ports connected to interdomain switches not in the same STP domain, for example if you want to isolate an STP domain from another domain.

However, if not applied on the appropriate ports, it could result in spanning-tree loops. In its normal operation, spanning tree relies on continuous receipt of BPDUs to perform all spanning-tree calculations, so missing BPDUs is problematic. On the other hand, missing or sending BPDUs is not important between interdomain or different domains.

HTH

Mohamed

Hi Jon/Ganesh/Mohammed,

Thanks for sharing the concepts with me.

Shall I understand it in this way:

BPDU FILTER will behave differently when it is applied along with PORT FAST (Global Configuration) and when it is applied as a separate command (Interface command).

When applied with PORTFAST, it will not create a problem upon receiving a BPDU, as it is going to remove the PORTFAST capability of the port and the STP process will start, and thus STP will take care of the loop prevention mechanism.

When applied as an individual command inside an interface, it neither sends nor receives BPDUs and thus the chances of a loop are ample.

Please let me know your views, if any.

sairam

Sairam,

Yes, your understanding is right for global enable and when enabled at interface level.

BPDU filter can be configured globally or under the interface level. When configured globally, all portfast enabled ports stop sending and receiving BPDUs, but if a BPDU is received on the port it gets out of the portfast state and participates normally in the spanning tree calculations.

Enabling BPDU filtering at the interface level stops sending or receiving BPDUs on this interface; this is the same as disabling spanning tree on the interface. This is a risky choice unless you are sure that no switch can ever be connected to this port.

Hope to help

Ganesh.H

Yup, just confirmed this in my home lab, complete with a nice STP loop and total meltdown.

I see a mention of this in the command reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.1E/native/command/reference/S1.html#wp1179280

"Use care when entering the spanning-tree bpdufilter enable command. Enabling BPDU filtering on an interface is approximately equivalent to disabling the spanning tree for this interface. It is possible to create bridging loops if this command is not correctly used."

What I don't understand is why does it operate differently on a per-interface level? BPDUGuard works the same whether it's global or per interface. Why is bpdufilter different?
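The global versus per-interface distinction discussed in this thread can be checked in a saved configuration. The following is an added example, not written by any participant or by Cisco: it classifies each interface by which BPDU filter mode applies and lists the ports where STP is effectively off. The sample configuration and the function names `audit_bpdufilter` and `risky_ports` are constructed for illustration, and the script assumes PortFast is set explicitly on each interface (it does not evaluate `spanning-tree portfast default`).

```python
# Constructed sample config for illustration; not taken from the thread.
SAMPLE_CONFIG = """\
spanning-tree portfast bpdufilter default
!
interface GigabitEthernet0/1
 spanning-tree portfast
!
interface GigabitEthernet0/2
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface GigabitEthernet0/3
 switchport mode trunk
!
interface GigabitEthernet0/4
 spanning-tree portfast
 spanning-tree bpdufilter disable
"""

def audit_bpdufilter(config):
    """Map each interface to 'interface-filter', 'global-filter' or 'none'."""
    global_filter, ports, current = False, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            current = line.split(None, 1)[1]
            ports[current] = []
        elif raw.startswith(" ") and current:
            ports[current].append(line)        # sub-command of an interface
        else:                                  # back at global level
            current = None
            if line == "spanning-tree portfast bpdufilter default":
                global_filter = True
    result = {}
    for name, lines in ports.items():
        portfast = any(l.startswith("spanning-tree portfast")
                       and not l.endswith("disable") for l in lines)
        if "spanning-tree bpdufilter enable" in lines:
            result[name] = "interface-filter"  # BPDUs always dropped: STP off
        elif (global_filter and portfast
              and "spanning-tree bpdufilter disable" not in lines):
            result[name] = "global-filter"     # received BPDU restores STP
        else:
            result[name] = "none"
    return result

def risky_ports(config):
    # Ports where an attached switch could form a loop that STP never sees.
    modes = audit_bpdufilter(config)
    return sorted(p for p, m in modes.items() if m == "interface-filter")
```

Ports reported by `risky_ports` are the ones to review against the command reference warning quoted above; ports reported as `global-filter` fall back to normal spanning tree when a BPDU arrives.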
