It would seem that Cisco has a different opinion: BPDU Filter Disabled on Access Ports Campus Manager reports a Best Practice Deviation when BPDU Filter is not enabled on access ports. Impact BPDU filtering allows you to avoid transmitting BPDUs on PortFast-enabled ports that are connected to an end system. When you enable PortFast on the switch, spanning tree places ports in the forwarding state immediately, instead of going through the listening, learning, and forwarding states. By default, spanning tree sends BPDUs from all ports regardless of whether PortFast is enabled. BDPUFilter can be enabled for each port or globally. When you enable BPDUFilter globally, it applies to all PortFast-enabled ports on the switch. When you disable PortFast on a port, the BPDU Filter that was globally enabled on the PortFast enabled port is also disabled. Fix Campus Manager provides commands for enabling BPDU Filter on access ports. To fix the Best Practice Deviation on switches using Catalyst operating system:

That's interesting.  Do you have a reference to that document?

It seems dangerous to me.  If you put bpdufilter on your access ports, then you could melt down the network with just a crossed cable between two access ports.  This is easier to do accidentlaly than you might imagine.  I could mention the user who noticed he had two RJ-45s on his IP telephone and decided to implement link redundancy by connecting both of them to access ports.  Fortunately we had no bpdufilter, and we had bpduguard which shut down one of the ports.  (But not before port security had stickied a few MAC addresses that had nothing to do with the ports in question, but just happened to be broadcasting at that instant. )

Kevin Dorrell

Luxembourg

That's interesting.  So if I understand you correctly, you are saying there is a difference in behaviour between bpdu filter when set globally (and therefore implied on the portfast port) and bpdu filter when configured explicitly on the port.  I'll try that out in the lab next time I get a chance.

Kevin Dorrell

Luxembourg

Well tdistlists, I tried this out in the lab, and you are absolutely right.

1. I put two ports into portfast and connected them with a crossed cable.  Of course one of them went immediately into blocking.
2. I then shut them both, gave them spanning-tree bpdufilter enable, and no shut them.  Instant meltdown loop.  (I had a router on the VLAN to generate a b/c).
3. I then shut them down, no spanning-tree bpdufilter enable, but re-applied it globally, then no shut the ports.  The ports came out of bpdufilter and portfast, and one of them went into blocking.

In fact, it seems that if you have bpdufilter enabled globally, the port still sends one or two BPDUs as it comes up.  I guess this is done precisely to deal with this situation, where you (accidentally) connect two ports, both with "bpdufilter by default", together with a crossed cable.  That initial BPDU will take the other port out of portfast and bpdufilter.

I can still think of one situation where this could be dangerous.  Consider a switch with portfast on by default and bpdufilter enabled by default.  It does not matter what bpduguard is.  Now connect a dumb supermarket switch to each of two access ports.  The two switchports are now up, and they are in portfast, and they have finished sending their initial BPDUs.  Now cross connect the two dumb switches.  I think that will melt down the network.

Thanks again for pointing out this behaviour.

Kevin Dorrell

Luxembourg