Is bpdu filter enable best practice for access ports with portfast

Answered Question
Mar 11th, 2010

Hi,


Could someone please confirm if applying bpdu filter enable on access ports with portfast enabled is best practice?



Thanks

Darren

Jerry Ye Thu, 03/11/2010 - 07:55

Depends on your company's policy. If you want the port to be hard down when someone plugs a switch into a portfast-enabled port, then you should use BPDU guard. If your policy is to allow a switch into a portfast-enabled port, then BPDU filter is a better approach.


HTH,

jerry

darrenriley5 Thu, 03/11/2010 - 09:24

I thought you could use both. BPDU guard to protect a port if it receives a BPDU so error disables the port.

Then BPDU filter simply to stop sending BPDUs from the port.

Correct Answer
Jerry Ye Thu, 03/11/2010 - 09:32

BPDU guard will error-disable the port if it detects a BPDU (another switch).


BPDU filter will turn off portfast if it detects a BPDU.


If a BPDU is received on a Port Fast-enabled interface, the interface loses its Port Fast-operational status, and BPDU filtering is disabled.


http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_44_se/configuration/guide/swstpopt.html#wp1095752


HTH,

jerry

Correct Answer
Leo Laohoo Thu, 03/11/2010 - 14:05

Personally, for an access port, I'd go for STP portfast and BPDU Guard enabled.  For trunk ports I have both disabled.

Correct Answer
Giuseppe Larosa Fri, 03/12/2010 - 02:14

Hello Darren,


>> Could someone please confirm if applying bpdu filter enable on access ports with portfast enabled is best practice?


No, it isn't. Use BPDU guard + portfast; it is safer.


If you search the forums, you will find several issues caused by BPDU filter (possible bridging loops).


Hope to help

Giuseppe

darrenriley5 Fri, 03/12/2010 - 08:33
User Badges:

Many thanks for everyone's replies. A CCIE engineer recently came and configured two Nexus 7000 switches for us and applied the spanning-tree bpduguard enable and spanning-tree bpdufilter enable commands on every access port, which I found strange. Now that I have confirmation, I will remove the spanning-tree bpdufilter command from the access ports.
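
A config audit for the advice given in the answers above (portfast plus BPDU guard on access ports, no BPDU filter), as an added example that is not part of the original thread. The sample config, the interface names and the `parse_interfaces` and `audit` helpers are constructed for illustration, and only per-interface commands are checked, not global spanning-tree defaults.

```python
import re

EDGE = {"spanning-tree portfast", "spanning-tree port type edge"}  # IOS / NX-OS forms
# Constructed sample config; interface names are made up for illustration.
SAMPLE_CONFIG = """\
interface Ethernet1/1
  switchport mode access
  spanning-tree port type edge
  spanning-tree bpduguard enable
  spanning-tree bpdufilter enable
interface Ethernet1/2
  switchport mode access
  spanning-tree port type edge
  spanning-tree bpduguard enable
interface Ethernet1/3
  switchport mode access
  spanning-tree portfast
interface Ethernet1/4
  switchport mode trunk
"""

def parse_interfaces(config):  # -> {interface name: set of stripped sub-commands}
    interfaces, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"interface\s+(\S+)", line):
            current = interfaces.setdefault(m.group(1), set())
        elif current is not None and line[:1].isspace():
            current.add(line.strip())
        else:
            current = None  # any other top-level line ends the block
    return interfaces

def audit(config):
    """Return {interface: [findings]} for access ports (per-interface commands only)."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines:
            continue  # trunks are out of scope for this check
        issues = []
        if "spanning-tree bpdufilter enable" in lines:
            issues.append("bpdufilter enabled: remove it")
        if lines & EDGE and "spanning-tree bpduguard enable" not in lines:
            issues.append("portfast/edge port without bpduguard")
        if issues:
            findings[name] = issues
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

To use it on a real device, pass the saved text of the running configuration to `audit()` in place of `SAMPLE_CONFIG`.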
