Cisco Support Community
Community Member

bpdufilter no longer using it

Hi, I know Cisco recommends using bpdufilter, but I have now had problems with it. Is anyone else using it?

It caused me a network loop: someone on the desktop team patched a cable from one switch to another. portfast, bpduguard and bpdufilter were enabled.

bpdufilter obviously filtered out the BPDUs and caused a network loop, taking down the LAN.

So I'm no longer using this command even if it is recommended by Cisco. Has anyone else had experience of bpdufilter?

Are you guys still using it?

11 REPLIES

Re: bpdufilter no longer using it

bpdufilter is only used on ports that are configured with "spanning-tree portfast", and generally the default action is to close the offending switch port.

This would not cause a loop and bring down the LAN. I suggest you check the switch topology and spanning-tree config.

Community Member

Re: bpdufilter no longer using it

Hi Andrew,

Sorry, but that is incorrect: bpdufilter removes BPDUs being sent on the port.

You're getting confused with bpduguard, which shuts the port down if it sees a BPDU.

With bpdufilter enabled the port won't send BPDUs, and so the ports don't get shut down.

Also portfast is enabled so the port goes straight into forwarding.

As bpdufilter was enabled, no BPDUs were being sent, causing a network loop which eventually takes the LAN down as the same packets are passed around the network continuously.

Re: bpdufilter no longer using it

You are correct. I was thinking of something else.

When portfast is enabled on a port, BPDU filtering is enabled by default.

When you do create a loop like that, then user education is required, or you just don't have portfast on user access switches. You may also want to configure broadcast storm suppression.

Bronze

Re: bpdufilter no longer using it

"When portfast is enabled on a port BPDUfiltering is enabled by default."

Are you sure? I had the understanding that you'd have to actively enable it anyway?

Re: bpdufilter no longer using it

Well, this is the interesting issue: on some switches it is enabled by default, on other switches it's disabled and you have to enable it either globally or on a per-port basis.

It depends on which switch platform/software you are running.

Hall of Fame Super Silver

Re: bpdufilter no longer using it

Hello Stephen,

I totally agree with you.

bpdu filter should be used only when an L2 service provider doesn't want to take part in the customer's STP.

I don't see any use for it in an enterprise environment.

We use bpduguard on user ports with STP portfast (I hope bpdu filter is not enabled by default).

This is only a source of misunderstanding, and you can find multiple threads about the negative effects of STP bpdufilter in this forum.

Hope to help

Giuseppe

Re: bpdufilter no longer using it

Hi Stephen,

Your understanding is correct. In normal cases "BPDU filter" is not applied, and that's within any switching organization.

When "BPDU filter" is applied, the switch doesn't forward BPDUs through the interface. It is normally configured when connecting two different switching networks; the reason is that you want the spanning tree topologies of both networks to be isolated.

HTH

Mohamed

Re: bpdufilter no longer using it

My understanding is that with BPDU Filter enabled this disables BPDUs from being sent; however, not ALL BPDUs are disabled. The switch should send a few BPDUs when it is initially brought up, and if this is connected to a BPDU Guard enabled port it 'should' disable it. This is the output from a switch I have with BPDU Guard & Filter enabled on an edge port, and you can see there are a few (9) BPDUs that have been sent:

cat-3560-48#sho spanning-tree interface fastEthernet 0/1 detail
Port 3 (FastEthernet0/1) of VLAN0015 is designated forwarding
Port path cost 19, Port priority 128, Port Identifier 128.3.
Designated root has priority 32783, address 0014.6945.4480
Designated bridge has priority 32783, address 0014.6945.4480
Designated port id is 128.3, designated path cost 0
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
The port is in the portfast mode
Link type is point-to-point by default
Bpdu guard is enabled by default
Bpdu filter is enabled by default
Loop guard is enabled by default on the port
BPDU: sent 11, received 0
cat-3560-48#

What you describe isn't (shouldn't be?) the behaviour you experienced.

Andy

Bronze

Re: bpdufilter no longer using it

There's a difference between Portfast on a per-port basis and global usage.

In basic Portfast, the switch will bring the port up immediately in Forwarding mode, but continue to send BPDUs during the life of the connection.

In global BPDUFilter mode, the switch will send BPDUs when the link first comes up, but after a cautious time period (probably equivalent to an STP calculation?) it'll quit sending BPDUs entirely. Also, if the link receives a BPDU, it'll drop the port out of Portfast mode.

In BPDUfilter per-port mode, the switch just won't send BPDUs and ignores everything coming in, period.

Putting BPDUFilter on globally is probably OK. It keeps your sniffer ports free of all the BPDUs the switch is sending towards your machine. :) If a user cross-connects two ports on your edge devices, the system should detect it and run a normal STP calculation.

You can still break the network by hooking up an unmanaged switch (to bring up portfast mode and get past the 30 seconds worth of BPDUs) and then loop two ports on the unmanaged switch towards themselves. [who'd ever do that, you may ask? Never underestimate the power of boredom when somebody's sitting in a conference room with a switch and a patch cable.]

Putting bpdufilter on access ports means that you'll never detect a cross-connect, and it's a bad idea to implement towards your users.
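An added example, not from this thread or from Cisco: an audit script that parses the "show spanning-tree interface ... detail" output format Andy posted above and flags the per-port bpdufilter posture Nate warns against on access ports. The first port in the sample is Andy's output; FastEthernet0/2 and 0/3 are constructed for illustration. The script assumes that a "by default" suffix on the Bpdu filter line means the filter came from the global portfast default rather than a per-port command, and that the "received" counter is still updated on a filtered port (both platform-dependent assumptions).

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the format of "show spanning-tree interface X detail".
# FastEthernet0/1 reproduces the output posted in the thread; 0/2 and 0/3 are
# made-up ports added to show the cases the audit distinguishes.
SAMPLE_OUTPUT = """\
Port 3 (FastEthernet0/1) of VLAN0015 is designated forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.3.
   The port is in the portfast mode
   Link type is point-to-point by default
   Bpdu guard is enabled by default
   Bpdu filter is enabled by default
   Loop guard is enabled by default on the port
   BPDU: sent 11, received 0
Port 4 (FastEthernet0/2) of VLAN0015 is designated forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.4.
   The port is in the portfast mode
   Bpdu filter is enabled
   BPDU: sent 0, received 37
Port 5 (FastEthernet0/3) of VLAN0015 is designated forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.5.
   The port is in the portfast mode
   Bpdu guard is enabled
   BPDU: sent 12, received 0
"""

PORT_RE = re.compile(r"^Port \d+ \((\S+)\) of (\S+) is ")
COUNTER_RE = re.compile(r"^BPDU: sent (\d+), received (\d+)")


@dataclass
class EdgePort:
    name: str
    portfast: bool = False
    bpduguard: bool = False
    bpdufilter: Optional[str] = None  # None, "global" or "per-port" (assumption: "by default" == global)
    sent: int = 0
    received: int = 0


def parse_detail(text: str) -> List[EdgePort]:
    """Split the show output into one EdgePort per 'Port N (...)' block."""
    ports: List[EdgePort] = []
    cur: Optional[EdgePort] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = PORT_RE.match(line)
        if m:
            cur = EdgePort(name=m.group(1))
            ports.append(cur)
            continue
        if cur is None:
            continue
        if line.startswith("The port is in the portfast"):
            cur.portfast = True
        elif line.startswith("Bpdu guard is enabled"):
            cur.bpduguard = True
        elif line.startswith("Bpdu filter is enabled"):
            cur.bpdufilter = "global" if line.endswith("by default") else "per-port"
        else:
            c = COUNTER_RE.match(line)
            if c:
                cur.sent, cur.received = int(c.group(1)), int(c.group(2))
    return ports


def audit(port: EdgePort) -> List[str]:
    """Findings for one port, following the reasoning in the thread."""
    findings: List[str] = []
    if port.bpdufilter == "per-port":
        findings.append("per-port bpdufilter: the port neither sends nor acts on BPDUs, "
                        "so a cross-connect or looped unmanaged switch is never detected")
    if port.portfast and not port.bpduguard:
        findings.append("portfast without bpduguard: a BPDU arriving here will not err-disable the port")
    if port.received > 0:
        # Assumption: the counter still increments on a filtered port on this platform.
        findings.append(f"{port.received} BPDUs received on an edge port: an STP speaker is attached")
    return findings


def remediation(port: EdgePort) -> List[str]:
    """IOS interface commands that move the port to portfast + bpduguard."""
    cmds = [f"interface {port.name}", " spanning-tree portfast"]
    if port.bpdufilter == "per-port":
        cmds.append(" no spanning-tree bpdufilter")
    if not port.bpduguard:
        cmds.append(" spanning-tree bpduguard enable")
    return cmds


def run_audit(text: str) -> Dict[str, List[str]]:
    """Map port name -> findings, only for ports that have at least one."""
    return {p.name: audit(p) for p in parse_detail(text) if audit(p)}


if __name__ == "__main__":
    for name, findings in run_audit(SAMPLE_OUTPUT).items():
        print(name)
        for f in findings:
            print("  -", f)
        port = next(p for p in parse_detail(SAMPLE_OUTPUT) if p.name == name)
        print("  fix:", " / ".join(remediation(port)))
```

On the sample, only FastEthernet0/2 (per-port filter, no guard, BPDUs arriving) is reported; Andy's port, where both features come from the global portfast defaults and nothing has been received, and the plain portfast-plus-bpduguard port are left alone, which matches Nate's distinction between global and per-port filtering.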

Hall of Fame Super Silver

Re: bpdufilter no longer using it

Hello Nate,

Good explanation of the differences.

Rated as it deserves.

I still prefer bpduguard for user ports in an enterprise context.

Best Regards

Giuseppe

Bronze

Re: bpdufilter no longer using it

I prefer BPDUGuard as well; I've had enough bad experiences with BPDUFilter (both globally and per-port!) to not use BPDUFilter if I can help it.

Any time BPDUs and spanning tree are preventing your network from working as designed, you may need to revisit your design...
