Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1556
Views
5
Helpful
3
Replies

BPDU filter

Go to solution
shoaib sheikh
Level 1
Level 1

‎09-05-2014 12:00 AM - edited ‎03-07-2019 08:38 PM

I am preparing for switch exam and recently saw a question on website as below:

You are the administrator of a switch and currently all host-connected ports are configured with the portfast command. You have received a new directive from your manager that states that, in the future, any host-connected port that receives a BPDU should automatically disable PortFast and begin transmitting BPDUs. Which of the following commands will support this new requirement?

A. Switch(config)# spanning-tree portfast bpduguard default
B. Switch(config-if)# spanning-tree bpduguard enable
C. Switch(config-if)# spanning-tree bpdufilter enable
D. Switch(config)# spanning-tree portfast bpdufilter default

The website says answer is option D.

 

But one of the link on cisco website http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4000/8-2glx/configuration/guide/stp_enha.html#wp1047408 says.

BPDU filtering allows you to avoid transmitting BPDUs on PortFast-enabled ports that are connected to an end system. When you enable PortFast on the switch, spanning tree places ports in the forwarding state immediately, instead of going through the listening, learning, and forwarding states. By default, spanning tree sends BPDUs from all ports regardless of whether PortFast is enabled. BDPU filtering is on a per-switch basis; after you enable BPDU filtering, it applies to all PortFast-enabled ports on the switch.

 

To prevent loops from occurring in a network, the PortFast mode is supported only on nontrunking access ports because these ports typically do not transmit or receive BPDUs. The most secure implementation of PortFast is to enable it only on ports that connect end stations to switches. Because PortFast can be enabled on nontrunking ports connecting two switches, spanning tree loops can occur because BPDUs are still being transmitted and received on those ports. PortFast BPDU guard prevents loops by moving a nontrunking port into an errdisable state when a BPDU is received on that port. When you enable BPDU guard on the switch, spanning tree shuts down PortFast-configured interfaces that receive BPDUs instead of putting them into the spanning tree blocking state. In a valid configuration, PortFast-configured interfaces do not receive BPDUs. If a PortFast-configured interface receives a BPDU, an invalid configuration exists. BPDU guard provides a secure response to invalid configurations because the administrator must manually put the interface back in service.

 

So, how BPDU filter serves the purpose of what is asked in question because BPDU filter avoid transmitting BPDU if detected on Portfast interface. Also, if someone explains me that both BPDU filter and guard somewhat closely serves the same purpose of avoiding loops when BPDU's are detected on portfast. 

 

Thanks in advance.

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
InayathUlla Sharieff
Cisco Employee
Cisco Employee
In response to shoaib sheikh

‎09-05-2014 01:12 AM

BPDU filtering allows you to avoid transmitting BPDUs on PortFast-enabled ports that are connected to an end system. When you enable PortFast on the switch, spanning tree places ports in the forwarding state immediately, instead of going through the listening, learning, and forwarding states.
 
By default, spanning tree sends BPDUs from all ports regardless of whether PortFast is enabled. BDPU filtering is on a per-switch basis; after you enable BPDU filtering, it applies to all PortFast-enabled ports on the switch

per-interface
spanning-tree portfast bpduguard enable
 
a port configured with BPDU guard will shutdown (err-disable) an interface that is in a portfast operational state if it receives any BPDUs.
 
So, what is the difference?  Lets look at the two examples:
 
Example 1 - BPDU filtering
==========================
spanning-tree portfast bpdufilter default
!
inter face f0/1
spanning-tree portfast
!
 
Interface f0/1 will prevent STP from sending BPDUs and ignore all received BPDUs.  However, if interface f0/1 receives any BPDUs, it will lose its portfast status and BPDU filtering will be disabled.  Normal STP operation will resume just as any other STP port on the switch.
 
Example 2 - BPDU guard
==========================
spanning-tree portfast bpduguard default
!
inter face f0/1
spanning-tree portfast
!
 
Interface f0/1 will still send BPDUs and operate in a portfast operational state.  However, if interface f0/1 starts to receive any BPDUs it will be shutdown (err-disable) and must manually be re-enabled.
 
While similar in their configuration, they do behave very differently.

 

HTH

Regards

Inayath

*plz rate all usefull posts.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Tagir Temirgaliyev
Spotlight
Spotlight

‎09-05-2014 12:24 AM

this link on cisco website http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4000/8-2glx/configuration/guide/stp_enha.html#wp1047408 says.

explains

C. Switch(config-if)# spanning-tree bpdufilter enable

 

not D. Switch(config)# spanning-tree portfast bpdufilter default

 

and dont forget to rate post

Go to solution
shoaib sheikh
Level 1
Level 1
In response to Tagir Temirgaliyev

‎09-05-2014 12:34 AM

So, going by that spanning-tree portfast bpdufilter default  will disable porfast and enable BPDU to pass through the port when BPDU's are detected. 

It means the answer is right.

0 Helpful

Go to solution
InayathUlla Sharieff
Cisco Employee
Cisco Employee
In response to shoaib sheikh

‎09-05-2014 01:12 AM

BPDU filtering allows you to avoid transmitting BPDUs on PortFast-enabled ports that are connected to an end system. When you enable PortFast on the switch, spanning tree places ports in the forwarding state immediately, instead of going through the listening, learning, and forwarding states.
 
By default, spanning tree sends BPDUs from all ports regardless of whether PortFast is enabled. BDPU filtering is on a per-switch basis; after you enable BPDU filtering, it applies to all PortFast-enabled ports on the switch

per-interface
spanning-tree portfast bpduguard enable
 
a port configured with BPDU guard will shutdown (err-disable) an interface that is in a portfast operational state if it receives any BPDUs.
 
So, what is the difference?  Lets look at the two examples:
 
Example 1 - BPDU filtering
==========================
spanning-tree portfast bpdufilter default
!
inter face f0/1
spanning-tree portfast
!
 
Interface f0/1 will prevent STP from sending BPDUs and ignore all received BPDUs.  However, if interface f0/1 receives any BPDUs, it will lose its portfast status and BPDU filtering will be disabled.  Normal STP operation will resume just as any other STP port on the switch.
 
Example 2 - BPDU guard
==========================
spanning-tree portfast bpduguard default
!
inter face f0/1
spanning-tree portfast
!
 
Interface f0/1 will still send BPDUs and operate in a portfast operational state.  However, if interface f0/1 starts to receive any BPDUs it will be shutdown (err-disable) and must manually be re-enabled.
 
While similar in their configuration, they do behave very differently.

 

HTH

Regards

Inayath

*plz rate all usefull posts.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card