Re: BPDU Filtering

sfurqanali · ‎09-14-2010

Hi

I dont know if this is the correct forum to discuss and appologize if mistakenly posted.

In a ciscopress switching book "BPDU Filtering" section it stated:

" BPDUs are sent on all switch ports—even ports where PortFast has been enabled."

Few lines below its says:

"Switch(config)# spanning-tree portfast bpdufilter default"

"All ports that have PortFast enabled also have BPDU filtering automatically enabled."

Its really confusing if BPDU Filtering is automatically enabled on ports that has PortFast enabled than how come BPDU's are sent on Ports with PortFast enabled.

I would appreciate anyone can explain the difference.

Best Regards.

SALI

Julio Garcia · ‎09-14-2010

Hi Syed,

Portfast ports do not have bpdufilter enabled by default,

you need to put global command ...

(config)# spanning-tree portfast bpdufilter default

to make bpdufilter happen by default on a portfast port.

If you have a specific interface and enable portfast eg...

int gi x/x

spanning-tree portfast

bpdufilter will not be enabled on it , (if you dont have the previous Global command mentional above set up)

note you can have globally portfast set up without bpdufilter using..

(config)# spanning-tree portfast default

hope that helps.

Peter Paluch · ‎09-14-2010

Hello Sali,

You are in the correct forum and you are welcome.

You have to differentiate very well between PortFast and BPDU Filtering. They are in their essence two independent things. The PortFast makes your port an edge port - it is allowed to rapidly transition to the Forwarding state. However, a PortFast port still sends and receives BPDU, and should another switch be mistakenly connected to a PortFast-enabled port, the port will lose its PortFast status until disconnected and will behave like any other internal switched port governed by STP.

The BPDU Filter prevents BPDUs from being received and sent through a switchport. Its behavior, however, depends on how it is configured.

If the BPDU Filter is configured directly on a particular port using the spanning-tree bpdufilter enable interface command, the port simply stops sending and receiving BPDUs. It has no effect on whether the port is a PortFast port or not, i.e. it does not result in the port being put into Forwarding state rapidly. The port simply does not send and receive BPDUs, that's all. If the BPDU Filter is configured directly on a port, there is absolutely no relation to PortFast whatsoever.
If the BPDU Filter is configured in the global configuration mode using the spanning-tree portfast bpdufilter default command then it applies only to PortFast-enabled ports. It also behaves differently: whenever a PortFast enabled port comes up, it sends 11 BPDUs. If no BPDUs are received during this period or anytime after it, the port stops sending BDPUs. It, however, permanently listens for BPDUs and should any BPDU arrive, the BPDU Filter will be deactivated on this port until it is disconnected, and the port will start sending and receiving BPDUs just like any other port. Note that in this case, the port was also configured as PortFast, which means that receiving a BPDU will cause the port to lose both PortFast and BPDU Filter.

It is slightly confusing, I admit.

Best regards,

Peter

burleyman · ‎09-14-2010

Syed,

Just to add something to the two great answers. BPDU filtering essentially disables Spanning-tree on the ports it is configured on so if someone does connect a switch to a port and causes a loop it may not pick that up and would cause issues. If you enable that you must make certain that a device that could cause a loop is not added. A better alternative would be to enable BPDU Guard as that would shut down a port that someone connected a switch that should not be there and would prevent loops.

Mike