02-27-2008 05:42 AM - edited 03-05-2019 09:24 PM
What is the difference between BPDU Guard and Filter?
02-27-2008 06:01 AM
Yes they are two completely different things.
BPDU Guard is designed to protect your network from unauthorised switches, or from loops. What it says is "If you see a BPDU on this port, then shut the port down." It is recommended to have BPDU Guard on all user-facing ports.
BPDU filter switches off the BPDUs, and as such is very dangerous unless you are absolutely sure you need it. What it does is to stop sending or receiving BPDUs on this port. BPDUs are what protect your network against loops, so you can see that blocking them is to take a great risk. Do not use bpdufilter unless you have a specific very valid reason for doing so.
Kevin Dorrell
Luxembourg
02-27-2008 06:02 AM
BPDU guard puts a port into errdisable if it receives a BPDU. This is generally configured on all ports configured with portfast, as these should generally connect to end stations and should never receive a BPDU.
BPDU filter sort of disables STP by not sending or processing BPDUs. Even if you enable PortFast on a port, by default that port still generates configuration BPDUs. Any connected device receives and might process configuration BPDUs unnecessarily. You can configure a feature called BPDU Filter, which prevents a PortFast-enabled port from sending configuration BPDUs. If configuration BPDUs are received on the PortFast-enabled port, the port either loses its PortFast status (or is manually shut down if BPDU guard is configured), or it ignores the BPDUs, depending on how you configure BPDU Filter.
Narayan
02-27-2008 06:07 AM
Hi,
BPDU Filter depends upon where it is configured:
- When enabling it globally, this command prevents interfaces that are in a Port Fast-operational state from sending or receiving BPDUs. You should globally enable BPDU filtering on a switch so that hosts connected to these interfaces do not receive BPDUs. If a BPDU is received on a Port Fast-enabled interface, the interface loses its Port Fast-operational status, and BPDU filtering is disabled (meaning that BPDUs are sent and received and not filtered anymore).
- When used on a per-interface basis, it has nothing to do with PortFast: it will stop sending and receiving BPDUs on this interface (bordering/stopping the spanning-tree domain - the same as disabling spanning tree on it, and can result in spanning-tree loops).
As for BPDU Guard:
If a BPDU is received on an interface, the interface will be shut down (BPDU filter just reverts the interface out of PortFast state, but BPDU Guard puts the interface into err-disabled).
BR,
Mohammed Mahmoud.
02-27-2008 06:49 AM
What are the consequences when configuring both features on a per port basis if any?
02-27-2008 07:13 AM
Hi,
Both are different in needs; I can't see the case where you need to configure both on the same interface (but I believe that the switch won't reject it).
To make my post complete, BPDU Guard also depends on whether it is configured globally or under the interface, where if it is enabled globally it affects only the ports configured with PortFast, while if configured on the interface level it doesn't depend on PortFast being enabled.
BR,
Mohammed Mahmoud.
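
As an added example (not part of the thread, and not Cisco tooling), here is a small Python audit of an IOS-style config that applies the global-versus-interface rules described in the replies above. The sample config, the `audit` helper and the finding codes are constructed for illustration; classic `spanning-tree portfast` syntax is assumed, and the masked-guard finding relies on interface-level BPDU filter taking precedence over BPDU guard on Cisco IOS.

```python
import re

SAMPLE_CONFIG = """\
! Constructed sample config for illustration (classic IOS syntax assumed)
spanning-tree portfast bpduguard default
interface GigabitEthernet0/1
 switchport mode access
 spanning-tree portfast
interface GigabitEthernet0/2
 switchport mode access
 spanning-tree bpduguard enable
 spanning-tree bpdufilter enable
interface GigabitEthernet0/3
 switchport mode access
interface GigabitEthernet0/24
 switchport mode trunk
"""

def audit(config):
    """Return {interface: [finding codes]} for access ports (hypothetical helper)."""
    lines = [l.rstrip() for l in config.splitlines()]
    global_guard = "spanning-tree portfast bpduguard default" in lines
    ports, current = {}, None
    for line in lines:
        m = re.match(r"interface (\S+)", line)
        if m:
            current = ports.setdefault(m.group(1), set())
        elif line.startswith(" ") and current is not None:
            current.add(line.strip())
        else:
            current = None  # a non-indented line ends the interface block
    findings = {}
    for name, cmds in ports.items():
        if "switchport mode access" not in cmds:
            continue  # audit user-facing access ports only
        # Global BPDU guard only covers ports that also have PortFast;
        # interface-level BPDU guard applies regardless of PortFast.
        guard = ("spanning-tree bpduguard enable" in cmds
                 or (global_guard and "spanning-tree portfast" in cmds))
        issues = []
        if "spanning-tree bpdufilter enable" in cmds:
            issues.append("FILTER_ON_INTERFACE")  # port leaves the STP domain
            if guard:
                issues.append("GUARD_MASKED_BY_FILTER")  # filter takes precedence
        if not guard:
            issues.append("NO_BPDU_GUARD")
        if issues:
            findings[name] = issues
    return findings
```
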
02-27-2008 07:13 AM
Folks:
All of you had informative and useful explanations, but Mohammed's was extra awesome, since it elaborated on the different ways to implement the features -- either globally or by port.
Mo, great post, I'm rating it a 5.
Victor
02-27-2008 07:25 AM
Hi Victor,
Thank you very much for the appreciation.
BR,
Mohammed Mahmoud.
02-28-2008 07:00 AM
I want to thank everyone for their input. I was for the most part on the right track, however Mohammed's input concerning the differences between the global and local setting was very useful.
I appreciate your help.