New Member

BPDUFILTER implementation

Hello everybody,

I would appreciate your comments to the following scenario:

Intending to reduce unnecessary traffic in an access layer redundant topology I would consider implementing the following:

  1. Enable portfast globally on an access layer switch
  2. Enable bpdufilter globally on the same switch
  3. Enable bpduguard on all individual non-uplink access-configured ports
  4. Disable portfast on any port configured as a trunk and intended to be used as a trunk.

Even with bpdufilter active, every port, according to Cisco, transmits 2-3 BPDUs before it stops as a result of the bpdufilter implementation.

Conclusion

There would be absolutely no risk of loops forming in a topology consisting of 3 switches A, B, C where:

  • It is desirable that A, B, C are connected with each other in a triangle topology.
  • Switch A is configured with global bpdufilter according to the above.
  • Switch B is empty (default configuration) and an attempt is made to connect it to A via an access-configured port on A. STP is then activated and moves the port of A to err-disable mode.
  • Switch C is configured (no bpdufilter, bpduguard or portfast anywhere) and a connection to A is made between the trunk-configured ports of both C and A.


3 REPLIES
Hall of Fame Super Gold

Enable portfast globally on an access layer switch

I don't understand why you want to "re-invent the wheel". You really want to follow the KISS principle.

On paper, putting only the portfast globally is "nice". In reality it will cause issues. Why? If I want to look at the configuration of a port, will the portfast configuration show up? No, it won't.

My recommendation is to enable portfast on a per-port basis.

Enable bpdufilter globally on the same switch

Enabling BPDU Filter is not really something "popular" among network admins. Enabling BPDU Filter filters out BPDUs in both directions, effectively disabling STP ... and this means that you've just significantly increased the chance of having a loop in your network.

New Member

Thanks for commenting,

I agree with your KISS principle, but bpdufiltering with simultaneous protection from loops requires global application of portfast. In any event, these commands are all under the group of spanning-tree commands.

I know bpdufilter is not something popular. But enabling it globally, and NOT PER PORT, will help guard against loops. The attached document refers. Can there be something wrong with the config guide from Cisco?

Lab tests have shown that with bpdufilter globally on, the port will be err-disabled if a switch is connected to it, regardless of whether the "incoming" has bpdufilter on or not.

Hall of Fame Super Gold

I know bpdufilter is not something popular. But enabling it globally, and NOT PER PORT, will help guard against loops. The attached document refers. Can there be something wrong with the config guide from Cisco?

Yes and no.

On paper and in a sandbox/lab environment, the answer is yes.

In reality, no. BPDU Filter is as destructive as enabling STP on all your ports and disabling BPDU Guard. You will, one day, get a loop and you'll have a fun time finding where the source is originating from.
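As an added example (not from this thread, and not from the Cisco configuration guide the original poster refers to), here are the two approaches discussed side by side on a hypothetical Catalyst access switch running IOS: the original post's four-step global configuration and the per-port configuration the first reply recommends, followed by the err-disable recovery and show commands a practitioner would use to verify either. Interface names, the VLAN number and the recovery interval are assumptions. The distinction that matters for the loop discussion is that the global form, `spanning-tree portfast bpdufilter default`, only filters on PortFast ports and makes a port drop out of PortFast and stop filtering as soon as it receives a BPDU, whereas the per-interface `spanning-tree bpdufilter enable` ignores BPDUs in both directions unconditionally, which is the behaviour the replies warn about.

```cisco
! ---- Option A: the original post's global approach ----
! Assumptions: Catalyst access switch (switch A), Gi1/0/1-46 are user
! ports, Gi1/0/47-48 are the uplinks towards switches B and C.
spanning-tree mode rapid-pvst
!
! Step 1: the PortFast default applies only to non-trunking ports.
spanning-tree portfast default
!
! Step 2: global BPDU filter. A port that receives a BPDU loses PortFast
! and stops filtering; the per-interface form below would not.
spanning-tree portfast bpdufilter default
!
! Step 3: BPDU Guard on every user port, so a switch plugged into an
! access port (switch B in the scenario) err-disables that port.
interface range GigabitEthernet1/0/1 - 46
 switchport mode access
 switchport access vlan 10
 spanning-tree bpduguard enable
!
! Step 4: uplinks are explicit trunks (switch C connects here). The global
! PortFast default does not apply to trunks; the disable makes it explicit.
interface range GigabitEthernet1/0/47 - 48
 switchport mode trunk
 spanning-tree portfast disable
!
! ---- Option B: per-port, as the first reply recommends ----
! No global PortFast or BPDU filter; each user port carries its own
! configuration, so "show running-config interface" shows exactly
! what is active on it.
interface range GigabitEthernet1/0/1 - 46
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
! Deliberately absent: "spanning-tree bpdufilter enable". On an interface
! it ignores BPDUs in both directions, so a looped-in switch is never
! detected and BPDU Guard never fires.
!
! ---- Either option: recovery and verification ----
! Let a port shut by BPDU Guard come back once the offending device is
! removed, instead of staying down until someone notices.
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! Checks (output not reproduced here):
!  show spanning-tree summary
!      -> global PortFast / BPDU Guard / BPDU Filter defaults
!  show spanning-tree interface GigabitEthernet1/0/5 detail
!      -> PortFast, guard and filter state of one user port
!  show interfaces status err-disabled
!      -> user ports currently shut by BPDU Guard
!  show errdisable recovery
!      -> recovery causes and remaining time per port
```

Running Option A and then plugging an unconfigured switch into a user port should land that port in `show interfaces status err-disabled` with cause bpduguard; if it stays up and forwarding, the filter has suppressed the BPDU that Guard needed, which is the per-port failure mode the second reply describes.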
