Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
7647
Views
10
Helpful
6
Replies

Is bpdu filter enable best practice for access ports with portfast

Go to solution
darrenriley5
Level 1
Level 1

‎03-11-2010 07:46 AM - edited ‎03-06-2019 10:05 AM

Hi,

Could someone please confirm if applying bpdu filter enable on access ports with portfast enabled is best practice?

Thanks

Darren

Labels:
0 Helpful
3 Accepted Solutions

Accepted Solutions

Go to solution
Jerry Ye
Cisco Employee
Cisco Employee
In response to darrenriley5

‎03-11-2010 09:32 AM

BPDU guard will error disable the port if it detect BPDU (another switch).

BPDU filter will turn off portfast if it detect BPDU.

If a BPDU is received on a Port Fast-enabled  interface, the interface loses its Port Fast-operational status, and  BPDU filtering is disabled.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_44_se/configuration/guide/swstpopt.html#wp1095752

HTH,

jerry

View solution in original post

Go to solution
Leo Laohoo
Hall of Fame
Hall of Fame

‎03-11-2010 02:05 PM

Personally, for an access port, I'd go for STP portfast and BPDU Guard enabled.  For trunk ports I have both disabled.

View solution in original post

0 Helpful

Go to solution
Giuseppe Larosa
Hall of Fame
Hall of Fame

‎03-12-2010 02:14 AM

Hello Darren,

>> Could someone please confirm if applying bpdu filter enable on access ports with portfast enabled is best practice?

No it isn't, use bpdu guard + portfast it is more safe.

if you make a search in the forums you will find several issues caused by bpdu filter (possible bridging loops)

Hope to help

Giuseppe

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Jerry Ye
Cisco Employee
Cisco Employee

‎03-11-2010 07:55 AM

Depend on your company's policy. If you want the port to be hard down when someone plug a switch into a portfast enabled port, then you should use bpdu guard. If your policy is to allow switch into portfast enabled port, then bpdu filter is a better approach.

HTH,

jerry

Go to solution
darrenriley5
Level 1
Level 1
In response to Jerry Ye

‎03-11-2010 09:24 AM

I thought you could use both. BPDU guard to protect a port if it receives a BPDU so error disables the port.

Then BPDU filter simply to stop sending BPDU's from the port.

0 Helpful

Go to solution
Jerry Ye
Cisco Employee
Cisco Employee
In response to darrenriley5

‎03-11-2010 09:32 AM

BPDU guard will error disable the port if it detect BPDU (another switch).

BPDU filter will turn off portfast if it detect BPDU.

If a BPDU is received on a Port Fast-enabled  interface, the interface loses its Port Fast-operational status, and  BPDU filtering is disabled.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_44_se/configuration/guide/swstpopt.html#wp1095752

HTH,

jerry

Go to solution
Leo Laohoo
Hall of Fame
Hall of Fame

‎03-11-2010 02:05 PM

Personally, for an access port, I'd go for STP portfast and BPDU Guard enabled.  For trunk ports I have both disabled.

0 Helpful

Go to solution
Giuseppe Larosa
Hall of Fame
Hall of Fame

‎03-12-2010 02:14 AM

Hello Darren,

>> Could someone please confirm if applying bpdu filter enable on access ports with portfast enabled is best practice?

No it isn't, use bpdu guard + portfast it is more safe.

if you make a search in the forums you will find several issues caused by bpdu filter (possible bridging loops)

Hope to help

Giuseppe

0 Helpful

Go to solution
darrenriley5
Level 1
Level 1
In response to Giuseppe Larosa

‎03-12-2010 08:33 AM

Many thanks for everyone's replies. A CCIE engineer recently came and configured two Nexus 7000 switches for us and applied the spanning-tree bpduguard enable and spanning-tree bpdufilter enable on every access port which I found strange. Now I have confirmation I will remove the spanning-tree bpdufilter command from the access ports.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card