Cisco Support Community
Community Member

Using Both BPDUFilter Global *AND* BPDUGuard Interface

Let's say I've got a port configured like this:

interface FastEthernet1/0/1
description End User Port
switchport access vlan 535
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable

Now I enable BPDUFilter at the global level (mainly to make port spans easier to look at):

spanning-tree portfast bpdufilter default

I surmise that if a BPDU is detected, BPDUFilter (global) will take the port out of the portfast state and shortly thereafter BPDUGuard will shut the port down.

Is this correct?

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Using Both BPDUFilter Global *AND* BPDUGuard Interface

Hello,

I surmise that if a BPDU is detected, BPDUFilter (global) will take the 
port out of the portfast state and shortly thereafter BPDUGuard will 
shut the port down.

That is how I perceive it as well, but this needs some clarification:

With the BPDUFilter activated on a global level, when a BPDU is received on a PortFast-enabled port, the BPDUFilter will be deactivated on that port. However, having the BPDUFilter alone activated or deactivated does not influence the PortFast state by itself. Still, every PortFast-enabled port that receives BPDUs loses its PortFast status until disconnected. So, upon receiving a BPDU on your port, the port will lose both BPDUFilter and PortFast states - but both are the direct consequence of receiving a BPDU. There is no connection between the BPDUFilter and PortFast. However, they both react to receiving BPDUs so the net result may look as if the BPDUFilter also had an influence on the PortFast state, which is certainly not the case.

Best regards,

Peter

7 REPLIES
Community Member

Re: Using Both BPDUFilter Global *AND* BPDUGuard Interface

Peter:

Thank you for the detailed response. 5pts!

Re: Using Both BPDUFilter Global *AND* BPDUGuard Interface

Does the order of events really matter here? I would say it doesn't because the port will be put in err-disable by the bpduguard.

Whether the bpdufilter also takes some action or not is purely a matter of implementation of the software. Timeframe is milliseconds.

Please also note that bpdufilter may not be required, namely when you are running rstp (802.1w).

In that case, edge ports (portfast enabled & full duplex) are not participating in STP and hence not sending bpdu's.

http://www.cisco.com/en/US/docs/switches/lan/catalyst2970/software/release/12.1_14_ea1/configuration/guide/swstpopt.html#wp1031307

RSTP:

http://www.cisco.com/en/US/tech/tk389/tk621/technologies_white_paper09186a0080094cfa.shtml

regards,

Leo

Cisco Employee

Re: Using Both BPDUFilter Global *AND* BPDUGuard Interface

Leo,

Does the order of events really matter here?

I think that the OP did not focus on the exact order of events - I personally perceived it simply as trying to express in simple (thus in sequential) steps what would happen if a port configured with PortFast, BPDUGuard and BPDUFilter receives a BPDU. You are correct that the exact sequence of steps may be slightly different or perhaps even concurrent - that depends on the IOS internals.

Please also note that bpdufilter may not be required, namely when you are running rstp (802.1w).

In that case, edge ports (portfast enabled & full duplex) are not participating in STP and hence not sending bpdu's.

Pardon me but I strongly disagree with this statement. To my best knowledge and experience, an edge port in Rapid-STP still sends and receives BPDUs. The difference is that it is allowed to transition into Designated Forwarding role/state immediately after its activation and its up/down transitions do not generate topology change events. However, as the port still sends/receives BPDUs, it must be participating in STP, albeit in a way different from non-edge ports.

Best regards,

Peter

Cisco Employee

Re: Using Both BPDUFilter Global *AND* BPDUGuard Interface

Hi,

BPDUGuard on interface level will errdisable the port once a BPDU is received, regardless of whether the interface is portfast or not.

However, 'if a port configured with PortFast, BPDUGuard and BPDUFilter receives a BPDU', it will not errdisable the interface. BPDUFilter on interface level will disable the spanning tree, hence no BPDU will be received on the interface, then BPDUGuard will never kick in.

HTH,

Lei Tian

Cisco Employee

Re: Using Both BPDUFilter Global *AND* BPDUGuard Interface

Hello Lei,

However, 'if a port configured with PortFast, BPDUGuard and BPDUFilter receives a BPDU', it will not errdisable the interface. BPDUFilter on interface level will disable the spanning tree, hence no BPDU will be received on the interface, then BPDUGuard will never kick in.

Yes, that would be absolutely correct if the BPDUFilter was configured directly on the interface. However, the OP is clear about this:

Now I enable BPDUFilter at the global level (mainly to make port spans easier to look at):

With the BPDUFilter activated globally, receiving a BPDU on a port that has the BPDUFilter feature activated from the global configuration mode will merely deactivate the BPDUFilter on that port. This was what I had in mind - I should have been more clear about this.

Best regards,

Peter

Cisco Employee

Re: Using Both BPDUFilter Global *AND* BPDUGuard Interface

Hi Peter,

Agreed

I just saw that your previous post says "if a port configured with PortFast, BPDUGuard and BPDUFilter receives a BPDU", and thought you were talking about the other case.

Anyway, we have agreement here.

Regards,

Lei Tian
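
The distinction the thread settles on, as an added example (not code from any poster or from Cisco): a Python check that reads an IOS-style configuration and reports, per interface, the reaction to a received BPDU that the posts above describe for global versus interface-level BPDUFilter. The sample configuration is constructed except for the FastEthernet1/0/1 stanza and the global command quoted from the question; the function name `audit` is hypothetical, and only the exact command forms shown are recognised.

```python
import re

# Constructed sample config; only the Fa1/0/1 stanza and the global line are from the thread.
SAMPLE_CONFIG = """\
spanning-tree portfast bpdufilter default
!
interface FastEthernet1/0/1
 description End User Port
 switchport access vlan 535
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet1/0/2
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
!
interface FastEthernet1/0/3
 spanning-tree portfast
"""

def audit(config):
    """Map each interface to its expected reaction to a received BPDU."""
    global_filter, ports, current = False, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface (\S+)", raw)
        if m:  # start of an interface stanza
            current = ports.setdefault(m.group(1), set())
        elif raw.startswith(" ") and current is not None:
            current.add(line)  # indented line belongs to the open stanza
        else:  # any other top-level line closes the stanza
            current = None
            global_filter |= line == "spanning-tree portfast bpdufilter default"
    result = {}
    for name, lines in ports.items():
        if "spanning-tree bpdufilter enable" in lines:
            # Interface-level filter: BPDUs are dropped before BPDUGuard sees them.
            result[name] = "BPDU filtered; BPDUGuard never fires"
        elif "spanning-tree bpduguard enable" in lines:
            result[name] = "err-disabled by BPDUGuard"
        elif global_filter and "spanning-tree portfast" in lines:
            # Global filter only: receipt turns the filter and PortFast off.
            result[name] = "BPDUFilter and PortFast status lost"
        else:
            result[name] = "normal STP processing"
    return result
```

Calling `audit(SAMPLE_CONFIG)` flags FastEthernet1/0/2 as the port where the configured BPDUGuard gives no protection.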
