Can anyone tell me what this does and why we would use it, i was just told that its so if anyone plugs a switch in it stops it changing the topolgoy of spanning tree and wont allow re convergence etc ? would you enanble this on all ports except current uplinks etc ?
BPDU Guard will reject any BPDU's recieved on the port on which it is enabled.
You would normally enable it on all access ports so even of a switch is connected to the port to which the desktop normally connects, the BPDU's recieved from the new switch will be rejected thereby preventing STP topology change.
To protect the current root of the spanning tree from being couped.
The global command "spanning-tree portfast bpduguard default" protects the root bridge against better BPDU from connected users.
The global command "spanning-tree bpduguard default" enables bpduguard on all ports.
The interface command "spanning-tree bpduguard [enable | disable]" enables or disables bpduguard on a port-to-port basis.
In a large switched network it is advisable to protect the root of the spanning tree from superior BDPUs from downstream switches.
* Please rate posts.
PS I notice that you post questions on a daily basis. The answers can be easily found in the documentation and in many courseware provided by Cisco.At least rate post to let people know it was helpful and to show some appreciation. Thank you.
there are so many command to prevent from L2 looping. For example, BPDU guard, BPDU filter..etc
BPDU guard has slightly different mechenism from BPDU filter. When you enable BPDU filter, switch just never receive BPDU frame(filtering). On the other hands, BPDU guard would be err-disable on a port received BPDU frame. clear ?
If BPDU Guard is ENABLED on specific port and if it recieve BPDU that port will be in err-disable state and when the BPDU Filter is enabled on a port and now if the port receive BPDU what will happen now ?
If BPDUfilter is enabled on a port, it does nothing when it receives a BPDU.
So if you configure BPDUFilter on two ports and connect them together (or a user plugs two together, by adding a hub and patching it into two ports or plugging both ports in an IP phone into the network) the loop will not be detected and you will have a problem...
Please rate helpful posts...
You mean when would you use it?
I guess when you don't want an end station or connected device to see BPDUs for whatever reason (maybe security)... but you'd have to be sure no possibility of loops exists as it basically disables STP on the port...
Please rate helpful posts...
Actually, BPDU are dropped in software by BPDUfilter, so the CPU is still involved.
BPDU filter allows you to ignore the BPDU you receive while and making sure the port stays forwarding. If you combine this with portfast, it's as if STP was not running on the port (there is no real definition of STP not runnning however;-)).
This is not a major feature, but there are lots of corner case applications. You can enable this on an edge port for instance, to ignore any BPDU that could be generated there (a different way of reacting to BPDU than bpduguard or rootguard).
It is used when you are doing tunneling. As a provider, you don't want to have any interaction with your customer... etc...
Can anyone tell what will happen if both bpdu filter and bpdu guard are both configured on the same port.
For example then an bpdu packet arrives at that port. Which feature will it trigger first Filter or Guard?
I'd like to know this as well. Does BPDU Guard shutdown the port, or does BPDU filter prevent this becasue it cuases BDPUs to be ignored? If that is the case why would you ever enable both BPDU Guard and BPDU Filter?
Yes, BPDU guard shuts down the port when it receives a BPDU. BPDU guard is about receiving BPDUs when you are not expecting them.
BPDU filter is about transmitting BPDUs. If you enable this feature, the port will not transmit BPDUs.
In answer to your last question, you would not normally enable both. In fact, it is dangerous to do so, because it makes your network vulnerable to attack by someone connecting two ports back-to-back with a loopback cable. You think you are being protected by BPDU guard, but the other port is not transmitting BPDUs.
When you look at the following link
under the chapter bpdu filter.
In the example output a warning is show:
Console> (enable) set spantree portfast bpdu-filter 6/1 enable
Warning:Ports enabled with bpdu filter will not send BPDUs and drop all
received BPDUs. You may cause loops in the bridged network if you misuse
This sugests BDPU filter will drop all recieved BPDU's. This is very confusing.
Can anyone confirm BPDU Filter ignores incoming BPDU's, or if it only prevents them from being sent.
BPDU filter, configured on an interface will both drop incoming BPDUs and prevent transmission of BPDUs on the port. The feature is done in software (the decision of dropping incoming BPDUs is done by the CPU).
Now, if you configured both BPDUguard and BPDU filter on an interface, it's all a matter of which feature kicks in first. I already had to search for that a while ago, and it seems that this is BPDU filter that is checked first, at least on the latest versions of this IOS. That means that if you configure both feature, BPDU filter will drop the BPDUs before BPDU guard, and BPDU guard will not be triggered.
Note that there is a subtle difference between BPDU filter configured on the port and BPDU filter configured globally. The global version of BPDU filter only works on edge ports. Edge ports are portfast ports that never received a BPDU. As soon as a BPDU is received on an edge port, it loses its operational edge status, and as a result, global BPDU filter does not apply to the port any more (which means that the port starts sending BPDUs again).
Question about this topic, why recommeds Cisco LMS 4.0 Best practice to use both BPDUfilter?
LMS reports a Best Practice Deviation if PortFast is enabled and BPDU-Guard is not enabled on a port. BPDU-Guard prevents spanning-tree loops by moving a port into the errdisable state when a BPDU is received on that port. When you enable BPDU-Guard on the switch, spanning tree shuts down the interfaces that receive BPDUs instead of putting the interfaces into the spanning-tree blocking state. Impact Cisco recommends that you enable BPDUGuard to block incoming BPDUs on edge devices (end-hosts). The Cisco BPDUGuard feature, when enabled, informs the switch to disable PortFast ports if a BPDU is received on those ports. BDPUGuard can be enabled on each port or globally. When you enable BPDUGuard globally, it applies to all PortFast-enabled ports on the switch.
LMS reports a Best Practice Deviation when BPDU Filter is not enabled on access ports. Impact BPDU filtering allows you to avoid transmitting BPDUs on PortFast-enabled ports that are connected to an end system. When you enable PortFast on the switch, spanning tree places ports in the forwarding state immediately, instead of going through the listening, learning, and forwarding states. By default, spanning tree sends BPDUs from all ports regardless of whether PortFast is enabled. BDPUFilter can be enabled for each port or globally. When you enable BPDUFilter globally, it applies to all PortFast-enabled ports on the switch. When you disable PortFast on a port, the BPDU Filter that was globally enabled on the PortFast enabled port is also disabled.