BPDUGUARD vs. BPDUFILTER

alandean
Level 1

I am attempting to avoid spanning-tree loops in my network from those who would take a switch or hub and connect it to 2 switchports.

I have seen some conflicting information, so I set up a test and noticed some unexpected results.

1. When I dually connected an old Netgear hub with no BPDUGUARD or BPDUFILTER, the Netgear hub utilization and the port utilization on both Cisco ports connected to the hub went to 100%.

2. When I then enable BPDUGUARD the loop continues until I disconnect the hub and reconnect it. Then Cisco err-disables one of the ports because it sees BPDUs. I assume the hub does not generate BPDUs but is forwarding BPDUs that it receives from the Cisco switch on the other port.

3. When I enable only BPDUFILTER and reconnect the switch, the loop still exists.

4. When I enable both BPDUGUARD and BPDUFILTER and reconnect the hub, BPDUGUARD err-disables the port.

5. Doing the same tests with a Linksys SD216 switch instead of a Netgear hub, I could not force a loop even with no BPDUGUARD and BPDUFILTER. The second port always goes amber and goes into a blocking state.

So when configuring my switches, BPDUGUARD is the only way to prevent loops.

Another forum suggests that you cannot do both BPDUGUARD and BPDUFILTER because BPDUFILTER will drop the BPDUs before BPDUGUARD can see them. My test suggests this is not the case. I propose that BPDUGUARD and BPDUFILTER should both be enabled. Anyone agree or disagree?

Anyone know why a Linksys SD216 switch will not allow a loop? Is there some spanning-tree mechanism in the Linksys that prevents this?

4 Replies

ankurbhasin
Level 9

Hi Friend,

I think you have taken the concept of BPDUFILTER and BPDUGUARD in a wrong way. These features prevent BPDUs from being received by a port, so they will not help you avoid spanning tree loops; as a matter of fact, applying a BPDU filter may result in an STP loop, and that is the reason that when you applied BPDUFILTER and reconnected the hub it did not stop the loop, because it will not let the interface receive any BPDUs.

Talking about BPDU GUARD, it is putting the ports in errdisable state because your ports might have been configured for portfast, and when any portfast-configured port receives any BPDU it will put the port into errdisable state.

Both of these features are to avoid BPDUs, and in STP it is only BPDUs that detect loops and avoid loops. So if you want to protect your network from loops, do not enable these features, and do not enable portfast either where you think someone can connect a hub.

Read this doc

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12119ea1/2950scg/swstpopt.htm#1051443

HTH, if yes please rate the post.

Ankur

Thank you Ankur for your response. I agree that the intention of BPDUGUARD and BPDUFILTER is different from what I am trying to accomplish.

Do you, or anyone you are aware of, run all ports with spantree portfast disabled?

Several years ago when we were logging into Novell NDS, we had to enable spantree portfast to eliminate logon errors.

I will do testing with a group using spantree portfast disabled and report back here.

Hi Friend,

Spanning-tree portfast is always recommended to be configured only on ports which are connected to end devices like computers, servers, printers etc., where there is no chance of a loop.

And many a time, server-connected ports, when not configured with portfast, do not work well, like a DHCP server, and you have a live example in your Novell NDS.

So on ports to which you have not connected another network device that can let many other devices connect to it, like switches, hubs and bridges, you can very well enable portfast.

HTH, if yes please rate the post.

Ankur

Regarding spantree portfast. In testing, I created a loop with a port with spantree portfast disabled and with spantree portfast enabled.

With spantree portfast disabled, the port that the loop was created on went to blocking immediately.

With spantree portfast enabled, a loop was created for perhaps 1 second before it went to blocking.

So it appears that the worst that can happen with spantree portfast is that a loop can last for 1 second at the most.

Another interesting thing I noticed with BPDUGUARD and BPDUFILTER is that when both were enabled on a CatOS switch, BPDUGUARD did not errdisable the port and a major loop occurred.

On an IOS switch with both BPDUGUARD and BPDUFILTER enabled, BPDUGUARD worked and disabled the port.

In summary, I would say, BPDUFILTER is potentially a dangerous command, USE WITH CAUTION!
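The two configurations the thread contrasts, as an added example that is not part of any post above: an access port with interface-level BPDUFILTER (the setting the thread found dangerous) beside the same port with portfast plus BPDUGUARD, plus the global default and errdisable recovery a practitioner would pair with it. Interface names are placeholders; the commands are standard Cisco IOS.

```cisco
! Added example, not from the thread. Interface names are assumed.
!
! --- Weak: interface-level bpdufilter stops the port sending or receiving
!     BPDUs, so STP can no longer see a hub looped back into two such ports
!     (the loop observed in test 3 above). ---
interface GigabitEthernet0/1
 description End-device port (weak: STP effectively off)
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
! --- Corrected: portfast for fast link-up, bpduguard so that any BPDU the
!     port receives (e.g. one a hub forwards from the other switchport)
!     err-disables the port instead of forming a loop. No bpdufilter. ---
interface GigabitEthernet0/2
 description End-device port (hardened)
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Apply bpduguard to every portfast port in one place, and let err-disabled
! ports recover on their own after 300 seconds so a mistake does not need a
! manual shut / no shut (recovery re-triggers if the BPDUs continue).
spanning-tree portfast bpduguard default
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! Uplinks to other switches: explicitly no portfast, no filter, so STP runs
! normally and blocks redundant paths as in test 5 above.
interface GigabitEthernet0/24
 description Uplink to distribution switch
 spanning-tree portfast disable
!
! Verification commands:
!   show spanning-tree summary                         -> Portfast / BPDU Guard / BPDU Filter state
!   show spanning-tree interface GigabitEthernet0/2 portfast
!   show interfaces status err-disabled                -> ports shut by bpduguard
```

Note that the global `spanning-tree portfast bpdufilter default` behaves differently from the interface-level command shown here (it still listens for BPDUs at link-up), which is one reason results differ between platforms; the thread's CatOS versus IOS observation is consistent with interface-level filtering silencing the port before guard can act.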
