08-11-2024 07:00 AM
Hello Experts,
There are two FPR1120 firewalls working as Active/Standby, and two stacked C9300L switches.
Please let me know if PortFast and BPDU filter can be enabled for the firewall interface ports on the C9300L switches.
I'm wondering if enabling BPDU filter can cause a network loop.
Regards,
SY
08-11-2024 07:12 AM
Sure, yes.
Firepower does not send BPDUs and does not participate in STP.
So you can configure
PortFast + bpduguard on the SW port
MHM
08-11-2024 04:58 PM - edited 08-11-2024 04:59 PM
Hi MHM,
Thank you for your reply!
Is it also okay to configure PortFast + BPDU Filter?
Regards,
SY
08-12-2024 02:19 AM
I ran a lab for you to explain both cases.
1- R2 (SW) uses
-portfast
-bpduguard
Here R2 still sends BPDUs.
2- R3 (SW) uses
-portfast
-bpduguard
-bpdufilter
Here R3 stops sending any BPDUs.
I recommend running only portfast and bpduguard, not bpdufilter.
Why? Because BPDU is the control-plane loop detection, and using bpdufilter will prevent the SW from sending it; hence, if a loop happens, the SW cannot detect it.
So keep the SW sending BPDUs with no bpdufilter config, make it go to STP forwarding fast via portfast, and detect whether the ASA forwards any BPDU from a BVI interface via BPDU guard (for safety).
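One way to check a switch configuration against the recommendation in the reply above, as an added example that is not part of the original thread or any poster's code: a small Python audit that flags interface stanzas carrying `spanning-tree bpdufilter`. The sample configuration, interface names and descriptions are constructed assumptions, and only interface-level commands are inspected.

```python
import re

# Constructed sample config (not from the thread); interface names are assumptions.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description FPR1120-A
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet2/0/1
 description FPR1120-B
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree bpdufilter enable
!
interface GigabitEthernet1/0/24
 description uplink
 switchport mode trunk
!
"""

def parse_interfaces(config):
    """Return {interface name: set of spanning-tree edge features configured}."""
    ports, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface\s+(\S+)", line)
        if m:
            current = ports.setdefault(m.group(1), set())
        elif not line.startswith(" "):
            current = None  # left the interface stanza ("!" or a global command)
        elif current is not None:
            m = re.match(r"^\s+spanning-tree\s+(portfast|bpduguard|bpdufilter)\b(.*)", line)
            if m and "disable" not in m.group(2):
                current.add(m.group(1))
    return ports

def audit(config):
    """Classify each interface against the recommendation in the thread."""
    findings = {}
    for name, feats in parse_interfaces(config).items():
        if "bpdufilter" in feats:
            findings[name] = "FAIL: bpdufilter set, port stops sending BPDUs"
        elif {"portfast", "bpduguard"} <= feats:
            findings[name] = "OK: portfast + bpduguard"
        elif "portfast" in feats:
            findings[name] = "WARN: portfast without bpduguard"
    return findings

if __name__ == "__main__":
    for port, verdict in audit(SAMPLE_CONFIG).items():
        print(f"{port}: {verdict}")
```

Ports with none of the three features, such as the constructed uplink, are left out of the findings.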