
BPDU filter for the firewall interface port

SY Ham
Level 1

Hello Experts,

There are two FPR1120 firewalls working as Active/Standby, and two stacked C9300L switches.

Please let me know if the PortFast and BPDU filter can be enabled for the firewall interface ports on C9300L switches.

I'm wondering if the enabled BPDU filter can cause the network loop.

 

Regards,

SY

Accepted Solutions

Sure, yes.

Firepower does not send BPDUs and does not participate in STP.

So you can configure

PortFast + BPDU guard on the switch port.

MHM


Hi MHM,

Thank you for your reply!

Is it also okay to configure PortFast + BPDU Filter?

Regards,

SY

I ran a lab for you to explain both cases.

1- R2 (SW) uses:
- portfast
- bpduguard

Here R2 still sends BPDUs.

2- R3 (SW) uses:
- portfast
- bpduguard
- bpdufilter

Here R3 stops sending any BPDUs.

I recommend running only portfast and bpduguard, not bpdufilter.
Why? Because BPDUs are the control-plane loop detection, and using bpdufilter will prevent the switch from sending them; hence, if a loop happens, the switch cannot detect it.

So keep the switch sending BPDUs with no bpdufilter config, make the port go to STP forwarding fast via portfast, and detect whether the ASA forwards any BPDU from a BVI interface via BPDU guard (for safety).
