In Networking World we know that to avoid any loops or any problem related to switching arcihtecure the stability of the Root Bridge is of paramount importance in the operation and continual uninterrupted service of spanning-tree. A change in the position of the Root Bridge will cause service disruption on the network with data and voice session timing out.
It is important to consider what events could cause a change in the position of the Root Bridge, events such as links failing between the existing Root Bridge and the rest of the network would cause a change, or possibly a duplex mismatch between the Root Bridge and downstream switches causing the spanning-tree messages from the Root Bridge from reaching the other parts of the network. These events are easily fixed and resolved none of which would require the use of the BPDU Guard feature.
Always a better practice to enforce the Spanning-tree domain borders and keep our active topology and the position of our Root Bridge predictable.
Best Practices to enable BPDU Guard only on access ports (access ports lead to end user devices) so that any end user devices on these ports that have BPDU Guard enabled are not able to influence the Spanning-tree topology.
Configuring BPDU Guard
Following are the modes in which we can configure BPDU Guard in switches
spanning-tree bpduguard enable (Puts port in errdisable upon receiving any bpdu).
spanning-tree portfast bpduguard default (It enables bpduguard on ports that have port-fast configuration, puts port in errdisable upon receiving a bpdu).
Once BPDU Guard is enabled it will keep an eye open for any BPDU's entering the access ports. The only devices which can reliably create and transmit BPDU's are switches.Our main aim to have a predictable topology and not allow other switches outside our control onto our network. If a rogue switch is introduced into our topology it will in most cases transmit a BPDU, if the rogue switch has "better" values than the existing Root Bridge it will cause a topology change in the switched network. Any topology change is bad news for the users.
By configuring the "BPDU Guard" feature on the access-ports enables the spanning-tree protocol to shut the port down in the event that is receives a BPDU. As a rule of thumb, BPDU's are really only expected across trunk links.If a rogue switch is plugged into a port configured for BPDU Guard, the port will disable as soon as the first BPDU is received, by shutting the port down we prevent the rogue switch from affecting our spanning-tree topology.
To re-enable a port disabled by BDPU Guard you will need to remove the offending device and then bounce the port by issuing the shut/no shut command
BPDUfilter on the other hand just filters BPDUs in both directions, which effectively disables STP on the port.Bpdu filter will prevent inbound and outbound bpdu but will remove portfast state on a port if a bpdu is received.Enabling BPDU filtering on an interface is the same as disabling spanning tree on it and can result in spanning-tree loops.
Configuring BPDU Filter
Following are the method to configure BPDU Filter in switches
spanning-tree bpdufilter enable (Results port to not participate in STP, loops may occur).
spanning-tree portfast bpdufilter default (It enables bpdufiltering on ports that have port-fast configuration, so it sends a few bpdu while enabling port then it filters bdpu unless receives a bpdu, after that it changes from port-fast mode and disables filtering for port to operate like a normal port because it has received bpdu).
You always should allow STP to run on a switch to prevent loops. However, in special cases when you need to prevent BPDUs from being sent or processed on one or more switch ports, you can use BPDU filtering to effectively disable STP on those ports.you would use bpdufilter when you want a switch plugged into your network but you don't want it participating in spanning tree.
An example: In an office environment where someone needs another network drop under their desk but you don't have time/budget to run a new line for now. you are been given a small switch but don't want it to break spanning tree.The switch you have lying around for this task is a simple unmanaged switch and will only have one uplink into your network. so you put bpdufilter on your switch port.
Hello in the community.I am faced with the following problem and I wonder if somebody could help me.after having loaded a WS-C2960X-24PD-L switch with up-to-date-ios (c2960x-universalk9-tar.152-4.E8.tar) i tried to reload the switch with reload command.Th...
Hello, I am having trouble accessing my ASA 5506-X through the ASDM Launcher. "Error : Enable to launch device manager at 192.168.1.1"When i try to access through Google chrome i get this error :"Unsupported protocolThe client and serv...
Hello All, We have a cisco 9200 Stack comprising of 2 switches and we need to add C9200-NM-4G= modules to both the switches. As these modules are hot swap-able will be able to add them directly one by one to the switches.Like first to the ...
Hello,Topology:"CISCO-3750-.253"Already set to vlan3 Root.Then why vlan3 root is"CISCO-3750G"?What is the answer to the situation if the topology is unchanged? "CISCO-3750G" show spanning(vlan 3 mac address identical but priority different ...
Hello,I am configuring some flexible Netflow records on my ASR1002-X (with IOS Version 15.5(3)S4b) and ASR1000 routers (with IOS XE version 16.3.5), and as I'm doing sampling (to preserve CPU), I do not have a reliable information on bandwidth usage. Exam...