Ganesh Hariharan
VIP Alumni

Introduction

In the networking world we know that, to avoid loops and other problems in the switching architecture, the stability of the Root Bridge is of paramount importance to the operation and continual uninterrupted service of spanning-tree. A change in the position of the Root Bridge causes service disruption on the network, with data and voice sessions timing out.

It is important to consider what events could cause a change in the position of the Root Bridge. Events such as links failing between the existing Root Bridge and the rest of the network would cause a change, as would a duplex mismatch between the Root Bridge and a downstream switch that stops the Root Bridge's spanning-tree messages from reaching other parts of the network. These events are easily diagnosed and resolved, and none of them requires the BPDU Guard feature.

It is always better practice to enforce the borders of the spanning-tree domain and keep the active topology and the position of the Root Bridge predictable.

Best practice is to enable BPDU Guard only on access ports (ports that lead to end-user devices), so that no device plugged into those ports can influence the spanning-tree topology.

Configuring BPDU Guard

Following are the modes in which BPDU Guard can be configured on Cisco IOS switches:

Interface mode

spanning-tree bpduguard enable (puts the port in errdisable upon receiving any BPDU).

Global mode

spanning-tree portfast bpduguard default (enables BPDU Guard on every port that is in the PortFast operational state; such a port is put in errdisable upon receiving a BPDU).

Once BPDU Guard is enabled it watches for any BPDU entering the access port. Switches are the devices that normally generate and transmit BPDUs, but a BPDU is only an Ethernet frame sent to the bridge group multicast address, so any host that can craft frames (a Linux host running a software bridge with STP enabled, for example) can send one; this is why the feature treats any inbound BPDU on an access port as a violation, whatever the sender is. Our main aim is a predictable topology that does not admit switches outside our control. If a rogue switch is introduced into our topology it will in most cases transmit BPDUs, and if the rogue switch advertises "better" values than the existing Root Bridge (a lower Bridge ID, that is a lower priority or, at equal priority, a lower MAC address) it becomes root and causes a topology change in the switched network. Any topology change is bad news for the users.

Configuring the BPDU Guard feature on access ports lets spanning-tree shut the port down in the event that it receives a BPDU. As a rule of thumb, BPDUs are really only expected across inter-switch (trunk) links. If a rogue switch is plugged into a port configured for BPDU Guard, the port is error-disabled as soon as the first BPDU is received; by shutting the port down we prevent the rogue switch from affecting our spanning-tree topology.
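To make the "better values" rule and the guard decision concrete, here is an added example in Python (not code from the article) that builds an IEEE 802.1D configuration BPDU byte for byte, parses it back, decides whether it would win the root election against the current Root Bridge, and shows what a port does with the frame depending on whether BPDU Guard is on. The current-root values (priority 32769, MAC aabb.cc00.0100) are taken from the lab output quoted in the comments below; the rogue bridge's priority 4097 and MAC 0011.2233.4455 are constructed for this example.

```python
"""Build/parse 802.1D Config BPDUs and evaluate them the way a root election
and a BPDU Guard port would. Added example; values are constructed."""
import struct

STP_MCAST = bytes.fromhex("0180c2000000")   # IEEE 802.1D bridge group address
LLC_STP = bytes([0x42, 0x42, 0x03])         # DSAP/SSAP 0x42, UI control field

# Config BPDU body (IEEE 802.1D-1998 clause 9.3.1), 35 bytes, big-endian:
# proto_id(2) version(1) type(1) flags(1) root_id(8) root_cost(4)
# bridge_id(8) port_id(2) msg_age(2) max_age(2) hello(2) fwd_delay(2)
_FMT = ">HBBB8sI8sHHHHH"


def bridge_id(priority, mac):
    """Pack a Bridge ID: 16-bit priority (incl. sys-id-ext) + 48-bit MAC."""
    return struct.pack(">H", priority) + bytes.fromhex(mac.replace(".", "").replace(":", ""))


def build_config_bpdu(root_prio, root_mac, bridge_prio, bridge_mac,
                      root_cost=0, port_id=0x8001, msg_age=0,
                      max_age=20, hello=2, fwd_delay=15):
    """Return LLC header + Config BPDU as a bridge puts it on the wire.
    Timer arguments are seconds; the wire encoding is 1/256 s units."""
    body = struct.pack(_FMT, 0x0000, 0x00, 0x00, 0x00,
                       bridge_id(root_prio, root_mac), root_cost,
                       bridge_id(bridge_prio, bridge_mac), port_id,
                       msg_age * 256, max_age * 256, hello * 256, fwd_delay * 256)
    return LLC_STP + body


def parse_config_bpdu(payload):
    """Parse an LLC + Config/RSTP BPDU; returns a dict, or None if not a BPDU."""
    if not payload.startswith(LLC_STP):
        return None
    body = payload[3:3 + struct.calcsize(_FMT)]
    if len(body) < struct.calcsize(_FMT):
        return None
    (proto, _ver, btype, _flags, root, cost, bridge, _port,
     _age, _max_age, hello, _fwd) = struct.unpack(_FMT, body)
    if proto != 0 or btype not in (0x00, 0x02):   # 0x00 STP config, 0x02 RSTP
        return None
    return {
        "root_priority": struct.unpack(">H", root[:2])[0],
        "root_mac": root[2:].hex(),
        "root_cost": cost,
        "bridge_priority": struct.unpack(">H", bridge[:2])[0],
        "bridge_mac": bridge[2:].hex(),
        "hello": hello // 256,
    }


def is_superior_root(candidate, current):
    """Root election: the lower Bridge ID wins, priority first, then MAC."""
    return (candidate["root_priority"], candidate["root_mac"]) < \
           (current["root_priority"], current["root_mac"])


def bpdu_guard_verdict(dst_mac, payload, bpduguard):
    """What an access port does with a frame: 'errdisable', 'stp' (process
    the BPDU, possibly re-electing root) or 'forward' (ordinary data)."""
    if dst_mac != STP_MCAST or parse_config_bpdu(payload) is None:
        return "forward"
    return "errdisable" if bpduguard else "stp"


# Current root from the lab output in the comments; the rogue is constructed.
CURRENT_ROOT = {"root_priority": 32769, "root_mac": "aabbcc000100"}
ROGUE = build_config_bpdu(4097, "0011.2233.4455", 4097, "0011.2233.4455")

if __name__ == "__main__":
    rogue = parse_config_bpdu(ROGUE)
    print("rogue claims root", rogue["root_priority"], rogue["root_mac"])
    print("would displace current root:", is_superior_root(rogue, CURRENT_ROOT))
    for guard in (False, True):
        print("bpduguard", guard, "->", bpdu_guard_verdict(STP_MCAST, ROGUE, guard))
```

The comparison in is_superior_root is the whole "better values" story: a rogue device only needs to advertise a lower priority (or the same priority with a lower MAC) to be elected, which is why a guarded port errdisables on the first BPDU instead of evaluating it.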

To re-enable a port disabled by BPDU Guard, remove the offending device and then bounce the port with shutdown / no shutdown. Alternatively, errdisable recovery cause bpduguard (together with errdisable recovery interval <seconds>) brings the port back automatically after the interval; if the offending device is still attached, the port is simply error-disabled again on the next BPDU.

BPDU Filter, on the other hand, filters BPDUs in both directions, which effectively disables STP on the port. Its exact behaviour depends on how it is enabled: configured on the interface it suppresses all inbound and outbound BPDUs unconditionally, whereas configured globally for PortFast ports it stops the port sending BPDUs but removes the PortFast state (and the filter) from the port if a BPDU is received. Enabling BPDU filtering on an interface is the same as disabling spanning tree on it and can result in spanning-tree loops.

Configuring BPDU Filter

Following are the methods to configure BPDU Filter on Cisco IOS switches:

Interface mode

spanning-tree bpdufilter enable (the port no longer participates in STP at all; loops may occur).

Global mode

spanning-tree portfast bpdufilter default (enables BPDU filtering on ports in the PortFast operational state; such a port sends a few BPDUs while coming up and then stops sending them, and it stops filtering as soon as it receives a BPDU, at which point it loses its PortFast state and operates like a normal STP port because a BPDU has been received).

You should always allow STP to run on a switch to prevent loops. However, in special cases where you need to prevent BPDUs from being sent or processed on one or more switch ports, you can use BPDU filtering to effectively disable STP on those ports. You would use BPDU Filter when you want a switch plugged into your network but do not want it participating in spanning tree.

An example: in an office environment someone needs another network drop under their desk, but you do not have the time or budget to run a new line right now. You have been given a small switch but do not want it to break spanning tree. The switch you have lying around for this task is a simple unmanaged switch and will only have one uplink into your network, so you put BPDU Filter on your switch port.
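The policy this article lays out (BPDU Guard on every access port, BPDU Filter only where you can justify it, and a guarded port stays down until someone bounces it) is easy to check mechanically against a running-config. Below is an added example in Python, not part of the article, that audits a Cisco IOS running-config for access ports without an effective BPDU Guard, ports with interface-level BPDU Filter (including the case where filter and guard are both set, so the guard can never fire, which is what the lab output in the comments shows), and a missing errdisable recovery for bpduguard. The sample configuration is constructed for this example; interface names and descriptions are hypothetical, and only ports with an explicit "switchport mode access" are audited.

```python
"""Audit a Cisco IOS running-config for BPDU Guard / BPDU Filter hygiene on
access ports. Added example; SAMPLE_CONFIG is constructed, not a real device."""

SAMPLE_CONFIG = """\
!
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
!
interface GigabitEthernet1/0/1
 description user port, guarded via the global PortFast default
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 description user port, no portfast so the global default does not apply
 switchport mode access
!
interface GigabitEthernet1/0/3
 description the "small switch under the desk" port
 switchport mode access
 spanning-tree portfast edge
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/4
 description someone turned the guard off here
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard disable
!
interface GigabitEthernet1/0/24
 description uplink to distribution
 switchport mode trunk
!
"""

GUARD_DEFAULT = "spanning-tree portfast bpduguard default"
ERRDISABLE_RECOVERY = "errdisable recovery cause bpduguard"


def parse_ios_config(text):
    """Split a running-config into global lines and {interface: [sub-commands]}.
    IOS indents interface sub-commands by one space and separates sections with '!'."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def audit(text):
    """Return a list of (where, finding) tuples; an empty list means clean."""
    global_lines, interfaces = parse_ios_config(text)
    guard_default = GUARD_DEFAULT in global_lines
    findings = []
    for name, sub in interfaces.items():
        cmds = set(sub)
        if "switchport mode access" not in cmds:
            continue  # only explicit access ports are audited in this example
        portfast = any(c.startswith("spanning-tree portfast") for c in cmds)
        # Guard is effective if enabled on the interface, or inherited from the
        # global PortFast default and not explicitly disabled on the interface.
        guard = ("spanning-tree bpduguard enable" in cmds or
                 (guard_default and portfast and
                  "spanning-tree bpduguard disable" not in cmds))
        filtered = "spanning-tree bpdufilter enable" in cmds
        if filtered:
            findings.append((name, "interface-level bpdufilter: STP is disabled on this port, loops possible"))
            if guard:
                findings.append((name, "bpduguard is blind: bpdufilter drops inbound BPDUs before the guard sees them"))
        elif not guard:
            findings.append((name, "access port without BPDU Guard: a rogue switch here can change the topology"))
    if ERRDISABLE_RECOVERY not in global_lines:
        findings.append(("global", "no errdisable recovery for bpduguard: guarded ports stay down until shut/no shut"))
    return findings


if __name__ == "__main__":
    for where, what in audit(SAMPLE_CONFIG):
        print(f"{where}: {what}")
```

Run against the sample, the audit passes GigabitEthernet1/0/1 (guard inherited from the global default), flags 1/0/2 and 1/0/4 as unguarded, reports 1/0/3 twice (filter on, and guard made useless by it), skips the trunk, and reminds you that nothing will recover an errdisabled port automatically.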

Ganesh.H

Comments
luisdj2008
Community Member

BPDU filter only stops sending BPDUs on that interface; the port is still able to receive them. Now, if the port is configured in spanning-tree PortFast mode, it will stop sending BPDUs as well, even if no BPDU filter is configured, but if the port receives BPDUs it will start running spanning tree and will change its state according to the spanning-tree role assigned.

blue phoenix
Level 1

Tried this on a virtual lab using IOL switches.

SW1 e0/2----e0/2 SW2

SW1 is like the small switch while the SW2 is the access layer switch in the comms room or on top of the fridge of the break room inside the office ;)

SW1#sh run int e0/2
interface Ethernet0/2

SW2#sh run int e0/2

interface Ethernet0/2
switchport mode access
spanning-tree portfast edge
spanning-tree bpdufilter enable
spanning-tree bpduguard enable

================================
SW1#sh vlan brief

VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Et0/0, Et0/1, Et0/2, Et0/3
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup

SW2#sh vlan brief

VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Et0/0, Et0/1, Et0/2, Et0/3
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup

================================

SW1#sh spanning-tree vlan 1

VLAN0001
Spanning tree enabled protocol rstp
Root ID Priority 32769
Address aabb.cc00.0100
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address aabb.cc00.0100
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec

Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et0/2 Desg FWD 100 128.3 Shr

SW2#sh spanning-tree vlan 1

VLAN0001
Spanning tree enabled protocol rstp
Root ID Priority 32769
Address aabb.cc00.0200
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address aabb.cc00.0200
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec

Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et0/2 Desg FWD 100 128.3 Shr Edge

So bpdufilter negates all STP loop-prevention measures, since both of them think they are the root switch. But what is good is that SW2 is not affected by the small switch with a legacy MAC address, since its BPDUs are not being transmitted to switch port e0/2 of SW2...

This is a great solution for unscheduled guests or VIPs in the office who need network access pronto!

Cheers,

Devendra Naik
Community Member

Superb. Nicely Explained.

Eddgar Rojas
Level 1

Well, I will try to never use BPDU Filter due to the problems it could bring. In your example:


An example:  In an office environment where someone needs  another network drop under their desk but you don't have time/budget to  run a new line for now.  you are been given a small switch but don't want it to break spanning tree.The switch  you have lying around for this task is a simple unmanaged switch and  will only have one uplink into your network. so you put bpdufilter on your  switch port.

Ganesh.H


If the switch is a dumb switch that does not send BPDUs then I use BPDU Guard only, but if it is not a dumb switch, or that dumb switch sends BPDUs on that port, I will let it participate in the STP topology but with Root Guard enabled to prevent that switch becoming root for any reason.

In my experience end users are very creative, for example taking that drop switch and connecting another link to access wall ports.

pgasparovic
Level 1

Hi there,

Interesting even in 2022, when someone needs to rebuild some team lab and optimize it as best they can, avoiding deploying new stuff in place of good old switches.

For me the outcome of this is that BPDU filter makes BPDU guard blind. If you never ever expect/desire any kind of switch on the user side, just don't use BPDU filter.

PS: @blue phoenix's comment "its BPDUs are not being transmitted to the switch port e0/2 of SW2...": I expect they indeed are, but filter rules over guard and lets the traffic in.

knaik99
Level 1

1. Meaning: if BPDU filter is enabled at the global level on the switch, then if any switch port receives a BPDU, due to the global-level BPDU filter, STP is enabled and the port would lose its PortFast status, right?

In which scenario can this case be used?

2. A switch port enabled with BPDU filter at the interface level would not send any BPDU and would ignore received BPDUs, right?

This case we can use normally for any PC, Cisco IP phone, or any unmanaged switch which we want to connect to the Cisco switch, right?

Mwiingai14
Level 1

The article explains exactly what I am really planning to do; I am working on it.
