In the networking world we know that, to avoid loops or any other problem related to the switching architecture, the stability of the Root Bridge is of paramount importance to the continual, uninterrupted operation of spanning-tree. A change in the position of the Root Bridge causes service disruption on the network, with data and voice sessions timing out.
It is important to consider what events could cause a change in the position of the Root Bridge. Links failing between the existing Root Bridge and the rest of the network would cause a change, as would a duplex mismatch between the Root Bridge and a downstream switch that stops the Root Bridge's spanning-tree messages from reaching other parts of the network. These events are easily diagnosed and resolved, and none of them requires the BPDU Guard feature.
It is always better practice to enforce the borders of the spanning-tree domain and keep the active topology, and the position of the Root Bridge, predictable.
Best practice is to enable BPDU Guard only on access ports (ports that lead to end-user devices), so that no device plugged into one of these ports is able to influence the spanning-tree topology.
Configuring BPDU Guard
Following are the two ways in which BPDU Guard can be configured on a switch:
spanning-tree bpduguard enable (interface configuration; puts the port in errdisable upon receiving any BPDU, regardless of whether PortFast is configured).
spanning-tree portfast bpduguard default (global configuration; enables BPDU Guard on every port that has PortFast configured, and puts such a port in errdisable upon receiving a BPDU).
Once BPDU Guard is enabled it keeps an eye open for any BPDUs entering the access ports. Under normal conditions the only devices that create and transmit BPDUs are switches, but a BPDU is just a multicast frame: any host with raw-socket access can craft one, so the feature is worth having on every access port, not only where a rogue switch seems likely. Our main aim is to have a predictable topology and not allow switches outside our control onto our network. If a rogue switch is introduced into our topology it will in most cases transmit BPDUs, and if the rogue switch has "better" values than the existing Root Bridge it will cause a topology change in the switched network. Any topology change is bad news for the users.
Configuring the BPDU Guard feature on the access ports lets spanning-tree shut the port down in the event that it receives a BPDU. As a rule of thumb, BPDUs are only expected on links between switches (the trunks and uplinks), never on ports facing end-user devices. If a rogue switch is plugged into a port configured for BPDU Guard, the port is disabled as soon as the first BPDU is received; by shutting the port down we prevent the rogue switch from affecting our spanning-tree topology.
To re-enable a port disabled by BPDU Guard you need to remove the offending device and then bounce the port with shutdown / no shutdown. Alternatively, errdisable recovery cause bpduguard (with errdisable recovery interval) lets the switch re-enable the port automatically after the interval; if the offending device is still attached, the port is simply err-disabled again on the next BPDU.
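The following Cisco IOS configuration is an added example, not part of the original article. It combines the global default, an explicit per-interface guard, automatic errdisable recovery, and the verification commands. Interface names, the VLAN number and the recovery interval are assumed; on recent IOS-XE releases (Catalyst 9000) the PortFast keywords are spanning-tree portfast edge and spanning-tree portfast edge bpduguard default.

```cisco
! Added example (not from the original article): Cisco IOS access switch.
! Interface names, VLAN 10 and the 300 s interval are assumptions.
!
! Global: every port that has PortFast configured also gets BPDU Guard.
spanning-tree portfast bpduguard default
!
! Let the switch recover bpduguard err-disabled ports on its own after
! 300 seconds. If the offending device is still attached, the next BPDU
! err-disables the port again, so the recovery is harmless.
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! Access port to an end-user device: PortFast plus an explicit guard, so
! the port stays protected even if the global default is removed later.
interface GigabitEthernet1/0/5
 description USER-PORT
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Uplink towards the distribution layer: no PortFast and no BPDU Guard,
! because BPDUs from the Root Bridge are expected to arrive here.
interface GigabitEthernet1/0/48
 description UPLINK-TO-DIST
 switchport mode trunk
!
! Verification (exec mode):
!   show spanning-tree summary                    (BPDU Guard Default is enabled)
!   show spanning-tree interface gi1/0/5 detail   (Bpdu guard is enabled)
!   show interfaces status err-disabled           (ports tripped by bpduguard)
!   show errdisable recovery                      (recovery cause and timer)
!
! Manual recovery after the rogue device has been unplugged:
!   interface GigabitEthernet1/0/5
!    shutdown
!    no shutdown
```

Apply the global default first and then verify with show spanning-tree summary before trusting it: a port that has no PortFast configured is not covered by the global default and needs the interface-level command.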
BPDU Filter, on the other hand, drops BPDUs in both directions, which effectively disables STP on the port. Enabling BPDU filtering on an interface is the same as disabling spanning-tree on it and can result in spanning-tree loops. The two ways of configuring it behave differently: the interface-level command filters unconditionally, whereas the global PortFast default filters outbound BPDUs but removes the PortFast state (and with it the filter) from a port as soon as a BPDU is received on it.
Configuring BPDU Filter
Following are the two ways in which BPDU Filter can be configured on a switch:
spanning-tree bpdufilter enable (interface configuration; the port sends and accepts no BPDUs and no longer participates in STP, so loops may occur).
spanning-tree portfast bpdufilter default (global configuration; enables BPDU filtering on ports that have PortFast configured. Such a port sends a few BPDUs when it comes up and then filters them; if it ever receives a BPDU it loses its PortFast state, the filtering is disabled, and the port operates like a normal STP port because a switch has evidently been attached).
You should always allow STP to run on a switch to prevent loops. However, in special cases where you need to prevent BPDUs from being sent or processed on one or more switch ports, you can use BPDU filtering to effectively disable STP on those ports. You would use BPDU Filter when you want a switch plugged into your network but do not want it participating in spanning-tree.
An example: in an office environment someone needs another network drop under their desk, but you do not have the time or budget to run a new line for now. You have been given a small switch and do not want it to break spanning-tree. The switch you have lying around for this task is a simple unmanaged switch with only one uplink into your network, so you put BPDU Filter on your switch port. Bear in mind what you give up: if a second cable is later run from that unmanaged switch back into the network, the filtered port will not see the resulting loop, whereas a BPDU Guard port would err-disable as soon as the switch's own BPDUs came back through it.
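The following Cisco IOS configuration is an added example, not part of the original article. It shows both BPDU Filter modes for the desk-switch scenario above, and the BPDU Guard variant of the same port for comparison. Interface names and the VLAN number are assumptions; on recent IOS-XE the PortFast keyword is spanning-tree portfast edge.

```cisco
! Added example (not from the original article). Interface names and
! VLAN 10 are assumptions.
!
! Option 1, global default: filter only on PortFast ports. The switch
! still sends a few BPDUs at link-up; if a BPDU is ever received, the
! port drops PortFast and the filter and returns to normal STP operation.
spanning-tree portfast bpdufilter default
!
! Option 2, per interface: unconditionally drop BPDUs in both directions.
! STP is effectively off here; a loop through the unmanaged desk switch
! will not be detected by this port.
interface GigabitEthernet1/0/20
 description UNMANAGED-DESK-SWITCH
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
! Comparison: the same desk switch behind BPDU Guard instead. An
! unmanaged switch does not originate BPDUs, so the port stays up; most
! unmanaged switches do flood them, so a second cable from the desk
! switch back into the network returns this switch's own BPDUs and
! err-disables the port, which is the failure you want caught.
interface GigabitEthernet1/0/21
 description UNMANAGED-DESK-SWITCH-GUARDED
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Verification (exec mode):
!   show spanning-tree interface gi1/0/20 detail   (Bpdu filter is enabled)
!   show spanning-tree interface gi1/0/21 detail   (Bpdu guard is enabled)
```

If you must use the per-interface filter, give the port a description that says so, so that the next engineer looking at an unexplained loop knows which port is blind to BPDUs.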