06-30-2010 04:20 AM - edited 03-01-2019 04:32 PM
In Networking World we know that to avoid any loops or any problem related to switching arcihtecure the stability of the Root Bridge is of paramount importance in the operation and continual uninterrupted service of spanning-tree. A change in the position of the Root Bridge will cause service disruption on the network with data and voice session timing out.
It is important to consider what events could cause a change in the position of the Root Bridge, events such as links failing between the existing Root Bridge and the rest of the network would cause a change, or possibly a duplex mismatch between the Root Bridge and downstream switches causing the spanning-tree messages from the Root Bridge from reaching the other parts of the network. These events are easily fixed and resolved none of which would require the use of the BPDU Guard feature.
Always a better practice to enforce the Spanning-tree domain borders and keep our active topology and the position of our Root Bridge predictable.
Best Practices to enable BPDU Guard only on access ports (access ports lead to end user devices) so that any end user devices on these ports that have BPDU Guard enabled are not able to influence the Spanning-tree topology.
Following are the modes in which we can configure BPDU Guard in switches
spanning-tree bpduguard enable (Puts port in errdisable upon receiving any bpdu).
spanning-tree portfast bpduguard default (It enables bpduguard on ports that have port-fast configuration, puts port in errdisable upon receiving a bpdu).
Once BPDU Guard is enabled it will keep an eye open for any BPDU's entering the access ports. The only devices which can reliably create and transmit BPDU's are switches.Our main aim to have a predictable topology and not allow other switches outside our control onto our network. If a rogue switch is introduced into our topology it will in most cases transmit a BPDU, if the rogue switch has "better" values than the existing Root Bridge it will cause a topology change in the switched network. Any topology change is bad news for the users.
By configuring the "BPDU Guard" feature on the access-ports enables the spanning-tree protocol to shut the port down in the event that is receives a BPDU. As a rule of thumb, BPDU's are really only expected across trunk links.If a rogue switch is plugged into a port configured for BPDU Guard, the port will disable as soon as the first BPDU is received, by shutting the port down we prevent the rogue switch from affecting our spanning-tree topology.
To re-enable a port disabled by BDPU Guard you will need to remove the offending device and then bounce the port by issuing the shut/no shut command
BPDUfilter on the other hand just filters BPDUs in both directions, which effectively disables STP on the port.Bpdu filter will prevent inbound and outbound bpdu but will remove portfast state on a port if a bpdu is received.Enabling BPDU filtering on an interface is the same as disabling spanning tree on it and can result in spanning-tree loops.
Following are the method to configure BPDU Filter in switches
spanning-tree bpdufilter enable (Results port to not participate in STP, loops may occur).
spanning-tree portfast bpdufilter default (It enables bpdufiltering on ports that have port-fast configuration, so it sends a few bpdu while enabling port then it filters bdpu unless receives a bpdu, after that it changes from port-fast mode and disables filtering for port to operate like a normal port because it has received bpdu).
You always should allow STP to run on a switch to prevent loops. However, in special cases when you need to prevent BPDUs from being sent or processed on one or more switch ports, you can use BPDU filtering to effectively disable STP on those ports.you would use bpdufilter when you want a switch plugged into your network but you don't want it participating in spanning tree.
An example: In an office environment where someone needs another network drop under their desk but you don't have time/budget to run a new line for now. you are been given a small switch but don't want it to break spanning tree.The switch you have lying around for this task is a simple unmanaged switch and will only have one uplink into your network. so you put bpdufilter on your switch port.
Ganesh.H
Adding to Ganesh's Document, when (spanning-tree portfast bpdu-filter default) enabled Globally , an STP port enabled with portfast is not assumed to recieve BPDUs, However, if for any reason the port recieves BPDUs, the Port shall go into (Blocking , listening , learning and then Forwarding state ) HE RECALLS. and the port will be subject to noramal STP calculations whether being in forwarding or blocking state.
HTH
Mohamed
The article helps with what I am currently working on. I did have a question however. You mention BPDU filtering when a small switch is connected to a port. I currently run all my access ports with portfast and some do have unmanaged switches. I have bpduguard default turned on and even with unmanaged switches this has not been a problem because I am assuming that they do not support spanning tree. Would I be correct in leaving it this way or should I be using something different. I personally want the port to shutoff if a new spanning-tree device is intorduced but if someone connects a hub or unmanaged 4-port switch keep working.
Just be warned about BPDU Filter. I would stay clear from it personally.
what is there to be afraid of about BPDU filter, please do educate us.
thanks
I can answer that one ayokunies.
If a user takes a network cable and plugs it into two wall jacks, (with BPDU filter on) this creates a loop, a broadcast storm will likely follow. This happened to us by having an end user hooking up their IP phone to two network jacks. It brought down the entire network.
BPDU filter overrides the BPDU guard.
"In an office environment where someone needs another network drop under their desk but you don't have time/budget to run a new line for now. you are been given a small switch but don't want it to break spanning tree.The switch you have lying around for this task is a simple unmanaged switch and will only have one uplink into your network. so you put bpdufilter on your switch port."
so wen u connect ur new switch to the bpdu enable interface of your existing switch,the new switch ll send a BPDU and on receving this BPDU in the port the exisiting switch port status will move to a normal port status ..is that right?
Hi Karthikeyan,
On the new switch make sure to enable BPDU filter on the uplink port which will prevent any BPDU's from passing through the interface. This will keep the new switch from causing a BPDU guard error on the existing switch.
Additionally, I like to set up the temporary switch with BPDU guard on every single port except the uplink port. This helps prevent a user from looping a cable back (since BPDU guard will disable one of those ports) and causing a loop. This also prevents a user from connecting up two wall ports to the same switch since that will also trip a BPDU guard error and disable a port.
Regards,
Dave
FYI,
To re-enable a port disabled by BDPU Guard you will need to remove the offending device and then;
1/ either bounce the port by issuing the shut/no shut command
2/ either have configured automated recovery by below IOS commands;
errdisable recovery cause bpduguard
errdisable recovery interval 300
BR,
Lieven
When you have two ports configured with portfast, bpduguard AND bpdufilter, neither port will send BPDUs so bpduguard will not be able to disable the port upon physical loops...now if we connect these two ports back to back, there will be a loop and user traffic will get flooded bringing down the whole network. since bpdufilter at both ends WILL NOT send bpdus, there WILL be a loop on USER traffic.
So, best practice to prevent something like a user plugging two wall ports into 1 IP Phone bringing down the network would be to enable Portfast on the user access ports as usual, AND enable bpdufilter on the access ports? (but do NOT enable bpdufilter). Is that correct?
It seems that you already have it configured correctly.
If you have have BPDUGUARD enabled on a port, and you have a switch that understands STP (it sends BPDUs) the port will go into errdisable state (won't pass traffic), until you manually shut/no shut the port or use the errdisable timeout recovery command.
If you want somebody to connect a hub or unmanaged switch, and retain the port's ability to pass traffic, then you have the port configured correctly already (bpduguard enabled on it).
This is if the unmanaged switch does NOT understand STP. Just because a switch is unmanaged does not necessarily mean that it does not understand STP.
Initial part of document refers to a statement "The only devices which can reliably create and transmit BPDU's are switches." Does this mean any server connected to switch would not generate BPDU ?
Currently i had an issue and my network team told me that one of my server started generating BPDUs and brought down STP. Can this be true ?
If BPDU filter stops sending and "receiving" BPDU on a port, then why when BPDU is "received" Port transitions from Port-fast to normal Designated port and starts sending BPDUs again
Please answer as this is killing me
oops
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: