Solved: Re: BPDU Guard vs BPDU FIlter

tmartin91 · ‎05-19-2006

Could anyone suggest some possible scenarios where yuo would want a global config enabled for both BPDU-Guard and BPDU-Filter. If you are filtering on a port to not send BPDUs, what use would you have for BPDU-Guard?

andrew.butterworth · ‎05-19-2006

Actually even if you enable BPDU-Filter some BPDU's are still sent when an interface link first comes up:

cat-2950#sho spanning-tree interface fastEthernet 0/1 detail

Port 1 (FastEthernet0/1) of VLAN0010 is designated forwarding

Port path cost 19, Port priority 128, Port Identifier 128.1.

Designated root has priority 24586, address 000f.3440.2e80

Designated bridge has priority 32778, address 000c.ce3f.4ec0

Designated port id is 128.1, designated path cost 4

Timers: message age 0, forward delay 0, hold 0

Number of transitions to forwarding state: 2

The port is in the portfast mode by default

Link type is point-to-point by default

Bpdu guard is enabled by default

Bpdu filter is enabled by default

Loop guard is enabled by default on the port

BPDU: sent 11, received 0

cat-2950#

This is to allow such things as BPDU-Guard to kick in and shut a mis-connected port down.

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12122ea7/scg/swstpopt.htm#wp1046220

HTH

Andy

View solution in original post

a-larkins · ‎05-19-2006

BPDU-guard is critical in my view should you eve use spanning-tree portfast. The last thing you need is a loop. The concept is that if you make the ports portfast, you are saying that these are access points.

Should someone then connect a switch into this portfast port (hopefully in error:), there is a good chance of getting a spanning tree loop. Bpdu-guard will see the incoming bdpu's from the other switch and err-disable the port because a port configured as portfast should never get these.

HTH

tmartin91 · ‎05-19-2006

I am using portfast on all access ports. I know how BPDU-guard works and why to use it. Your answer does not really answer my question. My question is what the use is of BPDU-guard WHEN BPDU-FILTERING IS ENABLED globally as well. I would think they would be mutually exclusive, and was wondering the rationale of having both.

dtushing123 · ‎05-19-2006

I think the recommendation is not to run bpdu-filter unless you absolutely need to for some reason..

Port-fast and bpdu-guard are the 2 that go hand in hand.

tmartin91 · ‎05-19-2006

My thought is that BPDU-guard is not doing its job if BPDU-filter is enabled because you are filtering out the BPDUs. I just need someone who knows better to agree or refute this.

gpulos · ‎05-19-2006

bpdu guard is the process of a portFast port going into errorDisable mode when it receives a BPDU from a downstream switch. this prevents the downstream switch from becoming the root bridge.

bpdu filter is used to prevent a switch from transmitting bpdu's out the portFast ports. this is differnt from bpdu guard in the respect that a bpdu-guarded port will send bpdu's downstream versus a bpdu-filtered port that will not send any bpdu's at all.

if you were filtering on a port to not send bpdu's you could still want to be able to restrict that port from receving bpdu's...this is what bpdu guard would do for you.

Aaron Harrison · ‎05-19-2006

OK - here's a good point to consider...

Say you configure bpdu-guard on all ports.

You then configure bpdu-filter on all ports.

You now have no ports sending out BPDUs. You have all ports configured to shut down if they receive a BPDU.

So if you plug port 0/1 into 0/2, you have a loop and your network will explode. I've seen this happen, one of our guys put these commands everywhere, and someone plugged both ports on an Avaya IP phone into a switch. Bang!

Same would happen if you connect two switches together with both these features on the connecting ports.

Basically BPDU filter turns off spanning tree for a port, probably not something you want to do!.

Hope this helps

Aaron

please rate helpful posts

Aaron Please remember to rate helpful posts to identify useful responses, and mark 'Answered' if appropriate!

andrew.butterworth · ‎05-19-2006

Actually even if you enable BPDU-Filter some BPDU's are still sent when an interface link first comes up:

cat-2950#sho spanning-tree interface fastEthernet 0/1 detail

Port 1 (FastEthernet0/1) of VLAN0010 is designated forwarding

Port path cost 19, Port priority 128, Port Identifier 128.1.

Designated root has priority 24586, address 000f.3440.2e80

Designated bridge has priority 32778, address 000c.ce3f.4ec0

Designated port id is 128.1, designated path cost 4

Timers: message age 0, forward delay 0, hold 0

Number of transitions to forwarding state: 2

The port is in the portfast mode by default

Link type is point-to-point by default

Bpdu guard is enabled by default

Bpdu filter is enabled by default

Loop guard is enabled by default on the port

BPDU: sent 11, received 0

cat-2950#

This is to allow such things as BPDU-Guard to kick in and shut a mis-connected port down.

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12122ea7/scg/swstpopt.htm#wp1046220

HTH

Andy

Aaron Harrison · ‎05-19-2006

Hi Andy

That's interesting - perhaps when the Avaya phone was in the middle, the time that took to boot and start forwarding was the time in which the BPDUs were sent out... hence they weren't picked up by BPDUGUard.

To be honest I didn't try looping it direct, I just spotted the problem and fixed it.

Aaron

Aaron Please remember to rate helpful posts to identify useful responses, and mark 'Answered' if appropriate!

kleo · ‎05-19-2006

actually avaya phones prior to 2.2 firmware would not forward BDPU packets between the 2 ports on the back of the phone :(

i had a similar problem about a year ago, when someone plugged both ports into the switch with an ip phone that had old firmware ...ouch...BPDU-guard did nothing!