Re: bpdu guard

carl_townshend · ‎06-21-2006

Can anyone tell me what this does and why we would use it, i was just told that its so if anyone plugs a switch in it stops it changing the topolgoy of spanning tree and wont allow re convergence etc ? would you enanble this on all ports except current uplinks etc ?

thanks

Carlos

imran_mo · ‎06-21-2006

BPDU Guard will reject any BPDU's recieved on the port on which it is enabled.

You would normally enable it on all access ports so even of a switch is connected to the port to which the desktop normally connects, the BPDU's recieved from the new switch will be rejected thereby preventing STP topology change.

leonvd79 · ‎06-21-2006

Carl,

To protect the current root of the spanning tree from being couped.

The global command "spanning-tree portfast bpduguard default" protects the root bridge against better BPDU from connected users.

The global command "spanning-tree bpduguard default" enables bpduguard on all ports.

The interface command "spanning-tree bpduguard [enable | disable]" enables or disables bpduguard on a port-to-port basis.

In a large switched network it is advisable to protect the root of the spanning tree from superior BDPUs from downstream switches.

HTH

--Leon

* Please rate posts.

PS I notice that you post questions on a daily basis. The answers can be easily found in the documentation and in many courseware provided by Cisco.At least rate post to let people know it was helpful and to show some appreciation. Thank you.

criss_noh · ‎06-26-2006

there are so many command to prevent from L2 looping. For example, BPDU guard, BPDU filter..etc

BPDU guard has slightly different mechenism from BPDU filter. When you enable BPDU filter, switch just never receive BPDU frame(filtering). On the other hands, BPDU guard would be err-disable on a port received BPDU frame. clear ?

cisco · ‎06-29-2006

If BPDU Guard is ENABLED on specific port and if it recieve BPDU that port will be in err-disable state and when the BPDU Filter is enabled on a port and now if the port receive BPDU what will happen now ?

regards

Neo

Aaron Harrison · ‎06-29-2006

Hi

If BPDUfilter is enabled on a port, it does nothing when it receives a BPDU.

So if you configure BPDUFilter on two ports and connect them together (or a user plugs two together, by adding a hub and patching it into two ports or plugging both ports in an IP phone into the network) the loop will not be detected and you will have a problem...

Regards

Aaron

Please rate helpful posts...

Aaron Please remember to rate helpful posts to identify useful responses, and mark 'Answered' if appropriate!

cisco · ‎06-29-2006

Hi Aaron ,

Thanks for your reply.So whats the requirement to enable BPDU Filter ?

regards

Neo

Aaron Harrison · ‎06-29-2006

You mean when would you use it?

I guess when you don't want an end station or connected device to see BPDUs for whatever reason (maybe security)... but you'd have to be sure no possibility of loops exists as it basically disables STP on the port...

Aaron

Please rate helpful posts...

Aaron Please remember to rate helpful posts to identify useful responses, and mark 'Answered' if appropriate!

cisco · ‎06-30-2006

Bottom line is " BPDU filter is used so that a system CPU is not wasted for processing BPDU packets" , right ?

regards

Neo

Francois Tallet · ‎06-30-2006

Actually, BPDU are dropped in software by BPDUfilter, so the CPU is still involved.

BPDU filter allows you to ignore the BPDU you receive while and making sure the port stays forwarding. If you combine this with portfast, it's as if STP was not running on the port (there is no real definition of STP not runnning however;-)).

This is not a major feature, but there are lots of corner case applications. You can enable this on an edge port for instance, to ignore any BPDU that could be generated there (a different way of reacting to BPDU than bpduguard or rootguard).

It is used when you are doing tunneling. As a provider, you don't want to have any interaction with your customer... etc...

Regards,

Francois

r.sneekes · ‎07-05-2006

Can anyone tell what will happen if both bpdu filter and bpdu guard are both configured on the same port.

For example then an bpdu packet arrives at that port. Which feature will it trigger first Filter or Guard?

littlesaint · ‎07-13-2006

I'd like to know this as well. Does BPDU Guard shutdown the port, or does BPDU filter prevent this becasue it cuases BDPUs to be ignored? If that is the case why would you ever enable both BPDU Guard and BPDU Filter?

Kevin Dorrell · ‎07-13-2006

Yes, BPDU guard shuts down the port when it receives a BPDU. BPDU guard is about receiving BPDUs when you are not expecting them.

BPDU filter is about transmitting BPDUs. If you enable this feature, the port will not transmit BPDUs.

In answer to your last question, you would not normally enable both. In fact, it is dangerous to do so, because it makes your network vulnerable to attack by someone connecting two ports back-to-back with a loopback cable. You think you are being protected by BPDU guard, but the other port is not transmitting BPDUs.

Kevin Dorrell

Luxembourg

r.sneekes · ‎07-14-2006

Kevin,

When you look at the following link

http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a00801a5b35.html

under the chapter bpdu filter.

In the example output a warning is show:

Console> (enable) set spantree portfast bpdu-filter 6/1 enable

Warning:Ports enabled with bpdu filter will not send BPDUs and drop all

received BPDUs. You may cause loops in the bridged network if you misuse

this feature.

This sugests BDPU filter will drop all recieved BPDU's. This is very confusing.

Can anyone confirm BPDU Filter ignores incoming BPDU's, or if it only prevents them from being sent.

Francois Tallet · ‎07-14-2006

BPDU filter, configured on an interface will both drop incoming BPDUs and prevent transmission of BPDUs on the port. The feature is done in software (the decision of dropping incoming BPDUs is done by the CPU).

Now, if you configured both BPDUguard and BPDU filter on an interface, it's all a matter of which feature kicks in first. I already had to search for that a while ago, and it seems that this is BPDU filter that is checked first, at least on the latest versions of this IOS. That means that if you configure both feature, BPDU filter will drop the BPDUs before BPDU guard, and BPDU guard will not be triggered.

http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Archive&topic=Network%20Infrastructure&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1dd92c22/1#selected_message

Note that there is a subtle difference between BPDU filter configured on the port and BPDU filter configured globally. The global version of BPDU filter only works on edge ports. Edge ports are portfast ports that never received a BPDU. As soon as a BPDU is received on an edge port, it loses its operational edge status, and as a result, global BPDU filter does not apply to the port any more (which means that the port starts sending BPDUs again).

Regards,

Francois