10-12-2011 08:04 AM - edited 03-04-2019 01:54 PM
I know that the behaviour of both BPDU Guard/Filter with PortFast has been discussed, but I am still confused after all these discussions. I have posted the different scenarios below; please explain to me what will happen when each is enabled accordingly.
1. Only the port fast enabled globally without BPDU filter/guard
2. Only the port fast enabled on interface without BPDU filter/guard
3. Only BPDU Filter enabled globally with portfast disabled
4. Only BPDU Filter enabled on interface with portfast disabled
5. Only BPDU Guard enabled globally with portfast disabled
6. Only BPDU Guard enabled on interface with portfast disabled
7. Port fast enabled globally with BPDU filter enabled on interface
8. Port fast enabled on interface with BPDU filter enabled globally
9. Both the Port fast and BPDU filter enabled on interface
10. Both the Port fast and BPDU filter enabled globally.
11. Port fast enabled globally with BPDU Guard enabled on interface
12. Port fast enabled on interface with BPDU Guard enabled globally
13. Both the Port fast and BPDU Guard enabled on interface
14. Both the Port fast and BPDU Guard enabled globally.
Can some expert explain these different conditions and what the effect will be?
Thanks
Sathya
10-12-2011 01:24 PM
I guess you need to look at what each one does individually to figure out your scenarios.
Portfast - Allows fast transition from STP blocking to forwarding whilst bypassing listening and learning states. Global application only applies portfast to access ports. Be careful where you apply portfast on a per interface basis.
BPDU Guard - Works with portfast. If a BPDU is received on an edge (portfast) port, the port will be put into an err-disable state and will need to be reset either manually or using err-disable recovery before it will work again. When applied globally, only applies to portfast ports.
BPDU Filter - Works with portfast. Effect differs if done globally or per interface.
When applied globally
Only applies to portfast ports that do not already have BPDU filtering enabled on the port.
If BPDUs are seen, it loses portfast status and becomes a standard STP port
10 BPDUs are sent out the port at startup to check for STP devices; after that no BPDUs are sent
When applied on interface
No BPDUs sent
Received BPDUs ignored
According to my logic the following will be true. Best to double check though in case I made any mistakes
1. Portfast applied to access ports only
2. STP topology loop is a possibility
3. No effect as BPDU filter is only applied to portfast ports globally
4. BPDUs ignored on port and not sent either
5. No effect as BPDU guard is only applied to portfast ports globally
6. Port will enter err-disable state on receipt of BPDU whether or not portfast is enabled
7. BPDUs ignored on port and not sent either
8. If BPDU is received port will transition to a standard spanning tree port
9. BPDUs ignored on port and not sent either
10. If BPDU is received port will transition to a standard spanning tree port
11. Port will enter err-disable state on receipt of BPDU
12. Port will enter err-disable state on receipt of BPDU
13. Port will enter err-disable state on receipt of BPDU
14. Port will enter err-disable state on receipt of BPDU
Hope this helps
Chris
10-13-2011 06:13 AM
Hi Chris,
First of all I want to thank you for your excellent reply.
After going through your post I'm a little confused about some points.
As per your reply, I made the below points:
Scenario 4: My question: Only BPDU Filter enabled on interface with portfast disabled
Your answer: BPDUs ignored on port and not sent either --> In this scenario 4, what will be the port state (forwarding or blocking)?
Scenario 9: My question: Both the Port fast and BPDU filter enabled on interface
Your answer: BPDUs ignored on port and not sent either --> In this scenario 9, what will be the port state (forwarding or blocking)?
Awaiting your reply....
10-13-2011 03:52 PM
No problem, happy to help. I just did my CCNP switch exam so I understand how confusing this stuff can be.
Scenario 4. I made a bit of a mistake here according to this source http://www.cisco.com/en/US/docs/switches/lan/catalyst4000/7.4/configuration/guide/stp_enha.html
When you disable PortFast on a port, PortFast BPDU guard becomes inactive. I am unsure if a switch will allow you to enable BPDU guard on the interface if it is not configured already for portfast.
Scenario 9. I believe the port will be forwarding as it is an edge port connecting to a single device.
Here's another link you might find useful
http://blog.ipexpert.com/2010/12/06/bpdu-filter-and-bpdu-guard/
For the scenarios that you suggest it would be best to test them in the lab and then you will understand them better. You would have spotted my mistake with Scenario 4 if you tried to enter the config on a switch. I just took the literal effect of both things together to find out the result. There are always exceptions to rules; mucking about in config is usually a good way to find them.
10-18-2011 10:10 AM
Hi Chris,
Thanks a lot for your reply. My apologies for the delayed response. I went through the link which you referred me to.
So as per that document,
We can't enable BPDU guard/Filter if port fast is disabled.
So if this is a case then the case 4:
6. Only BPDU Guard enabled on interface with portfast disabled ----- it will also not be possible (I meant that BPDU will not be active if we disable portfast, right) but in your answer you said that
6. Port will enter err-disable state on receipt of BPDU whether or not portfast is enabled... can you clarify this one last time....
10-19-2011 05:41 AM
I thought that I read in the CCNP switch guide that it was possible to enable bpduguard on a per port basis independent of portfast. I may have been mistaken though as this document suggests. I do not have a switch handy just now or I would test to see.
10-19-2011 05:51 AM
Ok Chris!!! Anyway, thanks a lot for your answer. So I understand this as it is that BPDU guard will not be active if we disable portfast as per the document.
10-19-2011 06:57 AM
Gentlemen,
Allow me to join the discussion.
First of all, all the features discussed here, i.e. PortFast, BPDU Guard, BPDU Filter are independent and can be configured independently of each other. In particular, neither BPDU Guard nor BPDU Filter requires the PortFast to be configured. This is the first thing we have to agree upon.
So each of these features can be configured independently on a single port, without requiring that any other feature is activated along with it.
However, to make the configuration more comfortable, these features can be enabled on a global level, rather than on a per-port basis. In that case, however, it would be unwise that, for example, BPDU Guard was activated on all ports, including trunks to other switches, just because it is activated on a global level. So a chain of assumptions can be made:
This should form the global picture about the BPDU Guard and BPDU Filter features:
As Chris correctly noted, the behavior of BPDU Filter differs depending on how it is configured: on an interface, it immediately blocks sending and processing of received BPDUs. On a global basis, the BPDU Filter merely stops sending BPDUs if 11 BPDUs are sent and no BPDUs are received. However, should a BPDU be received on this port, the BPDU Filter is disabled on that port (until it is disconnected) and the port starts sending and processing BPDUs again.
Interaction of both BPDU Guard and BPDU Filter is somewhat convoluted:
I am not sure if this helps but these are my two cents...
Best regards,
Peter
10-19-2011 07:19 AM
Peter,
Awesome explanation!!!! You cleared my doubts in a good way.... Thanks a ton... So if we enable BPDU Guard/Filter (without portfast enabled) then it will get applied to all ports (trunk/access) and if we enable portfast globally then it will get applied only to access ports (not trunk). Am I right?
Thanks,
Sathya
10-19-2011 08:31 AM
Thanks Peter, I was getting myself a bit confused trying to explain it
10-19-2011 09:06 AM
Hello Sathya,
So if we enable BPDU Guard/Filter (without portfast enabled) then it will get applied to all ports (trunk/access)
Yes, assuming it is configured directly on an interface. Enabling BPDU Guard or BPDU Filter on a global level without having any ports running in PortFast mode would not make any difference - nothing would happen. Also, enabling or disabling PortFast when BPDU Guard/Filter are configured directly on an interface again does not make any difference to the operation of the Guard/Filter.
and if we enable portfast globally then it will get applied only to access ports(not trunk).
If BPDU Guard and BPDU Filter are configured globally, they apply only to PortFast-enabled ports. However, it is irrelevant how the ports became PortFast-enabled in the first place. You may enable the PortFast globally (which will apply only to access ports) and then it would work exactly as you described here. Alternatively, you may enable the PortFast on a per-interface basis. For BPDU Guard/Filter configured globally, the only interesting thing is whether the port is PortFast-enabled. If yes, the global BPDU Guard/Filter apply to it. If not, the global Guard/Filter do not apply to this port.
Best regards,
Peter
10-19-2011 10:18 AM
So you mean that the BPDU guard/Filter enabled globally will be applied to the ports on which the portfast is enabled. But if we enable the BPDU filter/Guard globally without port fast configured (neither on interface nor globally) what will happen? Will the BPDU guard/Filter get applied or not?
10-19-2011 10:24 AM
Hello Sathya,
So you mean that the BPDU guard/Filter enabled globally will be applied to the ports on which the portfast is enabled.
Correct.
But if we enable the BPDU filter/Guard globally without port fast configured(neither on interface nor globally) what will happen?
The BPDU Filter/Guard will not be active on any port - as if you did not configure the Guard/Filter at all. Remember, Filter/Guard configured globally act only on PortFast ports. If there are no PortFast ports, Filter/Guard features do not have any ports to act on.
Best regards,
Peter
10-19-2011 10:31 AM
Hi Peter,
But can I enable the BPDU guard/filter on the port even though there is no portfast enabled? If I do that, will that BPDU guard/filter function correctly? --> This is my final question, sir.
10-19-2011 10:37 AM
Hi Sathya,
Please feel welcome to ask as much as you need.
But can I enable the BPDU guard/filter on the port even though there is no portfast enabled? If I do that, will that BPDU guard/filter function correctly?
Yes, regardless of the PortFast setting, you can always go directly to the interface configuration and enable the Guard/Filter directly on the interface. In such case, the Guard/Filter will work correctly, without paying any attention whether PortFast is enabled on that interface or not.
Note that BPDU Filter works differently when activated on a global level (and thus on an interface if that interface is PortFast-enabled), and differently when activated directly on an interface (ignoring the PortFast setting completely).
Best regards,
Peter
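The rules Peter states in this thread (interface-level Guard/Filter act regardless of PortFast; global Guard/Filter act only on PortFast-enabled ports; global PortFast covers access ports only), written as a small config audit. This is an added example, not code from any poster or from Cisco; the sample config is constructed, classic IOS command syntax is assumed, and any port without `switchport mode trunk` is treated as an access port.

```python
# Constructed sample config (not from the thread), classic Cisco IOS syntax.
SAMPLE = """\
spanning-tree portfast default
spanning-tree portfast bpduguard default
spanning-tree portfast bpdufilter default
interface Gi0/1
 switchport mode access
interface Gi0/2
 switchport mode trunk
 spanning-tree bpduguard enable
interface Gi0/3
 switchport mode access
 spanning-tree portfast disable
 spanning-tree bpdufilter enable
"""

def source(cfg, glob, portfast, feature):
    """Origin of BPDU Guard/Filter on one port: 'interface', 'global' or None."""
    if f"spanning-tree {feature} enable" in cfg:
        return "interface"        # interface-level: acts regardless of PortFast
    if f"spanning-tree {feature} disable" in cfg:
        return None               # explicit per-port opt-out
    # A global default acts only on ports that are PortFast-enabled.
    is_global = f"spanning-tree portfast {feature} default" in glob
    return "global" if portfast and is_global else None

def audit(config):
    """Map each interface to its effective PortFast, Guard and Filter state."""
    glob, ports = set(), {}
    cur = glob
    for raw in config.splitlines():
        if raw.startswith("interface "):
            cur = ports.setdefault(raw.split()[1], set())
        elif not raw.startswith(" "):
            cur = glob            # any other top-level line ends the interface block
        cur.add(raw.strip())      # the header line itself is stored too; harmless
    out = {}
    for name, cfg in ports.items():
        trunk = "switchport mode trunk" in cfg   # assumption: otherwise access
        if "spanning-tree portfast disable" in cfg:
            pf = False
        elif "spanning-tree portfast trunk" in cfg:
            pf = True
        else:                     # plain/global PortFast only takes effect on access ports
            pf = not trunk and ("spanning-tree portfast" in cfg
                                or "spanning-tree portfast default" in glob)
        out[name] = {"portfast": pf, "guard": source(cfg, glob, pf, "bpduguard"),
                     "filter": source(cfg, glob, pf, "bpdufilter")}
    return out
```

Ports reported with `"filter": "interface"` are the ones to review first: as described above, they neither send nor process BPDUs, so spanning tree cannot react to a switch plugged into them.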