BPDU Filter/Guard,Portfast...confused

sathyasav
Level 1

I know that the behaviour of both BPDU Guard/Filter with PortFast has been discussed, but I am still confused by all these discussions. I have posted the different scenarios below; please explain to me what will happen when each one is enabled.

1. Only PortFast enabled globally, without BPDU Filter/Guard

2. Only PortFast enabled on interface, without BPDU Filter/Guard

3. Only BPDU Filter enabled globally, with PortFast disabled

4. Only BPDU Filter enabled on interface, with PortFast disabled

5. Only BPDU Guard enabled globally, with PortFast disabled

6. Only BPDU Guard enabled on interface, with PortFast disabled

7. PortFast enabled globally with BPDU Filter enabled on interface

8. PortFast enabled on interface with BPDU Filter enabled globally

9. Both PortFast and BPDU Filter enabled on interface

10. Both PortFast and BPDU Filter enabled globally

11. PortFast enabled globally with BPDU Guard enabled on interface

12. PortFast enabled on interface with BPDU Guard enabled globally

13. Both PortFast and BPDU Guard enabled on interface

14. Both PortFast and BPDU Guard enabled globally

Can some expert explain these different conditions and what the effect will be?

Thanks

Sathya


chris1317
Level 1

I guess you need to look at what each one does individually to figure out your scenarios.

PortFast - Allows fast transition from STP blocking to forwarding whilst bypassing the listening and learning states. Global application only applies PortFast to access ports. Be careful where you apply PortFast on a per-interface basis.

BPDU Guard - Works with PortFast. If a BPDU is received on an edge (PortFast) port, the port will be put into an err-disable state and will need to be reset either manually or using err-disable recovery before it will work again. When applied globally, it only applies to PortFast ports.

BPDU Filter - Works with PortFast. Effect differs if done globally or per interface.

When applied globally

Only applies to PortFast ports that do not already have BPDU filtering enabled on the port.

If BPDUs are seen, it loses PortFast status and becomes a standard STP port

10 BPDUs are sent out the port at startup to check for STP devices; after that no BPDUs are sent

When applied on interface

No BPDUs sent

Received BPDUs ignored

According to my logic the following will be true. Best to double check though, in case I made any mistakes

1. PortFast applied to access ports only

2. STP topology loop is a possibility

3. No effect, as BPDU Filter is only applied to PortFast ports globally

4. BPDUs ignored on port and not sent either

5. No effect, as BPDU Guard is only applied to PortFast ports globally

6. Port will enter err-disable state on receipt of BPDU whether or not PortFast is enabled

7. BPDUs ignored on port and not sent either

8. If BPDU is received, port will transition to a standard spanning tree port

9. BPDUs ignored on port and not sent either

10. If BPDU is received, port will transition to a standard spanning tree port

11. Port will enter err-disable state on receipt of BPDU

12. Port will enter err-disable state on receipt of BPDU

13. Port will enter err-disable state on receipt of BPDU

14. Port will enter err-disable state on receipt of BPDU

Hope this helps

Chris

Hi Chris,

First of all I want to thank you for your excellent reply.

After going through your post I'm a little confused about some points.

As per your reply, I made the below points:

Scenario 4: My question: Only BPDU Filter enabled on interface with PortFast disabled

Your answer: BPDUs ignored on port and not sent either. In this scenario 4, what will be the port state (forwarding or blocking)?

Scenario 9: My question: Both PortFast and BPDU Filter enabled on interface

Your answer: BPDUs ignored on port and not sent either. In this scenario 9, what will be the port state (forwarding or blocking)?

Awaiting your reply...

No problem, happy to help. I just did my CCNP switch exam so I understand how confusing this stuff can be.

Scenario 4. I made a bit of a mistake here according to this source http://www.cisco.com/en/US/docs/switches/lan/catalyst4000/7.4/configuration/guide/stp_enha.html

When you disable PortFast on a port, PortFast BPDU guard becomes inactive. I am unsure if a switch will allow you to enable BPDU guard on the interface if it is not already configured for PortFast.

Scenario 9. I believe the port will be forwarding as it is an edge port connecting to a single device.

Here's another link you might find useful

http://blog.ipexpert.com/2010/12/06/bpdu-filter-and-bpdu-guard/

For the scenarios that you suggest it would be best to test them in the lab and then you will understand them better. You would have spotted my mistake with Scenario 4 if you tried to enter the config on a switch. I just took the literal effect of both things together to find out the result. There are always exceptions to rules; mucking about in config is usually a good way to find them.

Hi chris,

Thanks a lot for your reply. My apologies for the delayed response. I went through the link which you referred me to.

So as per that document,

We can't enable BPDU Guard/Filter if PortFast is disabled.

So if this is a case then the case 4:

6. Only BPDU Guard enabled on interface with PortFast disabled: it will also not be possible (I meant that BPDU will not be active if we disable PortFast, right?), but in your answer you said that

6. Port will enter err-disable state on receipt of BPDU whether or not PortFast is enabled... can you clarify this one last time?

I thought that I read in the CCNP switch guide that it was possible to enable bpduguard on a per-port basis independent of PortFast. I may have been mistaken though, as this document suggests. I do not have a switch handy just now or I would test to see.

OK Chris! Anyway, thanks a lot for your answer. So I understand this as it is: that BPDU Guard will not be active if we disable PortFast, as per the document.

Gentlemen,

Allow me to join the discussion.

First of all, all the features discussed here, i.e. PortFast, BPDU Guard, BPDU Filter are independent and can be configured independently of each other. In particular, neither BPDU Guard nor BPDU Filter requires the PortFast to be configured. This is the first thing we have to agree upon.

So each of these features can be configured independently on a single port, without requiring that any other feature is activated along with it.

However, to make the configuration more comfortable, these features can be enabled on a global level, rather than on a per-port basis. In that case, however, it would be unwise that, for example, BPDU Guard was activated on all ports, including trunks to other switches, just because it is activated on a global level. So a chain of assumptions can be made:

  1. These mechanisms are used mostly to protect ports towards end stations, so enabling them globally should apply only to such ports.
  2. Such ports are by definition edge ports.
  3. Edge ports can be configured either by per-interface spanning-tree portfast command, or on the global level using the spanning-tree portfast default command that in turn applies to all ports operating in access mode.
  4. Hence, activating the BPDU Filter or BPDU Guard on the global level will apply to only those ports which are already operating in PortFast (i.e. edge port) mode, and it does not matter how these ports received their PortFast status (whether by global or interface-level configuration).

This should form the global picture about the BPDU Guard and BPDU Filter features:

  1. Either these features are configured on a particular interface, not having any requirements as to which feature depends on which other (in particular, regardless of the PortFast),
  2. Or these features are configured on a global level, in which case they apply only to ports that are recognized as PortFast-enabled ports

As Chris correctly noted, the behavior of BPDU Filter differs depending on how it is configured: on an interface, it immediately blocks sending and processing of received BPDUs. On a global basis, the BPDU Filter merely stops sending BPDUs if 11 BPDUs are sent and no BPDUs are received. However, should a BPDU be received on this port, the BPDU Filter is disabled on that port (until it is disconnected) and the port starts sending and processing BPDUs again.

Interaction of both BPDU Guard and BPDU Filter is somewhat convoluted:

  • If both are configured on an interface, the BPDU Filter prevents received BPDUs from being processed. Hence, the BPDU Guard will not react to received BPDUs because they will be dropped immediately on arrival, instead of being processed. In essence, it does not make sense to activate BPDU Filter and BPDU Guard simultaneously on a per-port basis.
  • If BPDU Filter is configured on a port and the BPDU Guard is activated globally, the result is the same as in the previous example, with the same explanation.
  • If BPDU Filter is configured on a global basis and the BPDU Guard is activated on a port, then a received BPDU on a port will cause the BPDU Guard to process it and immediately deactivate the port. This is because the BPDU Filter activated globally does not prevent received BPDUs from being processed.
  • If both BPDU Filter and BPDU Guard are configured on a global level, the result is the same as in the previous example, with the same explanation.

I am not sure if this helps but these are my two cents...

Best regards,

Peter
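
The rules laid out in the post above, written as a small decision model for checking a planned port configuration. This is an added example, not part of the original post and not Cisco code; the `Port` fields, function names and result strings are names chosen here, and the model encodes only the behaviour described in this thread.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Port:                        # hypothetical model of one switch port
    access: bool = True            # False models a trunk
    portfast_if: bool = False      # PortFast set on the interface
    portfast_global: bool = False  # "spanning-tree portfast default"
    filter_if: bool = False        # BPDU Filter set on the interface
    filter_global: bool = False    # BPDU Filter enabled globally
    guard_if: bool = False         # BPDU Guard set on the interface
    guard_global: bool = False     # BPDU Guard enabled globally

def is_edge(p):
    # Global PortFast reaches access ports only; interface PortFast always applies.
    return p.portfast_if or (p.portfast_global and p.access)

def sends_bpdus(p):
    if p.filter_if:
        return "never"
    if p.filter_global and is_edge(p):
        return "startup-only"      # stops after the initial BPDUs if none are received
    return "always"

def on_bpdu_received(p):
    if p.filter_if:
        return "dropped"           # discarded on arrival, so BPDU Guard never sees it
    if p.guard_if or (p.guard_global and is_edge(p)):
        return "err-disable"
    if p.filter_global and is_edge(p):
        return "filter-lifted"     # port resumes sending and processing BPDUs
    return "processed"             # ordinary spanning-tree handling

def audit(p):
    """Flag combinations the thread describes as having no protective effect."""
    findings, edge = [], is_edge(p)
    if p.filter_if and (p.guard_if or (p.guard_global and edge)):
        findings.append("BPDU Guard masked by interface BPDU Filter")
    for name, glob, intf in (("Guard", p.guard_global, p.guard_if),
                             ("Filter", p.filter_global, p.filter_if)):
        if glob and not intf and not edge:
            findings.append(f"global BPDU {name} has no effect: port is not PortFast")
    return findings

if __name__ == "__main__":
    # Constructed sample ports covering the four Guard/Filter interactions above.
    samples = {"filter if + guard if": Port(filter_if=True, guard_if=True),
               "filter if + guard global": Port(portfast_if=True, filter_if=True, guard_global=True),
               "filter global + guard if": Port(portfast_if=True, filter_global=True, guard_if=True),
               "filter global + guard global": Port(portfast_global=True, filter_global=True, guard_global=True)}
    for label, port in samples.items():
        print(f"{label:30} rx={on_bpdu_received(port):12} tx={sends_bpdus(port):12} {audit(port)}")
```
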

Peter,

Awesome explanation! You cleared my doubts in a good way... Thanks a ton. So if we enable BPDU Guard/Filter (without PortFast enabled) then it will get applied to all ports (trunk/access), and if we enable PortFast globally then it will get applied only to access ports (not trunk). Am I right?

Thanks,

Sathya

Thanks Peter, I was getting myself a bit confused trying to explain it

Hello Sathya,

So if we enable BPDU Guard/Filter (without PortFast enabled) then it will get applied to all ports (trunk/access)

Yes, assuming it is configured directly on an interface. Enabling BPDU Guard or BPDU Filter on a global level without having any ports running in PortFast mode would not make any difference - nothing would happen. Also, enabling or disabling PortFast when BPDU Guard/Filter are configured directly on an interface again does not make any difference to the operation of the Guard/Filter.

and if we enable PortFast globally then it will get applied only to access ports (not trunk).

If BPDU Guard and BPDU Filter are configured globally, they apply only to PortFast-enabled ports. However, it is irrelevant how the ports became PortFast-enabled in the first place. You may enable the PortFast globally (which will apply only to access ports) and then it would work exactly as you described here. Alternatively, you may enable the PortFast on a per-interface basis. For BPDU Guard/Filter configured globally, the only interesting thing is whether the port is PortFast-enabled. If yes, the global BPDU Guard/Filter apply to it. If not, the global Guard/Filter do not apply to this port.

Best regards,

Peter

So you mean that the BPDU Guard/Filter enabled globally will be applied to the ports on which PortFast is enabled. But if we enable the BPDU Filter/Guard globally without PortFast configured (neither on interface nor globally), what will happen? Will the BPDU Guard/Filter get applied or not?

Please answer my query.

Hello Sathya,

So you mean that the BPDU Guard/Filter enabled globally will be applied to the ports on which PortFast is enabled.

Correct.

But if we enable the BPDU Filter/Guard globally without PortFast configured (neither on interface nor globally), what will happen?

The BPDU Filter/Guard will not be active on any port - as if you did not configure the Guard/Filter at all. Remember, Filter/Guard configured globally act only on PortFast ports. If there are no PortFast ports, Filter/Guard features do not have any ports to act on.

Best regards,

Peter

Hi Peter,

But can I enable the BPDU Guard/Filter on the port even though there is no PortFast enabled? If I do that, will the BPDU Guard/Filter function correctly? This is my final question, sir.

Hi Sathya,

Please feel welcome to ask as much as you need.

But can I enable the BPDU Guard/Filter on the port even though there is no PortFast enabled? If I do that, will the BPDU Guard/Filter function correctly?

Yes, regardless of the PortFast setting, you can always go directly to the interface configuration and enable the Guard/Filter directly on the interface. In such case, the Guard/Filter will work correctly, without paying any attention whether PortFast is enabled on that interface or not.

Note that BPDU Filter works differently when activated on a global level (and thus on an interface if that interface is PortFast-enabled), and differently when activated directly on an interface (ignoring the PortFast setting completely).

Best regards,

Peter
