BPDU GUARD/ FILTER

sukesh tandon
Level 1

Why do we need BPDU GUARD and BPDU FILTER both? I think both are used to protect against switch loops while ensuring that the port transitions to the forwarding state quickly.

Can anyone help me on this.

Thanks 

Sukesh Tandon

6 Replies

Philip D'Ath
VIP Alumni

You may have one or the other configured, but not both at the same time on the same port.

bpduguard is used when connecting devices that should not be generating spanning tree packets, such as workstations, servers, etc.

bpdu filter is used when you are connecting a trunk port to another device (often a service provider) and you want to exchange spanning tree with them, and you are 100% confident that no loop can be formed.

Hello

Here is a summary of some testing I did regarding those STP features a while back.

portfast (global or interface) = bypasses listen/learn goes into forwarding state

bpduguard
(Global)  - goes through stp process - no blocking
(Interface) - listen state then blocks port (err-disable)

bpduguard + portfast (any variation) = jumps to forwarding from blocking - then blocks port (err-disable)


Bpdufilter (global or interface) = goes through stp process (no filtering occurs)
Bpdufilter (Global) + Portfast = jumps to forwarding from blocking (no filtering occurs)
Bpdufilter (interface mode) + Portfast - jumps to forwarding from blocking (filtering occurs)

res
Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi Paul,

Can we discuss some of your findings? I know them differently - perhaps I am in error so it's always good to share and discuss our experiences.

portfast (global or interface) = bypasses listen/learn goes into forwarding state

True. It should be noted that the spanning-tree portfast default command in the global configuration mode applies only to ports operating as access ports. It ignores ports operating as trunk ports.

bpduguard
(Global)  - goes through stp process - no blocking

To my knowledge, this is different. BPDU Guard configured globally applies only to PortFast-enabled ports, that is why the global configuration level command actually says

spanning-tree portfast bpduguard default

In this case, non-PortFast-enabled ports won't be protected by this global BPDU Guard. PortFast port will of course jump into Designated Forwarding role/state as soon as they come up (because they're PortFast-enabled), and should they ever receive a BPDU, they will get err-disabled thanks to the BPDU Guard. Ports that are not PortFast-enabled won't be affected by this global BPDU Guard because it does not apply to them.

bpduguard
(Interface) - listen state then blocks port (err-disable}

This depends on whether the port is PortFast-enabled. If it is PortFast-enabled then it jumps right into Designated Forwarding. If it is not (in that case, the BPDU Guard had to be configured directly on the interface, otherwise it wouldn't apply), then correctly, the port will start in the Listening state.

Bpdufilter (global or interface) = goes through stp process (no filtering occurs)

To my knowledge, this is different. BPDU Filter configured globally applies only to PortFast-enabled ports, that's why the command says:

spanning-tree portfast bpdufilter default

BPDU Filter configured globally causes each PortFast-enabled port to send only 11 BPDUs (over 10 Hello intervals) and then it stops sending BPDUs through that port. If the port receives a BPDU at any time (during those 11 BPDUs or afterwards), both PortFast and BPDU Filter will be deactivated on that port, and the port will start operating as a normal non-edge unfiltered port. Hence, BPDU Filter configured globally performs outbound filtering (after a while) but does not perform inbound filtering.

BPDU Filter configured on an interface operates differently and much more strictly - it prevents sending and receiving BPDUs whatsoever.

Bpdufilter (Global) + Portfast = jumps to forwarding from blocking (no filtering occurs)

True - but the port will send only 11 BPDUs and then stop sending them, so outbound filtering will actually kick in after 10 BPDU Hello periods.

Bpdufilter (interface mode) + Portfast - jumps to forwarding from blocking (filtering occurs)

True. All BPDUs, incoming and outgoing, are unconditionally filtered.

Best regards,
Peter

Hello Peter 

One important thing I forgot to mention was that my testing was based on the attachment of a rogue switch to a non-trunk interface and the port receiving unwarranted BPDUs.

res

paul


Kind Regards
Paul

Hi Paul,

my testing was based on the attachment of a rogue switch to a non-trunk interface and the port receiving unwarranted BPDUs

Well, depending on the timing, this could have skewed your experiment results.

The main problem is the PortFast setting on a port that influences whether the globally configured BPDU Guard and BPDU Filter apply to that port.

PortFast is a feature that has an administrative state, and an operational state. The administrative state simply refers to whether the PortFast is configured for a port - either on the port directly, or in the global configuration, in both cases assuming that the port is operating in access mode. This administrative state alone does not mean, however, that the port truly acts as a PortFast-enabled port. It only means that the switch will attempt to treat that port as an edge port, but if it detects another switch by receiving a BPDU, it will forget about the PortFast and will start treating the port as a non-edge port - and the true status of the PortFast on a port is the operational state.

A port configured with PortFast always comes up as a PortFast-enabled port, meaning that the operational state of the PortFast on that port is "enabled". However, when such a port receives a BPDU, the operational state of the PortFast on that port is moved to "disabled" even though the port remains configured as PortFast port - but it no longer acts as a PortFast-enabled port, rather, it is a normal, non-edge port.

What I am saying is that you might have configured a port as a PortFast port, but until you configured the BPDU Guard or BPDU Filter in the global mode, the port already received a BPDU and stopped being a PortFast-enabled port, and as a result, the globally configured BPDU Guard/Filter no longer applied to it.

It's all just a hunch, though... After you go over my explanations of the features in my previous post, would you say they match your observations?

Best regards,
Peter
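The PortFast administrative/operational distinction Peter describes above, together with the per-feature behaviour from his earlier reply, as an added Python model that is not part of this thread or of any Cisco code. The Port class, its method names and the single-port, access-mode assumption are mine; the command strings and the 11-BPDU figure come from the posts above.

```python
from dataclasses import dataclass, field

# Cisco IOS commands quoted in the thread, used here as labels for the model.
GLOBAL_PORTFAST = "spanning-tree portfast default"
GLOBAL_GUARD = "spanning-tree portfast bpduguard default"
GLOBAL_FILTER = "spanning-tree portfast bpdufilter default"
IF_PORTFAST, IF_GUARD, IF_FILTER = ("spanning-tree portfast",
    "spanning-tree bpduguard enable", "spanning-tree bpdufilter enable")
FILTER_BPDU_BUDGET = 11  # global BPDU Filter: an edge port sends 11 BPDUs, then stops

@dataclass
class Port:
    global_cfg: set  # commands in global configuration (port assumed to be access mode)
    if_cfg: set      # commands on this interface
    err_disabled: bool = False
    bpdus_sent: int = 0
    portfast_oper: bool = field(init=False, default=False)  # operational PortFast state

    def __post_init__(self):  # administrative PortFast is operational when the port comes up
        self.portfast_oper = IF_PORTFAST in self.if_cfg or GLOBAL_PORTFAST in self.global_cfg
    def guard_active(self):  # interface guard always; global guard only while PortFast is operational
        return IF_GUARD in self.if_cfg or (GLOBAL_GUARD in self.global_cfg and self.portfast_oper)
    def filter_active(self):
        return IF_FILTER in self.if_cfg or (GLOBAL_FILTER in self.global_cfg and self.portfast_oper)
    def initial_state(self):  # PortFast skips listening/learning
        return "forwarding" if self.portfast_oper else "listening"
    def hello_tick(self):
        """True if the port transmits a BPDU in this Hello interval."""
        if self.err_disabled or IF_FILTER in self.if_cfg:
            return False
        if self.filter_active() and self.bpdus_sent >= FILTER_BPDU_BUDGET:
            return False  # global filter: outbound filtering kicks in after 11 BPDUs
        self.bpdus_sent += 1
        return True
    def receive_bpdu(self):
        """Outcome when a BPDU arrives from a neighbouring (or rogue) switch."""
        if self.err_disabled:
            return "err-disabled"
        if IF_FILTER in self.if_cfg:
            return "dropped"  # interface filter: STP never sees the BPDU
        if self.guard_active():
            self.err_disabled = True  # BPDU Guard err-disables the port
            return "err-disabled"
        self.portfast_oper = False  # STP processed it: PortFast and the global filter are lost
        return "processed"

def guard_missed_by_late_config():
    """Peter's hunch: PortFast port heard a BPDU before the global guard was configured."""
    p = Port(global_cfg={GLOBAL_PORTFAST}, if_cfg=set())
    p.receive_bpdu()                # rogue switch seen: operational PortFast is lost
    p.global_cfg.add(GLOBAL_GUARD)  # operator now adds the global BPDU Guard
    return p.guard_active()         # False: the global guard does not apply to this port
```

Running the same port through each combination from Paul's test matrix reproduces his observations, and shows why a port that lost operational PortFast before the global command was entered ends up unprotected.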

Hello Peter

Apologies for the late reply - Work commitments and all!

Here is the complete itinerary of the testing that I recorded - what I posted previously was a summary and may have been misleading;

I think it supports what you have stated.

Tested in PVST mode:


portfast-
#########
global or interface - bypasses listen/learn goes into forwarding state

Bpduguard-
###########
spanning-tree portfast bpduguard (Global)  - goes through stp process - no blocking
spanning-tree bpduguard enable (Interface) - listen state then blocks port (err-disable)


spanning-tree portfast default
spanning-tree portfast bpduguard default - jumps to forwarding from blocking - then blocks port (err-disable)

spanning-tree portfast default
spanning-tree bpduguard enable (interface mode) - jumps to forwarding from blocking - then blocks port (err-disable)


spanning-tree portfast bpduguard default
spanning-tree portfast (interface mode) - jumps to forwarding from blocking - then blocks port (err-disable)


spanning-tree portfast (interface mode)
spanning-tree bpduguard enable (interface mode) - jumps to forwarding from blocking - then blocks port (err-disable)


Bpdufilter
##########

spanning-tree portfast bpdufilter default (Global) - listening/learning/forwarding (rogue switch becomes root, no filtering occurs)


spanning-tree bpdufilter enable (interface mode) - listening/learning/forwarding (rogue switch becomes root, no filtering occurs)


spanning-tree portfast default
spanning-tree portfast bpdufilter default - jumps to forwarding from blocking (rogue switch becomes root, no filtering occurs)


spanning-tree portfast bpdufilter default
spanning-tree portfast (interface mode) - jumps to forwarding from blocking (rogue switch becomes root, no filtering occurs)

spanning-tree portfast default
spanning-tree bpdufilter enable (interface mode) - jumps to forwarding from blocking (keeps root status - so it looks like BPDUs are filtered)


spanning-tree portfast (interface mode)
spanning-tree bpdufilter enable (interface mode) - jumps to forwarding from blocking (keeps root status - so it looks like BPDUs are filtered)

Tested in RSTP mode:

Portfast-
Default 802.1w standard (global) - transmits 2x proposals, goes into Fwd state
per interface - initializes port, goes straight to fwd state

Bpduguard-
Portfast - Default 802.1w standard (global)
spanning-tree portfast bpduguard default (Global) - transmits 2x proposals, goes into Fwd state - no blocking

Portfast - Default 802.1w standard (global)
spanning-tree bpduguard enable (Interface) - transmits 2x proposals, then blocks port (err-disable)


spanning-tree portfast (interface)
spanning-tree portfast bpduguard default (Global) - initializes port, then blocks port (err-disable)

Bpdufilter
Portfast - Default 802.1w standard (global)
spanning-tree portfast bpdufilter default (Global) - transmits 2x proposals, goes into Fwd state - no blocking (rogue switch becomes root, no filtering occurs)


Portfast - Default 802.1w standard (global)
spanning-tree bpdufilter enable (interface mode) - initializes port, goes straight to fwd state (so it looks like BPDUs are filtered)


spanning-tree portfast (interface)
spanning-tree portfast bpdufilter enable - initializes port, goes straight to fwd state (so it looks like BPDUs are filtered)

res

Paul


Kind Regards
Paul