BPDU Filter on Trunk port to Customer Network

fgasimzade
Level 4

Hello Everyone,

I read lots of material to refresh my knowledge of STP protection mechanisms, and I still need your advice on the following:

There is a customer network connected to ours using a trunk port. What is the best way to protect my network against loops and unwanted BPDUs from customer switches? I don't know if they run STP on their network.

I assume the following configuration; please review it and express your opinion:

interface FastEthernet1/0/6
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,15,55,74,164,202,204,234,252,420,706,836
 switchport mode trunk
 no keepalive
 storm-control broadcast level 30.00
 spanning-tree bpdufilter enable
 spanning-tree guard root

Not sure about BPDU filter. I know it is not supposed to be on a trunk port, but I don't wish to receive BPDUs from the customer switches. Also, I am not sure if BPDU Filter will override Root Guard and effectively disable it.

Thank you 


8 Replies

spanning-tree bpdufilter enable <<- makes the port not send BPDUs; this can cause a loop if you connect a switch to this port.
BPDU filter is the same as disabling STP on the port.
Check the link below:

https://medium.com/ken-m-lai/bpdu-filter-vs-bpdu-guard-a112f967798b


I am aware of that, but what if that customer is using a different mode of STP and I don't wish to receive BPDUs from it? Is it still dangerous?

balaji.bandi
Hall of Fame

You need to ask a couple of questions before connecting: what is the equipment on the other side, is it Cisco or another vendor?

If this is third party, I would not suggest allowing VLAN 1 on the trunk, for many reasons.

Make sure that for all the VLANs you are allowing, you will be the STP root for that VLAN by setting the priority (if you are enabling root guard, see below).

regarding :

spanning-tree bpdufilter enable

  • Global: if you enable BPDUfilter globally then any interface with portfast enabled will not send or receive any BPDUs. When you receive a BPDU on a portfast enabled interface then it will lose its portfast status, disables BPDU filtering and acts as a normal interface.
  • Interface: if you enable BPDUfilter on the interface it will ignore incoming BPDUs and it will not send any BPDUs. This is the equivalent of disabling spanning-tree.

Some use cases are explained here:

https://community.cisco.com/t5/networking-knowledge-base/importance-of-bpdu-guard-and-bpdu-filter/ta-p/3120465

https://community.cisco.com/t5/blogs-routing-y-switching/caracter%C3%ADsticas-avanzadas-de-spanningtree-portfast-bpdu-guard-y/ba-p/3104851


spanning-tree guard root

The configuration of root guard is on a per-port basis. Root guard does not allow the port to become an STP root port, so the port is always STP-designated. If a better BPDU arrives on this port, root guard does not take the BPDU into account and elect a new STP root. Instead, root guard puts the port into the root-inconsistent STP state. You must enable root guard on all ports where the root bridge must not appear. In a way, you can configure a perimeter around the part of the network where the STP root is able to be located.

BB

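As an added example (not from the thread, and in Python rather than IOS), here is a parser for 802.1D configuration BPDUs together with the comparison root guard performs on the advertised root ID; the bridge IDs and frames are constructed placeholders, not values from any real network.

```python
import struct
from typing import NamedTuple

class BridgeId(NamedTuple):
    priority: int  # 16-bit field (4-bit priority + 12-bit extended system ID)
    mac: bytes     # 6-byte bridge MAC; lower (priority, mac) wins the root election

def parse_bridge_id(raw: bytes) -> BridgeId:
    prio, mac = struct.unpack("!H6s", raw)
    return BridgeId(prio, mac)

def parse_config_bpdu(frame: bytes) -> dict:
    """Parse an 802.1D configuration BPDU starting at its 802.2 LLC header."""
    if frame[:3] != b"\x42\x42\x03":  # DSAP/SSAP 0x42, control 0x03
        raise ValueError("not an STP LLC frame")
    body = frame[3:]
    proto, version, bpdu_type = struct.unpack("!HBB", body[:4])
    if proto != 0 or bpdu_type != 0x00:
        raise ValueError("not a configuration BPDU")
    root_cost, = struct.unpack("!I", body[13:17])
    port_id, msg_age, max_age, hello, fwd_delay = struct.unpack("!5H", body[25:35])
    return {"version": version, "flags": body[4], "root_id": parse_bridge_id(body[5:13]),
            "root_cost": root_cost, "bridge_id": parse_bridge_id(body[17:25]),
            "port_id": port_id, "max_age_s": max_age / 256, "hello_s": hello / 256}

def root_guard_verdict(bpdu: dict, current_root: BridgeId) -> str:
    """Root guard keeps the port designated: a BPDU advertising a better
    (lower) root ID than the current root is not used for the election;
    the port goes root-inconsistent until those BPDUs stop arriving."""
    return "root-inconsistent" if bpdu["root_id"] < current_root else "forwarding"

def build_config_bpdu(root: BridgeId, bridge: BridgeId, cost: int = 0) -> bytes:
    """Construct a config BPDU with default timers (sample input only)."""
    return (b"\x42\x42\x03" + struct.pack("!HBB", 0, 0, 0) + b"\x00"
            + struct.pack("!H6s", *root) + struct.pack("!I", cost)
            + struct.pack("!H6s", *bridge)
            + struct.pack("!5H", 0x8001, 0, 20 * 256, 2 * 256, 15 * 256))

# Placeholder bridge IDs (constructed): our root at priority 4096, a customer
# switch claiming priority 0, and another customer switch at default 32768.
OUR_ROOT = BridgeId(4096, bytes.fromhex("001122334455"))
CUSTOMER_SUPERIOR = BridgeId(0, bytes.fromhex("aabbccddeeff"))
CUSTOMER_DEFAULT = BridgeId(32768, bytes.fromhex("aabbccddee00"))

if __name__ == "__main__":
    for who, bid in (("superior root claim", CUSTOMER_SUPERIOR), ("default priority", CUSTOMER_DEFAULT)):
        frame = build_config_bpdu(bid, bid)
        print(who, "->", root_guard_verdict(parse_config_bpdu(frame), OUR_ROOT))
```

With BPDU filter enabled on the same port, no frame would reach this comparison at all, which is why the two features do not combine: root guard only acts on BPDUs the port actually processes.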

Different customers use different switches, but just two vendors: HP and Cisco. I agree regarding VLAN 1; I will remove it from the trunk.

When it comes to Root Guard, its role is quite obvious, so I will use it on the perimeter of my network to protect our Root.

BPDU Filter is still not clear enough for me. I understand how it works, but I still cannot figure out whether it is dangerous to use it towards a customer network if I do not wish to receive BPDUs from them, and whether, if it is enabled alongside Root Guard, it would just override it.

Hello,


First here is the difference:

BPDU Guard

BPDU Guard is designed to protect your switching network. Remember that a PortFast port is designed to be connected to a device where BPDUs aren't expected. This could be an end user device, server or access point. When an unexpected BPDU is detected (an end user wants to plug in a switch in his cubicle) the port will shut down and enter an err-disable state.


BPDU Filter

BPDU filter is a feature used to filter sending or receiving BPDUs on a switchport. It is extremely useful on those ports which are configured as PortFast ports, as there is no need to send or receive any BPDU messages on these ports. BPDU filter can be configured globally or at the interface level.


Secondly, you need to have a conversation with your customer about what devices they use and connect to you. You can't effectively run a network with half the information. BPDUs are what help create the spanning tree structure and carry the VLAN information. They allow paths and put ports in certain states to configure the spanning tree topology. Without them, you WILL create a loop. Spanning tree works automatically and all versions are pretty much compatible with each other.

Find out what the customer is using and do some more research about how their equipment uses STP and implement changes needed.

Hope that helps


-David

Hello David,

I talked to the customers: one of them is not running STP at all, another is running PVST with their own root.

What would be the best configuration for the uplinks in this case?

If one customer is not running STP then BPDU filter won't really do anything, as it's designed to filter BPDUs, which are a direct result of running STP. If they aren't running STP you won't receive BPDUs.

Secondly, with the other customer running PVST you need to coordinate whether they will retain the root bridge or you will take over. You cannot filter BPDUs on that link or you will create weird traffic flow and possibly loop some things, since you will be running different spanning trees. By that I mean the actual path trees the spanning tree algorithm makes, not versions of STP.


-David

mlund
Level 7

Hi

In my opinion, for this situation, with different customers, you have no other choice than using BPDU filter. Of course, you cannot have redundant links; you have to use a single port connection to each customer. If you want to have more than one port, it must be an EtherChannel, so it looks like one port.

You may have in mind that if you move your customer connections to L3, you get rid of the spanning-tree problem.

/Mikael
