BPDU Filter

I am trying to figure out when the appropriate scenario to use BPDU filter is. Does anyone have real-world experience using this? I can see this being used between demarc points so that STP is not sending BPDUs into a customer's environment, but are there any use cases beyond this? Here is what I understand regarding its use on a 3750 switch:

If BPDU filter is configured at the global level and a BPDU is received on a port, then the port will go out of PortFast and the filter will be disabled. Does this happen globally or only on that particular port?

If BPDU filter is enabled on a per-port basis, then you have disabled STP for the port, period.

I can see where the filter will cut down on BPDU traffic to an end user's computer, but is this really worth the effort? It is recommended not to use filter and guard together, since filter will trump guard.

Input appreciated!

Hall of Fame Cisco Employee

Hi Phil,

You have mentioned great points and your analysis is correct.

You would want to enable the BPDU Filter on a per-port basis if you wanted to keep your STP region separate from the region that is connected through this port, allowing both STP regions to keep their topologies entirely separate. However, it would then be up to you to make sure that there is never an additional link connected between these two regions, otherwise a switching loop would be inevitable.

The BPDU Filter configured on a global level is just a (questionable) optimization that allows edge ports that are by definition not supposed to be connected to other switching devices to stop sending BPDUs after a period of time (10x Hello interval).

If BPDU filter is configured at the global level and a BPDU is received on a port, then the port will go out of PortFast and the filter will be disabled. Does this happen globally or only on that particular port?

It is just for the particular port.

It is recommended not to use filter and guard together, since filter will trump guard.

If BPDU Filter is activated on a port level, yes, BPDU Filter will block all BPDUs, so BPDU Guard will never get to hear those BPDUs. If the BPDU Filter is activated on a global level, the BPDU Guard will kick into action as if BPDU Filter was not configured.

Best regards,
Peter

"I can see where the filter will cut down on BPDU traffic to an end user's computer, but is this really worth the effort?"

As Peter explains, filtering BPDUs isn't without risk, and it's also probably something you wouldn't have routine need for.

As a "real world" example of using it: I have had occasion to try some config changes on a 3750G at my desk. I also wanted to connect to our production network so I could pull an IOS image.

However, my experimental 3750G had a production-like config on it, so STP was active, and the port I wanted to connect to was on a production switch which has BPDU Guard enabled. So, if I connected my test switch, the prod switch would error-disable its port.

One method I used to avoid that was to enable BPDU filter on my switch's "uplink" interface, so the prod switch didn't error-disable its port. (Another way to avoid this was to change my port to a routed port, but then I couldn't have my other switch ports extend the prod switch's VLAN.)
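The two per-port BPDU Filter scenarios raised in this thread, Peter's "keep two STP regions separate over one link" case and the test-switch uplink in the reply above, use the same interface command and carry the same caveat. The following Catalyst 3750 IOS configuration is an added example written for this page; it is not configuration posted by anyone in the thread. The hostnames PROD-SW and TEST-SW, the interface numbers, VLAN 10 and the 10.10.10.0/24 address are assumed for illustration.

```cisco
! --- PROD-SW: production access switch (constructed example) ---
! The prod switch in the story has PortFast and BPDU Guard on globally,
! so any BPDU received on an access port err-disables that port.
spanning-tree portfast default
spanning-tree portfast bpduguard default
!
! The access port the test switch gets plugged into.
interface GigabitEthernet1/0/5
 switchport mode access
 switchport access vlan 10
!
! --- TEST-SW: the 3750G on the desk, carrying a production-like config ---
! Option 1 (what the reply above did): per-port BPDU Filter on the uplink.
! The port neither sends nor processes BPDUs, so PROD-SW Gi1/0/5 never
! hears one and BPDU Guard never fires. STP is effectively off on this
! link; this is exactly the region-separation case Peter describes, and
! it carries his caveat: if a second link is ever added between the two
! switches, nothing blocks the resulting loop.
interface GigabitEthernet1/0/24
 description uplink to PROD-SW Gi1/0/5 (BPDUs filtered, STP off here)
 switchport mode access
 switchport access vlan 10
 spanning-tree bpdufilter enable
!
! Option 2 (the alternative mentioned above): make the uplink a routed
! port. No BPDUs are sent because the port is no longer a switchport,
! but the other TEST-SW ports can no longer extend VLAN 10 from PROD-SW.
! interface GigabitEthernet1/0/24
!  no switchport
!  ip address 10.10.10.2 255.255.255.0
!
! --- Verification (exec mode) ---
! On TEST-SW: the detail output for the uplink reports whether the
! per-port filter is enabled.
! show spanning-tree interface GigabitEthernet1/0/24 detail
!
! On PROD-SW: the port should stay up, not appear in the err-disabled
! list, and still be an operational PortFast port.
! show interfaces status err-disabled
! show spanning-tree interface GigabitEthernet1/0/5 portfast
```

Note the asymmetry this relies on: the filter is applied on the test switch, so the production switch keeps its BPDU Guard protection for every other device that might be plugged into Gi1/0/5 later. Putting the filter on the production side instead would permanently blind that port to any rogue switch.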


Thanks for the input, everyone. So it sounds like it is wise and recommended to apply BPDU Guard globally and only use the filter in rare cases such as testing.


Hi Peter,

Why are you saying it's questionable?

Apparently it's a nice feature that allows you to enable PortFast globally and at the same time be quite safe about users causing loops.

Am I being too optimistic?

Regards,

Max.

Hall of Fame Cisco Employee

Hi Max,

Apparently it's a nice feature that allows you to enable portfast globally and at the same time be quite safe about users causing loops.

Surprisingly to many, neither BPDU Guard nor BPDU Filter allows you to be "quite safe about users causing loops". With PortFast, access ports are opportunistically put into Forwarding state as soon as they come up. If a user connects two such ports together, a loop is created implicitly.

Having BPDU Guard activated will help only if the ensuing looping is not so intensive that it overloads the ports or CPUs. If the looping traffic is so intensive that the BPDUs are dropped, or the CPU is too overloaded to be able to process them, BPDU Guard will not help.

Having BPDU Filter activated on a global level provides no additional protection at the moment of interconnecting two edge ports (the BPDUs are still being sent and received), and can actually worsen the situation after it decides to stop sending BPDUs. If there is a switch connected to a PortFast port that gets initially "hushed" by the outgoing BPDUs, it will eventually get unblocked after BPDU Filter stops sending the BPDUs. That is why I have called the global BPDU Filter activation a questionable optimization.

In any case, BPDU Filter does not increase the safety of deploying PortFast ports. At best, it does not influence it at all, and in worse cases it actually reduces your safety against switching loops.

Best regards,
Peter
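The edge-port configuration the thread converges on (PortFast and BPDU Guard enabled globally, the global BPDU Filter deliberately left off), shown beside the global filter line Peter calls questionable, as an added Catalyst 3750 IOS example written for this page rather than configuration posted in the thread. The interface number and the 300-second recovery interval are assumed for illustration.

```cisco
! --- Access switch: global edge-port settings (constructed example) ---
! Every non-trunking port comes up forwarding immediately...
spanning-tree portfast default
!
! ...and any PortFast port that receives a BPDU is err-disabled. This keeps
! a rogue switch out of the topology. As Peter notes, it does NOT stop a
! user patching two edge ports together: that loop involves no BPDU and
! both ports are already forwarding when the flood starts.
spanning-tree portfast bpduguard default
!
! Deliberately NOT configured: the global filter. It would make every
! operational PortFast port stop sending BPDUs shortly after link-up, so a
! switch that was initially held in Blocking by those BPDUs later
! unblocks and can form a loop. Received BPDUs are still processed with
! the global filter, so it also buys nothing against BPDU Guard.
! spanning-tree portfast bpdufilter default
!
! Let a guard-tripped port come back by itself once the rogue switch is
! unplugged, instead of staying err-disabled until someone intervenes.
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! Uplinks must never be edge ports. A trunk is not covered by the global
! PortFast default, but the explicit override guards against the port
! being flipped back to access mode later.
interface GigabitEthernet1/0/48
 description uplink to distribution
 switchport mode trunk
 spanning-tree portfast disable
!
! --- Verification (exec mode) ---
! The summary lists the global PortFast, BPDU Guard and BPDU Filter
! defaults; BPDU Filter should read as disabled.
! show spanning-tree summary
! Confirms bpduguard is a recovery cause and shows the interval.
! show errdisable recovery
```

The contrast with the per-port command is the point: `spanning-tree portfast bpduguard default` only fires on ports that are operationally PortFast, whereas a per-interface `spanning-tree bpdufilter enable` silently disables STP on that port regardless of PortFast and would stop Guard from ever seeing a BPDU there, which is why the thread reserves it for isolated, deliberate cases.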
