BPDU filtering and portfast enable

nnn_sss22 (Level 1)

Hello,

When I put in this command

Sw1# show spanning-tree interface fa0/1 portfast

the result shows

VLAN0001                           Disable

What is meant by Disable? If it shows Enable, then what is the meaning? Thanks

8 Replies

Predrag Jovic (Level 3)

Means that portfast is not enabled on interface fa0/1.

interface fa0/1
  spanning-tree portfast

needs to be issued if you want to enable portfast on that interface.

Enable would mean that the interface is skipping the listening (15 sec) and learning (15 sec) STP states, so the port will be moved directly to the forwarding state.

It's good practice to run BPDU guard with portfast globally per switch.

The guard will only function when portfast is enabled, as a form of protection with it. When applied globally, portfast will by default only apply itself to edge ports that are already set as access, so as not to affect the trunks.

spanning-tree portfast bpduguard default

For example, if I set BPDU filter on fa0/1, then when this port detects a BPDU will it go to the Disable state?

No, because bpdufilter turns off STP. It's dangerous and should only be used when connecting to non-Cisco vendor switches that don't support STP. Be very careful using the filter command.

What you need there is bpduguard; then if a BPDU is seen it will disable the port.

It means that through enabling the bpdufilter command a loop can be created, right? That's why this is a dangerous command.

Yes, exactly. If you turn it off on a port and someone makes a mistake by looping that port back through a patch panel to a switch instead of an end device, traffic at layer 2 will start to go around and around through these interfaces and the CPU keeps getting higher and higher; eventually most switches crash after a while or the network becomes just unusable, unless maybe some form of storm control is in place to mitigate it. The filter command, in my opinion, is a last-resort command for connecting to switches that don't understand BPDU traffic, but you want to make sure it's single-homed and not dual-linked.

Hello Mark

> It's good practice to run BPDU guard with portfast globally per switch.

That's interesting, I tend to say interface mode would be more beneficial than global.

If BPDUs are then received, this feature will still initiate even without PF, as it isn't reliant on it being applied.

res
Paul


Hey Paul

I suppose one of the reasons we enable it globally on our access switches is that we had multiple discussions on it with TAC and our account managers, and they at the time said it was best to run it globally. I'm still on the fence about it, but I think it should be enabled on every access switch, whether global or interface, as it does help. But I've read so many different opinions on it, and even at the time two TAC teams gave us different answers too :) but that's what we decided on in the end and it has worked well for us.

> If BPDUs are then received, this feature will still initiate even without PF, as it isn't reliant on it being applied.

My understanding was the guard only came into effect when PF was in place, but I've re-read the doc this morning and that's not correct. As you said, it works even without PF, which to me is good too, as you would still want some form of protection in place, as PF just speeds up convergence.
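The two points the thread settles on, that bpdufilter switches STP off on a port so a mis-patched loop goes undetected, and that BPDU guard protects an edge port whether it comes from the global `spanning-tree portfast bpduguard default` (which only covers ports that have portfast) or from `spanning-tree bpduguard enable` on the interface, can be turned into a simple running-config check. The script below is an added example written for this thread; it is not code from the forum posters or from Cisco. The sample config, its interface names, and the `audit` / `parse_config` / `effective_bpduguard` helpers are all constructed for the example. The finding text about a portfast port dropping back to normal STP when it receives a BPDU reflects standard IOS behaviour.

```python
"""Audit a Cisco IOS-style running-config for the two edge-port STP risks
discussed in the thread: bpdufilter on a port (STP switched off there, so a
loop through it is never detected) and portfast edge ports without BPDU guard.

Hypothetical audit script written for this thread, not Cisco's or the
posters' code. It assumes the IOS conventions shown in the thread:
'spanning-tree portfast bpduguard default' globally (guards only portfast
ports), and 'spanning-tree bpduguard enable' / 'spanning-tree bpdufilter
enable' per interface.
"""
from dataclasses import dataclass, field

# Constructed sample running-config (not from the thread). Fa0/1 is a guarded
# edge port, Fa0/2 carries the filter the thread warns about, Fa0/3 is guarded
# per interface without portfast, Gi0/1 is an uplink trunk.
SAMPLE_CONFIG = """\
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
!
interface FastEthernet0/1
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/2
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface FastEthernet0/3
 switchport mode access
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/1
 switchport mode trunk
!
"""

FILTER_MSG = ("bpdufilter enable: port neither sends nor processes BPDUs, "
              "so STP cannot detect a loop through it")
UNGUARDED_MSG = ("portfast without BPDU guard: a BPDU from a mis-patched switch "
                 "only drops the port back to normal STP instead of err-disabling it")


@dataclass
class Port:
    name: str
    mode: str = "access"
    portfast: bool = False
    bpduguard_if: bool = False   # 'spanning-tree bpduguard enable' on the interface
    bpdufilter_if: bool = False  # 'spanning-tree bpdufilter enable' on the interface


@dataclass
class Config:
    bpduguard_default: bool = False   # global 'spanning-tree portfast bpduguard default'
    ports: dict = field(default_factory=dict)


def parse_config(text: str) -> Config:
    """Minimal parser: top-level lines are global commands or 'interface X';
    lines indented by one space belong to the current interface."""
    cfg = Config()
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):          # interface sub-command
            if current is None:
                continue
            cmd = raw.strip()
            if cmd == "switchport mode trunk":
                current.mode = "trunk"
            elif cmd == "switchport mode access":
                current.mode = "access"
            elif cmd == "spanning-tree portfast":
                current.portfast = True
            elif cmd == "spanning-tree bpduguard enable":
                current.bpduguard_if = True
            elif cmd == "spanning-tree bpdufilter enable":
                current.bpdufilter_if = True
            continue
        current = None                   # any top-level line ends the interface block
        if raw.startswith("interface "):
            current = Port(name=raw.split(None, 1)[1])
            cfg.ports[current.name] = current
        elif raw.strip() == "spanning-tree portfast bpduguard default":
            cfg.bpduguard_default = True
    return cfg


def effective_bpduguard(cfg: Config, port: Port) -> bool:
    """Interface-level guard always applies; the global default guards only
    ports that are in portfast (the point Paul and Mark settle on above)."""
    return port.bpduguard_if or (cfg.bpduguard_default and port.portfast)


def audit(text: str) -> dict:
    """Return {interface name: [finding, ...]} for every interface in the config."""
    cfg = parse_config(text)
    findings = {}
    for port in cfg.ports.values():
        issues = []
        if port.bpdufilter_if:
            issues.append(FILTER_MSG)
        if port.portfast and not effective_bpduguard(cfg, port):
            issues.append(UNGUARDED_MSG)
        findings[port.name] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit(SAMPLE_CONFIG).items():
        print(name, "OK" if not issues else "")
        for issue in issues:
            print("   -", issue)
```

Run as-is it reports only FastEthernet0/2 (the filtered port). Remove the global `spanning-tree portfast bpduguard default` line from the sample and FastEthernet0/1 becomes a finding too, while FastEthernet0/3 stays clean because its guard is set on the interface and does not depend on portfast.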
