Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3922
Views
10
Helpful
5
Replies

BPDU Guard and Filter with Cisco IP Phones

Phil Bradley
Level 4
Level 4

‎04-25-2018 04:56 AM - edited ‎03-08-2019 02:47 PM

I have a question regarding implementing bpdu guard/filter on access ports in my network that also have Cisco IP phones attached and the phones have desktop PC's plugged into them. Does a Cisco IP phone participate in STP and send/receive bpdu's? I would like to implement BPDU guard or filter on the access ports going to the client phones/pc's. If I implement BPDU filter at the global level then this only applies to ports that are in the portfast state and if it receives a BPDU on this port then it takes it out of portfast, correct? I assume if I plugged a switch into an access port with BPDU filter at the global level then it would kick it out of portfast and then process/participate in STP? Thanks!

Labels:
0 Helpful
5 Replies 5

rasmus.elmholt
Level 7
Level 7

‎04-25-2018 06:05 AM

Hi Phil

If BPDU Filter is configured on the global level using the spanning-tree portfast bpdufilter
default global configuration command, the BPDU Filter applies only to PortFast-enabled ports. When these ports come up, they will send up to 11 BPDUs and then stop sending further BPDUs. If the BPDU Filter-configured interface receives a BPDU at any time, the BPDU Filter and PortFast will be deactivated on that port and it will become a normal spanning tree interface. As a result, a globally configured BPDU Filter does not prevent ports from receiving and processing BPDUs; it only attempts to stop sending BPDUs on ports where most probably, there is no device attached that would be interested in processing them.
0 Helpful

Phil Bradley
Level 4
Level 4
In response to rasmus.elmholt

‎04-25-2018 05:32 PM

Thanks for the info. I am going to enable filter at the global level and then enable guard at the interface level so that I get alerted if a switch is plugged in. I was just concerned that if a cisco phone was plugged in on a guard interface that it would shut the port down. Even though the phone is technically a switch, I assume it doesn't participate in spanning tree. After all with only two ports it would be impossible to create a loop unless you plugged another switch into the desktop port?

0 Helpful

rasmus.elmholt
Level 7
Level 7
In response to Phil Bradley

‎04-26-2018 07:01 AM

I don't recall the phones sending out BPDUs.

Would normally enable BPDUGuard on all access ports with phones and without.

 

Don't forget to rate replies as helpful.

0 Helpful

nixpengu1n
Level 1
Level 1

‎04-26-2018 08:06 AM

Hello,

 

Cisco IP Phones have built-in switch but it acts not like a normal switch - it determines requirements for voice vlan through CDP and builds a trunk without any BPDUs. So you can issue this config on access port of your switch:

 

spanning-tree portfast

spanning-tree bpduguard enable

switchport voice vlan X

switchport access vlan Y

auto qos voip cisco-phone

 

But do not forget to enable CDP on this interface or globally.

jonwhite5
Level 1
Level 1
In response to nixpengu1n

‎08-09-2023 09:05 AM

What if a cisco IP Phone is physically connected with both its ports (switch and PC) "daisy chained" to the same switch?
Had a person connect both PC and switch ports on cisco IP Phone to the two wall ports, creating a loop.
 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card