BPDUFILTER implementation

John Katsoulas · ‎11-09-2014

Hello everybody,

I would appreciate your comments to the following scenario:

Intending to reduce unnecessary traffic in an access layer redundant topology I would consider implementing the following:

Enable portfast globally on a access layer switch
Enable bpdufilter globally on the same switch
Enable bpduguard on all individual non-uplink access configured ports
Disable portfast on any port configured as a trunk and intended to be used as a trunk.

Even with bpdufilter active, every port, according to Cisco, transmits 2-3 BPDU before it stops as a result of bpdufilter implementation.

Conclusion

There would be absolutely no risk of loops forming in a topology consisting of 3 switches A, B, C where:

It is desirable that A, B, C are connected with each other in a triangle topology.
Switch A is configured with global bpdufilter according to the above
Switch B is empty (default configuration) and an attempt is made to connect it with A via an access configured port on A. STP is then activated and moves port of A to err-disable mode.
Switch C is configured (no bpdufilter, bpduguard or portfast anywhere) and a connection to A is performed between the trunk configured ports of both C and A

Leo Laohoo · ‎11-09-2014

Enable portfast globally on a access layer switch

I don't understand why you want to "re-invent the wheel". You really want to follow the KISS principle.

On paper, putting only the portfast globally is "nice". In reality it will cause issues. Why? If I want to look at the configuration of a port, will the portfast configuration show up? No it won't.

My recommendation is to enable portfast on a per-port basis.

Enable bpdufilter globally on the same switch

Enabling BPDU Filter is not really something "popular" among network admin. Enabling BPDU Filter filters out BPDU from both direction, effectively disabling STP ... and this means that you've just significantly increased the chance of having a loop in your network.

John Katsoulas · ‎11-11-2014

Thanks for commenting,

I agree with your kiss principle but bpdufiltering with simultaneous protection from loops requires global application of portfast. In any Event, These commands are all under the Group of spanning tree commands.

I know bpdufilter is not sth popular. But enabling it globally, and NOT PER PORT will help guard against loops. Attached document refers. Can there be sth wrong with the config guide from Cisco?

Lab tests have shown that with bpdufilter globally on the port will be err-disabled if a Switch is connected to it. Regardless whether the "incoming" has bpdufilter on or not.

Leo Laohoo · ‎11-11-2014

I know bpdufilter is not sth popular. But enabling it globally, and NOT PER PORT will help guard against loops. Attached document refers. Can there be sth wrong with the config guide from Cisco?

Yes and no.

On paper and in a sandbox/lab environment, the answer is yes.

In reality, no. BPDU Filter is as destructive as enabling STP on all your ports and disabling BPDU Guard. You will, one day, get a loop and you'll have a fun time finding where the source is originating from.