11-09-2014 02:48 AM - edited 03-07-2019 09:25 PM
Hello everybody,
I would appreciate your comments to the following scenario:
Intending to reduce unnecessary traffic in an access layer redundant topology, I would consider implementing the following:
Even with bpdufilter active, every port, according to Cisco, transmits 2-3 BPDUs before it stops as a result of bpdufilter implementation.
Conclusion
There would be absolutely no risk of loops forming in a topology consisting of 3 switches A, B, C where:
11-09-2014 06:58 PM
Enable portfast globally on an access layer switch
I don't understand why you want to "re-invent the wheel". You really want to follow the KISS principle.
On paper, putting only the portfast globally is "nice". In reality it will cause issues. Why? If I want to look at the configuration of a port, will the portfast configuration show up? No, it won't.
My recommendation is to enable portfast on a per-port basis.
Enable bpdufilter globally on the same switch
Enabling BPDU Filter is not really something "popular" among network admins. Enabling BPDU Filter filters out BPDUs from both directions, effectively disabling STP ... and this means that you've just significantly increased the chance of having a loop in your network.
11-11-2014 05:48 AM
Thanks for commenting,
I agree with your KISS principle, but bpdufiltering with simultaneous protection from loops requires global application of portfast. In any event, these commands are all under the group of spanning tree commands.
I know bpdufilter is not something popular. But enabling it globally, and NOT PER PORT, will help guard against loops. Attached document refers. Can there be something wrong with the config guide from Cisco?
Lab tests have shown that with bpdufilter globally on, the port will be err-disabled if a switch is connected to it. Regardless of whether the "incoming" has bpdufilter on or not.
11-11-2014 01:33 PM
I know bpdufilter is not something popular. But enabling it globally, and NOT PER PORT, will help guard against loops. Attached document refers. Can there be something wrong with the config guide from Cisco?
Yes and no.
On paper and in a sandbox/lab environment, the answer is yes.
In reality, no. BPDU Filter is as destructive as enabling STP on all your ports and disabling BPDU Guard. You will, one day, get a loop and you'll have a fun time finding where the source is originating from.
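The following is an added example, not written by any poster in this thread: a Python audit that resolves each interface's effective PortFast and BPDU Filter state from a running-config, so that settings inherited from the global defaults become visible per port. The sample config is constructed, and treating only ports with an explicit `switchport mode access` line as inheriting the global PortFast default is a simplifying assumption.

```python
import re

# Constructed sample running-config for illustration (not taken from the thread).
SAMPLE = """\
spanning-tree portfast default
spanning-tree portfast bpdufilter default
interface GigabitEthernet0/1
 switchport mode access
interface GigabitEthernet0/2
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
interface GigabitEthernet0/3
 switchport mode access
 spanning-tree bpdufilter enable
interface GigabitEthernet0/24
 switchport mode trunk
"""
GLOBAL_RE = re.compile(r"spanning-tree portfast (?:edge )?(bpdufilter |bpduguard )?default")

def audit(config):
    """Map each interface to findings about its effective edge-port STP settings."""
    glob, ports, current = set(), {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = ports.setdefault(raw.split(None, 1)[1].strip(), [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())  # sub-command of the current interface
        else:
            current = None  # back at global configuration level
            if m := GLOBAL_RE.fullmatch(raw.strip()):
                glob.add((m.group(1) or "portfast").strip())
    report = {}
    for name, lines in ports.items():
        explicit = any(re.fullmatch(r"spanning-tree portfast(?: edge)?", l) for l in lines)
        inherited = ("portfast" in glob and "switchport mode access" in lines
                     and not explicit and "spanning-tree portfast disable" not in lines)
        found = []
        if inherited:
            found.append("portfast inherited from global default")
        if "spanning-tree bpdufilter enable" in lines:
            found.append("per-port bpdufilter")
        elif (explicit or inherited) and "bpdufilter" in glob:
            found.append("bpdufilter inherited from global default")
        guarded = "spanning-tree bpduguard enable" in lines or "bpduguard" in glob
        if (explicit or inherited) and not guarded:
            found.append("portfast without bpduguard")
        report[name] = found
    return report
```

Calling `audit(SAMPLE)` returns a dictionary keyed by interface name; an empty list means none of the edge-port settings apply to that port.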