Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
201
Views
0
Helpful
12
Replies

Configuration spanning-tree on root

Go to solution
mulbreizh
Level 1
Level 1

‎08-30-2024 02:21 AM

Hello and sorry for my english , 

My core switch is also root of spanning-tree, i use Rapid-pvst.  On this switch, in global configuration i can see :

spanning-tree portfast bpduguard default
spanning-tree portfast bpdufilter default

This commands are necessary ? not ?

thanks a lot

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
paul driver
VIP
VIP
In response to mulbreizh

‎08-30-2024 05:11 AM

Hello
You can leave it however as stated , I would say its not preferable to do so, especially bpdu-filter.
disabling it globally and applying it at an interface level is more deterministic and you have better control as when those features will initiate.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

View solution in original post

0 Helpful
12 Replies 12

Go to solution
MHM Cisco World
VIP
VIP

‎08-30-2024 02:37 AM - edited ‎08-30-2024 05:17 AM

MHM

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to MHM Cisco World

‎08-30-2024 04:19 AM - edited ‎08-30-2024 04:19 AM

Two solution for portfast+bpduguard+bpdufilter

Solution1 

Global 

spanning-tree portfast bpduguard default
spanning-tree portfast bpdufilter default

Interface

Spanning-tree portfast 

 

Solution2

Interface 

Spanning-tree portfast 

Spanning-tree bpduguard enable 

Spanning-tree bpdufilter enable 

 

You use first solution for simplicity, and it work but be aware which port you config as portfast that all

MHM

0 Helpful

Go to solution
Joseph W. Doherty
Hall of Fame
Hall of Fame

‎08-30-2024 02:46 AM

"This commands are necessary ?"

No.

But are they a good practice to use?

Usually, yes.

0 Helpful

Go to solution
paul driver
VIP
VIP

‎08-30-2024 04:04 AM

Hello
Id would recommend to remove bpdufilter globally especially 

Both of those commands enabled globally work in conjunction with port-fast enabled edge ports -  and as you SHOULD append port-fast to ALL access-edge ports I would recommend disabling both commands globally and applying bpdu-guard at interface level where it will work with/without portfast


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful

Go to solution
mulbreizh
Level 1
Level 1
In response to paul driver

‎08-30-2024 04:25 AM

If there are apply globally but not in interfaces, i can let like this in global configuration ?

0 Helpful

Go to solution
paul driver
VIP
VIP
In response to mulbreizh

‎08-30-2024 05:11 AM

Hello
You can leave it however as stated , I would say its not preferable to do so, especially bpdu-filter.
disabling it globally and applying it at an interface level is more deterministic and you have better control as when those features will initiate.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful

Go to solution
Giuseppe Larosa
Hall of Fame
Hall of Fame
In response to mulbreizh

‎08-30-2024 05:37 AM - edited ‎08-30-2024 05:39 AM

Hello @mulbreizh ,

bpdu guard = good

bpdu filter = bad idea .

BPDU filter should be used only on specific corner cases like connecting to other network where you don't want to joint your Rapid PVST domain with some other devices.

on normal user ports BPDU filter should not be used.

So my personal suggestion is to remove the command

conf it

no spanning-tree portfast bpdufilter default

( note to disable the command may be different )

 

Finally if your core switch is acting as a pure core switch i.e. it just has inter switch links with distribution layer switches or access layer switches both commands are useless, however you can keep the one for  bpdu guard .

Final note : stay also away from

spanning-tree loopguard default

it can create issues. I had a customer many years ago that had incident caused by this.

Hope to help

Giuseppe

 

0 Helpful

Go to solution
mulbreizh
Level 1
Level 1
In response to Giuseppe Larosa

‎08-30-2024 05:45 AM - edited ‎08-30-2024 05:45 AM

Most of my network is cisco switch with VTP domain. I just have 4 Aruba switchs on other spanning-tree but connect to the core /

with configuration like this on aruba :
interface lag 1 multi-chassis
description LACP-to-Coeur
no shutdown
no routing
vlan trunk native 999
vlan trunk allowed 1-2,5,15,17,21-22,25-26,45,51,54,56,61-62,70,89,100,102,104,110,999
lacp mode active
spanning-tree bpdu-filter
spanning-tree rpvst-filter

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to Giuseppe Larosa

‎08-30-2024 05:45 AM

Bad idea why ? if he careful config it ?
if he have more than 48 ports instead of add two or three command under the port connect to host he only need specify this port is portfast and make global config add it auto

both solution I share misconfig the bpdufilter is make issue 

MHM

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP

‎08-30-2024 06:05 AM - edited ‎08-30-2024 06:09 AM

@mulbreizh o

bpdufilter 

Cisco Sw use bpdufilter in link connect to other SW vendor to disable STP between two SW 

This can Done only if there is only one link connect two SW 

Why ? Because Cisco SW not use standard IEEE stp it use it stp abd that not compatible with other vendor that why disable stp by bpdufilter is one solution 

Other is run MST

MHM

0 Helpful

Go to solution
paul driver
VIP
VIP

‎08-30-2024 06:25 AM

Hello

@mulbreizh wrote:

Most of my network is cisco switch with VTP domain. I just have 4 Aruba switchs on other spanning-tree but connect to the core /

interface lag 1 multi-chassis
description LACP-to-Coeur
no shutdown
no routing
vlan trunk native 999
vlan trunk allowed 1-2,5,15,17,21-22,25-26,45,51,54,56,61-62,70,89,100,102,104,110,999
lacp mode active
spanning-tree bpdu-filter
spanning-tree rpvst-filter


By default arubas usually run mstp and not rstp, it seems the port cfg you hasve shared is the aruba interface (mLAG) 

It looks like you are filtering bpdus on this lag for a reason, maybe its the interconnect between the cisco, if that is the case I would leave it be.

FYI when Ive have had to interconnect two STP domains in the past , especially between cisco and aruba, the arubas have a neat feature called rpvst-mstp-interconnect-vlan x  which allows you specify the vlan (other than vlan 1) you which to interconnect between the two stp domains and on the cisco pvst simulation seems to work also.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful

Go to solution
mulbreizh
Level 1
Level 1
In response to paul driver

‎08-30-2024 06:28 AM

Yes, and i have trouble between the cisco and aruba like you can this my post here : https://community.cisco.com/t5/switching/trunk-between-cisco-an-aruba/td-p/5168104

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card