Confused about BPDU filtering

droeun141
Level 1

Found this on Cisco's website:

At the global level, you can enable BPDU filtering on Port Fast-enabled interfaces by using the spanning-tree portfast bpdufilter default global configuration command. This command prevents interfaces that are in a Port Fast-operational state from sending or receiving BPDUs. The interfaces still send a few BPDUs at link-up before the switch begins to filter outbound BPDUs. You should globally enable BPDU filtering on a switch so that hosts connected to these interfaces do not receive BPDUs. If a BPDU is received on a Port Fast-enabled interface, the interface loses its Port Fast-operational status, and BPDU filtering is disabled.

It says the command prevents the interface from sending or receiving BPDUs, but at the same time says that if a BPDU is received, the interface loses portfast status and BPDU filtering is disabled. Doesn't this defeat the whole purpose of the command?

Jon Marshall
Hall of Fame

droeun141 wrote:

It says the command prevents the interface from sending or receiving BPDUs, but at the same time says that if a BPDU is received, the interface loses portfast status and BPDU filtering is disabled. Doesn't this defeat the whole purpose of the command?

No, because as soon as the port loses its portfast status it must go through the full STP process of listening/learning and then either blocking or forwarding. Portfast is used to allow a host to immediately begin sending and receiving packets. Once portfast is disabled you absolutely don't want to be filtering BPDUs, because that port could potentially be creating a loop in your network. So you want it to send and receive BPDUs so it can work out whether it should be blocking or forwarding.

Jon

Jon,

Great explanation. I used to have the same confusion when I first dove into spanning tree configurations. If what you're looking for is to stop BPDUs from traversing the link at all costs, go with BPDU Guard, though I like to think of this feature as more security-centric as it shuts down the port and gives you notification of a BPDU being received. I look at BPDU filter as a less abrasive form of BPDU Guard. BPDU filter allows a portfast link to adapt in the case that a switch is connected. This can open itself up to loops and security issues, but the risks and flexibility arguments should be weighed and considered before choosing between the two features.

Thanks Jon, but doesn't that defeat the purpose of filtering BPDUs? Please forgive me if I sound ignorant. Also, is the behavior the same on non-portfast enabled ports?

droeun141,

A non-portfast port sends and receives BPDUs, meaning it participates in the spanning tree process. Applying portfast with BPDU filter stops the port from participating in the spanning tree (portfast's role) but allows the port to rejoin the spanning tree process if it receives a BPDU without an administrator's intervention (BPDU filter's role). If you don't want the added flexibility, you should go with BPDU guard, which will disable the port if it receives a BPDU.

Hope that helps.
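As an added illustration (not part of the thread and not Cisco's own example), the two alternatives discussed above written out as Cisco IOS configuration; interface names, VLAN numbers and the recovery interval are assumed, and the per-interface filter at the end is shown only to contrast it with the global default:

```cisco
! Added example, not from the thread. Pick ONE of the two global options.
!
! --- Option A: global BPDU filter default (the behaviour quoted from the docs)
! Edge ports send a few BPDUs at link-up, then stop sending. If a BPDU
! ARRIVES, the port drops portfast and filtering and rejoins normal STP
! (listening/learning), so a switch plugged in cannot silently form a loop.
spanning-tree mode rapid-pvst
spanning-tree portfast default
spanning-tree portfast bpdufilter default
!
! --- Option B: global BPDU guard default (fail-closed alternative)
! A BPDU on an edge port puts it into err-disabled state and logs it.
! spanning-tree portfast bpduguard default
! Optional: recover err-disabled ports after 300 s (assumed value)
! instead of requiring an operator to shut / no shut the interface.
! errdisable recovery cause bpduguard
! errdisable recovery interval 300
!
interface GigabitEthernet1/0/1
 description Host access port (global portfast default applies)
 switchport mode access
 switchport access vlan 10
!
! Per-interface BPDU filter is NOT the same as the global default: it drops
! BPDUs in both directions unconditionally and never hands the port back to
! STP, so a switch connected here can create a loop that STP never sees.
interface GigabitEthernet1/0/2
 description Device that cannot tolerate BPDUs (per-interface filter)
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
! Verification commands:
!   show spanning-tree summary
!   show spanning-tree interface GigabitEthernet1/0/1 detail
!   show interfaces status err-disabled
```

The `show spanning-tree summary` output lists which of PortFast, BPDU Guard and BPDU Filter are enabled by default, which is the quickest way to confirm which option is actually active on the switch.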

Nathan Spitzer
Level 1

IMHO there is one, and ONLY one time BPDU filtering should be enabled, and that is when there is a specific device incompatibility where a host device just REALLY does not like BPDUs. Some early Nortel VOIP sets had this issue, and there are other types of hardware that may have poorly designed network stacks.

I specifically would never enable this either globally or to resolve a spanning-tree incompatibility between switch vendors. This is an evil "feature" that can bite the unwary, and in fact Cisco basically says in the documentation, though obliquely, not to use this unless you have a very good reason and know what you are doing.

Dmytro Shabeko
Level 1

Here is a reasonable article about these functions. Though there is some mismatch with the Cisco manual that you quote.
