Confused about BPDU Filtering

Hi Everyone,

I am a little confused with BPDU Filtering concepts. This is what Cisco official documentation says: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_55_se/configuration/guide/3560_scg/swstpopt.html#wp1046220

"At the global level, you can enable BPDU filtering on Port Fast-enabled interfaces by using the spanning-tree portfast bpdufilter default global configuration command. This command prevents interfaces that are in a Port Fast-operational state from sending or receiving BPDUs. The interfaces still send a few BPDUs at link-up before the switch begins to filter outbound BPDUs. You should globally enable BPDU filtering on a switch so that hosts connected to these interfaces do not receive BPDUs. If a BPDU is received on a Port Fast-enabled interface, the interface loses its Port Fast-operational status, and BPDU filtering is disabled."

So... I don't get it... If the command above prevents interfaces that are in a Port Fast operational state from sending or receiving BPDUs, then why, if a BPDU is received on such a port, does the interface simply lose its Port Fast operational status and the actual BPDU filtering feature get disabled? So what would be the protection? If the BPDU filtering feature is disabled... then the port will go through all the STP modes as usual.

Thanks in advance

Daniel

8 Replies

Philip D'Ath
VIP Alumni

I use it per port, not globally. It simply prevents the sending of BPDUs, and filters out the receiving of them. Simple.

Thanks for your reply,

However, based on the information above, it doesn't really filter out the receiving of BPDUs; the documentation says that if a BPDU is received, the port "loses its portfast operational status and BPDU filtering is disabled", so I get the point on avoiding the sending of BPDUs, but it doesn't really solve the receiving problem.


Best Regards

Daniel

Don't configure it globally. Configure it on the interface. It will filter out the BPDU packets.

Thanks Philip!

Hey, BPDU filter isn't just about security; it's about being able to turn off STP coming towards switches that do not support it. You may have a switch that has no understanding of BPDUs; in that case you connect the switch to the Cisco port and turn on BPDU filter between the two devices so it can operate normally.

The security comes into play when you use guard with filter: the port goes err-disabled if someone connects a switch they should not. Guard does that bit and shuts the port down, and with something like errdisable recovery you can automate its recovery.

Thanks Mark,

OK, so just to check that I understood properly, based on both people who have answered this discussion:

1. If BPDU filtering is enabled on the port rather than globally, it will filter out the BPDUs that are received on the port.

2. With the global config command spanning-tree portfast bpdufilter default, if a BPDU is received on a PortFast-enabled interface, the port loses both its PortFast and BPDU filtering condition. This is what does not make sense to me, so I guess I will configure BPDU guard as well; I just want to make sure I at least understand the concept for now.

Hi. Yes, PortFast and filter provide no protection; they are just for speeding up STP and filtering BPDUs. It's guard that will shut the port down and prevent the issue. They're used in conjunction depending on what the end goal is: whether you want it protected from someone mistakenly causing a loop, or you want a 3rd-party non-BPDU switch, or you want to protect an edge user port.

1. Yes.

2. Yes, when that happens it reverts to normal status; you want BPDU guard enabled for protection and to shut it down.

Thank you so much!
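The three configurations the thread contrasts, side by side, as an added example; this is not configuration from the original posts or from the quoted Cisco document. The interface names (GigabitEthernet0/1, GigabitEthernet0/2), the descriptions and the 300-second recovery interval are assumptions chosen for illustration.

```ios
! --- Weak: global PortFast + global BPDU filter default ---
! A BPDU arriving on a PortFast port strips PortFast and the filter from
! that port, which then runs normal STP (listening/learning) and takes
! part in the topology with whatever was plugged in. Nothing is shut
! down and nothing is logged as a violation.
spanning-tree portfast default
spanning-tree portfast bpdufilter default

! --- Hardened user edge port: PortFast + BPDU guard ---
! A received BPDU puts the port into err-disabled instead of letting it
! join the spanning tree. (Interface name is an assumption.)
interface GigabitEthernet0/1
 description user edge port (assumed)
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable

! Automatic recovery so a one-off mistake does not need a manual
! shut / no shut. 300 seconds is an assumed value.
errdisable recovery cause bpduguard
errdisable recovery interval 300

! --- Link to a third-party device that does not speak STP ---
! Per-interface filter: the port neither sends BPDUs nor acts on
! received ones, independent of its PortFast state. Only use this where
! a switch cannot be attached, because it also hides a loop from STP.
interface GigabitEthernet0/2
 description link to non-STP device (assumed)
 spanning-tree bpdufilter enable
```

To confirm which behaviour a port actually has, check "show spanning-tree interface GigabitEthernet0/1 detail" (it lists whether BPDU guard and BPDU filter are enabled on that port), "show interfaces status err-disabled" to see ports that guard has shut, and "show errdisable recovery" for the recovery cause and timer. The global bpdufilter default is the setting the original question worried about: it protects hosts from seeing BPDUs but offers no protection against an unexpected switch, which is why the thread ends on enabling BPDU guard as well.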
