05-22-2009 07:38 AM - edited 03-06-2019 05:53 AM
For a switchport which should have hosts connected to it, is there any benefit in doing:
!
int fa0/1
switchport mode access
switchport access vlan 10
spanning-tree bpdufilter enable <===
spanning-tree bpduguard enable
end
!
To my understanding if I do 'bpduguard enable', that should give me protection against STP loops.
Can anyone give me valid reasons to enable bpdufilter as well in this case where I want only hosts connected?
05-22-2009 07:55 AM
Bpdufilter will disable spanning-tree on that port if it's configured on the interface. If it's configured globally, it will silently put a port that's got "spanning-tree portfast" configured back to a normal port because it's received a BPDU.
In your case, if you have a user that connects a switch to your network, it could cause a loop in your network. Personally, I would enable bpdufilter globally, and then configure spanning-tree portfast on the port for hosts.
HTH,
John
05-22-2009 09:38 AM
BPDU filtering discards INCOMING and OUTGOING BPDUs on the given port.
BPDU guard discards the INCOMING BPDU and puts the port into Error Disable state. Note that BPDUs will be sent OUT this port.
I think the only valid reason is to prevent the switch from sending BPDUs out to the machine. A low security area might be a good reason. Why send out switch BPDUs to insecure devices (i.e. a public area)?
The real question is....
Are they mutually exclusive?
When you turn on bpdufilter does it override bpduguard or vice-versa?
05-25-2009 11:44 AM
Hi,
You can have both on a switchport, but bpdufilter will override bpduguard. One scenario where you need bpdufilter only is on a PE edge switch port tunneling STP BPDUs (L2 protocol tunneling, not dot1q). You don't want to mess up the downstream (CE) switch with the PE switch's local BPDUs.
This is automatically enabled if you are doing dot1q tunneling.
HTH,
-Rakesh
05-22-2009 11:38 AM
Hello Marlon,
I would stay away from BPDU filter; it is not the right tool to protect switches in an enterprise environment.
The right tool is BPDU guard.
By the way, there is a lot of misunderstanding about these two tools.
There have been different threads of people that used BPDU filter and had their network torn down by a bridging loop formed by a user installing a consumer switch or even connecting two ports of the same switch with a cable (yes, this can also happen; you cannot know what users do).
The reason is that BPDU filter is not of help in detecting loops because it stops BPDUs sending and receiving.
For example there is a recent thread where Bret and I have contributed.
We use BPDU guard + STP portfast + storm control 1% on user ports (where possible; this varies from site to site).
Hope to help
Giuseppe
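The script below is an added example, not code posted in this thread. It turns the behaviour described above into an audit over a Cisco IOS running-config: an interface-level "spanning-tree bpdufilter enable" stops BPDUs in both directions and overrides bpduguard, so an access port carrying it is flagged even when bpduguard is also configured; a PortFast access port with no bpduguard (neither on the interface nor via the global "spanning-tree portfast bpduguard default") is flagged; and a user port without storm-control is noted. The two configurations embedded in it are constructed for the example (the first is the original poster's port, the second a hardened version using the bpduguard + portfast + storm-control baseline from the last reply); the severity labels, the 1% storm-control level and the errdisable recovery timer are assumptions of this example, not recommendations from the thread.

```python
"""Audit a Cisco IOS running-config for the BPDU Filter / BPDU Guard
pitfalls discussed in this thread (added example; rules are the
author's assumptions, not output of any Cisco tool)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass
class Interface:
    name: str
    lines: list[str] = field(default_factory=list)

    def has(self, prefix: str) -> bool:
        return any(line.startswith(prefix) for line in self.lines)


def parse_config(text: str) -> tuple[list[str], list[Interface]]:
    """Split a running-config into global lines and interface blocks.

    A block starts at 'interface X' (or the 'int X' abbreviation) and ends
    at '!', 'end' or the next 'interface' line. Indentation is ignored so
    that configs pasted without leading spaces (as in this thread) parse
    the same as a real 'show running-config'."""
    global_lines: list[str] = []
    interfaces: list[Interface] = []
    current: Interface | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in ("!", "end"):
            current = None
            continue
        m = re.match(r"(?:interface|int)\s+(\S+)$", line)
        if m:
            current = Interface(m.group(1))
            interfaces.append(current)
            continue
        (current.lines if current is not None else global_lines).append(line)
    return global_lines, interfaces


def audit(text: str) -> list[tuple[str, str, str]]:
    """Return (severity, interface, message) findings for access ports."""
    global_lines, interfaces = parse_config(text)
    global_guard = any(
        line.startswith("spanning-tree portfast bpduguard default")
        for line in global_lines
    )
    findings: list[tuple[str, str, str]] = []
    for itf in interfaces:
        if not itf.has("switchport mode access"):
            continue  # trunks and uplinks are out of scope for this check
        if itf.has("spanning-tree bpdufilter enable"):
            findings.append((
                "HIGH", itf.name,
                "interface-level bpdufilter stops BPDUs in both directions and "
                "overrides bpduguard; a loop through this port goes undetected",
            ))
        portfast = any(
            re.fullmatch(r"spanning-tree portfast(?: edge)?", line)
            for line in itf.lines
        )
        guarded = itf.has("spanning-tree bpduguard enable") or (portfast and global_guard)
        if not guarded:
            findings.append((
                "MEDIUM", itf.name,
                "no bpduguard (interface or global portfast default); a user "
                "switch plugged in here is not shut down",
            ))
        if not itf.has("storm-control"):
            findings.append((
                "LOW", itf.name,
                "no storm-control; a loop that slips past STP floods unthrottled",
            ))
    return findings


# Constructed sample 1: the original poster's port, as pasted in the question.
OP_PORT = """!
int fa0/1
switchport mode access
switchport access vlan 10
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
end
!"""

# Constructed sample 2: the same port hardened with the baseline from the
# last reply. Global bpduguard default covers every PortFast port, and
# errdisable recovery (assumed 300 s) lets a guarded port come back on its own.
HARDENED = """spanning-tree portfast bpduguard default
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 storm-control broadcast level 1.00
 storm-control multicast level 1.00
 storm-control action shutdown
!
interface GigabitEthernet0/1
 description uplink to distribution
 switchport mode trunk
!"""

if __name__ == "__main__":
    for label, cfg in (("OP port", OP_PORT), ("hardened", HARDENED)):
        print(f"== {label} ==")
        for sev, name, msg in audit(cfg) or [("OK", "-", "no findings")]:
            print(f"{sev:6} {name:20} {msg}")
```

Run it against the output of "show running-config" and the HIGH finding is the case the thread warns about: the port looks protected because bpduguard is present, but the interface-level filter has already switched BPDU processing off.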