05-24-2017 01:10 PM - edited 03-08-2019 10:43 AM
Hello,
Kind of a basic question, but I have BPDU guard enabled on all of my access ports connecting to hosts, and I was wondering what BPDU "filter" I should be using on trunk ports connecting to other switches and the router.
05-24-2017 01:15 PM
Hi,
Have a look at this post.
https://supportforums.cisco.com/document/45136/importance-bpdu-guard-and-bpdu-filter
HTH
05-24-2017 01:44 PM
So should I be using BPDU filter on trunk ports or root guard? The link you posted was informational but slightly contradictory. One person is saying:
"BPDU filter only stops sending BPDUs on that interface; the port is able to receive them. Now, if the port is configured in spanning tree PortFast mode, it will stop sending BPDUs as well."
Any help would be great.
Thanks,
05-24-2017 01:53 PM
The answer is no, you should not run it on any ports that interconnect switches because switches need to see all BPDUs.
Jon
05-24-2017 01:56 PM
Jon,
Thanks for the reply. I realize interconnecting switches need to see BPDUs; what I'm asking is whether I should be using any other type of spanning tree filter, such as root guard, for my trunk ports.
Thanks
05-24-2017 02:08 PM
You can, if you think there is a chance a new switch could become root.
It is a useful protection, especially if not all switches are under your control, but even if they are you may want to enable it.
It is up to you really.
Jon
05-24-2017 02:13 PM
Jon,
Much appreciated response; this clears things up for me. I do have control over all the switches in our organization, and we have our root bridge set, so I don't foresee any issues with superior BPDUs messing up our root.
Thanks again,
Steve
05-24-2017 02:14 PM
No problem, glad to have helped.
Jon
05-24-2017 01:55 PM
Only access ports.
BPDU guard can be enabled globally for all access ports.
The BPDU guard feature can be globally enabled on the switch or can be enabled per port, but the feature operates with some differences.
At the global level, you enable BPDU guard on Port Fast-enabled ports by using the spanning-tree portfast bpduguard default global configuration command. Spanning tree shuts down ports that are in a Port Fast-operational state if any BPDU is received on them. In a valid configuration, Port Fast-enabled ports do not receive BPDUs. Receiving a BPDU on a Port Fast-enabled port means an invalid configuration, such as the connection of an unauthorized device, and the BPDU guard feature puts the port in the error-disabled state. When this happens, the switch shuts down the entire port on which the violation occurred.
Here is a link to the config guide on how to enable it.
I also recommend testing it if you have a couple of extra devices in the lab.
HTH
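An added example, not from this thread or from Cisco's configuration guide, of how the pieces discussed above fit together on a Catalyst IOS switch: BPDU guard on the host-facing access ports (global default, as in the post above), root guard on the trunk ports as Jon suggests, a pinned root bridge, and the BPDU filter setting the thread advises against on trunks. Interface names, VLAN numbers and the priority value are assumed.

```cisco
! Global: BPDU guard on every PortFast-enabled (access) port.
spanning-tree mode rapid-pvst
spanning-tree portfast default
spanning-tree portfast bpduguard default
! Pin the root bridge so a newly attached switch's superior BPDU cannot take over.
! (priority 4096 is an assumed value; pick a lower one than any other switch.)
spanning-tree vlan 1-4094 priority 4096
! Optional: recover err-disabled ports after 5 minutes instead of a manual shut/no shut.
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! Access port to a host (assumed interface): PortFast + BPDU guard.
! The global default already covers it; the per-port command makes it explicit.
interface GigabitEthernet1/0/1
 description host-facing access port
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Trunk to another switch (assumed interface): BPDUs must keep flowing,
! so no guard and no filter, but root guard refuses a superior BPDU from
! that direction and puts the port in root-inconsistent state until it stops.
interface GigabitEthernet1/0/48
 description uplink to downstream switch
 switchport mode trunk
 spanning-tree guard root
!
! What NOT to do on a trunk: per-port BPDU filter stops both sending and
! receiving BPDUs on that link, so the two switches stop seeing each other
! and a redundant path can become a loop. Shown commented out on purpose.
! interface GigabitEthernet1/0/48
!  spanning-tree bpdufilter enable
```

To verify, `show spanning-tree inconsistentports` lists trunks that root guard has blocked and `show interfaces status err-disabled` lists ports that BPDU guard has shut down.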
05-24-2017 01:57 PM
Reza,
I appreciate all the insight, thanks for your time.