When is it appropriate to use "spanning-tree bpdufilter enable"

jstevens13
Level 1

What exactly does enabling BPDU filter do? I see some examples where BPDU filtering is enabled on access ports. Is this correct, or are there dangers in this approach?

Accepted Solutions

InayathUlla Sharieff
Cisco Employee

Hi John,

A simple way of saying it would be that it disables STP on that port.

BPDU filter filters the BPDUs coming in both directions, which means it effectively disables STP on the port.

Detailed explanation:

===============

BPDU filter, on the other hand, just filters BPDUs in both directions, which effectively disables STP on the port. BPDU filter will prevent inbound and outbound BPDUs but will remove the portfast state on a port if a BPDU is received. Enabling BPDU filtering on an interface is the same as disabling spanning tree on it and can result in spanning-tree loops.

Following are the methods to configure BPDU filter on switches:

Interface mode:

spanning-tree bpdufilter enable (Results in the port not participating in STP; loops may occur.)

Global mode:

spanning-tree portfast bpdufilter default (It enables BPDU filtering on ports that have the portfast configuration, so it sends a few BPDUs while enabling the port, then it filters BPDUs unless it receives a BPDU; after that it changes from portfast mode and disables filtering so the port operates like a normal port, because it has received a BPDU.)

You should always allow STP to run on a switch to prevent loops. However, in special cases when you need to prevent BPDUs from being sent or processed on one or more switch ports, you can use BPDU filtering to effectively disable STP on those ports. You would use bpdufilter when you want a switch plugged into your network but you don't want it participating in spanning tree.

An example: In an office environment where someone needs another network drop under their desk but you don't have the time/budget to run a new line for now. You have been given a small switch but don't want it to break spanning tree. The switch you have lying around for this task is a simple unmanaged switch and will only have one uplink into your network, so you put bpdufilter on your switch port.

Ref: https://supportforums.cisco.com/docs/DOC-11825

HTH

Regards

Inayath

*Plz rate if this info is helpful and mark as answered if this resolved your query.

Ok - thank you for the answer. So it seems like generally you don't want to enable BPDU filter on switch ports unless you have a specific reason to do so (like the example you listed). For the most part you want BPDU filter disabled so that spanning tree can detect loops.

I was originally asking the question because I came across this switch configuration tool and I noticed that they have BPDU filter on for every access port as the default for the tool. I thought that was strange.

Wow, that's a kewl tool, have not used it anytime.

But that's a good thing that it is enabled by default, as we don't expect to see BPDUs coming from end stations or from access ports.

HTH

Regards

Inayath

get_rthym
Level 1

I would suggest bpduguard as well, as it will err-disable the port if it receives a BPDU, unlike bpdufilter, which will lose (deactivate) the portfast function and start taking part in the spanning tree process.

Lek

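Added example, not part of the original thread or any poster's code: a small Python audit that sorts each interface of a running-config into the behaviours discussed above (interface-level bpdufilter, bpduguard, global portfast bpdufilter, or plain STP). The sample config, the function name and the finding labels are constructed for illustration; the bpduguard command forms are standard IOS syntax rather than quotes from the thread, and the check order is this example's own review priority.

```python
import re
# Constructed sample running-config for illustration (not from the thread).
SAMPLE_CONFIG = """\
spanning-tree portfast bpdufilter default
!
interface GigabitEthernet0/1
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface GigabitEthernet0/2
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/3
 spanning-tree portfast
!
interface GigabitEthernet0/4
 switchport mode access
"""

def audit_bpdu_settings(config):
    """Map each interface to STP_OFF, GUARD, COND_FILTER or STP."""
    global_cmds, blocks, current = set(), {}, None
    for line in config.splitlines():
        m = re.match(r"interface\s+(\S+)", line)
        if m:                                   # start of an interface block
            current = blocks.setdefault(m.group(1), set())
        elif line.startswith(" ") and current is not None:
            current.add(line.strip())           # command inside the block
        else:                                   # "!" or a global command
            current = None
            global_cmds.add(line.strip())
    g_filter = "spanning-tree portfast bpdufilter default" in global_cmds
    g_guard = "spanning-tree portfast bpduguard default" in global_cmds
    findings = {}
    for name, cmds in blocks.items():
        portfast = "spanning-tree portfast" in cmds  # interface-level only (simplification)
        if "spanning-tree bpdufilter enable" in cmds:
            findings[name] = "STP_OFF"      # BPDUs dropped both ways, loops possible
        elif "spanning-tree bpduguard enable" in cmds or (portfast and g_guard):
            findings[name] = "GUARD"        # port err-disables when a BPDU arrives
        elif portfast and g_filter:
            findings[name] = "COND_FILTER"  # filtering ends once a BPDU is received
        else:
            findings[name] = "STP"          # ordinary spanning-tree participation
    return findings

if __name__ == "__main__":
    print(audit_bpdu_settings(SAMPLE_CONFIG))
```

Ports reported as STP_OFF are the ones to review first, since they match the interface-mode case described in the accepted answer.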