bpduguard vs. bpdufilter

Hi, what I know about BPDU Guard is that it can prevent receiving unwanted BPDUs, while BPDU Filter never sends unnecessary BPDUs. So firstly, am I right?

Secondly, when should I apply BPDU Guard and BPDU Filter in interface or global configuration mode?

Comments

  • ssfouzdar.ie,

    The purpose of BPDU Filter is to prevent the switch from sending BPDU frames on ports that are enabled with portfast (if you use the global command).

    To enable BPDU filter globally:
    spanning-tree portfast default
    spanning-tree portfast bpdufilter default

    When you enable the BPDU filter using the global command, it sends a few BPDUs. If the switch receives a BPDU, the port transitions back to normal (a non-portfast port).
    To enable BPDU filter on a particular port:
    spanning-tree bpdufilter enable

    If you enable BPDU filter on an interface, it neither sends nor receives BPDUs.

    Remember that when you apply the BPDU filter, the port state is always forwarding.



    BPDU GUARD:
    The purpose of BPDU guard is to put the interface in err-disable state (we can say a shutdown state) when the port receives a BPDU message.

    To configure BPDU GUARD using global command:

    spanning-tree portfast default
    spanning-tree portfast bpduguard default

    To configure on a particular interface:

    spanning-tree bpduguard enable

    Remember that portfast should be enabled to configure bpduguard and bpdufilter.

    Using the global command means it applies to all portfast-enabled access ports. If you have some selective ports, go port by port.

     

    Please correct me if I am wrong!!

     

    HAPPY STUDY

    [:D]

  • Hi,

       Do you have access to Volume 1? I remember it's all being explained in there. However:

    BPDU Guard enabled at port level or global level achieves the same thing: as soon as a BPDU is received, it puts the port in err-disabled state. For the lab, look if the task pushes you to use a certain solution. For real life, well, it depends how much control you have over the network. Setting it at global level, it will get applied on all portfast-enabled ports, so if you have a switch-to-switch access connection with portfast, it will get applied as well and break your switch-to-switch connectivity.

    BPDU Filter behaves differently when enabled at port or global level. BPDU Filter, when enabled at port level, immediately stops sending and receiving BPDUs on that port. BPDU Filter enabled at global level will get applied to all portfast-enabled ports and will still send out 11 BPDUs on all of those ports (I let you think about why 11 and not 100); if no BPDUs are received in this interval it will stop sending out BPDUs. However, when enabled at global level, as soon as it receives a BPDU, it takes the port out of portfast mode (edge for RSTP), removes the BPDU Filter configuration for that port and starts the usual STP port state negotiation.

    Make sure never to enable both at the same time, because BPDU Filter takes precedence over BPDU Guard (order of operation), so basically BPDU Guard never kicks in. Moreover, the features were not invented to be used at the same time on any given port, because they achieve different things and should be used in different situations.

    Good luck with your studies!
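Added example, not from the thread and not Cisco code: a small Python model of the behaviour Cristian describes above (port-level vs global BPDU Filter, BPDU Guard, and filter taking precedence over guard), with a parser for the global and interface commands quoted in this thread so the effective setting of one access port can be derived from a config snippet. The event names, the single-port model and the assumption that the port is an access port are mine; the 11-BPDU figure is the thread's.

```python
from dataclasses import dataclass
from typing import List, Optional

# Figure quoted in the thread: with BPDU Filter enabled globally, a portfast
# port sends 11 BPDUs after coming up and then goes quiet.
GLOBAL_FILTER_BPDU_BUDGET = 11


@dataclass
class Port:
    """Effective settings and STP state of one access port (simplified model)."""
    name: str
    portfast: bool = False
    bpduguard: Optional[str] = None    # None, "global" or "port"
    bpdufilter: Optional[str] = None   # None, "global" or "port"
    state: str = "forwarding"          # forwarding | listening | learning | err-disabled
    bpdus_sent: int = 0
    bpdus_processed: int = 0


def parse_config(text: str, port_name: str) -> Port:
    """Derive one access port's effective settings from an IOS-style snippet.
    Only the command forms quoted in the thread are accepted; anything else
    raises, so a mistyped command is noticed rather than silently ignored."""
    port = Port(port_name)
    g_portfast = g_guard = g_filter = False
    section = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("interface "):
            section = "this" if line.split()[1] == port_name else "other"
        elif section == "other":
            continue
        elif section == "this":  # per-port commands apply whether or not portfast is on
            if line == "spanning-tree portfast":
                port.portfast = True
            elif line == "spanning-tree bpduguard enable":
                port.bpduguard = "port"
            elif line == "spanning-tree bpdufilter enable":
                port.bpdufilter = "port"
            else:
                raise ValueError("unsupported interface command: " + line)
        elif line == "spanning-tree portfast default":
            g_portfast = True
        elif line == "spanning-tree portfast bpduguard default":
            g_guard = True
        elif line == "spanning-tree portfast bpdufilter default":
            g_filter = True
        else:
            raise ValueError("unsupported global command: " + line)
    port.portfast = port.portfast or g_portfast
    # Global defaults only land on portfast-enabled ports, and an explicit
    # per-port setting is kept in preference to the global one.
    if port.portfast:
        if g_guard and port.bpduguard is None:
            port.bpduguard = "global"
        if g_filter and port.bpdufilter is None:
            port.bpdufilter = "global"
    return port


def run(port: Port, events: List[str]) -> Port:
    """Drive the port through events: "hello" (hello timer expired, port may
    send), "bpdu" (a BPDU arrived), "forward_delay" (timer expired, so
    listening -> learning -> forwarding). Returns the updated port."""
    for ev in events:
        if port.state == "err-disabled":
            continue  # nothing happens until the port is recovered
        if ev == "hello":
            quiet = port.bpdufilter == "port" or (
                port.bpdufilter == "global" and port.bpdus_sent >= GLOBAL_FILTER_BPDU_BUDGET)
            if not quiet:
                port.bpdus_sent += 1
        elif ev == "bpdu":
            if port.bpdufilter == "port":
                pass  # dropped: a port-level filter never receives, so guard never sees it
            elif port.bpdufilter == "global":
                # Port leaves portfast, loses the filter (and the portfast-dependent
                # global guard with it) and negotiates like any normal STP port.
                port.portfast, port.bpdufilter, port.state = False, None, "listening"
                if port.bpduguard == "global":
                    port.bpduguard = None
                port.bpdus_processed += 1
            elif port.bpduguard:
                port.state = "err-disabled"
            else:
                port.bpdus_processed += 1
        elif ev == "forward_delay":
            if port.state == "listening":
                port.state = "learning"
            elif port.state == "learning":
                port.state = "forwarding"
        else:
            raise ValueError("unknown event: " + ev)
    return port


# Constructed sample configurations built from the commands quoted in the thread.
GLOBAL_FILTER_CFG = "spanning-tree portfast default\nspanning-tree portfast bpdufilter default\n"
GLOBAL_GUARD_CFG = "spanning-tree portfast default\nspanning-tree portfast bpduguard default\n"
PORT_FILTER_CFG = "interface GigabitEthernet0/1\n spanning-tree bpdufilter enable\n"
PORT_GUARD_CFG = "interface GigabitEthernet0/1\n spanning-tree bpduguard enable\n"
PORT_BOTH_CFG = PORT_FILTER_CFG + " spanning-tree bpduguard enable\n"


def scenario(cfg: str, events: List[str], port_name: str = "GigabitEthernet0/1") -> Port:
    """Parse cfg, replay events on port_name and return the resulting Port."""
    return run(parse_config(cfg, port_name), events)
```

Replaying `["hello"] * 15 + ["bpdu"]` against the global-filter config shows the port stop at 11 BPDUs, then drop to listening and walk back to forwarding on the next two forward-delay expiries, which is the "transition back to listening, learning and forwarding" behaviour the lab task quoted later in the thread asks for; the same events against the port-level filter leave the port forwarding with nothing sent or processed, and against either guard configuration the first BPDU err-disables it.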

  • Hi nnn,

        "Remember that portfast should be enabled to configure bpduguard and bpdufilter." This is only for enabling BPDU Guard or BPDU Filter at global level. If you enable it at port level, it will get applied even if the port is not portfast enabled. So this is not correct: "The purpose of BPDU Filter is to prevent the switch from sending BPDU frames on ports that are enabled with portfast"

    Good luck with your studies!

  • Thanks Cristian for the correction!!

     

    [:D]

  • Hi Cristian, suppose I have applied portfast on some interfaces; now can I configure bpdufilter in global configuration mode? Actually, my actual question is:

    Avoid transmitting BPDUs on some access switch ports. If a BPDU is received on any of these ports, the ports should transition back to the listening, learning and forwarding process.

  • When you enter the portfast global command, it applies to all access ports, and when you enter the BPDU filter global command, it applies to all portfast-enabled interfaces. If there is no other condition, you can configure bpdufilter.

    HAPPY STUDY

    [:D]

     

    Avoid transmitting BPDUs on some access switch ports. If a BPDU is received on any of these ports, the ports should transition back to the listening, learning and forwarding process.

     

  • Thanks for the response nnn,

    please tell me, in this condition where should I configure bpdufilter? On an interface basis or globally?

  • Hi,

      If you read my post you'll get the answer in there: "avoid transmitting BPDUs on some access switch ports. if a BPDU is received on any of these ports, the ports should transition back to the listening, learning and forwarding process" means the port should revert back to a normal STP port as soon as a BPDU is received.

      Based on my post, which option would you configure? Port or global level?

    Good luck with your studies!

  • Actually I have configured bpdufilter in global configuration mode.

  • Check out jonbov's post for some sound examples of where BPDU Filter / BPDU Guard are most likely to be used.

    http://ieoc.com/forums/p/15048/129826.aspx

     

  • Yes, it is in global configuration mode.

    Actually I have configured bpdufilter in global configuration mode.

     

  • With BPDU FILTER it will ignore the BPDUs totally, so there is a possibility that a loop may occur, because the ports would still be functioning (UP).

    But, in the case of BPDU GUARD, as soon as it gets a BPDU it will go into error-disabled state (DOWN, to keep it simple), so our network will not have a loop, but that port would be shut.

    Regards, Siddharth

  • Siddharth, your post is not correct, see my initial post on this one.

    Good luck with your studies!

  • Hi please confirm:
    ------------------
    Configuration
    ------------------
    - Global config
    spanning-tree portfast bpduguard default
    - All access ports configured with command
    spanning-tree portfast

    -------------
    Action
    -------------
    - Access port receives BPDU

    -------------
    Expected results
    -------------
    - Access port should go through all below states
    Blocking
    Listening
    Learning
    Forwarding

  • Hi krzal,

       Your post makes no sense to me (you configure bpduguard and make reference to bpdufilter behavior, and anyway it goes to listening first, not blocking). Read my initial post on this topic.

    Good luck with your studies!

  • Hi Cristian,

    I think I wrote briefly and correctly in my post about BPDU Filter and BPDU Guard.

    Good luck with your studies buddy

  • Yes, it is my mistake; it should be bpdufilter of course.

    ------------------
    Configuration
    ------------------
    - Global config
    spanning-tree portfast bpdufilter default
    - All access ports configured with command
    spanning-tree portfast

    -------------
    Action
    -------------
    - Access port receives BPDU

    -------------
    Expected results
    -------------
    - Access port should go through all below states
    Listening
    Learning
    Forwarding

     

    And does it mean that the access ports will participate in the spanning-tree path to the root bridge?

  • peetypeety

    If the other side of a link has bpduguard, you want bpdufilter so you don't trip the bpduguard.

    If you don't want users to connect switches and/or you want to forcibly enforce a "no loops" policy, bpduguard.

    In the real world, I'm a big believer in global portfast and bpdufilter, with root guard on all non-uplink ports.

     

  • Cristian,

    Can you explain why there are 11 BPDUs being sent?

  • If you enable bpdufilter globally, 11 BPDUs are always sent to detect STP loops.

    If you enable bpdufilter on a port, BPDUs are not sent and not processed.

     

    update:

    If your question is "why 11?": 10 BPDUs are normally sent in a time interval of 20 seconds, which by default is max-age. The 11th BPDU will definitely be sent after the remote device expires blocked undesignated ports, expires lost roots, etc., so 11 is the magic number that allows 100% protection from STP loops.

  • Hi Daniel,

       "invalidccie" answered correctly: by sending 11 BPDUs the switch is trying to make sure no temporary loops are created. Back in old STP, remember that when suddenly you receive an inferior BPDU on a designated port, you wait 20 seconds or whatever the max-age timer value is (default is 20) before you expire the old BPDU (in these 20 seconds you just ignore the BPDUs and do not modify the STP port state). By sending exactly 11 BPDUs, the switch is trying to make sure the remote-end switch processes at least one BPDU (in case you configured BPDU Filter at the same time the topology change occurred and you started sending inferior BPDUs because you lost connection to the root bridge and consider yourself as root now) and thus the remote switch port starts to converge the STP tree.

    This is not documented anywhere, at least I was not able to find it; it's just a personal interpretation of it.

    Hope I've clearly explained it. Good luck with your studies.
