Spanning-Tree BPDUFilter

This topic is to discuss the following lesson:

Hi Rene,

Do you know what exactly happens when BPDU filter and BPDU guard are both enabled on a portfast-enabled interface and then BPDUs are suddenly received? I cannot find a clear answer on that anywhere. I read that BPDU filter takes precedence over BPDU guard when both are configured on the interface, but it is still unclear to me what happens when BPDUs are received on a port configured this way.

Hi Edwin,

I just labbed this up. When you enable BPDU filter & guard at the same time, filter takes precedence. The BPDUs are ignored, and the interface doesn’t go into err-disabled because of BPDU guard anymore.

Rene

3 Likes

Thanks Rene!

That thus confirms that the guard function is useless when both guard and filter are enabled on the interface, as the guard never kicks in due to the BPDUs being filtered beforehand.

Yup that’s right :slight_smile:

Hi Rene,
Is configuring the command “spanning-tree portfast trunk” needed for a trunk port?
Does the “spanning-tree bpdufilter enable” command have anything to do with the above command?

Thanks,
SV

spanning-tree portfast trunk is not required for trunks; it’s only used to skip the different spanning-tree port states and jump to forwarding immediately.

Normally it’s used for trunks to routers (router on a stick) or perhaps servers.

Hi Rene,
Thanks for your explanation!

SV

Hi Rene,

“Global: if you enable BPDUfilter globally then any interface with portfast enabled will not send or receive any BPDUs. When you receive a BPDU on a portfast enabled interface then it will lose its portfast status, disables BPDU filtering and acts as a normal interface.”

What does “disables BPDU filtering and acts as a normal interface” mean?

“Interface: if you enable BPDUfilter on the interface it will ignore incoming BPDUs and it will not send any BPDUs. This is the equivalent of disabling spanning-tree.”

What if portfast is enabled on these interfaces and bpdufilter is enabled as well?
If this disables spanning tree, is there no use for portfast?

Thanks

Sims,
What does “disables BPDU filtering and acts as a normal interface” mean?

It means that the switch realizes either there has been a change in topology, or the administrator has made an error. A BPDU should never be received on an interface on which BPDU filtering is enabled. When the filtering is enabled globally, this is a safety mechanism so that when a BPDU is received on a port where the global filtering was enabled, the Switch knows there must be another switch on the other side. In order to prevent a possible loop, the BPDU filtering is turned off just for this port, the portfast feature is disabled, and the switch will have this port go through the full spanning-tree states (instead of skipping straight to Forwarding).

What if portfast is enabled on these interfaces and bpdufilter is enabled as well? If this disables spanning tree, is there no use for portfast?

Note that the method of enabling bpdu filtering locally at a port level does not have the same safety mechanism as globally enabling it (as was discussed above). Without the safety mechanism, there is a much higher chance that a loop can be created, and for this reason, most people try to avoid setting bpdu filtering at a port level.

I suspect that even with BPDU Filtering enabled for a port without having PortFast enabled, the port will still go through all STP states (Listening, Learning, Forwarding for regular STP). In other words, even if the switch would never receive or send a BPDU where filtering is disabled, it would still “go through the motions” of normal STP without PortFast telling it to skip ahead. If this is true, PortFast would still have a purpose.

I would encourage you to test this yourself and see what happens; I would like to know!

Rene,

I think it’s worth mentioning that a switch that is globally configured for portfast and for portfast bpdufilter will still send a few BPDUs out whenever a link is brought online. Then the remaining subsequent BPDUs will be filtered.

Dear Rene,

I tested both scenarios (enabling BPDU filter globally with portfast, and also enabling it on an interface basis).
As per my lab outputs, what I found is below.

- If I enable it on an interface, it stops sending and receiving BPDUs.
- If I enable it globally, it won’t stop sending BPDUs, but it stops receiving them.

I am sharing my lab output below:

//Globally with Portfast

SW#sh spanning-tree summary totals
Switch is in pvst mode
Root bridge for: VLAN0001
Extended system ID           is enabled
Portfast Default             is enabled  >>>>>Portfast
PortFast BPDU Guard Default  is disabled
Portfast BPDU Filter Default is enabled  >>>>>BPDUFilter
Loopguard Default            is disabled
EtherChannel misconfig guard is enabled
Configured Pathcost method used is short
UplinkFast                   is disabled
BackboneFast                 is disabled

Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
1 vlan                       0         0        0          3          3


SW#sh spanning-tree detail | i BPDU
   BPDU: sent 6, received 0
   BPDU: sent 6, received 0
   BPDU: sent 6, received 0
SW#sh spanning-tree detail | i BPDU
   BPDU: sent 9, received 0
   BPDU: sent 9, received 0
   BPDU: sent 9, received 0

//Enable it on interface

SW#show spanning-tree interface Gi0/1 detail
 Port 2 (GigabitEthernet0/1) of VLAN0001 is designated forwarding
   Port path cost 4, Port priority 128, Port Identifier 128.2.
   Designated root has priority 32769, address 5000.0005.0000
   Designated bridge has priority 32769, address 5000.0005.0000
   Designated port id is 128.2, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port is in the portfast mode >>>>>Portfast
   Link type is shared by default
   Bpdu filter is enabled  >>>>>>>BPDUFilter
   BPDU: sent 0, received 0
SW#
SW#
SW#
SW#
SW#sh spanning-tree detail | i BPDU
   BPDU: sent 0, received 0
   BPDU: sent 12, received 0
   BPDU: sent 12, received 0
SW#
SW#
SW#sh spanning-tree detail | i BPDU
   BPDU: sent 0, received 0
   BPDU: sent 13, received 0
   BPDU: sent 13, received 0


//BR
Waqar

1 Like

Hi Waqar,

it’s the other way around:

  1. If you configure BPDUFilter globally with portfast, it will only filter sending BPDUs, but it will accept incoming BPDUs.
  2. If you configure it per interface, it will not send nor accept any BPDUs; it’s like turning off STP.

Regards
Jama

1 Like

Hello Rene ,
These lines are always confusing for me:
“Global: if you enable BPDUfilter globally then any interface with portfast enabled will not send or receive any BPDUs.
When you receive a BPDU on a portfast enabled interface then it will lose its portfast status, disables BPDU filtering and acts as a normal interface.”

So, the main point says that if you enable BPDUfilter globally then any interface with portfast enabled will not send or receive any BPDUs,
but it contradicts the next statement, that when you receive a BPDU on a portfast enabled interface then it will lose its portfast status,
disable BPDU filtering and act as a normal interface.

So first we are saying it cannot receive, and then we are saying it receives, so this is very confusing, and I am not sure if a portfast interface with BPDUfilter enabled globally can receive BPDUs or not.

I think that BPDUfilter enabled globally can filter BPDUs from being sent, but can receive BPDUs. Please let me know if this statement is correct.

Hello Tejpal

The confusion is understandable and is due to the terminology used. To be clearer, the text should read:

Global: if you enable BPDUfilter globally then any interface with portfast enabled will not send, and should not receive or process, any BPDUs.
If you receive a BPDU on a portfast enabled interface then it will lose its portfast status, disable BPDU filtering and act as a normal interface.

So when you configure a port using portfast, you can’t say “it will never receive BPDUs” because that depends on the port on the other end of the link, and not on the config of the local router itself. But in a correctly configured network, a port that is set to portfast should not under normal circumstances receive a BPDU; if it does, it will not process it, but it will lose its portfast status.

I hope this has been helpful!

Laz

3 Likes
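As an added configuration example (this is not from the lesson or from any post above), here are the two ways of enabling BPDU filter that Laz and Rene describe, side by side, together with the show commands used to verify which one is in effect on a port. Interface names and the VLAN are assumptions chosen for illustration.

```cisco
! Added example, not part of the lesson. Interface names and VLAN 10 are assumed.

! 1) Global: the filter is a default for portfast ports only. If such a port ever
!    receives a BPDU it drops out of portfast, the filter is removed, and the port
!    walks the normal STP states (the safety mechanism Laz describes above).
spanning-tree mode pvst
spanning-tree portfast default
spanning-tree portfast bpdufilter default

! 2) Per-interface: no safety mechanism. BPDUs are neither sent nor processed,
!    so STP is effectively off on this port. Only for a port that can never
!    reach another switch.
interface GigabitEthernet0/1
 description Single host - STP intentionally disabled here
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpdufilter enable

! 3) The usual access-port protection: portfast + BPDU guard, no filter.
!    A BPDU on this port err-disables it instead of being silently dropped.
interface GigabitEthernet0/2
 description Single host - guarded
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable

! 4) What NOT to do: per Rene's lab above, an interface-level filter takes
!    precedence over guard, so the guard on this port never triggers.
interface GigabitEthernet0/3
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree bpdufilter enable

! Let a port that BPDU guard err-disabled come back by itself after 5 minutes,
! so a mistake does not require a manual shutdown / no shutdown.
errdisable recovery cause bpduguard
errdisable recovery interval 300

! Verification
show spanning-tree summary
show spanning-tree interface gigabitEthernet 0/1 detail
show spanning-tree detail | include BPDU
show interfaces status err-disabled
show errdisable recovery
```

In `show spanning-tree summary` the global defaults appear as “Portfast Default” and “Portfast BPDU Filter Default”; in `show spanning-tree interface ... detail` a per-interface filter shows up as “Bpdu filter is enabled” and a portfast port as “The port is in the portfast mode”. Watching the “BPDU: sent X, received Y” counters on a port over a few intervals, as Waqar did above, tells you whether the port is still transmitting. If an audit finds `spanning-tree bpdufilter enable` on a port whose neighbour is not a single end host, treat it as a finding: a physical loop behind that port will not be caught by STP.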

Hello

I wonder when we should use BPDUFilter in a real topology?

Thanks

Good question that drove me to think…
Imagine you have an open port on a switch and you want to use this port to connect an external switch (as a network admin, and without creating a loop) without worrying about breaking the STP topology.
If you use BPDU Guard you will end up with a port in an err-disabled state;
if you do not use BPDU filter you might change the root.
Waiting for the instructors’ insights as well.

1 Like

Hello,
So the command #spanning-tree portfast trunk
is basically telling the switch that, despite this port being a trunk, I understand that and still want to have it as portfast?
Thank you…

Hello Boris

@fadisaccal has described a good case where you would use BPDU Filter. Even so, it is a feature that should be used with great caution. BPDU Filter will essentially filter out or disable both the sending and receiving of BPDUs on an interface. This essentially means that STP is completely disabled on that port, because BPDUs are necessary for STP to function. So any switch that is connected to such a port must not create any physical loop, otherwise STP will not protect your network from a resulting broadcast storm.

For more info, take a look at this Cisco documentation.

I hope this has been helpful!

Laz

3 Likes

Hello Fadi

It is always best practice to enable portfast only on access ports. This is also why we get a very ominous message whenever enabling portfast:

SW1(config-if)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single
 host. Connecting hubs, concentrators, switches, bridges, etc... to this
 interface  when portfast is enabled, can cause temporary bridging loops.
 Use with CAUTION

However, there are cases where you would want to enable portfast on a trunk port. These include in the case of router on a stick, where a trunk connects to a single router with subinterfaces, as well as if you are connecting to a server which has trunking enabled on its NIC. In both of these cases, the trunk is actually connecting to a single device, so no L2 loops would occur.

Even so, portfast on trunks should always be employed with great caution, as Cisco’s warning suggests.

I hope this has been helpful!

Laz

2 Likes
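As an added example (not from the lesson or from Laz’s post), this is the router-on-a-stick case described above, with `spanning-tree portfast trunk` on the switch side. The interface names, VLANs and addresses are assumptions for illustration, and pairing the trunk with BPDU guard is an added design choice rather than something the thread states.

```cisco
! Added example, not part of the lesson. Interface names, VLANs 10/20 and
! the addressing are assumed.

! ---- Switch side ----
interface GigabitEthernet0/24
 description Trunk to R1 (router on a stick) - single device, no switch behind it
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
 ! Skip listening/learning on this trunk; safe only because R1 is a single
 ! device that cannot close an L2 loop. This is the case the warning above
 ! is about, so the trunk keyword is required to apply portfast here.
 spanning-tree portfast trunk
 ! A router never sends BPDUs. If someone swaps in a switch, the port is
 ! err-disabled instead of going straight to forwarding toward a loop.
 spanning-tree bpduguard enable

! ---- Router side (R1) ----
interface GigabitEthernet0/0
 no ip address
 no shutdown
!
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0

! Verify on the switch
show spanning-tree interface gigabitEthernet 0/24 detail
show interfaces gigabitEthernet 0/24 trunk
```

`switchport trunk encapsulation dot1q` is only accepted on platforms that also support ISL; on switches that speak 802.1Q only, leave that line out. `switchport nonegotiate` turns off DTP so the port stays a trunk by configuration rather than by negotiation with whatever is plugged in, which is the same “single known device” assumption that makes portfast on this trunk acceptable.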