Spanning-Tree BPDUFilter

This topic is to discuss the following lesson:

Hi Rene,

Do you know what exactly happens when BPDU filter and BPDU guard are both enabled on a portfast-enabled interface and then BPDUs are suddenly received? I cannot find a clear answer on that anywhere. I read that BPDU filter takes precedence over BPDU guard when both are configured on the interface, but it is still unclear to me what happens when BPDUs are received on a port configured this way.

Hi Edwin,

I just labbed this up. When you enable BPDU filter and BPDU guard at the same time, filter takes precedence. The BPDUs are ignored, and the interface doesn’t go into err-disabled because of BPDU guard anymore.

Rene


Thanks Rene!

That thus confirms that the guard function is useless when both guard and filter are enabled on the interface, as the guard never kicks in because the BPDUs are filtered beforehand.

Yup, that’s right :)

Hi Rene,
Is configuring the command “spanning-tree portfast trunk” needed for a trunk port?
Does the “spanning-tree bpdufilter enable” command have anything to do with the above command?

Thanks,
SV

spanning-tree portfast trunk is not required for trunks; it’s only used to skip the different spanning-tree port states and jump to forwarding immediately.

Normally it’s used for trunks to routers (router on a stick) or perhaps servers.

Hi Rene,
Thanks for your explanation!

SV

Hi Rene ,

Global: if you enable BPDUfilter globally then any interface with portfast enabled will not send or receive any BPDUs. When you receive a BPDU on a portfast enabled interface then it will lose its portfast status, disables BPDU filtering and acts as a normal interface.

What is meant by “disables BPDU filtering and acts as a normal interface”?

“Interface: if you enable BPDUfilter on the interface it will ignore incoming BPDUs and it will not send any BPDUs. This is the equivalent of disabling spanning-tree.”

What if portfast is enabled on the interface and bpdufilter is enabled as well?
If this disables spanning tree, is there no use for portfast?

Thanks

Sims,
What is meant by “disables BPDU filtering and acts as a normal interface”?

It means that the switch realizes either that there has been a change in topology, or that the administrator has made an error. A BPDU should never be received on an interface on which BPDU filtering is enabled. When the filtering is enabled globally, this is a safety mechanism so that when a BPDU is received on a port where the global filtering was enabled, the switch knows there must be another switch on the other side. In order to prevent a possible loop, the BPDU filtering is turned off just for this port, the portfast feature is disabled, and the switch will have this port go through the full spanning-tree states (instead of skipping straight to Forwarding).

What if portfast is enabled on the interface and bpdufilter is enabled as well? If this disables spanning tree, is there no use for portfast?

Note that the method of enabling bpdu filtering locally at a port level does not have the same safety mechanism as globally enabling it (as was discussed above). Without the safety mechanism, there is a much higher chance that a loop can be created, and for this reason, most people try to avoid setting bpdu filtering at a port level.

I suspect that even with BPDU filtering enabled for a port without having PortFast enabled, the port will still go through all STP states (Listening, Learning, Forwarding for regular STP). In other words, even if the switch would never receive or send a BPDU where filtering is disabled, it would still “go through the motions” of normal STP without PortFast telling it to skip ahead. If this is true, PortFast would still have a purpose.

I would encourage you to test this yourself and see what happens–I would like to know!
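
The two points made in the replies above (a port with both bpdufilter and bpduguard never err-disables because filter wins, and interface-level bpdufilter lacks the safety mechanism that the global setting has) can be turned into an offline config check. The following is an added example, not code from the thread, the lesson, or Cisco: SAMPLE_CONFIG is a constructed running-config excerpt, and parse_config, audit_bpdufilter and the finding codes are names chosen for this example.

```python
"""Audit an IOS-style running-config for risky BPDU filter placement.

Added example, not code from the thread or from Cisco. It encodes two
points discussed above (interface-level bpdufilter switches STP off for
that port with no fallback, and bpdufilter takes precedence over
bpduguard) as an offline config check. SAMPLE_CONFIG is a constructed
excerpt; all function and finding names are this example's own.
"""
import re

# Constructed running-config excerpt (not captured from a real device).
SAMPLE_CONFIG = """\
spanning-tree mode pvst
spanning-tree portfast default
spanning-tree portfast bpdufilter default
!
interface GigabitEthernet0/1
 description access port, global portfast/bpdufilter defaults only
 switchport mode access
!
interface GigabitEthernet0/2
 description filter and guard both enabled: guard never fires
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree bpdufilter enable
!
interface GigabitEthernet0/3
 description guard only
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/24
 description uplink to distribution switch
 switchport mode trunk
!
"""

# Finding codes and what each one means for the operator.
FINDINGS = {
    "GLOBAL_BPDUFILTER_DEFAULT": (
        "global bpdufilter default: portfast ports stop sending BPDUs; if a "
        "BPDU arrives, that port loses portfast, filtering is disabled on it "
        "and it runs STP normally"
    ),
    "INTERFACE_BPDUFILTER": (
        "interface-level bpdufilter: port neither sends nor processes BPDUs, "
        "STP is effectively off with no fallback if a switch is attached"
    ),
    "FILTER_OVERRIDES_GUARD": (
        "bpdufilter and bpduguard on the same port: filter wins, so a "
        "received BPDU never err-disables the port"
    ),
}


def parse_config(text):
    """Split an IOS-style config into (global_lines, {interface: [lines]})."""
    global_lines = []
    interfaces = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None  # '!' or a blank line ends an interface block
            continue
        match = re.match(r"^interface (\S+)$", line)
        if match:
            current = match.group(1)
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line.strip())
    return global_lines, interfaces


def audit_bpdufilter(text):
    """Return a list of (scope, finding_code) tuples for the config text."""
    global_lines, interfaces = parse_config(text)
    results = []
    if "spanning-tree portfast bpdufilter default" in global_lines:
        results.append(("global", "GLOBAL_BPDUFILTER_DEFAULT"))
    for name, lines in interfaces.items():
        has_filter = "spanning-tree bpdufilter enable" in lines
        has_guard = "spanning-tree bpduguard enable" in lines
        if has_filter:
            results.append((name, "INTERFACE_BPDUFILTER"))
        if has_filter and has_guard:
            results.append((name, "FILTER_OVERRIDES_GUARD"))
    return results


if __name__ == "__main__":
    for scope, code in audit_bpdufilter(SAMPLE_CONFIG):
        print(f"{scope}: {FINDINGS[code]}")
```

Run against the sample, the script flags the global bpdufilter default once and GigabitEthernet0/2 twice (interface-level filter, and filter masking guard); GigabitEthernet0/3, which carries only bpduguard, produces no finding. Feed it the output of `show running-config` from a real switch to find ports where guard has been silently neutralised by filter.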

Rene,

I think it’s worth mentioning that a switch that is globally configured for portfast and for portfast bpdufilter will still send a few BPDUs out whenever a link is brought online. Then the remaining subsequent BPDUs will be filtered.

Dear Rene,

I tested both scenarios (enabling BPDU filter globally with portfast, and also enabling it on an interface basis).
As per my lab outputs, what I find is below.

- If I enable it on the interface, it stops sending and receiving BPDUs.
- If I enable it globally, it won’t stop sending BPDUs, but it stops receiving them.

I am sharing my lab output as below

//Globally with Portfast

SW#sh spanning-tree summary totals
Switch is in pvst mode
Root bridge for: VLAN0001
Extended system ID           is enabled
Portfast Default             is enabled  >>>>>Portfast
PortFast BPDU Guard Default  is disabled
Portfast BPDU Filter Default is enabled  >>>>>BPDUFilter
Loopguard Default            is disabled
EtherChannel misconfig guard is enabled
Configured Pathcost method used is short
UplinkFast                   is disabled
BackboneFast                 is disabled

Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
1 vlan                       0         0        0          3          3


SW#sh spanning-tree detail | i BPDU
   BPDU: sent 6, received 0
   BPDU: sent 6, received 0
   BPDU: sent 6, received 0
SW#sh spanning-tree detail | i BPDU
   BPDU: sent 9, received 0
   BPDU: sent 9, received 0
   BPDU: sent 9, received 0

//Enable it on interface

SW#show spanning-tree interface Gi0/1 detail
 Port 2 (GigabitEthernet0/1) of VLAN0001 is designated forwarding
   Port path cost 4, Port priority 128, Port Identifier 128.2.
   Designated root has priority 32769, address 5000.0005.0000
   Designated bridge has priority 32769, address 5000.0005.0000
   Designated port id is 128.2, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port is in the portfast mode >>>>>Portfast
   Link type is shared by default
   Bpdu filter is enabled  >>>>>>>BPDUFilter
   BPDU: sent 0, received 0
SW#sh spanning-tree detail | i BPDU
   BPDU: sent 0, received 0
   BPDU: sent 12, received 0
   BPDU: sent 12, received 0
SW#sh spanning-tree detail | i BPDU
   BPDU: sent 0, received 0
   BPDU: sent 13, received 0
   BPDU: sent 13, received 0


//BR
Waqar


Hi Waqar,

It’s the other way around:

  1. If you configure BPDU filter globally with portfast, it will only filter sending BPDUs, but it will accept incoming BPDUs.
  2. If you configure it per interface, it will not send nor accept any BPDUs; it’s like turning off STP.

Regards
Jama


Hello Rene ,
These lines are always confusing for me:
Global: if you enable BPDUfilter globally then any interface with portfast enabled will not send or receive any BPDUs.
When you receive a BPDU on a portfast enabled interface then it will lose its portfast status, disables BPDU filtering and acts as a normal interface.

So the main point says that if you enable BPDU filter globally, then any interface with portfast enabled will not send or receive any BPDUs.
But it contradicts the next statement, that when you receive a BPDU on a portfast-enabled interface it will lose its portfast status,
disables BPDU filtering and acts as a normal interface.

So first we are saying it cannot receive, and then we are saying it receives. This is very confusing, and I am not sure whether BPDU filter enabled globally
with a portfast interface can receive BPDUs or not.

I think that BPDU filter enabled globally can filter BPDUs from being sent, but can receive BPDUs. Please let me know if this statement is correct.

Hello Tejpal

The confusion is understood, and it is due to the terminology used. The text, to be clearer, should read:

Global: if you enable BPDUfilter globally then any interface with portfast enabled will not send and should not receive or process any BPDUs.
If you receive a BPDU on a portfast enabled interface then it will lose its portfast status, disables BPDU filtering and acts as a normal interface.

So when you configure a port using portfast, you can’t say “it will never receive BPDUs”, because that depends on the port on the other end of the link and not on the config of the local router itself. But in a correctly configured network, a port that is set to portfast should not, under normal circumstances, receive a BPDU; if it does, it will not process it, but it will lose its portfast status.

I hope this has been helpful!

Laz
