Spanning-Tree BPDUFilter

Hi Waqar,

it's the other way around:

  1. If you configure BPDUFilter globally with portfast, it will only filter outgoing BPDUs, but it will accept incoming BPDUs.
  2. If you configure it per interface, it will neither send nor accept any BPDUs; it's like turning off STP.

Regards
Jama


Hello Rene ,
These lines are always confusing for me:
Global: if you enable BPDUfilter globally then any interface with portfast enabled will not send or receive any BPDUs.
When you receive a BPDU on a portfast enabled interface then it will lose its portfast status, disables BPDU filtering and acts as a normal interface.

So the main point says that if you enable BPDUfilter globally, then any interface with portfast enabled will not send or receive any BPDUs.
But it contradicts the next statement, that when you receive a BPDU on a portfast-enabled interface it will lose its portfast status,
disable BPDU filtering and act as a normal interface.

So first we are saying it cannot receive, and then we are saying it receives. This is very confusing, and I am not sure whether BPDUfilter enabled globally
with a portfast interface can receive BPDUs or not.

I think that BPDUfilter enabled globally filters BPDUs from being sent, but can receive BPDUs. Please let me know if this statement is correct.

Hello Tejpal

The confusion is understood, and it is due to the terminology used. To be clearer, the text should read:

Global: if you enable BPDUfilter globally, then any interface with portfast enabled will not send, and should not receive or process, any BPDUs.
If you receive a BPDU on a portfast-enabled interface, then it will lose its portfast status, disable BPDU filtering and act as a normal interface.

So when you configure a port using portfast, you can’t say “it will never receive BPDUs”, because that depends on the port on the other end of the link and not on the config of the local router itself. But in a correctly configured network, a port that is set to portfast should not under normal circumstances receive a BPDU; if it does, it will not process it, but it will lose its portfast status.

I hope this has been helpful!

Laz


Hello

I wonder when we should use BPDUFilter in a real topology?

Thanks

Good question that drove me to think…
Imagine you have an open port on a switch and you want to use this port to connect an external switch (as a network admin, and without creating a loop) without worrying about breaking the STP topology.
If you use BPDU Guard, you will end up with a port in an err-disabled state.
If you do not use BPDU filter, you might change the root.
Waiting for the instructors' insights as well.


Hello,
so the command #spanning-tree portfast trunk
is basically telling the switch that, despite this port being a trunk, I understand that and still want to have it as portfast?
Thank you…

Hello Boris

@fadisaccal has described a good case where you would use BPDU Filter. Even so, it is a feature that should be used with great caution. BPDU Filter will essentially filter out or disable both the sending and receiving of BPDUs on an interface. This essentially means that STP is completely disabled on that port, because BPDUs are necessary for STP to function. So any switch that is connected to such a port must not create any physical loop, otherwise STP will not protect your network from a resulting broadcast storm.

For more info, take a look at this Cisco documentation.

I hope this has been helpful!

Laz


Hello Fadi

It is always best practice to enable portfast only on access ports. This is also why we get a very ominous message whenever enabling portfast:

SW1(config-if)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single
 host. Connecting hubs, concentrators, switches, bridges, etc... to this
 interface  when portfast is enabled, can cause temporary bridging loops.
 Use with CAUTION

However, there are cases where you would want to enable portfast on a trunk port. These include in the case of router on a stick, where a trunk connects to a single router with subinterfaces, as well as if you are connecting to a server which has trunking enabled on its NIC. In both of these cases, the trunk is actually connecting to a single device, so no L2 loops would occur.

Even so, portfast on trunks should always be employed with great caution, as Cisco’s warning suggests.

I hope this has been helpful!

Laz


Hello Fadi
Thanks a lot


Hello Laz
Thanks a lot


Does anyone have a use case for BPDUfilter? I have come up empty-handed :expressionless:
I have seen a topology connecting a provider L2 topology to a customer L2 topology; however, I am missing the explanation of when that would ever happen.

Hello Orla

Take a look at this NetworkLessons note on the BPDU filter feature for more info.

One possible use case is a multi-tenant situation, where a building owner provides network facilities to tenants. If you don’t want the tenants to participate in the STP of the network infrastructure, you can use BPDU filter to essentially ignore all BPDUs that arrive on such a port. That way, the port won’t go down, but it will not be affected by any STP attempts, whether malicious or not. You can have a similar situation with a provider L2 network as well; the idea and logic are the same.

I hope this has been helpful!

Laz

Thanks, Laz -
That actually makes sense :smiley:
/ Orla


Hi Rene,

Do you know what exactly happens when BPDU filter is enabled on a trunk port between switches? Is it recommended to do that? For example, my scenario is a Cisco core switch and a Ruckus core switch, both running 802.1w (RSTP), where the Cisco core is the root for all the VLANs, but not all of them are consumed on the Ruckus core side; only some VLANs cross the trunk link between them. I cannot find a clear answer on that anywhere. The Cisco core switch has STP priority 0 and the Ruckus core switch has STP priority 4096.

Does anyone know something about this topic or scenario?
Thanks

Hello Miguel

BPDU Filter should not be used on interfaces that connect to other switches, including both trunks and access ports. By doing so, you are essentially disabling STP on that port, so the connected switch will not be able to participate in STP. If you do employ such a configuration, it should be done with great caution, as it can cause a Layer 2 loop.

For more info, take a look at this NetworkLessons note on STP BPDU Filter.

In your particular case, you have some VLANs on the Cisco switch that are not included on the trunk to the Ruckus switch, correct? If the Cisco core switch is root for all VLANs, you should be OK. What is it that you want to achieve? Let us know a little bit more so that we can help you further.

I hope this has been helpful!

Laz

Hello team,

What I tried: I was unable to find a similar global command on Cisco IOSvL2 related to BPDU filter and guard; instead I found the attached one. Please let me know the difference, and which one I should pick (edge, network or normal).

Hello Nahro

The difference you see here in the commands has to do with the version of STP that is running. Rapid STP uses the edge keyword. Which STP version is active will depend upon the platform and IOS being used, and the default STP version on that particular platform/IOS version.

Here is the command reference for the spanning-tree portfast edge bpdufilter default command:

And here is the command reference for the spanning-tree portfast bpdufilter default command:

Take a look at this thread for some more info on these commands that you see in your output:

I hope this has been helpful!

Laz


Thanks so much Sir Laz,


I’ve noticed that bpduguard and bpdufilter can be configured without spanning-tree portfast. My question is whether bpduguard or bpdufilter, enabled per interface or globally, takes effect when spanning-tree portfast is not activated (whether per interface or globally).

Hello Juan

That’s an interesting question. Indeed, the behavior of both BPDUFilter and BPDUGuard changes somewhat when applied to ports with or without PortFast, and also when applied globally or on a per-interface basis. I created a NetworkLessons note on the topic to respond to your question.

If you have any further questions, let us know!

I hope this has been helpful!

Laz

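As an added example (not part of this thread, and not Cisco's or NetworkLessons' code), the Python model below encodes the rules Jama and Laz describe earlier in the thread and addresses Juan's portfast question: a global BPDUFilter only suppresses outgoing BPDUs on portfast ports and a received BPDU strips portfast; a per-interface BPDUFilter drops BPDUs in both directions; BPDUGuard err-disables the port. The no-portfast handling (global filter and guard apply only to portfast ports, per-interface settings apply regardless) and the "interface filter wins over guard" ordering are my assumptions about Cisco IOS behaviour, not statements from the thread.

```python
from dataclasses import dataclass


@dataclass
class Port:
    name: str
    portfast: bool = False
    bpdufilter_if: bool = False  # interface-level "spanning-tree bpdufilter enable"
    bpduguard_if: bool = False   # interface-level "spanning-tree bpduguard enable"
    err_disabled: bool = False


@dataclass
class Switch:
    # "spanning-tree portfast bpdufilter default" / "... bpduguard default".
    # Assumption (not stated in the thread): these apply only to portfast ports.
    global_bpdufilter: bool = False
    global_bpduguard: bool = False

    def sends_bpdu(self, p: Port) -> bool:
        """True if the switch still transmits BPDUs out of this port."""
        if p.err_disabled or p.bpdufilter_if:
            return False  # per-interface filter: STP is effectively off on the port
        if self.global_bpdufilter and p.portfast:
            return False  # global filter: only outgoing BPDUs are suppressed
        return True

    def receive_bpdu(self, p: Port) -> str:
        """Apply one incoming BPDU to the port and report what happened."""
        if p.err_disabled:
            return "dropped (err-disabled)"
        if p.bpdufilter_if:
            return "dropped (interface bpdufilter)"  # assumption: filter wins over guard
        if p.bpduguard_if or (self.global_bpduguard and p.portfast):
            p.err_disabled = True  # BPDU Guard shuts the port down
            return "err-disabled (bpduguard)"
        if self.global_bpdufilter and p.portfast:
            p.portfast = False  # port loses portfast, so the global filter no longer applies
            return "portfast lost; BPDU not processed; port now behaves normally"
        return "processed"


if __name__ == "__main__":
    sw = Switch(global_bpdufilter=True)
    port = Port("Gi0/1", portfast=True)   # constructed sample port
    print(port.name, "sends BPDUs:", sw.sends_bpdu(port))
    print(port.name, "on BPDU:", sw.receive_bpdu(port))
    print(port.name, "sends BPDUs now:", sw.sends_bpdu(port))
```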