Procurve: BPDU Protection/Filtering & loop protection

fluk3d
I would like to implement BPDU protection & filtering in our topology, and loop protection. Should I be turning on bpdu fil/pro on all ports except firewall, inter switch links and the same for loop protection?

I am using the following guide as a reference

http://h40060.www4.hp.com/procurve/uk/en/pdfs/application-notes/How_to_improve_and_harden_spanning-tree_configuration_Configuration_note_Dec_08_A4.pdf

Author

Commented:
Also, what about printers? Should I include them in loop protect?
BPDU filtering should be enabled on the edge ports, where end devices like user desktops are connected... In this scenario, if you connect a device which sends BPDUs, then that port will go into the err-disabled state. The loop protection should be enabled on those trunk links where you are not expecting the root path...

Author

Commented:
Thank you

Commented:
Hi,

Please correct me if I'm wrong, but if I'm reading the linked document correctly, all Edge ports should be configured with BPDU-Protect, and only particular ports that for any reason you would want to lock out from spanning tree protocol (e.g. the preferred primary backbone links) should be configured with BPDU-Filtering.

"BPDU filtering allows control of spanning-tree participation on a per-port basis. When enabled on a port, it excludes this port from any spanning-tree participation: the port will ignore spanning-tree BPDUs and stay locked in “forwarding” state."


So wouldn't enabling BPDU-Filtering on Edge ports defeat the effect of spanning-tree hardening altogether?
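
The reading of the application note given in the comment above (edge ports get BPDU protection, BPDU filtering is reserved for deliberately chosen ports) can be checked against a switch configuration. The following is an added example, not part of the thread or of HP's document: it audits ProCurve-style running-config text and reports edge ports that have `bpdu-filter` set or lack `bpdu-protection` or `loop-protect`. The sample config, the edge-port range `1-23` and the function names are constructed assumptions.

```python
import re

# Constructed sample in ProCurve running-config style (not taken from the thread).
SAMPLE_CONFIG = """\
spanning-tree 1-20 admin-edge-port bpdu-protection
spanning-tree 21-22 admin-edge-port
spanning-tree 23 admin-edge-port bpdu-filter
spanning-tree bpdu-protection-timeout 300
loop-protect 1-21
"""
PORT_LIST = re.compile(r"[A-Za-z]*\d+(?:[-,][A-Za-z]*\d+)*")

def expand_ports(spec):
    """Expand '1-3,A1-A2,24' into ['1', '2', '3', 'A1', 'A2', '24']."""
    ports = []
    for part in spec.split(","):
        m = re.fullmatch(r"([A-Za-z]*)(\d+)-([A-Za-z]*)(\d+)", part)
        if m and m[1] == m[3]:
            ports += [f"{m[1]}{n}" for n in range(int(m[2]), int(m[4]) + 1)]
        else:
            ports.append(part)
    return ports

def audit(config, edge_spec):
    """Return {port: [issues]} for operator-declared edge ports (hypothetical helper)."""
    stp, loop = {}, set()
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or not PORT_LIST.fullmatch(tokens[1]):
            continue  # global setting, e.g. the bpdu-protection-timeout line
        ports = expand_ports(tokens[1])
        if tokens[0] == "spanning-tree":
            for p in ports:
                stp.setdefault(p, set()).update(tokens[2:])
        elif tokens[0] == "loop-protect":
            loop.update(ports)
    findings = {}
    for p in expand_ports(edge_spec):
        opts = stp.get(p, set())
        issues = ["bpdu-filter set"] if "bpdu-filter" in opts else []
        if "bpdu-protection" not in opts:
            issues.append("bpdu-protection missing")
        if p not in loop:
            issues.append("loop-protect missing")
        if issues:
            findings[p] = issues
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, "1-23"))
```

Uplinks, firewall ports and inter-switch links are left out of the edge-port range passed in, so they are never flagged.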
