Solved

BPDU Filter with Portfast

Posted on 2014-10-27
251 Views
Last Modified: 2014-10-30
If I understand correctly, when applying BPDU Filter on an interface it blocks sending/receiving BPDUs.

However I am trying to understand the point behind configuring at the Global Configuration level:
SW1(config)#spanning-tree portfast bpdufilter default
SW1(config)#spanning-tree portfast default

Thanks
0
Comment
Question by:jskfan
52 Comments
 
LVL 50

Accepted Solution

by:
Don Johnston earned 251 total points
ID: 40407607
It makes all access ports operate as portfast (and enables BPDU filter).  So you don't have to set that parameter in interface configuration mode.  If you've got a 48-port switch and 47 of the ports are access ports connecting to end stations, it eliminates having to apply that command to those 47 ports.
0
 

Author Comment

by:jskfan
ID: 40407638
To enable portfast on all ports, I guess we can just type:
SW1(config)#spanning-tree portfast default

Why should we type:
SW1(config)#spanning-tree portfast bpdufilter default
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40407665
Because you want BPDU filter on those ports with portfast enabled.
0
 

Author Comment

by:jskfan
ID: 40407717
What I meant if we just use this command by itself:
SW1(config)#spanning-tree portfast default

This will keep the switch from going through the Blocking, Listening and Learning states.

So what flavor will this command below add to it:
SW1(config)#spanning-tree portfast bpdufilter default
0
 
LVL 26

Expert Comment

by:Predrag Jovic
ID: 40407791
bpdufilter
That command will add functionality: if at some moment someone attaches a switch to one of the ports configured with portfast, when a BPDU is received on that interface it will immediately enter the errdisabled state. It is a loop prevention mechanism, since interfaces in portfast (STP disabled) mode go directly from blocking to forwarding.

On trunk interfaces you just add
SW1(config-if)#no spanning-tree portfast
SW1(config-if)#no spanning-tree bpdufilter
and you are good to go.
0
 

Author Comment

by:jskfan
ID: 40408197
I know that sometimes, for instance when computers boot into PXE mode, configuring Portfast on the switch is helpful.
However, I thought when Portfast is configured (STP is disabled), so even if another switch is plugged into a port that's configured with Portfast, nothing will happen as STP is disabled.
0
 

Author Comment

by:jskfan
ID: 40408236
I could be wrong in the last statement...
Switches send BPDUs, but PCs do not, so when PCs are plugged in, Portfast is active; when a switch is plugged in, Portfast will be disabled.... So that's when the second command is effective, to turn the port into Error Disabled.
SW1(config)#spanning-tree portfast bpdufilter default
0
 
LVL 50

Assisted Solution

by:Don Johnston
Don Johnston earned 251 total points
ID: 40408288
You are correct that portfast is so the port bypasses the initial listening/learning phase.  That way the port comes up forwarding instead of waiting 30 seconds before it's usable.

But BPDUs will still be sent out those ports (which IMO, is not a bad thing).

But if you don't want BPDUs sent out those ports (which have portfast configured), then you can use the "spanning-tree portfast bpdufilter default" command. That way, any port that is in portfast mode will not send BPDUs.

The alternative to this is to go into interface configuration mode for the ports and apply the commands.

When PCs are plugged in, the Portfast is Active, when a switch is plugged in,  Portfast will be disabled....
No. Portfast just skips the initial listening/learning phase.  Connecting a switch doesn't change that.  Portfast won't be disabled and the port will not go errdisabled.

So that 's when the second command is effective, to turn the port into Error Disabled.
No. The second command simply stops the port from sending BPDUs.
0
 
LVL 26

Expert Comment

by:Predrag Jovic
ID: 40408306
Sorry, I was referring to bpduguard. My bad.
bpdufilter disables STP on the port.
In my exam preparation book the explanation of bpdufilter is very bad.

BPDUguard - Explanation that sounds valid
0
 
LVL 50

Assisted Solution

by:Don Johnston
Don Johnston earned 251 total points
ID: 40408329
BPDUfilter does not "disable" STP.  It just stops the transmission of BPDUs on that port.  This could be interpreted as disabling STP, but it doesn't.

If a BPDU is received on that port, and it's part of a loop, and it's determined to be inferior, the switch will block that port.

But... if the switch at the other end of the link on that port should be blocking, it won't because it hasn't received a BPDU.  Then you've got a bad situation.  Which is why many people think BPDUfilter disables STP on a per port basis.

BTW, I always use BPDUguard on ports that I have portfast configured on.
0
 
LVL 26

Assisted Solution

by:Predrag Jovic
Predrag Jovic earned 187 total points
ID: 40408339
You always should allow STP to run on a switch to prevent loops. However, in special
cases when you need to prevent BPDUs from being sent or processed on one or more
switch ports, you can use BPDU filtering to effectively disable STP on those ports.
Explanation from the book CCNP SWITCH 642-813 Official Certification Guide. But probably one of the things that are badly explained in the book. Wouldn't be the first one.
0
 

Author Comment

by:jskfan
ID: 40408626
Sometimes it is hard to get a grasp of it.

If ports are configured access ports and at the same time as portfast, so even if we connect another switch, it will not form a Trunk.... so why would we worry about adding BPDU Filter or BPDU Guard, etc...?
0
 
LVL 26

Assisted Solution

by:Predrag Jovic
Predrag Jovic earned 187 total points
ID: 40408662
Just for a moment ignore the switch.
Take a LAN cable and put it in 2 ports. - The loop is obvious.
So, the next step is a switch - 2 ports into the same switch with the same settings, portfast and bpdufilter (same thing as above).
Now back to the switch problem.
Next in line is trying to create a redundant network - after a few switches are connected for redundancy the reason for the loop won't be so obvious.

:)
0
 
LVL 50

Assisted Solution

by:Don Johnston
Don Johnston earned 251 total points
ID: 40408673
If ports are configured access ports and at the same time as portfast, so even if we connect another switch, it will not form a Trunk
This is correct.  But even so, using 802.1q trunking, the native VLAN will still be passing traffic on the link.

so why would we worry about adding BPDU Filter or BPDU Guard, etc...?
The original purpose behind BPDU filter was some end stations (IIRC, there were some servers) that were trying to process the BPDUs and creating problems. So BPDUfilter fixed that.  I really can't think of a good reason today to use BPDUfilter as it has the potential to allow a loop to exist.

For BPDUguard, my philosophy is that I configure portfast on ports that connect to end stations and do not connect to switches.  Which means that a switch should never be connected to that port.  So (for me), BPDUguard is an impossible to miss indicator that someone has connected an unauthorized switch.
0
 
LVL 26

Expert Comment

by:Predrag Jovic
ID: 40408702
The original purpose behind BPDU filter was some end stations (IIRC, there were some servers) that were trying to process the BPDU's and creating problems. So BPDUfilter fixed that.
Thanks for the info, I did not know that. This is the first useful use of bpdufilter that I can imagine.
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40408750
To my mind, it's the only useful use. :-)
0
 
LVL 45

Assisted Solution

by:Craig Beck
Craig Beck earned 62 total points
ID: 40409304
IIRC spanning-tree portfast bpdufilter default at the global level will disable sending and receiving of BPDUs only on ports where portfast is also configured.  If you don't configure the portfast option on a specific port it will still process BPDUs.

As for actually using bpdufilter, it can be handy where you need to (let's say temporarily) use an unmanaged switch to provide a connection to a few hosts where only one cable back to the proper network is available.  As you all say, it can cause L2 loops so it should be used with extreme caution in a production network.  I agree with Don too; sending BPDUs even where a PC is connected is never a bad thing.

I also swear by bpduguard.  I'd much rather bounce a port after someone came to tell me that the port stopped working after they connected a switch to it than have to spend hours trying to find the source of a loop and suffer hundreds of people complaining that the network is down.  That's where L3 is your friend though but that's a story for another day :-)
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40409492
IIRC spanning-tree portfast bpdufilter default at global level will disable sending and receiving of BPDUs only on ports where portfast is also configured.
BPDUfilter only affects the transmission of BPDUs. Not receipt or processing.  I tested this years ago when the feature came out.  If the BPDUfilter port receives a BPDU (and the topology requires it), the switch will process the BPDU and block the port.  I believe the only way to prevent the switch from processing an inbound BPDU is to use BPDU guard... But it would kinda have to process it to know to block the port. :-)
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 40409719
I've used bpdufilter extensively to stop switchports from going down when a bpdu is received.  I think I understand what you mean, but it does have the desired effect when receiving BPDUs.

With bpduguard you're telling the switch to disable a port which is configured with portfast when a BPDU is received - bpdufilter tells the switch to ignore BPDUs on the port.  Either method stops the STP topology from being influenced though via that port.
0
 

Author Comment

by:jskfan
ID: 40412081
I have tested that in the LAB.
** if a port is configured with Portfast only (no BPDUFilter or BPDUGuard),
the port on the other switch will show as Root and FWD
** if a port is configured with portfast+BPDUFilter,
the port on the other switch will show as Desg FWD (there is no Root port)
** if a port is configured with portfast+BPDUGuard,
the port will turn into Err-Disabled
the port on the other switch will show Desg FWD



=========================
SW1
e0/0 portfast
e0/0 Desg FWD

SW1#sh interface e0/0 status
Port         Name               Status       Vlan       Duplex  Speed Type
Et0/0                           connected    1            auto   auto unknown

SW2
e0/0 Root FWD
=================================
SW1
e0/0 portfast
E0/0 BPDUFILTER
e0/0 Desg FWD

SW1#sh interface e0/0 status
Port         Name               Status       Vlan       Duplex  Speed Type
Et0/0                           connected    1            auto   auto unknown

SW2
e0/0 Desg FWD (there is no Root port even though SW1 still shows as Root Bridge)
===================================
SW1
e0/0 portfast
E0/0 BPDUGUARD
SW1#sh spanning-tree interface e0/0
no spanning tree info available for Ethernet0/0

SW1#sh interfaces e0/0 status
Port         Name               Status       Vlan       Duplex  Speed Type
Et0/0                           err-disabled 1            auto   auto unknown

SW2
Et0/0               Desg FWD 100       128.1    Shr
SW2#sh interfaces e0/0 status
Port         Name               Status       Vlan       Duplex  Speed Type
Et0/0                           connected    1            auto   auto unknown
0
 

Author Comment

by:jskfan
ID: 40412095
The ambiguous point is when a port is configured with portfast+BPDUFilter.
As you see, the port on the other switch will not show (Root FWD), but will show (Desg FWD).
What does that mean?
0
 

Author Comment

by:jskfan
ID: 40412101
Just for info, there is no trunk configured between the switches, to simulate a rogue switch,
and the connecting interface between both switches is in access mode.
SW1#sh interfaces e0/0 switchport
Name: Et0/0
Switchport: Enabled
Administrative Mode: static access
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40412112
Well, the behavior depends ENTIRELY on the topology. To speak intelligently (and accurately) about this, we would need to see the topology.

That said, If a switch port does not receive a BPDU, there's no way that port will be a root port.  Becoming a root port requires receiving a superior BPDU.  When BPDUfilter is enabled on the other switch, the BPDU doesn't get sent so the switch that would have received the BPDU puts the port in designated mode.
0
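
The election rule described above (a port becomes a root port only after hearing a superior BPDU, and a bpdufilter port never sends one) can be modelled directly. The following is an added example written for this thread, not code from the original page or from Cisco: it packs and parses the 35-byte 802.1D Configuration BPDU, applies the standard's comparison order (root ID, then root path cost, sender bridge ID, port ID), and replays the three lab cases from the thread on a single SW1 to SW2 link. Assumptions not in the thread: the constructed bridge MACs, treating one hello interval as a round with a 10-round max age, a flat port cost of 100, and modelling an interface-level bpdufilter port as dropping received BPDUs (the behaviour the IOS warning quoted later in the thread describes). Listening/learning states are not modelled since they do not change the final port roles.

```python
"""Two-switch model of 802.1D Configuration BPDU exchange over one cable, with
bpdufilter or bpduguard on the SW1 end (added example, not Cisco code)."""
import struct

# 802.1D Configuration BPDU, 35 bytes: proto(2) ver(1) type(1) flags(1) rootID(8)
# rootPathCost(4) bridgeID(8) portID(2) msgAge/maxAge/hello/fwdDelay (2 each, 1/256 s)
BPDU_FMT = ">HBBB8sI8sHHHHH"
BPDU_LEN = struct.calcsize(BPDU_FMT)   # 35
MAX_AGE_ROUNDS = 10                    # 20 s max age / 2 s hello (assumed timing)
PORT_COST = 100                        # 10 Mb/s Ethernet, as in the thread's Et0/0

def bridge_id(priority, mac):
    """8-byte bridge ID: 2-byte priority (32769 = 32768 + VLAN 1), then the MAC."""
    return struct.pack(">H", priority) + bytes.fromhex(mac.replace(".", ""))

def build_bpdu(root, cost, sender, port_id):
    return struct.pack(BPDU_FMT, 0, 0, 0, 0, root, cost, sender, port_id,
                       0, 20 * 256, 2 * 256, 15 * 256)

def parse_bpdu(raw):
    f = struct.unpack(BPDU_FMT, raw[:BPDU_LEN])      # raises on a short frame
    if f[0] != 0 or f[2] != 0:
        raise ValueError("not an 802.1D Configuration BPDU")
    return {"root": f[4], "cost": f[5], "sender": f[6], "port": f[7]}

def is_superior(a, b):
    """Lower root ID wins, then lower path cost, sender bridge ID, port ID."""
    key = lambda i: (i["root"], i["cost"], i["sender"], i["port"])
    return key(a) < key(b)

class Port:
    def __init__(self, bpdufilter=False, bpduguard=False):
        self.bpdufilter, self.bpduguard, self.errdisabled = bpdufilter, bpduguard, False
        self.info, self.age = None, 0      # best BPDU info heard here, and its age

class Switch:
    def __init__(self, priority, mac):
        self.bid, self.ports = bridge_id(priority, mac), {}

    def root_port(self):
        """Port holding the best received info whose root beats our own bridge ID."""
        best, best_name = None, None
        for name, p in self.ports.items():
            if p.info and p.info["root"] < self.bid:
                cand = dict(p.info, cost=p.info["cost"] + PORT_COST)
                if best is None or is_superior(cand, best):
                    best, best_name = cand, name
        return best_name

    def root_id(self):
        rp = self.root_port()
        return self.ports[rp].info["root"] if rp else self.bid

    def role(self, name):
        if self.ports[name].errdisabled:
            return "err-disabled"
        return "Root FWD" if name == self.root_port() else "Desg FWD"

    def transmit(self, name):
        """BPDU a designated port sends each hello; None when the port stays silent."""
        p, rp = self.ports[name], self.root_port()
        if p.errdisabled or p.bpdufilter or name == rp:
            return None
        cost = self.ports[rp].info["cost"] + PORT_COST if rp else 0
        return build_bpdu(self.root_id(), cost, self.bid, 0x8001)   # Prio.Nbr 128.1

    def receive(self, name, raw):
        p = self.ports[name]
        if p.errdisabled or p.bpdufilter:  # filter: frame dropped, never processed
            return
        if p.bpduguard:                    # guard: any BPDU err-disables the port
            p.errdisabled, p.info = True, None
            return
        info = parse_bpdu(raw)
        if p.info is None or not is_superior(p.info, info):
            p.info, p.age = info, 0        # store (or refresh) the better info

    def tick(self):
        """One hello interval passes; drop info not refreshed within max age."""
        for p in self.ports.values():
            p.age += 1
            if p.age > MAX_AGE_ROUNDS:
                p.info = None

def run_link(sw_a, pa, sw_b, pb, rounds=15):
    """Exchange hellos over one cable; return both port roles and whether the two
    switches agree on who the root bridge is."""
    for _ in range(rounds):
        a_out, b_out = sw_a.transmit(pa), sw_b.transmit(pb)
        if a_out: sw_b.receive(pb, a_out)
        if b_out: sw_a.receive(pa, b_out)
        sw_a.tick(); sw_b.tick()
    return sw_a.role(pa), sw_b.role(pb), sw_a.root_id() == sw_b.root_id()

def lab():
    """The thread's three cases. SW1 gets the lower (constructed) MAC, so it wins
    the root election whenever SW2 can actually hear it."""
    results = {}
    for case, flt, grd in (("portfast", False, False),
                           ("portfast+bpdufilter", True, False),
                           ("portfast+bpduguard", False, True)):
        sw1, sw2 = Switch(32769, "aabb.cc00.0100"), Switch(32769, "aabb.cc00.0200")
        sw1.ports["e0/0"], sw2.ports["e0/0"] = Port(bpdufilter=flt, bpduguard=grd), Port()
        results[case] = run_link(sw1, "e0/0", sw2, "e0/0")
    return results
```

`lab()` returns, per case, SW1's role, SW2's role and whether both switches name the same root. With portfast only, SW2's port ends up Root FWD under SW1; with bpdufilter on SW1, SW2 never hears a superior BPDU, so it keeps itself as root and its port stays Desg FWD, which is the two-root-bridges condition; with bpduguard, SW1's port goes err-disabled on the first BPDU from SW2 and SW2's stored root information ages out, leaving SW2's port Desg FWD as in the lab output above.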
 

Author Comment

by:jskfan
ID: 40412114
simple topology:
b
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40412129
Here's a more important test. Issue a "show spanning-tree vlan 1" (please don't post the full output) and look at the bridge status.  I think (depending on where you apply the BPDUfilter command) that you may see two root bridges... Which is not a good thing. :-)
0
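
A check for the condition just raised (two switches each reporting themselves as root for the same VLAN). This is an added example for this thread, not code from the page or from Cisco: it parses the text of `show spanning-tree vlan 1` in the layout IOS prints it and reports every VLAN in which more than one switch says "This bridge is the root". The sample outputs are constructed to match the thread's lab (SW1 with bpdufilter on Et0/0 and SW2 on the far end, then the healthy portfast-only case); collecting the text from each switch is left to whatever you already use.

```python
"""Find VLANs where more than one switch claims to be the STP root, from the
text of `show spanning-tree vlan N` on each switch (added example for this
thread; the sample outputs below are constructed, not captured)."""
import re

VLAN_RE = re.compile(r"^VLAN(\d+)\s*$")
ADDR_RE = re.compile(r"^\s+Address\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})", re.I)
PORT_RE = re.compile(r"^(\S+)\s+(Root|Desg|Altn|Back)\s+(FWD|BLK|LRN|LIS|LBK)\b")

def parse_show_spanning_tree(text):
    """{vlan: {"root": mac, "bridge": mac, "is_root": bool, "ports": {name: (role, sts)}}}"""
    vlans, cur, section = {}, None, None
    for line in text.splitlines():
        m = VLAN_RE.match(line)
        if m:
            cur = vlans.setdefault(int(m.group(1)),
                                   {"root": None, "bridge": None, "is_root": False, "ports": {}})
            section = None
            continue
        if cur is None:
            continue
        stripped = line.lstrip()
        if stripped.startswith("Root ID"):
            section = "root"          # next Address line is the root's MAC
        elif stripped.startswith("Bridge ID"):
            section = "bridge"        # next Address line is this switch's MAC
        if "This bridge is the root" in stripped:
            cur["is_root"] = True
        m = ADDR_RE.match(line)
        if m and section:
            cur[section] = m.group(1).lower()
        m = PORT_RE.match(line)
        if m:
            cur["ports"][m.group(1)] = (m.group(2), m.group(3))
    return vlans

def split_roots(outputs):
    """outputs: {switch_name: show text}. Returns {vlan: [switches]} for every
    VLAN in which more than one switch reports 'This bridge is the root'."""
    claims = {}
    for sw, text in outputs.items():
        for vlan, info in parse_show_spanning_tree(text).items():
            if info["is_root"]:
                claims.setdefault(vlan, []).append(sw)
    return {v: sorted(s) for v, s in claims.items() if len(s) > 1}

# Constructed sample: SW1 with bpdufilter on Et0/0 (both ends stay Desg FWD).
SW1_OUT = """\
SW1#show spanning-tree vlan 1

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     aabb.cc00.0100
             This bridge is the root

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     aabb.cc00.0100

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et0/0               Desg FWD 100       128.1    Shr
"""
# SW2 never hears SW1's BPDUs, so it prints itself as root with the same layout.
SW2_FILTERED_OUT = SW1_OUT.replace("SW1#", "SW2#").replace("aabb.cc00.0100", "aabb.cc00.0200")

# Healthy case (portfast only on SW1): SW2 learns SW1 is the root via Et0/0.
SW2_NORMAL_OUT = """\
SW2#show spanning-tree vlan 1

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     aabb.cc00.0100
             Cost        100
             Port        1 (Ethernet0/0)

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     aabb.cc00.0200

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et0/0               Root FWD 100       128.1    Shr
"""

if __name__ == "__main__":
    print("bpdufilter case:", split_roots({"SW1": SW1_OUT, "SW2": SW2_FILTERED_OUT}))
    print("portfast case:  ", split_roots({"SW1": SW1_OUT, "SW2": SW2_NORMAL_OUT}))
```

`split_roots` returns `{1: ["SW1", "SW2"]}` for the bpdufilter pair and an empty dict for the healthy pair. Two switches that are cabled together but both claim root for the same VLAN have no STP relationship over that link, which is exactly the state a second cable between them would turn into a loop.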
 

Author Comment

by:jskfan
ID: 40412133
Don,

After I have applied BPDUGuard, e0/0 is not in STP, it is in Err-Disabled
so show spanning-tree vlan 1 will not make any sense.
I may need to revert back to BPDUFilter
0
 

Author Comment

by:jskfan
ID: 40412138
Don,
After I reverted the configuration back to BPDUfilter:
SW1#sh spanning-tree interface vlan 1
no spanning tree info available for Vlan1
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40412140
After I have applied BPDUGuard , the e0/0 is not in STP, it is in Err-Disabled
Of course... because it received a BPDU. That's what it's supposed to do.

Look, first drop back to the basics.  It sounds like you're trying to understand advanced STP topics before you've got the basics.  So before you try to get a handle on things like BPDUfilter, BPDUguard, rootguard, you need to understand what spanning-tree is doing.

Put together a basic three switch network connected in a triangle.  Understand why one switch is a root and why some ports get blocked.  Then you can start playing with tuning and tweaks.

But most important: NEVER USE PORTFAST ON AN INTERFACE THAT CONNECTS TO ANOTHER SWITCH. You're asking for trouble when you head down that road.
0
 

Author Comment

by:jskfan
ID: 40412152
But most important: NEVER USE PORTFAST ON AN INTERFACE THAT CONNECTS TO ANOTHER SWITCH. You're asking for trouble when you head down that road.

I was simulating a rogue switch...
meaning if a port is configured as an access port, but an end user brings and plugs in a switch instead of a PC
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40412155
Well then that's where BPDUguard saves the day.  And as you saw, it kills the port... Until you discipline the unruly miscreant that would dare connect an unauthorized switch. ;-)
0
 

Author Comment

by:jskfan
ID: 40412156
going back to BPDUfilter if ports from both switches are showing Desg /Fwd.
there is  Root/Fwd port.

Does that mean SW1 and SW2 cannot communicate ?
0
 

Author Comment

by:jskfan
ID: 40412215
sorry .....
I meant there is no  Root/Fwd port.
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40412243
Not sure what you're asking.
0
 

Author Comment

by:jskfan
ID: 40412272
what I was asking:

The ambiguous point is when a port is configured with portfast+BPDUFilter on SW1
 
the port connecting to it from SW2 does  not show (Root FWD), but shows (Desg FWD)
 What does that mean  ?
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40412376
Which switch is the root?
0
 

Author Comment

by:jskfan
ID: 40412655
SW1 is the root
0
 
LVL 26

Expert Comment

by:Predrag Jovic
ID: 40412665
the port connecting to it from SW2 does  not show (Root FWD), but shows (Desg FWD)
Of course SW1 is root, and Don Johnston knew that. I guess he wanted you to find out yourself. :)
On the root bridge all ports are designated ports.
Root ports on other switches point in the root bridge's direction.
0
 

Author Comment

by:jskfan
ID: 40412683
In normal situation.
Root Switch ports going to other switches are Desg/Fwd
and other switches connected to the root switch are Root/Fwd


However when I configured on the Root Switch interface:
SW1:
e0/0 portfast
e0/0 BPDUFILTER
the e0/0 shows normal: e0/0 Desg FWD

on SW2:
the interface is showing:
e0/0 Desg FWD

What I wanted to point out is there is no Root/Fwd port on SW2
0
 
LVL 26

Expert Comment

by:Predrag Jovic
ID: 40412692
So, both switches are root bridge since there's no BPDU transmitting because BPDUFILTER is applied. STP cannot elect a root bridge without BPDUs; each switch believes it is (and is) the root bridge, because the switches don't know that the other switch exists on their network. That's how a potential loop in the network is created with BPDUFILTER.
0
 

Author Comment

by:jskfan
ID: 40412699
<<So, both switches are root bridge >>
you are correct..

which command will show that there is a loop ?
0
 
LVL 26

Expert Comment

by:Predrag Jovic
ID: 40412713
Until you connect another interface from one switch to the other there is no loop.
When you do that you will see that the lights on the switches go mad, and show processes cpu will show you the CPU skyrocketing.

#show processes cpu

CPU utilization for five seconds: X%/Y%; one minute: Z%; five minutes: W%
  PID  Runtime(ms)  Invoked  uSecs    5Sec   1Min   5Min TTY Process

and of course you need some traffic for loop :)
0
 

Author Comment

by:jskfan
ID: 40412728
I wonder what the goal of Cisco was in coming up with the BPDUFILTER command
if all it does is create a loop?
0
 
LVL 26

Expert Comment

by:Predrag Jovic
ID: 40412732
One of earlier post from above

Don Johnston
The original purpose behind BPDU filter was some end stations (IIRC, there were some servers) that were trying to process the BPDU's and creating problems. So BPDUfilter fixed that.
0
 

Author Comment

by:jskfan
ID: 40412738
<<<So BPDUfilter fixed that.>>>
How did it fix that, if it creates loop ?
0
 

Author Comment

by:jskfan
ID: 40412743
by the way I added another interface between SW1 and SW2, then ran show processes cpu; there is no really high spike:
 SW1#sh processes cpu sorted
CPU utilization for five seconds: 0%/0%; one minute: 0%; five minutes: 0%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
 146         648     58263         11  0.07%  0.05%  0.02%   0 RADIUS          
   1         108         4      27000  0.00%  0.00%  0.00%   0 Chunk Manager
0
 
LVL 26

Assisted Solution

by:Predrag Jovic
Predrag Jovic earned 187 total points
ID: 40412749
You need traffic for a loop :) one PC on switch one and another on switch 2.
I had my experience with a network loop. It is not nice to see switches go into disco mode. :)

And BPDU filter fixes the described problem because it is not a switch on the bpdufiltered port - it is a host on that port. That's the point, and that's why Cisco gives you a warning when you issue bpdufilter on a port.
Warning: Ports enabled with bpdu filter will not send BPDUs and drop all received BPDUs. You may cause loops in the bridged network if you misuse this feature.
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 40412759
Bpdufilter doesn't cause a loop... It allows a loop to be present.  The only thing that causes a loop is plugging a link in to another switch which already has a path to the same switch.  If a connected switch has only one path to the network there is no loop.

If we connect a 3rd party switch we may need bpdufilter to ensure that their STP deployment doesn't interfere with ours, for example.  If we use bpduguard we can't connect the switch at all as the port will go down.  Again, doing this doesn't cause a loop - it only allows the potential for one.
0
 

Author Comment

by:jskfan
ID: 40412772
<<<The original purpose behind BPDU filter was some end stations (IIRC, there were some servers) that were trying to process the BPDU's and creating problems. So BPDUfilter fixed that.>>>>
OK, I guess I understand part of it: if servers are sending BPDUs do not forward the traffic to the root.... (Will this still create a loop?)

if a switch is plugged in, then let it behave normally (assuming that BPDU Filter is configured globally).

It is too risky to configure BPDUfilter at the interface level... unless we are 100% sure workstations are plugged into the interface... (I wonder if those servers sending BPDUs get plugged in, what will happen in this case? Will this create a loop?)
0
 

Author Comment

by:jskfan
ID: 40412810
BPDUGuard is relatively easy to understand as it puts the port in Err-Disabled if it receives BPDUs... this is good to configure with portfast for end stations.

BPDUFilter is like telling the end device, if you are a workstation then I am not sending BPDUs to you; if you are a switch then I will receive and send BPDUs...

I tried it the hard way, because I applied BPDUFilter at the interface level.... instead of globally
0
 

Author Closing Comment

by:jskfan
ID: 40412863
Thank you so much Guys!
0
 
LVL 26

Expert Comment

by:Predrag Jovic
ID: 40412877
OK , I guess I understand part of it : if servers are sending BPDUs do not forward the traffic to the root....(Will this still creates a Loop?)
Servers do not send BPDUs, there is no need for BPDUs on end devices.
To have a loop you need redundant links that are not blocked.
Also if devices send and receive BPDUs there will not be a loop; devices will first elect a root bridge and then create a loop free topology. That was the reason for creating STP in the first place.
0
 

Author Comment

by:jskfan
ID: 40413579
In case servers that Don mentioned are connected:
 
Don Johnston
 The original purpose behind BPDU filter was some end stations (IIRC, there were some servers) that were trying to process the BPDU's and creating problems. So BPDUfilter fixed that.
0
