BPDU Filter with Portfast

If I understand correctly, applying BPDU Filter on an interface blocks sending/receiving BPDUs.

However I am trying to understand the point behind configuring at the Global Configuration level:
SW1(config)#spanning-tree portfast bpdufilter default
SW1(config)#spanning-tree portfast default

Thanks
jskfan Asked:
Don Johnston (Instructor) Commented:
It makes all access ports operate as portfast (and enables BPDU filter).  So you don't have to set that parameter in interface configuration mode.  If you've got a 48-port switch and 47 of the ports are access ports connecting to end stations, it eliminates having to apply that command to those 47 ports.
0

jskfan (Author) Commented:
To enable portfast on all ports, I guess we can just type:
SW1(config)#spanning-tree portfast default

Why should we type:
SW1(config)#spanning-tree portfast bpdufilter default
0
Don Johnston (Instructor) Commented:
Because you want BPDU filter on those ports with portfast enabled.
0
jskfan (Author) Commented:
What I meant is, if we just use this command by itself:
SW1(config)#spanning-tree portfast default

This will keep the switch from going through the Blocking, Listening, Learning states.

So what flavor will this command below add to it:
SW1(config)#spanning-tree portfast bpdufilter default
0
JustInCase Commented:
bpdufilter
That command will add functionality: if at some moment someone attaches a switch to one of the ports configured with portfast, when a BPDU is received on that interface it will immediately enter the Errdisabled state. It is a loop prevention mechanism, since interfaces in portfast (STP disabled) mode go directly from blocking to forwarding.

On trunk interfaces you just add
SW1(config-if)#no spanning-tree portfast
SW1(config-if)#no spanning-tree bpdufilter
and you are good to go.
0
jskfan (Author) Commented:
I know that sometimes, for instance when computers boot into PXE mode, configuring Portfast on the switch is helpful.
However, I thought that when Portfast is configured (STP is disabled), even if another switch is plugged into a port that's configured with Portfast, nothing will happen as STP is disabled.
0
jskfan (Author) Commented:
I could be wrong in the last statement...
Switches send BPDUs, but PCs do not, so when PCs are plugged in, Portfast is active; when a switch is plugged in, Portfast will be disabled.... So that's when the second command is effective, to turn the port into Error Disabled.
SW1(config)#spanning-tree portfast bpdufilter default
0
Don Johnston (Instructor) Commented:
You are correct that portfast is so the port bypasses the initial listening/learning phase.  That way the port comes up forwarding instead of waiting 30 seconds before it's usable.

But BPDUs will still be sent out those ports (which IMO, is not a bad thing).

But if you don't want BPDUs sent out those ports (which have portfast configured), then you can use the "spanning-tree portfast bpdufilter default" command. That way, any port that is in portfast mode will not send BPDUs.

The alternative to this is to go into interface configuration mode for the ports and apply the commands.

"When PCs are plugged in, the Portfast is Active, when a switch is plugged in, Portfast will be disabled...."
No. Portfast just skips the initial listening/learning phase.  Connecting a switch doesn't change that.  Portfast won't be disabled and the port will not go errdisabled.

"So that's when the second command is effective, to turn the port into Error Disabled."
No. The second command simply stops the port from sending BPDUs.
0
JustInCase Commented:
Sorry, I was referring to bpduguard. My bad.
bpdufilter disables STP on the port.
In my book for preparing for the exam, the explanation of bpdufilter is very bad.

BPDUguard - Explanation that sounds valid
0
Don Johnston (Instructor) Commented:
BPDUfilter does not "disable" STP.  It just stops the transmission of BPDUs on that port.  This could be interpreted as disabling STP, but it doesn't.

If a BPDU is received on that port, and it's part of a loop, and it's determined to be inferior, the switch will block that port.

But... if the switch at the other end of the link on that port should be blocking, it won't because it hasn't received a BPDU.  Then you've got a bad situation.  Which is why many people think BPDUfilter disables STP on a per port basis.

BTW, I always use BPDUguard on ports that I have portfast configured on.
0
JustInCase Commented:
"You always should allow STP to run on a switch to prevent loops. However, in special cases when you need to prevent BPDUs from being sent or processed on one or more switch ports, you can use BPDU filtering to effectively disable STP on those ports."
Explanation from the book CCNP SWITCH 642-813 Official Certification Guide. But probably one of the things that are badly explained in the book. Wouldn't be the first one.
0
jskfan (Author) Commented:
Sometimes it is hard to get a grasp of it.

If ports are configured as access ports and at the same time as portfast, then even if we connect another switch, it will not form a trunk.... so why would we worry about adding BPDU Filter or BPDU Guard, etc...?
0
JustInCase Commented:
Just for a moment, ignore the switch.
Take a LAN cable and put it in 2 ports. - The loop is obvious.
So, the next step is a switch - 2 ports into the same switch with the same settings, portfast and bpdufilter (same thing as above).
Now back to the switch problem.
Next in line is trying to create a redundant network - after a few switches are connected for redundancy, the reason for a loop won't be so obvious.

:)
0
Don Johnston (Instructor) Commented:
"If ports are configured access ports and at the same time as portfast, so even if we connect another switch, it will not form a Trunk"
This is correct.  But even so, using 802.1q trunking, the native VLAN will still be passing traffic on the link.

"so why would we worry about adding BPDU Filter or BPDU Guard, etc...?"
The original purpose behind BPDU filter was some end stations (IIRC, there were some servers) that were trying to process the BPDUs and creating problems. So BPDUfilter fixed that.  I really can't think of a good reason today to use BPDUfilter as it has the potential to allow a loop to exist.

For BPDUguard, my philosophy is that I configure portfast on ports that connect to end stations and do not connect to switches.  Which means that a switch should never be connected to that port.  So (for me), BPDUguard is an impossible to miss indicator that someone has connected an unauthorized switch.
0
JustInCase Commented:
"The original purpose behind BPDU filter was some end stations (IIRC, there were some servers) that were trying to process the BPDU's and creating problems. So BPDUfilter fixed that."
Thanks for the info, I did not know that. This is the first useful use of bpdufilter that I can imagine.
0
Don Johnston (Instructor) Commented:
To my mind, it's the only useful use. :-)
0
Craig Beck Commented:
IIRC spanning-tree portfast bpdufilter default at global level will disable sending and receiving of BPDUs only on ports where portfast is also configured.  If you don't configure the portfast option on a specific port it will still process BPDUs.

As for actually using bpdufilter, it can be handy where you need to (let's say temporarily) use an unmanaged switch to provide a connection to a few hosts where only one cable back to the proper network is available.  As you all say, it can cause L2 loops so it should be used with extreme caution in a production network.  I agree with Don too; sending BPDUs even where a PC is connected is never a bad thing.

I also swear by bpduguard.  I'd much rather bounce a port after someone came to tell me that the port stopped working after they connected a switch to it than have to spend hours trying to find the source of a loop and suffer hundreds of people complaining that the network is down.  There's where L3 is your friend though but that's a story for another day :-)
0
Don Johnston (Instructor) Commented:
"IIRC spanning-tree portfast bpdufilter default at global level will disable sending and receiving of BPDUs only on ports where portfast is also configured."
BPDUfilter only affects the transmission of BPDUs. Not receipt or processing.  I tested this years ago when the feature came out.  If the BPDUfilter port receives a BPDU (and the topology requires it), the switch will process the BPDU and block the port.  I believe the only way to prevent the switch from processing an inbound BPDU is to use BPDU guard... But it would kinda have to process it to know to block the port. :-)
0
Craig Beck Commented:
I've used bpdufilter extensively to stop switchports from going down when a bpdu is received.  I think I understand what you mean, but it does have the desired effect when receiving BPDUs.

With bpduguard you're telling the switch to disable a port which is configured with portfast when a BPDU is received - bpdufilter tells the switch to ignore BPDUs on the port.  Either method stops the STP topology from being influenced though via that port.
0
jskfan (Author) Commented:
I have tested that in the LAB.
**if a port is configured with Portfast only(no BPDUFilter or BPDUGuard)
the port on the other Switch will show as Root and FWD
** if a port is configured with portfast+BPDUFilter
the port on the other switch will show as Desg FWD (There is no Root port)
**if a port is configured with portfast+BPDUGuard
the port will turn into Err-Disabled
the port in the other switch will show Desg FWD

=========================
SW1
e0/0 portfast
e0/0 Desg FWD

SW1#sh interface e0/0 status
Port         Name               Status       Vlan       Duplex  Speed Type
Et0/0                           connected    1            auto   auto unknown

SW2
e0/0 Root FWD
=================================
SW1
e0/0 portfast
E0/0 BPDUFILTER
e0/0 Desg FWD

SW1#sh interface e0/0 status
Port         Name               Status       Vlan       Duplex  Speed Type
Et0/0                           connected    1            auto   auto unknown

SW2
e0/0 Desg FWD (there is no Root port even though SW1 still shows as Root Bridge)
===================================
SW1
e0/0 portfast
E0/0 BPDUGUARD
SW1#sh spanning-tree interface e0/0
no spanning tree info available for Ethernet0/0

SW1#sh interfaces e0/0 status
Port         Name               Status       Vlan       Duplex  Speed Type
Et0/0                           err-disabled 1            auto   auto unknown

SW2
Et0/0               Desg FWD 100       128.1    Shr
SW2#sh interfaces e0/0 status
Port         Name               Status       Vlan       Duplex  Speed Type
Et0/0                           connected    1            auto   auto unknown
0
jskfan (Author) Commented:
The ambiguous point is when a port is configured with portfast+BPDUFilter.
As you see, the port on the other switch will not show (Root FWD), but will show (Desg FWD).
What does that mean?
0
jskfan (Author) Commented:
Just for info, there is no trunk configured between the switches, to simulate a rogue switch,
and the connecting interface between both switches is in access mode:
SW1#sh interfaces e0/0 switchport
Name: Et0/0
Switchport: Enabled
Administrative Mode: static access
0
Don Johnston (Instructor) Commented:
Well, the behavior depends ENTIRELY on the topology. To speak intelligently (and accurately) about this, we would need to see the topology.

That said, If a switch port does not receive a BPDU, there's no way that port will be a root port.  Becoming a root port requires receiving a superior BPDU.  When BPDUfilter is enabled on the other switch, the BPDU doesn't get sent so the switch that would have received the BPDU puts the port in designated mode.
0
jskfan (Author) Commented:
simple topology:
0
Don Johnston (Instructor) Commented:
Here's a more important test. Issue a "show spanning-tree vlan 1" (please don't post the full output) and look at the bridge status.  I think (depending on where you apply the BPDUfilter command) that you may see two root bridges... Which is not a good thing. :-)
0
jskfan (Author) Commented:
Don,

After I applied BPDUGuard, e0/0 is not in STP, it is in Err-Disabled,
so show spanning-tree vlan 1 will not make any sense.
I may need to revert back to BPDUFilter.
0
jskfan (Author) Commented:
Don,
After I reverted the configuration back to BPDUfilter:
SW1#sh spanning-tree interface vlan 1
no spanning tree info available for Vlan1
0
Don Johnston (Instructor) Commented:
"After I have applied BPDUGuard, the e0/0 is not in STP, it is in Err-Disabled"
Of course... because it received a BPDU. That's what it's supposed to do.

Look, first drop back to the basics.  It sounds like you're trying to understand advanced STP topics before you've got the basics.  So before you try to get a handle on things like BPDUfilter, BPDUguard, rootguard, you need to understand what spanning-tree is doing.

Put together a basic three switch network connected in a triangle.  Understand why one switch is a root and why some ports get blocked.  Then you can start playing with tuning and tweaks.

But most important: NEVER USE PORTFAST ON AN INTERFACE THAT CONNECTS TO ANOTHER SWITCH. You're asking for trouble when you head down that road.
0
jskfan (Author) Commented:
"But most important: NEVER USE PORTFAST ON AN INTERFACE THAT CONNECTS TO ANOTHER SWITCH. You're asking for trouble when you head down that road."

I was simulating a rogue switch...
meaning if a port is configured as an access port, but the end user brings and plugs in a switch instead of a PC.
0
Don Johnston (Instructor) Commented:
Well then that's where BPDUguard saves the day.  And as you saw, it kills the port... Until you discipline the unruly miscreant that would dare connect an unauthorized switch. ;-)
0
jskfan (Author) Commented:
Going back to BPDUfilter: if the ports on both switches are showing Desg/Fwd,
there is a Root/Fwd port.

Does that mean SW1 and SW2 cannot communicate ?
0
jskfan (Author) Commented:
Sorry.....
I meant there is no Root/Fwd port.
0
Don Johnston (Instructor) Commented:
Not sure what you're asking.
0
jskfan (Author) Commented:
What I was asking:

The ambiguous point is when a port is configured with portfast+BPDUFilter on SW1.

The port connecting to it from SW2 does not show (Root FWD), but shows (Desg FWD).
What does that mean?
0
Don Johnston (Instructor) Commented:
Which switch is the root?
0
jskfan (Author) Commented:
SW1 is the root.
0
JustInCase Commented:
"the port connecting to it from SW2 does not show (Root FWD), but shows (Desg FWD)"
Of course SW1 is root, and Don Johnston knew that. I guess he wanted you to find it out yourself. :)
On the root bridge all ports are designated ports.
Root ports on the other switches point in the root bridge's direction.
0
jskfan (Author) Commented:
In a normal situation:
Root switch ports going to other switches are Desg/Fwd,
and the ports of other switches connected to the root switch are Root/Fwd.


However, when I configured on the Root Switch interface:
SW1:
e0/0 portfast
E0/0 BPDUFILTER
the e0/0 shows normal: e0/0 Desg FWD

On SW2:
the interface is showing:
e0/0 Desg FWD

What I wanted to point out is that there is no Root/Fwd port on SW2.
0
JustInCase Commented:
So, both switches are the root bridge, since there is no BPDU transmission because BPDUFILTER is applied. STP cannot elect a root bridge without BPDUs; each switch believes it is (and is) the root bridge, because the switches don't know that the other switch exists on their network. That's how a potential loop in the network is created with BPDUFILTER.
0
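The two-switch lab posted earlier in this thread (SW1 with the better bridge ID, e0/0 on each side, no trunk) and the root-election rule Don and JustInCase describe can be checked with a small model. This is an added example, not Cisco code and not from any poster; it encodes only the rules stated in the thread: a BPDU-filtered port sends no BPDUs, a BPDU-guarded port that receives one goes err-disabled, and a port becomes a Root port only when it receives a BPDU that beats the switch's own bridge ID. The MAC addresses are constructed, and the assumption that a filtered port still processes inbound BPDUs follows Don's test, not the IOS warning text.

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    """Per-port STP settings on the single link of the lab (e0/0 on each switch)."""
    portfast: bool = False
    bpdufilter: bool = False
    bpduguard: bool = False
    errdisabled: bool = False

@dataclass
class Switch:
    name: str
    priority: int                 # lower wins; 32768 is the IOS default
    mac: str                      # tie-breaker, lower wins (constructed values below)
    port: Port = field(default_factory=Port)

    @property
    def bridge_id(self) -> tuple:
        return (self.priority, self.mac)

def transmits_bpdus(sw: Switch) -> bool:
    """BPDU filter (and an err-disabled port) stops BPDU transmission; the thread agrees on this."""
    return not (sw.port.bpdufilter or sw.port.errdisabled)

def simulate(a: Switch, b: Switch) -> dict:
    """Return {name: (port state, bridge ID the switch believes is root)} for one link."""
    pairs = ((a, b), (b, a))
    # Step 1: BPDU guard. A guarded port offered any BPDU is err-disabled before it
    # can take part in the topology (the lab's "Err-Disabled" result).
    for me, peer in pairs:
        if me.port.bpduguard and transmits_bpdus(peer):
            me.port.errdisabled = True
    # Step 2: root election over the BPDUs that still flow. Assumption taken from
    # Don's test in the thread: a filtered port still processes BPDUs it receives.
    # On a single link the peer's advertised root beats my own ID exactly when the
    # peer's bridge ID does, so comparing bridge IDs is enough here.
    result = {}
    for me, peer in pairs:
        if me.port.errdisabled:
            result[me.name] = ("err-disabled", None)
            continue
        root, state = me.bridge_id, "Desg FWD"
        if transmits_bpdus(peer) and peer.bridge_id < me.bridge_id:
            root, state = peer.bridge_id, "Root FWD"    # superior BPDU received
        result[me.name] = (state, root)
    return result

def lab(sw1_port: Port) -> dict:
    """The thread's lab: SW1 has the better bridge ID; SW2 runs plain STP."""
    sw1 = Switch("SW1", 32768, "0000.0000.0001", sw1_port)
    sw2 = Switch("SW2", 32768, "0000.0000.0002")
    return simulate(sw1, sw2)

def believed_roots(result: dict) -> set:
    """Distinct root bridge IDs in the result; more than one means STP has been split."""
    return {root for _, root in result.values() if root is not None}

if __name__ == "__main__":
    for label, port in (("portfast only", Port(portfast=True)),
                        ("portfast + bpdufilter", Port(portfast=True, bpdufilter=True)),
                        ("portfast + bpduguard", Port(portfast=True, bpduguard=True))):
        r = lab(port)
        print(f"{label:22} SW1={r['SW1'][0]:13} SW2={r['SW2'][0]:13} roots={len(believed_roots(r))}")
```

The filter case is the one to watch: both switches end up believing they are root, which is exactly the "two root bridges" condition Don asked the poster to look for.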
jskfan (Author) Commented:
<<So, both switches are root bridge >>
You are correct..

Which command will show that there is a loop?
0
JustInCase Commented:
Until you connect another interface from one switch to the other there is no loop.
When you do that you will see that the lights on the switches go mad, and show processes cpu will show you the CPU skyrocketing.

#show processes cpu

CPU utilization for five seconds: X%/Y%; one minute: Z%; five minutes: W%
  PID  Runtime(ms)  Invoked  uSecs    5Sec   1Min   5Min TTY Process

and of course you need some traffic for a loop :)
0
jskfan (Author) Commented:
I wonder what Cisco's goal was in coming up with the BPDUFILTER command,
if all it does is create loops?
0
JustInCase Commented:
One of the earlier posts from above:

Don Johnston
The original purpose behind BPDU filter was some end stations (IIRC, there were some servers) that were trying to process the BPDU's and creating problems. So BPDUfilter fixed that.
0
jskfan (Author) Commented:
<<<So BPDUfilter fixed that.>>>
How did it fix that, if it creates a loop?
0
jskfan (Author) Commented:
By the way, I added another interface between SW1 and SW2, then ran show processes cpu; there is no really high spike:
SW1#sh processes cpu sorted
CPU utilization for five seconds: 0%/0%; one minute: 0%; five minutes: 0%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
 146         648     58263         11  0.07%  0.05%  0.02%   0 RADIUS          
   1         108         4      27000  0.00%  0.00%  0.00%   0 Chunk Manager
0
JustInCase Commented:
You need traffic for a loop :) one PC on switch 1 and another on switch 2.
I had my experience with a network loop. It is not nice to see switches go into disco mode. :)

And BPDU filter fixes the described problem because it is not a switch on the bpdufiltered port - it is a host on that port. That's the point, and because of that Cisco gives you a warning when you issue bpdufilter on a port:
Warning:Ports enabled with bpdu filter will not send BPDUs and drop all received BPDUs. You may cause loops in the bridged network if you isuse this feature.
0
Craig Beck Commented:
Bpdufilter doesn't cause a loop... It allows a loop to be present.  The only thing that causes a loop is plugging a link in to another switch which already has a path to the same switch.  If a connected switch has only one path to the network there is no loop.

If we connect a 3rd party switch we may need bpdufilter to ensure that their STP deployment doesn't interfere with ours, for example.  If we use bpduguard we can't connect the switch at all as the port will go down.  Again, doing this doesn't cause a loop - it only allows the potential for one.
0
jskfan (Author) Commented:
<<<The original purpose behind BPDU filter was some end stations (IIRC, there were some servers) that were trying to process the BPDU's and creating problems. So BPDUfilter fixed that.>>>>
OK, I guess I understand part of it: if servers are sending BPDUs, do not forward the traffic to the root.... (Will this still create a loop?)

If a switch is plugged in, then let it behave normally (assuming that BPDU Filter is configured globally).

It is too risky to configure BPDUfilter at the interface level... unless we are 100% sure workstations are plugged into the interface... (I wonder, if those servers sending BPDUs get plugged in, what will happen in this case? Will this create a loop?)
0
jskfan (Author) Commented:
BPDUGuard is relatively easy to understand as it puts the port in Err-Disabled if it receives BPDUs... it is good to configure it with portfast for end stations.

BPDUFilter is like telling the end device: if you are a workstation then I am not sending BPDUs to you; if you are a switch then I will receive and send BPDUs...

I tried it the hard way, because I applied BPDUFilter at the interface level.... instead of globally.
0
jskfan (Author) Commented:
Thank you so much Guys!
0
JustInCase Commented:
"OK, I guess I understand part of it: if servers are sending BPDUs do not forward the traffic to the root.... (Will this still create a Loop?)"
Servers do not send BPDUs; there is no need for BPDUs on end devices.
To have a loop you need redundant links that are not blocked.
Also, if devices send and receive BPDUs there will not be a loop; the devices will first elect a root bridge and then create a loop-free topology. That was the reason for creating STP in the first place.
0
jskfan (Author) Commented:
In case the servers that Don mentioned are connected:

Don Johnston
"The original purpose behind BPDU filter was some end stations (IIRC, there were some servers) that were trying to process the BPDU's and creating problems. So BPDUfilter fixed that."
0