Solved

Usage of BPDUFilter at the interface level

Posted on 2016-07-19
Last Modified: 2016-07-23
If I understand correctly, when BPDUFilter is configured globally on a switch (SW1), it will disable STP; if someone plugs a switch in on the other side, then SW1 will receive BPDUs and turn STP back on as normal...nothing risky...

If BPDUFilter is configured at the interface level of SW1, then if someone plugs a switch into the port of SW1 where BPDUFilter was configured, it might create a loop..

I do not understand why BPDUFilter does not create a loop at the global level, but can create a loop when configured at the interface level?
And in which circumstances is BPDUFilter configured at the interface level, since it can create a loop..

Thank you
0
Question by:jskfan
8 Comments
 
LVL 9

Expert Comment

by:Ian Arakel
ID: 41720256
BPDU Filtering at the global level will work with PortFast interfaces, and simply kick them out of PortFast if a BPDU is received.

BPDU Filtering configured at the interface level will COMPLETELY stop sending/receiving BPDUs, and if you plug in two switches then you may have a loop because they don't 'see' each other as a problem.

Ideally, as per my understanding, configuring BPDU filter at the interface level could be recommended in areas where you are cocksure in terms of security measures (physical level/access level), where you do not expect an end user to connect an access switch to an end port.
0
 

Author Comment

by:jskfan
ID: 41720315
Not clear...
The way I understand it is to configure BPDUFilter at the global level.
That way, if an unexpected plugged-in switch participates in STP, then BPDUFILTER will be turned off and the switch will go through LIS/LRN/FWD....It is still risky if there is no hard-coded root switch in the network and the new switch has the highest BID in the network.

OR
configure the switch globally with PortFast + BPDUGUARD.
That way:
If an unexpected switch that does not speak STP is plugged in, then it will not create a loop problem.
If an unexpected switch that does speak STP is plugged in, then the port will turn into err-disabled.
0
 
LVL 9

Accepted Solution

by: Ian Arakel (earned 500 total points)
ID: 41720884
Hi there,

Refer to the below link.

https://networkingnerd.net/2010/11/23/calm-before-the-storm-bpduguard-bpdufilter/

The practical use of BPDU filter is quite limited.
The recommended way is to use BPDU guard with the error-disabled recovery option.
0
 

Author Comment

by:jskfan
ID: 41722073
Contrary to the books, which say that when BPDUFILTER + PORTFAST are configured globally and a BPDU is received, BPDUFILTER and PORTFAST will be turned off and STP will do its job in the normal way, in the lab I did not see STP transitioning any port to Root and others to BLK.

I tested BPDUFILTER globally in the lab:
SW2 interfaces e0/0 and e2/2 configured as access ports, then I shut them down.
I configured on SW2 globally:
spanning-tree portfast default
spanning-tree portfast bpdufilter default

Then I brought up E0/0 and E2/2.
I noticed all interfaces on SW2 and SW1 are in FWD state, which means there is a LOOP.

SW1#sh span

VLAN0001
  Spanning tree enabled protocol rstp
  Root ID    Priority    32769
             Address     aabb.cc00.0100
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     aabb.cc00.0100
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et0/0               Desg FWD 100       128.1    Shr
Et0/1               Desg FWD 100       128.2    Shr
Et0/2               Desg FWD 100       128.3    Shr
Et0/3               Desg FWD 100       128.4    Shr
Et1/0               Desg FWD 100       128.5    Shr
Et1/1               Desg FWD 100       128.6    Shr
Et1/2               Desg FWD 100       128.7    Shr
Et1/3               Desg FWD 100       128.8    Shr

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------

Et2/0               Desg FWD 100       128.9    Shr
Et2/1               Desg FWD 100       128.10   Shr
Et2/2               Desg FWD 100       128.11   Shr
Et2/3               Desg FWD 100       128.12   Shr




SW2#sh span

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     aabb.cc00.0200
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     aabb.cc00.0200
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et0/0               Desg FWD 100       128.1    Shr Edge
Et0/1               Desg FWD 100       128.2    Shr Edge
Et0/2               Desg FWD 100       128.3    Shr Edge
Et0/3               Desg FWD 100       128.4    Shr Edge
Et1/0               Desg FWD 100       128.5    Shr Edge
Et1/1               Desg FWD 100       128.6    Shr Edge
Et1/2               Desg FWD 100       128.7    Shr Edge
Et1/3               Desg FWD 100       128.8    Shr Edge

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------

Et2/0               Desg FWD 100       128.9    Shr Edge
Et2/1               Desg FWD 100       128.10   Shr Edge
Et2/2               Desg FWD 100       128.11   Shr Edge
Et2/3               Desg FWD 100       128.12   Shr Edge


0
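The lab post above compares two "show spanning-tree" outputs by eye. As an added example (not code from this thread), the Python below parses that output format and flags the symptom the thread discusses: two connected switches that each claim to be the root, which means BPDUs are not being exchanged and redundant links will loop. The sample strings are constructed, trimmed copies of the lab outputs.

```python
import re
from dataclasses import dataclass

# Per-port rows of Cisco "show spanning-tree": interface, role, state.
PORT_RE = re.compile(r"^(\S+)[ \t]+(Desg|Root|Altn|Back)[ \t]+(FWD|BLK|LRN|LIS|DIS)\b", re.M)

@dataclass
class StpView:
    bridge: str  # this switch's Bridge ID MAC
    root: str    # the Root ID MAC it believes in
    ports: list  # (interface, role, state) tuples

    def claims_root(self):
        return self.bridge == self.root

def parse_show_spanning_tree(text):
    # Root ID / Bridge ID addresses sit on the line after "Priority".
    root = re.search(r"Root ID\s+Priority\s+\d+\s+Address\s+(\S+)", text).group(1)
    bridge = re.search(r"Bridge ID\s+Priority[^\n]*\n\s+Address\s+(\S+)", text).group(1)
    return StpView(bridge, root, [m.groups() for m in PORT_RE.finditer(text)])

def assess(views):
    """views: {switch_name: StpView}. Returns findings; an empty list is healthy."""
    findings = []
    if len({v.root for v in views.values()}) > 1:
        findings.append("switches disagree on the root bridge: BPDUs are not being "
                        "exchanged (BPDU filter?), so redundant links will loop")
    for name, v in views.items():
        if not v.claims_root() and "Root" not in {r for _, r, _ in v.ports}:
            findings.append(f"{name}: not the root but has no Root port")
    return findings

# Constructed samples, trimmed to two ports each from the lab outputs above.
SW1_LAB1 = """VLAN0001
  Root ID    Priority    32769
             Address     aabb.cc00.0100
  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     aabb.cc00.0100
Et0/0               Desg FWD 100       128.1    Shr
Et2/2               Desg FWD 100       128.11   Shr
"""
SW2_LAB1 = SW1_LAB1.replace("aabb.cc00.0100", "aabb.cc00.0200")  # both claim root
SW2_LAB2 = """VLAN0001
  Root ID    Priority    32769
             Address     aabb.cc00.0100
  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     aabb.cc00.0200
Et0/0               Root FWD 100       128.1    Shr
Et2/2               Altn BLK 100       128.11   Shr
"""
```

Running `assess` on SW1_LAB1 with SW2_LAB1 reproduces the first lab's loop finding; with SW2_LAB2 (the second lab, Root and BLK ports present) it returns nothing.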
 
LVL 9

Expert Comment

by:Ian Arakel
ID: 41722879
Hi there,

Just one confusion.
Is the lab working properly, or is there a bug?
How can both switches become the ROOT?
0
 

Author Comment

by:jskfan
ID: 41723441
It is not a bug...
I said there seems to be a switching loop.
If you have 2 switches connected with 2 links and there is no Root port and no BLK port, with all ports on both switches FWDing..it means there is a loop...

Books and articles did not say that...
They say that if you configure PortFast + BPDUFilter globally, then if the switch receives BPDUs it just turns off PortFast and BPDUFilter, and the STP calculation will occur normally. Which means that on the switch which is not the root there should be one port BLK and one port as Root (FWD).

The root switch will have all ports FWD.
0
 

Author Comment

by:jskfan
ID: 41725595
I have redone the same lab.
This time, I see SW2 has BLK and Root ports.
Something was wrong during the first lab.
0
 

Author Closing Comment

by:jskfan
ID: 41725596
Thanks
0
