12 Replies Latest reply: Dec 20, 2012 8:58 AM by jgmarr

    STP PortFast, BPDU Guard and BPDU Filter

    Harris

      Hello,

      If I'm correct, if PortFast is enabled on a port, STP is still running and detects bridging loops. The only difference is that the port starts in forwarding state directly. If a switch is connected to the port and a loop is formed, the port will be blocked. So, why do we really need BPDU Guard?

      Also, by enabling BPDU filter on a port, you effectively disable STP completely on the port. Even if you know that a specific port will never be connected to another switch and therefore it's impossible to cause a loop, what is the gain from disabling STP on the port? Can anyone give me an example where BPDU filter is needed?

      Thanks.

        • 1. Re: STP PortFast, BPDU Guard and BPDU Filter
          Martin

          I think the reason for BPDU Guard over PortFast is an additional layer of protection and security; BPDU Guard will put the port into error-disabled mode, where the admin will have to re-enable the port (shutdown and no shut).

          The PortFast feature, as you said, puts the port into blocking mode.

          The port will be back in forwarding mode when BPDUs stop.

          Recently I did a test on this subject: https://learningnetwork.cisco.com/docs/DOC-13582

          Reasons for BPDU filter are security, by protecting the layer 2 topology, and reducing unnecessary traffic.

          Some useful links are:

          https://learningnetwork.cisco.com/message/153796#153796

          https://learningnetwork.cisco.com/message/188876#188876

          • 2. Re: STP PortFast, BPDU Guard and BPDU Filter
            Marek

            > The PortFast feature, as you said, puts the port into blocking mode.

            > The port will be back in forwarding mode when BPDUs stop.

            Is this really the case? I thought the port would just lose its PortFast state and move normally through the listening/learning/forwarding states?

            • 3. Re: STP PortFast, BPDU Guard and BPDU Filter
              Sp33doMcGee

              The PortFast feature will immediately move a port to the forwarding state, without having it first go through the listening and learning phases. This is a feature to be placed on edge ports connected to hosts, to speed up the time it takes to bring them to a forwarding state.

              It is prudent to use it in conjunction with BPDU Guard. This is because, since the PortFast port doesn't go through the listening and learning states, it can later on begin sending superior BPDUs or BPDUs of any kind, potentially from an end user hooking up a Linksys or other DHCP device; this can and usually does cause spanning tree events and bridging loops.

              When you place BPDU Guard on the port along with PortFast, you enable the immediate transition to forwarding state while protecting it from potential bridging loops: if a BPDU is received on the port, it will be placed into an error-disabled state and need to be manually re-enabled.

              • 4. Re: STP PortFast, BPDU Guard and BPDU Filter
                Brian

                Yes, this really is the case. However, I do think there is some confusion as to what happens to a PortFast-enabled port when it receives a BPDU. Upon receipt of a BPDU on a PortFast-enabled port, the port will immediately lose its PortFast feature. This does not mean that the port will show PortFast disabled in the "show spanning-tree summary" output. Rather, it means it will act as a normal STP port and transition through the STP states, and will eventually end up in either a blocking state or a forwarding state.

                If the BPDUs that were arriving on the port were "non-superior" BPDUs, the port would transition to the blocking state. Once these BPDUs stop, the port would recover and again participate in PortFast.

                If the BPDUs that were arriving on the port were "superior" BPDUs (meaning a lower bridge priority), then the port would transition to the forwarding state. This can cause a permanent STP recalculation throughout your switch network.

                Enabling BPDU Guard in addition to PortFast will prevent bridging loops and/or topology changes from happening, because upon receipt of BPDUs (superior or not), the BPDU Guard feature immediately err-disables the port, and it must manually be re-enabled.

                Hope this helps.

                Brian

                • 5. Re: STP PortFast, BPDU Guard and BPDU Filter
                  Harris

                  Thanks for the answers! But what about BPDU Filter? The only reasons I can think of for someone to completely disable a port from sending and receiving BPDUs are either to create a Layer-2 loop on purpose, or maybe because another problem is caused by forwarding BPDUs through a specific link. I can't see how this is increasing security or performance!

                  • 6. Re: STP PortFast, BPDU Guard and BPDU Filter
                    Martin

                    Right, for now I would stick with whatever the books say (Cisco Press books).

                    I have failed to get the same results as my test above on a rental rack;

                    I haven't got the inconsistent port message, and PortFast never came back.

                    I will check my home test again (run a 3rd time) to see what's going on;

                    maybe it depends on IOS versions and/or BPDU.

                    • 7. Re: STP PortFast, BPDU Guard and BPDU Filter
                      Shahin

                      Hi Brian,

                      You have written:

                      > If the BPDUs that were arriving on the port were "non-superior" BPDUs, the port would transition to the blocking state. Once these BPDUs stop, the port would recover and again participate in PortFast.

                      > If the BPDUs that were arriving on the port were "superior" BPDUs (meaning a lower bridge priority), then the port would transition to the forwarding state. This can cause a permanent STP recalculation throughout your switch network.

                      Can you please explain in the below given scenario:

                      Because in both cases (superior & inferior BPDU) I found the PortFast port in forwarding state.

                      Please help me out to come out of this puzzle.

                      Thanks

                      Shahin..

                      • 8. Re: STP PortFast, BPDU Guard and BPDU Filter
                        Vijay

                        PortFast is enabled only on ports which would be connected to end hosts. End hosts are things like PCs, printers, etc.; these devices are not likely to cause switching loops, so the ports are always kept in forwarding state.

                        If PF is enabled on a link connecting to a switch, then depending upon where PF is enabled, the port would either lose its PF status and start operating as a normal STP port, or you are at risk of causing switching loops.

                        HTH,

                        -Vijay

                        • 9. Re: STP PortFast, BPDU Guard and BPDU Filter
                          Bogdan

                          I believe the reason for using BPDU filtering is twofold:

                          1. There is no need for STP traffic to consume the bandwidth on links that connect to host-like devices. Also, those devices do not need the additional burden of processing unnecessary STP traffic. (In this respect it has a similar purpose to the "passive interface" command of routing protocols.)

                          2. As was mentioned in the Cisco books, some security experts advise against the use of STP (an opinion that Cisco does not share, since the benefits outweigh the possible issues in the general case). However, in order to reduce this security problem, disabling STP advertisements (in a controlled manner, as I explain below) on ports you know are connected to host devices is an improvement.

                          There are two modes of operation for BPDU filtering:

                          a. When enabled globally: it affects all PortFast-enabled ports; at the receipt of a BPDU, that port loses both options and becomes a normal port. This is 100% safe to use.

                          b. When enabled per interface: the port just ignores BPDUs and does not transmit BPDUs. With this option I share your concern, and I guess it should be used only for testing or connecting to fixed devices like servers.
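                          The three behaviours discussed in Brian's reply (#4) and Bogdan's reply (#9) side by side as an added IOS configuration example, not posted by any participant here; the interface names, VLAN number and recovery interval are constructed placeholders.

```cisco
! Edge port hardened with PortFast + BPDU Guard (the combination Brian recommends).
! A received BPDU, superior or not, err-disables the port instead of letting the
! port silently join the STP topology.
interface GigabitEthernet1/0/10
 description single-host access port (constructed example)
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Same protection applied to every PortFast port at once, so a port that is
! later added without the per-interface line is still covered.
spanning-tree portfast bpduguard default
!
! Optional: bring a bpduguard-disabled port back automatically after 300 s
! instead of waiting for a manual shutdown / no shutdown. Leave this out if
! you want the err-disable to stay visible until an admin looks at it.
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! Bogdan's case (a): global BPDU filter. Only PortFast ports stop sending BPDUs,
! and a BPDU that does arrive drops the port back to normal STP operation.
spanning-tree portfast bpdufilter default
!
! Bogdan's case (b): per-interface BPDU filter. The port neither sends nor
! processes BPDUs, so a loop through this port is invisible to STP. Reserve it
! for a link that can only ever reach one device (the single-link case jgmarr
! describes) and never combine it with bpduguard on the same interface, as the
! filter discards the BPDU before the guard can see it.
interface GigabitEthernet1/0/11
 description fixed server link, no second path (constructed example)
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
! Verification after a BPDU has been seen on Gi1/0/10:
!   show spanning-tree summary                          (PortFast/BPDU Guard/Filter status)
!   show interfaces status err-disabled                 (port listed with reason bpduguard)
!   show spanning-tree interface GigabitEthernet1/0/10 detail
!   show errdisable recovery                            (timer state if recovery is enabled)
```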

                          • 10. Re: STP PortFast, BPDU Guard and BPDU Filter
                            jgmarr

                            Hi,

                            Another reason to disable STP (bpdufilter) could be to avoid TCNs being introduced by customers.

                            Let's suppose the ISP is running MST and the customers' switches are running RSTP (the customers' switches could be Alcatel, Huawei, ..., not managed by the ISP).

                            ISP MST runs RSTP (IST 0), so topology changes are detected as traditional.

                            Then, every time there is a TCN change inside the customers' networks, the switches detect a TCN in IST 0, which will be introduced inside the ISP network.

                            Enabling PortFast does not help, as explained above, because once a BPDU is received on the port, the port loses its condition.

                            In this case, to avoid TCNs getting into your network from a switch where you know for sure there is no possibility of a loop (just one link), you could consider disabling STP.

                            The following link explains some details about TCNs and how they can impact the performance of the network.

                            http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a0080094797.shtml#traffic

                            Regards.

                            • 11. Re: STP PortFast, BPDU Guard and BPDU Filter
                              Bogdan

                              As a side note to the original topic, but connected to the reply from jgmarr: is it the case that the connection between customer and ISP is layer 2? In my mind, I've always assumed that such a connection would be layer 3. I do not have much experience in this area, so maybe someone can shed light on this.

                              • 12. Re: STP PortFast, BPDU Guard and BPDU Filter
                                jgmarr

                                Hi Bogdan,

                                Let's refer to downstream switches over which we do not have administration and from which we are receiving lots of TCNs, as it is more general and avoids confusion.

                                Regards.