7 Replies Latest reply: Jun 1, 2010 12:14 PM by Ed Diaz

    Why BPDU filter


      BCMSN certification guide says this:


      You always should allow STP to run on a switch to prevent loops. However, in special cases when you need to prevent BPDUs from being sent or processed on one or more switch ports, you can use BPDU filtering to effectively disable STP on those ports.



      What are these special cases?

        • 1. Re: Why BPDU filter

          For example, on ports connecting to IP phones. There will be a trunk to the switch, but no BPDUs are expected.


          Generally speaking, BPDU Guard would be preferable as it errdisables the port. However, BPDU Filter and BPDU Guard can be used on ports that trunk but do not expect BPDUs.

          • 2. Re: Why BPDU filter



            A rogue switch with a lower priority (BID) could easily be connected to a supposedly access-only interface of your network and eventually become the root switch. In this particular case you would disable/filter Hello BPDUs on certain interfaces of your switch. If you know that no other switch is to be connected to a specific port of your switch, it's a good idea to configure it as an access-only interface and enable BPDU Guard.



            • 3. Re: Why BPDU filter



              Thanks for your responses.


              I think the answers are more about replacing BPDU filter with guard. We can even enable both BPDU guard and filter on an interface at the same time. So it is not really a replacement. I have searched a lot but did not find those special cases yet. Can someone explain some additional benefits?

              • 4. Re: Why BPDU filter
                Nick Adams

                You would use bpdufilter when you want a switch plugged into your network but you don't want it participating in spanning tree.


                An example is this: an office environment where someone needs another network drop under their desk but you don't have the time/budget to run a new line for now. You, the netadmin, sanction a small switch but you don't want it to break spanning tree.


                The switch you have lying around for this task is a simple unmanaged switch and will only have one uplink into your network, so you put bpdufilter on your switch port.


                bpduguard would see the BPDU from the simple switch and err-disable the port, which isn't what you want.

                • 5. Re: Why BPDU filter

                  Thanks Nick, you have enlightened me.


                  I can now imagine somebody introducing a switch in a big datacenter. He doesn't want to disturb STP during business hours and would rather do it in a weekend maintenance window. This can also be the case when you introduce a switch for a week or so for a seminar, etc.


                  Now, would you filter BPDUs on portfast ports to stop the additional processing burden on the CPUs of both hosts and switches? Moreover, are there any security concerns if a BPDU reaches a rogue host (not a switch), like DTP spoofing?



                  • 6. Re: Why BPDU filter
                    Nick Adams

                    In order to allow immediate transition of the port into forwarding state, enable the STP PortFast feature. PortFast immediately transitions the port into STP forwarding mode upon linkup. The port still participates in STP. So if the port is to be a part of the loop, the port eventually transitions into STP blocking mode.


                    Use care when entering the spanning-tree bpdufilter enable command. Enabling BPDU filtering on an interface is approximately equivalent to disabling the spanning tree for this interface. It is possible to create bridging loops if this command is not correctly used.


                    It doesn't give any indication whether the BPDU filtering is ingress, egress, or both. I suppose the more secure approach for rogue systems would be to shut all unused ports. On the active access ports, turn on portfast, port-security, bpduguard, and dhcpguard.


                    If somehow a rogue system gets STP information and begins to spoof a root bridge, bpduguard/filter will stop it from digging back in.

                    • 7. Re: Why BPDU filter
                      Ed Diaz

                      BPDU filter applied globally will allow you to cascade switches on a portfast port without causing loops. Once the port receives a BPDU, it drops the portfast status and allows the cascaded switch to participate in spanning-tree. A better way to protect your STP topology is using "spanning-tree guard root" on the ports facing down from your root bridge.


                      A good example of a per-port bpdu filter would be HP Virtual Connect switches. They don't participate in STP at all, so no BPDUs are ever expected.
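As an added illustration (not code from this thread or from any Cisco tool), the script below parses a constructed IOS-style running-config excerpt and flags the two edge-port situations the replies discuss: a port with bpdufilter enabled, which effectively disables STP on that port, and a portfast access port that lacks bpduguard and so would not err-disable on a rogue BPDU. The interface names and configuration lines are constructed samples.

```python
# Constructed IOS-style running-config excerpt (not from the thread), mixing the
# settings discussed in the replies: portfast, bpduguard, bpdufilter, guard root.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
interface GigabitEthernet1/0/2
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable
interface GigabitEthernet1/0/3
 switchport mode access
 spanning-tree portfast
interface GigabitEthernet1/0/24
 switchport mode trunk
 spanning-tree guard root
"""

def parse_interfaces(config):
    """Map each interface name to the set of indented lines under it."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = set()
        elif current is not None and line.startswith(" "):
            interfaces[current].add(line.strip())
        else:
            current = None  # '!' or a top-level command ends the block
    return interfaces

def audit(config):
    """Flag edge-port STP settings that weaken loop or rogue-switch protection."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        issues = []
        portfast = "spanning-tree portfast" in lines
        guard = "spanning-tree bpduguard enable" in lines
        if "spanning-tree bpdufilter enable" in lines:
            issues.append("bpdufilter: STP effectively disabled on this port")
        if "switchport mode access" in lines and portfast and not guard:
            issues.append("portfast access port without bpduguard")
        if issues:
            findings[name] = issues
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports Gi1/0/2 and Gi1/0/3 and leaves the guarded access port and the root-guarded trunk alone.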