50 Replies. Latest reply: Mar 3, 2015 2:27 PM by Jordan

    bpduguard Vs bpdufilter

    shams_dos

      Hello,

       

      I am wondering why you would want to implement BPDU guard on a live network, taking into consideration that the port will be put in errdisable state.

       

      Is it not better to just use bpdufilter on the interface and disregard any BPDU?

       

      Please let me know if bpduguard adds any more functionality than what you obtain from bpdufilter when enabled on a port.

       

      Regards//

        • 1. Re: bpduguard Vs bpdufilter
          Conwyn

          Hi Shams

           

          It is nice to know you are being attacked.

           

          Regards Conwyn

          • 2. Re: bpduguard Vs bpdufilter
            Scott Morris - CCDE/4xCCIE/2xJNCIE

            With BPDU Filter, it will ignore in/out BPDUs. So you COULD end up with a loop in your network. Way not cool.

             

            BPDU Guard on the other hand will alert you to that mistake/mayhem and will shut down the port instead of letting the loop shut down your network!

             

            HTH,

             

            Scott

            • 3. Re: bpduguard Vs bpdufilter
              shams_dos

              Thanks guys,

               

              Scott,

               

              I understand that you are alerted to a mistake/mayhem by using bpduguard; can you paint a picture of how a loop can occur?

               

              If I am right, if you enable bpduguard or bpdufilter on an interface you in effect also enable portfast. If this is the case you would only enable these features on an interface connected to a host and not expect BPDUs on the interface. If you receive a BPDU and filter it out on this interface, I don't see a loop building up (in theory).

               

              Let me hear from you.

               

              regards//

              • 4. Re: bpduguard Vs bpdufilter
                Scott Morris - CCDE/4xCCIE/2xJNCIE

                Well, part of that depends on how/where you implement it!

                 

                BPDU Filtering at the global level will work with Portfast interfaces, and simply kick them out of portfast if a BPDU is received.

                BPDU Filtering configured on the interface level will COMPLETELY stop sending/receiving BPDUs, and if you plug in two switches then you may have a loop because they don't 'see' each other as a problem.

                 

                HTH,

                 

                Scott

                • 5. Re: bpduguard Vs bpdufilter
                  Marius

                  Hi Scott,

                   

                  Can you explain your previous statement to me:

                   

                  "if you plug in two switches then you may have a loop because they don't 'see' each other as a problem."

                   

                  Is this scenario what you meant:

                   

                     1. Let's say there is a network jack on the wall labeled jack A123 which is connected to port A on switch A, which is only designed for a host (not a switch),
                     2. Into jack A123, we plug switch B
                     3. Connect a port on switch B to another jack on the wall, B123, which is connected to port B on switch A

                   

                       -------- Switch A ------
                      |                        |
                      |                        |
                  Jack A123              Jack B123
                      |                        |
                      |                        |
                       -------- Switch B ------

                   

                  Also, if we disable BPDUs, does it mean that spanning tree is disabled and the risk is that we cannot prevent the loop?

                  Does loop guard solve this problem ?

                   

                  Please explain..

                   

                   

                  Thanks,

                   

                  Marius Cuanda

                  • 6. Re: bpduguard Vs bpdufilter
                    uraymo

                    I think you are overthinking this one.

                     

                    No diagrams required. Just read and think about what is being said.

                     

                    If you put BPDU filter on an interface it will stop all STP BPDUs from being sent and received. STP is a loop prevention mechanism, so without this protection you will have a loop IF the physical topology has a loop.

                     

                     

                    It is really that simple.

                    • 7. Re: bpduguard Vs bpdufilter
                      Marius

                      Hi Uraymo,

                       

                      Below is what Scott said:

                       

                      Well, part of that depends on how/where you implement it!

                       

                      BPDU Filtering at the global level will work with Portfast interfaces, and simply kick them out of portfast if a BPDU is received.

                      BPDU Filtering configured on the interface level will COMPLETELY stop send/receive BPDU, and if you plug in two switches then you may have a loop because they don't 'see' each other as a problem.

                       

                      HTH,

                       

                      Scott

                       

                       

                      "If you plug in two switches then you may have a loop because they don't 'see' each other as a problem".

                       

                      Well, it's not that simple.

                      This situation happened in my network, where one person plugged 2 ports into 2 different jacks like I illustrated in the diagram above and created a loop and high CPU on the core router (which could crash the router).


                      In this case, enabling BPDU guard will cause a problem because the switches "do not see each other" (like Scott mentioned), because it does not send BPDU messages in order to avoid looping, and there is no blocking port.

                       

                      BPDU guard is only good to prevent someone plugging one switch port into the jack where this switch has a lower root bridge ID/priority, because it will become the "Root Bridge" and everything will point to the root bridge, changing the reference point and the traffic and causing a network outage.

                       

                      Thanks.

                       



                      • 8. Re: bpduguard Vs bpdufilter
                        bridgepartners

                        If you know that a port is connected to a set of switches on a remote site (via a single layer 2 WAN link, for example) is it then reasonable to set BPDU filtering on that port? It would be impossible to loop back to the main core, although it would be possible for a loop to exist on the remote site.

                        • 9. Re: bpduguard Vs bpdufilter
                          Steven Williams

                          So when an interface is set to BPDU filter it will not send or receive BPDU messages to try and reconfigure the spanning tree topology, but with BPDU guard it will see BPDU messages being sent on an access interface and shut it down so that the spanning tree topology can't be recalculated. I am having a hard time understanding what the difference is. Unless you are saying that with BPDU filter there can still be a loop on your layer 2 network because, even though BPDUs are not being sent or received and it's not adjusting spanning tree, the port is still up and accepting other traffic that could loop. When BPDU guard is on that is not possible because it just shuts the port down. What about devices that do not send out BPDUs? I think there are some low-end switches that probably do not send BPDUs that could cause a loop and not be detected, or no? What about hubs?

                          • 10. Re: bpduguard Vs bpdufilter
                            Steven Williams

                            Anything more on this topic?

                            • 11. Re: bpduguard Vs bpdufilter
                              Justin G. Mitchell - CCIE #28160

                              bpdufilter essentially stops spanning-tree from working on the interface. It doesn't send BPDUs and doesn't expect to receive any. Ideally you are going to put this on host port interfaces. It can cause loops. It doesn't process BPDUs.

                               

                              bpduguard is meant to go on a Portfast-enabled port leading to a host as well. It shuts down the port when a switch is connected to the port and sends BPDUs to it. This way if a user connects an unauthorized device in their cubicle you'll know about it.

                              • 12. Re: bpduguard Vs bpdufilter
                                Steven Williams

                                So why even use bpdufilter? Why not just use bpduguard?

                                • 13. Re: bpduguard Vs bpdufilter
                                  Justin G. Mitchell - CCIE #28160

                                  bpduguard doesn't stop the port from sending BPDUs. It cuts down on traffic being sent by the switch when you use bpdufilter.
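
The behaviours argued over in posts 4, 5, 9 and 13 above (global vs. interface-level BPDU filter, BPDU guard err-disabling a port, and what happens when the device behind the jacks does not originate BPDUs) can be checked against each other with a small state model. The script below is an added illustration and is not code from this thread or from Cisco; it is a deliberate simplification (no STP timers, the handful of BPDUs a globally filtered port still sends at link-up is ignored, and "loop survives" is defined by the model's own rule: two ports still up with at least one of them forwarding outside STP). The IOS commands in the comments are real Catalyst commands; the port names Gi1/0/1 and Gi1/0/2, the Mode/State/Device names and the "BPDU sink" device type are this model's assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum
from itertools import permutations


class Mode(Enum):
    """Protection configured on a PortFast access port of switch A."""
    NONE = "portfast only"
    GUARD = "bpduguard"                  # spanning-tree bpduguard enable
                                         # (or globally: spanning-tree portfast bpduguard default)
    FILTER_GLOBAL = "bpdufilter (global)"        # spanning-tree portfast bpdufilter default
    FILTER_INTERFACE = "bpdufilter (interface)"  # spanning-tree bpdufilter enable


class State(Enum):
    FORWARDING = "forwarding"   # PortFast edge port, STP not acting on it
    STP = "normal STP"          # PortFast withdrawn; STP will block a redundant path
    ERRDISABLED = "err-disabled"


class Device(Enum):
    """What was plugged into both wall jacks (model's own taxonomy, an assumption)."""
    STP_SWITCH = "switch running STP"      # originates its own BPDUs
    TRANSPARENT = "hub / dumb switch"      # floods BPDUs it receives, originates none
    BPDU_SINK = "device that drops BPDUs"  # hypothetical: neither originates nor floods


@dataclass
class Port:
    name: str
    mode: Mode
    state: State = State.FORWARDING
    log: list = field(default_factory=list)

    def sends_bpdus(self) -> bool:
        """Guard never stops transmission; a filter does until the port falls back to STP."""
        if self.state is State.ERRDISABLED:
            return False
        return self.mode in (Mode.NONE, Mode.GUARD) or self.state is State.STP

    def receive_bpdu(self, origin: str) -> None:
        if self.state is State.ERRDISABLED:
            return
        if self.mode is Mode.FILTER_INTERFACE:
            self.log.append(f"BPDU from {origin} dropped; port stays forwarding")
        elif self.mode is Mode.GUARD:
            self.state = State.ERRDISABLED
            self.log.append(f"BPDU from {origin}: port err-disabled")
        else:  # NONE or FILTER_GLOBAL: PortFast (and the global filter) are withdrawn
            self.state = State.STP
            self.log.append(f"BPDU from {origin}: PortFast lost, STP takes over")


def simulate(ports: list, device: Device) -> bool:
    """Plug every port into the same device; return True if a loop survives.

    Model rule: a loop exists when two or more ports are still up and at least
    one of them forwards outside STP (STP on both ends of both links blocks one).
    """
    if device is Device.STP_SWITCH:
        for p in ports:
            p.receive_bpdu("switch B")
    elif device is Device.TRANSPARENT:
        # switch A's own BPDUs come back in through the other port
        for tx, rx in permutations(ports, 2):
            if tx.sends_bpdus():
                rx.receive_bpdu(f"{tx.name} (reflected)")
    up = [p for p in ports if p.state is not State.ERRDISABLED]
    return len(up) >= 2 and any(p.state is State.FORWARDING for p in up)


def scenario(mode: Mode, device: Device) -> tuple:
    """Two jacks, same protection on both, one device behind them."""
    ports = [Port("Gi1/0/1", mode), Port("Gi1/0/2", mode)]
    loop = simulate(ports, device)
    return loop, [p.state.value for p in ports]


if __name__ == "__main__":
    for mode in Mode:
        for device in Device:
            loop, states = scenario(mode, device)
            print(f"{mode.value:24} + {device.value:24} -> "
                  f"{'LOOP' if loop else 'no loop':8} {states}")
```

Reading the table the script prints: interface-level bpdufilter loops in every scenario because the switch throws away the only evidence it had; bpduguard breaks the loop whenever a BPDU arrives, including the reflected case, because (as post 13 says) a guarded port keeps transmitting its own BPDUs and a hub hands them back; and no BPDU-based feature helps against a device that neither originates nor floods BPDUs. On a real Catalyst, pair bpduguard with `errdisable recovery cause bpduguard` and `errdisable recovery interval <seconds>` so a port does not stay down forever, and check the result with `show spanning-tree summary` and `show interfaces status err-disabled`.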

                                  • 14. Re: bpduguard Vs bpdufilter
                                    Steven Williams

                                    So from a network admin perspective it would make more sense to use bpduguard, as you may not be able to control what your users plug into the ports.
