
58794 Views 44 Replies Latest reply: Mar 26, 2014 9:09 PM by Richard - A+/Network+/CCNA(RS)


bpduguard Vs bpdufilter

Jul 15, 2009 1:34 PM

shams_dos 26 posts since
Jun 3, 2009

Hello,

 

I am wondering why you would want to implement BPDUGUARD on a live network, taking into consideration that the port will be put in errdisable state.

Is it not better to just use bpdufilter on the interface and disregard any BPDU?

Please let me know if bpduguard adds any more functionality than what you obtain from bpdufilter when enabled on a port.

 

Regards//

  • Conwyn 7,914 posts since
    Sep 10, 2008
    1. Jul 15, 2009 1:44 PM (in response to shams_dos)
    Re: bpduguard Vs bpdufilter

    Hi Shams

     

    It is nice to know you are being attacked.

     

    Regards Conwyn

  • Scott Morris - CCDE/4xCCIE/2xJNCIE 8,396 posts since
    Oct 7, 2008
    2. Jul 15, 2009 2:30 PM (in response to shams_dos)
    Re: bpduguard Vs bpdufilter

    With BPDU Filter, it will ignore in/out BPDUs.  So you COULD end up with a loop in your network.  Way not cool.

     

    BPDU Guard on the other hand will alert you to that mistake/mayhem and will shut down the port instead of letting the loop shut down your network!

     

    HTH,

     

    Scott

  • Scott Morris - CCDE/4xCCIE/2xJNCIE 8,396 posts since
    Oct 7, 2008
    4. Jul 15, 2009 3:26 PM (in response to shams_dos)
    Re: bpduguard Vs bpdufilter

    Well, part of that depends on how/where you implement it!

     

    BPDU Filtering at the global level will work with Portfast interfaces, and simply kick them out of portfast if a BPDU is received.

    BPDU Filtering configured on the interface level will COMPLETELY stop send/receive BPDU, and if you plug in two switches then you may have a loop because they don't 'see' each other as a problem.

     

    HTH,

     

    Scott
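
Added example (not part of the thread and not any poster's code): a small Python audit of an IOS-style configuration that flags the two situations this reply distinguishes, interface-level `spanning-tree bpdufilter enable` and PortFast ports left without BPDU Guard. The sample configuration, the function names and the finding strings are constructed for illustration.

```python
# Added example; SAMPLE_CONFIG is constructed, not taken from a real device.
SAMPLE_CONFIG = """\
spanning-tree portfast bpdufilter default
!
interface FastEthernet0/1
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/2
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface FastEthernet0/3
 spanning-tree portfast
"""

def parse(config):
    """Split a config into global lines and {interface name: [lines]}."""
    global_lines, interfaces, current = [], {}, None
    for raw in config.splitlines():
        line, indented = raw.strip(), raw.startswith(" ")
        if line.startswith("interface ") and not indented:
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif indented and current is not None:
            interfaces[current].append(line)    # sub-command of the open interface
        elif line and line != "!" and not indented:
            current = None                      # another top-level command
            global_lines.append(line)
    return global_lines, interfaces

def audit(config):
    """Return sorted (interface, finding) tuples for risky BPDU settings."""
    global_lines, interfaces = parse(config)
    guard_default = "spanning-tree portfast bpduguard default" in global_lines
    findings = []
    for name, lines in interfaces.items():
        portfast = any(l.startswith("spanning-tree portfast")
                       and not l.endswith("disable") for l in lines)
        guard = "spanning-tree bpduguard enable" in lines or (
            guard_default and "spanning-tree bpduguard disable" not in lines)
        if "spanning-tree bpdufilter enable" in lines:
            findings.append((name, "interface bpdufilter: BPDUs not sent or processed"))
        if portfast and not guard:
            findings.append((name, "portfast without bpduguard"))
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(f"{n}: {f}" for n, f in audit(SAMPLE_CONFIG)))
```

The global `spanning-tree portfast bpdufilter default` line is deliberately not flagged, since it is the variant described above as dropping the port out of PortFast when a BPDU arrives.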

  • Marius 2 posts since
    Feb 25, 2009
    Re: bpduguard Vs bpdufilter

    Hi Scott,

     

    Can you explain your previous statement to me:

    "if you plug in two switches then you may have a loop because they don't 'see' each other as a problem."

    Is this scenario what you meant?

       1. Let's say there is a network jack on the wall labeled jack A123, which is connected to port A on switch A, which is only designed for a host (not a switch),
       2. On the jack A123, we plug in switch B
       3. Connect a port on switch B to another jack on the wall, B123, which is connected to port B on switch A

     

        -------- Switch A --------
        |                        |
    Jack A123                Jack B123
        |                        |
        -------- Switch B --------

     

    Also, if we disable BPDU, does it mean that spanning tree is disabled and the risk is that we cannot prevent the loop?

    Does loop guard solve this problem?

     

    Please explain..

     

     

    Thanks,

     

    Marius Cuanda

  • uraymo 37 posts since
    Feb 7, 2009
    6. Feb 15, 2010 6:44 AM (in response to Marius)
    Re: bpduguard Vs bpdufilter

    I think you are overthinking this one.

     

    No diagrams required. Just read and think about what is being said.

    If you put BPDU filter on an interface it will stop all STP BPDUs from being sent and received. STP is a loop prevention mechanism, so without this protection you will have a loop IF the physical topology has a loop.

    It is really that simple.

  • Marius 2 posts since
    Feb 25, 2009
    7. May 15, 2010 10:38 AM (in response to uraymo)
    Re: bpduguard Vs bpdufilter

    Hi Uraymo,

     

    Below is what Scott said:

     

    Well, part of that depends on  how/where you implement it!

    BPDU Filtering at the global level will work with  Portfast interfaces, and simply kick them out of portfast if a BPDU is  received.

    BPDU Filtering configured on the interface level will  COMPLETELY stop send/receive BPDU, and if you plug in two switches then  you may have a loop because they don't 'see' each other as a problem.

    HTH,

    Scott

     

     

    "If you plug in two switches then you may have a loop because they don't 'see' each other as a problem".

     

    Well it's not that simple.

    This situation happened in my network, where 1 person plugged 2 ports into 2 different jacks, like I illustrated in another diagram, and created a loop and high CPU on the core router (which could crash the router).

    In this case, enabling BPDU guard will cause a problem because the switch "does not see each other" (like what Scott mentioned), because it does not send BPDU messages in order to avoid looping, and there is no blocking port.

    BPDU guard is only good for preventing someone from plugging 1 switch port into the jack when this switch has a lower root bridge ID/priority, because it will become a "Root Bridge" and everything will point to the root bridge, changing the reference point and the traffic and causing a network outage.

     

    Thanks.

     



  • bridgepartners 1 posts since
    Mar 10, 2011
    8. Mar 10, 2011 11:30 AM (in response to uraymo)
    Re: bpduguard Vs bpdufilter

    If you know that a port is connected to a set of switches on a remote site (via a single layer 2 WAN link, for example) is it then reasonable to set BPDU filtering on that port? It would be impossible to loop back to the main core, although it would be possible for a loop to exist on the remote site.

  • Steven Williams 3,266 posts since
    Jan 26, 2009
    9. Mar 10, 2011 6:44 PM (in response to bridgepartners)
    Re: bpduguard Vs bpdufilter

    So when an interface is set to BPDU filter it will not send or receive BPDU messages to try and reconfigure the spanning tree topology, but with BPDU guard it will see BPDU messages being sent on an access interface and shut it down so that the spanning tree topology can't be recalculated. I am having a hard time understanding what the difference is. Unless you are saying that with BPDU filter there still can be a loop on your layer 2 network because even though BPDUs are not being sent or received and it's not adjusting spanning tree, the port is still up and accepting other traffic that could loop. When BPDU guard is on, that is not possible because it just shuts the port down. What about devices that do not send out BPDUs? I think there are some low end switches that probably do not send BPDUs that could cause a loop and not be detected, or no? What about hubs?

  • Steven Williams 3,266 posts since
    Jan 26, 2009
    10. Mar 16, 2011 8:40 AM (in response to Steven Williams)
    Re: bpduguard Vs bpdufilter

    Anything more on this topic?

  • Justin G. Mitchell - CCIE #28160 166 posts since
    Jun 26, 2008
    11. Mar 16, 2011 11:04 AM (in response to Steven Williams)
    Re: bpduguard Vs bpdufilter

    bpdufilter essentially stops spanning-tree from working on the interface. Doesn't send BPDUs and doesn't expect to receive any. Ideally you are going to put this on host port interfaces. It can cause loops. It doesn't process BPDUs.

    bpduguard is meant to go on a Portfast enabled port leading to a host as well. It shuts down the port when a switch is connected to the port and sends BPDUs to it. This way if a user connects an unauthorized device in their cubicle you'll know about it.

  • Steven Williams 3,266 posts since
    Jan 26, 2009
    Re: bpduguard Vs bpdufilter

    So why even use bpdufilter? Why not just use bpduguard?

  • Justin G. Mitchell - CCIE #28160 166 posts since
    Jun 26, 2008
    13. Mar 16, 2011 12:20 PM (in response to Steven Williams)
    Re: bpduguard Vs bpdufilter

    bpduguard doesn't stop the port from sending BPDUs. Cuts down on traffic being sent by the switch when you use bpdufilter.

  • Steven Williams 3,266 posts since
    Jan 26, 2009
    Re: bpduguard Vs bpdufilter

    So from a network admin perspective it would be more common sense to use bpduguard, as you may not be able to control what your users plug into the ports.
