STP: Mixing PortFast, BPDU Gaurd and BPDU Filter


"PortFast" - PortFast causes a switch or trunk port to enter the spanning tree forwarding state immediately, bypassing the listening and learning states. Globally configuring "spanning-tree portfast default" only applies to access ports. Trunks can be configured with PortFast with the interface command "spanning-tree portfast trunk".

"BPDU Guard" - PortFast BPDU guard prevents loops by moving a nontrunking port into an errdisable state when a BPDU is received on that port. When you enable BPDU guard on the switch, spanning tree shuts down PortFast-configured interfaces that receive BPDUs instead of putting them into the spanning tree blocking state. In a valid configuration, PortFast-configured interfaces do not receive BPDUs. If a PortFast-configured interface receives a BPDU, an invalid configuration exists. BPDU guard provides a secure response to invalid configurations because the administrator must manually put the interface back in service.

"BPDU Filter" - BPDU filtering allows you to avoid transmitting BPDUs on PortFast-enabled ports that are connected to an end system. When you enable PortFast on the switch, spanning tree places ports in the forwarding state immediately, instead of going through the listening, learning, and forwarding states. By default, spanning tree sends BPDUs from all ports regardless of whether PortFast is enabled. BDPU filtering is on a per-switch basis; after you enable BPDU filtering, it applies to all PortFast-enabled ports on the switch.

"Loop Guard" -  STP relies on continuous reception or transmission of BPDUs based on the port role. The designated port transmits BPDUs, and the non-designated port receives BPDUs. When one of the ports in a physically redundant topology no longer receives BPDUs, the STP conceives that the topology is loop free. Eventually, the blocking port from the alternate or backup port becomes designated and moves to a forwarding state. This situation creates a loop. The loop guard feature makes additional checks. If BPDUs are not received on a non-designated port, and loop guard is enabled, that port is moved into the STP loop-inconsistent blocking state, instead of the listening / learning / forwarding state. Without the loop guard feature, the port assumes the designated port role. The port moves to the STP forwarding state and creates a loop.


Access ports

For access ports to end hosts PortFast and BPDU Filer is enough. BPDU Gaurd instead of BPDU filter would be useful on access ports that face another switch or router should the customer form a loop.

Mixing all three on trunks?

Per interface:

interface x/x
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree bpduguard enable

BPDU guard will never kick in because BPDU filter is filtering both the outgoing and incoming BPDUs. This also means that the port can never lose its Portfast status which it would normally do if BPDUs were received inbound. If you remove the filter then BPDU guard will kick in and shutdown the port if a BPDU is received. This is done before the port can lose its Portfast operational state so basically the port will always operate in Porfast operational mode.

PortFast ports still send BPDUs (access or trunk) so global config is likely best for BPDU Filter and BPDU Guard together;

spanning-tree portfast default
spanning-tree portfast bpdufilter default
spanning-tree portfast bpduguard default

The first command enables Portfast on all access ports.. When BPDU filter is applied globally, the switch sends out 11 BPDUs before going silent. Because normally one BPDU is sent out every 2 seconds and the default MaxAge is 20 seconds that means that if there is a device at the other end that can process BPDUs, at least one BPDU would be received when the old BPDU (if there was one) has expired.

If a BPDU is received inbound when BPDU filter is applied globally then the port stops filtering and it will lose its Portfast status.

The BPDU guard default command will only apply to ports that are in a Portfast operational state.

If you combine these three commands together then what will happen is that when a BPDU is received the port loses its BPDU filter, BPDU guard can then kick in. The port will never lose its Portfast operational state because the port is shutdown before.

When applied to the interface BPDU guard can never kick in but if you apply it globally it can.

Previous page: MST over L2TPv3
Next page: 6500/7600 MUX UNI