BPDU Filter

What is BPDU Filter?

By default, ports connected to end-user devices (e.g., PCs, printers) send BPDUs as part of the Spanning Tree Protocol (STP) process. However, in most cases, sending BPDUs on these ports is unnecessary and can expose sensitive STP topology information.

BPDU Filter is an STP feature that disables the sending of BPDUs on such ports, enhancing security and preventing unwanted BPDU exchanges.

Why Disable BPDU Sending?

  • Bandwidth and Processing: While minimal, sending BPDUs consumes bandwidth and processing power.
  • Security Concerns:
    BPDUs contain information about the STP topology. For security reasons, especially for end-user connected ports, it is best to avoid exposing this information.

Real-World Use Case

BPDU Filter can also be applied in another scenario, such as a company merger, where two networks with separate STP topologies are interconnected. In that case, BPDU Filter ensures that BPDUs are not exchanged between the different STP topologies, preserving their independent spanning tree configurations.

This ensures that each network maintains its own spanning tree configuration without sharing or disrupting the other’s topology.

Let’s explore how to configure BPDU Filter to address these scenarios effectively.

2. Configuring BPDU Filter

BPDU Filter Configuration Modes

BPDU Filter can be configured in two ways:

  1. On Individual Ports: Apply BPDU Filter to specific interfaces for precise control over which ports should stop sending BPDUs.
  2. Globally: Enable BPDU Filter across all PortFast-enabled ports on the switch.

3. Enabling BPDU Filter on Individual Ports

Let’s configure BPDU Filter on interface GigabitEthernet0/0 of switch SW3 and SW5 to prevent the exchange of BPDUs between two separate STP topologies.

For SW3 and SW5

  1. Enter interface configuration mode:

SW3(config)# interface g0/0
SW5(config)# interface g0/0

  2. Enable BPDU Filter:

SW3(config-if)# spanning-tree bpdufilter enable
SW5(config-if)# spanning-tree bpdufilter enable

Verify Individual BPDU Filter

SW3# show spanning-tree interface g0/0 detail 
 Port 1 (GigabitEthernet0/0) of VLAN0001 is designated forwarding 
   Port path cost 4, Port priority 128, Port Identifier 128.1.
   Designated root has priority 32769, address 5030.9804.6800
   Designated bridge has priority 32769, address 5030.9804.6800
   Designated port id is 128.1, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default
   Bpdu filter is enabled
   BPDU: sent 63, received 2

The output confirms that BPDU Filter is enabled on GigabitEthernet0/0 of SW3, preventing it from sending and receiving BPDUs.

SW5# show spanning-tree interface g0/0 detail  
 Port 1 (GigabitEthernet0/0) of VLAN0001 is designated forwarding 
   Port path cost 4, Port priority 128, Port Identifier 128.1.
   Designated root has priority 32769, address 5035.7404.6900
   Designated bridge has priority 32769, address 5035.7404.6900
   Designated port id is 128.1, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default
   Bpdu filter is enabled
   BPDU: sent 825, received 63

The output confirms that BPDU Filter is enabled on GigabitEthernet0/0 of SW5, preventing it from sending and receiving BPDUs.

Disabling BPDU Filter on Individual Ports

If you need to disable BPDU Filter on a specific interface, perhaps to re-enable STP functionality or troubleshoot network issues, use the following command:

Switch(config-if)# spanning-tree bpdufilter disable

Effects of Individual BPDU Filter

  • No BPDU Transmission:
    The port will not send BPDUs, reducing unnecessary traffic and preventing the sharing of STP topology information.
  • BPDU Ignorance:
    The port will ignore any BPDUs it receives.
  • STP Disabled on Port:
    WARNING: Enabling BPDU Filter effectively disables STP on the port, which can lead to network loops if not managed carefully. Always ensure that BPDU Filter is only enabled on ports where STP is not required.

4. Configuring BPDU Filter Globally

Now that we’ve learned how to configure BPDU Filter on individual ports, let’s explore how to set it up globally.

Configuring BPDU Filter globally simplifies the process by automatically applying the filter to all PortFast-enabled ports on the switch. This ensures that ports connected to end-user devices, such as PCs and printers, do not send BPDUs.

The first step is to verify that our PortFast-enabled interfaces are correctly configured for end-user devices. Once this is ensured, we can proceed to configure BPDU Filter.

  1. Enable BPDU Filter Globally:

SW1(config)# spanning-tree portfast edge bpdufilter default

This command configures BPDU Filter on all ports that have PortFast enabled, ensuring that these ports do not send BPDUs by default.

Verify Global BPDU Filter

SW1# show spanning-tree int g0/1 detail 
 Port 2 (GigabitEthernet0/1) of VLAN0001 is designated forwarding 
   Port path cost 4, Port priority 128, Port Identifier 128.2.
   Designated root has priority 32769, address 5030.9804.6800
   Designated bridge has priority 32769, address 5030.9804.6800
   Designated port id is 128.2, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port is in the portfast edge mode
   Link type is point-to-point by default
   Bpdu filter is enabled by default
   BPDU: sent 2071, received 0
SW1# show spanning-tree int g0/2 detail  
 Port 3 (GigabitEthernet0/2) of VLAN0001 is designated forwarding 
   Port path cost 4, Port priority 128, Port Identifier 128.3.
   Designated root has priority 32769, address 5030.9804.6800
   Designated bridge has priority 32769, address 5030.9804.6800
   Designated port id is 128.3, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port is in the portfast edge mode
   Link type is point-to-point by default
   Bpdu filter is enabled
   BPDU: sent 870, received 0

These outputs confirm that BPDU Filter is enabled on our interfaces, effectively preventing them from sending BPDUs.
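As an added example (not part of the original page), the following Python audit parses the verification output shown in the individual-port and global sections above. It tells a per-port "Bpdu filter is enabled" apart from the global "enabled by default" (only the latter falls back to normal STP when a BPDU arrives) and flags per-port filters whose counters show BPDUs were still received, as on SW3 and SW5 above. The sample text is constructed from lines of the page's own outputs.

```python
import re
from dataclasses import dataclass
# Constructed sample: lines taken from the page's SW3 g0/0 and SW1 g0/1 output.
SAMPLE = """\
SW3# show spanning-tree interface g0/0 detail
 Port 1 (GigabitEthernet0/0) of VLAN0001 is designated forwarding
   Bpdu filter is enabled
   BPDU: sent 63, received 2
 Port 2 (GigabitEthernet0/1) of VLAN0001 is designated forwarding
   The port is in the portfast edge mode
   Bpdu filter is enabled by default
   BPDU: sent 2071, received 0
"""

@dataclass
class PortStatus:
    port: str
    filter_mode: str = "off"  # "explicit" (per-port) or "global-default"
    portfast: bool = False
    sent: int = 0
    received: int = 0

PORT_RE = re.compile(r"^\s*Port \d+ \(([^)]+)\) of \S+ is ")
COUNT_RE = re.compile(r"BPDU: sent (\d+), received (\d+)")

def parse_show_detail(text: str) -> list[PortStatus]:
    """Parse one or more 'show spanning-tree interface ... detail' blocks."""
    ports: list[PortStatus] = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append(PortStatus(m.group(1)))
            continue
        if not ports:
            continue  # prompt or echo lines before the first port block
        cur, s = ports[-1], line.strip()
        if s == "Bpdu filter is enabled by default":
            cur.filter_mode = "global-default"  # reverts to STP on a BPDU
        elif s == "Bpdu filter is enabled":
            cur.filter_mode = "explicit"  # no fallback: STP is off here
        elif s.startswith("The port is in the portfast"):
            cur.portfast = True
        elif (c := COUNT_RE.search(s)):
            cur.sent, cur.received = int(c.group(1)), int(c.group(2))
    return ports

def audit(ports: list[PortStatus]) -> list[str]:
    """Flag explicit filters that still saw BPDUs: a bridge may be attached."""
    return [f"{p.port}: explicit bpdufilter but {p.received} BPDU(s) received"
            for p in ports if p.filter_mode == "explicit" and p.received > 0]
```

Run `audit(parse_show_detail(SAMPLE))` against pasted output from your own switches; a hit means a port with STP fully disabled has a BPDU-speaking neighbour and deserves a look before a loop forms.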

Effects of Global BPDU Filter

  • BPDU Filter Applied to All PortFast-Enabled Ports:
    All ports with PortFast enabled will no longer send BPDUs, reducing unnecessary traffic and enhancing security.
  • Ports Will Not Send BPDUs:
    By not sending BPDUs, these ports help prevent the leakage of sensitive STP topology information to end-user devices.
  • Fallback Mechanism:
    If a port configured with BPDU Filter receives a BPDU, both PortFast and BPDU Filter are automatically disabled. The port then reverts to a standard STP port to ensure network stability.

5. Conclusion

BPDU Filter is a valuable feature for securing STP topology information and managing BPDU exchanges. When configured correctly, it provides robust security and ensures network stability.

Key Takeaways

  1. Individual Port Mode:
    Use for specific ports with caution to avoid disabling STP unintentionally.
  2. Global Mode:
    Recommended for protecting all PortFast-enabled ports in scenarios where security is a concern.
  3. Fallback Mechanism:
    In global mode, receiving a BPDU reverts the port to normal STP operation.