Since servers normally ignore BPDUs coming from a switch, there is no need to send them to a server port in the first place. To stop a port from sending BPDUs, apply the interface command "spanning-tree bpdufilter enable".
Be aware that this interface-level form also makes the port ignore any BPDU it receives, which effectively switches spanning tree off on that port: a loop through such a port is not detected. The behaviour is different with the global command "spanning-tree portfast bpdufilter default": a PortFast port still sends a few BPDUs at link-up, and if a BPDU is then received on it, the port loses its PortFast status (and the filter) and participates in spanning tree normally.
The network also needs to be protected at all times from an unauthorized device that decides to participate in your spanning-tree topology, either causing a spanning-tree loop or trying to hijack the STP root. The interface command "spanning-tree bpduguard enable" puts the interface into the err-disabled state as soon as a BPDU is received from the connected device.
What happens if you have both bpdufilter and bpduguard enabled on the same interface?
bpdufilter takes precedence: received BPDUs are dropped before bpduguard ever sees them, so bpduguard never triggers. Although bpduguard needs more administrative overhead (an err-disabled port has to be re-enabled manually with shutdown / no shutdown, unless "errdisable recovery cause bpduguard" is configured), it makes your network more secure, so use bpduguard on access ports and do not pair it with bpdufilter on the same interface.
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
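The following audit script is an added example and is not code from the original post. It parses a Cisco IOS running-config (the config text is constructed for the example) and flags the misconfiguration discussed above: interfaces where bpdufilter and bpduguard are both enabled (filter wins, guard never fires), interfaces with bpdufilter alone (no loop protection), and PortFast interfaces with no bpduguard at either interface or global level. It also reports whether "errdisable recovery cause bpduguard" is configured so err-disabled ports come back on their own.

```python
"""Audit a Cisco IOS running-config for STP edge-port protection settings.

Added example, not from the original post. Parses "interface" stanzas and
flags ports where bpdufilter silently overrides bpduguard, ports with only
bpdufilter, and PortFast ports that have no bpduguard at all.
"""

# Constructed sample config for the example; not captured from a real switch.
SAMPLE_CONFIG = """\
!
spanning-tree mode rapid-pvst
!
interface GigabitEthernet1/0/1
 description server-01
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 description server-02
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/3
 description printer
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/48
 description uplink-to-core
 switchport mode trunk
!
"""

FILTER_OVERRIDES_GUARD = "bpdufilter overrides bpduguard: guard never triggers"
FILTER_ONLY = "bpdufilter enable: received BPDUs are silently dropped, no loop protection"
PORTFAST_NO_GUARD = "portfast without bpduguard (interface or global default)"


def parse_config(text):
    """Split IOS config text into (global_lines, {interface_name: [lines]})."""
    global_lines = []
    interfaces = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None  # "!" terminates a stanza in IOS output
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())  # indented = inside stanza
        else:
            current = None
            global_lines.append(line.strip())
    return global_lines, interfaces


def audit(text):
    """Return {interface: [problem strings]} for interfaces that need attention."""
    global_lines, interfaces = parse_config(text)
    global_guard = "spanning-tree portfast bpduguard default" in global_lines
    findings = {}
    for name, lines in interfaces.items():
        cfg = set(lines)
        has_filter = "spanning-tree bpdufilter enable" in cfg
        has_guard = "spanning-tree bpduguard enable" in cfg
        portfast = any(l.startswith("spanning-tree portfast") for l in cfg)
        problems = []
        if has_filter and has_guard:
            problems.append(FILTER_OVERRIDES_GUARD)
        elif has_filter:
            problems.append(FILTER_ONLY)
        # Global bpduguard default only protects PortFast ports, and an
        # interface-level filter would override it anyway.
        if portfast and not has_guard and not (global_guard and not has_filter):
            problems.append(PORTFAST_NO_GUARD)
        if problems:
            findings[name] = problems
    return findings


def has_bpduguard_recovery(text):
    """True if err-disabled bpduguard ports are set to recover automatically."""
    global_lines, _ = parse_config(text)
    return "errdisable recovery cause bpduguard" in global_lines


if __name__ == "__main__":
    for iface, problems in audit(SAMPLE_CONFIG).items():
        for p in problems:
            print(f"{iface}: {p}")
    if not has_bpduguard_recovery(SAMPLE_CONFIG):
        print("note: no 'errdisable recovery cause bpduguard'; ports need manual no shutdown")
```

Run it against the output of "show running-config" saved to a file and feed the text to audit(); every interface it lists is one where a rogue device could either inject BPDUs unchallenged (filter overriding guard, or filter alone) or where a PortFast port has no guard at all.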
Hi,
I enjoyed reading your post. I would just like to clarify on which platforms you saw this behaviour (filter overriding guard). In Nexus terms, 'edge' is the closest thing to portfast, and I want to highlight the fact that when a port is of type 'edge' and filter + guard are enabled together, either both on an interface or both globally, guard still blocks upon receiving a BPDU.
Cheers!
Sandy