---
id: 1779916771-SNCX
aliases:
  - BPDU Guard & BPDU Filter (STP Toolkit)
tags: []
---

# BPDU Guard & BPDU Filter (STP Toolkit)

PortFast makes a port start in the Forwarding state as soon as it is connected, but it does not disable STP on the port.
- The port continues to send BPDUs every 2 seconds.
- Because end hosts don't run STP and don't send BPDUs, a PortFast-enabled port shouldn't receive BPDUs.
- But what if it does? If a PortFast-enabled port receives an STP BPDU, it reverts to acting like a regular STP port (without PortFast).

## BPDU Guard

### The Problem

PortFast should only be enabled on ports connected to non-switch devices (end hosts, routers).
- A PortFast-enabled port still sends BPDUs and will operate like a regular STP port if it receives BPDUs from a neighbor.
- If an end user carelessly connects a switch to a port meant for end hosts, it could affect the STP topology.
- *BPDU Guard* acts as a safeguard against this.

### The Solution

BPDU Guard protects the network from unauthorized switches being connected to ports intended for end hosts.

It can be configured separately from [[PortFast]], but the two features are usually used together. They both enhance STP's functionality on ports intended for end hosts.

A BPDU Guard-enabled port continues to send BPDUs, but if it receives a BPDU it enters the error-disabled state.
- In effect, this disables the port.

### Configuration

Like PortFast, BPDU Guard can be configured in two ways:

per-port:
```Cisco
SW3(config-if)# spanning-tree bpduguard enable
```

default:
```Cisco
SW3(config)# spanning-tree portfast bpduguard default
```

When enabled by default, *BPDU Guard* is activated on **all PortFast-enabled ports**.

Disabling it on a specific port (interface config mode):
```Cisco
SW3(config-if)# spanning-tree bpduguard disable
```

### Errdisable

ErrDisable is a [[Cisco]] switch feature that disables a port under certain conditions, such as a BPDU Guard violation.
More examples are:
- Power Policing violations
- Port Security violations
- DAI (Dynamic ARP Inspection) violations

To re-enable an err-disabled port, *first solve the underlying issue*.
- If you re-enable the port without fixing the issue, it will just be err-disabled again.

You can re-enable an err-disabled port in two ways:
1. Manual: use *shutdown* and *no shutdown* to reset the disabled port.
2. Automatic: *ErrDisable Recovery*

#### ErrDisable Recovery

ErrDisable Recovery is a feature that automatically re-enables err-disabled ports after a certain period of time.

ErrDisable Recovery is disabled by default. To view its status use:
```Cisco
SW1# show errdisable recovery
```

The default recovery timer is 300 seconds (5 minutes).
- err-disabled interfaces will be automatically re-enabled after 5 minutes.

The command to modify the interval (global config mode) is:
```Cisco
SW1(config)# errdisable recovery interval *seconds*
```

To enable ErrDisable Recovery for ports disabled by a particular cause use:
```Cisco
SW1(config)# errdisable recovery cause *cause*
```

## BPDU Filter

### The Problem

A switch port connected to an end host continues sending BPDUs every 2 seconds.
- regardless of whether PortFast and/or BPDU Guard are enabled

If the port doesn't connect to a switch, sending BPDUs is unnecessary and undesirable for a couple of reasons:
1. Sending BPDUs uses some bandwidth and processing power on the switch (although it's minimal).
2. BPDUs contain information about the LAN's STP topology.
   - If maximum security is a concern, you should avoid sending this info to user devices.

BPDU Filter solves this by preventing a port from sending BPDUs.

### The Solution

BPDU Filter stops a port from sending BPDUs.
- Unlike BPDU Guard, it does not disable the port if it receives a BPDU.

BPDU Filter can be enabled in two ways:

per-port:
```Cisco
SW3(config-if)# spanning-tree bpdufilter enable
```
- The port will not send BPDUs.
- The port will ignore any BPDUs it receives.
- In effect this disables [[STP]] on the port.
*Use with caution!*

default:
```Cisco
SW3(config)# spanning-tree portfast bpdufilter default
```
- BPDU Filter will be activated on all *PortFast-enabled ports*.
- You can use `spanning-tree bpdufilter disable` to disable it on specific ports.
- The port will not send BPDUs.
- If the port receives a BPDU, PortFast and BPDU Filter are disabled, and it operates as a normal STP port.

## Recommendation

Enable PortFast and BPDU Guard however you prefer (per-port or by default).
- Only enable BPDU Filter by default (global config mode).
- Unless you have a very good reason to enable it per-port.

*BPDU Guard* and *BPDU Filter* can be enabled on the same port at the same time:

---
If BPDU Filter is enabled in global config mode and the port receives a BPDU:
1. BPDU Filter will be disabled
2. BPDU Guard will be triggered (and err-disable the interface)

---
If BPDU Filter is enabled in interface config mode and the port receives a BPDU:
- The BPDU will be ignored
- BPDU Guard will *not* be triggered

## Review

### BPDU Guard
Automatically disables a port if it receives a BPDU, protecting the STP topology by preventing unauthorized devices from becoming part of the network.

### BPDU Filter
Stops a port from sending BPDUs or processing received BPDUs.
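As an added illustration (not part of the original note, and not Cisco code) of how the rules in the Recommendation section combine, here is a small Python model of one access port: the global defaults, the per-port overrides, what happens when a BPDU arrives, and ErrDisable Recovery (manual shutdown/no shutdown or timer based). The names `SwitchGlobals`, `Port`, `receive_bpdu` and `recover` are the model's own; `filter_mode` reports whether the active filter is "port" (interface level), "global" (inherited through the PortFast default) or "off".

```python
from dataclasses import dataclass

@dataclass
class SwitchGlobals:
    portfast_bpduguard_default: bool = False   # spanning-tree portfast bpduguard default
    portfast_bpdufilter_default: bool = False  # spanning-tree portfast bpdufilter default
    recover_bpduguard: bool = False            # errdisable recovery cause bpduguard
    recovery_interval: int = 300               # errdisable recovery interval <seconds>

@dataclass
class Port:
    portfast: bool = False        # spanning-tree portfast configured on the interface
    bpduguard: str = "default"    # per-port override: enable | disable | default
    bpdufilter: str = "default"   # per-port override: enable | disable | default
    oper: str = "normal"          # operational STP mode: portfast | normal | err-disabled
    err_disabled_at: float = 0.0  # time the guard fired (seconds)

    def __post_init__(self):
        self.oper = "portfast" if self.portfast else "normal"

def filter_mode(p: Port, g: SwitchGlobals) -> str:
    if p.bpdufilter != "default":
        return "port" if p.bpdufilter == "enable" else "off"
    return "global" if p.oper == "portfast" and g.portfast_bpdufilter_default else "off"

def guard_active(p: Port, g: SwitchGlobals) -> bool:
    if p.bpduguard != "default":
        return p.bpduguard == "enable"
    return p.oper == "portfast" and g.portfast_bpduguard_default

def receive_bpdu(p: Port, g: SwitchGlobals, now: float) -> str:
    if p.oper == "err-disabled":
        return "dropped"                # a disabled port processes nothing
    if filter_mode(p, g) == "port":
        return "ignored"                # per-port filter: BPDU ignored, guard never fires
    guard = guard_active(p, g)          # evaluate before PortFast is torn down
    p.oper = "normal"                   # PortFast (and a global-default filter) is lost
    if guard:
        p.oper, p.err_disabled_at = "err-disabled", now
        return "err-disabled"
    return "normal-stp"

def recover(p: Port, g: SwitchGlobals, now: float, manual: bool = False) -> bool:
    if p.oper != "err-disabled":
        return False
    if not manual and (not g.recover_bpduguard or now - p.err_disabled_at < g.recovery_interval):
        return False
    p.oper, p.err_disabled_at = ("portfast" if p.portfast else "normal"), 0.0
    return True
```

Running the model with a switch still plugged into a recovered port shows why the note says to fix the underlying issue first: the port is err-disabled again on the next BPDU.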