
BPDUGuard & BPDUFilter

November 20th, 2018 in SWITCH 300-115

Question 1

Question 2

Question 3

Explanation

There are two ways to re-enable a port that BPDU guard has put into the err-disabled state. The first is to issue the “shut” and “no shut” commands on that port. The second is to use the “errdisable recovery cause bpduguard” command, which lets the switch recover the port automatically after the recovery timer expires.

Question 4

Explanation

At the global level, you can enable BPDU filtering on Port Fast-enabled interfaces by using the spanning-tree portfast bpdufilter default global configuration command. This command prevents interfaces that are in a Port Fast-operational state from sending or receiving BPDUs. The interfaces still send a few BPDUs at link-up before the switch begins to filter outbound BPDUs. You should globally enable BPDU filtering on a switch so that hosts connected to these interfaces do not receive BPDUs. If a BPDU is received on a Port Fast-enabled interface, the interface loses its Port Fast-operational status, and BPDU filtering is disabled.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_55_se/configuration/guide/3560_scg/swstpopt.html

The second sentence and the last sentence of this quote contradict each other. The second says the command prevents an interface from receiving BPDUs, while the last says that when the interface receives a BPDU, BPDU filtering is disabled!

The fact is that this command only prevents the interface from sending BPDUs. If the interface receives a BPDU, it loses its Port Fast status and returns to being a normal switching port (with STP enabled).

Note: There is another important thing we want to mention here: there are two ways to configure the BPDU filtering feature, one in global configuration mode and one under a specific interface:

Configuring BPDU filter globally:
Switch(config)#spanning-tree portfast bpdufilter default
 
Configure BPDU Filter on the interface:
Switch(config-if)#spanning-tree bpdufilter enable (this overrides the global bpdufilter command above)

But the effect of these two commands is different and you should remember:
+ When BPDU filtering is enabled globally and a BPDU is received, the port loses its PortFast status, BPDU filtering is disabled on that port, and the port returns to the normal STP state
+ When BPDU filtering is enabled on a specific port, it prevents this port from sending or receiving BPDUs (so if BPDUs arrive, they are dropped and the port keeps forwarding)
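To make the difference between the two BPDU filter forms, BPDU guard and the two recovery methods concrete, here is a small Python model of the rules stated above (added for this page, not Cisco code; the precedence of an interface-level filter over BPDU guard on the same port is an assumption of the model, since the page does not cover that combination):

```python
"""Model of how an access port reacts to an incoming BPDU under the BPDU Guard /
BPDU Filter settings discussed above. Educational model written for this page,
not Cisco code; the rules come from the explanations, the ordering between an
interface-level filter and BPDU guard on the same port is an assumption."""
from dataclasses import dataclass


@dataclass
class Port:
    portfast: bool = True
    bpduguard: bool = False         # spanning-tree bpduguard enable (interface)
    bpdufilter_intf: bool = False   # spanning-tree bpdufilter enable (interface)
    state: str = "forwarding"       # "forwarding" or "err-disabled"


def sends_bpdus(port: Port, global_filter: bool) -> bool:
    """Outbound BPDUs are suppressed by the interface filter, or by the global
    filter (spanning-tree portfast bpdufilter default) on a PortFast port."""
    if port.bpdufilter_intf:
        return False
    return not (global_filter and port.portfast)


def receive_bpdu(port: Port, global_filter: bool) -> str:
    """Apply the page's rules to a BPDU arriving on `port`; returns the outcome."""
    if port.bpdufilter_intf:
        return "dropped"              # interface filter: BPDU silently discarded
    if port.bpduguard:
        port.state = "err-disabled"   # BPDU guard: port is shut down
        return "err-disabled"
    if global_filter and port.portfast:
        port.portfast = False         # global filter: PortFast lost, filtering off,
        return "portfast-lost"        # port becomes a normal STP port
    return "processed"                # normal STP port: BPDU handled by STP


def recover(port: Port, method: str) -> bool:
    """Either 'shut/no shut' or 'errdisable recovery cause bpduguard'
    brings an err-disabled port back; anything else leaves it disabled."""
    if port.state != "err-disabled":
        return False
    if method in ("shut/no shut", "errdisable recovery cause bpduguard"):
        port.state = "forwarding"
        return True
    return False
```

Running the global-filter case twice shows the exam point: the first BPDU strips PortFast, and the second one is simply processed by STP.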

Question 5

Explanation

BPDUFilter is designed to suppress the sending and receiving of BPDUs on an interface. There are two ways of configuring BPDUFilter, under global configuration mode or under interface mode, but they have a subtle difference.

If BPDUFilter is configured globally via this command:

Switch(config)#spanning-tree portfast bpdufilter default

BPDUFilter will be enabled on all PortFast-enabled interfaces and will stop those interfaces from sending BPDUs. This is good if the port is connected to a host, because we can enable PortFast on this port to save some start-up time while not allowing BPDUs to be sent out to that host. Hosts do not participate in STP and would simply drop any BPDUs they received. As a result, BPDU filtering prevents unnecessary BPDUs from being transmitted to host devices.

If BPDUFilter is configured under interface mode like this:

Switch(config-if)#spanning-tree bpdufilter enable

It will suppress the sending and receiving of BPDUs. This is the same as disabling spanning tree on the interface. This choice is risky and should only be used when you are sure that port only connects to host devices.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_55_se/configuration/guide/3560_scg/swstpopt.html

Question 6

Explanation

The “spanning-tree portfast bpdufilter default” command is configured under global configuration mode. To stop receiving unwanted BPDUs (for easier troubleshooting), he can issue “spanning-tree portfast bpdufilter default” under global configuration mode. This enables BPDUFilter on all PortFast-enabled interfaces and stops those interfaces from sending BPDUs. This is good if the port is connected to a host, because we can enable PortFast on this port to save some start-up time while not allowing BPDUs to be sent out to that host. Hosts do not participate in STP and would simply drop any BPDUs they received. As a result, BPDU filtering prevents unnecessary BPDUs from being transmitted to host devices.

Question 7

Question 8

Explanation

The BPDU Guard feature allows STP to shut down an access port when a BPDU is received on it.

Root Guard ensures that the port on which root guard is enabled is the designated port. If the bridge receives superior BPDUs on a root guard-enabled port, root guard moves this port to a root-inconsistent STP state (which is equal to STP listening state). No traffic is forwarded across this port. In this way, the root guard enforces the position of the root bridge.

Loop guard feature provides additional protection against STP loops. An STP loop is created when an STP blocking port in a redundant topology erroneously transitions to the forwarding state. This usually happens because one of the ports of a physically redundant topology (not necessarily the STP blocking port) no longer receives STP BPDUs. In its operation, STP relies on continuous reception or transmission of BPDUs based on the port role. The designated port transmits BPDUs, and the non-designated port receives BPDUs.

When one of the ports in a physically redundant topology no longer receives BPDUs, the STP conceives that the topology is loop free. Eventually, the blocking port from the alternate or backup port becomes designated and moves to a forwarding state. This situation creates a loop.

The loop guard feature makes additional checks. If BPDUs are not received on a non-designated port, and loop guard is enabled, that port is moved into the STP loop-inconsistent blocking state, instead of the listening/learning/forwarding state. Without the loop guard feature, the port assumes the designated port role. The port moves to the STP forwarding state and creates a loop.

So none of the three features above allows the port to transition between STP states. How about BPDU Filter?

At the global level, you can enable BPDU filtering on Port Fast-enabled interfaces by using the spanning-tree portfast bpdufilter default global configuration command. This command prevents interfaces that are in a Port Fast-operational state from sending or receiving BPDUs. The interfaces still send a few BPDUs at link-up before the switch begins to filter outbound BPDUs. You should globally enable BPDU filtering on a switch so that hosts connected to these interfaces do not receive BPDUs. If a BPDU is received on a Port Fast-enabled interface, the interface loses its Port Fast-operational status, and BPDU filtering is disabled.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_55_se/configuration/guide/3560_scg/swstpopt.html

The second sentence and the last sentence of this quote contradict each other. The second says the command prevents an interface from receiving BPDUs, while the last says that when the interface receives a BPDU, BPDU filtering is disabled!

The fact is that this command only prevents the interface from sending BPDUs. If the interface receives a BPDU, it loses its Port Fast status and returns to being a normal switching port (with STP enabled).

There are two ways to configure the BPDU filtering feature, one in global configuration mode and one under a specific interface:

Configuring BPDU filter globally:
Switch(config)#spanning-tree portfast bpdufilter default

Configure BPDU Filter on the interface:
Switch(config-if)#spanning-tree bpdufilter enable (this overrides the global bpdufilter command above)

But the effect of these two commands is different and you should remember:
+ When BPDU filtering is enabled globally and a BPDU is received, the port loses its PortFast status, BPDU filtering is disabled on that port, and the port returns to the normal STP state
+ When BPDU filtering is enabled on a specific port, it prevents this port from sending or receiving BPDUs (so if BPDUs arrive, they are dropped and the port keeps forwarding)

Therefore, in this question we can only consider BPDU Filter configured under global configuration mode. In this mode the port can still transition between STP states.

Question 9

Explanation

The BPDU Guard feature allows STP to shut down an access port when a BPDU is received on it.

Comments
  1. Anonymous
    September 11th, 2017

    Some of these questions need reviewing, they barely make any sense!

  2. Rizwan
    December 2nd, 2017

    BPDUguard and BPDUfilter always screw me up, these are so confusing. Please help, I have an exam in 2 days

  3. Rizwan
    January 7th, 2018

    BPDUguard is to prevent an interface from rx BPDUs while BPDUfilter prevents the tx/rx of BPDUs

  4. Anonymous
    February 11th, 2018

    Can anyone explain this question?
    Question 5
    A network engineer is installing a switch for temporary workers to connect to. The engineer does not want this switch participating in Spanning Tree with the rest of the network; however, end user connectivity is still required. Which spanning-tree feature accomplishes this?

  5. Anonymous
    March 27th, 2018

    Question 6.
    Answer does not make sense.

  6. CCNP
    April 7th, 2018

    Q6.

    Question is about specific port fa0/1. Answer should be B BUT the command syntax is wrong
    B. . spanning-tree portfast bpduguard enable

    Correct command is >>> (spanning-tree bpdufilter enable), just the portfast word is missing.

  7. CCNP
    April 7th, 2018

    Q5 ?????????

  8. Anonymous
    May 15th, 2018

    Q6
    Switch(config)#int fastEthernet 0/1
    Switch(config-if)#spanning-tree bpduguard ?
    disable Disable BPDU guard for this interface
    enable Enable BPDU guard for this interface
    Switch(config-if)#spanning-tree bpduguard ena
    Switch(config-if)#spanning-tree bpduguard enable

  9. Anonymous
    May 15th, 2018

    Packet Tracer is missing bpdufilter, but it should be the same, just filter instead of guard.

  10. lalaversa
    May 16th, 2018

    Q2, wrong question (do not consider, the correct question is the following Q3).
    Q3.
    Considering that “NOW” the admin has entered the no bpduguard enable command, he NOW needs to put shut and then no shut on the interface. Enabling errdisable autorecovery will solve this problem next time… The correct answer is surely option A.

  11. lalaversa
    May 16th, 2018

    Answer to Anonymous May 15th, 2018.
    Packet Tracer is missing a lot of commands and sometimes some default parameters in the configuration are wrong (e.g. the spanning-tree default mode is PVST and not PVST+).
    For example, if you configure an etherchannel of two links between two switches, you must first configure the trunk on the port-channelX and then on the individual interfaces by enabling the channel-groupX, otherwise the etherchannel does not come up.
    Do not take Packet Tracer as an absolute example; moreover, it was born to support the CCNA certification, not the CCNP.

  12. Aleksandr
    July 2nd, 2018

    Which result happens when a non-trunking port that is configured with BPDU guard is connected to a device that is transmitting?
    A. The port is moved into the spanning-tree blocking state.
    B. The port is error-disabled.
    C. A routing loop can occur on the network.
    D. The port transitions to the connected state.

    If the device is a personal computer, which does not transmit BPDU packets, then the correct answer is D: The port transitions to the connected state!
    If the device is a switch, which transmits BPDU packets, then the correct answer is B: The port is error-disabled!
