Thursday, March 11, 2010

BPDUGuard vs. BPDUFilter

We all know that Spanning-Tree uses BPDUs to communicate link state and configuration changes within a switched network. Spanning-Tree uses 2 types of BPDUs:
  1. TCN BPDU - used to notify other switches of changes occurring
  2. Configuration BPDU - used for the spanning-tree computations
The main goal of the BPDUs is to maintain information about the link state of neighboring switches so that a loop-free switched network can be maintained. The BPDUs help elect the best reference point, called the root bridge, and help create alternate paths in case a link goes down.

So we know that switch ports connected to other switch ports send each other BPDUs in order to assist spanning-tree, and those switch ports use the STP timers (2 sec hello, 15 sec listening, 15 sec learning, 20 sec max age). Given the timers of spanning-tree, it could take up to 50 seconds to recover from a link failure.

In order to bypass this 50 second delay, we can configure the switch to skip the listening, learning, and max age timers by putting the interfaces in portfast mode.

Portfast mode should be used when end devices such as servers, routers, and PCs are connecting to the switch. Spanning-tree is not necessary when connecting to such devices; it is only necessary when connecting switches to switches.

So why do we need BPDUGuard and BPDUFilter?

Well, what if we assigned a port to a user thinking he/she would plug in their PC, but instead they plugged in the Cisco switch they bought off of eBay? That switch would immediately begin sending BPDUs to the other network switches.

Given that the root bridge is determined by a combination of both (port priority + MAC address), called the bridge ID, this new switch could win the root election, thus altering the switching behaviour of the entire network... not good.

To prevent such unexpected mayhem, you can configure BPDUGuard or BPDUFilter on those ports that have been set as portfast ports.

BPDUGuard watches for BPDUs on configured ports, and if it sees any BPDU it shuts the port down and puts it in errdisable status, so there is no way an unauthorized new switch can begin sending BPDUs into the switched network and participate in spanning-tree.

BPDUFilter is very similar to BPDUGuard in that it watches for BPDUs, but rather than shutting the port down and putting it in errdisable, it merely filters the BPDUs out and ignores them.

BPDUGuard - shuts the port down and puts it in errdisable if it senses BPDUs
BPDUFilter - does not shut down the port or put it in errdisable, but instead just filters (ignores) BPDUs
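The configuration that goes with the portfast, BPDUGuard and BPDUFilter discussion above, as an added example that is not part of the original post. It is written for a Cisco IOS switch; the interface names and the 300 second recovery interval are assumptions chosen for illustration. It shows the weak setting (portfast alone) next to the hardened one, both the per-interface and the global forms of each feature, and the show commands you would use to confirm the result.

```cisco
! Added example (not from the post). Interface names and the recovery
! interval are assumptions for illustration.

! --- Weak: portfast alone. A switch plugged in here still sends BPDUs
! --- and can take part in (or win) the spanning-tree root election.
interface GigabitEthernet0/1
 switchport mode access
 spanning-tree portfast

! --- Hardened with BPDUGuard: any BPDU received on the port errdisables it.
interface GigabitEthernet0/2
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable

! --- Optional: let a port errdisabled by BPDUGuard recover on its own
! --- after 300 seconds instead of needing a manual shutdown / no shutdown.
errdisable recovery cause bpduguard
errdisable recovery interval 300

! --- Global form: turn BPDUGuard on for every portfast-enabled port at once.
spanning-tree portfast bpduguard default

! --- BPDUFilter, global form: portfast ports stop sending BPDUs, but if a
! --- BPDU is received the port loses portfast and runs normal spanning-tree.
spanning-tree portfast bpdufilter default

! --- BPDUFilter, interface form: the port neither sends nor processes BPDUs,
! --- so a switch attached here is invisible to spanning-tree entirely.
interface GigabitEthernet0/3
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable

! --- Verification (privileged exec, not config mode)
show spanning-tree summary
show spanning-tree interface GigabitEthernet0/2 detail
show interfaces status err-disabled
show errdisable recovery
```

The interface form of BPDUFilter (GigabitEthernet0/3) is the one to be careful with: because the port ignores incoming BPDUs as well, a second switch or a looped cable on that port cannot be detected by spanning-tree. The global `spanning-tree portfast bpdufilter default` form is safer for access ports, since a received BPDU still pulls the port back into normal spanning-tree operation. Without `errdisable recovery cause bpduguard`, a port that BPDUGuard has errdisabled stays down until someone issues `shutdown` followed by `no shutdown` on it, which is usually the behaviour you want on a user-facing port.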
