Our IT won't let switches without bpdu-filter plug in

Started by dlots, January 27, 2016, 04:31:18 PM


dlots

So I don't understand this, but it seems pretty standard as I have known lots of network people who insist on this: "If you plug into their switches you must have BPDU filter turned on so no BPDUs are sent from your gear to theirs". :zomgwtfbbq:

Personally I would be MAD if anyone was plugging in anything with BPDU filter into my network (other than me... to my shame I have had to do this on occasion).  In fact one of those places was when I was a network engineer for that IT group, but the Senior engineer said they couldn't have BPDUs coming in from them. (BTW yes, we did have network outages on a regular basis because of L2 loops because of this, and no, he would never allow them to participate in STP.)

Now I can see making them do access ports, and put root guard on said ports (you're running transparent mode anyway, right?), but saying you can't play with STP seems like a stupid idea to me, or am I missing something?  Is this something standard that I just don't get the reasoning behind?

deanwebb

BPDU-Guard, I get. That stops inbound BPDUs.

https://networkinferno.net/clarity-bpdu-guard-vs-bpdu-filter points out that a point of demarcation is a good place for a BPDU-filter, so as to shut off all possible STP interactions between switching environments that need to stay free of each other.

But turning off STP? I don't think that's a good idea... I think we had a hilarious discussion of such once, that led to me doing this video: https://www.youtube.com/watch?v=RMS_ud2f1wU
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

SimonV

I don't understand the reasoning behind it? That would equate to plugging in a dumb switch without STP. The whole point of BPDUguard is detecting and alerting on those events :think:

dlots

Yeah, their standard is to have BPDUguard on every port, end of discussion, so they tell me to use BPDUfilter.  Which, if you're not careful, will cause a loop.  I would rather play nicely with other people and avoid this loop stuff.  Really, how much damage can someone cause by exchanging BPDUs if you're running transparent mode, switchport mode access, and you put root guard on the port?

routerdork

I can tell you that in the early days of working at an ISP that provided MetroE services, some clients used switches to connect. Their BPDUs caused convergence on our networks and affected multiple circuits. So for that reason we blocked across the board on every edge port.
"The thing about quotes on the internet is that you cannot confirm their validity." -Abraham Lincoln

that1guy15

Just had this conversation on twitter the other day too :)

This was done all over the place at my last gig and caused multiple network blips due to root change and STP reconvergence when switches would go down or fail. It was a horrible, horrible mess.

IMO this is a situation where two networks don't trust one another and want to segregate as much as possible to control their own world. If that's the case then a switch is the wrong solution. Drop either a router or a firewall in, depending on the level of segregation needed. If there can't be trust between the two networks, then stretching L2 across them should not be an option.

BPDUfilter is never the right solution. If it's the only solution possible then something is wrong with the architecture, or there is a layer 8 issue that needs to be addressed. The very same thing can be said for PBR!
That1guy15
@that1guy_15
blog.movingonesandzeros.net

dlots

As long as you're using root-guard and access ports there shouldn't be any blips at all, though.  Yes, if you let someone other than you be able to take over as root, you're going to have a bad time of it.

NetworkGroover

Engineer by day, DJ by night, family first always

NetworkGroover

Whoops, wrong one - this one:

http://aspiringnetworker.blogspot.com/2013/07/optimizing-and-protecting-spanning-tree.html

The thing is, if they enable BPDU Guard then you have to enable BPDU filter - otherwise the port will go into err-disable.  Why exactly is it a big deal to enable BPDU filter on your end?  How exactly does this create a loop?  You're not disabling STP itself - you're only preventing BPDUs being sent out of specific ports going to a separate network under different administrative control.

EDIT - And a former company I worked at had this requirement as well, right after the "network pro" of the tech support department (customer facing, separate from IT) hooked two links into the corp network and somehow managed to cause a loop - bringing down both the tech support and corp networks.

dlots

That in and of itself won't create a loop, but it does greatly increase the risk of loops, as you're for all practical purposes disabling STP on that port. In 3 years, when we forget it already has a link going to that switch and we need to do the same thing again and the new guy on the network does the same thing, you basically have an instant loop.

SimonV

You could connect the switch back to itself and not have it see any BPDUs, thus creating a loop, right?

edit: think dlots is thinking of the same thing as me. Ever had a cleaning lady connect a cable back to a wall outlet? :)

NetworkGroover

To my knowledge, this doesn't cause STP to stop functioning - it only stops the SENDING of BPDUs.  If we receive the same BPDUs on two ports, I would assume STP would do its job and block a port regardless of BPDU filter being configured on it... but that's going off the top of my head.

EDIT - bad wording there but I think you get my point.  Summary is though, that's easy to test to confirm.  If you have a switch handy, just configure two ports in the same VLAN and bpdu filter on one of them, then loop the two together.  I assume STP will block a port when it receives BPDUs from itself on the port with BPDU filter enabled.

dlots

Quote from: SimonV on January 28, 2016, 10:41:13 AM
You could connect the switch back to itself and not have it see any BPDUs, thus creating a loop, right?

edit: think dlots is thinking of the same thing as me. Ever had a cleaning lady connect a cable back to a wall outlet? :)
Nah, we always use BPDU guard on our switches. I have, however, on regular occasions had people plug the IP phone's 2 interfaces into the wall; that's always fun.

If you have BPDU filter on the port it stops the port from sending or receiving BPDUs, thus that port can no longer detect a loop in any way.

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_55_se/configuration/guide/3560_scg/swstpopt.html#wp1046220

"At the interface level, you can enable BPDU filtering on any interface by using the spanning-tree bpdufilter enable interface configuration command without also enabling the Port Fast feature. This command prevents the interface from sending or receiving BPDUs."
"Caution: Enabling BPDU filtering on an interface is the same as disabling spanning tree on it and can result in spanning-tree loops."

SimonV

Quote from: AspiringNetworker on January 28, 2016, 10:43:38 AM
EDIT - bad wording there but I think you get my point.  Summary is though, that's easy to test to confirm.  If you have a switch handy, just configure two ports in the same VLAN and bpdu filter on one of them, then loop the two together.  I assume STP will block a port when it receives BPDUs from itself on the port with BPDU filter enabled.

That's not exactly what I'm thinking of, more of a scenario with two switches. You are running STP on your switch, with or without BPDUguard, doesn't matter. I connect my switch with BPDU filters to two ports of your switch. Your switch will not receive BPDUs on any of the ports (they are not transparently being relayed either, to my understanding) and put both in FWD state. I think this is how I recreated loops when I was labbing for switch.
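As an added illustration of the two-link scenario above (this is a small model I wrote, not code from anyone in the thread or from a vendor), the Python below works out port states for two switches joined by parallel links. It assumes equal link costs, that BPDU filter on either end of a link stops all BPDU exchange on that link, and that BPDU guard err-disables a port the moment a BPDU arrives; the `converge`/`scenario` names and the bridge IDs are my own.

```python
from dataclasses import dataclass


@dataclass
class Port:
    name: str
    bpdufilter: bool = False   # sends and receives no BPDUs: STP is effectively off here
    bpduguard: bool = False    # err-disables on any received BPDU
    state: str = "forwarding"  # "forwarding", "blocking" or "err-disabled"


def converge(id_a, id_b, links):
    """links: list of (Port on switch A, Port on switch B). Returns (states, loop?).
    Simplified STP for two directly connected switches; lower bridge ID wins root."""
    exchanging = []                          # links on which BPDUs actually flow
    for pa, pb in links:
        if pa.bpdufilter or pb.bpdufilter:   # no BPDUs either way: both ends stay forwarding
            continue
        if pa.bpduguard:                     # guard sees the neighbour's BPDU and shuts the port
            pa.state = "err-disabled"
        if pb.bpduguard:
            pb.state = "err-disabled"
        if pa.state == pb.state == "forwarding":
            exchanging.append((pa, pb))
    if exchanging:                           # normal election, but only on the links that talk
        non_root = 1 if id_b > id_a else 0   # index of the non-root side in each (pa, pb) pair
        exchanging.sort(key=lambda pair: pair[non_root].name)
        for pair in exchanging[1:]:          # one root port; the other parallel links block
            pair[non_root].state = "blocking"
    up = [1 for pa, pb in links if pa.state == pb.state == "forwarding"]
    states = {p.name: p.state for pa, pb in links for p in (pa, pb)}
    return states, len(up) > 1               # two forwarding paths between the same two switches = L2 loop


def scenario(filter_b=False, guard_a=False):
    """Switch A (bridge ID 4096, so it wins root) dual-attached to switch B (32768)."""
    links = [(Port(f"A/{i}", bpduguard=guard_a), Port(f"B/{i}", bpdufilter=filter_b))
             for i in (1, 2)]
    return converge(4096, 32768, links)


if __name__ == "__main__":
    for args in ({}, {"filter_b": True}, {"guard_a": True}, {"filter_b": True, "guard_a": True}):
        states, loop = scenario(**args)
        print(args or "plain STP", states, "LOOP" if loop else "no loop")
```

The last case is the combination the thread describes (their ports run BPDU guard, so you run BPDU filter): nothing on either side ever sees a BPDU, both links forward, and the loop exists without any port going err-disabled.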

NetworkGroover

I stand corrected - after what you posted and looking in another vendor's documentation, I missed that detail - and it's a big one.  So, yes, that would absolutely cause a loop.  I knew the switch having BPDU guard didn't matter, but I was incorrectly thinking that STP would still function on a port in the rx direction with BPDU filter enabled.