
[–]Cristek 2 points3 points  (0 children)

Non Root switches forward Hellos coming from the root; the root sends these Hellos based on the root’s configured Hello timer. Only the Root creates these BPDUs.

Also, in STP, only designated ports send BPDUs. In RSTP, all ports send them.

[–]a_cute_epic_axisJust 'cause it ain't in my flair doesn't mean I don't have certs 0 points1 point  (0 children)

In STP, only the root bridge initiates BPDUs as per the hello timer (2 seconds typically). These are sent out all designated ports, and when a BPDU is received by a non-root switch on a root port, it will send BPDUs out all designated ports. It will not send any out through the root port, nor any blocking ports. This is where bridge assurance and backbone fast come from; when turned on, a switch will place a port in an inconsistent state if it stops receiving BPDUs, or begin immediate convergence.

In RSTP, ALL switches generate their own BPDUs per the hello timer, so they will continue to send out BPDUs even if the root bridge goes offline and hasn't yet aged out. Additionally, they will send BPDUs out all ports with RSTP neighbors as part of the negotiation system RSTP uses.

Finally, all ports can send BPDUs regardless of being an access port or trunk port. In Cisco's PVST+ and RSTP modes, you'll get one per VLAN on trunk ports. With MST, you'll get one per instance to MST neighbors, and one for the CIST for STP/RSTP neighbors.

[–]herolurkerCCENT 0 points1 point  (0 children)

You can connect an out-of-the-box switch to any port (access or trunk) and it will send BPDUs (security risk). You can configure BPDU Guard, which err-disables the interface if it detects a BPDU.

[–]betephreequeCCENT :: Sec+ :: Net+ :: A+ -1 points0 points  (7 children)

All switches send BPDUs from any port configured as a trunk.

[–]hordecore80[S] 0 points1 point  (6 children)

I thought there was only one designated port in each collision domain, so if we have 2 ports connected to two switches and each switch connected to 2-3 VLANs, what will happen?

[–]betephreequeCCENT :: Sec+ :: Net+ :: A+ 0 points1 point  (5 children)

I'm sorry, I misspoke: all ports send BPDUs, only trunk ports know what they are.
In a lab you can configure BPDU Guard to see how the switch will react.

[–]a_cute_epic_axisJust 'cause it ain't in my flair doesn't mean I don't have certs 1 point2 points  (4 children)

That is also incorrect. All ports can process a BPDU, regardless of their mode as a trunk or access port. Simply turn on and connect any two ports on two Cisco switches and you'll see them come up as access ports, one switch will become the root bridge, and the other will have a root port pointing to the root bridge.

[–]betephreequeCCENT :: Sec+ :: Net+ :: A+ 0 points1 point  (3 children)

I guess that is correct when I think about it, possibly linked to BPDU Guard on an access port.
When I read some articles it sounded like all ports send them, but only trunks understand them.

[–]a_cute_epic_axisJust 'cause it ain't in my flair doesn't mean I don't have certs 0 points1 point  (2 children)

Nope, they'll all understand them on Catalyst switches. If you enable BPDU guard, the switch will shut down the port if it receives a BPDU (it can still send them). If you enable BPDU filter, it will ignore any received and won't send them either.
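As an added illustration of the two points argued in this thread (which ports transmit BPDUs under STP versus RSTP, and how BPDU Guard and BPDU Filter differ), here is a small Python model that is not from any commenter or from Cisco. The three-switch topology, bridge IDs and link costs are constructed for the example.

```python
from collections import defaultdict
import heapq

# Constructed sample topology: bridge ID = (priority, MAC-as-int), equal link costs.
BRIDGES = {"SW1": (32768, 1), "SW2": (32768, 2), "SW3": (32768, 3)}
LINKS = [("SW1", "SW2", 4), ("SW1", "SW3", 4), ("SW2", "SW3", 4)]

def root_path_costs(root, links):
    """Dijkstra from the root bridge: lowest root path cost per bridge."""
    adj = defaultdict(list)
    for a, b, c in links:
        adj[a].append((b, c)); adj[b].append((a, c))
    cost, heap = {root: 0}, [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > cost[u]:
            continue
        for v, c in adj[u]:
            if d + c < cost.get(v, float("inf")):
                cost[v] = d + c
                heapq.heappush(heap, (cost[v], v))
    return cost

def port_roles(bridges, links):
    """Return (root bridge, {(bridge, neighbor): role}) with roles root/designated/blocking."""
    root = min(bridges, key=bridges.get)        # lowest bridge ID wins
    cost = root_path_costs(root, links)
    root_port = {}                               # bridge -> (cost via nb, nb ID, nb)
    for a, b, c in links:
        for me, nb in ((a, b), (b, a)):
            cand = (cost[nb] + c, bridges[nb], nb)
            if me != root and (me not in root_port or cand < root_port[me]):
                root_port[me] = cand
    roles = {}
    for a, b, c in links:
        des = min((a, b), key=lambda x: (cost[x], bridges[x]))  # designated end
        for me, nb in ((a, b), (b, a)):
            if me != root and root_port[me][2] == nb:
                roles[(me, nb)] = "root"
            else:
                roles[(me, nb)] = "designated" if me == des else "blocking"
    return root, roles

def sends_bpdu(role, mode, protection=None):
    """STP: only designated ports transmit; RSTP: every port transmits.
    BPDU Guard still transmits (it only err-disables on receipt); BPDU Filter stops both."""
    if protection == "filter":
        return False
    return role == "designated" if mode == "stp" else True

def on_receive(protection=None):
    """Port reaction to a received BPDU under each protection setting."""
    return {"guard": "errdisable", "filter": "ignore"}.get(protection, "process")

def sending_ports(bridges, links, mode):
    return sorted(p for p, r in port_roles(bridges, links)[1].items() if sends_bpdu(r, mode))
```

With the sample topology SW1 is elected root, SW2 wins the SW2-SW3 segment on bridge ID, and only three of the six ports transmit in STP mode while all six do in RSTP mode.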

[–]betephreequeCCENT :: Sec+ :: Net+ :: A+ 0 points1 point  (1 child)

Ah interesting ... thanks for the clarification!

[–]a_cute_epic_axisJust 'cause it ain't in my flair doesn't mean I don't have certs 0 points1 point  (0 children)