From: Gustavo Novais (gustavo.novais@novabase.pt)
Date: Fri Oct 14 2005 - 10:44:09 GMT-3
Hmm... I think I got it... The difference between the two is that
globally, only spanning-tree portfast ports have bpdufilter enabled. It
is smart enough to stop filtering if the port receives a BPDU, besides
losing portfast state. So it will become a "normal" port with regard to
STP states.
At the interface level, regardless of portfast, BPDUs are disabled
(hence it is the same as disabling STP), and the switch becomes
vulnerable to whatever loop may occur through one of the bpdufilter
ports.
Wouldn't it be better then enabling bpduguard? At least a port would be
shut if it gets BPDUs.
Thanks
Gustavo
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Henk de Tombe
Sent: Friday, October 14, 2005 13:13
To: Gustavo Novais; Bob Sinclair; Matthew Seppeler;
ccielab@groupstudy.com
Subject: RE: Difference between bpduguard & bpdufilter
Hi,
Watch the "Cautions" in the following link:
http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12225sec/3550scg/swstpopt.htm#wp1033638
Regards,
Henk
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Gustavo
Novais
Sent: Friday, October 14, 2005 11:40
To: Bob Sinclair; Matthew Seppeler; ccielab@groupstudy.com
Subject: RE: Difference between bpduguard & bpdufilter
Hi
I didn't understand why you say that spanning-tree bpdufilter is
dangerous on the interface level, because it disables STP on the port,
but globally it is safe? I thought it would be as dangerous enabling it
at global level (disable STP on ALL portfast ports) as it would be at
interface level (if not more!).
At least the DocCD does not state anything that one command is safe and
the other is not.
Could you elaborate on that?
Thanks
Gustavo
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Bob Sinclair
Sent: Friday, October 14, 2005 3:10
To: Matthew Seppeler; ccielab@groupstudy.com
Subject: Re: Difference between bpduguard & bpdufilter
Matthew,
Here are some of my notes:
BPDU Guard:
  error-disables port if a portfast port receives a bpdu
  enable on all portfast ports: spanning-tree portfast bpduguard default
  enable per port: spanning-tree bpduguard [enable | disable]
BPDU Filtering:
  When enabled globally prevents portfast ports from sending bpdus. If
  bpdu is received, port becomes non-portfast and filtering is disabled
    spanning-tree portfast bpdufilter default
  On interface: DISABLES STP on the port: very dangerous!
    spanning-tree bpdufilter enable
Global is recommended, per interface is dangerous.
HTH,
Bob Sinclair
CCIE #10427, CCSI 30427, CISSP
www.netmasterclass.net
----- Original Message -----
From: Matthew Seppeler
To: ccielab@groupstudy.com
Sent: Thursday, October 13, 2005 8:09 PM
Subject: Difference between bpduguard & bpdufilter
Can someone explain the differences between bpduguard & bpdufilter and
under which circumstances they would best be used. The Doc CD does
not make a clear distinction between the two.
Matt Seppeler
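
An added example, not part of the thread: a small Python audit that reads an IOS-style configuration and flags the two conditions discussed above, interface-level bpdufilter and portfast ports with no bpduguard. The sample configuration and interface names are constructed, and only explicit interface-level "spanning-tree portfast" is treated as portfast (an assumption of this sketch).

```python
import re

# Constructed sample config (not from the thread); interface names are illustrative.
SAMPLE_CONFIG = """\
spanning-tree portfast bpdufilter default
interface FastEthernet0/1
 spanning-tree portfast
interface FastEthernet0/2
 spanning-tree portfast
 spanning-tree bpdufilter enable
interface FastEthernet0/3
 spanning-tree portfast
 spanning-tree bpduguard enable
interface FastEthernet0/4
 spanning-tree bpdufilter enable
"""

def parse(config):
    """Return (global command set, {interface name: set of its commands})."""
    glob, ifaces, current = set(), {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue  # skip blank lines and IOS section separators
        m = re.match(r"interface\s+(\S+)", raw)
        if m:
            current = ifaces.setdefault(m.group(1), set())
        elif raw[0].isspace() and current is not None:
            current.add(line)  # indented line belongs to the current interface
        else:
            current = None
            glob.add(line)
    return glob, ifaces

def audit(config):
    """List (interface, finding) pairs for the two risks raised in the thread."""
    glob, ifaces = parse(config)
    guard_default = "spanning-tree portfast bpduguard default" in glob
    findings = []
    for name, cmds in sorted(ifaces.items()):
        portfast = "spanning-tree portfast" in cmds
        guarded = "spanning-tree bpduguard enable" in cmds or (guard_default
            and portfast and "spanning-tree bpduguard disable" not in cmds)
        if "spanning-tree bpdufilter enable" in cmds:
            findings.append((name, "iface-filter"))  # per the notes: STP disabled here
        if portfast and not guarded:
            findings.append((name, "no-guard"))  # a received BPDU will not err-disable it
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```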
This archive was generated by hypermail 2.1.4 : Sun Nov 06 2005 - 22:00:51 GMT-3