Re: Difference between bpduguard & bpdufilter

From: Anthony Sequeira (terry.francona@gmail.com)
Date: Fri Oct 14 2005 - 11:23:07 GMT-3

• Next message: Tony Schaffran: "Isis network point-to-point issue"
• Previous message: Kwan, Mark: "test- please ignore"
• Maybe in reply to: Matthew Seppeler: "Difference between bpduguard & bpdufilter"
• Next in thread: Ed Lui: "Re: Difference between bpduguard & bpdufilter"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Here is a case for BPDU Filtering......
 I want to set ALL of my ports to PortFast opertaion. So I do that.....now I
want to ensure that the PortFast status is dynamically turned off just in
case I need to plug a switch into one of these ports. So I configure BPDU
Filtering globally on the switch and I accomplish this goal.
 I have never seen BPDU Filter actually configured for any other purpose -
thus I have never seen it configured at the interface level.

 On 10/14/05, Gustavo Novais <gustavo.novais@novabase.pt> wrote:
>
> Humm... I think I got it... The difference between the two, is that
> globally, only spanning-tree portfast ports have bpdufilter enabled. It
> is smart enough to stop filtering if the port receives a BPDU, besides
> losing portfast state. So it will become a "normal" port regarding to
> STP states.
>
> At the interface level, regardless of portfast, BPDU's are disabled
> (hence it is the same of disabling STP), and the switch becomes
> vulnerable to whatever loop may occur through one of the bpdufilter
> ports.
> Wouldn't it be better then enabling bpduguard? At least a port would be
> shut if it gets BPDU's.
>
> Thanks
>
> Gustavo
>
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Henk de Tombe
> Sent: sexta-feira, 14 de Outubro de 2005 13:13
> To: Gustavo Novais; Bob Sinclair; Matthew Seppeler;
> ccielab@groupstudy.com
> Subject: RE: Difference between bpduguard & bpdufilter
>
> Hi,
>
> Watch the "Cautions" in the following link:
>
> http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12225sec/3550s
> cg/s
> wstpopt.htm#wp1033638
>
> Regards,
> Henk
>
> -----Oorspronkelijk bericht-----
> Van: nobody@groupstudy.com [mailto:nobody@groupstudy.com] Namens Gustavo
> Novais
> Verzonden: vrijdag 14 oktober 2005 11:40
> Aan: Bob Sinclair; Matthew Seppeler; ccielab@groupstudy.com
> Onderwerp: RE: Difference between bpduguard & bpdufilter
>
> Hi
>
> I didn't understand why you say that spanning-tree bpdufilter is
> dangerous on the interface level, because it disables STP on the port,
> but globally it is safe? I thought it would be as dangerous enabling it
> at global level (disable STP on ALL portfast ports) as it would be
> interface level (if not more!).
>
> At least the DocCD does not state anything that one command is safe and
> the other is not.
>
> Could you elaborate on that?
>
> Thanks
>
> Gustavo
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Bob Sinclair
> Sent: sexta-feira, 14 de Outubro de 2005 3:10
> To: Matthew Seppeler; ccielab@groupstudy.com
> Subject: Re: Difference between bpduguard & bpdufilter
>
> Matthew,
>
> Here are some of my notes:
>
> BPDU Guard:
>
> error-disables port if a portfast port receives a bpdu
>
> enable on all portfast ports: spanning-tree portfast bpduguard default
>
> enable per port: spanning-tree bpduguard [enable disable]
>
>
> BPDU Filtering:
>
> When enabled globally prevents portfast ports from sending bpdus. If
> bpdu is received, port becomes non-portfast and filtering is disabled
>
> spanning-tree portfast bpdufilter default
>
>
> On interface: DISABLES STP on the port: very dangerous!
>
> spanning-tree bpdufilter enable
>
>
> Global is recommended, per interface is dangerous.
>
>
>
> HTH,
>
> Bob Sinclair
> CCIE #10427, CCSI 30427, CISSP
> www.netmasterclass.net <http://www.netmasterclass.net>
>
> ----- Original Message -----
> From: Matthew Seppeler
> To: ccielab@groupstudy.com
> Sent: Thursday, October 13, 2005 8:09 PM
> Subject: Difference between bpduguard & bpdufilter
>
>
> Can someone explain the differences between bpduguard & bpdufilter and
> under which circumstances they would it best be used. The Doc CD does
> not make a clear distinction between the two.
>
> Matt Seppeler
>
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

• Next message: Tony Schaffran: "Isis network point-to-point issue"
• Previous message: Kwan, Mark: "test- please ignore"
• Maybe in reply to: Matthew Seppeler: "Difference between bpduguard & bpdufilter"
• Next in thread: Ed Lui: "Re: Difference between bpduguard & bpdufilter"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Sun Nov 06 2005 - 22:00:51 GMT-3