Re: Difference between bpduguard & bpdufilter

From: Ed Lui (edwlui@gmail.com)
Date: Fri Oct 14 2005 - 11:52:24 GMT-3

• Next message: Joe Rinehart: "Re: CCIE LAB preparation"
• Previous message: McCallum, Robert: "FW: [c-nsp] IPExpert workbook"
• Maybe in reply to: Matthew Seppeler: "Difference between bpduguard & bpdufilter"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

I have done it at the interface level which the port is connected to
another switchport with bpduguard enable.

On 10/14/05, Anthony Sequeira <terry.francona@gmail.com> wrote:
> Here is a case for BPDU Filtering......
> I want to set ALL of my ports to PortFast opertaion. So I do that.....now I
> want to ensure that the PortFast status is dynamically turned off just in
> case I need to plug a switch into one of these ports. So I configure BPDU
> Filtering globally on the switch and I accomplish this goal.
> I have never seen BPDU Filter actually configured for any other purpose -
> thus I have never seen it configured at the interface level.
>
> On 10/14/05, Gustavo Novais <gustavo.novais@novabase.pt> wrote:
> >
> > Humm... I think I got it... The difference between the two, is that
> > globally, only spanning-tree portfast ports have bpdufilter enabled. It
> > is smart enough to stop filtering if the port receives a BPDU, besides
> > losing portfast state. So it will become a "normal" port regarding to
> > STP states.
> >
> > At the interface level, regardless of portfast, BPDU's are disabled
> > (hence it is the same of disabling STP), and the switch becomes
> > vulnerable to whatever loop may occur through one of the bpdufilter
> > ports.
> > Wouldn't it be better then enabling bpduguard? At least a port would be
> > shut if it gets BPDU's.
> >
> > Thanks
> >
> > Gustavo
> >
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Henk de Tombe
> > Sent: sexta-feira, 14 de Outubro de 2005 13:13
> > To: Gustavo Novais; Bob Sinclair; Matthew Seppeler;
> > ccielab@groupstudy.com
> > Subject: RE: Difference between bpduguard & bpdufilter
> >
> > Hi,
> >
> > Watch the "Cautions" in the following link:
> >
> > http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12225sec/3550s
> > cg/s
> > wstpopt.htm#wp1033638
> >
> > Regards,
> > Henk
> >
> > -----Oorspronkelijk bericht-----
> > Van: nobody@groupstudy.com [mailto:nobody@groupstudy.com] Namens Gustavo
> > Novais
> > Verzonden: vrijdag 14 oktober 2005 11:40
> > Aan: Bob Sinclair; Matthew Seppeler; ccielab@groupstudy.com
> > Onderwerp: RE: Difference between bpduguard & bpdufilter
> >
> > Hi
> >
> > I didn't understand why you say that spanning-tree bpdufilter is
> > dangerous on the interface level, because it disables STP on the port,
> > but globally it is safe? I thought it would be as dangerous enabling it
> > at global level (disable STP on ALL portfast ports) as it would be
> > interface level (if not more!).
> >
> > At least the DocCD does not state anything that one command is safe and
> > the other is not.
> >
> > Could you elaborate on that?
> >
> > Thanks
> >
> > Gustavo
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Bob Sinclair
> > Sent: sexta-feira, 14 de Outubro de 2005 3:10
> > To: Matthew Seppeler; ccielab@groupstudy.com
> > Subject: Re: Difference between bpduguard & bpdufilter
> >
> > Matthew,
> >
> > Here are some of my notes:
> >
> > BPDU Guard:
> >
> > error-disables port if a portfast port receives a bpdu
> >
> > enable on all portfast ports: spanning-tree portfast bpduguard default
> >
> > enable per port: spanning-tree bpduguard [enable disable]
> >
> >
> > BPDU Filtering:
> >
> > When enabled globally prevents portfast ports from sending bpdus. If
> > bpdu is received, port becomes non-portfast and filtering is disabled
> >
> > spanning-tree portfast bpdufilter default
> >
> >
> > On interface: DISABLES STP on the port: very dangerous!
> >
> > spanning-tree bpdufilter enable
> >
> >
> > Global is recommended, per interface is dangerous.
> >
> >
> >
> > HTH,
> >
> > Bob Sinclair
> > CCIE #10427, CCSI 30427, CISSP
> > www.netmasterclass.net <http://www.netmasterclass.net>
> >
> > ----- Original Message -----
> > From: Matthew Seppeler
> > To: ccielab@groupstudy.com
> > Sent: Thursday, October 13, 2005 8:09 PM
> > Subject: Difference between bpduguard & bpdufilter
> >
> >
> > Can someone explain the differences between bpduguard & bpdufilter and
> > under which circumstances they would it best be used. The Doc CD does
> > not make a clear distinction between the two.
> >
> > Matt Seppeler
> >
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

• Next message: Joe Rinehart: "Re: CCIE LAB preparation"
• Previous message: McCallum, Robert: "FW: [c-nsp] IPExpert workbook"
• Maybe in reply to: Matthew Seppeler: "Difference between bpduguard & bpdufilter"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Sun Nov 06 2005 - 22:00:51 GMT-3