Re: BPDU Filter on the interface vs. global

From: Shawn Zandi (szmetal@gmail.com)
Date: Thu Aug 28 2008 - 14:11:02 ART


Most likely we use it in service providers.
Any guard feature comes with an err-disable state for ports - like root guard
in an SP environment: "if customer network selected as the root port, root
guard then places the interface in the root-inconsistent (blocked) state to
prevent the customer's switch from becoming the root".
When you don't like to block the customer's interface and there's only one L2
connection to each customer, there's no point to speak in STP language, let's
filter BPDUs...

Disable everything in L2 on the customer's edge (STP, DTP, CDP, VTP, ...), L2 is easy
to hack...

-- 
Sincerely,
Shawn Zandi
Routing, Switching & Security Consultant
CCIE (Routing & Switching) - MCSE
Dubai Internet City - Building 13
web: http://www.shafagh.com
email: shafagh@shafagh.com

On Thu, Aug 28, 2008 at 7:39 PM, Shahid Ansari <shahid1357@gmail.com> wrote:

> As BPDUfilter disables spanning tree, it can create more chances of a loop,
> so normally we keep all the ports in spanning tree.
> Rather than that we can use BPDU guard, Root guard to avoid an unwanted
> root bridge.
> Am I right? :)
>
> thanks
>
>
> On Thu, Aug 28, 2008 at 6:29 PM, Joseph Brunner <joe@affirmedsystems.com>
> wrote:
>
> > Sending BPDUs to edge user ports is a security risk to some. So some do
> > use this. If you are sure of your cabling, then it won't make a loop.
> >
> > I would use it if I wanted to plug into a switch with bpduguard enabled,
> > but not port fast... hey I may want two machines at my desk?
> >
> > ;)
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Shahid Ansari
> > Sent: Thursday, August 28, 2008 11:27 AM
> > To: Ibrahim kabir
> > Cc: Julio Carrasco; ccielab@groupstudy.com
> > Subject: Re: BPDU Filter on the interface vs. global
> >
> > Does anyone use BPDUfilter in any live environment? Why is it essential
> > to use?
> >
> > Theoretically we know how it works, but practically why enable
> > BPDUfilter?
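
Added example, not part of the original thread: a small audit that checks whether customer-facing ports in an IOS-style configuration have STP, DTP and CDP silenced per interface, as the reply above recommends. The sample configuration, the "CUSTOMER" description convention and the function names are constructed for illustration; only the per-interface commands are checked, so the global `spanning-tree portfast bpdufilter default` form and VTP (a global setting) are outside its scope.

```python
import re

# Constructed sample running-config (not taken from the thread).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 description CUSTOMER-A
 switchport mode access
 switchport nonegotiate
 no cdp enable
 spanning-tree bpdufilter enable
!
interface GigabitEthernet0/2
 description CUSTOMER-B
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/24
 description UPLINK-CORE
 switchport mode trunk
"""

# Per-interface command expected on a customer edge port, keyed by the protocol it silences.
REQUIRED = {
    "STP": "spanning-tree bpdufilter enable",
    "DTP": "switchport nonegotiate",
    "CDP": "no cdp enable",
}

def parse_interfaces(config):
    """Return {interface name: [sub-command lines]} from IOS-style config text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface\s+(\S+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command ends the interface block
    return interfaces

def audit_edge_ports(config, edge_marker="CUSTOMER"):
    """Return {interface: [protocols still active]} for ports whose description has edge_marker."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        is_edge = any(l.startswith("description") and edge_marker in l for l in lines)
        missing = [proto for proto, cmd in REQUIRED.items() if cmd not in lines]
        if is_edge and missing:
            findings[name] = missing
    return findings
```

On the sample, GigabitEthernet0/2 is reported for all three protocols: BPDU guard alone does not stop the port from sending BPDUs.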


This archive was generated by hypermail 2.1.4 : Mon Sep 01 2008 - 08:15:33 ART