Dear Gents,
I was interested to test it and below are the results. My conclusion is that
when both are enabled under the interface bpdu filter wins and no bpdus are
sent/received as the spanning-tree output shows. However when turning
bpdufilter off
bpdu guard takes over and the interface goes into err-disabled state.
Check it out:
interface FastEthernet0/6
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
end
FastEthernet0/6 is up, line protocol is up (connected)
Hardware is Fast Ethernet, address is 001b.2b7e.9388 (bia 001b.2b7e.9388)
MTU 1504 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s, media type is 10/100BaseTX
input flow-control is off, output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output 00:00:06, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 3000 bits/sec, 3 packets/sec
179 packets input, 14868 bytes, 0 no buffer
Received 152 broadcasts (151 multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 151 multicast, 0 pause input
0 input packets with dribble condition detected
1110 packets output, 167980 bytes, 0 underruns
0 output errors, 0 collisions, 1 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 PAUSE output
0 output buffer failures, 0 output buffers swapped out
MB-KSA-CORE#show spanning-tree interface fastEthernet 0/6 detail
Port 8 (FastEthernet0/6) of VLAN0001 is designated forwarding
Port path cost 19, Port priority 128, Port Identifier 128.8.
Designated root has priority 24577, address 001b.2b7e.9380
Designated bridge has priority 24577, address 001b.2b7e.9380
Designated port id is 128.8, designated path cost 0
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
Link type is point-to-point by default
Bpdu guard is enabled
Bpdu filter is enabled
BPDU: sent 0, received 0
interface FastEthernet0/6
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
end
XXX#conf t
Enter configuration commands, one per line. End with CNTL/Z.
XXX(config)#int fa0/6
XXX(config-if)#no spann
XXX(config-if)#no spanning-tree bpdu
XXX(config-if)#no spanning-tree bpdufi
XXX(config-if)#no spanning-tree bpdufilter en
XXX(config-if)#no spanning-tree bpdufilter en
XXX(config-if)#
XXX(config-if)#
XXX(config-if)#
XXX(config-if)#^Z
XXX#show run int fa0/6
Building configuration...
Current configuration : 65 bytes
!
interface FastEthernet0/6
spanning-tree bpduguard enable
end
XXX#show int fa0/6
FastEthernet0/6 is down, line protocol is down (err-disabled)
Hardware is Fast Ethernet, address is 001b.2b7e.9388 (bia 001b.2b7e.9388)
MTU 1504 bytes, BW 10000 Kbit, DLY 1000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Auto-duplex, Auto-speed, media type is 10/100BaseTX
input flow-control is off, output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:06, output 00:00:08, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 3000 bits/sec, 2 packets/sec
293 packets input, 22951 bytes, 0 no buffer
Received 259 broadcasts (257 multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 257 multicast, 0 pause input
0 input packets with dribble condition detected
1439 packets output, 225974 bytes, 0 underruns
0 output errors, 0 collisions, 1 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 PAUSE output
0 output buffer failures, 0 output buffers swapped out
HTH,
Best Regards,
On Mon, Sep 20, 2010 at 5:38 PM, karim jamali <karim.jamali_at_gmail.com>wrote:
Hi Mustafa,
I am not sure who will "win" but logically I can't seem to find any reason
to do so unless a crazy CCIE task is trying to go that way. Note that
bpdufilter acts both ways and it stops sending/receiving of BPDUs.
BPDUguard as per my knowledge only acts in one direction and the
action it takes
is put a port in err-disabled state if it receives a BPDU.
Best Regards,
On Wed, Sep 22, 2010 at 12:44 PM, jason munns <jasonmunns13_at_gmail.com>wrote:
> Access ports send BPDU's, the only way to get an interface to stop
> sending BPDU's is to enable BPDUFILTER or disable STP.
>
> You will use both features when you want to stop sending BPDU's and
> also get the interface to go err-disabled when a BPDU is received. The
> BPDUFILTER feature must be enabled globally for this to work,
> otherwise if you enable it on the interface the BDUGUARD feature is
> not triggered due to BPDUFILTER.
>
> Example config of the two features; this config will stop bpdu's from
> being sent and also cause the interface to err-disable if a bpdu is
> received:
>
> spanning-tree portfast bpdufilter default
> spanning-tree portfast bpduguard default
>
> or
>
> spanning-tree portfast bpdufilter default
> int fa0/1
> spanning-tree bpduguard enable
>
> I didn't have time to lab this, but I am reasonably confident that it
> works in this way.
>
> Jason
>
>
> On 22 September 2010 21:31, Dr.Fleming <doctorfleming_at_gmail.com> wrote:
> > Hi Mustafa!!
> >
> > I enabled both features just to check what the result would be.
> > When a BPDU came into the access-port, the port went to err-disable, so
> the
> > BPDU Guard feature wins.
> >
> > I'm not sure if it's useful to enable both features in global config.
> BPDU
> > Filter stops sending BPDUs (but and access-port doesnt send BPDUs anyway)
> > and make the port loose its portfast condition if it receives a BPDU.
> > On the other hand, BPDU Guard doesnt make a port to stop sending BPDUs
> > (doesnt matter when the port is an access-port, because it already doesnt
> > send them) but it makes the port to shut down if it receives a BPDU.
> >
> > So, why to enable both features in global config?? I would config only
> BPDU
> > Guard.
> >
> > Experts, do you see any reason to do it??
> >
> >
> >
> > On Mon, Sep 20, 2010 at 4:38 PM, karim jamali <karim.jamali_at_gmail.com
> >wrote:
> >
> >> Hi Mustafa,
> >>
> >> I am not sure who will "win" but logically I can't seem to find any
> reason
> >> to do so unless a crazy CCIE task is trying to go that way. Note that
> >> bpdufilter acts both ways and it stops sending/receiving of BPDUs. BPDU
> >> guard as per my knowledge only acts in one direction and the action it
> >> takes
> >> is put a port in err-disabled state if it receives a BPDU.
> >>
> >> Best Regards,
> >>
> >> 2010/9/20 Mustafa Yadav <mustafa.yadav_at_gmail.com>
> >>
> >> > Hi
> >> > Can we enable bpdu filter default and bpduguard at the same time in
> >> global.
> >> > What will be the effect of this.any bpdy transmit or in the case of
> >> > bpdu receieved what happens
> >> >
> >> > --
> >> > Mobil cihaz}mdan gvnderildi
> >> >
> >> >
> >> > Blogs and organic groups at http://www.ccie.net
> >> >
> >> >
> _______________________________________________________________________
> >> > Subscription information may be found at:
> >> > http://www.groupstudy.com/list/CCIELab.html
> >> >
> >> >
> >> >
> >> >
> >> >
> >> >
> >> >
> >> >
> >>
> >>
> >> --
> >> KJ
> >>
> >>
> >> Blogs and organic groups at http://www.ccie.net
> >>
> >> _______________________________________________________________________
> >> Subscription information may be found at:
> >> http://www.groupstudy.com/list/CCIELab.html
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
> >
> >
> >
> >
> >
> >
> >
> >
>
-- KJ Blogs and organic groups at http://www.ccie.netReceived on Wed Sep 22 2010 - 13:38:03 ART
This archive was generated by hypermail 2.2.0 : Fri Oct 01 2010 - 05:58:05 ART