Be careful. My little study group tested this and in all cases we tried bpdufilter trumped guard. This terminated the spanning tree domain (or split it) and permitted the formation of undetected loops.
-----Original Message-----
From: Cisco Fanatic <ebay_products_at_hotmail.com>
Sent: March 01, 2011 2:15 PM
To: patrick.laidlaw_at_wwt.com; ccielab_at_groupstudy.com
Subject: RE: bpdufilter and bpduguard
We have 2 stackable switches connected to a hosting service provider.
Someone tried to connect to one of the switches and we are trying to put
some best practice in place to avoid this.
> From: Patrick.Laidlaw_at_wwt.com
> To: ebay_products_at_hotmail.com; ccielab_at_groupstudy.com
> Date: Tue, 1 Mar 2011 12:57:59 -0600
> Subject: RE: bpdufilter and bpduguard
>
> Yuri,
>
> What is your goal in using these configurations? Answer us that before we
> give you recommendations. What is the scenario that dictates the need for
> these features?
>
> IE bpdufilter I would use if connecting to a service provider.
> IE bpduguard I would use out to end user workstations that I want to ensure
> they're not placing a hub or switch, or to protect from the infamous user
> plugging both ports of an IP phone into the wall jacks.
>
> Patrick
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Cisco Fanatic
> Sent: Tuesday, March 01, 2011 10:46 AM
> To: ccielab_at_groupstudy.com
> Subject: bpdufilter and bpduguard
>
> This might have been asked multiple times. I understand the differences, but
> could not really convince myself what recommendation I should follow.
>
> !
> interface GigabitEthernet1/0/38
> switchport access vlan 10
> switchport mode access
> spanning-tree portfast
> spanning-tree bpdufilter enable
> spanning-tree bpduguard enable
> !
>
> Or,
> !
> spanning-tree portfast bpdufilter default
> !
> interface GigabitEthernet1/0/38
> switchport access vlan 10
> switchport mode access
> spanning-tree portfast
> spanning-tree bpduguard enable
> !
>
> The second option looks promising to me as bpduguard will take precedence and
> will put the port in err-disable state before BPDUFilter can transition the
> port back to normal.
>
> -Yuri
>
>
> Blogs and organic groups at http://www.ccie.net
[The entire original message is not included]
Received on Tue Mar 01 2011 - 14:23:27 ART
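An added example, not part of the thread and not Cisco tooling: a small Python audit over a saved IOS-style config that flags ports where interface-level `bpdufilter` is configured next to `bpduguard`, the combination the reply at the top reports as filter trumping guard. The sample config, function names and finding labels are assumptions made for illustration.

```python
import re

# Constructed sample: port 37 = first quoted option, 38 = second, 39 = neither.
SAMPLE_CONFIG = """\
spanning-tree portfast bpdufilter default
!
interface GigabitEthernet1/0/37
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/38
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/39
 spanning-tree portfast
"""

def parse(config):
    """Map each interface name to its commands; key None holds global lines."""
    sections, current = {None: []}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if not raw[0].isspace():          # unindented line resets the scope
            m = re.match(r"interface\s+(\S+)", raw)
            current = m.group(1) if m else None
            if current:
                sections.setdefault(current, [])
                continue
        sections[current].append(raw.strip())
    return sections

def audit(config):
    """Label each interface by how BPDU filter and guard are combined on it."""
    sections = parse(config)
    global_filter = "spanning-tree portfast bpdufilter default" in sections.pop(None)
    findings = {}
    for name, cmds in sections.items():
        flt = "spanning-tree bpdufilter enable" in cmds
        guard = "spanning-tree bpduguard enable" in cmds
        if flt:   # interface-level filter: the case the reply reports trumped guard
            findings[name] = "filter-masks-guard" if guard else "filter-only"
        elif guard:
            findings[name] = "guard+global-filter" if global_filter else "guard"
        else:
            findings[name] = "no-guard"
    return findings
```

Calling `audit(SAMPLE_CONFIG)` returns one label per interface; ports labelled `filter-masks-guard` or `filter-only` are the ones to review first.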