Bpdufilter is a very dangerous command. It does have its places, but I generally avoid using it, especially if there is a chance that there are going to be two paths potentially. Bpduguard in this instance also sounds like it could be problematic for you depending on the SP infrastructure.
You should get with the service provider and discuss the options you have with them.
Joseph has a point that doing away with all spanning tree with a routed port is preferred but may not be practical depending on the situation.
Are they handing off to you two routed interfaces with some first hop redundancy protocol, or are they handing you two switch interfaces that connect back to an SVI somewhere?
Patrick
-----Original Message-----
From: Joseph L. Brunner [mailto:joe_at_affirmedsystems.com]
Sent: Tuesday, March 01, 2011 12:09 PM
To: Cisco Fanatic; chris_at_cwproctor.net; Laidlaw, Patrick A.; ccielab_at_groupstudy.com
Subject: RE: bpdufilter and bpduguard
Never use bpdufilter. It's that simple.
For "carrier connections" make a Layer 3 routed port, dude.
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Cisco Fanatic
Sent: Tuesday, March 01, 2011 2:44 PM
To: chris_at_cwproctor.net; patrick.laidlaw_at_wwt.com; ccielab_at_groupstudy.com
Subject: RE: bpdufilter and bpduguard
Are you suggesting
!
spanning-tree portfast bpduguard default <--
!
interface GigabitEthernet1/0/38
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable <--
!
instead of
!
spanning-tree portfast bpdufilter default <--
!
interface GigabitEthernet1/0/38
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable <--
!
> From: chris_at_cwproctor.net
> Subject: RE: bpdufilter and bpduguard
> Date: Tue, 1 Mar 2011 14:23:27 -0500
> To: ebay_products_at_hotmail.com; patrick.laidlaw_at_wwt.com; ccielab_at_groupstudy.com
>
> Be careful. My little study group tested this and in all cases we tried, bpdufilter trumped guard. This terminated the spanning tree domain (or split it) and permitted the formation of undetected loops.
>
>
>
> -----Original Message-----
> From: Cisco Fanatic <ebay_products_at_hotmail.com>
> Sent: March 01, 2011 2:15 PM
> To: patrick.laidlaw_at_wwt.com; ccielab_at_groupstudy.com
> Subject: RE: bpdufilter and bpduguard
>
> We have 2 stackable switches connected to a hosting service provider.
> Someone tried to connect to one of the switches and we are trying to put
> some best practice in place to avoid this.
>
> > From: Patrick.Laidlaw_at_wwt.com
> > To: ebay_products_at_hotmail.com; ccielab_at_groupstudy.com
> > Date: Tue, 1 Mar 2011 12:57:59 -0600
> > Subject: RE: bpdufilter and bpduguard
> >
> > Yuri,
> >
> > What is your goal in using these configurations? Answer us that before we give you recommendations. What is the scenario that dictates the need for these features?
> >
> > IE bpdufilter I would use if connecting to a service provider.
> > IE bpduguard I would use out to end user workstations that I want to ensure they're not placing a hub or switch or to protect from the infamous user plugging both ports of an IP phone into the wall jacks.
> >
> > Patrick
> >
> > -----Original Message-----
> > From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Cisco Fanatic
> > Sent: Tuesday, March 01, 2011 10:46 AM
> > To: ccielab_at_groupstudy.com
> > Subject: bpdufilter and bpduguard
> >
> > This might have been asked multiple times. I understand the differences, but could not really convince myself what recommendation I should follow
> >
> > !
> > interface GigabitEthernet1/0/38
> >  switchport access vlan 10
> >  switchport mode access
> >  spanning-tree portfast
> >  spanning-tree bpdufilter enable
> >  spanning-tree bpduguard enable
> > !
> >
> > Or,
> > !
> > spanning-tree portfast bpdufilter default
> > !
> > interface GigabitEthernet1/0/38
> >  switchport access vlan 10
> >  switchport mode access
> >  spanning-tree portfast
> >  spanning-tree bpduguard enable
> > !
> >
> > The second option looks promising to me as bpduguard will take precedence and will put the port in err-disable state before BPDUFilter can transition the port back to normal.
> >
> > -Yuri
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http
>
> [The entire original message is not included]
Received on Tue Mar 01 2011 - 14:49:04 ART
This archive was generated by hypermail 2.2.0 : Fri Apr 01 2011 - 06:35:41 ART
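
Added example, not part of the original thread or written by any of its participants: a small audit script that reads an IOS-style configuration and lists every port where bpdufilter applies, noting when bpduguard is configured alongside it, which is the combination the thread reports as leaving loops undetected. The sample configuration, the audit() function and the finding labels are constructed for illustration; the script only recognises the command spellings posted in the thread and treats "!" as the end of an interface section.

```python
# Constructed sample config (not from the thread); commands as posted there.
SAMPLE = """\
spanning-tree portfast bpdufilter default
!
interface GigabitEthernet1/0/37
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/38
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/39
 spanning-tree bpduguard enable
!
"""

def audit(config):
    """Map interface name -> finding for every port where bpdufilter applies."""
    global_filter = False
    ports, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "!":                       # "!" closes an interface section
            current = None
        elif line.startswith("interface "):
            current = ports.setdefault(line.split()[1], set())
        elif line.startswith("spanning-tree "):
            cmd = line[len("spanning-tree "):]
            if current is None:               # global configuration line
                global_filter |= cmd == "portfast bpdufilter default"
            else:
                current.add(cmd)
    findings = {}
    for name, cmds in ports.items():
        if "bpdufilter enable" in cmds:
            kind = "interface-filter"         # port neither sends nor processes BPDUs
        elif global_filter and "portfast" in cmds and "bpdufilter disable" not in cmds:
            kind = "global-filter"            # inherited from the global default
        else:
            continue
        findings[name] = kind + ("+guard" if "bpduguard enable" in cmds else "")
    return findings

if __name__ == "__main__":
    for port, finding in audit(SAMPLE).items():
        print(port, finding)
```

A port reported with "+guard" is one where the configured bpduguard should be verified in the lab before it is relied on to err-disable the port.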