multiple devices on this same vlan.
From: Patrick.Laidlaw_at_wwt.com
To: ebay_products_at_hotmail.com; joe_at_affirmedsystems.com; chris_at_cwproctor.net;
ccielab_at_groupstudy.com
Date: Tue, 1 Mar 2011 15:15:14 -0600
Subject: RE: bpdufilter and bpduguard
Are they routing a subnet to you or are you landing multiple devices
on this same vlan/subnet for your use?
From: Cisco Fanatic [mailto:ebay_products_at_hotmail.com]
Sent: Tuesday, March 01, 2011 1:13 PM
To: Laidlaw, Patrick A.; joe_at_affirmedsystems.com; chris_at_cwproctor.net;
ccielab_at_groupstudy.com
Subject: RE: bpdufilter and bpduguard
They are handing us two switch interfaces that connect back to an svi somewhere.
> From: Patrick.Laidlaw_at_wwt.com
> To: joe_at_affirmedsystems.com; ebay_products_at_hotmail.com; chris_at_cwproctor.net; ccielab_at_groupstudy.com
> Date: Tue, 1 Mar 2011 14:49:04 -0600
> Subject: RE: bpdufilter and bpduguard
>
> Bpdufilter is a very dangerous command. It does have its places, but I generally avoid using it, especially if there is a chance that there are going to be two paths potentially. Bpduguard in this instance also sounds like it could be problematic for you depending on the SP infrastructure.
>
> You should get with the service provider and discuss the options you have with them.
>
> Joseph has a point that doing away with all spanning tree with a routed port is preferred but may not be practical depending on the situation.
>
> Are they handing off to you two Routed interfaces with some first hop redundancy protocol, or are they handing you two switch interfaces that connect back to an svi somewhere?
>
> Patrick
>
> -----Original Message-----
> From: Joseph L. Brunner [mailto:joe_at_affirmedsystems.com]
> Sent: Tuesday, March 01, 2011 12:09 PM
> To: Cisco Fanatic; chris_at_cwproctor.net; Laidlaw, Patrick A.; ccielab_at_groupstudy.com
> Subject: RE: bpdufilter and bpduguard
>
> Never use bpdufilter. It's that simple.
>
> For "carrier connections" make a Layer 3 routed port dude
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Cisco Fanatic
> Sent: Tuesday, March 01, 2011 2:44 PM
> To: chris_at_cwproctor.net; patrick.laidlaw_at_wwt.com; ccielab_at_groupstudy.com
> Subject: RE: bpdufilter and bpduguard
>
> Are you suggesting
>
> !
> spanning-tree portfast bpduguard default <--
> !
> interface GigabitEthernet1/0/38
> switchport access vlan 10
> switchport mode access
> spanning-tree portfast
> spanning-tree bpdufilter enable <--
> !
>
> instead of
>
> !
> spanning-tree portfast bpdufilter default <--
> !
> interface GigabitEthernet1/0/38
> switchport access vlan 10
> switchport mode access
> spanning-tree portfast
> spanning-tree bpduguard enable <--
> !
>
>
> > From: chris_at_cwproctor.net
> > Subject: RE: bpdufilter and bpduguard
> > Date: Tue, 1 Mar 2011 14:23:27 -0500
> > To: ebay_products_at_hotmail.com; patrick.laidlaw_at_wwt.com; ccielab_at_groupstudy.com
> >
> > Be careful. My little study group tested this and in all cases we tried bpdufilter trumped guard. This terminated the spanning tree domain (or split it) and permitted the formation of undetected loops.
> >
> >
> >
> > -----Original Message-----
> > From: Cisco Fanatic <ebay_products_at_hotmail.com>
> > Sent: March 01, 2011 2:15 PM
> > To: patrick.laidlaw_at_wwt.com; ccielab_at_groupstudy.com
> > Subject: RE: bpdufilter and bpduguard
> >
> > We have 2 stackable switches connected to a hosting service provider.
> > Someone tried to connect to one of the switches and we are trying to put some best practice in place to avoid this.
> >
> > > From: Patrick.Laidlaw_at_wwt.com
> > > To: ebay_products_at_hotmail.com; ccielab_at_groupstudy.com
> > > Date: Tue, 1 Mar 2011 12:57:59 -0600
> > > Subject: RE: bpdufilter and bpduguard
> > >
> > > Yuri,
> > >
> > > What is your goal in using these configurations? Answer us that before we give you recommendations. What is the scenario that dictates the need for these features?
> > >
> > > IE bpdufilter I would use if connecting to a service provider.
> > > IE bpduguard I would use out to end user workstations that I want to ensure they're not placing a hub or switch, or to protect from the infamous user plugging both ports of an ipphone into the wall jacks.
> > >
> > > Patrick
> > >
> > > -----Original Message-----
> > > From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Cisco Fanatic
> > > Sent: Tuesday, March 01, 2011 10:46 AM
> > > To: ccielab_at_groupstudy.com
> > > Subject: bpdufilter and bpduguard
> > >
> > > This might have been asked multiple times. I understand the differences, but could not really convince myself what recommendation I should follow:
> > >
> > > !
> > > interface GigabitEthernet1/0/38
> > > switchport access vlan 10
> > > switchport mode access
> > > spanning-tree portfast
> > > spanning-tree bpdufilter enable
> > > spanning-tree bpduguard enable
> > > !
> > >
> > > Or,
> > > !
> > > spanning-tree portfast bpdufilter default
> > > !
> > > interface GigabitEthernet1/0/38
> > > switchport access vlan 10
> > > switchport mode access
> > > spanning-tree portfast
> > > spanning-tree bpduguard enable
> > > !
> > >
> > > The second option looks promising to me as bpduguard will take precedence and will put the port in err-disable state before BPDUFilter can transition the port back to normal.
> > >
> > > -Yuri
Received on Tue Mar 01 2011 - 13:28:05 ART
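
An added example, not part of the thread or any poster's configuration: a Python check that reads IOS-style configuration text and reports ports where BPDU filter and BPDU guard are combined, the case the thread argues about. The function name `audit_bpdu_settings` and the sample config (assembled from the configs quoted in the thread, with a second constructed port) are assumptions.

```python
# Constructed sample: Gi1/0/38 is the first option from the original question;
# Gi1/0/39 is a constructed port that relies on the global filter default.
SAMPLE_CONFIG = """\
spanning-tree portfast bpdufilter default
!
interface GigabitEthernet1/0/38
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/39
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
"""

def audit_bpdu_settings(config_text):
    """Return {interface: [notes]} for ports that combine filter and guard."""
    global_filter = global_guard = False
    ports, current = {}, None
    for raw in config_text.splitlines():
        line = " ".join(raw.split())          # tolerate missing indentation
        if line.startswith("interface "):
            current = ports.setdefault(line.split()[1], set())
        elif line == "!":
            current = None
        elif line == "spanning-tree portfast bpdufilter default":
            global_filter = True
        elif line == "spanning-tree portfast bpduguard default":
            global_guard = True
        elif current is not None and line.startswith("spanning-tree "):
            current.add(line[len("spanning-tree "):])
    findings = {}
    for name, opts in ports.items():
        portfast = "portfast" in opts
        guard = "bpduguard enable" in opts or (
            global_guard and portfast and "bpduguard disable" not in opts)
        notes = []
        if "bpdufilter enable" in opts:
            notes.append("interface bpdufilter: port neither sends nor processes BPDUs")
            if guard:
                notes.append("bpduguard also applies but cannot act on filtered BPDUs")
        elif global_filter and portfast and guard:
            notes.append("global bpdufilter default with bpduguard: verify which wins")
        if notes:
            findings[name] = notes
    return findings
```

Ports that only have bpduguard, with no filter at either level, are not reported.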