Re: bpdufilter and bpduguard

From: Chris Proctor <chris_at_cwproctor.net>
Date: Tue, 01 Mar 2011 17:11:32 -0500

I think the easiest way to think about it is this:
BPDU filter ENDS the spanning tree domain. The only time it can be
safely used is between two autonomous systems with no possibility of
loops: service provider edges, etc.

The confusion seems to be that it "sounds" like bpdu filter and guard do
the same thing but ultimately they are not used in the same
circumstance. BPDUguard is a "just in case" protection tool. Filter is
an outright manual termination between two spanning tree domains.

On 3/1/2011 4:12 PM, Cisco Fanatic wrote:
> They are handing us
> two switch interfaces that connect back to an svi somewhere.
>
> > From: Patrick.Laidlaw_at_wwt.com
> > To: joe_at_affirmedsystems.com; ebay_products_at_hotmail.com;
> > chris_at_cwproctor.net; ccielab_at_groupstudy.com
> > Date: Tue, 1 Mar 2011 14:49:04 -0600
> > Subject: RE: bpdufilter and bpduguard
> >
> > Bpdufilter is a very dangerous command. It does have its places, but I
> > generally avoid using it, especially if there is a chance that there
> > are going to be two paths potentially. Bpduguard in this instance also
> > sounds like it could be problematic for you depending on the SP
> > infrastructure.
> >
> > You should get with the service provider and discuss the options you
> > have with them.
> >
> > Joseph has a point that doing away with all spanning tree with a
> > routed port is preferred but may not be practical depending on the
> > situation.
> >
> > Are they handing off to you two routed interfaces with some first
> > hop redundancy protocol, or are they handing you two switch interfaces
> > that connect back to an SVI somewhere?
> >
> > Patrick
> >
> > -----Original Message-----
> > From: Joseph L. Brunner [mailto:joe_at_affirmedsystems.com]
> > Sent: Tuesday, March 01, 2011 12:09 PM
> > To: Cisco Fanatic; chris_at_cwproctor.net; Laidlaw, Patrick A.;
> > ccielab_at_groupstudy.com
> > Subject: RE: bpdufilter and bpduguard
> >
> > Never use bpdufilter. It's that simple.
> >
> > For "carrier connections" make a Layer 3 routed port, dude.
> >
> > -----Original Message-----
> > From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf
> > Of Cisco Fanatic
> > Sent: Tuesday, March 01, 2011 2:44 PM
> > To: chris_at_cwproctor.net; patrick.laidlaw_at_wwt.com; ccielab_at_groupstudy.com
> > Subject: RE: bpdufilter and bpduguard
> >
> > Are you suggesting
> >
> > !
> > spanning-tree portfast bpduguard default <--
> > !
> > interface GigabitEthernet1/0/38
> > switchport access vlan 10
> > switchport mode access
> > spanning-tree portfast
> > spanning-tree bpdufilter enable <--
> > !
> >
> > instead of
> >
> > !
> > spanning-tree portfast bpdufilter default <--
> > !
> > interface GigabitEthernet1/0/38
> > switchport access vlan 10
> > switchport mode access
> > spanning-tree portfast
> > spanning-tree bpduguard enable <--
> > !
> >
> >
> > > From: chris_at_cwproctor.net
> > > Subject: RE: bpdufilter and bpduguard
> > > Date: Tue, 1 Mar 2011 14:23:27 -0500
> > > To: ebay_products_at_hotmail.com; patrick.laidlaw_at_wwt.com;
> > > ccielab_at_groupstudy.com
> > >
> > > Be careful. My little study group tested this and in all cases we
> > > tried, bpdufilter trumped guard. This terminated the spanning tree
> > > domain (or split it) and permitted the formation of undetected loops.
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: Cisco Fanatic <ebay_products_at_hotmail.com>
> > > Sent: March 01, 2011 2:15 PM
> > > To: patrick.laidlaw_at_wwt.com; ccielab_at_groupstudy.com
> > > Subject: RE: bpdufilter and bpduguard
> > >
> > > We have 2 stackable switches connected to a hosting service provider.
> > > Someone tried to connect to one of the switches and we are trying
> > > to put some best practice in place to avoid this.
> > >
> > > > From: Patrick.Laidlaw_at_wwt.com
> > > > To: ebay_products_at_hotmail.com; ccielab_at_groupstudy.com
> > > > Date: Tue, 1 Mar 2011 12:57:59 -0600
> > > > Subject: RE: bpdufilter and bpduguard
> > > >
> > > > Yuri,
> > > >
> > > > What is your goal in using these configurations? Answer us that
> > > > before we give you recommendations. What is the scenario that
> > > > dictates the need for these features?
> > > >
> > > > I.e. bpdufilter I would use if connecting to a service provider.
> > > > I.e. bpduguard I would use out to end user workstations where I want
> > > > to ensure they're not placing a hub or switch, or to protect from the
> > > > infamous user plugging both ports of an IP phone into the wall jacks.
> > > >
> > > > Patrick
> > > >
> > > > -----Original Message-----
> > > > From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On
> > > > Behalf Of Cisco Fanatic
> > > > Sent: Tuesday, March 01, 2011 10:46 AM
> > > > To: ccielab_at_groupstudy.com
> > > > Subject: bpdufilter and bpduguard
> > > >
> > > > This might have been asked multiple times. I understand the
> > > > differences, but could not really convince myself which recommendation
> > > > I should follow.
> > > >
> > > > !
> > > > interface GigabitEthernet1/0/38
> > > > switchport access vlan 10
> > > > switchport mode access
> > > > spanning-tree portfast
> > > > spanning-tree bpdufilter enable
> > > > spanning-tree bpduguard enable
> > > > !
> > > >
> > > > Or,
> > > > !
> > > > spanning-tree portfast bpdufilter default
> > > > !
> > > > interface GigabitEthernet1/0/38
> > > > switchport access vlan 10
> > > > switchport mode access
> > > > spanning-tree portfast
> > > > spanning-tree bpduguard enable
> > > > !
> > > >
> > > > The second option looks promising to me as bpduguard will take
> > > > precedence and will put the port in err-disable state before BPDUFilter
> > > > can transition the port back to normal.
> > > >
> > > > -Yuri
> > > >
> > > >
> > > > Blogs and organic groups at http://www.ccie.net
> > > >
> > > >
> > > > _______________________________________________________________________
> > > > Subscription information may be found at:
> > > > http
> > >
> > > [The entire original message is not included]
> > >
>

-- 
Chris Proctor
Received on Tue Mar 01 2011 - 17:11:32 ART
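Added example, not from any poster in this thread: a small Python audit that parses the two IOS configurations Yuri compared (constructed copies below) and reports what a received BPDU does to the port under the precedence the thread describes. The rules model the behaviour the posters report (an interface-level `spanning-tree bpdufilter enable` discards BPDUs before guard ever sees them, which is why Chris's study group saw filter trump guard; with only the global `portfast bpdufilter default`, a received BPDU is still processed, so bpduguard can err-disable the port); they are a model of that description, not a vendor-verified implementation.

```python
# Constructed copies of the two configurations discussed in the thread.
OPTION_1 = """!
interface GigabitEthernet1/0/38
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
!"""
OPTION_2 = """!
spanning-tree portfast bpdufilter default
!
interface GigabitEthernet1/0/38
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!"""

def parse_config(text):
    """Split IOS text into global lines and per-interface line lists."""
    global_lines, interfaces, current = set(), {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None                  # '!' closes the stanza
        elif line.startswith("interface "):
            current = line.split()[1]
            interfaces[current] = []
        elif current is not None:
            interfaces[current].append(line)
        else:
            global_lines.add(line)
    return global_lines, interfaces

def on_bpdu_received(global_lines, iface):
    """Modelled outcome when a BPDU arrives on the port."""
    if "spanning-tree bpdufilter enable" in iface:
        # Interface-level filter drops the BPDU before guard or STP sees it.
        return "dropped-silently"
    guard = "spanning-tree bpduguard enable" in iface or (
        "spanning-tree portfast" in iface
        and "spanning-tree portfast bpduguard default" in global_lines
        and "spanning-tree bpduguard disable" not in iface)
    # Global 'portfast bpdufilter default' stops filtering once a BPDU arrives.
    return "err-disabled" if guard else "processed"

def audit(text):
    g, ifs = parse_config(text)
    return {n: on_bpdu_received(g, lines) for n, lines in ifs.items()}
```

`audit(OPTION_1)` flags the port as dropping BPDUs silently, the undetected-loop case; `audit(OPTION_2)` reports that the same BPDU would err-disable it.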

This archive was generated by hypermail 2.2.0 : Fri Apr 01 2011 - 06:35:41 ART