RE: bpdufilter and bpduguard

From: Cisco Fanatic <ebay_products_at_hotmail.com>
Date: Tue, 1 Mar 2011 14:58:22 -0800

Thanks All, I will try this this weekend and see what's the result.

> Date: Tue, 1 Mar 2011 17:11:32 -0500
> From: chris_at_cwproctor.net
> To: ebay_products_at_hotmail.com
> CC: patrick.laidlaw_at_wwt.com; joe_at_affirmedsystems.com; ccielab_at_groupstudy.com
> Subject: Re: bpdufilter and bpduguard
>
> I think the easiest way to think about it is this:
> BPDU filter ENDS the spanning tree domain. The only time where it can
> be safely used is between two autonomous systems with no possibilities
> of loops. Service provider edges, etc.
>
> The confusion seems to be that it "sounds" like bpdu filter and guard do
> the same thing but ultimately they are not used in the same
> circumstance. BPDUguard is a "just in case" protection tool. Filter is
> an outright manual termination between two spanning tree domains.
>
> On 3/1/2011 4:12 PM, Cisco Fanatic wrote:
> > They are handing us
> > two switch interfaces that connect back to an svi somewhere.
> >
> > > From: Patrick.Laidlaw_at_wwt.com
> > > To: joe_at_affirmedsystems.com; ebay_products_at_hotmail.com; chris_at_cwproctor.net; ccielab_at_groupstudy.com
> > > Date: Tue, 1 Mar 2011 14:49:04 -0600
> > > Subject: RE: bpdufilter and bpduguard
> > >
> > > Bpdufilter is a very dangerous command; it does have its places but I
> > > generally avoid using it, especially if there is a chance that there
> > > are going to be two paths potentially. Bpduguard in this instance also
> > > sounds like it could be problematic for you depending on the SP
> > > infrastructure.
> > >
> > > You should get with the service provider and discuss the options you
> > > have with them.
> > >
> > > Joseph has a point that doing away with all spanning tree with a
> > > routed port is preferred but may not be practical depending on the
> > > situation.
> > >
> > > Are they handing off to you two routed interfaces with some first
> > > hop redundancy protocol, or are they handing you two switch interfaces
> > > that connect back to an svi somewhere?
> > >
> > > Patrick
> > >
> > > -----Original Message-----
> > > From: Joseph L. Brunner [mailto:joe_at_affirmedsystems.com]
> > > Sent: Tuesday, March 01, 2011 12:09 PM
> > > To: Cisco Fanatic; chris_at_cwproctor.net; Laidlaw, Patrick A.; ccielab_at_groupstudy.com
> > > Subject: RE: bpdufilter and bpduguard
> > >
> > > Never use bpdufilter. It's that simple.
> > >
> > > For "carrier connections" make a Layer 3 routed port dude
> > >
> > > -----Original Message-----
> > > From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Cisco Fanatic
> > > Sent: Tuesday, March 01, 2011 2:44 PM
> > > To: chris_at_cwproctor.net; patrick.laidlaw_at_wwt.com; ccielab_at_groupstudy.com
> > > Subject: RE: bpdufilter and bpduguard
> > >
> > > Are you suggesting
> > >
> > > !
> > > spanning-tree portfast bpduguard default <--
> > > !
> > > interface GigabitEthernet1/0/38
> > >  switchport access vlan 10
> > >  switchport mode access
> > >  spanning-tree portfast
> > >  spanning-tree bpdufilter enable <--
> > > !
> > >
> > > instead of
> > >
> > > !
> > > spanning-tree portfast bpdufilter default <--
> > > !
> > > interface GigabitEthernet1/0/38
> > >  switchport access vlan 10
> > >  switchport mode access
> > >  spanning-tree portfast
> > >  spanning-tree bpduguard enable <--
> > > !
> > >
> > >
> > > > From: chris_at_cwproctor.net
> > > > Subject: RE: bpdufilter and bpduguard
> > > > Date: Tue, 1 Mar 2011 14:23:27 -0500
> > > > To: ebay_products_at_hotmail.com; patrick.laidlaw_at_wwt.com; ccielab_at_groupstudy.com
> > > >
> > > > Be careful. My little study group tested this and in all cases we
> > > > tried bpdufilter trumped guard. This terminated the spanning tree
> > > > domain (or split it) and permitted the formation of undetected loops.
> > > >
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: Cisco Fanatic <ebay_products_at_hotmail.com>
> > > > Sent: March 01, 2011 2:15 PM
> > > > To: patrick.laidlaw_at_wwt.com; ccielab_at_groupstudy.com
> > > > Subject: RE: bpdufilter and bpduguard
> > > >
> > > > We have 2 stackable switches connected to a hosting service
> > > > provider. Someone tried to connect to one of the switches and we
> > > > are trying to put some best practice in place to avoid this.
> > > >
> > > > > From: Patrick.Laidlaw_at_wwt.com
> > > > > To: ebay_products_at_hotmail.com; ccielab_at_groupstudy.com
> > > > > Date: Tue, 1 Mar 2011 12:57:59 -0600
> > > > > Subject: RE: bpdufilter and bpduguard
> > > > >
> > > > > Yuri,
> > > > >
> > > > > What is your goal in using these configurations? Answer us that
> > > > > before we give you recommendations. What is the scenario that
> > > > > dictates the need for these features?
> > > > >
> > > > > IE bpdufilter I would use if connecting to a service provider.
> > > > > IE bpduguard I would use out to end user workstations that I want
> > > > > to ensure they're not placing a hub or switch, or to protect from
> > > > > the infamous user plugging both ports of an IP phone into the wall
> > > > > jacks.
> > > > >
> > > > > Patrick
> > > > >
> > > > > -----Original Message-----
> > > > > From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Cisco Fanatic
> > > > > Sent: Tuesday, March 01, 2011 10:46 AM
> > > > > To: ccielab_at_groupstudy.com
> > > > > Subject: bpdufilter and bpduguard
> > > > >
> > > > > This might have been asked multiple times. I understand the
> > > > > differences, but could not really convince myself what
> > > > > recommendation I should follow.
> > > > >
> > > > > !
> > > > > interface GigabitEthernet1/0/38
> > > > >  switchport access vlan 10
> > > > >  switchport mode access
> > > > >  spanning-tree portfast
> > > > >  spanning-tree bpdufilter enable
> > > > >  spanning-tree bpduguard enable
> > > > > !
> > > > >
> > > > > Or,
> > > > > !
> > > > > spanning-tree portfast bpdufilter default
> > > > > !
> > > > > interface GigabitEthernet1/0/38
> > > > >  switchport access vlan 10
> > > > >  switchport mode access
> > > > >  spanning-tree portfast
> > > > >  spanning-tree bpduguard enable
> > > > > !
> > > > >
> > > > > The second option looks promising to me as bpduguard will take
> > > > > precedence and will put the port in err-disable state before
> > > > > BPDUFilter can transition the port back to normal.
> > > > >
> > > > > -Yuri
> > > > >
> > > > >
> > > > > Blogs and organic groups at http://www.ccie.net
> > > > >
> > > > >
> > > > > _______________________________________________________________________
> > > > > Subscription information may be found at:
> > > > > http
> > > >
> > > > [The entire original message is not included]
>
> --
> Chris Proctor

Received on Tue Mar 01 2011 - 14:58:22 ART
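
Added example (not part of the original thread and not any poster's code): a small audit of IOS-style config text that flags ports where an interface-level bpdufilter sits alongside bpduguard, the combination the thread reports as leaving guard ineffective. The sample config and verdict names are constructed; the model assumes the classic syntax shown in the thread and that the global bpdufilter default stops filtering once a portfast port receives a BPDU, so guard can still act there.

```python
import re

# Constructed sample (not from a real device), mixing the variants posted in the thread.
SAMPLE = """\
spanning-tree portfast bpdufilter default
!
interface GigabitEthernet1/0/38
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/39
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/40
 spanning-tree portfast
"""

def audit(config):
    """Map each interface to a verdict on its BPDU protection (assumed model)."""
    global_cmds, ports, current = set(), {}, None
    for raw in config.splitlines():
        line = " ".join(raw.split())              # normalise whitespace
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = ports.setdefault(m.group(1), set())
        elif not raw[:1].isspace():
            current = None                        # unindented line ends the interface block
        if line.startswith("spanning-tree "):
            (global_cmds if current is None else current).add(line)
    verdicts = {}
    for name, cmds in ports.items():
        portfast = "spanning-tree portfast" in cmds
        # Interface-level filter is unconditional: BPDUs are dropped, guard never sees one.
        iface_filter = "spanning-tree bpdufilter enable" in cmds
        global_filter = (portfast and "spanning-tree bpdufilter disable" not in cmds
                         and "spanning-tree portfast bpdufilter default" in global_cmds)
        guard = "spanning-tree bpduguard enable" in cmds or (
            portfast and "spanning-tree bpduguard disable" not in cmds
            and "spanning-tree portfast bpduguard default" in global_cmds)
        if iface_filter:
            verdicts[name] = "FILTER_OVERRIDES_GUARD" if guard else "FILTER_ONLY"
        elif guard:
            verdicts[name] = "GUARD_ACTIVE"
        else:
            verdicts[name] = "GLOBAL_FILTER_ONLY" if global_filter else "NO_BPDU_PROTECTION"
    return verdicts
```

Any port reported as FILTER_OVERRIDES_GUARD or FILTER_ONLY is one where a loop behind that port would go undetected by spanning tree.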

This archive was generated by hypermail 2.2.0 : Fri Apr 01 2011 - 06:35:41 ART