Re: bpdufilter and bpduguard

From: Dr.Fleming <doctorfleming_at_gmail.com>
Date: Wed, 23 Mar 2011 15:11:15 +0100

Maybe this link helps to understand the difference between both features:

http://blog.initialdraft.com/archives/280

On Tue, Mar 1, 2011 at 11:58 PM, Cisco Fanatic <ebay_products_at_hotmail.com> wrote:

> Thanks all, I will try this this weekend and see what the result is.
>
> > Date: Tue, 1 Mar 2011 17:11:32 -0500
> > From: chris_at_cwproctor.net
> > To: ebay_products_at_hotmail.com
> > CC: patrick.laidlaw_at_wwt.com; joe_at_affirmedsystems.com;
> ccielab_at_groupstudy.com
> > Subject: Re: bpdufilter and bpduguard
> >
> > I think the easiest way to think about it is this:
> > BPDU filter ENDS the spanning tree domain. The only time where it can
> > be safely used is between two autonomous systems with no possibilities
> > of loops. Service provider edges, etc.
> >
> > The confusion seems to be that it "sounds" like bpdu filter and guard do
> > the same thing but ultimately they are not used in the same
> > circumstance. BPDUguard is a "just in case" protection tool. Filter is
> > an outright manual termination between two spanning tree domains.
> >
> > On 3/1/2011 4:12 PM, Cisco Fanatic wrote:
> > > They are handing us
> > > two switch interfaces that connect back to an svi somewhere.
> > >
> > > > From: Patrick.Laidlaw_at_wwt.com
> > > > To: joe_at_affirmedsystems.com; ebay_products_at_hotmail.com;
> > > chris_at_cwproctor.net; ccielab_at_groupstudy.com
> > > > Date: Tue, 1 Mar 2011 14:49:04 -0600
> > > > Subject: RE: bpdufilter and bpduguard
> > > >
> > > > Bpdufilter is a very dangerous command. It does have its places, but I
> > > > generally avoid using it, especially if there is a chance that there
> > > > are going to be two paths potentially. Bpduguard in this instance also
> > > > sounds like it could be problematic for you depending on the SP
> > > > infrastructure.
> > > >
> > > > You should get with the service provider and discuss the options you
> > > > have with them.
> > > >
> > > > Joseph has a point that doing away with all spanning tree with a
> > > > routed port is preferred but may not be practical depending on the
> > > > situation.
> > > >
> > > > Are they handing off to you two Routed interfaces with some first
> > > > hop redundancy protocol, or are they handing you two switch interfaces
> > > > that connect back to an svi somewhere?
> > > >
> > > > Patrick
> > > >
> > > > -----Original Message-----
> > > > From: Joseph L. Brunner [mailto:joe_at_affirmedsystems.com]
> > > > Sent: Tuesday, March 01, 2011 12:09 PM
> > > > To: Cisco Fanatic; chris_at_cwproctor.net; Laidlaw, Patrick A.;
> > > ccielab_at_groupstudy.com
> > > > Subject: RE: bpdufilter and bpduguard
> > > >
> > > > Never use bpdufilter. Its that simple.
> > > >
> > > > For "carrier connections" make a Layer 3 routed port dude
> > > >
> > > > -----Original Message-----
> > > > From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf
> > > > Of Cisco Fanatic
> > > > Sent: Tuesday, March 01, 2011 2:44 PM
> > > > To: chris_at_cwproctor.net; patrick.laidlaw_at_wwt.com;
> > > > ccielab_at_groupstudy.com
> > > > Subject: RE: bpdufilter and bpduguard
> > > >
> > > > Are you suggesting
> > > >
> > > > !
> > > > spanning-tree portfast bpduguard default <--
> > > > !
> > > > interface GigabitEthernet1/0/38
> > > > switchport access vlan 10
> > > > switchport mode access
> > > > spanning-tree portfast
> > > > spanning-tree bpdufilter enable <--
> > > > !
> > > >
> > > > instead of
> > > >
> > > > !
> > > > spanning-tree portfast bpdufilter default <--
> > > > !
> > > > interface GigabitEthernet1/0/38
> > > > switchport access vlan 10
> > > > switchport mode access
> > > > spanning-tree portfast
> > > > spanning-tree bpduguard enable <--
> > > > !
> > > >
> > > >
> > > > > From: chris_at_cwproctor.net
> > > > > Subject: RE: bpdufilter and bpduguard
> > > > > Date: Tue, 1 Mar 2011 14:23:27 -0500
> > > > > To: ebay_products_at_hotmail.com; patrick.laidlaw_at_wwt.com;
> > > > > ccielab_at_groupstudy.com
> > > > >
> > > > > Be careful. My little study group tested this and in all cases we
> > > > > tried, bpdufilter trumped guard. This terminated the spanning tree
> > > > > domain (or split it) and permitted the formation of undetected loops.
> > > > >
> > > > >
> > > > >
> > > > > -----Original Message-----
> > > > > From: Cisco Fanatic <ebay_products_at_hotmail.com>
> > > > > Sent: March 01, 2011 2:15 PM
> > > > > To: patrick.laidlaw_at_wwt.com; ccielab_at_groupstudy.com
> > > > > Subject: RE: bpdufilter and bpduguard
> > > > >
> > > > > We have 2 stackable switches connected to a hosting service
> > > > > provider. Someone tried to connect to one of the switches and we are
> > > > > trying to put some best practice in place to avoid this.
> > > > >
> > > > > > From: Patrick.Laidlaw_at_wwt.com
> > > > > > To: ebay_products_at_hotmail.com; ccielab_at_groupstudy.com
> > > > > > Date: Tue, 1 Mar 2011 12:57:59 -0600
> > > > > > Subject: RE: bpdufilter and bpduguard
> > > > > >
> > > > > > Yuri,
> > > > > >
> > > > > > What is your goal in using these configurations? Answer us that
> > > > > > before we give you recommendations. What is the scenario that
> > > > > > dictates the need for these features?
> > > > > >
> > > > > > IE bpdufilter I would use if connecting to a service provider.
> > > > > > IE bpduguard I would use out to end user workstations that I want
> > > > > > to ensure they're not placing a hub or switch, or to protect from
> > > > > > the infamous user plugging both ports of an IP phone into the wall
> > > > > > jacks.
> > > > > >
> > > > > > Patrick
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On
> > > > > > Behalf Of Cisco Fanatic
> > > > > > Sent: Tuesday, March 01, 2011 10:46 AM
> > > > > > To: ccielab_at_groupstudy.com
> > > > > > Subject: bpdufilter and bpduguard
> > > > > >
> > > > > > This might have been asked multiple times. I understand the
> > > > > > differences, but could not really convince myself which
> > > > > > recommendation I should follow
> > > > > >
> > > > > > !
> > > > > > interface GigabitEthernet1/0/38
> > > > > > switchport access vlan 10
> > > > > > switchport mode access
> > > > > > spanning-tree portfast
> > > > > > spanning-tree bpdufilter enable
> > > > > > spanning-tree bpduguard enable
> > > > > > !
> > > > > >
> > > > > > Or,
> > > > > > !
> > > > > > spanning-tree portfast bpdufilter default
> > > > > > !
> > > > > > interface GigabitEthernet1/0/38
> > > > > > switchport access vlan 10
> > > > > > switchport mode access
> > > > > > spanning-tree portfast
> > > > > > spanning-tree bpduguard enable
> > > > > > !
> > > > > >
> > > > > > The second option looks promising to me as bpduguard will take
> > > > > > precedence and will put the port in err-disable state before
> > > > > > BPDUFilter can transition the port back to normal.
> > > > > >
> > > > > > -Yuri
> > > > > >
> > > > > >
> > > > > > Blogs and organic groups at http://www.ccie.net
> > > > > >
> > > > > >
> > > _______________________________________________________________________
> > > > > > Subscription information may be found at:
> > > > > > http
> > > > >
> > > > > [The entire original message is not included]
> > > > >
> > --
> > Chris Proctor
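
Added example, not taken from any message in this thread: a small Python audit that encodes the distinction the replies are drawing and runs it over the two configurations Yuri posted. It assumes Cisco's documented behaviour that an interface-level "spanning-tree bpdufilter enable" stops the port from sending or processing any BPDU (so bpduguard on the same port can never fire), whereas the global "spanning-tree portfast bpdufilter default" applies only to portfast ports and is lifted as soon as a BPDU arrives, so bpduguard still err-disables the port. The parser, function names and severity labels are mine; GigabitEthernet1/0/40 in the constructed sample is an assumed extra port, not one from the thread.

```python
"""Audit edge-port STP protection in a Cisco IOS running-config (constructed
example). Rule encoded, from Cisco's documented behaviour: interface-level
'spanning-tree bpdufilter enable' stops all BPDU send/receive, so bpduguard on
that port can never fire; the global 'spanning-tree portfast bpdufilter default'
covers portfast ports only and is lifted when a BPDU arrives, so guard still acts."""

HIGH, MEDIUM, LOW, INFO = "HIGH", "MEDIUM", "LOW", "INFO"


def parse_ios_config(text):
    """Split IOS config into (global commands, {interface: [sub-commands]});
    IOS indents sub-commands with one space and separates stanzas with '!'."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def effective_settings(cmds, global_filter, global_guard):
    """Resolve what really applies on a port: interface commands override the
    portfast-scoped globals. Returns (portfast, 'interface'|'global'|None, guard)."""
    cfg = set(cmds)
    # 'spanning-tree portfast [trunk]' counts; 'spanning-tree portfast disable' does not
    portfast = any(c.split()[:2] == ["spanning-tree", "portfast"]
                   and "disable" not in c.split()[2:] for c in cfg)
    if "spanning-tree bpdufilter enable" in cfg:
        bpdufilter = "interface"          # unconditional, never lifted
    elif "spanning-tree bpdufilter disable" in cfg or not (portfast and global_filter):
        bpdufilter = None
    else:
        bpdufilter = "global"             # lifted when a BPDU is received
    if "spanning-tree bpduguard enable" in cfg:
        bpduguard = True
    elif "spanning-tree bpduguard disable" in cfg:
        bpduguard = False
    else:
        bpduguard = portfast and global_guard
    return portfast, bpdufilter, bpduguard


def audit_stp_edge(text):
    """Return {interface: [(severity, finding), ...]} for every interface."""
    glob, ifaces = parse_ios_config(text)
    global_filter = "spanning-tree portfast bpdufilter default" in glob
    global_guard = "spanning-tree portfast bpduguard default" in glob
    report = {}
    for name, cmds in ifaces.items():
        portfast, bpdufilter, bpduguard = effective_settings(cmds, global_filter, global_guard)
        findings = []
        if bpdufilter == "interface":
            findings.append((HIGH, "interface bpdufilter: no BPDUs sent or processed, loops invisible to STP"))
            if bpduguard:
                findings.append((HIGH, "bpduguard ineffective: filtered BPDUs never reach it, port stays up"))
        elif bpduguard:
            lifted = " (global bpdufilter is lifted first)" if bpdufilter else ""
            findings.append((INFO, "bpduguard active: a received BPDU err-disables the port" + lifted))
        elif bpdufilter == "global":
            findings.append((MEDIUM, "global portfast bpdufilter, no bpduguard: rogue switch joins STP silently"))
        elif portfast:
            findings.append((LOW, "portfast edge port with no BPDU guard"))
        else:
            findings.append((INFO, "normal STP port, no edge-port protection configured"))
        report[name] = findings
    return report


# Constructed sample: Gi1/0/38 and Gi1/0/39 are the thread's two options (both
# enables on the port vs. global filter plus interface guard); Gi1/0/40 is an
# assumed extra edge port that has nothing but portfast.
SAMPLE_CONFIG = """\
spanning-tree portfast bpdufilter default
!
interface GigabitEthernet1/0/38
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/39
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/40
 switchport mode access
 spanning-tree portfast
!
"""

if __name__ == "__main__":
    for port, findings in audit_stp_edge(SAMPLE_CONFIG).items():
        for sev, msg in findings:
            print(f"{sev:6} {port}: {msg}")
```

Run against the sample it reports Gi1/0/38 (both enables on the port) as HIGH twice, Gi1/0/39 (global filter plus interface guard) as INFO, and the bare portfast port as MEDIUM. It is a text check of the config only; confirm the live state on the switch with "show spanning-tree summary" and "show spanning-tree interface <port> detail".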

Received on Wed Mar 23 2011 - 15:11:15 ART

This archive was generated by hypermail 2.2.0 : Fri Apr 01 2011 - 06:35:41 ART