Re: STP BPDU filter / guard - a little bit inefficient?

From: Calin C. <calin_at_engineer.com>
Date: Wed, 31 Aug 2011 09:28:38 -0400

Thanks, Shiran, for your reply!

I will test your suggestion in a lab.

Cheers,
Calin

> ----- Original Message -----
> From: shiran guez
> Sent: 08/31/11 03:13 PM
> To: Calin C.
> Subject: Re: STP BPDU filter / guard - a little bit inefficient?
>
> 1. If you have a switch where you are not sure whether someone is going to
> connect a hub and cause problems, I would suggest using
> spanning-tree bpduguard enable,
>
> as with that option the switch is going to keep transmitting spanning-tree
> BPDUs, and if you connect a loop using a hub the switch will get its own
> BPDU and will go into err-disable.
>
> Note that if you use the BPDU filter it will also prevent the switch
> from transmitting BPDUs out on that port (where it is enabled), and that may
> cause a loop, so I would suggest avoiding it in an
> untrusted environment.
>
> 2. As for multiple users, I suggest you use the port security feature to
> allow a max of one MAC, or 2 (in some cases).
>
> Hope that helps
>
> :-)
>
> On Wed, Aug 31, 2011 at 3:45 PM, Calin C. <calin_at_engineer.com> wrote:
>
> > Hello all,
> >
> > My problem is not directly related to CCIE exam, but rather to CCIE topics.
> > I have an issue and I don't know what solution to propose, so maybe you can
> > help me a little bit.
> >
> > 1. Let's assume that we have a L2 switch, with one or two uplinks, with
> > BPDU guard / filter enabled and also portfast. Everything is running fine.
> >
> > 2. Somebody comes and connects a hub to one of the edge ports of the L2
> > switch. The L2 switch will start to send BPDUs, but since at the other end
> > there is no switch, but a hub, it will get nothing back (in terms of BPDU
> > packets) and assume that an end device (e.g. PC) is connected there. Still,
> > everything is running fine.
> >
> > 3. Another (smart) somebody comes and plugs a loop into the hub (one cable;
> > both ends in the same hub). Since the port is already UP on the L2 port, no
> > BPDUs flow through there, the BPDU guard / filter will not react, but the hub
> > will loop all other packets and send them to the L2 switch. From this point, a
> > little bit of disaster in the spanning-tree environment.
> >
> > I have no idea how to stop this issue from happening, besides adding a
> > sign on the L2 switch with "you plug something here and you die" or enabling
> > port-security (which let's say I don't want for certain personal reasons).
> >
> > Please let me know if I am missing something in my problem (from a logical
> > point of view) and if you have any possible solution to my problem.
> >
> > Thanks for your time!
> >
> > Cheers,
> > Calin
> >
> >
> > Blogs and organic groups at http://www.ccie.net
>
>
> --
> Shiran Guez
> MCSE CCNP NCE1 JNCIA-ENT JNCIS-ENT CCIE #20572
> http://cciep3.blogspot.com
> http://www.linkedin.com/in/cciep3
> http://twitter.com/cciep3

Received on Wed Aug 31 2011 - 09:28:38 ART

This archive was generated by hypermail 2.2.0 : Thu Sep 01 2011 - 06:05:56 ART
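
The two edge-port setups contrasted in the reply above, written out as Cisco IOS configuration. This is an added example, not part of the original e-mails; the interface names, the choice of `violation shutdown` and the 300-second recovery interval are assumptions.

```cisco
! Constructed example; interface names are placeholders.
!
! Weak on an untrusted edge port: BPDU filter stops the port from
! sending (and processing) BPDUs, so a looped hub never hands the
! switch its own BPDU back and nothing shuts the port down.
interface FastEthernet0/1
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
! As suggested in the reply: the port keeps sending BPDUs, and when a
! looped hub reflects one back, BPDU guard err-disables the port.
! Port security (point 2) limits the port to one learned MAC address.
interface FastEthernet0/2
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
!
! Optional addition: bring err-disabled ports back automatically
! after 300 seconds instead of waiting for a manual shutdown/no shutdown.
errdisable recovery cause bpduguard
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Checks to run in the lab (exec mode):
!   show spanning-tree interface FastEthernet0/2 detail
!   show port-security interface FastEthernet0/2
!   show interfaces status err-disabled
```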