Re: STP BPDU filter / guard - a little bit inefficient?

If you enable BPDU filter globally, then your switch will revert to normal
spanning-tree operation (ie going through the learning and listening and
then forwarding states) when BPDU's are received inbound on the interface.
This does not sound like its what you need in this situation. This would be
a better solution:

Enable BPDU filter at the interface level. This will cause the switch to
drop all BPDU's inbound and outbound on the interface, period.

BPDU guard acts only inbound on an interface (by err-disabling the
interface, as pointed out by Shiran), while BPDU filter works in both
directions. Now, don't forget the behavior for these features works slightly
differently when enabled globally versus at the interface level.

HTH,
Sadiq

On Wed, Aug 31, 2011 at 2:28 PM, Calin C. <calin_at_engineer.com> wrote:

> Thanks shiran for your reply!
>
> I will test your suggestion in a lab.
>
> Cheers,
> Calin
>
> > ----- Original Message -----
> > From: shiran guez
> > Sent: 08/31/11 03:13 PM
> > To: Calin C.
> > Subject: Re: STP BPDU filter / guard - a little bit inefficient?
> >
> > 1. If you have a switch that you are not sure if someone is going to
> connect
> > a hub and cause problems, I would suggest using the spanning-tree
> bpduguard
> > enable
> >
> > as with that option the switch is going to keep transmitting spanning
> tree
> > bpdu and If you will connect a loop using a hub the switch will get his
> own
> > bpdu and will go into err-disable.
> >
> > Note that if you use the bpdu filter it will prevent also the switch
> > from transmitting bpdu out on that port (where it is enabled) and that
> may
> > cause loop so I would suggest to avoid using that in an
> > un-trusted environment
> >
> > 2. as for multi users I will suggest you use the port security feature to
> > allow a max of one MAC or 2 (in some cases)
> > *
> > *
> > *Hope that help*
> > *
> > *
> > *:-)*
> > *
> > *
> >
> > On Wed, Aug 31, 2011 at 3:45 PM, Calin C. <calin_at_engineer.com> wrote:
> >
> > > Hello all,
> > >
> > > My problem is not directly related to CCIE exam, but rather to CCIE
> topics.
> > > I have an issue and I don't know what solution to propose, so maybe you
> can
> > > help me a little bit.
> > >
> > > 1. Let's assume that we have a L2 switch, with one or two uplinks, with
> > > BPDU guard / filter enable and also portfast. Everything is running
> fine.
> > >
> > > 2. Somebody come and connected to one of the edge ports of L2 a hub. L2
> > > switch will start to send BPDUs, but since at the other end there is no
> > > switch, but a hub, it will get nothing back (in terms of BPDU packets)
> and
> > > assume that an end device (e.g. PC) is connected there. Still,
> everything is
> > > running fine.
> > >
> > > 3. Another (smart) somebody come and plug a loop in the hub (one cable;
> > > both ends in the same hub). Since the port is already UP on the L2
> port, no
> > > BPDU flow through there, the BDPU guard / filter will not react, but
> the hub
> > > will loop all other packets and send them to L2 switch. From this point
> a
> > > little bit of disaster in the spanning-tree environment.
> > >
> > > I have no idea how to stop this issue from happening, beside adding
> there a
> > > sign on L2 switch with "you plug something here and you die" or
> enabling
> > > port-security (which let's say I don't want for certain personal
> reasons).
> > >
> > > Please let me know if I miss something in my problem (from logical
> point of
> > > view) and if you have any possible solution to my problem.
> > >
> > > Thanks for your time!
> > >
> > > Cheers,
> > > Calin
> > >
> > >
> > > Blogs and organic groups at http://www.ccie.net
> > >
> > > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> >
> >
> > --
> > Shiran Guez
> > MCSE CCNP NCE1 JNCIA-ENT JNCIS-ENT CCIE #20572
> > http://cciep3.blogspot.com
> > http://www.linkedin.com/in/cciep3
> > http://twitter.com/cciep3
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
>
>
>
>
>
>
>

-- 
CCIEx2 (R&S|Sec) #19963
Blogs and organic groups at http://www.ccie.net