Hi Tauseef,
BPDU Filter - Filters both incoming & outgoing BPDUs on the switchports
BPDU Guard - Puts the interface into err-disable when a BPDU is received
BPDU Guard + BPDU Filter - BPDUs are filtered only in the outbound direction
(no inbound BPDU filtering). When a BPDU is received inbound, the port will be
err-disabled
Hope this is clear
Thanks
Sara
On Tue, Dec 4, 2012 at 7:37 AM, Tony Singh <mothafungla_at_gmail.com> wrote:
> As per routing Freak
>
> Cat3560-3#sh run int g1/0/23
> Building configuration...
>
> Current configuration : 190 bytes
> !
> interface GigabitEthernet1/0/23
>  switchport access vlan 10
>  switchport mode access
>  speed 100
>  spanning-tree portfast
>  spanning-tree bpdufilter enable
>  spanning-tree bpduguard enable
> end
>
>
> Cat3560-3#show spanning-tree interface g1/0/23
>
> Vlan                Role Sts Cost      Prio.Nbr Type
> ------------------- ---- --- --------- -------- --------------------------------
> VLAN0010            Desg FWD 19        128.23   P2p Edge
>
>
> Cat3560-3#show spanning-tree interface g1/0/24 detail
> Port 24 (GigabitEthernet1/0/24) of VLAN0010 is designated forwarding
> Port path cost 19, Port priority 128, Port Identifier 128.24.
> Designated root has priority 32778, address 30e4.db1d.1c80
> Designated bridge has priority 32778, address 30e4.db1d.1c80
> Designated port id is 128.24, designated path cost 0
> Timers: message age 0, forward delay 0, hold 0
> Number of transitions to forwarding state: 1
> The port is in the portfast mode
> Link type is point-to-point by default
> Bpdu guard is enabled
> Bpdu filter is enabled
> BPDU: sent 0, received 0
>
>
>
> Cat3560-3(config)#int g1/0/23
> Cat3560-3(config-if)#no spanning-tree bpdufilter
> Cat3560-3(config-if)#end
> 00:43:23: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Gi1/0/23 with BPDU Guard enabled. Disabling port.
> Cat3560-3(config-if)#end
> 00:43:23: %PM-4-ERR_DISABLE: bpduguard error detected on Gi1/0/23, putting Gi1/0/23 in err-disable state
> Cat3560-3#
> 00:43:24: %SYS-5-CONFIG_I: Configured from console by console
> 00:43:24: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/23, changed state to down
> Cat3560-3#
> 00:43:25: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/23, changed state to down
>
>
>
> On 3 December 2012 16:47, Tony Singh <mothafungla_at_gmail.com> wrote:
>
> > Sorry, meant to say err disable not inconsistent, but my guess is that it
> > would be err disabled rather than BPDUs being filtered
> >
> > Will lab it later
> >
> > --
> > BR
> >
> > Sent from my iPhone on 3
> >
> > On 3 Dec 2012, at 16:24, Tauseef Khan <tasneemjan_at_googlemail.com> wrote:
> >
> > Hi Tony, I think you mean the spanning-tree guard root interface-level config
> > command, which will disable the port on which it is configured if it sees a
> > superior BPDU. My question is about the bpduguard and bpdufilter commands.
> > KR
> >
> > On 3 December 2012 15:56, Tony Singh <mothafungla_at_gmail.com> wrote:
> >
> >> Filter would drop the BPDU frames; guard is where you do not want any
> >> BPDUs, i.e. rogue switch and enforcement of your root bridge.
> >>
> >> I would think having both on, then it would go into inconsistent state,
> >> but I'm not near a switch. What happened when you tried?
> >>
> >> --
> >> BR
> >>
> >> Tony
> >>
> >> Sent from my iPhone on 3
> >>
> >> On 3 Dec 2012, at 15:34, Tauseef Khan <tasneemjan_at_googlemail.com> wrote:
> >>
> >> > I know Anthony Sequeira has explained it beautifully on the blog but
> >> > would appreciate it if someone could clarify.
> >> > If I have spanning-tree portfast bpduguard enabled globally, which in
> >> > effect will apply to all access ports and will err-disable any access
> >> > port if it sees an ingress BPDU, and I now enable the "spanning-tree
> >> > bpdufilter enable" interface config command on one of the access port
> >> > interfaces with "spanning-tree portfast default" globally configured,
> >> > which action will take precedence, i.e. will the port be err-disabled
> >> > or will it lose its host status on receipt of BPDUs? Also, what is the
> >> > best practice in this scenario: disable bpduguard (spanning-tree
> >> > bpduguard disable) at the interface level before enabling bpdufilter
> >> > (spanning-tree bpdufilter enable), or can both actions coexist?
> >> > Thanks in advance
> >> >
> >> >
> >> > Blogs and organic groups at http://www.ccie.net
> >> >
> >> >
> _______________________________________________________________________
> >> > Subscription information may be found at:
> >> > http://www.groupstudy.com/list/CCIELab.html
>
>
Received on Tue Dec 04 2012 - 11:32:45 ART
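
An added example, not code from any poster in the thread: a short Python audit of a running-config that flags ports where an interface-level `spanning-tree bpdufilter enable` sits beside BPDU guard, following the lab transcript quoted above, in which Gi1/0/23 kept forwarding with both set and was err-disabled only once the filter was removed. The function name, the sample config and the handling of the global `spanning-tree portfast bpduguard default` setting are assumptions made for the illustration.

```python
import re

SAMPLE_CONFIG = """\
spanning-tree portfast bpduguard default
!
interface GigabitEthernet1/0/23
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/24
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard disable
!
end
"""  # constructed sample, modelled on the Gi1/0/23 stanza in the thread

def audit_bpdu_protection(running_config):
    """Map each interface with an interface-level BPDU filter to its findings."""
    global_guard, ports, current = False, {}, None
    for line in map(str.strip, running_config.splitlines()):
        start = re.fullmatch(r"interface (\S+)", line)
        setting = re.fullmatch(r"spanning-tree (bpdufilter|bpduguard) (enable|disable)", line)
        if start:
            current = ports.setdefault(start.group(1), {})
        elif line in ("!", "end"):
            current = None  # IOS separates stanzas with "!"
        elif current is None and line == "spanning-tree portfast bpduguard default":
            global_guard = True
        elif current is not None and line == "spanning-tree portfast":
            current["portfast"] = True
        elif current is not None and setting:
            current[setting.group(1)] = setting.group(2) == "enable"
    findings = {}
    for name, port in ports.items():
        if not port.get("bpdufilter"):
            continue
        # Assumption: the global guard default reaches only ports with interface-level PortFast.
        guard = port.get("bpduguard", global_guard and port.get("portfast", False))
        notes = ["bpdufilter enabled: port neither sends nor processes BPDUs"]
        if guard:
            notes.append("bpduguard cannot err-disable this port while bpdufilter is enabled")
        findings[name] = notes
    return findings

if __name__ == "__main__":
    for name, notes in audit_bpdu_protection(SAMPLE_CONFIG).items():
        print(name, "->", "; ".join(notes))
```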