Re: BPDU filter and bpdu guard on the same interface

From: Marko Milivojevic <markom_at_ipexpert.com>
Date: Mon, 3 Dec 2012 22:50:28 -0800

When both Filter and Guard are configured under the port, Guard will
have no effect. No BPDUs will be sent from the port and all incoming
BPDUs on the port will be silently dropped.

The combination behaves differently when globally configured Filter is used.

--
Marko Milivojevic - CCIE #18427 (SP R&S)
Senior CCIE Instructor - IPexpert

On Mon, Dec 3, 2012 at 4:32 PM, Sarad <tosara_at_gmail.com> wrote:
> Hi Tauseen,
>
> BPDU Filter - Filter both incoming & outgoing BPDU on the switchports
> BPDU Guard - Put interface on Err-disable when BPDU is received
>
> BPDU Guard + BPDU Filter - BPDUs are filtered only in the outbound direction
> (no inbound BPDU filtering). When a BPDU is received inbound, the port will be
> err-disabled
>
> Hope this is clear
>
> Thanks
> Sara
>
>
>
> On Tue, Dec 4, 2012 at 7:37 AM, Tony Singh <mothafungla_at_gmail.com> wrote:
>
>> As per routing Freak
>>
>> Cat3560-3#sh run int g1/0/23
>> Building configuration...
>>
>> Current configuration : 190 bytes
>> !
>> interface GigabitEthernet1/0/23
>>  switchport access vlan 10
>>  switchport mode access
>>  speed 100
>>  spanning-tree portfast
>>  spanning-tree bpdufilter enable
>>  spanning-tree bpduguard enable
>> end
>>
>>
>> Cat3560-3#show spanning-tree interface g1/0/23
>>
>> Vlan                Role Sts Cost      Prio.Nbr Type
>> ------------------- ---- --- --------- -------- --------------------------------
>> VLAN0010            Desg FWD 19        128.23   P2p Edge
>>
>>
>> Cat3560-3#show spanning-tree interface g1/0/24 detail
>>  Port 24 (GigabitEthernet1/0/24) of VLAN0010 is designated forwarding
>>    Port path cost 19, Port priority 128, Port Identifier 128.24.
>>    Designated root has priority 32778, address 30e4.db1d.1c80
>>    Designated bridge has priority 32778, address 30e4.db1d.1c80
>>    Designated port id is 128.24, designated path cost 0
>>    Timers: message age 0, forward delay 0, hold 0
>>    Number of transitions to forwarding state: 1
>>    The port is in the portfast mode
>>    Link type is point-to-point by default
>>    Bpdu guard is enabled
>>    Bpdu filter is enabled
>>    BPDU: sent 0, received 0
>>
>>
>>
>> Cat3560-3(config)#int g1/0/23
>> Cat3560-3(config-if)#no spanning-tree bpdufilter
>> Cat3560-3(config-if)#end
>> 00:43:23: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Gi1/0/23 with BPDU Guard enabled. Disabling port.
>> Cat3560-3(config-if)#end
>> 00:43:23: %PM-4-ERR_DISABLE: bpduguard error detected on Gi1/0/23, putting Gi1/0/23 in err-disable state
>> Cat3560-3#
>> 00:43:24: %SYS-5-CONFIG_I: Configured from console by console
>> 00:43:24: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/23, changed state to down
>> Cat3560-3#
>> 00:43:25: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/23, changed state to down
>>
>>
>>
>> On 3 December 2012 16:47, Tony Singh <mothafungla_at_gmail.com> wrote:
>>
>> > Sorry meant to say err disable not inconsistent, but my guess is that it
>> > would be err disabled rather than bpdu's being filtered
>> >
>> > Will lab it later
>> >
>> > --
>> > BR
>> >
>> > Sent from my iPhone on 3
>> >
>> > On 3 Dec 2012, at 16:24, Tauseef Khan <tasneemjan_at_googlemail.com> wrote:
>> >
>> > Hi Tony, I think you mean spanning-tree guard root interface level config
>> > command which will disable the port on which it is configured if it sees a
>> > superior BPDU. My question is about bpduguard and bpdufilter commands.
>> > KR
>> >
>> > On 3 December 2012 15:56, Tony Singh <mothafungla_at_gmail.com> wrote:
>> >
>> >> Filter would drop the bpdu frames, guard is where you do not want any
>> >> bpdu's i.e rogue switch and enforcement of your root bridge.
>> >>
>> >> I would think having both on, then it would go into inconsistent state,
>> >> but I'm not near a switch what happened when you tried?
>> >>
>> >> --
>> >> BR
>> >>
>> >> Tony
>> >>
>> >> Sent from my iPhone on 3
>> >>
>> >> On 3 Dec 2012, at 15:34, Tauseef Khan <tasneemjan_at_googlemail.com> wrote:
>> >>
>> >> > I know Anthony Sequeira has explained it beautifully on the blog but
>> >> > appreciate if someone could clarify.
>> >> > If I have spanning-tree portfast bpduguard enabled globally which in-effect
>> >> > will apply to all access ports and will err-disable any access ports if it
>> >> > sees an ingress BPDU. Now I enable "spanning-tree bpdufilter enable" interface
>> >> > config commands on one of the access port interfaces with "spanning-tree
>> >> > portfast default" globally configured, which action will take precedence.
>> >> > ie port will be err-disable or will lose its host status on receipt of
>> >> > BPDUs. Also what is the best practice in this scenario. disable the
>> >> > bpduguard (spanning-tree bpduguard disable) on the interface level before
>> >> > enabling bpdufilter (spanning-tree bpdufilter enable) or both actions can
>> >> > coexist.....
>> >> > Thanks in advance
>> >> >
>> >> >
>> >> > Blogs and organic groups at http://www.ccie.net
>> >> >
>> >> >
>> _______________________________________________________________________
>> >> > Subscription information may be found at:
>> >> > http://www.groupstudy.com/list/CCIELab.html
Received on Mon Dec 03 2012 - 22:50:28 ART

This archive was generated by hypermail 2.2.0 : Tue Jan 01 2013 - 09:36:53 ART
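
Added example (not part of the original thread or any poster's code): a Python audit of saved `show running-config` text that flags ports matching the first reply above, where Filter and Guard are both configured under the port and Guard therefore has no effect. The sample config is constructed from the stanza quoted in the thread; the function names and finding labels are assumptions of this example, and globally configured Filter is deliberately not evaluated because the reply says it behaves differently.

```python
import re

# Constructed sample input, modelled on the interface stanza quoted in the thread.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/23
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/24
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/25
 switchport mode access
 spanning-tree bpdufilter enable
!
end
"""

def parse_interfaces(config):
    """Return {interface name: [stanza lines]} from running-config text."""
    stanzas, current = {}, None
    for line in config.splitlines():
        match = re.match(r"^interface (\S+)", line)
        if match:
            current = stanzas.setdefault(match.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())   # indented line belongs to the stanza
        else:
            current = None                 # "!" or a global command ends it
    return stanzas

def audit(config):
    """Label every port that has interface-level BPDU Filter enabled."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if "spanning-tree bpdufilter enable" not in lines:
            continue
        if "spanning-tree bpduguard enable" in lines:
            # Case from the reply: incoming BPDUs are dropped, Guard never fires.
            findings[name] = "guard-inert"
        else:
            findings[name] = "filter-only"
    return findings

if __name__ == "__main__":
    for port, label in audit(SAMPLE_CONFIG).items():
        print(f"{port}: {label}")
```
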