Re: BPDU filter and bpdu guard on the same interface

From: Tauseef Khan <tasneemjan_at_googlemail.com>
Date: Tue, 4 Dec 2012 08:37:51 +0000

Thanks for the clarification, Marko. What would be the behavior when Bpduguard
is configured globally and filter is configured under the port? Also, if I have
spanning-tree portfast bpduguard default configured globally and I want to
enable <spanning-tree guard root> on one of the ports, do I disable
<spanning-tree bpduguard disable> first on that port or leave it?
Thanks in Advance and regards

On 4 December 2012 06:50, Marko Milivojevic <markom_at_ipexpert.com> wrote:

> When both Filter and Guard are configured under the port, Guard will
> have no effect. No BPDUs will be sent from the port and all incoming
> BPDUs on the port will be silently dropped.
>
> The combination behaves differently when globally configured Filter is
> used.
>
> --
> Marko Milivojevic - CCIE #18427 (SP R&S)
> Senior CCIE Instructor - IPexpert
>
> On Mon, Dec 3, 2012 at 4:32 PM, Sarad <tosara_at_gmail.com> wrote:
> > Hi Tauseef,
> >
> > BPDU Filter - Filters both incoming & outgoing BPDUs on the switchports
> > BPDU Guard - Puts the interface in err-disable when a BPDU is received
> >
> > BPDU Guard + BPDU filter - BPDUs are filtered only in the outbound
> > direction (no inbound BPDU filtering). When a BPDU is received inbound,
> > the port will be err-disabled
> >
> > Hope this is clear
> >
> > Thanks
> > Sara
> >
> >
> >
> > On Tue, Dec 4, 2012 at 7:37 AM, Tony Singh <mothafungla_at_gmail.com> wrote:
> >
> >> As per routing Freak
> >>
> >> Cat3560-3#sh run int g1/0/23
> >> Building configuration...
> >>
> >> Current configuration : 190 bytes
> >> !
> >> interface GigabitEthernet1/0/23
> >> switchport access vlan 10
> >> switchport mode access
> >> speed 100
> >> spanning-tree portfast
> >> spanning-tree bpdufilter enable
> >> spanning-tree bpduguard enable
> >> end
> >>
> >>
> >> Cat3560-3#show spanning-tree interface g1/0/23
> >>
> >> Vlan                Role Sts Cost      Prio.Nbr Type
> >> ------------------- ---- --- --------- -------- --------------------------------
> >> VLAN0010            Desg FWD 19        128.23   P2p Edge
> >>
> >>
> >> Cat3560-3#show spanning-tree interface g1/0/24 detail
> >> Port 24 (GigabitEthernet1/0/24) of VLAN0010 is designated forwarding
> >> Port path cost 19, Port priority 128, Port Identifier 128.24.
> >> Designated root has priority 32778, address 30e4.db1d.1c80
> >> Designated bridge has priority 32778, address 30e4.db1d.1c80
> >> Designated port id is 128.24, designated path cost 0
> >> Timers: message age 0, forward delay 0, hold 0
> >> Number of transitions to forwarding state: 1
> >> The port is in the portfast mode
> >> Link type is point-to-point by default
> >> Bpdu guard is enabled
> >> Bpdu filter is enabled
> >> BPDU: sent 0, received 0
> >>
> >>
> >>
> >> Cat3560-3(config)#int g1/0/23
> >> Cat3560-3(config-if)#no spanning-tree bpdufilter
> >> Cat3560-3(config-if)#end
> >> 00:43:23: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Gi1/0/23 with BPDU Guard enabled. Disabling port.
> >> Cat3560-3(config-if)#end
> >> 00:43:23: %PM-4-ERR_DISABLE: bpduguard error detected on Gi1/0/23, putting Gi1/0/23 in err-disable state
> >> Cat3560-3#
> >> 00:43:24: %SYS-5-CONFIG_I: Configured from console by console
> >> 00:43:24: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/23, changed state to down
> >> Cat3560-3#
> >> 00:43:25: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/23, changed state to down
> >>
> >>
> >>
> >> On 3 December 2012 16:47, Tony Singh <mothafungla_at_gmail.com> wrote:
> >>
> >> > Sorry, meant to say err disable not inconsistent, but my guess is that
> >> > it would be err disabled rather than BPDUs being filtered
> >> >
> >> > Will lab it later
> >> >
> >> > --
> >> > BR
> >> >
> >> > Sent from my iPhone on 3
> >> >
> >> > On 3 Dec 2012, at 16:24, Tauseef Khan <tasneemjan_at_googlemail.com> wrote:
> >> >
> >> > Hi Tony, I think you mean the spanning-tree guard root interface level
> >> > config command, which will disable the port on which it is configured
> >> > if it sees a superior BPDU. My question is about the bpduguard and
> >> > bpdufilter commands.
> >> > KR
> >> >
> >> > On 3 December 2012 15:56, Tony Singh <mothafungla_at_gmail.com> wrote:
> >> >
> >> >> Filter would drop the BPDU frames, guard is where you do not want any
> >> >> BPDUs, i.e. rogue switch and enforcement of your root bridge.
> >> >>
> >> >> I would think having both on, then it would go into inconsistent
> >> >> state, but I'm not near a switch. What happened when you tried?
> >> >>
> >> >> --
> >> >> BR
> >> >>
> >> >> Tony
> >> >>
> >> >> Sent from my iPhone on 3
> >> >>
> >> >> On 3 Dec 2012, at 15:34, Tauseef Khan <tasneemjan_at_googlemail.com> wrote:
> >> >>
> >> >> > I know Anthony Sequeira has explained it beautifully on the blog but
> >> >> > appreciate if someone could clarify.
> >> >> > If I have spanning-tree portfast bpduguard enabled globally, which
> >> >> > in effect will apply to all access ports and will err-disable any
> >> >> > access ports if it sees an ingress BPDU. Now I enable
> >> >> > "spanning-tree bpdufilter enable" interface config commands on one
> >> >> > of the access port interfaces with "spanning-tree portfast default"
> >> >> > globally configured, which action will take precedence, i.e. will
> >> >> > the port be err-disabled or will it lose its host status on receipt
> >> >> > of BPDUs? Also, what is the best practice in this scenario: disable
> >> >> > the bpduguard (spanning-tree bpduguard disable) on the interface
> >> >> > level before enabling bpdufilter (spanning-tree bpdufilter enable),
> >> >> > or can both actions coexist?
> >> >> > Thanks in advance
> >> >> >
> >> >> >
> >> >> > Blogs and organic groups at http://www.ccie.net
> >> >> >
> >> >> >
> >> _______________________________________________________________________
> >> >> > Subscription information may be found at:
> >> >> > http://www.groupstudy.com/list/CCIELab.html

Received on Tue Dec 04 2012 - 08:37:51 ART
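
Added example (not part of the thread, and not code from any poster): a small running-config audit for the case Marko describes, where a per-port "spanning-tree bpdufilter enable" leaves "spanning-tree bpduguard enable" on the same port with no effect. The sample config, function names and finding labels are constructed for illustration; the "review-global-guard" label marks the filter-on-port plus global-guard case that the thread asks about but does not answer.

```python
import re
# Constructed sample running-config (not taken from the switch in the thread).
SAMPLE_CONFIG = """\
spanning-tree portfast bpduguard default
!
interface GigabitEthernet1/0/23
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/24
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface GigabitEthernet1/0/25
 spanning-tree bpduguard enable
"""

def parse_interfaces(config):
    """Return (global_lines, {interface_name: [sub-commands]})."""
    global_lines, interfaces, current = [], {}, None
    for raw in config.splitlines():
        m = re.match(r"interface (\S+)\s*$", raw)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:
            current = None  # any unindented line closes the interface block
            if raw.strip() not in ("", "!"):
                global_lines.append(raw.strip())
    return global_lines, interfaces

def audit_bpdu(config):
    """Map interface -> finding, for ports that carry a per-port BPDU filter."""
    global_lines, interfaces = parse_interfaces(config)
    global_guard = "spanning-tree portfast bpduguard default" in global_lines
    findings = {}
    for name, cmds in interfaces.items():
        if "spanning-tree bpdufilter enable" not in cmds:
            continue
        if "spanning-tree bpduguard enable" in cmds:
            findings[name] = "guard-masked"  # both under the port: Guard has no effect
        elif global_guard and "spanning-tree bpduguard disable" not in cmds:
            findings[name] = "review-global-guard"  # open question in the thread: lab it
        else:
            findings[name] = "filter-only"
    return findings
```

Ports reported as "guard-masked" will not err-disable on a received BPDU until the per-port filter is removed, which is what the lab output quoted above shows for Gi1/0/23.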

This archive was generated by hypermail 2.2.0 : Tue Jan 01 2013 - 09:36:53 ART