Still a little confusion, and I'd appreciate it if someone could spare some
time for an expert opinion.
On my switchport, if I have spanning-tree guard root configured and I don't
want to receive or send any BPDUs on that port, I configure spanning-tree
bpdufilter enable on that port. Do I need to remove spanning-tree guard from
that port before enabling spanning-tree bpdufilter enable, or can both
commands co-exist on the switchport, so that the switchport will not send or
receive any BPDUs on that port?
Thanks in advance
regards
On 4 December 2012 08:37, Tauseef Khan <tasneemjan_at_googlemail.com> wrote:
> Thanks for clarification Marko. What would be the behavior when Bpduguard
> is configured globally and filter is configured under port? Also if I have
> spanning-tree portfast bpduguard default configured globally and I want to
> enable <spanning-tree guard root> on one of the ports. Do I disable
> <spanning-tree bpduguard disable> first on that port or leave it?
> Thanks in Advance and regards
>
>
> On 4 December 2012 06:50, Marko Milivojevic <markom_at_ipexpert.com> wrote:
>
>> When both Filter and Guard are configured under the port, Guard will
>> have no effect. No BPDUs will be sent from the port and all incoming
>> BPDUs on the port will be silently dropped.
>>
>> The combination behaves differently when globally configured Filter is
>> used.
>>
>> --
>> Marko Milivojevic - CCIE #18427 (SP R&S)
>> Senior CCIE Instructor - IPexpert
>>
>> On Mon, Dec 3, 2012 at 4:32 PM, Sarad <tosara_at_gmail.com> wrote:
>> > Hi Tauseef,
>> >
>> > BPDU Filter - Filters both incoming & outgoing BPDUs on the switchports
>> > BPDU Guard - Puts the interface in err-disable when a BPDU is received
>> >
>> > BPDU Guard + BPDU Filter - BPDUs are filtered only in the outbound
>> > direction (no inbound BPDU filtering). When a BPDU is received inbound,
>> > the port will be err-disabled
>> >
>> > Hope this is clear
>> >
>> > Thanks
>> > Sara
>> >
>> >
>> >
>> > On Tue, Dec 4, 2012 at 7:37 AM, Tony Singh <mothafungla_at_gmail.com>
>> wrote:
>> >
>> >> As per routing Freak
>> >>
>> >> Cat3560-3#sh run int g1/0/23
>> >> Building configuration...
>> >>
>> >> Current configuration : 190 bytes
>> >> !
>> >> interface GigabitEthernet1/0/23
>> >> switchport access vlan 10
>> >> switchport mode access
>> >> speed 100
>> >> spanning-tree portfast
>> >> spanning-tree bpdufilter enable
>> >> spanning-tree bpduguard enable
>> >> end
>> >>
>> >>
>> >> Cat3560-3#show spanning-tree interface g1/0/23
>> >>
>> >> Vlan Role Sts Cost Prio.Nbr Type
>> >> ------------------- ---- --- --------- --------
>> >> --------------------------------
>> >> VLAN0010 Desg FWD 19 128.23 P2p Edge
>> >>
>> >>
>> >> Cat3560-3#show spanning-tree interface g1/0/24 detail
>> >> Port 24 (GigabitEthernet1/0/24) of VLAN0010 is designated forwarding
>> >> Port path cost 19, Port priority 128, Port Identifier 128.24.
>> >> Designated root has priority 32778, address 30e4.db1d.1c80
>> >> Designated bridge has priority 32778, address 30e4.db1d.1c80
>> >> Designated port id is 128.24, designated path cost 0
>> >> Timers: message age 0, forward delay 0, hold 0
>> >> Number of transitions to forwarding state: 1
>> >> The port is in the portfast mode
>> >> Link type is point-to-point by default
>> >> Bpdu guard is enabled
>> >> Bpdu filter is enabled
>> >> BPDU: sent 0, received 0
>> >>
>> >>
>> >>
>> >> Cat3560-3(config)#int g1/0/23
>> >> Cat3560-3(config-if)#no spanning-tree bpdufilter
>> >> Cat3560-3(config-if)#end
>> >> 00:43:23: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Gi1/0/23
>> with
>> >> BPDU Guard enabled. Disabling port.
>> >> Cat3560-3(config-if)#end
>> >> 00:43:23: %PM-4-ERR_DISABLE: bpduguard error detected on Gi1/0/23,
>> putting
>> >> Gi1/0/23 in err-disable state
>> >> Cat3560-3#
>> >> 00:43:24: %SYS-5-CONFIG_I: Configured from console by console
>> >> 00:43:24: %LINEPROTO-5-UPDOWN: Line protocol on Interface
>> >> GigabitEthernet1/0/23, changed state to down
>> >> Cat3560-3#
>> >> 00:43:25: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/23, changed
>> state to
>> >> down
>> >>
>> >>
>> >>
>> >> On 3 December 2012 16:47, Tony Singh <mothafungla_at_gmail.com> wrote:
>> >>
>> >> > Sorry, meant to say err disable not inconsistent, but my guess is
>> >> > that it would be err disabled rather than BPDUs being filtered
>> >> >
>> >> > Will lab it later
>> >> >
>> >> > --
>> >> > BR
>> >> >
>> >> > Sent from my iPhone on 3
>> >> >
>> >> > On 3 Dec 2012, at 16:24, Tauseef Khan <tasneemjan_at_googlemail.com>
>> wrote:
>> >> >
>> >> > Hi Tony, I think you mean the spanning-tree guard root interface level
>> >> > config command, which will disable the port on which it is configured
>> >> > if it sees a superior BPDU. My question is about the bpduguard and
>> >> > bpdufilter commands.
>> >> > KR
>> >> >
>> >> > On 3 December 2012 15:56, Tony Singh <mothafungla_at_gmail.com> wrote:
>> >> >
>> >> >> Filter would drop the BPDU frames, guard is where you do not want any
>> >> >> BPDUs, i.e. rogue switch and enforcement of your root bridge.
>> >> >>
>> >> >> I would think having both on, then it would go into inconsistent
>> >> >> state, but I'm not near a switch. What happened when you tried?
>> >> >>
>> >> >> --
>> >> >> BR
>> >> >>
>> >> >> Tony
>> >> >>
>> >> >> Sent from my iPhone on 3
>> >> >>
>> >> >> On 3 Dec 2012, at 15:34, Tauseef Khan <tasneemjan_at_googlemail.com>
>> >> wrote:
>> >> >>
>> >> >> > I know Anthony Sequeira has explained it beautifully on the blog
>> >> >> > but I'd appreciate it if someone could clarify.
>> >> >> > If I have spanning-tree portfast bpduguard enabled globally, which
>> >> >> > in effect will apply to all access ports and will err-disable any
>> >> >> > access port if it sees an ingress BPDU. Now I enable the
>> >> >> > "spanning-tree bpdufilter enable" interface config command on one
>> >> >> > of the access port interfaces with "spanning-tree portfast default"
>> >> >> > globally configured; which action will take precedence? I.e. will
>> >> >> > the port be err-disabled or will it lose its host status on receipt
>> >> >> > of BPDUs? Also, what is the best practice in this scenario: disable
>> >> >> > bpduguard (spanning-tree bpduguard disable) at the interface level
>> >> >> > before enabling bpdufilter (spanning-tree bpdufilter enable), or can
>> >> >> > both actions coexist?
>> >> >> > Thanks in advance
>> >> >> >
>> >> >> >
>> >> >> > Blogs and organic groups at http://www.ccie.net
>> >> >> >
>> >> >> >
>> >> _______________________________________________________________________
>> >> >> > Subscription information may be found at:
>> >> >> > http://www.groupstudy.com/list/CCIELab.html
Received on Thu Dec 06 2012 - 13:37:58 ART
This archive was generated by hypermail 2.2.0 : Tue Jan 01 2013 - 09:36:53 ART
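
Added example, not part of the thread: a small Python audit of an IOS-style running config that flags ports where interface-level `spanning-tree bpdufilter enable` sits alongside `spanning-tree bpduguard enable` or `spanning-tree guard root`, the combination Marko describes as leaving Guard with no effect. The sample config is constructed and the function names are hypothetical; covering root guard goes beyond the lab output above, on the assumption that a port dropping every incoming BPDU never shows root guard a superior BPDU.

```python
# Constructed sample: Gi1/0/23 mirrors the interface shown in the thread.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/23
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/24
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/25
 spanning-tree bpdufilter enable
 spanning-tree guard root
!
"""

GUARDS = ("spanning-tree bpduguard enable", "spanning-tree guard root")
FILTER = "spanning-tree bpdufilter enable"


def parse_interfaces(config):
    """Map interface name -> set of its (whitespace-normalized) config lines."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = interfaces.setdefault(raw.split()[1], set())
        elif raw.startswith(" ") and current is not None:
            current.add(" ".join(raw.split()))
        else:
            current = None  # any other unindented line ends the interface block
    return interfaces


def masked_guards(config):
    """Return {interface: [guard commands masked by interface-level BPDU filter]}."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        hit = [g for g in GUARDS if g in lines]
        if FILTER in lines and hit:
            findings[name] = hit
    return findings


if __name__ == "__main__":
    for port, guards in masked_guards(SAMPLE_CONFIG).items():
        print(f"{port}: bpdufilter enable masks {', '.join(guards)}")
```

Globally configured filter (`spanning-tree portfast bpdufilter default`) is deliberately not checked here, since the thread notes that combination behaves differently.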