They can coexist, but Guard will not do anything. Filter will take
precedence - no BPDUs will be sent and all incoming BPDUs will be
dropped, but they will not cause the port to go err-disable.
--
Marko Milivojevic - CCIE #18427 (SP R&S)
Senior CCIE Instructor - IPexpert

On Thu, Dec 6, 2012 at 5:37 AM, Tauseef Khan <tasneemjan_at_googlemail.com> wrote:
> Still little confusion and appreciate if someone could spare some time for
> expert opinion
> On my switchport if I have spanning tree guard root configured and I don't
> want to receive or send any BPDUs of that port I configure spanning-tree
> bpdufilter enable on that port. Do I need to remove spanning-tree guard from
> that port before enabling spanning-tree bpdufilter enable or both the
> commands can co-exist on switchport and switchport will not send or receive
> any BPDUs on that port.
> Thanks in advance
> regards
>
> On 4 December 2012 08:37, Tauseef Khan <tasneemjan_at_googlemail.com> wrote:
>
>> Thanks for clarification Marko. What would be the behavior when Bpduguard
>> is configured globally and filter is configured under port. Also if I have
>> spanning-tree portfast bpduguard default configured globally and I want to
>> enable <spanning-tree guard root> on one of the ports. Do I disable
>> <spanning-tree bpduguard disable> first on that port or leave it?
>> Thanks in Advance and regards
>>
>> On 4 December 2012 06:50, Marko Milivojevic <markom_at_ipexpert.com> wrote:
>>
>>> When both Filter and Guard are configured under the port, Guard will
>>> have no effect. No BPDUs will be sent from the port and all incoming
>>> BPDUs on the port will be silently dropped.
>>>
>>> The combination behaves differently when globally configured Filter is
>>> used.
>>>
>>> --
>>> Marko Milivojevic - CCIE #18427 (SP R&S)
>>> Senior CCIE Instructor - IPexpert
>>>
>>> On Mon, Dec 3, 2012 at 4:32 PM, Sarad <tosara_at_gmail.com> wrote:
>>> > Hi Tauseef,
>>> >
>>> > BPDU Filter - Filter both incoming & outgoing BPDU on the switchports
>>> > BPDU Guard - Put interface on Err-disable when BPDU is received
>>> >
>>> > BPDU Guard + Bpdu filter - BPDUs are filtered only outbound direction (No
>>> > inbound BPDU filtering) When bpdu is received inbound port will be
>>> > err-disable
>>> >
>>> > Hope this is clear
>>> >
>>> > Thanks
>>> > Sara
>>> >
>>> > On Tue, Dec 4, 2012 at 7:37 AM, Tony Singh <mothafungla_at_gmail.com> wrote:
>>> >
>>> >> As per routing Freak
>>> >>
>>> >> Cat3560-3#sh run int g1/0/23
>>> >> Building configuration...
>>> >>
>>> >> Current configuration : 190 bytes
>>> >> !
>>> >> interface GigabitEthernet1/0/23
>>> >>  switchport access vlan 10
>>> >>  switchport mode access
>>> >>  speed 100
>>> >>  spanning-tree portfast
>>> >>  spanning-tree bpdufilter enable
>>> >>  spanning-tree bpduguard enable
>>> >> end
>>> >>
>>> >> Cat3560-3#show spanning-tree interface g1/0/23
>>> >>
>>> >> Vlan                Role Sts Cost      Prio.Nbr Type
>>> >> ------------------- ---- --- --------- -------- --------------------------------
>>> >> VLAN0010            Desg FWD 19        128.23   P2p Edge
>>> >>
>>> >> Cat3560-3#show spanning-tree interface g1/0/24 detail
>>> >> Port 24 (GigabitEthernet1/0/24) of VLAN0010 is designated forwarding
>>> >> Port path cost 19, Port priority 128, Port Identifier 128.24.
>>> >> Designated root has priority 32778, address 30e4.db1d.1c80
>>> >> Designated bridge has priority 32778, address 30e4.db1d.1c80
>>> >> Designated port id is 128.24, designated path cost 0
>>> >> Timers: message age 0, forward delay 0, hold 0
>>> >> Number of transitions to forwarding state: 1
>>> >> The port is in the portfast mode
>>> >> Link type is point-to-point by default
>>> >> Bpdu guard is enabled
>>> >> Bpdu filter is enabled
>>> >> BPDU: sent 0, received 0
>>> >>
>>> >> Cat3560-3(config)#int g1/0/23
>>> >> Cat3560-3(config-if)#no spanning-tree bpdufilter
>>> >> Cat3560-3(config-if)#end
>>> >> 00:43:23: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Gi1/0/23 with BPDU Guard enabled. Disabling port.
>>> >> Cat3560-3(config-if)#end
>>> >> 00:43:23: %PM-4-ERR_DISABLE: bpduguard error detected on Gi1/0/23, putting Gi1/0/23 in err-disable state
>>> >> Cat3560-3#
>>> >> 00:43:24: %SYS-5-CONFIG_I: Configured from console by console
>>> >> 00:43:24: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/23, changed state to down
>>> >> Cat3560-3#
>>> >> 00:43:25: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/23, changed state to down
>>> >>
>>> >> On 3 December 2012 16:47, Tony Singh <mothafungla_at_gmail.com> wrote:
>>> >>
>>> >> > Sorry meant to say err disable not inconsistent, but my guess is that it
>>> >> > would be err disabled rather than BPDUs being filtered
>>> >> >
>>> >> > Will lab it later
>>> >> >
>>> >> > --
>>> >> > BR
>>> >> >
>>> >> > Sent from my iPhone on 3
>>> >> >
>>> >> > On 3 Dec 2012, at 16:24, Tauseef Khan <tasneemjan_at_googlemail.com> wrote:
>>> >> >
>>> >> > Hi Tony, I think you mean spanning-tree guard root interface level config
>>> >> > command which will disable the port on which it configured if sees a
>>> >> > superior BPDU. My question is about bpduguard and bpdufilter commands.
>>> >> > KR
>>> >> >
>>> >> > On 3 December 2012 15:56, Tony Singh <mothafungla_at_gmail.com> wrote:
>>> >> >
>>> >> >> Filter would drop the bpdu frames, guard is where you do not want any
>>> >> >> BPDUs i.e. rogue switch and enforcement of your root bridge.
>>> >> >>
>>> >> >> I would think having both on, then it would go into inconsistent state,
>>> >> >> but I'm not near a switch what happened when you tried?
>>> >> >>
>>> >> >> --
>>> >> >> BR
>>> >> >>
>>> >> >> Tony
>>> >> >>
>>> >> >> Sent from my iPhone on 3
>>> >> >>
>>> >> >> On 3 Dec 2012, at 15:34, Tauseef Khan <tasneemjan_at_googlemail.com> wrote:
>>> >> >>
>>> >> >> > I know Anthony Sequeira has explained it beautifully on the blog but
>>> >> >> > appreciate if someone could clarify.
>>> >> >> > If I have spanning-tree portfast bpduguard enabled globally which in-effect
>>> >> >> > will apply to all access ports and will err-disable any access ports if it
>>> >> >> > sees an ingress BPDU. Now I enable "spanning-tree bpdufilter enable" interface
>>> >> >> > config commands on one of the access port interfaces with "spanning-tree
>>> >> >> > portfast default" globally configured, which action will take precedence.
>>> >> >> > ie port will be err-disable or will lose its host status on receipt of
>>> >> >> > BPDUs. Also what is the best practice in this scenario. Disable the
>>> >> >> > bpduguard (spanning-tree bpduguard disable) on the interface level before
>>> >> >> > enabling bpdufilter (spanning-tree bpdufilter enable) or both actions can
>>> >> >> > coexist.....
>>> >> >> > Thanks in advance
>>> >> >> >
>>> >> >> > Blogs and organic groups at http://www.ccie.net
>>> >> >> >
>>> >> >> > _______________________________________________________________________
>>> >> >> > Subscription information may be found at:
>>> >> >> > http://www.groupstudy.com/list/CCIELab.html

Received on Thu Dec 06 2012 - 09:17:33 ART
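
A configuration audit for the case discussed in this thread, as an added example that is not part of the original posts: it flags interfaces where a port-level `spanning-tree bpdufilter enable` leaves a configured BPDU Guard or Root Guard with no effect. The sample config is constructed (Gi1/0/23 is abridged from the stanza posted in the thread; the other two ports and all function names are made up for illustration), and global `default` commands are not evaluated.

```python
import re

# Constructed sample input. Gi1/0/23 is abridged from the stanza in the thread;
# Gi1/0/24 and Gi1/0/25 are hypothetical ports added for contrast.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/23
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/24
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/25
 spanning-tree bpdufilter enable
 spanning-tree guard root
!
"""

GUARDS = ("spanning-tree bpduguard enable", "spanning-tree guard root")
FILTER = "spanning-tree bpdufilter enable"

def parse_interfaces(config):
    """Map interface name -> list of its indented sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface\s+(\S+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif line.startswith((" ", "\t")) and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command closes the stanza
    return interfaces

def shadowed_guards(config):
    """Return {interface: guard commands that the port-level filter overrides}."""
    findings = {}
    for name, cmds in parse_interfaces(config).items():
        if FILTER in cmds:  # port sends no BPDUs and drops all incoming ones
            findings[name] = [g for g in GUARDS if g in cmds]
    return findings

if __name__ == "__main__":
    for intf, guards in shadowed_guards(SAMPLE_CONFIG).items():
        note = ", ".join(guards) if guards else "no guard configured"
        print(f"{intf}: BPDUs filtered both ways; ineffective: {note}")
```

An empty list for a port means the filter is present without any guard, which still leaves that port with no STP protection against a switch being attached.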
This archive was generated by hypermail 2.2.0 : Tue Jan 01 2013 - 09:36:53 ART