Many thanks for explanation Joe / Marko, Much appreciated
On 6 December 2012 17:17, Marko Milivojevic <markom_at_ipexpert.com> wrote:
> They can coexist, but Guard will not do anything. Filter will take
> precedence - no BPDUs will be sent and all incoming BPDUs will be
> dropped, but they will not cause the port to go err-disable.
>
> --
> Marko Milivojevic - CCIE #18427 (SP R&S)
> Senior CCIE Instructor - IPexpert
>
> On Thu, Dec 6, 2012 at 5:37 AM, Tauseef Khan <tasneemjan_at_googlemail.com>
> wrote:
> > Still little confusion and appreciate if someone could spare some time
> for
> > expert opinion
> > On my switchport if I have spanning tree guard root configured and I
> don't
> > want to receive or send any bpdus of that port I configure spanningtree
> > bpdufilter enable on that port. do i need to remove spanningtree gurad
> from
> > that port before enabling spanningtree bpdufilter enable or both the
> > commands can co-exist on switchport and switchport will not send or
> receive
> > any BPDUs on that port.
> > Thanks in advance
> > regards
> >
> >
> >
> > On 4 December 2012 08:37, Tauseef Khan <tasneemjan_at_googlemail.com>
> wrote:
> >
> >> Thanks for clarification Marko. What would be the behavior when
> Bpduguard
> >> is configured globally and filter is configured under port. Also if I
> have
> >> spanning-tree portfast bpduguard default configured globally and I want
> to
> >> enable <spanning-tree grad root> on one of the ports. Do I disable
> >> <spanning-tree bpduguard disable> first on that port or leave it?
> >> Thanks in Advance and regards
> >>
> >>
> >> On 4 December 2012 06:50, Marko Milivojevic <markom_at_ipexpert.com>
> wrote:
> >>
> >>> When both Filter and Guard are configured under the por, Guard will
> >>> have no effect. No BPDUs will be sent from the port and all incoming
> >>> BPDUs on the port will be silently dropped.
> >>>
> >>> The combination behaves differently when globally configured Filter is
> >>> used.
> >>>
> >>> --
> >>> Marko Milivojevic - CCIE #18427 (SP R&S)
> >>> Senior CCIE Instructor - IPexpert
> >>>
> >>> On Mon, Dec 3, 2012 at 4:32 PM, Sarad <tosara_at_gmail.com> wrote:
> >>> > Hi Tauseen,
> >>> >
> >>> > BPDU Filter - Filter both incoming & outgoing BPDU on the switchports
> >>> > BPDU Guard - Put interface on Err-disable when BPDU is received
> >>> >
> >>> > BPDU Guard + Bpdu filter - BPDUs are filter only outbound direction
> (No
> >>> > inbound BPDU filtering) When bpdu is received inbound port will be
> >>> > err-disable
> >>> >
> >>> > Hope this is clear
> >>> >
> >>> > Thanks
> >>> > Sara
> >>> >
> >>> >
> >>> >
> >>> > On Tue, Dec 4, 2012 at 7:37 AM, Tony Singh <mothafungla_at_gmail.com>
> >>> wrote:
> >>> >
> >>> >> As per routing Freak
> >>> >>
> >>> >> Cat3560-3#sh run int g1/0/23
> >>> >> Building configuration...
> >>> >>
> >>> >> Current configuration : 190 bytes
> >>> >> !
> >>> >> interface GigabitEthernet1/0/23
> >>> >> switchport access vlan 10
> >>> >> switchport mode access
> >>> >> speed 100
> >>> >> spanning-tree portfast
> >>> >> spanning-tree bpdufilter enable
> >>> >> spanning-tree bpduguard enable
> >>> >> end
> >>> >>
> >>> >>
> >>> >> Cat3560-3#show spanning-tree interface g1/0/23
> >>> >>
> >>> >> Vlan Role Sts Cost Prio.Nbr Type
> >>> >> ------------------- ---- --- --------- --------
> >>> >> --------------------------------
> >>> >> VLAN0010 Desg FWD 19 128.23 P2p Edge
> >>> >>
> >>> >>
> >>> >> Cat3560-3#show spanning-tree interface g1/0/24 detail
> >>> >> Port 24 (GigabitEthernet1/0/24) of VLAN0010 is designated
> forwarding
> >>> >> Port path cost 19, Port priority 128, Port Identifier 128.24.
> >>> >> Designated root has priority 32778, address 30e4.db1d.1c80
> >>> >> Designated bridge has priority 32778, address 30e4.db1d.1c80
> >>> >> Designated port id is 128.24, designated path cost 0
> >>> >> Timers: message age 0, forward delay 0, hold 0
> >>> >> Number of transitions to forwarding state: 1
> >>> >> The port is in the portfast mode
> >>> >> Link type is point-to-point by default
> >>> >> Bpdu guard is enabled
> >>> >> Bpdu filter is enabled
> >>> >> BPDU: sent 0, received 0
> >>> >>
> >>> >>
> >>> >>
> >>> >> Cat3560-3(config)#int g1/0/23
> >>> >> Cat3560-3(config-if)#no spanning-tree bpdufilter
> >>> >> Cat3560-3(config-if)#end
> >>> >> 00:43:23: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port
> Gi1/0/23
> >>> with
> >>> >> BPDU Guard enabled. Disabling port.
> >>> >> Cat3560-3(config-if)#end
> >>> >> 00:43:23: %PM-4-ERR_DISABLE: bpduguard error detected on Gi1/0/23,
> >>> putting
> >>> >> Gi1/0/23 in err-disable state
> >>> >> Cat3560-3#
> >>> >> 00:43:24: %SYS-5-CONFIG_I: Configured from console by console
> >>> >> 00:43:24: %LINEPROTO-5-UPDOWN: Line protocol on Interface
> >>> >> GigabitEthernet1/0/23, changed state to down
> >>> >> Cat3560-3#
> >>> >> 00:43:25: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/23, changed
> >>> state to
> >>> >> down
> >>> >>
> >>> >>
> >>> >>
> >>> >> On 3 December 2012 16:47, Tony Singh <mothafungla_at_gmail.com> wrote:
> >>> >>
> >>> >> > Sorry meant to say err disable not inconsistent, but my guess is
> >>> that it
> >>> >> > would be err disabled rather then bpdu's being filtered
> >>> >> >
> >>> >> > Will lab it later
> >>> >> >
> >>> >> > --
> >>> >> > BR
> >>> >> >
> >>> >> > Sent from my iPhone on 3
> >>> >> >
> >>> >> > On 3 Dec 2012, at 16:24, Tauseef Khan <tasneemjan_at_googlemail.com>
> >>> wrote:
> >>> >> >
> >>> >> > Hi Tony, I think you mean spanningtree gurad root interface level
> >>> config
> >>> >> > command which will disable the prot on which it configured if
> sees a
> >>> >> > superior BPDU. My question is about bpdugurad and bpdufilter
> >>> commands.
> >>> >> > KR
> >>> >> >
> >>> >> > On 3 December 2012 15:56, Tony Singh <mothafungla_at_gmail.com>
> wrote:
> >>> >> >
> >>> >> >> Filter would drop the bpdu frames, guard is where you do not want
> >>> any
> >>> >> >> bpdu's i.e rogue switch and enforcement of your root bridge.
> >>> >> >>
> >>> >> >> I would think having both on, then it would go into inconsistent
> >>> state,
> >>> >> >> but I'm not near a switch what happened when you tried?
> >>> >> >>
> >>> >> >> --
> >>> >> >> BR
> >>> >> >>
> >>> >> >> Tony
> >>> >> >>
> >>> >> >> Sent from my iPhone on 3
> >>> >> >>
> >>> >> >> On 3 Dec 2012, at 15:34, Tauseef Khan <tasneemjan_at_googlemail.com
> >
> >>> >> wrote:
> >>> >> >>
> >>> >> >> > I know Anthony Sequeira has expalined it beautifully on the
> blog
> >>> but
> >>> >> >> > appreciate if someone could clarify.
> >>> >> >> > If I have spanntree portfast bpdugurad enabled globally which
> >>> >> in-effect
> >>> >> >> > will apply to all access ports and will err-disable any
> >>> accessports if
> >>> >> >> it
> >>> >> >> > sees an ingress BPDU. Now I enable "spanntree bpdufilter
> enable"
> >>> >> >> interface
> >>> >> >> > config commands on one of the access port interfaces with
> >>> >> "spanning-tree
> >>> >> >> > portfast default" globally configured, which action will take
> >>> >> >> precedence.
> >>> >> >> > ie port will be err-disable or will lose its host status on
> >>> receipt of
> >>> >> >> > BPDUs. Also what is the best practice in this scenario. disbale
> >>> the
> >>> >> >> > bpdugurad (spanningtree bpduguard disable) on the interface
> level
> >>> >> before
> >>> >> >> > enabling bpdufilter (spanntree bpdufilter enable) or both
> actions
> >>> can
> >>> >> >> > coexist.....
> >>> >> >> > Thanks in advance
> >>> >> >> >
> >>> >> >> >
> >>> >> >> > Blogs and organic groups at http://www.ccie.net
> >>> >> >> >
> >>> >> >> >
> >>> >>
> _______________________________________________________________________
> >>> >> >> > Subscription information may be found at:
> >>> >> >> > http://www.groupstudy.com/list/CCIELab.html
> >>> >>
> >>> >>
> >>> >> Blogs and organic groups at http://www.ccie.net
> >>> >>
> >>> >>
> _______________________________________________________________________
> >>> >> Subscription information may be found at:
> >>> >> http://www.groupstudy.com/list/CCIELab.html
> >>> >
> >>> >
> >>> > Blogs and organic groups at http://www.ccie.net
> >>> >
> >>> >
> _______________________________________________________________________
> >>> > Subscription information may be found at:
> >>> > http://www.groupstudy.com/list/CCIELab.html
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
Blogs and organic groups at http://www.ccie.net
Received on Thu Dec 06 2012 - 18:25:47 ART
This archive was generated by hypermail 2.2.0 : Tue Jan 01 2013 - 09:36:53 ART