[c-nsp] spanning-tree bpduguard vs. bpdufilter
A.L.M.Buxey at lboro.ac.uk
Thu Mar 26 16:29:17 EDT 2009
Hi,
> spanning-tree bpduguard enable
> spanning-tree bpdufilter enable
>
> Thinking this recommendation came from Cisco Works, it follows that this
> would make sense to do, right? As some more information on the effect of
> these commands has come to light, this is really not a good idea. The
> commands almost seem to serve opposite purposes - one shuts the port down if
> a bpdu is detected, the other ostensibly ignores bpdus. Which one of these
> commands takes precedence?
>
> From what I understand, spanning-tree portfast will in effect serve the same
> purpose as spanning-tree bpdufilter enable IF the port is an active access
> port...is that correct?
No. spanning-tree portfast won't listen/discover/span. If you want it to
do this, you need to have the global spanning-tree command
spanning-tree portfast bpdufilter default
This will filter on portfast (what you alluded to).
However, if you have a switch in portfast mode then it should never receive
a BPDU from that port - if it does then something ain't right on the network.
So perhaps it is worth having protection - which is what bpduguard does.
Incidentally, it appears that some of this behaviour changes from IOS to
IOS - we had many links with spanning-tree portfast trunk enabled...
and they got clobbered by bpduguard seeing BPDUs coming down those links
from the other end switch - which we knew about... caveat emptor etc.
alan
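As an added example (not part of Alan's reply or the original question, and with interface names assumed), here is how the commands discussed in the thread fit together on an IOS access switch. The point it illustrates is the precedence question: on the same interface, bpdufilter wins over bpduguard because the filter discards BPDUs before the guard ever sees one, so the pair of commands in the original question amounts to turning spanning tree off on that port. The global portfast variants behave differently, which is the distinction Alan draws.

```cisco
! Added example, not from the thread. Interface names are assumed.
!
! Global default: apply guard (not filter) to every portfast port.
spanning-tree portfast bpduguard default
!
! Let a guard-err-disabled port recover on its own after 5 minutes;
! otherwise it stays down until someone does shut / no shut.
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! Typical end-host access port: goes straight to forwarding, STP still
! runs, and any BPDU that arrives err-disables the port (guard fires).
interface GigabitEthernet0/1
 description user access port
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! The combination from the original question: interface-level bpdufilter
! stops the port sending AND receiving BPDUs, so bpduguard on the same
! port never sees one and never fires. This is the same as disabling STP
! on the port; a loop through an unmanaged switch here goes undetected.
interface GigabitEthernet0/2
 description DO NOT DO THIS - filter silently defeats guard
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree bpdufilter enable
!
! Uplink to another switch: do not run portfast (or portfast trunk) here,
! otherwise the global bpduguard default err-disables the link as soon as
! the far switch sends its first BPDU, which is what Alan describes.
interface GigabitEthernet0/24
 description uplink to core
 switchport mode trunk
!
! Verification: confirm which features are actually active per port.
! show spanning-tree summary
! show spanning-tree interface GigabitEthernet0/2 detail
! show interfaces status err-disabled
```

In the `show spanning-tree interface ... detail` output, check the "The port is in the portfast mode", "Bpdu guard is enabled" and "Bpdu filter is enabled" lines rather than trusting the running-config. If a filter is wanted at all, the global `spanning-tree portfast bpdufilter default` form is the safer one: a portfast port under it stops sending BPDUs after link-up, but a received BPDU makes it drop portfast and the filter and fall back to normal STP, whereas the interface-level `spanning-tree bpdufilter enable` never reacts to anything.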