[c-nsp] spanning-tree bpduguard vs. bpdufilter

Steven Fischer sfischer1967 at gmail.com
Thu Mar 26 16:51:41 EDT 2009


On Thu, Mar 26, 2009 at 4:29 PM, <A.L.M.Buxey at lboro.ac.uk> wrote:

> Hi,
>
> > spanning-tree bpduguard enable
> > spanning-tree bpdufilter enable
> >
> > Thinking this recommendation came from Cisco Works, it follows that this
> > would make sense to do, right?  As some more information on the effect of
> > these commands has come to light, this is really not a good idea.  The
> > commands almost seem to serve opposite purposes - one shuts the port down if
> > a bpdu is detected, the other ostensibly ignores bpdus.  Which one of these
> > commands takes precedence?
> >
> > From what I understand, spanning-tree portfast will in effect serve the same
> > purpose as spanning-tree bpdufilter enable IF the port is an active access
> > port...is that correct?
>
> no.  spanning-tree portfast won't listen/discover/span. if you want it to
> do this, you need to have the global spanning-tree command


Right, it goes immediately from not active into forwarding state.

>
>
> spanning-tree portfast bpdufilter default
>
> this will filter on portfast (what you alluded to).


So, I need to add this "spanning-tree portfast bpdufilter default" if I want
bpdufilter as the default condition of interfaces configured with
portfast...correct?

The question is, if I'm using bpduguard on an interface, is there any
additional protection afforded by bpdufilter?

>
>
> however, if you have a switch in portfast mode then it should never receive
> a bpdu from that port - if it does then something ain't right on the
> network.
> so perhaps it is worth having protection - which is what bpduguard does.
>
> incidentally, it appears that some of this behaviour changes from IOS to
> IOS - we had many links with spanning-tree portfast trunk enabled...
> and they got clobbered by bpduguard seeing bpdu coming down those links
> from the other end switch - which we knew about....caveat emptor etc
>
> alan


I prefer the "protection" of bpduguard over bpdufilter.  Sure, it's more
drastic, but it's more idiot-proof ...ok...idiot-resistant as well.

Thanks....



-- 
To him who is able to keep you from falling and to present you before his
glorious presence without fault and with great joy

