[c-nsp] spanning-tree bpduguard vs. bpdufilter

Bielawa, Daniel W. (NS) dwbielawa at liberty.edu
Thu Mar 26 18:10:34 EDT 2009


Hello

From experience, I can tell you that the bpdufilter command will override the bpduguard command. Bpdufilter effectively turns off spanning tree on a port, but portfast keeps spanning tree enabled on a port. With bpdufilter enabled there is nothing to protect you from a loop.

Thank You

Daniel Bielawa
Network Engineer
Liberty University Information Services

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Steven Fischer
Sent: Thursday, March 26, 2009 4:06 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] spanning-tree bpduguard vs. bpdufilter

When deploying our new network a few months ago, we set up Cisco Works to
manage it.  Cisco Works detected and flagged the lack of the following
commands as configuration errors:

spanning-tree bpduguard enable
spanning-tree bpdufilter enable

Thinking this recommendation came from Cisco Works, it follows that this
would make sense to do, right?  As some more information on the effect of
these commands has come to light, this is really not a good idea.  The
commands almost seem to serve opposite purposes - one shuts the port down if
a bpdu is detected, the other ostensibly ignores bpdus.  Which one of these
commands takes precedence?

From what I understand, spanning-tree portfast will in effect serve the same
purpose as spanning-tree bpdufilter enable IF the port is an active access
port...is that correct?

Thanks

Steve

-- 
To him who is able to keep you from falling and to present you before his
glorious presence without fault and with great joy
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
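
An added example, not part of the thread: a small Python audit that flags interface stanzas carrying `spanning-tree bpdufilter enable`, including the combination the reply describes, where it overrides `spanning-tree bpduguard enable`. The sample configuration, interface names and finding labels are constructed for illustration.

```python
import re

# Constructed sample configuration (not taken from the thread).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/2
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree bpdufilter enable
!
interface GigabitEthernet0/3
 switchport mode access
 spanning-tree bpdufilter enable
!
interface GigabitEthernet0/4
 switchport mode access
 spanning-tree bpdufilter disable
"""

FEATURE = re.compile(r"^\s+spanning-tree (bpduguard|bpdufilter) enable\s*$")

def parse_interfaces(config):
    """Map each interface name to the BPDU features enabled in its stanza."""
    interfaces, current = {}, None
    for line in config.splitlines():
        header = re.match(r"^interface\s+(\S+)", line)
        if header:
            current = interfaces.setdefault(header.group(1), set())
        elif not line.startswith(" "):
            current = None  # "!" or a global command ends the stanza
        elif current is not None:
            feature = FEATURE.match(line)
            if feature:
                current.add(feature.group(1))
    return interfaces

def audit(config):
    """Return {interface: finding} for ports where bpdufilter is enabled."""
    findings = {}
    for name, feats in parse_interfaces(config).items():
        if "bpdufilter" in feats:
            # With the filter on, bpduguard never gets to act on the port.
            both = "bpduguard" in feats
            findings[name] = "filter-overrides-guard" if both else "filter-only"
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports only GigabitEthernet0/2 and GigabitEthernet0/3; ports with bpduguard alone or with the filter explicitly disabled are not flagged.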

