ccie-lab-bpduguard-vs-bpdufilter

BPDUfilter Spanningtree bpdufiltering feature Interface mode: spanning-tree bpdufilter enable Results port to not participate in STP, loops may occur.. Global mode: spanning-tree portfa

Trang 1

CCIE LAB BPDUguard vs. BPDUfilter

Spanningtree bpdufiltering feature

Interface mode:

spanning-tree bpdufilter enable

Results port to not participate in STP, loops may occur

Global mode:

spanning-tree portfast bpdufilter default

It enables bpdufiltering on ports that have port-fast configuration, so it sends a few bpdu while enabling port

then it filters bdpu unless receives a bpdu, after that it changes from port-fast mode and disables filtering

for port to operate like a normal port cause it has received bpdu

Spanningtree bpduguard feature

Interface mode:

spanning-tree bpduguard enable

Puts port in errdisable upon receiving any bpdu

Global mode:

author

Shawn Zandi

Routing, Switching &

Security Consultant

CCIEx3(R&S/SP/Security) FNCNE (BCNE) MCSE JNCISx2 (ER & SEC) http://www.shafagh.com

View my complete profile

search this blog

Search

powered by

labels

Basics (3) CCIE General-Info (4) Ethernet Switching (20) Extreme (1)

Foundry (2) IOS Services (9) IOS Tricks (16)

Trang 2

spanning-tree portfast bpduguard default

It enables bpduguard on ports that have port-fast configuration, puts port in errdisable upon receiving a

bpdu

posted by shawn zandi (shafagh) at 5:22 pm

labels: ethernet switching

13 comments:

IP Routing (18) Juniper (3) Multicast (4) Quality of Service (8) Security (25)

SP (27) VoIP (1) WAN Technologies (4) Wireless (1)

addthis

subscribe

links

Shafagh.com Cisco in Persian Shafagh.net (This Blog)

book list

recent comments

michal gurbski said

Thanks for explanation!

April 7, 2009 10:59 PM

Shafagh,

What is the difference between:

1 spanningtree portfast bpdufilter default

and

2 spanningtree portfast default?

I found that all ports that have PortFast enabled also have BPDU filtering automatically enabled

So these two command should give the same result Am I right?

April 7, 2009 11:09 PM

shafagh zandi said

Posts Comments

Trang 3

blog archive

► 2010 (8)

► 2009 (48)

▼ 2008 (49)

► December (3)

► November (1)

► September (1)

► August (1)

► July (16)

► June (1)

▼ May (15) CCIE LAB - Spanning Tree Protocol

CCIE LAB - Logging Config Changes

CCIE LAB - Source Address/Interface CCIE LAB - Parser Tricks CCIE LAB - Configuring KRON CCIE LAB - Servers

Loadbalancing with NAT CCIE LAB - Core Dump / Crash Log

CCIE LAB - IP SLA with HSRP

no, these are not same

"spanning-tree portfast bpdufilter default" does not make all ports "port-fast" but protects port which are in "port-fast" mode

so you need both commands at the same time to have all ports in "port-fast" mode

April 7, 2009 11:34 PM

So, what is the diffrence between:

sw1(config)#spanningtree portfast default sw1(config)#spanningtree portfast bpdufilter default

and

sw2(config)#spanningtree portfast default

? April 8, 2009 12:32 AM

the difference is that in second method you are not filtering incoming BPDUs and its dangerous for your STP

April 8, 2009 5:58 PM

This post has been removed by the author.

April 8, 2009 9:18 PM

Shafagh,

To sum up, Example1

SW1(config)#spanningtree portfast default SW1(config)#spanningtree portfast bpdufilter default

In this example ports will NOT send BPDU, but after receiving BPDU they will loose their portfast status (and proces BPDU)

Trang 4

CCIE LAB - IP SLA with HSRP CCIE LAB - TCL/Macro to Ping several IPs

CCIE LAB - Switch Macros CCIE LAB - BPDUguard vs

BPDUfilter CCIE LAB - PPPoFR CCIE LAB - Loopback backup of Interface

CCIE LAB - 802.1Q Tunneling CCIE LAB - Cisco 3560 Switches

► February (6)

► January (5)

recent posts

ccie training

Example2

SW2(config)#spanningtree portfast default

Here, ports WILL send BPDU, but after receiving BPDU they will loose their portfast status (and proces BPDU)

Example3

SW3(configif)#spanningtree bpdufilter enable

And finally in example 3, enabling BPDU Filtering on a specific port or ports, rather than enabling it globally, will result in received BPDUs being quietly ignored Those incoming BPDUs will be dropped, and the port will not send any BPDUs in return

To verify global configuration of BPDU Filtering use:

SW1#show spanningtree summary totals

To verify configuration of BPDU Filtering on a specific port use:

SW3#show spanningtree interface fast0/11 detail

Am I right?

April 8, 2009 11:03 PM

exactly, but keep in mind,

"spanning-tree portfast default" alone, without any bodufilter or bpduguard is dangerous cause it does not have any protection method and makes loop in network

April 9, 2009 12:09 AM

mauricio bento ghem said

Trang 5

Thanks a lot for the good explanation.

Cheers

July 8, 2009 7:38 PM

anonymous said

If the commands bpduguard/bpdufilter (either in global mode and/or in interface mode) are configured whats happen ?

Are these features were mutually exclusive ?

config-if#spanning-tree portfast config-if#spanning-tree bpduguard config-if#spanning-tree bpdufilter

Regards July 15, 2009 11:28 AM

Interface Configuration (if specifically configured) always overrides global configurations

July 15, 2009 11:47 AM

mohanraj said

Example1:

SW1(config)#spanning-tree portfast default SW1(config)#spanning-tree portfast bpdufilter default

In this example ports will NOT send BPDU, but after receiving BPDU they will loose their portfast status (and proces BPDU)

My query is here when portfast status is lost finally, BPDU would be received and processed Will it allow to send out BPDUs from those ports ??

Example2 SW2(config)#spanning-tree portfast default Here, ports WILL send BPDU, but after receiving BPDU they will loose their portfast status (and proces BPDU)

Trang 6

Newer Post Older Post

Định dạng
Số trang	6
Dung lượng	330,82 KB