Tauseef,
If you already have spanning-tree guard root on the port this means you're
receiving BPDU's but blocking superior BPDU's, when you enable bpdufilter
on the port this will stop the ingress/egress flow of BPDU's you should not
have a problem, however you will have a TCN on the downstream switch device
that you just stopped sending BPDU's too and therefore you will have a
Spanning-tree reconvergence if this port was a root port or backup port.
M2C
On Thu, Dec 6, 2012 at 7:37 AM, Tauseef Khan <tasneemjan_at_googlemail.com>wrote:
> Still little confusion and appreciate if someone could spare some time for
> expert opinion
> On my switchport if I have spanning tree guard root configured and I don't
> want to receive or send any bpdus of that port I configure spanningtree
> bpdufilter enable on that port. do i need to remove spanningtree gurad from
> that port before enabling spanningtree bpdufilter enable or both the
> commands can co-exist on switchport and switchport will not send or receive
> any BPDUs on that port.
> Thanks in advance
> regards
>
>
>
> On 4 December 2012 08:37, Tauseef Khan <tasneemjan_at_googlemail.com> wrote:
>
> > Thanks for clarification Marko. What would be the behavior when Bpduguard
> > is configured globally and filter is configured under port. Also if I
> have
> > spanning-tree portfast bpduguard default configured globally and I want
> to
> > enable <spanning-tree grad root> on one of the ports. Do I disable
> > <spanning-tree bpduguard disable> first on that port or leave it?
> > Thanks in Advance and regards
> >
> >
> > On 4 December 2012 06:50, Marko Milivojevic <markom_at_ipexpert.com> wrote:
> >
> >> When both Filter and Guard are configured under the por, Guard will
> >> have no effect. No BPDUs will be sent from the port and all incoming
> >> BPDUs on the port will be silently dropped.
> >>
> >> The combination behaves differently when globally configured Filter is
> >> used.
> >>
> >> --
> >> Marko Milivojevic - CCIE #18427 (SP R&S)
> >> Senior CCIE Instructor - IPexpert
> >>
> >> On Mon, Dec 3, 2012 at 4:32 PM, Sarad <tosara_at_gmail.com> wrote:
> >> > Hi Tauseen,
> >> >
> >> > BPDU Filter - Filter both incoming & outgoing BPDU on the switchports
> >> > BPDU Guard - Put interface on Err-disable when BPDU is received
> >> >
> >> > BPDU Guard + Bpdu filter - BPDUs are filter only outbound direction
> (No
> >> > inbound BPDU filtering) When bpdu is received inbound port will be
> >> > err-disable
> >> >
> >> > Hope this is clear
> >> >
> >> > Thanks
> >> > Sara
> >> >
> >> >
> >> >
> >> > On Tue, Dec 4, 2012 at 7:37 AM, Tony Singh <mothafungla_at_gmail.com>
> >> wrote:
> >> >
> >> >> As per routing Freak
> >> >>
> >> >> Cat3560-3#sh run int g1/0/23
> >> >> Building configuration...
> >> >>
> >> >> Current configuration : 190 bytes
> >> >> !
> >> >> interface GigabitEthernet1/0/23
> >> >> switchport access vlan 10
> >> >> switchport mode access
> >> >> speed 100
> >> >> spanning-tree portfast
> >> >> spanning-tree bpdufilter enable
> >> >> spanning-tree bpduguard enable
> >> >> end
> >> >>
> >> >>
> >> >> Cat3560-3#show spanning-tree interface g1/0/23
> >> >>
> >> >> Vlan Role Sts Cost Prio.Nbr Type
> >> >> ------------------- ---- --- --------- --------
> >> >> --------------------------------
> >> >> VLAN0010 Desg FWD 19 128.23 P2p Edge
> >> >>
> >> >>
> >> >> Cat3560-3#show spanning-tree interface g1/0/24 detail
> >> >> Port 24 (GigabitEthernet1/0/24) of VLAN0010 is designated forwarding
> >> >> Port path cost 19, Port priority 128, Port Identifier 128.24.
> >> >> Designated root has priority 32778, address 30e4.db1d.1c80
> >> >> Designated bridge has priority 32778, address 30e4.db1d.1c80
> >> >> Designated port id is 128.24, designated path cost 0
> >> >> Timers: message age 0, forward delay 0, hold 0
> >> >> Number of transitions to forwarding state: 1
> >> >> The port is in the portfast mode
> >> >> Link type is point-to-point by default
> >> >> Bpdu guard is enabled
> >> >> Bpdu filter is enabled
> >> >> BPDU: sent 0, received 0
> >> >>
> >> >>
> >> >>
> >> >> Cat3560-3(config)#int g1/0/23
> >> >> Cat3560-3(config-if)#no spanning-tree bpdufilter
> >> >> Cat3560-3(config-if)#end
> >> >> 00:43:23: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Gi1/0/23
> >> with
> >> >> BPDU Guard enabled. Disabling port.
> >> >> Cat3560-3(config-if)#end
> >> >> 00:43:23: %PM-4-ERR_DISABLE: bpduguard error detected on Gi1/0/23,
> >> putting
> >> >> Gi1/0/23 in err-disable state
> >> >> Cat3560-3#
> >> >> 00:43:24: %SYS-5-CONFIG_I: Configured from console by console
> >> >> 00:43:24: %LINEPROTO-5-UPDOWN: Line protocol on Interface
> >> >> GigabitEthernet1/0/23, changed state to down
> >> >> Cat3560-3#
> >> >> 00:43:25: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/23, changed
> >> state to
> >> >> down
> >> >>
> >> >>
> >> >>
> >> >> On 3 December 2012 16:47, Tony Singh <mothafungla_at_gmail.com> wrote:
> >> >>
> >> >> > Sorry meant to say err disable not inconsistent, but my guess is
> >> that it
> >> >> > would be err disabled rather then bpdu's being filtered
> >> >> >
> >> >> > Will lab it later
> >> >> >
> >> >> > --
> >> >> > BR
> >> >> >
> >> >> > Sent from my iPhone on 3
> >> >> >
> >> >> > On 3 Dec 2012, at 16:24, Tauseef Khan <tasneemjan_at_googlemail.com>
> >> wrote:
> >> >> >
> >> >> > Hi Tony, I think you mean spanningtree gurad root interface level
> >> config
> >> >> > command which will disable the prot on which it configured if sees
> a
> >> >> > superior BPDU. My question is about bpdugurad and bpdufilter
> >> commands.
> >> >> > KR
> >> >> >
> >> >> > On 3 December 2012 15:56, Tony Singh <mothafungla_at_gmail.com>
> wrote:
> >> >> >
> >> >> >> Filter would drop the bpdu frames, guard is where you do not want
> >> any
> >> >> >> bpdu's i.e rogue switch and enforcement of your root bridge.
> >> >> >>
> >> >> >> I would think having both on, then it would go into inconsistent
> >> state,
> >> >> >> but I'm not near a switch what happened when you tried?
> >> >> >>
> >> >> >> --
> >> >> >> BR
> >> >> >>
> >> >> >> Tony
> >> >> >>
> >> >> >> Sent from my iPhone on 3
> >> >> >>
> >> >> >> On 3 Dec 2012, at 15:34, Tauseef Khan <tasneemjan_at_googlemail.com>
> >> >> wrote:
> >> >> >>
> >> >> >> > I know Anthony Sequeira has expalined it beautifully on the blog
> >> but
> >> >> >> > appreciate if someone could clarify.
> >> >> >> > If I have spanntree portfast bpdugurad enabled globally which
> >> >> in-effect
> >> >> >> > will apply to all access ports and will err-disable any
> >> accessports if
> >> >> >> it
> >> >> >> > sees an ingress BPDU. Now I enable "spanntree bpdufilter enable"
> >> >> >> interface
> >> >> >> > config commands on one of the access port interfaces with
> >> >> "spanning-tree
> >> >> >> > portfast default" globally configured, which action will take
> >> >> >> precedence.
> >> >> >> > ie port will be err-disable or will lose its host status on
> >> receipt of
> >> >> >> > BPDUs. Also what is the best practice in this scenario. disbale
> >> the
> >> >> >> > bpdugurad (spanningtree bpduguard disable) on the interface
> level
> >> >> before
> >> >> >> > enabling bpdufilter (spanntree bpdufilter enable) or both
> actions
> >> can
> >> >> >> > coexist.....
> >> >> >> > Thanks in advance
> >> >> >> >
> >> >> >> >
> >> >> >> > Blogs and organic groups at http://www.ccie.net
> >> >> >> >
> >> >> >> >
> >> >>
> _______________________________________________________________________
> >> >> >> > Subscription information may be found at:
> >> >> >> > http://www.groupstudy.com/list/CCIELab.html
> >> >>
> >> >>
> >> >> Blogs and organic groups at http://www.ccie.net
> >> >>
> >> >>
> _______________________________________________________________________
> >> >> Subscription information may be found at:
> >> >> http://www.groupstudy.com/list/CCIELab.html
> >> >
> >> >
> >> > Blogs and organic groups at http://www.ccie.net
> >> >
> >> >
> _______________________________________________________________________
> >> > Subscription information may be found at:
> >> > http://www.groupstudy.com/list/CCIELab.html
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
Blogs and organic groups at http://www.ccie.net
Received on Thu Dec 06 2012 - 10:59:14 ART
This archive was generated by hypermail 2.2.0 : Tue Jan 01 2013 - 09:36:53 ART