I think the original question was about "who wins" if they're both configured.
I've labbed this before, but jumped into my switches to refresh my memory and make sure I was about to answer correctly... When both are enabled *at the interface level*, BPDUFilter wins.

!## I configured a link to SW2 for BPDUGuard and Filter at the interface level. These are 3560s so they will not negotiate a trunk. Fa0/24 on SW2 is currently shut.

SW1(config-if)#do sh run int fa0/24
Building configuration...

Current configuration : 99 bytes
!
interface FastEthernet0/24
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
end

!## I 'no shut' the interface on SW2.

SW1(config-if)#
*Mar 1 00:13:17.907: %LINK-3-UPDOWN: Interface FastEthernet0/24, changed state to up
*Mar 1 00:13:18.914: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/24, changed state to up

!## Note that the port came up and did not go into Err-Disable.

SW1(config-if)#do sh spanning int fa0/24

Vlan                Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
VLAN0001            Desg FWD 19        128.26   P2p
SW1(config-if)#

!## And again, we're forwarding on this port even though it's a normal switch port on the other end.

BPDUFilter has won; it is filtering the BPDUs before BPDUGuard can "see" them.

I then reconfigured things so that BPDUFilter was enabled globally as part of PortFast. In this mode, BPDUFilter actually lets a few BPDUs through (10, IIRC) to catch loops. If an incoming BPDU is detected on the port, the port loses its PortFast status, but stays up. However, since we *also* have BPDUGuard enabled, the Guard catches the BPDU and err-disables the port:

SW1(config-if)#do sh run int fa0/24
Building configuration...

Current configuration : 114 bytes
!
interface FastEthernet0/24
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
end

!## Here you can see that bpdufilter is enabled as part of PortFast, so any PortFast port has BPDUFilter on it.

SW1(config-if)#do sh run | i bpdufilter
spanning-tree portfast bpdufilter default
SW1(config-if)#

!## I 'no shut' Fa0/24 on SW2 again, and this time the first incoming BPDU is allowed, and it trips the Guard to err-disable the port:

*Mar 1 00:20:15.400: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Fa0/24 with BPDU Guard enabled. Disabling port.
*Mar 1 00:20:15.400: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/24, putting Fa0/24 in err-disable state

If you have access to switch equipment, you should play with these features. I spent an afternoon a while ago trying every permutation of interface and global enabling of these features. There are a couple of rather ugly cases where some bad things can happen. Having both enabled at the port level is one of them, because the Guard will never kick in, but BPDU filter allows a network loop to occur.

Hope that helps!

Bob

On Sat, Feb 11, 2012 at 8:04 AM, Elie Raad <[email protected]> wrote:

> Hello John
>
> BPDUGuard : Enabled per port; error disables the port upon receipt of any
> BPDU and restricts the port from sending TCN BPDUs
> BPDUfilter configured on the INTERFACE LEVEL will restrict the Port from
> receiving and sending BPDUs. (as the name implies --> filtering BPDU)
>
> Elie
>
> ________________________________________
> From: [email protected] [
> [email protected]] on behalf of John Edmunns [
> [email protected]]
> Sent: Saturday, February 11, 2012 12:53 PM
> To: [email protected]
> Subject: [OSL | CCIE_RS] BPDU filter
>
> Good morning,
>
> I'm new in this list.
> I am reviewing the L2 topics and I have a doubt... What feature is
> preferred between bpduguard and bpdufilter?
>
> If I have an interface with this config:
>
> interface FastEthernet0/0
> switchport mode access
> spanning-tree bpduguard enable
> spanning-tree bpdufilter enable
>
> If this interface receives a bpdu... What will happen? err-disable the port
> or ignore the packet?
>
> Thanks!
>
> John.
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
>
> http://onlinestudylist.com/mailman/listinfo/ccie_rs
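
An added example, not part of the original thread: a small auditor that reads an IOS-style running-config and flags ports by the precedence described in the reply above, so the "both enabled at the interface level" case can be caught in review. The function name, the verdict labels and the sample config are constructed for illustration.

```python
import re
# Constructed sample running-config, modelled on the cases in the thread.
SAMPLE_CONFIG = """\
spanning-tree portfast bpdufilter default
!
interface FastEthernet0/23
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/24
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
!
interface FastEthernet0/25
 spanning-tree portfast
"""

def audit_bpdu_protection(config_text):
    """Return {interface: verdict}; verdict labels are hypothetical names."""
    global_filter, current, ports = False, None, {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):      # any top-level line closes the interface block
            current = None
            m = re.match(r"interface\s+(\S+)", line)
            if m:
                current = m.group(1)
                ports[current] = set()
            elif line == "spanning-tree portfast bpdufilter default":
                global_filter = True
        elif current:
            m = re.match(r"spanning-tree (bpdufilter|bpduguard) enable$", line)
            if m:
                ports[current].add(m.group(1))
            elif line.startswith("spanning-tree portfast") and "disable" not in line:
                ports[current].add("portfast")
    verdicts = {}
    for name, feats in ports.items():
        if {"bpdufilter", "bpduguard"} <= feats:
            verdicts[name] = "GUARD_MASKED"     # filter drops BPDUs before guard sees them
        elif "bpdufilter" in feats:
            verdicts[name] = "FILTER_ONLY"      # BPDUs ignored on this port, a loop can form
        elif "bpduguard" in feats:
            verdicts[name] = "GUARD_EFFECTIVE"  # first BPDU err-disables the port
        elif "portfast" in feats and global_filter:
            verdicts[name] = "PORTFAST_FILTER"  # loses PortFast on a BPDU but stays up
        else:
            verdicts[name] = "UNPROTECTED"
    return verdicts
```

Ports reported as GUARD_MASKED are the ones to fix first: removing the interface-level `spanning-tree bpdufilter enable` lets BPDU Guard see the BPDU and err-disable the port.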
