Thank you very much! I will make the same simulation that you said, but until next Monday, when I arrive at work, I don't have switches to do it...
Best regards!
John.

On February 11, 2012 at 16:26, Bob McCouch <[email protected]> wrote:

> I think the original question was about "who wins" if they're both
> configured.
>
> I've labbed this before, but jumped in to my switches to refresh my memory
> and make sure I was about to answer correctly....
>
> When both are enabled *at the interface level*, BPDUFilter wins.
>
> !## I configured a link to SW2 for BPDUGuard and Filter at the interface
> level. These are 3560s so they will not negotiate a trunk. Fa0/24 on SW2 is
> currently shut.
>
> SW1(config-if)#do sh run int fa0/24
> Building configuration...
>
> Current configuration : 99 bytes
> !
> interface FastEthernet0/24
>  spanning-tree bpdufilter enable
>  spanning-tree bpduguard enable
> end
>
> !## I 'no shut' the interface on SW2.
>
> SW1(config-if)#
> *Mar 1 00:13:17.907: %LINK-3-UPDOWN: Interface FastEthernet0/24, changed state to up
> *Mar 1 00:13:18.914: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/24, changed state to up
>
> !## Note that the port came up and did not go into Err-Disable.
>
> SW1(config-if)#do sh spanning int fa0/24
>
> Vlan                Role Sts Cost      Prio.Nbr Type
> ------------------- ---- --- --------- -------- --------------------------------
> VLAN0001            Desg FWD 19        128.26   P2p
> SW1(config-if)#
>
> !## And again, we're forwarding on this port even though it's a normal
> switch port on the other end. BPDUFilter has won, it is filtering the BPDUs
> before BPDUGuard can "see" them.
>
> I then reconfigured things so that BPDUFilter was enabled globally as part
> of PortFast. In this mode, BPDUFilter actually lets a few BPDUs through
> (10, IIRC) to catch loops. If an incoming BPDU is detected on the port, the
> port loses its PortFast status, but stays up. However, since we *also* have
> BPDUGuard enabled, the Guard catches the BPDU and err-disables the port:
>
> SW1(config-if)#do sh run int fa0/24
> Building configuration...
>
> Current configuration : 114 bytes
> !
> interface FastEthernet0/24
>  switchport mode access
>  spanning-tree portfast
>  spanning-tree bpduguard enable
> end
>
> !## Here you can see that bpdufilter is enabled as part of PortFast, so
> any PortFast port has BPDUFilter on it.
>
> SW1(config-if)#do sh run | i bpdufilter
> spanning-tree portfast bpdufilter default
> SW1(config-if)#
>
> !## I 'no shut' Fa0/24 on SW2 again, and this time the first incoming BPDU
> is allowed, and it trips the Guard to err-disable the port:
>
> *Mar 1 00:20:15.400: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Fa0/24 with BPDU Guard enabled. Disabling port.
> *Mar 1 00:20:15.400: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/24, putting Fa0/24 in err-disable state
>
> If you have access to switch equipment, you should play with these
> features. I spent an afternoon a while ago trying every permutation of
> interface and global enabling of these features. There are a couple rather
> ugly cases where some bad things can happen. Having both enabled at the
> port level is one of them, because the Guard will never kick in, but BPDU
> filter allows a network loop to occur.
>
> Hope that helps!
>
> Bob
>
> On Sat, Feb 11, 2012 at 8:04 AM, Elie Raad <[email protected]> wrote:
>
>> Hello John
>>
>> BPDUGuard : Enabled per port; error disables the port upon receipt of any
>> BPDU and restricts the port from sending TCN BPDUs
>> BPDUfilter configured on the INTERFACE LEVEL will restrict the Port from
>> receiving and sending BPDUs.( as the name implies -->filtering BPDU)
>>
>> Elie
>>
>> ________________________________________
>> From: [email protected] [[email protected]] on behalf of John Edmunns [[email protected]]
>> Sent: Saturday, February 11, 2012 12:53 PM
>> To: [email protected]
>> Subject: [OSL | CCIE_RS] BPDU filter
>>
>> Good morning,
>>
>> I'm new in this list.
>> I am reviewing the L2 topics and I have a doubt... What feature is
>> preferred between bpduguard and bpdufilter?
>>
>> If I have an interface with this config:
>>
>> interface FastEthernet0/0
>>  switchport mode access
>>  spanning-tree bpduguard enable
>>  spanning-tree bpdufilter enable
>>
>> If this interface receives a bpdu... What will happen? err-disable the port
>> or ignore the packet?
>>
>> Thanks!
>>
>> John.
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>>
>> Are you a CCNP or CCIE and looking for a job? Check out
>> www.PlatinumPlacement.com
>>
>> http://onlinestudylist.com/mailman/listinfo/ccie_rs
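
Added example, not part of the thread and not written by any of its participants: a small Python audit that parses an IOS-style running-config and labels each interface by the Guard/Filter outcome shown in the lab output quoted above, flagging the interface-level combination where BPDUGuard never fires. The sample config, the function names and the verdict labels are constructed for illustration.

```python
import re

# Constructed sample running-config; interface numbers are illustrative.
SAMPLE_CONFIG = """\
spanning-tree portfast bpdufilter default
!
interface FastEthernet0/22
 spanning-tree bpdufilter enable
!
interface FastEthernet0/23
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/24
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
"""

def parse_config(config):
    """Return (global_filter_default, {interface: set of stanza lines})."""
    global_filter, stanzas, current = False, {}, None
    for raw in config.splitlines():
        match = re.match(r"interface\s+(\S+)", raw)
        if match:
            current = stanzas.setdefault(match.group(1), set())
        elif raw.startswith(" ") and current is not None:
            current.add(raw.strip())      # indented line inside an interface stanza
        else:
            current = None                # "!" or a global command ends the stanza
            if raw.strip() == "spanning-tree portfast bpdufilter default":
                global_filter = True
    return global_filter, stanzas

def audit(config):
    """Label each interface by the Guard/Filter outcome described in the thread."""
    global_filter, stanzas = parse_config(config)
    findings = {}
    for name, lines in stanzas.items():
        if_filter = "spanning-tree bpdufilter enable" in lines
        guard = "spanning-tree bpduguard enable" in lines
        if if_filter and guard:
            findings[name] = "filter-masks-guard"        # Guard never sees a BPDU
        elif if_filter:
            findings[name] = "filter-only"               # BPDUs dropped, port stays up
        elif guard and global_filter and "spanning-tree portfast" in lines:
            findings[name] = "guard-with-global-filter"  # first BPDU err-disables
    return findings

print(audit(SAMPLE_CONFIG))
```

Ports reported as `filter-masks-guard` are the ones to review first, since on those the err-disable protection is configured but cannot trigger.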
