bpduguard vs bpdufilter

Started by itech, November 16, 2017, 03:00:51 AM

Previous topic - Next topic
Print
Go Down Pages1
User actions

itech

November 16, 2017, 03:00:51 AM
hi everyone
i want to use bpduguard or bpdufilter on my cisco devices. but when i use bpduguard ,switchport(PC) has sent bpdu message still. when i use bpdufilter switchport hasnt sent bpdu messages.
are there any idea about this issue

i used this commands

SPANNING-TREE PORTFAST DEFAULT
SPANNING-TREE PORTFAST BPDUGUARD DEFAULT

SPANNING-TREE PORTFAST DEFAULT
SPANNING-TREE PORTFAST BPDUFILTER DEFAULT

SimonV

#1
November 16, 2017, 04:30:28 AM
A port in portfast mode will continue to send BPDUs. Only when it receives a BPDU will it go into err-disabled mode. 
BPDUfilter prevents BPDUs from being sent and received.

dlots

#2
November 16, 2017, 08:45:10 AM
BPDU guard acts like a gate, it lets traffic though and it will send BPDUs out, but if it sees a BPDU come in it slams the gate and doesn't let anything else come in

BPDU filter on the port acts like a sniper on a tower that was bullied by BPDUs when it was a kid, it kills all BPDUs: going in or coming out effectively disabling spanning-tree

BPDU filter at the global level basically stops interfaces with portfast from doing spanning-tree.  If a port with portfast on it gets a BPDU in this state it drops the portfast stuff and operates normally.

itech

#3
November 20, 2017, 06:36:02 AM Last Edit: November 20, 2017, 08:00:52 AM by itech
Quote from: dlots on November 16, 2017, 08:45:10 AM
BPDU guard acts like a gate, it lets traffic though and it will send BPDUs out, but if it sees a BPDU come in it slams the gate and doesn't let anything else come in

BPDU filter on the port acts like a sniper on a tower that was bullied by BPDUs when it was a kid, it kills all BPDUs: going in or coming out effectively disabling spanning-tree

BPDU filter at the global level basically stops interfaces with portfast from doing spanning-tree.  If a port with portfast on it gets a BPDU in this state it drops the portfast stuff and operates normally.

thanks
your answer is very obvious
well Which approach is better for us?

icecream-guy

#4
November 20, 2017, 07:35:48 AM
Quote from: itech on November 20, 2017, 06:36:02 AM
Quote from: dlots on November 16, 2017, 08:45:10 AM
BPDU guard acts like a gate, it lets traffic though and it will send BPDUs out, but if it sees a BPDU come in it slams the gate and doesn't let anything else come in

BPDU filter on the port acts like a sniper on a tower that was bullied by BPDUs when it was a kid, it kills all BPDUs: going in or coming out effectively disabling spanning-tree

BPDU filter at the global level basically stops interfaces with portfast from doing spanning-tree.  If a port with portfast on it gets a BPDU in this state it drops the portfast stuff and operates normally.

thanks
your answer is very obvious :smug:
well Which approach is better for us?

not disabling spanning-tree
:professorcat:

My Moral Fibers have been cut.

dlots

#5
November 20, 2017, 08:49:42 AM
Quote from: itech on November 20, 2017, 06:36:02 AM
thanks
your answer is very obvious
well Which approach is better for us?

Depends on what your goal is:

If it's to stop people from plugging in switches to your network BPDU guard.  This would be my guess as to what you want : You normally don't want random people to be able to plug a switch into your network and you REALLY don't want them to play with your spanning-tree.

If it's to let people plug in a switch wherever they need to but still have devices come up quickly when you plug them in Global BPDU filter.

If you want your network to be on fire and go down regularly because "Fuck this shit": https://www.youtube.com/watch?v=ulIOrQasR18 (NSFW - language)  Go with BPDU filter on the ports.
Print
Go Up Pages1
User actions