Lucien Avramov Tue, 10/13/2009 - 23:33

Bpdufilter is typically used in conjunction with portfast. When bpdufilter is enabled, you do not send any BPDUs out the interface. If you hear a BPDU, you take the port out of portfast state.


With bpduguard, if you hear a BPDU, you put the interface in err-disabled state.


The bpdufilter feature is available so you can say spanning-tree portfast default to make every port a portfast port. Ports that receive BPDUs will be non-portfast.


Bpduguard should be used on ports that you know should never be connected to devices running spanning-tree on the other end of the link.

The difference between the two is the action. Bpdufilter is to revert to non-portfast state, while bpduguard is to revert to err-disabled state.


Giuseppe Larosa Tue, 10/13/2009 - 23:34

Hello Nasr,

MST 802.1s provides:

higher scalability: it handles hundreds to thousands of VLANs better

multi-vendor support: being a standard, it can be the best solution in multi-vendor contexts when all devices support it.


drawbacks:

configuration has to be replicated manually everywhere and requires careful planning.

Because you can associate non-existing VLANs with instances, it is recommended to do so: divide the 4094 possible VLANs into 64 subsets and freeze the MST config.

When a new VLAN is needed, pick one, depending on the desired topology, from the subset associated with a specific MST instance.


PVST+ or Rapid PVST:

Cisco proprietary

less scalable

more user friendly: that is, adding a new VLAN doesn't require planning and it can be done without impact on the production network.


BPDU filter:

blocks sending of BPDUs out of a port.


Never use it on an access port of an enterprise; it is useful only for service providers, to avoid joining their STP with the customer's STP.


BPDU guard:

the right tool for access ports in an enterprise:

if a BPDU is received on the port, the port is placed in error-disable.


This can detect users connecting unauthorized switches to the network.


Hope to help

Giuseppe


nasr.khan Wed, 10/14/2009 - 22:17

Hi,


Is bpduguard a global command? On an interface of the switch I can configure as:


interface fa0/1
 switchport mode access
 switchport access vlan 2
 spanning-tree portfast


If a router/switch is connected to fa0/1, then the port gets disabled.


What happens if a bridge is connected to this port?





ohassairi Wed, 10/14/2009 - 22:27

bpduguard can be configured globally or per interface:


Globally:

Causes all PortFast-configured interfaces to enter the error-disabled state if they receive a BPDU frame.

Switch(config)# spanning-tree portfast bpduguard default


Per interface:

Causes one interface to enter the error-disabled state if it receives a BPDU frame.

Switch(config-if)# spanning-tree bpduguard enable


nasr.khan Wed, 10/14/2009 - 22:57

This is very helpful.


What happens if a Cisco WLAN access-point is connected?


BackboneSwitch====connected=====EdgeSW

int gi0/10
 switchport trunk encap dot1q
 switchport mode trunk


Are there any other best-practice configurations to have on trunk interfaces?








