Lessons learned:
BPDUGuard:
This is similar to the BPDU filter, but instead of reverting
out of the PortFast state, BPDU guard will shut the port down and put it
in the error-disabled state.
This protects against attacks, improper wiring or a looped
cable.
This can also be configured like the BPDUFilter option,
either globally or at the interface level.
However, the interface-level setting will override the global config.
Ex: At the interface level we can configure “no
spanning-tree bpdufilter” or “no spanning-tree bpduguard”; this will override
the global config for this interface.
Link level command:
#spanning-tree bpduguard enable
Then once the link receives a BPDU, it will disable the
port.
To recover the port we can shut and then no shut the
interface or wait until the Error recovery time expires.
Note: depending on the platform, some devices have the recovery
timer on by default, but not all of them will.
#sh errdisable recovery
Will show the global status for the errdisabled state.
However, you can configure the errdisable recovery timer:
Set the recovery
#errdisable recovery interval 30 (this is 30 seconds)
Set the cause to recover from
#errdisable recovery cause bpduguard
Unless it's turned on and the cause is set, the interface will
stay disabled. Also, it will auto-disable again once it receives a BPDU on the
interface.
This event can also cause a TCN to go out; if you lose
connectivity you’ll need to wait until the globally configured timers expire.
This command can also be run globally in conjunction with
portFast.
#spanning-tree portfast default
#spanning-tree portfast bpduguard default
This again means that PortFast is now on all interfaces that
are not a trunk. However, this will disable the interface if it receives a BPDU,
rather than reverting it out of PortFast like BPDUFilter would.
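The following Python check is an added example, not from the original post. It reads a running-config and reports per interface whether BPDU guard is effectively on, applying the rules above: the global default only covers PortFast (non-trunk) ports, and an interface-level setting overrides the global one. The sample config is constructed, and `spanning-tree bpduguard disable` is assumed as the interface-level override form.

```python
import re

# Constructed sample running-config (not from the original post).
SAMPLE_CONFIG = """\
spanning-tree portfast default
spanning-tree portfast bpduguard default
errdisable recovery interval 30
!
interface GigabitEthernet0/1
 switchport mode access
!
interface GigabitEthernet0/2
 switchport mode access
 spanning-tree bpduguard disable
!
interface GigabitEthernet0/3
 switchport mode trunk
"""

def audit_bpduguard(config):
    """Map each interface name to True/False: is BPDU guard effectively on?"""
    lines = [l.rstrip() for l in config.splitlines()]
    global_pf = "spanning-tree portfast default" in lines
    global_bg = "spanning-tree portfast bpduguard default" in lines
    ports, current = {}, None
    for line in lines:
        m = re.match(r"interface (\S+)", line)
        if m:
            current = ports.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None
    result = {}
    for name, cfg in ports.items():
        trunk = "switchport mode trunk" in cfg
        portfast = "spanning-tree portfast" in cfg or (global_pf and not trunk)
        if "spanning-tree bpduguard enable" in cfg:      # interface wins
            result[name] = True
        elif "spanning-tree bpduguard disable" in cfg:   # assumed override form
            result[name] = False
        else:                                            # inherit global default
            result[name] = global_bg and portfast
    return result

def recovery_enabled(config):
    """Auto-recovery needs the cause set; the interval alone is not enough."""
    return "errdisable recovery cause bpduguard" in config.splitlines()
```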