Hi,

> spanning-tree bpduguard enable
> spanning-tree bpdufilter enable
>
> Thinking this recommendation came from Cisco Works, it follows that this
> would make sense to do, right? As some more information on the effect of
> these commands has come to light, this is really not a good idea. The
> commands almost seem to serve opposite purposes - one shuts the port down if
> a bpdu is detected, the other ostensibly ignores bpdus. Which one of these
> commands takes precedence?
>
> From what I understand, spanning-tree portfast will in effect serve the same
> purpose as spanning-tree bpdufilter enable IF the port is an active access
> port...is that correct?
no. spanning-tree portfast won't listen/discover/span. if you want it to do
this, you need to have the global spanning-tree command

    spanning-tree portfast bpdufilter default

this will filter on portfast (what you alluded to).

however, if you have a switch in portfast mode then it should never receive a
bpdu from that port - if it does then something ain't right on the network. so
perhaps it is worth having protection - which is what bpduguard does.

incidentally, it appears that some of this behaviour changes from IOS to IOS -
we had many links with spanning-tree portfast trunk enabled... and they got
clobbered by bpduguard seeing bpdu coming down those links from the other end
switch - which we knew about....caveat emptor etc

alan
_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
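
An added example, not part of the original thread: a small Python audit that flags the two situations discussed above in a saved running-config, namely ports carrying both bpduguard and bpdufilter, and portfast trunks that also have bpduguard. The function name, the finding strings and the sample config are assumptions constructed for illustration.

```python
import re

# Constructed sample running-config (not taken from the thread).
SAMPLE_CONFIG = """\
spanning-tree portfast bpdufilter default
!
interface GigabitEthernet0/1
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree bpdufilter enable
!
interface GigabitEthernet0/2
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/24
 switchport mode trunk
 spanning-tree portfast trunk
 spanning-tree bpduguard enable
"""

def audit_bpdu_settings(config):
    """Return (findings, global_filter); findings is a list of (interface, issue)."""
    findings, iface, stanzas, global_filter = [], None, {}, False
    for line in config.splitlines():
        m = re.match(r"interface\s+(\S+)", line)
        if m:                                   # start of an interface stanza
            iface = m.group(1)
            stanzas[iface] = set()
        elif line.startswith(" ") and iface:    # indented line belongs to it
            stanzas[iface].add(" ".join(line.split()))
        else:                                   # back at global level
            iface = None
            if line.strip() == "spanning-tree portfast bpdufilter default":
                global_filter = True
    for name, cmds in stanzas.items():
        guard = "spanning-tree bpduguard enable" in cmds
        if guard and "spanning-tree bpdufilter enable" in cmds:
            findings.append((name, "bpduguard and bpdufilter both enabled"))
        if guard and "spanning-tree portfast trunk" in cmds:
            findings.append((name, "bpduguard on a portfast trunk"))
    return findings, global_filter

if __name__ == "__main__":
    findings, global_filter = audit_bpdu_settings(SAMPLE_CONFIG)
    print("global portfast bpdufilter default:", global_filter)
    for name, issue in findings:
        print(f"{name}: {issue}")
```
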