Official Lammle User Forum
Color me crazy...
1. spanning-tree portfast enable -> We all know why.
2. spanning-tree portfast bpduguard enable -> Stops send/receive of spanning-tree BPDUs BUT:
When a BPDU is received on a port with bpdufilter enabled, the port's portfast status is disabled and the port will participate in spanning-tree. At this time the network needs to be protected from an unauthorized device that might decide to participate in your spanning-tree topology and cause a spanning-tree loop or try to hijack root.
3. spanning-tree bpduguard enable -> Errdisables the port when a bpdu is received and may cause a little extra admin overhead but... that's what we get paid for... or you can use the errdisable recovery mechanism but you'll probably need to fix the situation anyway.
Umm... in my world it is far better to err-disable the newcomer rather than let my network take a hit that might affect production.
FYI - If it is of any consequence CiscoWorks will also note this in error if one uses one of the above without the other:
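The pairing the post argues for (PortFast together with BPDU Guard, and no BPDU Filter on edge ports) can be checked against a saved configuration. The script below is an added example, not part of the original post and not CiscoWorks logic; the sample configuration is constructed, the finding names are hypothetical, and it assumes the standard IOS forms `spanning-tree portfast`, `spanning-tree bpduguard enable` and `spanning-tree bpdufilter enable`.

```python
# Constructed sample running-config (not from the original post).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 spanning-tree portfast
!
interface GigabitEthernet0/2
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/3
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface GigabitEthernet0/24
 switchport mode trunk
"""

PORTFAST = {"spanning-tree portfast", "spanning-tree portfast edge"}
# Global commands that apply BPDU Guard to every PortFast port.
GUARD_DEFAULT = {"spanning-tree portfast bpduguard default",
                 "spanning-tree portfast edge bpduguard default"}

def audit_portfast(config):
    """Return {interface: [finding, ...]}; finding names are hypothetical."""
    lines = config.splitlines()
    guard_default = any(l.strip() in GUARD_DEFAULT for l in lines)
    stanzas, current = {}, None
    for line in lines:
        if line.startswith("interface "):
            current = line.split()[1]
            stanzas[current] = set()
        elif current and line.startswith((" ", "\t")):
            stanzas[current].add(line.strip())   # command inside the stanza
        else:
            current = None                       # "!" or a global command ends it
    findings = {}
    for name, cmds in stanzas.items():
        if not cmds & PORTFAST:
            continue                             # not an edge port, out of scope
        guarded = "spanning-tree bpduguard enable" in cmds or (
            guard_default and "spanning-tree bpduguard disable" not in cmds)
        issues = [] if guarded else ["portfast-without-bpduguard"]
        if "spanning-tree bpdufilter enable" in cmds:
            issues.append("bpdufilter-enabled")  # port will not err-disable on a BPDU
        if issues:
            findings[name] = issues
    return findings

if __name__ == "__main__":
    print(audit_portfast(SAMPLE_CONFIG))
```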