BPDU Filter and Guard

BPDU Filtering, BPDU Guard, and Root Guard square measure s.t.p. security mechanisms. during this post i will be able to solely describe BPDU Filtering and BPDU Guard.

These a pair of options give protection against spanning-tree loops being created on ports wherever PortFast has been enabled. a tool connected to a PortFast interface isn't alleged to send BPDUs however ought to this happen BPDU Filtering and BPDU Guard give protection.


Fig 1.1-BPDU Guard

BPDU Guard and BPDU Filtering is organized in a pair of other ways, from world configuration mode or in interface configuration mode. In world configuration mode the feature (either BPDU guard or BPDU Filtering) can have impact on PortFast enabled port solely. In interface configuration mode it'll solely have an effect on  a such that port.


BPDU Guard
PortFast ought to be organized on port wherever bridging loops don't seem to be expected to make (which means no BPDUs ought to be receive on these ports), like on end-devices port sort of a single digital computer or server. 

PortFast provides fast network access by coming into directly in standard pressure forwarding state (bypassing listning and learning state). albeit PortFast will notice a bridging loop (While PortFast is enabled on a port, standard pressure remains running), it'll notice it in an exceedingly finite quantity of your time that's to mention the length of your time needed to maneuver the port through the traditional standard pressure states.

If any BPDUs  (superior to this root or not) ar received on port organized with BPDU Guard that port is place right away in errdisable state.


If configured in global configuration mode BPDU Guard will be enable on all configured PortFast ports:
Sw1(config)#spanning-tree portfast bpduguard ?
     default Enable bpdu guard by default on all portfast ports

If configured in interface configuration mode it will only be enable on the specific port:
Sw1(Config-if)#spanning-tree bpduguard ?
      disable   Disable BPDU guard for the interface
      enable    Enable BPDU guard for the interface
BPDU guard should be configured on all switchs ports where STP PortFast is enabled. This prevents any possibility that a switch will be added to the port  either intentionally or by mistake.

BPDU Filtering
BPDU Filtering allows to stop sending/receiving BPDUs on a port depending on how is configured.

If it is configured from global configuration mode BPDU Filtering will be enabled on all configured PortFast ports. No BPDUs will be sent out of that port which will hide STP  topology to end-users.  But as soon as a BPDU is received the port will lose  is PortFast status and  BPDU Filtering will be disabled. 

The port is then taking back to normal STP operation and sends/receives BPDUs. See bellow for how to configure BPDU Filtering from global configuration mode:

Sw3(Config)#spanning-tree portfast bpdufilter default

If BPDU Filtering is configured from the interface configuration mode the result is completely different as this will cause the specific port to stop sending AND receiving (BPDUs are dropped) BPDUs. Tthe port ignores any incoming BPDUs and changes to Forwarding state. this solution is not recommended as it can result in bridging loops.

Sw3(Config-if)#spanning-tree bpdufilter enable


Note: if you enable BPDU Guard on the same interface as BPDU Filtering, BPDU Guard has no effect because BPDU Filtering takes precedence over BPDU Guard. configuration of BPDU Filtering is not a recommended configuration.