Get Full Access to our 773 Cisco Lessons Now Start $1 Trial
You are here: Home » Cisco » CCNP SWITCH

Spanning-Tree BPDUFilter

The spanning-tree BPDUfilter works similar to BPDUGuard as it allows you to block malicious BPDUs. The difference is that BPDUguard will put the interface that it receives the BPDU on in err-disable mode while BPDUfilter just “filters” it. In this lesson we’ll take a good look at how BPDUfilter works.

BPDUfilter can be configured globally or on the interface level and there’s a difference:

  • Global: if you enable BPDUfilter globally then any interface with portfast enabled will not send or receive any BPDUs. When you receive a BPDU on a portfast enabled interface then it will lose its portfast status, disables BPDU filtering and acts as a normal interface.
  • Interface: if you enable BPDUfilter on the interface it will ignore incoming BPDUs and it will not send any BPDUs. This is the equivalent of disabling spanning-tree.

You have to be careful when you enable BPDUfilter on interfaces. You can use it on interfaces in access mode that connect to computers but make sure you never configure it on interfaces connected to other switches; if you do you might end up with a loop.

Let’s use the following topology to demonstrate the BPDUfilter:

Spanning-Tree BPDU Guard Topology

I’m going to use SW2 and SW3 to demonstrate BPDUfilter:

SW2(config)#interface fa0/16
SW2(config-if)#spanning-tree portfast trunk
SW2(config-if)#spanning-tree bpdufilter enable

It will stop sending BPDUs and it will ignore whatever is received. Let’s enable a debug to see what it does:

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is why:

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You’ve Ever Spent on Your Cisco Career!
  • Full Access to our 773 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)

Give Membership a try - it's just $1 ►

589 Sign Ups in the last 30 days

satisfaction-guaranteed
100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!

Tags:

Forum Replies

  1. Hi Rene,

    Do you know what exactly happens when BPDU filter and Guard are both enabled on aportfast enabled interface and then a BPDU’s are suddenly received? I cannot find a clear answer on that anywhere. I read that BPDU filter takes precedence over BPDU guard when both configured on the interface, but it is still unclear to me what happens when in this case bpdu’s are received on a port configured this way.

  2. Hi Edwin,

    I just labbed this up. When you enable BPDU filter & guard at the same time then filter takes precedence. The BPDUs are ignored, the interface doesn’t go in err-disabled because of BPDUguard anymore.

    Rene

  3. Thanks Rene!

    That thus confirms that the guard fuction is useless when both guard and filter are enabled on the interface, as the guard never kicks in due to the bpdu’s being filtered beforehand

  5. Hi Rene,
    Configuring command “spanning-tree portfast trunk” for trunk port is needed ?.
    “spanning-tree bpdufilter enable” command anything to do with the above command.

    Thanks,
    SV

26 more replies! Ask a question or join the discussion by visiting our Community Forum