Spanning-Tree BPDUFilter

The spanning-tree BPDUfilter works similarly to BPDUguard in that it allows you to block malicious BPDUs. The difference is that BPDUguard puts the interface on which it receives the BPDU into err-disable mode, while BPDUfilter just “filters” it. In this lesson we’ll take a good look at how BPDUfilter works.

BPDUfilter can be configured globally or on the interface level and there’s a difference:

  • Global: if you enable BPDUfilter globally, then any interface with portfast enabled will not send or receive any BPDUs. When a BPDU is received on a portfast-enabled interface, that interface loses its portfast status, disables BPDU filtering and acts as a normal interface.
  • Interface: if you enable BPDUfilter on the interface, it will ignore incoming BPDUs and it will not send any BPDUs. This is the equivalent of disabling spanning-tree.

You have to be careful when you enable BPDUfilter on interfaces. You can use it on interfaces in access mode that connect to computers, but make sure you never configure it on interfaces connected to other switches; if you do, you might end up with a loop.

Let’s use the following topology to demonstrate the BPDUfilter:

Spanning-Tree BPDU Guard Topology

I’m going to use SW2 and SW3 to demonstrate BPDUfilter:

SW2(config)#interface fa0/16
SW2(config-if)#spanning-tree portfast trunk
SW2(config-if)#spanning-tree bpdufilter enable

It will stop sending BPDUs and it will ignore whatever is received. Let’s enable a debug to see what it does:

Content created by Rene Molenaar (CCIE #41726)


Forum Replies

  1. Hi Edwin,

    I just labbed this up. When you enable BPDU filter & guard at the same time then filter takes precedence. The BPDUs are ignored, the interface doesn’t go in err-disabled because of BPDUguard anymore.

    Rene

  2. Hi Rene,

    Global: if you enable BPDUfilter globally then any interface with portfast enabled will not send or receive any BPDUs. When you receive a BPDU on a portfast enabled interface then it will lose its portfast status, disables BPDU filtering and acts as a normal interface.

    What does “disables BPDU filtering and acts as a normal interface” mean?

    “Interface: if you enable BPDUfilter on the interface it will ignore incoming BPDUs and it will not send any BPDUs. This is the equivalent of disabling spanning-tree.”

    What if there is portfast enabled on t

    ... Continue reading in our forum

  3. Sims,
    What does “disables BPDU filtering and acts as a normal interface” mean?

    It means that the switch realizes either there has been a change in topology, or the administrator has made an error. A BPDU should never be received on an interface on which BPDU filtering is enabled. When the filtering is enabled globally, this is a safety mechanism so that when a BPDU is received on a port where the global filtering was enabled, the switch knows there must be another switch on the other side. In order to prevent a possible loop, the BPDU filtering is tu

    ... Continue reading in our forum

  4. Hi Waqar,

    It’s the other way around:

    1. If you configure BPDUfilter globally with portfast, it will only filter sending BPDUs but it will accept incoming BPDUs.
    2. If you configure it per interface, it will neither send nor accept any BPDUs; it’s like turning off STP.

    Regards
    Jama

  5. Hello Tejpal

    The confusion is understood and it is due to the terminology used. The text, to be clearer, should read:

    Global: if you enable BPDUfilter globally then any interface with portfast enabled will not send and should not receive or process any BPDUs.
    If you receive a BPDU on a portfast enabled interface then it will lose its portfast status, disables BPDU filtering and acts as a normal interface.

    So when you configure a port using portfast, you can’t say “it will never receive BPDUs” because that depends on the port on the other end of the link, and

    ... Continue reading in our forum
