Understanding BPDU Guard and Filter

May 23, 2025

Jeremy’s IT Lab: BPDU Guard and BPDU Filter

Introduction

  • Part of the STP toolkit in the CCNA course.
  • Focus on BPDU Guard and BPDU Filter, often used with PortFast.
  • These features manage how a port reacts to BPDUs and affect the network's STP behavior.

Review of PortFast

  • Enables quick communication for end-host connected switch ports.
  • PortFast makes ports start in the Forwarding state on connection but does not disable STP.
  • PortFast-enabled ports send BPDUs every 2 seconds.

BPDU Guard

  • Purpose: Protects network from unauthorized switches.
  • Function: Disables a port if it receives a BPDU, placing the port in the "error-disabled" state.
  • Configuration: Can be set per-port or as a default on all PortFast-enabled ports.
    • Per-port: SPANNING-TREE BPDUGUARD ENABLE
    • Default: SPANNING-TREE PORTFAST BPDUGUARD DEFAULT
    • Disable on specific ports: SPANNING-TREE BPDUGUARD DISABLE
  • Use Case: Prevents scenarios where a user connects an unauthorized switch, potentially altering STP topology.
  • Recovery from ErrDisable:
    • Manually with SHUTDOWN and NO SHUTDOWN.
    • Automatically using ErrDisable Recovery:
      • Enable with ERRDISABLE RECOVERY CAUSE BPDUGUARD.
      • Default recovery timer is 5 minutes.

BPDU Filter

  • Purpose: Prevents ports from sending BPDUs.
  • Functionality:
    • When configured per-port, the port will neither send nor react to BPDUs, effectively disabling STP.
    • When configured by default, ports do not send BPDUs but revert to normal STP behavior if they receive a BPDU.
  • Configuration:
    • Per-port: SPANNING-TREE BPDUFILTER ENABLE (use with caution as it disables STP).
    • Default: SPANNING-TREE PORTFAST BPDUFILTER DEFAULT (recommended method).
    • Disable on specific ports: SPANNING-TREE BPDUFILTER DISABLE
  • Risk: Disabling STP on a port can lead to permanent loops and network issues.

Recommendations

  • Use BPDU Guard with PortFast to protect against topology changes from unauthorized devices.
  • Configure BPDU Guard and BPDU Filter as defaults for PortFast-enabled ports.
  • Enable BPDU Filter by default, not per-port, to maintain STP reactivity to received BPDUs.
  • Address underlying issues before re-enabling err-disabled ports.
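
An added example (not from the original notes or from Jeremy's IT Lab): a small Python audit that reads a running-config and reports each interface's effective BPDU Guard and BPDU Filter state, applying the per-port versus default rules described above. The sample config, the function name and the finding strings are constructed for illustration; only per-port PortFast is modelled, and the optional `edge` keyword used by newer IOS releases is accepted.

```python
import re

# Constructed sample running-config (not taken from the page).
SAMPLE = """\
spanning-tree portfast bpduguard default
spanning-tree portfast bpdufilter default
!
interface GigabitEthernet0/1
 spanning-tree portfast
interface GigabitEthernet0/2
 spanning-tree portfast
 spanning-tree bpduguard disable
interface GigabitEthernet0/3
 spanning-tree portfast
 spanning-tree bpdufilter enable
interface GigabitEthernet0/4
 switchport mode trunk
"""

def audit(config):
    """Effective BPDU Guard/Filter state and findings per interface."""
    lines = [l.rstrip() for l in config.splitlines()]
    # Global defaults only take effect on PortFast-enabled ports.
    g = {k: any(re.fullmatch(rf"spanning-tree portfast (edge )?{k} default", l) for l in lines)
         for k in ("bpduguard", "bpdufilter")}
    ports, cur = {}, None
    for l in lines:
        if l.startswith("interface "):
            cur = ports.setdefault(l.split(None, 1)[1], {"pf": False})
        elif cur is not None and l.startswith(" "):
            if re.fullmatch(r"spanning-tree portfast( edge)?", l.strip()):
                cur["pf"] = True
            m = re.fullmatch(r"spanning-tree (bpduguard|bpdufilter) (enable|disable)", l.strip())
            if m:  # per-port setting, overrides the global default
                cur[m.group(1)] = m.group(2) == "enable"
        else:
            cur = None  # "!" separator or a global command ends the interface block
    report = {}
    for name, p in ports.items():
        guard = p.get("bpduguard", g["bpduguard"] and p["pf"])
        filt = p.get("bpdufilter")
        mode = "per-port" if filt else "default" if filt is None and g["bpdufilter"] and p["pf"] else "off"
        findings = []
        if mode == "per-port":  # port neither sends nor reacts to BPDUs
            findings.append("per-port BPDU Filter: STP effectively disabled")
        if p["pf"] and not guard:
            findings.append("PortFast without BPDU Guard")
        report[name] = {"guard": guard, "filter": mode, "findings": findings}
    return report
```

Calling `audit(SAMPLE)` flags GigabitEthernet0/2 (Guard disabled on a PortFast port) and GigabitEthernet0/3 (per-port Filter), and reports no findings for the other two ports.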

Summary

  • PortFast: Enables quick forwarding for end-host connections but still sends BPDUs.
  • BPDU Guard: Disables ports receiving BPDUs to prevent unauthorized STP changes.
  • BPDU Filter: Stops ports from sending BPDUs to prevent unnecessary data sharing; whether a port still reacts to received BPDUs depends on whether the filter is configured per-port or by default.
  • Ensure correct configuration to protect network stability and prevent topology disruptions.