Spanning-tree bpdufilter disable and spanning-tree bpduguard disable

Hi,
Can you please help me understand what these two commands do and why from a best practice perspective it would be good to disable both features?

Thank you,

Victor

Hi Victor,

Did you see my two examples for these topics?

BPDU Guard

BPDU Filter

BPDU Filter, when enabled on the interface level, disables the sending and processing of BPDUs. This is dangerous as you are basically disabling spanning tree on the interface, which could cause loops if you connect another switch to this interface.

BPDU Guard can be useful: when you enable it, any interface that receives a BPDU will go into err-disable mode. This can be useful on interfaces that connect to hosts, printers, servers and so on. You should never see any BPDUs on these interfaces unless someone is messing around.

Rene

I am trying to understand why it would be best practice to disable BPDU filter on a host interface. Let’s say on that same interface I had BPDU guard disabled.

Hi Victor,

BPDU filter is disabled by default and you should never enable it on the interface level. If you do, it disables the sending and processing of BPDUs (basically you disable STP) on the interface which could cause a potential loop if you do connect a switch to this interface.

If you enable BPDU filter globally then it works a bit differently…it will only be activated for interfaces that have portfast enabled and it will stop sending and processing BPDUs on the portfast-enabled interface. The only difference with the interface command is that once you receive a BPDU, the interface will participate in STP (going through the blocking, listening and learning states) so that no loops can occur.

When it comes to best practice, there are three things you could do:

! The "default" commands are entered in global configuration mode
spanning-tree portfast default
spanning-tree portfast bpdufilter default
spanning-tree portfast bpduguard default
!
interface fa0/1
 description ACCESS

When you enable BPDU filter and guard globally, you will not send any BPDUs to interfaces with portfast enabled. When you do receive a BPDU, the interface will start participating in STP and BPDU guard can put the interface in err-disabled mode.

! The "default" commands are entered in global configuration mode
spanning-tree portfast default
spanning-tree portfast bpdufilter default
!
interface fa0/1
 description ACCESS

If you only use BPDUfilter then the portfast-enabled interfaces won’t send any BPDUs. If you do receive a BPDU then the interface will participate in STP but it won’t go in err-disabled mode.

! The "default" commands are entered in global configuration mode
spanning-tree portfast default
spanning-tree portfast bpduguard default
!
interface fa0/1
 description ACCESS

If you don’t care about sending BPDUs on your portfast-enabled interfaces then you can forget about BPDU filter and only use BPDUguard. If you receive a BPDU, the interface goes in err-disabled mode.

Hope this helps!

Rene
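
The rules described in the post above can be checked mechanically against a saved running-config. The following is an added example, not part of the original thread: the sample configuration is constructed, the verdict names are made up for illustration, and it assumes only ports with an explicit `switchport mode access` line are audited.

```python
# Constructed sample running-config (not from the thread).
SAMPLE_CONFIG = """\
spanning-tree portfast default
spanning-tree portfast bpduguard default
!
interface FastEthernet0/1
 switchport mode access
!
interface FastEthernet0/2
 switchport mode access
 spanning-tree bpdufilter enable
!
interface FastEthernet0/3
 switchport mode access
 spanning-tree portfast disable
!
interface FastEthernet0/4
 switchport mode trunk
"""

def audit(config):
    """Classify each access port by how it will treat a received BPDU."""
    st = "spanning-tree "
    glob, ports, current = set(), {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ports[current] = set()
        elif line.startswith(" ") and current:
            ports[current].add(line.strip())
        else:
            current = None  # back in global configuration
            glob.add(line.strip())
    findings = {}
    for name, cfg in ports.items():
        if "switchport mode access" not in cfg:
            continue  # assumption: only explicitly configured access ports
        # Global defaults only apply to portfast-enabled interfaces.
        portfast = st + "portfast" in cfg or (
            st + "portfast default" in glob and st + "portfast disable" not in cfg)
        guard = st + "bpduguard enable" in cfg or (
            portfast and st + "portfast bpduguard default" in glob
            and st + "bpduguard disable" not in cfg)
        gfilter = (portfast and st + "portfast bpdufilter default" in glob
                   and st + "bpdufilter disable" not in cfg)
        if st + "bpdufilter enable" in cfg:
            findings[name] = "loop-risk"    # interface-level filter: BPDUs ignored
        elif guard:
            findings[name] = "guarded"      # BPDU received -> err-disabled
        elif gfilter:
            findings[name] = "filter-only"  # BPDU received -> port joins STP
        else:
            findings[name] = "stp-only"     # neither feature applies
    return findings
```

Calling `audit(SAMPLE_CONFIG)` returns a dictionary keyed by interface name; any port reported as `loop-risk` has the interface-level BPDU filter the post warns against.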

Yes this helps. Thank you!