STP BPDU Filter

STP BPDU Filter is another Spanning Tree security feature used in switches. In this lesson, we will focus on what is BPDU Filter, what is the difference between BPDU filter vs BPDU Guard and how to configure BPDU Filter on Cisco switches. We will do Cisco BPDU Filter configuration.

What is BPDU Filter?

STP BPDU Filter is a Spanning Tree feature which blocks any BPDU (Bridge Protocol Data Unit) transmission on a port. As you know, BPDUs are very important for Spanning Tree. It is basically an STP message unit which describes switch port attributes like MAC address, priority etc. With these messages, Spanning Tree collect information about other switches. STP BPDU Filter block these important messages transferred on a port.

So why we use BPDU Filter? Sometimes, we need to prevent BPDUs to reach other parts of our network. To do this, we use BPDU Filter on the ports towards this prevented network. This mechanism is used to prevent any STP loop. For example, if you have connected a new switch to your network and if you do not want it to participate in spanning tree, you can use this feature.

STP Filter feature must be used very carefully. Because with this feature, we are filtering one of the important messaging in switching. If you use it carefully, it will be a good security feature that prevent your network.

BPDU Filter vs BPDU Guard

BPDU Filter and BPDU Guard are two STP security features with which we can control BPDUs in a switch ports. But when we compare BPDU Filter vs BPDU Guard, there is a key difference.

BPDU Filter blocks all BPDU transfer on a port. By doing this, it prevents other parts of the network from an STP loop. On the other hand, BPDU Guard is used to prevent receiving any BPDU on that port. By doing this, it prevents new unwanted switch connection to that port.

BPDU Filter blocks all BPDUs from being transfer on that port while BPDU Guard can receive BPDU but when it receives BPDU, it shuts down the port.

Cisco BPDU Filter Configuration Example

We can configure Cisco STP BPDU Filter both globally and interface based. Let’s firstly configure BPDU Filter globally on a Cisco switch.

To configure BPDU Filter globally, we use “spanning-tree portfast bpdufilter default” command. With this command, all the ports configured with port fast, will be configured also for BPDU Filter.

Switch# configure terminal

Switch(config)# spanning-tree portfast bpdufilter default

As you can see below, when we configure STP filter globally, it sends a few BPDU while enabling this feature.

! Switch was enabled with BPDU filter globally

Switch# show spanning-tree interface gi1/1/1 detail | in BPDU|Bpdu|Ethernet

Port 1 (GigabitEthernet1/1/1) of VLAN0001 is designated forwarding

BPDU: sent 56, received 5

Switch # show spanning-tree interface gi1/0/1 detail | in BPDU|Bpdu|Ethernet

Port 1 (GigabitEthernet1/1/1) of VLAN0001 is designated forwarding

BPDU: sent 58, received

To disable BPDU Filter on Cisco switches, we use, no spanning-tree portfast bpdufilter default command globally.

To configure BPDU Filter on an interface on a Cisco switch, we use “spanning-tree bpdufilter enable” on the related port. After this configuration, this port will nort we in Spanning Tree.

Switch# configure terminal

Switch(config)# interface Gi1/1/1

Switch(config-if)# spanning-tree bpdufilter enable

! Switch was enabled with BPDU filter only on port Gi1/1/1

Switch# show spanning-tree interface gi1/0/2 detail | in BPDU|Bpdu|Ethernet

Port 2 (GigabitEthernet1/1/1) of VLAN0001 is designated forwarding

Bpdu filter is enabled

BPDU: sent 113, received 84

Switch# show spanning-tree interface gi1/0/2 detail | in BPDU|Bpdu|Ethernet

Port 2 (GigabitEthernet1/1/1) of VLAN0001 is designated forwarding

Bpdu filter is enabled

BPDU: sent 113, received 84

Become a Member!