Friday 16 November 2012

BPDUGUARD and BPDUFILTER:



·         We don't want to receive any BPDUs (STP information) on access ports.

·         But what if we do receive them?

·         We have two solutions for this:

 
1.  BPDUGUARD:

·         If we enable the BPDUGUARD feature on a port, then the moment that port receives a BPDU, the switch moves the port into err-disable mode.

Configuring per interface:

 

interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 spanning-tree bpduguard enable
!

Configuring Globally:

 

spanning-tree portfast bpduguard default

 

To recover:

 

errdisable recovery cause bpduguard
errdisable recovery interval 120

          

2.  BPDUFILTER:

·         If we enable BPDUFILTER at the interface level, the port drops all inbound BPDUs and does not send any BPDUs out of the interface.

·         The difference between the two is that with the BPDUFILTER command, the interface does not go into err-disable mode when a violation happens.

 

Configuring per interface:

 

interface FastEthernet0/1
 spanning-tree bpdufilter enable

 

 

Configuring Globally:

 

spanning-tree portfast bpdufilter default
spanning-tree portfast default

 

·         The behavior differs depending on whether BPDUFILTER is applied under the interface or globally.

·         When we apply it under the interface, it drops all inbound BPDUs and does not send BPDUs out of the interface.

·         When we apply it globally and the switch detects that it is receiving BPDUs on a port, it takes that interface out of the PortFast state.
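A defender's check for the behaviour described above, as an added example that is not part of the original post: it parses an IOS-style config and reports access ports on which a received BPDU would not err-disable the port. It assumes the classic IOS syntax used in the post and that the global bpduguard default covers PortFast-enabled ports only; `audit_access_ports` and `SAMPLE_CONFIG` are names made up for this example.

```python
# Constructed sample config (classic IOS syntax as used in the post); not from a real device.
SAMPLE_CONFIG = """\
spanning-tree portfast bpduguard default
!
interface FastEthernet0/1
 switchport mode access
 spanning-tree bpduguard enable
!
interface FastEthernet0/2
 switchport mode access
 spanning-tree bpdufilter enable
!
interface FastEthernet0/3
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/4
 switchport mode access
"""

def audit_access_ports(config):
    """Map each access port that BPDU Guard does not protect to a list of findings."""
    global_cmds, blocks = set(), {}
    current = global_cmds
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = blocks.setdefault(raw.split()[1], set())
        elif not raw[:1].isspace():
            current = global_cmds  # unindented line: back at global level
        current.add(raw.strip())
    findings = {}
    for name, cmds in blocks.items():
        if "switchport mode access" not in cmds:
            continue
        issues = []
        if "spanning-tree bpdufilter enable" in cmds:
            issues.append("interface bpdufilter: inbound BPDUs dropped, port never err-disables")
        portfast = "spanning-tree portfast" in cmds or (
            "spanning-tree portfast default" in global_cmds
            and "spanning-tree portfast disable" not in cmds)
        # Assumption stated in the lead-in: the global default covers PortFast ports only.
        guarded = "spanning-tree bpduguard enable" in cmds or (
            portfast and "spanning-tree portfast bpduguard default" in global_cmds
            and "spanning-tree bpduguard disable" not in cmds)
        if not guarded:
            issues.append("no bpduguard: a received BPDU will not err-disable this port")
        if issues:
            findings[name] = issues
    return findings
```

On the sample, FastEthernet0/2 (interface-level filter) and FastEthernet0/4 (access port without PortFast, so the global bpduguard default does not reach it) are reported.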

 
