Both `BPDU Filter` and `BPDU Guard` are features of the Spanning Tree Protocol (STP) used to control the behavior of network switches in response to Bridge Protocol Data Units (BPDUs). BPDUs are packets sent by switches to exchange information the STP uses to prevent loops in a network topology. Here are the differences between `BPDU Filter` and `BPDU Guard`:
Purpose:
BPDU Filter: This feature prevents a switch port from sending or receiving BPDU packets. In effect, the port no longer takes part in spanning tree, and the connected device sees no sign that STP is running on this port.
BPDU Guard: This feature protects the network from unexpected BPDU packets. If a port with BPDU Guard enabled receives a BPDU, it will err-disable the port (shut it down) to prevent potential loops.
Use Cases:
BPDU Filter: This is usually used on edge ports where you are sure that no switches will be connected and you don’t want BPDUs to be sent or processed by the end devices. It can be useful in a scenario where you don’t want the devices connected to the switch to participate in STP.
BPDU Guard: This is often used in environments where you want to prevent unauthorized switches from being added to the network. For example, you would enable BPDU Guard on ports that connect to end-user devices to ensure that if someone plugs in a switch, it won’t affect the STP topology.
Reaction to BPDUs:
BPDU Filter: If enabled globally, the switch stops sending BPDUs on ports that are in PortFast mode; if such a port then receives a BPDU, it loses its PortFast status, and with it the filter, so the BPDU is processed normally. If enabled at the interface level, the switch neither sends nor processes BPDUs on that port, whatever arrives.
BPDU Guard: The switch will immediately put the port into err-disabled state if a BPDU is received.
Risks:
BPDU Filter: Using BPDU Filter can be risky if not handled properly. If someone inadvertently connects a switch to a port with BPDU Filter enabled, it could cause a switching loop, because the BPDUs that STP needs in order to detect and block the loop are never processed.
BPDU Guard: BPDU Guard carries less risk; it is a protective feature. Its worst case is that a legitimate port is err-disabled and stays down until it is re-enabled, rather than a loop.
In summary, `BPDU Filter` is used to suppress the sending and processing of BPDUs on a switch port, effectively removing it from the STP domain. In contrast, `BPDU Guard` protects the network by shutting down a port that receives BPDUs, indicating that an unauthorized device (likely a switch) has been connected to that port.
Configuration Examples
Below are examples of how to configure both BPDU Guard and BPDU Filter at both the interface level and globally on a Cisco switch.
1. Configuring BPDU Guard:
a. Interface Level:
To enable BPDU Guard on a specific interface, enter interface configuration mode and issue the `spanning-tree bpduguard enable` command.
```
Switch(config)# interface FastEthernet0/1
Switch(config-if)# spanning-tree bpduguard enable
Switch(config-if)# exit
```
b. Global Level:
To enable BPDU Guard globally for all interfaces that are in PortFast mode, issue the `spanning-tree portfast bpduguard default` command in global configuration mode.
```
Switch(config)# spanning-tree portfast bpduguard default
Switch(config)# exit
```
2. Configuring BPDU Filter:
a. Interface Level:
To enable BPDU Filter on a specific interface, enter interface configuration mode and issue the `spanning-tree bpdufilter enable` command.
```
Switch(config)# interface FastEthernet0/1
Switch(config-if)# spanning-tree bpdufilter enable
Switch(config-if)# exit
```
b. Global Level:
To enable BPDU Filter globally for all interfaces that are in PortFast mode, issue the `spanning-tree portfast bpdufilter default` command in global configuration mode.
```
Switch(config)# spanning-tree portfast bpdufilter default
Switch(config)# exit
```
Please note that these features should be used with caution, especially BPDU Filter, which can lead to loops if misconfigured. Typically, BPDU Guard is used on edge ports to ensure that no one can connect an unauthorized switch to the network. BPDU Filter should be used sparingly and only where a switch port genuinely must not participate in STP.
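As an added example (not part of the original article), the following Python script audits a Cisco-style running-config for the two risks described above: it flags every port where BPDU Filter is active, and every PortFast port that BPDU Guard does not cover, either per-interface or through the global `portfast bpduguard default`. The config text is constructed for the example, and the precedence it applies (an interface-level enable/disable overrides the global PortFast default) is the one the commands on this page follow.

```python
# Constructed sample running-config (not captured from a real device).
SAMPLE_CONFIG = """\
spanning-tree portfast bpduguard default
!
interface GigabitEthernet1/0/1
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 spanning-tree portfast
 spanning-tree bpduguard disable
!
interface GigabitEthernet1/0/3
 spanning-tree bpdufilter enable
!
"""

def parse_config(text):
    """Split an IOS-style config into global commands and per-interface commands."""
    global_cmds, interfaces, current = set(), {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = set()
        elif line.startswith(" ") and current is not None:
            interfaces[current].add(line.strip())  # indented: belongs to the interface
        else:
            current = None  # unindented line: back at global configuration level
            global_cmds.add(line)
    return global_cmds, interfaces

def audit(text):
    """Map interface -> finding; an interface-level enable/disable overrides the global default."""
    global_cmds, interfaces = parse_config(text)
    global_guard = "spanning-tree portfast bpduguard default" in global_cmds
    global_filter = "spanning-tree portfast bpdufilter default" in global_cmds
    findings = {}
    for name, cmds in interfaces.items():
        portfast = any(c.startswith("spanning-tree portfast") and not c.endswith("disable") for c in cmds)
        guard = "spanning-tree bpduguard enable" in cmds or (
            global_guard and portfast and "spanning-tree bpduguard disable" not in cmds)
        filt = "spanning-tree bpdufilter enable" in cmds or (
            global_filter and portfast and "spanning-tree bpdufilter disable" not in cmds)
        if filt:
            findings[name] = "bpdufilter active: a loop through this port would go undetected"
        elif portfast and not guard:
            findings[name] = "portfast without bpduguard: a rogue switch could join the STP topology"
    return findings
```

Run `audit()` over the output of `show running-config` to get a per-port list of findings; a port with PortFast and an effective BPDU Guard, like GigabitEthernet1/0/1 above, produces none.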