» BPDU Filtering » Prevent port from sending or receiving BPDUs USE CAUTION: Can cause Layer 2 loops vCan be configured globally or per port with different results v Interface Level » spanning-tree bpdufilter enable v Prevents the interface from sending or receiving any BPDUs DANGEROUS - you are essentially disabling Spanning Tree Protocol on the port The Demo Topology!HLWshow spann_ Hi show meet tree inter HiWshow spanning-tree interface fa0/1 detail = Port 3 (Fast thernet0/1) of VLANOOOL is forwardit Port path cost 19, Port priority 128, Port Tdentifier 128.3. Designated root has ie orionkty 92769. address 000c. 362d. 9981 Designated bridge has priority 32769, address 8812. 7f46.9380 Designated port id is 128.3, designated path cost 19 Timers: message age 0, forward delay 0, hold 0 Number of transitions to forwarding state: 1 Link type is pat eat by default <— sent 337. received @ spanning-tree interface fa0/1 detail Port’ 3" astethernetO/1) is forwarding Port path cost 19, Port priority 128, Port [dentifier 129.3. Designated root has priority 32768. address O00f . Designated bridge has prior! ty 32768. address O00f-24i9. he Designated port id is 128.4. designated path cost @ Timers: message age 2. forward delay 0, hold Number of ‘transitions’ to forwarding state: 1° Link type is point-to-point by det BEOU: sent 361, received 11 2 [Resuming connection 2 to swl .4 he VPORTEAST ¢ & Gov gua Aik AE forfase, Yaceven «lv moo jeter Sv isis) (Shs) a Bh Distle phar (ve fable 9p)STP - BPDU Filter Level of Configuration BPDU Filter Enabled Globally ™ Works specifically with Portfast interfaces * Does not send outgoing BPDUs except 10 initial BPDU packets * Incoming BPDUs disables Portfast and BPDU Filter on interface BPDU Filter Enabled On Interfaces * Works with or without Portfast * Does not send outgoing BPDUs * Totally ignores incoming BPDUs STP - BPDU Filter Commands Global Level spanning-tree portfast bpdufilter default Interface Level Spanning-tree bpdufilter enableBPDU Guard PortFast should be configured on port where bridging loops are not expected to form (which means that no BPDUs should be receive on these ports), such as on end-devices port like a single workstation or server. PortFast provides quick network access by entering directly in STP forwarding state (bypassing listning and learning state). Even if PortFast can detect a bridging loop (While PortFast is enabled on a port, STP is still running), it will detect it in a finite amount of time that is to say the length of time required to move the port through the normal STP states. If any BPDUs (superior to the current root or not) are received on port configured with BPDU Guard that port is put immediately in errdisable state. BPDU FILTER BPDUfilter on the other hand just filters BPDUs in both directions, which effectively disables STP on the port. Bpdu filter will prevent inbound and outbound bpdu but will remove portfast state on a port if a bpdu is received.Enabling BPDU filtering on an interface is the same as disabling spanning tree on it and can result in spanning-tree loops.BPDU Guard verification ASA SWU1(contig)spanning-tree portfst bpduguard default yw Or 01 (contig)¥ interface 10/2 Foon Swi(config-i)#'spanning-ree bpduguardenable — “Laptep cn 0 ogee Sch ‘%SPANTREE-2-BLOCK_BPDUCUARD: Received BPDU on port FastEthernet0/2 with BPDU Guard enabled. Disabling port. ‘%PM-4-ERR_DISABLE: bpduguard error detected on Fa0/2. putting Fa0/2 in ersdisable state Ain #show interface status err-disabled <>) tN disabled Vians The port is err-disabled and, unless err-disabled recovery is enabled, has to be manually re-enabled via shut/no shut.BPDU Guard verification NPA, ‘SW (config)#spanning-tree portfast bpduguard defult Senn meres 072 5a Ps gag ‘am ‘SWI(config-)#spanning-tree bpduguardenable Lapp ca 500 Rogie Seen SbSPANTREE2BLOCK_BPDUGUARD: Rectved BFDU on 1 fastthemer Oph BPDU Cuard enabled. Diabing port 96PM-4.ERR_DISABLE: bpduguard emor detected on F90/2, puting F0/2 Geet sD AW\#show interface status e f B edisabled Viap. “The port is err-dsabled and, unless err-disabled recovery is enabled, har To DETFERUally re-enabled via shut/no shut. — ey So Oru tay | BPDU Filtering NA (config)# spanning-tree portfast bpdufilter default 2 Ifa Portfast interface receives any BPDUs. itis taken out Leonia. a The interfaces still send some BPDUs at the link-up, 2 if a BPDUis received, the interface loses its Port Fast status and BPDU Filtering is disabled, = (config-if)# spanning-tree bpdufilter enable 2 The interface doesn't send any BPDU and ignores the received ones. ©. The port is not shutdown and this basically disables: ce the interface.'5WV1(config)#spanning-tree portfast bpduguard default “ ee a. (config) # int 2 ae a SWI(contig-’spanning-tree bpduguard enable Lesion onto 3540 Hogue Sutcn BPDU Guard verification NEA, & %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/2 with BPDU Guard enabled. Disabling port. %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/2, puting Fa0/2 in eredisable state SW1#show interface status err-disabled Port Name Status Reason Errdisabled Vians Fa0/2 err-disabled bpduguard 8 ‘The port is err-disabled and, unless errdisabled recovery is enabled, has to be manually re-enabled vie shut/no shut. [BPDUilter on the other hand just filters BPDUs in both directions, which effectively disables STP on the port.8pdu filter will prevent inbound and outbound bpdu but will remove portfast state on a port ifa bpdu is received.Enabling BPDU filtering on an interface is the same as disabling spanning tree on it and can result in spanning-tree loops. ae — Ser