BPDU Filter

1. What is BPDU Filter?

By default, ports connected to end-user devices (PCs, printers) send BPDUs as part of the Spanning Tree Protocol (STP) process.

BPDU Filter CCNA illustration showing a switch sending BPDUs every 2 seconds to end-user devices before filtering is applied

However, in most cases, sending BPDUs on these ports is unnecessary and can expose sensitive STP topology information.

BPDU Filter is an STP feature that disables the sending of BPDUs on such ports, enhancing security and preventing unwanted BPDU exchanges.

BPDU Filter CCNA example showing a switch preventing BPDU transmission to end-user devices for enhanced STP security

Real-World Use Case

BPDU Filter is especially useful in scenarios like company mergers, where two networks with separate STP topologies are interconnected.

BPDU Filter ensures that BPDUs are not exchanged between the different STP topology preserving their independent spanning tree configurations.

BPDU Filter CCNA example showing two separate STP topologies preventing BPDU exchanges to maintain independent spanning tree configurations

This ensures that each network maintains its own spanning tree configuration without sharing or disrupting the other’s topology.

2. Configuring BPDU Filter

BPDU Filter can be configured in two ways:

  1. On Individual Ports: Apply to specific interfaces for precise control over which ports should stop sending BPDUs.
  2. Globally: Enable across all PortFast-enabled ports on the switch.

3. Enabling BPDU Filter on Individual Ports

Let’s configure on interface GigabitEthernet0/0 of switch SW3 and SW5 to prevent the exchange of BPDUs between two separate STP topologies.

BPDU Filter configuration example in CCNA showing how to block BPDU exchange between two separate STP topologies on specific switch interfaces

For SW3 and SW5

  1. Enter interface configuration mode:
SW3(config)# interface g0/0

SW5(config)# interface g0/0

2. Enable BPDU Filter:

SW3(config-if)# spanning-tree bpdufilter enable

SW5(config-if)# spanning-tree bpdufilter enable

3. Verify Individual Interfaces

SW3# show spanning-tree interface g0/0 detail 
 Port 1 (GigabitEthernet0/0) of VLAN0001 is designated forwarding 
   Port path cost 4, Port priority 128, Port Identifier 128.1.
   Designated root has priority 32769, address 5030.9804.6800
   Designated bridge has priority 32769, address 5030.9804.6800
   Designated port id is 128.1, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default
   Bpdu filter is enabled
   BPDU: sent 63, received 2

As you can see the feature is enabled on GigabitEthernet0/0 of SW3, this interface will stop sending and receiving BPDUs.

SW5# show spanning-tree interface g0/0 detail  
 Port 1 (GigabitEthernet0/0) of VLAN0001 is designated forwarding 
   Port path cost 4, Port priority 128, Port Identifier 128.1.
   Designated root has priority 32769, address 5035.7404.6900
   Designated bridge has priority 32769, address 5035.7404.6900
   Designated port id is 128.1, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default
   Bpdu filter is enabled
   BPDU: sent 825, received 63

As shown, BPDU Filter is active and the interface has stopped exchanging BPDUs

Disabling BPDU Filter on Individual Ports

If you need to disable it on a specific interface, use the following command:

Switch(config-if)# spanning-tree bpdufilter disable

Effects of Individual BPDU Filter

  • No BPDU Transmission:
    The port will not send BPDUs, reducing unnecessary traffic and preventing the sharing of STP topology information.
  • BPDU Ignorance:
    The port will ignore any BPDUs it receives.
  • STP Disabled on Port:
    WARNING: Disabling BPDU Filter effectively disables STP on the port, which can lead to network loops if not managed carefully. Always ensure the feature is only enabled on ports where STP is not required.

4. Configuring BPDU Filter Globally

Now that we’ve learned how to configure it on individual ports, let’s explore how to set it up globally.

Configuring BPDU Filter globally simplifies the process by automatically applying the filter to all PortFast-enabled ports on the switch. This ensures that ports connected to end-user devices, such as PCs and printers, do not send BPDUs.

Global BPDU Filter configuration example in CCNA showing how to block BPDU transmission on all PortFast-enabled ports

The first step is to verify that our PortFast-enabled interfaces are correctly configured for end-user devices.

  1. Enable BPDU Filter Globally:
SW1(config)# spanning-tree portfast edge bpdufilter default

This command configures BPDU Filter on all ports that have PortFast enabled, ensuring that these ports do not send BPDUs by default.

Verify Interfaces

SW1# show spanning-tree int g0/1 detail 
 Port 2 (GigabitEthernet0/1) of VLAN0001 is designated forwarding 
   Port path cost 4, Port priority 128, Port Identifier 128.2.
   Designated root has priority 32769, address 5030.9804.6800
   Designated bridge has priority 32769, address 5030.9804.6800
   Designated port id is 128.2, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port is in the portfast edge mode
   Link type is point-to-point by default
   Bpdu filter is enabled by default
   BPDU: sent 2071, received 0

SW1# show spanning-tree int g0/2 detail  
 Port 3 (GigabitEthernet0/2) of VLAN0001 is designated forwarding 
   Port path cost 4, Port priority 128, Port Identifier 128.3.
   Designated root has priority 32769, address 5030.9804.6800
   Designated bridge has priority 32769, address 5030.9804.6800
   Designated port id is 128.3, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port is in the portfast edge mode
   Link type is point-to-point by default
   Bpdu filter is enabled
   BPDU: sent 870, received 0

As you can see again, theses outputs confirm the feature is enabled on our interfaces, effectively preventing them from sending BPDU.

BPDU Filter global configuration result in CCNA showing end-user ports not sending BPDUs after PortFast is enabled

Effects of Global BPDU Filter

  • BPDU Filter Applied to All PortFast-Enabled Ports:

All ports with PortFast enabled will no longer send BPDUs, reducing unnecessary traffic and enhancing security.

  • Ports Will Not Send BPDUs:

By not sending BPDUs, these ports help prevent the leakage of sensitive STP topology information to end-user devices.

  • Fallback Mechanism:

If a port configured with BPDU Filter receives a BPDU, both PortFast and BPDU Filter are automatically disabled. The port then reverts to a standard STP port to ensure network stability.

5. Conclusion

BPDU Filter is a valuable feature for securing STP topology information and managing BPDU exchanges. When configured correctly, it provides robust security and ensures network stability.

Key Takeaways

  1. Individual Port Mode:
    Use for specific ports with caution to avoid disabling STP unintentionally.
  2. Global Mode:
    Recommended for protecting all PortFast-enabled ports in scenarios where security is a concern.
  3. Fallback Mechanism:
    In global mode, receiving a BPDU reverts the port to normal STP operation.