BPDU Filter

By default, ports connected to end-user devices (PCs, printers) send BPDUs as part of the Spanning Tree Protocol (STP) process.

Figure 1 – Switches send BPDUs every 2 seconds by default

However, in most cases, sending BPDUs on these ports is unnecessary and can expose sensitive STP topology information.

BPDU Filter is an STP feature that disables sending and receiving of BPDUs on ports, enhancing security and preventing unwanted BPDU exchanges.

Figure 2 – BPDU Filter blocks both sending and receiving of BPDUs

Real-World Use Case

BPDU Filter is especially useful in scenarios like company mergers, where two networks with separate STP topologies are interconnected.

BPDU Filter ensures that BPDUs are not exchanged between the different STP topology preserving their independent spanning tree configurations.

Figure 3 – BPDU Filter prevents STP topology exchanges between two networks

This ensures that each network maintains its own spanning tree configuration without sharing or disrupting the other’s topology.

BPDU Filter can be configured in two ways:

1. On Individual Ports: Apply to specific interfaces for precise control over which ports should stop sending BPDUs.

2. Globally: Enable across all PortFast-enabled ports on the switch.

Let’s configure on interface GigabitEthernet0/0 of switch SW3 and SW5 to prevent the exchange of BPDUs between two separate STP topologies.

Figure 4 – STP Topology Used to Configure BPDU Filter

For SW3 and SW5

1. Enable BPDU Filter:

SW3(config)# interface g0/0
SW3(config-if)# spanning-tree bpdufilter enable

SW5(config)# interface g0/0
SW5(config-if)# spanning-tree bpdufilter enable

2. Verify Individual Interfaces