
Difference Between BPDU Filter and BPDU Guard

BPDU Filter, as its name suggests, filters out any BPDUs coming in and out of an interface. Why would you want this? It is useful when two vendors each manage one side of the same layer 2 network, as Figure 1 shows, and you want spanning tree to be managed separately on each side. Another good reason would be that you simply do not want a port to participate in spanning tree. Of course, this has a major drawback: it allows layer 2 loops to occur without detection by Spanning Tree.


Figure 1, Two vendors managing one layer 2 network.

BPDU Guard protects the port by error-disabling it when a BPDU comes inbound on the interface. Note that I said inbound.

This is useful for the following two reasons.

  • Protecting the Root Bridge. When you enable BPDU Guard on an interface, it prevents any new switch connected to that interface from joining the Spanning Tree Root Bridge selection process.
  • Protecting the network from loops, when used together with an interface configured with PortFast.

When you configure an interface with PortFast, it enters the forwarding state almost instantly by bypassing the listening and learning stages. Without BPDU Guard, the interface would already be forwarding data even if a loop was created. Spanning Tree does still send BPDUs out of a PortFast interface, so it will still detect the loop and change one of the interfaces to blocking. But this will still cause issues in your network.

When a loop is created with BPDU Guard enabled, the interface goes into err-disabled status as soon as a BPDU comes inbound on it. Correcting this would need manual intervention.
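The two risks described above can be checked for in a switch configuration. The following is an added example, not part of the original post: a small audit that flags interfaces where BPDU Filter is enabled and interfaces that have PortFast without BPDU Guard. It assumes classic Cisco IOS per-interface syntax (`spanning-tree portfast`, `spanning-tree bpduguard enable`, `spanning-tree bpdufilter enable`), ignores global defaults, and runs against a constructed sample config.

```python
import re

# Constructed IOS-style sample config (not from the original post).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/2
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/3
 description hand-off to second vendor
 spanning-tree bpdufilter enable
!
"""

def parse_interfaces(config):
    """Return {interface name: set of spanning-tree sub-commands}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        match = re.match(r"interface (\S+)", line)
        if match:
            current = interfaces.setdefault(match.group(1), set())
        elif not line.startswith(" "):
            current = None  # "!" or a global command ends the interface block
        elif current is not None and line.strip().startswith("spanning-tree "):
            current.add(line.strip()[len("spanning-tree "):])
    return interfaces

def audit(config):
    """Return {interface: finding} for the two risks the post describes."""
    findings = {}
    for name, stp in parse_interfaces(config).items():
        if "bpdufilter enable" in stp:
            # BPDUs are dropped in both directions, so STP cannot see a loop here.
            findings[name] = "bpdufilter: loop on this port is invisible to STP"
        elif "portfast" in stp and "bpduguard enable" not in stp:
            # Port forwards immediately and is not err-disabled by an inbound BPDU.
            findings[name] = "portfast without bpduguard"
    return findings

if __name__ == "__main__":
    for port, finding in audit(SAMPLE_CONFIG).items():
        print(f"{port}: {finding}")
```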
