CCNA 200-301 | Chapter 201 of 260 | Objective 2.5

BPDU Guard and BPDU Filter

Imagine a rogue switch suddenly plugged into your access port, instantly becoming the root bridge and destabilizing your entire Layer 2 topology. BPDU Guard and BPDU Filter are Spanning Tree Protocol (STP) security features that protect your network from such attacks. For the CCNA 200-301 exam (objective 2.5), you must understand when to use each, their configuration, and their behavior. Mastering these features is essential for real-world network engineering, as they prevent accidental loops and malicious disruptions.

25 min read
Intermediate
Updated May 31, 2026

Building Security: Guard vs. Filter

Think of your network as a secure office building. The STP root bridge is the CEO's office, and BPDUs are official memos sent between managers to decide who's in charge. PortFast is like a special badge that lets trusted employees (end devices) enter quickly without security checks. Now, BPDU Guard and BPDU Filter are two different security policies at the entrance.

BPDU Guard is like a guard at the door who checks every person's badge. If anyone tries to hand him a memo (BPDU), he immediately escorts them out and locks the door (errdisable the port). This is perfect for areas where only regular employees (hosts) should enter, and no managers (switches) are allowed. The guard doesn't just ignore the memo—he sees it as a violation of policy.

BPDU Filter, on the other hand, is like a filter that prevents any memos from being seen at all. At the door, the filter removes any memo that the employee tries to hand over, so the guard never sees it. Additionally, the filter also stops the employee from receiving any memos from inside the building. This creates a complete memo blackout. However, if a manager somehow gets in (e.g., a rogue switch), there's no guard to stop them, and they could start sending memos that disrupt the hierarchy.

In summary, BPDU Guard actively stops violations by disabling the port, while BPDU Filter passively prevents BPDUs from being sent or received, but offers no protection if a BPDU somehow appears. The exam tests your understanding of these distinct behaviors.

How It Actually Works

What Are BPDU Guard and BPDU Filter?

BPDU Guard and BPDU Filter are Cisco enhancements to Spanning Tree Protocol (STP) used on ports configured with PortFast. PortFast is a feature that immediately transitions a port from blocking to forwarding state, bypassing the usual listening and learning states. This is typically applied to access ports connecting end hosts (PCs, printers, servers) to avoid delays during boot-up.

However, PortFast creates a risk: if a switch or bridge is accidentally connected to a PortFast-enabled port, STP loops can form because the port didn't go through the normal BPDU exchange process. BPDU Guard and BPDU Filter mitigate this risk in different ways.

BPDU Guard: When enabled on a port, if the port receives any BPDU, it immediately places the port into an errdisable state (error-disabled). This effectively shuts down the port, preventing loops. The port remains down until manually re-enabled or automatically recovered via errdisable recovery.

BPDU Filter: When enabled on a port, it prevents the port from sending or receiving BPDUs. The port ignores incoming BPDUs and does not transmit any BPDUs. This allows a rogue device to be connected without triggering a shutdown, but also means the port will not participate in STP at all.

How They Work Step by Step at the Frame Level

BPDU Guard Operation:

1. A switch port is configured with PortFast and BPDU Guard.
2. The port comes up and immediately enters forwarding state (due to PortFast).
3. If a BPDU frame arrives on that port (destination MAC 01:80:C2:00:00:00, carrying STP information), the switch CPU processes it.
4. The switch detects that BPDU Guard is enabled on the receiving port.
5. The switch immediately places the port into errdisable state. The port LED turns orange/amber.
6. The switch logs a message: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet0/1 with BPDU Guard enabled. Disabling port.
7. The port stops forwarding all traffic. The connected device loses connectivity.
8. Recovery requires a manual shutdown / no shutdown or errdisable recovery automation.

BPDU Filter Operation:

1. A switch port is configured with PortFast and BPDU Filter.
2. When the port comes up, BPDU Filter prevents the switch from sending any BPDUs out that port.
3. If a BPDU arrives on that port, the switch drops it; the BPDU is not processed by STP.
4. The port remains in forwarding state (due to PortFast).
5. The connected device (even a rogue switch) does not receive any BPDUs, so it may assume it is the root bridge (if it runs STP) or cause a loop if the rogue switch also connects to another part of the network.
6. No errdisable occurs; the port stays up.

Key States, Timers, and Defaults

PortFast: Default is disabled globally and per interface. When enabled, the port transitions from blocking to forwarding immediately (0 seconds) instead of the usual 30 seconds (15 listening + 15 learning).

BPDU Guard: Default is disabled globally and per interface. Can be enabled globally with spanning-tree portfast bpduguard default or per interface with spanning-tree bpduguard enable.

BPDU Filter: Default is disabled globally and per interface. Can be enabled globally with spanning-tree portfast bpdufilter default or per interface with spanning-tree bpdufilter enable.

Errdisable state: When BPDU Guard triggers, the port enters errdisable. Default recovery is manual. Errdisable recovery can be configured with errdisable recovery cause bpduguard and a timer (default 300 seconds).

Interaction: If both BPDU Guard and BPDU Filter are configured on a port, BPDU Filter takes precedence. The port will not send/receive BPDUs, but BPDU Guard will not trigger because no BPDUs are processed.
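The frame-level steps above, the precedence rule (filter before guard), and errdisable recovery can be traced in a small model. The following is an added example written for this page, not code from the page or from Cisco IOS: it recognises a BPDU by its destination MAC, LLC header and Protocol Identifier, applies the port's policy, and models recovery with the default 300-second interval. The sample frames, port names and the `offender_removed` flag are constructed for the example.

```python
# Added example, not from the page or from Cisco IOS: a model of how a PortFast
# access port handles an incoming BPDU under BPDU Guard and BPDU Filter.
from dataclasses import dataclass, field

STP_GROUP_MAC = bytes.fromhex("0180c2000000")  # IEEE 802.1D bridge group address


@dataclass
class Port:
    name: str
    portfast: bool = True
    bpduguard: bool = False
    bpdufilter: bool = False
    state: str = "forwarding"      # PortFast: forwarding as soon as the link is up
    bpdus_processed: int = 0       # BPDUs actually handed to STP on this port
    log: list = field(default_factory=list)


def is_bpdu(frame: bytes) -> bool:
    """Recognise an 802.3/LLC STP BPDU: destination 01:80:C2:00:00:00,
    LLC DSAP/SSAP 0x42/0x42 with control 0x03, then Protocol Identifier 0x0000."""
    return (len(frame) >= 19
            and frame[0:6] == STP_GROUP_MAC
            and frame[14:17] == b"\x42\x42\x03"
            and frame[17:19] == b"\x00\x00")


def receive(port: Port, frame: bytes) -> str:
    """Apply the port's BPDU policy to one received frame and report the outcome."""
    if port.state == "err-disabled":
        return "discarded"             # an err-disabled port passes nothing
    if not is_bpdu(frame):
        return "forwarded"             # ordinary data frame, switched as usual
    if port.bpdufilter:
        return "dropped"               # filter wins: STP (and the guard) never see it
    if port.bpduguard:
        port.state = "err-disabled"    # guard treats the BPDU as a policy violation
        port.log.append(f"%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port "
                        f"{port.name} with BPDU Guard enabled. Disabling port.")
        return "err-disabled"
    port.bpdus_processed += 1
    return "processed"                 # normal STP handling on an unprotected port


def errdisable_recover(port: Port, elapsed: int, interval: int = 300,
                       offender_removed: bool = True) -> str:
    """Model 'errdisable recovery cause bpduguard': once the interval has elapsed
    the port is re-enabled; if the BPDU source is still attached (constructed flag),
    the next BPDU trips the guard again."""
    if port.state != "err-disabled" or elapsed < interval:
        return port.state
    port.state = "forwarding"          # PortFast: straight back to forwarding
    if not offender_removed:
        receive(port, build_config_bpdu())
    return port.state


def build_config_bpdu(src_mac: bytes = bytes.fromhex("aabbcc000200")) -> bytes:
    """Constructed sample: a minimal 802.1D Configuration BPDU in an 802.3/LLC frame."""
    bpdu = (b"\x00\x00"               # Protocol Identifier (STP)
            + b"\x00"                 # Protocol Version Identifier
            + b"\x00"                 # BPDU Type: Configuration
            + b"\x00"                 # Flags
            + b"\x80\x00" + src_mac   # Root Identifier: priority 32768 + MAC
            + b"\x00\x00\x00\x00"     # Root Path Cost
            + b"\x80\x00" + src_mac   # Bridge Identifier
            + b"\x80\x01"             # Port Identifier 128.1
            + b"\x00\x00"             # Message Age
            + b"\x14\x00"             # Max Age 20 s (units of 1/256 s)
            + b"\x02\x00"             # Hello Time 2 s
            + b"\x0f\x00")            # Forward Delay 15 s
    llc = b"\x42\x42\x03"
    length = (len(llc) + len(bpdu)).to_bytes(2, "big")
    return STP_GROUP_MAC + src_mac + length + llc + bpdu


def build_data_frame() -> bytes:
    """Constructed sample: an Ethernet II IPv4 frame from a host, not a BPDU."""
    return (bytes.fromhex("aabbcc000101") + bytes.fromhex("aabbcc000102")
            + b"\x08\x00" + b"\x45" + b"\x00" * 19)
```

Feeding `build_config_bpdu()` to a guard-only port returns "err-disabled" and records the log line; the same frame on a filter-only port, or on a port with both features, returns "dropped" and the port stays forwarding, which is the precedence rule in code. `errdisable_recover` with `offender_removed=False` shows why the walk-through insists the cause be removed first: the port comes back and is disabled again.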

IOS CLI Verification Commands

To verify BPDU Guard and BPDU Filter configuration and status:

Show running-config for interface:

interface GigabitEthernet0/1
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable

Show spanning-tree interface detail:

Switch# show spanning-tree interface gigabitEthernet 0/1 detail
 Port 1 (GigabitEthernet0/1) of VLAN0001 is forwarding
   Port path cost 4, Port priority 128, Port Identifier 128.1.
   Designated root has priority 32768, address aabb.cc00.0100
   Designated bridge has priority 32768, address aabb.cc00.0100
   Designated port id is 128.1, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   BPDU: sent 0, received 0
   The port is in the portfast mode
   BPDU guard is enabled
   BPDU filter is disabled

Show errdisable recovery:

Switch# show errdisable recovery
ErrDisable Reason    Timer Status
-----------------    --------------
bpduguard            Enabled

Timer interval: 300 seconds

Show interfaces status (to see errdisable):

Switch# show interfaces status
Port      Name   Status       Vlan    Duplex Speed Type
Gi0/1            err-disabled 1       auto   auto  10/100/1000BaseTX

Interaction with Related Protocols

BPDU Guard and BPDU Filter are specifically tied to PortFast. They are not standalone features; they must be used in conjunction with PortFast to be effective. They are part of the broader STP toolkit that includes:

- Root Guard: Prevents a port from becoming a root port; if a superior BPDU is received, the port goes into root-inconsistent state.
- Loop Guard: Prevents alternate/root ports from becoming designated in the absence of BPDUs; if no BPDUs are received, the port goes into loop-inconsistent state.
- UDLD (Unidirectional Link Detection): Detects unidirectional links and places ports in errdisable.

On the exam, know that BPDU Guard is the most common security feature for access ports, while BPDU Filter is rarely used because it offers no protection. BPDU Filter is sometimes used in specific scenarios, such as when connecting to a non-STP device that may send BPDUs (e.g., some IP phones) or to reduce BPDU traffic on ports that don't need it.

Walk-Through

Step 1: Enable PortFast on Access Ports

First, configure PortFast on all access ports that connect to end hosts. This allows the port to transition directly to forwarding state, bypassing listening and learning. Use either the global command `spanning-tree portfast default` to enable PortFast on all access ports, or per-interface with `spanning-tree portfast`. Verify with `show spanning-tree interface <int> detail` and look for 'The port is in the portfast mode'.

```
Switch(config)# spanning-tree portfast default
Switch(config)# interface gigabitEthernet 0/1
Switch(config-if)# spanning-tree portfast
```

Step 2: Enable BPDU Guard Globally or Per Port

Decide where to enable BPDU Guard. For maximum protection on all PortFast-enabled ports, use the global command `spanning-tree portfast bpduguard default`. This automatically enables BPDU Guard on all ports that have PortFast enabled. Alternatively, enable it per interface with `spanning-tree bpduguard enable`. The global method is recommended for consistency. Verify with `show spanning-tree interface <int> detail`.

```
Switch(config)# spanning-tree portfast bpduguard default
```

Or per interface:

```
Switch(config-if)# spanning-tree bpduguard enable
```

Step 3: Test BPDU Guard by Connecting a Switch

To verify BPDU Guard works, connect another switch to the configured port. The port should immediately go into errdisable state. Check with `show interfaces status` and look for 'err-disabled'. Also check the log with `show logging` for the BPDU Guard message. This confirms that the port is protected.

```
Switch# show interfaces status | include Gi0/1
Gi0/1            err-disabled 1       auto   auto  10/100/1000BaseTX
```

Step 4: Configure Errdisable Recovery for BPDU Guard

To automate recovery after a BPDU Guard violation, enable errdisable recovery for the bpduguard cause. This saves manual intervention. Use `errdisable recovery cause bpduguard` and optionally set the timer with `errdisable recovery interval <seconds>` (default 300). Verify with `show errdisable recovery`. Note: recovery only works if the cause of the errdisable is removed (i.e., the offending device is disconnected).

```
Switch(config)# errdisable recovery cause bpduguard
Switch(config)# errdisable recovery interval 300
```

Step 5: Understand BPDU Filter Configuration and Behavior

BPDU Filter is configured similarly: globally with `spanning-tree portfast bpdufilter default` or per interface with `spanning-tree bpdufilter enable`. However, BPDU Filter does not protect against rogue switches; it simply ignores BPDUs. Use it only when you are sure no BPDUs should be sent or received (e.g., on ports connecting to non-STP devices). Verify with `show spanning-tree interface <int> detail` and note that BPDU filter is enabled.

```
Switch(config)# interface gigabitEthernet 0/2
Switch(config-if)# spanning-tree bpdufilter enable
```

Step 6: Compare BPDU Guard vs. BPDU Filter in a Lab

Set up two ports: one with BPDU Guard, one with BPDU Filter. Connect a switch to each. Observe that the BPDU Guard port goes err-disabled, while the BPDU Filter port remains up and ignores BPDUs. Use `show spanning-tree vlan 1` to see that the BPDU Filter port does not affect the root bridge election. This lab reinforces the key difference: Guard = active protection, Filter = passive ignorance.

```
Switch# show spanning-tree vlan 1

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32768
             Address     aabb.cc00.0100
             This bridge is the root

  Bridge ID  Priority    32768
             Address     aabb.cc00.0100

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/1               Desg FWD 4         128.1    P2p Edge
Gi0/2               Desg FWD 4         128.2    P2p Edge (BPDU filter)
```

Note: Gi0/2 shows 'BPDU filter' in the Type column.

What This Looks Like on the Job

In enterprise networks, BPDU Guard is a standard security measure on all access ports. Imagine a corporate campus with thousands of desks. Each desk has a wall jack connected to a switch port configured with PortFast (to speed up PC boot time) and BPDU Guard (to prevent accidental loops if someone plugs in a switch). This is a best practice recommended by Cisco. Network engineers deploy this globally using spanning-tree portfast default and spanning-tree portfast bpduguard default on all access switches. This ensures that even if a junior technician or a malicious user plugs in a rogue switch, the port will automatically disable, triggering an alert via syslog or SNMP.

A common real-world scenario is during office moves or expansions. An employee might unplug their PC and plug in a small switch to share the connection with a colleague. Without BPDU Guard, this could create a loop if the switch also connects to another network point. With BPDU Guard, the port disables, causing a temporary outage but preventing a network-wide broadcast storm. The help desk then receives a ticket, investigates, and re-enables the port after removing the rogue switch.
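The alerting side of this scenario (the syslog message that reaches the help desk) can be picked up automatically. The following is an added example, not code from the page or from Cisco: it extracts BPDU Guard violations from syslog lines and flags ports that have tripped more than once, which with errdisable recovery enabled means the port was recovered and disabled again because the rogue device is still attached. The IOS message text is the one the page quotes; the "<timestamp> <hostname> <message>" prefix is an assumed collector format, and the sample lines and hostnames are constructed.

```python
# Added example, not from the page or from Cisco: BPDU Guard detection over syslog.
import re
from collections import Counter

# Constructed sample syslog lines (assumed "<timestamp> <hostname> <message>" format).
SAMPLE_SYSLOG = """\
2026-05-31T10:14:02 sw-access-07 %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet0/12 with BPDU Guard enabled. Disabling port.
2026-05-31T10:14:03 sw-access-07 %LINK-3-UPDOWN: Interface GigabitEthernet0/12, changed state to down
2026-05-31T10:19:05 sw-access-07 %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet0/12 with BPDU Guard enabled. Disabling port.
2026-05-31T11:02:41 sw-access-03 %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet0/5 with BPDU Guard enabled. Disabling port.
"""

# The message body is the IOS text quoted on the page; the prefix groups are the assumed format.
BPDUGUARD_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+"
    r"%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port (?P<port>\S+) with BPDU Guard enabled"
)


def bpduguard_events(text: str):
    """Return (timestamp, hostname, port) for every BPDU Guard violation in the log."""
    events = []
    for line in text.splitlines():
        m = BPDUGUARD_RE.match(line)
        if m:
            events.append((m["ts"], m["host"], m["port"]))
    return events


def repeat_offenders(events, min_hits: int = 2):
    """(hostname, port) pairs that tripped BPDU Guard at least min_hits times.
    A repeat means errdisable recovery re-enabled the port and the BPDU source
    was still there, so the ticket should stay open until the device is removed."""
    counts = Counter((host, port) for _, host, port in events)
    return sorted(key for key, n in counts.items() if n >= min_hits)
```

On the sample lines this yields three violations and one repeat offender (sw-access-07, GigabitEthernet0/12); the unrelated link-down line is ignored because the pattern anchors on the BPDU Guard message.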

BPDU Filter is rarely used in production due to its lack of protection. However, it has niche uses. For example, some older IP phones or devices might emit BPDUs due to a bug or misconfiguration. If you cannot replace the device, you might enable BPDU Filter on that specific port to prevent the BPDUs from being processed, while still allowing the device to function. Another scenario is when connecting to a non-STP device that you trust, such as a router interface that does not run STP. In that case, BPDU Filter reduces unnecessary BPDU traffic. But generally, BPDU Guard is the safer choice.

Scale considerations: In large networks with thousands of ports, enabling errdisable recovery is crucial to avoid manual intervention for every false positive. However, recovery should have a reasonable timer (e.g., 300 seconds) to allow an administrator time to investigate. Also, BPDU Guard can be combined with other features like Storm Control and Port Security for comprehensive access layer protection.

Misconfiguration: A common mistake is enabling BPDU Guard on trunk ports or uplinks. This would cause the port to err-disable if any BPDU is received from the neighboring switch, effectively breaking the link. Therefore, BPDU Guard should only be applied to access ports where end hosts are expected. Similarly, enabling BPDU Filter on a port that connects to another switch can cause STP loops because the port will ignore BPDUs and stay forwarding, potentially creating a bridging loop.
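The misconfigurations described above can be caught by reading the running-config before it is deployed. The following is an added example, not code from the page or from Cisco: it parses an IOS-style config into interface stanzas and flags BPDU Guard or BPDU Filter on a trunk, both features on the same port (filter takes precedence, so the guard is inert), and PortFast access ports left without an effective guard. The sample configuration is constructed, and the `spanning-tree bpduguard disable` per-interface override is assumed to be present on the platform being audited.

```python
# Added example, not from the page or from Cisco: audit an IOS running-config
# for the BPDU Guard / BPDU Filter mistakes discussed in the text.

# Constructed sample running-config (not taken from a real device).
SAMPLE_CONFIG = """\
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
!
interface GigabitEthernet0/1
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/2
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree bpdufilter enable
!
interface GigabitEthernet0/3
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard disable
!
interface GigabitEthernet0/24
 switchport mode trunk
 spanning-tree bpduguard enable
!
"""


def parse_config(text: str):
    """Split an IOS config into global lines and a per-interface list of lines."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None          # '!' ends an interface stanza
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line.strip())
    return global_lines, interfaces


def audit(text: str):
    """Return (interface, finding) pairs for risky BPDU Guard / Filter settings."""
    global_lines, interfaces = parse_config(text)
    guard_default = "spanning-tree portfast bpduguard default" in global_lines
    findings = []
    for name, lines in interfaces.items():
        cfg = set(lines)
        trunk = "switchport mode trunk" in cfg
        portfast = "spanning-tree portfast" in cfg
        guard_on = "spanning-tree bpduguard enable" in cfg
        guard_off = "spanning-tree bpduguard disable" in cfg   # assumed override
        filter_on = "spanning-tree bpdufilter enable" in cfg
        # Effective guard: per-interface enable, or the global default on a
        # PortFast port that has not explicitly disabled it.
        guard_effective = guard_on or (guard_default and portfast and not guard_off)
        if trunk and (guard_on or filter_on):
            findings.append((name, "BPDU Guard/Filter on a trunk: the uplink will be "
                                   "err-disabled or lose STP loop detection"))
        if guard_on and filter_on:
            findings.append((name, "BPDU Guard and BPDU Filter both enabled: filter takes "
                                   "precedence, so the guard never triggers"))
        if portfast and not trunk and not guard_effective and not filter_on:
            findings.append((name, "PortFast access port without BPDU Guard: a rogue "
                                   "switch would be accepted"))
    return findings
```

With the sample config, Gi0/1 is clean because the global default covers it, Gi0/2 is flagged for combining both features, Gi0/3 for switching the guard off on a PortFast port, and Gi0/24 for a guard on a trunk; removing the global default line also flags Gi0/1.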

How CCNA 200-301 Actually Tests This

The CCNA 200-301 exam tests BPDU Guard and BPDU Filter under Objective 2.5: 'Configure and verify spanning tree protocols (RSTP and PVST)'. Expect questions that ask you to identify the correct feature for a given scenario, compare behaviors, or determine the outcome of a configuration.

Common Wrong Answers and Why:

1. 'BPDU Filter prevents loops better than BPDU Guard' – Wrong. BPDU Filter does not prevent loops; it only ignores BPDUs. A rogue switch can still cause a loop because the port remains forwarding. BPDU Guard actively disables the port, preventing loops.
2. 'BPDU Guard should be enabled on trunk ports' – Wrong. Trunk ports are expected to receive BPDUs from neighboring switches. Enabling BPDU Guard on trunks would cause them to go err-disabled, breaking connectivity. BPDU Guard is for access ports only.
3. 'BPDU Filter and BPDU Guard can be used together on the same port for maximum security' – Wrong. If both are configured, BPDU Filter takes precedence, meaning BPDU Guard never triggers because BPDUs are filtered out. This actually reduces security.
4. 'PortFast must be enabled for BPDU Guard to work' – Partially true. BPDU Guard is typically used with PortFast, but it can be enabled independently (though it's not useful without PortFast). The exam may test that BPDU Guard can be configured on non-PortFast ports, where it will still trigger if a BPDU is received.

Specific Values and Defaults:

- Default errdisable recovery timer: 300 seconds.
- Global commands: spanning-tree portfast bpduguard default and spanning-tree portfast bpdufilter default.
- Per-interface commands: spanning-tree bpduguard enable and spanning-tree bpdufilter enable.
- Verification: show spanning-tree interface <int> detail shows 'BPDU guard is enabled' and 'BPDU filter is disabled'.
- Errdisable recovery: errdisable recovery cause bpduguard.

Decision Rule for Scenario Questions:

- If the scenario mentions 'prevent loops from rogue switches' or 'disable port upon receiving BPDU', choose BPDU Guard.
- If the scenario mentions 'ignore BPDUs' or 'prevent BPDU processing', choose BPDU Filter.
- If the scenario mentions 'reduce BPDU traffic on a trusted link', choose BPDU Filter.
- If the scenario involves a trunk port, neither BPDU Guard nor BPDU Filter should be used (unless explicitly for a specific reason).

Trap: The exam may ask 'Which feature prevents a port from sending BPDUs?' The answer is BPDU Filter, not BPDU Guard. BPDU Guard does not prevent sending; it reacts to receiving.

Key Takeaways

BPDU Guard places a port in errdisable state when a BPDU is received.

BPDU Filter prevents a port from sending or receiving BPDUs.

Both features are typically used with PortFast on access ports.

Global configuration: spanning-tree portfast bpduguard default.

Per-interface configuration: spanning-tree bpduguard enable.

Errdisable recovery can be automated with errdisable recovery cause bpduguard (default 300 seconds).

If both BPDU Guard and BPDU Filter are configured, BPDU Filter takes precedence.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

BPDU Guard

Disables port (errdisable) upon receiving any BPDU.

Actively protects against rogue switches.

Can be recovered via errdisable recovery.

Used on access ports with PortFast.

Verification: show spanning-tree interface shows 'BPDU guard is enabled'.

BPDU Filter

Prevents sending and receiving BPDUs on the port.

Does not protect against rogue switches; port stays up.

No errdisable; port remains forwarding.

Rarely used; only for specific scenarios (e.g., non-STP devices).

Verification: show spanning-tree interface shows 'BPDU filter is enabled'.

Watch Out for These

Mistake

BPDU Filter provides better security than BPDU Guard.

Correct

BPDU Filter does not protect against rogue switches; it only ignores BPDUs. BPDU Guard actively disables the port upon receiving a BPDU, providing real security.

Candidates see 'filter' as blocking unwanted traffic, but in STP, filtering BPDUs removes the mechanism that detects loops.

Mistake

BPDU Guard can be used on trunk ports to prevent loops.

Correct

BPDU Guard should only be used on access ports. Trunk ports are expected to exchange BPDUs with neighboring switches; enabling BPDU Guard would cause the trunk to go err-disable.

Candidates think any port that could cause a loop should have BPDU Guard, but trunks are part of the STP topology and must exchange BPDUs.

Mistake

BPDU Guard and BPDU Filter can be combined for double protection.

Correct

When both are enabled on the same port, BPDU Filter takes precedence, so BPDU Guard never activates. This reduces protection.

Candidates assume stacking security features always improves security, but here they conflict.

Mistake

PortFast must be enabled for BPDU Guard to work.

Correct

BPDU Guard can be configured independently of PortFast. However, it is most useful on PortFast ports because those ports skip STP convergence. BPDU Guard on non-PortFast ports will still trigger on BPDU reception, but the port would already be in listening/learning states.

Because BPDU Guard is often taught together with PortFast, candidates assume a dependency.


Frequently Asked Questions

Can BPDU Guard be enabled on a trunk port?

Technically yes, but it is not recommended. If a trunk port receives a BPDU from the neighboring switch (which it will, because trunks exchange BPDUs for STP), BPDU Guard will disable the port. This would break the trunk link. BPDU Guard is intended for access ports where only end hosts are connected. On the exam, assume BPDU Guard is for access ports only.

Does BPDU Guard work without PortFast?

Yes, BPDU Guard can be configured on a port without PortFast. However, the combination is most useful because PortFast ports skip listening and learning, making them vulnerable to loops. Without PortFast, the port would go through normal STP convergence, which already provides some protection. But BPDU Guard will still trigger if a BPDU is received, disabling the port. On the exam, BPDU Guard is typically associated with PortFast.

What is the difference between BPDU Guard and Root Guard?

BPDU Guard disables a port if any BPDU is received, preventing rogue switches. Root Guard prevents a port from becoming a root port; if a superior BPDU is received, the port goes into root-inconsistent state (still forwarding but not root). Root Guard is used on ports that should never become root, while BPDU Guard is for access ports that should never receive BPDUs.

How do I recover a port disabled by BPDU Guard?

You can manually recover by entering interface configuration mode and issuing 'shutdown' followed by 'no shutdown'. Alternatively, configure errdisable recovery: 'errdisable recovery cause bpduguard' and optionally set the timer with 'errdisable recovery interval <seconds>'. The default timer is 300 seconds. The port will automatically recover after the timer expires, provided the cause (rogue BPDU source) is removed.

Can I use BPDU Filter on a port that connects to another switch?

You can, but it is dangerous. BPDU Filter prevents the exchange of BPDUs, which means STP cannot detect loops. The port will remain forwarding, potentially causing a bridging loop. BPDU Filter should only be used on ports where you are absolutely certain no loops can occur, such as when connecting to a non-STP device (e.g., a router interface without STP) or in very specific topologies.

What is the default state of BPDU Guard and BPDU Filter on a Cisco switch?

Both are disabled by default. They must be explicitly enabled either globally or per interface. The global commands are 'spanning-tree portfast bpduguard default' and 'spanning-tree portfast bpdufilter default'. Per-interface commands are 'spanning-tree bpduguard enable' and 'spanning-tree bpdufilter enable'.

Does BPDU Guard protect against a loop caused by a hub?

No, because a hub is a Layer 1 device and does not generate BPDUs. BPDU Guard only triggers when a BPDU is received. A hub simply repeats electrical signals; it does not send STP frames. To protect against loops with hubs, you need to rely on STP on other ports or use features like Loop Guard or UDLD. BPDU Guard is specifically for detecting rogue switches that send BPDUs.

