Lucien Avramov Tue, 10/13/2009 - 23:33

Bpdufilter is typically used in conjunction with portfast. When bpdufilter is enabled you do not send any bpdus out the interface. If you hear a bpdu you take the port out of portfast state.

With bpduguard if you hear a bpdu you put the interface in err-disabled state.

The bpdufilter feature is available so you can say spanning-tree portfast default to make every port a portfast port. Ports that receive bpdus will be non-portfast.

Bpduguard should be used on ports that you know should never be connected to devices running spanning-tree on the other end of the link.

The difference between the two is the action. Bpdufilter is to revert to non-portfast state, while bpduguard is to revert to err-disabled state.

Giuseppe Larosa Tue, 10/13/2009 - 23:34

Hello Nasr,

MST 802.1s provides:

higher scalability: it can handle better hundreds to thousands of vlans

multi-vendor support: being a standard can be the best solution in multivendor contexts when all devices support it.


configuration has to be replicated manually everywhere and requires careful planning.

because you can associate non-existing vlans to instances it is recommended to do so: divide the 4094 possible vlans in 64 subsets and freeze MST config.

When a new Vlan is needed depending on desired topology pick up one in the subset associated to a specific MST instance.

PVST+ or Rapid PVST:

cisco proprietary

less scalable

more user friendly: that is adding a new vlan doesn't require planning and it can be done without impact on the production network.

Bpdu filter:

blocks sending of BPDUs out of a port.

never use it on access port of an enterprise it is useful only for service providers to avoid to join their STP with customer's STP.

bpdu guard:

the right tool for access ports in enterprise:

if a bpdu is received on the port the port is placed in error disable.

This can detect users connecting unauthorized switches to the network.

Hope to help


nasr.khan Wed, 10/14/2009 - 22:17


Is bpduguard a global command. On interface of switch I can configure as

interface fa0/1

switchport mode access

switchport access vlan 2

spanning-tree portfast

If a router/switch is connected to fa0/1

then the port gets disabled.

What happens if a bridge is connected to this port.

ohassairi Wed, 10/14/2009 - 22:27

bpduguard can be configured globally or per interface:


Causes all PortFast-configurd interfaces to become in error-disabled state if they receive a BPDU frame.

Switch(config)# spanning-tree portfast bpduguard default

Per interface:

Causes one interface to become in error-disabled state if it receives a BPDU frame.

Switch(config-if)# spanning-tree bpduguard enable

nasr.khan Wed, 10/14/2009 - 22:57

This is very helpful.

what happens if a Cisco WLAN access-point is connected.


int gi0/10

switchport trunk encap dot1q

switchport mode trunk

Are there any other best-practice configuration to have on trunk interfaces


This Discussion