
BPDU Guard Versus Filter


If I want to set, at global configuration level, BPDU Guard AND BPDU filter enabled for STP portfast, is it a good idea?

BPDU guard will shut down the port if a BPDU frame is received, and with BPDU filter, a switch port cannot send BPDU frames.

So, if I create a loop with two ports where BPDU guard and filter are enabled, will I have a network outage?

Is it true or not?



Re: BPDU Guard Versus Filter

I'm not sure I completely understand your question, but BPDU Guard and BPDU Filter can be configured globally or on an individual port, and apply to all non-trunking interfaces where Portfast has been enabled.

So if you're connecting two switches together, both with BPDU Guard/Filter enabled, and the ports connecting the switches are not configured to be a trunk, then neither switch will send or acknowledge BPDUs on the connected ports unless portfast is disabled or BPDU Guard/Filter is turned off on the individual ports (I believe that's possible with BPDU Guard/Filter enabled globally).

Check out this page for a little more information on BPDU services; the commands listed are for the CAT ios though.



Re: BPDU Guard Versus Filter

In fact, I put these 2 commands globally on a 2950. A user took another switch (Netgear) and connected it twice to the network on portfast ports. So he created a loop and I saw a big issue in the LAN.

I don't know exactly why. I think that BPDU filter blocks all BPDU announcements so BPDU guard doesn't shut down the port! Is it true?


Re: BPDU Guard Versus Filter

Does the Netgear switch send / forward BPDUs?

BPDU guard puts a port into errdisable if it receives a BPDU.

BPDU filter sort of disables STP by not sending or processing BPDUs. So if a BPDU is received on a BPDU filter port it will not process it.



Re: BPDU Guard Versus Filter

There is really no good reason to use bpdu filter and this will generally create loop issues if you don't know what you are doing. I would recommend using portfast bpdu-guard which would have prevented your loop issue since the Cisco switch would have seen its own BPDU through the netgear (or whatever) hub or switch and err-disabled one or both of the cross-connected ports.

I always recommend the following global commands on an edge switch:

'spanning-tree portfast default'

'spanning-tree portfast bpduguard default'

Please ensure that you have disabled both portfast AND bpduguard on all uplink ports before you enable this globally because unlike what was intimated in an earlier post, portfast and/or bpduguard can trigger on a trunk port before the dot1q trunk actually forms and this could err-disable your uplink port!

In summary, do the following:

conf t
! uplink ports
int range gi0/1-2
 spanning-tree portfast disable
 spanning-tree bpduguard disable

! global commands
spanning-tree extend system-id
spanning-tree portfast default
spanning-tree portfast bpduguard default
! edge ports
int range fa0/1-48
 switchport mode access
 default spanning-tree portfast
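
The recommendation in the last reply can be checked against a saved running-config. The script below is an added example, not part of the thread: the sample config and the function names `parse` and `audit` are constructed for illustration, and the caller supplies the uplink port names.

```python
import re

# Constructed sample running-config (not taken from the thread).
SAMPLE = """\
spanning-tree portfast default
spanning-tree portfast bpdufilter default
!
interface GigabitEthernet0/1
 spanning-tree portfast disable
 spanning-tree bpduguard disable
!
interface GigabitEthernet0/2
 spanning-tree portfast disable
!
interface FastEthernet0/1
 spanning-tree bpdufilter enable
"""

def parse(config):
    """Split a running-config into global lines and per-interface line sets."""
    globals_, ifaces, current = set(), {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"interface\s+(\S+)$", line)
        if m:
            current = ifaces.setdefault(m.group(1), set())
        elif raw[0].isspace() and current is not None:
            current.add(line)          # indented line under an interface
        else:
            current = None             # back at global level
            globals_.add(line)
    return globals_, ifaces

def audit(config, uplinks):
    """Flag missing global BPDU guard, any BPDU filter, and unprotected uplinks."""
    g, ifaces = parse(config)
    findings = []
    if "spanning-tree portfast bpduguard default" not in g:
        findings.append("global: bpduguard default not set")
    if "spanning-tree portfast bpdufilter default" in g:
        findings.append("global: bpdufilter default is set")
    for name, lines in sorted(ifaces.items()):
        if "spanning-tree bpdufilter enable" in lines:
            findings.append(f"{name}: bpdufilter enabled")
        needed = ("spanning-tree portfast disable", "spanning-tree bpduguard disable")
        for cmd in (needed if name in uplinks else ()):
            if cmd not in lines:
                findings.append(f"{name}: uplink missing '{cmd}'")
    return findings
```

Interface names must be passed in the full form the running-config uses (`GigabitEthernet0/1`, not `gi0/1`).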