Tonight I have been doing some layer 2 security labs and brushing up on my STP theory. I have been trying to understand the differences between the portfast commands BPDU Guard and BPDU Filter, things like weather they can be enabled globally or on a per port basis and what effects they have when triggered, when I ran across a blog post by Marco Milivojevic from IP Expert.
I made some notes for myself below, but do yourself a favour and take a read of the whole article as Marco does a great job of explaining all the different scenarios and showing IOS output from the different commands:
Allows edge or host facing ports to start forwarding traffic immediately without transitioning through the STP states.
If enabled globally all access ports will start forwading imediately, unless a BPDU is received. If a BPDU is received the ports looses it’s portfast status and reverts to transitioning through the STP states.
If enabled on an individual port the port will ALWAYS retain its its portfast status.
BPDU Filter: Global
Part of global portfast. Prevents sending BPDU’s on ports enabled with portfast. If BPDU’s are received the port looses portfast status, BPDU filtering is disabled and the port resumes default spanning tree operations.
BPDU Guard: Port
Will errdisable portfast enabled ports if they receive a BPDU.
BPDU Filter: Port
Will always be active and NO BPDU frames will be sent. If both filtering and guard are enabled on the same port filtering will take precedence.
BPDU Guard: Port
Will errdisable port if BPDU is received.
Ports in errdiable state will stay inactive unless errdisable recovery is enabled or the port is manually shut/unshut.