Monday, 7 October 2013

Explaining Difference Between BPDU Filtering Vs BPDU Guard

BPDU Filtering, BPDU Guard, and Root Guard are STP security mechanisms. In this post I will only describe BPDU Filtering and BPDU Guard.

These two features protect against spanning-tree loops on ports where PortFast has been enabled. A device attached to a PortFast interface is not supposed to send BPDUs; if one does (typically because a switch or hub was plugged into an access port), BPDU Guard and BPDU Filtering define how the switch reacts.

BPDU Guard and BPDU Filtering can each be configured in two places: from global configuration mode or from interface configuration mode. Configured globally, the feature (BPDU Guard or BPDU Filtering) takes effect only on ports that are operationally PortFast. Configured on an interface, it affects only that port, whether or not PortFast is enabled there, and the interface setting overrides the global default.

BPDU Guard
PortFast should be configured on ports where bridging loops are not expected to form (which means no BPDUs should be received on these ports), such as ports connected to a single workstation or server. PortFast provides quick network access by moving the port directly into the STP forwarding state, bypassing the listening and learning states. STP is still running on a PortFast port, so a bridging loop would eventually be detected, but only after the time it takes the port to transition through the normal STP states. That window is what BPDU Guard closes: it reacts to the very first BPDU received.

If any BPDU (whether or not it is superior to the current root) is received on a port configured with BPDU Guard, that port is immediately put into the errdisable state. It stays down until an administrator bounces it (shutdown / no shutdown) or errdisable recovery has been enabled for the bpduguard cause.

If configured in global configuration mode, BPDU Guard is enabled on every port that is operationally PortFast.

If configured in interface configuration mode, it is enabled only on that specific port.

BPDU Guard should be configured on all switch ports where STP PortFast is enabled. This removes any possibility that a switch is added to such a port, either intentionally or by mistake, and silently changes the STP topology.
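The commands behind the two configuration modes, shown here as an added example that is not part of the original post. It assumes a Cisco IOS Catalyst switch and made-up interface numbers (GigabitEthernet1/0/1 - 24 as PortFast access ports, GigabitEthernet1/0/25 as the port configured individually); adapt the names to your platform.

```cisco
! Added example, not from the original post. Cisco IOS Catalyst syntax;
! interface numbers are assumed.

! --- Option 1: global mode. Applies to every operational PortFast port. ---
configure terminal
 spanning-tree portfast bpduguard default
 interface range GigabitEthernet1/0/1 - 24
  switchport mode access
  switchport access vlan 10
  spanning-tree portfast
 exit
end

! --- Option 2: interface mode. Applies only to this port. ---
! The interface setting overrides the global default, so
! "spanning-tree bpduguard disable" on a port would exempt it from option 1.
configure terminal
 interface GigabitEthernet1/0/25
  switchport mode access
  spanning-tree portfast
  spanning-tree bpduguard enable
 exit
end

! --- Optional: recover err-disabled ports automatically after 300 seconds ---
! Without this the port stays down until "shutdown" / "no shutdown" is issued.
configure terminal
 errdisable recovery cause bpduguard
 errdisable recovery interval 300
end

! --- Verification ---
! "Portfast BPDU Guard Default is enabled" in the summary confirms option 1
show spanning-tree summary
! "Bpdu guard is enabled" in the detail confirms option 2 on the port
show spanning-tree interface GigabitEthernet1/0/25 detail
! Ports tripped by a received BPDU show up here with reason "bpduguard"
show interfaces status err-disabled
```

When a BPDU does arrive on one of these ports the switch logs a %SPANTREE-2-BLOCK_BPDUGUARD message naming the port, immediately followed by a %PM-4-ERR_DISABLE message for the bpduguard cause; those two lines are the ones worth alerting on, since they mean someone attached a bridge to an access port.
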
BPDU Filtering

BPDU Filtering stops a port from sending and/or receiving BPDUs, depending on how it is configured.

If it is configured from global configuration mode, BPDU Filtering is enabled on all operational PortFast ports. Apart from a handful of BPDUs sent when the link first comes up, no BPDUs are sent out of such a port, which hides the STP topology from end users. But as soon as a BPDU is received, the port loses its PortFast status and BPDU Filtering is disabled on it. The port then returns to normal STP operation and sends and receives BPDUs.

If BPDU Filtering is configured from interface configuration mode the result is completely different: the specific port stops sending AND receiving BPDUs (incoming BPDUs are dropped). The port ignores any BPDU it receives and stays in the forwarding state, which is effectively the same as disabling STP on that port. This form is not recommended because a loop through such a port will never be detected.

Important: If you enable BPDU Guard on the same interface as interface-level BPDU Filtering, BPDU Guard has no effect, because BPDU Filtering takes precedence: the received BPDUs are dropped before BPDU Guard ever sees them. Interface-level BPDU Filtering is therefore not a recommended configuration; use BPDU Guard on access ports instead.
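The two forms of BPDU Filtering side by side, as an added example that is not part of the original post. It assumes a Cisco IOS Catalyst switch and made-up interface numbers (GigabitEthernet1/0/1 - 24 as PortFast access ports, GigabitEthernet1/0/26 as the port configured individually); the last block shows the configuration to prefer on an access port.

```cisco
! Added example, not from the original post. Cisco IOS Catalyst syntax;
! interface numbers are assumed.

! --- Global mode: affects operational PortFast ports only. ---
! The port stops sending BPDUs. If one is RECEIVED, the port loses
! PortFast, filtering is switched off on it and it runs normal STP
! (listening -> learning -> forwarding). This is the safer form.
configure terminal
 spanning-tree portfast bpdufilter default
 interface range GigabitEthernet1/0/1 - 24
  switchport mode access
  spanning-tree portfast
 exit
end

! --- Interface mode: NOT recommended. ---
! The port neither sends nor processes BPDUs and stays in forwarding,
! as if STP were disabled on it. BPDU Guard on the same port is dead
! configuration: the BPDU is dropped before BPDU Guard can react.
configure terminal
 interface GigabitEthernet1/0/26
  switchport mode access
  spanning-tree bpdufilter enable
  spanning-tree bpduguard enable
 exit
end

! --- Corrected access-port configuration: guard, not filter. ---
! "no spanning-tree bpdufilter" returns the port to the global default.
configure terminal
 interface GigabitEthernet1/0/26
  no spanning-tree bpdufilter
  spanning-tree portfast
  spanning-tree bpduguard enable
 exit
end

! --- Verification ---
! Shows whether "Portfast BPDU Filter Default" is enabled or disabled
show spanning-tree summary
! "Bpdu filter is enabled" here means the dangerous interface-level form
show spanning-tree interface GigabitEthernet1/0/26 detail
```

A quick audit for the dangerous form is to grep the running configuration for "bpdufilter enable": any hit is a port on which STP is effectively off and on which BPDU Guard, if present, is not doing anything.
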
