add BPDU Guard & BPDU Filter

This commit is contained in:
shango-wk
2026-05-28 01:25:20 +02:00
parent 994cb382cb
commit 172db956a3


@@ -7,12 +7,161 @@ tags: []
# BPDU Guard & BPDU Filter (STP Toolkit)
PortFast makes a port start in the Forwarding state when it is connected, but it doesn't disable STP
on the port.
- The port will continue to send BPDUs every 2 seconds.
Because end hosts don't run STP and send BPDUs, a PortFast enabled port shouldn't receive BPDUs
- But what if it does?
If a PortFast-enabled port receives an STP BPDU, it will revert to acting like a regular STP port
(without PortFast)
## BPDU Guard
### The problem
PortFast should only be enabled on ports connected to non-switch devices (end osts, routers).
- A PortFast-enabled port still sends BPDUs and will operate like a regular STP port if it
receives VPDUs from a neighbor.
- If an end user carelessly connects a switch to a port meant for end hosts,, it could affect the
STP topology.
- *BPDU Guard* acts as a safeguard against this.
### The Solution
BPDU Guard protects the network from unauthorized switches being connected to ports intended for end hosts.
It can be configured separately from [[PortFast]] but both features are usually used together.
They both enhance STP's functionality on ports inteded for end hosts.
A BPDU Guard-enabled port contibues to send BPDUs, but if it receives a BPDU it enters the error-disabled state.
- In effect, this disbales the port.
### Configuration
Like PorFast, BPDU Guard can be configured in two ways:
per-port:
```Cisco
SW3(config-if)# spanning-tree bpduguard enable
```
default
```Cisco
SW3(config)# spanning-tree portfast bpduguard default
```
When enabled by default *BPDU Guard* is activated on **All Portfast-enabled ports**.
disableing it
```Cisco
SW3(config)# spanning-tree bpduguard disable
```
### Errdisable
ErrDiable is a [[Cisco]] switch feature that disables a port under certain conditions, such as BPDU
Guard violation.
More examples are
- Power Policing violations
- Port Security violations
- DAI (Dynamic ARP inspection) violations
to re-enable an err-disabled port, *first solve the underlying issue*
- if you re0enable the port without fixing the issue, it will just be err-disabled again.
You can re-enable an err-disabled port in two ways:
1. Manual: use *shutdown* and *no shutdown* to reset the disabled port.
2. Automatic: *ErrDisable Recovery*
#### ErrDisable Recovery
ErrDisable Recovery is a feature that automatically re-enables err disabled ports after a certain period of time
ErrDisable Recovery is disabled by default
to view it status use
```Cisco
SW1# show errdisable recovery
```
The default recovery timer is 300 seconds (5minutes).
- err-disabled interfaces will be automatically re-enabled after 5 minutes
command to modify the interval is
```Cisco
SW1# errdisable recovery interval *seconds*
```
to enable ErrDisable Recovery for ports disabled by a particular cause use
```Cisco
SW1(config)# errdisble recovery cause *cause*
```
## BPDU Filter
### The Problem
A switch port connected to an end host contnues sending BPDUs every 2 seconds.
- regardless of whether PortFast and/or BPDU GUard are enabled
If the port doeen't connect to a switch, sending BPDUs is unnecessary and undesirable for a
coupe of reasons
1. Sendig BPDUs uses some bandwidth and processing power on the witch (althrough it's minimal).
2. BPDUs contain information about the LAN's STP topology
- If maximum security is a concern, you should avoid sending this info to user devices.
Bpdu Filter solves this by preventing a port from sending BPDUs
### The Solution
BPDU FIlter stops a port fro sending BPDUs
- Unlike BPDU Guard, it does not disable the port if it receives a BPDU
BPDU filter can be enabled in two ways:
per-port:
```Cisco
SW3(config-if)# spanning-tree bpdufilter enable
```
The port will not send BPDUs
The port will ignore any BPDUs it receives.
In effect this disables [[STP]] on the port. *Use with caution!*
default
```Cisco
SW3(config)# spanning-tree portfast bpdufilter default
```
BPDU Filter will be activated on all *PortFast-enabled ports*.
You can use spanning-tree bpdufilter disable to disable it on specific ports.
The port will not send BPDUs
If the port receives a BPDU, PortFast and BPDU Filter are disabled, and it operates as a normal STP Port.
## Recommandation
Enable PortFast and BPDU Guard however you prefer (per-port or by default)
- Only enable BPDU Filter by default (global config mode).
- Unless you have a very good reason to enable it per-port
*BPDU Guard* and *BPDU Filter* can be enabled on the same port at the same time:
---
If BPDU Filter is enabled in global-confg mode and the port receives a BPDU:
1. BPDU Filter will be disabled
2. BPDU Guard will be triggered (and err-disable the interface)
---
If BPDU Fileter is enabled in interface config mode and the port receives a BPDU:
- The BPDU will be ignored
- BPDU Guard will *not* be triggered
## Review
### BPDU Guard
Automatically disab
Automatically disables a port if it receives a BPDU, protecting the STP topology by preventing
unauthorized devices from becoming part of the network
BPDU Fileter
### BPDU Filter
Stops a port from sending BPDUs or processing received BPDUs
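Review bot: three of the Cisco blocks in this hunk show the wrong command mode, which would send a reader typing them verbatim into an "Invalid input" error. `SW1# errdisable recovery interval *seconds*` is a global configuration command and should read `SW1(config)# errdisable recovery interval <seconds>`; `SW1(config)# errdisble recovery cause *cause*` has a typo in the keyword (`errdisable`); and `SW3(config)# spanning-tree bpduguard disable` is the per-port override, so the prompt should be `SW3(config-if)#`, matching the `spanning-tree bpduguard enable` block above it. The hunk also leaves two fragments from an aborted edit under "## Review" (`Automatically disab` and the stray `BPDU Fileter` line before the `### BPDU Filter` heading) that should be dropped, and a pass for spelling would help (`osts`, `VPDUs`, `PorFast`, `contibues`, `disbales`, `ErrDiable`, `re0enable`, `doeen't`, `Sendig`, `witch`, `Recommandation`, `global-confg`). Finally, the BPDU Filter section says per-port filtering "in effect disables STP on the port"; it is worth adding one sentence on the operational risk (a loop through that port is no longer detected) so the later "Use with caution!" and the recommendation to prefer the global form have a stated reason.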