There are two features you can configure to complement the functionality of PortFast.

1. BPDU Guard
2. BPDU Filter

BPDU Guard: On PortFast-enabled ports, BPDU Guard provides the protection against Layer 2 loops that STP cannot provide when STP PortFast is enabled. In a valid configuration, PortFast Layer 2 LAN interfaces (edge ports) do not receive BPDUs.

When configured globally, BPDU Guard is only effective on ports in the operational PortFast (edge) state. Reception of a BPDU by a PortFast Layer 2 LAN interface signals an invalid configuration, such as connection of an unauthorized device. BPDU Guard provides a secure response to invalid configurations, because the administrator must manually put the Layer 2 LAN interface back in service. BPDU Guard can be configured at the interface level. When configured at the interface level, BPDU Guard shuts the port down as soon as the port receives a BPDU, regardless of the PortFast configuration.

*** To enable this on Global config mode *** 
6506(config)# spanning-tree portfast edge bpduguard default

*** To enable this on particular interface ***
6506(config) int g6/2
6506(config-if)# spanning-tree bpduguard enable

Once BPDU received on a port configured for BPDU guard, its going to err-disalbed (same as shutdown status) administrator has to manually enable the interface to bring port status up. You can configure automatically recover the port as long as it does not received BPDU packets on that port. You can use “errdisable recovery cause bpduguard” command to do this. Below shows the all the options available for err-disable port recovery.

6506(config)#errdisable recovery cause ?
  all                   Enable timer to recover from all causes
  arp-inspection        Enable timer to recover from arp inspection error disable state
  bpduguard             Enable timer to recover from BPDU Guard error disable state
  channel-misconfig     Enable timer to recover from channel misconfig disable state
  dhcp-rate-limit       Enable timer to recover from dhcp-rate-limit error disable state
  dtp-flap              Enable timer to recover from dtp-flap error disable state
  gbic-invalid          Enable timer to recover from invalid GBIC error disable state
  l2ptguard             Enable timer to recover from l2protocol-tunnel error disable state
  link-flap             Enable timer to recover from link-flap error disable state
  link-monitor-failure  Enable timer to recover from link monitoring failure
  loopback              Enable timer to recover from loopback disable state
  mac-limit             Enable timer to recover from mac limit disable state
  oam-remote-failure    Enable timer to recover from remote failure detected by OAM
  pagp-flap             Enable timer to recover from pagp-flap error disable state
  psecure-violation     Enable timer to recover from psecure violation disable state
  security-violation    Enable timer to recover from 802.1x violation disable state
  storm-control         Enable timer to recover from storm-control error disable state
  udld                  Enable timer to recover from udld error disable state
  unicast-flood         Enable timer to recover from unicast flood disable state
  vmps                  Enable timer to recover from vmps shutdown error disable state

BPDU Filter: PortFast BPDU filtering allows the administrator to prevent the system from sending or even receiving BPDUs on specified ports.

When configured globally, PortFast BPDU filtering applies to all operational PortFast (edge) ports. Ports in an operational PortFast state are supposed to be connected to hosts, which typically drop BPDUs. If an operational PortFast port receives a BPDU, it immediately loses its operational PortFast status and becomes a normal port. In that case, PortFast BPDU filtering is disabled on this port and STP resumes sending BPDUs on this port.

PortFast BPDU filtering can also be configured on a per-port basis. When PortFast BPDU filtering is explicitly configured on a port, it does not send any BPDUs and drops all BPDUs it receives.

When you enable PortFast BPDU filtering globally and set the port configuration as the default for PortFast BPDU filtering, then PortFast enables or disables PortFast BPDU filtering. If the port configuration is not set to default, then the PortFast configuration will not affect PortFast BPDU filtering.

Following table summarize the above.BPDU Guard-01

You can configure BPDU filter as shown in the below (global or interface level)

*** Enabling BPDU filtering on globally ****
6506(config)# spanning-tree portfast edge bpdufilter default

***  Configuring BPDU Filter on an interface ***
6506(config-if)# spanning-tree bpdufilter [enable | disable]

show spanning-tree summary totals” can be used to verify these as shown below

Router# show spanning-tree summary totals
Root bridge for: Bridge VLAN0025
EtherChannel misconfiguration guard is enabled
Extended system ID is enabled
PortFast Edge BPDU Guard Default is enabled
Portfast Edge BPDU Filter Default is enabled
Portfast Default is edge
Bridge Assurance is enabled
Loopguard is disabled
UplinkFast is disabled
BackboneFast is disabled
Pathcost method used is long

We will see “Root Guard” & “Loop Guard” features in the next post

Related Posts

1. Configuring STP in 12.2 SXI
2. Configuring STP-Portfast
3. Configuring STP-Root Guard & Loop Guard