What BPDU Filter Does (and Why It's Dangerous)
BPDU Filter is a mechanism to stop a port from sending and receiving BPDUs. It exists to support niche scenarios like service provider demarcation points, but it is frequently misused and can silently create spanning tree loops.
BPDU Filter has two modes:
- Per-Interface Mode: Port unconditionally stops sending/receiving BPDUs
- Global Mode: Port stops sending BPDUs if no BPDUs received; transitions to regular STP if BPDUs are detected
The dangerous part: If BPDU Filter is misconfigured, a port can forward traffic while not participating in spanning tree, creating undetected loops.
BPDU Filter: Global Mode (Default)
Global BPDU Filter is applied when you configure:
SW1(config)# spanning-tree portfast bpdufilter default
Behavior:
- Port has PortFast enabled (transitions immediately to forwarding)
- Port does not send BPDUs on startup
- If port receives a BPDU from a neighboring switch, BPDU Filter is automatically disabled, and the port reverts to regular STP (loses PortFast)
Global BPDU Filter is sometimes used in service provider networks where access ports should never participate in customer's spanning tree, but if a customer accidentally sends BPDUs, the port detects it and falls back to STP.
Example Scenario:
Service Provider Edge Switch
│
├─ Gi1/0/1 (Customer A, should not send BPDUs)
│ Configuration: spanning-tree portfast bpdufilter default
│ → Port has PortFast, does not send BPDUs
│ → If customer sends BPDU, PortFast disabled
│
├─ Gi1/0/2 (Customer B, should not send BPDUs)
│ Same configuration
│
└─ Gi1/0/3 (Core uplink, normal STP)
No BPDU Filter
Verify Global BPDU Filter
SW1# show running-config | include bpdufilter
spanning-tree portfast bpdufilter default
Effect on All Ports
All ports with PortFast now have BPDU Filter enabled (unless explicitly disabled per-interface).
BPDU Filter: Per-Interface Mode (More Dangerous)
Per-interface BPDU Filter unconditionally stops sending and receiving BPDUs:
SW1(config)# interface GigabitEthernet 1/0/10
SW1(config-if)# spanning-tree bpdufilter enable
SW1(config-if)# exit
Behavior:
- Port never sends BPDUs (even on startup)
- Port never receives BPDUs (filtering all BPDU frames)
- PortFast is not automatically disabled if BPDUs arrive
- Port stays in Forwarding state regardless of topology
This is extremely dangerous. If a loop exists, BPDU Filter prevents spanning tree from detecting and blocking it.
Example Danger Scenario:
              SW1 (Root)
                  │
           Gi0 (sends BPDUs)
                  │
          ┌───────┴───────┐
          │               │
        SW2             SW3
        Gi1             Gi2
     (PortFast)      (PortFast)
   (BPDU Filter)    (Normal STP)
          │               │
          └───────────────┘  ← LOOP exists (SW2 Gi2 to SW3, ports on same VLAN)
Behavior WITHOUT BPDU Filter:
- SW2 receives BPDU on Gi1 (learns topology)
- SW2 blocks Gi2 to prevent loop
- No loop (normal STP)
Behavior WITH BPDU Filter on SW2 Gi1:
- SW2 Gi1 DOES NOT receive BPDU
- SW2 doesn't know topology
- SW2 keeps Gi2 Forwarding (should be blocking)
- LOOP SILENTLY CREATED
- Network floods with duplicate frames
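The difference between the three cases above (no filter, global-mode filter, per-interface filter on SW2 Gi1) comes down to what BPDUs SW2 gets to see before it decides which ports forward. The following is an added example, not code from the original article or from Cisco: a deliberately simplified, synchronous model of 802.1D port-role selection (root election, root port, designated or blocking per segment) run over the SW1/SW2/SW3 triangle. Bridge IDs, port names and costs are constructed for the illustration; SW3 is given a better bridge ID than SW2 so that, with STP working, SW2 Gi2 is the port that should block, as the text describes. Timers, TCNs and RSTP proposal/agreement are ignored.

```python
"""Toy model of BPDU Filter versus spanning-tree port roles.

Constructed example: the SW1/SW2/SW3 triangle from the text. The STP logic is a
deliberately simplified, synchronous version of 802.1D port-role selection
(root election, root port, designated/blocking per segment); it is not Cisco
code and ignores timers, TCNs and RSTP proposal/agreement.
"""

NONE, GLOBAL, PER_INTERFACE = "none", "global", "per-interface"


class Port:
    def __init__(self, bridge, name, cost, bpdu_filter=NONE):
        self.bridge, self.name, self.cost = bridge, name, cost
        self.bpdu_filter = bpdu_filter
        self.peer = None            # port at the far end of the link
        self.rx = None              # last BPDU received on this port
        self.state = "forwarding"   # a port with no STP input forwards


class Bridge:
    def __init__(self, bridge_id):
        self.bridge_id, self.ports = bridge_id, []
        self.root_id, self.root_cost, self.root_port = bridge_id, 0, None

    def port(self, name, cost, bpdu_filter=NONE):
        self.ports.append(Port(self, name, cost, bpdu_filter))
        return self.ports[-1]

    def bpdu(self, port):
        # Config BPDU: (root ID, root path cost, sender ID, sender port)
        return (self.root_id, self.root_cost, self.bridge_id, port.name)


def link(a, b):
    a.peer, b.peer = b, a


def exchange(bridges):
    """One round of BPDU transmission, honouring the filter on each port."""
    for br in bridges:
        for p in br.ports:
            if p.bpdu_filter != NONE:
                continue                      # filtered port never transmits
            far = p.peer
            if far.bpdu_filter == PER_INTERFACE:
                continue                      # per-interface: frame dropped
            if far.bpdu_filter == GLOBAL:
                far.bpdu_filter = NONE        # global mode: receipt lifts filter
            far.rx = br.bpdu(p)


def select_roles(br):
    # Root port: best received BPDU once this port's own cost is added
    cands = [((r[0], r[1] + p.cost, r[2], r[3]), p) for p in br.ports for r in [p.rx] if r]
    best = min(cands, key=lambda c: c[0], default=None)
    if best and best[0] < (br.bridge_id, 0, br.bridge_id, ""):
        br.root_id, br.root_cost, br.root_port = best[0][0], best[0][1], best[1]
    else:
        br.root_id, br.root_cost, br.root_port = br.bridge_id, 0, None
    for p in br.ports:
        if p is br.root_port or p.rx is None or br.bpdu(p) < p.rx:
            p.state = "forwarding"            # root port, or designated on segment
        else:
            p.state = "blocking"              # peer's BPDU is superior: alternate


def has_loop(bridges):
    # Union-find over links whose both ends forward; a repeated join is a cycle
    parent = {b.bridge_id: b.bridge_id for b in bridges}

    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x

    for br in bridges:
        for p in br.ports:
            far = p.peer
            if br.bridge_id < far.bridge.bridge_id and p.state == far.state == "forwarding":
                ra, rb = find(br.bridge_id), find(far.bridge.bridge_id)
                if ra == rb:
                    return True
                parent[ra] = rb
    return False


def run(sw2_gi1_filter, rounds=6):
    """SW1 is root; SW3 has a better ID than SW2, so SW3 is designated on the
    SW2-SW3 segment and, with STP working, SW2 Gi2 must block."""
    sw1, sw2, sw3 = Bridge(4096), Bridge(32768), Bridge(8192)
    link(sw1.port("Gi0", 4), sw2.port("Gi1", 4, sw2_gi1_filter))
    link(sw1.port("Gi1", 4), sw3.port("Gi1", 4))
    link(sw2.port("Gi2", 4), sw3.port("Gi2", 4))
    bridges = [sw1, sw2, sw3]
    for _ in range(rounds):
        exchange(bridges)
        for br in bridges:
            select_roles(br)
    return {p.name: p.state for p in sw2.ports}, has_loop(bridges)


if __name__ == "__main__":
    for mode in (NONE, GLOBAL, PER_INTERFACE):
        states, loop = run(mode)
        print(f"SW2 Gi1 filter={mode:13s} SW2 ports={states} loop={loop}")
```

With no filter, or with the global-mode filter (which is lifted the moment SW1's first BPDU arrives), SW2 learns the root through Gi1 and blocks Gi2. With the per-interface filter, SW2 never sees SW1's BPDU on Gi1, treats Gi1 as designated, learns the root only through SW3, and every port on every link ends up forwarding: the model's cycle check reports the loop that the real network would only reveal as flooding.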
Per-interface BPDU Filter should almost never be used in production.
When BPDU Filter Is Appropriate (Rare Cases)
BPDU Filter has legitimate uses in specific scenarios:
Service Provider Demarcation (Global BPDU Filter)
Service providers often create "closed" access ports that should never participate in customer STP:
! SP Edge Switch
spanning-tree portfast bpdufilter default ← Global mode: a global config command, not an interface command; applies to every PortFast port
interface GigabitEthernet 1/0/1
description Customer A Access
spanning-tree portfast
exit
! Behavior:
! - Port has PortFast (fast access for customer)
! - Port does NOT send STP BPDUs to customer
! - If customer sends BPDU, BPDU Filter disables and port reverts to STP
This ensures customer's spanning tree never influences the SP's topology.
Inter-DC WAN Links (Per-Interface, Requires Caution)
In rare cases, per-interface BPDU Filter is used on WAN links between data centers where spanning tree should not traverse:
! DC1 Core Switch
interface GigabitEthernet 1/0/50
description WAN to DC2
spanning-tree bpdufilter enable ← Per-interface only, with full understanding of risk
exit
! This assumes:
! 1. No possibility of loop through WAN link
! 2. Monitoring is in place
! 3. IT team fully understands implications
This is NOT recommended unless you have very specific, documented reasons.
Disabling BPDU Filter
If BPDU Filter is enabled globally but you want a specific port to participate in STP:
SW1(config)# interface GigabitEthernet 1/0/25
SW1(config-if)# spanning-tree bpdufilter disable
SW1(config-if)# exit
The port now sends and receives BPDUs normally, even if global BPDU Filter is enabled. The explicit disable is required: no spanning-tree bpdufilter only removes an interface-level setting, after which the global default applies to the port again if it has PortFast.
Verify
SW1# show spanning-tree interface Gi1/0/25 detail
Portfast: Enabled
BPDU Guard: Enabled
BPDU Filter: Disabled ← Normal STP behavior
Comparison: BPDU Guard vs. BPDU Filter
| Feature | BPDU Guard | BPDU Filter |
|---|---|---|
| What It Does | Error-disables port if BPDU received | Stops sending/receiving BPDUs |
| Where Used | Access ports (PortFast) | SP edge, rare WAN scenarios |
| Action on BPDU | Port error-disables | BPDU ignored (or PortFast disabled if global) |
| Loop Protection | Prevents rogue switches | Does NOT prevent loops |
| Recommended | Yes, always | No, rarely |
| Safety | High | Low |
Recommendation: Use BPDU Guard on access ports. Avoid BPDU Filter unless you have a specific, documented reason.
Dangerous BPDU Filter Scenarios
Scenario 1: Per-Interface BPDU Filter on User Access Port
WRONG Configuration:
! Someone mistakenly enables BPDU Filter on access port
interface GigabitEthernet 1/0/10
spanning-tree portfast
spanning-tree bpdufilter enable ← DANGER
exit
What Happens:
User plugs a switch into Gi1/0/10. That switch starts sending BPDUs. The port:
- Receives the BPDU
- Filters it (does not process)
- Stays in Forwarding
- Loop is created silently
Fix: Remove BPDU Filter:
no spanning-tree bpdufilter
spanning-tree bpduguard enable ← Use BPDU Guard instead
Scenario 2: BPDU Filter on Trunk Port Connecting to Another Switch
WRONG Configuration:
! Trunk port with BPDU Filter
interface GigabitEthernet 1/0/48
switchport mode trunk
spanning-tree bpdufilter enable
exit
What Happens:
Both switches stop exchanging BPDUs on this trunk. Neither switch knows about topology changes. Blocking ports might not transition. Loops possible.
Fix: Remove BPDU Filter:
interface GigabitEthernet 1/0/48
no spanning-tree bpdufilter
spanning-tree link-type point-to-point
exit
Scenario 3: Global BPDU Filter Without Understanding Consequences
WRONG Configuration:
! Someone enables global BPDU Filter without planning
spanning-tree portfast default
spanning-tree portfast bpdufilter default
What Happens:
All PortFast ports stop sending BPDUs immediately. If a switch is plugged into any port before that port receives a BPDU, the switch is isolated from spanning tree. Multiple switches can be inserted, creating loops, before anyone realizes.
Fix: Only use global BPDU Filter in controlled environments (service provider edge) with proper monitoring.
Lab Example (Service Provider Scenario Only)
SP Edge Switch Serving Two Customers
spanning-tree portfast bpdufilter default ← Global BPDU Filter only (global config command, not an interface command)
interface range GigabitEthernet 1/0/1-2
description Customer Access
spanning-tree portfast
spanning-tree bpduguard enable
exit
interface range GigabitEthernet 1/0/49-52
description SP Core
no spanning-tree portfast
spanning-tree link-type point-to-point
exit
Behavior:
- Customer ports (1-2): Have PortFast, do not send BPDUs, but revert to STP if customer sends BPDU
- Core ports (49-52): Normal STP
- BPDU Guard also enabled, so if customer sends BPDUs AND then tries to become root, port error-disables
This is safe because:
- Customer ports cannot influence SP topology (no BPDU transmission)
- If customer accidentally sends BPDU, PortFast disables and port reverts to STP
- BPDU Guard provides additional protection
Verification Commands
Check Global BPDU Filter Setting
SW1# show running-config | include portfast
spanning-tree portfast default
spanning-tree portfast bpdufilter default ← Global BPDU Filter
Check Per-Interface BPDU Filter
SW1# show spanning-tree interface GigabitEthernet 1/0/10 detail
Portfast: Enabled
BPDU Filter: Enabled ← Dangerous if per-interface
Verify Which Ports Have BPDU Filter
SW1# show spanning-tree summary totals
PortFast: 47
BPDU Filter: 47 ← All PortFast ports have filter (global mode)
If number of BPDU Filter > PortFast, some non-PortFast ports have per-interface BPDU Filter (potential danger).
Monitoring and Troubleshooting BPDU Filter
Symptom: Network Flooding, Duplicate Frames
Possible Cause: Per-interface BPDU Filter enabled on a port where a loop exists. Port forwards frames while topology is undetected.
Investigation:
! Check for BPDU Filter on non-PortFast ports
show spanning-tree
! Look for ports in Forwarding state that should be Blocking
! If found, check their BPDU Filter status
show spanning-tree interface Gi1/0/10 detail
Portfast: Disabled ← This is wrong if BPDU Filter is enabled
BPDU Filter: Enabled ← DANGER
Fix: Remove BPDU Filter:
interface Gi1/0/10
no spanning-tree bpdufilter
exit
Symptom: Port with Global BPDU Filter Suddenly Starts Participating in STP
Cause: Global BPDU Filter detected an incoming BPDU and automatically disabled itself (as designed).
Investigation:
show spanning-tree interface Gi1/0/1 detail
Portfast: Disabled (was Enabled)
BPDU Filter: Disabled (was Enabled)
The port was expecting no BPDUs (customer access), but received one. The PortFast and BPDU Filter have been automatically disabled, and the port now participates in STP.
Action: Investigate why a BPDU was received:
show cdp neighbors interface Gi1/0/1
Device ID Local Port Neighbor Port
UnknownSwitch Gi1/0/1 Gi1/0
! Customer plugged a switch in, which sent BPDU
This is the expected behavior of global BPDU Filter. No action needed (port is now safe in STP).
Why BPDU Filter Is Controversial
Network engineers are strongly divided on BPDU Filter:
Supporters:
- Essential for service provider edge isolation
- Provides explicit control over BPDUs on specific ports
Critics:
- Too easy to misconfigure
- Per-interface mode is inherently dangerous
- Can silently create loops
- BPDU Guard + Root Guard provide better protection
Industry Standard: Most production networks use BPDU Guard, Root Guard, and Loop Guard. BPDU Filter is used only in specific SP scenarios with extensive monitoring.
Best Practices
- Never use per-interface BPDU Filter in campus or data center networks. Use BPDU Guard instead.
- Global BPDU Filter is acceptable only on service provider edge switches where:
  - Ports should not send BPDUs to customer
  - Monitoring is in place
  - Documentation exists explaining the decision
- Test thoroughly if you must use BPDU Filter. Create a topology with loops and verify:
  - Frames do not loop infinitely
  - Monitoring alerts on loop creation
  - Recovery is documented
- Default recommendation: Use this STP protection strategy:
  - Access ports: PortFast + BPDU Guard
  - Uplinks: No PortFast + Root Guard (designated) or Loop Guard (blocking)
  - All links: UDLD aggressive on fiber
Troubleshooting Checklist
If you suspect BPDU Filter is causing problems:
! 1. Find all ports with BPDU Filter enabled
show spanning-tree
! 2. For each port with BPDU Filter, verify:
show spanning-tree interface Gi1/0/10 detail
→ Is PortFast enabled? (If not, BPDU Filter is per-interface—danger)
→ What's connected to this port?
→ Should this port participate in STP?
! 3. Check for unaccounted STP state changes
show spanning-tree
! 4. Check for loops (high CPU, traffic duplication)
show interfaces
show processes cpu
! 5. Remove BPDU Filter if in doubt
no spanning-tree bpdufilter
spanning-tree bpduguard enable
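Steps 1 and 2 of the checklist (and the "Verify Which Ports Have BPDU Filter" check earlier) can be automated against the text of show running-config, which is what an auditor would pull from many switches at once. The following is an added example, not code from the article or from Cisco: it parses the IOS running-config format (global commands unindented, interface sub-commands indented by one space), then flags every interface with a per-interface spanning-tree bpdufilter enable as HIGH, and every PortFast port covered by a global spanning-tree portfast bpdufilter default as MEDIUM (or INFO when BPDU Guard is also configured). The SAMPLE_CONFIG is constructed for the example; the severity labels are the author's choice, not an IOS output.

```python
"""Audit a Cisco IOS running-config for BPDU Filter exposure.

Added example with a constructed config; the findings and severities are
this script's own, not anything IOS reports. Feed it the text of
`show running-config` captured from a switch.
"""
import re

# Constructed sample: one SP-style customer port, one user port with a
# per-interface filter, one port that opts out of the global filter, one
# trunk with a per-interface filter, and one normal core trunk.
SAMPLE_CONFIG = """\
!
spanning-tree mode rapid-pvst
spanning-tree portfast default
spanning-tree portfast bpdufilter default
!
interface GigabitEthernet1/0/1
 description Customer A Access
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/10
 description User port
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface GigabitEthernet1/0/25
 switchport mode access
 spanning-tree bpdufilter disable
!
interface GigabitEthernet1/0/48
 switchport mode trunk
 spanning-tree bpdufilter enable
!
interface GigabitEthernet1/0/49
 description SP Core
 switchport mode trunk
 spanning-tree link-type point-to-point
!
"""


def parse_config(text):
    """Split a running-config into global commands and per-interface commands."""
    global_cmds, interfaces, current = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())   # indented: belongs to block
            continue
        current = None                                # any unindented line ends a block
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"interface (.+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        else:
            global_cmds.append(line)
    return global_cmds, interfaces


def audit_bpdufilter(text):
    """Return (interface, severity, reason) for every port exposed to BPDU Filter."""
    global_cmds, interfaces = parse_config(text)
    global_filter = "spanning-tree portfast bpdufilter default" in global_cmds
    portfast_default = "spanning-tree portfast default" in global_cmds
    findings = []
    for name, cmds in interfaces.items():
        trunk = "switchport mode trunk" in cmds
        # `spanning-tree portfast default` applies to non-trunk ports only
        portfast = "spanning-tree portfast" in cmds or (portfast_default and not trunk)
        bpduguard = "spanning-tree bpduguard enable" in cmds
        if "spanning-tree bpdufilter enable" in cmds:
            kind = "trunk" if trunk else "access"
            findings.append((name, "HIGH",
                             f"per-interface BPDU Filter on {kind} port: BPDUs dropped, loops undetected"))
        elif global_filter and portfast and "spanning-tree bpdufilter disable" not in cmds:
            sev = "INFO" if bpduguard else "MEDIUM"
            reason = "global BPDU Filter applies (PortFast port)"
            findings.append((name, sev, reason + ("" if bpduguard else "; no BPDU Guard configured")))
    return findings


if __name__ == "__main__":
    for iface, sev, reason in audit_bpdufilter(SAMPLE_CONFIG):
        print(f"{sev:6s} {iface:24s} {reason}")
```

Run against the sample, the script flags Gi1/0/10 and Gi1/0/48 as HIGH, reports Gi1/0/1 as INFO because BPDU Guard backs the global filter there, and stays silent on Gi1/0/25 (explicit spanning-tree bpdufilter disable) and Gi1/0/49 (trunk, no PortFast, so the global default never applied). Pointing it at real configs replaces step 1 of the checklist; steps 3 and 4 still need the live show spanning-tree and CPU checks.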
What's Next
BPDU Filter is an advanced feature with significant risks. For most networks, the correct strategy is Root Guard and Loop Guard on uplinks, combined with BPDU Guard on access ports. The final major STP configuration topic is MSTP (Multiple Spanning Tree), which consolidates multiple VLAN instances into fewer protocol instances for CPU efficiency. Article 14 covers "Configuring Multiple Spanning Tree (MST) on Cisco Switches," including instance mapping, region configuration, and when MST is appropriate for large campus networks.