spanning-tree bdpu-filter

Syntax

spanning-tree bdpu-filter

no spanning-tree bdpu-filter

Description

Enables the BPDU filter for the interface.

The BPDU filter feature allows control of spanning tree participation on a per-port basis. It can be used to exclude specific ports from becoming part of spanning tree operations. A port with the BPDU filter enabled will ignore incoming BPDU packets and stay locked in the spanning tree forwarding state. All other ports maintain their role. Typical uses for this parameter include:

  • To run MSTP operations on selected ports of the switch rather than on every port.
  • To prevent the spread of errant BPDU frames.
  • To eliminate the need for a topology change when a port's link status changes. For example, ports that connect to servers and workstations can be configured to remain outside of spanning tree operations.
  • To protect the network from denial of service attacks that use spoofed BPDUs by dropping incoming BPDU frames. For this scenario, BPDU protection offers a more secure alternative, implementing port shutdown and a detection alert when errant BPDU frames are received.

NOTE:

Ports configured with the BPDU filter mode remain active (learning and forwarding frames). However, spanning tree cannot receive or transmit BPDUs on the port. The port remains in a forwarding state, permitting all broadcast traffic. This can create a network storm if there are any loops (that is, redundant links) using these ports. If you suddenly see a high load, disconnect the link and disable the BPDU filter (using the no form of the command).

The no form of the command sets the BPDU filter status to the default of disabled on the interface.

Command context

config-if

Authority

Administrators

Examples

Enabling the BPDU filter on interface 1/1/1:

switch(config)# interface 1/1/1
switch(config-if)# spanning-tree bdpu-filter

Disabling the BPDU filter on interface 1/1/1:

switch(config)# interface 1/1/1
switch(config-if)# no spanning-tree bdpu-filter
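
Because a filtered port keeps forwarding with no loop protection, it helps to know which interfaces have the filter enabled. The following audit script is an added example, not part of the original reference or the vendor's tooling. It assumes configuration text laid out as indented interface stanzas or as a pasted CLI session like the examples above; the function name and sample input are constructed.

```python
import re

# Command spelled as on this page (bdpu-filter); also accepting the
# spelling bpdu-filter is an assumption of this example.
CMD = re.compile(r"^(no\s+)?spanning-tree\s+b(?:dp|pd)u-filter$")
IFACE = re.compile(r"^interface\s+(\S+)$")
PROMPT = re.compile(r"^\S+\((config[^)]*)\)#\s*(.*)$")

def filtered_ports(text):
    """Return the interfaces left with the BPDU filter enabled."""
    state, current = {}, None          # last command per interface wins
    for raw in text.splitlines():
        m = PROMPT.match(raw)
        if m:                          # pasted CLI session
            in_sub, line = m.group(1) != "config", m.group(2).strip()
        else:                          # assumed indented config stanzas
            in_sub, line = raw[:1].isspace(), raw.strip()
        if not line or line.startswith("!"):
            continue
        m = IFACE.match(line)
        if m:
            current = m.group(1)
        elif not in_sub:
            current = None             # left the interface context
        elif current is not None:
            m = CMD.match(line)
            if m:
                state[current] = m.group(1) is None
    return sorted(port for port, on in state.items() if on)

# Constructed sample input, not taken from a real switch.
SAMPLE_CONFIG = """\
interface 1/1/1
    description server port
    spanning-tree bdpu-filter
interface 1/1/2
    spanning-tree bdpu-filter
    no spanning-tree bdpu-filter
interface 1/1/3
    no shutdown
"""
SAMPLE_SESSION = """\
switch(config)# interface 1/1/4
switch(config-if)# spanning-tree bdpu-filter
"""

if __name__ == "__main__":
    for port in filtered_ports(SAMPLE_CONFIG + SAMPLE_SESSION):
        print(f"{port}: BPDU filter enabled, port forwards without STP")
```

Each reported port should be confirmed as an edge port with no redundant link before the filter is left in place.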