BPDU filtering

The STP BPDU filter feature allows control of spanning tree participation on a per-port basis. It can be used to exclude specific ports from becoming part of spanning tree operations. A port with the BPDU filter enabled will ignore incoming BPDU packets on all VLANs where the port is a member, and stay locked in the spanning tree forwarding state. All other ports will maintain their role.

Syntax:

[no] spanning-tree [ <port-list> | all ] bpdu-filter

Enables/disables BPDU filtering on the specified ports. The bpdu-filter option forces a port to always stay in the forwarding state and be excluded from standard STP operation.

Sample scenarios in which this feature may be used:

  • To run STP on selected ports of the switch rather than on every port at once.

  • To prevent the spread of errant BPDU frames.

  • To eliminate the need for a topology change when a port's link status changes. For example, ports that connect to servers and workstations can be configured to remain outside of spanning tree operations.

  • To protect the network from denial of service attacks that use spoofing BPDUs by dropping incoming BPDU frames. For this scenario, BPDU protection offers a more secure alternative, implementing port shutdown and a detection alert when errant BPDU frames are received.


CAUTION: Ports configured with the BPDU filter mode remain active (learning and forwarding frames). However, spanning tree cannot receive or transmit BPDUs on the port. The port remains in a forwarding state, permitting all broadcast traffic. This can create a network storm if there are any loops (that is, redundant links) using these ports. If you suddenly see a high load, disconnect the link and disable the BPDU filter (using the no form of the command).


Configure BPDU filtering

To configure BPDU filtering on ports 23 and 24, enter:

switch(config)# spanning-tree 23,24 bpdu-filter
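As an added example (not part of the switch documentation), a small audit script that replays the [no] spanning-tree <port-list> bpdu-filter commands from a saved configuration, reports which ports end up with the filter in effect, and flags any of those that are uplinks, the redundant-link case the caution above describes. Numeric port ids 1..24, the sample configuration and the uplink list are constructed assumptions.

```python
"""Audit which ports have STP BPDU filtering in effect.
Replays [no] spanning-tree <port-list>|all bpdu-filter lines in order, so a
later "no" form overrides an earlier enable. Port ids 1..N and the sample
config are constructed assumptions."""
import re

CMD = re.compile(r"^\s*(no\s+)?spanning-tree\s+(\S+)\s+bpdu-filter\s*$")

def expand_port_list(spec, num_ports):
    """Expand 'all', '23,24' or '1-4,23' into a set of port numbers."""
    if spec == "all":
        return set(range(1, num_ports + 1))
    ports = set()
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= num_ports:
            raise ValueError(f"bad port spec {item!r}")
        ports.update(range(lo, hi + 1))
    return ports

def effective_bpdu_filter_ports(config_text, num_ports):
    """Sorted list of ports on which bpdu-filter is in effect."""
    enabled = set()
    for line in config_text.splitlines():
        m = CMD.match(line)
        if not m:
            continue  # not a bpdu-filter command
        ports = expand_port_list(m.group(2), num_ports)
        if m.group(1):  # "no" form: filtering removed from these ports
            enabled -= ports
        else:
            enabled |= ports
    return sorted(enabled)

def filtered_uplinks(config_text, num_ports, uplink_ports):
    """Filtered ports that are also uplinks (redundant links): the
    loop and broadcast-storm case the caution warns about."""
    filtered = set(effective_bpdu_filter_ports(config_text, num_ports))
    return sorted(filtered & set(uplink_ports))

SAMPLE_CONFIG = """\
spanning-tree
spanning-tree 23,24 bpdu-filter
spanning-tree 1-4 bpdu-filter
no spanning-tree 2 bpdu-filter
"""

if __name__ == "__main__":
    print(effective_bpdu_filter_ports(SAMPLE_CONFIG, 24))  # [1, 3, 4, 23, 24]
```

Any port reported by filtered_uplinks is one where a loop cannot be broken by STP, which is the condition to review before leaving the filter enabled.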