Cisco provides two features to protect Spanning Tree from loops being
created on ports where PortFast has been enabled. In a proper configuration,
PortFast would be enabled only on ports supporting end devices such as servers
and workstations. A PortFast interface is not expected to receive BPDUs from a
switch device. BPDU guard and BPDU filtering provide protection in case BPDUs
are received on a PortFast interface. Both BPDU guard and BPDU filtering can
be configured globally on all PortFast-configured ports, or on individual
ports.
BPDU Guard
BPDU Guard is used to protect the switched network from the problems that may
be caused by the receipt of BPDUs on ports that have been identified as ports
that should not be receiving them. The receipt of unexpected BPDUs may be
accidental or may be part of an unauthorized attempt to add a switch to the
network.
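
As an added example (not part of the original page and not Cisco tooling), this Python script audits a saved running-config for PortFast interfaces and reports whether each one is covered by BPDU guard per-port, by the global default, or not at all. The sample configuration is constructed, the function names are hypothetical, and only interfaces with an explicit `spanning-tree portfast` line are considered.

```python
import re

# Constructed sample running-config for illustration (not from the original page).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/2
 spanning-tree portfast
!
interface GigabitEthernet0/3
 switchport mode trunk
!
"""

def parse_config(text):
    """Split a running-config into global lines and per-interface line lists."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            continue
        m = re.match(r"interface (\S+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())       # indented line: interface sub-command
        else:
            current = None                     # unindented line: global command
            global_lines.append(line.strip())
    return global_lines, interfaces

def audit_bpduguard(text):
    """Return {interface: 'per-port' | 'global' | 'unprotected'} for PortFast ports."""
    global_lines, interfaces = parse_config(text)
    global_guard = "spanning-tree portfast bpduguard default" in global_lines
    report = {}
    for name, lines in interfaces.items():
        # Skip interfaces without an explicit PortFast statement.
        if not any(re.fullmatch(r"spanning-tree portfast( edge)?", l) for l in lines):
            continue
        if "spanning-tree bpduguard enable" in lines:
            report[name] = "per-port"
        elif global_guard and "spanning-tree bpduguard disable" not in lines:
            report[name] = "global"
        else:
            report[name] = "unprotected"
    return report
```

Running `audit_bpduguard(SAMPLE_CONFIG)` flags GigabitEthernet0/2 as unprotected; adding the global `spanning-tree portfast bpduguard default` line changes that result to global coverage.
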
BPDU Filtering
PortFast BPDU filtering affects how the switch acknowledges BPDUs seen on
PortFast-configured ports. Its functionality differs depending on whether it
is configured globally or on a per-port basis. The functionality will be
explained later in this section.
BPDU Root Guard
BPDU Root Guard protects against a switch outside the designated network
attempting to become the root bridge; its access is blocked until the receipt
of its BPDUs ceases.