What is a BPDU Filter?

Quick Definition: BPDU filtering is a networking security and performance feature that blocks the transmission of Bridge Protocol Data Units on the ports where it is enabled. This helps ensure rogue devices can’t become the root bridge and helps with network segmentation.
Networking can be confusing, so we don’t want to make it any more difficult. Spanning Tree Protocol, mostly referred to as STP, is a networking protocol that prevents endless loops within a network.
Computers don’t always know which path to take to get data to another end device, so they often rely on “asking” other computers who might know. Without Spanning Tree Protocol, we might experience a loop in which device 3 sends us back to device 2 for routing information because device 3 doesn’t know we’ve already “talked” to device 2.
To prevent this, STP uses special data blocks called BPDUs (Bridge Protocol Data Units) to help map and monitor the overall network topology. BPDUs also come with many features and capabilities. This article focuses on BPDU filtering, but before we get too deep into it, we need to discuss Rapid PVST+ STP.
Understanding Rapid PVST+ and Spanning Tree Protocol (STP)
Spanning Tree Protocol is used to prevent network loops, which would create a major challenge because networks are often designed with redundancy in case one or more network devices become unavailable for any reason.
Rapid PVST+ STP is an improvement of the original Spanning Tree Protocol and is the default mode on many industry-standard switches. Rapid PVST+ helps adapt to network topology changes more quickly than the original STP, among other features, such as the ability to create separate spanning trees for each VLAN.
As mentioned earlier, Spanning Tree Protocol uses special data blocks called BPDUs (Bridge Protocol Data Units) to provide information about network switches and ports. When two BPDUs are compared, the one carrying the better information about the network is called superior and the other inferior. Several STP features act on BPDUs, one of which is BPDU filtering.
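As an added illustration (not code from the original article), the following Python compares two BPDUs the way STP does, in the order root bridge ID, root path cost, sender bridge ID and sender port ID, and shows that a port with BPDU filtering enabled simply ignores a superior BPDU from an unexpected device. The bridge IDs and MAC addresses are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BridgeId:
    """Bridge ID: priority field (with extended system ID, 32768 + VLAN by default) and MAC."""
    priority: int
    mac: str

    def key(self):
        # Lower priority wins; a tie is broken by the lower MAC address.
        return (self.priority, int(self.mac.replace(":", ""), 16))


@dataclass(frozen=True)
class Bpdu:
    """The fields of a configuration BPDU that decide which BPDU is superior."""
    root_id: BridgeId
    root_path_cost: int
    sender_id: BridgeId
    sender_port_id: int

    def key(self):
        return (self.root_id.key(), self.root_path_cost, self.sender_id.key(), self.sender_port_id)


def classify(received: Bpdu, current: Bpdu) -> str:
    """802.1D ordering: the BPDU with the lower (root, cost, sender, port) tuple is superior."""
    if received.key() < current.key():
        return "superior"
    return "inferior" if received.key() > current.key() else "equal"


def best_after_receive(received: Bpdu, current: Bpdu, bpdufilter: bool) -> Bpdu:
    """A port with BPDU filtering enabled ignores the frame entirely; otherwise a
    superior BPDU replaces the current best and can move the root bridge."""
    if bpdufilter or classify(received, current) != "superior":
        return current
    return received


# Constructed sample: legitimate root at the default priority 32769 (32768 + VLAN 1)
# and an unexpected switch announcing itself as root with priority 0.
LEGIT = BridgeId(32769, "00:11:22:33:44:55")
ROGUE = BridgeId(0, "aa:bb:cc:dd:ee:01")
CURRENT_BEST = Bpdu(LEGIT, 0, LEGIT, 0x8001)
ROGUE_BPDU = Bpdu(ROGUE, 0, ROGUE, 0x8001)
```

Note that an interface-level filter also stops the port from sending BPDUs, so the same port no longer tells its neighbour about the topology either.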
What is a BPDU Filter?
BPDU filtering stops a switch port from sending BPDUs and discards any BPDUs that arrive on it. This functionality is useful for network latency and security, since BPDU filtering reduces the latency involved with topology changes.
BPDU filtering also provides an additional layer of security from malicious devices attempting to become the root bridge, which we will elaborate on in the next section.
BPDU filters are an important component of the new CCNA exam. Get ready for the exam with our Cisco Certified Network Associate (200-301 CCNA) Online Training.
How Do BPDU Filters Work?
BPDU filtering prevents the transmission of Bridge Protocol Data Units on specified ports by dropping the BPDUs without changing the state of the port itself. This is different from BPDU Guard, which shuts down any switch port that receives BPDUs while BPDU Guard is enabled on it.
BPDU filtering also prevents network loops by isolating parts of the network from each other. BPDU filtering is often considered more useful than BPDU Guard, whose primary purpose is to block the receipt of BPDUs at the root bridge to prevent unauthorized changes to the network topology. In contrast, BPDU filtering can preserve Spanning Tree Protocol configurations and more.
What are BPDU Filters Used for?
While BPDU filtering can protect the root bridge from being overtaken by an unauthorized device, it is also used to implement network segmentation. The main goal of the Spanning Tree Protocol is to prevent the formation of loops, and network segmentation helps accomplish that prevention.
Mitigating network loops improves stability and performance, as networking devices won’t waste time looping back to devices that have already been contacted.
Configuring BPDU Filter in Rapid PVST+
Now that we know a little more about the basics of BPDU filtering, let’s discuss the steps for configuration. While networking concepts may be difficult to understand at first, configuring these networking features is, thankfully, much simpler.
We’re looking at Cisco configuration commands for this example, so your exact commands may vary depending on the device model and version information.
After you log into your switch’s admin console, enter global configuration mode with configure terminal, then enter configuration mode for the interface you want to configure. You can do so with a command like this one, substituting your switch’s own interface type and number:
interface GigabitEthernet1/1
Then, you’ll enable BPDU filtering with this command:
spanning-tree bpdufilter enable
Finally, once you’ve exited the interface and saved your changes, confirm BPDU filtering is enabled with this command:
show running-config
You can also check a single port with show spanning-tree interface GigabitEthernet1/1 detail, which reports whether the BPDU filter is enabled on that interface.
If you’d like to disable BPDU filtering, you can easily do so by repeating the steps above, only this time you’ll type the following:
spanning-tree bpdufilter disable
Once again, you should confirm that your configuration changes have been saved.
Best Practices for Implementing BPDU Filters
Take the time to make a plan before implementing BPDU filtering in your network. Since BPDU filtering isolates network segments, you’ll want to be intentional about how and where you implement filtering. You’ll also want to consider whether you will only be using BPDU filtering or if you’ll be implementing other features such as BPDU Guard or Spanning Tree Root Guard. These can all work together with some planning, but without careful preparation, you risk reduced network performance and unwanted isolation.
Challenges and Considerations
Failure to plan ahead for deploying BPDU filtering can lead to network loops in some cases. It can also isolate key network devices from each other, so be sure to plan and test your configuration changes well before implementing them in a production environment.
Also, if you plan on implementing other features, such as BPDU guard or Spanning Tree Root Guard, confirm that the features will work well together instead of accidentally isolating particular segments of the network or otherwise impeding network traffic.
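As an added example, not code from the original article or from Cisco, this Python audit parses a running-config (a constructed sample is embedded) and reports where BPDUs will actually be filtered, flagging the placements the configuration steps and the best-practice sections above warn about: a filter on a trunk, where STP can no longer block a redundant link, and an explicit filter on a port that is not an edge port. It assumes IOS-style layout, where interface sub-commands are indented by one space.

```python
# Constructed sample running-config (not from the article): one global default
# for PortFast ports, one explicit filter on a trunk, one on a non-edge access port.
SAMPLE_CONFIG = """\
spanning-tree mode rapid-pvst
spanning-tree portfast bpdufilter default
interface GigabitEthernet1/0/1
 switchport mode access
 spanning-tree portfast
interface GigabitEthernet1/0/2
 switchport mode trunk
 spanning-tree bpdufilter enable
interface GigabitEthernet1/0/3
 switchport mode access
 spanning-tree bpdufilter enable
"""

def parse_config(config):
    """Split IOS-style config into global lines and {interface: [sub-commands]}."""
    globals_, interfaces, current = [], {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            if line and not line.startswith("!"):
                globals_.append(line.strip())
    return globals_, interfaces

def audit_bpdufilter(config):
    """Return (interface, level, reason) for each port where BPDUs are filtered."""
    globals_, interfaces = parse_config(config)
    global_default = "spanning-tree portfast bpdufilter default" in globals_
    findings = []
    for name, lines in interfaces.items():
        explicit = "spanning-tree bpdufilter enable" in lines
        portfast = any(l.startswith("spanning-tree portfast") for l in lines)
        trunk = "switchport mode trunk" in lines
        # The global default covers PortFast ports only and yields to a per-port disable.
        by_default = global_default and portfast and "spanning-tree bpdufilter disable" not in lines
        if not (explicit or by_default):
            continue
        if trunk:
            findings.append((name, "RISK", "filter on a trunk: STP can no longer block a redundant uplink"))
        elif explicit and not portfast:
            findings.append((name, "WARN", "explicit filter on a non-edge port: it neither sends nor hears BPDUs"))
        else:
            findings.append((name, "OK", "edge port"))
    return findings
```

Unlike an explicit interface-level filter, the global PortFast default still lets the port fall back to normal STP behaviour if a BPDU does arrive, which is why the edge-port case is reported as OK.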
Conclusion
When implemented properly, BPDU filtering prevents loops in a network. In addition to improving network performance, BPDU filtering improves network security by blocking Bridge Protocol Data Units, or BPDUs, on specific ports that might otherwise be targets of rogue devices attempting to hijack root bridge status. Implementing BPDU filtering should be carefully planned to avoid accidental network isolation or the formation of loops.
To learn more about building and securing networks, check out our Cisco Certified Network Associate (200-301 CCNA) Online Training.