
BPDU Guard vs BPDU Filter

Today, I want to tell you a story... a story about Ahmed.

Ahmed is a good employee — but he has a problem with his manager.

👔 Manager: You're fired!!

🧑‍💻 Ahmed: Okay, fine... but I’ll take revenge!

It’s Ahmed’s last day at the company. He buys a used Cisco switch and hatches a plan.

Ahmed unplugs the PC from the company network and connects it to his own switch.

🛠️ Ahmed: "Let’s make my switch the Root Bridge of the network!"

SW(config)# spanning-tree vlan 1 priority 0

Then, he connects his PC to the rogue switch — ready to sniff data and cause chaos!

😱 So, how do we protect our network from someone like Ahmed?

Let’s talk about two powerful security features:

🎯 BPDU Guard & BPDU Filter

🔍 Interview Question 1: What’s the difference between them?

🔍 Interview Question 2: Where do we apply each one in the network?

🔍 Interview Question 3: What happens if we apply both at the same time?

✅ Let's start with Question 2 – Where to Apply Them?

We apply both features at the Access Layer — specifically on ports connected to end devices, like user PCs.

✅ Question 1 – What’s the Difference?

🔒 BPDU Guard:

Sends BPDUs from the port

If it receives any BPDU, it immediately shuts down the port (err-disabled)

interface e0/0

spanning-tree bpduguard enable

🚫 BPDU Filter:

Does not send or receive BPDUs

If a BPDU is received, it’s simply ignored — no action taken

interface e0/0

spanning-tree bpdufilter enable

✅ Question 3 – What if We Apply Both?

⚠️ If you apply both features on the same port, BPDU Filter takes precedence and overrides BPDU Guard: the filter ignores incoming BPDUs, so Guard never sees one and the port is not err-disabled.
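
An added example (not from the original post): a small Python audit that reads an IOS-style configuration and flags access ports where BPDU Guard is missing, or is configured together with BPDU Filter and therefore overridden. The sample configuration, function names and status labels are constructed for illustration; only the per-interface commands shown above plus `switchport mode access` are checked, and global defaults are not considered.

```python
import re
# Constructed sample running-config (not from the original page).
SAMPLE_CONFIG = """\
interface Ethernet0/0
 switchport mode access
 spanning-tree bpduguard enable
!
interface Ethernet0/1
 switchport mode access
 spanning-tree bpdufilter enable
!
interface Ethernet0/2
 switchport mode access
 spanning-tree bpduguard enable
 spanning-tree bpdufilter enable
!
interface Ethernet0/3
 switchport mode access
!
interface Ethernet1/0
 switchport mode trunk
"""

STATUS = {(True, False): "guard", (False, True): "filter-only",
          (True, True): "guard-overridden-by-filter",
          (False, False): "unprotected"}  # keys: (guard set, filter set)

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from IOS-style config text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface\s+(\S+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command ends the stanza
    return interfaces

def audit_access_ports(config):
    """Classify each access port by its per-interface BPDU settings."""
    report = {}
    for name, cmds in parse_interfaces(config).items():
        if "switchport mode access" in cmds:  # end-device ports only
            guard = "spanning-tree bpduguard enable" in cmds
            bpdu_filter = "spanning-tree bpdufilter enable" in cmds
            report[name] = STATUS[(guard, bpdu_filter)]
    return report
```

Calling `audit_access_ports(SAMPLE_CONFIG)` returns one finding per access port; the trunk port is skipped because the post applies these features only to ports facing end devices.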

📌 Conclusion:

With BPDU Guard and BPDU Filter properly configured, you can stop attackers like Ahmed before they cause harm. 🔐