Had an interesting natter with a colleague over whether to filter or to guard when using spanning-tree on edge ports of Cisco switches. The views from both sides were interesting, and once the potential risks were considered everyone agreed there was a clear winner. Interestingly, if you Google it or plough through the Cisco technical forums, the diversity of viewpoints is somewhat intriguing. However, to offer a summary for those who have searched in vain for the correct way to go, here are some pointers to help you make a decision.
spanning-tree portfast bpdufilter
spanning-tree portfast bpduguard
BPDU filtering prevents the switchport from sending or receiving BPDUs. The downside is that if someone plugs a Layer 2 device into two ports you will have a loop.
BPDU guard will automatically shut down the port when it receives a BPDU. This is because the port is an edge port and is not expecting to see any additional infrastructure connected below it. I would hasten to add at this stage that, if you have not already, you need to consider the use of errdisable recovery to ensure that in the event of an issue the port is re-enabled automatically, and shut down again if the issue is still present. See the post in Troubleshooting.
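One way to check a switch for the choices described above is to audit its configuration for edge ports that filter BPDUs or lack BPDU guard, and for missing errdisable recovery. This is an added example, not part of the original post. The sample config is constructed, the function name `audit_edge_ports` is hypothetical, and it assumes the IOS interface-level forms `spanning-tree bpdufilter enable` and `spanning-tree bpduguard enable|disable`, the global `spanning-tree portfast bpduguard default`, and edge ports marked by an interface-level `spanning-tree portfast`.

```python
import re

# Constructed sample running-config, not taken from a real device.
SAMPLE_CONFIG = """\
spanning-tree portfast bpduguard default
errdisable recovery cause bpduguard
interface GigabitEthernet0/1
 spanning-tree portfast
interface GigabitEthernet0/2
 spanning-tree portfast
 spanning-tree bpdufilter enable
interface GigabitEthernet0/3
 spanning-tree portfast
 spanning-tree bpduguard disable
interface GigabitEthernet0/24
 switchport mode trunk
"""

def audit_edge_ports(config):
    """Return (findings, recovery_enabled) for IOS-style config text."""
    lines = config.splitlines()
    top = {l.strip() for l in lines if l and not l.startswith(" ")}
    guard_default = "spanning-tree portfast bpduguard default" in top
    recovery = "errdisable recovery cause bpduguard" in top
    # Group the indented sub-commands under each interface stanza.
    stanzas, current = {}, None
    for line in lines:
        m = re.match(r"interface (\S+)", line)
        if m:
            current = stanzas.setdefault(m.group(1), set())
        elif line.startswith(" ") and current is not None:
            current.add(line.strip())
        else:
            current = None
    findings = {}
    for name, cmds in stanzas.items():
        if "spanning-tree portfast" not in cmds:
            continue  # only ports explicitly configured as edge ports
        issues = []
        if "spanning-tree bpdufilter enable" in cmds:
            issues.append("bpdufilter: BPDUs ignored, loop goes undetected")
        guarded = "spanning-tree bpduguard enable" in cmds or (
            guard_default and "spanning-tree bpduguard disable" not in cmds)
        if not guarded:
            issues.append("no bpduguard")
        if issues:
            findings[name] = issues
    return findings, recovery

if __name__ == "__main__":
    print(audit_edge_ports(SAMPLE_CONFIG))
```

A `False` in the second return value means a guard-triggered shutdown would stay err-disabled until someone re-enables the port by hand.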