Wednesday, August 05, 2015

DELL Force10 : BPDU Guard vs BPDU Filtering

Spanning tree should be enabled on any enterprise switch during initial switch configuration. That's the reason I mentioned spanning tree configuration in the blog post "Initial switch configuration". On the latest FTOS version, the following spanning tree protocols are supported:

  • STP (Spanning Tree Protocol)
  • RSTP (Rapid Spanning Tree Protocol)
  • MSTP (Multiple Spanning Tree Protocol)
  • PVSTP+ (Per-VLAN Spanning Tree Plus)

I assume the reader is familiar with the various spanning tree protocols and with the general difference between BPDU Guard and BPDU Filter. Here is a quick recap of the relevant terminology:
  • BPDU Guard and BPDU Filtering are Spanning Tree Protocol security mechanisms.
  • BPDU Guard is typically configured on a switch edge port. It detects BPDU frames and, because BPDU frames are not expected on an edge port, disables the port either temporarily or permanently.
  • BPDU Filter is also typically configured on a switch edge port and also detects BPDU frames, but instead of disabling the port it drops (filters) those frames to limit their impact on the spanning tree protocol, because received BPDU frames can trigger a topology change and a new STP root election.
Generally it is not recommended to filter BPDUs, but there are at least some use cases where a BPDU filter is beneficial. Here are two use cases where I believe BPDU Filter can be beneficial:
Use Case 1/ Datacenter interconnect (aka DCI), where you are absolutely sure there cannot be a loop, you want two independent spanning tree regions, and you really do want to filter BPDUs.
Use Case 2/ Edge ports to ESXi hosts
  • A rogue VM can send BPDUs into the network, so some protection is needed, especially in untrusted environments such as IaaS cloud providers; you then have to choose between BPDU Guard and BPDU Filter + Broadcast Storm Control.
  • BPDU Guard can cause a DoS when you don't have control over the ESXi configuration. See http://blog.igics.com/2015/01/bpdu-filter-and-forged-transmit-on.html for further details.
  • BPDU Filter can help mitigate topology changes when a rogue VM periodically tries to become, and then stop being, the STP root switch, initiating unwanted network topology changes.
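To make the root-election concern in the bullets above concrete, here is an added example (my own code, not from the original post, from Dell or from VMware): a small Python decoder for 802.1D/802.1w BPDUs that reports whether a BPDU seen on an edge port carries a root identifier numerically lower (that is, better) than the current root, which is exactly the case that would force a re-election and a topology change. The frames, the MAC addresses and the current root identifier are constructed for the example; on a real switch this is the kind of BPDU that BPDU Guard would log and err-disable the port for, and that BPDU Filter would silently drop.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# 802.1D LLC header that precedes every BPDU: DSAP 0x42, SSAP 0x42, control 0x03 (UI)
LLC_STP = bytes.fromhex("424203")
BPDU_TYPE_CONFIG, BPDU_TYPE_RST, BPDU_TYPE_TCN = 0x00, 0x02, 0x80


@dataclass
class Bpdu:
    version: int                   # 0 = STP, 2 = RSTP, 3 = MSTP
    bpdu_type: int
    flags: int
    root_id: Optional[int]         # 8-byte root identifier as one integer, None for a TCN
    root_path_cost: Optional[int]
    bridge_id: Optional[int]       # identifier of the bridge that sent the BPDU
    port_id: Optional[int]


def parse_bpdu(frame: bytes) -> Bpdu:
    """Decode the STP payload of an LLC frame (802.1D configuration, 802.1w RST or TCN BPDU)."""
    if not frame.startswith(LLC_STP):
        raise ValueError("not an STP LLC frame (DSAP/SSAP must be 0x42)")
    body = frame[len(LLC_STP):]
    if len(body) < 4:
        raise ValueError("truncated BPDU header")
    proto, version, bpdu_type = struct.unpack("!HBB", body[:4])
    if proto != 0:
        raise ValueError(f"unexpected protocol identifier {proto:#06x}")
    if bpdu_type == BPDU_TYPE_TCN:
        # A Topology Change Notification carries no root or bridge information.
        return Bpdu(version, bpdu_type, 0, None, None, None, None)
    if len(body) < 27:
        raise ValueError("truncated configuration/RST BPDU")
    # flags(1) root id(8) root path cost(4) bridge id(8) port id(2); the timers that follow are not needed here
    flags, root_id, cost, bridge_id, port_id = struct.unpack("!BQIQH", body[4:27])
    return Bpdu(version, bpdu_type, flags, root_id, cost, bridge_id, port_id)


def bridge_id_str(bid: int) -> str:
    """Render an 8-byte bridge identifier as 'priority/MAC' (the lower numeric value wins the root election)."""
    priority = bid >> 48
    mac = bid & 0xFFFFFFFFFFFF
    return f"{priority}/" + ":".join(f"{(mac >> (8 * i)) & 0xFF:02x}" for i in range(5, -1, -1))


def classify(frame: bytes, current_root_id: int) -> str:
    """Say what a BPDU received on an edge port would do to the current spanning tree."""
    bpdu = parse_bpdu(frame)
    if bpdu.bpdu_type == BPDU_TYPE_TCN:
        return "topology-change-notification"
    if bpdu.root_id < current_root_id:
        return "superior-root"     # would win the root election and re-converge the whole tree
    if bpdu.root_id == current_root_id:
        return "same-root"
    return "inferior"


def audit_edge_port_capture(frames: List[Tuple[str, bytes]], current_root_id: int) -> List[Tuple[str, str]]:
    """Classify every (port, frame) pair; an edge port should never see any of these at all."""
    return [(port, classify(frame, current_root_id)) for port, frame in frames]


# Constructed sample frames (not captures from a real switch). The legitimate root is
# priority 32768 with MAC 00:11:22:33:44:55.
CURRENT_ROOT_ID = 0x8000001122334455

LEGIT_RST_BPDU = bytes.fromhex(
    "424203"                     # LLC header
    "0000" "02" "02" "7c"        # protocol id 0, version 2 (RSTP), type 0x02 (RST), flags
    "8000001122334455"           # root id: priority 32768, MAC 00:11:22:33:44:55
    "00000000"                   # root path cost 0 (the sender is the root)
    "8000001122334455"           # bridge id of the sender
    "8001"                       # port id
    "0000" "1400" "0200" "0f00"  # message age 0, max age 20 s, hello 2 s, forward delay 15 s (units of 1/256 s)
    "00"                         # version 1 length
)

# The kind of BPDU the post's rogue VM would emit: priority 0 with an arbitrary (constructed) MAC,
# numerically lower than the real root, so it would win the election.
ROGUE_RST_BPDU = bytes.fromhex(
    "424203" "0000" "02" "02" "7c"
    "0000005056aabbcc" "00000000" "0000005056aabbcc" "8001"
    "0000" "1400" "0200" "0f00" "00"
)

TCN_BPDU = bytes.fromhex("424203" "0000" "00" "80")

if __name__ == "__main__":
    capture = [("Gi 0/1", LEGIT_RST_BPDU), ("Gi 0/2", ROGUE_RST_BPDU), ("Gi 0/3", TCN_BPDU)]
    for (port, verdict), (_, frame) in zip(audit_edge_port_capture(capture, CURRENT_ROOT_ID), capture):
        root = parse_bpdu(frame).root_id
        print(port, verdict, bridge_id_str(root) if root is not None else "-")
```

The comparison is a plain integer comparison because an 8-byte bridge identifier (priority and system-ID extension followed by the MAC) compares correctly as a big-endian integer; that is also why a VM sending priority 0 beats any sensibly configured switch, which is the reason the post gives for either guarding or filtering these frames on host-facing ports.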

The main objective of this blog post is to explain the specific BPDU Guard and BPDU Filtering implementation on DELL S-Series (formerly Force10) switches, so here it is.

Force10 BPDU Guard
  • Software-based implementation - BPDUs are received on an interface and passed to the CPU for analysis/action (logs will reflect dropped BPDUs)
  • Occurs when interfaces are configured for portfast/edge-port with bpduguard and a BPDU is received
Force10 BPDU Filtering
  • Hardware-based implementation - BPDUs are dropped on ingress to the interface
  • CPU does not receive BPDU, leaving CPU resources available for other tasks
  • Logs will not reflect dropped BPDUs, because logging is possible only when BPDUs are sent to the CPU
  • Occurs when STP is disabled globally or per-interface
Spanning Tree examples:
All examples below are for Rapid Spanning Tree Protocol (RSTP) but the same syntax works for other spanning tree protocol variants.

STP Portfast equivalent:
conf
interface gigabitethernet 0/1
  spanning-tree rstp edge-port

BPDU Guard - set the port state to Error Disabled and drop traffic if a BPDU is received on the interface (the interface link state remains up):
conf
interface gigabitethernet 0/1
  spanning-tree rstp edge-port bpduguard

BPDU Guard - shut the interface down if a BPDU is received on it:
conf
interface gigabitethernet 0/1
  spanning-tree rstp edge-port bpduguard shutdown-on-violation

BPDU Filter on a particular interface:
conf
interface gigabitethernet 0/1
  no spanning-tree
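As an added example (my own script, not code from the post or from Dell), the following Python audits a running-config written in the syntax shown above and reports, for every host-facing port, which of the protections it has: BPDU Guard that err-disables the port, BPDU Guard with shutdown-on-violation, BPDU Filter via `no spanning-tree`, an edge port with no guard at all, or no edge-port configuration. The configuration text is constructed, and selecting host-facing ports by an "ESXi" marker in the interface description is an assumption of the example; the script does not check storm control, so a `no spanning-tree` port still needs that reviewed by hand.

```python
import re
from typing import Dict, List

# Constructed sample running-config fragment in the syntax the post uses (not from a real switch).
SAMPLE_CONFIG = """\
interface gigabitethernet 0/1
 description ESXi host A vmnic0
 spanning-tree rstp edge-port bpduguard shutdown-on-violation
 no shutdown
!
interface gigabitethernet 0/2
 description ESXi host A vmnic1
 spanning-tree rstp edge-port bpduguard
 no shutdown
!
interface gigabitethernet 0/3
 description ESXi host B vmnic0
 spanning-tree rstp edge-port
 no shutdown
!
interface gigabitethernet 0/4
 description DCI to site B
 no spanning-tree
 no shutdown
!
interface gigabitethernet 0/5
 description ESXi host B vmnic1
 no shutdown
!
"""

# "spanning-tree <protocol> edge-port ..." with any protocol keyword (the post shows rstp).
EDGE_PORT_RE = re.compile(r"^spanning-tree\s+\S+\s+edge-port(?P<rest>.*)$", re.IGNORECASE)


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split a running-config into {interface name: [its config lines]}; '!' ends a block."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.lower().startswith("interface "):
            current = line[len("interface "):].strip()
            interfaces[current] = []
        elif line == "!":
            current = None
        elif current is not None and line:
            interfaces[current].append(line)
    return interfaces


def classify_port(lines: List[str]) -> str:
    """Map an interface's config lines to the BPDU protection the post describes."""
    if any(line.lower() == "no spanning-tree" for line in lines):
        return "bpdu-filter"               # STP off on the port: BPDUs dropped in hardware, nothing logged
    for line in lines:
        match = EDGE_PORT_RE.match(line)
        if match:
            rest = match.group("rest").lower()
            if "shutdown-on-violation" in rest:
                return "bpdu-guard-shutdown"
            if "bpduguard" in rest:
                return "bpdu-guard-errdisable"
            return "edge-port-unguarded"   # portfast only: a received BPDU is processed by STP as usual
    return "not-edge-port"


def audit(config: str, edge_marker: str = "esxi") -> Dict[str, str]:
    """Return {interface: verdict} for ports whose description contains the host marker (assumed convention)."""
    verdicts: Dict[str, str] = {}
    for name, lines in parse_interfaces(config).items():
        desc = next((line for line in lines if line.lower().startswith("description ")), "")
        if edge_marker in desc.lower():
            verdicts[name] = classify_port(lines)
    return verdicts


def unprotected(config: str, edge_marker: str = "esxi") -> List[str]:
    """Host-facing ports on which a rogue VM's BPDU would be processed by the switch's STP."""
    return [name for name, verdict in audit(config, edge_marker).items()
            if verdict in ("edge-port-unguarded", "not-edge-port")]


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_CONFIG).items():
        print(f"{name}: {verdict}")
    print("unprotected:", ", ".join(unprotected(SAMPLE_CONFIG)))
```

Run against the sample, it flags gigabitethernet 0/3 (edge-port without bpduguard) and 0/5 (no edge-port configuration at all) as the ports where a BPDU from a VM would still reach the switch's spanning tree process; the DCI port 0/4 is left out of the host audit but classifies as bpdu-filter if passed to classify_port directly.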

2 comments:

blaa132 said...

So BPDU Filter is implemented with "no spanning-tree". BPDUs are dropped on ingress to the interface. Are BPDUs also not sent out on egress?

David Pasek said...

My understanding is that when a particular STP protocol is enabled on a switch and disabled on a particular switch port, then BPDUs are dropped on ingress to the interface. I would assume that BPDUs are sent on egress from the interface. This is how BPDU filtering should work.