A rogue switch with a lower priority (BID) could easily be connected to a supposedly access-only interface of your network and eventually become the root switch. In this particular case you would disable/filter Hello BPDUs on certain interfaces of your switch. If you know that no other switch is to be connected to a specific port of your switch, it's a good idea to configure it as an access-only interface and enable BPDU Guard.
Thanks for your responses.
I think the answers are more about replacing BPDU filter with guard. We can even enable both BPDU guard and filter on an interface at the same time, so it is not really a replacement. I have searched a lot but did not find those special cases yet. Can someone explain some additional benefits?
you would use bpdufilter when you want a switch plugged into your network but you don't want it participating in spanning tree.
an example is this: an office environment where someone needs another network drop under their desk but you don't have time/budget to run a new line for now. you, the netadmin sanction a small switch but you don't want it to break spanning tree.
the switch you have lying around for this task is a simple unmanaged switch and will only have 1 uplink into your network. so you put bpdufilter on your switch port.
bpduguard would see the bpdu from the simple switch and err-disable the port, which isn't what you want.
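The two port roles Nick describes (a host-only port that should err-disable on a BPDU, and a sanctioned single-uplink unmanaged switch that should be kept out of STP without tripping the port), as an added Cisco IOS configuration example. This is not from the original thread or from any vendor document; the interface names, VLAN number and recovery interval are assumptions.

```cisco
! --- Added example, not from the thread. Interface names, VLAN id and timer are assumptions. ---

! Global: every PortFast (edge) port gets BPDU Guard by default, and a port that
! BPDU Guard err-disables recovers on its own after 5 minutes, so a one-off
! mistake does not need a manual "shutdown / no shutdown".
spanning-tree portfast bpduguard default
errdisable recovery cause bpduguard
errdisable recovery interval 300

! Normal user port: a host only. If anything that speaks STP is plugged in,
! BPDU Guard err-disables the port, which is the behaviour we want here.
interface GigabitEthernet1/0/10
 description user desk - host only
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable

! Sanctioned unmanaged desk switch with a single uplink: we do not want this
! port to err-disable, and we do not want the unmanaged switch in the STP
! topology, so BPDU Guard is turned off on this port and BPDU Filter is on.
! Per-interface "bpdufilter enable" stops BPDUs in both directions, which is
! effectively disabling STP on the port; that is only acceptable because this
! switch has exactly one uplink and so cannot close a loop by itself.
interface GigabitEthernet1/0/11
 description sanctioned unmanaged desk switch - single uplink only
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard disable
 spanning-tree bpdufilter enable

! Verification (read-only show commands):
! show spanning-tree interface GigabitEthernet1/0/11 detail
!   -> shows whether BPDU guard / BPDU filter are enabled on the port
! show errdisable recovery
!   -> bpduguard should be listed as an enabled recovery cause
! show interfaces status err-disabled
!   -> lists any guarded port that has tripped
```

The important asymmetry: a guarded port fails closed (err-disabled) and tells you something unexpected happened, while a filtered port fails silently. Filtering is therefore reserved for ports where you have decided in advance that the attached device must never influence the topology.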
Thanks Nick... you have enlightened me.
I can now imagine somebody introducing a switch in a big datacenter. He doesn't want to disturb the STP in business hours and would rather do it in a weekend maintenance window. This can be true when you introduce a switch for one week or so for a seminar etc.
Now, will you filter BPDUs on portfast ports, to stop the additional processing burden on the CPUs of both hosts and switches? Moreover, are there any security concerns if BPDUs reach a rogue host (not a switch), like DTP spoofing?
In order to allow immediate transition of the port into forwarding state, enable the STP PortFast feature. PortFast immediately transitions the port into STP forwarding mode upon linkup. The port still participates in STP. So if the port is to be a part of the loop, the port eventually transitions into STP blocking mode.
Use care when entering the spanning-tree bpdufilter enable command. Enabling BPDU filtering on an interface is approximately equivalent to disabling the spanning tree for this interface. It is possible to create bridging loops if this command is not correctly used.
it doesn't give any indication whether the bpdu filtering is ingress, egress, or both. i suppose the more secure approach for rogue systems would be to shut all unused ports. on the active access ports, turn on portfast, port-security, bpduguard, and dhcpguard.
if somehow a rogue system gets STP information and begins to spoof a root bridge, bpduguard/filter will stop it from digging back in.
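The layered access-port hardening listed in this reply (unused ports shut, active ports with portfast, port-security and bpduguard, plus a DHCP guard), as an added Cisco IOS example. It is not from the thread; the VLAN numbers, interface ranges and port-security limits are assumptions, and DHCP snooping is used for the "dhcpguard" item because that is the IOS feature that drops DHCP server replies on untrusted ports. `switchport nonegotiate` is included because the earlier question raised DTP spoofing.

```cisco
! --- Added example, not from the thread. VLANs, ranges and limits are assumptions. ---

! DHCP snooping: only the uplink is trusted, so a rogue DHCP server plugged
! into an access port cannot answer clients.
ip dhcp snooping
ip dhcp snooping vlan 10
interface GigabitEthernet1/0/48
 description uplink to distribution
 ip dhcp snooping trust

! Active access ports: PortFast so hosts come up immediately, BPDU Guard so
! anything that speaks STP is err-disabled, no DTP so a host cannot negotiate
! a trunk, and port-security to cap the number of MAC addresses per port.
interface range GigabitEthernet1/0/1 - 40
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security aging time 10
 switchport port-security aging type inactivity

! Unused ports: parked in an unused "black hole" VLAN and shut down, so a
! cable plugged into one of them does nothing until an admin enables it.
vlan 999
 name BLACKHOLE
interface range GigabitEthernet1/0/41 - 47
 description unused - parked
 switchport mode access
 switchport access vlan 999
 shutdown

! Verification (read-only show commands):
! show ip dhcp snooping
! show port-security interface GigabitEthernet1/0/1
! show spanning-tree summary
```

The `maximum 2` assumes an IP phone and a PC behind each port; with `violation restrict` the port stays up, drops frames from extra MACs and raises a counter/log rather than going err-disabled, which is the quieter choice for user-facing ports. Use `violation shutdown` where you want the same fail-closed behaviour as BPDU Guard.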
BPDU filter applied globally will allow you to cascade switches on a portfast port without causing loops. Once the port received a BPDU, it drops the portfast status and allows the cascaded switch to participate in spanning-tree. A better way to protect your STP topology is using "spanning-tree guard root" on the ports facing down from your root bridge.
A good example of a per-port bpdu filter would be HP Virtual Connect switches. They don't participate in STP at all, so no BPDUs are ever expected.
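The global PortFast BPDU filter and the root guard recommendation from the reply above, as an added Cisco IOS example for the distribution/root switch. This is not from the thread; the interface names, VLAN range and priority value are assumptions.

```cisco
! --- Added example, not from the thread. Interface names and priority are assumptions. ---

! On the intended root bridge: pin the priority low so a switch arriving with
! the default priority (32768) cannot win the root election on priority alone.
spanning-tree mode rapid-pvst
spanning-tree vlan 1-4094 priority 4096

! Global PortFast BPDU filter: PortFast ports stop sending BPDUs, but if a
! BPDU is *received* the port loses its PortFast status and rejoins STP as a
! normal port. This is what makes cascading a switch off a PortFast port safe,
! and it is different from the per-interface "spanning-tree bpdufilter enable",
! which drops BPDUs in both directions and can hide a loop.
spanning-tree portfast bpdufilter default

! Downlinks toward the access layer: root guard. If a superior BPDU arrives on
! one of these ports, the port goes to root-inconsistent (blocking) instead of
! letting the downstream switch take over as root, and it recovers on its own
! once the superior BPDUs stop. A per-port bpdufilter would instead belong on
! a port facing a device that never participates in STP (the Virtual Connect case).
interface range TenGigabitEthernet1/1/1 - 4
 description downlink to access layer
 switchport mode trunk
 spanning-tree guard root

! Verification (read-only show commands):
! show spanning-tree root
! show spanning-tree inconsistentports
! show spanning-tree summary
```

Root guard is preferable to filtering on downlinks because it keeps the link in STP (so a genuine loop is still detected) while refusing to accept a new root from below; the `inconsistentports` output is the place to look when an access switch is unexpectedly isolated.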