CCIE 400-101: Layer 2 Technologies - PortFast, BPDU Guard, BPDU Filter

PortFast

The PortFast feature was originally developed to overcome a situation where a PC was unable to obtain a DHCP address due to the port failing to transition into the forwarding state in time.
This results from STP going through the listening and learning states, which would normally take 30 seconds.
The PortFast feature allows the port to enter the forwarding state immediately, bypassing the listening and learning states.
Besides immediately transitioning the port to the forwarding state, PortFast provides another advantage: the switch will not generate a topology change notification for ports with PortFast enabled.
Should be configured only on edge ports connecting to end devices.
A PortFast enabled port will continue to transmit BPDUs and participate in STP.
If the port receives BPDUs, the PortFast feature is disabled.
Two ways to enable PortFast: globally (spanning-tree portfast default) or per interface (spanning-tree portfast).
Both commands enable PortFast on operational access ports.
To enable PortFast on both access and trunk ports, use the spanning-tree portfast trunk command.

BPDU guard prevents a port from receiving BPDUs.
If the port still receives a BPDU, it is put in the error-disabled state.
Much like the PortFast feature, BPDU Guard has two configuration options: globally (spanning-tree portfast bpduguard default) and per interface (spanning-tree bpduguard enable).
If configured globally, BPDU Guard is dependent on the operational PortFast state.
The per interface configuration unconditionally enables BPDU Guard on the port, independent of PortFast or access/trunk mode.
There are two ways to recover an err-disabled port, either by manually re-enabling with shutdown and no shutdown commands or by configuring automatic err-disable recovery with errdisable recovery cause bpduguard.

BPDU Filter prevents specified ports from sending or receiving BPDUs.
Again, there are two methods to configure this feature: globally (spanning-tree portfast bpdufilter default) and per interface (spanning-tree bpdufilter enable).
The interface configuration filters both incoming and outgoing BPDUs unconditionally – independent of the operational PortFast state or access/trunk mode. This is effectively the equivalent of turning off STP.
The global BPDU Filter is enabled on interfaces in operational PortFast state.
In global mode, the switch does not filter incoming BPDUs, but most (though not all) outgoing BPDUs are filtered. When a port comes up, 11 BPDUs are sent out.
If BPDUs are received, the PortFast and BPDU Filter features are disabled.

PortFast immediately moves the port into the forwarding state, bypassing listening and learning states.
A PortFast enabled port will continue to transmit BPDUs.
If a BPDU is received, PortFast is disabled.
The switch never generates a TCN when a PortFast enabled port goes up or down.
There is a difference between administrative and operational state.
The spanning-tree portfast trunk command enables PortFast on both access and trunk ports.
BPDU Guard and BPDU Filter global mode is dependent on operational PortFast.
BPDU Guard and BPDU Filter interface mode is unconditional.
Misconfigured BPDU Filter is much more dangerous than misconfigured PortFast, yet IOS does not generate a warning message about that.
PortFast can create a temporary loop of max. 2 seconds (default Hello interval) until the next BPDU is received and PortFast is disabled. BPDU Filter can create a permanent loop, because all BPDUs are ignored.
Remember the operation of STP - when BPDUs are sent and not sent.