Portfast + bpdufilter (used together) can be enabled globally or at interface level:
Globally:
(config)# spanning-tree portfast bpdufilter default
At interface level:
(config)# interface x/x (config-if)# spanning-tree portfast (config-if)# spanning-tree bpdufilter enable
Although the first impression is that the only difference is the global or per-interface effect, this is not entirely true and another subtle and important difference is described below.
By default, a port configured with portfast is still sending out BPDUs. If you want portfast-enabled ports to stop sending BPDUs you may rush to use command (config-if)# spanning-tree bpdufilter enable on the same interface.
While this gives you what you want (don’t send BPDUs on portfast interfaces), you have the following problem: you disable completely STP on that port, meaning that you stop both sending and receiving BPDUs. This is NOT SAFE as it may result in STP loops (in case you connect a BPDU-enabled device on that port).
A better option (and here it comes up the subtle difference that I talked about) is to enable bpdufilter globally for all portfast-enabled ports: (config)# spanning-tree portfast bpdufilter default.
This command stops, as well, sending BPDUs on the portfast interfaces, but in case a BPDU is received on that port, it will resume STP operations on it, thus preventing STP loops. If a BPDU is received, that port loses its portfast status immediatelly and starts following the STP rules/states.
CostiSer 